Good afternoon, everyone. To continue our discussion of Information Technology Auditing, let's proceed to Chapter 4, which is part 2 of last meeting's topic. Today we will discuss Auditing Database Systems. But before that, let us all be guided by the outline of my discussion. *read overview*

To proceed: the term "database" is used in a broad context, which is why we have two general approaches: the flat-file approach and the database approach. When we speak of the flat-file approach, *read first bullet* Legacy systems are those large mainframe systems; these are the older systems. They are somewhat out of date and old, but organizations still use them. Systems like these no longer need support and maintenance. Let us take, for example, Windows XP, Windows Vista, and Windows 7. Just because it's old does not mean it's obsolete.

This means the system exists only for the specific need of a single owner, so there is no data integration. Also, the data files have no structured relationship to other files. In other words, that data is only for the specific use of its owner, and that's it.

Because of this, various problems arise, such as data storage, because the files become redundant. What if the Sales Department needs the same file? It has to obtain separate data for that specific need. As a result, many data files are kept in storage, and that becomes costly for the organization. The next problem is data updating: if one file changes, the other departments will not know right away because the files are not connected, and the updating becomes a redundant task again. The third problem is the currency of information: because the files are not updated right away, chances are some decisions will be based on outdated information.
The last is task-data dependency: because the users here prefer to work independently, most of the time they simply look for new information by procuring new data files. That alone is costly to the organization: it takes time, performance slows down, and the files become redundant.

Fortunately, something new came along to lessen these problems: the database approach. In the database approach, there is now a DBMS that works as a facilitator in the middle. Since it is also centralized, this time there is a user community, unlike in the flat-file approach. Also, through the DBMS, it can be seen which data files users are authorized to access. Of course, just because there is a user community does not mean you can see everything. No, access to the data still has to be authorized. This is where the auditor's work comes in, because the auditor will look at whether the controls the organization applies to file security are effective, such as what its access controls are. The organization, for its part, must have user authority assigned, because the DBMS validates and authorizes access to the data based on the user's authority. If you are not authorized to access, the DBMS of course denies it. And since it is centralized, data is now shared, which also means that the problems mentioned under the flat-file approach are eliminated.

Now, we proceed to the key elements of the database environment. We have the DBMS, the users, the physical database, the database administrator, and the DBMS models. As for the relationship among these elements: first is the database management system, the central element, which provides a controlled environment because it is the one that authorizes access to the data resources. Read 1st bullet: the DBMS contains application development software, which is used to access the database.
Read 2nd bullet: so if a disaster such as program errors ever occurs, the DBMS can recover the earlier version. Not everything, though, but without this feature the result would be total data loss. Read 3rd bullet: so the history of where and when the data was used, and who used it, would not be known; this is used by the database administrator, who assigns user authorization and maintains the database. Later we will see the administrator's different functions in more detail. Read 4th bullet: This is the most important feature of the DBMS: permitting access to authorized users, whether formal or informal access.

One more piece of terminology: DDL is a programming language that is used to define the database by identifying the names and relationships of all data elements, records, files, and such. It has three levels called views, so we have the database views:

1) Internal/Physical: this is the physical arrangement of records in the database, such as the structures of data records, links between files, and such. It is the lowest level of representation, one step removed from the physical database. Also, there is only one internal view for the database.

2) Conceptual/Logical: also known as the schema. There is likewise only one conceptual view for the database. It describes the entire database and represents it logically and abstractly, not just in terms of its physical appearance.

3) External/User: also known as the subschema. Unlike the first two, here there is not just one user view; the user views are distinct. It defines the user's section of the database, the portion that an individual user is authorized to access, and to that particular user, that user view is the database. For example, if you are in the personnel department, all you will see in the database is what is connected to your job, such as the collection of employee records.
So, let's deal with the two ways of access. First, formal access: application interfaces. Here the DBMS is the one that permits access, authorizing or denying it, and under this mode the DBMS is transparent to users. Also specified here is the DML, or Data Manipulation Language, which is a proprietary programming language used by the DBMS to retrieve, process, and store data. It is said that these may be entire user programs or only selected commands written in universal languages such as Java, C++, COBOL, and FORTRAN. Through this, data resources from the flat-file environment can also be transferred to the database environment.

Meanwhile, informal access: query language, *read ppt* An ad hoc query is created only when questions arise that cannot be answered with predetermined or predefined datasets. This means it is used only to get specific information from a database when needed, unlike standard queries, which are predefined and processed on a regular, recurring basis. For example, if a business tracks daily average users and finds one day that it's 3 percent lower than the previous day, a user would write a series of ad hoc queries to try to identify why.

Now, SQL: this is the standard query language for mainframes and microcomputers. It uses English-like commands that allow users to retrieve, input, and modify data easily. The SELECT command is a powerful tool for retrieving data, so management must ensure that it is not used to achieve unauthorized access to the database.

DBMS Operations: 1) the user program sends a request for data to the DBMS; 2) the DBMS analyzes the request by matching data elements against the user view and the conceptual view; if they match, access is authorized, and if not, it is denied; 3) the DBMS determines data structure parameters from the internal view and passes them to the operating system, which in turn performs the actual data retrieval.
Using the proper access methods, the OS interacts with the disk storage device to retrieve data from the physical database. The data is then stored in a main memory buffer area, which is managed by the DBMS, and after that it is transferred to the user's work location in main memory. From there, it is up to the user what to do with the data resource.

Let's now talk about the Database Administrator. *read ppt* If the organization is large, technical personnel under the DBA may perform these functions, but for smaller businesses it may be someone from the computer service group. We should also note the relationship between the DBA, users, and programmers. In DBMS operations, the DBA also authorizes user requests by programming the user's view, or subschema.

Then, we have the Physical Database. This is the only element with physical form, because the other elements are only abstract representations of the physical level. At the physical level, the database forms a logical collection of records and files that constitute a firm's data resource. This section deals with the data structures used in the physical database. When we say data structures, *read ppt* It also allows movement from one record to another. It has two components: *read ppt* Sequential means the files are stored in contiguous locations that occupy a specified area of disk space, whereas random means exactly that, random: without regard for physical relationship to other records of the same file, the records may be distributed throughout the entire disk. It is said that it is sufficient to deal with access methods at the conceptual level only, but at the technical level they are part of the OS as computer programs. This will be further discussed in Chapter 8.

Before we discuss the different models, let us first review some important database terms: *read ppt* database terminology.
Associations: 1) for every employee in the employee table, there is an occurrence of one or zero new employee in the employee table in a year; 2) for every customer in the customer table, there are zero, one, or many sales orders in the sales order table; 3) an example here is the relationship between the business and its suppliers. A supplier can provide the business with zero, one, or many inventory items. Likewise, the business can of course buy inventory items from zero, one, or many suppliers.

Now let's talk about the Database Models. We have three types: the hierarchical model, the network model, and the relational model. It is said that among these three, the first two are known as navigational models because of explicit links or paths among their data elements, whereas in the relational model the links among its data elements are implicit.

The Hierarchical Model: from the word itself, hierarchical means there is a hierarchy, so there is something above and something below. This is known as parent and child. An example of this in practice: when we retrieve an invoice line item record, the DBMS must first access the root segment, which is the customer record. However, this model has a limitation that causes a larger cost due to data redundancy: each child must have only one parent. In reality, for example, when there is a customer purchase, it is not only the customer file that is involved but also the salesperson file. Since both need the customer purchase record, they each have to create their own file through duplication so that they can access the record. This is a limitation on data integration; to solve it, we now have the network model.

The Network Model, compared to the hierarchical model, permits a child to have multiple parents.
As we can see in the diagram, Invoice number 1 is a child of both Salesperson No. 1 and Customer No. 5. It also has two links to related records, or siblings. The first is the link in Salesperson to Invoice number 2, which resulted from a sale by salesperson number 1 to customer no. 6; and the second link is the customer link from salesperson no. 1 to invoice no. 3, which resulted from a sale to customer no. 5 by salesperson no. 2. And so on, and so forth. So that is how the network model works: it eliminates the problem of duplication in the hierarchical model because the integration of data is more effective in this model.

Now, for the last model, we have the relational model. This is made up from related algebraic equations and set theory, and it portrays data in a 2D form of tables. Let us take the illustration given in figure 4.14: this is the database table called Customer. Here, the parts at the top that create columns are called attributes, while those that form rows are called tuples. In layman's terms, tuples are used to store multiple items in a single variable. It is like a function of x, in that the value of T is (20, Jessa, 49), wherein 20 is her age, Jessa is her name, and 49 is her weight. And in this Customer table, there are four characteristics that it must have:

So, another difference between this and the other two models is that the linkages are implicit. In this model, relations are formed by an attribute that is common to both tables in the relation, and linkages between records in related tables are established through logical operations of the DBMS rather than through explicit addresses that are structured into the database. To illustrate, let's take this diagram as an example. From the customer file, we can see the customer no. key, and using that embedded foreign key, we can see in the sales invoice the invoice # key, which directs us to the line item file for a specific view of how the amount of 800 pesos was arrived at, and we can see as well in the cash receipts, using the customer # key, whether it has been paid. With that, this model caters to the associations. For instance, one-to-many uses embedded keys, just like this data integration between the sales invoice and the cash receipts tables with the customer # key. For many-to-many, embedded foreign keys are not needed, because what is needed is a separate link table that contains the keys for the related tables. It will be further discussed in Chapter 8.

The only thing we need to remember here is the following controls an organization should have:

CONTROLS: There must be use of User's Authority; and Database Access Authority must be separate from Systems Development (aka Programmers).
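
As an added example (not part of the lecture or its slides), the relational linkage described above can be followed in code and turned into simple audit tests: one that traces an invoice through its embedded keys, and others that flag broken links, amounts that do not agree with their line items, and unpaid balances. The table names, column names, and customer and invoice numbers are assumptions with constructed sample rows; only the 800 amount comes from the illustration above.

```python
import sqlite3

SCHEMA = """
CREATE TABLE customer      (cust_no INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE sales_invoice (invoice_no INTEGER PRIMARY KEY, cust_no INTEGER, amount REAL);
CREATE TABLE line_item     (invoice_no INTEGER, item_no INTEGER, qty INTEGER, unit_price REAL);
CREATE TABLE cash_receipt  (remit_no INTEGER PRIMARY KEY, cust_no INTEGER, amount REAL);
-- Assumed names, constructed rows; invoice 1923 deliberately points at a missing customer.
INSERT INTO customer VALUES (1875, 'Sample Customer');
INSERT INTO sales_invoice VALUES (1921, 1875, 800.0), (1922, 1875, 500.0), (1923, 9999, 120.0);
INSERT INTO line_item VALUES (1921, 1, 10, 20.0), (1921, 2, 1, 600.0), (1922, 1, 5, 90.0);
INSERT INTO cash_receipt VALUES (1, 1875, 800.0);
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def trace_invoice(db, invoice_no):
    """Follow the embedded keys: invoice -> customer, invoice -> line items."""
    return db.execute("""
        SELECT c.name, i.amount, SUM(l.qty * l.unit_price)
        FROM sales_invoice i JOIN customer c ON c.cust_no = i.cust_no
        JOIN line_item l ON l.invoice_no = i.invoice_no
        WHERE i.invoice_no = ? GROUP BY i.invoice_no""", (invoice_no,)).fetchone()

def orphan_invoices(db):
    """Invoices whose customer # key matches no customer row (broken implicit link)."""
    rows = db.execute("""
        SELECT i.invoice_no FROM sales_invoice i
        LEFT JOIN customer c ON c.cust_no = i.cust_no
        WHERE c.cust_no IS NULL""")
    return sorted(r[0] for r in rows)

def mismatched_invoices(db):
    """Invoices whose stated amount differs from the sum of their line items."""
    rows = db.execute("""
        SELECT i.invoice_no FROM sales_invoice i
        LEFT JOIN line_item l ON l.invoice_no = i.invoice_no
        GROUP BY i.invoice_no, i.amount
        HAVING i.amount <> COALESCE(SUM(l.qty * l.unit_price), 0)""")
    return sorted(r[0] for r in rows)

def open_balance(db, cust_no):
    """Total invoiced minus total received, matched on the customer # key."""
    q = "SELECT COALESCE(SUM(amount), 0) FROM {} WHERE cust_no = ?"
    totals = [db.execute(q.format(t), (cust_no,)).fetchone()[0] for t in ("sales_invoice", "cash_receipt")]
    return totals[0] - totals[1]
```

Because the links are only matching key values, nothing in these tables stops an invoice from carrying a customer number that does not exist, which is why the orphan check is worth running as an audit test.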