Uploaded by Kiara Lairel

Explanation in CIS

Good afternoon everyone. To continue our discussion in Information Technology Auditing,
let’s now proceed to Chapter 4, which is part 2 of last meeting’s topic; today, we will
discuss Auditing Database Systems. But before that, let us all be guided by the outline of my
discussion. *read overview*
To proceed, when we say Database, the term is used in a broad context, which is why we have
2 general approaches: the flat-file and the database. When we speak of the flat-file
approach, *read first bullet* Legacy systems are those large mainframe systems; these are
the old, long-established systems. They are somewhat out of date and old, but organizations
still use them. Systems like these no longer need support and maintenance. Let us take for
example Windows XP, Windows Vista, and Windows 7. Just because it’s old does not mean
it’s obsolete.
This means it serves only the specific need of a single owner, so there is no data integration.
Also, the data files have no structured relationship to other files. In other words, that data
is for the specific use of its owner only, and that’s it. Because of this, various problems
arise, such as data storage, because the files become redundant. If the Sales Department
needs the same file, it has to obtain separate data for that specific need. Because of that,
many data files end up in storage, and this becomes costly for the organization.
The next problem is data updating: if a file changes, the other departments will not know
right away because the files are not connected, and the updating becomes a redundant task
yet again.
The third problem is the currency of information: because the files cannot be updated right
away, chances are some decisions will be based on outdated information.
The last is task-data dependency: because the users here prefer to work independently,
most of the time they will just look for new information by procuring new data files.
That alone is already costly to the organization; it takes time, performance slows down, and
the files become redundant. Fortunately, something new came along to lessen these
problems: we now have the database approach.
In the database approach, there is now a DBMS that works as a facilitator in the middle. Since
it is also centralized, this time there is a user community, unlike in the flat-file approach.
Also, through the DBMS, we can see which data files users are authorized to access.
Of course, just because there is a user community does not mean you can see everything.
No, access to the data still has to be authorized. And this is where the auditor’s work comes
in, because the auditor will check whether the controls the organization applies to the
security of files are effective, such as what its access controls are. As for the organization,
there should be user authority assigned, because the DBMS validates and authorizes
access to the data based on the user’s authority. If you are not authorized to access, the
DBMS of course denies it. And since it is centralized, there is now sharing of data, which also
means that the flat-file problems mentioned earlier are eliminated.
Now, we proceed to the key elements of the database environment. We have the DBMS, the
users, the physical database, the database administrator, and the DBMS models. So, the
relationship among these elements:
First is the database management system, the central element, which provides a
controlled environment because it is the one that authorizes access to the data resources.
Read 1st bullet: because the DBMS contains application development software, which is
used to access the database.
Read 2nd bullet: so if a disaster ever happens, such as program errors, the DBMS can
recover the earlier version. Although not everything, but without this feature, the result
would be total data loss.
Read 3rd bullet: so, the history of where and when the data was used, and who used it,
would not be known, which is used by the Database administrator, who assigns the user
authorization and maintains the database. Later we will see more of the DBA’s different
functions.
Read 4th bullet: This is the most important feature of the DBMS: permitting access
to authorized users, whether formal or informal access.
Just another term: DDL is a programming language that is used to define the database
by identifying the names and relationships of all data elements, records, files, and such. It has
three levels called views, so we have the database views:
1) Internal/Physical – this is the physical arrangement of records in the database, such as the
structures of data records, links between files and such. This is the lowest level of
representation, which is one step removed from the physical database. Also, there is only one
internal view for the database.
2) Conceptual/Logical – aka schema; there is likewise only one conceptual view for the
database. It describes the entire database and represents it logically and abstractly, not just
its physical appearance.
3) External/User – aka subschema; unlike the first two, here there is not just one user view;
they are distinct. It defines the user’s section of the database, the portion that only an
individual user is authorized to access, and to that particular user, that user view
is the database. For example, if you are in the personnel department, all you will see in the
database is what is connected to your work, such as the collection of employee records.
So, let’s deal with the two ways of access:
1st, formal access: application interfaces. Here the DBMS is the one that permits, authorizing
or denying the access, and under this mode the DBMS is transparent to users. Also
specified here is DML, or the Data Manipulation Language, which is a proprietary programming
language used by the DBMS to retrieve, process, and store data. So, it is said that what it
contains can be entire user programs or only selected commands written in universal
languages like JAVA, C++, COBOL, and FORTRAN. Through this, data resources
from the flat-file environment can also be transferred to the database environment.
While for informal access: query language, *read ppt* When we say ad hoc queries, these
are created only when questions arise that cannot be answered with predetermined or
predefined datasets. This means they are used only to get specific information from a
database when needed, unlike standard queries, which are predefined and processed on a
regular, recurring basis. For example, if a business tracks daily average users and finds one
day that it’s 3 percent lower than the previous day, a user would write a series of ad hoc
queries to try to identify why. Now, SQL: this is the standard query language for mainframes
and microcomputers. It uses English-like commands that allow users to retrieve, input, and
modify data easily. And the SELECT command is a powerful tool to retrieve data. So,
management must ensure that it is not used to achieve unauthorized access to the database.
DBMS Operations: 1) the user program sends a request for data to the DBMS; 2) the DBMS
analyzes the request by matching data elements against the user and conceptual views; if
they match, access is authorized, and if not, it is denied; 3) the DBMS determines data
structure parameters from the internal view and passes them to the operating system, which
performs the actual data retrieval. Using the proper access methods, the OS interacts with
the disk storage device to retrieve data from the physical database. The data is then stored
in a main memory buffer area, which is managed by the DBMS. After that, the data is
transferred to the user’s work location in main memory. From there, it is up to the user what
to do with the data resource.
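An added example, not part of the original script or its slides: step 2 of the DBMS operations above, with the user view enforced by the database engine itself. It uses the authorizer hook of Python's sqlite3 as a stand-in for a DBMS; the user names, the employee table and its rows are constructed for illustration.

```python
import sqlite3

# Constructed subschemas (user views): table -> columns each user may read.
USER_VIEWS = {
    "personnel_clerk": {"employee": {"emp_no", "name", "department"}},
    "payroll_clerk": {"employee": {"emp_no", "name", "salary"}},
}
# Conceptual view (schema) with constructed sample rows.
SCHEMA = """
CREATE TABLE employee (emp_no INTEGER PRIMARY KEY, name TEXT,
                       department TEXT, salary INTEGER);
INSERT INTO employee VALUES (1, 'A. Cruz', 'Sales', 30000),
                            (2, 'B. Reyes', 'Audit', 35000);
"""

def open_as(user, usage_log):
    """Open the database with every request checked against the user's view."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    view = USER_VIEWS.get(user, {})  # unknown user: empty view, everything denied

    def authorizer(action, arg1, arg2, db_name, source):
        # SQLite calls this while compiling a statement, once per column read.
        if action == sqlite3.SQLITE_SELECT:
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ and arg2 in view.get(arg1, set()):
            return sqlite3.SQLITE_OK
        usage_log.append((user, arg1, arg2))  # denied element, kept for review
        return sqlite3.SQLITE_DENY

    conn.set_authorizer(authorizer)
    return conn

def request(user, sql, usage_log):
    """Return the rows, or raise PermissionError if the user view does not match."""
    denied_before = len(usage_log)
    conn = open_as(user, usage_log)
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        if len(usage_log) > denied_before:
            raise PermissionError(f"{user}: {exc}") from exc
        raise
    finally:
        conn.close()
```

The list passed as `usage_log` collects every denied data element, which is the kind of record a DBA or auditor would review when testing access controls.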
Let’s now talk about the Database Administrator, *read ppt* so if the organization is large,
technical personnel under the DBA may perform these functions, but for smaller businesses,
it may be someone from the computer service group. We should also note the relationship
between the DBA, users, and programmers. In DBMS operations, the DBA also authorizes
user requests by programming the user’s view or the subschema.
Then, we have the Physical Database. This is the only one with a physical form, because the
other elements are only abstract representations of the physical level. At the physical level,
the database forms a logical collection of records and files that constitute a firm’s data
resource. This section deals with the data structures used in the physical database. When we
say data structures, *read ppt* It also allows movement from one record to another. It has two
components: *read ppt* when we say sequential, files are stored in contiguous locations that
occupy a specified area of disk space, whereas when we say random, it is literally random:
without regard for physical relationship to other records of the same file, they may be
distributed throughout the entire disk.
It is said that it is sufficient to deal with access methods at the conceptual level only, but
at the technical level, they are part of the OS as computer programs. This will be
further discussed in Chapter 8.
Before we discuss the different models, let’s first review some important database terms:
*read ppt* database terminology.
Associations: 1) for every employee in the employee table, there is an occurrence of one or
zero new employee in the employee table in a year; 2) for every customer in the customer
table, there are zero, one, or many sales orders in the sales order table; 3) an example here is
the relationship between the business and its suppliers. A supplier can provide the business
with zero, one, or many inventory items. Likewise, the business can of course buy inventory
items from zero, one, or many suppliers.
Now, let’s talk about the Database Models. We have three types: the
hierarchical model, the network model, and the relational model. It is said that among these
three, the first two are known as navigational models because of the explicit links or paths
among their data elements, whereas in the relational model, the links among its
data elements are implicit.
The Hierarchical Model – from the word itself, hierarchical, it means there is a hierarchy, so
some are above and some are below. This is known as the parent and child.
So, an example of this in reality is when we retrieve an invoice line item record: the DBMS
first has to access the root segment, which is the customer record.
However, this model has a limitation that causes a larger cost due to
data redundancy: each child may have only one parent. In reality, for
example, there is a customer purchase, and it involves not only the customer file
but also the salesperson file. Since both of them need the customer purchase record,
each has to create its own file through duplication so that it can access the
record. This is a limitation to data integration; to solve it, we now have the network
model.
When we say Network Model, compared to the hierarchical model, this model permits a
child to have multiple parents. As we can see in the diagram, Invoice number 1 is a child of
both Salesperson No. 1 and Customer No. 5. It also has two links to related
records or siblings. The first is the link in Salesperson to Invoice number 2, which resulted
from a sale of salesperson number 1 to customer no. 6; and the second link is the customer
link from salesperson no. 1 to invoice no. 3, which resulted from a sale to customer no. 5 by
salesperson no. 2. And so on, and so forth. So, this is how the network model eliminates the
problem of duplication in the hierarchical model, because the integration of
data is more effective in this model.
Now, for the last model, we have the relational model; this is made up from related algebraic
equations and set theory, and it portrays a 2D form of tables.
Let us take the illustration given in figure 4.14; this is the database table called Customer.
Here, those in the upper part that create columns are called attributes, while those that form
rows are called tuples. Tuples, in layman’s terms, are used to store
multiple items in a single variable. It is like an x function in that the value of T is
(20, Jessa, 49), wherein 20 is her age, Jessa is her name, and 49 is her weight, and so on.
And in this Customer table, there are four characteristics that it must have:
So, what also differentiates this from the other 2 models is that the linkages are implicit. In
this model, relations are formed by an attribute that is common to both tables in the relation,
and linkages between records in related tables are established through logical operations of
the DBMS rather than through explicit addresses that are structured in the database. To
illustrate, let’s take this diagram as an example. From the customer file, we can see the
customer no. key, and using that embedded foreign key, we can see in the sales invoice the
invoice # key, which directs us to the line item file for a specific view of how the amount of
800 pesos was arrived at, and, using the customer # key, we can also see in the cash
receipts whether it has been paid. With that, this model caters to the associations: for
one-to-many, for instance, by using embedded keys, just like this data integration between
the sales invoice and the cash receipts tables through the customer # key. For many-to-many,
embedded foreign keys are no longer needed, because what is needed is a separate link
table that contains the keys of the related tables. It will be further discussed in Chapter 8.
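An added example, not part of the original script or its figure: the implicit linkages described above, written as joins on shared keys in Python's sqlite3. Table names, column names and all rows are constructed; only the invoice amount of 800 comes from the discussion.

```python
import sqlite3
# Constructed sample data; table and column names are assumptions, not the figure's.
SCHEMA = """
CREATE TABLE customer (cust_no INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE sales_invoice (invoice_no INTEGER PRIMARY KEY, amount INTEGER,
    cust_no INTEGER REFERENCES customer(cust_no));
CREATE TABLE line_item (invoice_no INTEGER REFERENCES sales_invoice(invoice_no),
    item_no INTEGER, qty INTEGER, unit_price INTEGER);
CREATE TABLE cash_receipt (remit_no INTEGER PRIMARY KEY, amount INTEGER,
    cust_no INTEGER REFERENCES customer(cust_no));
-- Many-to-many: a separate link table holds the keys of both related tables.
CREATE TABLE inventory (item_no INTEGER PRIMARY KEY, descr TEXT);
CREATE TABLE supplier (supplier_no INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE item_supplier (item_no INTEGER REFERENCES inventory(item_no),
    supplier_no INTEGER REFERENCES supplier(supplier_no));
INSERT INTO customer VALUES (1, 'Customer A');
INSERT INTO sales_invoice VALUES (101, 800, 1);
INSERT INTO line_item VALUES (101, 11, 10, 45), (101, 12, 1, 350);
INSERT INTO cash_receipt VALUES (501, 800, 1);
INSERT INTO inventory VALUES (11, 'Item 11'), (12, 'Item 12');
INSERT INTO supplier VALUES (21, 'Supplier X'), (22, 'Supplier Y');
INSERT INTO item_supplier VALUES (11, 21), (11, 22), (12, 21);
"""

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def trace_invoices(conn, cust_no):
    """customer # -> invoice # -> line items: (invoice, billed, recomputed)."""
    return conn.execute(
        """SELECT i.invoice_no, i.amount, SUM(l.qty * l.unit_price)
           FROM sales_invoice i JOIN line_item l ON l.invoice_no = i.invoice_no
           WHERE i.cust_no = ? GROUP BY i.invoice_no, i.amount""",
        (cust_no,)).fetchall()

def open_balance(conn, cust_no):
    """Billed minus received, linked only through the customer # key."""
    return conn.execute(
        """SELECT (SELECT COALESCE(SUM(amount), 0) FROM sales_invoice WHERE cust_no = :c)
                - (SELECT COALESCE(SUM(amount), 0) FROM cash_receipt WHERE cust_no = :c)""",
        {"c": cust_no}).fetchone()[0]

def suppliers_of(conn, item_no):
    """Resolve the many-to-many association through the link table."""
    rows = conn.execute(
        """SELECT s.name FROM item_supplier x JOIN supplier s USING (supplier_no)
           WHERE x.item_no = ? ORDER BY s.name""", (item_no,)).fetchall()
    return [name for (name,) in rows]
```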
The only thing we need to remember here is the following controls an organization should apply:
CONTROLS: There should be use of User’s Authority; and Database Access
Authority should be separate from Systems Development (aka Programmers).