CHAPTER 1: AUDITING, ASSURANCE, & INTERNAL CONTROL

By: Roxy <333

AUDITING
Auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria, and communicating the results to interested users.

INTERNAL AUDITS
Internal auditing: independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization
• Financial Audits
• Operational Audits
• Compliance Audits
• Fraud Audits
• IT Audits
  ✓ CIA
  ✓ IIA

IT AUDITS
• IT audits: provide audit services where processes or data, or both, are embedded in technologies.
• Subject to ethics, guidelines, and standards of the profession (if certified)
  ✓ CISA
  ✓ Most closely associated with ISACA
• Joint with internal, external, and fraud audits
• Scope of IT audit coverage is increasing
• Characterized by CAATTs
• IT governance as part of corporate governance

FRAUD AUDITS
• Fraud audits: provide investigation services where anomalies are suspected, to develop evidence to support or deny fraudulent activities.
• Auditor is more like a detective
• No materiality
• Goal is conviction, if sufficient evidence of fraud exists
  ✓ CFE
  ✓ ACFE

EXTERNAL AUDITS
• External auditing: Objective is that in all material respects, financial statements are a fair representation of organization’s transactions and account balances.
  ✓ SEC’s role
  ✓ Accountancy Act of 2004
  ✓ PRC-BOA CPA

EXTERNAL vs. INTERNAL
External auditing:
  o Independent auditor (CPA)
  o Independence defined by SEC/S-OX/AIC
  o Required by SEC for publicly traded companies
  o Referred to as a “financial audit”
  o Represents interests of outsiders, “the public” (e.g., stockholders)
  o Standards, guidance, certification governed by PICPA, PRC-BOA, SEC; delegated by SEC who has final authority
Internal auditing:
  o Auditor (often a CIA or CISA)
  o Is an employee of organization imposing independence on self
  o Optional per management requirements
  o Broader services than financial audit; (e.g., operational audits)
  o Represent interests of the organization
  o Standards, guidance, certification governed by IIA and ISACA

FINANCIAL AUDITS
• An independent attestation performed by an expert (i.e., an auditor, a CPA) who expresses an opinion regarding the presentation of financial statements
• Key concept: Independence
• {Should be} Similar to a trial by judge
• Culmination of systematic process involving:
  ✓ Familiarization with the organization’s business
  ✓ Evaluating and testing internal controls
  ✓ Assessing the reliability of financial data
• Product is formal written report that expresses an opinion about the reliability of the assertions in financial statements; in conformity with GAAP

ATTEST definition
  ✓ Written assertions
  ✓ Practitioner’s written report
  ✓ Formal establishment of measurement criteria or their description
  ✓ Limited to:
    ▪ Examination
    ▪ Review
    ▪ Application of agreed-upon procedures

AUDITS
• Systematic process
• Five primary management assertions, and correlated audit objectives and procedures
  ✓ Existence or Occurrence
  ✓ Completeness
  ✓ Rights & Obligations
  ✓ Valuation or Allocation
  ✓ Presentation or Disclosure
➢ Phases [Figure 1-3]
  1. Planning
  2. Obtaining evidence
     ✓ Tests of Controls
     ✓ Substantive Testing
       o CAATTs
       o Analytical procedures
  3. Ascertaining reliability
     ✓ MATERIALITY
  4. Communicating results
     ✓ Audit opinion

Audit Risk Formula

AUDIT RISK:
▪ The probability that the auditor will give an inappropriate opinion on the financial statements: that is, that the statements will contain material misstatement(s) which the auditor fails to find

INHERENT RISK:
▪ The probability that material misstatements have occurred
  ✓ Material vs. Immaterial
▪ Includes economic conditions, etc.
▪ Relative risk (e.g., cash)

CONTROL RISK:
▪ The probability that the internal controls will fail to detect material misstatements

DETECTION RISK:
▪ The probability that the audit procedures will fail to detect material misstatements
▪ Substantive procedures

AUDIT RISK MODEL:
▪ AR = IR * CR * DR
▪ example inventory with: IR=40%, CR=60%, AR=5% (fixed)
▪ .05 = .4 * .6 * DR ... then DR=4.8%
▪ Why is AR = 5%?
▪ What is detection risk?
▪ Can CR realistically be 0?
▪ Relationship between DR and substantive procedures
▪ Relationship between tests of controls and substantive tests
  o Illustrate higher reliability of the internal controls and the Audit Risk Model
  o What happens if internal controls are more reliable than last audit
  o Last year: .05 = .4 * .6 * DR [DR = 4.8]
  o This year: .05 = .4 * .4 * DR [DR = 3.2]
  o The more reliable the internal controls, the lower the CR probability; thus the lower the DR will be, and fewer substantive tests are necessary.
  o Substantive tests are labor intensive

Role of Audit Committee
• Selected from board of directors
• Usually three members
• Outsiders (SEC now requires it)
• Fiduciary responsibility to shareholders
• Serve as independent check and balance system
• Interact with internal auditors
• Hire, set fees, and interact with external auditors
• Resolve conflicts of GAAP between external auditors and management

What is an IT Audit?
  o most accounting transactions to be in electronic form without any paper documentation because electronic storage is more efficient.
These technologies greatly change the nature of audits, which have so long relied on paper documents.

THE IT ENVIRONMENT
• There has always been a need for an effective internal control system.
• The design and oversight of that system has typically been the responsibility of accountants.
• The I.T. Environment complicates the paper systems of the past.
  o Concentration of data
  o Expanded access and linkages
  o Increase in malicious activities in systems vs. paper
  o Opportunity that can cause management fraud (i.e., override)
• Audit planning
• Tests of controls
• Substantive test CAATTs

INTERNAL CONTROL is policies, practices, procedures designed to …
• safeguard assets
• ensure accuracy and reliability
• promote efficiency
• measure compliance with policies

BRIEF HISTORY - COSO
Committee of Sponsoring Organizations - 1992
1. AICPA, AAA, FEI, IMA, IIA
2. Developed a management perspective model for internal controls over a number of years
3. Is widely adopted

EXPOSURES AND RISK
• Exposure - Absence or weakness of a control
• Risks - Potential threat to compromise use or value of organizational assets
Types of risk
▪ Destruction of assets
▪ Theft of assets
▪ Corruption of information or the I.S.
▪ Disruption of the I.S.

THE P-D-C MODEL
▪ Preventive controls
▪ Detective controls
▪ Corrective controls
  ✓ Which is most cost effective?
  ✓ Which one tends to be proactive measures?
  ✓ Can you give an example of each?
▪ Predictive controls

Consideration of Internal Control in a Financial Statement Audit
▪ COSO
  ✓ The control environment
  ✓ Risk assessment
  ✓ Information & communication
  ✓ Monitoring
  ✓ Control activities

#1: Control Environment -- Elements
▪ The integrity and ethical values
▪ Structure of the organization
▪ Participation of audit committee
▪ Management’s philosophy and style
▪ Procedures for delegating
▪ Management’s methods of assessing performance
▪ External influences
▪ Organization’s policies and practices for managing human resources

#1: Control Environment – Techniques
▪ Assess the integrity of organization’s management
▪ Conditions conducive to management fraud
▪ Understand client’s business and industry
▪ Determine if board and audit committee are actively involved
▪ Study organization structure

#2: Risk Assessment
▪ Changes in environment
▪ Changes in personnel
▪ Changes in I.S.
▪ New IT’s
▪ Significant or rapid growth
▪ New products or services (experience)
▪ Organizational restructuring
▪ Foreign markets
▪ New accounting principles

#3: Information & Communication - Elements
▪ Initiate, identify, analyze, classify and record economic transactions and events.
▪ Identify and record all valid economic transactions
▪ Provide timely, detailed information
▪ Accurately measure financial values
▪ Accurately record transactions
▪ Auditors obtain sufficient knowledge of I.S.’s to understand:
  ✓ Classes of transactions that are material
  ✓ Accounting records and accounts used
  ✓ Processing steps: initiation to inclusion in financial statements (illustrate)
  ✓ Financial reporting process (including disclosures)

#4: Monitoring
▪ By separate procedures (e.g., tests of controls)
▪ By ongoing activities (Embedded Audit Modules – EAMs and Continuous Online Auditing - COA)

#5: Control Activities
Physical Controls (1-3)
1. Transaction authorization
   Example:
   • Sales only to authorized customer
   • Sales only if available credit limit
2. Segregation of duties
   Examples of incompatible duties:
   • Authorization vs. processing [e.g., Sales vs. Auth. Cust.]
   • Custody vs. recordkeeping [e.g., custody of inventory vs. DP of inventory]
   • Fraud requires collusion [e.g., separate various steps in process]
3. Supervision
   • Serves as compensating control when lack of segregation of duties exists by necessity
Physical Controls (4-6)
4. Accounting records (audit trails; examples)
5. Access controls
   • Direct (the assets)
   • Indirect (documents that control the assets)
   • Fraud
   • Disaster Recovery
6. Independent verification
   • Management can assess:
     ▪ The performance of individuals
     ▪ The integrity of the AIS
     ▪ The integrity of the data in the record
   • Examples

IT Risks Model
• Operations
• Data management systems
• New systems development
• Systems maintenance
• Electronic commerce (The Internet)
• Computer applications

CHAPTER 2: AUDITING IT GOVERNANCE CONTROLS

STRUCTURING THE IT FUNCTION
• Centralized data processing
• Organizational chart
  ✓ Database administrator (DBA)
  ✓ Data processing manager/dept.
    o Data control
    o Data preparation/conversion
    o Computer operations
    o Data library
• Systems development & Systems maintenance
  ✓ Participants
    o End users
    o IS professionals
    o Auditors
    o Other stakeholders

Segregation of incompatible IT functions
• Objectives:
  ✓ Segregate transaction authorization from transaction processing
  ✓ Segregate record keeping from asset custody
  ✓ Divide transaction processing tasks among individuals such that short of collusion between two or more individuals fraud would not be possible.

SEGREGATION OF INCOMPATIBLE IT FUNCTIONS
1. Separating systems development from computer operations
2. Separating DBA from other functions
   ▪ DBA is responsible for several critical tasks:
     ✓ Database security
     ✓ Creating database schema and user view
     ✓ Assigning database access authority to users
     ✓ Monitoring database usage
     ✓ Planning for future changes
3. Segregate data library from operations
   ▪ Physical security of off-line data files
   ▪ Implications of modern systems on use of data library:
     ✓ Real-time/online vs. batch processing
     ✓ Volume of tape files is insufficient to justify full-time librarian
     ✓ Alternative: rotate on ad hoc basis
     ✓ Custody of on site data backups
     ✓ Custody of original commercial software and licenses
4. Segregate Systems Development from Maintenance
   ▪ Two types of improvements from this approach:
     1. Better documentation standards - Necessary for transfer of responsibility
     2. Deters fraud - Possibility of being discovered

STRUCTURING THE IT FUNCTION
Audit objectives
▪ Risk assessment
▪ Verify incompatible areas are properly segregated
  ✓ How would an auditor accomplish this objective?
▪ Verify formal vs. informal relationships exist between incompatible tasks
  ✓ Why does it matter?

Segregation of incompatible IT functions
▪ Audit procedures:
  ✓ Obtain and review security policy
  ✓ Verify policy is communicated
  ✓ Review relevant documentation (org. chart, mission statement, key job descriptions)
  ✓ Review systems documentation and maintenance records (using a sample)
  ✓ Verify whether maintenance programmers are also original design programmers
  ✓ Observe segregation policies in practice
  ✓ Review operations room access log
  ✓ Review user rights and privileges

The distributed model
▪ Distributed Data Processing (DDP)
▪ Alternative A: centralized
▪ Alternative B: decentralized / network
▪ Risks associated with DDP
  ✓ Inefficient use of resources
  ✓ Mismanagement of resources by end users
  ✓ Hardware and software incompatibility
  ✓ Redundant tasks
  ✓ Destruction of audit trails
  ✓ Inadequate segregation of duties
  ✓ Hiring qualified professionals
  ✓ Increased potential for errors
  ✓ Programming errors and system failures
  ✓ Lack of standards
▪ Advantages of DDP
  ✓ Cost reduction
  ✓ End user data entry vs. data control group
  ✓ Application complexity reduced
  ✓ Development and maintenance costs reduced
  ✓ Improved cost control responsibility
  ✓ If IT is critical to success, then managers must control the technologies
  ✓ Improved user satisfaction
  ✓ Increased morale and productivity
  ✓ Backup flexibility
  ✓ Excess capacity for Disaster Recovery Planning (DRP)
▪ Controlling the DDP environment
  ✓ Need for careful analysis
  ✓ Implement a corporate IT function
    Central systems development
      o Acquisition, testing, and implementation of commercial software and hardware
    User services
      o Help desk: technical support, FAQs, chat room, etc.
    Standard-setting body
    Personnel review
      o IT staff
  ✓ Audit objectives:
    o Conduct a risk assessment
    o Verify the distributed IT units employ entity-wide standards of performance that promote compatibility among hardware, operating software, applications, and data
  ✓ Audit procedures:
    o Verify corporate policies and standards are communicated
    o Review current organization chart, mission statement, key job descriptions to determine if any incompatible duties exist
    o Verify compensating controls are in place where incompatible duties do exist
    o Review systems documentation
    o Verify access controls are properly established

THE COMPUTER CENTER
Computer center controls
• Physical location
  ✓ Avoid human-made and natural hazards
  ✓ Example: Chicago Board of Trade
• Construction
  ✓ Ideally: single-story, underground utilities, windowless, use of filters
  ✓ If multi-storied building, use top floor (away from traffic flows, and potential flooding in a basement)
• Access
  ✓ Physical: Locked doors, cameras
  ✓ Manual: Access log of visitors
• Air conditioning
  ✓ Especially mainframes
  ✓ Amount of heat even from a group of PCs
• Fire suppression
  ✓ Automatic: usually sprinklers
  ✓ Gas, such as halon, that will smother fire by removing oxygen can also kill anybody trapped there
  ✓ Sprinklers and certain chemicals can destroy the computers and equipment
  ✓ Manual methods
• Power supply
  ✓ Need for clean power, at an acceptable level
  ✓ Uninterrupted power supply

Audit objectives
• Verify physical security controls are reasonable
• Verify insurance coverage is adequate
• Verify operator documentation is adequate in case of failure

Audit procedures
• Tests of physical construction
• Tests of fire detection
• Tests of access control
• Tests of backup power supply
• Tests for insurance coverage
• Tests of operator documentation controls

SYSTEM-WIDE CONTROLS
Disaster recovery planning (DRP)
• Critical applications identified and ranked
• Create a disaster recovery team with responsibilities
• Site backup
  ✓ “Hot site” – Recovery Operations Center
  ✓ “Cold site” – empty shell
  ✓ Mutual aid pact
  ✓ Internally provided backup
  ✓ Other options
• Hardware backup
• Software backup: operating system
• Software backup: application software (based on critical application step)
• Data backup
• Supplies (on site)
• Documentation (on site)
  ✓ User manuals
  ✓ System and software technical manuals
• Test!

Disaster Recovery Plan
1. Critical Applications – Rank critical applications so an orderly and effective restoration of computer systems is possible.
2. Create Disaster Recovery Team – Select team members, write job descriptions, describe recovery process in terms of who does what.
3. Site Backup – a backup site facility including appropriate furniture, housing, computers, and telecommunications. Another valid option is a mutual aid pact where a similar business or branch of same company swap availability when needed.
4. Site Backup – a backup site facility including appropriate furniture, housing, computers, and telecommunications. Another valid option is a mutual aid pact where a similar business or branch of same company swap availability when needed.
5. System Software Backup – Some hot sites provide the operating system. If not included in the site plan, make sure copies are available at the backup site.
6. Application Software Backup – Make sure copies of critical applications are available at the backup site.
7. Data Backup – One key strategy in backups is to store copies of data backups away from the business campus, preferably several miles away or at the backup site. Another key is to test the restore function of data backups before a crisis.
8. Supplies – A modicum inventory of supplies should be at the backup site or be able to be delivered quickly.
9. Documentation – An adequate set of copies of user and system documentation.
10. TEST! – The most important element of an effective Disaster Recovery Plan is to test it before a crisis occurs, and to test it periodically (e.g., once a year)

Audit objectives
• Verify management’s DRP is adequate

Audit procedures
• Verify a second-site backup is adequate
• Review the critical application list for completeness
• Verify backups of application software are stored off-site
• Verify that critical data files are backed up and readily accessible to DRP team
• Verify resources of supplies, documents, and documentation are backed up and stored offsite
• Verify that members listed on the team roster are current employees and that they are aware of their responsibilities

Fault tolerance
• 44% of time IS unavailable is due to system failures!
• Controls
  ✓ Redundant systems or parts
  ✓ RAID (Redundant Array of Independent Disks)
  ✓ Uninterrupted Power Supply (UPS)
  ✓ Multiprocessors

Audit objective
• To ensure the organization is employing an appropriate level of fault tolerance

Audit procedures
• Verify proper level of RAID devices
• Review procedures for recovery from system failure
• Verify boot disks are secured

CHAPTER 3: AUDITING OPERATING SYSTEMS AND NETWORKS

Operating system performs three main tasks:
• Translates high-level languages into machine-level language. (Compilers & Interpreters)
• Allocates computer resources to users, workgroups & applications.
• Manages tasks of job scheduling and multiprogramming.
  1) computer operator
  2) various job queues
  3) telecommunications

OPERATING SYSTEMS
• PC
• SMARTPHONES

OPERATING SYSTEM SECURITY
• Log-On Procedure
  ✓ first line of defense--user IDs and passwords
• Access Token
  ✓ contains key information about user
• Access Control List
  ✓ defines access privileges of users
• Discretionary Access Control / Privileges
  ✓ allows User to grant access to another user

OTHER GOOD SECURITY POLICIES
• Formalized procedures for software acquisition
• Security clearances of prospective employees
• Formal acknowledgment by users of their responsibilities to company
• Security group to monitor security violations
• Formal policy for taking disciplinary action against security violators

THREATS TO OPERATING SYSTEM INTEGRITY
• Privileged Personnel Abusing their Authority
  o Systems Administrators & programmers must be given unlimited access to the OS to perform maintenance.
• Browsing
  o looking through memory for sensitive information (e.g., in printer queue)
• Masquerading
  o pretend to be authorized user by getting ID and passwords – shoulder surfing
  o The most common method to get your password is for someone to look over your shoulder! Make sure your password is a combination of upper/lower case letters, numbers, special characters.
• Virus & Worms
  o foreign programs that spread through system
  o virus must attach to another program, worms are self-contained
• Trojan Horse
  o foreign program that conceals itself with another legitimately imported program
• Logic Bomb
  o foreign programs triggered by specific event
• Back Door
  o alternative entry into system
  o Intentional (programmers)
  o Security hole

OPERATING SYSTEMS CONTROLS

Access Privileges
• Audit objectives: verify that access privileges are consistent with separation of incompatible functions and organization policies
• Audit procedures: review or verify…
  ✓ policies for separating incompatible functions
  ✓ a sample of user privileges, especially access to data and programs
  ✓ security clearance checks of privileged employees
  ✓ formal acknowledgments to maintain confidentiality of data
  ✓ users’ log-on times

Password Control
• Audit objectives: ensure adequacy and effectiveness of password policies for controlling access to operating system
• Audit procedures: review or verify…
  ✓ passwords required for all users
  ✓ password instructions for new users
  ✓ passwords changed regularly
  ✓ password file for weak passwords
  ✓ encryption of password file
  ✓ password standards
  ✓ account lockout policies

Audit Trail Controls
• Audit objectives: whether used to (1) detect unauthorized access, (2) facilitate event reconstruction, and (3) promote accountability
• Audit procedures: review or verify…
  ✓ how long audit trails have been in place
  ✓ archived log files for key indicators
  ✓ monitoring and reporting of security violations

Malicious & Destructive Programs
• Audit objectives: verify effectiveness of procedures to protect against programs such as viruses, worms, back doors, logic bombs, and Trojan horses (refer to list)
• Audit procedures: review or verify…
  ✓ training of operations personnel concerning destructive programs
  ✓ testing of new software prior to being implemented
  ✓ currency of antiviral software and frequency of upgrades

INTERNET AND INTRANET RISKS
• Communications is a unique aspect of computer networks:
  o different than processing (applications) or data storage (databases)
• Network topologies – configurations of:
  o communications lines (twisted-pair wires, coaxial cable, microwaves, fiber optics)
  o hardware components (modems, multiplexers, servers, front-end processors)
  o software (protocols, network control systems)

INTERNET RISKS
1. DOS Attack
   o In a DOS Attack, the sender sends hundreds of messages, receives the SYN/ACK packet, but does not respond with an ACK packet. This leaves the receiver with clogged transmission ports, and legitimate messages cannot be received.
2. SMURF & SYN ATTACK

SOURCES OF INTERNET & INTRANET RISKS
Internal and external subversive activities
Audit objectives:
  ✓ prevent and detect illegal internal and Internet network access
  ✓ render useless any data captured by a perpetrator
  ✓ preserve the integrity and physical security of data connected to the network
Equipment failure
  ✓ Audit objective: the integrity of the electronic commerce transactions by determining that controls are in place to detect and correct message loss due to equipment failure

IC for Subversive Threats
Firewalls provide security by channeling all network connections through a control gateway.
• Network level firewalls
  o Low cost and low security access control
  o Do not explicitly authenticate outside users
  o Filter junk or improperly routed messages
  o Experienced hackers can easily penetrate the system
• Application level firewalls
  o Customizable network security, but expensive
  o Sophisticated functions such as logging or user authentication
• Denial-of-service (DOS) attacks
  o Security software searches for connections which have been half-open for a period of time.
• Encryption
  o Computer program transforms a clear message into a coded (cipher) text form using an algorithm
    ✓ Private Encryption
    ✓ Triple DES Encryption (EEE3 & EDE3)
    ✓ Public Key Encryption
    ✓ RSA
    ✓ Digital Envelope = RSA + DES

Standard Data Encryption Technique

IC for Subversive Threats
• Digital signature – electronic authentication technique to ensure that…
  ✓ transmitted message originated with the authorized sender
  ✓ message was not tampered with after the signature was applied
• Digital certificate – like an electronic identification card used with a public key encryption system
  ✓ Verifies the authenticity of the message sender
• Message sequence numbering – sequence number used to detect missing messages
• Message transaction log – listing of all incoming and outgoing messages to detect the efforts of hackers
• Request-response technique – random control messages are sent from the sender to ensure messages are received
• Call-back devices – receiver calls the sender back at a pre-authorized phone number before transmission is completed

Auditing Procedures for Subversive Threats
• Review firewall effectiveness in terms of flexibility, proxy services, filtering, segregation of systems, audit tools, and probing for weaknesses.
• Review data encryption security procedures
• Verify encryption by testing
• Review message transaction logs
• Test procedures for preventing unauthorized calls

IC for Equipment Failure
Line errors are data errors from communications noise.
Two techniques to detect and correct such data errors are:
  ✓ echo check - the receiver returns the message to the sender
  ✓ parity checks - an extra bit is added onto each byte of data similar to check digits

Auditing Procedures for Equipment Failure
• Using a sample of messages from the transaction log:
  ✓ examine them for garbled contents caused by line noise
  ✓ verify that all corrupted messages were successfully retransmitted
• Vertical and Horizontal Parity

Electronic Data Interchange
• Electronic data interchange (EDI) uses computer-to-computer communications and a standard format for messaging between two dissimilar systems. Exchange of computer-processible business info in standard format.
• Audit objectives:
  ✓ Transactions are authorized, validated, and in compliance with the trading partner agreement.
  ✓ No unauthorized organizations can gain access to database
  ✓ Authorized trading partners have access only to approved data.
  ✓ Adequate controls are in place to ensure a complete audit trail.

Notes on EDI:
  ✓ Is an inter-organization endeavor.
  ✓ IS of the trading partners process the transactions.
  ✓ Transactions are transmitted in standardized format
  ✓ Directly to trading partner.
  ✓ Use of a third party value added network (VAN)
  ✓ Benefit
  ✓ FINANCIAL EDI – uses intermediary such as banks (OBK, RBK & ACH).
  ✓ Converting remittance information to electronic form is a challenge.
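The vertical and horizontal parity check listed under IC for Equipment Failure above, worked through on a constructed message (an added example, not part of the original notes). It assumes even parity, 7-bit characters, "vertical" meaning the parity bit on each character and "horizontal" meaning a block check word over each bit position; all function names are illustrative.

```python
from typing import List, NamedTuple, Optional, Tuple


def parity_bit(value: int) -> int:
    """Return 1 when value has an odd number of 1 bits, else 0."""
    return bin(value).count("1") & 1


def encode_block(message: bytes) -> List[int]:
    """Add a parity bit (bit 7) to each character, then append a block check word."""
    words = []
    for ch in message:
        if ch > 0x7F:
            raise ValueError("example handles 7-bit characters only")
        words.append(ch | (parity_bit(ch) << 7))  # vertical parity: one bit per character
    check = 0
    for word in words:
        check ^= word  # horizontal parity: one bit per bit position
    return words + [check]


class CheckResult(NamedTuple):
    status: str                          # "ok", "corrected" or "retransmit"
    words: List[int]                     # block after any correction
    fixed_at: Optional[Tuple[int, int]]  # (word index, bit index) that was repaired


def check_block(words: List[int]) -> CheckResult:
    """Receiver side: find rows and columns whose parity is wrong."""
    bad_rows = [i for i, word in enumerate(words) if parity_bit(word)]
    syndrome = 0
    for word in words:
        syndrome ^= word
    bad_cols = [bit for bit in range(8) if (syndrome >> bit) & 1]
    if not bad_rows and not bad_cols:
        return CheckResult("ok", list(words), None)
    if len(bad_rows) == 1 and len(bad_cols) == 1:
        # One bad row and one bad column intersect at the single flipped bit.
        repaired = list(words)
        repaired[bad_rows[0]] ^= 1 << bad_cols[0]
        return CheckResult("corrected", repaired, (bad_rows[0], bad_cols[0]))
    # Anything else cannot be located: the message must be sent again.
    return CheckResult("retransmit", list(words), None)


def decode_block(words: List[int]) -> bytes:
    """Drop the parity bits and the trailing block check word."""
    return bytes(word & 0x7F for word in words[:-1])


def flip(words: List[int], *positions: Tuple[int, int]) -> List[int]:
    """Simulate line noise by flipping the given (word index, bit index) pairs."""
    noisy = list(words)
    for row, bit in positions:
        noisy[row] ^= 1 << bit
    return noisy


def passes_character_parity_only(words: List[int]) -> bool:
    """What a receiver sees if it checks only the per-character parity bit."""
    return all(parity_bit(word) == 0 for word in words[:-1])


if __name__ == "__main__":
    block = encode_block(b"PAY 1500")  # constructed sample message
    cases = {
        "clean": block,
        "one bit flipped": flip(block, (4, 2)),
        "two bits, same character": flip(block, (4, 0), (4, 1)),
        "four bits in a rectangle": flip(block, (4, 0), (4, 1), (5, 0), (5, 1)),
    }
    for label, received in cases.items():
        result = check_block(received)
        print(f"{label:26} received={decode_block(received)!r:14} "
              f"status={result.status:10} after={decode_block(result.words)!r}")
```

The last case passes both checks while carrying a changed amount, which is why the audit procedure above still samples the transaction log for garbled contents.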
EDI Risks
• Authorization - automated and absence of human intervention
• Access - need to access EDI partner’s files
• Audit trail - paperless and transparent (automatic) transactions

EDI Controls
• Authorization - use of passwords and value added networks (VAN) to ensure valid partner
• Access - software to specify what can be accessed and at what level
• Audit trail - control log records the transaction’s flow through each phase of the transaction processing

Auditing Procedures for EDI
• Tests of Authorization and Validation Controls
  ✓ Review procedures for verifying trading partner identification codes
  ✓ Review agreements with VAN
  ✓ Review trading partner files
• Tests of Access Controls
  ✓ Verify limited access to vendor and customer files
  ✓ Verify limited access of vendors to database
  ✓ Test EDI controls by simulation
• Tests of Audit Trail Controls
  ✓ Verify existence of transaction logs at key points
  ✓ Review a sample of transactions

AUDITING PC BASED ACCOUNTING SYSTEMS
PC Risks & Controls
  ✓ Operating System Weaknesses
  ✓ Weak Access Control
  ✓ Inadequate Segregation of Duties
  ✓ Risk of Theft
  ✓ Weak Back up Procedures
  ✓ Risk of Virus Infection
  ✓ Audit Objective with PC Security
  ✓ Audit Procedures with PC Security

DATABASE MANAGEMENT CONTROLS
Two crucial database control issues:
1. Access controls
   • Audit objectives: (1) those authorized to use databases are limited to data needed to perform their duties and (2) unauthorized individuals are denied access to data
2. Backup controls
   • Audit objectives: backup controls can adequately recover lost, destroyed, or corrupted data

ACCESS CONTROLS
• User views - based on subschemas. A database schema (/ˈski.mə/ skee-ma) of a database system is its structure described in a formal language supported by the database management system (DBMS) and refers to the organization of data as a blueprint of how a database is constructed (divided into database tables in case of Relational Databases).
• Database authorization table - allows specific authority rules
• Data encryption - encoding algorithms
• Biometric devices - fingerprints, retina prints, or signature characteristic
• Audit procedures: verify…
  ✓ Who has responsibility for authority tables & subschemas?
  ✓ Granting appropriate access authority
  ✓ Are biometric controls used?
  ✓ Encryption?

Subschema Restricting Access

BACKUP CONTROLS
• Database backup – automatic periodic copy of data
• Transaction log – list of transactions which provides an audit trail
• Checkpoint features – suspends data during system reconciliation
• Recovery module – restarts system after a failure
• Grandparent-parent-child backup – the number of generations to backup is up to company policy
• Direct access file backup - back-up master-file at pre-determined intervals
• Off-site storage - guard against disasters and/or physical destruction
• Audit procedures: verify…
  ✓ that production databases are copied at regular intervals
  ✓ backup copies of the database are stored off site to support disaster recovery

CHAPTER 4: AUDITING DATABASE SYSTEMS

WHAT IS A DATABASE
  ✓ A database is an organized collection of data. The data are typically organized to model relevant aspects of reality in a way that supports processes requiring this information. For example, modeling the availability of rooms in hotels in a way that supports finding a hotel with vacancies.
  ✓ Database management systems (DBMSs) are specially designed applications that interact with the user, other applications, and the database itself to capture and analyze data. A general-purpose database management system (DBMS) is a software system designed to allow the definition, creation, querying, update, and administration of databases.
  ✓ DBMS responsible for maintaining the integrity and security of stored data, and for recovering information if the system fails.
EXAMPLES OF DBMS
  ✓ MySQL
  ✓ MariaDB
  ✓ PostgreSQL
  ✓ SQLite
  ✓ Microsoft SQL Server
  ✓ Oracle
  ✓ SAP
  ✓ Dbase
  ✓ FoxPro
  ✓ IBM DB2
  ✓ LibreOffice Base
  ✓ FileMaker Pro

Flat-File Versus Database Environments
• Computer processing involves two components: data and instructions (programs).
• Conceptually, there are two methods for designing the interface between program instructions and data:
  o File-oriented processing: A specific data file was created for each application.
  o Data-oriented processing: Create a single data repository to support numerous applications.
• Disadvantages of file-oriented processing include
  o redundant data and programs
  o varying formats for storing the redundant data
• Users access data via computer programs that process the data and present information to the users.
• Users own their data files.
• Data redundancy results as multiple applications maintain the same data elements.
• Files and data elements used in more than one application must be duplicated, which results in data redundancy.
• As a result of redundancy, the characteristics of data elements and their values are likely to be inconsistent.
• Outputs usually consist of preprogrammed reports instead of ad-hoc queries provided upon request. This results in inaccessibility of data.
• Changes to current file-oriented applications cannot be made easily, nor can new developments be quickly realized, which results in inflexibility.
Data Redundancy and Flat-File Problems
• Data Storage - creates excessive storage costs of paper documents and/or magnetic form
• Data Updating - any changes or additions must be performed multiple times
• Currency of Information – has the potential problem of failing to update all affected files
• Task-Data Dependency - user unable to obtain additional information as his or her needs change

Advantages of the Database Approach
  o Data sharing/centralized database resolves flat-file problems
  o No data redundancy: Data is stored only once, eliminating data redundancy and reducing storage costs
  o Single update: Because data is in only one place, it requires only a single update, reducing the time and cost of keeping the database current
  o Current values: A change to the database made by any user yields current data values for all other users.
  o Task-data independence: As users’ information needs expand, the new needs can be more easily satisfied than under the flat-file approach.

Disadvantages of the Database Approach
  o Can be costly to implement - additional hardware, software, storage, and network resources are required
  o Can only run in certain operating environments - may make it unsuitable for some system configurations
  o Because it is so different from the file-oriented approach, the database approach requires training users - may be inertia or resistance.

Elements of the Database Environment
• Four Elements
  1. Database management system
  2. Users
  3. Database administrator
  4. Physical database

Internal Controls and DBMS
• The database management system stands between the user and the database per se.
• Thus, commercial DBMS’s (e.g., Access or Oracle) actually consist of a database plus…
  ✓ software to manage the database, especially controlling access and other internal controls
  ✓ software to generate reports, create data-entry forms, etc.
• The DBMS has special software to control which data elements each user is authorized to access.
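How user views (subschemas) and a database authorization table can be enforced inside the DBMS rather than in application code, shown as an added example that is not part of the original notes. It uses SQLite's authorizer callback through Python's sqlite3 module as a stand-in for a commercial DBMS's access control software; the table, view and user names are constructed for illustration.

```python
import sqlite3
from typing import List, Tuple

# Constructed authorization table: user -> views (subschemas) the user may read.
AUTHORITY_TABLE = {
    "clerk": {"emp_directory"},
    "payroll": {"emp_directory", "emp_payroll"},
}

# Denied attempts, kept as a simple audit trail: (user, object, detail).
DENIED_LOG: List[Tuple[str, object, object]] = []


def build_database() -> sqlite3.Connection:
    """Create the base table and two user views. No authorizer is active yet."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE employee (
            emp_id INTEGER PRIMARY KEY, name TEXT, dept TEXT, salary INTEGER);
        INSERT INTO employee VALUES
            (1, 'Ana', 'Sales', 52000), (2, 'Ben', 'IT', 61000);
        -- Subschema for general staff: no salary column.
        CREATE VIEW emp_directory AS SELECT emp_id, name, dept FROM employee;
        -- Subschema for payroll staff: salary included.
        CREATE VIEW emp_payroll AS SELECT emp_id, name, salary FROM employee;
        """
    )
    return conn


def make_authorizer(user: str):
    """Build the callback SQLite consults while compiling each statement."""
    allowed_views = AUTHORITY_TABLE.get(user, set())

    def authorizer(action, arg1, arg2, dbname, source):
        if action == sqlite3.SQLITE_SELECT:
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ:
            # arg1 is the table or view being read and arg2 the column;
            # source is the view performing the read, or None for top-level SQL.
            if arg1 in allowed_views or source in allowed_views:
                return sqlite3.SQLITE_OK
        # Everything else (direct base-table reads, UPDATE, DDL, ...) is refused.
        DENIED_LOG.append((user, arg1, arg2))
        return sqlite3.SQLITE_DENY

    return authorizer


def run_as(conn: sqlite3.Connection, user: str, sql: str):
    """Run an ad hoc query under the user's authority; return (allowed, rows or error)."""
    conn.set_authorizer(make_authorizer(user))
    try:
        return True, conn.execute(sql).fetchall()
    except sqlite3.DatabaseError as exc:
        return False, str(exc)


if __name__ == "__main__":
    db = build_database()
    attempts = [
        ("clerk", "SELECT name, dept FROM emp_directory ORDER BY emp_id"),
        ("clerk", "SELECT salary FROM employee"),
        ("clerk", "SELECT salary FROM emp_payroll"),
        ("payroll", "SELECT name, salary FROM emp_payroll ORDER BY emp_id"),
        ("payroll", "UPDATE employee SET salary = 0"),
    ]
    for who, statement in attempts:
        print(who, "|", statement, "->", run_as(db, who, statement))
    print("denied:", DENIED_LOG)
```

Because the check runs in the database engine, an ad hoc query typed by the user is held to the same limits as a query issued by an application program.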
Data Definition Language (DDL)
• DDL is a programming language used to define the database per se.
✓ It identifies the names and the relationship of all data elements, records, and files that constitute the database.
• DDL defines the database on three viewing levels
✓ Internal view – physical arrangement of records (1 view)
✓ Conceptual view (schema) – representation of database (1 view)
✓ User view (subschema) – the portion of the database each user views (many views)

Data Manipulation Language (DML)
• DML is the proprietary programming language that a particular DBMS uses to retrieve, process, and store data to / from the database
• Entire user programs may be written in the DML, or selected DML commands can be inserted into universal programs, such as COBOL and FORTRAN
• Can be used to ‘patch’ third party applications to the DBMS

Query Language
• The query capability permits end users and professional programmers to access data in the database without the need for conventional programs.
✓ Can be an internal control issue since users may be making an ‘end run’ around the controls built into the conventional programs
• IBM’s structured query language (SQL) is a fourth-generation language that has emerged as the standard query language.
✓ Adopted by ANSI as the standard language for all relational databases

Functions of the DBA

PHYSICAL DATABASE
• Lowest level of database and the only level that exists in physical form
• Logical collection of records and files that constitute the firm’s data source.

DATA STRUCTURE COMPONENTS
✓ Data Organization – physical arrangement of files
✓ Data Access Methods – technique to locate records

SIX CRITERIA INFLUENCING THE SELECTION OF DATA STRUCTURE

Database Conceptual Models
• Refers to the particular method used to organize records in a database. a.k.a.
“logical data structures”
• Objective: develop the database efficiently so that data can be accessed quickly and easily
• There are three main models:
✓ hierarchical (tree structure)
✓ network
✓ relational
• Most existing databases are relational. Some legacy systems use hierarchical or network databases.

HIERARCHICAL MODEL
• Navigational Database – traversing the files following a predefined path; explicit linkages through networks. (Figure 4.10)
• Limitation 1: A parent record may have one or more child records
• Limitation 2: No child can have more than one parent.

NETWORK MODEL
• ANSI thru CODASYL
• Most popular model of network is IDM
• Navigational thru multiple linkage
• A child can have multiple parents

RELATIONAL MODEL
• The relational model portrays data in the form of two-dimensional ‘tables’.
• Its strength is the ease with which tables may be linked to one another.
✓ a major weakness of hierarchical and network databases
• Relational model is based on the relational algebra functions of restrict, project, and join.
• Implicit linkages: rows are dependent on the primary key and independent of the other attributes
• Linkages are established through logical operations of the DBMS rather than explicit addresses that are structured into the database.

Distributed Data Processing (DDP)
• Data processing is organized around several information processing units (IPUs) distributed throughout the organization.
• Each IPU is placed under the control of the end user
• DDP does not always mean total decentralization.
• IPUs in a DDP system are still connected to one another and coordinated.
• Typically, DDP’s use a centralized database.
• Alternatively, the database can be distributed, similar to the distribution of the data processing capability.

Centralized Databases in DDP Environment
• The data is retained in a central location.
• Remote IPUs send requests for data
• Central site services the needs of the remote IPUs
• The actual processing of the data is performed at the remote IPU.
• Advantages of DDP
✓ Cost reductions in hardware and data entry task
✓ Improved cost control responsibility
✓ Improved user satisfaction since control is closer to the user level
✓ Backup of data can be improved through the use of multiple data storage sites
• Disadvantages of DDP
✓ Loss of control
✓ Mismanagement of resources
✓ Hardware and software incompatibility
✓ Redundant tasks and data
✓ Consolidating incompatible tasks
✓ Difficulty attracting qualified personnel
✓ Lack of standards

Distributed Databases: Partitioned Database Approach (Partitioning)
• Splits the central database into segments that are distributed to their primary users.
• Advantages:
✓ users’ control is increased by having data stored at local sites.
✓ transaction processing response time is improved.
✓ volume of transmitted data between IPUs is reduced.
✓ reduces the potential data loss from a disaster.

The Deadlock Phenomenon
• Especially a problem with partitioned databases
• Occurs when multiple sites lock each other out of data that they are currently using.
✓ One site needs data locked by another site.
• Special software is needed to analyze and resolve conflicts.
✓ Transactions may be terminated and restarted.

The Deadlock Condition
✓ Mutual exclusion on a data resource; the transactions wait until the locks are removed.
✓ DEADLOCK RESOLUTION - terminating one or more transactions to complete processing of the other transactions in the deadlock.

Distributed Databases: Replication
• The duplication of the entire database for multiple IPUs
• Effective for situations with a high degree of data sharing, but no primary user.
• Supports read-only queries
• Data traffic between sites is reduced considerably.
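The deadlock condition and its resolution described above for partitioned databases, shown as an added example that is not part of the original notes: it builds a wait-for graph from the lock table, finds the cycle, and terminates one transaction so the others can complete. Transaction names, record ids, start timestamps and the "abort the youngest" victim rule are assumptions made for illustration.

```python
# Constructed sample state for a partitioned database.
HELD = {"siteA:cust-1001": "T1", "siteB:inv-77": "T2"}   # record -> lock holder
WANTED = {"T1": "siteB:inv-77",      # T1 is blocked on a record T2 has locked
          "T2": "siteA:cust-1001",   # T2 is blocked on a record T1 has locked
          "T3": "siteA:cust-1001"}   # T3 also waits, but is not part of the cycle
STARTED = {"T1": 100, "T2": 105, "T3": 110}  # start timestamps (assumed)

def wait_for_graph(held, wanted):
    """Map each blocked transaction to the transaction holding the lock it needs."""
    return {t: held[r] for t, r in wanted.items() if r in held and held[r] != t}

def find_cycle(graph):
    """Follow each wait chain; a chain that revisits a transaction is a deadlock."""
    for start in graph:
        seen, t = [], start
        while t in graph and t not in seen:
            seen.append(t)
            t = graph[t]
        if t in seen:
            return seen[seen.index(t):]
    return []

def resolve(held, wanted, started):
    """Terminate victims until no cycle remains; return them in abort order."""
    held, wanted, aborted = dict(held), dict(wanted), []
    while True:
        cycle = find_cycle(wait_for_graph(held, wanted))
        if not cycle:
            return aborted
        victim = max(cycle, key=lambda t: started[t])  # youngest has done least work
        aborted.append(victim)
        held = {r: t for r, t in held.items() if t != victim}  # release its locks
        wanted.pop(victim, None)  # it is restarted later, so it no longer waits

if __name__ == "__main__":
    print("deadlocked:", find_cycle(wait_for_graph(HELD, WANTED)))
    print("terminated:", resolve(HELD, WANTED, STARTED))
```

T3 is blocked but not deadlocked: once the victim's locks are released, its wait chain ends at a transaction that can finish.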
CONCURRENCY CONTROL: Concurrency Problems and Control Issue
• Database concurrency is the presence of complete and accurate data at all IPU sites.
• With replicated databases, maintaining current data at all locations is difficult
• Time stamping is used to serialize transactions.
✓ Prevents and resolves conflicts created by updating data at various IPUs

Distributed Databases and the Accountant
• The following database options impact the organization’s ability to maintain database integrity, to preserve audit trails, and to have accurate accounting records.
✓ Centralized or distributed data?
✓ If distributed, replicated or partitioned?
✓ If replicated, total or partial replication?
✓ If partitioned, what is the allocation of the data segments among the sites?

DATABASE MANAGEMENT CONTROLS
Two crucial database control issues:
1. Access controls
• Audit objectives: (1) those authorized to use databases are limited to data needed to perform their duties and (2) unauthorized individuals are denied access to data
2. Backup controls
• Audit objectives: backup controls can adequately recover lost, destroyed, or corrupted data

ACCESS CONTROLS
• User views - based on subschemas.
• A database schema (/ˈski.mə/ skee-ma) of a database system is its structure described in a formal language supported by the database management system (DBMS) and refers to the organization of data as a blueprint of how a database is constructed (divided into database tables in case of Relational Databases).
• Database authorization table - allows specific authority rules
• Data encryption - encoding algorithms
• Biometric devices - fingerprints, retina prints, or signature characteristics
• Inference Controls – prevent users from inferring, through query features, specific data values that should not be accessed.
• Positive Compromise, Negative Compromise & Approximate Compromise
• Audit procedures: verify…
✓ Who has responsibility for authority tables & subschemas?
✓ Granting appropriate access authority
✓ Are biometric controls used?
✓ Are inference controls used?
✓ Encryption?

BACKUP CONTROLS
• Database backup – automatic periodic copy of data
• Transaction log – list of transactions which provides an audit trail
• Checkpoint features – suspends data during system reconciliation
• Recovery module – restarts system after a failure
• Grandparent-parent-child backup – the number of generations to back up is up to company policy
• Direct access file backup - back up master file at pre-determined intervals
• Off-site storage - guard against disasters and/or physical destruction
• Audit procedures: verify…
✓ that production databases are copied or backed up at regular intervals
✓ Verify automatic back up
✓ backup copies of the database are stored off site to support disaster recovery
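Three of the access controls listed above (a user view, the database authorization table, and an inference control) sketched with SQLite from Python; this is an added example, not part of the original notes. Table, view and user names, the sample rows, and the minimum query-set size of 3 are assumptions.

```python
import sqlite3

MIN_QUERY_SET = 3  # assumed policy: smallest group an aggregate may describe

SCHEMA = """
CREATE TABLE employee(emp_id INTEGER PRIMARY KEY, name TEXT, dept TEXT, salary INTEGER);
INSERT INTO employee VALUES (1,'Ana','AR',52000),(2,'Ben','AR',48000),
  (3,'Cy','AR',50000),(4,'Dee','IT',91000);        -- constructed sample rows
-- User view (subschema): directory users never see the salary column.
CREATE VIEW v_directory AS SELECT emp_id, name, dept FROM employee;
-- Database authorization table: one row per permitted (user, resource, privilege).
CREATE TABLE auth_table(user_id TEXT, resource TEXT, privilege TEXT);
INSERT INTO auth_table VALUES ('clerk','v_directory','read'),
  ('analyst','v_directory','read'),('analyst','salary_stats','read'),
  ('payroll','employee','read');
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def authorized(db, user, resource, privilege="read"):
    sql = "SELECT 1 FROM auth_table WHERE user_id=? AND resource=? AND privilege=?"
    return db.execute(sql, (user, resource, privilege)).fetchone() is not None

def read_rows(db, user, resource):
    """Every read is checked against the authorization table first."""
    if resource not in ("employee", "v_directory") or not authorized(db, user, resource):
        raise PermissionError(f"{user} may not read {resource}")
    return db.execute(f"SELECT * FROM {resource}").fetchall()  # name allow-listed above

def avg_salary(db, user, dept):
    """Aggregate with an inference control: refuse query sets that are too small."""
    if not authorized(db, user, "salary_stats"):
        raise PermissionError(f"{user} may not read salary statistics")
    sql = "SELECT COUNT(*), AVG(salary) FROM employee WHERE dept=?"
    n, avg = db.execute(sql, (dept,)).fetchone()
    if n < MIN_QUERY_SET:  # an average over one person is that person's salary
        raise PermissionError("query set too small")
    return avg

def denied(fn, *args):
    """True when the control blocks the call."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False

def who_can_read(db, resource):
    """Audit procedure: list the users the authority table lets read a resource."""
    sql = "SELECT user_id FROM auth_table WHERE resource=? AND privilege='read' ORDER BY user_id"
    return [row[0] for row in db.execute(sql, (resource,))]
```

A query-set-size limit is only one inference control; it stops the single-person average shown here but does not by itself address a user combining several permitted aggregates.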