(Notes) Chapter 4 - Auditing Database Systems

Concept outline for Chapter 4 of Auditing in CIS Textbook by James Hall

CHAPTER 4: Auditing Database Systems

First Section: Data Management

Two General Approaches to Data Management:

1. Flat-File Model
2. Database Model

Flat File
Note:
- used in older (legacy) systems
- characterized by private ownership of data
- cause of several problems that inhibit data integration
- resolved through data sharing and centralized control of data

Data Redundancy: flat-file approach demands that different groups of users make copies of
essentially the same data/document

Problems in a Flat-File Environment

1. Data Storage - data captured once is not available for other users
2. Data Updating - changes to details of a file would necessitate similar changes to other
files of the same data
3. Currency of Information - changes in data files would not reflect in other files, thus
causing the latter to contain obsolete data
4. Task-Data Dependency - users’ inability to obtain additional information as their needs
change

Database Approach
- Characterized by the use of a DBMS
- Resolves the traditional problems of flat-file environments

Database Management System (DBMS): special software that is programmed to know which
data elements each user is authorized to access.
- solution for the problems of a flat-file environment
- characterized by data sharing

Elimination of Problems in Flat-File Environments

1. Storage - Data element is stored only once
2. Update - Data element requires only a single update
3. Currency - A single change is immediately made available to all interested users
4. Dependency - Changes in information needs can be satisfied without obtaining
additional private data

Second Section: Elements of Database

Key Elements of Database Environment:

1. DBMS
2. Users
3. Database Administrator
4. Physical Database
5. DBMS Models

Database

Typical Features of DBMS:

1. Program Development - DBMS contains application development software
2. Backup and Recovery
3. Database Usage Reporting
4. Database Access

Data Definition Language (DDL): programming language used to define the database to the
DBMS
- Has three levels, called views: (1) physical internal view, (2) conceptual view or schema,
and (3) user view or subschema

Database Views
1. Internal/Physical View: lowest level of representation, describes the structure of data
records, links between files, and physical arrangement of records in a file
2. Conceptual/Logical View: describes the entire database, represents the database
logically and abstractly
3. External/User View: defines the user’s section of the database

Users

Data Manipulation Language (DML): the proprietary programming language that a particular
DBMS uses to retrieve, process, and store data. Entire user programs may be written in the
DML or, alternatively, selected DML commands can be inserted into programs that are written in
universal languages, such as JAVA, C++, and even older languages such as COBOL and
FORTRAN.

DBMS Operation:
1. User sends request for data to DBMS
2. DBMS analyzes request by matching data elements with user and conceptual views
3. DBMS determines data structure parameters from internal view and passes them to
OS
4. The OS interacts with the disk to retrieve data
5. OS stores data in main memory buffer
6. DBMS transfers data to user’s work location in main memory
7. After completion, steps 4-6 are reversed to restore processed data to the database

Structured Query Language or SQL: query language that allows users to input, retrieve, and
modify data easily

Functions of Database Administrator:

1. Database Planning
2. Design
3. Implementation
4. Operation and Maintenance
5. Change and Growth

Data Dictionary: describes every data element in the database. This enables all users (and
programmers) to share a common view of the data resource, thus greatly facilitating the analysis
of user needs.
Note:
- Important function of a DBA

Data Structures: brick and mortar of a database, allows records to be located, stored, and
retrieved.

Data Organization: refers to the way records are physically arranged on the secondary storage
device, may either be sequential or random
Data Access Method: the technique used to locate records and to navigate through the
database

Database Terminology:
1. Data Attribute or Field - a single item of data
2. Entity - database representation of an individual resource, event, or agent
3. Record Type (Table or File) - data attributes that are grouped together, which logically
define an entity
4. Database - set of record types that an organization needs to support its business
processes
5. Associations - relationships between record types
a. One-to-one
b. One-to-many
c. Many-to-many

Three Common Database Models:

1. Hierarchical Model
2. Network Model
3. Relational Model

Navigational Databases:
1. Hierarchical
2. Network
Note:
- called navigational because of explicit links among their data elements
- characterized by their structure and inflexibility
- used in late-era legacy systems, still in use today

Hierarchical Model:
- Most popular example is IBM’s IMS
- Characterized by parent and child relationships
- Files at the same level are called siblings
- Entire structure is called tree structure
- Highest level in the segment is the root segment, while the lowest is the leaf.

Limitations of Hierarchical Model:

1. A parent record may have more than one child record
2. No child record can have more than one parent

Network Model
- An ANSI committee created CODASYL or Committee on Development of Applied
Symbolic Languages
- Most popular example is IDMS or Integrated Data Management System by Cullinet
Software
- Distinguished from Hierarchical by allowing a child record to have more than one parent

Relational Model:
Note:
- Principles were initially proposed by E.F. Codd, with foundations in relational algebra and
set theory
- used in newer accounting information systems
- presents data in two-dimensional format, which is easy for end users to understand and
work with
- supports entity-wide data integration when properly implemented
- Relations are formed by attributes common to both tables

Third Section: Database Technology in Distributed Environment

Temporary inconsistency: values are incorrectly stated during the execution of a transaction

Database lockout: a software control (by the DBMS) that prevents multiple simultaneous
access to data

Alternative Configurations of Databases:

1. Centralized
2. Replicated
3. Partitioned

Partitioned Database Approach: splits the central database into segments or partitions that
are distributed to their primary users
Advantages:
- Increase users’ control by having data stored at local sites
- Improve TPS time
- Reduce potential effects of a disaster

Deadlock Phenomenon: In a distributed environment, it is possible for multiple sites to lock out
each other from the database, thus preventing each from processing its transactions.
- Deadlock: a permanent condition that must be resolved by special software that
analyzes each deadlock condition to determine the best solution
- Deadlock Resolution: usually involves terminating one or more transactions to
complete processing of the other transactions in the deadlock. Thereafter, preempted
transactions have to be re-initiated. Factors: (1) resources in the transaction, (2)
transaction’s stage of completion, and (3) number of deadlocks
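The deadlock detection and resolution the outline describes, as an added Python example that is not from the textbook: transactions and the locks they wait on are modelled as a wait-for graph, a cycle in that graph is a deadlock, and the victim to preempt is chosen using the three factors listed above (resources held, stage of completion, number of prior deadlocks). The sample graph, the per-transaction bookkeeping fields and the cost ordering are constructed assumptions; a real DBMS keeps this information in its lock manager.

```python
from collections import defaultdict

# Constructed sample wait-for graph (not from the textbook): an edge T1 -> T2 means
# transaction T1 is blocked waiting for a lock that T2 currently holds.
SAMPLE_WAITS = {
    "T1": ["T2"],
    "T2": ["T3"],
    "T3": ["T1"],   # T1 -> T2 -> T3 -> T1 is a deadlock cycle
    "T4": ["T1"],   # T4 waits on the cycle but is not part of it
}

# Constructed per-transaction bookkeeping (hypothetical field names) for the three
# factors the outline lists: resources held, stage of completion, prior deadlocks.
SAMPLE_TXNS = {
    "T1": {"locks_held": 5, "progress": 0.9, "deadlocks": 0},
    "T2": {"locks_held": 1, "progress": 0.2, "deadlocks": 0},
    "T3": {"locks_held": 2, "progress": 0.5, "deadlocks": 2},
    "T4": {"locks_held": 0, "progress": 0.1, "deadlocks": 0},
}


def find_cycle(waits):
    """Depth-first search for a cycle in the wait-for graph.

    Returns the transactions on the cycle in order, or [] if no deadlock exists.
    """
    WHITE, GRAY, BLACK = 0, 1, 2
    color = defaultdict(int)
    path = []

    def dfs(node):
        color[node] = GRAY
        path.append(node)
        for nxt in waits.get(node, []):
            if color[nxt] == GRAY:             # back edge: nxt is on the current path
                return path[path.index(nxt):]
            if color[nxt] == WHITE:
                found = dfs(nxt)
                if found:
                    return found
        path.pop()
        color[node] = BLACK
        return []

    for node in list(waits):
        if color[node] == WHITE:
            cycle = dfs(node)
            if cycle:
                return cycle
    return []


def choose_victim(cycle, txns):
    """Pick the transaction to abort using the outline's three factors.

    Ordering: fewest prior deadlock aborts first (so one transaction is not
    starved), then fewest resources held, then least progress made.
    """
    def cost(t):
        info = txns[t]
        return (info["deadlocks"], info["locks_held"], info["progress"])
    return min(cycle, key=cost)


def resolve_deadlocks(waits, txns):
    """Abort victims until the wait-for graph is acyclic.

    Returns the list of aborted transactions; these must be re-initiated later.
    """
    waits = {t: list(ws) for t, ws in waits.items()}
    aborted = []
    while True:
        cycle = find_cycle(waits)
        if not cycle:
            return aborted
        victim = choose_victim(cycle, txns)
        aborted.append(victim)
        # Dropping the victim releases its locks, so edges into it disappear.
        waits = {t: [w for w in ws if w != victim]
                 for t, ws in waits.items() if t != victim}


if __name__ == "__main__":
    print("cycle:", find_cycle(SAMPLE_WAITS))
    print("aborted:", resolve_deadlocks(SAMPLE_WAITS, SAMPLE_TXNS))
```

In the sample, T2 holds the fewest locks and has made the least progress among the three transactions on the cycle, so it is the one preempted; T4 was only waiting on the cycle and is released once it clears.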

Replicated Databases: effective in companies where there exists a high degree of data sharing
but no primary user. Since common data is replicated at each IT unit site, the data traffic
between sites is reduced considerably.

Concurrency Control: mechanism of enforcing the presence of complete and accurate data at
all user sites. A commonly used method is serialization of transactions.

Fourth (Final) Section: Control and Audit Issues of Data Management

Access Controls: designed to prevent unauthorized individuals from viewing, retrieving,
corrupting, or destroying the entity’s data.

Examples of Access Controls:

1. User Views - subset of the database that defines the user’s domain and access thereof
2. Database Authorization Table - rules that limit the actions of users
3. User-Defined Procedures - allows users to create a personal security program or routine
4. Data Encryption - use of encryption technology to protect data transmitted over lines
5. Biometric Devices - user authentication that measures various physiological
characteristics
6. Inference Controls - set of restrictions that prevent access to confidential data from
database query responses which involve data that have fewer than two records
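Three of the controls in the list above (user views, the database authorization table and inference controls) working together, as an added Python/SQLite example that is not from the textbook. The employee table, the two views, the `auth_table` rows and the user names are constructed sample data; the "fewer than two records" rule is applied by suppressing any department whose statistic would be computed over a single record.

```python
import sqlite3

MIN_GROUP_SIZE = 2   # inference control: suppress statistics over fewer than two records


def build_db():
    """Create an in-memory database with constructed sample data (not real records)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE employee (id INTEGER, name TEXT, dept TEXT, salary INTEGER);
        INSERT INTO employee VALUES
            (1, 'Ann', 'Audit', 70000),
            (2, 'Bob', 'Audit', 65000),
            (3, 'Cy',  'Legal', 90000);

        -- User views (subschemas): each defines the slice of the base table a role may see.
        CREATE VIEW v_directory AS SELECT id, name, dept FROM employee;
        CREATE VIEW v_payroll   AS SELECT id, name, dept, salary FROM employee;

        -- Database authorization table: which user may do which action on which object.
        CREATE TABLE auth_table (user_name TEXT, object_name TEXT, privilege TEXT);
        INSERT INTO auth_table VALUES
            ('clerk',   'v_directory', 'SELECT'),
            ('payroll', 'v_payroll',   'SELECT'),
            ('analyst', 'employee',    'AGGREGATE');
    """)
    return conn


def is_authorized(conn, user, obj, privilege):
    """Look the request up in the authorization table; absence of a row means denial."""
    row = conn.execute(
        "SELECT 1 FROM auth_table WHERE user_name = ? AND object_name = ? AND privilege = ?",
        (user, obj, privilege),
    ).fetchone()
    return row is not None


def query_view(conn, user, view):
    """Read through a user view only if the authorization table permits it."""
    if not view.isidentifier():            # view names cannot be bound as parameters,
        raise ValueError("bad view name")  # so validate before interpolating
    if not is_authorized(conn, user, view, "SELECT"):
        raise PermissionError(f"{user} may not SELECT from {view}")
    return conn.execute(f"SELECT * FROM {view}").fetchall()


def avg_salary_by_dept(conn, user):
    """Statistical query with an inference control: a department with fewer than
    MIN_GROUP_SIZE records is reported as None, because its average would reveal
    one individual's salary."""
    if not is_authorized(conn, user, "employee", "AGGREGATE"):
        raise PermissionError(f"{user} may not run aggregates on employee")
    rows = conn.execute(
        "SELECT dept, COUNT(*), AVG(salary) FROM employee GROUP BY dept ORDER BY dept"
    ).fetchall()
    return {dept: (avg if n >= MIN_GROUP_SIZE else None) for dept, n, avg in rows}


if __name__ == "__main__":
    db = build_db()
    print(query_view(db, "clerk", "v_directory"))
    print(avg_salary_by_dept(db, "analyst"))   # Legal has one record, so it is suppressed
```

The clerk can read the directory view but is refused the payroll view because no row in `auth_table` grants it, and the analyst's aggregate query returns an average for Audit (two records) but not for Legal (one record), which is exactly the kind of response an inference control exists to block.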

Audit Objective on Database Access: verify that database access authority and privileges are
granted to users in accordance with their legitimate needs.

Audit Procedures for Testing Database Access Controls:

1. Responsibility for Authority Tables and Subschemas - verify that the DBA retains exclusive
responsibility
2. Appropriate Access Authority - select sample of users to verify their access privileges
3. Biometric Controls - evaluate cost and benefits of technology
4. Inference Controls - verify that database query controls exist
5. Encryption Controls - verify that sensitive data are properly encrypted

Backup Controls: ensure that in the event of data loss due to unauthorized access, equipment
failure, or physical disaster the organization can recover its database.

Backup Controls in Flat-File Environment:

1. Grandparent-Parent-Child (GPC) Backup Technique - sequential updating of master files
renders different generations of backup
2. Direct Access File Backup - files must be copied before being updated as data values in
data files are changed in place through destructive replacement
3. Offsite Storage

Audit Objective related to Flat-File Backup Controls: verify that backup controls in place are
effective in protecting data files from physical damage, loss, accidental erasure, and data
corruption through system failures and program errors.

Audit Procedures for Testing Flat-File Backup Controls:

1. Sequential File (GPC) Backup - select sample of systems and determine that the
number of GPC backup files is adequate
2. Backup Transaction Files - verify through physical observation that files used to
reconstruct master files are retained
3. Direct Access File Backup - select a sample of applications and verify if direct access
files are copied before being updated
4. Off-site Storage - verify existence and adequacy of the storage site

Backup Controls in Database Environment:

1. Backup
2. Transaction Log (Journal)
3. Checkpoint Feature
4. Recovery Module
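How the four database backup controls listed above fit together, as an added Python example that is not from the textbook: a toy database keeps a transaction log of before and after images, takes a checkpoint snapshot, and a recovery module rebuilds a consistent state after a simulated failure by redoing committed work logged after the checkpoint and undoing uncommitted work that made it into the snapshot. The `JournaledDB` class, its record layout and the crash scenario are constructed assumptions, not any vendor's recovery algorithm.

```python
import copy


class JournaledDB:
    """Toy database with the backup features in the outline: a backup snapshot,
    a transaction log (journal), a checkpoint, and a recovery module."""

    def __init__(self):
        self.data = {}          # live database: key -> value
        self.log = []           # journal of before/after images, appended in order
        self.checkpoint = None  # (log position, snapshot of data at that moment)
        self._next_txn = 1

    def begin(self):
        txn = self._next_txn
        self._next_txn += 1
        self.log.append({"op": "begin", "txn": txn})
        return txn

    def write(self, txn, key, value):
        # Log the before image (old) and after image (new), then change the live data.
        self.log.append({"op": "write", "txn": txn, "key": key,
                         "old": self.data.get(key), "new": value})
        self.data[key] = value

    def commit(self, txn):
        self.log.append({"op": "commit", "txn": txn})

    def take_checkpoint(self):
        # Snapshot the current state and remember where in the log it was taken, so
        # recovery only has to replay log records written after this point.
        self.checkpoint = (len(self.log), copy.deepcopy(self.data))
        self.log.append({"op": "checkpoint"})


def recover(log, checkpoint):
    """Recovery module: rebuild a consistent database from the checkpoint and the log."""
    pos, snapshot = checkpoint if checkpoint else (0, {})
    data = copy.deepcopy(snapshot)
    committed = {r["txn"] for r in log if r["op"] == "commit"}
    # Redo: re-apply after images of committed transactions logged after the checkpoint.
    for rec in log[pos:]:
        if rec["op"] == "write" and rec["txn"] in committed:
            data[rec["key"]] = rec["new"]
    # Undo: a transaction that wrote before the checkpoint but never committed left its
    # dirty value in the snapshot; restore the before image, newest record first.
    for rec in reversed(log[:pos]):
        if rec["op"] == "write" and rec["txn"] not in committed:
            if rec["old"] is None:
                data.pop(rec["key"], None)
            else:
                data[rec["key"]] = rec["old"]
    return data


def crash_scenario():
    """Constructed sequence of events; returns (state at crash, state after recovery)."""
    db = JournaledDB()
    t1 = db.begin()
    db.write(t1, "A", 100)
    db.write(t1, "B", 50)
    db.commit(t1)
    t2 = db.begin()
    db.write(t2, "A", 90)       # t2 never commits
    db.take_checkpoint()        # snapshot therefore contains t2's dirty A=90
    t3 = db.begin()
    db.write(t3, "B", 60)
    db.commit(t3)
    t4 = db.begin()
    db.write(t4, "A", 10)       # in flight when the system fails
    at_crash = dict(db.data)
    return at_crash, recover(db.log, db.checkpoint)


if __name__ == "__main__":
    at_crash, recovered = crash_scenario()
    print("at crash:", at_crash)
    print("recovered:", recovered)
```

At the moment of failure the live data holds A=10 and B=60, both partly the work of transactions that never committed; recovery returns A to the last committed value 100 (t2's write is undone from the snapshot, t4's is never redone) and keeps B=60 because t3 committed after the checkpoint. An auditor testing the "backup is performed routinely" objective is, in effect, checking that the snapshot and the journal this routine depends on actually exist and are current.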

Audit Objective related to Database Backup: verify that controls over data resources are
sufficient to preserve integrity and physical security of the database.

Audit Procedures for Testing Database Backup Controls:

1. Verify that backup is performed routinely and frequently
2. Verify that automatic backup procedures are in place and functioning
