
Chapter 4: Auditing Database Systems

DATA MANAGEMENT APPROACHES


The Flat-File Approach
- no structured relationships to other files.
- most often associated with so-called legacy systems.
- end users own their data files rather than share them.

Data Redundancy-replication of essentially the same data in multiple files

Problems (SUCT)
Data Storage
Data Updating
Currency of Information
Task-Data Dependency

The Database Approach

- controlled by a database management system (DBMS).
- the DBMS is a special software system that is programmed to know which data elements each user is authorized to access.
- this approach centralizes the organization's data into a common database that is shared by many users.

Problems Solved:
Elimination of Data Storage Problem
Elimination of Data Update Problem
Elimination of Currency Problem
Elimination of Task-Data Dependency Problem

KEY ELEMENTS OF THE DATABASE ENVIRONMENT


Database Management System
Features:
-Program development
-Backup and recovery
-Database usage reporting
-Database access

Data definition language (DDL) is a programming language used to define the database to the DBMS.

Database Views (ICE)

Internal View/Physical View - the physical arrangement of records in the database.
Conceptual View/Logical View (Schema) - represents the database logically and abstractly, rather than the way it is physically stored.
External View/User View (Subschema) - defines the user's section of the database, the portion that an individual user is authorized to access.

Users
How to access the database
Formal Access: Application Interfaces
- Data Manipulation Language (DML) is used to retrieve, process, and store data.
Informal Access: Query Language
- A query is an ad hoc access method for extracting information from a database.
- Structured Query Language (SQL) is a fourth-generation, nonprocedural language (English-like commands) with many commands that allow users to input, retrieve, and modify data easily.
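As an added example (not from the chapter or the textbook it summarizes): the DDL, DML and query language described above exercised in Python against an in-memory SQLite database. The employee table, the view and the three rows are constructed for illustration. The view stands in for an external view (subschema): a user who is granted only the view cannot reach the salary column, and the two lookup functions show why the value typed into an ad hoc query must travel as a bound parameter rather than be spliced into the SQL text.

```python
import sqlite3

def build_demo_db():
    """Create the conceptual schema (DDL), load it (DML) and define a subschema (view)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        -- DDL: define the conceptual schema to the DBMS (constructed sample table)
        CREATE TABLE employee (
            emp_id  INTEGER PRIMARY KEY,
            name    TEXT NOT NULL,
            dept    TEXT NOT NULL,
            salary  REAL NOT NULL CHECK (salary >= 0)
        );
        -- External view / subschema: the directory clerk's authorized slice,
        -- deliberately leaving salary out of the column list
        CREATE VIEW v_directory AS
            SELECT emp_id, name, dept FROM employee;
    """)
    # DML: store and modify data; values travel as bound parameters, never as SQL text
    con.executemany(
        "INSERT INTO employee (name, dept, salary) VALUES (?, ?, ?)",
        [("Ana", "AP", 52000.0), ("Ben", "GL", 61000.0), ("Cy", "AP", 48000.0)],
    )
    con.execute("UPDATE employee SET salary = salary * 1.03 WHERE dept = ?", ("AP",))
    con.commit()
    return con

def total_salary_by_dept(con):
    """Ad hoc query (informal access): aggregate across the base table."""
    rows = con.execute(
        "SELECT dept, ROUND(SUM(salary), 2) FROM employee GROUP BY dept ORDER BY dept"
    ).fetchall()
    return dict(rows)

def view_columns(con):
    """Columns a user of the subschema can see; salary must not be among them."""
    return [row[1] for row in con.execute("PRAGMA table_info(v_directory)")]

def salary_reachable_through_view(con):
    """True if the subschema leaks salary; SQLite rejects the unknown column."""
    try:
        con.execute("SELECT salary FROM v_directory").fetchall()
        return True
    except sqlite3.OperationalError:
        return False

def lookup_by_name(con, name):
    """Parameterised lookup through the subschema: a hostile name such as
    "' OR 1=1 --" is compared as a literal string and matches nothing."""
    return con.execute(
        "SELECT emp_id, name, dept FROM v_directory WHERE name = ?", (name,)
    ).fetchall()

def lookup_by_name_unsafe(con, name):
    """The anti-pattern: the same lookup with the value spliced into the SQL text,
    so the hostile name rewrites the WHERE clause and returns every row."""
    return con.execute(
        f"SELECT emp_id, name, dept FROM v_directory WHERE name = '{name}'"
    ).fetchall()

if __name__ == "__main__":
    db = build_demo_db()
    print(total_salary_by_dept(db))
    print(view_columns(db), salary_reachable_through_view(db))
    print(lookup_by_name(db, "' OR 1=1 --"))         # []
    print(lookup_by_name_unsafe(db, "' OR 1=1 --"))  # all three rows
```

The view is the only object the directory clerk needs to be granted; the base table stays out of that user's subschema, which is exactly the access-control role the chapter assigns to the subschema later on.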

The Database Administrator
- is responsible for managing the database resource.

Data Dictionary- describes every data element in the database.

Physical Database
Data structures
-are the bricks and mortar of the database.

Fundamental Components:
Data Organization
- refers to the way records are physically arranged on the secondary storage device.
- Sequential files are stored in contiguous locations that occupy a specified area of disk
space.
- Random files are stored without regard for their physical relationship to other records of
the same file.

Data Access Method


- the technique used to locate records and to navigate through the database.

DBMS Models (HNR)

Hierarchical Model
- reflected, more or less faithfully, many aspects of an organization that are hierarchical in relationship.
- Information Management System (IMS) is the most prevalent example of a hierarchical database.
- also called a tree structure.
- the highest level is called the root segment; the lowest level is called a leaf.
Limitations (rules of the tree)
1. A parent record may have one or more child records.
2. No child record can have more than one parent.

Network Model
- the most popular example of the network model is IDMS (Integrated Database Management System).
- is a navigational database with explicit linkages between records and files.
- unlike the hierarchical model, permits a child record to have multiple parents.

Relational Model
- proposed by E. F. Codd.
- the formal model has its foundations in relational algebra and set theory.
- portrays data in the form of two-dimensional tables.

DATABASES IN A DISTRIBUTED ENVIRONMENT


Centralized Databases
- the first approach involves retaining the data in a central location.
Distributed Databases
Partitioned Databases
- split the central database into segments or partitions that are distributed to their primary users.
- work best for organizations that require minimal data sharing among their distributed IT units.

Advantages:
- Having data stored at local sites increases users' control.
- Transaction processing response time is improved by permitting local access to data and reducing the volume of data that must be transmitted between IT units.
- Partitioned databases can reduce the potential effects of a disaster.

Replicated databases
-are effective in companies where there exists a high degree of data sharing but no primary user.
- the data traffic between sites is reduced considerably.

Concurrency Control
- Database concurrency is the presence of complete and accurate data at all user sites.
- A common method is to serialize transactions.
- First, special software groups transactions into classes to identify potential conflicts (two transactions can conflict only if they touch the same data and at least one of them updates it).
- The second part of the control process is to time-stamp each transaction, so that every site applies conflicting transactions in the same timestamp order.
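As an added example (not part of the chapter or the textbook), the two-step control just described carried through in Python: operations are grouped into conflict classes by the data item they touch, and each replica site enforces timestamp ordering. The transactions, the two sites ("hq" and "branch") and the delayed arrival order at the branch are constructed for illustration; the restart policy (abort a rejected transaction everywhere and resubmit it with a fresh timestamp) is one standard choice, not something the chapter prescribes.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Op:
    tid: str                 # transaction id
    ts: int                  # timestamp stamped when the transaction was submitted
    kind: str                # "read" or "write"
    item: str                # data item touched
    value: Optional[int] = None

def conflict_classes(ops):
    """Step 1: group operations by data item. Two operations can conflict only
    when they touch the same item and at least one of them is a write."""
    by_item = {}
    for op in ops:
        by_item.setdefault(op.item, []).append(op)
    return {item: grp for item, grp in by_item.items()
            if len(grp) > 1 and any(o.kind == "write" for o in grp)}

class Site:
    """One replica. It remembers the largest read and write timestamp seen per
    item and refuses any operation that would violate timestamp order."""
    def __init__(self, name):
        self.name = name
        self.data = {}
        self.read_ts = {}
        self.write_ts = {}
        self.log = []            # (tid, outcome) in arrival order, for the auditor

    def apply(self, op):
        rts = self.read_ts.get(op.item, 0)
        wts = self.write_ts.get(op.item, 0)
        if op.kind == "read":
            if op.ts < wts:                     # a younger write already landed here
                outcome = "rejected"
            else:
                self.read_ts[op.item] = max(rts, op.ts)
                outcome = "applied"
        else:
            if op.ts < rts:                     # a younger transaction already read the old value
                outcome = "rejected"
            elif op.ts < wts:                   # obsolete write: skip it (Thomas write rule)
                outcome = "ignored"
            else:
                self.data[op.item] = op.value
                self.write_ts[op.item] = op.ts
                outcome = "applied"
        self.log.append((op.tid, outcome))
        return outcome

def run_replicated(sites, arrival_order, clock):
    """Step 2: each site applies operations in its own arrival order. A transaction
    rejected at any site is aborted everywhere and resubmitted to all sites with a
    fresh, larger timestamp, so the retry can never be rejected again."""
    pending = {s.name: list(arrival_order[s.name]) for s in sites}
    while any(pending.values()):
        rejected = {}
        for site in sites:
            for op in pending[site.name]:
                if site.apply(op) == "rejected":
                    rejected.setdefault(op.tid, op)
            pending[site.name] = []
        for tid, op in rejected.items():
            clock += 1
            retry = Op(tid + "'", clock, op.kind, op.item, op.value)
            for site in sites:               # blind writes of a constant are idempotent here
                pending[site.name].append(retry)
    return {s.name: dict(s.data) for s in sites}

# Constructed transactions, stamped in submission order
OPS = [
    Op("T1", 1, "write", "x", 100),
    Op("T2", 2, "read", "x"),
    Op("T3", 3, "write", "x", 150),
    Op("T4", 4, "write", "y", 5),
    Op("T5", 5, "read", "y"),
]

def demo():
    """HQ receives the stream in order; the branch receives it delayed and reordered."""
    hq, branch = Site("hq"), Site("branch")
    order = {"hq": OPS, "branch": [OPS[2], OPS[0], OPS[1], OPS[4], OPS[3]]}
    states = run_replicated([hq, branch], order, clock=max(op.ts for op in OPS))
    return states, hq.log, branch.log

if __name__ == "__main__":
    print(demo())
```

At the branch the late write T1 is discarded as obsolete, and T2 and T4 are rejected because they arrive after younger operations on the same item; after the restart both sites hold x = 150 and y = 5, which is the "complete and accurate data at all user sites" the chapter defines concurrency as.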

CONTROLLING AND AUDITING DATA MANAGEMENT SYSTEMS


Access Controls
User View or Subschema
- is a subset of the total database that defines the user's data domain and provides access to the database.
Data Authorization Table
- contains rules that limit the actions a user can take.
User-Defined Procedure
- allows the user to create a personal security program or routine to provide more positive user identification than a single password.
Data Encryption
- protects sensitive stored data from being read by anyone who bypasses the DBMS and reaches the physical files.
Biometric Devices
- measure various personal characteristics, such as fingerprints, voice prints, retina prints, or signature characteristics.
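As an added example (not from the chapter or the textbook), a data authorization table and a user-defined procedure combined into one access decision in Python. The users, tables and actions in the authorization table, the enrolled password and the personal challenge question are all constructed; the "user-defined procedure" is modelled as a challenge/response the user registered, checked alongside the password with a salted, slow hash. Every decision, granted or denied, is appended to an audit log because a denied attempt is exactly what the auditor wants to see.

```python
import hashlib
import hmac
import os

# Constructed data authorization table: user -> table -> permitted actions.
# Anything not listed is denied (default deny).
AUTH_TABLE = {
    "ap_clerk": {"vendor": {"read"}, "invoice": {"read", "insert"}},
    "ap_super": {"vendor": {"read", "insert", "update"},
                 "invoice": {"read", "insert", "update", "delete"}},
    "auditor":  {"vendor": {"read"}, "invoice": {"read"}},
}

def is_authorized(user, action, table):
    """Rule lookup in the authorization table; unknown users or tables deny."""
    return action in AUTH_TABLE.get(user, {}).get(table, set())

def _derive(secret, salt):
    """Slow, salted hash so the stored verifiers are useless if the table leaks."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 100_000)

class Credential:
    """Password plus a user-defined procedure: a personal challenge/response the
    user registered at enrolment, which must also be answered correctly."""
    def __init__(self, password, challenges):
        self.salt = os.urandom(16)
        self.pw_hash = _derive(password, self.salt)
        self.challenges = {q: _derive(a.strip().lower(), self.salt)
                           for q, a in challenges.items()}

    def verify(self, password, question, answer):
        pw_ok = hmac.compare_digest(self.pw_hash, _derive(password, self.salt))
        expected = self.challenges.get(question)
        ch_ok = expected is not None and hmac.compare_digest(
            expected, _derive(answer.strip().lower(), self.salt))
        return pw_ok and ch_ok      # both always evaluated: no hint about which one failed

AUDIT_LOG = []   # every decision is recorded for the auditor

def request_access(user, cred, password, question, answer, action, table):
    """Identification first (password + user-defined procedure); only then does
    the authorization table decide whether this action on this table is allowed."""
    if not cred.verify(password, question, answer):
        decision = (user, action, table, "denied: identification failed")
    elif not is_authorized(user, action, table):
        decision = (user, action, table, "denied: not in authorization table")
    else:
        decision = (user, action, table, "granted")
    AUDIT_LOG.append(decision)
    return decision[3]

if __name__ == "__main__":
    cred = Credential("S3cret!", {"first pet": "Rex"})   # constructed enrolment
    print(request_access("ap_clerk", cred, "S3cret!", "first pet", "rex", "insert", "invoice"))
    print(request_access("ap_clerk", cred, "S3cret!", "first pet", "rex", "delete", "invoice"))
    print(AUDIT_LOG)
```

Identification and authorization are kept as separate checks on purpose: a correct password with a wrong challenge answer never reaches the authorization table, and a fully identified user is still limited to the actions the table lists.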
Chapter 5: Systems Development and Program Change Activities

PARTICIPANTS IN SYSTEMS DEVELOPMENT


System Professionals
End Users
Stakeholders
Accountants/Auditor

INFORMATION SYSTEMS ACQUISITION


Organizations acquire information systems in two ways:
In-House Development
- requires maintaining a full-time systems staff of analysts and programmers who identify user
information needs and satisfy their needs with custom systems.
Commercial Systems
Turnkey Systems
- are completely finished and tested systems that are ready for implementation. These are
often general-purpose systems or systems customized to a specific industry.
General Accounting Systems
- are designed to serve a wide variety of user needs.
- are designed in modules.
Special-Purpose Systems
- target selected segments of the economy.
Office Automation Systems
- are computer systems that improve the productivity of office workers.
Backbone Systems
- provide a basic system structure on which to build.
- come with all the primary processing modules programmed.
Vendor-Supported Systems
- are hybrids of custom systems and commercial software.

Advantages
Implementation Time
Cost
Reliability
Disadvantages
Independence
The need for customized systems
Maintenance

THE SYSTEMS DEVELOPMENT LIFE CYCLE (P,A,CSD,ES,DD,APT,SI)


Systems Planning—Phase I
- objective of systems planning is to link individual system projects or applications to the strategic
objectives of the firm.
-Steering Committee does Systems Planning

Level of System Planning


Strategic System Planning
- involves the allocation of systems resources at the macro level. It usually deals with a time frame of 3 to 5 years.

Four justifications for strategic system planning


1. A plan that changes constantly is better than no plan at all
2. Strategic planning reduces the crisis component in systems development.
3. Strategic systems planning provides authorization control for the SDLC.
4. Cost Management
Project Planning
- allocate resources to individual applications within the framework of the strategic plan

Project Proposal
-provides management with a basis for deciding whether to proceed with the
project.
Project Schedule
-represents management’s commitment to the project.

Systems Analysis- Phase II


Is a two-step process namely:
The Survey Step
Disadvantages
-Current physical tar pit
-Thinking inside the box
Advantages
-Identifying what aspects of the old system should be kept.
-Forcing systems analyst to fully understand the system
- Isolating the root of the problem symptoms

Gathering Facts (classes of facts)

- Data sources
- Data stores
- Processes
- Data flows
- Controls
- Transaction volumes
- Error rates
- Resource costs
- Bottlenecks and redundant operations

Fact-Gathering Techniques

- Observation
- Task participation
- Personal interviews (open-ended questions, questionnaires)
- Reviewing key documents (organization charts, job descriptions, accounting records, chart of accounts, policy statements)

The Analysis Step


-Systems analysis is an intellectual process that is commingled with fact gathering.

System Analysis Report

- this report presents to management or the steering committee the survey findings, the problems identified with the current system, the user's needs, and the requirements of the new system.
- does not specify the detailed design of the proposed system.

Conceptual Systems Design - Phase III
- to produce several alternative conceptual systems that satisfy the system requirements identified during systems analysis.

Two Approaches to Conceptual Systems Design


The Structured Design
- is a disciplined way of designing systems from the top down.
- starts with the "big picture" of the proposed system, which is gradually decomposed into more and more detail until it is fully understood.
- uses data flow diagrams (DFD) and structure diagrams to show the top-down decomposition of a hypothetical business process.
The Object-Oriented Design
- the object-oriented design (OOD) approach is to build information systems from reusable standard components or objects.
- this approach may be equated to the process of building an automobile from standard parts.
- the concept of reusability is central to the object-oriented approach to systems design.

System Evaluation and Selection- Phase IV


- The systems evaluation and selection phase is an optimization process that seeks to identify the
best system

Involves two steps


1. Perform a Detailed Feasibility Study
1.1 Technical Feasibility - concerned with whether the system can be developed under existing technology or if new technology is required.
1.2 Economic Feasibility - pertains to the availability of funds to complete the project.
1.3 Legal Feasibility - identifies any conflicts between the conceptual system and the company's ability to discharge its legal responsibilities.
1.4 Operational Feasibility - shows the degree of compatibility between the firm's existing procedures and personnel skills and the operational requirements of the new system.
1.5 Schedule Feasibility - relates to the firm's ability to implement the project within an acceptable time.

2. Perform a Cost-Benefit Analysis


2.1 Identify Cost
2.1.1 One-time Cost - initial investment to develop and implement the system.
2.1.1.1 Hardware Acquisition
2.1.1.2 Site Preparation
2.1.1.3 Software Acquisition
2.1.1.4 Systems Designs
2.1.1.5 Programming and Testing
2.1.1.6 Data conversion
2.1.1.7 Training
2.1.2 Recurring Cost- includes operating and maintenance cost that recur over the life of the
system.
2.1.2.1 Hardware Maintenance
2.1.2.2 Software Maintenance
2.1.2.3 Insurance
2.1.2.4 Supplies
2.1.2.5 Personnel Cost
2.2 Identify the Benefits
2.2.1 Tangible Benefits
2.2.1.1 those that increase the revenue
2.2.1.2 those that reduce costs.
2.2.2 Intangible Benefits
2.2.2.1 Increased Customer Satisfaction
2.2.2.2 Improved employee satisfaction
2.2.2.3 More Current Information
2.2.2.4 Improved Decision making
2.2.2.5 Faster response to competitor actions
2.2.2.6 More efficient operations
2.2.2.7 Better internal and external communications
2.2.2.8 Improved planning
2.2.2.9 Operational flexibility
2.2.2.10 Improved control environment
2.3 Compare Cost and Benefits
2.3.1 Net present Value – cost is deducted from present value of the benefits over the life of
the system.
2.3.2 Payback Method- is a variation of break-even analysis.
- The break-even pointisreached when total costs equal total
benefits.
2.4 Prepare System Selection Report
- This formal document consists of a revised feasibility study, a cost-benefit analysis, and a list
and explanation of intangible benefits for each alternative design
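As an added example (not from the chapter or the textbook), the two comparison methods in 2.3 worked through in Python for two constructed alternatives over a five-year life: NPV discounts each year's net benefit back to year 0 and deducts the one-time cost, while the payback method reports the first year in which cumulative benefits catch up with cumulative costs. The cost and benefit figures and the 10% discount rate are assumptions chosen so that the two methods disagree, which is the situation a selection report has to argue through.

```python
def npv(rate, one_time_cost, recurring_costs, annual_benefits):
    """Net present value: discount each year's (benefit - recurring cost) back to
    year 0 and subtract the one-time cost, which is paid up front."""
    if len(recurring_costs) != len(annual_benefits):
        raise ValueError("one recurring cost and one benefit figure per year")
    value = -one_time_cost
    for year, (cost, benefit) in enumerate(zip(recurring_costs, annual_benefits), start=1):
        value += (benefit - cost) / (1 + rate) ** year
    return round(value, 2)

def payback_year(one_time_cost, recurring_costs, annual_benefits):
    """Break-even (payback) year: the first year in which cumulative undiscounted
    benefits equal or exceed cumulative costs; None if never within the horizon."""
    cumulative = -one_time_cost
    for year, (cost, benefit) in enumerate(zip(recurring_costs, annual_benefits), start=1):
        cumulative += benefit - cost
        if cumulative >= 0:
            return year
    return None

# Constructed alternatives over a five-year system life
ALTERNATIVES = {
    "A: in-house build": {
        "one_time": 300_000,                       # design, programming, conversion
        "recurring": [40_000] * 5,                 # maintenance, supplies, personnel
        "benefits": [140_000] * 5,                 # cost reductions and added revenue
    },
    "B: turnkey package": {
        "one_time": 100_000,
        "recurring": [30_000] * 5,
        "benefits": [90_000, 90_000, 50_000, 50_000, 50_000],   # early gains that fade
    },
}

def compare(alternatives, rate):
    """NPV and payback year for each alternative at the given discount rate."""
    return {
        name: {
            "npv": npv(rate, a["one_time"], a["recurring"], a["benefits"]),
            "payback": payback_year(a["one_time"], a["recurring"], a["benefits"]),
        }
        for name, a in alternatives.items()
    }

def best_by_npv(alternatives, rate):
    results = compare(alternatives, rate)
    return max(results, key=lambda name: results[name]["npv"])

if __name__ == "__main__":
    for name, figures in compare(ALTERNATIVES, 0.10).items():
        print(name, figures)
```

Here alternative B pays back a year earlier but A has the larger NPV; the payback method ignores everything after break-even and ignores the time value of money, so the selection report should lead with NPV and present payback as a liquidity and risk indicator.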

Detailed Design - Phase V

- produces a detailed description of the proposed system that satisfies the system requirements identified during systems analysis and conforms to the conceptual design selected in Phase IV.

Perform a System Design Walk-Through

- ensures that the design is free from conceptual errors that could become programmed into the final system.
- a quality assurance group simulates the operation of the system to uncover errors, omissions, and ambiguities in the design.
Review System Documentation
- the detailed design report documents the system to this point.
- the report includes:
o Designs for all screen inputs and source documents for the system.
o Designs of all screen outputs, reports, and operational documents.
o Normalized data for database tables, specifying all data elements.
o Database structures and diagrams: Entity relationship (ER) diagrams describing
the data relations in the system, context diagrams for the overall system, low-
level dataflow diagrams of specific system processes, structure diagrams for the
program modules in the system—including a pseudocode description of each module.
o An updated data dictionary describing each data element in the database.
o Processing logic (flow charts)

Application Programming and Testing –Phase VI


Program the Application Software
Procedural Languages- requires the programmer to specify the precise order in which the
program logic is executed.
Event-Driven Languages- Under this model, the program’s code is not executed in a predefined
sequence. Instead, external actions or “events” that are initiated by
the user dictate the control flow of the program.
Object- Oriented Languages- The most popular true OOP languages are Java and
Smalltalk. However, the learning curve of OOP languages is
steep
Programming the System- modern programs should follow a modular approach. This
technique produces small programs that perform narrowly defined
tasks.
Three benefits associated with modular programming:
Programming Efficiency
Maintenance Efficiency
Control
Test the Application Software
Testing Methodology-
Testing Offline before Deploying Online
Test Data

System Implementation-Phase VII


- database structures are created and populated with data, equipment is purchased and installed,
employees are trained, the system is documented, and the new system is installed.

Testing the Entire System


Documenting the System - provides the auditor with essential information about how the system works.
Designer and Programmer Documentation - used to debug errors and perform maintenance on the system.
Operator Documentation - operators use documentation called a run manual, which describes how to run the system.
User Documentation
Classifications:
Novice
Occasional Users
Frequent light Users
Frequent power users

User Handbook
Tutorials
Help Features

Converting the Databases


- is a critical step in the implementation phase.
-This is the transfer of data from its current form to the format or medium required by
the new system.

Precautions:
Validation- The old database must be validated before conversion.
- This requires analyzing each class of data to determine whether it should be
reproduced in the new database
Reconciliation- the new database must be reconciled against the original.
Back-up – Copies of the original file must be kept as back-up against discrepancies in the
Converted data

Converting to the New System


- The process of converting from the old system to the new one is called the cutover.

Cold Turkey Cutover (also called the "Big Bang" approach)

- the firm switches to the new system and simultaneously terminates the old system.
- is akin to skydiving without a reserve parachute.
Phased Cutover
- begins operating the new system in modules.
- by phasing in the new system in modules, we reduce the risk of a devastating system failure.
Parallel Operation Cutover
- involves running the old system and the new system simultaneously for a period of time.
Systems Maintenance - Phase VIII
- is a formal process by which application programs undergo changes to accommodate changes in user needs.

CONTROLLING AND AUDITING THE SDLC
Controllable activities pertaining to authorization, development and implementation:
Systems Authorization Activities
- all systems must be properly authorized to ensure their economic justification and feasibility.
User Specification Activities
- the user can and should provide a detailed written description of the logical needs that must be satisfied by the system.
Technical Design Activities
- translate the user specifications into a set of detailed technical specifications of a system that meets the user's needs.
Internal Audit Participation
- the internal auditor can serve as a liaison between users and the systems professionals to ensure an effective transfer of knowledge.
User Test and Acceptance Procedures
- the formal testing and acceptance of the system by the user is considered by many auditors to be the most important control over the SDLC.

Controlling Systems Maintenance

Maintenance Authorization, Testing, and Documentation
Source Program Library Controls
- in larger computer systems, application program source code is stored on magnetic disks called the source program library (SPL).

A Controlled SPL Environment


-Password Control
-Separate Test Libraries
-Audit Trail and Management Reports
-Program Version Numbers
- Controlling Access to Maintenance Commands

Audit Procedures Related to System Maintenance


-Identify Unauthorized Changes
Reconcile program version numbers
Confirm Maintenance Authorization
-Identify Application Errors
Reconcile the source code
Review test results
Retest the program
-Test Access to Libraries
Review programmer authority tables
Test authority table
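As an added example (not from the chapter or the textbook), three of the audit procedures above automated in Python against a small constructed SPL: reconciling program version numbers with approved maintenance requests, reconciling the source actually in the production library against the hash recorded at the last authorized change, and reviewing the programmer authority table for write access to the production library. The program sources, catalog entries, change-request numbers and user names are all constructed; the convention that version 1 is the original implementation and each approved request adds one is an assumption made so the version check has something to reconcile against.

```python
import hashlib

def sha256_hex(source):
    return hashlib.sha256(source.encode("utf-8")).hexdigest()

# Constructed program sources as they were at the last authorized change
AP_POST_V3  = "PROGRAM AP_POST.\n  PERFORM VALIDATE-VENDOR.\n  PERFORM POST-INVOICE.\n"
GL_CLOSE_V2 = "PROGRAM GL_CLOSE.\n  PERFORM ROLL-BALANCES.\n"
PAYROLL_V5  = "PROGRAM PAYROLL.\n  PERFORM GROSS-TO-NET.\n  PERFORM PRINT-CHECKS.\n"

# What the SPL management system recorded: version number and hash of the approved source
SPL_CATALOG = {
    "AP_POST":  {"version": 3, "sha256": sha256_hex(AP_POST_V3)},
    "GL_CLOSE": {"version": 2, "sha256": sha256_hex(GL_CLOSE_V2)},
    "PAYROLL":  {"version": 5, "sha256": sha256_hex(PAYROLL_V5)},
}

# Approved maintenance requests (assumed convention: version n needs n - 1 requests)
APPROVED_REQUESTS = {
    "AP_POST":  ["CR-0411", "CR-0418"],
    "GL_CLOSE": ["CR-0402"],
    "PAYROLL":  ["CR-0390", "CR-0395", "CR-0399"],   # only three: version 5 needs four
}

# Source sitting in the production library today (GL_CLOSE has an extra, unapproved line)
PRODUCTION_LIBRARY = {
    "AP_POST":  AP_POST_V3,
    "GL_CLOSE": GL_CLOSE_V2 + "  PERFORM MOVE-SUSPENSE-TO-OWN-ACCT.\n",
    "PAYROLL":  PAYROLL_V5,
}

# Programmer authority table: user -> library -> permissions
AUTHORITY_TABLE = {
    "prog_alice": {"TEST_LIB": {"read", "write"}},
    "prog_bob":   {"TEST_LIB": {"read", "write"}, "PROD_LIB": {"write"}},
    "librarian":  {"PROD_LIB": {"read", "write"}},
}
PROGRAMMERS = {"prog_alice", "prog_bob"}

def reconcile_versions(catalog, approved):
    """Confirm maintenance authorization: every version step needs an approved request."""
    findings = []
    for prog, rec in catalog.items():
        expected = 1 + len(approved.get(prog, []))
        if rec["version"] != expected:
            findings.append((prog, f"version {rec['version']} but authorization supports {expected}"))
    return findings

def reconcile_source(catalog, library):
    """Identify unauthorized changes: hash the library copy and compare with the catalog."""
    findings = []
    for prog, rec in catalog.items():
        current = library.get(prog)
        if current is None:
            findings.append((prog, "missing from production library"))
        elif sha256_hex(current) != rec["sha256"]:
            findings.append((prog, "source differs from authorized version"))
    return findings

def check_library_access(authority, programmers):
    """Test access to libraries: programmers may write only to the test library."""
    return [(user, "programmer holds write access to PROD_LIB")
            for user in sorted(programmers)
            if "write" in authority.get(user, {}).get("PROD_LIB", set())]

def audit_spl():
    """Run all three procedures and return the combined findings, sorted for the workpapers."""
    return sorted(reconcile_versions(SPL_CATALOG, APPROVED_REQUESTS)
                  + reconcile_source(SPL_CATALOG, PRODUCTION_LIBRARY)
                  + check_library_access(AUTHORITY_TABLE, PROGRAMMERS))

if __name__ == "__main__":
    for finding in audit_spl():
        print(*finding)
```

The hash comparison is what makes the source reconciliation meaningful: a version number alone can be left untouched by someone editing the production copy directly, which is also why the third check treats any programmer with write access to the production library as a finding regardless of what the version records say.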
