CHAPTER 1: AUDITING, ASSURANCE, &
INTERNAL CONTROL
AUDITING
Auditing is a systematic process of objectively
obtaining and evaluating evidence regarding
assertions about economic actions and events to
ascertain the degree of correspondence between
those assertions and establishing criteria and
communicating the results to interested users.
INTERNAL AUDITS
Internal auditing: independent appraisal function
established within an organization to examine and
evaluate its activities as a service to the organization
• Financial Audits
• Operational Audits
• Compliance Audits
• Fraud Audits
• IT Audits
✓ CIA
✓ IIA
IT AUDITS
• IT audits: provide audit services where
processes or data, or both, are embedded in
technologies.
• Subject to ethics, guidelines, and standards
of the profession (if certified)
CISA
Most closely associated with ISACA
• Joint with internal, external, and fraud audits
• Scope of IT audit coverage is increasing
• Characterized by CAATTs
• IT governance as part of corporate
governance
FRAUD AUDITS
• Fraud audits: provide investigation services
where anomalies are suspected, to develop
evidence to support or deny fraudulent
activities.
• Auditor is more like a detective
• No materiality
• Goal is conviction, if sufficient evidence of
fraud exists
✓ CFE
✓ ACFE
EXTERNAL AUDITS
• External auditing: Objective is that in all
material respects, financial statements are a
By: Roxy <333
fair representation of organization’s
transactions and account balances.
✓ SEC’s role
✓ Accountancy Act of 2004
✓ PRC-BOA
CPA
EXTERNAL vs. INTERNAL
External auditing:
o Independent auditor (CPA)
o Independence defined by SEC/S-OX/AIC
o Required by SEC for publicly traded
companies
o Referred to as a “financial audit”
o Represents interests of outsiders, “the
public” (e.g., stockholders)
o Standards, guidance, certification governed
by PICPA, PRC-BOA, SEC; delegated by
SEC who has final authority
Internal auditing:
o Auditor (often a CIA or CISA)
o Is an employee of organization imposing
independence on self
o Optional per management requirements
o Broader services than financial audit; (e.g.,
operational audits)
o Represent interests of the organization
o Standards, guidance, certification governed
by IIA and ISACA
FINANCIAL AUDITS
• An independent attestation performed by an
expert (i.e., an auditor, a CPA) who
expresses an opinion regarding the
presentation of financial statements
• Key concept: Independence
• {Should be} Similar to a trial by judge
• Culmination of systematic process
involving:
✓ Familiarization with the organization’s
business
✓ Evaluating and testing internal controls
✓ Assessing the reliability of financial data
• Product is formal written report that
expresses an opinion about the reliability of
the assertions in financial statements; in
conformity with GAAP
ATTEST definition
✓ Written assertions
✓ Practitioner’s written report
 ✓ Formal establishment of measurement .05 = .4 * .6 * DR
criteria or their description ... then DR=4.8%
✓ Limited to: ▪ Why is AR = 5%?
▪ Examination ▪ What is detection risk?
▪ Review ▪ Can CR realistically be 0?
▪ Application of agreed-upon procedures ▪ Relationship between DR and substantive
AUDITS procedures
• Systematic process ▪ Relationship between tests of controls and
• Five primary management assertions, and substantive tests
correlated audit objectives and procedures o Illustrate higher reliability of the internal
✓ Existence or Occurrence controls and the Audit Risk Model
✓ Completeness o What happens if internal controls are
✓ Rights & Obligations more reliable than last audit
✓ Valuation or Allocation o Last year: .05 = .4 * .6 * DR [DR = 4.8]
✓ Presentation or Disclosure o This year: .05 = .4 * .4 * DR [DR = 3.2]
➢ Phases [Figure 1-3] o The more reliable the internal controls,
1. Planning the lower the CR probability; thus the
2. Obtaining evidence lower the DR will be, and fewer
✓ Tests of Controls substantive tests are necessary.
✓ Substantive Testing o Substantive tests are labor intensive
o CAATTs
o Analytical procedures Role of Audit Committee
3. Ascertaining reliability • Selected from board of directors
✓ MATERIALITY • Usually three members
4. Communicating results • Outsiders (SEC now requires it)
✓ Audit opinion • Fiduciary responsibility to shareholders
• Serve as independent check and balance
Audit Risk Formula system
AUDIT RISK: • Interact with internal auditors
▪ The probability that the auditor will give an • Hire, set fees, and interact with external
inappropriate opinion on the financial auditors
statements: that is, that the statements will • Resolved conflicts of GAAP between
contain materials misstatement(s) which the external auditors and management
auditor fails to find What is an IT Audit?
INHERENT RISK: o most accounting transactions to be in
▪ The probability that material misstatements electronic form without any paper
have occurred documentation because electronic storage is
✓ Material vs. Immaterial more efficient. These technologies greatly
▪ Includes economic conditions, etc. change the nature of audits, which have so
▪ Relative risk (e.g., cash) long relied on paper documents.
CONTROL RISK:
▪ The probability that the internal controls will THE IT ENVIRONMENT
fail to detect material misstatements • There has always been a need for an
DETECTION RISK:
effective internal control system.
▪ The probability that the audit procedures
• The design and oversight of that system has
will fail to detect material misstatements
typically been the responsibility of
▪ Substantive procedures
accountants.
AUDIT RISK MODEL:
• The I.T. Environment complicates the paper
▪ AR = IR * CR * DR
systems of the past.
▪ example inventory with:
o Concentration of data
IR=40%, CR=60%, AR=5% (fixed)
By: Roxy <333
 o Expanded access and linkages ✓ Monitoring
o Increase in malicious activities in systems ✓ Control activities
vs. paper #1:Control Environment -- elements
o Opportunity that can cause management ▪ The integrity and ethical values
fraud (i.e., override) ▪ Structure of the organization
• Audit planning ▪ Participation of audit committee
• Tests of controls ▪ Management’s philosophy and style
• Substantive test ▪ Procedures for delegating
CAATTs ▪ Management’s methods of assessing
performance
INTERNAL CONTROL ▪ External influences
is policies, practices, procedures designed to … ▪ Organization’s policies and practices for
• safeguard assets managing human resources
• ensure accuracy and reliability #1: Control Environment – Techniques
• promote efficiency ▪ Assess the integrity of organization’s
management
• measure compliance with policies
▪ Conditions conducive to management fraud
▪ Understand client’s business and industry
BRIEF HISTORY - COSO
▪ Determine if board and audit committee are
Committee on Sponsoring Organizations - 1992
actively involved
1. AICPA, AAA, FEI, IMA, IIA
▪ Study organization structure
2. Developed a management perspective model
#2: Risk Assessment
for internal controls over a number of year
▪ Changes in environment
3. Is widely adopted
▪ Changes in personnel
▪ Changes in I.S.
EXPOSURES AND RISK
▪ New IT’s
• Exposure - Absence or weakness of a
▪ Significant or rapid growth
control
▪ New products or services (experience)
• Risks - Potential threat to compromise use
▪ Organizational restructuring
or value of organizational assets
▪ Foreign markets
Types of risk
▪ New accounting principles
▪ Destruction of assets
▪ Theft of assets
#3:Information & Communication-Elements
▪ Corruption of information or the I.S.
▪ Initiate, identify, analyze, classify and record
▪ Disruption of the I.S.
economic transactions and events.
THE P-D-C MODEL ▪ Identify and record all valid economic
▪ Preventive controls transactions
▪ Detective controls ▪ Provide timely, detailed information
▪ Corrective controls ▪ Accurately measure financial values
✓ Which is most cost effective? ▪ Accurately record transactions
✓ Which one tends to be proactive measures? ▪ Auditors obtain sufficient knowledge of
✓ Can you give an example of each? I.S.’s to understand:
▪ Predictive controls ✓ Classes of transactions that are
material
Consideration of Internal Control in a Financial ✓ Accounting records and accounts used
Statement Audit ✓ Processing steps:initiation to inclusion
▪ COSO in financial statements (illustrate)
✓ The control environment ✓ Financial reporting process (including
✓ Risk assessment disclosures)
✓ Information & communication
By: Roxy <333
#4: Monitoring ▪ The integrity of the AIS
▪ By separate procedures (e.g., tests of ▪ The integrity of the data in the
controls) record
▪ By ongoing activities (Embedded Audit ▪ Examples
Modules – EAMs and Continuous Online IT Risks Model
▪ Auditing - COA) • Operations
#5: Control Activities • Data management systems
• New systems development
• Systems maintenance
• Electronic commerce (The Internet)
• Computer applications

CHAPTER 2: AUDITING IT GOVERNANCE

CONTROLS
STRUCTURING THE IT FUNCTION
• Centralized data processing
• Organizational chart
✓ Database administrator (DBA)
✓ Data processing manager/dept.
o Data control
Physical Controls (1-3) o Data preparation/conversion
1. Transaction authorization o Computer operations
Example: o Data library
• Sales only to authorized customer • Systems development & Systems
maintenance
• Sales only if available credit limit
✓ Participants
2. Segregation of duties
✓ End users
Examples of incompatible duties:
✓ IS professionals
• Authorization vs. processing [e.g.,
✓ Auditors
Sales vs. Auth. Cust.]
✓ Other stakeholders
• Custody vs. recordkeeping [e.g., Segregation of incompatible IT functions
custody of inventory vs. DP of
• Objectives:
inventory]
✓ Segregate transaction authorization from
• Fraud requires collusion [e.g., separate transaction processing
various steps in process] ✓ Segregate record keeping from asset
3. Supervision custody
• Serves as compensating control when ✓ Divide transaction processing tasks among
lack of segregation of duties exists by individuals such that short of collusion
necessity between two or more individuals would not
Physical Controls (4-6) be possible.
4. Accounting records (audit trails; examples)
5. Access controls SEGREGATION OF INCOMPATIBLE IT
• Direct (the assets) FUNCTIONS
• Indirect (documents that control the 1. Separating systems development from
assets) computer operations
• Fraud 2. Separating DBA from other functions
• Disaster Recovery ▪ DBA is responsible for several critical tasks:
6. Independent verification ✓ Database security
• Management can assess: ✓ Creating database schema and user view
▪ The performance of individuals
By: Roxy <333
 ✓ Assigning database access authority to
users
✓ Monitoring database usage
✓ Planning for future changes
3. Segregate data library from operations
▪ Physical security of off-line data files
▪ Implications of modern systems on use of
data library:
✓ Real-time/online vs. batch processing
✓ Volume of tape files is insufficient to justify
full-time librarian
✓ Alternative: rotate on ad hoc basis
✓ Custody of on site data backups
✓ Custody of original commercial software and
licenses
4. Segregate Systems Development from
Maintenance
▪ Two types of improvements from this
approach:
1. Better documentation standards - Necessary
for transfer of responsibility
2. Deters fraud - Possibility of being
discovered
STRUCTURING THE IT FUNCTION
Audit objectives
▪ Risk assessment
▪ Verify incompatible areas are properly
segregated
✓ How would an auditor accomplish this
objective?
▪ Verify incompatible areas are properly
segregated
▪ Verify formal vs. informal relationships exist
between incompatible tasks
✓ Why does it matter?
Segregation of incompatible IT functions
▪ Audit procedures:
✓ Obtain and review security policy
✓ Verify policy is communicated
✓ Review relevant documentation (org.
chart, mission statement, key job
descriptions)
✓ Review systems documentation and
maintenance records (using a sample)
✓ Verify whether maintenance
programmers are also original design
programmers
✓ Observe segregation policies in practice
✓ Review operations room access log
✓ Review user rights and privileges
By: Roxy <333
The distributed model
▪ Distributed Data Processing (DDP)
▪ Alternative A: centralized
▪ Alternative B: decentralized / network
▪ Risks associated with DDP
✓ Inefficient use of resources
✓ Mismanagement of resources by end users
✓ Hardware and software incompatibility
✓ Redundant tasks
✓ Destruction of audit trails
✓ Inadequate segregation of duties
✓ Hiring qualified professionals
✓ Increased potential for errors
✓ Programming errors and system failures
✓ Lack of standards
▪ Advantages of DDP
✓ Cost reduction
✓ End user data entry vs. data control group
✓ Application complexity reduced
✓ Development and maintenance costs
reduced
✓ Improved cost control responsibility
✓ IT critical to success then managers must
control the technologies
✓ Improved user satisfaction
✓ Increased morale and productivity
✓ Backup flexibility
✓ Excess capacity for Disaster Recovery
Planning (DRP)
▪ Controlling the DDP environment
✓ Need for careful analysis
✓ Implement a corporate IT function
Central systems development
o Acquisition, testing, and
implementation of commercial software
and hardware
User services
o Help desk: technical support, FAQs,
chat room, etc.
Standard-setting body
Personnel review
o IT staff
✓ Audit objectives:
o Conduct a risk assessment
o Verify the distributed IT units employ
entity-wide standards of performance that
promotes compatibility among hardware,
operating software, applications, and data
✓ Audit procedures:
 o Verify corporate policies and standards
are communicated
o Review current organization chart,
mission statement, key job descriptions to
determine if any incompatible duties exist
o Verify compensating controls are in place
where incompatible duties do exist
o Review systems documentation
o Verify access controls are properly
established
THE COMPUTER CENTER
Computer center controls
• Physical location
✓ Avoid human-made and natural hazards
✓ Example: Chicago Board of Trade
• Construction
✓ Ideally: single-story, underground utilities,
windowless, use of filters
✓ If multi-storied building, use top floor
(away from traffic flows, and potential
flooding in a basement)
• Access
✓ Physical: Locked doors, cameras
✓ Manual: Access log of visitors
• Air conditioning
✓ Especially mainframes
✓ Amount of heat even from a group of PCs
• Fire suppression
✓ Automatic: usually sprinklers
✓ Gas, such as halon, that will smother fire
by removing oxygen can also kill anybody
trapped there
✓ Sprinklers and certain chemicals can
destroy the computers and equipment
✓ Manual methods
• Power supply
✓ Need for clean power, at a acceptable level
✓ Uninterrupted power supply
Audit objectives
• Verify physical security controls are
reasonable
• Verify insurance coverage is adequate
• Verify operator documentation is adequate
in case of failure
Audit procedures
• Tests of physical construction
• Tests of fire detection
• Tests of access control
• Tests of backup power supply
By: Roxy <333
• Tests for insurance coverage
• Tests of operator documentation controls
SYSTEM-WIDE CONTROLS
Disaster recovery planning (DRP)
• Critical applications identified and ranked
• Create a disaster recovery team with
responsibilities
• Site backup
✓ “Hot site” – Recovery Operations Center
✓ “Cold site” – empty shell
✓ Mutual aid pact
✓ Internally provided backup
✓ Other options
• Hardware backup
• Software backup: operating system
• Software backup: application software
(based on critical application step)
• Data backup
• Supplies (on site)
• Documentation (on site)
✓ User manuals
✓ System and software technical manuals
• Test!
Disaster Recovery Plan
1. Critical Applications – Rank critical
applications so an orderly and effective
restoration of computer systems is possible.
2. Create Disaster Recovery Team – Select team
members, write job descriptions, describe
recovery process in terms of who does what.
3. Site Backup – a backup site facility including Fault tolerance
appropriate furniture, housing, computers, and • 44% of time IS unavailable is due to system
telecommunications. Another valid option is a failures!
mutual aid pact where a similar business or • Controls
branch of same company swap availability ✓ Redundant systems or parts
when needed. ✓ RAID (Redundant Array of Independent
4. Site Backup – a backup site facility including Risks)
appropriate furniture, housing, computers, and ✓ Uninterrupted Power Supply (UPS)
telecommunications. Another valid option is a ✓ Multiprocessors
mutual aid pact where a similar business or Audit objective
branch of same company swap availability • To ensure the organization is employing an
when needed. appropriate level of fault tolerance
5. System Software Backup – Some hot sites Audit procedures
provide the operating system. If not included in • Verify proper level of RAID devices
the site plan, make sure copies are available at • Review procedures for recovery from
the backup site system failure
6. Application Software Backup – Make sure • Verify boot disks are secured
copies of critical applications are available at
the backup site CHAPTER 3: AUDITING OPERATING
7. Data Backup – One key strategy in backups is SYSTEMS AND NETWORKS
to store copies of data backups away from the
business campus, preferably several miles away Operating system performs three main tasks:
or at the backup site. Another key is to test the
• Translates high-level languages into machine-
restore function of data backups before a crisis. level language. (Compilers & Interpreters)
8. Supplies – A modicum inventory of supplies
• Allocates computer resources to users,
should be at the backup site or be able to be
workgroups & applications.
delivered quickly.
• Manages tasks of job scheduling and
9. Documentation – An adequate set of copies of
multiprogramming.
user and system documentation.
1) computer operator
10. TEST! – The most important element of an
2) various job queues
effective Disaster Recovery Plan is to test it
3) telecommunications
before a crisis occurs, and to test it periodically
(e.g., once a year)
OPERATING SYSTEMS PC
Audit objectives
• Verify management’s DRP is adequate
Audit procedures
• Verify a second-site backup is adequate
• Review the critical application list for
completeness
• Verify backups of application software are
stored off-site
• Verify that critical data files are backed up
and readily accessible to DRP team
• Verify resources of supplies, documents, and
documentation are backed up and stored off-
site
• Verify that members listed on the team
roster are current employees and that they
are aware of their responsibilities
By: Roxy <333

SMARTPHONES
OPERATING SYSTEM SECURITY
• Log-On Procedure
✓ first line of defense--user IDs and passwords
• Access Token
✓ contains key information about user
• Access Control List
✓ defines access privileges of users
• Discretionary Access Control / Privileges
✓ allows User to grant access to another user
OTHER GOOD SECURITY POLICIES
• Formalized procedures for software
acquisition
• Security clearances of prospective employees
• Formal acknowledgment by users of their
responsibilities to company
• Security group to monitor security violations
• Formal policy for taking disciplinary action
against security violators
THREATS TO OPERATING SYSTEM
INTEGRITY
• Privileged Personnel Abusing their
Authority
o Systems Administrators & programmers
must be given unlimited access to the OS to
perform maintenance.
• Browsing
o looking through memory for sensitive
information (e.g., in printer queue)
• Masquerading
o pretend to be authorized user by getting ID
and passwords – shoulder surfing
o The most common method to get your
password is for someone to look over your
shoulder! Make sure your password is a
By: Roxy <333
combination of upper/lower case letters,
numbers, special characters.
• Virus & Worms
o foreign programs that spread through system
o virus must attach to another program, worms
are self-contained
• Trojan Horse
o foreign program that conceals itself with
another legitimately imported program
• Logic Bomb
o foreign programs triggered by specific event
• Back Door
o alternative entry into system
o Intentional (programmers)
o Security hole
OPERATING SYSTEMS CONTROLS
Access Privileges
• Audit objectives: verify that access privileges are
consistent with separation of incompatible
functions and organization policies
• Audit procedures: review or verify…
✓ policies for separating incompatible functions
✓ a sample of user privileges, especially access
to data and programs
✓ security clearance checks of privileged
employees
✓ formally acknowledgements to maintain
confidentiality of data
✓ users’ log-on times
Password Control
• Audit objectives: ensure adequacy and
effectiveness password policies for controlling
access to operating system
• Audit procedures: review or verify…
✓ passwords required for all users
✓ password instructions for new users
✓ passwords changed regularly
✓ password file for weak passwords
✓ encryption of password file
✓ password standards
✓ account lockout policies
Audit Trail Controls
• Audit objectives: whether used to (1) detect
unauthorized access, (2) facilitate event
reconstruction, and (3) promote accountability
• Audit procedures: review or verify…
✓ how long audit trails have been in place
 ✓ archived log files for key indicators
✓ monitoring and reporting of security
violations
Malicious & Destructive Programs
• Audit objectives: verify effectiveness of
procedures to protect against programs such as
viruses, worms, back doors, logic bombs, and
Trojan horses (refer to list)
• Audit procedures: review or verify…
✓ training of operations personnel concerning
destructive programs
✓ testing of new software prior to being
implemented
✓ currency of antiviral software and frequency
of upgrades
INTERNET AND INTRANET RISKS
• Communications is a unique aspect of the
computer networks:
o different than processing (applications) or
data storage (databases)
• Network topologies – configurations of:
o communications lines (twisted-pair wires,
coaxial cable, microwaves, fiber optics)
o hardware components (modems,
multiplexers, servers, front-end
processors)
o software (protocols, network control
systems)
INTERNET RISKS
1. DOS Attack
o In a DOS Attack, the sender sends hundreds
of messages, receives the SYN/ACK packet,
but does not response with an ACK packet.
This leaves the receiver with clogged
transmission ports, and legitimate messages
cannot be received.
By: Roxy <333
2. SMURF & SYN ATTACK
SOURCES OF INTERNET & INTRANET
RISKS
Internal and external subversive activities
Audit objectives:
✓ prevent and detect illegal internal and Internet
network access
✓ render useless any data captured by a
perpetrator
✓ preserve the integrity and physical security of
data connected to the network
Equipment failure
✓ Audit objective: the integrity of the
electronic commerce transactions by
determining that controls are in place to detect
and correct message loss due to equipment
failure
IC for Subversive Threats
Firewalls provide security by channeling all
network connections through a control gateway.
• Network level firewalls
o Low cost and low security access control
o Do not explicitly authenticate outside users
o Filter junk or improperly routed messages
o Experienced hackers can easily penetrate the
system
• Application level firewalls
o Customizable network security, but
expensive
o Sophisticated functions such as logging or
user authentication
• Denial-of-service (DOS) attacks
 o Security software searches for connections
which have been half-open for a period of
time.
• Encryption
o Computer program transforms a clear
message into a coded (cipher) text form
using an algorithm
✓ Private Encryption
✓ Triple DES Encryption (EEE3 & EDE3)
✓ Public Key Encryption
✓ RSA
✓ Digital Envelope = RSA + DES
Standard Data Encryption Technique
IC for Subversive Threats
• Digital signature – electronic authentication
technique to ensure that…
✓ transmitted message originated with the
authorized sender
✓ message was not tampered with after the
signature was applied
• Digital certificate – like an electronic
identification card used with a public key
encryption system
✓ Verifies the authenticity of the message
sender
• Message sequence numbering – sequence
number used to detect missing messages
• Message transaction log – listing of all
incoming and outgoing messages to detect the
efforts of hackers
• Request-response technique – random control
messages are sent from the sender to ensure
messages are received
• Call-back devices – receiver calls the sender
back at a pre-authorized phone number before
transmission is completed
Auditing Procedures for Subversive Threats
• Review firewall effectiveness in terms of
flexibility, proxy services, filtering, segregation
By: Roxy <333
of systems, audit tools, and probing for
weaknesses.
• Review data encryption security procedures
• Verify encryption by testing
• Review message transaction logs
• Test procedures for preventing unauthorized
calls
• IC for Equipment Failure
• Line errors are data errors from
communications noise.
• Two techniques to detect and correct such data
errors are:
✓ echo check - the receiver returns the
message to the sender
✓ parity checks - an extra bit is added onto
each byte of data similar to check digits
Auditing Procedures for Equipment Failure
• Using a sample of a sample of messages from
the transaction log:
✓ examine them for garbled contents caused
by line noise
✓ verify that all corrupted messages were
successfully retransmitted
• Vertical and Horizontal Parity
Electronic Data Interchange
• Electronic data interchange (EDI) uses
computer-to-computer communications, standard
format for messaging between two dissimilar
systems. Exchange of computer-processible
business info in standard format.
• Audit objectives:
✓ Transactions are authorized, validated, and in
compliance with the trading partner
agreement.
✓ No unauthorized organizations can gain
access to database
✓ Authorized trading partners have access only
to approved data.
✓ Adequate controls are in place to ensure a
complete audit trail.
Notes on EDI:
✓ Is an inter-organization endeavor.
✓ IS of the trading partners process the
transactions.
✓ Transactions are transmitted in standardized
format
✓ Directly to trading partner.
 ✓ Use of a third party value added network
(VAN)
✓ Benefit
✓ FINANCIAL EDI – uses intermediary such as
banks (OBK,RBK & ACH).
✓ Converting remittance information to
electronic form is a challenge.
EDI Risks
• Authorization - automated and absence of
human intervention
• Access - need to access EDI partner’s files
• Audit trail - paperless and transparent
(automatic) transactions
EDI Controls
• Authorization - use of passwords and value
added networks (VAN) to ensure valid partner
• Access - software to specify what can be
accessed and at what level
• Audit trail - control log records the
transaction’s flow through each phase of the
transaction processing
Auditing Procedures for EDI
• Tests of Authorization and Validation Controls
By: Roxy <333
✓ Review procedures for verifying trading
partner identification codes
✓ Review agreements with VAN
✓ Review trading partner files
• Tests of Access Controls
✓ Verify limited access to vendor and
customer files
✓ Verify limited access of vendors to database
✓ Test EDI controls by simulation
• Tests of Audit Trail Controls
✓ Verify exists of transaction logs are key
points
✓ Review a sample of transactions
AUDITING PC BASED ACCOUNTING
SYSTEMS
PC Risks & Controls
✓ Operating System Weaknesses
✓ Weak Access Control
✓ Inadequate Segregation of Duties
✓ Risk of Theft
✓ Weak Back up Procedures
✓ Risk of Virus Infection
✓ Audit Objective with PC Security
✓ Audit Procedures with PC Security
DATABASE MANAGEMENT CONTROLS
Two crucial database control issues:
1. Access controls
• Audit objectives: (1) those authorized to use
databases are limited to data needed to
perform their duties and (2) unauthorized
individuals are denied access to data
2. Backup controls
 • Audit objectives: backup controls can
adequately recovery lost, destroyed, or
corrupted data
ACCESS CONTROLS
• User views - based on subschemas. A
database schema (/ˈski.mə/ skee-ma) of a
database system is its structure described in a
formal language supported by the database
management system (DBMS) and refers to the
organization of data as a blueprint of how a
database is constructed (divided into database
tables in case of Relational Databases).
• Database authorization table - allows specific
authority rules
• Data encryption - encoding algorithms
• Biometric devices - fingerprints, retina prints,
or signature characteristic
• Audit procedures: verify…
✓ Who has responsibility for authority tables
& subschemas?
✓ Granting appropriate access authority
✓ Are biometric controls used?
✓ Encryption?
Subschema Restricting Access
BACKUP CONTROLS
• Database backup – automatic periodic copy of
data
• Transaction log – list of transactions which
provides an audit trail
• Checkpoint features – suspends data during
system reconciliation
• Recovery module – restarts system after a
failure
• Grandparent-parent-child backup –the number
of generations to backup is up to company
policy
By: Roxy <333
• Direct access file backup - back-up master-file
at pre-determined intervals
• Off-site storage - guard against disasters
and/or physical destruction
• Audit procedures: verify…
✓ that production databases are copied at
regular intervals
✓ backup copies of the database are stored off
site to support disaster recovery
CHAPTER 4: AUDITING DATABASE
SYSTEMS
WHAT IS A DATABASE
✓ A database is an organized collection of data.
The data are typically organized to model
relevant aspects of reality in a way that supports
processes requiring this information. For
example, modeling the availability of rooms in
hotels in a way that supports finding a hotel with
vacancies.
✓ Database management systems (DBMSs) are
specially designed applications that interact with
the user, other applications, and the database
itself to capture and analyze data. A general-
purpose database management system (DBMS)
is a software system designed to allow the
definition, creation, querying, update, and
administration of databases.
✓ DBMS responsible for maintaining the integrity
and security of stored data, and for recovering
information if the system fails.
EXAMPLES OF DBMS
✓ MySQL
✓ MariaDB
✓ PostgreSQL
✓ SQLite
✓ Microsoft SQL Server
✓ Oracle
✓ SAP
✓ Dbase
✓ FoxPro
✓ IBM DB2
✓ LibreOffice
✓ Base and FileMaker Pro
Flat-File Versus Database Environments
• Computer processing involves two
components: data and instructions (programs).
• Conceptually, there are two methods for
designing the interface between program
instructions and data:
o File-oriented processing: A specific data file
was created for each application.
o Data-oriented processing: Create a single
data repository to support numerous
applications.
• Disadvantages of file-oriented processing
include
o redundant data and programs
o varying formats for storing the redundant
data
• Users access data via computer programs that
process the data and present information to
the users.
• Users own their data files.
• Data redundancy results as multiple
applications maintain the same data elements.
• Files and data elements used in more than one
application must be duplicated, which results
in data redundancy.
• As a result of redundancy, the characteristics
of data elements and their values are likely to
be inconsistent.
• Outputs usually consist of preprogrammed
reports instead of ad-hoc queries provided
upon request. This results in inaccessibility of
data.
• Changes to current file-oriented applications
cannot be made easily, nor can new
developments be quickly realized, which
results in inflexibility.
By: Roxy <333
Data Redundancy and Flat-File Problems
• Data Storage - creates excessive storage costs
of paper documents and/or magnetic form
• Data Updating - any changes or additions
must be performed multiple times
• Currency of Information – has the potential
problem of failing to update all affected files
• Task-Data Dependency - user unable to obtain
additional information as his or her needs
change
Advantages of the Database Approach
o Data sharing/centralized database resolves
flat-file problems
o No data redundancy: Data is stored only
once, eliminating data redundancy and
reducing storage costs
o Single update: Because data is in only one
place, it requires only a single update,
reducing the time and cost of keeping the
database current
o Current values: A change to the database
made by any user yields current data values
for all other users.
o Task-data independence: As users’
information needs expand, the new needs
can be more easily satisfied than under the
flat-file approach.
Disadvantages of the Database Approach
o Can be costly to implement - additional
hardware, software, storage, and network
resources are required
o Can only run in certain operating
environments - may make it unsuitable for
some system configurations
o Because it is so different from
the file-oriented approach, the database
approach requires training users - may be
inertia or resistance.
 Elements of the Database Environment
Four Elements
1. Database management system
2. Users
3. Database administrator
4. Physical database
Internal Controls and DBMS
• The database management system stands
between the user and the database per se.
• Thus, commercial DBMS’s (e.g., Access or
Oracle) actually consist of a database plus…
✓ software to manage the database, especially
controlling access and other internal controls
✓ software to generate reports, create data-
entry forms, etc.
• The DBMS has special software to control
which data elements each user is authorized to
access.
Data Definition Language (DDL)
• DDL is a programming language used to
define the database per se.
✓ It identifies the names and the relationship
of all data elements, records, and files that
constitute the database.
• DDL defines the database on three viewing
levels
✓ Internal view – physical arrangement of
records (1 view)
✓ Conceptual view (schema) – representation
of database (1 view)
✓ User view (subschema) – the portion of the
database each user views (many views)
Data Manipulation Language (DML)
• DML is the proprietary programming
language that a particular DBMS uses to
By: Roxy <333
retrieve, process, and store data to / from the
database
• Entire user programs may be written in the
DML, or selected DML commands can be
inserted into universal programs, such as
COBOL and FORTRAN
• Can be used to ‘patch’ third party applications
to the DBMS
Query Language
• The query capability permits end users and
professional programmers to access data in
the database without the need for
conventional programs.
✓ Can be an internal control issue since users
may be making an ‘end run’ around the
controls built into the conventional programs
• IBM’s structured query language (SQL) is a
fourth-generation language that has emerged as
the standard query language.
✓ Adopted by ANSI as the standard language
for all relational databases
Functions of the DBA
PHYSICAL DATABASE
• Lowest level of database and the only level that
exists in physical form
• Logical collection of records and files that
constitute the firm’s data source.
DATA STRUCTURE COMPONENTS
✓ Data Organization – physical arrangement of
files
✓ Data Access Methods – technique to locate
records
SIX CRITERIA INFLUENCING THE
SELECTION OF DATA STRUCTURE
Database Conceptual Models
• Refers to the particular method used to
organize records in a database. a.k.a. “logical
data structures”
• Objective: develop the database efficiently so
that data can be accessed quickly and easily
• There are three main models:
✓ hierarchical (tree structure)
✓ network
✓ relational
• Most existing databases are relational. Some
legacy systems use hierarchical or network
databases.
HIERARCHICAL MODEL
• Navigational Database – traversing the files
following a predefined path; explicit linkages
through networks. (Figure 4.10)
• Limitations1: A parent record may have one or
more child records
• Limitation2: No child can have more than one
parent.
NETWORK MODEL
• ANSI thru CODASYL
• Most popular model of network is IDM
• Navigational thru multiple linkage
• A child can have multiple parents
RELATIONAL MODEL
• The relational model portrays data in the form
of two dimensional ‘tables’.
• Its strength is the ease with which tables may
be linked to one another.
• a major weakness of hierarchical and network
databases
• Relational model is based on the relational
algebra functions of restrict, project, and join.
• Implicit linkages, rows are dependent on the
primary key and independent of the other
attributes
By: Roxy <333
• Linkages are established through logical
operations of the DMBS rather than explicit
addresses that are structured into the database.
Distributed Data Processing (DDP)
• Data processing is organized around several
information processing units (IPUs) distributed
throughout the organization.
• Each IPU is placed under the control of the end
user
• DDP does not always mean total
decentralization.
• IPUs in a DDP system are still connected to one
another and coordinated.
• Typically, DDP’s use a centralized database.
• Alternatively, the database can be distributed,
similar to the distribution of the data processing
capability.
Centralized Databases in DDP Environment
• The data is retained in a central location.
• Remote IPUs send requests for data
• Central site services the needs of the remote
IPUs
• The actual processing of the data is performed
at the remote IPU.
• Advantages of DDP
✓ Cost reductions in hardware and data entry
task
✓ Improved cost control responsibility
✓ Improved user satisfaction since control is
closer to the user level
✓ Backup of data can be improved through the
use of multiple data storage sites
• Disadvantages of DDP
✓ Loss of control
✓ Mismanagement of resources
✓ Hardware and software incompatibility
 ✓ Redundant tasks and data
✓ Consolidating incompatible tasks
✓ Difficulty attracting qualified personnel
✓ Lack of standards
Distributed Databases: Partitioned Database
Approach (Partitioning)
• Splits the central database into segments that
are distributed to their primary users.
• Advantages:
✓ users’ control is increased by having data
stored at local sites.
✓ transaction processing response time is
improved.
✓ volume of transmitted data between IPUs is
reduced.
✓ reduces the potential data loss from a
disaster.
The Deadlock Phenomenon
• Especially a problem with partitioned databases
• Occurs when multiple sites lock each other out
of data that they are currently using.
✓ One site needs data locked by another site.
• Special software is needed to analyze and
resolve conflicts.
✓ Transactions may be terminated and restarted.
The Deadlock Condition
✓ Mutual exclusion to data resource and the
transactions are in wait until the locks are
removed.
✓ DEADLOCK RESOLUTION - terminating on
or more transactions to complete processing of
the other transactions in the deadlock.
Distributed Databases: Replication
• Effective when there is high degree of sharing
but no primary user
• The duplication of the entire database for
multiple IPUs
By: Roxy <333
• Effective for situations with a high degree of data
sharing, but no primary user. Supports read-only
queries
• Data traffic between sites is reduced
considerably.
CONCURRENCY CONTROL: Concurrency
Problems and Control Issue
• Database concurrency is the presence of
complete and accurate data at all IPU sites.
• With replicated databases, maintaining current
data at all locations is difficult
• Time stamping is used to serialize transactions.
Prevents and resolves conflicts created by
updating data at various IPUs
Distributed Databases and the Accountant
• The following database options impact the
organization’s ability to maintain database
integrity, to preserve audit trails, and to have
accurate accounting records.
✓ Centralized or distributed data?
✓ If distributed, replicated or partitioned?
✓ If replicated, total or partial replication?
✓ If partitioned, what is the allocation of the
data segments among the sites?
DATABASE MANAGEMENT CONTROLS
Two crucial database control issues:
1. Access controls
• Audit objectives: (1) those authorized to use
databases are limited to data needed to
perform their duties and (2) unauthorized
individuals are denied access to data
2. Backup controls
• Audit objectives: backup controls can
adequately recovery lost, destroyed, or
corrupted data
ACCESS CONTROLS
• User views - based on subschemas.
• A database schema (/ˈski.mə/ skee-ma) of a
database system is its structure described in a
formal language supported by the database
management system (DBMS) and refers to the
organization of data as a blueprint of how a
database is constructed (divided into database
tables in case of Relational Databases).
• Database authorization table - allows specific
authority rules
• Data encryption - encoding algorithms
 • Biometric devices - fingerprints, retina prints,
or signature characteristics
• Inference Controls – prevent users from
inferring, through query features, specific data
values that should not be accessed.
• Positive Compromise, Negative Compromise
& Approximate Compromise
• Audit procedures: verify…
✓ Who has responsibility for authority tables
& subschemas?
✓ Granting appropriate access authority
✓ Are biometric controls used?
✓ Are inference controls used?
✓ Encryption?

BACKUP CONTROLS
• Database backup – automatic periodic copy of
data
• Transaction log – list of transactions which
provides an audit trail
• Checkpoint features – suspends data during
system reconciliation
• Recovery module – restarts system after a
failure
• Grandparent-parent-child backup –the number
of generations to backup is up to company
policy
• Direct access file backup - back-up master-file
at pre-determined intervals
• Off-site storage - guard against disasters
and/or physical destruction
• Audit procedures: verify…
✓ that production databases are copied or
backed up at regular intervals
✓ Verify automatic back up
✓ backup copies of the database are stored off
site to support disaster recovery
By: Roxy <333