Chapter 4:

Security Part II:


Auditing Database Systems
IT Auditing, Hall, 4e

© 2016 Cengage Learning®. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
Learning Objectives

o Understand the operational problems inherent in the flat-file approach to data management that gave rise to the database approach.
o Understand the relationships among the fundamental components of the database concept.
o Recognize the defining characteristics of three database models: hierarchical, network, and relational.
o Understand the operational features and associated risks of deploying centralized, partitioned, and replicated database models in the DDP environment.
o Be familiar with the audit objectives and procedures used to test data management controls.
Flat-File Approach

o Associated with large, older legacy systems still in use today.
o Promotes a single-user view approach where end users own rather than share data files.
o Separate data sets for each user lead to data redundancy, which causes problems with:
  o Data storage: Commonly used data is duplicated multiple times within the organization.
  o Data updating: Changes must be made separately for each user. If an update fails, there is a currency-of-information problem, with some users holding outdated information.
  o Task-data dependency: Users cannot obtain additional information as their needs change.
Flat-File Model
Database Approach

o Access to the data resource is controlled by a database management system (DBMS).
o Centralizes the organization’s data into a common database shared by the user community.
o All users have access to the data they need, which may overcome the flat-file problems:
  o Elimination of the data storage problem: No data redundancy.
  o Elimination of the data updating problem: A single update procedure eliminates the currency-of-information problem.
  o Elimination of the task-data dependency problem: Users are constrained only by the legitimacy of their access needs.
Database Model
Elements of the Database Concept
DBMS Features and Data Definition Language

o Program Development: Applications may be created by programmers and end users.
o Backup and Recovery: Copies are made during processing.
o Database Usage Reporting: Captures statistics on database usage (who, when, etc.).
o Database Access: Authorizes access to sections of the database.
o Data definition language (DDL) is used to define the database to the DBMS on three levels (views).
Informal Access: Query Language

o A query is an ad hoc access methodology for extracting information from a database.
o Users can access data via direct query, which requires no formal application programs.
o IBM’s Structured Query Language (SQL) has emerged as the standard query language.
o The query feature enhances the ability to deal with problems that pop up, but poses an important control issue.
o Must ensure it is not used for unauthorized database access.
Functions of the Database Administrator (DBA)
Organizational Interaction of the DBA
Database Terminology

o Entity: Anything the organization wants to capture data about.
o Record Type: Physical database representation of an entity.
o Occurrence: The number of records represented by a particular record type.
o Attributes: Define entities with values that vary (e.g. each employee has a different name).
o Database: Set of record types that an organization needs to support its business processes.
Associations

o Record types that constitute a database exist in relation to other record types. There are three basic record associations:
  o One-to-one: For every occurrence of Record Type X there is one (or zero) of Record Type Y.
  o One-to-many: For every occurrence of Record Type X, there are zero, one or many occurrences of Record Type Y.
  o Many-to-many: For every occurrence of Record Types X and Y, there are zero, one or many occurrences of Record Types Y and X, respectively.
Record Associations
The Hierarchical Model

o Basis of the earliest DBMSs and still in use today.
o Sets describe the relationship between two linked files.
  o Each set contains a parent and a child.
  o Files at the same level with the same parent are siblings.
o Tree structure, with the highest level in the tree being the root segment and the lowest file in a branch the leaf.
o Also called a navigational database.
o Usefulness of the model is limited because no child record can have more than one parent, which leads to data redundancy.
Hierarchical Data Model
The Network Model
The Relational Model

o The difference between this and the navigational models is the way data associations are represented to the user.
o The relational model portrays data in two-dimensional tables, with attributes across the top forming columns.
o The rows formed where the columns intersect are tuples: normalized arrays of data similar to records in a flat-file system.
o Relations are formed by an attribute common to both tables in the relation.
Data Integration in the Relational Model
Audit Procedures for Testing Database Access Controls

o Verify DBA personnel retain responsibility for authority tables and for designing user views.
o Select a sample of users and verify their access privileges are consistent with their job descriptions.
o Evaluate the costs and benefits of biometric controls.
o Verify database query controls to prevent unauthorized access via inference.
o Verify sensitive data are properly encrypted.
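The second procedure above, reviewing a sample of users against their job descriptions, as an added example that is not from the slides: the role entitlements, user names, objects and grants are constructed sample data, and the authority table is assumed to have been extracted as (user, role, object, privilege) rows.

```python
import random

# Privileges each job role is entitled to: the "job description" side of the review.
# Constructed sample data.
ROLE_ENTITLEMENTS = {
    "ar_clerk": {"customers": {"SELECT", "UPDATE"}, "invoices": {"SELECT", "INSERT"}},
    "auditor":  {"customers": {"SELECT"}, "invoices": {"SELECT"}, "gl": {"SELECT"}},
    "dba":      {"authority_table": {"SELECT", "INSERT", "UPDATE", "DELETE"}},
}

# Authority table as extracted from the DBMS: (user, role, object, privilege).
# Constructed sample data; the commented rows are the findings the review should surface.
AUTHORITY_TABLE = [
    ("jsmith", "ar_clerk", "customers", "SELECT"),
    ("jsmith", "ar_clerk", "customers", "UPDATE"),
    ("jsmith", "ar_clerk", "invoices",  "DELETE"),          # not in the clerk's job description
    ("mlee",   "auditor",  "gl",        "SELECT"),
    ("mlee",   "auditor",  "gl",        "UPDATE"),          # auditor should be read-only
    ("mlee",   "auditor",  "authority_table", "UPDATE"),    # DBA duty: segregation problem
    ("rkhan",  "dba",      "authority_table", "UPDATE"),
]

def select_sample(authority_table, n, seed=0):
    """Pick n distinct users to review; the seed makes the sample reproducible for the workpapers."""
    users = sorted({row[0] for row in authority_table})
    return random.Random(seed).sample(users, min(n, len(users)))

def granted_privileges(authority_table, user):
    """Collapse the user's grants into {object: set(privileges)}."""
    grants = {}
    for u, _role, obj, priv in authority_table:
        if u == user:
            grants.setdefault(obj, set()).add(priv)
    return grants

def role_of(authority_table, user):
    return next(role for u, role, _obj, _priv in authority_table if u == user)

def review_user(authority_table, user):
    """Return the (object, privilege) pairs granted beyond what the user's role allows."""
    allowed = ROLE_ENTITLEMENTS.get(role_of(authority_table, user), {})
    excess = []
    for obj, privs in granted_privileges(authority_table, user).items():
        for priv in privs - allowed.get(obj, set()):
            excess.append((obj, priv))
    return sorted(excess)

def review_sample(authority_table, users):
    """Map each sampled user to their excess privileges; an empty list means no finding."""
    return {u: review_user(authority_table, u) for u in users}
```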
Backup Controls in the Database Environment

o Since data sharing is a fundamental objective of the database approach, the environment is vulnerable to damage from individual users.
o Four needed backup and recovery features:
  o Backup feature makes a periodic backup of the entire database, which is stored in a secure, remote location.
  o Transaction log provides an audit trail of all processed transactions.
  o Checkpoint facility suspends all processing while the system reconciles the transaction log and database change log against the database.
  o Recovery module uses the logs and backup files to restart the system after a failure.
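The four features above as a small working model, added here and not taken from the slides: an in-memory "database" with a backup, a transaction log, a checkpoint, and a recovery module that rebuilds state from the backup plus the committed log entries after the checkpoint. The checkpoint assumes all processing is suspended and no transaction is open; account names and transaction ids are constructed.

```python
import copy

class ToyDatabase:
    """In-memory stand-in for a database with backup, transaction log and checkpoint features."""
    def __init__(self):
        self.data = {}        # live database: account -> balance
        self.backup = None    # copy made by the backup feature
        self.log = []         # transaction log: (txn_id, action, key, value)
        self.ckpt_pos = 0     # log position reconciled at the last checkpoint

    def take_backup(self):
        # Periodic full backup; the log can restart from this point.
        self.backup = copy.deepcopy(self.data)
        self.log.clear()
        self.ckpt_pos = 0

    def write(self, txn_id, key, value):
        self.log.append((txn_id, "write", key, value))  # log first, then apply
        self.data[key] = value

    def commit(self, txn_id):
        self.log.append((txn_id, "commit", None, None))

    def checkpoint(self):
        # Processing is suspended and no transaction is open (assumption), so the live
        # state is reconciled into the backup copy and the log position is recorded.
        self.backup = copy.deepcopy(self.data)
        self.ckpt_pos = len(self.log)

def recover(db):
    """Recovery module: start from the checkpointed backup, replay only the committed
    transactions logged after the checkpoint, and discard writes of any transaction
    that had not committed when the failure hit."""
    tail = db.log[db.ckpt_pos:]
    committed = {t for t, action, _, _ in tail if action == "commit"}
    state = copy.deepcopy(db.backup) if db.backup is not None else {}
    for txn_id, action, key, value in tail:
        if action == "write" and txn_id in committed:
            state[key] = value
    return state

def demo():
    """Constructed scenario: backup, checkpoint, one committed and one in-flight transaction, then failure."""
    db = ToyDatabase()
    db.write("T1", "acct_A", 100); db.commit("T1")
    db.take_backup()
    db.write("T2", "acct_B", 50); db.commit("T2")
    db.checkpoint()
    db.write("T3", "acct_A", 70); db.commit("T3")   # committed after the checkpoint: replayed
    db.write("T4", "acct_B", 0)                      # still in flight at failure: discarded
    db.data.clear()                                  # simulate loss of the live database
    return recover(db)
```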
Backup of Direct Access Files
Audit Procedures for Testing Database Access Controls

o Verify backups are performed routinely and frequently.
o The backup policy should balance the inconvenience of frequent backup activity against the business disruption caused by a system failure.
o Verify that automatic backup procedures are in place and functioning, and that copies of the database are stored off-site.
MS ACCESS
• Records
• Primary Key, Foreign Key
• Tables (Relations)
• Relationships (one-to-one, one-to-many, many-to-many)
• Referential Integrity
• Lookup
• Data Validation
• Selection, Projection, Joining
• Arithmetic Operators
• Logical Operators
Individual Activity
Create an ACCESS database named “yourname_yourstudentID” having the following tables. Make sure appropriate data types, primary keys and relationships are selected, and insert the following records/data into the appropriate tables. The Dr_id in the Patients table is used to indicate the primary physician of a patient. Enforce referential integrity in the Record table so that only registered patients and doctors can be entered in this table. Upload the database to Moodle.
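The same three-table design built in SQLite instead of Access, as an added example rather than the activity's own solution, so the referential-integrity requirement and the Patients-to-Doctors relation can be exercised in code. Only the table names and Dr_id come from the activity; every other column name and all the rows are assumptions.

```python
import sqlite3

# Schema for the activity's tables. Column names other than Dr_id are assumed.
SCHEMA = """
CREATE TABLE Doctors (
    Dr_id   INTEGER PRIMARY KEY,
    Dr_name TEXT NOT NULL
);
CREATE TABLE Patients (
    Patient_id INTEGER PRIMARY KEY,
    Pat_name   TEXT NOT NULL,
    Dr_id      INTEGER NOT NULL REFERENCES Doctors(Dr_id)   -- primary physician
);
CREATE TABLE Record (
    Record_id  INTEGER PRIMARY KEY,
    Patient_id INTEGER NOT NULL REFERENCES Patients(Patient_id),
    Dr_id      INTEGER NOT NULL REFERENCES Doctors(Dr_id),
    Visit_date TEXT NOT NULL
);
"""

def open_db():
    """Build the database in memory with constructed sample doctors and patients."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # SQLite ignores foreign keys unless enabled
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO Doctors VALUES (?, ?)", [(1, "Dr. Ahmed"), (2, "Dr. Khan")])
    conn.executemany("INSERT INTO Patients VALUES (?, ?, ?)", [(100, "Ali", 1), (101, "Sara", 2)])
    conn.commit()
    return conn

def insert_record(conn, record_id, patient_id, dr_id, visit_date):
    """Return True if the row was accepted, False if referential integrity rejected it."""
    try:
        with conn:   # commits on success, rolls back on error
            conn.execute("INSERT INTO Record VALUES (?, ?, ?, ?)",
                         (record_id, patient_id, dr_id, visit_date))
        return True
    except sqlite3.IntegrityError:
        return False

def patients_with_physician(conn):
    """Join Patients to Doctors on the common attribute Dr_id: the relation between the two tables."""
    return conn.execute(
        "SELECT p.Pat_name, d.Dr_name FROM Patients p "
        "JOIN Doctors d ON p.Dr_id = d.Dr_id ORDER BY p.Patient_id"
    ).fetchall()
```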
