CIS ENVIRONMENTS – DATABASE SYSTEMS
a) This question required the students to have a thorough understanding of database systems. Since this is an area that has not been covered in sufficient depth by students at this level, ISA 1003, CIS Environments – Database Systems, is reproduced in its entirety below.
In relation to this question, paragraphs 16, 17, 18, 19, 20 and 21 suffice.
1. The purpose of this Statement is to help the auditor implement ISA 400 "Risk Assessments and Internal Control," and International Auditing Practice Statement 1008 "Risk Assessments and Internal Control – CIS Characteristics and Considerations," by describing database systems. The Statement describes the effects of a database system on the accounting system and related internal controls and on audit procedures.
Database Systems
2. Database systems are comprised principally of two essential components – the database and the database management system (DBMS). Database systems interact with other hardware and software aspects of the overall computer system.
3. A database is a collection of data that is shared and used by a number of different users for different purposes. Each user may not necessarily be aware of all the data stored in the database or of the ways that the data may be used for multiple purposes. Generally, individual users are aware only of the data that they use and may view the data as computer files utilized by their applications.
4. The software that is used to create, maintain and operate the database is referred to as DBMS software. Together with the operating system, the DBMS facilitates the physical storage of data, maintains the interrelationships among the data, and makes the data available to application programs. Usually, the DBMS software is supplied by a commercial vendor.
5. Database systems may reside on any type of computer system, including a microcomputer system. In some microcomputer environments, database systems are used by a single user. Such systems are not considered to be databases for the purposes of this Statement. The contents of this Statement, however, are applicable to all multiple user environments.
Database System Characteristics
6. Database systems are distinguished by two important characteristics: data sharing and data independence. These characteristics require the use of a data dictionary (paragraph 10) and the establishment of a database administration function (paragraphs 11-14).
Data Sharing
7. A database is composed of data which are set up with defined relationships and are organized in a manner that permits many users to use the data in the database for different purposes. For example, an inventory item unit cost maintained by the database may be used by one application program to produce a cost of sales report and by another application program to prepare an inventory valuation.
Data Independence From Application Programs
8. Because of the need for data sharing, there is a need for data independence from application programs. This is achieved by the DBMS recording the data once for use by various application programs. In non-database systems, separate data files are maintained for each application and similar data used by several applications may be repeated on several different files. In a database system, however, a single file of data (or database) is used by many applications, with data redundancy kept to a minimum.
9. DBMSs differ in the degree of data independence they provide. The degree of data independence is related to the ease with which personnel can accomplish changes to application programs or to the database. True data independence is achieved when the structure of data in the database can be changed without affecting the application programs, and vice versa.
Data Dictionary
10. A significant implication of data sharing and data independence is the potential for the recording of data only once for use in several applications. Because various application programs need to access this data, a software facility is required to keep track of the location of the data in the database. This software within the DBMS is known as a data dictionary. It also serves as a tool to maintain standardized documentation and definitions of the database environment and application systems.
Database Administration
11. The use of the same data by various application programs emphasizes the importance of centralised coordination of the use and definition of data and the maintenance of its integrity, security, accuracy and completeness. Coordination is usually performed by a group of individuals whose responsibility is typically referred to as "database administration." The individual who heads this function may be referred to as the "database administrator". The database administrator is responsible generally for the definition, structure, security, operational control and efficiency of databases, including the definition of the rules by which data are accessed and stored.
12. Database administration tasks may also be performed by individuals who are not part of a centralized database administration group. Where the tasks of database administration are not centralized, but are distributed among existing organizational units, the different tasks still need to be coordinated.
13. Database administration tasks typically include:
• Defining the database structure – determining how data are defined, stored and accessed by users of the database in order to ensure that all their requirements are met on a timely basis.
• Maintaining data integrity, security and completeness – developing, implementing and enforcing the rules for data integrity, completeness and access. Responsibilities include:
– Defining who may access data and how the access is accomplished (i.e., through passwords and authorization tables);
– Preventing the inclusion of incomplete or invalid data;
– Detecting the absence of data;
– Securing the databases from unauthorized access and destruction; and
– Arranging total recovery in the event of a loss.
• Coordinating computer operations related to the database – assigning responsibility for physical computer resources and monitoring their use relative to the operation of the database.
• Monitoring system performance – developing performance measurements to monitor the integrity of the data and the ability of the database to respond to the needs of users.
• Providing administrative support – coordinating and liaising with the vendor of the DBMS, assessing new releases issued by the vendor of the DBMS and the extent of their impact on the entity, installing new releases and ensuring that appropriate internal education is provided.
14. In some applications, more than one database may be used. In these circumstances, the tasks of the database administration group will need to ensure that:
• Adequate linkage exists between databases;
• Coordination of functions is maintained; and
• Data contained in different databases are consistent.
Internal Control in a Database Environment
15. Generally, internal control in a database environment requires effective controls over the database, the DBMS and the applications. The effectiveness of internal controls depends to a great extent on the nature of the database administration tasks, described in paragraphs 11 – 14, and how they are performed.
16. Due to data sharing, data independence and other characteristics of database systems, general computer information systems (CIS) controls normally have a greater influence than CIS application controls. General CIS controls over the database, the DBMS and the activities of the database administration function have a pervasive effect on application processing. The general CIS controls of particular importance in a database environment can be classified into the following groups:
• Standard approach for development and maintenance of application programs;
• Data ownership;
• Access to the database; and
• Segregation of duties.
Standard Approach for Development and Maintenance of Application Programs
17. Since data are shared by many users, control may be enhanced when a standard approach is used for developing each new application program and for application program modification. This includes following a formalized step-by-step approach that requires adherence by all individuals developing or modifying an application program. It also includes performing an analysis of the effect of new and existing transactions on the database each time a modification is required. The resulting analysis would indicate the effects of the changes on the security and integrity of the database. Implementing a standard approach to develop and modify application programs is a technique that can help improve the accuracy, integrity and completeness of the database.
Data Ownership
18. In a database environment, where many individuals may use programs to input and modify data, a clear and definite assignment of responsibility is required from the database administrator for the accuracy and integrity of each item of data. A single data owner should be assigned responsibility for defining access and security rules, such as who can use the data (access) and what functions they can perform (security). Assigning specific responsibility for data ownership helps to ensure the integrity of the database. For example, the credit manager may be the designated "owner" of a customer's credit limit and would therefore be responsible for determining the authorized users of that information. If several individuals are able to make decisions affecting the accuracy and integrity of given data, the likelihood increases of the data becoming corrupted or improperly used.
Access to the Databases
19. User access to the database can be restricted through the use of passwords. These restrictions apply to individuals, terminal devices and programs. For passwords to be effective, adequate procedures are required for changing passwords, maintaining secrecy of passwords and reviewing and investigating attempted security violations. Relating passwords to defined terminal devices, programs and data helps to ensure that only authorized users and programs can access, amend or delete data. For example, the credit manager may give salesmen authority to refer to a customer's credit limit, whereas a warehouse clerk may not have such authorization.
20. User access to the various elements of the database may be further controlled through the use of authorization tables. Improper implementation of access procedures can result in unauthorized access to the data in the database.
Segregation of Duties
21. Responsibilities for performing the various activities required to design, implement and operate a database are divided among technical, design, administrative and user personnel. Their duties include system design, database design, administration and operation. Maintaining adequate segregation of these duties is necessary to ensure the completeness, integrity and accuracy of the database. For example, those persons responsible for modifying personnel database programs should not be the same persons who are authorized to change individual pay rates in the database.
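As an added illustration (not part of the Statement reproduced here), the following Python script models an authorization table of the kind described under access to the database and segregation of duties: each row ties a user, the terminal device and the program being run to the operations the data owner permits on one data item, and any request without an exact matching entry is refused. The user, terminal and program identifiers and the in-memory sqlite3 table are constructed for the example.

```python
import sqlite3

# Constructed authorization table (not from the Statement): each row ties a
# user, the terminal device and the program being run to the operations the
# data owner permits on one data item. Identifiers are invented for the example.
AUTHORIZATIONS = [
    # user_id, terminal, program, data_item, permitted operations
    ("credit_mgr", "T01", "credit_maint", "customer.credit_limit", "read,amend"),
    ("sales_01",   "T07", "order_entry",  "customer.credit_limit", "read"),
    ("payroll_01", "T12", "payroll",      "employee.pay_rate",     "read,amend"),
    ("programmer", "T20", "payroll",      "employee.pay_rate",     "read"),
]

def build_authorization_db() -> sqlite3.Connection:
    """Load the authorization table into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE authorization_table ("
        " user_id TEXT, terminal TEXT, program TEXT, data_item TEXT, operations TEXT,"
        " PRIMARY KEY (user_id, terminal, program, data_item))"
    )
    conn.executemany("INSERT INTO authorization_table VALUES (?,?,?,?,?)", AUTHORIZATIONS)
    return conn

def is_authorized(conn, user_id, terminal, program, data_item, operation) -> bool:
    """Permit the operation only if a row exists for this exact user, terminal
    and program and lists the operation for the data item. A missing row or an
    unlisted operation is refused, so the table fails closed."""
    row = conn.execute(
        "SELECT operations FROM authorization_table"
        " WHERE user_id=? AND terminal=? AND program=? AND data_item=?",
        (user_id, terminal, program, data_item),
    ).fetchone()
    if row is None:
        return False
    return operation in {op.strip() for op in row[0].split(",")}

if __name__ == "__main__":
    db = build_authorization_db()
    # The credit manager owns the credit limit and may amend it; a salesman may
    # only refer to it; a warehouse clerk has no entry; the programmer who
    # maintains the payroll program may not change pay rates.
    for request in [("credit_mgr", "T01", "credit_maint", "customer.credit_limit", "amend"),
                    ("sales_01", "T07", "order_entry", "customer.credit_limit", "amend"),
                    ("warehouse_01", "T09", "stock_enq", "customer.credit_limit", "read"),
                    ("programmer", "T20", "payroll", "employee.pay_rate", "amend")]:
        print(request, "->", "permitted" if is_authorized(db, *request) else "refused")
```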
The Effect of Databases on the Accounting System and Related Internal Controls
22. The effect of a database system on the accounting system and the associated risks will generally depend on:
• The extent to which databases are being used by accounting applications;
• The type and significance of financial transactions being processed;
• The nature of the database, the DBMS (including the data dictionary), the database administration tasks and the applications (e.g., batch or on-line update); and
• The general CIS controls which are particularly important in a database environment.
23. Database systems typically provide the opportunity for greater reliability of data than non-database systems. This can result in reduced risk of fraud or error in the accounting system where databases are used. The following factors, combined with adequate controls, contribute to this improved reliability of data:
• Improved consistency of data is achieved because data are recorded and updated only once, rather than in non-database systems, where the same data are stored in several files and updated at different times and by different programs.
• Integrity of data will be improved by effective use of facilities included in the DBMS, such as recovery, restart routines, generalized edit and validation routines, and security and control features.
• Other functions available with the DBMS can facilitate control and audit procedures. These functions include report generators which may be used to create balancing reports, and query languages which may be used to identify inconsistencies in the data.
24. Alternatively, the risk of fraud or error may be increased if database systems are used without adequate controls. In a typical non-database environment, controls exercised by individual users may compensate for weaknesses in general CIS controls. However, in a database system, this may not be possible, as inadequate database administration controls cannot always be compensated for by the individual users. For example, accounts receivable personnel cannot effectively control accounts receivable data if other personnel are not restricted from modifying accounts receivable balances in the database.
The Effect of Databases on Audit Procedures
25. Audit procedures in a database environment will be affected principally by the extent to which the data in the database are used by the accounting system. Where significant accounting applications use a common database, the auditor may find it cost-effective to utilize some of the procedures in the following paragraphs.
26. In order to obtain an understanding of the database control environment and the flow of transactions, the auditor may consider the effect of the following on audit risk in planning the audit:
• The DBMS and the significant accounting applications using the database;
• The standards and procedures for development and maintenance of application programs using the database;
• The database administration function;
• Job descriptions, standards and procedures for those individuals responsible for technical support, design, administration and operation of the database;
• The procedures used to ensure the integrity, security and completeness of the financial information contained in the database; and
• The availability of audit facilities within the DBMS.
27. During the risk assessment process, in determining the extent of reliance on internal controls related to the use of databases in the accounting system, the auditor may consider how the controls described in paragraphs 17 – 21 are used in the system. If he subsequently decides to rely on these controls, he would design and perform appropriate compliance tests.
28. Where the auditor decides to perform compliance or substantive tests related to the database system, audit procedures may include using the functions of the DBMS (see paragraph 23) to:
• Generate test data;
• Provide an audit trail;
• Check the integrity of the database;
• Provide access to the database or a copy of relevant parts of the database for the purpose of using audit software (see International Audit Practice Statement 1009 "Computer-Assisted Audit Techniques"); or
• Obtain information necessary for the audit.
When using the facilities of the DBMS, the auditor will need to obtain reasonable assurance regarding their correct functioning.
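As an added illustration (not the Statement's own text), the following Python script shows the kind of balancing report and inconsistency queries referred to under the effect of databases on the accounting system, and the check of database integrity listed in the paragraph above, run over a constructed customer and invoice file: it reports stored balances that disagree with the invoice detail, balances above the credit limit set by the data owner, and invoices that refer to no customer record. All table names, identifiers and amounts are constructed for the example.

```python
import sqlite3

# Constructed sample files (not from the Statement): a customer master record
# carrying a stored balance and a credit limit, and the open invoices that the
# stored balance is meant to summarise. Names and amounts are invented.
CUSTOMERS = [  # customer_id, name, credit_limit, stored_balance
    (1, "Alpha Ltd", 5000.00, 1200.00),
    (2, "Beta plc", 2000.00, 2600.00),  # balance exceeds the credit limit
    (3, "Gamma Co", 8000.00, 700.00),   # stored balance disagrees with invoice detail
]
INVOICES = [  # invoice_no, customer_id, amount_outstanding
    ("INV-001", 1, 700.00), ("INV-002", 1, 500.00), ("INV-003", 2, 2600.00),
    ("INV-004", 3, 900.00), ("INV-005", 9, 150.00),  # INV-005 has no customer record
]

def load_sample_db() -> sqlite3.Connection:
    """Load the constructed files into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE customer (customer_id INTEGER PRIMARY KEY, name TEXT,"
        " credit_limit REAL, stored_balance REAL);"
        "CREATE TABLE invoice (invoice_no TEXT PRIMARY KEY, customer_id INTEGER,"
        " amount_outstanding REAL);")
    conn.executemany("INSERT INTO customer VALUES (?,?,?,?)", CUSTOMERS)
    conn.executemany("INSERT INTO invoice VALUES (?,?,?)", INVOICES)
    return conn

def balancing_exceptions(conn):
    """Balancing report: (customer_id, stored_balance, invoice_total) for every
    customer whose stored balance differs from the sum of open invoices."""
    return conn.execute(
        "SELECT c.customer_id, c.stored_balance, COALESCE(SUM(i.amount_outstanding), 0)"
        " FROM customer c LEFT JOIN invoice i ON i.customer_id = c.customer_id"
        " GROUP BY c.customer_id, c.stored_balance"
        " HAVING ABS(c.stored_balance - COALESCE(SUM(i.amount_outstanding), 0)) > 0.005"
        " ORDER BY c.customer_id").fetchall()

def credit_limit_exceptions(conn):
    """Inconsistency query: (customer_id, credit_limit, stored_balance) where the
    balance is above the limit the data owner set."""
    return conn.execute(
        "SELECT customer_id, credit_limit, stored_balance FROM customer"
        " WHERE stored_balance > credit_limit ORDER BY customer_id").fetchall()

def orphan_invoices(conn):
    """Integrity check: (invoice_no, customer_id) of invoices with no customer."""
    return conn.execute(
        "SELECT invoice_no, customer_id FROM invoice WHERE customer_id NOT IN"
        " (SELECT customer_id FROM customer) ORDER BY invoice_no").fetchall()
```

Each function returns the exception rows, so an empty list means the file passed that check.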
29. Where the auditor determines he cannot rely on the controls in the database system, he would consider whether performing additional substantive tests on all significant accounting applications which use the database would achieve his audit objective, as inadequate database administration controls cannot always be compensated for by the individual users.
The characteristics of database systems may make it more effective for the auditor to perform a pre-implementation review of new accounting applications rather than to review the applications after installation. This pre-implementation review may provide the auditor with an opportunity to request additional functions, such as built-in audit routines, or controls within the application design. It may also provide the auditor with sufficient time to develop and test audit procedures in advance of their use.