Databases Reference
In-Depth Information
•
Skill of the auditor.
Effective auditing in a database environment re-
quires skills that most auditors do not have. Unless the auditor under-
stands database risks, concepts, and approaches, the auditor can
neither access the adequacy of control nor obtain and evaluate the
new forms of evidence available in a database environment. At a min-
imum, the auditor must understand the concepts of terminology of da-
tabase technology.
•
Scope of the audit.
The database is normally independent of the appli-
cations that use that data. Thus, the database should be audited first,
and the applications that use the data audited second. After the data-
base is audited, conclusions of that audit can be applied to all of the
application audits that follow. The integrity of the application normal-
ly depends on the adequacy of the controls in the database. Thus,
without evaluating the database the auditor may not be able to con-
clude that controls in a specific application are effective.
•
There is no generally accepted ap-
proach to auditing databases; therefore, auditors must develop new
audit approaches and identify audit tools that aid in the verification of
database integrity.
Lack of standard audit approach.
AUDIT OBJECTIVES
The audit of database integrity is, in large part, an audit of the custodial
responsibility of the group administering the database. Thus, the audit
objectives addressing data integrity address he custodial aspects of data
integrity. For example, accuracy deals with the ability to retain and return
data accurately, as opposed to ensuring that the data included in the trans-
action is accurate from a business perspective, the following objectives are
both operational and financial and encompass the concerns associated
with ensuring database integrity.
The auditor should verify that the individual
groupings of data balance to the control totals for those groupings. The
data in a database belongs to, and is used by, multiple users, In the more
sophisticated DBMSs, the access path to retrieve data can be created
dynamically. Even with less sophisticated DBMSs, the DBA may not know
how individual users use and control data. Therefore, the database con-
trols may not maintain totals on groupings of data used by applications.
The database system normally keeps counts of items in various paths and
of total data items or segments within the database, which the auditor can
use when balancing data items.
Balancing of Data Items.
Because data need not be entered
tin the database on the effective data of the transaction, the auditor should
verify that data is properly identified so that users will include it in the
proper accounting period. For example, in many banking systems the
Accounting Period Cutoff Procedures.
Search WWH ::
Custom Search