Databases Reference
In-Depth Information
These tests should indicate whether internal controls are effective and
whether they verify the integrity of data within the database environment.
For the database integrity audit, the auditor should be concerned about
the custodial, security, and organizational controls over the database.
Exhibit 2 lists the internal control questions recommended for assessing
these controls. The auditor can assess the adequacy of internal controls by
applying information obtained from these questions. If the controls are
strong, the auditor can perform minimal tests. The assessment is therefore
important in determining the scope of the audit tests.
AUDIT TESTS BY OBJECTIVE
After the adequacy of the internal controls has been assessed, the auditor
must design tests to verify the integrity of the database and to help
achieve the stated audit objectives. Descriptions of these tests follow.
(Exhibit 3 presents a checklist of audit tests with their corresponding
audit objectives.)
Review the Data Dictionary.
Information about responsibility, verification, and access to key data
elements must be extracted from the data dictionary. The auditor does this
by examining data dictionary printouts or by analyzing the information in
an automated data dictionary, using audit software. The test should then
verify whether all needed information is contained in the data dictionary,
whether it is correct, and whether the information can be used to perform
other audit tests.
Verify the Database Pointers.
It should be determined whether the pointers and indexes in the database
are complete. Utility programs, commonly called database verifiers, can be
used for this purpose. These verifiers, which may run for several hours or
even days in large databases, verify that all access paths are complete and
that all data in the database can be accessed by at least one data path.
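An added example, not from the original text: a minimal sketch of what a database verifier checks, using a constructed in-memory model with hypothetical names (`RECORDS`, `CHAIN_HEADS`, `INDEX`, `verify_access_paths`). It reports pointers and index entries that lead to missing records, and records that no access path reaches.

```python
from collections import deque

# Constructed sample database (not from the source text): each record holds a
# "next" pointer to another record id, or None at the end of a chain.
RECORDS = {
    1: {"next": 2},
    2: {"next": 3},
    3: {"next": None},
    4: {"next": 9},     # dangling pointer: record 9 does not exist
    5: {"next": None},  # orphan: no chain head or index entry leads here
}
CHAIN_HEADS = [1]                          # entry points for chained access
INDEX = {"ACME": 3, "BOLT": 4, "CRUX": 7}  # key -> record id; 7 is missing


def verify_access_paths(records, chain_heads, index):
    """Return dangling pointers, dangling index entries, unreachable records."""
    dangling_pointers = sorted(
        (rid, rec["next"]) for rid, rec in records.items()
        if rec["next"] is not None and rec["next"] not in records
    )
    dangling_index = sorted(
        (key, rid) for key, rid in index.items() if rid not in records
    )
    # Breadth-first walk from every entry point; the visited set also stops
    # the walk if a corrupted chain loops back on itself.
    reachable = set()
    starts = list(chain_heads) + list(index.values())
    queue = deque(rid for rid in starts if rid in records)
    while queue:
        rid = queue.popleft()
        if rid in reachable:
            continue
        reachable.add(rid)
        nxt = records[rid]["next"]
        if nxt in records:
            queue.append(nxt)
    return {
        "dangling_pointers": dangling_pointers,
        "dangling_index_entries": dangling_index,
        "unreachable_records": sorted(set(records) - reachable),
    }


if __name__ == "__main__":
    report = verify_access_paths(RECORDS, CHAIN_HEADS, INDEX)
    for finding, items in report.items():
        print(f"{finding}: {items}")
```
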
Review the Vendor Documentation.
DBMS vendors supply information on achievable ranges of performance for
their DBMS as well as on operational and recovery procedures. This
information can be used to assess actual service levels and to determine
whether organizational recovery and operational procedures are adequate.
Test the Password Procedures.
The auditor should verify that password procedures are adequate and that
the procedures are enforced in the operating environment. When used,
passwords can restrict data access to authorized individuals. By operating
a terminal, the auditor can assess the adequacy of password procedures by
attempting to enter invalid passwords, by using valid passwords for invalid
purposes, and by discovering passwords through repetitive attempts.