Copyright © 2014 AuditNet® and Richard Cascarino & Associates
AuditNet® Training without Travel™ 
Auditing Databases
Guest Presenter:
Richard Cascarino,
MBA, CIA, CISM, CFE
Richard Cascarino &
Associates
Jim Kaplan CIA CFE
• President and Founder of
AuditNet®, the global resource
for auditors (now available on
Apple and Android and Windows
devices)
• Auditor, Web Site Guru,
• Internet for Auditors Pioneer
• Recipient of the IIA’s 2007
Bradford Cadmus Memorial
Award.
• Author of “The Auditor’s Guide
to Internet Resources” 2nd
Edition
Richard Cascarino MBA CIA CISM CFE
• Principal of Richard Cascarino &
Associates based in Colorado USA
• Over 30 years experience in IT
audit training and consultancy
• Past President of the Institute of
Internal Auditors in South Africa
• Member of ISACA
• Member of Association of Certified
Fraud Examiners
• Author of Auditor's Guide to IT
Auditing
Webinar Housekeeping
• This webinar and its material are the property of AuditNet® and Richard Cascarino
and Associates. Unauthorized usage or recording of this webinar or any of its material
is strictly forbidden. We are recording the webinar and you will be provided with a link
to access that recording as detailed below. Downloading or otherwise duplicating the
webinar recording is expressly prohibited.
• Webinar recording link will be sent via email within 5-7 business days.
• NASBA rules require us to ask polling questions during the Webinar and CPE
certificates will be sent via email to those who answer ALL the polling questions
• The CPE certificates and link to the recording will be sent to the email address you
registered with in GTW. We are not responsible for delivery problems due to spam
filters, attachment restrictions or other controls in place for your email client.
• Submit questions via the chat box on your screen and we will answer them either
during or at the conclusion.
• After the Webinar is over you will have an opportunity to provide feedback. Please
complete the feedback questionnaire to help us continuously improve our Webinars
• If GTW stops working you may need to close and restart. You can always dial in and
listen and follow along with the handout.
Disclaimers
• The views expressed by the presenters do not necessarily represent the 
views, positions, or opinions of AuditNet® or the presenters’ respective 
organizations. These materials, and the oral presentation accompanying 
them, are for educational purposes only and do not constitute accounting 
or legal advice or create an accountant‐client relationship. 
• While AuditNet® makes every effort to ensure information is accurate and 
complete, AuditNet® makes no representations, guarantees, or warranties 
as to the accuracy or completeness of the information provided via this 
presentation. AuditNet® specifically disclaims all liability for any claims or 
damages that may result from the information contained in this 
presentation, including any websites maintained by third parties and 
linked to the AuditNet® website
• Any mention of commercial products is for information only; it does not 
imply recommendation or endorsement by AuditNet®
Today’s Agenda
– Database Jargon
– Types of DBMS
– Who Looks after the Database
– Restart and Recovery
– Reviewing the Database Design
– Impact of Databases on Auditors
– Auditing the Database
– CAATTs in a Database Environment
Databases
Definition of Terms
–Database
a collection of data logically organized to meet the information 
requirements of a universe of users
–Database Management System (DBMS)
a hardware/software system which manages data by providing 
organisation, access and control functions
–Data Dictionary / Data Directory Systems (DD / DS)
the software which manages a repository of information about data 
and the data base environment
–Database Administration
a human function involved in the co‐ordination and control of data 
related activities
Definition of Terms
–User System Interfaces
components of the data base environment which request, manipulate 
and transform data into information for an end user
–Data Structure
the interrelationships of data
–Storage Structures
methods and techniques used to physically represent data structures on 
storage devices
–Access Methods
software logic procedures used to retrieve, insert, modify and delete 
data on a storage device
Data Independence implements Data Sharing
–Diverse users with different logical views
–New users with new logical views
–Changing logical views
–Changing physical representation
Data Independence is the "how" of "what" Data Sharing is
Principles of Data Structures
Data Structures are used to model a business (function) 
in terms of information
–Sequential
–Hierarchical
–Network
–Relational Model
Data Structures are also the basis for Database Designs
Conceptual Level Of Database Design
Data Structure Diagrams
–DBMSs vary in data structuring capabilities
Entry Access Methods
–Read The First
–Randomising
–Indexing
Navigational Access Methods
–Read The Next
–Embedded Links
–Inverted Index
Data Dictionary / Directory Systems
Data Dictionary
–Tells "what" is in a database / file
–Deals with the description of the logical view
–Name, Description, Synonym
Data Directory
–Tells "where and how to access" data
–Deals with the description of the physical aspects of 
data
–Location, Address, Physical Representation
Attributes for Describing Entities Of The DD/DS
Identification
Source
Classification
Usage
Qualification
Relationship
Data Dictionary / Data Directory System
The DD/DS can be a useful tool independent of the 
need for a DBMS
–Documentation support
–Coordination of shared data usage
–Control over modification of programs and files
The DD/DS has become popular with the advent of 
DBMS packages
–Greater recognition of opportunities to share data
–Greater need to control data usage
–Privacy legislation
–Complexity of relationships involved
Activity
Scope of Activity is a function of the number of 
components dependent on the DD/DS for Meta Data
–Application Programs / Report Generators / DBMS
Degree of Activity is a function of the time the 
component is "bound" to its Meta Data
–Pre‐compile
–Compile
–Run‐time
–Execution Time
Embedded Links for implementing interrecord 
relationships
Database Types
Sequential
Hierarchical
Network
Relational Model
Components
–Data Definition Language (DDL)
–Storage Structure Definition Language (SSDL)
–Data Manipulation Language (DML)
–DBMS Nucleus and Utilities
Sequential Approach
Fundamental Assumption
–There is a Direct Relationship between data
Hierarchical Approach
Fundamental Assumption
–There is some Hierarchical Relationship between data
Terminology
Root Segment
Parent Segment
Child Segment
Twins
Network Approach
Fundamental Assumption
–There is some General Relationship between data
Terminology
–Records / Pointers
Note
–Any Structure may be defined
–Records may contain multiple fields
Relational Model
Fundamental Assumption
–There is some Mathematical Relationship between 
data
Relational Data Manipulation
–SELECT ‐ All Retrieval
–UPDATE ‐ Change
–INSERT   ‐ Create new TUPLE
–DELETE  ‐ Delete Tuple
Qualified Manipulation
–FROM    ‐ Specifies Table
–WHERE ‐ Conditions
–AND       ‐ Conjunction of Conditions
–OR          ‐ Disjunction of Conditions
Relational Data Manipulation
–Example
SELECT ‐ EMPLOYEE = NAME
FROM    ‐ EMPLOYEE = DB
WHERE ‐ DEPT = "B03"
AND      ‐ POSITION = "MANAGER"
Result
Managers in Dept B03
A.B. JONES
C.D. SMITH
–The Result is Always a Table
Inverted List
Indexes and Pointers
1 Ford Blue
2 BMW Blue
3 Ford Red
4 Ford Blue
Ford 1,3,4
BMW 2
Blue 1,2,4
Red 3
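The two preceding slides describe qualified retrieval (WHERE with AND as conjunction and OR as disjunction, the result always being a table) and the inverted list of indexes and pointers. The following added example, which is not code from the original slides, ties the two together: it builds the posting lists shown on the Inverted List slide from the same four records and resolves AND / OR qualifications by intersecting or uniting those lists, so a request is answered from the index rather than by scanning every record. The function names (`build_inverted_index`, `select`, `project`) are assumptions made for the example.

```python
"""Inverted-list retrieval with AND / OR qualification (added example)."""
from collections import defaultdict

# Constructed sample data, taken from the Inverted List slide:
# record number -> attribute values.
RECORDS = {
    1: {"make": "Ford", "colour": "Blue"},
    2: {"make": "BMW", "colour": "Blue"},
    3: {"make": "Ford", "colour": "Red"},
    4: {"make": "Ford", "colour": "Blue"},
}


def build_inverted_index(records):
    """Return {attribute: {value: [record numbers]}}, posting lists in record order.

    index["make"]["Ford"] == [1, 3, 4] is the slide's 'Ford 1,3,4' entry.
    """
    index = defaultdict(lambda: defaultdict(list))
    for rec_no in sorted(records):
        for attr, value in records[rec_no].items():
            index[attr][value].append(rec_no)
    return {attr: dict(values) for attr, values in index.items()}


def postings(index, attr, value):
    """Posting list for one condition as a set; empty if the value is not indexed."""
    return set(index.get(attr, {}).get(value, ()))


def select(index, conditions, conjunction=True):
    """Resolve a list of (attribute, value) conditions through the index.

    conjunction=True  models WHERE a = x AND b = y (intersection of posting lists)
    conjunction=False models WHERE a = x OR  b = y (union of posting lists)
    Returns sorted record numbers; an empty list is still a valid (empty) table.
    """
    if not conditions:
        raise ValueError("at least one condition is required")
    lists = [postings(index, attr, value) for attr, value in conditions]
    hits = set.intersection(*lists) if conjunction else set.union(*lists)
    return sorted(hits)


def project(records, rec_nos, attributes):
    """Turn selected record numbers into result rows, i.e. the result table."""
    return [tuple(records[n][a] for a in attributes) for n in rec_nos]


if __name__ == "__main__":
    idx = build_inverted_index(RECORDS)
    blue_fords = select(idx, [("make", "Ford"), ("colour", "Blue")])
    print("Ford AND Blue:", blue_fords, project(RECORDS, blue_fords, ("make", "colour")))
    print("BMW OR Red:", select(idx, [("make", "BMW"), ("colour", "Red")], conjunction=False))
```

Each condition costs one index lookup and the qualification is resolved on record numbers alone; only the final projection touches the records themselves, which is why the DBMS can avoid a full scan for an indexed attribute.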
Packages and Vendors
ADABAS ‐ Software AG (North America)
IDMS ‐ Cullinane Corporation
IMS ‐ IBM
DB2 ‐ IBM
S2000 ‐ MIR Systems Corporation
TOTAL ‐ CINCOM Systems Inc.
DMS II ‐ UNISYS
DATACOM  ‐ ADR
Who Looks After My Database System?
Database Administrator
Functions Of The DBA
–Co‐ordinating the information content of the database
–Deciding the storage structure and access strategy
–Liaising with users
–Defining authorization checks and validation 
procedures
–Defining a strategy for back‐up and recovery
–Monitoring performance and responding to changes in 
requirements
Tools of The DBA
Utility Programs
–Loading
–Reorganisation Routines
–Statistical Analysis
–Journaling (e.g., Logs)
–Recovery
Data Dictionary
Database Analysers
Recovery
When? / Examples
–Action Failure: Insert or Replace fails, DB operation fails
–Transaction Failure: Deadlock
–System Failure: Power, Hardware, Software
–Media Failure: Head Crash
Recovery Criteria
Reinstate Databases to a known state
Minimize lost work
Allow recovery on a transaction basis
Provide fast recovery
Minimize manual work
Ensure safety of recovery data
Provide mechanism to inform users of "lost" 
transactions
Cater for various types of failures
Recovery Procedures
Roll Back
–Log processed backwards and completed transactions 
Rolled out. (last Checkpoint Used)
Roll Forward
–Log processed forward to:
Reinstate the system
Update Back‐up copy (e.g., Media Failure)
Other
–Compensating Transactions (e.g., Journal Entries)
–Salvation Routine
Criteria For Effective Log Recovery
Before Database is updated
–Log Before Image to undo change if necessary (e.g., 
failure before update)
After Database is updated
–Log After Image to redo change if necessary (e.g., 
media failure)
–Audit Trail information ‐ for manual follow‐up
–(e.g., Program Id, Transaction Id)
Checkpoints and Save Points
Used to define a "stable" state of the database for recovery
–DB is reinstated at last Checkpoint
–Log processed forward and system reinstated
Some Mechanisms For Automated Recovery
–Back‐up (image) Copies
Databases dumped at various intervals, e.g., daily, weekly, on tapes or back‐up 
devices
–Journal or Log
System Ensures that all transactions and data base activity is recorded on a Log
–Save Points
User‐defined intermediate point to recovery from in the event of a failure
–System Checkpoints
System‐defined intermediate point to recovery from in the event of a failure
–Transaction Files
Changes also kept in a separate file and updated
Tools of Restart/Recovery
The Recovery Log
The Checkpoint
The Database Dump
Database Restart/Recovery Software
Recovery Log
Before/after images of the recovery log
–Before Image ‐ Content
Image of Data before modification
Date/Time of change
Processing Program Id of modifying transaction
May be written to Recovery Log stored on a direct access file
–Before Image ‐ Function
Applied to point in time of failure of the environment
Applied to Database to "back out" faulty update transactions
Establishes Database to most recent Quiet Point (Checkpoint)
Before/After Image Logs
After Images ‐ Content
–Image of data after modification
–Date/Time of change
–Processing Program id of modifying transaction
After Images ‐ Function
–Applied to reloaded Database dump
–Brings the Database forward in time to the last 
checkpoint or point of failure
Database Checkpoint taken at a quiet point of the database (i.e., all
update activity has terminated); buffers are flushed and update
transactions are queued until the checkpoint is taken
Checkpoints
Database Checkpoints can be taken at any time
May be difficult to synchronize with O/S Checkpoints
May be procedurally initiated by application programs
May be automatically initiated by algorithm
Elapsed Time
Transactions processed
Data Dictionary
"Yellow Pages" of my Database
Functions of a "DD"
–Repository for
description
definition
structure (format)
relationship
usage
access, integrity constraints
–of System Objects
Reviewing Relevant Database Designs
Procedure for reviewing a Data Structure 
–list all the record types
–read and analyze their descriptions and names
–identify the key of each record and verify requirement for 
uniqueness
–study the relationships (and sets)
–read and analyze their descriptions and names
–identify all the relationships which are:
1:M
M:M
–Evaluate the strength of each relationship
(membership Option Specification)
–Verify consistency of the design with business information needs
Documentation of the Database Environment
Using the DD/DS as a documentation tool
Data Dictionary/Directory system can be used to 
accept, record and generate
–Requirements and Specifications
–Data Documentation
–Metadata generation
Can automate documentation process
–Cross‐referencing
–Report Generation
–Change Control
Advantages of an Active DD/DS
Accuracy
Timeliness
Completeness
Control over updates
Data Dictionary/Directory System
Control Realized Through Metadata Generation
–Compile Date/Time Stamp
Program Execution Lock‐out
Concentration of Vulnerability in Access to DD/DS
DD/DS Self‐protection
–Status Control (e.g. "Production" Status Cannot Be 
Modified)
–Password Protection
–Update authorization Restricted to DBA
Administration & Coordination Functions
Review & Monitoring Activities
–Review of  Database Designs
–Review of System Design
–Review  of Program Design & Coding
–Monitor Quality Of Data
–Monitor Performance
Segregation of Duties
Strategies to mitigate the concern of concentration of 
risk
–Evolutionary Development
–Fragment The Function
Distribution based on Location
Distribution based upon Users
Data Administration Versus Database Administration
–Use of the SDLC to define responsibilities and
deliverables
Organizational Issues
Roles Which Require Segregation
–Database Administration
–Systems Development
–Programming
–Operations
–End Users
–Internal Audit
Central Administration Of Schema / Subschema
Assignment of Responsibilities for Database Design 
Duties
–Data Administration
–Database Administration
–Systems Development/design
–Systems Programming
Integrate the Database Design Methodology into the 
SDLC and Roles Matrix
Control Over Changes 
Classification of Changes
–Magnitude of Effort (subjective)
Start‐up Effort
Merging Existing Components
Modifying an Existing Component
Emergency Maintenance
Component of The Environment (Objective)
–Application Programs (Fix, Enhancement, Etc.)
–System Software (New Release, Enhancement, Etc.)
–Data Descriptions (Re‐organization)
–Data (File Scrubbing, Zap, Etc.)
Controlling Access to Data in a Database Environment
Impact of a Database Environment on Privacy & 
Security
–Assessing requirements amongst multiple users is more 
difficult
–Sharing of Data may cause control concerns
–It is possible to describe security specifications using
the Declarative Data Definition Language (DDL)
More clear specification
Easier to audit
–Migration of implementation of controls from the 
application to the environment
Controlling Completeness & Accuracy of Databases
Impact of Database on Completeness & Accuracy Issues
–Effect on the quality of information provided
–Concentration of risk due to sharing of data
–Increased cost of error correction
–Effect on user reliance & confidence
–Database erosion
–Cascading errors
Migration of controls for mitigating the concerns involving 
completeness and accuracy
Generalized in the environment
Implemented in the DBMS, DD/DS, Etc.
The Impact on the Auditor
Benefits from the Auditor's viewpoint
–Consistency of data
–Enhance quality of audit by increased accessibility
–More accurate systems development process
–Data Resource Management will accrue benefits 
through formalized discipline
–Migration of controls
Disadvantages from the Auditor's viewpoint
–New Technology/Pioneer Syndrome
–Implementation cost control
–Access to DBMS managed data
–Data Integrity Trade‐offs
–Change in scope/timing of audit
Role of the Auditor
Consult with User on requirements
–Edit & Validation rules
–Partial acceptance or rejection on error
–Responsibility for correctness
Consult with DBA on implementation plan
–Tools available
–Edit & Validation element by element
–Error response
Ensure the existence of procedures for edit & validation 
maintenance
–Are the Edit & Validation rules sufficient?
–Procedures for adding new Data Elements
Edit & Validation Controls
Commonly encountered Database Management System 
supported Edit & Validation Controls
–Uniqueness checking for Key And Non‐key
–Structural/Relational checking
–Picture string and simple format checking
–Membership type in CODASYL Systems
Manual
Automatic
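The slide above lists the edit and validation controls a DBMS typically supports. The following added example, which is not code from the original slides, implements three of them over a small record set so an auditor can see what each check actually catches: uniqueness of the key and of a non-key field, structural/relational checking (every DEPT value must have a parent department occurrence), and picture-string format checking using a small COBOL-like PIC grammar (9 = digit, A = letter, X = any character, (n) = repeat). The field names, picture strings and sample rows are constructed for the example; the defects in records 2 and 3 are deliberate.

```python
"""DBMS-style edit and validation checks over a record set (added example)."""
import re

PIC_CLASSES = {"9": r"\d", "A": r"[A-Za-z]", "X": r"."}
PIC_GRAMMAR = re.compile(r"(?:[9AX](?:\(\d+\))?)+")


def picture_to_regex(picture):
    """Translate a picture string such as 'A9(4)' or '9(5)' into a compiled regex.

    9 = digit, A = letter, X = any character; (n) repeats the preceding symbol.
    Callers use fullmatch(), so the whole value must fit the picture.
    """
    if not PIC_GRAMMAR.fullmatch(picture):
        raise ValueError(f"unsupported picture string: {picture!r}")
    parts = []
    for symbol, count in re.findall(r"([9AX])(?:\((\d+)\))?", picture):
        parts.append(PIC_CLASSES[symbol] + (f"{{{count}}}" if count else ""))
    return re.compile("".join(parts))


def validate(rows, key, unique_non_key, pictures, parents):
    """Return [(row_index, message)] for every edit/validation failure.

    rows           list of dicts, one per record occurrence
    key            name of the key field (must be unique)
    unique_non_key non-key fields that must also be unique
    pictures       {field: picture string} format rules
    parents        {field: set of valid parent keys} relational rules
    """
    failures = []
    seen = {field: {} for field in (key, *unique_non_key)}
    compiled = {field: picture_to_regex(pic) for field, pic in pictures.items()}
    for i, row in enumerate(rows):
        for field, first_seen in seen.items():          # uniqueness, key and non-key
            value = row.get(field)
            if value in first_seen:
                failures.append((i, f"duplicate {field} {value!r}, first seen in record {first_seen[value]}"))
            else:
                first_seen[value] = i
        for field, regex in compiled.items():            # picture string / format
            value = str(row.get(field, ""))
            if not regex.fullmatch(value):
                failures.append((i, f"{field} {value!r} violates picture {pictures[field]}"))
        for field, valid_keys in parents.items():        # structural / relational
            if row.get(field) not in valid_keys:
                failures.append((i, f"{field} {row.get(field)!r} has no parent record"))
    return failures


# Constructed sample data with deliberate defects in records 2 and 3.
DEPARTMENTS = {"B03", "C01"}
EMPLOYEES = [
    {"EMPNO": "10001", "NAME": "A.B. JONES", "DEPT": "B03", "TAXNO": "T-100"},
    {"EMPNO": "10002", "NAME": "C.D. SMITH", "DEPT": "B03", "TAXNO": "T-101"},
    {"EMPNO": "10002", "NAME": "E.F. BROWN", "DEPT": "C01", "TAXNO": "T-102"},  # duplicate key
    {"EMPNO": "1A004", "NAME": "G.H. WHITE", "DEPT": "Z99", "TAXNO": "T-100"},  # bad picture, orphan dept, duplicate TAXNO
]
RULES = dict(key="EMPNO", unique_non_key=["TAXNO"],
             pictures={"EMPNO": "9(5)", "DEPT": "A99"}, parents={"DEPT": DEPARTMENTS})


def run_sample():
    """Validate the constructed EMPLOYEE occurrences against RULES."""
    return validate(EMPLOYEES, **RULES)


if __name__ == "__main__":
    for row_index, message in run_sample():
        print(f"record {row_index}: {message}")
```

When these checks live in the DBMS or DD/DS rather than in each application program, the auditor can verify them once, centrally, which is the migration of controls the later slides describe.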
Using the DD / DS
Passive DD/DS environment
–Tool for Documentation
–No assurance that application system resembles dd/ds 
content
Active DD/DS environment
–Edit & Validation performed according to declaratively
specified criteria
–Metadata generation can provide control
–DD/DS produces documentation for
Programmers
Analysts
System Users
The Database Input / Output Controller (DBIOC) as a tool for Controls
Serves as an excellent repository for Completeness and 
Accuracy controls
Centrally maintainable
Central responsibility for administration of controls
Security of the tool can be more easily verified
Data Sampling, if required, is transparent to all users
and processes
Controlling Initial Database Content
User is responsible for providing initial database 
content
User spot checks loaded database for correctness
Auditor specifies sufficient checking using statistical 
methods when appropriate
Database Load Utilities may be augmented using exits
Database Restart/Recovery Software
Database Patch Utility (data Base Zapper)
–Allows Quick (dangerous) fixes to rectify errors
–Allows DBA to disable the database
partially or completely
immediately or as current transactions complete
–Allows unrestricted browsing
–Restricted to DBA staff
–Procedural control over use
–Written approvals and log of activity
Auditing the Database
Set the audit objective and assess the environment
Assess capabilities of software environment
Review the DBA function
Review relevant database designs
Perform transaction impact analysis for relevant 
transactions
Design and perform substantive tests when appropriate
Assessing The Environment
Checklist of environmental questions
1. Is there a formally established data(base) administration 
function?
2. Is the administration activity project oriented or more focused 
on databases?
3. Does senior management take an active role in formulating and 
monitoring database strategy?
4. Is there an (active) DD/DS?
5. Are the control features of the DBMS and DD/DS effectively 
utilized?
6. Are databases implemented in conjunction with on‐line 
technology?
7. Are there corporate‐wide data standards?
8. Is there a formal SDLC?
Assessing The Environment
Checklist of application questions
1. Do diverse users share databases (of audit 
consequence) that were not shared previously?
2. Are there different logical views of the same physical 
database?
3. Are databases planned, designed and implemented
around corporate information needs as opposed to
parochial, departmental or application oriented
requirements?
4. Can data from one user area be easily incorporated 
into other applications?
5. Do users have a well defined sense of responsibility
over data within their sphere of influence?
Assess Capabilities of the Software Environment
Assessment must be in terms of two perspectives
–Potential Capability: Features & Characteristics available in 
the package
Vendor Documentation
Education & Training
–Implemented Capability: Features & Characteristics which 
have been actually made operational
Database Administration
System Generation Parameters
–Software assessment should focus on controls 
implemented in these components
DBMS   DD/DS   DB/DC   DBIOC
Performance Reports
Reviewing the DBA Function
Review DBA job description and organizational placement
Evaluate SDLC involvement
Review utilization of DD/DS
Review DBA established standard practices and procedures, 
including:
–Database Security
–Restart/Recovery
–Data Edit/Validation
–Audit Trail
Evaluate impression of others
–Systems Designers / Operations Personnel / End Users
CAATTs in a Database Environment
There are three basic aspects of the Database Environment 
which may be subjected to Substantive Testing
–System Components
–Metadata
–User Data
Testing of system components when appropriate is a matter of 
LOAD, GEN & RUN for the purpose of checking
–System component lock‐out
–Access controls
–Input error controls
–Input completeness controls
Testing of Metadata
Schema/Subschema Comparison Check
–To verify consistency of Data Definitions the Schema & 
Subschema would be compared to the actual Internal 
Control Blocks and Storage Structures
Load Source Schema/Subschema from library
Generate Schema/Subschema from DBMS Control Blocks
Compare at Source level
Active DD/DS Comparison Check
–To verify consistency the above procedure is repeated 
for descriptions maintained in the DD/DS
–Works also for Passive DD/DS's
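The comparison check above is described as three steps: load the source schema/subschema from the library, generate the schema/subschema from the DBMS control blocks, and compare at source level. The following added example, which is not code from the original slides, performs the comparison step once both sides have been reduced to the same plain dictionary form; the same function serves the Active DD/DS comparison check by passing the DD/DS description as the second argument. The record types, fields, (type, length) notation and the three deviations in the sample are constructed for the example, and in practice each side would be produced by the DBMS's own utilities.

```python
"""Schema/Subschema comparison check at source level (added example)."""


def compare_schemas(source, generated):
    """Return a list of discrepancy strings, ordered by record type then field.

    Each schema maps record-type name -> {"key": field, "fields": {name: (type, length)}}.
    Differences reported: record types on one side only, key mismatch, fields on one
    side only, and type or length mismatch on common fields.
    """
    findings = []
    for rec in sorted(set(source) - set(generated)):
        findings.append(f"{rec}: defined in source but absent from control blocks")
    for rec in sorted(set(generated) - set(source)):
        findings.append(f"{rec}: present in control blocks but not in source")
    for rec in sorted(set(source) & set(generated)):
        src, gen = source[rec], generated[rec]
        if src["key"] != gen["key"]:
            findings.append(f"{rec}: key {src['key']} in source but {gen['key']} in control blocks")
        sf, gf = src["fields"], gen["fields"]
        for field in sorted(set(sf) - set(gf)):
            findings.append(f"{rec}.{field}: defined in source but absent from control blocks")
        for field in sorted(set(gf) - set(sf)):
            findings.append(f"{rec}.{field}: present in control blocks but not in source")
        for field in sorted(set(sf) & set(gf)):
            if sf[field] != gf[field]:
                findings.append(f"{rec}.{field}: source {sf[field]} vs control blocks {gf[field]}")
    return findings


# Constructed sample: (type, length) per field, type written with picture symbols.
SOURCE_SCHEMA = {   # what the source library says the database should be
    "EMPLOYEE": {"key": "EMPNO", "fields": {"EMPNO": ("9", 5), "NAME": ("X", 30),
                                              "DEPT": ("X", 3), "SALARY": ("9", 7)}},
    "DEPARTMENT": {"key": "DEPTNO", "fields": {"DEPTNO": ("X", 3), "DNAME": ("X", 20)}},
}
GENERATED_SCHEMA = {   # what the control blocks say is operational: three deviations
    "EMPLOYEE": {"key": "EMPNO", "fields": {"EMPNO": ("9", 5), "NAME": ("X", 30),
                                              "DEPT": ("X", 3), "SALARY": ("9", 9),
                                              "BONUS": ("9", 7)}},
    "DEPARTMENT": {"key": "DNAME", "fields": {"DEPTNO": ("X", 3), "DNAME": ("X", 20)}},
}


def run_sample():
    """Compare the constructed source schema with the constructed generated schema."""
    return compare_schemas(SOURCE_SCHEMA, GENERATED_SCHEMA)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

A non-empty findings list is the audit evidence: each line names a data definition that is operational but not what the approved source says, which is exactly the change-control gap the next slide's administrative checking follows up on.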
Administrative Checking
System Documentation & Change Control check
–To verify Completeness & Accuracy Of Metadata which 
is subject to maintenance
–Produce Status & Version control report from DD/DS
–Verify the accuracy of current status & versions by 
comparison to existing occurrences
–Verify Audit Trail of Change Control with application 
personnel and the DBA
Testing Of User Data
Sampling of user data
–use of retrieval software tools
–well known sampling routines
–should be used on recovery logs
Derived data check
–use of independently written software to verify 
accuracy of derived data
–user written code may be embedded in retrieval 
software
Testing Of User Data
Recovery Log comparison check (after image)
–dump current database (tape 1)
–load previous database dump
–apply forward transaction journal
–dump newly constructed database (tape 2)
–reload original database from tape 1
–compare tape 1 and tape 2
–should be identical
–analyze discrepancies
–make adjustments
Testing User Data
Recovery Log comparison check (before image)
–dump current database ‐ tape 1
–run a representative updating program
–apply transaction journal to backout transaction
–dump newly constructed database ‐ tape 2
–reload original database ‐ tape 1
–compare tape 1 and tape 2
–should be identical
–analyze discrepancies
–make adjustments
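The two Recovery Log comparison checks above (after image and before image) rest on the before/after image logging, roll back and roll forward mechanics described in the earlier Recovery Log, Before/After Image Logs and Checkpoints slides. The following added example, which is not code from the original slides, models all of it in one place: a tiny key/value "database" stands in for a DBMS, each update journals its before image, after image and the audit-trail fields the slides call for (program id, transaction id), roll forward replays after images onto a reloaded dump, roll back processes the log backwards restoring before images, and the two comparison checks are then carried out step by step as the slides list them. To show what the check is for, one scenario applies an unlogged change of the kind a database patch utility can make; it surfaces as a tape 1 / tape 2 discrepancy. Account numbers, balances and program names are constructed.

```python
"""Before/after image logging, roll back, roll forward and the comparison checks (added example)."""
import copy


def update(db, log, key, new_value, program_id, tx_id):
    """Apply one change and journal it; new_value=None deletes the occurrence."""
    log.append({"key": key, "before": db.get(key), "after": new_value,
                "program": program_id, "tx": tx_id})
    if new_value is None:
        db.pop(key, None)
    else:
        db[key] = new_value


def roll_forward(dump, log):
    """Redo: apply after images, oldest first, to a reloaded dump."""
    db = copy.deepcopy(dump)
    for entry in log:
        if entry["after"] is None:
            db.pop(entry["key"], None)
        else:
            db[entry["key"]] = entry["after"]
    return db


def roll_back(db, log):
    """Undo: process the log backwards, restoring before images."""
    db = copy.deepcopy(db)
    for entry in reversed(log):
        if entry["before"] is None:
            db.pop(entry["key"], None)
        else:
            db[entry["key"]] = entry["before"]
    return db


def compare_dumps(tape1, tape2):
    """Return {key: (tape1 value, tape2 value)} for every occurrence that differs."""
    keys = set(tape1) | set(tape2)
    return {k: (tape1.get(k), tape2.get(k)) for k in sorted(keys) if tape1.get(k) != tape2.get(k)}


def after_image_check(current_db, previous_dump, journal):
    """After-image check: tape 1 = current DB; tape 2 = previous dump + forward journal."""
    tape1 = copy.deepcopy(current_db)             # dump current database (tape 1)
    tape2 = roll_forward(previous_dump, journal)  # load previous dump, apply journal, dump (tape 2)
    return compare_dumps(tape1, tape2)            # should be identical; anything else is a discrepancy


def before_image_check(current_db, updating_program):
    """Before-image check: tape 1 = current DB; run updates, back them out, tape 2 = result."""
    tape1 = copy.deepcopy(current_db)
    work, log = copy.deepcopy(current_db), []
    updating_program(work, log)                   # representative updating program
    tape2 = roll_back(work, log)                  # apply before images to back out its transactions
    return compare_dumps(tape1, tape2)


# Constructed sample: account number -> balance at the last dump, and one day's processing.
PREVIOUS_DUMP = {"10001": 500, "10002": 250}


def day_processing(db, log):
    """Representative updating program: an amendment, an insert and a delete."""
    update(db, log, "10001", 450, "PAYROLL01", "T1")
    update(db, log, "10003", 100, "NEWACCT02", "T2")
    update(db, log, "10002", None, "CLOSEACC03", "T3")


def build_current(unlogged_zap=False):
    """Produce today's database and journal; optionally apply an unlogged patch-utility change."""
    db, journal = copy.deepcopy(PREVIOUS_DUMP), []
    day_processing(db, journal)
    if unlogged_zap:
        db["10001"] = 9999   # a change that bypassed the log: no before/after image exists for it
    return db, journal


if __name__ == "__main__":
    db, journal = build_current()
    print("after-image check, clean :", after_image_check(db, PREVIOUS_DUMP, journal))
    db, journal = build_current(unlogged_zap=True)
    print("after-image check, zapped:", after_image_check(db, PREVIOUS_DUMP, journal))
    print("before-image check       :", before_image_check(PREVIOUS_DUMP, day_processing))
```

The empty result on the clean run is the "should be identical" outcome; the single discrepancy on the zapped run is the kind of item the "analyze discrepancies" step exists for, and it points straight at the procedural controls the Database Patch Utility slide demands (written approvals and a log of activity), since the recovery log alone cannot explain it.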
Audit Tools Available
Active DD/DS
Testing of application software & databases
Testing of system software & system data
Retrieval software
Integrity checking software
DBIOC
Recovery log images
Security log
Derived data
Performance measurement tools
Audit Techniques Available
Testing Of Application Software & Databases
–Verify the effective operation of controls through the 
use of test transactions and test databases
–Test data generators may be data dictionary driven
–Pseudo‐live databases
–Parallel testing
Testing of system software & system data
–Independent verification of the DBMS Software
–Verification of system generated control blocks using 
OS/DBMS dump facilities
Audit Tools Available
–Retrieval for audit purposes can be supported using 
three different approaches
Modification of audit software
Development of special interface mechanisms
Inclusion of retrieval for audit purposes as part of DBMS Software
–Integrity Checking software
Vendor and/or user written routines to scan storage structures and 
check for integrity
pointer integrity
index integrity
Available in some DBMS's
–Database Input Output Controller (DBIOC)
May be used as a host for embedded sampling for audit purposes
Database procedures/exits
User written software modules
Questions?
• Any Questions?
Don’t be Shy!
Coming Up Next
IT AUDIT BASIC
3. IT Basics Audit use of CAATs May 5
4. Auditing Contingency Planning May 7
5. IT Fraud and Countermeasures May 12
IT AUDIT ADVANCED
1. Advanced IT Audit Risk Analysis for Auditors May 14
2. Advanced IT Audit Securing the Internet May 19
3. Advanced IT Audit IT Security Reviews May 21
4. Advanced IT Audit  Performance Auditing of the IT 
Function May 26
5. Advanced IT Audit Managing the IT Audit Function May 
28
Thank You!
Richard Cascarino, MBA, CIA, CISM, CFE
Richard Cascarino & Associates
970-291-1497
rcasc@rcascarino.com
Jim Kaplan
AuditNet LLC®
800-385-1625
www.auditnet.org
webinars@auditnet.org

The Truth Behind Detecting Fraud Using Data AnalyticsThe Truth Behind Detecting Fraud Using Data Analytics
The Truth Behind Detecting Fraud Using Data Analytics
 
Enhanced fraud detection with data analytics
Enhanced fraud detection with data analyticsEnhanced fraud detection with data analytics
Enhanced fraud detection with data analytics
 
CyberSecurity Update Slides
CyberSecurity Update SlidesCyberSecurity Update Slides
CyberSecurity Update Slides
 
IT Fraud and Countermeasures
IT Fraud and CountermeasuresIT Fraud and Countermeasures
IT Fraud and Countermeasures
 
Touchstone Research for Internal Audit 2020 – A Look at the Now and Tomorrow ...
Touchstone Research for Internal Audit 2020 – A Look at the Now and Tomorrow ...Touchstone Research for Internal Audit 2020 – A Look at the Now and Tomorrow ...
Touchstone Research for Internal Audit 2020 – A Look at the Now and Tomorrow ...
 
Technology development: What is audit's role?
Technology development: What is audit's role?Technology development: What is audit's role?
Technology development: What is audit's role?
 
Ethics for Internal Auditors
Ethics for  Internal AuditorsEthics for  Internal Auditors
Ethics for Internal Auditors
 
How ERM and audit work together, a combined assurance approach
How ERM and audit work together, a combined assurance approach How ERM and audit work together, a combined assurance approach
How ERM and audit work together, a combined assurance approach
 
Implementing and Auditing General Data Protection Regulation
Implementing and Auditing General Data Protection RegulationImplementing and Auditing General Data Protection Regulation
Implementing and Auditing General Data Protection Regulation
 

Similar a It22015 slides

Structuring your organization for success with data analytics
Structuring your organization for success with data analytics Structuring your organization for success with data analytics
Structuring your organization for success with data analytics Jim Kaplan CIA CFE
 
IDEA Basics, Getting Started, and Basics of Importing Data
IDEA Basics, Getting Started, and Basics of Importing DataIDEA Basics, Getting Started, and Basics of Importing Data
IDEA Basics, Getting Started, and Basics of Importing DataJim Kaplan CIA CFE
 
Audit analytics and the agile auditor
Audit analytics and the agile auditorAudit analytics and the agile auditor
Audit analytics and the agile auditorJim Kaplan CIA CFE
 
Are You a Smart CAAT or a Copy CAAT
Are You a Smart CAAT or a Copy CAATAre You a Smart CAAT or a Copy CAAT
Are You a Smart CAAT or a Copy CAATJim Kaplan CIA CFE
 
Credential Transparency Initiative - Orientation for Registry Partners
Credential Transparency Initiative - Orientation for Registry PartnersCredential Transparency Initiative - Orientation for Registry Partners
Credential Transparency Initiative - Orientation for Registry PartnersCredential Engine
 
Is Your Audit Department Highly Effective?
Is Your Audit Department Highly Effective?Is Your Audit Department Highly Effective?
Is Your Audit Department Highly Effective?Jim Kaplan CIA CFE
 
Quick Response Fraud Detection
Quick Response Fraud DetectionQuick Response Fraud Detection
Quick Response Fraud DetectionFraudBusters
 
How to data mine your print reports
How to data mine your print reports How to data mine your print reports
How to data mine your print reports Jim Kaplan CIA CFE
 
Going global while being local
Going global while being localGoing global while being local
Going global while being localBharath Rao
 
Analytics Rising: Plan for Success
Analytics Rising: Plan for SuccessAnalytics Rising: Plan for Success
Analytics Rising: Plan for SuccessLewandog, Inc,
 
How to build a data analytics strategy in a digital world
How to build a data analytics strategy in a digital worldHow to build a data analytics strategy in a digital world
How to build a data analytics strategy in a digital worldJim Kaplan CIA CFE
 
David J Keith
David J Keith David J Keith
David J Keith Dave Keith
 
Creating A Winning Service Catalogue, Mike Kyffin (webinar slides)
Creating A Winning Service Catalogue, Mike Kyffin (webinar slides)Creating A Winning Service Catalogue, Mike Kyffin (webinar slides)
Creating A Winning Service Catalogue, Mike Kyffin (webinar slides)Service Desk Institute
 
DSRC Corporate Capabilities Presentation
DSRC Corporate Capabilities PresentationDSRC Corporate Capabilities Presentation
DSRC Corporate Capabilities PresentationDSRC
 
Router_ Connecting Students through Explaining.pptx
Router_ Connecting Students through Explaining.pptxRouter_ Connecting Students through Explaining.pptx
Router_ Connecting Students through Explaining.pptxssuser5a964f
 
Router_ Connecting Students through Explaining.pptx
Router_ Connecting Students through Explaining.pptxRouter_ Connecting Students through Explaining.pptx
Router_ Connecting Students through Explaining.pptxssuser5a964f
 
mplementing and Auditing GDPR Series (10 of 10)
mplementing and Auditing GDPR Series (10 of 10) mplementing and Auditing GDPR Series (10 of 10)
mplementing and Auditing GDPR Series (10 of 10) Jim Kaplan CIA CFE
 

Similar a It22015 slides (20)

It12015
It12015It12015
It12015
 
Structuring your organization for success with data analytics
Structuring your organization for success with data analytics Structuring your organization for success with data analytics
Structuring your organization for success with data analytics
 
IDEA Basics, Getting Started, and Basics of Importing Data
IDEA Basics, Getting Started, and Basics of Importing DataIDEA Basics, Getting Started, and Basics of Importing Data
IDEA Basics, Getting Started, and Basics of Importing Data
 
Audit analytics and the agile auditor
Audit analytics and the agile auditorAudit analytics and the agile auditor
Audit analytics and the agile auditor
 
Are You a Smart CAAT or a Copy CAAT
Are You a Smart CAAT or a Copy CAATAre You a Smart CAAT or a Copy CAAT
Are You a Smart CAAT or a Copy CAAT
 
GDPR Series Session 4
GDPR Series Session 4GDPR Series Session 4
GDPR Series Session 4
 
Future audit analytics
Future audit analyticsFuture audit analytics
Future audit analytics
 
Credential Transparency Initiative - Orientation for Registry Partners
Credential Transparency Initiative - Orientation for Registry PartnersCredential Transparency Initiative - Orientation for Registry Partners
Credential Transparency Initiative - Orientation for Registry Partners
 
Is Your Audit Department Highly Effective?
Is Your Audit Department Highly Effective?Is Your Audit Department Highly Effective?
Is Your Audit Department Highly Effective?
 
Quick Response Fraud Detection
Quick Response Fraud DetectionQuick Response Fraud Detection
Quick Response Fraud Detection
 
How to data mine your print reports
How to data mine your print reports How to data mine your print reports
How to data mine your print reports
 
Going global while being local
Going global while being localGoing global while being local
Going global while being local
 
Analytics Rising: Plan for Success
Analytics Rising: Plan for SuccessAnalytics Rising: Plan for Success
Analytics Rising: Plan for Success
 
How to build a data analytics strategy in a digital world
How to build a data analytics strategy in a digital worldHow to build a data analytics strategy in a digital world
How to build a data analytics strategy in a digital world
 
David J Keith
David J Keith David J Keith
David J Keith
 
Creating A Winning Service Catalogue, Mike Kyffin (webinar slides)
Creating A Winning Service Catalogue, Mike Kyffin (webinar slides)Creating A Winning Service Catalogue, Mike Kyffin (webinar slides)
Creating A Winning Service Catalogue, Mike Kyffin (webinar slides)
 
DSRC Corporate Capabilities Presentation
DSRC Corporate Capabilities PresentationDSRC Corporate Capabilities Presentation
DSRC Corporate Capabilities Presentation
 
Router_ Connecting Students through Explaining.pptx
Router_ Connecting Students through Explaining.pptxRouter_ Connecting Students through Explaining.pptx
Router_ Connecting Students through Explaining.pptx
 
Router_ Connecting Students through Explaining.pptx
Router_ Connecting Students through Explaining.pptxRouter_ Connecting Students through Explaining.pptx
Router_ Connecting Students through Explaining.pptx
 
mplementing and Auditing GDPR Series (10 of 10)
mplementing and Auditing GDPR Series (10 of 10) mplementing and Auditing GDPR Series (10 of 10)
mplementing and Auditing GDPR Series (10 of 10)
 

Más de Jim Kaplan CIA CFE

How to detect fraud like a pro detective slides
How to detect fraud like a pro detective slides How to detect fraud like a pro detective slides
How to detect fraud like a pro detective slides Jim Kaplan CIA CFE
 
Implementing and Auditing GDPR Series (8 of 10)
Implementing and Auditing GDPR Series (8 of 10) Implementing and Auditing GDPR Series (8 of 10)
Implementing and Auditing GDPR Series (8 of 10) Jim Kaplan CIA CFE
 
How to get auditors performing basic analytics using excel
How to get auditors performing basic analytics using excel How to get auditors performing basic analytics using excel
How to get auditors performing basic analytics using excel Jim Kaplan CIA CFE
 
When is a Duplicate not a Duplicate? Detecting Errors and Fraud
When is a Duplicate not a Duplicate? Detecting Errors and FraudWhen is a Duplicate not a Duplicate? Detecting Errors and Fraud
When is a Duplicate not a Duplicate? Detecting Errors and FraudJim Kaplan CIA CFE
 
General Data Protection Regulation Webinar 6
General Data Protection Regulation Webinar 6 General Data Protection Regulation Webinar 6
General Data Protection Regulation Webinar 6 Jim Kaplan CIA CFE
 
Focused agile audit planning using analytics
Focused agile audit planning using analyticsFocused agile audit planning using analytics
Focused agile audit planning using analyticsJim Kaplan CIA CFE
 
General Data Protection Regulation for Auditors 5 of 10
General Data Protection Regulation for Auditors 5 of 10General Data Protection Regulation for Auditors 5 of 10
General Data Protection Regulation for Auditors 5 of 10Jim Kaplan CIA CFE
 
Ethics and the Internal Auditor
Ethics and the Internal AuditorEthics and the Internal Auditor
Ethics and the Internal AuditorJim Kaplan CIA CFE
 
How analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of sampling How analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of sampling Jim Kaplan CIA CFE
 
How analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of samplingHow analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of samplingJim Kaplan CIA CFE
 
Implementing and Auditing GDPR Series (3 of 10)
Implementing and Auditing GDPR Series (3 of 10) Implementing and Auditing GDPR Series (3 of 10)
Implementing and Auditing GDPR Series (3 of 10) Jim Kaplan CIA CFE
 
Implementing and Auditing GDPR Series (2 of 10)
Implementing and Auditing GDPR Series (2 of 10) Implementing and Auditing GDPR Series (2 of 10)
Implementing and Auditing GDPR Series (2 of 10) Jim Kaplan CIA CFE
 
Implementing and Auditing General Data Protection Regulation
Implementing and Auditing General Data Protection Regulation Implementing and Auditing General Data Protection Regulation
Implementing and Auditing General Data Protection Regulation Jim Kaplan CIA CFE
 
How to use ai apps to unleash the power of your audit program
How to use ai apps to unleash the power of your audit program How to use ai apps to unleash the power of your audit program
How to use ai apps to unleash the power of your audit program Jim Kaplan CIA CFE
 
Driving More Value With Automated Analytics
Driving More Value With Automated AnalyticsDriving More Value With Automated Analytics
Driving More Value With Automated AnalyticsJim Kaplan CIA CFE
 
Building and Striving for Data Analytics Excellence
Building and Striving for Data Analytics ExcellenceBuilding and Striving for Data Analytics Excellence
Building and Striving for Data Analytics ExcellenceJim Kaplan CIA CFE
 

Más de Jim Kaplan CIA CFE (20)

How to detect fraud like a pro detective slides
How to detect fraud like a pro detective slides How to detect fraud like a pro detective slides
How to detect fraud like a pro detective slides
 
Implementing and Auditing GDPR Series (8 of 10)
Implementing and Auditing GDPR Series (8 of 10) Implementing and Auditing GDPR Series (8 of 10)
Implementing and Auditing GDPR Series (8 of 10)
 
How to get auditors performing basic analytics using excel
How to get auditors performing basic analytics using excel How to get auditors performing basic analytics using excel
How to get auditors performing basic analytics using excel
 
Tracking down outliers
Tracking down outliersTracking down outliers
Tracking down outliers
 
When is a Duplicate not a Duplicate? Detecting Errors and Fraud
When is a Duplicate not a Duplicate? Detecting Errors and FraudWhen is a Duplicate not a Duplicate? Detecting Errors and Fraud
When is a Duplicate not a Duplicate? Detecting Errors and Fraud
 
General Data Protection Regulation Webinar 6
General Data Protection Regulation Webinar 6 General Data Protection Regulation Webinar 6
General Data Protection Regulation Webinar 6
 
Focused agile audit planning using analytics
Focused agile audit planning using analyticsFocused agile audit planning using analytics
Focused agile audit planning using analytics
 
General Data Protection Regulation for Auditors 5 of 10
General Data Protection Regulation for Auditors 5 of 10General Data Protection Regulation for Auditors 5 of 10
General Data Protection Regulation for Auditors 5 of 10
 
Ethics and the Internal Auditor
Ethics and the Internal AuditorEthics and the Internal Auditor
Ethics and the Internal Auditor
 
How analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of sampling How analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of sampling
 
How analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of samplingHow analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of sampling
 
Cybersecurity Slides
Cybersecurity  SlidesCybersecurity  Slides
Cybersecurity Slides
 
Implementing and Auditing GDPR Series (3 of 10)
Implementing and Auditing GDPR Series (3 of 10) Implementing and Auditing GDPR Series (3 of 10)
Implementing and Auditing GDPR Series (3 of 10)
 
Ethics for internal auditors
Ethics for internal auditorsEthics for internal auditors
Ethics for internal auditors
 
Implementing and Auditing GDPR Series (2 of 10)
Implementing and Auditing GDPR Series (2 of 10) Implementing and Auditing GDPR Series (2 of 10)
Implementing and Auditing GDPR Series (2 of 10)
 
Implementing and Auditing General Data Protection Regulation
Implementing and Auditing General Data Protection Regulation Implementing and Auditing General Data Protection Regulation
Implementing and Auditing General Data Protection Regulation
 
Cybersecurity update 12
Cybersecurity update 12Cybersecurity update 12
Cybersecurity update 12
 
How to use ai apps to unleash the power of your audit program
How to use ai apps to unleash the power of your audit program How to use ai apps to unleash the power of your audit program
How to use ai apps to unleash the power of your audit program
 
Driving More Value With Automated Analytics
Driving More Value With Automated AnalyticsDriving More Value With Automated Analytics
Driving More Value With Automated Analytics
 
Building and Striving for Data Analytics Excellence
Building and Striving for Data Analytics ExcellenceBuilding and Striving for Data Analytics Excellence
Building and Striving for Data Analytics Excellence
 

Último

Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 

Último (20)

Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 

It22015 slides

  • 1. Copyright © 2014 AuditNet® and Richard Cascarino & Associates AuditNet® Training without Travel™  Auditing Databases Guest Presenter: Richard Cascarino, MBA, CIA, CISM, CFE Richard Cascarino & Associates
  • 2. Copyright © 2014 AuditNet® and Richard Cascarino & Associates Jim Kaplan CIA CFE • President and Founder of AuditNet®, the global resource for auditors (now available on Apple and Android and Windows devices) • Auditor, Web Site Guru, • Internet for Auditors Pioneer • Recipient of the IIA’s 2007 Bradford Cadmus Memorial Award. • Author of “The Auditor’s Guide to Internet Resources” 2nd Edition
  • 3. Copyright © 2014 AuditNet® and Richard Cascarino & Associates Richard Cascarino MBA CIA CISM CFE • Principal of Richard Cascarino & Associates based in Colorado USA • Over 30 years experience in IT audit training and consultancy • Past President of the Institute of Internal Auditors in South Africa • Member of ISACA • Member of Association of Certified Fraud Examiners • Author of Auditor's Guide to IT Auditing
  • 4. Copyright © 2014 AuditNet® and Richard Cascarino & Associates Webinar Housekeeping • This webinar and its material are the property of AuditNet® and Richard Cascarino and Associates. Unauthorized usage or recording of this webinar or any of its material is strictly forbidden. We are recording the webinar and you will be provided with a link access to that recording as detailed below. Downloading or otherwise duplicating the webinar recording is expressly prohibited. • Webinar recording link will be sent via email within 5-7 business days. • NASBA rules require us to ask polling questions during the Webinar and CPE certificates will be sent via email to those who answer ALL the polling questions • The CPE certificates and link to the recording will be sent to the email address you registered with in GTW. We are not responsible for delivery problems due to spam filters, attachment restrictions or other controls in place for your email client. • Submit questions via the chat box on your screen and we will answer them either during or at the conclusion. • After the Webinar is over you will have an opportunity to provide feedback. Please complete the feedback questionnaire to help us continuously improve our Webinars • If GTW stops working you may need to close and restart. You can always dial in and listen and follow along with the handout.
• 5. Disclaimers
  – The views expressed by the presenters do not necessarily represent the views, positions, or opinions of AuditNet® or the presenters' respective organizations. These materials, and the oral presentation accompanying them, are for educational purposes only and do not constitute accounting or legal advice or create an accountant-client relationship.
  – While AuditNet® makes every effort to ensure information is accurate and complete, AuditNet® makes no representations, guarantees, or warranties as to the accuracy or completeness of the information provided via this presentation. AuditNet® specifically disclaims all liability for any claims or damages that may result from the information contained in this presentation, including any websites maintained by third parties and linked to the AuditNet® website.
  – Any mention of commercial products is for information only; it does not imply recommendation or endorsement by AuditNet®.
• 6. Today's Agenda
  – Database Jargon
  – Types of DBMS
  – Who Looks after the Database
  – Restart and Recovery
  – Reviewing the Database Design
  – Impact of Databases on Auditors
  – Auditing the Database
  – CAATTs in a Database Environment
• 7. Databases: Definition of Terms
  – Database: a collection of data logically organized to meet the information requirements of a universe of users
  – Database Management System (DBMS): a hardware/software system which manages data by providing organisation, access and control functions
  – Data Dictionary / Data Directory System (DD/DS): the software which manages a repository of information about data and the database environment
  – Database Administration: a human function involved in the co-ordination and control of data-related activities
• 8. Definition of Terms (continued)
  – User System Interfaces: components of the database environment which request, manipulate and transform data into information for an end user
  – Data Structure: the interrelationships of data
  – Storage Structures: methods and techniques used to physically represent data structures on storage devices
  – Access Methods: software logic procedures used to retrieve, insert, modify and delete data on a storage device
• 9. Data Independence
  – Data independence is what makes data sharing possible:
    – Diverse users with different logical views
    – New users with new logical views
    – Changing logical views
    – Changing physical representation
  – Data sharing is the "what"; data independence is the "how": a logical view can change without the physical storage changing, and the physical representation can change without disturbing existing logical views
• 10. Principles of Data Structures
  – Data structures are used to model a business (function) in terms of information:
    – Sequential
    – Hierarchical
    – Network
    – Relational Model
  – Data structures are also the basis for database designs
• 11. Conceptual Level of Database Design
  – Data Structure Diagrams: DBMSs vary in their data structuring capabilities
  – Entry access methods (locating the first record of interest):
    – Read The First
    – Randomising (hashing the key to a storage location)
    – Indexing
  – Navigational access methods (moving from a record to related records):
    – Read The Next
    – Embedded Links (pointers stored in the record)
    – Inverted Index
• 12. Data Dictionary / Directory Systems
  – Data Dictionary
    – Tells "what" is in a database / file
    – Deals with the description of the logical view
    – Name, Description, Synonym
  – Data Directory
    – Tells "where and how to access" data
    – Deals with the description of the physical aspects of data
    – Location, Address, Physical Representation
• 13. Attributes for Describing Entities of the DD/DS
  – Identification
  – Source
  – Classification
  – Usage
  – Qualification
  – Relationship
• 14. Data Dictionary / Data Directory System
  – The DD/DS can be a useful tool independent of the need for a DBMS:
    – Documentation support
    – Coordination of shared data usage
    – Control over modification of programs and files
  – The DD/DS has become popular with the advent of DBMS packages:
    – Greater recognition of opportunities to share data
    – Greater need to control data usage
    – Privacy legislation
    – Complexity of the relationships involved
• 15. Activity of the DD/DS
  – Scope of activity is a function of the number of components dependent on the DD/DS for metadata: application programs, report generators, the DBMS
  – Degree of activity is a function of the time at which a component is "bound" to its metadata:
    – Pre-compile
    – Compile
    – Run-time
    – Execution time
  – Embedded links for implementing inter-record relationships
• 16. Polling Question 1
• 17. Database Types
  – Sequential
  – Hierarchical
  – Network
  – Relational Model
  – Components of a DBMS:
    – Data Definition Language (DDL)
    – Storage Structure Definition Language (SSDL)
    – Data Manipulation Language (DML)
    – DBMS Nucleus and Utilities
• 18. Sequential Approach
  – Fundamental assumption: there is a direct relationship between data records (each record is reached from the one before it, in storage order)
• 19. Hierarchical Approach
  – Fundamental assumption: there is some hierarchical relationship between data
  – Terminology: Root Segment, Parent Segment, Child Segment, Twins
• 20. Network Approach
  – Fundamental assumption: there is some general relationship between data
  – Terminology: Records / Pointers
  – Note: any structure may be defined; records may contain multiple fields
• 21. Relational Model
  – Fundamental assumption: there is some mathematical relationship between data (tables as relations over sets of values)
• 22. Relational Data Manipulation
  – SELECT: retrieval (all rows, or those that qualify)
  – UPDATE: change
  – INSERT: create a new tuple (row)
  – DELETE: delete a tuple
  – Qualified manipulation:
    – FROM: specifies the table
    – WHERE: conditions
    – AND: conjunction of conditions
    – OR: disjunction of conditions
• 23. Relational Data Manipulation: Example
  – Query: which employees in department B03 are managers?
      SELECT NAME
      FROM   EMPLOYEE
      WHERE  DEPT = 'B03'
      AND    POSITION = 'MANAGER'
  – Result (managers in Dept B03):
      A.B. JONES
      C.D. SMITH
  – The result is always a table
• 24. Inverted List: Indexes and Pointers
  – Records:
      1  Ford  Blue
      2  BMW   Blue
      3  Ford  Red
      4  Ford  Blue
  – Inverted lists (value → record numbers):
      Ford  1, 3, 4
      BMW   2
      Blue  1, 2, 4
      Red   3
  – A query on more than one attribute is answered from the lists alone, by intersecting them: Ford AND Blue → 1, 4
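The inverted list above, worked through in code. This is an added example written for this page, not material from the deck: it builds one posting list per attribute value from the four constructed car records, answers AND/OR queries by set operations on the lists, and then does the kind of index integrity check that the later "integrity checking software" slides mention, by rebuilding the lists from a full scan and reporting any stored pointer list that disagrees. The attribute names "make" and "colour" are invented for the illustration.

```python
from collections import defaultdict

# Constructed sample records (the four cars on the slide), keyed by record number.
RECORDS = {
    1: {"make": "Ford", "colour": "Blue"},
    2: {"make": "BMW",  "colour": "Blue"},
    3: {"make": "Ford", "colour": "Red"},
    4: {"make": "Ford", "colour": "Blue"},
}


def build_inverted_index(records):
    """One posting list per (attribute, value): index[attr][value] -> [record ids].
    Built in ascending record order so every list comes out sorted."""
    index = defaultdict(lambda: defaultdict(list))
    for rec_id in sorted(records):
        for attr, value in records[rec_id].items():
            index[attr][value].append(rec_id)
    return {attr: dict(postings) for attr, postings in index.items()}


def lookup(index, attr, value):
    """Record numbers whose attr equals value; unknown attribute or value -> []."""
    return list(index.get(attr, {}).get(value, []))


def query_and(index, **conditions):
    """Conjunction (WHERE a = x AND b = y): intersect the posting lists,
    never reading the records themselves."""
    result = None
    for attr, value in conditions.items():
        postings = set(lookup(index, attr, value))
        result = postings if result is None else result & postings
    return sorted(result or [])


def query_or(index, **conditions):
    """Disjunction (WHERE a = x OR b = y): union of the posting lists."""
    result = set()
    for attr, value in conditions.items():
        result |= set(lookup(index, attr, value))
    return sorted(result)


def check_index_integrity(index, records):
    """Index integrity check: rebuild the expected posting lists from a full
    scan of the records and report every (attr, value) whose stored pointers
    differ, as (attr, value, stored, correct)."""
    expected = build_inverted_index(records)
    findings = []
    for attr in sorted(set(index) | set(expected)):
        values = set(index.get(attr, {})) | set(expected.get(attr, {}))
        for value in sorted(values):
            stored = index.get(attr, {}).get(value, [])
            correct = expected.get(attr, {}).get(value, [])
            if stored != correct:
                findings.append((attr, value, stored, correct))
    return findings


if __name__ == "__main__":
    idx = build_inverted_index(RECORDS)
    print("Ford AND Blue ->", query_and(idx, make="Ford", colour="Blue"))
    print("BMW OR Red    ->", query_or(idx, make="BMW", colour="Red"))
    print("integrity findings:", check_index_integrity(idx, RECORDS))
```

The integrity check is the part an auditor cares about: a pointer list that has lost an entry (say, Ford → 1, 3 after a bad reorganisation) silently drops record 4 from every query that uses the index, and only a scan of the underlying records reveals it.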
• 25. Packages and Vendors
  – ADABAS - Software AG (North America)
  – IDMS - Cullinane Corporation
  – IMS - IBM
  – DB2 - IBM
  – S2000 - MIR Systems Corporation
  – TOTAL - CINCOM Systems Inc.
  – DMS II - UNISYS
  – DATACOM - ADR
• 26. Polling Question 2
• 27. Who Looks After My Database System? The Database Administrator
  – Functions of the DBA:
    – Co-ordinating the information content of the database
    – Deciding the storage structure and access strategy
    – Liaising with users
    – Defining authorization checks and validation procedures
    – Defining a strategy for back-up and recovery
    – Monitoring performance and responding to changes in requirements
• 28. Tools of the DBA
  – Utility programs:
    – Loading
    – Reorganisation routines
    – Statistical analysis
    – Journaling (e.g., logs)
    – Recovery
  – Data Dictionary
  – Database Analysers
• 29. Recovery: When?
  – Action failure: an insert or replace fails; a DB operation fails
  – Transaction failure: e.g., deadlock
  – System failure: power, hardware, software
  – Media failure: e.g., head crash
• 30. Recovery Criteria
  – Reinstate databases to a known state
  – Minimize lost work
  – Allow recovery on a transaction basis
  – Provide fast recovery
  – Minimize manual work
  – Ensure safety of recovery data
  – Provide a mechanism to inform users of "lost" transactions
  – Cater for various types of failures
• 31. Recovery Procedures
  – Roll Back: the log is processed backwards and the changes of incomplete or faulty transactions are backed out, returning the database to the last checkpoint
  – Roll Forward: the log is processed forward to reinstate the system, or to bring a reloaded back-up copy up to date (e.g., after a media failure)
  – Other:
    – Compensating transactions (e.g., reversing journal entries)
    – Salvation routine (salvage whatever is still consistent after a failure the log cannot repair)
• 32. Criteria for Effective Log Recovery
  – Before the database is updated: log the before image, so the change can be undone if necessary (e.g., failure before the update completes)
  – After the database is updated: log the after image, so the change can be redone if necessary (e.g., media failure)
  – Audit trail information for manual follow-up (e.g., program id, transaction id)
• 33. Checkpoints and Save Points
  – Used to define a "stable" state of the database for recovery: the DB is reinstated at the last checkpoint, the log is processed forward and the system reinstated
  – Some mechanisms for automated recovery:
    – Back-up (image) copies: databases dumped at intervals, e.g., daily or weekly, to tapes or back-up devices
    – Journal or log system: ensures that all transactions and database activity are recorded on a log
    – Save points: user-defined intermediate points to recover from in the event of a failure
    – System checkpoints: system-defined intermediate points to recover from in the event of a failure
    – Transaction files: changes are also kept in a separate file and applied
• 34. Tools of Restart/Recovery
  – The recovery log
  – The checkpoint
  – The database dump
  – Database restart/recovery software
• 35. Recovery Log: Before Images
  – Content:
    – Image of the data before modification
    – Date/time of change
    – Processing program id of the modifying transaction
    – May be written to a recovery log stored on a direct-access file
  – Function:
    – Applied at the point in time of failure of the environment
    – Applied to the database to "back out" faulty update transactions
    – Re-establishes the database at the most recent quiet point (checkpoint)
• 36. Recovery Log: After Images
  – Content:
    – Image of the data after modification
    – Date/time of change
    – Processing program id of the modifying transaction
  – Function:
    – Applied to a reloaded database dump
    – Brings the database forward in time to the last checkpoint or the point of failure
  – Database checkpoint: taken at a quiet point of the database (i.e., all update activity has terminated); buffers are flushed and update transactions are queued until the checkpoint is taken
• 37. Checkpoints
  – Database checkpoints can be taken at any time
  – May be difficult to synchronize with O/S checkpoints
  – May be procedurally initiated by application programs
  – May be automatically initiated by an algorithm, based on elapsed time or transactions processed
• 38. Polling Question 3
• 39. Data Dictionary: the "Yellow Pages" of my Database
  – Functions of a DD: a repository for the description of system objects, covering their
    – definition
    – structure (format)
    – relationships
    – usage
    – access and integrity constraints
• 40. Reviewing Relevant Database Designs
  – Procedure for reviewing a data structure:
    – List all the record types
    – Read and analyze their descriptions and names
    – Identify the key of each record and verify the requirement for uniqueness
    – Study the relationships (and sets); read and analyze their descriptions and names
    – Identify all the relationships which are 1:M and M:M
    – Evaluate the strength of each relationship (membership option specification)
    – Verify consistency of the design with business information needs
• 41. Documentation of the Database Environment
  – Using the DD/DS as a documentation tool: the Data Dictionary/Directory System can be used to accept, record and generate
    – Requirements and specifications
    – Data documentation
    – Metadata generation
  – Can automate the documentation process:
    – Cross-referencing
    – Report generation
    – Change control
• 42. Advantages of an Active DD/DS
  – Accuracy
  – Timeliness
  – Completeness
  – Control over updates
• 43. Data Dictionary/Directory System: Control
  – Control realized through metadata generation: compile date/time stamp, program execution lock-out
  – Concentration of vulnerability: whoever can change the DD/DS can change every definition that depends on it, so access to the DD/DS itself must be controlled
  – DD/DS self-protection:
    – Status control (e.g., an object in "Production" status cannot be modified)
    – Password protection
    – Update authorization restricted to the DBA
• 44. Administration & Coordination Functions
  – Review & monitoring activities:
    – Review of database designs
    – Review of system design
    – Review of program design & coding
    – Monitor quality of data
    – Monitor performance
• 45. Segregation of Duties
  – Strategies to mitigate the concern of concentration of risk:
    – Evolutionary development
    – Fragment the function: distribution based on location; distribution based upon users; Data Administration versus Database Administration
    – Use of the SDLC to define responsibilities and deliverables
• 46. Organizational Issues
  – Roles which require segregation:
    – Database Administration
    – Systems Development
    – Programming
    – Operations
    – End Users
    – Internal Audit
• 47. Central Administration of Schema / Subschema
  – Assignment of responsibilities for database design duties:
    – Data Administration
    – Database Administration
    – Systems Development/Design
    – Systems Programming
  – Integrate the database design methodology into the SDLC and the roles matrix
• 48. Control Over Changes
  – Classification of changes by magnitude of effort (subjective):
    – Start-up effort
    – Merging existing components
    – Modifying an existing component
    – Emergency maintenance
  – Classification by component of the environment (objective):
    – Application programs (fix, enhancement, etc.)
    – System software (new release, enhancement, etc.)
    – Data descriptions (re-organization)
    – Data (file scrubbing, zap, etc.)
• 49. Controlling Access to Data in a Database Environment
  – Impact of a database environment on privacy & security:
    – Assessing requirements amongst multiple users is more difficult
    – Sharing of data may cause control concerns
    – It is possible to describe security specifications using the declarative Data Definition Language (DDL): a clearer specification that is easier to audit, because the rule is stated once in the schema rather than repeated in every program
    – Migration of the implementation of controls from the application to the environment
• 50. Controlling Completeness & Accuracy of Databases
  – Impact of a database on completeness & accuracy issues:
    – Effect on the quality of information provided
    – Concentration of risk due to sharing of data
    – Increased cost of error correction
    – Effect on user reliance & confidence
    – Database erosion
    – Cascading errors
  – Migration of controls for mitigating the concerns involving completeness and accuracy: generalized in the environment, implemented in the DBMS, DD/DS, etc.
• 51. Polling Question 4
• 52. The Impact on the Auditor
  – Benefits from the auditor's viewpoint:
    – Consistency of data
    – Enhanced quality of audit through increased accessibility
    – More accurate systems development process
    – Data resource management will accrue benefits through formalized discipline
    – Migration of controls
  – Disadvantages from the auditor's viewpoint:
    – New technology / "pioneer syndrome"
    – Implementation cost control
    – Access to DBMS-managed data
    – Data integrity trade-offs
    – Change in scope/timing of audit
• 53. Role of the Auditor
  – Consult with the user on requirements:
    – Edit & validation rules
    – Partial acceptance or rejection on error
    – Responsibility for correctness
  – Consult with the DBA on the implementation plan:
    – Tools available
    – Edit & validation element by element
    – Error response
  – Ensure the existence of procedures for edit & validation maintenance:
    – Are the edit & validation rules sufficient?
    – Procedures for adding new data elements
• 54. Edit & Validation Controls
  – Commonly encountered DBMS-supported edit & validation controls:
    – Uniqueness checking for key and non-key fields
    – Structural/relational checking (a dependent record must refer to an existing owner record)
    – Picture string and simple format checking
    – Membership type in CODASYL systems: manual or automatic
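The DBMS-supported edit & validation controls of the last slide, and the "declare it in the DDL" point from slide 49, shown on a relational DBMS. This is an added example, not from the deck: the rules (key and non-key uniqueness, a relational check, a picture string, a domain and a range check) are declared once in constructed table definitions for SQLite, and a small driver feeds one good row plus one row per control so you can see the DBMS reject each bad one. Table, column and employee names are invented. One caveat the code makes explicit: SQLite accepts a REFERENCES clause but only enforces it once `PRAGMA foreign_keys = ON` is set, which is exactly the "potential versus implemented capability" distinction the later slides draw.

```python
import sqlite3

# Constructed schema for the example: the edit & validation rules are declared
# in the DDL, where the DBMS applies them to every program and user, instead of
# being re-coded in each application. Names are invented for the illustration.
SCHEMA = """
CREATE TABLE DEPT (
    DEPT_NO TEXT PRIMARY KEY
        CHECK (DEPT_NO GLOB '[A-Z][0-9][0-9]')              -- picture string: letter + 2 digits
);
CREATE TABLE EMPLOYEE (
    EMP_NO   INTEGER PRIMARY KEY,                            -- key uniqueness
    NAME     TEXT NOT NULL,
    EMAIL    TEXT NOT NULL UNIQUE,                           -- non-key uniqueness
    DEPT_NO  TEXT NOT NULL REFERENCES DEPT (DEPT_NO),        -- structural/relational check
    POSITION TEXT NOT NULL
        CHECK (POSITION IN ('MANAGER', 'CLERK', 'ANALYST')), -- domain (simple format) check
    SALARY   INTEGER CHECK (SALARY BETWEEN 0 AND 1000000)    -- range check
);
"""

INSERT_EMPLOYEE = (
    "INSERT INTO EMPLOYEE (EMP_NO, NAME, EMAIL, DEPT_NO, POSITION, SALARY) "
    "VALUES (?, ?, ?, ?, ?, ?)"
)


def open_db():
    conn = sqlite3.connect(":memory:")
    # SQLite parses REFERENCES but enforces it only when this pragma is on:
    # the rule is "potentially" present in the DDL and "implemented" only here.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO DEPT VALUES ('B03')")
    conn.commit()
    return conn


def attempt(conn, sql, params):
    """Run one statement in its own transaction; return (accepted, reason)."""
    try:
        with conn:                       # commits on success, rolls back on error
            conn.execute(sql, params)
        return True, "accepted"
    except sqlite3.IntegrityError as exc:
        return False, str(exc)


def run_validation_cases(conn=None):
    """Feed one good row, then one row per control, and record the DBMS verdict
    for each. The rows are constructed test data, not real employees."""
    conn = conn or open_db()
    cases = {
        "valid":           (1, "A.B. JONES", "jones@example.com", "B03", "MANAGER", 90000),
        "duplicate_key":   (1, "C.D. SMITH", "smith@example.com", "B03", "MANAGER", 80000),
        "duplicate_email": (2, "C.D. SMITH", "jones@example.com", "B03", "MANAGER", 80000),
        "unknown_dept":    (3, "E.F. BROWN", "brown@example.com", "Z99", "CLERK",   40000),
        "bad_position":    (4, "G.H. GREEN", "green@example.com", "B03", "INTERN",  20000),
        "negative_salary": (5, "I.J. WHITE", "white@example.com", "B03", "CLERK",      -1),
    }
    results = {name: attempt(conn, INSERT_EMPLOYEE, row) for name, row in cases.items()}
    results["bad_dept_format"] = attempt(conn, "INSERT INTO DEPT VALUES (?)", ("b3",))
    return results


if __name__ == "__main__":
    for name, (accepted, reason) in run_validation_cases().items():
        print(f"{name:16s} {'OK ' if accepted else 'REJ'} {reason}")
```

When reviewing a real schema, the test is the same: attempt the inserts the rules are supposed to stop, against a copy of the production definitions, and keep the DBMS's own error text as the evidence.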
• 55. Using the DD/DS
  – Passive DD/DS environment:
    – Tool for documentation
    – No assurance that the application system resembles the DD/DS content
  – Active DD/DS environment:
    – Edit & validation performed according to declaratively specified criteria
    – Metadata generation can provide control
    – DD/DS produces documentation for programmers, analysts and system users
• 56. The Database Input/Output Controller (DBIOC) as a Tool for Controls
  – Serves as an excellent repository for completeness and accuracy controls
  – Centrally maintainable
  – Central responsibility for administration of controls
  – Security of the tool can be more easily verified
  – Data sampling, if required, is transparent to all users and processes
• 57. Controlling Initial Database Content
  – The user is responsible for providing the initial database content
  – The user spot-checks the loaded database for correctness
  – The auditor specifies sufficient checking, using statistical methods when appropriate
  – Database load utilities may be augmented using exits
• 58. Database Restart/Recovery Software
  – Database Patch Utility (database "zapper"):
    – Allows quick (and dangerous) fixes to rectify errors
    – Allows the DBA to disable the database partially or completely, immediately or as current transactions complete
    – Allows unrestricted browsing
  – Controls over its use: restricted to DBA staff; procedural control over use; written approvals and a log of activity
• 59. Auditing the Database
  – Set the audit objective and assess the environment
  – Assess the capabilities of the software environment
  – Review the DBA function
  – Review relevant database designs
  – Perform transaction impact analysis for relevant transactions
  – Design and perform substantive tests when appropriate
• 60. Assessing the Environment: Checklist of Environmental Questions
  1. Is there a formally established data(base) administration function?
  2. Is the administration activity project oriented or more focused on databases?
  3. Does senior management take an active role in formulating and monitoring database strategy?
  4. Is there an (active) DD/DS?
  5. Are the control features of the DBMS and DD/DS effectively utilized?
  6. Are databases implemented in conjunction with on-line technology?
  7. Are there corporate-wide data standards?
  8. Is there a formal SDLC?
• 61. Assessing the Environment: Checklist of Application Questions
  1. Do diverse users share databases (of audit consequence) that were not shared previously?
  2. Are there different logical views of the same physical database?
  3. Are databases planned, designed and implemented around corporate information needs, as opposed to parochial, departmental or application-oriented requirements?
  4. Can data from one user area be easily incorporated into other applications?
  5. Do users have a well-defined sense of responsibility over data within their sphere of influence?
• 62. Assess Capabilities of the Software Environment
  – Assessment must be in terms of two perspectives:
    – Potential capability: features & characteristics available in the package (vendor documentation, education & training)
    – Implemented capability: features & characteristics which have actually been made operational (database administration, system generation parameters)
  – Software assessment should focus on the controls implemented in these components: DBMS, DD/DS, DB/DC, DBIOC, performance reports
• 63. Reviewing the DBA Function
  – Review the DBA job description and organizational placement
  – Evaluate SDLC involvement
  – Review utilization of the DD/DS
  – Review DBA-established standard practices and procedures, including: database security; restart/recovery; data edit/validation; audit trail
  – Evaluate the impression of others: systems designers, operations personnel, end users
• 64. Polling Question 5
• 65. CAATTs in a Database Environment
  – There are three basic aspects of the database environment which may be subjected to substantive testing:
    – System components
    – Metadata
    – User data
  – Testing of system components, when appropriate, is a matter of LOAD, GEN & RUN for the purpose of checking:
    – System component lock-out
    – Access controls
    – Input error controls
    – Input completeness controls
• 66. Testing of Metadata
  – Schema/Subschema comparison check: to verify consistency of data definitions, the schema & subschema are compared to the actual internal control blocks and storage structures:
    – Load the source schema/subschema from the library
    – Generate the schema/subschema from the DBMS control blocks
    – Compare at source level
  – Active DD/DS comparison check: to verify consistency, the above procedure is repeated for the descriptions maintained in the DD/DS; it works also for passive DD/DSs
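The schema comparison check of slide 66, implemented for a relational DBMS. This is an added example, not part of the deck: the "source library" is a constructed DDL script with invented object names, the DBMS "control blocks" are SQLite's own catalog (`sqlite_master`, which stores the definition it is actually running), and the comparison is made at source level after normalising layout. The drift scenario at the end is likewise constructed: a column added, an index created and a view dropped outside change control, which is what the check is meant to surface.

```python
import re
import sqlite3

# Constructed "source library" copy of the schema, i.e. the data definitions as
# the DBA documented them. Object names are invented for this example.
LIBRARY_SCHEMA = """
CREATE TABLE EMPLOYEE (
    EMP_NO   INTEGER PRIMARY KEY,
    NAME     TEXT NOT NULL,
    DEPT     TEXT NOT NULL,
    POSITION TEXT NOT NULL
);
CREATE INDEX EMPLOYEE_DEPT_IX ON EMPLOYEE (DEPT);
CREATE VIEW MANAGERS AS SELECT NAME FROM EMPLOYEE WHERE POSITION = 'MANAGER';
"""


def normalize(ddl):
    """Canonical form so that layout differences do not count as drift:
    collapse whitespace, drop a trailing ';', compare case-insensitively.
    (Case folding also hides case changes inside string literals; tighten
    this if that matters for the schema under review.)"""
    return re.sub(r"\s+", " ", ddl).strip().rstrip(";").strip().upper()


def parse_library(script):
    """Split a DDL script into {OBJECT_NAME: normalized CREATE statement}.
    Splitting on ';' is enough for this script; one with ';' inside literals
    or trigger bodies needs a real tokenizer."""
    objects = {}
    for stmt in script.split(";"):
        stmt = stmt.strip()
        if not stmt:
            continue
        m = re.match(r"CREATE\s+(?:UNIQUE\s+)?(TABLE|INDEX|VIEW)\s+(\w+)", stmt, re.I)
        if not m:
            raise ValueError("unsupported statement in library: " + stmt[:40])
        objects[m.group(2).upper()] = normalize(stmt)
    return objects


def generate_from_catalog(conn):
    """Regenerate the definitions the DBMS is actually running from its own
    catalog; sqlite_master plays the part of the internal control blocks."""
    rows = conn.execute(
        "SELECT name, sql FROM sqlite_master "
        "WHERE sql IS NOT NULL AND name NOT LIKE 'sqlite_%'")
    return {name.upper(): normalize(sql) for name, sql in rows}


def compare_schemas(library, actual):
    """Three kinds of finding: documented but absent, present but undocumented,
    and present on both sides with a different definition."""
    both = set(library) & set(actual)
    return {
        "missing_in_db": sorted(set(library) - set(actual)),
        "undocumented_in_db": sorted(set(actual) - set(library)),
        "different": sorted(n for n in both if library[n] != actual[n]),
    }


def build_db(script):
    conn = sqlite3.connect(":memory:")
    conn.executescript(script)
    return conn


def schema_check(conn, script=LIBRARY_SCHEMA):
    return compare_schemas(parse_library(script), generate_from_catalog(conn))


def demo_drift():
    """Database built from the library, then changed outside change control:
    a column added (SQLite rewrites the stored CREATE TABLE text), an
    undocumented index created, a documented view dropped."""
    conn = build_db(LIBRARY_SCHEMA)
    conn.executescript("""
        ALTER TABLE EMPLOYEE ADD COLUMN SALARY INTEGER;
        CREATE INDEX EMPLOYEE_NAME_IX ON EMPLOYEE (NAME);
        DROP VIEW MANAGERS;
    """)
    return schema_check(conn)


if __name__ == "__main__":
    print("fresh build :", schema_check(build_db(LIBRARY_SCHEMA)))
    print("after drift :", demo_drift())
```

The same three buckets are what the slide's active-DD/DS variant produces when the "library" side is the dictionary instead of a DDL file; only `parse_library` changes.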
• 67. Administrative Checking
  – System documentation & change control check: to verify completeness & accuracy of metadata which is subject to maintenance:
    – Produce a status & version control report from the DD/DS
    – Verify the accuracy of current status & versions by comparison to the existing occurrences
    – Verify the audit trail of change control with application personnel and the DBA
• 68. Testing of User Data
  – Sampling of user data:
    – Use of retrieval software tools
    – Well-known sampling routines
    – Should also be applied to the recovery logs
  – Derived data check:
    – Use of independently written software to verify the accuracy of derived data
    – User-written code may be embedded in retrieval software
• 69. Testing of User Data: Recovery Log Comparison Check (after images)
  – Dump the current database (tape 1)
  – Load the previous database dump
  – Apply the forward transaction journal (after images)
  – Dump the newly constructed database (tape 2)
  – Reload the original database from tape 1
  – Compare tape 1 and tape 2: they should be identical
  – Analyze discrepancies and make adjustments
• 70. Testing User Data: Recovery Log Comparison Check (before images)
  – Dump the current database (tape 1)
  – Run a representative updating program
  – Apply the transaction journal (before images) to back out its transactions
  – Dump the newly constructed database (tape 2)
  – Reload the original database (tape 1)
  – Compare tape 1 and tape 2: they should be identical
  – Analyze discrepancies and make adjustments
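The before/after image log of slides 32, 35 and 36 and both recovery log comparison checks of slides 69 and 70, worked through end to end. This is an added example written for this page, not code from the deck or from any DBMS vendor. Everything in it is constructed: an ACCOUNT table stands in for the user data, a JOURNAL table filled by a trigger plays the recovery log (before image, after image, date/time, program id, transaction id), in-memory row copies play the "tapes", and a `zap` function imitates the database patch utility of slide 58 by editing data with journaling switched off. The after-image check is run once on a clean database (no discrepancies) and once after the unlogged patch, which it catches.

```python
import sqlite3

# Constructed for this example (no product's real log format): ACCOUNT is the
# user data; JOURNAL is the recovery log with before/after images plus the
# audit-trail fields the slides name; CONTEXT is a one-row table the program
# fills so the trigger can stamp each entry with program id and transaction id.
TABLES = """
CREATE TABLE ACCOUNT (ACCT_NO INTEGER PRIMARY KEY, BALANCE INTEGER NOT NULL);
CREATE TABLE CONTEXT (PROGRAM_ID TEXT NOT NULL, TXN_ID TEXT NOT NULL);
INSERT INTO CONTEXT VALUES ('', '');
CREATE TABLE JOURNAL (
    SEQ        INTEGER PRIMARY KEY AUTOINCREMENT,
    CHANGED_AT TEXT    NOT NULL,
    PROGRAM_ID TEXT    NOT NULL,
    TXN_ID     TEXT    NOT NULL,
    ACCT_NO    INTEGER NOT NULL,
    BEFORE_BAL INTEGER NOT NULL,
    AFTER_BAL  INTEGER NOT NULL
);
"""
# The DBMS's journaling: every balance change writes one before/after entry.
TRIGGER = """
CREATE TRIGGER ACCOUNT_LOG AFTER UPDATE OF BALANCE ON ACCOUNT
BEGIN
    INSERT INTO JOURNAL (CHANGED_AT, PROGRAM_ID, TXN_ID, ACCT_NO, BEFORE_BAL, AFTER_BAL)
    SELECT strftime('%Y-%m-%dT%H:%M:%fZ', 'now'), PROGRAM_ID, TXN_ID,
           NEW.ACCT_NO, OLD.BALANCE, NEW.BALANCE
    FROM CONTEXT;
END;
"""
SEED = [(100, 500), (200, 300), (300, 0)]   # constructed opening balances


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(TABLES + TRIGGER)
    conn.executemany("INSERT INTO ACCOUNT VALUES (?, ?)", SEED)
    conn.commit()
    return conn


def dump(conn):
    """Image copy of the user data (a "tape"): a sorted tuple of rows."""
    return tuple(conn.execute("SELECT ACCT_NO, BALANCE FROM ACCOUNT ORDER BY ACCT_NO"))


def load_dump(tape):
    """Reload an image copy into a fresh database that has no trigger, so that
    replaying the log does not itself write new log entries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ACCOUNT (ACCT_NO INTEGER PRIMARY KEY, BALANCE INTEGER NOT NULL)")
    conn.executemany("INSERT INTO ACCOUNT VALUES (?, ?)", tape)
    conn.commit()
    return conn


def last_seq(conn):
    """Sequence number of the newest log entry; serves as the checkpoint marker."""
    return conn.execute("SELECT COALESCE(MAX(SEQ), 0) FROM JOURNAL").fetchone()[0]


def journal_entries(conn, after_seq=0):
    """Log entries written after a checkpoint, in log order."""
    return conn.execute(
        "SELECT SEQ, PROGRAM_ID, TXN_ID, ACCT_NO, BEFORE_BAL, AFTER_BAL "
        "FROM JOURNAL WHERE SEQ > ? ORDER BY SEQ", (after_seq,)).fetchall()


def run_program(conn, program_id, txn_id, postings):
    """A representative updating program: postings = [(acct_no, delta), ...]
    applied as one transaction, with the audit-trail context set first."""
    with conn:
        conn.execute("UPDATE CONTEXT SET PROGRAM_ID = ?, TXN_ID = ?", (program_id, txn_id))
        for acct_no, delta in postings:
            conn.execute("UPDATE ACCOUNT SET BALANCE = BALANCE + ? WHERE ACCT_NO = ?",
                         (delta, acct_no))


def zap(conn, acct_no, balance):
    """Simulated patch utility ("zapper"): the DBA edits data with journaling
    switched off, so the change leaves no log entry at all."""
    with conn:
        conn.execute("DROP TRIGGER ACCOUNT_LOG")
        conn.execute("UPDATE ACCOUNT SET BALANCE = ? WHERE ACCT_NO = ?", (balance, acct_no))
    conn.executescript(TRIGGER)


def roll_forward(conn, entries):
    """Redo: apply after images in log order to a reloaded dump."""
    for _seq, _prog, _txn, acct_no, _before, after in entries:
        conn.execute("UPDATE ACCOUNT SET BALANCE = ? WHERE ACCT_NO = ?", (after, acct_no))
    conn.commit()


def back_out(conn, entries):
    """Undo: apply before images in reverse log order."""
    for _seq, _prog, _txn, acct_no, before, _after in reversed(entries):
        conn.execute("UPDATE ACCOUNT SET BALANCE = ? WHERE ACCT_NO = ?", (before, acct_no))
    conn.commit()


def compare(tape_a, tape_b):
    """Discrepancies between two image copies as {acct_no: (balance_a, balance_b)}."""
    a, b = dict(tape_a), dict(tape_b)
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


def after_image_check(conn, previous_dump, previous_seq):
    """Tape 1 = current database; reload the previous dump, apply the forward
    journal written since it, dump the result as tape 2, compare with tape 1."""
    tape1 = dump(conn)
    rebuilt = load_dump(previous_dump)
    roll_forward(rebuilt, journal_entries(conn, after_seq=previous_seq))
    return compare(tape1, dump(rebuilt))


def before_image_check(conn, program_id, txn_id, postings):
    """Tape 1 = current database; run a representative update program, back it
    out from the before images, dump as tape 2, compare with tape 1."""
    tape1, checkpoint = dump(conn), last_seq(conn)
    run_program(conn, program_id, txn_id, postings)
    rebuilt = load_dump(dump(conn))        # undo on a copy, so the undo is not journaled
    back_out(rebuilt, journal_entries(conn, after_seq=checkpoint))
    return compare(tape1, dump(rebuilt))


def demo():
    conn = open_db()
    tape0, seq0 = dump(conn), last_seq(conn)                       # the periodic image copy
    run_program(conn, "PAYROLL", "T1", [(100, -50), (200, 50)])
    run_program(conn, "INTEREST", "T2", [(300, 10)])
    clean = after_image_check(conn, tape0, seq0)                   # {}: log explains every change
    zap(conn, 200, 999)                                             # unlogged patch
    dirty = after_image_check(conn, tape0, seq0)                   # {200: (999, 350)}: caught
    undo = before_image_check(conn, "REFUND", "T3", [(100, 25)])   # {}
    return clean, dirty, undo
```

A discrepancy from the after-image check means the live database contains a change the recovery log does not explain (a patch, a restore from the wrong dump, or a broken journal), which is precisely why slide 58 wants every zap approved in writing and logged outside the DBMS.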
• 71. Audit Tools Available
  – Active DD/DS
  – Testing of application software & databases
  – Testing of system software & system data
  – Retrieval software
  – Integrity checking software
  – DBIOC
  – Recovery log images
  – Security log
  – Derived data
  – Performance measurement tools
• 72. Audit Techniques Available
  – Testing of application software & databases:
    – Verify the effective operation of controls through the use of test transactions and test databases
    – Test data generators may be data-dictionary driven
    – Pseudo-live databases
    – Parallel testing
  – Testing of system software & system data:
    – Independent verification of the DBMS software
    – Verification of system-generated control blocks using OS/DBMS dump facilities
• 73. Audit Tools Available (continued)
  – Retrieval for audit purposes can be supported using three different approaches:
    – Modification of audit software
    – Development of special interface mechanisms
    – Inclusion of retrieval for audit purposes as part of the DBMS software
  – Integrity checking software: vendor and/or user-written routines to scan storage structures and check pointer integrity and index integrity; available in some DBMSs
  – Database Input/Output Controller (DBIOC): may be used as a host for embedded sampling for audit purposes, via database procedures/exits or user-written software modules
• 74. Polling Question 6
• 75. Questions? Any Questions? Don't be Shy!
• 76. Coming Up Next
  – IT AUDIT BASIC
    3. IT Basics: Audit use of CAATs (May 5)
    4. Auditing Contingency Planning (May 7)
    5. IT Fraud and Countermeasures (May 12)
  – IT AUDIT ADVANCED
    1. Advanced IT Audit: Risk Analysis for Auditors (May 14)
    2. Advanced IT Audit: Securing the Internet (May 19)
    3. Advanced IT Audit: IT Security Reviews (May 21)
    4. Advanced IT Audit: Performance Auditing of the IT Function (May 26)
    5. Advanced IT Audit: Managing the IT Audit Function (May 28)
• 77. Thank You!
  – Richard Cascarino, MBA, CIA, CISM, CFE, Richard Cascarino & Associates, 970-291-1497, rcasc@rcascarino.com
  – Jim Kaplan, AuditNet LLC®, 800-385-1625, www.auditnet.org, webinars@auditnet.org