
Database Systems

The document discusses auditing database systems, focusing on compliance, security, and control of organizational databases. It contrasts flat-file and database approaches, highlighting issues like data redundancy and update inefficiencies in flat-file systems, while emphasizing the benefits of centralized data management in databases. Key elements of database environments, including DBMS features, data access methods, and the role of database administrators, are also outlined.
AUDITING DATABASE SYSTEMS

This topic focuses on the compliance regarding the security and control of an organization's database.

Data Management Approaches

The Flat-File Approach. Flat files are data files that contain records with no structured relationships to other files. The flat-file approach is most often associated with so-called legacy systems.

Problems arising from Flat-File Approach:

Data Storage. Efficient data management captures and stores data only once and makes this single source available to all users who need it. In the flat-file environment, this is not possible. To meet the private data needs of diverse users, organizations must incur the costs of both multiple collection and multiple storage procedures. Some commonly used data may be duplicated dozens, hundreds, or even thousands of times within an organization.

Data Updating. Organizations store a great deal of data on master files and reference files that require periodic updating to reflect changes. For example, a change to a customer's name or address must be reflected in the appropriate master files. When users keep separate and exclusive files, each change must be made separately for each user. These redundant updating tasks add significantly to the cost of data management.

Currency of Information. In contrast to the problem of performing multiple updates is the problem of failing to update all the user files that are affected by a change in status. If update information is not properly disseminated, the change will not be reflected in some users' data, resulting in decisions based on outdated information.

Task-Data Dependency. Another problem with the flat-file approach is the user's inability to obtain additional information as his or her needs change: this is known as task-data dependency. In other words, a user's task is limited and decision-making ability constrained by the data that he or she possesses and controls.

The Database Approach. This approach centralizes the organization's data into a common database that is shared by other users. With the enterprise's data in a central location, all users have access to the data they need to achieve their respective objectives. Through data sharing, the traditional problems associated with the flat-file approach may be overcome.

Elimination of Data Storage Problem. Each data element is stored only once, thereby eliminating data redundancy and reducing data collection and storage costs.

Elimination of Data Update Problem. Because each data element exists in only one place, it requires only a single update procedure. This reduces the time and cost of keeping the database current.

Elimination of Currency Problem. A single change to a database attribute is automatically made available to all users of the attribute. For example, a customer address change entered by the billing clerk is immediately reflected in the marketing and product services views.

Elimination of Task-Data Dependency Problem. With access to the full domain of entity data, changes in user information needs can be satisfied without obtaining additional private data sets. Users are constrained only by the limitations of the data available to the entity and the legitimacy of their need to access them. Therefore, the database method eliminates the limited access that flat files, by their nature, dictate to users.

Key Elements of the Database Environment

This section discusses the key elements of the database environment. These include the (1) database management system (DBMS), (2) users, (3) the database administrator, (4) the physical database, and (5) the DBMS models.

1. Database Management System. A database management system (DBMS) is a software application that allows users to manage and organize data in a database. It provides an interface for users to interact with the database, perform operations such as storing, retrieving, updating, and deleting data, and ensures the integrity and security of the data.

Typical Features

The DBMS provides a controlled environment to assist (or prevent) access to the database and to efficiently manage the data resource. Each DBMS is unique in the way it accomplishes these objectives, but some typical features include:

1. Program development. The DBMS contains application development software. Both programmers and end users may employ this feature to create applications to access the database.

2. Backup and recovery. During processing, the DBMS periodically makes backup copies of the physical database. In the event of a disaster (disk failure, program error, or malicious act) that renders the database unusable, the DBMS can recover to an earlier version that is known to be correct. Although some data loss may occur, without the backup and recovery feature the database would be vulnerable to total destruction.

3. Database usage reporting. This feature captures statistics on what data are being used, when they are used, and who uses them. This information is used by the database administrator (DBA) to help assign user authorization and maintain the database. We discuss the role of the DBA later in this section.

4. Database access. The most important feature of a DBMS is to permit authorized user access, both formal and informal,
to the database. There are three software modules that facilitate this task. These are the data definition language, the data manipulation language, and the query language.

Data Definition Language. Data definition language (DDL) is a programming language used to define the database to the DBMS. The DDL identifies the names and the relationship of all data elements, records, and files that constitute the database. This definition has three levels, called views: the physical internal view, the conceptual view (schema), and the user view (subschema).

Database Views

Internal View/Physical View.
• The physical arrangement of records in the database is presented through the internal view.
• The lowest level of representation, which is one step removed from the physical database.
• Describes the structures of data records, the linkages between files, and the physical arrangement and sequence of records in a file.
• There is only one internal view for the database.
• Indicates how the data will be stored.
• Describes the complex data structures and access methods to be used by the database.
• Used to describe the entire database architecture.

Conceptual View/Logical View (Schema).
• Describes the entire database.
• This view represents the database logically and abstractly, rather than the way it is physically stored. There is only one conceptual view for a database.
• Also called the logical structure because it defines the logical relations between the data.

External View/User View (Subschema).
• Defines the user's section of the database: the portion that an individual user is authorized to access.
• Unlike the internal and conceptual views, there may be many distinct user views.

Users

Formal Access: Application Interfaces

Users access the database in two ways (Formal and Informal Access). First, access is possible by the formal application interfaces. User programs, prepared by systems professionals, send data access requests (calls) to the DBMS, which validates the requests and retrieves the data for processing.

Data Manipulation Language. Data manipulation language (DML) is the proprietary programming language that a particular DBMS uses to retrieve, process, and store data. Entire user programs may be written in the DML or, alternatively, selected DML commands can be inserted into programs that are written in universal languages, such as JAVA, C++, and even older languages such as COBOL and FORTRAN.

Inserting DML commands enables standard programs, which were originally written for the flat-file environment, to be easily converted to work in a database environment. The use of standard language programs also provides the organization with a degree of independence from the DBMS vendor. If the organization decides to switch vendors to one that uses a different DML, it will not need to rewrite all user programs. By replacing the old DML commands with the new commands, user programs can be modified to function in the new environment.

DBMS Operation. The DBMS and user applications work together. Let's consider the typical sequence of events that occur while accessing data. The following description is generic and certain technical details are omitted.

1. A user program sends a request for data to the DBMS. The requests are written in a special data manipulation language that is embedded in the user program.

2. The DBMS analyzes the request by matching the called data elements against the user view and the conceptual view. If the data request matches, it is authorized, and processing proceeds to Step 3. If it does not match the views, access is denied.

3. The DBMS determines the data structure parameters from the internal view and passes them to the operating system, which performs the actual data retrieval. Data structure parameters describe the organization and access method for retrieving the requested data. This topic is discussed later.

4. Using the appropriate access method (an operating system utility program), the operating system interacts with the disk storage device to retrieve the data from the physical database.

5. The operating system then stores the data in a main memory buffer area managed by the DBMS.

6. The DBMS transfers the data to the user's work location in main memory. At this point, the user's program is free to access and manipulate the data.

7. When processing is complete, Steps 4, 5, and 6 are reversed to restore the processed data to the database.

Informal Access: Query Language

Definition. The second method of database access is the informal method of queries. A query is an ad hoc access methodology for extracting information from a database. Users can access data via direct query, which requires no formal user programs, using the DBMS's built-in query facility. This feature allows authorized users to process data independent of professional programmers by providing a "friendly" environment for integrating and retrieving data to produce ad hoc management reports.
SQL. The query capability of the DBMS permits end users and professional programmers to access data in the database directly without the need for conventional programs. IBM's Structured Query Language (SQL) has emerged as the standard query language for both mainframe and microcomputer DBMSs. SQL is a fourth-generation, nonprocedural language with many commands that allow users to input, retrieve, and modify data easily. The SELECT command is a powerful tool for retrieving data.

The Database Administrator

The DBA is responsible for managing the database resource. The sharing of a common database by multiple users requires organization, coordination, rules, and guidelines to protect the integrity of the database.

In large organizations, the DBA function may consist of an entire department of technical personnel under the database administrator. In smaller organizations, DBA responsibility may be assumed by someone within the computer services group.

The duties of the DBA fall into the following areas: database planning; database design; database implementation, operation, and maintenance; and database growth and change.

Organizational Interactions of the DBA

Of particular importance is the relationship among the DBA, the end users, and the systems professionals of the organization.

When information systems needs arise, users send formal requests for computer applications to the systems professionals (programmers) of the organization. The requests are handled through formal systems development procedures; if they have merit, they result in programmed applications.

The Data Dictionary

Another important function of the DBA is the creation and maintenance of the data dictionary. The data dictionary describes every data element in the database. This enables all users (and programmers) to share a common view of the data resource, thus greatly facilitating the analysis of user needs. The data dictionary may be in both paper form and online. Most DBMSs employ special software for managing the data dictionary.

The Physical Database

The fourth major element of the database approach is the physical database. This is the lowest level of the database and the only level that exists in physical form. The physical database consists of magnetic spots on metallic coated disks. The other levels of the database (the user view, conceptual view, and internal view) are abstract representations of the physical level.

Data Structures

Data structures are the bricks and mortar of the database. The data structure allows records to be located, stored, and retrieved, and enables movement from one record to another. Data structures have two fundamental components: organization and access method.

Data Organization

The organization of a file refers to the way records are physically arranged on the secondary storage device. This may be either sequential or random.

The records in sequential files are stored in contiguous locations that occupy a specified area of disk space. Records in random files are stored without regard for their physical relationship to other records of the same file. Random files may have records distributed throughout a disk.

Think of a sequential file as a long list of files stored in a specific order. Each record is stored one after the other, and they can only be accessed in the order they were stored. To find a specific record, you have to start from the beginning and go through each record until you find the one you're looking for.

This is like flipping through the pages of a book from the beginning until you find the info or file that you are looking for.

On the other hand, random files allow direct access to any record in the file. Each record is assigned a unique identifier called a key, which is used to locate and retrieve the record quickly.

It is just like opening a book. But this time, the book has a table of contents that helps you find the info or file that you need. You simply jump to that page, and then you are done.

Data Access Methods

The access method is the technique used to locate records and to navigate through the database.

The criteria that influence the selection of the data structure include:
1. Rapid file access and data retrieval
2. Efficient use of disk storage space
3. High throughput for transaction processing
4. Protection from data loss
5. Ease of recovery from system failure
6. Accommodation of file growth

DBMS Models

A data model is an abstract representation of the data about entities, including resources, events, and agents and their relationships in an organization. The purpose of a data model is to represent entity attributes in a way that is understandable to users.

Database Terminology


Before introducing these models formally, we need to review some important database terms and concepts:

Data Attribute/Field. A data attribute/field is a single item of data, such as customer's name, account balance, or address.

Entity. An entity is a database representation of an individual resource, event, or agent about which we choose to collect data. Entities may be physical (inventories, customers, and employees) or conceptual (sales, accounts receivable, and depreciation expense).

For example: Employee = Employee ID, Name, Address, Age

Record Type (Table or File). When we group together the data attributes that logically define an entity, they form a record type.

Database. A database is the set of record types that an organization needs to support its business processes.

Associations. Record types that constitute a database exist in relation to other record types. This is called an association. Three basic record associations are: one-to-one, one-to-many, and many-to-many.

• One-to-one association. This means that for every occurrence in Record Type X, there is one (or possibly zero) occurrence in Record Type Y.
  - In a one-to-one association, one record in a table is associated with exactly one record in another table, and vice versa.
  - This association is typically used when two entities have a unique and singular relationship.
  - Example: Consider a database for a hospital. In this scenario, we have two entities: "Patient" and "Medical History."
    o Each patient can have only one medical history, and each medical history is associated with only one patient.
    o The "Patient" entity will contain information such as the patient's name, date of birth, contact details, and other personal information.
    o The "Medical History" entity will contain information about the patient's medical conditions, allergies, previous surgeries, medications, and other relevant medical data.

• One-to-many association. For every occurrence in Record Type X, there are zero, one, or many occurrences in Record Type Y.
  - This association is commonly used when one entity can have multiple related entities.
  - Example: Consider a database for a university. In this scenario, we have two entities: "Department" and "Professor."
    o Each department can have multiple professors, but each professor is associated with only one department.
    o The "Department" entity will contain information such as the department name, location, contact details, and other department-specific information.
    o The "Professor" entity will contain information about the professor, including their name, email address, specialization, and other relevant details.

In this case, the association between the "Department" and "Professor" entities is a one-to-many association. Each department can have multiple professors, but each professor is linked to a specific department.

• Many-to-many association. For each occurrence of Record Types X and Y, there are zero, one, or many occurrences of Record Types Y and X respectively.
  - In a many-to-many association, multiple records in one table are associated with multiple records in another table, and vice versa.
  - This association is used when multiple entities can have multiple related entities.
  - Example: Consider a database for a social media platform. In this scenario, we have two entities: "User" and "Groupchat."
    o Each user can be a member of multiple groupchats, and each groupchat can have multiple users as members.
    o The "User" entity will contain information such as the user's username, email address, profile information, and other user-specific details.
    o The "Groupchat" entity will contain information about the group, including the group name, description, members, and other relevant group details.

In this case, the association between the "User" and "Group" entities is a many-to-many association. Each user can be a member of multiple groups, and each group can have multiple users as members.

The Hierarchical Model

The hierarchical model is constructed of sets that describe the relationship between two linked files. This structure is also called a tree structure. Each set contains a parent and a child. Files at the same level with the same parent are called siblings. The highest level in the tree is the root segment, and the lowest file in a particular branch is called a leaf.

The Network Model

Like the hierarchical model, the network model is a navigational database with explicit linkages between records and files. The distinction is that the network model permits a child record to have multiple parents.
Navigational Databases. The hierarchical data model is called a navigational database because traversing the files requires following a predefined path. This is established through explicit linkages (pointers) between related records. The only way to access data at lower levels in the tree is from the root and via the pointers down the navigational path to the desired records.

The hierarchical and network models are termed navigational models because of explicit links or paths among their data elements.

The Relational Model

The relational model portrays data in the form of two-dimensional tables. The most apparent difference between the relational model and the navigational models is the way in which data associations are represented to the user.

Databases in a Distributed Environment

Centralized Databases

This approach involves retaining the data in a central location. Remote IT units send requests for data to the central site, which processes the requests and transmits the data back to the requesting IT unit. The actual processing of the data is performed at the remote IT unit. The central site performs the functions of a file manager that services the data needs of the remote sites. A fundamental objective of the database approach is to maintain data currency. This can be a challenging task in a DDP environment.

Data Currency in a DDP Environment

During data processing, information passes through a state of temporary inconsistency where its values are incorrectly stated. This occurs during the execution of a transaction.

Distributed Databases

Distributed databases can be either partitioned or replicated:

Partitioned Databases

The partitioned database approach splits the central database into segments or partitions that are distributed to their primary users. The advantages of this approach follow:

• Having data stored at local sites increases users' control.
• Transaction processing response time is improved by permitting local access to data and reducing the volume of data that must be transmitted between IT units.
• Partitioned databases can reduce the potential effects of a disaster. By locating data at several sites, the loss of a single IT unit does not eliminate all data processing by the organization.

The partitioned approach works best for organizations that require minimal data sharing among their distributed IT units. The primary user manages data requests from other sites. To minimize data access from remote users, the organization needs to carefully select the host location. Identifying the optimum host requires an in-depth analysis of user data needs.

The Deadlock Phenomenon. In a distributed environment, it is possible for multiple sites to lock out each other from the database, thus preventing each from processing its transactions. A deadlock is a permanent condition that must be resolved by special software that analyzes each deadlock condition to determine the best solution. Because of the implication for transaction processing, accountants should be aware of the issues pertaining to deadlock resolutions.

Deadlock Resolution. Resolving a deadlock usually involves terminating one or more transactions to complete processing of the other transactions in the deadlock. The preempted transactions must then be reinitiated. In preempting transactions, the deadlock resolution software attempts to minimize the total cost of breaking the deadlock. Some of the factors that are considered in this decision follow:

Replicated Databases

Replicated databases are effective in companies where there exists a high degree of data sharing but no primary user. Since common data is replicated at each IT unit site, the data traffic between sites is reduced considerably.

The primary justification for a replicated database is to support read-only queries. With data replicated at every site, data access for query purposes is ensured, and lockouts and delays due to data traffic are minimized.

Concurrency Control

Database concurrency is the presence of complete and accurate data at all user sites. System designers need to employ methods to ensure that transactions processed at each site are accurately reflected in the databases of all the other sites.

Because of the implication for the accuracy of accounting records, the concurrency problem is a matter of concern for auditors. A commonly used method for concurrency control is to serialize transactions.

Controlling and Auditing Data Management Systems

Controls over data management systems fall into two general categories: access controls and backup controls.

Access controls are designed to prevent unauthorized individuals from viewing, retrieving, corrupting, or destroying the entity's data.

Backup controls ensure that in the event of data loss due to unauthorized access, equipment failure, or physical disaster the organization can recover its database.

Access Controls

In the shared database environment, access control risks include corruption, theft, misuse, and destruction of data. These threats originate from both unauthorized intruders and authorized users who exceed their access privileges. Several control features are now reviewed:
User Views

Access privileges to the database, as defined in their views, should be commensurate with the user's legitimate needs.

Although user views can restrict user access to a limited set of data, they do not define task privileges such as read, delete, or write. Often, several users may share a single user view but have different authority levels.

Database Authorization Table

The database authorization table contains rules that limit the actions a user can take. This technique is similar to the access control list used in the operating system. Each user is granted certain privileges that are coded in the authority table, which is used to verify the user's action requests.

User-Defined Procedures

A user-defined procedure allows the user to create a personal security program or routine to provide more positive user identification than a single password. Thus, in addition to a password, the security procedure asks a series of personal questions (such as the user's mother's maiden name), which only the legitimate user should know.

Data Encryption

Database systems also use encryption procedures to protect highly sensitive stored data, such as product formulas, personnel pay rates, password files, and certain financial data, thus making it unreadable to an intruder "browsing" the database.

Biometric Devices

The ultimate in user authentication procedures is the use of biometric devices, which measure various personal characteristics, such as fingerprints, voice prints, retina prints, or signature characteristics. These user characteristics are digitized and stored permanently in a database security file or on an identification card that the user carries.

Inference Controls

One advantage of the database query capability is that it provides users with summary and statistical data for decision making.

To preserve the confidentiality and integrity of the database, inference controls should be in place to prevent users from inferring, through query features, specific data values that they otherwise are unauthorized to access. Inference controls attempt to prevent three types of compromises to the database.

The goal of inference controls is to prevent unauthorized individuals or entities from drawing accurate conclusions or making inferences about sensitive information based on available data.

Audit Objective Relating to Database Access

• Verify that database access authority and privileges are granted to users in accordance with their legitimate needs.

Audit Procedures for Testing Database Access Controls

Responsibility for Authority Tables and Subschemas. The auditor should verify that database administration (DBA) personnel retain exclusive responsibility for creating authority tables and designing user views.

Evidence may come from three sources:
(1) by reviewing company policy and job descriptions, which specify these technical responsibilities;
(2) by examining programmer authority tables for access privileges to data definition language (DDL) commands; and
(3) through personal interviews with programmers and DBA personnel.

Appropriate Access Authority. The auditor can select a sample of users and verify that their access privileges stored in the authority table are consistent with their job descriptions and organizational levels.

Biometric Controls. The auditor should evaluate the costs and benefits of biometric controls. Generally, these would be most appropriate where highly sensitive data are accessed by a very limited number of users.

Inference Controls. The auditor should verify that database query controls exist to prevent unauthorized access via inference. The auditor can test controls by simulating access by a sample of users and attempting to retrieve unauthorized data via inference queries.

Encryption Controls. The auditor should verify that sensitive data, such as passwords, are properly encrypted. Printing the file contents to hard copy can do this.

Backup Controls

Data can be corrupted and destroyed by malicious acts from external hackers, disgruntled employees, disk failure, program errors, fires, floods, and earthquakes. To recover from such disasters, organizations must implement policies, procedures, and techniques that systematically and routinely provide backup copies of critical files.

Backup Controls in the Flat-File Environment

Sequential files (both tape and disk) use a backup technique called grandparent-parent-child (GPC). This backup technique is an integral part of the master file update process. Direct access files, by contrast, need a separate backup procedure. Both methods are outlined below.
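The access-control tests described above (the database authorization table, the check that DDL privileges stay with DBA personnel, and the appropriate access authority test) can be scripted. The following is an added example, not part of the original document; the users, views, job roles, action names and the ROLE_BASELINE policy table are constructed assumptions.

```python
"""Authority-table audit sketch (added example; all data below is constructed)."""
from dataclasses import dataclass

# User views (subschemas): the data elements each view exposes.
USER_VIEWS = {
    "ar_view": {"customer_id", "customer_name", "balance"},
    "payroll_view": {"employee_id", "pay_rate"},
}


@dataclass(frozen=True)
class AuthorityRow:
    """One row of the database authorization table."""
    user: str
    job_role: str
    view: str            # user view the privileges apply to
    actions: frozenset   # read / insert / modify / delete / ddl


# Several users share ar_view but hold different authority levels.
AUTHORITY_TABLE = [
    AuthorityRow("jones", "ar_clerk", "ar_view", frozenset({"read", "insert"})),
    AuthorityRow("smith", "ar_manager", "ar_view",
                 frozenset({"read", "insert", "modify", "delete"})),
    AuthorityRow("adams", "ar_clerk", "ar_view",
                 frozenset({"read", "insert", "delete"})),      # more than a clerk needs
    AuthorityRow("perez", "programmer", "payroll_view",
                 frozenset({"read", "ddl"})),                    # DDL outside the DBA group
    AuthorityRow("buell", "dba", "ar_view", frozenset({"ddl"})),
]

# Hypothetical baseline taken from policy and job descriptions:
# job role -> view -> actions that role legitimately needs.
ROLE_BASELINE = {
    "ar_clerk": {"ar_view": {"read", "insert"}},
    "ar_manager": {"ar_view": {"read", "insert", "modify", "delete"}},
    "programmer": {},
    "dba": {"ar_view": {"ddl"}, "payroll_view": {"ddl"}},
}


def is_authorized(user, action, elements, table=AUTHORITY_TABLE, views=USER_VIEWS):
    """Allow a request only if one authority row for the user covers both the
    requested data elements (through its user view) and the requested action."""
    requested = set(elements)
    for row in table:
        if row.user != user:
            continue
        if requested <= views.get(row.view, set()) and action in row.actions:
            return True
    return False  # default deny: no matching view or privilege


def audit_authority_table(table=AUTHORITY_TABLE, baseline=ROLE_BASELINE,
                          views=USER_VIEWS):
    """Return findings as (user, view, finding, actions) tuples."""
    findings = []
    for row in table:
        if row.view not in views:
            findings.append((row.user, row.view, "unknown_view", ()))
            continue
        allowed = baseline.get(row.job_role, {}).get(row.view, set())
        excess = row.actions - allowed
        # DDL privileges should be held by DBA personnel only.
        if "ddl" in row.actions and row.job_role != "dba":
            findings.append((row.user, row.view, "ddl_outside_dba", ("ddl",)))
            excess = excess - {"ddl"}
        if excess:
            findings.append((row.user, row.view, "exceeds_job_role",
                             tuple(sorted(excess))))
    return findings


if __name__ == "__main__":
    for finding in audit_authority_table():
        print(finding)
```

Each finding is a candidate exception for the auditor to follow up against the user's job description; an empty list means the sampled rows match the baseline.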
GPC Backup Technique. This backup procedure begins when the current master file (the parent) is processed against the transaction file to produce a new updated master file (the child). With the next batch of transactions, the child becomes the current master file (the parent), and the original parent becomes the backup (grandparent) file. The new master file that emerges from the update process is the child. This procedure is continued with each new batch of transactions, creating generations of backup files. When the desired number of backup copies is reached, the oldest backup file is erased (scratched). If the current master file is destroyed or corrupted, processing the most current backup file against the corresponding transaction file can reproduce it.

This is a backup strategy used to create and manage backup copies of a database or other critical data. It involves creating multiple generations or versions of backups to ensure data availability and recovery in case of data loss or system failures.

Direct Access File Backup. Data values in direct access files are changed in place through a process called destructive replacement. Therefore, once a data value is changed, the original value is destroyed, leaving only one version (the current version) of the file.

This is a backup strategy that involves creating a complete copy or image of a database or file system at a specific point in time. It is a form of backup that captures the entire data structure, including files, folders, and system settings.

If the current version of the master file is destroyed through a disk failure or corrupted by a program error, it can be reconstructed with a special recovery program from the most current backup file.

Off-Site Storage. As an added safeguard, backup files created under both the GPC and direct access approaches should be stored off-site in a secure location.

Audit Objective Relating to Flat-File Backup
• Verify that backup controls in place are effective in protecting data files from physical damage, loss, accidental erasure, and data corruption through system failures and program errors.

Audit Procedures for Testing Flat-File Backup Controls
• Sequential File (GPC) Backup. The auditor should select a sample of systems and determine from the system documentation that the number of GPC backup files specified for each system is adequate. If insufficient backup versions exist, recovery from some types of failures may be impossible.
• Backup Transaction Files. The auditor should verify through physical observation that transaction files used to reconstruct the master files are also retained. Without corresponding transaction files, reconstruction is impossible.
• Direct Access File Backup. The auditor should select a sample of applications and identify the direct access files being updated in each system. From system documentation and through observation, the auditor can verify that each of them was copied to tape or disk before being updated.
• Off-Site Storage. The auditor should verify the existence and adequacy of off-site storage. This audit procedure may be performed as part of the review of the disaster recovery plan or computer center operations controls.

Backup Controls in the Database Environment
Since data sharing is a fundamental objective of the database approach, this environment is particularly vulnerable to damage from individual users. One unauthorized procedure, one malicious act, or one program error can deprive an entire user community of its information resource. Also, because of data centralization, even minor disasters such as a disk failure can affect many or all users. When such events occur, the organization needs to reconstruct the database to pre-failure status. This can be done only if the database was properly backed up in the first place.

Backup. The backup feature makes a periodic backup of the entire database. This is an automatic procedure that should be performed at least once a day. The backup copy should then be stored in a secure remote area.

Transaction Log (Journal). The transaction log feature provides an audit trail of all processed transactions. It lists transactions in a transaction log file and records the resulting changes to the database in a separate database change log.

Checkpoint Feature. The checkpoint facility suspends all data processing while the system reconciles the transaction log and the database change log against the database. At this point, the system is in a quiet state. Checkpoints occur automatically several times an hour. If a failure occurs, it is usually possible to restart the processing from the last checkpoint. Thus, only a few minutes of transaction processing must be repeated.

Recovery Module. The recovery module uses the logs and backup files to restart the system after a failure.

Audit Objective Relating to Database Backup
• Verify that controls over the data resource are sufficient to preserve the integrity and physical security of the database.

Audit Procedures for Testing Database Backup Controls
• The auditor should verify that backup is performed routinely and frequently to facilitate the recovery of lost, destroyed, or corrupted data without excessive reprocessing. Production databases should be copied at regular intervals (perhaps several times an hour). Backup policy should strike a balance between the inconvenience of frequent backup activities and the business disruption caused by excessive reprocessing that is needed to restore the database after a failure.
• The auditor should verify that automatic backup procedures are in place and functioning, and that copies of the database are stored off-site for further security.
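
An added example (not from the original document) of the restart described under Checkpoint Feature and Recovery Module: it restores the backup copy, reapplies logged changes up to the last checkpoint, and lists the transactions that must be repeated. The log layout, the function name `recover_database` and the sample values are assumptions made for illustration.

```python
"""Checkpoint restart from a backup and a change log; data is constructed."""

# Assumed log layout (not from the source document), oldest entry first:
#   ("CHANGE", txn_id, key, new_value)  a logged database change
#   ("CHECKPOINT",)                     logs reconciled against the database
SAMPLE_BACKUP = {"A100": 500, "B200": 120}
SAMPLE_LOG = [
    ("CHANGE", "T1", "A100", 450),
    ("CHANGE", "T2", "B200", 150),
    ("CHECKPOINT",),
    ("CHANGE", "T3", "A100", 475),
    ("CHECKPOINT",),
    ("CHANGE", "T4", "C300", 10),
    ("CHANGE", "T4", "A100", 465),
]


def recover_database(backup, log):
    """Return (database as of the last checkpoint, transactions to repeat)."""
    last_cp = max(
        (i for i, entry in enumerate(log) if entry[0] == "CHECKPOINT"),
        default=-1,
    )
    database = dict(backup)  # start from the periodic full backup
    for entry in log[: last_cp + 1]:
        if entry[0] == "CHANGE":
            _, _, key, value = entry
            database[key] = value
    # In this model, work logged after the last checkpoint is not applied;
    # those transactions are reported so they can be reprocessed.
    to_repeat = []
    for entry in log[last_cp + 1:]:
        if entry[0] == "CHANGE" and entry[1] not in to_repeat:
            to_repeat.append(entry[1])
    return database, to_repeat


if __name__ == "__main__":
    print(recover_database(SAMPLE_BACKUP, SAMPLE_LOG))
```

With no checkpoint in the log, the function falls back to the backup alone and every logged transaction has to be repeated, which is the cost the checkpoint facility is meant to bound.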
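
An added example (not from the original document) of the GPC rotation and the two sequential-file audit checks from the flat-file section: each update keeps the parent and its transaction file as a backup generation, scratches the oldest one, and rebuilds a destroyed master from the most current backup. The class `GPCStore`, its methods and the sample records are hypothetical.

```python
"""GPC rotation for a sequential master file; sample data is constructed."""
from collections import deque


def apply_batch(master, batch):
    """Process a master file against a transaction file, giving the child."""
    child = dict(master)
    for account, amount in batch:
        child[account] = child.get(account, 0) + amount
    return child


class GPCStore:  # hypothetical name, not from the source document
    def __init__(self, master, generations=2):
        self.current = dict(master)
        self.generations = generations  # backup versions to keep
        # (backup master, its transaction file) pairs, newest last
        self.backups = deque()

    def update(self, batch):
        """Parent + transactions -> child; the parent becomes a backup."""
        self.backups.append((self.current, list(batch)))
        self.current = apply_batch(self.current, batch)
        while len(self.backups) > self.generations:
            self.backups.popleft()  # scratch the oldest generation

    def recover(self):
        """Rebuild the current master from the most current backup."""
        if not self.backups:
            raise RuntimeError("no backup generation retained")
        parent, batch = self.backups[-1]
        if batch is None:
            raise RuntimeError("transaction file missing, cannot rebuild")
        return apply_batch(parent, batch)

    def audit(self, required_generations):
        """Findings for the generation-count and transaction-file checks."""
        findings = []
        if len(self.backups) < required_generations:
            findings.append("insufficient backup generations")
        if any(batch is None for _, batch in self.backups):
            findings.append("transaction file not retained")
        return findings

if __name__ == "__main__":
    store = GPCStore({"A100": 500, "B200": 120})  # constructed records
    for txns in ([("A100", -50)], [("B200", 30)], [("C300", 10)]):
        store.update(txns)
    print(store.recover() == store.current, store.audit(2))
```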
