IT Auditing & Assurance, 2e, Hall & Singleton
Chapter 8: CAATTs for Data Extraction and Analysis
DATA STRUCTURES
Organization
Access method
[Diagram labels: Data Organization; Access: Index Methods; Access: Non-Index Methods; Sequential; ISAM; Random; Index File; Data File; Hashing; Pointers]
FILE PROCESSING OPERATIONS
1. Retrieve a record by key
2. Insert a record
3. Update a record
4. Read a file
5. Find next record
6. Scan a file
7. Delete a record
Individual Records
Table 8-1
DATA STRUCTURES
Flat file structures
• Sequential structure [Figure 8-1]
  • All records in contiguous storage spaces in specified sequence (key field)
  • Sequential files are simple & easy to process
  • Application reads from beginning in sequence
  • If only small portion of file being processed, inefficient method
  • Does not permit accessing a record directly
  • Efficient: 4, 5 – sometimes 3
  • Inefficient: 1, 2, 6, 7 – usually 3
DATA STRUCTURES
Flat file structures
• Indexed structure
  • In addition to data file, separate index file
  • Contains physical address in data file of each indexed record
DATA STRUCTURES
Flat file structures
• Indexed random file
  • Records are created without regard to physical proximity to other related records
  • Physical organization of index file itself may be sequential or random
  • Random indexes are easier to maintain, sequential more difficult
  • Advantage over sequential: rapid searches
  • Other advantages: processing individual records, efficient usage of disk storage
DATA STRUCTURES
Flat file structures
• Indexed Sequential Access Method (ISAM)
  • Large files, routine batch processing
  • Moderate degree of individual record processing
  • Used for files across cylinders
  • Uses number of indexes, with summarized content
  • Access time for single record is slower than Indexed Sequential or Indexed Random
  • Disadvantage: does not perform record insertions efficiently – requires physical relocation of all records beyond that point – SOS
  • Has 3 physical components: indexes, prime data storage area, overflow area [Figure 8-4]
  • Might have to search index, prime data area, and overflow area – slowing down access time
  • Integrating overflow records into prime data area, then reconstructing indexes reorganizes ISAM files
EVOLUTION OF ORG./ACCESS METHODS
[Timeline figure: axis 1960, 1970, 1980, 1990; labels: Legacy systems, DBMS etc.]
Inefficient
Access entire files
Efficient
Access single records
POINTER STRUCTURE
• Stores the address (pointer) of related record in a field with each data record [Figure 8-6]
• Records stored randomly
• Pointers provide connections b/w records
• Pointers may also provide links of records b/w files [Figure 8-7]
• Types of pointers [Figure 8-8]:
  • Physical address – actual disk storage location
    • Advantage: Access speed
    • Disadvantage: if related record moves, pointer must be changed & w/o logical reference, a pointer could be lost causing referenced record to be lost
  • Relative address – relative position in the file (135th)
    • Must be manipulated to convert to physical address
  • Logical address – primary key of related record
    • Key value is converted by hashing to physical address
DATABASE STRUCTURES
• Hierarchical & network structures
  • Uses explicit linkages b/w records to establish relationship
• Relational structure
  • Uses implicit linkages b/w records to establish relationship: foreign keys / primary keys
Relational Records: “Foreign Keys” in one record establish relationships to related records in other files.
[Figure labels: INVOICES, CUSTOMERS, INVENTORY]
DATABASE STRUCTURES
Relational structure
• User views
  • Data a particular user needs to achieve his/her assigned tasks
  • A single view, or view without user input, leads to problems in meeting the diverse needs of the enterprise
  • Trend today: capture data in sufficient detail and diversity to sustain multiple user views
  • User views MUST be consolidated into a single “logical view” or schema
  • Data in the logical view MUST be normalized
DATABASE STRUCTURES
Relational structure
• Importance of data normalization
  • Critical to success of DBMS
  • Effective design in grouping data
  • Several levels: 1NF, 2NF, 3NF, etc.
  • Un-normalized data suffers from:
    • Insertion anomalies
    • Deletion anomalies
    • Update anomalies
  • One or more of these anomalies will exist in tables < 3NF
DATABASE STRUCTURES
Relational structure
• Auditors and data normalization
  • Database normalization is a technical matter that is usually the responsibility of systems professionals.
  • The subject has implications for internal control that make it the concern of auditors also.
  • Most auditors will never be responsible for normalizing an organization’s databases; they should have an understanding of the process and be able to determine whether a table is properly normalized.
  • In order to extract data from tables to perform audit procedures, the auditor first needs to know how the data are structured.
EMBEDDED AUDIT MODULE
• Identify important transactions live while they are being processed and extract them
• Examples
  • Errors
  • Fraud
  • Compliance
    • SAS 78, SAS 94, SAS 99 / S-OX
EMBEDDED AUDIT MODULE
• Disadvantages:
  • Operational efficiency – can decrease performance, especially if testing is extensive
  • Verifying EAM integrity - such as environments with a high level of program maintenance
• Status: increasing need, demand, and usage of COA/EAM/CA
GENERALIZED AUDIT SOFTWARE
• Brief history
• Most widely used CAATT
• Usages include:
  1) Footing and balancing entire files or selected data items (e.g., extending inventory)
  2) Selecting and reporting detail data
  3) Selecting stratified statistical samples from data files
  4) Formatting results into audit reports (auto work papers!)
  5) Printing confirmations
  6) Screening / filtering data
  7) Comparing multiple files for differences
  8) Recalculating values in data
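Three of the usages listed above (1 footing and extending inventory, 7 comparing files, 8 recalculating values), as an added example that is not from the Hall & Singleton slides or from any GAS product. The record layout, field names and sample values are constructed for illustration.

```python
from decimal import Decimal

# Constructed sample data: current inventory extract and the prior-period file.
CURRENT = [
    {"item": "A100", "qty": 10, "unit_cost": "2.50", "ext_value": "25.00"},
    {"item": "B200", "qty": 4, "unit_cost": "19.99", "ext_value": "79.96"},
    # Stored extension is wrong here (7 x 3.10 = 21.70), e.g. a transposition.
    {"item": "C300", "qty": 7, "unit_cost": "3.10", "ext_value": "27.10"},
]
PRIOR = [
    {"item": "A100", "qty": 10, "unit_cost": "2.50", "ext_value": "25.00"},
    {"item": "B200", "qty": 4, "unit_cost": "18.99", "ext_value": "75.96"},
    {"item": "D400", "qty": 1, "unit_cost": "5.00", "ext_value": "5.00"},
]


def foot(records, field):
    """Usage 1: foot (total) one field across the entire file."""
    return sum((Decimal(r[field]) for r in records), Decimal("0"))


def recalc_exceptions(records):
    """Usages 1 and 8: extend qty x unit cost and list stored values that differ.

    Decimal avoids the rounding noise binary floats add to currency amounts.
    """
    exceptions = []
    for r in records:
        expected = r["qty"] * Decimal(r["unit_cost"])
        stored = Decimal(r["ext_value"])
        if expected != stored:
            exceptions.append((r["item"], stored, expected))
    return exceptions


def compare_files(old, new, key="item"):
    """Usage 7: keys added, removed and changed between two files."""
    o = {r[key]: r for r in old}
    n = {r[key]: r for r in new}
    added = sorted(n.keys() - o.keys())
    removed = sorted(o.keys() - n.keys())
    changed = sorted(k for k in o.keys() & n.keys() if o[k] != n[k])
    return added, removed, changed


if __name__ == "__main__":
    print("Footed ext_value:", foot(CURRENT, "ext_value"))
    print("Recalculation exceptions:", recalc_exceptions(CURRENT))
    print("Added/removed/changed:", compare_files(PRIOR, CURRENT))
```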
GENERALIZED AUDIT SOFTWARE
• Popular because:
  1. GAS software is easy to use and requires little computer background
  2. Many products are platform independent, work on mainframes and PCs
  3. Auditors can perform tests independently of IT staff
  4. GAS can be used to audit the data currently being stored in most file structures and formats
GENERALIZED AUDIT SOFTWARE
• Simple structures [Figure 8-19]
• Complex structures [Figures 8-20, 8-21]
• Auditing issues:
  • Auditor must sometimes rely on IT personnel to produce files/data
  • Risk that data integrity is compromised by extraction procedures
  • Auditors skilled in programming better prepared to avoid these pitfalls
ACL
• ACL is a proprietary version of GAS
• Leader in the industry
• Designed as an auditor-friendly meta-language (i.e., contains commonly used auditor tests)
• Access to data generally easy with ODBC interface