Paps 1003
1003
IT ENVIRONMENTS - DATABASE SYSTEMS
(Issued December 2003)
The purpose of Practice Notes issued by the Hong Kong Institute of Certified Public Accountants is to
assist auditors in applying Statements of Auditing Standards (SASs) and Standards on Assurance
Engagements (SAEs) of general application to particular circumstances and industries.
They are persuasive rather than prescriptive. However, they are indicative of good practice and have
similar status to the explanatory material in SASs and SAEs, even though they may be developed without
the full process of consultation and exposure used for SASs and SAEs. Auditors should be prepared to
explain departures when called upon to do so.
Introduction
1. This Practice Note (PN) describes the effects of a database system on the accounting system and
related internal controls and on audit procedures.
2. A database is a collection of data that is shared and used by many different users for different
purposes. Each user may not necessarily be aware of all the data stored in the database, or of the
ways that the data may be used for multiple purposes. Generally, individual users are aware only of
the data that they use and may view the data as computer files utilized by their applications.
3. When an entity uses a database system, the technology is likely to be complex and may be linked
with the entity's strategic business plans. The audit team may require special IT skills to make
appropriate inquiries and to understand the implications of the responses obtained [1]. The auditor
may need to consider using the work of an expert (see SAS 520 "Using the work of an expert").
_________________________
[1] See IEG 11 "Information Technology In The Accounting Curriculum" issued by the Education Committee
of IFAC, which defines the broad content areas and specific knowledge and skills required by all professional
accountants in connection with IT applied in a business context.
Database Systems
4. Database systems consist principally of two components: the database and the database
management system (DBMS). Database systems interact with other hardware and software aspects
of the overall computer system.
5. The software that creates, maintains and operates the database is referred to as DBMS software.
Together with the operating system, the DBMS facilitates the physical storage of the data,
maintains the interrelationships between the data, and makes the data available to application
programs. It also provides controlled access methods to establish basic security measures over the
data. Usually, the DBMS software is supplied by a commercial vendor but will need to be adapted
to the entity's needs.
6. The guidance in this PN applies to database systems used in multiple user environments. Although
database systems may reside on any type of computer system, including PCs, this PN does not
relate to PC environments with only a single user.
Data Sharing
8. A database is composed of data set up with defined relationships and organized to permit many
users to use the data in different application programs. Individual applications share the data in the
database for different purposes. For example, an inventory item unit cost maintained by the
database may be used by one application program to produce a cost of sales report and by another
program to prepare an inventory valuation.
Data Dictionary
11. A significant implication of data sharing and data independence is the potential for the recording of
data only once for use in several applications. Because various application programs need to access
these data, a software facility is required to keep track of the location of the data in the database.
This software within the DBMS is known as a data dictionary. It also serves as a tool to maintain
standardized documentation and definitions of the database environment and application systems.
A data dictionary provides functions such as:
a. a facility to create or modify data definitions;
b. validation of the data definitions provided to ensure their integrity;
c. prevention of unauthorized access or manipulations of the data definitions; and
d. interrogation and reporting facilities that allow the database administrator to make inquiries
on the data definitions.
12. Databases may be structured as flat file databases, or as relational databases. In a flat file database,
all the data concerning one record are stored as part of that record. With a relational database, data
are stored as a series of tables, with links between the tables as necessary. Relational databases
minimize the duplication of stored data, as data shared by more than one record need to be stored
only once. The data themselves may comprise objects for use with object-oriented applications.
This can lead to complicated data structures.
Data Administration
15. The data administration function manages data as an organizational resource and includes
responsibilities for:
a. the development and implementation of a data resource management strategic plan and
policies, which support the entity's business plans by achieving cost-effective use of the
organization's data;
b. the creation and maintenance of a corporate data model or architecture (sometimes referred
to as an enterprise data model);
c. the coordination and integration of system data models;
d. obtaining agreement among users about definitions and format of data;
e. resolving conflicts about incompatible representation and data;
f. establishing a corporate-wide data dictionary and managing the organization's naming and
definition standards;
g. establishing data standards and procedures for:
i. data naming;
ii. data usage;
iii. data security;
iv. data definition compilation; and
v. data modeling; and
h. providing training and consulting to users and the data information technology team
members (system developers and database administrators) concerning all aspects of data
resource management.
Database Administration
16. Coordination is usually the responsibility of a group of individuals who are typically referred to as
"database administration." The individual who heads this function may be referred to as the
"database administrator." Generally, the database administration function takes responsibility for
the definition, structure, security, operational control and efficiency of databases, including the
definition of the rules for accessing and storing data.
17. Database administration tasks may also be performed by individuals who are not part of a
centralized database administration group. When the tasks of database administration are
distributed among existing organizational units rather than being centralized, the different tasks
still need to be coordinated.
18. Database administration tasks typically include:
a. defining the database structure and the description of the data model. Determining how data
are defined, stored and accessed by users of the database to ensure that all their
requirements are met on a timely basis;
b. maintaining data integrity, security and completeness. Developing, implementing and
enforcing the rules for data integrity, completeness and access. Responsibilities include:
i. defining who is responsible for monitoring the appropriate origin of data and how
such monitoring is performed;
ii. defining who may access data and how the access is accomplished (for example,
through passwords and authorization tables);
iii. preventing the inclusion of incomplete or invalid data;
iv. detecting the absence of data;
v. securing the database from unauthorized access and destruction;
vi. monitoring and follow-up of security incidents and regular backing-up of data; and
vii. arranging total recovery in the event of a loss. In such a circumstance, the backup
protocol covering the data tables is likely to be complex;
c. coordinating computer operations related to the database. Assigning responsibility for
physical computer resources and monitoring their use relative to the operation of the
database;
d. monitoring system performance. Developing performance measures to monitor the integrity
of the data, the ability of the database to respond to the needs of users and the frequency of
data changes and access; and
e. providing administrative support. Coordinating and liaising with the vendor of the DBMS,
assessing new releases issued by the vendor of the DBMS and the extent of their effect on
the entity, installing new releases and ensuring that appropriate internal education is
provided.
19. Some applications may use more than one database. In these circumstances, the tasks of the
database administration group will include the need to ensure:
a. adequate linkage between databases;
b. coordination of functions; and
c. consistency between data in different databases.
Segregation of Duties
26. The responsibilities for performing the various activities required to design, implement and operate
a database are divided among technical, design, administrative and user personnel. Their duties
include system design, database design, administration and operation. Maintaining adequate
segregation of these duties is necessary to ensure the completeness, integrity and accuracy of the
database. For example, individuals responsible for modifying personnel database programs should
not be the same ones who are authorized to change individual pay rates in the database.
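
The segregation-of-duties example in paragraph 26 can be tested directly against an authorization table of the kind mentioned in paragraph 18(b)(ii). The following is an added illustration, not part of the Practice Note; the table layout, user names, role names and privilege names are constructed assumptions.

```python
import sqlite3

# Constructed sample data: a role-based authorization table for a payroll database.
SCHEMA = """
CREATE TABLE user_roles (user_id TEXT, role TEXT);
CREATE TABLE role_privs (role TEXT, privilege TEXT);
CREATE TABLE sod_rules  (priv_a TEXT, priv_b TEXT, reason TEXT);
"""
USER_ROLES = [("alice", "payroll_developer"), ("bob", "hr_clerk"),
              ("carol", "payroll_developer"), ("carol", "hr_supervisor"),
              ("dave", "dba")]
ROLE_PRIVS = [("payroll_developer", "MODIFY_PAYROLL_PROGRAMS"),
              ("hr_clerk", "VIEW_PAY_RATES"),
              ("hr_supervisor", "UPDATE_PAY_RATES"),
              ("hr_supervisor", "VIEW_PAY_RATES"),
              ("dba", "MODIFY_PAYROLL_PROGRAMS"),
              ("dba", "UPDATE_PAY_RATES")]
# Pairs of privileges that one individual should not hold together (paragraph 26).
SOD_RULES = [("MODIFY_PAYROLL_PROGRAMS", "UPDATE_PAY_RATES",
              "program maintenance vs. pay-rate changes")]

# A user conflicts when their roles, alone or combined, grant both sides of a rule.
CONFLICT_QUERY = """
SELECT ua.user_id, ra.role, rb.role, r.reason
FROM sod_rules r
JOIN role_privs ra ON ra.privilege = r.priv_a
JOIN role_privs rb ON rb.privilege = r.priv_b
JOIN user_roles ua ON ua.role = ra.role
JOIN user_roles ub ON ub.role = rb.role AND ub.user_id = ua.user_id
ORDER BY ua.user_id
"""

def build_db():
    """Load the constructed sample tables into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO user_roles VALUES (?, ?)", USER_ROLES)
    conn.executemany("INSERT INTO role_privs VALUES (?, ?)", ROLE_PRIVS)
    conn.executemany("INSERT INTO sod_rules VALUES (?, ?, ?)", SOD_RULES)
    return conn

def find_sod_conflicts(conn):
    """Return (user, role granting priv_a, role granting priv_b, reason) rows."""
    return conn.execute(CONFLICT_QUERY).fetchall()

if __name__ == "__main__":
    for user, role_a, role_b, reason in find_sod_conflicts(build_db()):
        print(f"{user}: {role_a} + {role_b} -> conflict ({reason})")
```

The query reports both a conflict that arises from combining two roles and one that is built into a single over-privileged role, which are the two cases a review of access rights needs to distinguish.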