IT CONTROLS FOR DATA AND DATABASES (STUDY OBJECTIVE 10)

A company's database is a critically important component of the organization. The data are a valuable resource that must be protected with good internal controls. Chapter 4 described many of the IT internal controls that should be used to protect the security and integrity of the database. A brief summary of some of the IT controls is offered here. Three of the major control concerns related to databases are unauthorized access, adequate backup of the data, and data integrity.

IT general controls assist in preventing unauthorized access and in ensuring adequate backup. To help prevent unauthorized users from accessing, altering, or destroying data in the database, it is important to use authentication and hacking controls such as log-in procedures, passwords, security tokens, biometric controls, firewalls, encryption, intrusion detection, and vulnerability assessment. In addition to these control procedures, the database management system (DBMS) must be set up so that each authorized user has a limited view (schema) of the database. That is, an employee who logs in as an accounts receivable processor should not have access to payroll data. Each user's schema of the data limits the user's view to only a subset of the data. Controls such as these are intended to keep unauthorized users from accessing or using data in the database. Business continuity planning, data backup procedures, and disaster recovery planning can help ensure adequate backup of databases.
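The limited user view described above can be expressed as DBMS roles, grants, and a view. The following is an added example, not taken from the text; it assumes PostgreSQL syntax, and every schema, table, view, and role name in it is hypothetical.

```sql
-- Constructed example (PostgreSQL syntax); all object and role names are hypothetical.
CREATE SCHEMA finance;

CREATE TABLE finance.customers (
    customer_id  integer PRIMARY KEY,
    name         text NOT NULL,
    tax_id       text NOT NULL            -- sensitive: not needed for AR processing
);

CREATE TABLE finance.customer_invoices (
    invoice_id   integer PRIMARY KEY,
    customer_id  integer NOT NULL REFERENCES finance.customers,
    amount_due   numeric(12,2) NOT NULL CHECK (amount_due >= 0),
    due_date     date NOT NULL
);

CREATE TABLE finance.payroll (
    employee_id  integer PRIMARY KEY,
    gross_pay    numeric(12,2) NOT NULL,
    bank_account text NOT NULL
);

-- Group roles carry the privileges; individual login accounts are made members.
CREATE ROLE ar_processor  NOLOGIN;
CREATE ROLE payroll_clerk NOLOGIN;

-- Start from no access, then grant only what each job function needs.
REVOKE ALL ON SCHEMA finance FROM PUBLIC;
REVOKE ALL ON ALL TABLES IN SCHEMA finance FROM PUBLIC;
GRANT USAGE ON SCHEMA finance TO ar_processor, payroll_clerk;

-- The AR user view: customer rows without the tax_id column.
CREATE VIEW finance.ar_customers AS
    SELECT customer_id, name
    FROM finance.customers;

GRANT SELECT ON finance.ar_customers TO ar_processor;
GRANT SELECT, INSERT, UPDATE ON finance.customer_invoices TO ar_processor;

-- Payroll data is granted to the payroll role only; ar_processor gets nothing here.
GRANT SELECT, INSERT, UPDATE ON finance.payroll TO payroll_clerk;

-- Access review: report, per role, whether it can read the payroll table
-- and whether it can read the underlying customers table (tax_id included).
SELECT r.rolname,
       has_table_privilege(r.rolname, 'finance.payroll',   'SELECT') AS reads_payroll,
       has_table_privilege(r.rolname, 'finance.customers', 'SELECT') AS reads_tax_id
FROM pg_roles r
WHERE r.rolname IN ('ar_processor', 'payroll_clerk');
```

Running the final query periodically and comparing its output with the approved access matrix gives a repeatable check that each role's view of the data still matches its job function.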

To ensure integrity (completeness and accuracy) of data in the database, IT application controls should be used. These controls are input, processing, and output controls such as data validation, control totals and reconciliation, and reports that are analyzed by managers.
