Page 102 - CITP Review

The database risk is the reason a database administrator (DBA) has such a high inherent risk. The inherent risk (IR) associated with a DBA is the reason there should be strict and broad mitigating controls, such as proper SoD for the DBA — for example, no access to keying data, running applications, implementing applications, or developing systems.

One reason for the need for extra care and controls with the DBA is the fact that the DBA might be able to circumvent strong network and application controls.

An entity might have strong network controls regarding login credentials, strong SoD, and strong restricted access, as well as separate and strong application controls to restrict access to applications and data; all these controls represent rather strong access controls to protect data. It is possible, however, that DBAs can use their access to bypass the network and application controls and directly access data files and change, falsify, or steal data, all despite strong network and application controls.
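The bypass described above, as an added illustration that is not part of the CITP text: a small Python check over constructed database audit records that flags reads or writes of financial tables which did not arrive through the approved application client, or which came from a DBA account contrary to SoD. The table names, account names, client program names and record layout are assumptions made for the example.

```python
# Added example (not from the CITP text): flag "back door" access to financial
# tables that bypasses the application "front door".  Assumption: the database
# audit trail is available as records carrying the principal, the client program
# that issued the statement, the statement type and the tables referenced.
# All names and sample records below are constructed.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

FINANCIAL_TABLES = {"gl_journal", "ap_invoice", "payroll"}  # in scope for financial reporting
APPROVED_APP_CLIENT = "erp_app"                              # the application front door
DBA_PRINCIPALS = {"dba_smith"}                               # privileged accounts under SoD

@dataclass(frozen=True)
class AuditRecord:
    principal: str
    client: str                 # program that issued the statement
    statement: str              # SELECT / INSERT / UPDATE / DELETE
    tables: FrozenSet[str]      # tables referenced by the statement

def classify(rec: AuditRecord) -> Optional[str]:
    """Return a finding label for access to financial data that did not go through
    the approved application, or None when the access used the front door."""
    if not rec.tables & FINANCIAL_TABLES:
        return None                                  # not financial data; out of scope
    # SoD: a DBA account should not be operating the application either, so a DBA
    # principal is flagged even when the client program is the approved one.
    if rec.client == APPROVED_APP_CLIENT and rec.principal not in DBA_PRINCIPALS:
        return None                                  # normal front-door access
    if rec.statement in {"INSERT", "UPDATE", "DELETE"}:
        return "direct-write"                        # data could be changed or falsified
    return "direct-read"                             # data could be copied or stolen

def review(records: List[AuditRecord]) -> List[Tuple[str, str, str]]:
    """List (principal, client, finding) for every record that bypassed the front door."""
    return [(r.principal, r.client, label) for r in records if (label := classify(r))]

SAMPLE_LOG = [  # constructed sample audit records
    AuditRecord("app_svc", "erp_app", "UPDATE", frozenset({"gl_journal"})),
    AuditRecord("dba_smith", "sqlplus", "SELECT", frozenset({"payroll"})),
    AuditRecord("dba_smith", "sqlplus", "UPDATE", frozenset({"ap_invoice"})),
    AuditRecord("dba_smith", "sqlplus", "SELECT", frozenset({"sys_stats"})),
    AuditRecord("analyst1", "excel_odbc", "SELECT", frozenset({"gl_journal"})),
]

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```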

One way to view the importance of data is to think through the idea of IT risks and what they include related to an object like financial reporting. In fact, it could be argued that financial statement data is the hub of all IT risks associated with financial statement audits. From the perspective of the external CITP, it is all about the data.

The data is generally under the control of applications. That is, data is accessed, changed, and reported from applications (see exhibit 3-4).[14] Put another way, generally access to data is obtained via the application that houses the data (known as the “front door”). Access to applications allows a user access to the data it houses. This is the reason it is so important to identify the key relevant systems for accounting applications and financial statement reporting systems to assess this type of IT risk.

[14] It is possible for unauthorized IT experts to gain access to raw data or files and make changes, steal data, corrupt data, or otherwise carry out malicious activities. Although this scenario is possible, generally access to data is restricted to the application within which it is housed.


© 2019 Association of International Certified Professional Accountants. All rights reserved. 3-18