Page 20 - CITP Review
some do not. The most effective access control over data is to have application access controls and to
apply sound access control principles in managing them; this is often referred to as front door access.
Those principles would include restricted access for each user (based on job description, for example),
as well as formal processes and procedures for adding, changing, and deleting employee access;
employees who have no responsibilities for a certain application should not have access.
Access to data through the O/S
Another manner of access to the data is through administrative rights of the operating system (O/S). Every
O/S provides access controls that distinguish administrative rights from the restricted rights granted for
other access. Thus, the CITP would be concerned with the number of employees who have admin rights and
whether those individuals have roles and responsibilities commensurate with the access being granted.
Ideally, there should be a reasonably limited number of employees with admin rights; this is often referred
to as back door access.
The risk is that such a person could access the raw data files or databases, make unauthorized changes, and
thus cause problems with the information being generated. It is also possible that this person could
sabotage the data — delete it, for example, or steal it for some purpose. Each of these risks is usually
significant enough to require mitigation.
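As an added illustration of the checks described in this section and in the front door access discussion above (this is not code from the CITP Review text): an O/S administrator group export is reconciled against HR records to flag admin rights not commensurate with an employee's role, access retained after termination, and accounts with no HR record. All user ids, job titles and group listings are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample HR roster: user id -> (job title, employment status).
HR_ROSTER = {
    "jsmith": ("Systems Administrator", "active"),
    "mlee": ("Accounts Payable Clerk", "active"),
    "tnguyen": ("Database Administrator", "active"),
    "rpatel": ("Help Desk Analyst", "terminated"),
    "kwong": ("Controller", "active"),
}

# Constructed O/S group export (e.g. local group membership): group -> members.
OS_GROUPS = {
    "Administrators": ["jsmith", "mlee", "rpatel", "svc_backup"],
    "Users": ["tnguyen", "kwong"],
}

# Job titles whose responsibilities warrant O/S administrative rights (assumed).
ADMIN_AUTHORIZED_TITLES = {"Systems Administrator"}

@dataclass
class Finding:
    user: str
    issue: str

def audit_access(roster, groups, authorized_titles, admin_group="Administrators"):
    """Reconcile group memberships with HR records. Flags (1) accounts with no
    HR record, (2) access retained by non-active employees in any group, and
    (3) members of the admin group whose job title does not warrant admin rights."""
    findings = []
    for group, members in groups.items():
        for user in members:
            if user not in roster:
                findings.append(Finding(user, f"'{group}' member has no HR record"))
                continue
            title, status = roster[user]
            if status != "active":
                findings.append(Finding(user, f"'{group}' access retained, status '{status}'"))
            elif group == admin_group and title not in authorized_titles:
                findings.append(Finding(user, f"admin rights not commensurate with role '{title}'"))
    return findings

def admin_headcount(groups, admin_group="Administrators"):
    """Number of accounts holding admin rights (the CITP's back door concern)."""
    return len(groups.get(admin_group, []))

if __name__ == "__main__":
    print(f"{admin_headcount(OS_GROUPS)} accounts hold admin rights")
    for f in audit_access(HR_ROSTER, OS_GROUPS, ADMIN_AUTHORIZED_TITLES):
        print(f"  {f.user}: {f.issue}")
```

In practice the roster and group export would be pulled from the HR system and the O/S (or directory) rather than embedded; the reconciliation logic is the same.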
Access to data by the database administrator
A similar situation and risk exists for the database administrator (DBA). This person knows a lot of
information about the DBMS and data being housed, so much that this person or role represents a
significant inherent risk. The DBA not only knows how to access the data files, but also knows enough
about the data to do a tremendous amount of damage, if so inclined.
There are some tools that prevent the DBA from accessing the database directly; instead, the DBA manages
the DBMS with limited access to it, for example, access to the data definitions but not to the raw data
itself. Thus, the CITP would want some satisfaction that such a mitigating control is in place and
operating effectively in order to have adequate assurance about access to the data.
Application and financial system level
Controls at the application level are some of the most important controls in the IT environment. SoD
application controls were discussed previously, as was the axiom that the logical access controls closest
to the data are the more effective ones. But the application level is also the level at which most
automated controls operate, and automated application controls are one of the most important aspects
of controls for the CITP.
Evaluate and test application controls
If the ITGCs are reliable, and if the audit is going to rely on certain application controls, then testing of
application controls is critically important in a financial audit. For B&I objectives, application controls are
© 2019 Association of International Certified Professional Accountants. All rights reserved. 1-12