Audit Lessons


Check-Up Period - Overview of IT Audit

IT Governance

IT governance is an element of corporate governance, aimed at improving the overall
management of IT and deriving improved value from investment in information and
technology. For more on this topic, kindly click on the link.

IT governance definition
IT governance is an element of corporate governance, aimed at improving the overall
management of IT and deriving improved value from investment in information and
technology.

IT governance frameworks enable organisations to manage their IT risks effectively and
ensure that the activities associated with information and technology are aligned with their
overall business objectives.

Why is IT governance important?

IT governance enables an organisation to:

• Demonstrate measurable results against broader business strategies and goals.
• Meet relevant legal and regulatory obligations, such as those set out in the GDPR
  (General Data Protection Regulation) or the Companies Act 2006.
• Assure stakeholders they can have confidence in your organisation's IT services.
• Facilitate an increase in the return on IT investment; and
• Comply with certain corporate governance or public listing rules or requirements.

What is corporate governance?

Corporate governance is “a toolkit that enables management and the board to deal more
effectively with the challenges of running a company. Corporate governance ensures that
businesses have appropriate decision-making processes and controls in place so that the
interests of all stakeholders are balanced.” – ICSA, The Governance Institute.

A robust corporate governance framework can help you meet the requirements of laws and
regulations such as the DPA (Data Protection Act) 2018 and the GDPR.
For instance, the GDPR requires data controllers and processors to demonstrate their
compliance with its requirements through certain documentation, including relevant logs,
policies and procedures.

Harnessing the elements of IT governance will help you create and maintain appropriate
policies and procedures to help meet your data privacy requirements.

IT governance frameworks, models and standards

ISO 38500 – The international IT governance standard

ISO/IEC 38500:2015 is the international standard for corporate governance of IT.

It sets out principles, definitions and a high-level framework that organisations of all types
and sizes can use to better align their use of IT with organisational decisions and meet their
legal, regulatory and ethical obligations.

As well as ISO 38500, there are numerous widely recognised, vendor-neutral frameworks
that organisations can use to implement an IT governance programme.

Each has its own IT governance strengths – for instance, COBIT focuses more on process
management and ITIL on service management – but you might benefit from an integrated
approach, using parts of several frameworks to deliver the results you need.

ITIL – IT service management

Widely adopted around the world, ITIL is a framework for ITSM (IT service management). Its
latest iteration, ITIL 4, was launched in February 2019.

ITIL is supported by ISO/IEC 20000-1:2018 – the international standard for ITSM against
which organisations can achieve independent certification.

COBIT

COBIT (Control Objectives for Information and Related Technology) is an internationally
recognised IT governance control framework that helps organisations meet business
challenges in regulatory compliance, risk management and aligning IT strategy with
organisational goals.

COBIT 2019, the latest iteration of the framework, was released in November 2018. It builds
on COBIT 5, introducing new concepts and addressing the latest developments affecting
enterprise IT.

Calder-Moir IT Governance Framework

This framework provides structured guidance on how to approach IT governance. It can help
benchmark the balance and effectiveness of IT governance practices within an organisation.

The IT Governance Control Framework Implementation Toolkit provides practical assistance
and guidance for practitioners and board members tackling the subject.

The five domains of IT governance

The IT Governance Institute (a division of ISACA) breaks down IT governance into five
domains:

1. Value delivery
2. Strategic alignment
3. Performance management
4. Resource management
5. Risk management

IT governance auditing

As IT governance plays a crucial role in strategic performance, internal auditors are expected
to include it in their audit plans.

IIA IT Governance Model

The IIA has an IT governance model that incorporates elements of ISO/IEC 38500, and GTAG
17 is heavily based on the ISACA® COBIT® frameworks. While COBIT is not the only control
framework used in relation to IT governance, it is one of the most widely deployed,
particularly in public sector organisations and large enterprises.

GTAG 17 provides guidance on auditing IT governance under five main headings:

• Organization and Governance Structures
• Executive Leadership and Support
• Strategic and Operational Planning
• Service Delivery and Measurement
• IT Organization and Risk Management

IT Governance Audit Assurance

The types of assurances that stakeholders are looking for, in relation to the work of internal
auditors, include:

• Do the board and top management really understand their role in making IT
  governance effective?
• Is IT management competent, and is it really a part of the top management team?
• Is IT genuinely contributing to the achievement of the organisation’s strategic and
  tactical objectives?
• Is there a robust (planned and tested) IT risk management framework in place,
  specifically including IT projects, DPA compliance, cyber security and ICT continuity?
• Is IT able to identify and prioritise key technology changes that will enhance
  organisational performance?
• Are IT metrics really measuring IT performance in terms of delivering value, resource
  optimisation and risk reduction?

For more on this topic, kindly click on the video below

https://youtu.be/5U5f17vO1Y0

Comparing COBIT 4.1 to COBIT 5

Here is a comparison between COBIT 4.1 and COBIT 5. Click on the link to learn more

https://youtu.be/_W8DuJNi-2M

The work of an IT auditor

An IT auditor is responsible for analyzing and assessing an organization's technological
infrastructure to find problems with efficiency, risk management and compliance. For more
information on this lesson, kindly click on the link.

What is an IT auditor? A vital role for risk assessment

What is an IT auditor?

An IT auditor is responsible for analyzing and assessing a company’s technological
infrastructure to ensure processes and systems run accurately and efficiently, while
remaining secure and meeting compliance regulations. An IT auditor also identifies any IT
issues that fall under the audit, specifically those related to security and risk management. If
issues are identified, IT auditors are responsible for communicating their findings to others
in the organization and offering solutions to improve or change processes and systems to
ensure security and compliance.

The IT auditor role

The role of an IT auditor involves developing, implementing, testing and evaluating audit
review procedures. You’ll be responsible for conducting IT and IT-related audit projects
using the established IT auditing standard in your organization. The audit process can
extend to networks, software, programs, communication systems, security systems and any
other services that rely on the company’s technological infrastructure.

It’s an essential role for organizations that rely on technology given that one small technical
error or misstep can ripple down and impact the entire company. IT audits are important for
evaluating internal control and processes in an effort to keep the organization and its data
secure from external or internal threats.

IT audit responsibilities

As an IT auditor you will be responsible for running several audits of an organization’s
technologies and processes. IT audits are also referred to as automated data processing
(ADP) audits and computer audits. In the past, IT audits have also been labeled as electronic
data processing (EDP) audits. Companies may also run an information security (IS) audit to
evaluate the organization’s security processes and risk management. The IT audit process is
typically used to assess data integrity, security, development and IT governance.

There are several types of IT audits, including:

• Technological innovation process: an audit process that creates a risk profile for
  current and future projects with a focus on the company’s experience with those
  technologies and where it stands in the market
• Innovative comparison audit: an audit that looks at an organization’s ability to
  innovate compared to competitors and evaluates how well the company produces
  new products
• Technological position audit: an audit that examines current technology in the
  organization and future technologies that will need to be adopted
• Systems and applications: an audit process that specifically evaluates whether
  systems and applications are controlled, reliable, efficient, secure and effective
• Information processing facilities: an audit to evaluate an organization’s ability to
  produce applications even in disruptive conditions
• Systems development: an audit for verifying that systems that are being developed
  are suited for the organization and meet development standards
• Management of IT and enterprise architecture: an audit of the IT management’s
  organizational structure for information processing
• Client, server, telecommunications, intranets and extranets: audits to examine
  controls on client-connected servers and networks

IT auditor salary

According to data from the Robert Half Technology 2019 Accounting and Finance Salary
Guide, the average salaries for an IT auditor ranging from entry level to manager are as
follows:

Seniority       25th percentile   50th percentile   75th percentile   95th percentile
Manager         $97,500           $118,250          $140,750          $185,500
Senior          $75,750           $92,500           $109,750          $145,750
1 to 3 years    $62,250           $76,000           $90,250           $119,000
Up to 1 year    $42,250           $51,250           $61,000           $80,250

Robert Half defines the 25th percentile as candidates new to the role, still developing skills
or who are working in a market with low competition or at a smaller organization. The 50th
and 75th percentiles encompass candidates who range from average experience and skills
to those with stronger skillsets, specializations and certifications, according to Robert Half.
Both groups typically work in roles with more complexity or in markets with higher
competition. Robert Half’s 95th percentile includes those with highly relevant skills,
experience and expertise who are working in a highly complex role in a very competitive
market.

IT auditor skills

The skills you need as an IT auditor will vary depending on your specific role and industry,
but there’s a general set of skills that all IT auditors need to be successful. Some of the most
commonly sought skills for IT auditor candidates include:

• IT security and infrastructure
• Internal audit
• IT risk
• Data analysis
• Data analysis and visualization tools (ACL, MS Excel, SAS, Tableau)
• Security risk management
• Security testing and auditing
• Computer security
• Internal auditing standards including SOX, MAR, COSO and COBIT
• Analytical and critical thinking skills
• Communication skills

For more on IT Auditing skills, please watch the video below

https://youtu.be/D-BT5V0WMag

IT auditor job requirements

Entry-level IT auditor positions require at least a bachelor’s degree in computer science,
management information systems, accounting or finance. You’ll want a strong background
in IT or IS and experience in public accounting or internal auditing. The job requires a strong
set of technical skills, with a strong emphasis on security skills, but you’ll also need soft skills
like communication. You’ll be responsible for not only identifying issues during an IT audit
but also explaining to leaders outside of IT what is wrong and what needs to change.
Analytical and critical thinking skills are also crucial, as you’ll need to evaluate data to find
trends and patterns to identify IT security and infrastructure issues.

For more on IT Auditing, please watch the video below

https://youtu.be/oMM-pn2iZ18

CISA Exam

The Certified Information Systems Auditor (CISA) is a certification and a globally recognized
standard for appraising an IT auditor's knowledge, expertise and skill in assessing
vulnerabilities and instituting IT controls in an enterprise environment. Click on the link to
learn more

Certified Information Systems Auditor (CISA)

What is Certified Information Systems Auditor (CISA)?

The Certified Information Systems Auditor (CISA) is a certification and a globally recognized
standard for appraising an IT auditor's knowledge, expertise and skill in assessing
vulnerabilities and instituting IT controls in an enterprise environment.

This certification is issued by ISACA to people in charge of ensuring an organization's IT and
business systems are monitored, managed and protected. It is presented after completion of a
comprehensive testing and application process. It is designed for IT auditors, audit managers,
consultants and security professionals.

Attaining CISA certification is considered beneficial because it is accepted by employers
worldwide and is often requested for IT audit and security information management (SIM)
positions. The certification provides the holder with greater visibility throughout the job
application process since most recruiters prefer and keep an eye out for IT auditors with a CISA
certification.

Responsibilities of a Certified Information Systems Auditor

The primary duties of a CISA include:

• Implementing an audit strategy for information systems (IS) that is based on risk
  management.
• Planning audits that can be used to determine whether or not IT assets are protected,
  managed and valuable.
• Executing the audits in compliance with the organization's set standards and objectives.
• Sharing audit results and providing recommendations to management based on the
  results.
• Performing reexaminations of the audits to ensure the recommended actions have been
  performed by management.

A CISA's responsibilities often extend beyond auditing control. They are expected to work with
management to confirm organizational processes, plans for implementation and operation of the
deployed systems, and promote the organization's objectives and strategies.

This includes evaluating:

• risk management practices;
• IT portfolio and resource management;
• strategies for business-IT alignment;
• business continuity and disaster recovery strategies;
• IT policies, standards, processes and procedures within the organization;
• the value of the IT control framework; and
• the management and monitoring of IT personnel, the IT organizational structure and
  controls.

After systems are implemented, CISAs must continue to monitor various areas to ensure
successful deployment of the systems. This includes conducting project and post-implementation
reviews. Other responsibilities include evaluating:

• the business case for the proposed system;
• controls for the IS;
• IT supplier selection and contract management processes;
• the project management framework and controls; and
• the preparedness of the IS.

Once the system is implemented, the CISA is responsible for evaluating:

• the IT service management practices and structure;
• end-user computing;
• change and release management operations;
• IT continuity and resilience;
• database management system execution;
• IT operations and maintenance;
• conducted reviews of the IS;
• complications and incident management practices; and
• data quality and life cycle management.

Finally, a CISA is responsible for working with management. This is to ensure the security
standards, policies, procedures and controls within the organization impart integrity,
confidentiality and availability of information assets.

How to become a Certified Information Systems Auditor

In order to become CISA certified, applicants must complete the following five steps:

1. Successfully complete and pass the CISA exam.
2. Apply for CISA certification.
3. Adhere to ISACA's Code of Professional Ethics.
4. Follow ISACA's Continuing Professional Education Program.
5. Comply with ISACA's Information Systems Auditing Standards.

ISACA asks that all CISA applicants complete five years of professional IS auditing,
control, assurance or security work, but substitutions and waivers can be obtained. For example,
one year of IS experience or one year of non-IS auditing can be substituted for one year of
experience. Also, 60 to 120 university semester credit hours -- a two year to four year degree --
can replace one or two years of experience, respectively. Two years as a full-time instructor
within the related field at a university can also replace one year of experience.

Work experience must be within the 10 years prior to a candidate's application submission or
within five years of a passed CISA exam. The candidate must also show adherence to ISACA's
Code of Professional Ethics and Information Systems Auditing Standards. Once these criteria are
met, the candidate can successfully apply for certification.

About the CISA exam

The CISA exam is open to any individual who expresses an interest in IS auditing, control and
security. It is four hours long and consists of 150 multiple-choice questions set around five job
practice domains:

• Information Systems Auditing Process
• Governance and Management of IT
• Information System Acquisition, Development and Implementation
• Information Systems Operations and Business Resilience
• Protection of Information Assets

A score of 450 or higher (scored on a scale of 200 to 800) is required to pass the exam. It can be
taken at any time in testing locations worldwide and remotely online. The exam is offered in
English, Chinese Mandarin Simplified, Chinese Traditional, French, German, Italian, Japanese,
Korean, Spanish and Turkish.

How to prepare for the CISA exam

Individuals looking to prepare for the exam can take advantage of preparation materials that are
available through the ISACA. Many ISACA chapters also host CISA exam review courses. It is
recommended that people preparing for the exam take as many practice tests as possible in
addition to studying the ISACA Review Manual and learning to think like an accountant.

Adopting an accountant's mindset is beneficial because most of the people who write the CISA
exam either work as accountants or in the financial services industry. Therefore, by thinking like
an accountant, a test-taker can gain a greater understanding of the questions and answers and the
way they were written.

If a CISA candidate passes the exam, they will be sent the information needed to apply for the
CISA certificate. However, they must first ensure they have met the work experience
requirements.

How to maintain CISA certification

CISA applicants and certification holders must abide by ISACA's Continuing Professional
Education (CPE) program. This training is to ensure that CISAs stay up to date and proficient in
their fields.

The goals of the CPE program include:

• Monitoring IS audit, control and security professionals' maintenance of knowledge and
  capabilities.
• Dividing qualified CISAs from those who have not met the requirements and cannot
  continue their certification.
• Assisting top management in the construction of stable IS audit, control and security
  functions with suggestions and criteria for personnel selection, training and development.
• Preserving an individual's CISA capabilities by updating existing knowledge and skills
  within IS auditing, control and security.

ISACA requires maintenance fees and a minimum of 20 CPE hours annually, plus an additional
120 contact hours during a fixed three-year period.

Benefits of a CISA certification

The CISA certification is recognized worldwide as the sign of an individual's excellence within
information system auditing. Benefits of a CISA certification include:

• A competitive advantage in the job market and with job growth.
• Increased value of the individual within the organization.
• Increased credibility in the workplace. This is due to the combination of the achievement
  of passing the exam and the recognition of work and educational experience.
• Assistance meeting high professional standards with ISACA's requirements and
  Continuing Professional Education program.
• Confirmation of an individual's knowledge, experience and expertise in the field, and
  demonstration of their ability to successfully meet challenges that may arise.

For more information on how to prepare for the CISA Certification Exam, please watch the
video below

https://youtu.be/JrEhhF5oFJ8

Prelim Period - Legal and Ethical Issues for IT Users

RA 8792 (E-Commerce Act of 2000)

The Philippine legal framework for E-commerce consists of various laws governing retail
trade, consumer protection laws and regulations (i.e., data protection) and intellectual
property rights law, most of which were passed years before the growth of the E-commerce
industry but are currently being applied to regulate it.

Under the law, the E-Commerce Act applies to any kind of data message and electronic
document used in the context of commercial and non-commercial activities, including
domestic and international dealings, transactions, arrangements, agreements, contracts and
exchanges and storage of information.

Click on the link below for more

https://www.officialgazette.gov.ph/2000/06/14/republic-act-no-8792-s-2000/

ISACA audit standards (1001-1402)

IT audit and assurance standards define mandatory requirements for IT auditing. They
report and inform: IT audit and assurance professionals of the minimum level of acceptable
performance required to meet the professional responsibilities set out in the ISACA Code of
Professional Ethics. For more on this topic, kindly click on the link.

Standards, Guidelines, Tools and Techniques

ISACA Member and Certification Holder Compliance

The specialized nature of information technology (IT) audit and assurance and the skills
necessary to perform such engagements require standards that apply specifically to IT audit
and assurance. The development and dissemination of the IT audit and assurance standards
are a cornerstone of the ISACA® professional contribution to the audit community.

IT audit and assurance standards define mandatory requirements for IT auditing. They
report and inform:

• IT audit and assurance professionals of the minimum level of acceptable
  performance required to meet the professional responsibilities set out in the ISACA
  Code of Professional Ethics
• Management and other interested parties of the profession’s expectations
  concerning the work of practitioners
• Holders of the Certified Information Systems Auditor® (CISA®) designation of
  requirements. Failure to comply with these standards may result in an investigation
  into the CISA holder’s conduct by the ISACA Board of Directors or appropriate
  committee and, ultimately, in disciplinary action.

ITAF™, 4th Edition (www.isaca.org/itaf) provides a framework for multiple levels of guidance:

IT Audit and Assurance Standards

The standards are divided into three categories:

• General standards (1000 series)—Are the guiding principles under which the IT
  assurance profession operates. They apply to the conduct of all assignments and
  deal with the IT audit and assurance professional’s ethics, independence, objectivity
  and due care as well as knowledge, competency and skill.
• Performance standards (1200 series)—Deal with the conduct of the assignment, such
  as planning and supervision, scoping, risk and materiality, resource mobilization,
  supervision and assignment management, audit and assurance evidence, and the
  exercising of professional judgment and due care.
• Reporting standards (1400 series)—Address the types of reports, means of
  communication and the information communicated.

General
1001 Audit Charter
1002 Organizational Independence
1003 Auditor Objectivity
1004 Reasonable Expectation
1005 Due Professional Care
1006 Proficiency
1007 Assertions
1008 Criteria

Performance
1201 Risk Assessment in Planning
1202 Audit Scheduling
1203 Engagement Planning
1204 Performance and Supervision
1205 Evidence
1206 Using the Work of Other Experts
1207 Irregularities and Illegal Acts

Reporting
1401 Reporting
1402 Follow-up Activities

IT Audit and Assurance Guidelines

The guidelines are designed to directly support the standards and help practitioners achieve
alignment with the standards. They follow the same categorization as the standards (also
divided into three categories):

• General guidelines (2000 series)
• Performance guidelines (2200 series)
• Reporting guidelines (2400 series)

General
2001 Audit Charter
2002 Organizational Independence
2003 Auditor Objectivity
2004 Reasonable Expectation
2005 Due Professional Care
2006 Proficiency
2007 Assertions
2008 Criteria

Performance
2201 Risk Assessment in Planning
2202 Audit Scheduling
2203 Engagement Planning
2204 Performance and Supervision
2205 Evidence
2206 Using the Work of Other Experts
2207 Irregularities and Illegal Acts

Reporting
2401 Reporting
2402 Follow-up Activities

Below are the ten ethical standards of ISACA

For more information regarding ISACA and its corresponding Code of Ethics, kindly click on
the video below

https://youtu.be/s1cmW6xNvYg

Ethical Issues

The Code of Ethics states the principles and expectations governing the behavior of
individuals and organizations in the conduct of internal auditing. It describes the
minimum requirements for conduct and behavioral expectations rather than specific
activities. For more on this topic, kindly click on the link

Auditor Ethics

Those who act as auditors must have a high standard of ethics. The term “auditor” is Latin
for someone who hears complaints and makes decisions or acts like a judge. To act as a
judge, a person must be ethical. If the auditor loses favor in this area, it is almost impossible
to regain trust from audit management and auditees.

Examples

If a budget calls for numerous hours and you get the job done efficiently, is it unethical
to put down hours not worked?

Is it unethical to overlook something during the audit because the client says it is
not important?

Please click on the link below for more

https://www.iiafiji.org/resources/66eff172-2496-4c51-8025-c2d53d2c3956.pdf

For the complete discussion on the legal and ethical issues for IT Auditors, please click on
the video below

https://youtu.be/i1E2iNvY9fU

Fraud and accountants

Accounting fraud is the intentional manipulation of financial statements to create a false
appearance of corporate financial health. For more on this topic, kindly click on the link.

What Is Accounting Fraud? Definition and Examples

Accounting fraud is the intentional manipulation of financial statements to create a false
appearance of corporate financial health. Furthermore, it involves an employee, accountant,
or the organization itself misleading investors and shareholders. A company can falsify its
financial statements by overstating its revenue, not recording expenses, and misstating
assets and liabilities.

Understanding Accounting Fraud

For accounting fraud to take place, a firm must deliberately falsify financial records.
Consider a firm that makes an estimate that must be revised later. No accounting fraud has
taken place because the errors were not deliberate. Now suppose the CEO of a publicly-
traded company knowingly makes false statements about the firm's prospects. The
Securities and Exchange Commission (SEC) may well charge that CEO with fraud. However, it
is not accounting fraud because no financial records were falsified.

Overstating Revenue

A company can commit accounting fraud if it overstates its revenue. Suppose company ABC
is actually operating at a loss and not generating enough revenue. To cover up this
situation, the firm might claim to be producing more income on financial statements than it
does in reality. On its statements, the company's profits would be inflated. If the company
overstates its revenues, it would drive up the firm's share price and create a false image of
financial health.

Unrecorded Expenses

Another type of accounting fraud takes place when a company does not record its
expenses. The company's net income is overstated, and its costs are understated on
the income statement. This type of accounting fraud creates a false impression of how much
net income a company is receiving. In reality, it may be losing money.

Misstating Assets and Liabilities

Another form of accounting fraud occurs when a company overstates its assets or
understates its liabilities. For example, a company might overstate its current assets and
understate its current liabilities. This type of fraud misrepresents a company's short-
term liquidity.

Suppose a company has current assets of $1 million, and its current liabilities are $5 million.
If the company overstates its current assets and understates its current liabilities, it is
misrepresenting its liquidity. The company could state that it has $5 million in current assets
and $500,000 in current liabilities. Then, potential investors will believe that the company
has enough liquid assets to cover all of its liabilities.

A Real World Example of Accounting Fraud

The Enron scandal is one of the most famous examples of accounting fraud in history. Enron
used off-balance-sheet entities to hide the company's debts from investors and creditors.
Although using such entities was not illegal in itself, Enron's failure to disclose the necessary
details of its dealings constituted accounting fraud. As the true extent of Enron's debts
became known to the public, its share price collapsed. By the end of 2001, Enron declared
bankruptcy.

The consequences of accounting fraud were severe in the Enron case. Criminal charges were
brought against many of the company's top executives, and some of them were sent to
prison. The scandal also eventually destroyed accounting giant Arthur Andersen LLP, which
handled Enron's books.

What is the Fraud Triangle? (Three Components Explained)

It’s not difficult to see why business owners want to understand the mindset behind
employee fraud. Crime insurance can cover losses once they’ve happened, but if owners can
figure out what leads workers to become fraudsters, they can work to prevent the
fraud before it happens.

In the 1970s, criminologist Donald R. Cressey published a model called the “fraud triangle”.
The fraud triangle outlines the three conditions that lead to higher instances of occupational
fraud: motivation, opportunity, and rationalization.

When an employee has a reason for committing fraud, gets a chance to do so without
getting caught, and can come up with a justification for their behavior, they’re more likely to
commit an occupational crime.

Read on to learn more about each condition of the fraud triangle, why they contribute to
fraud, and how you can prevent them from occurring within your workforce.

Who Commits Fraud?

The stereotypical fraud offender looks a lot like any other high-performing, trusted
employee. Nine in ten fraud offenders have no prior history of fraud, and 55% have no
history of any workplace misconduct. In fact, only 13% of fraudsters have so much as a poor
performance evaluation on the record.

It’s circumstances, not personality traits, that lead people to commit fraud. In fact, the
National Association of State Auditors, Comptrollers, and Treasurers claims that most
people could be incentivized to commit fraud under the right circumstances.

This estimate is called the “10-80-10 Rule.” It states that just 10% of people would never
commit fraud for any reason, another 10% of people are actively looking for opportunities
to commit fraud, and the remaining 80% fall somewhere in between.
Members of this middle group aren’t fraudsters by nature, but neither are they steadfast in
their commitment to a life free of crime.

For example, an employee with a stellar ten-year record may suddenly be able to
justify embezzlement after their child is diagnosed with a serious illness that requires
otherwise unaffordable treatments.

Each person has a different set of circumstances, a different combination of fraud triangle
components (motivation, rationalization, and opportunity), that will make fraud feel “worth it.”

By digging into each of the fraud triangle conditions, business owners can work to prevent
them from affecting their employees.

Condition #1: Motivation


Save for the 10% who actively seek out opportunities to commit fraud, most people won’t
turn to employee theft without a compelling reason.

However, the right motivation can tempt otherwise trustworthy employees to consider
cheating their employer.

What one person feels is a valid justification might not be compelling to another. There are
as many different motivations for fraud as there are people in the world, but they can be
sorted into a few main categories:

 Sudden changes in circumstances: a partner’s job loss, a surprise medical bill
 A sense of being wronged: being passed over for a promotion or denied a raise
 Survival: inability to afford life-saving medicines or to put food on the table
 Status pressure: feeling compelled to keep up with peers’ earning or spending

Your ability to understand your employees’ potential motivations for fraud relies on how
well you know them. When you spend time with staff, you’re more likely to notice sudden
changes in behavior or countenance that might signal a personal hardship or family tragedy,
and you’ll have an opportunity to ask what you can do to help.

Demonstrating empathy for your employees will help them see that you care about their
wellbeing and are willing to offer the help and support they need in good times and in bad.
With a supportive employer at their back, workers have far fewer reasons to turn to fraud.

Condition #2: Opportunity


Perhaps the easiest piece of the triangle for business owners to control is opportunity. No
matter how disgruntled or desperate your employees might feel, they can only commit
fraud if they’re given the chance to do so.

Standardized processes and rigorous oversight procedures are key to keeping your
operations resistant to fraud. However, it’s not enough to just put these systems in
place: the opportunity for fraud still exists if controls are present but unmonitored,
ineffective, or unenforced.

Particularly for fraud that relies on access to IT systems, access controls and the
monitoring around them need regular testing and tuning to remain effective; a control that
was adequate when it was set up can be silently undermined by new accounts, changed roles
or unreviewed exceptions.

It’s also essential to have a plan for what happens after a violation is detected.

If alerts are allowed to pile up in an unmonitored inbox or if violations aren’t met with real
consequences, employees are more likely to take their chances in hopes that they’ll be able
to fly under the radar in the same way.

Condition #3: Rationalization


The final piece of the fraud triangle is rationalization. Even when people have motivation
and opportunity, most will not choose to act unless they can justify to themselves why their
fraud is “okay.”

Even those who could be incentivized to break the law given the right motivation usually
wouldn’t be willing to do so if it meant they were harming someone else.

But when it comes to defrauding a company, many fraudsters can convince themselves that
theirs is a victimless crime.

An accountant who sees how much their sales department spends entertaining potential
clients may justify skimming a few dollars here and there for themselves.

Or an account lead on a work trip might charge unnecessary extras to their hotel room
because “everyone does it; it’s one of the perks of the job.”
An effective way to prevent these types of rationalizations is to champion transparency
when it comes to company finances.

If you explain to your staff that holiday bonuses depend on the company’s ability to hit a
certain profit margin, employees will have a better understanding of the importance of a
few dollars here and there.

When employees witness the company’s profits being reinvested in its workforce, they’re
more likely to engage emotionally in the success of the team.

If you’re a caring and committed boss, you probably already employ the majority of these
strategies simply because you believe it’s the right way to run your company.

You shouldn’t need the threat of potential fraud to motivate you to spend time with your
employees, champion standards of fairness, and practice open communication and
transparency.

The fact that these things may also keep your company from falling victim to employee
theft is just a bonus.

Click on the video below for more


https://youtu.be/4nZtnU4fUFs

Why do people commit fraud – fraud diamond
Wolfe and Hermanson first introduced the Fraud Diamond Theory in the CPA Journal in
December 2004. They concentrated their research on what motivates people to violate trust
in response to questions like "Why do people perpetrate fraud?" In their view, an offense
can only occur when all four conditions are met: pressure, opportunity, rationalization, and
capability.

Wolfe and Hermanson (2004) describe opportunity as the open doorway to fraud, with pressure
(the incentive) and rationalization drawing a person toward it. Capability is what allows
the individual to recognize the open doorway as an opportunity and to take advantage of it,
not just once but again and again.
1. Capability

Capability is the condition in which a person has the traits, abilities or skills needed to
carry out the fraud: the fraudster has recognized a specific opportunity and has the means to
turn it into reality. The supporting components of capability are position, intelligence,
ego, coercion, deception, and the ability to handle stress. Not everyone with motive,
opportunity and rationalization can perpetrate fraud; some lack the ability to carry it out
or to cover it up. This component is especially important for large-scale or long-running
frauds.

2. Motive or Pressure
“Perceived pressure” refers to the factors that push a person toward unethical behavior.
Every fraudster experiences some pressure to act unethically; it may be financial or
non-financial. Pressure is felt in many different ways, and most acutely when there is a
non-shareable financial need. Financial pressure is acknowledged to be the most common driver
of fraud; financial demands on the fraudster are commonly cited as present in around 95% of
fraud cases.

3. Opportunity

Perceived opportunity is the third condition for fraud. A person can commit organizational
fraud when a control or governance system is ineffective and so provides the opening; in the
accounting profession this is referred to as an internal control weakness. Like pressure,
opportunity is a matter of perception: the opening need not actually exist, only be believed
to exist by the perpetrator. In general, the lower the perceived risk of detection, the more
likely fraud is to occur.

4. Rationalization

The fourth component of the fraud diamond is rationalization. Before acting unethically, the
offender must form some morally acceptable justification for the act. Rationalization refers
to the justifications and excuses by which the perpetrator convinces themselves that their
behavior is not really criminal. A person who cannot justify the dishonest behavior is less
likely to commit fraud. Typical rationalizations include “I had to steal to provide for my
family” and “other people did it, why not me?” Because it is hard to see inside a
perpetrator’s mind, rationalization is difficult to detect; fraudsters have a mindset that
lets them defend or rationalize their fraudulent behavior.

For more on Fraud Diamond, click on the video below


https://youtu.be/QbKkly5c1dI
Auditor’s responsibility for detecting fraud

An auditor should design the audit to provide reasonable assurance of detecting errors
and fraud that are material to the financial statements.

Auditors’ Responsibility for Fraud Detection

Auditors will enter a much expanded arena of procedures to detect fraud as they implement SAS
no. 99. The new standard aims to have the auditor’s consideration of fraud seamlessly blended
into the audit process and continually updated until the audit’s completion. SAS no. 99 describes
a process in which the auditor (1) gathers information needed to identify risks of material
misstatement due to fraud, (2) assesses these risks after taking into account an evaluation of the
entity’s programs and controls and (3) responds to the results. Under SAS no. 99, you will gather
and consider much more information to assess fraud risks than you have in the past. (For the text
of the new standard, see Official Releases, page 105.)

PROFESSIONAL SKEPTICISM
SAS no. 99 reminds auditors they need to overcome some natural tendencies—such as
overreliance on client representations—and biases and approach the audit with a skeptical
attitude and questioning mind. Also essential: The auditor must set aside past relationships and
not assume that all clients are honest. The new standard provides suggestions on how auditors
can learn how to adopt a more critical, skeptical mind-set on their engagements, particularly
during audit planning and the evaluation of audit evidence.

NEW REQUIREMENT: DISCUSSION AMONG ENGAGEMENT PERSONNEL


SAS no. 99 requires the audit team to discuss the potential for a material misstatement in the
financial statements due to fraud before and during the information-gathering process. This
required “brainstorming” is a new concept in auditing literature, and early in the adoption
process firms will need to decide how best to implement this requirement in practice. Keep in
mind that brainstorming is a required procedure and should be applied with the same degree of
due care as any other audit procedure.

There are two primary objectives of the brainstorming session. The first is strategic in nature, so
the engagement team will have a good understanding of information that seasoned team
members have about their experiences with the client and how a fraud might be perpetrated and
concealed.

The second objective of the session is to set the proper “tone at the top” for conducting
the engagement. The requirement that brainstorming be conducted with an attitude that
“includes a questioning mind” is an attempt to model the proper degree of professional
skepticism and “set” the culture for the engagement. The belief is that such an audit
engagement culture will infuse the entire engagement, making all audit procedures that much
more effective.

The mere fact the engagement team has a serious discussion about the entity’s susceptibility
to fraud also serves to remind auditors that the possibility does exist in every
engagement—in spite of any history or preconceived biases about management’s honesty and
integrity.

You should note that SAS no. 99 does not restrict brainstorming to the planning phase of the
audit process. Brainstorming can be used in conjunction with any part of the
information-gathering process. Auditors gather data continuously throughout the engagement,
so look for opportunities to brainstorm all the way through. Some auditors may choose to meet
for discussions again near the conclusion of the audit to consider the findings and
experiences of all team members and whether the team’s assessment about and response to the
risk of material misstatement due to fraud were appropriate.

Sidebar: The new fraud standard, Statement on Auditing Standards no. 99, Consideration of
Fraud in a Financial Statement Audit, is the cornerstone of the AICPA’s comprehensive
antifraud and corporate responsibility program. The goal of the program is to rebuild the
confidence of investors in our capital markets and reestablish audited financial statements
as a clear picture window into corporate America. From providing CPAs with clarified and
focused auditing guidance to establishing a new institute for fraud studies, the AICPA is
determined to help reduce the incidence of financial fraud.

Sidebar: This article is adapted from chapter 2 of Fraud Detection in a GAAS Audit—SAS No. 99
Implementation Guide by Michael Ramos, which was published by the AICPA concurrent with the
issuance of the new fraud standard. This nonauthoritative practice aid provides an in-depth,
section-by-section explanation as well as implementation guidance and practice tips for the
standard. To order the book (product no. 006613) by telephone, call the AICPA at
888-777-7077; to order online go to www.CPA2biz.com .

In addition to brainstorming, SAS no. 99 requires audit team members to communicate with
each other throughout the engagement about the risks of material misstatement due to fraud. In
fact, the standard requires the auditor with final responsibility for the audit to determine whether
there has been appropriate communication among team members throughout the engagement.

STRUCTURING AN EFFECTIVE BRAINSTORMING SESSION


Split it into two parts. The main objective of brainstorming is to generate ideas about how fraud
might be committed and concealed at the entity. That is all that SAS no. 99 requires. As a
practical matter, some engagement teams may choose to discuss how they might respond to the
identified risks.

Determine a reasonable time limit. Consultants and business owners who participate regularly
in business brainstorming sessions suggest that a good session lasts about an hour. After that, the
energy begins to fade and the law of diminishing returns sets in.

Consider assigning “homework.” The session will be much more productive if all members
have a similar level of understanding about the client, the nature of its business and its current
financial performance. For auditors brainstorming about fraud matters, it may be beneficial to
perform analytical, fact-based research before the session. In structuring your session, it will
help to consider the characteristics of the fraud triangle. For example, you might discuss the
incentives/pressures that may exist at the entity or the opportunities management or employees
have to commit fraud. You also might discuss observations about attitude/rationalization that
may indicate the presence of risk at the company.

Describe the objective of the session in language people can relate to. To help generate
creative, practical ideas, pose questions people can more easily understand, such as the
following:

If you were the bookkeeper for the entity, how could you embezzle funds and not get caught?
If you worked on the loading dock, how could you steal inventory?
If you owned this company, how might you manipulate the financial statements to impress
bankers?

SOME BRAINSTORMING RULES


You might consider setting ground rules to help you achieve your objective. Here are some
examples.

No ideas or questions are dumb. Prejudging questions by labeling them “dumb” is one sure
way to stifle the contribution of ideas.

No one “owns” ideas. When individuals become personally invested in an idea, they tend to
“fight” for it as long as possible. There may be a time and a place for battling over the validity of
an idea, but a brainstorming session is not one of them.

There is no hierarchy. The world of ideas does not recognize rank, experience or
compensation level. Create an environment in which senior team members share information
without dominating the discussion and junior members feel “safe” contributing their own ideas.
Excessive note-taking is not allowed. A brainstorming session is an intuitive, spontaneous
process. Excessive note taking is a barrier to this process.

OBTAIN INFORMATION TO IDENTIFY THE RISKS OF FRAUD


SAS no. 99 significantly expands the number of information sources for identifying risks of
fraud. It provides guidance on obtaining information from

 Management and others within the organization.
 Analytical procedures.
 Consideration of fraud risk factors.
 Other sources.

Management. The new standard lists several items you should ask about that relate to
management’s awareness and understanding of fraud, fraud risks and the steps taken to mitigate
risks. Several of these inquiries were not required under previous standards. Some inquiries are
relatively straightforward, but others may require you to “educate” management about the
characteristics of fraud, the nature of fraud risks and the types of programs and controls that will
deter and detect fraud. The guidance contained in SAS no. 99 provides you with the background
necessary to discuss these matters.

Others. The SAS requires you to make inquiries of the audit committee (even if it is not active),
internal audit personnel (if applicable) and others about the existence or suspicion of fraud and
to inquire as to each individual’s views about the risks of fraud. “Others” can include those
employees who are outside the financial reporting process.

For the most part, auditors tend to restrict their client inquiries to personnel directly involved in
the financial-reporting process. This approach is appropriate for matters of which accounting
personnel have direct knowledge—for example, how transactions are processed or controlled.
However, it is less effective to ask accounting personnel about matters of which they do not have
first-hand knowledge (for example, the procedures used to examine, count and receive items into
inventory). Critics of the audit process frequently cite the auditor’s reluctance to make inquiries
outside of the accounting department as a reason for the lack of the in-depth understanding
necessary to plan and perform an effective and efficient audit. SAS no. 99 is the first standard
that requires auditors to make inquiries of “others within the entity,” such as

 Operating personnel not directly involved in the financial-reporting process.
 People with knowledge of complex or unusual transactions.
 In-house legal counsel.

Further, you should not restrict your inquiries to senior management. The standard suggests
making inquiries of personnel at various levels within the organization. There are two primary
objectives in making such inquiries.

To obtain first-hand knowledge of fraud. Fraud can happen in any department and at any
level within the organization. Someone in the entity may have observed a person committing or
concealing a fraud. Often, those with knowledge of a fraud have stated, after the fact, that they
would have told someone, “but nobody asked.” SAS no. 99 increases the likelihood that the
auditor will now be that “someone” who asks.

To corroborate or lend perspective to representations of others. Operating personnel can
corroborate representations made by others or provide a different perspective on how things
“really work.” For example, accounting department personnel may be able to provide you with
the recommended control procedures relating to the safeguarding of inventory, but operational
personnel can tell you how the control procedures are applied in practice and when, if ever, those
controls are overridden or circumvented.

The standard allows you to use considerable judgment in determining to which employees
within the organization you should direct your inquiries and what questions you should ask.

EVEN MORE INQUIRIES


The new standard obligates you to inquire of management and others in the entity. However, it
does not restrict you to making only those inquiries. In fact, it encourages you to make
additional inquiries in order to gather or corroborate a wide variety of information that can help
you identify or assess risks of material misstatement due to fraud. Many of the queries related to
these matters should be submitted to personnel outside of management or the accounting
department. For example, you may wish to use inquiries to

 Identify the presence of the fraud triangle characteristics.
 Understand the policies, procedures and controls for recording journal entries or other
adjustments.
 Identify circumstances under which management has or may override internal controls.
 Understand policies and procedures related to revenue recognition.
 Understand the business rationale for significant unusual transactions.

Asking the same question of different people can increase the effectiveness of your inquiries, as
you can compare answers to identify consistencies or anomalies in the responses.

PLANNING ANALYTICAL PROCEDURES


One of the reasons auditors fail to detect material misstatements caused by fraud is that they tend
to look at current numbers in isolation from the past or other relevant information. For that
reason, SAS no. 99 says the auditor should consider the results of analytical procedures in
identifying the risks of material misstatement caused by fraud, and the standard provides a list of
procedures auditors can employ that may indicate the presence of such risks.

FRAUD RISK FACTORS


A fraud risk factor is an event or condition that tracks the three conditions of the fraud triangle.
Although fraud risk factors do not necessarily indicate that fraud exists, they often are warning
signs where it does. Like SAS no. 82, this standard lists numerous illustrative fraud risk factors
to help the auditor in considering whether fraud risks are present. However, in SAS no. 99, these
illustrative fraud risk factors have been reorganized to track the fraud triangle.

Auditors are cautioned not to think that these fraud risk factors are all-inclusive. In fact, research
has found that auditors who used open-ended questions that encouraged them to develop their
own fraud risk factors outperformed those who relied on a checklist based on looking only for
the illustrated fraud risk factors.

DESIGNING AUDIT PROCEDURES TO IDENTIFY FRAUD RISKS


SAS no. 99 says, “When obtaining information about the entity and its environment, the auditor
should consider whether the information indicates that one or more fraud risk factors are
present.” As a practical matter, the application of SAS no. 22, Planning and
Supervision, relating to audit planning, and SAS no. 55, Consideration of Internal Control in a
Financial Statement Audit, as amended, relating to internal controls and the other sections of
SAS no. 99, should allow you to identify the broad categories of fraud risks related to
incentive/pressure and opportunity.

Regarding fraud risk factors relating to attitude/rationalization, you cannot possibly know with
certainty a person’s ethical standards and beliefs. However, during the course of your
engagement, you may become aware of circumstances that indicate the possible presence of an
attitude or ability to rationalize that you consider to be a fraud risk. For example, a recurring
attempt by management to justify marginal, inappropriate accounting on the basis of materiality
and a strained relationship between management and the current or predecessor auditor are fraud
risks relating to fraudulent financial reporting.

SAS no. 99 requires you to consider other information that may be helpful in identifying the
risks of material misstatement due to fraud. This other data can be gleaned during

 The engagement team’s brainstorming session.
 Client acceptance and continuance procedures.
 Reviews of interim financial information.
 Consideration of inherent risks at the account or transaction level.

IDENTIFY AND ASSESS FRAUD RISKS


The key to designing effective audit tests is to perform an effective synthesis of the identified
risks. Synthesis is defined as “the assembling of a complex whole from originally separate
parts.” That is what you must do after you identify risks. SAS no. 99 requires auditors to assess
fraud risks, but one of the problems practitioners have had with the previous standard on fraud is
that they mistakenly believed “assessment” to mean they should describe the risk as high,
medium or low. That is not how “assessment” is meant to be interpreted in SAS no. 99. The
following illustration maps the audit process from risk identification to audit test design.
“Synthesis” is the element that links the two ends of the process.
Eliminate risk synthesis from the process step, and the chain is broken—there is no link to risk
identification.

Once that link between risk identification and audit test design is eliminated, it is not surprising
that the design of audit tests is not effective in helping auditors identify risks

Your goal is to “assess” or to synthesize the identified risks to determine where the entity is most
vulnerable to material misstatement due to fraud, the types of frauds that are most likely to occur
and how those material misstatements are likely to be concealed.

LINKING AUDIT PROCEDURES TO IDENTIFIED RISKS OF MATERIAL


MISSTATEMENT DUE TO FRAUD
To help you do a more effective job combining identified risks and providing that necessary
link, SAS no. 99 offers this guidance. Remember the three elements of the fraud triangle; the
risk of material misstatement due to fraud generally is greater when all three are present. As an
auditor, use your intuition, judgment and experience to look for patterns in the identified fraud
risks. The new standard reminds you that failure to observe one of the elements of the triangle
does not guarantee an absence of fraud. Stated another way, it has been observed that auditors
have a tendency to identify incentive and opportunity but mistakenly fail to pursue the issue
because they have not seen an attitude/rationalization that is conducive to fraud.

It also helps to consider whether the identified risks are related to either specific accounts or
transactions or to the financial statements as a whole. Once you can link the identified risks to a
specific account (or the financial statements taken as a whole), you then can design and perform
more effective procedures. When assessing information about potential fraud risks, consider the
type, significance, likelihood and pervasiveness of the risk.

REQUIRED RISK ASSESSMENTS


When assessing risks, the new SAS has two additional requirements. As the auditor, you should

Presume improper revenue recognition is a fraud risk. The vast majority of fraudulent
financial reporting schemes involved improper revenue recognition. SAS no. 99 states that you
“should ordinarily” presume there is risk of material misstatement due to fraud relating to
revenue recognition. If you do not identify improper revenue recognition as a risk of material
misstatement due to fraud, you should document the reasons supporting this conclusion.

Always identify the risks of management override of controls as a fraud risk. Those who
have studied fraudulent financial reporting have noted that risk of management override is
unpredictable, and, therefore, it is difficult for auditors to design procedures to identify and
assess it. For that reason, management override always should be addressed in the design of
audit procedures.

CONSIDERING THE ENTITY’S ANTIFRAUD PROGRAMS AND CONTROLS


Once you have identified specific risks of fraud, you should consider the entity’s programs and
controls that mitigate or exacerbate your identified risks of material misstatement due to fraud.
SAS no. 99 provides examples of programs and controls in large and small businesses. A new
document, entitled Management Antifraud Programs and Controls, is included as an exhibit to
SAS no. 99; it also is posted online
at http://antifraud.aicpa.org/Resources/Auditors/Understanding+Programs+and+Controls/
Exhibit+to+SAS+No.+99+Management+Antifraud+Programs+and+Controls.htm . This
document, issued by the AICPA and other organizations, provides examples of programs and
controls management can implement to help deter, prevent and detect fraud.

RESPONDING TO THE ASSESSED RISKS


You should address the risks of material misstatement due to fraud with a response that

 Has an overall effect on how the audit is conducted.
 Identifies risks involving the nature, timing and extent of audit procedures.
 Addresses management override of controls.

Judgments about the risks of material misstatement due to fraud have an overall effect on how
the audit is conducted in the following ways.

Assignment of personnel and supervision. SAS no. 99 provides relatively straightforward
guidance on this matter, which is easy to understand and implement. The guidance says the
greater the risk of material misstatement, the more experienced personnel and the greater amount
of supervision required on the engagement.

Accounting principles. The standard audit report expresses an opinion as to whether the
financial statements “present fairly…in accordance with GAAP.” Some auditors and others
involved in the financial reporting process have questioned whether the “present fairly” criterion
has become subordinate to “in accordance with GAAP.” That is, the issue may be whether some
entities make a case that “since GAAP does not explicitly prohibit a particular accounting
treatment, it must be acceptable” without considering whether the accounting will result in a
“fair presentation” of the financial position, results of operations and cash flows.

Thus, the choice of accounting principles, in addition to their application, becomes crucial
for auditors to consider. SAS no. 99 requires you to consider management’s selection and
application of significant accounting principles as part of your overall response to the risks
of material misstatement.
The new standard focuses your attention on accounting principles related to subjective
measurements and complex transactions. In addition, given the presumption of revenue
recognition as a fraud risk, you should consider the integrity of the entity’s policies on
revenue recognition and whether these policies are consistent with key revenue-recognition
concepts such as the completion of the earnings process, the realization of sales proceeds
and the delivery of the product or service.

Predictability of auditing procedures. Successful perpetrators of fraud are familiar with
the audit procedures external auditors normally perform. With this knowledge they can
conceal the fraud in accounts where auditors are least likely to look. SAS no. 99 requires you
to incorporate an element of unpredictability into your procedures from year to year, and it
provides tips for implementing this requirement.

ADDRESS SPECIFIC ACCOUNTS OR CLASSES OF TRANSACTIONS


SAS no. 99 provides general guidance on modifying the nature, timing and extent of the
audit procedures you will perform to address identified risks of material misstatement due
to fraud. Three other audit areas merit special mention: revenue recognition, inventory
quantities and accounting estimates, which can go hand in hand with fraud and therefore
can be interrelated.

RISK OF MANAGEMENT OVERRIDE OF INTERNAL CONTROL


SAS no. 99 requires you to perform certain tasks to address the risk of management
override of internal control. Executives can perpetrate financial reporting frauds by
overriding established control procedures and recording unauthorized or inappropriate
journal entries or other postclosing modifications (for example, consolidating adjustments
or reclassifications). To address such situations, SAS no. 99 requires you to test the
appropriateness of journal entries recorded in the general ledger and other adjustments.

Understanding the financial reporting process. To effectively identify and test
nonstandard journal entries, you will need to obtain a good understanding of the entity’s
financial reporting process. This knowledge is important because it allows you to be aware
of what should happen in a “normal” situation so you then can identify anomalies. You also
should know how journal entries are recorded (for example, directly online or in batch mode
from physical documents), be familiar with the design of any controls over journal entries
and other adjustments and learn whether those controls have been placed in operation. This
information will help you design suitable tests.

Testing journal entries and other adjustments. Your assessment of the risk of material
misstatement due to fraud, together with your evaluation of the effectiveness of controls,
will determine the extent of your tests. SAS no. 99 requires that you inspect the general
ledger to identify journal entries to be tested and examine the support for those items.
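As an added illustration (not part of SAS no. 99 or of this text), the screens below apply the points above to a small constructed ledger extract: entries recorded after period end, entries keyed manually rather than fed from a subledger, entries by users outside the accounting group, manual entries to revenue accounts, and entries with no supporting reference. The period end, the list of expected posters and the account numbering are assumptions made for the example.

```python
"""Screening a general-ledger extract for journal entries to test.

Added example; the screens and all data are constructed for illustration and
are not prescribed by SAS no. 99 or taken from any audit firm's tooling.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional


@dataclass(frozen=True)
class JournalEntry:
    entry_id: str
    posted_at: datetime         # when the entry was recorded in the general ledger
    posted_by: str              # user id of the person or process that posted it
    source: str                 # "system" (subledger feed), "online" (keyed) or "batch"
    account: str                # general-ledger account number
    amount: float               # signed amount, debits positive
    description: str
    support_ref: Optional[str]  # reference to supporting documentation, if any


# Assumed client parameters (constructed for this example).
PERIOD_END = date(2023, 12, 31)
EXPECTED_POSTERS = {"acct01", "acct02"}   # accounting staff expected to key entries
REVENUE_ACCOUNT_PREFIX = "4"              # assumed chart-of-accounts convention


def screen_entry(e: JournalEntry) -> list[str]:
    """Return the reasons an entry is selected for support testing; [] if none."""
    reasons = []
    # Postclosing modifications (consolidating adjustments, reclassifications)
    # are recorded after the period end.
    if e.posted_at.date() > PERIOD_END:
        reasons.append("posted after period end")
    # Nonstandard entries are keyed by people rather than fed from a subledger.
    if e.source != "system":
        reasons.append(f"nonstandard ({e.source}) entry")
    # A poster outside the accounting group is a management-override indicator.
    if e.posted_by not in EXPECTED_POSTERS:
        reasons.append(f"posted by unexpected user {e.posted_by}")
    # Revenue recognition is presumed to be a fraud risk.
    if e.account.startswith(REVENUE_ACCOUNT_PREFIX) and e.source != "system":
        reasons.append("manual entry to a revenue account")
    # Support must be examined; an entry with no reference cannot be vouched.
    if e.support_ref is None:
        reasons.append("no supporting document reference")
    return reasons


def select_for_testing(entries: list[JournalEntry]) -> dict[str, list[str]]:
    """Map entry_id -> reasons for every entry that trips at least one screen."""
    selected = {}
    for e in entries:
        reasons = screen_entry(e)
        if reasons:
            selected[e.entry_id] = reasons
    return selected


# Constructed sample ledger extract (not real client data).
SAMPLE_LEDGER = [
    JournalEntry("JE-1001", datetime(2023, 12, 15, 9, 30), "acct01", "system",
                 "1200", 5200.00, "AR subledger posting", "SL-20231215"),
    JournalEntry("JE-1002", datetime(2023, 12, 29, 17, 5), "acct02", "batch",
                 "5100", -800.00, "Payroll accrual", "PR-1229"),
    JournalEntry("JE-1003", datetime(2024, 1, 4, 22, 40), "cfo", "online",
                 "4000", -250000.00, "Reclass deferred revenue", None),
    JournalEntry("JE-1004", datetime(2024, 1, 2, 10, 0), "acct01", "online",
                 "2100", 1500.00, "Consolidating adjustment", "CONS-2023-07"),
]


if __name__ == "__main__":
    for entry_id, reasons in select_for_testing(SAMPLE_LEDGER).items():
        print(entry_id, "->", "; ".join(reasons))
```

The output lists only the entries whose support the auditor would pull; the system-fed AR posting passes every screen and is not listed.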

Consider the implications for other aspects of the audit.

Discuss the matter and the approach for further investigation with an appropriate level of
management that is at least one level above those involved and with senior management
and the audit committee.

If appropriate, suggest the client consult with legal counsel.

SAS no. 99 provides guidance on the auditor’s course of action when the risk of material
misstatement due to fraud is such that he or she is considering withdrawing from the
engagement. It is impossible to definitively describe when withdrawal is appropriate, but in
any event you probably will want to consult with your legal counsel.

COMMUNICATIONS
SAS no. 99 says, “Whenever you have determined that there is evidence that a fraud may
exist, that matter should be brought to the attention of the proper level of management.
This is appropriate even if the matter might be considered inconsequential, such as a
minor defalcation by an employee at a low level in the entity’s organization.” Thus, the
threshold for communication is “evidence that a fraud may exist.” The mere presence of a
fraud risk factor or some other condition that has been observed when fraud is present
generally does not meet this threshold.

DOCUMENTATION
The documentation requirements of SAS no. 99 significantly extend those of the previous
standard, requiring documentation supporting compliance with substantially all the major
requirements of the standard. SAS no. 99 provides a complete, easy-to-understand list of
documentation requirements.

According to the standard, you are required to document:

The discussion among engagement personnel in planning the audit regarding the
susceptibility of the entity’s financial statements to material misstatement due to fraud,
including how and when the discussion occurred, the audit team members who participated
and the subjects discussed.

The procedures performed to obtain information necessary to identify and assess the risks
of material misstatement due to fraud.

Specific risks of material misstatement due to fraud that were identified and a description
of the auditor’s response to those risks.

If the auditor has not identified improper revenue recognition as a risk of material
misstatement due to fraud in a particular circumstance, the reasons supporting that
conclusion.

The results of the procedures performed to further address the risk of management
override of controls.

Conditions and analytical relationships that caused the auditor to believe additional
auditing procedures or other responses were required and any further responses the auditor
concluded were appropriate to address such risks or other conditions.

The nature of the communications about fraud made to management, the audit
committee and others.

For the complete lecture on Auditor's responsibility for detecting fraud, please watch the
video below
https://youtu.be/ybi4EZ-zrKs

For information on fraud detection techniques, please watch the video below
https://youtu.be/yZguNBE6FFQ

Midterm Period
The Ideal Structure for an IT Department in a Growing Business

The modern ecosystem of global SMEs, as well as larger enterprises, is one that heavily
relies on its Information Technology (IT) Infrastructure in order to increase internal
operations and optimize corporate products and services. Therefore, there should be an
ideal structure for an IT department in a growing business. Click on the link to learn more.

The Ideal IT Department Structure to Facilitate Business Growth

The modern ecosystem of global SMEs, as well as larger enterprises, is one that heavily
relies on its Information Technology (IT) Infrastructure in order to increase internal
operations and optimize corporate products and services. Businesses of every industry
typically have six basic, internal, functional operations:

 Production (the creation or procurement of products and/or services)
 Operations (the supporting activities that efficiently maintain an enterprise’s
processes)
 Finance (management and data-recording of the financial resources)
 Administration (implementation and evaluation of the business’s plans/operations)
 Marketing/sales (effectively generating qualified leads and converting them into
returning customers)
 Business coordination (integrating and coordinating the other critical business
operations to ensure smooth business processes).

IT systems and services can be leveraged in order to greatly increase all of the core business
functions, such that an enterprise’s efficiency, communications, and productivity can be
optimized using a variety of IT systems, all of which can increase both the bottom and top
lines of the business. It is crucial, however, that an IT department be scalable to a company’s
current growth, and to its projected/future growth, thus allowing the company to grow
efficiently.

An enterprise’s IT infrastructure is usually composed of its Hardware systems, Software
systems, Enterprise systems, Network systems, and Database systems. In order for these
systems to be leveraged and efficiently utilized, board members and company executives
must strategically plan, agree on, and organize the IT department accordingly, including
setting the overall organization model, indicating all low and high-level functions, detailing
a reporting and managerial chain-of-command, creating a pertinent and practical
management model, aligning the departments with the goals of the business, and ensuring
that the defined structure continues to meet the organization’s growing needs during the
enterprise’s projected growth.

There is a great deal of strategic planning that must be undertaken in order to efficiently
define the ideal structure of any given company’s IT department. As with any company
department, the ideal structure of the IT department should be one that facilitates company
growth, increases profits, and optimizes internal operations. In order for such an ideal
structure to be realized, company executives should determine the aspects associated with
the utilization of the IT infrastructure, including:

 IT departmental resource allocation
 The strategic utilization of IT in order to optimize internal operations and increase
profits
 The skillsets required in the IT department
 Managerial and personnel roles, along with departmental teams (e.g. VP of IT, CIO,
CTO, R&D, IT security)
 Required IT systems of the IT infrastructure
 The critical problems that the IT department is envisioned to solve – currently and as
the company grows – and the inherent value of the IT infrastructure
 The expectations of the stakeholders/investors, along with the agreed-upon long-
term goals

Additionally, an overall IT strategic plan should be crafted as a precursor to the
organizational/structural blueprint of the IT department in order to ensure that all aspects of
the IT department align with the company’s goals and overall business model. An IT
strategic plan also allows management to strategically leverage IT systems in order to keep
pace in an ever-changing, global technological environment.

The planning of a company’s IT departmental structure must also take into account the
differing organizational models associated with a business organization’s departments,
which includes a matrix organizational model (project and functional-based), functional
organizational model (departments based on fulfilling distinct processes that are associated
with a specified area of expertise), product organizational structure (departments defined by
a specific product-line), customer organizational structure (structure based on customer
buyer-personas), geographic organizational structure (regional-based), etc.
(https://pingboard.com/blog/types-business-organizational-structures/).

Typically, an IT department will be structured according to the functional model, or the
matrix organization model, both of which focus on distinct processes and projects, and both
of which have a clear management/reporting model (i.e. a chain-of-command).

The ideal structure of an IT department in a growing business is entirely dependent on the
industry and goals of the enterprise. Additionally, there are a number of best practices that
any company should follow when strategically planning the structure of the company’s IT
department. One very critical resource that is often utilized by executives to define the
structure – and optimal operations/services – of a company’s IT department is the
Information Technology Infrastructure Library (ITIL).
The ITIL is a comprehensive framework detailing how an IT department can optimize its
services and personnel-communications, along with helping to establish best practices for
the effective management of IT operations that ultimately have the potential to better
customer experiences and increase the bottom line. Additionally, the ITIL framework is often
used to help executives understand the different roles of IT sub-departments, and how
different teams can interact optimally in order to ultimately increase corporate productivity.
In conjunction with an IT strategic plan, the ITIL framework offers valuable insights that can
help strategic planners craft the ideal structure for a company’s IT department.

Understand That Your IT Department Structure Will Adapt and Evolve

One of the most crucial aspects of any department in an enterprise is effective
communication – both within a department and interdepartmentally. More effective
interdepartmental – and intradepartmental – communications help establish more effective
workflows and better cooperation between silos and personnel, which helps to ensure that
projects and workflows/operations are carried out more effectively, all of which ultimately
increases corporate productivity.

The size of an organization, along with the management model and the structure of its
departments, plays a crucial role in how effective communications within the company will
be. Thus, the strategic plan associated with defining the structure of any given department
in an enterprise – including the IT department – must take into account the growth and
natural changes associated with a scalable IT infrastructure within an ever-changing
enterprise.

Businesses do not operate as static entities, but operate as dynamic organizations that must
have flexible strategic plans and strategies that are meant to scale with the changing needs
of the organization. Additionally, the business model, products/services, departments,
demographics, IT systems/technology, etc. may all change over time as the business grows,
along with a presumed increase in the number of personnel within the organization over
time. Thus, both an IT strategic plan, and the blueprint of the departmental structures, must
remain flexible and should include proposed tweaks to the blueprint due to projected
growth rates in order to allow the IT department (and all departments within the enterprise)
to continue to meet the goals of the organization.

Occasionally it is important for executives to define new sub-departments or teams within
the overarching IT department in order to solve new issues that may arise due to an
enterprise growing beyond what the previous structure can support. These new teams will
need resources to be allocated adequately within the new structure of the IT department to
ensure that the teams within the department are able to continue working effectively. It is
important to remember that the IT department and its structure should adapt and
ultimately evolve to meet the needs of the enterprise, and not the other way around.

Centralized vs Decentralized IT Structures

The ideal structure of a company’s IT department should include certain standard teams and
organizational characteristics, including a support/tech department, IT management
(including a bimodal IT management model), enterprise architecture, IT maintenance,
network/system administration, IT security, etc.

There are two major IT departmental/structural models an organization can use: a
centralized structure versus a decentralized structure:

 Centralized Structure: A centralized IT departmental model is one where all core IT
systems and networks are managed by a central organization, such that all systems
can be easily integrated and managed from a single IT central hub.
 Centralized Structure Pros: better budget control, easier governance, better
standardization, better alignment across the entire technology portfolio, easier
project/workflow integration, more feasible IT management.
 Centralized Structure Cons: may become bureaucratic, business departments may be
unhappy fighting with other departments to get their tech initiatives prioritized.
 Decentralized Structure: A decentralized IT departmental structure is one where the
management of critical IT components, system controls and networks is distributed
amongst multiple, different core IT centers within the overarching enterprise IT
infrastructure, allowing different sub-departments and teams to utilize different
resources within their own sub-systems/intranets.
 Decentralized Structure Pros: individual departments/business units have more direct
control over their tech projects and priorities; generally decentralized groups can get
faster results (less overhead and prioritization fights).
 Decentralized Structure Cons: solutions optimized at the department level often
result in inefficiencies at the enterprise level (“silos” of disconnected data and
business processes); too much departmental independence can lead to integration
challenges and unnecessarily duplicative systems and data.

Often the best approach is to use a centralized IT organizational model with strong
departmental relationships and focused goals, which includes using dedicated resources for
specific areas (that are managed centrally). This approach provides the control and
efficiency of a centralized organizational model, while also providing departments/business
units with a strong influence over the priorities for their respective areas.

Determine How Many Internal vs Outsourced IT Staff You Will Have

The organizational blueprint associated with the structure of a company’s IT department
must take into account the differences between internal staff/personnel within the
organization’s main structure versus outsourced IT staff that are not a part of the internal
departmental teams. Such a structural plan should align with the overall goals of the
organization, and should thus separate internal staff (associated with accomplishing certain
organizational goals within specified IT teams) versus outsourced staff that are not a core
part of the overarching IT departmental structure.

For instance, there are several IT roles that are traditionally fulfilled by internal staff, and
several roles that are commonly fulfilled by outsourced staff – however, in today’s global IT
ecosystem, there is no clear-cut rule for separating internal staff from outsourced staff.
Utilizing the most cost-effective, robust IT resources is key for any growing business, and
thus both efficiency (including operational productivity) and overhead (including internal
staff training costs) must be taken into account when deciding to use outsourced staff
versus hiring internal staff.

While it is possible for businesses to save over 15-20 percent in costs by outsourcing
specific tasks to trained professionals, there are times when it is more advantageous to
utilize in-house staff, such as for tasks associated with automation, and tasks that are
consistent and routine. Using outsourced staff, however, may help to save more money and
resources with regard to specific, highly-skilled, non-routine business tasks. Here are some
IT roles that are often outsourced to skilled professionals:

 Support Desk
 Network Administrator
 Software Developer
 Software Tester
 Engineer
 Security Analyst
 Systems/Database Engineer

With a comprehensive IT strategic plan, it is possible for executives to craft the perfect IT
departmental structure based on the determinations associated with the enterprise using
internal IT staff versus outsourced IT staff.

Roles and Functions Which Must Be Accounted For

Though the ideal structure of an organization’s IT department can vary according to the
goals of the enterprise, there are standard functions and roles/teams that every IT
department should have within its superstructure.

Service Desk and Support Roles

All IT departments require personnel that are trained and focused on providing technical
support to all departments in the event of technical failures and IT issues. An optimal service
desk is one that is focused on problem-solving, and has the ability to quickly and efficiently
fix issues as they arise, including providing maintenance to IT systems, and helping to
prevent future technical problems.

IT Governance: Program/Project Management, Vendor Management, and Budget/Financial Controls

The four core operations carried out by managers are planning, organizing, leading, and
controlling. Within that scope, IT governance requires program/project managers, vendor
managers, and IT financial analysts. Within an IT infrastructure, services and projects are
based on the specific components of said IT infrastructure. Typically, an IT infrastructure is
composed of hardware systems, enterprise systems, software systems, network systems, and
database systems.

In order for an IT infrastructure to be utilized effectively, IT sub-departments should include
teams for projects/programs, teams associated with technical contracts/vendors, and teams
associated with fine-tuning and managing the IT department’s finances in order to provide
the requisite resources that are needed by each IT sub-department/team. Each of the above
should be managed effectively by skilled professionals, and should include an integrative
approach that allows the different, aforementioned teams to work together in a cohesive
manner.

Enterprise Architecture

Enterprise Architecture (EA), with regard to IT systems/departments, focuses on the
fulfillment of business strategies using IT systems, based on enterprise analysis, design and
strategic planning. EA requires a comprehensive, detailed alignment strategy that seeks to
translate business goals/needs into pertinent IT solutions and services. Additionally,
Enterprise Architecture aims to assess changes within an enterprise’s industry/operations in
order to produce appropriate application portfolios and roadmaps.

Deployment & Maintenance of Infrastructure Required

In the initial stages of an enterprise’s development, and as a business grows, the dynamic
nature of workplace operations translates to a requirement for constant maintenance of IT
systems, along with the initial planning, installation, testing, and deployment of IT
components. Maintenance workflows may include simple technical fixes, or large system
upgrades, along with security patches, updates, and recovery operations.

Networks and Systems Administration

One of the most critical aspects of any modern IT infrastructure is the function associated
with an enterprise’s internal network, along with a business’s overall network (including all
LAN/WAN, wireless, and Internet access). In conjunction with network security, network and
systems administration includes database storage/cloud system utilization, installation of
security controls (i.e. firewalls, web application firewalls, intrusion detection systems), a
functional and secure network architecture, and constant scanning, testing and traffic
monitoring of all network operations.

Additionally, network administration workflows include the effective management of all
network operating systems and monitoring systems. With regard to an enterprise’s web
services (e.g. web hosting services for a company website), the setting up of a demilitarized
zone for the web server, and the use of security controls, is also of importance in order for
the business’s external-facing networks (associated with the public Internet) to operate
efficiently and in a secure manner.

DevOps Is Becoming More & More Important

The development and evolution of very specific, functional departments within enterprises
has often given rise to departmental silos, which sometimes operate as completely separate,
distinct micro-organizations within a business that may or may not effectively communicate
and/or work together. In order for modern businesses to continue to offer value in an
increasingly technology-dominated world, business departments have sought to integrate
different departmental workflows in order to increase communications, productivity and
operational efficiency.

One significant example is with DevOps, which integrates software development practices
with automated testing and IT production operations. Essentially, DevOps combines
workflows – and consequently departmental operations – from the software development
lifecycle (SDLC) and IT operations (including testing and security) in order to deliver
products in a more efficient manner, while breaking down the barriers of departmental silos
within software development firms.

Application Management (Including Software Development)

Application Management is a critical function within any IT department, and includes both
Software Development – and the optimal management of an application’s Software
Development Life Cycle (SDLC) – and the patching, updating and maintenance of all
operational business applications within an enterprise. Application management is
necessary in order to ensure that all back-end IT software systems (applications) operate at
peak performance.

Information Security
Every IT department should include a skilled, trained team of cybersecurity analysts,
engineers, and security testers, to ensure that all attack surfaces are covered, and that the
security posture of the hardware, software and networking IT infrastructure is solid. In an
age of increasing data breaches, having security specialists to conduct passive and active
vulnerability scans/penetration tests is an important step in maintaining data security, while
the installation of security controls (e.g. Unified Threat Management, Web Application
Firewalls, Intrusion Detection Systems, Next-Generation Firewalls, etc.) and the routine
completion of security analyses (e.g. threat modeling, security scanning, security
administration, malware analysis, secure database management/encryption of private data,
etc.) are critical.

These steps not only help to protect a company’s customers, but also demonstrate due
diligence that protects the company, since many U.S. laws and compliance standards – such as
Sarbanes-Oxley, HIPAA, PCI-DSS – require due diligence on the part of companies to ensure
complete data security. Additionally, having adequate security management – in the form of
a Chief Information Security Officer (CISO) – is an important step to ensure that all IT
security operations are carried out effectively.

The IT Infrastructure Library (ITIL) Provides Some Tried and Tested Approaches

ITIL offers a comprehensive guide to best practices associated with the establishment of an
optimal IT department, and the effective execution of IT departmental operations. The ITIL
framework offers five core processes that can be used to align all business goals with the IT
infrastructure, and by extension, the overarching structure of the IT department:

 Service Strategy: Aligning the critical business goals/model with the components and
services of the enterprise’s IT infrastructure.
 Service Design: The IT services that the IT systems offer in order to support the
business’s operations.
 Service Transition: The transition from a planning/developmental phase to an
operational/management phase.
 Service Operation: Operating all services according to the service-level agreements in
place.
 Continual Service Improvement: Analyzing and offering improvements for each
service in order to increase service quality.

Data Center

At its simplest, a data center is a physical facility that organizations use to house their critical
applications and data. To learn more, click on the link.

What Is a Data Center

At its simplest, a data center is a physical facility that organizations use to house their critical
applications and data. A data center's design is based on a network of computing and
storage resources that enable the delivery of shared applications and data. The key
components of a data center design include routers, switches, firewalls, storage systems,
servers, and application delivery controllers.

What defines a modern data center?

Modern data centers are very different from what they were just a short time ago. Infrastructure
has shifted from traditional on-premises physical servers to virtual networks that support
applications and workloads across pools of physical infrastructure and into a multicloud
environment.

In this era, data exists and is connected across multiple data centers, the edge, and public
and private clouds. The data center must be able to communicate across these multiple
sites, both on-premises and in the cloud. Even the public cloud is a collection of data
centers. When applications are hosted in the cloud, they are using data center resources
from the cloud provider.

Why are data centers important to business?

In the world of enterprise IT, data centers are designed to support business applications and
activities that include:

 Email and file sharing
 Productivity applications
 Customer relationship management (CRM)
 Enterprise resource planning (ERP) and databases
 Big data, artificial intelligence, and machine learning
 Virtual desktops, communications and collaboration services

What are the core components of a data center?

Data center design includes routers, switches, firewalls, storage systems, servers, and
application delivery controllers. Because these components store and manage business-
critical data and applications, data center security is critical in data center design. Together,
they provide:

Network infrastructure. This connects servers (physical and virtualized), data center
services, storage, and external connectivity to end-user locations.

Storage infrastructure. Data is the fuel of the modern data center. Storage systems are
used to hold this valuable commodity.

Computing resources. Applications are the engines of a data center. These servers provide
the processing, memory, local storage, and network connectivity that drive applications.

How do data centers operate?

Data center services are typically deployed to protect the performance and integrity of the
core data center components.

Network security appliances. These include firewall and intrusion protection to safeguard
the data center.

Application delivery assurance. To maintain application performance, these mechanisms
provide application resiliency and availability via automatic failover and load balancing.

What is in a data center facility?

Data center components require significant infrastructure to support the center's hardware
and software. These include power subsystems, uninterruptible power supplies (UPS),
ventilation, cooling systems, fire suppression, backup generators, and connections to
external networks.

What are the standards for data center infrastructure?

The most widely adopted standard for data center design and data center infrastructure is
ANSI/TIA-942. It includes standards for ANSI/TIA-942-ready certification, which ensures
compliance with one of four categories of data center tiers rated for levels of redundancy
and fault tolerance.

Tier 1: Basic site infrastructure. A Tier 1 data center offers limited protection against
physical events. It has single-capacity components and a single, nonredundant distribution
path.

Tier 2: Redundant-capacity component site infrastructure. This data center offers
improved protection against physical events. It has redundant-capacity components and a
single, nonredundant distribution path.

Tier 3: Concurrently maintainable site infrastructure. This data center protects against
virtually all physical events, providing redundant-capacity components and multiple
independent distribution paths. Each component can be removed or replaced without
disrupting services to end users.

Tier 4: Fault-tolerant site infrastructure. This data center provides the highest levels of
fault tolerance and redundancy. Redundant-capacity components and multiple
independent distribution paths enable concurrent maintainability and one fault
anywhere in the installation without causing downtime.

Types of data centers

Many types of data centers and service models are available. Their classification depends on
whether they are owned by one or many organizations, how they fit (if they fit) into the
topology of other data centers, what technologies they use for computing and storage, and
even their energy efficiency. There are four main types of data centers:

Enterprise data centers

These are built, owned, and operated by companies and are optimized for their end users.
Most often they are housed on the corporate campus.

Managed services data centers

These data centers are managed by a third party (or a managed services provider) on behalf
of a company. The company leases the equipment and infrastructure instead of buying it.

Colocation data centers

In colocation ("colo") data centers, a company rents space within a data center owned by
others and located off company premises. The colocation data center hosts the
infrastructure: building, cooling, bandwidth, security, etc., while the company provides and
manages the components, including servers, storage, and firewalls.

Cloud data centers

In this off-premises form of data center, data and applications are hosted by a cloud
services provider such as Amazon Web Services (AWS), Microsoft Azure, IBM Cloud, or
another public cloud provider.


Infrastructure evolution: from mainframes to cloud applications

Computing infrastructure has experienced three macro waves of evolution over the last 65
years:

 The first wave saw the shift from proprietary mainframes to x86-based servers, based
on-premises and managed by internal IT teams.
 A second wave saw widespread virtualisation of the infrastructure that supported
applications. This allowed for improved use of resources and mobility of workloads
across pools of physical infrastructure.
 The third wave finds us in the present, where we are seeing the move to cloud,
hybrid cloud and cloud-native. The latter describes applications born in the cloud.

Distributed network of applications

This evolution has given rise to distributed computing. This is where data and applications
are distributed among disparate systems, connected and integrated by network services and
interoperability standards to function as a single environment. It has meant the term data
center is now used to refer to the department that has responsibility for these systems
irrespective of where they are located.

Organizations can choose to build and maintain their own hybrid cloud data centers, lease
space within colocation facilities (colos), consume shared compute and storage services, or
use public cloud-based services. The net effect is that applications today no longer reside in
just one place. They operate in multiple public and private clouds, managed offerings, and
traditional environments. In this multicloud era, the data center has become vast and
complex, geared to drive the ultimate user experience.

For more on Data Centers, click on the video below

https://youtu.be/Amow8BJm5Go

Outsourcing the IT function

IT outsourcing is the business practice of using external providers to handle information
technology functions, e.g. software development, infrastructure solutions and software
support. Popular reasons to outsource include access to better skills, a better price-to-quality
ratio and ease of scaling up. For more on this topic, kindly click on the link

What Is IT Outsourcing?

IT outsourcing is the business practice of using external providers to handle information
technology functions, e.g. software development, infrastructure solutions and software support.

Popular reasons to outsource include access to better skills, a better price-to-quality ratio and
ease of scaling up. Companies also often outsource data storage because it is cheaper to
contract a third party than to buy and maintain their own data storage devices and facilities.

5 Main Advantages of Outsourcing

1. Reduced Expenses
2. Access to Global Talent Pool
3. Significant Time Savings
4. Ability to Upscale Fast
5. Uninterrupted workflow

Reduced Expenses

You get to enjoy significant cost savings when you outsource to a country with lower
production costs: a lower cost of living for employees, meaning lower salaries, as well as
lower infrastructure and operational costs.

Access to Global Talent Pool

Outsourcing allows you to reach professionals that may be in short supply or unavailable
locally.

Significant Time Savings

When you partner with an outsourcing vendor, you don’t have to advertise for, interview,
select, and train new in-house employees, all of which can be very time-consuming. Instead,
you can concentrate on improving the qualifications of your existing employees and giving
them materials for further study.

Ability to Upscale Fast

You’ll be able to work with new clients and take on new projects without having to spend
time on the processes described above.

Uninterrupted workflow

Your business will function round the clock thanks to the time difference between the in-
house team and the outsourcing vendor’s team.

The Disadvantages of Outsourcing

Time Difference

This can be a curse as much as a blessing, and in the worst cases it can significantly hamper
the communication flow between you and your outsourcing partner.

Language Barriers

Language barriers can result in miscommunication and wasted effort unless you and the
vendor you partner with have at least one language in common.

Different Work Habits

Different work habits, which can result from different cultural environments, can interrupt
your established workflow and will definitely need getting used to.

Long Distances

Extremely long distances between you and the outsourcing vendor can turn business trips
into an expensive and tiresome experience.

Reasons for Outsourcing

1. To Reduce Cost

More often than not, outsourcing means saving money. This is often due to lower labor
costs, cheaper infrastructure, or an advantageous tax system in the outsourcing location.

2. To Access Skills That Are Unavailable Locally

Resources that are scarce at home can sometimes be found in abundance elsewhere,
meaning you can easily reach them through outsourcing.

3. To Better Use Internal Resources

By delegating some of your business processes to a third party, you’ll give your in-house
employees the opportunity to focus on more meaningful tasks.

4. To Accelerate Business Processes

When you stop wasting time on mundane, time-consuming processes, you’ll be able to
move forward with your core offering a lot faster.

5. Globalization

When you delegate a non-core function to a third-party vendor by outsourcing it, you give
away the responsibility and the related risks along with it.

For more on IT Outsourcing, see the video below

https://youtu.be/hkjBhwWgZAs

Auditing in an Operating System

This is an investigation to review the performance of an operational system. The
objectives of conducting a system audit are: to compare actual and planned performance; to
verify that the stated objectives of the system are still valid in the current environment; and
to evaluate the achievement of the stated objectives. For more on this, kindly click on the link

Overview

The operating system is the computer’s control program. It allows users and their
applications to share and access common computer resources, such as processors, main
memory, databases, and printers. If operating system integrity is compromised, controls
within individual accounting applications may also be circumvented or neutralized. Because
the operating system is common to all users, the larger the computer facility, the greater the
scale of potential damage. Thus, with an ever-expanding user community sharing more and
more computer resources, operating system security becomes an important internal control
issue.

Operating System Objectives

The tasks of an operating system are as follows:

 Translate high-level language
 Allocate computer resources
 Manage tasks

Translate high-level language.

First, it translates high-level languages, such as COBOL, C++, BASIC, and SQL, into the
machine-level language that the computer can execute. The language translator modules of
the operating system are called compilers and interpreters.

Allocate computer resources.

Second, the operating system allocates computer resources to users, workgroups, and
applications. This includes assigning memory work space (partitions) to applications and
authorizing access to terminals, telecommunications links, databases, and printers.

Manage tasks

Third, the operating system manages the tasks of job scheduling and multiprogramming. At
any point, numerous user applications (jobs) are seeking access to the computer resources
under the control of the operating system. Jobs are submitted to the system in three ways:
(1) directly by the system operator, (2) from various batch-job queues, and (3) through
telecommunications links from remote workstations. To achieve efficient and effective use
of finite computer resources, the operating system must schedule job processing according
to established priorities and balance the use of resources among the competing
applications.

Fundamental Control Objectives

 The operating system must protect itself from users.
 The operating system must protect users from each other.
 The operating system must protect users from themselves.
 The operating system must be protected from itself.
 The operating system must be protected from its environment.

Operating System Security

Overview

Operating system security involves policies, procedures, and controls that determine who can
access the operating system, which resources (files, programs, printers) they can use, and
what actions they can take. The following security components are found in secure operating
systems: log-on procedure, access token, access control list, and discretionary access
privileges.

Log-on Procedure

A formal log-on procedure is the operating system’s first line of defense against
unauthorized access. When the user initiates the process, he or she is presented with a
dialog box requesting the user’s ID and password. The system compares the ID and
password to a database of valid users.

Access Token

If the log-on attempt is successful, the operating system creates an access token that
contains key information about the user, including user ID, password, user group, and
privileges granted to the user. The information in the access token is used to approve all
actions the user attempts during the session.

Access Control List

An access control list is assigned to each IT resource (computer directory, data file,
program, or printer), which controls access to the resources. These lists contain information
that defines the access privileges for all valid users of the resource. When a user attempts to
access a resource, the system compares his or her ID and privileges contained in the access
token with those contained in the access control list. If there is a match, the user is granted
access.

Discretionary Access Privileges

The central system administrator usually determines who is granted access to specific
resources and maintains the access control list. In distributed systems, however, end users
may control (own) resources. Resource owners in this setting may be granted discretionary
access privileges, which allow them to grant access privileges to other users.
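The four components just described (log-on procedure, access token, access control list and discretionary access privileges) can be shown working together in a few lines. The following is an added example written for these notes, not code from any real operating system or from the source material: the user database, passwords, group names, resource names and ACL entries are constructed sample values, and the salted PBKDF2 hashing of stored credentials is an assumption about how a sensible log-on procedure keeps its user database.

```python
"""Added example for these notes (not code from any real operating system):
a minimal model of log-on, access token, access control list and
discretionary access privileges. All users, passwords and resources are
constructed sample values."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

SALT = os.urandom(16)  # constructed per-run salt; a real system salts per user


def _hash(password: str, salt: bytes) -> bytes:
    # Assumption: credentials are stored as a salted PBKDF2 hash, never in clear.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed database of valid users: hash, group and system-wide privileges.
USER_DB = {
    "alice": {"hash": _hash("correct horse", SALT), "group": "finance",
              "privs": {"read", "write"}},
    "bob": {"hash": _hash("hunter2", SALT), "group": "ops",
            "privs": {"read", "write"}},
}


@dataclass
class AccessToken:
    """What the OS keeps for the session: identity, group and privileges
    (the password itself is not needed once log-on has succeeded)."""
    user_id: str
    group: str
    privileges: set


@dataclass
class Acl:
    """ACL for one resource: who owns it and which principals may do what."""
    owner: str
    entries: dict = field(default_factory=dict)


# Constructed ACLs, keyed by resource name.
ACLS = {
    "/ledger.db": Acl(owner="alice",
                      entries={"alice": {"read", "write"}, "finance": {"read"}}),
    "/payroll.csv": Acl(owner="bob", entries={"bob": {"read", "write"}}),
}


def logon(user_id: str, password: str) -> Optional[AccessToken]:
    """Log-on procedure: compare the supplied ID and password with the user
    database; issue an access token only on success."""
    rec = USER_DB.get(user_id)
    if rec is None:
        return None
    if not hmac.compare_digest(rec["hash"], _hash(password, SALT)):
        return None
    return AccessToken(user_id, rec["group"], set(rec["privs"]))


def check_access(token: AccessToken, resource: str, action: str) -> bool:
    """Compare the token's ID, group and privileges with the resource's ACL.
    Both the user's own privileges and an ACL entry must allow the action."""
    acl = ACLS.get(resource)
    if acl is None or action not in token.privileges:
        return False
    return any(action in acl.entries.get(p, set())
               for p in (token.user_id, token.group))


def grant(token: AccessToken, resource: str, grantee: str, action: str) -> bool:
    """Discretionary access privilege: only the resource owner may extend
    the ACL to another user or group."""
    acl = ACLS.get(resource)
    if acl is None or acl.owner != token.user_id:
        return False
    acl.entries.setdefault(grantee, set()).add(action)
    return True
```

The point an auditor should take from the model is that the decision at access time is made entirely from the token and the ACL, so the quality of both the log-on check (what goes into the token) and the administration of the ACLs (who may change them) determines the control.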

Threats to Operating System Integrity

Overview

Operating system control objectives may not be achieved because of flaws in the
operating system that are exploited either accidentally or intentionally. Accidental threats
include hardware failures that cause the operating system to crash. Errors in user application
programs, which the operating system cannot interpret, also cause operating system
failures.

Accidental system failures may cause whole segments of memory to be dumped
to disks and printers, resulting in the unintentional disclosure of confidential information.
Intentional threats to the operating system are most commonly attempts to illegally access
data or violate user privacy for financial gain. However, a growing threat is destructive
programs from which there is no apparent gain.

Sources of Exposures

1. Privileged personnel who abuse their authority. Systems administrators and systems
programmers require unlimited access to the operating system to perform maintenance and
to recover from system failures. Such individuals may use this authority to access users’
programs and data files.
2. Individuals, both internal and external to the organization, who browse the operating
system to identify and exploit security flaws.
3. Individuals who intentionally (or accidentally) insert computer viruses or other forms of
destructive programs into the operating system.

Operating System Controls and Audit Tests

Overview

If operating system integrity is compromised, controls within individual accounting
applications that impact financial reporting may also be compromised. For this reason, the
design and assessment of operating system security controls are SOX compliance issues.

Controlling Access Privileges

The way access privileges are assigned influences system security. Privileges should,
therefore, be carefully administered and closely monitored for compliance with
organizational policy and principles of internal control.

Audit Objectives Relating to Access Privileges

The auditor’s objective is to verify that access privileges are granted in a manner that is
consistent with the need to separate incompatible functions and is in accordance with the
organization’s policy.

Audit Procedures Relating to Access Privileges

To achieve their objectives auditors may perform the following tests of controls:
• Review the organization’s policies for separating incompatible functions and ensure that
they promote reasonable security.
• Review the privileges of a selection of user groups and individuals to determine if their
access rights are appropriate for their job descriptions and positions. The auditor should
verify that individuals are granted access to data and programs based on their need to know.
• Review personnel records to determine whether privileged employees undergo an
adequately intensive security clearance check in compliance with company policy.
• Review employee records to determine whether users have formally acknowledged their
responsibility to maintain the confidentiality of company data.
• Review the users’ permitted log-on times. Permission should be commensurate with the
tasks being performed.
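Three of the tests above (separation of incompatible functions, need-to-know review of privileges against job descriptions, and review of permitted log-on times) lend themselves to an automated check over an extract of user accounts. The following is an added example for these notes, not code from the source material or from any audit tool: the incompatible-function pairs, the role-to-function matrix, the user extract and the rule that only an on-call role justifies round-the-clock log-on are all constructed assumptions.

```python
"""Added example for these notes: an automated review of access privileges
against the tests of controls listed above. The incompatible-function pairs,
roles and user extract are constructed sample data, not from any real
organization."""

# Constructed policy: functions that must not be held by one person.
INCOMPATIBLE = [
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"develop_program", "move_to_production"}),
]

# Constructed job-description matrix: the functions each role needs to know.
ROLE_NEEDS = {
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_manager": {"approve_payment"},
    "developer": {"develop_program"},
    "change_manager": {"move_to_production"},
    "ops_oncall": {"restart_service"},
}

# Constructed extract of user accounts as pulled from the operating system.
# logon_window is (start_hour, end_hour) in 24-hour time.
USERS = [
    {"id": "jdoe", "role": "ap_clerk",
     "privs": {"create_vendor", "enter_invoice"}, "logon_window": (8, 18)},
    {"id": "msmith", "role": "ap_manager",
     "privs": {"approve_payment", "create_vendor"}, "logon_window": (8, 18)},
    {"id": "devops1", "role": "developer",
     "privs": {"develop_program", "move_to_production"}, "logon_window": (0, 24)},
]

# Roles for which round-the-clock log-on is justified (assumption).
ROUND_THE_CLOCK_ROLES = {"ops_oncall"}


def review_user(user: dict) -> list:
    """Return the audit findings for one account (empty list = no exception)."""
    findings = []
    privs = user["privs"]
    # Test 1: separation of incompatible functions.
    for pair in INCOMPATIBLE:
        if pair <= privs:
            findings.append(f"{user['id']}: holds incompatible functions {sorted(pair)}")
    # Test 2: need to know, i.e. privileges beyond the job description.
    excess = privs - ROLE_NEEDS.get(user["role"], set())
    if excess:
        findings.append(f"{user['id']}: privileges beyond role {user['role']}: {sorted(excess)}")
    # Test 3: permitted log-on times commensurate with the tasks performed.
    start, end = user["logon_window"]
    if (start, end) == (0, 24) and user["role"] not in ROUND_THE_CLOCK_ROLES:
        findings.append(f"{user['id']}: 24-hour log-on permission not justified by role")
    return findings


def review_all(users: list) -> dict:
    """Map each user with at least one finding to that user's findings."""
    report = {}
    for user in users:
        findings = review_user(user)
        if findings:
            report[user["id"]] = findings
    return report
```

In the constructed extract, jdoe produces no findings, msmith holds both sides of the vendor-creation/payment-approval pair, and devops1 can both develop and promote programs and is permitted to log on at any hour. Each finding is then a question for management, not a conclusion.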

Password Control

A password is a secret code the user enters to gain access to systems, applications, data
files, or a network server. If the user cannot provide the correct password, the operating
system should deny access. Although passwords can provide a degree of security, when
imposed on nonsecurity-minded users, password procedures can result in end-user behavior
that actually circumvents security.

The most common forms of contra-security behavior include:
• Forgetting passwords and being locked out of the system.
• Failing to change passwords on a frequent basis.
• The Post-it syndrome, whereby passwords are written down and displayed for others to see.
• Simplistic passwords that a computer criminal easily anticipates.

The most common method of password control is the reusable password. The user defines
the password to the system once and then reuses it to gain future access. The quality of the
security that a reusable password provides depends on the quality of the password itself. If
the password pertains to something personal about the user, such as a child’s name, pet’s
name, birth date, or hair color, a computer criminal can often deduce it.

To improve access control, management should require that passwords be changed regularly
and disallow weak passwords. Software is available that automatically scans password files
and notifies users that their passwords have expired and need to be changed.

The one-time password was designed to overcome the aforementioned problems. Under this
approach, the user’s password changes continuously. This technology employs a credit
card–sized smart card that contains a microprocessor programmed with an algorithm that
generates, and electronically displays, a new and unique password every 60 seconds. Another
example: CAPTCHA.

Audit Objectives Relating to Passwords

The auditor’s objective here is to ensure that the organization has an adequate and effective
password policy for controlling access to the operating system.

Audit Procedures Relating to Passwords

The auditor may achieve this objective by performing the following tests:
• Verify that all users are required to have passwords.
• Verify that new users are instructed in the use of passwords and the importance of
password control.
• Review password control procedures to ensure that passwords are changed regularly.
• Review the password file to determine that weak passwords are identified and disallowed.
This may involve using software to scan password files for known weak passwords.
• Verify that the password file is encrypted and that the encryption key is properly secured.
• Assess the adequacy of password standards such as length and expiration interval.
• Review the account lockout policy and procedures. Most operating systems allow the
system administrator to define the action to be taken after a certain number of failed log-on
attempts. The auditor should determine how many failed log-on attempts are allowed before
the account is locked. The duration of the lockout also needs to be determined. This could
range from a few minutes to a permanent lockout that requires formal reactivation of the
account.

Controlling Against Malicious and Destructive Programs

Threats from destructive programs can be substantially reduced through a combination of
technology controls and administrative procedures. The following examples are relevant to
most operating systems.
• Purchase software only from reputable vendors and accept only those products that are in
their original, factory-sealed packages.
• Issue an entity-wide policy pertaining to the use of unauthorized software or illegal
(bootleg) copies of copyrighted software.
• Examine all upgrades to vendor software for viruses before they are implemented.
• Inspect all public-domain software for virus infection before using.
• Establish entity-wide procedures for making changes to production programs.
• Establish an educational program to raise user awareness regarding threats from viruses
and malicious programs.
• Install all new applications on a stand-alone computer and thoroughly test them with
antiviral software prior to implementing them on the mainframe or local area network (LAN)
server.
• Routinely make backup copies of key files stored on mainframes, servers, and workstations.
• Wherever possible, limit users to read and execute rights only. This allows users to extract
data and run authorized applications, but denies them the ability to write directly to
mainframe and server directories.
• Require protocols that explicitly invoke the operating system’s log-on procedures to bypass
Trojan horses.
• Use antiviral software (also called vaccines) to examine application and operating system
programs for the presence of a virus and remove it from the affected program.

Audit Objective Relating to Viruses and Other Destructive Programs

The key to computer virus control is prevention through strict adherence to organizational
policies and procedures that guard against virus infection. The auditor’s objective is to verify
that effective management policies and procedures are in place to prevent the introduction
and spread of destructive programs, including viruses, worms, back doors, logic bombs, and
Trojan horses.

Audit Procedures Relating to Viruses and Other Destructive Programs

• Through interviews, determine that operations personnel have been educated about
computer viruses and are aware of the risky computing practices that can introduce and
spread viruses and other malicious programs.
• Verify that new software is tested on standalone workstations prior to being implemented
on the host or network server.
• Verify that the current version of antiviral software is installed on the server and that
upgrades are regularly downloaded to workstations.

System Audit Trail Controls

System audit trails are logs that record activity at the system, application, and user level.
Operating systems allow management to select the level of auditing to be recorded in the
log. Management needs to decide where to set the threshold between information and
irrelevant facts. An effective audit policy will capture all significant events without cluttering
the log with trivial activity. Audit trails typically consist of two types of audit logs: (1)
detailed logs of individual keystrokes and (2) event-oriented logs.

Keystroke monitoring involves recording both the user’s keystrokes and the system’s
responses. This form of log may be used after the fact to reconstruct the details of an event
or as a real-time control to prevent unauthorized intrusion.

Event monitoring summarizes key activities related to system resources. Event logs typically
record the IDs of all users accessing the system; the time and duration of a user’s session;
programs that were executed during a session; and the files, databases, printers, and other
resources accessed.

Setting Audit Trail Objectives

Audit trails can be used to support security objectives in three ways: (1) detecting
unauthorized access to the system, (2) facilitating the reconstruction of events, and (3)
promoting personal accountability.
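The three objectives can be demonstrated on an event-oriented log of the kind described under System Audit Trail Controls. The following is an added example written for these notes, not code from the source material or from any operating system's audit facility: the log format (timestamp, user ID, event, detail) and every entry in it are constructed, as are the thresholds of three failed log-ons and 08:00 to 18:00 business hours.

```python
"""Added example for these notes (constructed, not from the page's source):
a small analyser for an event-oriented audit log that supports the three
audit-trail objectives above: detecting unauthorized access, reconstructing
a session, and attributing resource use to a user. The log format and every
entry are constructed sample data."""
from collections import defaultdict
from datetime import datetime

# Constructed event log: timestamp, user ID, event, detail.
LOG = """\
2024-05-02T08:01:10 jdoe LOGON_FAIL console
2024-05-02T08:01:20 jdoe LOGON_FAIL console
2024-05-02T08:01:33 jdoe LOGON_FAIL console
2024-05-02T08:01:41 jdoe LOGON_OK console
2024-05-02T08:02:05 jdoe EXEC payroll_report
2024-05-02T08:03:12 jdoe OPEN /data/payroll.csv
2024-05-02T08:04:00 jdoe LOGOFF console
2024-05-02T09:15:00 msmith LOGON_OK remote
2024-05-02T09:16:30 msmith OPEN /data/ledger.db
2024-05-02T21:40:00 msmith OPEN /data/ledger.db
2024-05-02T21:41:00 msmith LOGOFF remote
"""


def parse(log: str) -> list:
    """Turn the text log into a list of event dictionaries."""
    events = []
    for line in log.splitlines():
        ts, user, event, detail = line.split(maxsplit=3)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "detail": detail})
    return events


def detect_unauthorized(events: list, fail_threshold: int = 3,
                        business_hours=(8, 18)) -> list:
    """Objective 1: a log-on that follows a burst of failures, and resource
    access outside business hours (both thresholds are assumptions)."""
    findings = []
    streak = defaultdict(int)
    for e in events:
        if e["event"] == "LOGON_FAIL":
            streak[e["user"]] += 1
        elif e["event"] == "LOGON_OK":
            if streak[e["user"]] >= fail_threshold:
                findings.append(f"{e['user']}: logon after {streak[e['user']]} "
                                f"failures at {e['ts'].time()}")
            streak[e["user"]] = 0
        elif e["event"] in ("OPEN", "EXEC"):
            if not business_hours[0] <= e["ts"].hour < business_hours[1]:
                findings.append(f"{e['user']}: {e['detail']} accessed outside "
                                f"business hours at {e['ts'].time()}")
    return findings


def reconstruct_session(events: list, user: str) -> list:
    """Objective 2: the ordered activity from a user's log-on to log-off."""
    session, inside = [], False
    for e in events:
        if e["user"] != user:
            continue
        if e["event"] == "LOGON_OK":
            inside = True
        if inside:
            session.append((e["event"], e["detail"]))
        if e["event"] == "LOGOFF":
            break
    return session


def accountability(events: list) -> dict:
    """Objective 3: attribute every resource opened or executed to a user."""
    used = defaultdict(set)
    for e in events:
        if e["event"] in ("OPEN", "EXEC"):
            used[e["user"]].add(e["detail"])
    return {user: sorted(items) for user, items in used.items()}
```

The thresholds are where management sets "the threshold between information and irrelevant facts": a lower failure count or narrower hours produce more findings to review, a higher one risks missing the event that mattered.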

For more on auditing operating systems, please see the video below
https://youtu.be/Ovlbh_2z1ho

Semi-Final Period

Auditing Electronic Data Interchange (EDI)

EDI is the electronic exchange of business transactions, in a standard format, from one
entity's computer to another entity's computer through an electronic communications
network. For more on this lesson, kindly click on the link

Electronic Data Interchange

EDI is the intercompany exchange of computer-processable business information in a standard
format. In a pure EDI environment, there are no human intermediaries to approve or
authorize transactions. Authorizations, mutual obligations, and business practices that apply
to transactions are all specified in advance under the trading partner agreement.

Audit Objectives Relating to EDI

The auditor’s objectives are to determine that (1) all EDI transactions are authorized,
validated, and in compliance with the trading partner agreement; (2) no unauthorized
organizations gain access to database records; (3) authorized trading partners have access
only to approved data; and (4) adequate controls are in place to ensure a complete audit
trail of all EDI transactions.
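Because in a pure EDI environment the trading partner agreement is the authorization, the four objectives reduce to checks a program can apply to every transaction. The following is an added example written for these notes, not code from the source material or from any EDI standard or product: the partner IDs, the three-digit transaction type codes, the amount limits, the "approved data" sets and the sample batch (which includes deliberate exceptions for the checks to find) are all constructed.

```python
"""Added example for these notes (illustrative, not from the page or any EDI
standard): checks a constructed batch of EDI transactions against trading
partner agreements, covering objectives (1) to (4) above. Partner IDs,
transaction codes, limits and the batch are constructed sample values."""
from dataclasses import dataclass

# Constructed trading partner agreements: what each partner may send and see.
AGREEMENTS = {
    "PARTNER-A": {"tx_types": {"850"}, "max_amount": 50_000, "data": {"orders"}},
    "PARTNER-B": {"tx_types": {"850", "810"}, "max_amount": 10_000,
                  "data": {"orders", "invoices"}},
}


@dataclass
class EdiTransaction:
    control_no: int      # sequential control number assigned on receipt
    partner: str         # sending organization
    tx_type: str         # transaction type code
    amount: float
    data_requested: str  # the record set the transaction touches


# Constructed batch, with deliberate exceptions for the checks to find.
BATCH = [
    EdiTransaction(1001, "PARTNER-A", "850", 12_000, "orders"),
    EdiTransaction(1002, "PARTNER-A", "810", 500, "invoices"),   # type and data not approved
    EdiTransaction(1003, "PARTNER-B", "850", 20_000, "orders"),  # exceeds agreed limit
    EdiTransaction(1005, "PARTNER-B", "810", 900, "invoices"),   # 1004 missing
    EdiTransaction(1006, "PARTNER-X", "850", 10, "orders"),      # no agreement on file
]


def validate(batch: list) -> list:
    """Objectives (1) to (3): every transaction must come from a partner with
    an agreement, be of an agreed type and amount, and touch only approved data."""
    findings = []
    for t in batch:
        agr = AGREEMENTS.get(t.partner)
        if agr is None:
            findings.append(f"{t.control_no}: unauthorized partner {t.partner}")
            continue
        if t.tx_type not in agr["tx_types"]:
            findings.append(f"{t.control_no}: type {t.tx_type} not in agreement")
        if t.amount > agr["max_amount"]:
            findings.append(f"{t.control_no}: amount {t.amount} exceeds agreed limit")
        if t.data_requested not in agr["data"]:
            findings.append(f"{t.control_no}: access to {t.data_requested} not approved")
    return findings


def audit_trail_gaps(batch: list) -> list:
    """Objective (4): control numbers must be contiguous; a missing number
    means the trail of received transactions is incomplete."""
    nums = sorted(t.control_no for t in batch)
    present = set(nums)
    return [n for n in range(nums[0], nums[-1] + 1) if n not in present]
```

The gap check is deliberately separate from the content checks: a transaction can be perfectly valid and still leave the trail incomplete if the one before it was never logged.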

For more on this topic, kindly click on the link below

https://egrove.olemiss.edu/cgi/viewcontent.cgi?article=1035&context=aicpa_guides

Auditing of the Software of a Computer Accounting System

When auditing a computerized accounting system, the independent auditor should have a
general familiarity with the effects of the use of information technology on the various
characteristics of accounting control. For more on this topic, kindly click on the link

The corporate world is becoming more and more inclined towards the use of information
technology (IT) and computer information systems (CIS) in daily operations for the
processing of data, as well as for decision making and the control of business
organizations. Computers are now used in banks, hospitals, schools, homes, etc. to keep
records and to perform other operations. Every company adopts an accounting system for
recording transactions, because companies are generally required to disclose certain financial
and management information to the government and to public users, and because accounting
is an indispensable tool in the business decision-making process [Expert tutors and first class
online study resources, 2014]. Alongside the development of information technology,
computer products such as software that make accounting easier for users of accounting
information were also developed [Drew Nelson, 2012]. Within the field of accounting alone,
computers are used in tax collection, financial operations, insurance operations, inventory
control, construction and cost estimation, among others.

This sudden change in the development of organizations led to a change in the nature of the
audit evidence generated by each financial transaction [Drew Nelson, 2012]. Auditing is
important in an organization that has a computerized accounting system in order to satisfy
the owners of the business (the shareholders) that the financial statements presented to them
are correct (present a true and fair view). It is therefore the external auditor who is required
to carry out this duty of examining the transactions and reporting the findings to the
shareholders and the public. Companies also need to satisfy themselves that the financial
statements are correct before they can use them to make decisions. They therefore employ an
auditor as a member of staff (the internal auditor), who performs an independent appraisal
function established within the organization as a service to it, with the objective of assisting
members of the organization in the effective discharge of their obligations. The auditor is
therefore required to possess reasonable knowledge of the various hardware and software
used in the organization in order to audit a computerized accounting system. The last few
years have been an exciting time in the world of IT auditing as a result of the accounting
scandals and increased regulation.

For more on this topic, click on the link below

https://ceur-ws.org/Vol-2104/paper_181.pdf

PAPS 1013 (Electronic Commerce – Effect on the Audit of Financial Statements)

Philippine Auditing Practice Statements (PAPS or Statements) are issued by the Auditing
Standards and Practices Council (ASPC) to provide practical assistance to auditors in
implementing the Philippine Standards on Auditing (PSAs) or to promote good practice.
Statements do not have the authority of PSAs. For more on this, please click on the link


https://aasc.org.ph/downloads/PAPS/publications/PDFs/PAPS-1013.pdf

Final Period

Data Management Approaches

In this article, I am going to discuss the different approaches to data management: how data
was stored in earlier days, what problems that caused, and how those problems are overcome
using the database approach. Please click on the link for more

Data Management:

In everyday life, we come across data. Data is raw fact. Every day in our work or profession
we gather data and collect information. But what is the difference between data and
information? Let us first look at data.

Data:

Basically, all the facts about things are termed data. We always deal with data. All the details
around us, such as a name, phone number or address, are data. So, in simple words, data is
raw fact, i.e. characters, numbers and special characters. For example, Empid is data, Ename
is data, Salary is data, DOJ is data, etc.

Data on its own does not give accurate or meaningful statements or information to users. For
example, from the data above we cannot say whether Warner is the name of an employee, the
name of a customer, or the name of a product, because Warner is simply data.

Information:

Among all the facts, the meaningful data is called information. We fetch only the information
from all the facts. So, in simple words, processed data or raw facts are called information,
and information provides meaningful statements.

Note: information always gives accurate or meaningful data about a particular employee,
customer, student, product, etc. For example, from the information we can say that Warner is
the name of an employee, and that 10022 is the employee ID of the employee whose name is
Miler.

Managing data is a constant factor in our daily activities, which vary according to our
requirements. Some areas of data management are data modeling, data mining, data
integration, data governance, master data management, etc.

1. Data modeling: In this concept data is designed through different models; the
relationships between data items and other details are portrayed through this concept.
2. Data mining: It is used for transforming raw data into information. It is widely used in
industry and is a major concept for handling data.
3. Data integration: It combines data from different sources and also analyzes that data
for the processing of information.
4. Data governance: Data handling policies are made under this concept; it also ensures
consistency of data fetching and addresses other related issues.

There is another term called data quality management, for fixing errors and other issues of
data.

Data Storages | Data Management Approaches:

A data storage is a location where we can store data/information. We have different types of
data storage.

1. Books & Papers
2. Flat file / Text files (File Management System)
3. DBMS / Database (Software)

Disadvantages of Books & Papers:

1. It is a completely manual process/system.
2. It requires more manpower.
3. Maintenance is very costly.
4. There is no security.
5. Only a very small amount of data/information can be stored.
6. Retrieval is very difficult as well as time-consuming.

File-Based Approach for Data Management:

In a file management system, data is stored in files with the help of the operating system.
In the conventional method, data was stored in files, and fetching and modifying data was
done through these files. Each file holds information together with all its other records.

Earlier, in any enterprise, fetching data was a big issue. For every incident, one had to go
through all the records, which were kept in files. A file is a collection of data.

The system for maintaining and managing the files is called a file system. It was used to
create and manage all the data, and the conventional file system was an important part of
any enterprise.

In a file-based system, every piece of data is stored in the form of a file. File-based systems
were the predecessor of the database; previously, databases used a file-based system. A large
number of files are needed to perform the various tasks, so each and every piece of data is
stored in the form of a file only. A group of files is used to store the data of an organization,
with different files storing different data, so multiple files will be used: file 1, file 2, file 3,
... file n. For example, in an organization the 1st file is for employee information, the 2nd
file is for employee personal details, the 3rd file is for employee company-related details,
and so on. Each file is used to store a different type of information, and each file is
independent of the others. One single file is called a flat file. Each file contained and
processed information for one specific task. All these files are designed using the C/C++
language. So, if the complete information is stored in the form of files, what are the
drawbacks? We'll see.

What is a File?

A file is a collection of related data stored in memory. Each file is used to store different
information. Here each file is independent of another file. One single file is called a Flat File.

Drawbacks of File-Based Approach for Data Management:

Data Retrieval:

If you want to retrieve data from flat files, you must develop an application program in a
high-level language, whereas if you want to retrieve data from a database you use the SQL
language. For example, to retrieve data from flat files, we need to develop an application
program using an HLL such as C, C++, Java, .Net, etc.

To retrieve data from a database, we use SQL queries such as Select * from <table name>;

Data Redundancy & Data Inconsistency:

These problems come into the picture when we store data in multiple files, where changes
made in one file will not be reflected in another copy of the file. So, Data Redundancy means
duplicate data/information, i.e. the same information is stored in multiple files, and Data
Inconsistency means data confusion.
In the case of a database, we can maintain a number of copies of the same data, and still the
changes made in one copy will be reflected in the other copies, because the database
internally maintains the ACID properties by default.

Data Redundancy:

Data redundancy means duplication of data values, i.e. the same information is duplicated in
several files. This makes the data redundant: the same information appears in different files
in different ways. Maintaining such duplication means wastage of time, wastage of money,
and wastage of storage space. So, in a file-based system the main drawback is redundancy.

Data Inconsistency:

Data Inconsistency means that different copies of the same data do not match. For example,
in one file employee A's phone no. is 9764734221, while in another file the same phone
number of employee A has a different meaning (i.e., the phone number is saved as an ID
number). So, different copies of the same data do not match; that is nothing but data
inconsistency. When the same basic data exists in different files with different meanings,
you can say that it is a data inconsistency. Example: the phone no. of a customer is different
in different files.

Data Isolation:

Data isolation means that data is scattered across different files, and the files are in
different formats, so writing a new application program to retrieve the data is difficult.
When each and every file is formatted in a different way, retrieving information from these
files is very difficult; that is nothing but data isolation.

Data Integrity:

Data integrity means data values may need to satisfy some integrity constraints. For
example, if you are maintaining a bank database, balance is one attribute, and the bank
balance values may have to satisfy an integrity constraint such as: each and every customer
should have a minimum balance of 1000/- rs. So here the bank balance value should be a
minimum of 1000/- rs.; this is nothing but an integrity constraint.

Example: If you want to fill in some application form, the age should be at least 18 yrs.;
this is nothing but an integrity constraint. So, each and every data value must satisfy some
integrity constraints.

In the file-based approach, to handle the above condition we need to write the check into the
program code, whereas in the database approach we can declare the integrity constraint
along with the definition. In other words, in the file-based approach, if you want to maintain
an integrity constraint you need to write the programming code, while in the database
approach you simply mention the integrity constraint along with the query language.

Data Atomicity:

It is difficult to ensure atomicity in the file processing system. For example, there are two
accounts, A and B, both belonging to customers, and A wants to transfer 100/- rs. to B. Here
100/- rs. is deducted from A's account but, due to some failure, it is not credited to B's
account; that is nothing but a failure of atomicity.
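The two points above, integrity constraints declared with the table definition and atomicity of a transfer, as an added example in Python with the standard sqlite3 module (this is not code from the original notes; the schema, the customers and their balances are constructed for illustration):

```python
import sqlite3

# Constructed sample schema for the bank example in the text. The minimum-balance
# (1000/-) and minimum-age (18) rules are declared as CHECK constraints next to the
# table definition, so the DBMS enforces them on every write; with flat files each
# program writing the file would have to re-implement the same checks.
SCHEMA = """
CREATE TABLE customer (
    cust_id INTEGER PRIMARY KEY,
    name    TEXT    NOT NULL,
    age     INTEGER NOT NULL CHECK (age >= 18),
    balance INTEGER NOT NULL CHECK (balance >= 1000)
);
"""

def open_bank():
    """Return an in-memory bank seeded with two constructed customers, A and B."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?, ?)",
                     [(1, "A", 30, 1050), (2, "B", 45, 5000)])
    conn.commit()
    return conn

def try_insert(conn, cust_id, name, age, balance):
    """Attempt to add a customer; True if accepted, False if a CHECK constraint rejected it."""
    try:
        with conn:  # commit on success, roll back on error
            conn.execute("INSERT INTO customer VALUES (?, ?, ?, ?)",
                         (cust_id, name, age, balance))
        return True
    except sqlite3.IntegrityError:
        return False

def transfer(conn, src, dst, amount):
    """Move `amount` from account src to account dst as one atomic transaction.
    Both UPDATEs run inside the same transaction: if the credit cannot be applied
    (no such account) or the debit would violate the minimum-balance rule, the
    whole transaction is rolled back and src keeps its original balance."""
    try:
        with conn:
            conn.execute("UPDATE customer SET balance = balance - ? WHERE cust_id = ?",
                         (amount, src))
            credited = conn.execute("UPDATE customer SET balance = balance + ? WHERE cust_id = ?",
                                    (amount, dst)).rowcount
            if credited != 1:
                raise LookupError(f"account {dst} does not exist")  # forces the rollback
        return True
    except (sqlite3.IntegrityError, LookupError):
        return False

def balances(conn):
    """Current balances as {cust_id: balance}."""
    return dict(conn.execute("SELECT cust_id, balance FROM customer ORDER BY cust_id"))

if __name__ == "__main__":
    bank = open_bank()
    print(try_insert(bank, 3, "C", 17, 2000))   # False: age below 18
    print(transfer(bank, 1, 2, 100))            # False: A would drop below 1000/-
    print(transfer(bank, 1, 99, 10))            # False: no account 99, debit rolled back
    print(transfer(bank, 1, 2, 50), balances(bank))
```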

Data Concurrent Access Violation:

If multiple users update the same data simultaneously, it will result in an inconsistent
data state. In a file processing system, this is very difficult to handle using programming code.

Security:

Enforcing security constraints in a file processing system is very difficult. For example, in the
banking system, payroll personnel need only the part of the database that has information
about the various bank employees. They don't need access to information about customer
accounts. In the bank, if anybody asks for payroll information, every piece of information
such as customer name, customer age, customer address and customer bank balance will be
there. If I ask for my details, I should see only my details; if I am able to see another
person's details, then security is not being maintained.

Data is never secure in books and flat files, whereas databases provide an excellent concept
called the role-based security mechanism for accessing data from databases in a secure
manner with the help of authentication and authorization.
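The role-based mechanism described above, as an added example (not from the original notes) in Python with the standard sqlite3 module: SQLite has no user accounts of its own, so the payroll/teller roles, the permission table and the authorizer callback below are assumptions of the example, but the enforcement point is the database engine, which refuses a forbidden column or write while compiling the statement.

```python
import sqlite3

# Constructed sample: the bank from the text, with payroll data (employees)
# kept in a separate table from customer accounts.
def open_bank():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE employee (emp_id INTEGER PRIMARY KEY, name TEXT, salary INTEGER);
        CREATE TABLE customer (cust_id INTEGER PRIMARY KEY, name TEXT, balance INTEGER);
        INSERT INTO employee VALUES (10022, 'Miler', 4200), (10023, 'Warner', 3900);
        INSERT INTO customer VALUES (1, 'A', 1050), (2, 'B', 5000);
    """)
    return conn

# Role -> tables the role may read; anything not listed is denied (least privilege).
ROLE_READ_TABLES = {
    "payroll": {"employee"},   # payroll staff need employee data, never customer accounts
    "teller":  {"customer"},
}

def bind_role(conn, role):
    """Attach an authorizer enforcing `role`'s permissions on this connection."""
    allowed = ROLE_READ_TABLES[role]

    def authorizer(action, arg1, arg2, db_name, inner):
        # For SQLITE_READ, SQLite calls once per column referenced: arg1 is the
        # table name, arg2 the column name.
        if action == sqlite3.SQLITE_READ:
            return sqlite3.SQLITE_OK if arg1 in allowed else sqlite3.SQLITE_DENY
        # Both roles are read-only: refuse every write action.
        if action in (sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE):
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK

    conn.set_authorizer(authorizer)
    return conn

def query_as(role, sql, params=()):
    """Run `sql` on a fresh connection bound to `role`; returns the rows.
    Raises sqlite3.DatabaseError when the authorizer refuses the statement."""
    conn = bind_role(open_bank(), role)
    return conn.execute(sql, params).fetchall()

def can_run(role, sql, params=()):
    """True if `role` is authorized to execute `sql`, False if it is refused."""
    try:
        query_as(role, sql, params)
        return True
    except sqlite3.DatabaseError:
        return False

if __name__ == "__main__":
    print(query_as("payroll", "SELECT name, salary FROM employee WHERE emp_id = ?", (10022,)))
    print(can_run("payroll", "SELECT name, balance FROM customer"))   # False
    print(can_run("payroll", "UPDATE employee SET salary = 0"))       # False
```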

Data Indexing:

Indexes are used for accessing data much faster, but flat files do not provide any index
mechanism, whereas databases provide an indexing mechanism. Indexes are used to access the
required data from a location quickly. Files do not support indexes.
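To see the indexing mechanism at work, here is an added example (not from the original notes) in Python with sqlite3: the same lookup is explained by the engine before and after an index is created on the searched column; the employee table and its rows are constructed for illustration.

```python
import sqlite3

def open_employees(count=5000):
    """Constructed sample: an employee table with `count` rows and no index on name."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (emp_id INTEGER PRIMARY KEY, name TEXT, dept TEXT)")
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?)",
                     ((i, f"emp{i:05d}", f"dept{i % 10}") for i in range(1, count + 1)))
    conn.commit()
    return conn

LOOKUP = "SELECT emp_id, name, dept FROM employee WHERE name = ?"

def access_plan(conn, sql, params=()):
    """Ask SQLite how it will execute `sql`; returns the top-level plan line, e.g.
    'SCAN employee' (read every row) or 'SEARCH employee USING INDEX ...' (index lookup)."""
    rows = conn.execute("EXPLAIN QUERY PLAN " + sql, params).fetchall()
    return rows[0][-1]  # the 'detail' column of the plan

def add_name_index(conn):
    conn.execute("CREATE INDEX idx_employee_name ON employee(name)")
    conn.commit()

def uses_index(plan_line):
    return "USING INDEX" in plan_line or "USING COVERING INDEX" in plan_line

if __name__ == "__main__":
    conn = open_employees()
    print(access_plan(conn, LOOKUP, ("emp04242",)))  # full table scan
    add_name_index(conn)
    print(access_plan(conn, LOOKUP, ("emp04242",)))  # index search
```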

So, organizations suffering from flat-file mechanisms for storing data or information
introduced special software to overcome these problems; it is used to store data
permanently in secondary storage devices. This software is also called DBMS software.

Database Approach for Data Management:

Considering all the above factors, a need was created for better management of data. The
situation demanded proper management of data. At this point in time, a new technology was
introduced, i.e. the Database.
Storing data in a database, fetching from it, and updating the database are the main aims,
for greater accuracy of data. The management system of this database is called a database
management system. DBMS removes the main constraints on handling data. It provides data
integrity and data consistency, and redundant data is also removed. It allows users to have a
hassle-free process for data fetching.

Database:

It is a collection of inter-related data which contains the information of an
organization/enterprise. It is obtained by collecting data from all the data sources of an
organization. The database is a computer-based record-keeping system whose overall
purpose is to record and maintain information. The database is a single, large repository of
data that can be used simultaneously by many users.

It is a collection of interrelated information; by using the database we can store, modify,
select and delete data from the database in a secure manner.

Types of Databases:

1. OLTP (Online Transaction Processing)
2. OLAP (Online Analytical Processing)

OLTP: Organizations maintain OLTP for storing "day-to-day transaction information", i.e.
basically using it for "running a business". Example: SQL Server, Oracle, MySQL, etc.

OLAP: It is used for data analysis (or) data summarization (or) the history of data of a
particular business. Example: Data warehouse.

DBMS:

It is the software that is used to manage & maintain data/information in the database. By
using a DBMS, we can create new databases and new tables, and insert, update, delete and
select data from the database.

User ----> DBMS ----> CRUD operations ----> Database

Advantages of Database Approach for Data Management:

Program Data Independence: If a database approach is used, data is stored in a central
location called a repository. The database approach allows an organization's data to be
changed in the database without modifying the application programs that process this
data.

Minimal Data Redundancy: Data redundancy exists when the same data are stored
unnecessarily in different places. The database approach does not eliminate redundancy
completely, but it provides facilities for the designer to carefully control the amount of
redundancy.

Improved Data Consistency: If the amount of data redundancy is controlled, data
inconsistency is reduced as well. It is also highly recommended to maintain the same version
of the data at all locations.

Improved Data Sharing: A database is designed as a sharable component. The DBMS helps in
creating an environment in which end users have better access to more data and manage
data better. Users are allowed to use the services of the database subject to authentication
and authorization.

Enforcement of Standards: To provide database management services, every database
administrator designs procedures & enforces standards. Procedures are the instructions
and rules that govern the design and use of a database system.

Improved Quality: The database approach provides an optimum number of tools &
processes to improve data quality. Every data designer can specify rules called integrity
constraints which users can't violate.

What are the Advantages of DBMS?

1. Avoids data redundancy
2. Avoids data inconsistency
3. Easy to manipulate data
4. Easy to access data
5. Supports data integrity rules (data validations)
6. Supports an index mechanism
7. Data retrieval is fast
8. Supports transactions with ACID properties
9. Supports data sharing
10. Provides security for data (Authentication & Authorization)

The main advantages of DBMS are:

a) Creating the database
b) Retrieval of the database
c) Updating of the database

The main motto of the database is to maintain the ACID properties of the database. What
does ACID really mean?
1. 'A' stands for Atomicity. All the data in the database is to be atomic in nature. Any
kind of data redundancy is not acceptable under any condition. Duplicate data are to be
removed from the database.
2. 'C' stands for Consistency. Any kind of inconsistency in data may lead to failure, so
all inconsistent data are to be removed from the database.
3. 'I' stands for Integrity. Data are to be integrated in order to manage the stability of
the database.
4. The last part, 'D', is Durability. The effect of a change made in the database is to be
sustained in terms of results. A durable result is desired to be found in the database.

In the next article, I am going to discuss Commonly used Database Management
Terminology. Here, in this article, I have tried to explain the different data management
approaches and why we should go for the Database approach for data management, and I
hope you enjoy this Data Management approach article.

MANAGEMENT OPPORTUNITIES, CHALLENGES, AND SOLUTIONS

Effectively managing the organization’s data resources requires much more than simply
selecting a logical database model. The database is an organizational discipline, a method,
not just a tool or technology. It requires organizational and conceptual change.
Management commitment and understanding are essential.

Opportunities

Firms have become acutely aware of how much organizational performance can be
improved by making better use of their data, as the examples in this chapter and other
chapters of the text so clearly illustrate. This is why so many companies are investing in data
mining and customer relationship management technology.

Management Challenges

It has been very difficult for organizations to manage their data effectively. A true database
environment requires an organization to change the way it defines and uses data and
typically represents a very large investment.

ORGANIZATIONAL OBSTACLES TO A DATABASE ENVIRONMENT

Implementing a database requires widespread organizational change in the role of
information (and information managers), the allocation of power at senior levels, the
ownership and sharing of information, and patterns of organizational agreement. A
database management system (DBMS) challenges the existing power arrangements in an
organization and for that reason often generates political resistance. In a traditional file
environment, each department constructed files and programs to fulfill its specific needs.
Now, with a database, files and programs must be built that take into account the whole
organization’s interest in data. Although the organization has spent the money on hardware
and software for a database environment, it may not reap the benefits it should if it is
unwilling to make the requisite organizational changes.

COST/BENEFIT CONSIDERATIONS

Designing a database to serve the enterprise can be a lengthy and costly process. In
addition to the cost of DBMS software, related hardware, and data modeling, organizations
should anticipate heavy expenditures for integrating, merging, and standardizing data from
different systems and functional areas. Despite the clear advantages of the DBMS, the short-
term costs of developing a DBMS often appear to be as great as the benefits. It may take
time for the database to provide value.


Solution Guidelines

The critical elements for creating a database environment are (1) data administration, (2)
data-planning and modeling methodology, (3) database technology and management, and
(4) users. This environment is depicted in Figure 7-18.
FIGURE 7-18 Key organizational elements in the database environment
For a database management system to flourish in any organization, data administration
functions and data-planning and modeling methodologies must be coordinated with
database technology and management. Resources must be devoted to train end users to
use databases properly.

DATA ADMINISTRATION

Database systems require that the organization recognize the strategic role of information
and begin actively to manage and plan for information as a corporate resource. This means
that the organization must develop a data administration function with the power to define
information requirements for the entire company and with direct access to senior
management. The chief information officer (CIO) or vice president of information becomes
the primary advocate in the organization for database systems.

Data administration is responsible for the specific policies and procedures through
which data can be managed as an organizational resource. These responsibilities include
developing information policy, planning for data, overseeing logical database design and
data dictionary development, and monitoring how information systems specialists and end-
user groups use data.
The fundamental principle of data administration is that all data are the property of
the organization as a whole. Data cannot belong exclusively to any one business area or
organizational unit. All data should be available to any group that requires them to fulfill its
mission. An organization needs to formulate an information policy that specifies its rules for
sharing, disseminating, acquiring, standardizing, classifying, and inventorying information
throughout the organization. Information policy lays out specific procedures and
accountabilities, specifying which organizational units share information, where information
can be distributed, and who is responsible for updating and maintaining the information.
Although data administration is a very important organizational function, it has proved very
challenging to implement.

DATA-PLANNING AND MODELING METHODOLOGY

The organizational interests served by the DBMS are much broader than those in the
traditional file environment; therefore, the organization requires enterprise-wide planning
for data. Enterprise analysis, which addresses the information requirements of the entire
organization (as opposed to the requirements of individual applications), is needed to
develop databases. The purpose of enterprise analysis is to identify the key entities,
attributes, and relationships that constitute the organization’s data. These techniques are
described in greater detail in Chapter 14.

DATABASE TECHNOLOGY, MANAGEMENT, AND USERS

Databases require new software and a new staff specially trained in DBMS techniques, as
well as new data management structures. Most corporations develop a database design and
management group within the corporate information systems division that is responsible for
defining and organizing the structure and content of the database and maintaining the
database. In close cooperation with users, the design group establishes the physical
database, the logical relations among elements, and the access rules and procedures. The
functions it performs are called database administration.

A database serves a wider community of users than traditional systems. Relational
systems with user-friendly query languages permit employees who are not computer
specialists to access large databases. In addition, users include trained computer specialists.
To optimize access for nonspecialists, more resources must be devoted to training end users.

Distributed database

A distributed database is a database that consists of two or more files located in different
sites either on the same network or on entirely different networks. Portions of the database
are stored in multiple physical locations and processing is distributed among multiple
database nodes.

A centralized distributed database management system (DDBMS) integrates data logically
so it can be managed as if it were all stored in the same location. The DDBMS synchronizes
all the data periodically and ensures that data updates and deletes performed at one
location will be automatically reflected in the data stored elsewhere.

By contrast, a centralized database consists of a single database file located at one site
using a single network.

Features of distributed databases

When in a collection, distributed databases are logically interrelated with each other, and
they often represent a single logical database. With distributed databases, data is physically
stored across multiple sites and independently managed. The processors on each site are
connected by a network, and they don't have any multiprocessing configuration.
A common misconception is that a distributed database is a loosely connected file system.
In reality, it's much more complicated than that. Distributed databases incorporate
transaction processing, but are not synonymous with transaction processing systems.

In general, distributed databases include the following features:

 Location independent
 Distributed query processing
 Distributed transaction management
 Hardware independent
 Operating system independent
 Network independent
 Transaction transparency
 DBMS independent

Distributed database architecture

Distributed databases can be homogenous or heterogeneous.

In a homogenous distributed database system, all the physical locations have the same
underlying hardware and run the same operating systems and database
applications. Homogenous distributed database systems appear to the user as a single
system, and they can be much easier to design and manage. For a distributed database
system to be homogenous, the data structures at each location must be either identical or
compatible. The database application used at each location must also be either identical or
compatible.

In a heterogeneous distributed database, the hardware, operating systems or database
applications may be different at each location. Different sites may use different schemas and
software, although a difference in schema can make query and transaction processing
difficult.

Different nodes may have different hardware, software and data structure, or they may be in
locations that are not compatible. Users at one location may be able to read data at another
location but not upload or alter it. Heterogeneous distributed databases are often difficult
to use, making them economically infeasible for many businesses.

Advantages of distributed databases

There are many advantages to using distributed databases.

Distributed databases are capable of modular development, meaning that systems can be
expanded by adding new computers and local data to the new site and connecting them to
the distributed system without interruption.

When failures occur in centralized databases, the system comes to a complete stop. When a
component fails in distributed database systems, however, the system will continue to
function at reduced performance until the error is fixed.

Admins can achieve lower communication costs for distributed database systems if the data
is located close to where it is used the most. This is not possible in centralized systems.

Types of distributed databases

Replicated data is used to create instances of data in different parts of the database. By
using replicated data, distributed databases can access identical data locally, thus avoiding
traffic. Replicated data can be divided into two categories: read-only and writable data.
Read-only versions of replicated data allow revisions only to the first instance; subsequent
enterprise data replications are then adjusted. Writable data can be altered, but the first
instance is immediately changed.

Figure: Database replication ensures the data in distributed databases remains up to date

Horizontally fragmented data involves the use of primary keys that refer to one record in
the database. Horizontal fragmentation is usually reserved for situations in which business
locations only need to access the database pertaining to their specific branch.

Vertically fragmented data involves using copies of primary keys that are available within
each section of the database and are accessible to each branch. Vertically fragmented data
is utilized when the branch of a business and the central location interact with the same
accounts in different ways.

Reorganized data is data that has been adjusted or altered for decision support databases.
Reorganized data is typically used when two different systems are handling transactions and
decision support. Decision support systems can be difficult to maintain and online
transaction processing requires reconfiguration when many requests are being made.

Separate schema data partitions the database and the software used to access it in order to
fit different departments and situations. There is usually an overlap between different
databases within separate schema data.

Examples of distributed databases

Though there are many distributed databases to choose from, some examples of distributed
databases include Apache Ignite, Apache Cassandra, Apache HBase, Couchbase
Server, Amazon SimpleDB, Clusterpoint, and FoundationDB.

Apache Ignite specializes in storing and computing large volumes of data across clusters of
nodes. In 2014, Ignite was open sourced by GridGain Systems and later accepted into the
Apache Incubator program. Apache Ignite's database uses RAM as the default storage and
processing tier.

Apache Cassandra offers support for clusters that span multiple locations, and it features its
own query language, Cassandra Query Language (CQL). Additionally, Cassandra's replication
strategies are configurable.

Apache HBase runs on top of the Hadoop Distributed File System and provides a fault-
tolerant way to store large quantities of sparse data. It also features compression, in-
memory operation and Bloom filters on a per-column basis. HBase is not intended as a
replacement for SQL database, although Apache Phoenix provides a SQL layer for HBase.

Couchbase Server is a NoSQL software package that is ideal for interactive applications that
serve multiple concurrent users by creating, storing, retrieving, aggregating, manipulating
and presenting data. To support these many application needs, Couchbase Server provides
scalable key value and JSON document access.

Amazon SimpleDB is used as a web service with Amazon Elastic Compute
Cloud and Amazon S3. Amazon SimpleDB enables developers to request and store data
with minimal database management and administrative responsibility.

Clusterpoint removes the complexity, scalability issues and performance limitations
of relational database architectures. Data is managed in XML or JSON format using open
APIs. Because Clusterpoint is a schema-free document database, it removes the scalability
problems and performance issues that most relational database architectures face.

FoundationDB is a multimodel database designed around a core database that exposes an
ordered key-value store with each transaction. These transactions support ACID properties
and are capable of reading and writing keys that are stored on any machine within the
cluster. Additional features appear in layers around this core.

Database Security and Auditing: Protecting Data Integrity and Accessibility

Database auditing involves observing a database so as to be aware of the actions of
database users. Database administrators and consultants often set up auditing for security
purposes, for example, to ensure that those without the permission to access information
do not access it. Please click on the link to learn more.
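A minimal audit trail of the kind described above, as an added example (not from the original notes) in Python with sqlite3: triggers record every balance change and deletion together with the acting user, and because SQLite has no built-in session user, the user is supplied through a registered SQL function (an assumption of this example); the customer rows are constructed.

```python
import sqlite3

SCHEMA = """
CREATE TABLE customer (cust_id INTEGER PRIMARY KEY, name TEXT, balance INTEGER);
CREATE TABLE audit_log (
    seq       INTEGER PRIMARY KEY,
    logged_at TEXT DEFAULT (datetime('now')),
    actor     TEXT NOT NULL,   -- NOT NULL: a change with no identified user is refused
    op        TEXT NOT NULL,
    cust_id   INTEGER,
    old_bal   INTEGER,
    new_bal   INTEGER
);
-- The triggers write the audit row in the same transaction as the change, so a
-- change cannot be committed without its audit entry.
CREATE TRIGGER audit_balance AFTER UPDATE OF balance ON customer BEGIN
    INSERT INTO audit_log (actor, op, cust_id, old_bal, new_bal)
    VALUES (current_actor(), 'UPDATE', OLD.cust_id, OLD.balance, NEW.balance);
END;
CREATE TRIGGER audit_delete AFTER DELETE ON customer BEGIN
    INSERT INTO audit_log (actor, op, cust_id, old_bal, new_bal)
    VALUES (current_actor(), 'DELETE', OLD.cust_id, OLD.balance, NULL);
END;
INSERT INTO customer VALUES (1, 'A', 1050), (2, 'B', 5000);  -- constructed sample rows
"""

class AuditedBank:
    def __init__(self):
        self.user = None
        self.conn = sqlite3.connect(":memory:")
        # Registered before the triggers are created so their bodies can call it.
        self.conn.create_function("current_actor", 0, lambda: self.user)
        self.conn.executescript(SCHEMA)

    def login(self, user):
        """Identify the authenticated user whose actions the audit rows will name."""
        self.user = user

    def set_balance(self, cust_id, new_balance):
        with self.conn:
            self.conn.execute("UPDATE customer SET balance = ? WHERE cust_id = ?",
                              (new_balance, cust_id))

    def delete_customer(self, cust_id):
        with self.conn:
            self.conn.execute("DELETE FROM customer WHERE cust_id = ?", (cust_id,))

    def audit_trail(self, cust_id=None):
        """Audit rows, oldest first; optionally only those touching one account."""
        sql = "SELECT actor, op, cust_id, old_bal, new_bal FROM audit_log"
        if cust_id is None:
            return self.conn.execute(sql + " ORDER BY seq").fetchall()
        return self.conn.execute(sql + " WHERE cust_id = ? ORDER BY seq", (cust_id,)).fetchall()

    def actions_by(self, actor):
        """The auditor's question: what did this user change?"""
        return self.conn.execute(
            "SELECT op, cust_id, old_bal, new_bal FROM audit_log WHERE actor = ? ORDER BY seq",
            (actor,)).fetchall()

if __name__ == "__main__":
    bank = AuditedBank()
    bank.login("teller1")
    bank.set_balance(1, 1100)
    bank.login("admin")
    bank.delete_customer(2)
    for row in bank.audit_trail():
        print(row)
```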
