With all the areas under an IT auditor’s purview, it is challenging, perhaps impossible, to be as proficient as we would like to be in all areas. Even if auditors did have time, the ever-changing landscape that introduces new technologies, modifies existing technologies and identifies new risk quickly reduces any “free” time that could be used to develop expertise. Under that scenario, IT auditors are in a position where prioritization is the best tool to manage what can be an overwhelming amount of knowledge that must be mastered. If I could identify one area that is worthy of being prioritized at the top of the list, it would be databases.
Recent events are reminders that, because of their widespread use and the volume of confidential and/or sensitive data they hold, databases remain consistent targets of malicious actors. In 2021, a database housing the personal information of 106 million visitors to Thailand was breached. Also in 2021, the largest data breach in Brazil’s history occurred, leaving tax information, addresses, credit scores and more exposed. The vulnerability of databases has continued into 2022, when the British Defense Recruitment System was hacked and the personal information of 124 British military recruits was obtained and offered for sale on the dark web. The sensitive nature of the data in the British Defense Recruitment System was an additional reminder that, although the severity of a data breach is frequently measured by the number of records affected, a breach of data that is confidential and sensitive at the national security level is severe regardless of the number of records compromised.
The very real risk of database breaches, together with the extensive use of databases, positions IT auditors to assist enterprises in gaining assurance over database security and data integrity. The first step in providing this assurance is gaining an understanding of how the enterprise uses databases (e.g., what data are housed and how the data flow). From there, auditors should make sure that they can perform tests of general database controls. Examples include controls over the database host, its configuration, data classification and change management. For additional audit considerations, please refer to ISACA’s Database Audit Program. This audit program provides auditors with an evaluative framework useful for assessing the adequacy and effectiveness of the implemented controls, enabling the enterprise to take additional actions as required to strengthen the confidentiality, integrity and availability of its database deployments.
As critical as databases are, and as busy as auditors are, it is a worthy pursuit for IT auditors to gain an understanding of the risk associated with the use of databases. You don’t have to become an expert, because we can’t develop and maintain expert-level knowledge in all the areas we would like to. However, a proficient understanding of databases, as outlined here, gives auditors an opportunity to add value in an area that is high on most enterprises’ priority lists.