
Question:

Barrel Roll Ltd. is a major Perth-based manufacturer of equipment and clothing for water sports, for example bodyboards, surfboards, water skis, bikinis, wetsuits, and T-shirts. It sells its products throughout Australia, New Zealand, and Southeast Asia.

You are an information systems auditor in the firm of external auditors that has just taken over the audit of Barrel Roll. Your partner has asked you to undertake an evaluation of the access controls used by Barrel Roll to protect its database. The company uses a major, widely sold relational database management system to manage its database. The database is maintained on a mainframe computer, and it can be accessed from a large number of microcomputers that are scattered throughout the various departments of the company. Most of the company's significant application systems are maintained using the database management system.

The audit procedures you undertake and the findings you obtain are as follows:

1. Audit procedure: Interview the system administrator and obtain the operating system user profiles to determine who has access to the database management system.

Finding: Four hundred twenty-two users have access to the mainframe. Of these, 356 have access to the database management system.

2. Audit procedure: Select a sample of 20 users from the list of users who have access to the database management system, determine their position and role within Barrel Roll, and evaluate whether they should have access to the database management system.

Finding: It is reasonable that each of the 20 users you investigate should have access to the database management system.

3. Audit procedure: The database management system maintains the list of authorized users, their authentication information, and the action privileges they have been assigned in its data dictionary. Select a sample of 50 users, evaluate whether their authentication information is likely to be secure, and check whether the action privileges they have been assigned are appropriate given their position and role within the organization.

Finding: The database management system forces users to choose passwords that are at least five characters long and that do not match words in a dictionary. The system also forces users to change their passwords every month and not to resubmit one of the last 10 passwords they have used. Interviews with users indicate they are aware of the importance of password security and that they take password security seriously. Except for two people, the action privileges assigned to users seem to be appropriate:

(a) a long-tenured clerk in the personnel department has access to payroll data, which he should not be able to access, and

(b) a production supervisor has access to inventory records, which she should not be able to access. When you discuss these two cases with the database administrator, she is surprised because her records indicate these privileges were not assigned to the personnel clerk and the production supervisor at the outset.

4. Audit procedure: Select a sample of 20 tables and 20 views from the data dictionary. For the tables, evaluate whether the level of access granted to them is appropriate. For the views, evaluate whether they have been implemented correctly.

Finding: The level of access granted to the tables seems reasonable. Some of the views are complex, but they appear to have been implemented correctly.

5. Audit procedure: Determine whether the database audit trail is activated and whether it is reviewed regularly.

Finding: The database audit trail has not been activated. The database administrator indicates that response times degrade to unacceptable levels when the audit trail facility is invoked.

Required: In light of your findings, how will you advise your partner to proceed with the remainder of the audit?
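The reconciliation that procedure 3 performs by hand, written out as an added example (this is not part of the original question and not a textbook solution). The data dictionary extract, the HR position list, the position-based authorization matrix and the DBA's own record of approved grants are modelled as SQLite tables with constructed rows; the user IDs, object names and table names are assumptions for illustration. Two queries surface the two kinds of exception the finding describes: grants the holder's position does not entitle, and grants present in the dictionary that the DBA's records say were never assigned. Because the audit trail in procedure 5 is switched off, a check like this can show what has drifted but not who granted it or when.

```python
"""Reconcile DBMS grants against position entitlements and the DBA's approval record.

Added example for procedure 3 of the Barrel Roll case. The data dictionary is
modelled as in-memory SQLite tables with constructed rows; nothing here is
Barrel Roll data, and the user/object names are assumptions.
"""
import sqlite3

# Constructed data dictionary extract: (user, object, privilege).
DICT_PRIVS = [
    ("pclerk01", "EMPLOYEE", "SELECT"),
    ("pclerk01", "PAYROLL", "SELECT"),      # assumed: the personnel clerk's payroll access
    ("payclerk02", "PAYROLL", "SELECT"),
    ("payclerk02", "PAYROLL", "UPDATE"),
    ("prodsup03", "PRODUCTION_ORDER", "SELECT"),
    ("prodsup03", "PRODUCTION_ORDER", "UPDATE"),
    ("prodsup03", "INVENTORY", "UPDATE"),   # assumed: the supervisor's inventory access
    ("invclerk04", "INVENTORY", "SELECT"),
    ("invclerk04", "INVENTORY", "UPDATE"),
]

# Constructed HR listing: (user, position).
POSITIONS = [
    ("pclerk01", "personnel clerk"),
    ("payclerk02", "payroll clerk"),
    ("prodsup03", "production supervisor"),
    ("invclerk04", "inventory clerk"),
]

# Constructed authorization matrix: (position, object, privilege) a position may hold.
ENTITLEMENTS = [
    ("personnel clerk", "EMPLOYEE", "SELECT"),
    ("payroll clerk", "PAYROLL", "SELECT"),
    ("payroll clerk", "PAYROLL", "UPDATE"),
    ("production supervisor", "PRODUCTION_ORDER", "SELECT"),
    ("production supervisor", "PRODUCTION_ORDER", "UPDATE"),
    ("inventory clerk", "INVENTORY", "SELECT"),
    ("inventory clerk", "INVENTORY", "UPDATE"),
]

# Constructed DBA approval record: the grants the DBA says she assigned at the outset.
DBA_APPROVALS = [
    ("pclerk01", "EMPLOYEE", "SELECT"),
    ("payclerk02", "PAYROLL", "SELECT"),
    ("payclerk02", "PAYROLL", "UPDATE"),
    ("prodsup03", "PRODUCTION_ORDER", "SELECT"),
    ("prodsup03", "PRODUCTION_ORDER", "UPDATE"),
    ("invclerk04", "INVENTORY", "SELECT"),
    ("invclerk04", "INVENTORY", "UPDATE"),
]


def load() -> sqlite3.Connection:
    """Build the four working tables from the constructed extracts."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE dict_privs    (usr TEXT, obj TEXT, priv TEXT);
        CREATE TABLE positions     (usr TEXT, position TEXT);
        CREATE TABLE entitlements  (position TEXT, obj TEXT, priv TEXT);
        CREATE TABLE dba_approvals (usr TEXT, obj TEXT, priv TEXT);
    """)
    con.executemany("INSERT INTO dict_privs VALUES (?,?,?)", DICT_PRIVS)
    con.executemany("INSERT INTO positions VALUES (?,?)", POSITIONS)
    con.executemany("INSERT INTO entitlements VALUES (?,?,?)", ENTITLEMENTS)
    con.executemany("INSERT INTO dba_approvals VALUES (?,?,?)", DBA_APPROVALS)
    return con


def unentitled_grants(con: sqlite3.Connection) -> list:
    """Grants in the dictionary that the holder's position does not entitle
    (the 'appropriate given position and role' test of procedure 3)."""
    return con.execute("""
        SELECT d.usr, p.position, d.obj, d.priv
        FROM dict_privs d
        JOIN positions p ON p.usr = d.usr
        LEFT JOIN entitlements e
               ON e.position = p.position AND e.obj = d.obj AND e.priv = d.priv
        WHERE e.obj IS NULL
        ORDER BY d.usr, d.obj, d.priv
    """).fetchall()


def unapproved_grants(con: sqlite3.Connection) -> list:
    """Grants present in the dictionary but absent from the DBA's approval record:
    privilege drift that bypassed the documented assignment process."""
    return con.execute("""
        SELECT usr, obj, priv FROM (
            SELECT usr, obj, priv FROM dict_privs
            EXCEPT
            SELECT usr, obj, priv FROM dba_approvals
        ) ORDER BY usr, obj, priv
    """).fetchall()


if __name__ == "__main__":
    db = load()
    for row in unentitled_grants(db):
        print("not entitled by position:", row)
    for row in unapproved_grants(db):
        print("not in DBA approval record:", row)
```

Against a real data dictionary the two queries would be run over the DBMS's own privilege catalogue rather than a constructed table, but the shape is the same: a left join against the authorization matrix for entitlement, and a set difference against the approval record for drift. When both lists name the same grants, as they do here, the question the partner will want answered is how the grants appeared, which is exactly what the disabled audit trail cannot tell you.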
