Performing a Data Warehouse Audit
By: Mitchell H. Levine, CISA
Audit Serve, Inc.
A data warehouse is defined as a central database which allows for user access. Data warehouses are established in a manner which allows easy extraction of data using tools supported by the data warehouse. The data itself is commonly needed information which is used by multiple areas within an organization to support different business processes.
Users of the data warehouse share a common goal which is to ensure that the data is accurate, current, and accessible. These three goals serve as the basis for establishing the methods to perform an audit of a data warehouse.
The first preparation step in performing a data warehouse audit is to identify the auditable entities. A system may be named a data warehouse, but in many cases systems function as a data warehouse without carrying the name and would therefore go undetected by an audit. A definition of the characteristics of a data warehouse system therefore needs to be established and distributed to all system owners to allow the proper identification of data warehouse systems.
The next step is to identify the risk level of these data warehouses. Since these data warehouses are used by a wide variety of departments for different purposes, using a survey to measure the risk would be the best course of action.
Accuracy of Data
The first goal is to ensure that the data is accurate. The first control objective is to determine whether the system owners of the data warehouse have established roles and responsibilities with respect to how data should be extracted from the originating system and transported to the data warehouse system. The management of how data is received by the data warehouse is necessary to maintain the integrity of the data.
The second control objective is to ensure that security is established within the data warehouse. All users accessing the data warehouse must have read access only. Ensuring that the data warehouse is structured as read-only files is the most critical control objective of the entire data warehouse review. To ensure compliance with this control objective, the typical data security review of the platform, operating system, and data warehouse application should be performed.
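One way to test the read-only control objective above, as an added example that is not part of the original article: the script reads a grants export and a role-membership export and reports every account that holds more than read access. The export layout, the account and table names, the single level of role nesting, and the exempted load account `etl_loader` are all assumptions made for illustration.

```python
import csv
import io

READ_ONLY = {"SELECT"}          # the only privilege end users should hold
LOAD_ACCOUNTS = {"etl_loader"}  # assumption: the designated load account may write

# Constructed sample: privilege export (grantee, object, privilege)
GRANTS_CSV = """grantee,object,privilege
analyst_role,dw.sales_fact,SELECT
finance_role,dw.sales_fact,SELECT
finance_role,dw.gl_summary,UPDATE
etl_loader,dw.sales_fact,INSERT
jsmith,dw.customer_dim,DELETE
PUBLIC,dw.customer_dim,SELECT
"""

# Constructed sample: role membership export (member, role)
MEMBERS_CSV = """member,role
adavis,analyst_role
bchen,finance_role
jsmith,analyst_role
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def find_write_access(grants, members, load_accounts=LOAD_ACCOUNTS):
    """Return sorted (account, object, privilege, via) for non-read access."""
    members_of = {}
    for m in members:
        members_of.setdefault(m["role"], set()).add(m["member"])
    findings = set()
    for g in grants:
        priv = g["privilege"].strip().upper()
        if priv in READ_ONLY:
            continue
        # A grant to a role reaches each of its members; any other grantee
        # (a user, or a role with no members) is reported as a direct grant.
        holders = members_of.get(g["grantee"])
        via = g["grantee"] if holders else "direct"
        for account in holders or {g["grantee"]}:
            if account not in load_accounts:
                findings.add((account, g["object"], priv, via))
    return sorted(findings)

if __name__ == "__main__":
    for finding in find_write_access(load(GRANTS_CSV), load(MEMBERS_CSV)):
        print(finding)
```

Each finding names the role through which the privilege was inherited, which is where the remediation would be applied.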
Data is Current
Since the users of the data warehouse files will be using it to support predefined business processes, it is critical that data is current. The method in which data is stored in the data warehouse needs to be reviewed by the auditor. This is to determine whether it provides for a structured approach for storing and retrieving data where the end user is aware of the time period that the data represents.
Data is Accessible
Data mining tools are typically used to query the data warehouse. The audit should determine whether an adequate set of tools has been provided to users for extracting data from the data warehouse. Determining the accessibility of data also requires the audit of backup and recovery procedures.
When performing an audit of the data warehouse, most of the time will be spent auditing the infrastructure group which supports the data warehouse. However, in order to ensure the accuracy of the data, it may be necessary to review all of the system areas which provide data to the data warehouse.
Copyright 2006, Audit Serve, Inc. All rights reserved. Reproduction, which includes links from other Web sites, is prohibited except by permission in writing.