Nobody should ever have direct access to the database tables

Another thing you should be aware of in accounting systems is that no one should have direct access to the tables. This means all access to the accounting system must go through stored procedures. This is to prevent fraud, not just SQL injection attacks. An internal user who wants to commit fraud should never have the ability to change data in the database tables directly. This is a critical internal control on your system. Do you really want some disgruntled employee to go to the back end of your database and have it start writing them checks? Or to hide the fact that they approved an expense to an unauthorized vendor when they don't have approval authority? Only two people in your whole organization should be able to directly access data in your financial database: your DBA and his backup. If you have many DBAs, only two of them should have this access.
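Here is what that control looks like in practice, as an added example written for this post rather than code from the original author. It uses T-SQL (SQL Server) and a made-up payables schema: the table, procedure and role names (dbo.Vendor, dbo.Expense, dbo.ApprovalAuthority, dbo.ApproveExpense, apps_payables) and the sample approval limit are assumptions for illustration. The application role gets EXECUTE on one procedure and nothing else; the procedure, not the caller, decides whether an approval is allowed. Because the procedure and the tables share an owner (dbo), SQL Server's ownership chaining lets the procedure read and write the tables without checking the caller's table permissions, so the explicit DENYs below do not break the procedure but do stop any direct path to the data.

```sql
-- Added example (not from the original post). Assumed names throughout.
-- Dialect: T-SQL, SQL Server 2012 or later (uses THROW).

CREATE TABLE dbo.Vendor (
    VendorId    int IDENTITY PRIMARY KEY,
    Name        nvarchar(200) NOT NULL,
    IsApproved  bit NOT NULL DEFAULT 0
);

CREATE TABLE dbo.Expense (
    ExpenseId   int IDENTITY PRIMARY KEY,
    VendorId    int NOT NULL REFERENCES dbo.Vendor(VendorId),
    Amount      decimal(18,2) NOT NULL,
    ApprovedBy  sysname NULL,
    ApprovedAt  datetime2 NULL
);

-- Who may approve, and up to what amount. Constructed sample row.
CREATE TABLE dbo.ApprovalAuthority (
    LoginName   sysname PRIMARY KEY,
    MaxAmount   decimal(18,2) NOT NULL
);
INSERT INTO dbo.ApprovalAuthority (LoginName, MaxAmount) VALUES (N'APP\alice', 5000.00);
GO

-- The only sanctioned way to approve an expense. Every rule the business
-- cares about is enforced here, where the caller cannot skip it.
CREATE PROCEDURE dbo.ApproveExpense
    @ExpenseId int
AS
BEGIN
    SET NOCOUNT ON;
    SET XACT_ABORT ON;

    -- ORIGINAL_LOGIN() is the login that actually connected, even if the
    -- session later impersonated someone else; it is what we record and check.
    DECLARE @Caller sysname = ORIGINAL_LOGIN();
    DECLARE @Amount decimal(18,2), @VendorApproved bit, @Limit decimal(18,2);

    SELECT @Amount = e.Amount, @VendorApproved = v.IsApproved
    FROM dbo.Expense AS e
    JOIN dbo.Vendor  AS v ON v.VendorId = e.VendorId
    WHERE e.ExpenseId = @ExpenseId AND e.ApprovedBy IS NULL;

    IF @Amount IS NULL
        THROW 50001, N'Expense not found or already approved.', 1;
    IF @VendorApproved = 0
        THROW 50002, N'Vendor is not an approved vendor.', 1;

    SELECT @Limit = MaxAmount FROM dbo.ApprovalAuthority WHERE LoginName = @Caller;
    IF @Limit IS NULL OR @Amount > @Limit
        THROW 50003, N'Caller lacks approval authority for this amount.', 1;

    UPDATE dbo.Expense
    SET ApprovedBy = @Caller, ApprovedAt = SYSUTCDATETIME()
    WHERE ExpenseId = @ExpenseId;
END;
GO

-- The application role: EXECUTE on the procedure and nothing else.
CREATE ROLE apps_payables;
GRANT EXECUTE ON dbo.ApproveExpense TO apps_payables;

-- Deliberately no GRANT on the tables. The DENYs make the intent explicit and
-- survive a later careless "GRANT SELECT ON SCHEMA::dbo" by someone else.
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Expense           TO apps_payables;
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Vendor            TO apps_payables;
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.ApprovalAuthority TO apps_payables;

-- Behaviour when connected as a login whose only database role is apps_payables:
--   UPDATE dbo.Expense SET ApprovedBy = N'me' WHERE ExpenseId = 1;  -- permission denied
--   EXEC dbo.ApproveExpense @ExpenseId = 1;                          -- runs, subject to the rules above
```

The check a practitioner wants after deploying something like this: log in as an ordinary application user and confirm that every direct DML statement against the financial tables fails while the procedures still work. The DBA and the backup DBA are the exception the post allows, and they can bypass the procedures by definition, so their direct table changes are the thing to audit (for example with SQL Server Audit on the financial tables), not something the permission model alone can prevent.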
