Risk-Based Assessment of User Access Controls and Segregation of Duties for Companies Running Oracle Applications

Save this PDF as:

Size: px
Start display at page:

Download "Risk-Based Assessment of User Access Controls and Segregation of Duties for Companies Running Oracle Applications"

Transcription

1 Risk-Based Assessment of User Access Controls and Segregation of Duties for Companies Running Oracle Applications Presented by: Jeffrey T. Hare, CPA CISA CIA

2 Webinar Logistics Hide and unhide the Webinar control panel by clicking on the arrow icon on the top right of your screen The small window icon toggles between a windowed and full screen mode Ask questions throughout the presentation using the questions window Questions will be reviewed and answered at the end of the presentation; I ll open the lines for interactive Q&A 2009 ERPS

3 Presentation Agenda Overview: Introductions Deficiencies in Current Approaches to SOD Taking a Risk-Based Approach to User Access Controls Q&A Wrap Up

4 Introductions Jeffrey T. Hare, CPA CISA CIA Founder of ERP Seminars and Oracle User Best Practices Board Author Oracle E-Business Suite Controls: Application Security Best Practices Contributing author Best Practices in Financial Risk Management Published in ISACA s Control Journal (twice) and ACFE s Fraud Magazine; frequent contributor to OAUG s Insight magazine Experience includes Big 4 audit, 6+ years in CFO/Controller roles both as auditor and auditee In Oracle applications space since 1998 both as client and consultant Founder of Internal Controls Repository public domain repository Written various white papers on Internal Controls and Security Best Practices in an Oracle Applications environment

5 Taking a Risk-Based Approach to User Access Controls Types of Risks: Segregation of duties - a user having two or more business processes that could result in compromise of the integrity of the process or allow that person to commit fraud Access to sensitive functions a user having access to a function that, in and of itself, has risk Access to sensitive data a user having access to sensitive data such as employee identification number (US= SSN), home addresses, credit card, bank account information, plus data unique to your company customers, BOMs, routings???

6 Risk Assessment Process Evaluate about 675 unique risks CS*Comply covers up to 20,000 function based risks Examples from R/A: Single function risks being used w/ user exceptions (Menus), shouldn t be used (certain SQL forms Quality Plans) SoD risks never acceptable (Enter Journal Entries vs Journal Authorization Limits), acceptable for certain users (user exceptions Enter Journal Entries vs Journal Sources)

7 Deficiencies in Current Approaches to SOD Projects Here are some common deficiencies in how companies are approaching SOD projects: Relying on seeded content of software providers Not taking a risk-based approach, considering current controls, in defining what risks are for their company Not considering all user access control risks access to sensitive functions and access to sensitive data Always looking at risks as one function in conflict with another, rather than looking at real risks single function and two functions Looking at SOX risks and ignoring some fraud risks below the materiality level and other operational risks

8 Taking a Risk-Based Approach to User Access Controls Approach to Risk Assessment Project: 1.Identify access control conflicts 2.Identify risks associated with each conflict 3.Identify, analyze, and document mitigating controls related to each risk 4.Assess what is the residual risk after taking into account the mitigating controls 5.Discuss residual risks with management and assess their willingness to assume the risk 6.Document remediation steps for unmitigated risks 7.Document whether the conflict (single or combination of two) should be monitored in third party software

9 Taking a Risk-Based Approach to User Access Controls In our experience, a completed risk assessment process exposes the following needs: An SOD monitoring tool (or one with a preventive workflow) Requirements for a trigger-based detailed audit trail Various monitoring reports or processes not provided by Oracle The need to personalize forms to support defined controls. Custom workflows to automate controls where Oracle s functionality is deficient Process and/or controls changes Documentation and testing of non-key controls Access control / security changes Additional projects and research that need to be done (customizations, profile options, updating BR100s, BR110s, etc.)

10 Responding to Auditors Responding to auditors Have them identify the risk(s) that are inherent in the access or SOD Evaluate controls that may be in place to mitigate the risks identified Examples: All journals are reviewed and approved Financial close processes Budget to actual analysis / forecast to actual Variance analysis PPV, IPV Reconciliation of inventory balances to GL account Review stale inventory Cycle counting / physical inventories Downgrade key controls to standard / non-key based on risk reduce audit scope / rely more on entity level controls

11 Access Controls / R12 tips Take advantage of MOAC to reduce number of responsibilities across operating units / inventory orgs Use the QUERY_ONLY=Yes to generate inquiry only forms (make sure they are tested thoroughly) Refresh Prod to non-prod and allow more liberal access for replication of issues and trouble-shooting Use of trigger-based auditing solutions to generate detailed audit trail to changes for key control configurations / critical changes to item master / etc.

12 Recap / Wrap Up

13 Resources Resources: Application Security Best Practices Book 2 nd edition due out Jan 2012 Launching partially-public domain conflict matrix in conjunction with 2 nd edition of book (common elements will be included in Apps Security BP book) Oracle E-Business Suite Controls: Financial Close Cycle due out April 2012 focusing on design and implementation of controls and security related to Financial Close Cycle

14 Links Links: Recorded webinars: Blog: Video blog: Oracle Internal Controls and Security listserver (public domain/open group):

15 Links Links: Oracle Apps Internal Controls Repository (end users only / closed group): guid= LI Oracle GRC group: LI Oracle ERP Auditors group:

16 ERP Risk Advisory Services Project audit / QA we ll work under the direction of your PMO or Internal Audit to provide project audit or quality assurance whether the work is done internally or through a system integrator. In this role, we typically bring in other experts from companies like Integrigy, Solution Beacon, FSCP Solutions, and Colibri to be a part of our team. Security upgrade/implementation we ll upgrade your security from 11i to R12, adding new functionality in R12 while reducing upgrade risk by minimizing the use of standard sub-menus and using custom menus for all custom responsibility. We ll also help you implement role-based access control (RBAC) or help you to prepare for the implementation of RBAC, depending on the maturity of your organization. Controls upgrade we ll review your risk and control library, making sure all risks have been identified and recommending adequate level of controls; we ll ask look at what are defined as key controls and make recommendations to downgrade to non-key, where possible, to reduce audit fees; we ll also make recommendations on how to automate various controls.

17 ERP Risk Advisory Services Security and Controls monitoring both security and controls need to be monitored on an on-going basis as changes are introduced in your system. We ll help identify the processes and, perhaps, software that needs to be put in place for proper monitoring Building of system-based audit trails we ll evaluate your current trigger-based auditing and make recommendations on what should be added or changed. If you aren t using a trigger-based auditing tool, we ll recommend one that fits your budget and help you implement it. Enhancement of change management (CM) controls we ll review and recommend enhancements to your change control process to provide better protect the integrity of your data and business processes. We ll focus on all four different aspects of CM development, patching, security, and configurations and help you implement an quality assurance program to monitor the effectiveness of your CM process. encryption, where it is not provided by Oracle.

18 ERP Risk Advisory Services Implementation of user access controls software we ll design and implement preventive and detective controls related to Segregation of Duties, single function risks, and sensitive data risks. This is best done in conjunction with the upgrade of your security. Implementation of data security software we ll implement a security solution that locks down access to sensitive data both at the application and database levels. This software is more flexible and cost effective than implementing encryption, where it is not provided by Oracle.

19 Q & A

20 ERP Risk Advisory Services Security and Controls monitoring both security and controls need to be monitored on an on-going basis as changes are introduced in your system. We ll help identify the processes and, perhaps, software that needs to be put in place for proper monitoring Building of system-based audit trails we ll evaluate your current trigger-based auditing and make recommendations on what should be added or changed. If you aren t using a trigger-based auditing tool, we ll recommend one that fits your budget and help you implement it. Enhancement of change management (CM) controls we ll review and recommend enhancements to your change control process to provide better protect the integrity of your data and business processes. We ll focus on all four different aspects of CM development, patching, security, and configurations and help you implement an quality assurance program to monitor the effectiveness of your CM process. encryption, where it is not provided by Oracle.

21 ERP Risk Advisory Services Implementation of user access controls software we ll design and implement preventive and detective controls related to Segregation of Duties, single function risks, and sensitive data risks. This is best done in conjunction with the upgrade of your security. Implementation of data security software we ll implement a security solution that locks down access to sensitive data both at the application and database levels. This software is more flexible and cost effective than implementing encryption, where it is not provided by Oracle.

22 Best Practices Caveat Best Practices Caveat The Best Practices cited in this presentation have not been validated with your external auditors nor has there been any systematic study of industry practices to determine they are in fact Best Practices for a representative sample of companies attempting to comply with the Sarbanes-Oxley Act of 2002 or other corporate governance initiatives mentioned. The Best Practice examples given here should not substitute for accounting or legal advice for your organization and provide no indemnification from fraud, material misstatements in your financial statements, or control deficiencies.

23 Contact Information Jeffrey T. Hare, CPA CISA CIA Cell: Office: Sales: Phil Reimann Sales: Websites:

Risk-Based Assessment of User Access Controls and Segregation of Duties for Companies Running Oracle Applications

Risk-Based Assessment of User Access Controls and Segregation of Duties for Companies Running Oracle Applications Risk-Based Assessment of User Access Controls and Segregation of Duties for Companies Running Oracle Applications Presented by: Jeffrey T. Hare, CPA CISA CIA Webinar Logistics Hide and unhide the Webinar

More information

Building an Audit Trail in an Oracle EBS Environment. Presented by: Jeffrey T. Hare, CPA CISA CIA

Building an Audit Trail in an Oracle EBS Environment. Presented by: Jeffrey T. Hare, CPA CISA CIA Building an Audit Trail in an Oracle EBS Environment Presented by: Jeffrey T. Hare, CPA CISA CIA Webinar Logistics Hide and unhide the Webinar control panel by clicking on the arrow icon on the top right

More information

Change Management Best Practices for ERP Applications, An Internal Auditor's Perspective. Jeffrey T. Hare, CPA CISA CIA ERP Risk Advisors

Change Management Best Practices for ERP Applications, An Internal Auditor's Perspective. Jeffrey T. Hare, CPA CISA CIA ERP Risk Advisors Change Management Best Practices for ERP Applications, An Internal Auditor's Perspective Jeffrey T. Hare, CPA CISA CIA ERP Risk Advisors Webinar Logistics Hide and unhide the Webinar control panel by clicking

More information

Best Practices for Protecting Sensitive Data in an Oracle Applications Environment. Presented by: Jeffrey T. Hare, CPA CISA CIA

Best Practices for Protecting Sensitive Data in an Oracle Applications Environment. Presented by: Jeffrey T. Hare, CPA CISA CIA Best Practices for Protecting Sensitive Data in an Oracle Applications Environment Presented by: Jeffrey T. Hare, CPA CISA CIA Webinar Logistics Hide and unhide the Webinar control panel by clicking on

More information

Oracle E-Business Suite: SQL Forms Risks and. Presented by: Jeffrey T. Hare, CPA CISA CIA

Oracle E-Business Suite: SQL Forms Risks and. Presented by: Jeffrey T. Hare, CPA CISA CIA Oracle E-Business Suite: SQL Forms Risks and Controls Presented by: Jeffrey T. Hare, CPA CISA CIA Presentation Agenda Overview: Introductions Overall system risks Audit Trails Change Management Implementation

More information

Oracle E-Business Suite Controls: Application Security Best Practices

Oracle E-Business Suite Controls: Application Security Best Practices Table of Contents Table of Contents vi Acknowledgements 1 Foreword 2 What Makes This Book Different 3 Who Should Read this Book 3 Organization of this Book 4 Chapter 1: Introduction 5 Chapter 2: Introduction

More information

How to Audit the Top Ten E-Business Suite Security Risks

How to Audit the Top Ten E-Business Suite Security Risks In-Source Your IT Audit Series How to Audit the Top Ten E-Business Suite Security Risks February 28, 2012 Jeffrey T. Hare, CPA CISA CIA Industry Analyst, Author, Consultant ERP Risk Advisors Stephen Kost

More information

Decryption of Credit Card Data and Bank Account Data; Risks and Controls

Decryption of Credit Card Data and Bank Account Data; Risks and Controls Overview: Oracle provides its customers the ability to decrypt certain encrypted credit card and bank account data that is likely subject to PCI-DSS compliance and other compliance requirements. The following

More information

Top Ten Fraud Risks in the Oracle E Business Suite

Top Ten Fraud Risks in the Oracle E Business Suite Top Ten Fraud Risks in the Oracle E Business Suite Jeffrey T. Hare, CPA CISA CIA Industry Analyst, Author, Consultant ERP Risk Advisors Stephen Kost Chief Technology Officer Integrigy Corporation February

More information

Risk Management in Role-based Applications Segregation of Duties in Oracle

Risk Management in Role-based Applications Segregation of Duties in Oracle Risk Management in Role-based Applications Segregation of Duties in Oracle Sundar Venkat, Senior Manager, Protiviti Tai Tam, Accounting Manager, Electronic Arts Core Competencies C23 Page 0 of 29 Agenda

More information

Chapter 6: Developing a Proper Audit Trail for your EBS Environment

Chapter 6: Developing a Proper Audit Trail for your EBS Environment Chapter 6: Developing a Proper Audit Trail for your EBS Environment In Chapter 2, we looked at the inherent architecture of EBS and some implications regarding the lack of a detailed audit trail. Three

More information

Governance, Risk & Compliance for Public Sector

Governance, Risk & Compliance for Public Sector Governance, Risk & Compliance for Public Sector Steve Hagner EMEA GRC Solution Sales From egovernment to Oracle igovernment Increase Efficiency and Transparency Oracle igovernment

More information

Moving Forward with IT Governance and COBIT

Moving Forward with IT Governance and COBIT Moving Forward with IT Governance and COBIT Los Angeles ISACA COBIT User Group Tuesday 27, March 2007 IT GRC Questions from the CIO Today s discussion focuses on the typical challenges facing the CIO around

More information

Rapidly Growing Mid-Stream Energy Refinery and Transportation firm Monitors Master Data for Controls

Rapidly Growing Mid-Stream Energy Refinery and Transportation firm Monitors Master Data for Controls Rapidly Growing Mid-Stream Energy Refinery and Transportation firm Monitors Master Data for Controls FulcrumWay Leading Provider of Enterprise Risk Assessment Mitigation and Remediation Solutions Enterprise

More information

Segregation of Duties

Segregation of Duties Segregation of Duties Scott Mitchell, Senior Manager (503) 478-2193 John Earl, Manager (503) 478-2188 January 5, 2010 Our Objectives Clarify the role of Segregation of Duties (SOD) Identify alternatives

More information

Complete Database Security. Thomas Kyte http://asktom.oracle.com/

Complete Database Security. Thomas Kyte http://asktom.oracle.com/ Complete Database Security Thomas Kyte http://asktom.oracle.com/ Agenda Enterprise Data Security Challenges Database Security Strategy Oracle Database Security Solutions Defense-in-Depth Q&A 2 Copyright

More information

INTERNAL AUDIT SOFTWARE BUYER S GUIDE

INTERNAL AUDIT SOFTWARE BUYER S GUIDE BarnOwl Solutions INTERNAL AUDIT SOFTWARE BUYER S GUIDE CONTENTS 1. The need for internal audit 2. What do the standards say? 3. Why implement internal audit software 4. Steps to the successful implementation

More information

The Importance of IT Controls to Sarbanes-Oxley Compliance

The Importance of IT Controls to Sarbanes-Oxley Compliance Hosted by Deloitte, PricewaterhouseCoopers and ISACA/ITGI The Importance of IT Controls to Sarbanes-Oxley Compliance 15 December 2003 1 Presenters Chris Fox, CA Sr. Manager, Internal Audit Services PricewaterhouseCoopers

More information

Obtaining Value from Your Database Activity Monitoring (DAM) Solution

Obtaining Value from Your Database Activity Monitoring (DAM) Solution Obtaining Value from Your Database Activity Monitoring (DAM) Solution September 23, 2015 Mike Miller Chief Security Officer Integrigy Corporation Stephen Kost Chief Technology Officer Integrigy Corporation

More information

Feature. Multiagent Model for System User Access Rights Audit

Feature. Multiagent Model for System User Access Rights Audit Feature Christopher A. Moturi is the head of School of Computing and Informatics at the University of Nairobi (Kenya) and has more than 20 years of experience teaching and researching on databases and

More information

Reduce Audit Time Using Automation, By Example. Jay Gohil Senior Manager

Reduce Audit Time Using Automation, By Example. Jay Gohil Senior Manager Reduce Audit Time Using Automation, By Example Jay Gohil Senior Manager Today s Session Speaker Bio: Jay Gohil, Protiviti Jay is a Senior Manager in the ERP Services practice in Atlanta. In the past seven

More information

S24 - Governance, Risk, and Compliance (GRC) Automation Siamak Razmazma

S24 - Governance, Risk, and Compliance (GRC) Automation Siamak Razmazma S24 - Governance, Risk, and Compliance (GRC) Automation Siamak Razmazma Governance, Risk, Compliance (GRC) Automation Siamak Razmazma Siamak.razmazma@protiviti.com September 2009 Agenda Introduction to

More information

Continuous Controls Monitoring ISACA, Houston Chapter. August 17, 2006

Continuous Controls Monitoring ISACA, Houston Chapter. August 17, 2006 Continuous Controls Monitoring ISACA, Houston Chapter August 17, 2006 Purpose of Discussion Understand impact of Continuous Controls Monitoring (CCM) on the Information Systems Audit community To perform

More information

Using COBiT For Sarbanes Oxley. Japan November 18 th 2006 Gary A Bannister

Using COBiT For Sarbanes Oxley. Japan November 18 th 2006 Gary A Bannister Using COBiT For Sarbanes Oxley Japan November 18 th 2006 Gary A Bannister Who Am I? Who am I & What I Do? I am an accountant with 28 years experience working in various International Control & IT roles.

More information

Auditing Standard 5- Effective and Efficient SOX Compliance

Auditing Standard 5- Effective and Efficient SOX Compliance Auditing Standard 5- Effective and Efficient SOX Compliance September 6, 2007 Presented to: The Dallas Chapter of the Institute of Internal Auditors These slides are incomplete without the benefit of the

More information

Best Practices Report

Best Practices Report Overview As an IT leader within your organization, you face new challenges every day from managing user requirements and operational needs to the burden of IT Compliance. Developing a strong IT general

More information

Leverage T echnology: Move Your Business Forward

Leverage T echnology: Move Your Business Forward Give me a lever long enough and a fulcrum on which to place it, and I shall move the world - Archimedes Copyright. Fulcrum Information Technology, Inc. Is Oracle ERP in Scope for 2014 Audit Plan? Learn,

More information

Evolving from Financial Compliance to Next Generation GRC. Gary Prince Principal Solution Specialist - GRC

Evolving from Financial Compliance to Next Generation GRC. Gary Prince Principal Solution Specialist - GRC Evolving from Financial Compliance to Next Generation GRC Gary Prince Principal Solution Specialist - GRC Agenda Business Challenges Oracle s Leadership in Governance, Risk and Compliance Solution Overview

More information

www.pwc.com Understanding ERP Architectures, Security and Risk Brandon Sprankle PwC Partner March 2015

www.pwc.com Understanding ERP Architectures, Security and Risk Brandon Sprankle PwC Partner March 2015 www.pwc.com Understanding ERP Architectures, Security and Risk Brandon Sprankle Partner Agenda 1. Introduction 2. Overview of ERP security architecture 3. Key ERP security models 4. Building and executing

More information

Leading investor communications firm serving brokerdealers, and investment banks protects sensitive data

Leading investor communications firm serving brokerdealers, and investment banks protects sensitive data Leading investor communications firm serving brokerdealers, and investment banks protects sensitive data FulcrumWay Leading Provider of Enterprise Risk Assessment Mitigation and Remediation Solutions Enterprise

More information

SAP BusinessObjects GRC Access Control 10.0 New Feature Highlights and Initial Lessons Learned

SAP BusinessObjects GRC Access Control 10.0 New Feature Highlights and Initial Lessons Learned SAP BusinessObjects GRC Access Control 10.0 New Feature Highlights and Initial Lessons Learned Executive Summary Organizations evaluating technology solutions to enhance their governance, risk and compliance

More information

www.pwc.com Advisory Services Oracle Alliance Case Study

www.pwc.com Advisory Services Oracle Alliance Case Study www.pwc.com Advisory Services Oracle Alliance Case Study A global software company turns a Sarbanes-Oxley challenge into an opportunity for cost reduction and performance improvement Client s challenge

More information

The presentation will begin in a few moments

The presentation will begin in a few moments Welcome To Today s Webinar: Top 5 SOX Concerns for Dynamics AX The presentation will begin in a few moments Participants will receive an email within 48 hours with a link to the slide deck and recording.

More information

It s been six years since Sarbanes-Oxley (SOX) was signed into law, yet. many of the software products designed to handle SOX s complex demands

It s been six years since Sarbanes-Oxley (SOX) was signed into law, yet. many of the software products designed to handle SOX s complex demands RUBRIC: Making Sense of SOX By Roberta Ann Barra and Arline Savage It s been six years since Sarbanes-Oxley (SOX) was signed into law, yet many of the software products designed to handle SOX s complex

More information

Oracle Database Security Myths

Oracle Database Security Myths Oracle Database Security Myths December 13, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development Integrigy Corporation About Integrigy ERP Applications

More information

Moving your enterprise systems to the cloud? What do you need to know to manage the risks? Jamie Levitt, Director

Moving your enterprise systems to the cloud? What do you need to know to manage the risks? Jamie Levitt, Director www.pwc.com Moving your enterprise systems to the cloud? What do you need to know to manage the risks? November 2015 Jamie Levitt, Director Disclaimer Certain matters reviewed today may represent services

More information

Oracle Fusion Applications Security Guide. 11g Release 5 (11.1.5) Part Number E16689-05

Oracle Fusion Applications Security Guide. 11g Release 5 (11.1.5) Part Number E16689-05 Oracle Fusion Applications Security Guide 11g Release 5 (11.1.5) Part Number E16689-05 June 2012 Oracle Fusion Applications Security Guide Part Number E16689-05 Copyright 2011-2012, Oracle and/or its affiliates.

More information

Security Information & Event Management A Best Practices Approach

Security Information & Event Management A Best Practices Approach Security Information & Event Management A Best Practices Approach Implementing a best-of-class IT compliance framework using iservice help desk and EventSentry monitoring software A white paper written

More information

BENEFITS OF IMAGE ENABLING ORACLE E-BUSINESS SUITE:

BENEFITS OF IMAGE ENABLING ORACLE E-BUSINESS SUITE: Content Management How does it apply to Oracle E-Business Suite? Carol Mitchell C.M. Mitchell Consulting Corporation OVERVIEW: ERP applications do a great job at managing structured data, which is the

More information

IT audit updates. Current hot topics and key considerations. IT risk assessment leading practices

IT audit updates. Current hot topics and key considerations. IT risk assessment leading practices IT audit updates Current hot topics and key considerations Contents IT risk assessment leading practices IT risks to consider in your audit plan IT SOX considerations and risks COSO 2013 and IT considerations

More information

Training Courses Fiscal Year 2015:

Training Courses Fiscal Year 2015: Training Courses Fiscal Year 2015: 1 - Using Data Analysis to Detect Fraud & Error Instructor: Scott Langlinais Courtney Thompson & Associates http://www.ctassoc.com/scott Langlinais Profile Date: October

More information

IT Audit Perspective on Continuous Auditing/ Continuous Monitoring KPMG LLP

IT Audit Perspective on Continuous Auditing/ Continuous Monitoring KPMG LLP IT Audit Perspective on Continuous Auditing/ Continuous Monitoring KPMG LLP IT Audit Perspective on Continuous Auditing/Continuous Monitoring INTRODUCTION New demands from the board, senior organizational

More information

Securing Oracle E-Business Suite in the Cloud

Securing Oracle E-Business Suite in the Cloud Securing Oracle E-Business Suite in the Cloud November 18, 2015 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development Integrigy Corporation Agenda The

More information

Developing Value from Oracle s Audit Vault For Auditors and IT Security Professionals

Developing Value from Oracle s Audit Vault For Auditors and IT Security Professionals Developing Value from Oracle s Audit Vault For Auditors and IT Security Professionals November 13, 2014 Michael Miller Chief Security Officer Integrigy Corporation Stephen Kost Chief Technology Officer

More information

OFFICE OF AUDITS & ADVISORY SERVICES SHAREPOINT SECURITY AUDIT FINAL REPORT

OFFICE OF AUDITS & ADVISORY SERVICES SHAREPOINT SECURITY AUDIT FINAL REPORT County of San Diego Auditor and Controller OFFICE OF AUDITS & ADVISORY SERVICES SHAREPOINT SECURITY AUDIT FINAL REPORT Chief of Audits: Juan R. Perez Senior Audit Manager: Lynne Prizzia, CISA, CRISC Senior

More information

SecureGRC TM - Cloud based SaaS

SecureGRC TM - Cloud based SaaS - Cloud based SaaS Single repository for regulations and standards Centralized repository for compliance related organizational data Electronic workflow to speed up communications between various entries

More information

Private Companies Banking in a Sarbanes-Oxley World

Private Companies Banking in a Sarbanes-Oxley World Private Companies Banking in a Sarbanes-Oxley World While SOX was largely intended to apply to public companies only, the pain has extended to private companies. INTRODUCTION The Sarbanes-Oxley Act of

More information

Information Security and Governance in ERP Implementation (JD Edwards)

Information Security and Governance in ERP Implementation (JD Edwards) Information Security and Governance in ERP Implementation (JD Edwards) Table of Contents Information Security... 2 Information Security in ERP Environment... 3 J D Edwards Security and Governance Features...

More information

SuperUser Access Best Practices in an Oracle Applications Environment Jeffrey T. Hare, CPA ERP Seminars

SuperUser Access Best Practices in an Oracle Applications Environment Jeffrey T. Hare, CPA ERP Seminars SuperUser Access Best Practices in an Oracle Applications Environment Jeffrey T. Hare, CPA ERP Seminars The Sarbanes-Oxley Act is resulting in increased scrutiny on the access that companies have given

More information

Database Security and Auditing

Database Security and Auditing Database Security and Auditing COURSE DESCRIPTION: This seminar aims to provide the Database Administrators, System Administrators, Auditors and IT Security Officers an overview on how to secure and audit

More information

mission critical applications mission critical security Internal Auditor Primer: Oracle E-Business Suite Security Risks Primer

mission critical applications mission critical security Internal Auditor Primer: Oracle E-Business Suite Security Risks Primer mission critical applications mission critical security Internal Auditor Primer: Oracle E-Business Suite Security Risks Primer Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director

More information

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

Copyright 2012, Oracle and/or its affiliates. All rights reserved. 1 Seguridad en profundidad Jaime Briggs MSc CS, CISSP, CCSK Sales Manager Strategic accounts Agenda Los Controles ISO 27001 Defensa en Profundidad Productos que dan respuesta Roadmap a seguridad Q&A 3

More information

Sarbanes-Oxley Control Transformation Through Automation

Sarbanes-Oxley Control Transformation Through Automation Sarbanes-Oxley Control Transformation Through Automation An Executive White Paper By BLUE LANCE, Inc. Where have we been? Where are we going? BLUE LANCE INC. www.bluelance.com 713.255.4800 info@bluelance.com

More information

Founded in 1993 OSI has grown to become a leading technology consulting and services firm with over 450 professionals both from US and India

Founded in 1993 OSI has grown to become a leading technology consulting and services firm with over 450 professionals both from US and India R12 Period CloseProcess Chitti, OSIConsulting, Chairperson, India OAUG About OSI Founded in 1993 OSI has grown to become a leading technology consulting and services firm with over 450 professionals both

More information

Guide to Auditing and Logging in the Oracle E-Business Suite

Guide to Auditing and Logging in the Oracle E-Business Suite Guide to Auditing and Logging in the Oracle E-Business Suite February 13, 2014 Stephen Kost Chief Technology Officer Integrigy Corporation Mike Miller Chief Security Officer Integrigy Corporation Phil

More information

Strategic IT audit. Develop an IT Strategic IT Assurance Plan

Strategic IT audit. Develop an IT Strategic IT Assurance Plan Strategic IT audit Develop an IT Strategic IT Assurance Plan Speaker Biography Hans Henrik Berthing is Partner at Verifica and Senior Advisor & Associated Professor at Aalborg University. He is specialized

More information

How to Use Oracle Account Generator for Project-Related Transactions

How to Use Oracle Account Generator for Project-Related Transactions How to Use Oracle Account Generator for Project-Related Transactions Marian Crkon 3Gs Consulting OAUG Forum at COLLABORATE 07 Copyright 2007 3Gs Consulting Page 1 of 40 Introduction Account Generators

More information

EnergySec Partnered Webinar with MetricStream Transitioning to NERC CIP Version 5: What Does it Mean for Electric Utilities JANUARY 28, 2015

EnergySec Partnered Webinar with MetricStream Transitioning to NERC CIP Version 5: What Does it Mean for Electric Utilities JANUARY 28, 2015 EnergySec Partnered Webinar with MetricStream Transitioning to NERC CIP Version 5: What Does it Mean for Electric Utilities JANUARY 28, 2015 Housekeeping Items Submit questions using control panel Contact

More information

www.pwc.com Third Party Risk Management 12 April 2012

www.pwc.com Third Party Risk Management 12 April 2012 www.pwc.com Third Party Risk Management 12 April 2012 Agenda 1. Introductions 2. Drivers of Increased Focus on Third Parties 3. Governance 4. Third Party Risks and Scope 5. Third Party Risk Profiling 6.

More information

Oracle E-Business Suite APPS, SYSADMIN, and oracle Securing Generic Privileged Accounts. Stephen Kost Chief Technology Officer Integrigy Corporation

Oracle E-Business Suite APPS, SYSADMIN, and oracle Securing Generic Privileged Accounts. Stephen Kost Chief Technology Officer Integrigy Corporation Oracle E-Business Suite APPS, SYSADMIN, and oracle Securing Generic Privileged Accounts May 15, 2014 Mike Miller Chief Security Officer Integrigy Corporation Stephen Kost Chief Technology Officer Integrigy

More information

The Information Systems Audit

The Information Systems Audit November 25, 2009 e q 1 Institute of of Pakistan ICAP Auditorium, Karachi Sajid H. Khan Executive Director Technology and Security Risk Services e q 2 IS Environment Back Office Batch Apps MIS Online Integrated

More information

ISACA PROFESSIONAL RESOURCES

ISACA PROFESSIONAL RESOURCES ISACA PROFESSIONAL RESOURCES SEGREGATION OF DUTIES WITHIN INFORMATION SYSTEMS This is an excerpt from the CISA Review Manual 2005 Chapter 2 - Management, Planning and Organization of IS CISA Review Manual

More information

PCI Compliance in Oracle E-Business Suite

PCI Compliance in Oracle E-Business Suite PCI Compliance in Oracle E-Business Suite May 14, 2015 Mike Miller Chief Security Officer Integrigy Corporation David Kilgallon Oracle Integration Manager CardConnect Moderated by Phil Reimann, Director

More information

Senior Oracle Developer Call us today to schedule this resource. CENDIEN CORP: (214) 245-4580 http://www.cendien.com

Senior Oracle Developer Call us today to schedule this resource. CENDIEN CORP: (214) 245-4580 http://www.cendien.com Senior Oracle Developer Cendien Oracle Experts Oracle Technical Skills Applications Audited: Oracle Financials SAP Peoplesoft Hyperion (Enterprise and Essbase) Lawson (FA & GL) Equity Edge AMAPS MAS200

More information

Application Testing: Not Just for IT Auditors. Insert Logo Here

Application Testing: Not Just for IT Auditors. Insert Logo Here Application Testing: Not Just for IT Auditors Huntington Ingalls Industries Who We Are Over a century designing, building, overhauling and repairing ships for the U.S. Navy, the U.S. Coast Guard and world

More information

Functional and technical specifications. Background

Functional and technical specifications. Background Functional and technical specifications Background In terms of the Public Audit Act, 2004 (Act No. 25 of 2004) (PAA), the deputy auditor-general (DAG) is responsible for maintaining an effective, efficient

More information

Minimize Access Risk and Prevent Fraud With SAP Access Control

Minimize Access Risk and Prevent Fraud With SAP Access Control SAP Solution in Detail SAP Solutions for Governance, Risk, and Compliance SAP Access Control Minimize Access Risk and Prevent Fraud With SAP Access Control Table of Contents 3 Quick Facts 4 The Access

More information

Fraud Prevention and Detection in a Manufacturing Environment

Fraud Prevention and Detection in a Manufacturing Environment Fraud Prevention and Detection in a Manufacturing Environment Introduction The Association of Certified Fraud Examiners (ACFE) estimated in its 2008 Report to the Nation on Occupational Fraud and Abuse

More information

Auditing Applications. ISACA Seminar: February 10, 2012

Auditing Applications. ISACA Seminar: February 10, 2012 Auditing Applications ISACA Seminar: February 10, 2012 Planning Objectives Mapping Controls Functionality Tests Complications Financial Assertions Tools Reporting AGENDA 2 PLANNING Consideration / understanding

More information

Roles and Responsibilities Corporate Compliance and Internal Audit

Roles and Responsibilities Corporate Compliance and Internal Audit Roles and Responsibilities and By Mark P. Ruppert, CPA, CIA, CISA, CHFP The focus group of Health Care Compliance Association (HCCA) and Association of Healthcare ors (AHIA) members continues to explore

More information

JD Edwards EnterpriseOne: Governance, Risk, and Compliance

JD Edwards EnterpriseOne: Governance, Risk, and Compliance JD Edwards EnterpriseOne: Governance, Risk, and Compliance Solutions for Sarbanes-Oxley and Other Compliance Requirements ORACLE WHITE PAPER MAY 2015 Disclaimer The following is intended to outline our

More information

NetSuite Essentials. Course Description. Key Objectives

NetSuite Essentials. Course Description. Key Objectives NetSuite Essentials Key Objectives How do I: Configure NetSuite to meet business requirements? Determine user roles and permissions? Customize the user interface to align with business needs? Plan for

More information

APPLICATION MANAGEMENT SUITE FOR ORACLE E-BUSINESS SUITE APPLICATIONS

APPLICATION MANAGEMENT SUITE FOR ORACLE E-BUSINESS SUITE APPLICATIONS APPLICATION MANAGEMENT SUITE FOR ORACLE E-BUSINESS SUITE APPLICATIONS Oracle Application Management Suite for Oracle E-Business Suite delivers capabilities that helps to achieve high levels of application

More information

Optimize procure-to-pay processes for profitability, efficiency, and compliance

Optimize procure-to-pay processes for profitability, efficiency, and compliance www.pwc.com/oracle PwC Oracle Practice September 2012 Optimize procure-to-pay processes for profitability, efficiency, and compliance Optimize procure-to-pay processes for profitability, efficiency, and

More information

New Oracle 12c Security Features Oracle E-Business Suite Perspective

New Oracle 12c Security Features Oracle E-Business Suite Perspective New Oracle 12c Security Features Oracle E-Business Suite Perspective December 18, 2014 Michael Miller Chief Security Officer Integrigy Corporation Stephen Kost Chief Technology Officer Integrigy Corporation

More information

KBACE Applied Service Oriented Architecture (SOA)

KBACE Applied Service Oriented Architecture (SOA) KBACE Applied Service Oriented Architecture (SOA) Bhaskar Reddy Technical Director, KBACE Advanced Technology Group (ATG) March 3 rd, 2009 1 Webinar Logistics Hide (and unhide) the Webinar control panel

More information

Sarbanes-Oxley Compliance for Cloud Applications

Sarbanes-Oxley Compliance for Cloud Applications Sarbanes-Oxley Compliance for Cloud Applications What Is Sarbanes-Oxley? Sarbanes-Oxley Act (SOX) aims to protect investors and the general public from accounting errors and fraudulent practices. For this

More information

OFFICE OF THE CITY AUDITOR

OFFICE OF THE CITY AUDITOR CITY OF SAN ANTONIO OFFICE OF THE CITY AUDITOR Audit of Information Technology Services Department Project No. AU10-012 September 1, 2011 Audit of Information Technology Services Department Executive Summary

More information

PCI Compliance in Oracle E-Business Suite

PCI Compliance in Oracle E-Business Suite PCI Compliance in Oracle E-Business Suite October 22, 2014 Mike Miller Chief Security Officer Integrigy Corporation Megan Kelly Senior Director of ERP Integrations CardConnect Moderated by Phil Reimann,

More information

Data Analytics: Applying Data Analytics to a Continuous Controls Auditing / Monitoring Solution

Data Analytics: Applying Data Analytics to a Continuous Controls Auditing / Monitoring Solution Data Analytics: Applying Data Analytics to a Continuous Controls Auditing / Monitoring Solution December 10, 2014 Parm Lalli, CISA, ACDA Sunera Snapshot Professional consultancy with core competency in:

More information

Sarbanes-Oxley: Beyond. Using compliance requirements to boost business performance. An RIS White Paper Sponsored by:

Sarbanes-Oxley: Beyond. Using compliance requirements to boost business performance. An RIS White Paper Sponsored by: Beyond Sarbanes-Oxley: Using compliance requirements to boost business performance The business regulatory environment in the United States has changed. Public companies have new obligations to report

More information

Continuous Controls Monitoring. Virginia ISACA January Meeting 19 January 2010

Continuous Controls Monitoring. Virginia ISACA January Meeting 19 January 2010 Continuous Controls Monitoring Virginia ISACA January Meeting 19 January 2010 Today s Agenda What We Are Hearing About Risk Internal Controls Continuous Control Monitoring What is CCM? Framework EY Point

More information

Internal Controls over Financial Reporting. Integrating in Business Processes & Key Lessons learned

Internal Controls over Financial Reporting. Integrating in Business Processes & Key Lessons learned Internal Controls over Financial Reporting Integrating in Business Processes & Key Lessons learned Introduction Stephen McIntyre, CA, CPA (Illinois) Senior Manager at Ernst & Young in the Risk Advisory

More information

Larry Laine, Deputy Land Commissioner and Chief Clerk. Annual Report on the Internal Audit Quality Assurance and Improvement Program

Larry Laine, Deputy Land Commissioner and Chief Clerk. Annual Report on the Internal Audit Quality Assurance and Improvement Program DATE: TO: FROM: SUBJECT: Larry Laine, Deputy Land Commissioner and Chief Clerk Tracey Hall, Deputy Commissioner of Internal Audit Annual Report on the Internal Audit The following report is presented in

More information

STATE OF NORTH CAROLINA

STATE OF NORTH CAROLINA STATE OF NORTH CAROLINA INFORMATION SYSTEMS AUDIT OFFICE OF INFORMATION TECHNOLOGY SERVICES INFORMATION TECHNOLOGY GENERAL CONTROLS OCTOBER 2014 OFFICE OF THE STATE AUDITOR BETH A. WOOD, CPA STATE AUDITOR

More information

New Security Features in Oracle E-Business Suite 12.2

New Security Features in Oracle E-Business Suite 12.2 New Security Features in Oracle E-Business Suite 12.2 October 24, 2013 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development Integrigy Corporation About

More information

Optimize procure-topay processes for profitability, efficiency, and compliance

Optimize procure-topay processes for profitability, efficiency, and compliance www.pwc.com PwC Oracle Practice September 2012 Optimize procure-topay processes for profitability, efficiency, and compliance Table of contents Executive summary... 2 Return on investment... 3 The challenges...

More information

<Insert Picture Here> Financial Audit Scoping Tool Blueprint for Oracle GRC Applications

<Insert Picture Here> Financial Audit Scoping Tool Blueprint for Oracle GRC Applications Financial Audit Scoping Tool Blueprint for Oracle GRC Applications Implement Audit Standard 5 (AS5) scoping to streamline financial reporting compliance Agenda Financial Audit Scoping

More information

Total Reconciliation Solution (T-Recs ) Enterprise A Control Framework for Governance, Risk Management and Compliance

Total Reconciliation Solution (T-Recs ) Enterprise A Control Framework for Governance, Risk Management and Compliance Total Reconciliation Solution (T-Recs ) Enterprise A Control Framework for Governance, Risk Management and Compliance power No activity is more central to preparing accurate financial statements than timely

More information

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

Copyright 2012, Oracle and/or its affiliates. All rights reserved. 1 The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any

More information

State of Wisconsin Division of Enterprise Technology (DET) SharePoint 2010 Service Offering Definition (SOD)

State of Wisconsin Division of Enterprise Technology (DET) SharePoint 2010 Service Offering Definition (SOD) State of Wisconsin Division of Enterprise Technology (DET) SharePoint 2010 Service Offering Definition (SOD) 1 Document Revision History Date Version Creator Notes 07/15/2011 1.0 Lisa Jorgensen Initial

More information

Financial Management Information System Centralized Operations

Financial Management Information System Centralized Operations Audit Report Financial Management Information System Centralized Operations March 2003 This report and any related follow-up correspondence are available to the public. Alternate formats may also be requested

More information

Product Financial Control Solutions Spreadsheet Workbench

Product Financial Control Solutions Spreadsheet Workbench Product Financial Control Solutions Spreadsheet Workbench Supporting Financial Transformation Through Increased Efficiency, Risk Mitigation and Control Product In many respects spreadsheets represent the

More information

SSi Consulting, Inc.

SSi Consulting, Inc. SSi Consulting, Inc. New and Improved Reporting Tools in Microsoft Dynamics GP Webinar Presentation by Lisa Armstrong, Senior GP Consultant Agenda Smartlist Designer Deploy Excel Reports and Data Connections

More information

Security Trends and Client Approaches

Security Trends and Client Approaches Security Trends and Client Approaches May 2010 Bob Bocchino, CISA ERM Security and Compliance Business Advisor IBU Technology Sales Support Industries Business Unit, Technology Sales Support 1 Mark Dixon

More information

Secret Server Qualys Integration Guide

Secret Server Qualys Integration Guide Secret Server Qualys Integration Guide Table of Contents Secret Server and Qualys Cloud Platform... 2 Authenticated vs. Unauthenticated Scanning... 2 What are the Advantages?... 2 Integrating Secret Server

More information

Hayri Tarhan, Sr. Manager, Public Sector Security, Oracle Ron Carovano, Manager, Business Development, F5 Networks

Hayri Tarhan, Sr. Manager, Public Sector Security, Oracle Ron Carovano, Manager, Business Development, F5 Networks EXTENDING ACCESS WHILE ENHANCING CONTROL FOR YOUR ORGANIZATION S DATA LEVERAGE THE POWER OF F5 AND ORACLE TO DELIVER SECURE ACCESS TO APPLICATIONS AND DATABASES Hayri Tarhan, Sr. Manager, Public Sector

More information

Creating Effective Security Controls: A Ten Year Study of High Performing IT Security

Creating Effective Security Controls: A Ten Year Study of High Performing IT Security Configuration Assessment & & Change Auditing Solutions COMPLIANCE SECURITY CONTROL Creating Effective Security Controls: A Ten Year Study of High Performing IT Security Gene Kim, CISA CTO and Co-Founder

More information

Connecting the dots: IT to Business

Connecting the dots: IT to Business Connecting the dots: IT to Business Jason Wood, CPA, CISA, CIA, CITP, CFF April 2015 1 Speaker Bio Jason Wood Over 18 years of international business experience in planning, conducting, and quality reviewing

More information

J u n e 2 0 1 0. N a t i o n a l R e s e a r c h C o u n c i l C a n a d a. I n t e r n a l A u d i t, N R C. Audit of Risk Management.

J u n e 2 0 1 0. N a t i o n a l R e s e a r c h C o u n c i l C a n a d a. I n t e r n a l A u d i t, N R C. Audit of Risk Management. N a t i o n a l R e s e a r c h C o u n c i l C a n a d a Audit of Risk Management I n t e r n a l A u d i t, N R C J u n e 2 0 1 0 June 2010 i 1.0 Executive Summary and Conclusion Background This audit

More information