Building an Audit Trail in an Oracle EBS Environment. Presented by: Jeffrey T. Hare, CPA CISA CIA
1 Building an Audit Trail in an Oracle EBS Environment Presented by: Jeffrey T. Hare, CPA CISA CIA
2 Webinar Logistics
- Hide and unhide the Webinar control panel by clicking on the arrow icon on the top right of your screen
- The small window icon toggles between a windowed and full screen mode
- Ask questions throughout the presentation using the chat dialog
- Questions will be reviewed and answered at the end of the presentation; I'll open the lines for interactive Q&A
- During the presentation, we will be conducting a number of polls; please take the time to respond to all those that are applicable
- CPE will only be given to those that answer at least 3 of the 4 polls
3 Presentation Agenda
Overview:
- Introduction
- Audit Trail Overview
- Audit Trail Example
- Audit Trail Technologies
- What to Audit
- Upcoming Webinars
- Other Comments
- Wrap Up
4 Introductions
Jeffrey T. Hare, CPA CISA CIA
- Founder of ERP Seminars and Oracle User Best Practices Board
- Written various white papers on Internal Controls and Security Best Practices in an Oracle Applications environment
- Frequent contributor to OAUG's Insight magazine
- Experience includes Big 4 audit, 6 years in CFO/Controller roles, both as auditor and auditee
- In Oracle applications space since 1998, both as client and consultant
- Founder of Internal Controls Repository, a public domain repository
- Author, Oracle E-Business Suite Controls: Application Security Best Practices
- Contributing author, Best Practices in Financial Risk Management
- Published in ISACA's Control Journal (twice) and ACFE's Fraud Magazine
5 Poll question: How are you identifying changes to application controls, security settings, and activity through SQL forms?
6 Audit Trail Overview
7 Audit Trail Overview
- Disconnect between application and database layers
- Need to be concerned about application access as well as database access
- Audit trail only kept where application is built to do so
- Lack of "audit all" functionality to monitor privileged users
- Lack of detailed audit trail throughout the application
- In some cases, as is the case with HR, update versus correct
- Example: change(s) to columns in a table can cause confusion related to changes made - Journal Sources example
8 Audit Trail Example
9 Audit Trail Example Audit Trail deficiencies Journal Sources Example:
10 Audit Trail Example Audit Trail deficiencies Journal Sources Example: After first change:
11 Audit Trail Example Audit Trail deficiencies Journal Sources Example: After second change:
12 Audit Trail Example
Journal Sources example data:

|             | Initial Value | After First Change | After Second Change |
|-------------|---------------|--------------------|---------------------|
| Value       | Checked       | Unchecked          | Checked             |
| Updated by  | AUTOINSTALL   | JTH9891            | JTH9891             |
| Update date | 03-Jan :52:09 | 25-Aug :43:58      | 25-Aug :45:31       |

The only thing we can tell from this is that JTH9891 made a change, but we have no idea WHAT changed. The values as of the second change are the same as the initial values!
13 Audit Trail Technologies
14 Audit Trail Technologies
Overview:
- Row Who / Alerts
- Sign On Audit
- Snapshot
- Log
- Triggers
15 Audit Trail Technologies: Row Who / Alerts
What is it:
- Created by, creation date, last updated by, last updated date
When it is useful:
- Monitoring things you don't expect to change (however, when it does ...)
- Within an audit period, creation date and last updated date
- Transaction monitoring (high volume) - some continuous controls monitoring (CCM) requirements
16 Audit Trail Technologies: Row Who / Alerts
Pros:
- Standard, embedded, no performance impact, no configuration
- Alerts can be proactive
Cons:
- Only contains values as of that point in time
- Alerts don't store values and therefore cannot be audited
17 Audit Trail Technologies: Sign On Audit
What is it:
- Profile option SignOn:Audit Level set to Form
When is it useful:
- Tracking user logins and use of professional forms
- Tracking login of generic users such as SYSADMIN and job scheduling users, where activity should be limited by policy and procedure
18 Audit Trail Technologies: Sign On Audit
Pros:
- Relatively little performance impact
- Useful for comparing login activity to activity logged by users to hold them accountable versus the policies / standards
Cons:
- Only tracks activity via professional forms (not OA framework html pages)
- Doesn't tell you WHAT the user did, just that they accessed the form
19 Audit Trail Technologies: Snapshot
What is it:
- Comparison of row who information between instances or between two points in time (prod versus 12/31 version)
When is it useful:
- Identifying when something is changed that you wouldn't expect
- When comparisons are pre-mapped, such as tools that compare objects between instances or versions
- Application support, to identify when there is a configuration change (i.e. what broke the process)
20 Audit Trail Technologies: Snapshot
Pros:
- Insignificant performance impact
- Useful for comparing significant volumes of data
- Useful for support purposes, comparing data across instances or points in time when processes are broken
Cons:
- Only tells you the delta as of two points in time; can miss incremental changes between periods
21 Audit Trail Technologies: Logs
What are they:
- Various types of incremental data
- Could be traffic flowing across the network or technology inherent to the database (redo or for mirroring)
When are they useful:
- High volume transaction tables
22 Audit Trail Technologies: Logs
Pros:
- Insignificant performance impact
Cons:
- Typically unable to map metadata to capture important cross reference information about the change
23 Audit Trail Technologies: Triggers
What are they:
- Core database technology
- Used by System Administrator audit trail
- Advanced software packages:
  - May allow metadata to be mapped
  - Usually have a central repository for easier reporting and data management
  - May allow for alerting of information
When are they useful:
- Setups (key control configurations), Master Data, Security, Development; SQL Forms
24 Audit Trail Technologies: Triggers
Pros:
- Allow for mapping of metadata
- Inherent technology within the application
- Captures detail changes and related metadata (most solutions) to provide an auditable system
Cons:
- Can have a performance impact if deployed on high volume transaction tables; the performance impact therefore needs to be evaluated and considered before use
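The Journal Sources case from slides 9-12, replayed against Row Who, a snapshot comparison and a trigger, as an added example that is not part of the presentation. It uses SQLite through Python as a stand-in for the Oracle database; the table, column and source names and the timestamps are constructed and are not the EBS schema.

```python
import sqlite3

# Hypothetical setup table with Row Who columns, plus a trigger-fed audit table.
SCHEMA = """
CREATE TABLE journal_sources (
    source_name      TEXT PRIMARY KEY,
    require_approval TEXT NOT NULL,   -- 'Checked' or 'Unchecked'
    last_updated_by  TEXT NOT NULL,   -- Row Who
    last_update_date TEXT NOT NULL    -- Row Who
);
CREATE TABLE journal_sources_audit (
    audit_id    INTEGER PRIMARY KEY AUTOINCREMENT,
    source_name TEXT,
    column_name TEXT,
    old_value   TEXT,
    new_value   TEXT,
    changed_by  TEXT,
    changed_at  TEXT
);
-- Trigger-based audit: one row per real change, old and new value kept.
CREATE TRIGGER journal_sources_au
AFTER UPDATE OF require_approval ON journal_sources
WHEN OLD.require_approval IS NOT NEW.require_approval
BEGIN
    INSERT INTO journal_sources_audit
        (source_name, column_name, old_value, new_value, changed_by, changed_at)
    VALUES (NEW.source_name, 'require_approval',
            OLD.require_approval, NEW.require_approval,
            NEW.last_updated_by, NEW.last_update_date);
END;
"""

SOURCE = "SAMPLE_SOURCE"  # constructed journal source name


def build_db():
    """Create the tables and seed the initial, as-installed value."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute(
        "INSERT INTO journal_sources VALUES (?, ?, ?, ?)",
        (SOURCE, "Checked", "AUTOINSTALL", "2020-01-01 00:00:00"),
    )
    return conn


def apply_change(conn, value, user, when):
    """Update the setting the way a form would: value plus Row Who columns."""
    conn.execute(
        "UPDATE journal_sources SET require_approval = ?, "
        "last_updated_by = ?, last_update_date = ? WHERE source_name = ?",
        (value, user, when, SOURCE),
    )


def snapshot(conn):
    """Point-in-time copy of the table: name -> (value, updated_by, date)."""
    rows = conn.execute(
        "SELECT source_name, require_approval, last_updated_by, "
        "last_update_date FROM journal_sources"
    )
    return {name: (value, who, when) for name, value, who, when in rows}


def run_scenario():
    conn = build_db()
    before = snapshot(conn)
    # The two changes from the slides: uncheck, then re-check shortly after.
    apply_change(conn, "Unchecked", "JTH9891", "2020-06-01 10:00:00")
    apply_change(conn, "Checked", "JTH9891", "2020-06-01 10:02:00")
    after = snapshot(conn)

    # Snapshot on the control value: nothing appears to have changed.
    value_delta = sorted(n for n in after if after[n][0] != before[n][0])
    # Snapshot on Row Who: the row was touched, but not what was changed.
    row_who_delta = sorted(n for n in after if after[n][1:] != before[n][1:])
    # Trigger audit: both intermediate changes, with old and new values.
    audit_rows = conn.execute(
        "SELECT old_value, new_value, changed_by, changed_at "
        "FROM journal_sources_audit ORDER BY audit_id"
    ).fetchall()
    return {
        "row_who": after[SOURCE],
        "value_delta": value_delta,
        "row_who_delta": row_who_delta,
        "audit_rows": audit_rows,
    }


if __name__ == "__main__":
    for key, result in run_scenario().items():
        print(key, result)
```

The trigger takes `changed_by` from the Row Who column the update supplied, so it is only as trustworthy as that column; a change made directly in the database would need the session user captured instead.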
25 Audit Trail Technologies Metadata Mapping Example: fnd_responsibility table:
26 Audit Trail Technologies Metadata Mapping Example: fnd_menus table:
27 Audit Trail Technologies Metadata Mapping Example: fnd_menus_tl table:
28 Poll 2: How are you baselining configurations and tracking changes related to automated controls?
29 Audit Trail: What to Audit
30 Audit Trail: What to Audit
What to audit (Category: Form / Function):
- Application Controls: Journal Sources (GL), Journal Authorization Limits (GL), Approval Groups (PO), Adjustment Approval Limits (AR), Receivables Activities (AR), OM Holds (OM), Line Types (PO), Document Types (PO), Approval Groups (PO), Approval Group Assignments (PO), Approval Group Hierarchies (PO), Tolerances, Item Master Setups, Item Categories
- Affect Business Process: Profile Options, DFFs, KFFs, Value Set Changes
- Development: Concurrent Programs, Executables, Functions, SQL forms, Objects
- Security: Menus, Roles, Responsibilities, Request Groups, Security Profiles, SQL forms such as Dynamic Trigger Maintenance, Define Profile Options, Alerts, Collection Plans, etc (see Metalink Note for more information on SQL forms)
- Fraud Related: Suppliers, Remit-To Addresses, Locations, Bank Accounts
31 Audit Trail Technologies
Software providers:
- Trigger-based:
  - Absolute Technologies: Application Auditor
  - CaoSys: CS*Audit (part of CS*Compliance)
  - Greenlight Technologies: RESQ
  - Oracle: Configuration Controls Governor; Audit Vault
- Log-based: Guardium, Lumigent
- Snapshot: Approva
32 Upcoming Webinars
- ERP Seminars: TBD
- Absolute Technologies: 7 Oct, 2 p.m. EDT - Application Auditor
- CaoSys: 6 Oct, 2 p.m. EDT - CS*Compliance
33 Other Comments
34 Poll 3: Will you require a CPE certificate for a professional designation such as CPA, CISA, CISM, or CIA?
35 Sample Risk Assessment: Application Controls / SOD
Conflict: Enter Journals vs Maintain Journal Sources
Risk Description: Enter Journals vs. Journal Sources: User could override controls by changing configuration "Require Journal Approval", which is set in the Journal Sources form and determines which sources are required to go through the journal approval process. This could also lead to changing the "Freeze Journals" setting in Journal Sources, which could allow a user to delete or change a JE from a subledger. Either change could lead to compromise in controls related to the journal entry approval process. This could lead to a compromise in the integrity of the financial statements and control violations under SOX.
Typical Mitigating Controls:
- Do not allow those involved in the JE process to maintain Journal Sources. No user should have access to both of these functions, including support users.
- Changes to Journal Sources should go through change management and be approved by appropriate personnel who have reviewed and understand the impact of this change on the process and controls related to journal entries.
- Changes to Journal Sources should be audited at the system level via a log-based or trigger-based mechanism.
- A change management audit should be performed by an independent auditor with a 100% sample size, comparing actual changes pulled from a system level audit trail to approvals in the change management documentation.
36 Sample Risk Assessment: Application Control Configs
Conflict: Maintain Journal Authorization Limits
Risk Description: Maintain Journal Authorization Limits: Access allows a user to define journal approval limits. Risk is unapproved changes to journal approval limits resulting in posted journal entries not properly approved by management and overriding defined controls. This could lead to a compromise in the integrity of the financial statements and control violations under SOX.
Typical Mitigating Controls:
- Changes to Journal Authorization Limits should go through change management and be approved by appropriate personnel who have reviewed and understand the impact of this change on the process and controls related to journal entries.
- Changes to Journal Authorization Limits should be audited at the system level via a log-based or trigger-based mechanism.
- A change management audit should be performed by an independent auditor with a 100% sample size, comparing actual changes pulled from a system level audit trail to approvals in the change management documentation.
37 Wrap Up
38 Oracle Apps Internal Controls Repository
Internal Controls Repository Content:
- White Papers such as Accessing the Database without having a Database Login, Best Practices for Bank Account Entry and Assignment, Using a Risk Based Assessment for User Access Controls, Internal Controls Best Practices for Oracle's Journal Approval Process
- Oracle apps internal controls deficiencies and common solutions
- Mapping of sensitive data to the tables and columns
- Identification of reports with access to sensitive data
- Recommended minimum tables to audit
- Not affiliated with Oracle Corporation
39 ERP Seminars Services
- Free one-hour consultation
- On-site seminars (1-2 days) custom tailored to your company's needs as well as various web-based seminars
- RFP / RFI management for Oracle-related GRC software
- SOD / UAC Third Party software projects / remediation
- Audit trail software projects
- Controls review related to Oracle-related controls implementations and post-implementation
- Level I and Level II assessment services see:
40 Seminars Offered
Seminars offered:
- Internal Controls and Application Security Best Practices in an Oracle E-Business Suite Environment
- Application Security Design: Fundamentals
- Application Security Design: Advanced Concepts
- Implementing Oracle E-Business Suite: Internal Controls Challenges
- Introduction to Oracle's User Management Module and Related Risks
- Auditing Oracle E-Business Suite: Application Security
- Monitoring Privileged Users in an Oracle E-Business Suite Environment
- Risk-Based Assessment of User Access Controls and Segregation of Duties for Companies Running Oracle E-Business Suite
41 About ERP Seminars
- Thought Leadership, Best Practices
- Aggregator of public domain content and best practices
- A hands-on, Oracle Applications focused analyst firm - but not an analyst firm that only covers those who pay for coverage
- NOT a consulting firm, although I do some limited consulting
- Independent of any 3rd party software; attempt to cover all relevant solutions in the Oracle Apps Controls Automation space
42 Q & A
43 Poll 4: I'd like to follow up this webinar with:
44 Contact Information
Jeffrey T. Hare, CPA CISA CIA
Cell:
Office:
Websites:
Oracle Internal Controls and Security listserver (public domain listserver) at
Internal Controls Repository (end users only)
45 Best Practices Caveat
The Best Practices cited in this presentation have not been validated with your external auditors nor has there been any systematic study of industry practices to determine they are in fact Best Practices for a representative sample of companies attempting to comply with the Sarbanes-Oxley Act of 2002 or other corporate governance initiatives mentioned. The Best Practice examples given here should not substitute for accounting or legal advice for your organization and provide no indemnification from fraud, material misstatements in your financial statements, or control deficiencies.
More informationSEGPAY SUITE MERCHANT SETUP CONFIGURATION REPORTS
SEGPAY SUITE MERCHANT SETUP CONFIGURATION REPORTS AUGUST 27, 2013 VERSION 1.01 TABLE OF CONTENTS 1 MERCHANT SETUP CONFIGURATION REPORTS...3 1.1 HOW TO GET THE MERCHANT SETUP CONFIGURATIONS REPORT... 3
More informationInstall and Configure Fusion Applications - DBA perspective. Masthan Babu Phani Kottapalli AST Corporation August 14, 2014
Install and Configure Fusion Applications - DBA perspective Masthan Babu Phani Kottapalli AST Corporation August 14, 2014 Specialized. Recognized. Preferred. The right partner makes all the difference.
More informationWHITE PAPER. Guide to Auditing and Logging in the Oracle E-Business Suite
WHITE PAPER Guide to Auditing and Logging in the Oracle E-Business Suite APRIL 2016 GUIDE TO AUDITING AND LOGGING IN THE ORACLE E-BUSINESS SUITE Version 1.0 March 2003 Version 1.1 February 2004 Version
More informationOracle Audit Vault Administrator s Guide Oracle Audit Vault Auditor s Guide Oracle Enterprise Manager Cloud Control Administrator s Guide
Oracle Enterprise Manager System Monitoring Plug-in Installation Guide for Oracle Audit Vault Release 12.1 (12.1.0.2.0) E26595-02 September 2012 Oracle Audit Vault is used to transparently collect and
More informationGlobal Industrial Manufacturer
Global Industrial Manufacturer Implements Control Self Assessment Solution Overview FulcrumWay Leading Provider of Enterprise Risk Assessment Mitigation and Remediation Solutions Enterprise Risk Management
More informationAPPLICATION COMPLIANCE AUDIT & ENFORCEMENT
TELERAN SOLUTION BRIEF Building Better Intelligence APPLICATION COMPLIANCE AUDIT & ENFORCEMENT For Exadata and Oracle 11g Data Warehouse Environments BUILDING BETTER INTELLIGENCE WITH BI/DW COMPLIANCE
More informationSAP SECURITY CLEARING THE CONFUSION AND TAKING A HOLISTIC APPROACH
SAP SECURITY CLEARING THE CONFUSION AND TAKING A HOLISTIC APPROACH WWW.MANTRANCONSULTING.COM 25 Mar 2011, ISACA Singapore SOD SAS70 Project Controls Infrastructure security Configurable controls Change
More informationTable of Contents. Copyright 2010-2015 Symphonic Source, Inc. All rights reserved. Salesforce is a registered trademark of salesforce.
DupeCatcher is a real-time deduplication app designed specifically for Salesforce. It is a 100% APEX developed and deployed managed package, and is installed via the Salesforce AppExchange, eliminating
More informationConnecting the dots: IT to Business
Connecting the dots: IT to Business Jason Wood, CPA, CISA, CIA, CITP, CFF April 2015 1 Speaker Bio Jason Wood Over 18 years of international business experience in planning, conducting, and quality reviewing
More informationBENEFITS OF IMAGE ENABLING ORACLE E-BUSINESS SUITE:
Content Management How does it apply to Oracle E-Business Suite? Carol Mitchell C.M. Mitchell Consulting Corporation OVERVIEW: ERP applications do a great job at managing structured data, which is the
More informationJD Edwards EnterpriseOne: Governance, Risk, and Compliance
JD Edwards EnterpriseOne: Governance, Risk, and Compliance Solutions for Sarbanes-Oxley and Other Compliance Requirements ORACLE WHITE PAPER MAY 2015 Disclaimer The following is intended to outline our
More informationStrategic IT audit. Develop an IT Strategic IT Assurance Plan
Strategic IT audit Develop an IT Strategic IT Assurance Plan Speaker Biography Hans Henrik Berthing is Partner at Verifica and Senior Advisor & Associated Professor at Aalborg University. He is specialized
More informationApplication Security Review
Internal Audit Department 350 South 5th Street, Suite 302 Minneapolis, MN 55415-1316 (612) 673-2056 Audit Team on the Engagement: Kim Anderson, PwC Chris Bevan, PwC Jonny Brennan, Undergraduate Student
More informationOracle EBS Interface Connector User Guide V1.4
Oracle EBS Interface Connector User Guide V1.4 Contents Oracle EBS Interface Connector User Guide V1.4... 1 1. Introduction... 3 2. Technologies... 4 3. High level Architectural Diagram... 4 4. About Oracle
More informationTREENO ELECTRONIC DOCUMENT MANAGEMENT. Administration Guide
TREENO ELECTRONIC DOCUMENT MANAGEMENT Administration Guide October 2012 Contents Introduction... 8 About This Guide... 9 About Treeno... 9 Managing Security... 10 Treeno Security Overview... 10 Administrator
More informationContinuous Controls Monitoring. Virginia ISACA January Meeting 19 January 2010
Continuous Controls Monitoring Virginia ISACA January Meeting 19 January 2010 Today s Agenda What We Are Hearing About Risk Internal Controls Continuous Control Monitoring What is CCM? Framework EY Point
More informationIdentity & Access Management new complex so don t start?
IT Advisory Identity & Access Management new complex so don t start? Ing. John A.M. Hermans RE Associate Partner March 2009 ADVISORY Agenda 1 KPMG s view on IAM 2 KPMG s IAM Survey 2008 3 Best approach
More informationApplication controls testing in an integrated audit
Application controls testing in Application controls testing in an integrated audit Learning objectives Describe types of controls Describe application controls and classifications Discuss the nature,
More informationORACLE ENTERPRISE GOVERNANCE, RISK, AND COMPLIANCE MANAGER FUSION EDITION
ORACLE ENTERPRISE GOVERNANCE, RISK, AND COMPLIANCE MANAGER FUSION EDITION KEY FEATURES AND BENEFITS Manage multiple GRC initiatives on a single consolidated platform Support unique areas of operation with
More informationIowa Student Loan Online Privacy Statement
Iowa Student Loan Online Privacy Statement Revision date: Jan.6, 2014 Iowa Student Loan Liquidity Corporation ("Iowa Student Loan") understands that you are concerned about the privacy and security of
More informationHow to leverage SAP NetWeaver Identity Management and SAP Access Control combined solutions
How to leverage SAP NetWeaver Identity Management and SAP Access Control combined solutions Introduction This paper provides an overview of the integrated solution and a summary of implementation options
More informationOAUG Webinar Series Seminar #4
OAUG Webinar Series Seminar #4 Oracle R12 AP Invoice to Payment Process Paul Kirch Principal, Process & Domain, Infosys OAUG Accounts Payable SIG Chairman September 8, 2011 Agenda Introduction Procure
More informationManaging Open Source Code Best Practices
Managing Open Source Code Best Practices September 24, 2008 Agenda Welcome and Introduction Eran Strod Open Source Best Practices Hal Hearst Questions & Answers Next Steps About Black Duck Software Accelerate
More informationOracle E-Business Suite APPS, SYSADMIN, and oracle Securing Generic Privileged Accounts. Stephen Kost Chief Technology Officer Integrigy Corporation
Oracle E-Business Suite APPS, SYSADMIN, and oracle Securing Generic Privileged Accounts May 15, 2014 Mike Miller Chief Security Officer Integrigy Corporation Stephen Kost Chief Technology Officer Integrigy
More informationOnline Transaction Processing in SQL Server 2008
Online Transaction Processing in SQL Server 2008 White Paper Published: August 2007 Updated: July 2008 Summary: Microsoft SQL Server 2008 provides a database platform that is optimized for today s applications,
More informationContent Management System
OIT Training and Documentation Services Content Management System End User Training Guide OIT TRAINING AND DOCUMENTATION oittraining@uta.edu http://www.uta.edu/oit/cs/training/index.php 2009 CONTENTS 1.
More informationAchieving PCI COMPLIANCE with the 2020 Audit & Control Suite. www.lepide.com/2020-suite/
Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite 7. Restrict access to cardholder data by business need to know PCI Article (PCI DSS 3) Report Mapping How we help 7.1 Limit access to system
More informationRisk and Controls 101
Risk and Controls 101 Agenda What is a Risk and Control? Controls 101 What is Risk and Control? Control Types Control Execution Control Categories A-123 Process here at LBNL Wrap-up Process Risk Map Control
More informationmission critical applications mission critical security Internal Auditor Primer: Oracle E-Business Suite Security Risks Primer
mission critical applications mission critical security Internal Auditor Primer: Oracle E-Business Suite Security Risks Primer Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director
More information