Auditing Application Controls in an Oracle EBS Environment. Presented by: Jeffrey T. Hare, CPA CISA CIA

Transcription

1 Auditing Application Controls in an Oracle EBS Environment Presented by: Jeffrey T. Hare, CPA CISA CIA

2 Presentation Agenda Overview: Introductions Overall system risks related to Application Controls Audit Trails Change Management Implementation Practices Application Controls Guidance Benchmarking Strategies Override at the Transaction Level Application Controls Recommendations IT General Controls Guidance and Risks Wrap Up

3 Introductions Jeffrey T. Hare, CPA CISA CIA Founder of ERP Seminars and Oracle User Best Practices Board Author Solo book project: Oracle E-Business Suite Controls: Application Security Best Practices; Contributing author Best Practices in Financial Risk Management Written various white papers on Internal Controls and Security Best Practices in an Oracle Applications environment Frequent contributor to OAUG s Insight magazine, published by ISACA and ACFE Experience includes Big 4 audit, 6 years in CFO/Controller roles both as auditor and auditee In Oracle applications space since 1998 both as client and consultant Founder of Internal Controls Repository public domain repository

4 Overall system risks related to Application Controls Here are various risks of which you need to be aware to understand risks related to auditing application controls: Deficiencies regarding audit trails Deficiencies in Change Management practices Deficiencies in implementation practices

5 Overall System Risks Audit Trails Disconnect between application and database layers Audit trail only kept where application is built to do so Lack of audit all functionality to monitor privileged users Lack of detailed audit trail throughout the application including for configurations related to automated controls Example: change(s) to columns in a table can cause confusion related to changes made - Journal Sources example

6 Overall System Risks Audit Trails Audit Trail deficiencies Journal Sources Example:

7 Overall System Risks Audit Trails Audit Trail deficiencies Journal Sources Example: After first change:

8 Overall System Risks Audit Trails Audit Trail deficiencies Journal Sources Example: After second change:

9 Overall System Risks Audit Trails Journal Sources example data: Initial Value After First Change After Second Change Value Checked Unchecked Checked Updated by AUTOINSTALL JTH9891 JTH9891 Update date 03-Jan :52:09 25-Aug :43:58 25-Aug :45:31 The only thing we can tell from this is that JTH9891 made a change, but we have no idea WHAT changed. The values as of the second change are the same as the initial values!

10 Overall System Risks Change Management Purpose of Change Management protect the system or protect the process? Are system configurations relevant to the design and performance of the business process? Would you let a developer change the code related to a process without going through your change management process? Would you give your developers access to the Apps password in Prod?

11 Overall System Risks Implementation Practices Was the security related to your implementation designed with the principle of least privilege concept? What about security for your privileged users? Using seeded responsibilities and/or menus/sub-menus? Upgrade risk Access to Supplier Maintenance from Buyer s Workbench Access to Enter Journals from various subledger setup menus

12 Auditing Application Controls

13 Application Controls Guidance Internal Auditors (IIA) Global Technology Auditing Guide: Auditing Application Controls (GTAG 8) The guide states the nature and extent of the evidence the auditor should obtain to verify the control has not changed may vary, based on circumstances such as the strength of the organization s program change controls. As a result, when using a benchmarking strategy for a particular control, the auditor should consider the effect of related files, tables, data, and parameters on the application control s functionality. Two important concepts Look at system to determine whether application control setups are changed Review reliability of change management process to ascertain whether the baselined values can be relied upon

14 Application Controls Guidance For Application Controls to be relied upon, you need to review: Setups specific to the application control Override of system-level controls during entry of transaction IT General Controls

15 Benchmarking Setups specific to the application control. Need to consider all setups related to the application control to make sure the integrity of the control is insured. Example related to PO approvals and matching requirements: workflow components, approval groups, approval assignments, document types, line types, supplier header, at the transaction level

16 Benchmarking Setup values are established:

17 Benchmarking But can be overridden at various levels

18 Benchmarking But can be overridden at various levels

19 Override at transaction level And sometimes overridden at the transaction level

20 Application Controls Recommendations For your application controls to be effective: Know your policies and procedures Know your process Make sure all system-related setups are documented and baselined Require changes to go through change management process be documented and approved Ability to change setups and objects should be tightly controlled just as you control object changes Changes to setups and objects related to application controls should be audited Which would require a detailed (log or trigger-based) audit trail to be built

21 IT General Controls Guidance Why IT General Controls are important: The critical commentary in the IIA guidance on the importance of ITGC s states that if the ITGC s that monitor program changes are not effective, then unauthorized, unapproved, an untested program changes can be introduced to the production environment, thereby compromising the overall integrity of the application controls.

22 IT General Controls Challenges Some common Change Management challenges for companies running Oracle EBS: Too narrowly define change management as IT changes Failure to develop non-it executive ownership for the change management process Failure to properly identify the setup forms that impact their business processes Failure to develop the necessary audit trail to test for unauthorized changes Failure to design security using the principle of least privilege Failure to address risks related to forms that allow SQL statements to be embedded in them Failure to maintain documentation

23 Q & A

24 Oracle Apps Internal Controls Repository Internal Controls Repository Content: White Papers such as Accessing the Database without having a Database Login, Best Practices for Bank Account Entry and Assignment, Using a Risk Based Assessment for User Access Controls, Internal Controls Best Practices for Oracle s Journal Approval Process Oracle apps internal controls deficiencies and common solutions Mapping of sensitive data to the tables and columns Identification of reports with access to sensitive data Recommended minimum tables to audit Not affiliated with Oracle Corporation

25 ERP Seminars Services Free one-hour consultation On-site seminars (1-2 days) custom tailored to your company s needs Various web-based seminars RFP / RFI management for Oracle-related third party software SOD / UAC Third Party software project management SOD / UAC remediation prioritization Controls review related to Oracle-related controls implementations and post-implementation

26 Seminars Offered Seminars planned: Tuesday, Dec 1-1 p.m. EST - Auditing Oracle E-Business Suite: Top Internal Controls and Security Risks Tuesday, Dec 8-1 p.m. EST - Auditing Oracle E-Business Suite: Internal Controls Deficiencies Thursday, Nov 17-1 p.m. EST - Auditing Oracle E-Business Suite: Application Security Thursday, Dec 10 - Risk-Based Assessment of User Access Controls and Segregation of Duties for Companies Running Oracle E-Business Suite See:

27 Best Practices Caveat Best Practices Caveat The Best Practices cited in this presentation have not been validated with your external auditors nor has there been any systematic study of industry practices to determine they are in fact Best Practices for a representative sample of companies attempting to comply with the Sarbanes-Oxley Act of 2002 or other corporate governance initiatives mentioned. The Best Practice examples given here should not substitute for accounting or legal advice for your organization and provide no indemnification from fraud, material misstatements in your financial statements, or control deficiencies.

28 Contact Information Jeffrey T. Hare, CPA CISA CIA Cell: Office: Websites: Oracle Internal Controls and Security listserver (public domain listsever) at Internal Controls Repository (end users only) ols/ Skype: jhareaz