Oracle E-Business Suite: SQL Forms Risks and. Presented by: Jeffrey T. Hare, CPA CISA CIA

Transcription

1 Oracle E-Business Suite: SQL Forms Risks and Controls Presented by: Jeffrey T. Hare, CPA CISA CIA

2 Presentation Agenda Overview: Introductions Overall system risks Audit Trails Change Management Implementation Practices What are SQL forms? Risks related to SQL forms Use of SQL forms to manipulate data and commit fraud Two Scenarios Best Practices for monitoring activity in SQL forms Wrap Up

3 Introductions Jeffrey T. Hare, CPA CISA CIA Founder of ERP Seminars and Oracle User Best Practices Board Author Solo book project: Oracle E-Business Suite Controls: Application Security Best Practices; Contributing author Best Practices in Financial Risk Management Written various white papers on Internal Controls and Security Best Practices in an Oracle Applications environment Frequent contributor to OAUG s Insight magazine Experience includes Big 4 audit, 6 years in CFO/Controller roles both as auditor and auditee In Oracle applications space since 1998 both as client and consultant Founder of Internal Controls Repository public domain repository

4 Overall system risks Here are various risks of which you need to be aware to understand risks related to auditing application controls: Deficiencies regarding audit trails Deficiencies in Change Management practices Deficiencies in implementation practices

5 Overall System Risks Audit Trails Disconnect between application and database layers Need to be concerned about application access as well as database access Audit trail only kept where application is built to do so Lack of audit all functionality to monitor privileged users Lack of detailed audit trail throughout the application Example: change(s) to columns in a table can cause confusion related to changes made - Journal Sources example

6 Overall System Risks Audit Trails Audit Trail deficiencies Journal Sources Example:

7 Overall System Risks Audit Trails Audit Trail deficiencies Journal Sources Example: After first change:

8 Overall System Risks Audit Trails Audit Trail deficiencies Journal Sources Example: After second change:

9 Overall System Risks Audit Trails Journal Sources example data: Initial Value After First Change After Second Change Value Checked Unchecked Checked Updated by AUTOINSTALL JTH9891 JTH9891 Update date 03-Jan :52:09 25-Aug :43:58 25-Aug :45:31 The only thing we can tell from this is that JTH9891 made a change, but we have no idea WHAT changed. The values as of the second change are the same as the initial values!

10 Overall System Risks Audit Trails For more on this topic, review recorded webinar Building in an Audit in an Oracle EBS Environment at: Also, down chapter 6 from my book at: Proper_Audit_Trail2.pdf Both links are available at

11 Overall System Risks Change Management Purpose of Change Management protect the system or protect the process? Are system configurations relevant to the design and performance of the business process? Would you let a developer change the code related to a process without going through your change management process? Would you give your developers access to the Apps password in Prod?

12 Overall System Risks Change Management Some common Change Management challenges for companies running Oracle EBS: Too narrowly define change management as IT changes Failure to develop non-it executive ownership for the change management process Failure to properly identify the setup forms that impact their business processes and key controls Failure to develop the necessary audit trail to test for unauthorized changes and to show auditors regarding key controls Failure to design security using the principle of least privilege Failure to address risks related to forms that allow SQL statements to be embedded in them

13 Poll 1 Represents my organization s change management maturity: All key control configurations go through CM process All SQL forms activity go through CM process A trigger/log based audit trail has been created for all activity in CM process We regularly reconcile system-level activity to CM approvals None of these apply Check all that apply

14 SQL Forms Survey Aware of risks related to SQL Forms? I was not aware of the risk 32.6% 0% 9% I have read about SQL forms, but didn't/don't understand the risks 13.0% My company is aware of the risks, but have chosen not to address them 4.3% 22% 4% 4% 11% 4% 13% 33% My company is aware of the risks, but feels monitoring software is too expensive 10.8% My company has put a third party trigger or log-based solution to monitor them 4.3% My company uses Oracle's Sys Admin audit trail to monitor the activity 4.3% My company requires all SQL form activity to go through IT Change Management 21.7% My company reconciles actually activity to our Change Management approvals 0.0% Other 8.6%

15 SQL Forms Survey How long live on Oracle? 3% 5% 5% 3% We are not yet live with the system 5.1% 20% We have been live less than 1 year 2.5% We have been live 2-4 years 20.5% We have been live 5 or more years 64.1% 64% Other 2.5% No Responses 5.1%

16 SQL Forms Survey Number of Oracle Users 13% 5% 11% % % % Over 5000

17 What are SQL Forms? Forms that accept SQL statements: Metalink Note (Best Practices for Securing E-Business Suite): LIMIT ACCESS TO FORMS ALLOWING SQL ENTRY To improve flexibility, some forms allow users to enter SQL statements. Unfortunately, this feature may be abused. Appendix B: Security Setup Forms That Accept SQL Statement on page 49 contains a list of Forms that allow the user to edit code, add code or otherwise affect executable code. Restrict access to these forms by assigning the responsibility to a small group of users. Consider auditing the database tables listed in the appendix.

18 What are SQL Forms? Examples of SQL Forms: Define Concurrent Program, Define Concurrent Program Executable, Define User Profile Option, Applications, Define Data Group, Register Oracle IDs, Attribute Mapping Details, Define Data Stream, Custom Stream Advanced Setup, Audit Statements, Define Dynamic Resource Groups, Business Rule Workbench, Define Validation Templates, Defaulting Rules, Foundation Objects, Spreadtable Metadata, Administration, SpreadTable Diagnostics Form, JTFGANTT, Define WMS Rules, Define Pricing Formulas, Attribute Mapping, Workflow Process Configuration Framework, Workflow Activity Approval, Configuration Framework, PL/SQL tester, Write Formula, Define Function, Create QuickPaint Inquiry, Define Assignment Set, Dynamic Trigger Maintenance, Define Security Profile, Define Descriptive Flexfield Segments, Define Value Set, QA - Collection Plan Workbench Some not documented in Oracle Metalink document Original list developed by Integrigy Excerpts of documents [IntA, IntB] reproduced with permission from Integrigy Corporation (page ii)

19 Risks Related to SQL Forms Risks related to SQL Forms Execution of any SQL Statements insert, update, delete, select as well as database structure commands drop, truncate, alter, create, etc.; OS scripts Leading to fraud, data theft, taking over powerful accounts such as SYSADMIN, circumvention of policy such as change management, internal control deficiencies, additional audit fees, etc.

20 Poll 2 Question: The following represents my understanding of SQL forms prior to this webinar (check all the apply): I was fully aware of the risks related to SQL Forms I was not aware that SQL and OS scripts could be executed using these forms I was not aware of the number of forms with these risks I didn't know anything about SQL Forms Other

21 Examples Using SQL Forms Scenarios Fraudulent bank account updates for the purpose of misdirecting payments to a valid supplier Reset of SYSADMIN login for the purpose of unapproved access and system updates

22 Examples Using SQL Forms Scenario 1: Change Bank Account

23 Examples Using SQL Forms

24 Examples Using SQL Forms Before the Alert:

25 Examples Using SQL Forms The Alert is Fired

26 Examples Using SQL Forms After Alert

27 Examples Using SQL Forms Scenario 2: Reset SYSADMIN Password often with powerful access

28 Examples Using SQL Forms

29 Examples Using SQL Forms

30 Examples Using SQL Forms Once a plan is created you need only define your action condition that triggers your action. You then pick your method to execute. Top half sets the condition for the trigger Bottom half defines the action

31 Examples Using SQL Forms Update statement to reset SYSADMIN password

32 Examples Using SQL Forms Enter results to trigger the trigger

33 Examples Using SQL Forms When the trigger condition is entered and saved a periodic alert is run. This is really the only indicator that something has been done. The alert itself is not really traceable since we can delete the collection plan and remove any audit trail.

34 Poll 3 Question: Represents maturity of my organization re: SQL forms (check all the apply): We are limiting access to known / relevant SQL forms We are limiting access to all SQL forms All activity re: SQL forms goes through CM Monitoring activity via log/trigger based solution Reconciling actual activity to approved activityother

35 Best Practices for monitoring activity in SQL forms Forms that accept SQL statements Access should be tightly restricted to just the users management approves having access suggest SaaS service to find out who has access to all SQL forms All activity in the forms should go through your change management process All code going through the forms should be subject to a peer review before it is entered All activity within the forms should be audited using a trigger or log-based solution All activity should be reconciled back to approved activity For unauthorized changes, appropriate actions must be taken to plug the holes

36 Special Thanks Special Thanks to: Daryl Geryol, Practice Director - GRC Services, KBACE dgeryol@kbace.com Office (262) Cell (847)

37 Q & A

38 Poll 4 Question: Require any follow up from today's webinar I need a CPE certificate I'd like to set up a follow up call with Jeffrey I'd like to understand available monitoring tools I'd like copies of the slides None necessary

39 Oracle Apps Internal Controls Repository Internal Controls Repository Content: White Papers such as Accessing the Database without having a Database Login, Best Practices for Bank Account Entry and Assignment, Using a Risk Based Assessment for User Access Controls, Internal Controls Best Practices for Oracle s Journal Approval Process Oracle apps internal controls deficiencies and common solutions Mapping of sensitive data to the tables and columns Identification of reports with access to sensitive data Recommended minimum tables to audit Not affiliated with Oracle Corporation

40 ERP Seminars Services Free one-hour consultation Risk advisory services On-site seminars (1-2 days) custom tailored to your company s needs Various web-based seminars SOD / UAC Third Party software project management SOD / UAC remediation prioritization Controls review related to Oracle-related controls implementations and post-implementation

41 Seminars Offered and Planned Seminars offered: Internal Controls and Application Security Best Practices in an Oracle e-business Suite Environment Application Security Design: Fundamentals Implementing Oracle e-business Suite: Internal Controls Challenges Introduction to Oracle s User Management Module and Related Risks Auditing Oracle E-Business Suite: Application Security Monitoring Privileged Users in an Oracle E-Business Suite Environment Risk-Based Assessment of User Access Controls and Segregation of Duties for Companies Running Oracle E-Business Suite See:

42 Contact Information Jeffrey T. Hare, CPA CISA CIA Cell: Office: Websites: Oracle Internal Controls and Security listserver (public domain listsever) at Internal Controls Repository (end users only) Skype: jhareaz

43 Best Practices Caveat Best Practices Caveat The Best Practices cited in this presentation have not been validated with your external auditors nor has there been any systematic study of industry practices to determine they are in fact Best Practices for a representative sample of companies attempting to comply with the Sarbanes-Oxley Act of 2002 or other corporate governance initiatives mentioned. The Best Practice examples given here should not substitute for accounting or legal advice for your organization and provide no indemnification from fraud, material misstatements in your financial statements, or control deficiencies.