Risk-Based Assessment of User Access Controls and Segregation of Duties for Companies Running Oracle Applications

Risk-Based Assessment of User Access Controls and Segregation of Duties for Companies Running Oracle Applications Presented by: Jeffrey T. Hare, CPA CISA CIA

Webinar Logistics
- Hide and unhide the Webinar control panel by clicking on the arrow icon on the top right of your screen
- The small window icon toggles between a windowed and full screen mode
- Ask questions throughout the presentation using the questions window
- Questions will be reviewed and answered at the end of the presentation; I'll open the lines for interactive Q&A
2009 ERPS

Presentation Agenda
Overview:
- Introductions
- Deficiencies in Current Approaches to SOD
- Taking a Risk-Based Approach to User Access Controls
- Q&A
- Wrap Up

Introductions
Jeffrey T. Hare, CPA CISA CIA
- Founder of ERP Seminars and Oracle User Best Practices Board
- Author, Oracle E-Business Suite Controls: Application Security Best Practices
- Contributing author, Best Practices in Financial Risk Management
- Published in ISACA's Control Journal (twice) and ACFE's Fraud Magazine; frequent contributor to OAUG's Insight magazine
- Experience includes Big 4 audit, 6+ years in CFO/Controller roles, both as auditor and auditee
- In Oracle applications space since 1998, both as client and consultant
- Founder of Internal Controls Repository, a public domain repository
- Written various white papers on Internal Controls and Security Best Practices in an Oracle Applications environment

Taking a Risk-Based Approach to User Access Controls
Types of Risks:
- Segregation of duties: a user having two or more business processes that could result in compromise of the integrity of the process or allow that person to commit fraud
- Access to sensitive functions: a user having access to a function that, in and of itself, has risk
- Access to sensitive data: a user having access to sensitive data such as employee identification number (US = SSN), home addresses, credit card and bank account information, plus data unique to your company (customers, BOMs, routings???)

Risk Assessment Process
- Evaluate about 675 unique risks; CS*Comply covers up to 20,000 function-based risks
- Examples from R/A:
  - Single function risks: being used with user exceptions (Menus); shouldn't be used (certain SQL forms: Quality Plans)
  - SoD risks: never acceptable (Enter Journal Entries vs Journal Authorization Limits); acceptable for certain users via user exceptions (Enter Journal Entries vs Journal Sources)

Deficiencies in Current Approaches to SOD Projects
Here are some common deficiencies in how companies are approaching SOD projects:
- Relying on seeded content of software providers
- Not taking a risk-based approach, considering current controls, in defining what the risks are for their company
- Not considering all user access control risks: access to sensitive functions and access to sensitive data
- Always looking at risks as one function in conflict with another, rather than looking at real risks: single function and two functions
- Looking at SOX risks and ignoring some fraud risks below the materiality level and other operational risks

Taking a Risk-Based Approach to User Access Controls
Approach to Risk Assessment Project:
1. Identify access control conflicts
2. Identify risks associated with each conflict
3. Identify, analyze, and document mitigating controls related to each risk
4. Assess what the residual risk is after taking into account the mitigating controls
5. Discuss residual risks with management and assess their willingness to assume the risk
6. Document remediation steps for unmitigated risks
7. Document whether the conflict (single or combination of two) should be monitored in third party software
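As an added illustration of steps 1 to 4 above (not the presenter's tooling and not CS*Comply), the Python below evaluates constructed user assignments against a small conflict matrix built from the examples on the Risk Assessment Process slide: a single-function risk that allows user exceptions (Menus), one that should never be used (Quality Plans), an SoD conflict that is never acceptable, and one that is acceptable for certain users, with one mitigating control lowering residual risk. All user names, risk ratings, the control and its effect are constructed.

```python
# Added example with constructed data: users, ratings and the control's
# effect are illustrative and not taken from any real EBS instance.
LEVELS = ["low", "medium", "high"]

# Constructed conflict matrix: one function = single-function risk, two =
# SoD conflict; exceptions_allowed says whether a documented user
# exception can make the access acceptable.
CONFLICT_RULES = [
    {"functions": ("Enter Journal Entries", "Journal Authorization Limits"),
     "risk": "high", "exceptions_allowed": False},   # never acceptable
    {"functions": ("Enter Journal Entries", "Journal Sources"),
     "risk": "medium", "exceptions_allowed": True},  # ok for certain users
    {"functions": ("Menus",), "risk": "high", "exceptions_allowed": True},
    {"functions": ("Quality Plans",), "risk": "high",
     "exceptions_allowed": False},                   # SQL form, should not be used
]
# Constructed mitigating controls: conflict -> (control name, levels reduced).
MITIGATING_CONTROLS = {
    frozenset({"Enter Journal Entries", "Journal Sources"}):
        ("All journals are reviewed and approved", 1),
}
# Constructed user access and exceptions already accepted by management.
USER_ACCESS = {
    "jsmith": {"Enter Journal Entries", "Journal Authorization Limits",
               "Journal Sources"},
    "mlee": {"Enter Journal Entries", "Journal Sources", "Menus"},
    "bobadmin": {"Menus", "Quality Plans"},
}
USER_EXCEPTIONS = {
    "mlee": {frozenset({"Enter Journal Entries", "Journal Sources"})},
    "bobadmin": {frozenset({"Menus"})},
}


def assess_user(user, functions, exceptions, controls):
    """Residual-risk findings for one user (steps 1 to 4 of the process)."""
    findings = []
    for rule in CONFLICT_RULES:
        key = frozenset(rule["functions"])
        if not key <= functions:      # step 1: conflict needs every function
            continue
        if rule["exceptions_allowed"] and key in exceptions.get(user, set()):
            continue                  # documented exception: risk accepted
        residual, control = rule["risk"], None          # step 2: inherent risk
        if key in controls:                             # step 3: mitigation
            control, reduce_by = controls[key]
            residual = LEVELS[max(0, LEVELS.index(residual) - reduce_by)]
        findings.append({"conflict": sorted(key), "inherent": rule["risk"],
                         "mitigating_control": control, "residual": residual,
                         "needs_remediation": residual == "high"})  # step 4
    return findings


def assess_all(access, exceptions, controls):
    return {u: assess_user(u, f, exceptions, controls) for u, f in access.items()}
```

Findings with residual "high" are the ones to carry into steps 5 and 6 (management discussion and remediation); everything else is documented with its mitigating control.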

Taking a Risk-Based Approach to User Access Controls
In our experience, a completed risk assessment process exposes the following needs:
- An SOD monitoring tool (or one with a preventive workflow)
- Requirements for a trigger-based detailed audit trail
- Various monitoring reports or processes not provided by Oracle
- The need to personalize forms to support defined controls
- Custom workflows to automate controls where Oracle's functionality is deficient
- Process and/or controls changes
- Documentation and testing of non-key controls
- Access control / security changes
- Additional projects and research that need to be done (customizations, profile options, updating BR100s, BR110s, etc.)

Responding to Auditors
- Have them identify the risk(s) that are inherent in the access or SOD
- Evaluate controls that may be in place to mitigate the risks identified. Examples:
  - All journals are reviewed and approved
  - Financial close processes
  - Budget to actual analysis / forecast to actual
  - Variance analysis: PPV, IPV
  - Reconciliation of inventory balances to GL account
  - Review stale inventory
  - Cycle counting / physical inventories
- Downgrade key controls to standard / non-key based on risk: reduce audit scope / rely more on entity level controls

Access Controls / R12 tips
- Take advantage of MOAC to reduce the number of responsibilities across operating units / inventory orgs
- Use QUERY_ONLY=Yes to generate inquiry-only forms (make sure they are tested thoroughly)
- Refresh Prod to non-prod and allow more liberal access for replication of issues and trouble-shooting
- Use trigger-based auditing solutions to generate a detailed audit trail of changes to key control configurations / critical changes to item master / etc.

Recap / Wrap Up

Resources
- Application Security Best Practices Book, 2nd edition due out Jan 2012
- Launching partially-public domain conflict matrix in conjunction with 2nd edition of book (common elements will be included in Apps Security BP book)
- Oracle E-Business Suite Controls: Financial Close Cycle due out April 2012, focusing on design and implementation of controls and security related to Financial Close Cycle

Links
- Recorded webinars: http://www.erpra.net/webinaraccessform.html
- Blog: http://jeffreythare.blogspot.com/
- Video blog: http://www.youtube.com/erpseminars
- Oracle Internal Controls and Security listserver (public domain/open group): http://tech.groups.yahoo.com/group/oraclesox/?yguid=192922351

Links
- Oracle Apps Internal Controls Repository (end users only / closed group): http://tech.groups.yahoo.com/group/oracleappsinternalcontrols/?yguid=440489739
- LI Oracle GRC group: http://www.linkedin.com/groups?gid=2017790
- LI Oracle ERP Auditors group: http://www.linkedin.com/groups?gid=2354934

ERP Risk Advisory Services
- Project audit / QA: we'll work under the direction of your PMO or Internal Audit to provide project audit or quality assurance, whether the work is done internally or through a system integrator. In this role, we typically bring in other experts from companies like Integrigy, Solution Beacon, FSCP Solutions, and Colibri to be a part of our team.
- Security upgrade/implementation: we'll upgrade your security from 11i to R12, adding new functionality in R12 while reducing upgrade risk by minimizing the use of standard sub-menus and using custom menus for all custom responsibilities. We'll also help you implement role-based access control (RBAC) or help you to prepare for the implementation of RBAC, depending on the maturity of your organization.
- Controls upgrade: we'll review your risk and control library, making sure all risks have been identified and recommending an adequate level of controls; we'll look at what are defined as key controls and make recommendations to downgrade to non-key, where possible, to reduce audit fees; we'll also make recommendations on how to automate various controls.

ERP Risk Advisory Services
- Security and Controls monitoring: both security and controls need to be monitored on an on-going basis as changes are introduced in your system. We'll help identify the processes and, perhaps, software that needs to be put in place for proper monitoring.
- Building of system-based audit trails: we'll evaluate your current trigger-based auditing and make recommendations on what should be added or changed. If you aren't using a trigger-based auditing tool, we'll recommend one that fits your budget and help you implement it.
- Enhancement of change management (CM) controls: we'll review and recommend enhancements to your change control process to better protect the integrity of your data and business processes. We'll focus on all four aspects of CM (development, patching, security, and configurations) and help you implement a quality assurance program to monitor the effectiveness of your CM process.

ERP Risk Advisory Services
- Implementation of user access controls software: we'll design and implement preventive and detective controls related to Segregation of Duties, single function risks, and sensitive data risks. This is best done in conjunction with the upgrade of your security.
- Implementation of data security software: we'll implement a security solution that locks down access to sensitive data at both the application and database levels. This software is more flexible and cost effective than implementing encryption, where it is not provided by Oracle.

Q & A

Best Practices Caveat
The Best Practices cited in this presentation have not been validated with your external auditors, nor has there been any systematic study of industry practices to determine they are in fact Best Practices for a representative sample of companies attempting to comply with the Sarbanes-Oxley Act of 2002 or other corporate governance initiatives mentioned. The Best Practice examples given here should not substitute for accounting or legal advice for your organization and provide no indemnification from fraud, material misstatements in your financial statements, or control deficiencies.

Contact Information
Jeffrey T. Hare, CPA CISA CIA
- Cell: 970-324-1450
- Office: 970-785-6455
- Sales: Phil Reimann, preimann@erpra.net, 774-999-0527
- E-mail: jhare@erpra.net
- Websites: www.erpra.net, www.oubpb.com