Building an Audit Trail in an Oracle EBS Environment Presented by: Jeffrey T. Hare, CPA CISA CIA
Webinar Logistics Hide and unhide the Webinar control panel by clicking on the arrow icon at the top right of your screen. The small window icon toggles between windowed and full-screen mode. Ask questions throughout the presentation using the chat dialog. Questions will be reviewed and answered at the end of the presentation; I'll open the lines for interactive Q&A. During the presentation we will be conducting a number of polls; please take the time to respond to all those that are applicable. CPE will only be given to those who answer at least 3 of the 4 polls.
Presentation Agenda Overview: Introduction Audit Trail Overview Audit Trail Example Audit Trail Technologies What to Audit Upcoming Webinars Other Comments Wrap Up
Introductions Jeffrey T. Hare, CPA CISA CIA Founder of ERP Seminars and Oracle User Best Practices Board. Written various white papers on Internal Controls and Security Best Practices in an Oracle Applications environment. Frequent contributor to OAUG's Insight magazine. Experience includes Big 4 audit and 6 years in CFO/Controller roles, both as auditor and auditee. In the Oracle applications space since 1998, both as client and consultant. Founder of the Internal Controls Repository (public domain repository). Author of Oracle E-Business Suite Controls: Application Security Best Practices. Contributing author, Best Practices in Financial Risk Management. Published in ISACA's Control Journal (twice) and ACFE's Fraud Magazine.
Poll question: How are you identifying changes to application controls, security settings, and activity through SQL forms
Audit Trail Overview
Audit Trail Overview There is a disconnect between the application and database layers, so you need to be concerned about database access as well as application access. An audit trail is only kept where the application was built to keep one. There is no audit-all functionality for monitoring privileged users, and no detailed audit trail throughout the application. In some modules the history depends on how the user saved the row: in HR's DateTrack, for example, an Update creates a new dated record while a Correction overwrites the existing one. Example: changing a column value and later changing it back updates the Row Who columns but leaves the data looking untouched, so the Row Who information alone is confusing (see the Journal Sources example).
Audit Trail Example
Audit Trail Example Audit Trail deficiencies, Journal Sources example: screenshots of the Journal Sources form as initially set up, after the first change, and after the second change (images not reproduced; the values are tabulated on the next slide).
Audit Trail Example Journal Sources example data:
Field | Initial value | After first change | After second change
Value (checkbox) | Checked | Unchecked | Checked
Updated by | AUTOINSTALL | JTH9891 | JTH9891
Update date | 03-Jan-2007 21:52:09 | 25-Aug-2008 16:43:58 | 25-Aug-2008 16:45:31
The only thing we can tell from this is that JTH9891 made a change; we have no idea WHAT changed. The values as of the second change are the same as the initial values!
Audit Trail Technologies
Audit Trail Technologies Overview: Row Who / Alerts Sign On Audit Snapshot Log Triggers
Audit Trail Technologies Row Who / Alerts What is it: The standard Row Who columns on every application table: created by, creation date, last updated by, last update date. When is it useful: Monitoring things you don't expect to change (when one does, Row Who tells you who touched it and when). Identifying rows created or updated within an audit period. Transaction monitoring (high volume) and some continuous controls monitoring (CCM) requirements.
Audit Trail Technologies Row Who / Alerts Pros: Standard, embedded, no performance impact, no configuration. Alerts built on these columns can be proactive. Cons: Only contains the values as of that point in time (who and when, not what changed). Alerts don't store values, and therefore cannot themselves be audited.
Audit Trail Technologies Sign On Audit What is it: Profile option Sign-On:Audit Level set to Form. When is it useful: Tracking user logins and use of professional forms. Tracking logins of generic users such as SYSADMIN and job-scheduling users, whose activity should be limited by policy and procedure.
Audit Trail Technologies Sign On Audit Pros: Relatively little performance impact. Useful for comparing login activity to the activity users have logged, to hold them accountable against the policies and standards. Cons: Only tracks activity via professional forms (not OA Framework HTML pages), and doesn't tell you WHAT the user did, just that they accessed the form.
Audit Trail Technologies Snapshot What is it: Comparison of Row Who information and values between instances or between two points in time (e.g. production versus the 12/31 version). When is it useful: Identifying that something has changed that you wouldn't expect. When comparisons are pre-mapped, such as tools that compare objects between instances or versions. Application support, to identify a configuration change (i.e. what broke the process).
Audit Trail Technologies Snapshot Pros: Insignificant performance impact. Useful for comparing significant volumes of data. Useful for support purposes, comparing data across instances or points in time when processes are broken. Cons: Only tells you the delta between two points in time, so it can miss incremental changes made in between (a value changed and changed back shows no difference at all).
Audit Trail Technologies Logs What are they: Various sources of incremental change data: traffic captured flowing across the network, or technology inherent to the database such as the redo logs or the logs used for mirroring/replication. When are they useful: High-volume transaction tables.
Audit Trail Technologies Logs Pros: Insignificant performance impact on the audited system. Cons: Typically unable to map metadata, so important cross-reference information about the change (e.g. the name behind a changed ID) is not captured.
Audit Trail Technologies Triggers What are they: Core database technology, used by the standard System Administrator AuditTrail feature. Advanced software packages may allow metadata to be mapped, usually have a central repository for easier reporting and data management, and may allow alerting on the captured information. When are they useful: Setups (key control configurations), master data, security, development, SQL forms.
Audit Trail Technologies Triggers Pros: Allow for mapping of metadata. Inherent technology within the application. Capture detailed changes (before and after values) and, in most solutions, related metadata, providing an auditable system. Cons: Can have a performance impact if deployed on high-volume transaction tables, so the performance impact needs to be evaluated and considered when using them.
Audit Trail Technologies Metadata Mapping Examples: the fnd_responsibility, fnd_menus and fnd_menus_tl tables (screenshots not reproduced). The audited columns hold keys such as menu_id; metadata mapping resolves them to the names a reviewer recognises.
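As an added example that is not part of the presentation or of any product listed in it, the Python script below replays the two Journal Sources changes from the example slide and shows what Row Who, a snapshot comparison and a trigger-fed audit table each report afterwards, plus a metadata-mapping query that resolves an audited menu_id on a responsibility back to its user menu name. It uses SQLite so it runs anywhere (Oracle trigger syntax differs); the table and column names are cut down and only illustrative (the real GL_JE_SOURCES, FND_RESPONSIBILITY and FND_MENUS_TL carry many more columns), and the users, timestamps and menu names are constructed.

```python
import sqlite3

# Constructed, cut-down schema: the real EBS tables carry many more columns.
SCHEMA = """
CREATE TABLE gl_je_sources (
    je_source_name        TEXT PRIMARY KEY,
    journal_approval_flag TEXT NOT NULL,   -- 'Y' = Require Journal Approval checked
    last_updated_by       TEXT NOT NULL,   -- Row Who columns, written by the application
    last_update_date      TEXT NOT NULL
);
CREATE TABLE fnd_menus_tl (menu_id INTEGER PRIMARY KEY, user_menu_name TEXT NOT NULL);
CREATE TABLE fnd_responsibility (
    responsibility_id INTEGER PRIMARY KEY, menu_id INTEGER NOT NULL,
    last_updated_by TEXT NOT NULL, last_update_date TEXT NOT NULL
);
CREATE TABLE audit_log (                  -- central repository fed by the triggers
    audit_id    INTEGER PRIMARY KEY AUTOINCREMENT,
    table_name  TEXT, pk_value TEXT, column_name TEXT,
    old_value   TEXT, new_value TEXT, changed_by TEXT, changed_on TEXT
);
-- Trigger-based audit: keep before/after values, but only when the controlled column changes
CREATE TRIGGER gl_je_sources_au AFTER UPDATE OF journal_approval_flag ON gl_je_sources
WHEN OLD.journal_approval_flag IS NOT NEW.journal_approval_flag
BEGIN
    INSERT INTO audit_log (table_name, pk_value, column_name, old_value, new_value, changed_by, changed_on)
    VALUES ('GL_JE_SOURCES', NEW.je_source_name, 'JOURNAL_APPROVAL_FLAG',
            OLD.journal_approval_flag, NEW.journal_approval_flag,
            NEW.last_updated_by, NEW.last_update_date);
END;
CREATE TRIGGER fnd_responsibility_au AFTER UPDATE OF menu_id ON fnd_responsibility
WHEN OLD.menu_id IS NOT NEW.menu_id
BEGIN
    INSERT INTO audit_log (table_name, pk_value, column_name, old_value, new_value, changed_by, changed_on)
    VALUES ('FND_RESPONSIBILITY', NEW.responsibility_id, 'MENU_ID',
            OLD.menu_id, NEW.menu_id, NEW.last_updated_by, NEW.last_update_date);
END;
"""

def new_db():
    """Seed the sandbox with AUTOINSTALL baseline rows (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO gl_je_sources VALUES ('Manual', 'Y', 'AUTOINSTALL', '2007-01-03 21:52:09')")
    conn.executemany("INSERT INTO fnd_menus_tl VALUES (?, ?)", [(1, 'GL_SUPERUSER'), (2, 'GL_ENTRY_ONLY')])
    conn.execute("INSERT INTO fnd_responsibility VALUES (101, 2, 'AUTOINSTALL', '2007-01-03 21:52:09')")
    return conn

def row_who(conn):
    """What the Row Who columns alone say about the 'Manual' source: who and when, not what."""
    return conn.execute("SELECT journal_approval_flag, last_updated_by, last_update_date "
                        "FROM gl_je_sources WHERE je_source_name = 'Manual'").fetchone()

def snapshot(conn):
    """Point-in-time copy of the controlled values, as a snapshot tool would baseline them."""
    return dict(conn.execute("SELECT je_source_name, journal_approval_flag FROM gl_je_sources"))

def snapshot_diff(before, after):
    """Delta between two snapshots; anything changed and changed back in between is invisible."""
    return {k: (before.get(k), after.get(k))
            for k in before.keys() | after.keys() if before.get(k) != after.get(k)}

def audit_trail(conn, table_name):
    """Every captured change for a table, oldest first, with both old and new values."""
    return conn.execute("SELECT changed_by, old_value, new_value, changed_on FROM audit_log "
                        "WHERE table_name = ? ORDER BY audit_id", (table_name,)).fetchall()

def responsibility_menu_changes(conn):
    """Metadata mapping: resolve the audited MENU_ID keys to user menu names for the reviewer."""
    return conn.execute("""
        SELECT a.changed_by, o.user_menu_name AS old_menu, n.user_menu_name AS new_menu
        FROM audit_log a
        JOIN fnd_menus_tl o ON o.menu_id = CAST(a.old_value AS INTEGER)
        JOIN fnd_menus_tl n ON n.menu_id = CAST(a.new_value AS INTEGER)
        WHERE a.table_name = 'FND_RESPONSIBILITY' ORDER BY a.audit_id""").fetchall()

def replay_journal_sources_example():
    """Replay JTH9891's two changes from the slides (plus one menu reassignment) and report
    what each technology can see afterwards."""
    conn = new_db()
    baseline = snapshot(conn)
    form = ("UPDATE gl_je_sources SET journal_approval_flag = ?, last_updated_by = ?, "
            "last_update_date = ? WHERE je_source_name = 'Manual'")   # the form writes Row Who
    conn.execute(form, ('N', 'JTH9891', '2008-08-25 16:43:58'))         # uncheck the box
    conn.execute(form, ('Y', 'JTH9891', '2008-08-25 16:45:31'))         # check it again
    conn.execute("UPDATE fnd_responsibility SET menu_id = 1, last_updated_by = 'JTH9891', "
                 "last_update_date = '2008-08-25 16:50:12' WHERE responsibility_id = 101")
    return {
        "row_who": row_who(conn),                                  # values look untouched
        "snapshot_diff": snapshot_diff(baseline, snapshot(conn)),  # {}: toggle fell between the two points
        "trigger_audit": audit_trail(conn, 'GL_JE_SOURCES'),       # both Y->N and N->Y survive
        "mapped_responsibility_change": responsibility_menu_changes(conn),
    }

if __name__ == "__main__":
    for name, result in replay_journal_sources_example().items():
        print(f"{name}: {result}")
```

The WHEN clause on each trigger is deliberate: auditing only the controlled columns, and only when they actually change, is what keeps a trigger-based trail affordable on a busy table, and it is the reason a metadata-mapped repository can answer "what changed" when Row Who and a snapshot both report nothing.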
Poll 2: How are you baselining configurations and tracking changes related to automated controls?
Audit Trail: What to Audit
Audit Trail: What to Audit What to audit:
Category | Form / Function
Application Controls | Journal Sources (GL), Journal Authorization Limits (GL), Approval Groups (PO), Adjustment Approval Limits (AR), Receivables Activities (AR), OM Holds (OM), Line Types (PO), Document Types (PO), Approval Group Assignments (PO), Approval Group Hierarchies (PO), Tolerances, Item Master Setups, Item Categories
Affect Business Process | Profile Options, DFFs, KFFs, Value Set Changes
Development | Concurrent Programs, Executables, Functions, SQL forms, Objects
Security | Menus, Roles, Responsibilities, Request Groups, Security Profiles, SQL forms such as Dynamic Trigger Maintenance, Define Profile Options, Alerts, Collection Plans, etc. (see Metalink Note 189367.1 for more information on SQL forms)
Fraud Related | Suppliers, Remit-To Addresses, Locations, Bank Accounts
Audit Trail Technologies Software providers: Trigger-based: Absolute Technologies: Application Auditor CaoSys: CS*Audit (part of CS*Compliance) Greenlight Technologies: RESQ Oracle: Configuration Controls Governor; Audit Vault Log-based: Guardium, Lumigent Snapshot: Approva
Upcoming Webinars ERP Seminars TBD Absolute Technologies: 7 Oct, 2 p.m. EDT - Application Auditor http://www.absolutetech.com/services/webinar_signup_request_aa.phtml CaoSys: 6 Oct, 2 p.m. EDT CS*Compliance http://www.caosys.com/events.php
Other Comments
Poll 3: Will you require a CPE certificate for a professional designation such as CPA, CISA, CISM, or CIA?
Sample Risk Assessment Application Controls / SOD
Conflict: Enter Journals vs. Maintain Journal Sources
Risk Description: A user could override controls by changing the "Require Journal Approval" configuration, which is set in the Journal Sources form and determines which sources must go through the journal approval process. The same access could change "Freeze Journals" on a Journal Source, which could allow a user to delete or change a JE that came from a subledger. Either change could compromise the controls around the journal entry approval process, and so the integrity of the financial statements, and would be a control violation under SOX.
Typical Mitigating Controls: Do not allow those involved in the JE process to maintain Journal Sources; no user, including support users, should have access to both of these functions. Changes to Journal Sources should go through change management and be approved by appropriate personnel who have reviewed and understand the impact of the change on the journal entry process and its controls. Changes to Journal Sources should be audited at the system level via a log-based or trigger-based mechanism. A change management audit should be performed with a 100% sample size, with an independent auditor comparing the actual changes pulled from the system-level audit trail to the approvals in the change management documentation.
Sample Risk Assessment Application Control Configs
Conflict: Maintain Journal Authorization Limits
Risk Description: This access allows a user to define journal approval limits. The risk is unapproved changes to journal approval limits, resulting in posted journal entries that were not properly approved by management and overriding the defined controls. This could compromise the integrity of the financial statements and would be a control violation under SOX.
Typical Mitigating Controls: Changes to Journal Authorization Limits should go through change management and be approved by appropriate personnel who have reviewed and understand the impact of the change on the journal entry process and its controls. Changes to Journal Authorization Limits should be audited at the system level via a log-based or trigger-based mechanism. A change management audit should be performed with a 100% sample size, with an independent auditor comparing the actual changes pulled from the system-level audit trail to the approvals in the change management documentation.
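As an added example, not part of the presentation, the Python below implements the 100% change-management reconciliation the two risk assessments call for: every change pulled from a system-level audit trail must be covered by an approved change record for the same object and time window, and a record approved by the same person who made the change is flagged rather than accepted. The audit rows, tickets, table names, keys and user names are all constructed for illustration; a real run would read the audit repository and the change-management system instead of the inline samples.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class AuditRow:            # one line pulled from a trigger- or log-based audit trail
    table: str
    key: str
    column: str
    old: str
    new: str
    user: str
    when: datetime

@dataclass(frozen=True)
class ChangeTicket:        # one approved change record from the change management system
    ticket: str
    table: str
    key: str
    approved_by: str
    window_start: datetime
    window_end: datetime

def reconcile(audit_rows, tickets):
    """100% sample: classify every audited change as approved, self-approved or unapproved.
    A ticket only counts if it names the same object, its window covers the change time,
    and the approver is not the person who made the change (segregation of duties)."""
    findings = []
    for row in audit_rows:
        covering = [t for t in tickets
                    if t.table == row.table and t.key == row.key
                    and t.window_start <= row.when <= t.window_end]
        independent = [t for t in covering if t.approved_by != row.user]
        if independent:
            findings.append((row, "approved", independent[0].ticket))
        elif covering:
            findings.append((row, "self-approved", covering[0].ticket))
        else:
            findings.append((row, "unapproved", None))
    return findings

def exceptions(findings):
    """Rows an independent auditor has to follow up: everything not cleanly approved."""
    return [(r.table, r.key, r.column, r.old, r.new, r.user, status, ticket)
            for r, status, ticket in findings if status != "approved"]

def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

# Constructed sample data: the two Journal Sources toggles from the example slide plus two
# authorization-limit changes, one covered by an independent ticket and one self-approved.
SAMPLE_AUDIT = [
    AuditRow('GL_JE_SOURCES', 'Manual', 'JOURNAL_APPROVAL_FLAG', 'Y', 'N', 'JTH9891', ts('2008-08-25 16:43:58')),
    AuditRow('GL_JE_SOURCES', 'Manual', 'JOURNAL_APPROVAL_FLAG', 'N', 'Y', 'JTH9891', ts('2008-08-25 16:45:31')),
    AuditRow('GL_AUTHORIZATION_LIMITS', 'EMP-1042', 'AMOUNT', '10000', '50000', 'JTH9891', ts('2008-09-02 10:12:00')),
    AuditRow('GL_AUTHORIZATION_LIMITS', 'EMP-2210', 'AMOUNT', '5000', '25000', 'APPS_SUPPORT', ts('2008-09-03 09:00:00')),
]
SAMPLE_TICKETS = [
    ChangeTicket('CHG-4417', 'GL_AUTHORIZATION_LIMITS', 'EMP-1042', 'CONTROLLER',
                 ts('2008-09-02 09:00:00'), ts('2008-09-02 12:00:00')),
    ChangeTicket('CHG-4420', 'GL_AUTHORIZATION_LIMITS', 'EMP-2210', 'APPS_SUPPORT',
                 ts('2008-09-03 08:00:00'), ts('2008-09-03 10:00:00')),
]

if __name__ == "__main__":
    for item in exceptions(reconcile(SAMPLE_AUDIT, SAMPLE_TICKETS)):
        print(item)
```

Two of the four sample changes are the Journal Sources toggle from earlier in the deck; because the value ended up where it started, only a system-level trail (not Row Who or a snapshot) even produces rows for this reconciliation to test.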
Wrap Up
Oracle Apps Internal Controls Repository Internal Controls Repository Content: White papers such as Accessing the Database without Having a Database Login, Best Practices for Bank Account Entry and Assignment, Using a Risk Based Assessment for User Access Controls, and Internal Controls Best Practices for Oracle's Journal Approval Process. Oracle Apps internal controls deficiencies and common solutions. Mapping of sensitive data to the tables and columns. Identification of reports with access to sensitive data. Recommended minimum tables to audit. http://tech.groups.yahoo.com/group/oracleappsinternalcontrols/ Not affiliated with Oracle Corporation.
ERP Seminars Services Free one-hour consultation. On-site seminars (1-2 days) custom tailored to your company's needs, as well as various web-based seminars. RFP / RFI management for Oracle-related GRC software. SOD / UAC third-party software projects and remediation. Audit trail software projects. Controls review related to Oracle-related controls implementations and post-implementation. Level I and Level II assessment services; see http://www.erpseminars.com/services.html
Seminars Offered Seminars offered: Internal Controls and Application Security Best Practices in an Oracle e-business Suite Environment Application Security Design: Fundamentals Application Security Design: Advanced Concepts Implementing Oracle e-business Suite: Internal Controls Challenges Introduction to Oracle s User Management Module and Related Risks Auditing Oracle E-Business Suite: Application Security Monitoring Privileged Users in an Oracle E-Business Suite Environment Risk-Based Assessment of User Access Controls and Segregation of Duties for Companies Running Oracle E-Business Suite
About ERP Seminars Thought leadership, best practices. Aggregator of public domain content and best practices. A hands-on, Oracle Applications focused analyst firm, but not an analyst firm that only covers those who pay for coverage. NOT a consulting firm, although I do some limited consulting. Independent of any 3rd party software; attempts to cover all relevant solutions in the Oracle Apps controls automation space.
Q & A
Poll 4: I'd like to follow up this webinar with:
Contact Information Jeffrey T. Hare, CPA CISA CIA Cell: 970-324-1450 Office: 970-785-6455 E-mail: jhare@erpseminars.com Websites: www.erpseminars.com, www.oubpb.com Oracle Internal Controls and Security listserver (public domain listserver) at http://groups.yahoo.com/group/oraclesox Internal Controls Repository (end users only) http://tech.groups.yahoo.com/group/oracleappsinternalcontrols/
Best Practices Caveat The Best Practices cited in this presentation have not been validated with your external auditors, nor has there been any systematic study of industry practices to determine that they are in fact Best Practices for a representative sample of companies attempting to comply with the Sarbanes-Oxley Act of 2002 or the other corporate governance initiatives mentioned. The Best Practice examples given here should not substitute for accounting or legal advice for your organization and provide no indemnification from fraud, material misstatements in your financial statements, or control deficiencies.