Oracle E-Business Suite: SQL Forms Risks and Controls Presented by: Jeffrey T. Hare, CPA CISA CIA
Presentation Agenda Overview: Introductions Overall system risks Audit Trails Change Management Implementation Practices What are SQL forms? Risks related to SQL forms Use of SQL forms to manipulate data and commit fraud Two Scenarios Best Practices for monitoring activity in SQL forms Wrap Up
Introductions Jeffrey T. Hare, CPA CISA CIA. Founder of ERP Seminars and the Oracle User Best Practices Board. Author: solo book project Oracle E-Business Suite Controls: Application Security Best Practices; contributing author of Best Practices in Financial Risk Management; has written various white papers on internal controls and security best practices in an Oracle Applications environment; frequent contributor to OAUG's Insight magazine. Experience includes Big 4 audit and 6 years in CFO/Controller roles, both as auditor and auditee; in the Oracle applications space since 1998, both as client and consultant. Founder of the Internal Controls Repository (public domain repository).
Overall system risks Here are various risks of which you need to be aware to understand risks related to auditing application controls: Deficiencies regarding audit trails Deficiencies in Change Management practices Deficiencies in implementation practices
Overall System Risks Audit Trails: Disconnect between the application and database layers; you need to be concerned about database access as well as application access. An audit trail is only kept where the application was built to keep one. Lack of an "audit everything" capability for monitoring privileged users. Lack of a detailed audit trail throughout the application. Example: successive changes to columns in a row leave only the last updater and timestamp, so the standard WHO columns cannot show what actually changed (Journal Sources example).
Overall System Risks Audit Trails Audit Trail deficiencies, Journal Sources example (screenshots of the Journal Sources form: initial value, after the first change, after the second change).
Overall System Risks Audit Trails Journal Sources example data:

                 Initial value          After first change     After second change
Value            Checked                Unchecked              Checked
Updated by       AUTOINSTALL            JTH9891                JTH9891
Update date      03-Jan-2007 21:52:09   25-Aug-2008 16:43:58   25-Aug-2008 16:45:31

The only thing we can tell from this is that JTH9891 made a change, but we have no idea WHAT changed. The values as of the second change are the same as the initial values!
Overall System Risks Audit Trails For more on this topic, review the recorded webinar Building in an Audit Trail in an Oracle EBS Environment at http://www.erpseminars.com/webinaraccessform.html. Also, download chapter 6 of my book at http://www.erpseminars.com/files/chapter_6_developing_a_Proper_Audit_Trail2.pdf. Both links are available at www.erpseminars.com.
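To make the Journal Sources problem concrete, here is an added example (it is not from the presentation, the book or Oracle) of the trigger-based audit trail the deck recommends, written as an Oracle SQL/PL-SQL script. It uses a constructed stand-in table, xx_je_source_demo, with the same WHO columns as the slide; the table, column, sequence and trigger names are assumptions, and the approval_flag column stands in for whichever checkbox the slide's "Value" row represents. The replay uses the users and timestamps from the slide, and the final two queries contrast what the WHO columns can tell you with what the shadow table records.

```sql
-- Added example, not from the presentation. Constructed stand-in for a setup
-- row with Oracle-style WHO columns (names are assumptions).
CREATE TABLE xx_je_source_demo (
  je_source_name    VARCHAR2(25) PRIMARY KEY,
  approval_flag     VARCHAR2(1)  NOT NULL,   -- the "Value" checkbox on the slide (Y/N)
  last_updated_by   VARCHAR2(30) NOT NULL,   -- what the application writes; no history
  last_update_date  DATE         NOT NULL
);

-- Shadow table: one row per change, keeping OLD and NEW values plus the
-- database session that made the change, which WHO columns never record.
CREATE TABLE xx_je_source_demo_audit (
  audit_id           NUMBER        PRIMARY KEY,
  je_source_name     VARCHAR2(25),
  old_approval_flag  VARCHAR2(1),
  new_approval_flag  VARCHAR2(1),
  app_updated_by     VARCHAR2(30),   -- LAST_UPDATED_BY exactly as the application wrote it
  db_session_user    VARCHAR2(128),  -- e.g. APPS for a forms session, or a direct DB login
  db_os_user         VARCHAR2(128),  -- OS account behind the database session
  db_module          VARCHAR2(128),  -- e.g. a form short name, or 'SQL*Plus'
  changed_at         TIMESTAMP
);
CREATE SEQUENCE xx_je_source_demo_audit_s;

-- Row-level trigger: fires on every UPDATE of the flag whatever path made it
-- (regular form, SQL form, concurrent program, SQL*Plus) and logs real changes only.
CREATE OR REPLACE TRIGGER xx_je_source_demo_aud
  AFTER UPDATE OF approval_flag ON xx_je_source_demo
  FOR EACH ROW
  WHEN (OLD.approval_flag <> NEW.approval_flag)
BEGIN
  INSERT INTO xx_je_source_demo_audit
    (audit_id, je_source_name, old_approval_flag, new_approval_flag,
     app_updated_by, db_session_user, db_os_user, db_module, changed_at)
  VALUES
    (xx_je_source_demo_audit_s.NEXTVAL, :NEW.je_source_name,
     :OLD.approval_flag, :NEW.approval_flag, :NEW.last_updated_by,
     SYS_CONTEXT('USERENV', 'SESSION_USER'),
     SYS_CONTEXT('USERENV', 'OS_USER'),
     SYS_CONTEXT('USERENV', 'MODULE'),
     SYSTIMESTAMP);
END;
/

-- Replay the slide: the seeded row, then JTH9891's two changes two minutes apart.
INSERT INTO xx_je_source_demo VALUES
  ('Manual', 'Y', 'AUTOINSTALL', TO_DATE('2007-01-03 21:52:09', 'YYYY-MM-DD HH24:MI:SS'));
UPDATE xx_je_source_demo
   SET approval_flag = 'N', last_updated_by = 'JTH9891',
       last_update_date = TO_DATE('2008-08-25 16:43:58', 'YYYY-MM-DD HH24:MI:SS')
 WHERE je_source_name = 'Manual';
UPDATE xx_je_source_demo
   SET approval_flag = 'Y', last_updated_by = 'JTH9891',
       last_update_date = TO_DATE('2008-08-25 16:45:31', 'YYYY-MM-DD HH24:MI:SS')
 WHERE je_source_name = 'Manual';
COMMIT;

-- What the WHO columns show: JTH9891 touched the row, and the flag equals its
-- original value, so the change itself is invisible.
SELECT je_source_name, approval_flag, last_updated_by, last_update_date
  FROM xx_je_source_demo;

-- What the shadow table shows: Y -> N, then N -> Y, each with the session that did it.
SELECT audit_id, old_approval_flag, new_approval_flag, app_updated_by,
       db_session_user, db_module, changed_at
  FROM xx_je_source_demo_audit
 ORDER BY audit_id;
```

Two caveats when carrying this over to a real E-Business Suite table. First, the application stores LAST_UPDATED_BY as the numeric FND_USER.USER_ID (the form resolves it to the name shown on the slide), so resolve it through FND_USER, or record FND_GLOBAL.USER_ID from the trigger when it runs inside the APPS schema; and because every forms session connects as APPS, db_session_user will read APPS for application changes, which is why the module and the application user are the useful attribution fields. Second, a trigger is only as trustworthy as the control over who can disable or drop it, so the enabled status of audit triggers (DBA_TRIGGERS) belongs in the same monitoring.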
Overall System Risks Change Management: What is the purpose of Change Management: to protect the system, or to protect the process? Are system configurations relevant to the design and performance of the business process? Would you let a developer change the code related to a process without going through your change management process? Would you give your developers access to the APPS password in Prod?
Overall System Risks Change Management Some common Change Management challenges for companies running Oracle EBS: defining change management too narrowly, as IT changes only; failure to develop non-IT executive ownership of the change management process; failure to properly identify the setup forms that impact their business processes and key controls; failure to develop the audit trail needed to test for unauthorized changes and to show auditors evidence regarding key controls; failure to design security using the principle of least privilege; failure to address the risks related to forms that allow SQL statements to be embedded in them.
Poll 1 Which of these represents my organization's change management maturity (check all that apply): All key control configurations go through the CM process; All SQL forms activity goes through the CM process; A trigger/log-based audit trail has been created for all activity in the CM process; We regularly reconcile system-level activity to CM approvals; None of these apply.
SQL Forms Survey: Are you aware of the risks related to SQL Forms?
I was not aware of the risk: 32.6%
I have read about SQL forms, but didn't/don't understand the risks: 13.0%
My company is aware of the risks, but has chosen not to address them: 4.3%
My company is aware of the risks, but feels monitoring software is too expensive: 10.8%
My company has put in a third-party trigger- or log-based solution to monitor them: 4.3%
My company uses Oracle's Sys Admin audit trail to monitor the activity: 4.3%
My company requires all SQL form activity to go through IT Change Management: 21.7%
My company reconciles actual activity to our Change Management approvals: 0.0%
Other: 8.6%
SQL Forms Survey: How long have you been live on Oracle?
We are not yet live with the system: 5.1%
We have been live less than 1 year: 2.5%
We have been live 2-4 years: 20.5%
We have been live 5 or more years: 64.1%
Other: 2.5%
No responses: 5.1%
SQL Forms Survey: Number of Oracle users (buckets: 1-50, 51-250, 251-1000, 1001-2500, 2501-5000, over 5000). The chart percentages survive only as 3%, 5%, 11%, 13%, 27% and 41%; the extracted chart does not preserve which percentage belongs to which bucket.
What are SQL Forms? Forms that accept SQL statements. Metalink Note 189367.1 (Best Practices for Securing E-Business Suite) says: "LIMIT ACCESS TO FORMS ALLOWING SQL ENTRY. To improve flexibility, some forms allow users to enter SQL statements. Unfortunately, this feature may be abused. Appendix B: Security Setup Forms That Accept SQL Statement on page 49 contains a list of Forms that allow the user to edit code, add code or otherwise affect executable code. Restrict access to these forms by assigning the responsibility to a small group of users. Consider auditing the database tables listed in the appendix."
What are SQL Forms? Examples of SQL Forms: Define Concurrent Program, Define Concurrent Program Executable, Define User Profile Option, Applications, Define Data Group, Register Oracle IDs, Attribute Mapping Details, Define Data Stream, Custom Stream Advanced Setup, Audit Statements, Define Dynamic Resource Groups, Business Rule Workbench, Define Validation Templates, Defaulting Rules, Foundation Objects, Spreadtable Metadata, Administration, SpreadTable Diagnostics Form, JTFGANTT, Define WMS Rules, Define Pricing Formulas, Attribute Mapping, Workflow Process Configuration Framework, Workflow Activity Approval, Configuration Framework, PL/SQL tester, Write Formula, Define Function, Create QuickPaint Inquiry, Define Assignment Set, Dynamic Trigger Maintenance, Define Security Profile, Define Descriptive Flexfield Segments, Define Value Set, QA - Collection Plan Workbench. Some of these are not documented in the Oracle Metalink note. The original list was developed by Integrigy; excerpts of documents [IntA, IntB] are reproduced with permission from Integrigy Corporation (page ii).
Risks Related to SQL Forms: execution of arbitrary SQL statements (INSERT, UPDATE, DELETE, SELECT) as well as database structure commands (DROP, TRUNCATE, ALTER, CREATE, etc.) and OS scripts, leading to fraud, data theft, takeover of powerful accounts such as SYSADMIN, circumvention of policies such as change management, internal control deficiencies, additional audit fees, etc.
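Before restricting access to these forms you need to know who currently has it. The query below is an added example (not from the presentation, Integrigy or Oracle) that answers that question from the standard FND tables and views of the applications schema: it takes a subset of the user-visible form names from the list above, finds the functions that open those forms, walks every active responsibility's menu tree down to its leaf functions, applies function-level menu exclusions, and joins to the users holding each responsibility. The form names in the IN list are an assumption to be extended and checked against FND_FORM_VL.USER_FORM_NAME for your release.

```sql
-- Added example, not from the presentation. Who can reach SQL-entry forms,
-- by responsibility and user. Run as APPS (or a user with SELECT on FND objects).
WITH sql_forms AS (
  -- the forms of interest, matched on the user-visible name (subset; extend as needed)
  SELECT form_id, form_name, user_form_name
    FROM fnd_form_vl
   WHERE user_form_name IN ('Define Concurrent Program',
                            'Define Concurrent Program Executable',
                            'Define User Profile Option',
                            'Define Value Set',
                            'Define Descriptive Flexfield Segments',
                            'PL/SQL tester',
                            'Audit Statements')
),
resp_functions AS (
  -- every leaf function reachable from each active responsibility's root menu
  SELECT r.responsibility_id, r.application_id, r.responsibility_name, me.function_id
    FROM fnd_responsibility_vl r
    JOIN (SELECT CONNECT_BY_ROOT menu_id AS root_menu_id, function_id
            FROM fnd_menu_entries
           WHERE function_id IS NOT NULL          -- applied after the tree is built
           START WITH menu_id IN (SELECT menu_id FROM fnd_responsibility)
         CONNECT BY NOCYCLE PRIOR sub_menu_id = menu_id) me
      ON me.root_menu_id = r.menu_id
   WHERE (r.end_date IS NULL OR r.end_date > SYSDATE)
)
SELECT u.user_name,
       rf.responsibility_name,
       sf.user_form_name,
       ff.function_name
  FROM resp_functions rf
  JOIN fnd_form_functions ff   ON ff.function_id = rf.function_id
  JOIN sql_forms          sf   ON sf.form_id     = ff.form_id
  JOIN fnd_user_resp_groups urg
    ON urg.responsibility_id             = rf.responsibility_id
   AND urg.responsibility_application_id = rf.application_id
   AND (urg.end_date IS NULL OR urg.end_date > SYSDATE)
  JOIN fnd_user u
    ON u.user_id = urg.user_id
   AND (u.end_date IS NULL OR u.end_date > SYSDATE)
 WHERE NOT EXISTS (                                  -- function-level menu exclusions
         SELECT 1
           FROM fnd_resp_functions x
          WHERE x.responsibility_id = rf.responsibility_id
            AND x.application_id    = rf.application_id
            AND x.rule_type         = 'F'
            AND x.action_id         = rf.function_id)
 ORDER BY u.user_name, rf.responsibility_name, sf.user_form_name;
```

Two caveats. Menu-level exclusions (FND_RESP_FUNCTIONS.RULE_TYPE = 'M') are not applied here, so the list over-reports rather than under-reports, which is the safer direction for an access review; and none of this covers anyone who holds the APPS or another database password, since direct database access bypasses the forms entirely (the application/database disconnect noted earlier).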
Poll 2 Question: The following represents my understanding of SQL forms prior to this webinar (check all that apply): I was fully aware of the risks related to SQL Forms; I was not aware that SQL and OS scripts could be executed using these forms; I was not aware of the number of forms with these risks; I didn't know anything about SQL Forms; Other.
Examples Using SQL Forms Scenarios Fraudulent bank account updates for the purpose of misdirecting payments to a valid supplier Reset of SYSADMIN login for the purpose of unapproved access and system updates
Examples Using SQL Forms Scenario 1: Change Bank Account (screenshots: the supplier bank account before the alert, the alert being fired, and the bank account after the alert).
Examples Using SQL Forms Scenario 2: Reset the SYSADMIN password (an account that often has powerful access) (screenshots of the collection plan setup).
Examples Using SQL Forms Once a collection plan is created, you need only define the action condition that triggers your action and then pick the method of execution. The top half of the form sets the condition for the trigger; the bottom half defines the action.
Examples Using SQL Forms (screenshot) The UPDATE statement, entered as the action, that resets the SYSADMIN password.
Examples Using SQL Forms (screenshot) Entering results that satisfy the condition and fire the trigger.
Examples Using SQL Forms When the trigger condition is entered and saved, a periodic alert is run. This is really the only indicator that something has been done. The alert action itself is not traceable within the application, since we can delete the collection plan and with it remove any application-level audit trail.
Poll 3 Question: Which of these represents the maturity of my organization regarding SQL forms (check all that apply): We are limiting access to known / relevant SQL forms; We are limiting access to all SQL forms; All activity regarding SQL forms goes through CM; We are monitoring activity via a log/trigger-based solution; We are reconciling actual activity to approved activity; Other.
Best Practices for monitoring activity in SQL forms. For forms that accept SQL statements: access should be tightly restricted to just the users management has approved for it (a SaaS service was suggested for finding out who has access to all SQL forms); all activity in the forms should go through your change management process; all code entered through the forms should be subject to peer review before it is entered; all activity within the forms should be audited using a trigger- or log-based solution; all activity should be reconciled back to approved activity; and for unauthorized changes, appropriate action must be taken to plug the holes.
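The reconciliation step above is the one the survey showed nobody doing, so here it is as an added example (not from the presentation) in Oracle SQL. It matches rows from a trigger- or log-based audit table against change-management approvals on object, person and approved time window, and reports two exception lists: audited changes with no covering approval, and approvals that were never exercised. Both tables, their names (xx_sqlform_audit, xx_cm_approval) and all sample rows are constructed for the illustration; the audit side would be populated by the trigger- or log-based solution the slide calls for, which is also what survives the deleted collection plan in scenario 2.

```sql
-- Added example, not from the presentation. All tables and rows are constructed.
-- One row per change captured by a trigger/log-based audit of a SQL-form object.
CREATE TABLE xx_sqlform_audit (
  audit_id     NUMBER        PRIMARY KEY,
  object_type  VARCHAR2(30)  NOT NULL,   -- e.g. 'CONCURRENT_PROGRAM', 'ALERT_ACTION'
  object_name  VARCHAR2(80)  NOT NULL,
  changed_by   VARCHAR2(30)  NOT NULL,   -- application user resolved from LAST_UPDATED_BY
  changed_at   TIMESTAMP     NOT NULL,
  db_module    VARCHAR2(128)             -- SYS_CONTEXT('USERENV','MODULE') at the time
);

-- Change-management approvals: who may change what, and during which window.
CREATE TABLE xx_cm_approval (
  ticket_id     VARCHAR2(20) PRIMARY KEY,
  object_type   VARCHAR2(30) NOT NULL,
  object_name   VARCHAR2(80) NOT NULL,
  approved_for  VARCHAR2(30) NOT NULL,   -- the user authorised to make the change
  window_start  TIMESTAMP    NOT NULL,
  window_end    TIMESTAMP    NOT NULL
);

-- Constructed sample data (module values are illustrative). Change 1 is covered by
-- CM-1001; change 2 has no ticket and came from SQL*Plus; change 3 was made after
-- its approved window closed; change 4 was made by a user the ticket does not name.
INSERT INTO xx_sqlform_audit VALUES (1, 'CONCURRENT_PROGRAM', 'XX_AP_PAYMENT_EXTRACT',
  'JTH9891',  TIMESTAMP '2008-08-25 16:43:58', 'FNDCPMCP');
INSERT INTO xx_sqlform_audit VALUES (2, 'ALERT_ACTION', 'XX_QA_PLAN_ACTION',
  'JTH9891',  TIMESTAMP '2008-08-26 09:12:40', 'SQL*Plus');
INSERT INTO xx_sqlform_audit VALUES (3, 'PROFILE_OPTION', 'XX_CUSTOM_PROFILE',
  'AMILLER',  TIMESTAMP '2008-08-27 22:05:10', 'FNDPOMPO');
INSERT INTO xx_sqlform_audit VALUES (4, 'CONCURRENT_PROGRAM', 'XX_AP_PAYMENT_EXTRACT',
  'SYSADMIN', TIMESTAMP '2008-08-25 16:50:00', 'FNDCPMCP');

INSERT INTO xx_cm_approval VALUES ('CM-1001', 'CONCURRENT_PROGRAM', 'XX_AP_PAYMENT_EXTRACT',
  'JTH9891', TIMESTAMP '2008-08-25 16:00:00', TIMESTAMP '2008-08-25 18:00:00');
INSERT INTO xx_cm_approval VALUES ('CM-1002', 'PROFILE_OPTION', 'XX_CUSTOM_PROFILE',
  'AMILLER', TIMESTAMP '2008-08-27 08:00:00', TIMESTAMP '2008-08-27 17:00:00');
INSERT INTO xx_cm_approval VALUES ('CM-1003', 'ALERT_ACTION', 'XX_AR_DUNNING_ALERT',
  'JTH9891', TIMESTAMP '2008-08-28 08:00:00', TIMESTAMP '2008-08-28 17:00:00');
COMMIT;

-- Exception list 1: audited changes with no approval covering object, user and time.
-- Expected: audit_id 2 (no ticket), 3 (outside window), 4 (ticket not for this user).
SELECT a.audit_id, a.object_type, a.object_name, a.changed_by, a.changed_at, a.db_module,
       CASE
         WHEN NOT EXISTS (SELECT 1 FROM xx_cm_approval c
                           WHERE c.object_type = a.object_type
                             AND c.object_name = a.object_name)
           THEN 'no ticket for this object'
         WHEN NOT EXISTS (SELECT 1 FROM xx_cm_approval c
                           WHERE c.object_type  = a.object_type
                             AND c.object_name  = a.object_name
                             AND c.approved_for = a.changed_by)
           THEN 'ticket exists but not for this user'
         ELSE 'ticket exists but change is outside the approved window'
       END AS exception_reason
  FROM xx_sqlform_audit a
 WHERE NOT EXISTS (SELECT 1 FROM xx_cm_approval c
                    WHERE c.object_type  = a.object_type
                      AND c.object_name  = a.object_name
                      AND c.approved_for = a.changed_by
                      AND a.changed_at BETWEEN c.window_start AND c.window_end)
 ORDER BY a.changed_at;

-- Exception list 2: approvals never exercised (the change was not made, was made
-- by someone else, or was made outside the window). Expected: CM-1002, CM-1003.
SELECT c.ticket_id, c.object_name, c.approved_for, c.window_start, c.window_end
  FROM xx_cm_approval c
 WHERE NOT EXISTS (SELECT 1 FROM xx_sqlform_audit a
                    WHERE a.object_type  = c.object_type
                      AND a.object_name  = c.object_name
                      AND a.changed_by   = c.approved_for
                      AND a.changed_at BETWEEN c.window_start AND c.window_end)
 ORDER BY c.ticket_id;
```

The second list matters as much as the first: an approval with no matching activity either means the work was never done, or that it was done under a different identity or outside the window, both of which the first list will have flagged from the other side. The db_module column is kept in the exception output deliberately, because a change to a SQL-form object arriving from SQL*Plus rather than from a form is itself a finding.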
Special Thanks Special Thanks to: Daryl Geryol, Practice Director - GRC Services, KBACE dgeryol@kbace.com www.kbace.com Office (262) 649-2916 Cell (847) 858-3809
Q & A
Poll 4 Question: Do you require any follow-up from today's webinar? I need a CPE certificate; I'd like to set up a follow-up call with Jeffrey; I'd like to understand available monitoring tools; I'd like copies of the slides; None necessary.
Oracle Apps Internal Controls Repository Content: white papers such as Accessing the Database without having a Database Login, Best Practices for Bank Account Entry and Assignment, Using a Risk Based Assessment for User Access Controls, and Internal Controls Best Practices for Oracle's Journal Approval Process; Oracle Apps internal controls deficiencies and common solutions; mapping of sensitive data to the tables and columns; identification of reports with access to sensitive data; recommended minimum tables to audit. http://tech.groups.yahoo.com/group/oracleappsinternalcontrols/ (not affiliated with Oracle Corporation).
ERP Seminars Services Free one-hour consultation Risk advisory services On-site seminars (1-2 days) custom tailored to your company s needs Various web-based seminars SOD / UAC Third Party software project management SOD / UAC remediation prioritization Controls review related to Oracle-related controls implementations and post-implementation
Seminars Offered and Planned Seminars offered: Internal Controls and Application Security Best Practices in an Oracle e-business Suite Environment Application Security Design: Fundamentals Implementing Oracle e-business Suite: Internal Controls Challenges Introduction to Oracle s User Management Module and Related Risks Auditing Oracle E-Business Suite: Application Security Monitoring Privileged Users in an Oracle E-Business Suite Environment Risk-Based Assessment of User Access Controls and Segregation of Duties for Companies Running Oracle E-Business Suite See: http://www.erpseminars.com/seminars.html
Contact Information Jeffrey T. Hare, CPA CISA CIA. Cell: 970-324-1450. Office: 970-785-6455. E-mail: jhare@erpseminars.com. Websites: www.erpseminars.com, www.oubpb.com. Oracle Internal Controls and Security listserver (public domain listserver) at http://groups.yahoo.com/group/oraclesox. Internal Controls Repository (end users only): http://tech.groups.yahoo.com/group/oracleappsinternalcontrols/. Skype: jhareaz
Best Practices Caveat The Best Practices cited in this presentation have not been validated with your external auditors, nor has there been any systematic study of industry practices to determine that they are in fact Best Practices for a representative sample of companies attempting to comply with the Sarbanes-Oxley Act of 2002 or the other corporate governance initiatives mentioned. The Best Practice examples given here should not substitute for accounting or legal advice for your organization and provide no indemnification from fraud, material misstatements in your financial statements, or control deficiencies.