"Give me a lever long enough and a fulcrum on which to place it, and I shall move the world." - Archimedes

Is Oracle ERP in Scope for 2014 Audit Plan? Learn, from our client case studies, effective ways to assess ERP Controls.

A Leader in Risk Based Enterprise Controls Management Solutions: Risk and Compliance, Financial Reporting, Internal Audit, Controls Catalog, Application Security, Advanced Analytics.

Webinar, January 28th, 2014. Adil Khan, Managing Director. Leverage Technology: Move Your Business Forward. Copyright Fulcrum Information Technology, Inc.
Agenda: Is Oracle ERP in Scope for 2014 Audit Plan?
1. Introductions
2. ERP Control Assessment Approach
3. 2014 ERP Controls in Scope for Audit
4. Audit Findings and Remediation
5. Oracle Advanced Controls Case Study
Page 2
FulcrumWay: A Leader in Risk Based Controls Management

FulcrumWay is the #1 end-to-end provider of Risk Based Enterprise Controls Management Solutions for Oracle EBS, PeopleSoft and JDE customers, with over 200 Fortune-500 to middle-market clients. Since 2003, we have successfully assisted companies across all major industry segments.

Expertise: Risk Advisory Services. Advanced Controls Design for Enterprise Applications. Best Practices for Risk Mitigation and Internal Controls Automation. Audit, Compliance, Financial, Enterprise and Operational Risk Assessments. Risk Remediation Services.

Packaged Solutions: FulcrumWay is the #1 choice of Oracle customers for Oracle GRC Advanced Controls, GRC Manager, and GRC Intelligence/OBIEE software implementation. Oracle has certified us as the only partner with Accelerators for Oracle GRC. We also provide Managed Services.

Software Services: Risk Assessment for ERP systems, Control Design and Management Tools, Controls Catalog, Enterprise Risk Manager, Financial Reporting Manager, Audit Manager.

USA Presence: Privately held Delaware corporation with US offices in New York City, Dallas and San Francisco.
International Presence: Auckland, Chennai, Johannesburg, London, Mexico City.
Successful Track Record: FulcrumWay clients by industry: Government, Oil and Gas, Financial Services, Retail, Communications, Manufacturing, Transportation, Natural Resources, Media/Entertainment, Healthcare, High Tech, Life Sciences.
Proven Expertise: FulcrumWay Insight and Thought Leadership
- Co-Authored GRC Book: first book on GRC for Oracle Applications
- Webcasts: GRC Best Practices, Trends and Expert Insight, February 19th
- Executive Round Table: GRC Advanced Controls Luncheon, Los Angeles, February 21st
- Executive Round Table, March 13th, Chicago: GRC Case Studies and Best Practices
- Collaborate 14 GRC Client Appreciation Dinner, April 9th, 2014, Las Vegas
- Oracle Open World Annual GRC Dinner, September 23rd, 2014, W Hotel San Francisco
- LinkedIn: FulcrumWay Risk, Compliance and Audit Software Group
- YouTube Podcasts: FulcrumWay Instant Insight in 10 min or less
ERP Controls: Why include ERP Controls in Audit?

The U.S. Public Company Accounting Oversight Board's (PCAOB) standard "An Audit of Internal Control Over Financial Reporting That is Integrated with An Audit of Financial Statements" states that benchmarking of application controls can be used because these controls are generally not subject to breakdowns due to human failure. If the general controls used to monitor program changes, access to programs, and computer operations are effective and continue to be tested on a regular basis, the auditor can conclude that the application control is effective without having to repeat the previous year's control test. This is especially true if the auditor verifies that the application control has not changed since the auditor last tested it.
What are ERP Application Controls?

Inputs: System Control Documents, Business Policies, ERP Configurations, User Inputs, External Interfaces (Web Services).
Control Points: Data Input Validation, Posting, Processing, Output, Data Storage, Audit Logs, Data Archives.
Outputs go to the Board of Directors, Stockholders and Banks.

Control objectives at each point:
- Input: input data is accurate, complete, authorized, and correct.
- Processing: data is processed as intended in an acceptable time period.
- Storage: data stored is accurate and complete.
- Output: outputs are accurate and complete.
- Audit trail: a record is maintained to track the process of data from input to storage and to the eventual output.
Assessment Approach: Top Down, Risk Based Approach to Application Controls
- What are the enterprise-wide risks that need to be assessed?
- Which business processes are impacted by these risks?
- Which ERP apps are used to perform these processes?
- Where (business locations) are the processes performed?
- What application functions control the processes?
ERP Scope: Application Risk Factors (apps considered: INV, PR, HR, AP, FA, PO, GL, OM, AR)

App | Primary Process Enabler | Financial/Sensitive Data | Custom Code | Freq. of Changes | Audit Logs | Risk Rating
GL  | 8 | 9 | 5 | 9 | 8 | 34
AP  | 7 | 7 | 6 | 8 | 9 | 32
AR  | 7 | 7 | 9 | 9 | 7 | 39
FA  | 5 | 5 | 5 | 5 | 5 | 25
PO  | 5 | 5 | 4 | 6 | 4 | 24

Risk scale: highest 10. Risk threshold: over 30. Apps above the threshold (AP, AR, GL) are in scope.
ERP Scope: Access Controls (FulcrumWay Controls Catalog)

Access Control | Risk Description | Process | ERP App | Risk Type | Risk Rating
Enter Journal and Post Journal | Can cause frauds or errors resulting in over- or under-stated financial statements | R2R | GL | Fin | High
Create Suppliers and Create Invoices - R12 | Can lead to an overstatement of liabilities if fictitious suppliers are created and invoiced | P2P | AP | Fin | High
Create Customer and Create Sales Order - R12 | Can lead to an overstatement of revenues | O2C | AR | Fin | High
ERP Scope: Configuration Controls (FulcrumWay Controls Catalog)

Configuration Control | Risk Description | Process | ERP App | Risk Type | Risk Rating
Journal Authorization Limits | Authorization limits for employees | R2R | GL | Fin | High
Payment Adjustment Controls | Adjustments made to invoice distributions after payment is issued can cause errors in reconciliation | P2P | AP | Fin | High
Define Credit Usage Rules | In Credit Management, credit usage rule sets ensure that all transactions for the specified currencies are converted to the credit... | O2C | AR | Fin | High
ERP Scope: ERP Transaction Controls (FulcrumWay Controls Catalog)

Transaction Control | Risk Description | Process | ERP App | Risk Type | Risk Rating
Exchange Rates | Identify transactions after the fact: monitoring of manual inputs of system exchange rates that are more than +/- 10% | R2R | GL | Fin | High
AP Invoice Over PO | Invoice payments in excess of PO / user invoice approval limit | P2P | AP | Fin | High
AR Invoices Over Threshold | Control monitor returns a record of each customer invoice that is valued in excess of a specified threshold | O2C | AR | Fin | High
ERP Scope: ERP Control Methods by risk level (vertical axis IMPACT, low to high; horizontal axis PROBABILITY, low to high)

            | Low Probability        | High Probability
High Impact | Medium Risk: Mitigate  | High Risk: Remediate & Prevent
Low Impact  | Low Risk: Accept       | Medium Risk: Monitor Controls
ERP Scope: ERP Preventive Controls
Findings / Remediation: ERP Audit Findings and Remediation

Process steps: Scope Application Controls; Manage Exceptions; Setup Mitigating Controls; Assess Risk; Establish Test Environment; Detect Violations; Analyze Issues; Remediate Issues; Implement Corrective Actions; Monitor Application Environment.
Inputs, tools and participants: Sample ERP Data; Application Controls Manager; FulcrumWay DataProbe; IT/Business Control Teams; Application Security Administrator.
Findings: Access Controls Violations

Security objects shown in the finding: User John Doe; Roles "Purchasing User" and "Invoice Manager"; Menu CREATE_PMTS; Permission List "Invoices"; Component INVOICES-GBL; Panel Group; Pages PAYMENT_ACTION_IC and TD_INVOICES; Authorized Actions; Row Security Class; Locked User.
Classification of a reported conflict: Inherent SOD (the granted access itself supplies both sides of the conflict) versus False Positive Conflict (for example, a locked user, or a row security class or authorized actions that limit what the access can actually do).
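The finding above hinges on three classifications: a conflict that is inherent in a single role, one that arises only from combining roles, and a reported conflict that is a false positive because the user is locked or the page is display-only. The following is an added example, not code from the deck or from FulcrumWay, that walks role, permission list, page and authorized-action data to make those distinctions. The object names (roles, user, menu, permission list, pages) are the ones on the slide; which role grants which page, the extra roles "AP Payments" and "AP Inquiry", the other users, and the write-action set are constructed assumptions.

```python
"""Segregation-of-duties analysis over role/permission data (added example)."""
from dataclasses import dataclass

# Constructed sample data: role -> permission list -> {page: authorized actions}.
# Names come from the slide; the mapping between them is an assumption.
ROLE_PERMISSIONS = {
    "Purchasing User": {
        "CREATE_PMTS": {"PAYMENT_ACTION_IC": {"Add", "Update"}},
        "Invoices": {"TD_INVOICES": {"Add", "Update"}},
    },
    "Invoice Manager": {"Invoices": {"TD_INVOICES": {"Add", "Update"}}},
    "AP Payments": {"CREATE_PMTS": {"PAYMENT_ACTION_IC": {"Add", "Update"}}},  # assumed
    "AP Inquiry": {"CREATE_PMTS": {"PAYMENT_ACTION_IC": {"Display"}}},        # assumed, read-only
}
USERS = {  # constructed user-to-role assignments and lock status
    "John Doe": {"roles": {"Purchasing User"}, "locked": False},
    "Jane Roe": {"roles": {"Invoice Manager", "AP Payments"}, "locked": False},
    "Old Acct": {"roles": {"Invoice Manager", "AP Payments"}, "locked": True},
    "Sam Poe": {"roles": {"Invoice Manager", "AP Inquiry"}, "locked": False},
}
# Only actions that change data count towards a conflict; display-only access does not.
WRITE_ACTIONS = {"Add", "Update", "Correct"}
# Conflict rule: creating invoices and issuing payments must not sit with one user.
SOD_RULES = [("TD_INVOICES", "PAYMENT_ACTION_IC", "Create invoice + issue payment")]


@dataclass(frozen=True)
class Finding:
    user: str
    rule: str
    kind: str     # "inherent", "cross-role" or "false-positive-locked"
    roles: tuple  # roles that together supply both sides of the conflict


def writable_pages(role):
    """Pages a role can change, flattened across its permission lists."""
    pages = set()
    for perm_list in ROLE_PERMISSIONS[role].values():
        pages.update(p for p, actions in perm_list.items() if actions & WRITE_ACTIONS)
    return pages


def inherent_sod_roles(roles=ROLE_PERMISSIONS, rules=SOD_RULES):
    """Roles that violate a rule on their own: these need a role redesign, not a per-user fix."""
    return {role for role in roles for a, b, _ in rules if {a, b} <= writable_pages(role)}


def analyze(users=USERS, rules=SOD_RULES):
    """Classify each user's conflicts; locked users are reported but flagged as false positives."""
    findings = []
    for user, info in users.items():
        for a, b, name in rules:
            has_a = {r for r in info["roles"] if a in writable_pages(r)}
            has_b = {r for r in info["roles"] if b in writable_pages(r)}
            if not (has_a and has_b):
                continue
            if info["locked"]:
                kind = "false-positive-locked"
            elif has_a & has_b:          # one role alone grants both sides
                kind = "inherent"
            else:
                kind = "cross-role"
            findings.append(Finding(user, name, kind, tuple(sorted(has_a | has_b))))
    return findings


if __name__ == "__main__":
    for f in analyze():
        print(f"{f.user:10} {f.kind:22} via {', '.join(f.roles)}")
    print("roles needing redesign:", inherent_sod_roles())
```

Sam Poe holds a payment page only through the display-only "AP Inquiry" role, so no conflict is raised for him; that is the authorized-actions check that keeps such a pairing from being reported as a violation. "Purchasing User" is returned as an inherently conflicting role, which points remediation at the role definition rather than at John Doe alone.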
Findings: Oracle Procure-to-Pay Control Points

Process flow: Requisition -> Purchase Goods / Services -> Receive Goods / Services -> Invoice -> Issue Payments -> Settlement (Banks, Payment Processors, SWIFTNet).
Surrounding elements: Spend Categories (Indirect & MRO, Direct Materials, Services), Strategic Sourcing & Contract Management, Corporate Performance Management, Supplier Collaboration, Collaboration, Business Process Models, Service Oriented Architecture.

Control questions by stage:

Supplier master:
- Are there inappropriate associations between a vendor and an employee?
- Do you have duplicate suppliers?
- Are your vendors compliant with trade regulations?
- Are the vendors blacklisted?
- Are there frequent changes to supplier information?
- Are you missing critical supplier information? Is the information valid?

Purchase orders:
- Do you have duplicate purchase orders?
- Are POs created on the same day as goods arrive?
- Are there split POs?
- Are there purchases with non-preferred vendors?

Invoices and payments:
- Are you making accurate and timely payments?
- Are payment term changes reviewed before payment?
- Are there duplicate invoice amounts being processed?
- Did the person making the payment create or modify the vendor?
- Are there discrepancies in freight charges?
Case Study: Company Overview

Corporate Overview: Large Mining, Chemical, Energy & Oil company headquartered in West Palm Beach, FL. 1,200 employees worldwide and $4B annual revenue. Owns Oracle E-Business Suite R12 and several non-Oracle systems.

Overall Challenges and the Need for ERP Controls:
- Heterogeneous business application environment
- Inability to track unusual activity on sensitive financial data
- Lack of proper internal controls in various processes
- Insufficient documentation on access, configuration and transaction controls
Controls in Scope
- User security to prevent improper access to business functions
- Segregation of Requisitions from Purchase Orders
- Auto Create of Purchase Orders/RFQ from Requisitions
- One, two or three way matching of purchases to payments
- Purchasing and payment tolerances
- Vendor purchasing/pay site configuration
- One-time vendor indicator
- Purchasing approvals based on dollar value and commodity type

Controls in Scope: Purchasing
- Compare vendor address with employee address, looking for similarities
- Duplicate suppliers: similar names or same tax ID
- One-time vendors: audit rules on the one-time vendor flag changes
- PO creation date is the same as the receiving date
- Split purchase orders
- Duplicate purchase orders

Controls in Scope: Accounts Payable
- Change rule for change in payment terms, and change tracking object for terms and tolerances
- Duplicate invoices control
- Same employee creates vendor and invoice to vendor

Controls in Scope
- Opening/closing accounting periods
- Adding KFF account values
- Hiding private/sensitive data: Social Security Number, bank account information, home addresses
- Automated period close and consolidation process

IT/Super User Change Tracking
- Security rules
- Cross validation rules
- Foreign currency exchange rate changes
- Key Flexfield segments
- System profiles
- ERP responsibilities
- Payment terms and tolerances
- Form changes
- Alert changes
- Bank account information
- Journal sources and categories
Oracle Advanced Controls Implementation

Access Controls:
- Segregation of Duties, i.e. policy load
- User Provisioning, i.e. detection and remediation of SODs
- Conflict Reports, i.e. report on intra- and inter-responsibility conflicts

Preventive Controls:
- Form Rules, i.e. limiting access to a field
- Flow Rules, i.e. approval rule, informational message on trigger
- Audit Rules, i.e. track changes
- Change Control Rules, i.e. reason code as to why a field is changed

Transaction Controls:
- Business Objects, i.e. tables and fields within EBS Suite
- Parameters, i.e. filters, patterns and functions
- TCG Models, i.e. string of business objects that generate suspects

Configuration Controls:
- Snapshots, i.e. capturing specific setup/configuration info
- Comparisons, i.e. comparing snapshots between ledgers, operating units, instances
- Change Tracking, i.e. monitor any change to configuration
Transaction Control Monitors

Monitor | Description
AP Invoices Over Threshold | Identify AP invoices that are over a certain threshold amount
Dormant Inventory Items | Check for dormant inventory items
Dormant User IDs | Identify dormant user IDs
Duplicate Vendor Payments | Identify duplicate vendor payments within a specified time period
Enter Post Journals SOD Violation | Identify journals that are entered and posted by the same user
Manual Journal Entries over Threshold Amount | Identify manual journals created in General Ledger that are above the specified threshold amount
PO Over Threshold Amount | Identify purchase orders that are over a certain threshold amount
Sales Order Over Credit Limit | Control monitor for sales orders over credit limit
Sales Order Over Threshold Amount | Identify sales orders that were booked for a value over a threshold amount
SOD Violation between AP Invoices and PO Documents | Identify purchasing and payables documents entered by the same user
Terminated Employees with Active User Ids | Identify terminated employees with active user IDs
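The Procure-to-Pay control questions (duplicate suppliers, split POs, the same person creating the vendor and the invoice) and the monitors in the table above are, in practice, queries run periodically over the ERP tables, each row returned being a suspect for review. The block below is an added example, not the deck's or FulcrumWay's code and not the Oracle EBS schema: it builds a constructed, deliberately simplified in-memory SQLite database (table and column names, the PO approval limit of 5000 and every row are assumptions) and runs four of the monitors as SQL, so the same queries can be read as a specification of what each monitor flags.

```python
"""Transaction control monitors as SQL over constructed P2P data (added example)."""
import sqlite3

# Constructed, simplified tables; names are assumptions, not the Oracle EBS schema.
SCHEMA = """
CREATE TABLE users(username TEXT PRIMARY KEY, active INTEGER, terminated INTEGER);
CREATE TABLE suppliers(id INTEGER PRIMARY KEY, name TEXT, tax_id TEXT, created_by TEXT);
CREATE TABLE purchase_orders(id INTEGER PRIMARY KEY, supplier_id INTEGER, amount REAL,
                             created_by TEXT, created_date TEXT);
CREATE TABLE invoices(id INTEGER PRIMARY KEY, supplier_id INTEGER, amount REAL,
                      created_by TEXT, invoice_date TEXT);
"""
# Invented rows, arranged so that each monitor returns exactly one suspect.
SAMPLE = """
INSERT INTO users VALUES ('jdoe',1,0),('asmith',1,1),('bkim',0,1),('cray',1,0);
INSERT INTO suppliers VALUES (1,'Acme Supply','12-3456789','jdoe'),
                             (2,'ACME Supply Inc','12-3456789','cray'),
                             (3,'Globex','98-7654321','cray');
INSERT INTO purchase_orders VALUES (10,3,4900,'jdoe','2014-01-10'),
                                   (11,3,4800,'jdoe','2014-01-10'),
                                   (12,3,4700,'jdoe','2014-01-10'),
                                   (13,1,9000,'cray','2014-01-12');
INSERT INTO invoices VALUES (100,1,2500,'jdoe','2014-01-15'),
                            (101,3,9000,'asmith','2014-01-16');
"""
PO_APPROVAL_LIMIT = 5000.0  # assumed single-PO approval limit used by the split-PO monitor

MONITORS = {
    # Two supplier records sharing one tax ID: duplicate or fictitious supplier.
    "duplicate_supplier_tax_id": """
        SELECT tax_id, GROUP_CONCAT(name, '|') AS names, COUNT(*) AS n
        FROM suppliers GROUP BY tax_id HAVING COUNT(*) > 1""",
    # The user who created the supplier also entered an invoice against it.
    "supplier_and_invoice_same_user": """
        SELECT i.id AS invoice_id, s.name, i.created_by
        FROM invoices i JOIN suppliers s ON s.id = i.supplier_id
        WHERE i.created_by = s.created_by""",
    # Several same-day POs to one supplier, each under the limit, together above it.
    "split_purchase_orders": """
        SELECT supplier_id, created_by, created_date, COUNT(*) AS n, SUM(amount) AS total
        FROM purchase_orders
        WHERE amount <= :limit
        GROUP BY supplier_id, created_by, created_date
        HAVING COUNT(*) > 1 AND SUM(amount) > :limit""",
    # HR says terminated, but the application account is still active.
    "terminated_with_active_user_id": """
        SELECT username FROM users WHERE terminated = 1 AND active = 1""",
}


def build_sample_db():
    """Create the constructed in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn


def run_monitors(conn, limit=PO_APPROVAL_LIMIT):
    """Run every monitor; returns {monitor name: list of suspect rows}."""
    results = {}
    for name, sql in MONITORS.items():
        params = {"limit": limit} if ":limit" in sql else {}
        results[name] = conn.execute(sql, params).fetchall()
    return results


if __name__ == "__main__":
    for name, rows in run_monitors(build_sample_db()).items():
        print(f"{name}: {len(rows)} suspect(s)")
        for row in rows:
            print("   ", row)
```

Each query is written so that a review team can read the HAVING or WHERE clause as the control's definition; tightening a monitor (for example, extending the split-PO window from one day to one week) is then a visible, reviewable change to that clause rather than to surrounding code.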
Transaction Control Monitors: Receivables setups

Define credit usage rules: In Order Management, credit usage rule sets define the set of currencies that will share a predefined credit limit during the credit checking process, and enable the grouping of currencies for global credit checking.

Customer reporting hierarchy: Receivables uses the following hierarchy to determine the default payment term for your transactions, stopping when one is found: 1. Bill-to site; 2. Customer address; 3. Customer; 4. Transaction type.

Approval limits: Approval limits affect the Adjustments, Submit Auto Adjustments, and Approve Adjustments windows as well as the Credit Memo Request Workflow. Define approval limits to determine whether a Receivables user can approve adjustments or credit memo requests. You define approval limits by document type, dollar amount, reason code, and currency.

Aging buckets: Define aging buckets to review and report on open receivables based on the number of days each item is past due. For example, the 4 Bucket Aging bucket that Receivables provides consists of four periods: 999 to 0 days past due, 1 to 30 days past due, 31 to 61 days past due, and 61 to 91 days past due.
Change Tracking

Query a change tracker to identify changes across multiple instances. Select multiple applications to monitor. The query requires the Change Tracking Transfer program to run before any data can be collected (this program transfers change tracking data from the ERP instances to CCG).

Monitor configuration changes: users and administrators can monitor before-and-after values, responsible user, and time stamp.
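The configuration-control pattern the deck describes (snapshots of setup data, comparisons between them and between instances, and a change record carrying before-and-after values, responsible user and time stamp) is shown below as an added example; it is not the deck's or FulcrumWay's code and does not call the Change Tracking Transfer program or CCG. The snapshots are constructed dictionaries of setup key to value, the key prefixes used as a watch-list, the 10% exchange-rate tolerance (taken from the transaction-controls slide) and the responsible user and time stamp passed in from an assumed audit record are all assumptions.

```python
"""Configuration snapshot comparison and change tracking (added example)."""
from dataclasses import dataclass

# Assumed watch-list: key prefixes for the setups the deck lists as tracked.
WATCHED_PREFIXES = ("profile.", "payment_terms.", "journal_source.", "exchange_rate.", "bank.")
RATE_TOLERANCE = 0.10  # manual exchange-rate changes beyond +/-10% are rated high


@dataclass(frozen=True)
class Change:
    key: str
    before: object
    after: object
    changed_by: str   # responsible user, as recorded by the (assumed) audit record
    changed_at: str   # time stamp of that record, ISO-8601
    severity: str     # "high", "medium" or "low"


def classify(key, before, after):
    """Rate a change: exchange rates by size of the move, money-affecting setups high."""
    if key.startswith("exchange_rate."):
        if isinstance(before, (int, float)) and isinstance(after, (int, float)) and before:
            return "high" if abs(after - before) / abs(before) > RATE_TOLERANCE else "low"
        return "high"  # rate added or removed outright
    if key.startswith(("bank.", "payment_terms.", "journal_source.")):
        return "high"
    return "medium"


def diff_snapshots(old, new, changed_by, changed_at):
    """Change records for every watched key whose value differs between two snapshots."""
    changes = []
    for key in sorted(set(old) | set(new)):
        if not key.startswith(WATCHED_PREFIXES):
            continue
        before, after = old.get(key), new.get(key)
        if before != after:
            changes.append(Change(key, before, after, changed_by, changed_at,
                                  classify(key, before, after)))
    return changes


def instance_drift(snapshots):
    """Watched keys whose values differ across instances: {key: {instance: value}}."""
    keys = set().union(*snapshots.values())
    drift = {}
    for key in sorted(keys):
        if not key.startswith(WATCHED_PREFIXES):
            continue
        values = {inst: snap.get(key) for inst, snap in snapshots.items()}
        if len(set(values.values())) > 1:
            drift[key] = values
    return drift


# Constructed snapshots: production at two points in time, and a test instance.
PROD_T0 = {
    "profile.GL_ALLOW_POSTING": "N",
    "payment_terms.NET30.days": 30,
    "exchange_rate.USD_EUR": 0.74,
    "exchange_rate.USD_GBP": 0.61,
    "bank.ACME.account": "***1234",
    "journal_source.Manual.require_approval": "Y",
    "misc.ui_theme": "blue",          # not on the watch-list
}
PROD_T1 = {**PROD_T0, "exchange_rate.USD_EUR": 0.90, "exchange_rate.USD_GBP": 0.63,
           "payment_terms.NET30.days": 45, "misc.ui_theme": "dark"}
TEST_T1 = {**PROD_T1, "profile.GL_ALLOW_POSTING": "Y"}


if __name__ == "__main__":
    for c in diff_snapshots(PROD_T0, PROD_T1, "apps_admin", "2014-01-20T10:15:00"):
        print(f"[{c.severity:6}] {c.key}: {c.before!r} -> {c.after!r} by {c.changed_by} at {c.changed_at}")
    print("drift between instances:", instance_drift({"PROD": PROD_T1, "TEST": TEST_T1}))
```

Comparing PROD_T0 with PROD_T1 yields three watched changes: the USD/EUR rate moved by more than 10% (high), the USD/GBP rate by about 3% (low), and the NET30 payment-term days changed (high); the theme change is ignored because it is not watched. The instance comparison reports only the posting profile, which differs between PROD and TEST.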
EBS Form Rule Capabilities

A form rule defines what actions the element performs and empowers the user to make changes to EBS forms and processes:
- Set security attributes
- Establish navigation paths
- Display messages
- Define default values for fields
- Compile lists of values (LOV)
- Set field attributes
- Run SQL statements
- Execute Flow Rule process

Form Rule Highlights: Hidden Field, Modify Security Settings, Field Required, Create Messages, Edit Messages, Edit Background, Edit Field Properties, Hide Field Data, Edit Prompt.
Procure to Pay with Oracle Advanced Controls

Goals: Optimization, Cash Flow, Prevent Leakage.

Business Risks: Unapproved or Illegal Suppliers; Delayed Supplier Payments; Unauthorized Purchases; Split Purchase Orders.

Controls Objectives: Capture all Discounts; Accurate Supplier Information; Valid Purchase Orders; Ensure Separation of Duties in Procurement.

Continuous Monitors: Discounts Lost due to Delays in Payment; Multiple Suppliers with the same Tax ID; Multiple Suppliers with the same Bank Account Number; Supplier and Invoices Created by Same User; Multiple Suppliers with a similar email domain; Purchase Orders issued to Blocked Suppliers; Monitor purchases of unauthorized items, such as contraband.

Each monitor hit raises an Incident, which is investigated and then closed.
Q & A

Leader in Risk Based Enterprise Controls. Download DataProbe. One-on-one with experts. Follow FulcrumWay on LinkedIn for ERP Risk and Controls.