Building an Audit Trail in an Oracle EBS Environment Presented by: Jeffrey T. Hare, CPA CISA CIA


Page 1

Building an Audit Trail in an Oracle EBS Environment

Presented by: Jeffrey T. Hare, CPA CISA CIA

Page 2

Webinar Logistics

© 2009 ERPS

• Hide and unhide the Webinar control panel by clicking on the arrow icon on the top right of your screen
• The small window icon toggles between a windowed and full screen mode
• Ask questions throughout the presentation using the chat dialog
• Questions will be reviewed and answered at the end of the presentation; I’ll open the lines for interactive Q&A
• During the presentation we will be conducting a number of polls; please take the time to respond to all those that are applicable
• CPE will only be given to those that answer at least 3 of the 4 polls

Page 3

Presentation Agenda

Overview:
• Introduction
• Audit Trail Overview
• Audit Trail Example
• Audit Trail Technologies
• What to Audit
• Upcoming Webinars
• Other Comments
• Wrap Up

Page 4

Introductions: Jeffrey T. Hare, CPA CISA CIA

• Founder of ERP Seminars and Oracle User Best Practices Board
• Written various white papers on Internal Controls and Security Best Practices in an Oracle Applications environment
• Frequent contributor to OAUG’s Insight magazine
• Experience includes Big 4 audit, 6 years in CFO/Controller roles – both as auditor and auditee
• In Oracle applications space since 1998 – both as client and consultant
• Founder of Internal Controls Repository – public domain repository
• Author of Oracle E-Business Suite Controls: Application Security Best Practices
• Contributing author of Best Practices in Financial Risk Management
• Published in ISACA’s Control Journal (twice) and ACFE’s Fraud Magazine

Page 5

Poll question: How are you identifying changes to application controls, security settings, and activity through SQL forms?

Page 6

Audit Trail Overview

Page 7

Audit Trail Overview

• Disconnect between application and database layers
• Need to be concerned about application access as well as database access
• Audit trail only kept where the application is built to do so
• Lack of "audit all" functionality to monitor privileged users
• Lack of detailed audit trail throughout the application
• In some cases, as with HR, update versus correct
• Example: change(s) to columns in a table can cause confusion related to the changes made – Journal Sources example

Page 8

Audit Trail Example

Page 9

Audit Trail Example

• Audit Trail deficiencies – Journal Sources Example: (screenshot of the Journal Sources form; image not in transcript)

Page 10

Audit Trail Example

Audit Trail deficiencies – Journal Sources Example:

After first change: (screenshot; image not in transcript)

Page 11

Audit Trail Example

Audit Trail deficiencies – Journal Sources Example:

After second change: (screenshot; image not in transcript)

Page 12

Audit Trail Example

Journal Sources example – data:

                 Initial Value          After First Change     After Second Change
Value            Checked                Unchecked              Checked
Updated by       AUTOINSTALL            JTH9891                JTH9891
Update date      03-Jan-2007 21:52:09   25-Aug-2008 16:43:58   25-Aug-2008 16:45:31

The only thing we can tell from this is that JTH9891 made a change, but we have no idea WHAT changed. The values as of the second change are the same as the initial values!

Page 13

Audit Trail Technologies

Page 14

Audit Trail Technologies

Overview:
• Row Who / Alerts
• Sign On Audit
• Snapshot
• Log
• Triggers

Page 15

Audit Trail Technologies

Row Who / Alerts

• What is it: Created by, creation date, last updated by, last updated date
• When is it useful:
  • Monitoring things you don’t expect to change (however, when it does…)
  • Within an audit period, creation date and last updated date
  • Transaction monitoring (high volume) – some continuous controls monitoring (CCM) requirements

Page 16

Audit Trail Technologies

Row Who / Alerts

• Pros:
  • Standard, embedded, no performance impact, no configuration
  • Alerts can be proactive
• Cons:
  • Only contains values as of that point in time
  • Alerts don’t store values, therefore cannot be audited

Page 17

Audit Trail Technologies

Sign On Audit

• What is it: Profile option “SignOn:Audit Level” – set to Form
• When is it useful:
  • Tracking user logins and use of professional forms
  • Tracking login of generic users such as SYSADMIN and job scheduling users, where activity should be limited by policy and procedure

Page 18

Audit Trail Technologies

Sign On Audit

• Pros:
  • Relatively little performance impact
  • Useful for comparing login activity to activity logged by users to hold them accountable versus the policies / standards
• Cons:
  • Only tracks activity via professional forms (not OA Framework HTML pages); doesn’t tell you WHAT the user did, just that they accessed the form

Page 19

Audit Trail Technologies

Snapshot

• What is it: Comparison of row who information between instances or between two points in time (prod versus 12/31 version)
• When is it useful:
  • Identifying when something is changed that you wouldn’t expect
  • When comparisons are pre-mapped, such as tools that compare objects between instances or versions
  • Application support to identify when there is a configuration change (i.e. what broke the process)

Page 20

Audit Trail Technologies

Snapshot

• Pros:
  • Insignificant performance impact
  • Useful for comparing significant volumes of data
  • Useful for support purposes – comparing data across instances or points in time when processes are broken
• Cons:
  • Only tells you the delta as of two points in time; can miss incremental changes between periods

Page 21

Audit Trail Technologies

Logs

• What are they:
  • Various types of incremental data
  • Could be traffic flowing across the network or technology inherent to the database (redo, or for mirroring)
• When are they useful: High volume transaction tables

Page 22

Audit Trail Technologies

Logs

• Pros:
  • Insignificant performance impact
• Cons:
  • Typically unable to map metadata to capture important cross-reference information about the change

Page 23

Audit Trail Technologies

Triggers

• What are they:
  • Core database technology
  • Used by the System Administrator audit trail
  • Advanced software packages:
    • May allow metadata to be mapped
    • Usually have a central repository for easier reporting and data management
    • May allow for alerting of information
• When are they useful: Setups (key control configurations), Master Data, Security, Development; SQL Forms

Page 24

Audit Trail Technologies

Triggers

• Pros:
  • Allow for mapping of metadata
  • Inherent technology within the application
  • Captures detail changes and related metadata (most solutions) to provide an auditable system
• Cons:
  • Can have a performance impact if deployed on high volume transaction tables. Therefore, performance impact needs to be evaluated and considered when using
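To make the Journal Sources example concrete, the following added Python example (not code from the presentation) replays the three rows from page 12 and contrasts what a Row Who / snapshot comparison sees with what a trigger-style shadow log captures. The row layout, the log shape and all function names are assumptions made for illustration; the audited checkbox is assumed to be "Require Journal Approval", the Journal Sources setting named on the risk-assessment slide.

```python
"""Replaying the Journal Sources example: Row Who / snapshot versus a
trigger-style shadow log.  Added example; names and layout are assumed."""
from dataclasses import dataclass, field, replace
from datetime import datetime


@dataclass
class JournalSource:
    """One Journal Sources row plus its Row Who columns."""
    source_name: str                 # constructed sample value
    require_journal_approval: bool   # assumed to be the checkbox on the slide
    last_updated_by: str
    last_update_date: datetime


@dataclass
class ShadowLog:
    """Trigger-style audit log: one entry per changed column, with old/new values."""
    entries: list = field(default_factory=list)
    audited_cols = ("source_name", "require_journal_approval")

    def on_update(self, old: JournalSource, new: JournalSource) -> None:
        """What an UPDATE trigger would write: only the columns that changed."""
        for col in self.audited_cols:
            before, after = getattr(old, col), getattr(new, col)
            if before != after:
                self.entries.append(
                    (new.last_update_date, new.last_updated_by, col, before, after))


def apply_update(row, log, *, who, when, **changes):
    """Simulate the form saving a row: Row Who columns are overwritten and the
    shadow log fires the way a database trigger would."""
    new = replace(row, last_updated_by=who, last_update_date=when, **changes)
    log.on_update(row, new)
    return new


def snapshot_diff(before, after):
    """What a two-point-in-time snapshot (or a Row Who review) can see."""
    return {c: (getattr(before, c), getattr(after, c))
            for c in vars(before) if getattr(before, c) != getattr(after, c)}


def replay():
    """Initial AUTOINSTALL row, then the two edits by JTH9891 on 25-Aug-2008."""
    log = ShadowLog()
    initial = JournalSource("Sample Source", True, "AUTOINSTALL",
                            datetime(2007, 1, 3, 21, 52, 9))
    first = apply_update(initial, log, who="JTH9891",
                         when=datetime(2008, 8, 25, 16, 43, 58),
                         require_journal_approval=False)   # unchecked
    second = apply_update(first, log, who="JTH9891",
                          when=datetime(2008, 8, 25, 16, 45, 31),
                          require_journal_approval=True)   # checked again
    return initial, second, log


if __name__ == "__main__":
    initial, final, log = replay()
    # Snapshot sees only the Row Who columns: the checkbox is back where it started.
    print("Snapshot sees:", snapshot_diff(initial, final))
    # The shadow log holds both flips, old -> new, with who and when.
    for entry in log.entries:
        print("Trigger log:", entry)
```

The snapshot diff never mentions require_journal_approval, which is exactly the gap the slide describes; the shadow log holds both flips with the user and timestamp, which is what a change management audit can be reconciled against.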

Page 25

Audit Trail Technologies

Metadata Mapping Example:
• fnd_responsibility table: (screenshot; image not in transcript)

Page 26

Audit Trail Technologies

Metadata Mapping Example:
• fnd_menus table: (screenshot; image not in transcript)

Page 27

Audit Trail Technologies

Metadata Mapping Example:
• fnd_menus_tl table: (screenshot; image not in transcript)

Page 28

Poll 2: How are you baselining configurations and tracking changes related to automated controls?

Page 29

Audit Trail: What to Audit

Page 30

Audit Trail: What to Audit

What to audit (Category: Form / Function):

• Application Controls: Journal Sources (GL), Journal Authorization Limits (GL), Approval Groups (PO), Adjustment Approval Limits (AR), Receivables Activities (AR), OM Holds (OM), Line Types (PO), Document Types (PO), Approval Groups (PO), Approval Group Assignments (PO), Approval Group Hierarchies (PO), Tolerances, Item Master Setups, Item Categories
• Affect Business Process: Profile Options, DFFs, KFFs, Value Set Changes
• Development: Concurrent Programs, Executables, Functions, SQL forms, Objects
• Security: Menus, Roles, Responsibilities, Request Groups, Security Profiles, SQL forms such as Dynamic Trigger Maintenance, Define Profile Options, Alerts, Collection Plans, etc. (see Metalink Note 189367.1 for more information on SQL forms)
• Fraud Related: Suppliers, Remit-To Addresses, Locations, Bank Accounts

Page 31

Audit Trail Technologies

Software providers:

Trigger-based:
• Absolute Technologies: Application Auditor
• CaoSys: CS*Audit (part of CS*Compliance)
• Greenlight Technologies: RESQ
• Oracle: Configuration Controls Governor; Audit Vault

Log-based:
• Guardium, Lumigent

Snapshot:
• Approva

Page 32

Upcoming Webinars

• ERP Seminars: TBD
• Absolute Technologies: 7 Oct, 2 p.m. EDT – Application Auditor
  http://www.absolute-tech.com/services/webinar_signup_request_AA.phtml
• CaoSys: 6 Oct, 2 p.m. EDT – CS*Compliance
  http://www.caosys.com/events.php

Page 33

Other Comments

Page 34

Poll 3: Will you require a CPE certificate for a professional designation such as CPA, CISA, CISM, or CIA?

Page 35

Sample Risk Assessment: Application Controls / SOD

Conflict: Enter Journals vs. Maintain Journal Sources

Risk Description: A user could override controls by changing the configuration "Require Journal Approval", which is set in the Journal Sources form and determines which sources are required to go through the journal approval process. The same access could also be used to change "Freeze Journals" in Journal Sources, which could allow a user to delete or change a JE from a subledger. Either change could compromise controls related to the journal entry approval process. This could lead to a compromise in the integrity of the financial statements and control violations under SOX.

Typical Mitigating Controls: Do not allow those involved in the JE process to maintain Journal Sources. No user should have access to both of these functions, including support users. Changes to Journal Sources should go through change management and be approved by appropriate personnel who have reviewed and understand the impact of the change on the process and controls related to journal entries. Changes to Journal Sources should be audited at the system level via a log-based or trigger-based mechanism. A change management audit should be performed by an independent auditor with a 100% sample size, comparing actual changes pulled from a system-level audit trail to approvals in the change management documentation.

Page 36

Sample Risk Assessment: Application Control Configs

Conflict: Maintain Journal Authorization Limits

Risk Description: Access allows a user to define journal approval limits. The risk is unapproved changes to journal approval limits, resulting in posted journal entries not properly approved by management and overriding defined controls. This could lead to a compromise in the integrity of the financial statements and control violations under SOX.

Typical Mitigating Controls: Changes to Journal Authorization Limits should go through change management and be approved by appropriate personnel who have reviewed and understand the impact of the change on the process and controls related to journal entries. Changes to Journal Authorization Limits should be audited at the system level via a log-based or trigger-based mechanism. A change management audit should be performed by an independent auditor with a 100% sample size, comparing actual changes pulled from a system-level audit trail to approvals in the change management documentation.

Page 37

Wrap Up

Page 38

Oracle Apps Internal Controls Repository

Internal Controls Repository Content:
• White Papers such as Accessing the Database without having a Database Login, Best Practices for Bank Account Entry and Assignment, Using a Risk Based Assessment for User Access Controls, Internal Controls Best Practices for Oracle’s Journal Approval Process
• Oracle apps internal controls deficiencies and common solutions
• Mapping of sensitive data to the tables and columns
• Identification of reports with access to sensitive data
• Recommended minimum tables to audit
• http://tech.groups.yahoo.com/group/oracleappsinternalcontrols/
• Not affiliated with Oracle Corporation

Page 39

ERP Seminars Services

• Free one-hour consultation
• On-site seminars (1 - 2 days) – custom tailored to your company’s needs, as well as various web-based seminars
• RFP / RFI management for Oracle-related GRC software
• SOD / UAC third party software projects / remediation
• Audit trail software projects
• Controls review related to Oracle-related controls – implementations and post-implementation
• Level I and Level II assessment services – see: http://www.erpseminars.com/Services.html

Page 40

Seminars Offered

Seminars offered:
• Internal Controls and Application Security Best Practices in an Oracle e-Business Suite Environment
• Application Security Design: Fundamentals
• Application Security Design: Advanced Concepts
• Implementing Oracle e-Business Suite: Internal Controls Challenges
• Introduction to Oracle’s User Management Module and Related Risks
• Auditing Oracle E-Business Suite: Application Security
• Monitoring Privileged Users in an Oracle E-Business Suite Environment
• Risk-Based Assessment of User Access Controls and Segregation of Duties for Companies Running Oracle E-Business Suite

Page 41

About ERP Seminars

• Thought Leadership, Best Practices
• Aggregator of public domain content and best practices
• A hands-on, Oracle Applications focused analyst firm – but not an analyst firm that only covers those who pay for coverage
• NOT a consulting firm, although I do some limited consulting
• Independent of any 3rd party software – attempt to cover all relevant solutions in the Oracle Apps ‘Controls Automation’ space

Page 42

Q & A

Page 43

Poll 4: I'd like to follow up this webinar with:

Page 44

Contact Information

Jeffrey T. Hare, CPA CISA CIA

• Cell: 970-324-1450
• Office: 970-785-6455
• E-mail: [email protected]
• Websites: www.erpseminars.com, www.oubpb.com
• Oracle Internal Controls and Security listserver (public domain listserver) at http://groups.yahoo.com/group/OracleSox
• Internal Controls Repository (end users only): http://tech.groups.yahoo.com/group/oracleappsinternalcontrols/

Page 45

Best Practices Caveat

The Best Practices cited in this presentation have not been validated with your external auditors, nor has there been any systematic study of industry practices to determine that they are ‘in fact’ Best Practices for a representative sample of companies attempting to comply with the Sarbanes-Oxley Act of 2002 or other corporate governance initiatives mentioned. The Best Practice examples given here should not substitute for accounting or legal advice for your organization and provide no indemnification from fraud, material misstatements in your financial statements, or control deficiencies.