Building an Audit Trail in an Oracle EBS Environment
Presented by:
Jeffrey T. Hare, CPA CISA CIA
Webinar Logistics
© 2009 ERPS
• Hide and unhide the Webinar control panel by clicking on the arrow icon on the top right of your screen
• The small window icon toggles between a windowed and full screen mode
• Ask questions throughout the presentation using the chat dialog
• Questions will be reviewed and answered at the end of the presentation; I’ll open the lines for interactive Q&A
• During the presentation, we will be conducting a number of polls; please take the time to respond to all those that are applicable
• CPE will only be given to those that answer at least 3 of the 4 polls
Presentation Agenda
Overview:
• Introduction
• Audit Trail Overview
• Audit Trail Example
• Audit Trail Technologies
• What to Audit
• Upcoming Webinars
• Other Comments
• Wrap Up
Introductions
Jeffrey T. Hare, CPA CISA CIA
• Founder of ERP Seminars and Oracle User Best Practices Board
• Written various white papers on Internal Controls and Security Best Practices in an Oracle Applications environment
• Frequent contributor to OAUG’s Insight magazine
• Experience includes Big 4 audit, 6 years in CFO/Controller roles – both as auditor and auditee
• In Oracle applications space since 1998 – both as client and consultant
• Founder of Internal Controls Repository – public domain repository
• Author of Oracle E-Business Suite Controls: Application Security Best Practices
• Contributing author of Best Practices in Financial Risk Management
• Published in ISACA’s Control Journal (twice) and ACFE’s Fraud Magazine
Poll question: How are you identifying changes to application controls, security settings, and activity through SQL forms?
Audit Trail Overview
• Disconnect between application and database layers
• Need to be concerned about application access as well as database access
• Audit trail only kept where the application is built to do so
• Lack of an "audit all" functionality to monitor privileged users
• Lack of a detailed audit trail throughout the application
• In some cases, as with HR, there is an update versus correct distinction
• Example: changes to columns in a table can cause confusion about what was actually changed – Journal Sources example
Audit Trail Example
Audit Trail deficiencies – Journal Sources Example: initial value; after first change; after second change
Journal Sources example – data:

                 Initial Value          After First Change     After Second Change
Value            Checked                Unchecked              Checked
Updated by       AUTOINSTALL            JTH9891                JTH9891
Update date      03-Jan-2007 21:52:09   25-Aug-2008 16:43:58   25-Aug-2008 16:45:31

The only thing we can tell from this is that JTH9891 made a change, but we have no idea WHAT changed. The values as of the second change are the same as the initial values!
Audit Trail Technologies
Overview:
• Row Who / Alerts
• Sign On Audit
• Snapshot
• Log
• Triggers
Row Who / Alerts
• What is it: created by, creation date, last updated by, last updated date
• When is it useful:
  • Monitoring things you don’t expect to change (however, when it does…)
  • Within an audit period, creation date and last updated date
  • Transaction monitoring (high volume) – some continuous controls monitoring (CCM) requirements
• Pros:
  • Standard, embedded, no performance impact, no configuration
  • Alerts can be proactive
• Cons:
  • Only contains values as of that point in time
  • Alerts don’t store values, therefore cannot be audited
Sign On Audit
• What is it: profile option “SignOn:Audit Level” – set to Form
• When is it useful:
  • Tracking user logins and use of professional forms
  • Tracking login of generic users such as SYSADMIN and job scheduling users, where activity should be limited by policy and procedure
• Pros:
  • Relatively little performance impact
  • Useful for comparing login activity to activity logged by users, to hold them accountable versus the policies / standards
• Cons:
  • Only tracks activity via professional forms (not OA Framework HTML pages); doesn’t tell you WHAT the user did, just that they accessed the form
Snapshot
• What is it: comparison of row who information between instances or between two points in time (prod versus 12/31 version)
• When is it useful:
  • Identifying when something is changed that you wouldn’t expect
  • When comparisons are pre-mapped, such as tools that compare objects between instances or versions
  • Application support, to identify when there is a configuration change (i.e. what broke the process)
• Pros:
  • Insignificant performance impact
  • Useful for comparing significant volumes of data
  • Useful for support purposes – comparing data across instances or points in time when processes are broken
• Cons:
  • Only tells you the delta as of two points in time; can miss incremental changes between periods
Logs
• What are they: various types of incremental data
  • Could be traffic flowing across the network, or technology inherent to the database (redo logs, or logs used for mirroring)
• When are they useful: high volume transaction tables
• Pros:
  • Insignificant performance impact
• Cons:
  • Typically unable to map metadata to capture important cross-reference information about the change
Triggers
• What are they:
  • Core database technology
  • Used by the System Administrator audit trail
  • Advanced software packages:
    • May allow metadata to be mapped
    • Usually have a central repository for easier reporting and data management
    • May allow for alerting of information
• When are they useful: setups (key control configurations), master data, security, development; SQL forms
• Pros:
  • Allow for mapping of metadata
  • Inherent technology within the application
  • Captures detail changes and related metadata (most solutions) to provide an auditable system
• Cons:
  • Can have a performance impact if deployed on high volume transaction tables; therefore, the performance impact needs to be evaluated and considered when using them
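As an added example (not code from the deck or from any of the products it names), the Python/SQLite script below replays the Journal Sources sequence from the Audit Trail Example against a constructed table and contrasts the two audit technologies: the Row Who columns / a snapshot diff cannot see that the "require approval" flag was toggled off and back on, while a trigger that stores OLD and NEW values records both toggles with who and when. The table, column and trigger names and the 'Manual' source row are assumptions, and SQLite trigger syntax stands in for an Oracle trigger.

```python
import sqlite3
# Constructed demo schema (not an EBS table): a setup row with its Row Who
# columns, plus the kind of audit table a trigger-based product populates.
SCHEMA = """
CREATE TABLE je_sources_demo (
    source_name      TEXT PRIMARY KEY,
    require_approval TEXT NOT NULL,   -- 'Y' = checked, 'N' = unchecked
    last_updated_by  TEXT NOT NULL,   -- Row Who: who touched the row last
    last_update_date TEXT NOT NULL    -- Row Who: when it was touched last
);
CREATE TABLE je_sources_audit (
    audit_id    INTEGER PRIMARY KEY AUTOINCREMENT,
    source_name TEXT, column_name TEXT, old_value TEXT, new_value TEXT,
    changed_by  TEXT, changed_at TEXT
);
-- The trigger stores the OLD and NEW value of the control column, so each
-- toggle is recorded even when a later toggle restores the original value.
CREATE TRIGGER trg_je_sources_audit
AFTER UPDATE OF require_approval ON je_sources_demo
WHEN OLD.require_approval <> NEW.require_approval
BEGIN
    INSERT INTO je_sources_audit
        (source_name, column_name, old_value, new_value, changed_by, changed_at)
    VALUES (NEW.source_name, 'require_approval', OLD.require_approval,
            NEW.require_approval, NEW.last_updated_by, NEW.last_update_date);
END;
"""
ROW = "SELECT require_approval, last_updated_by, last_update_date FROM je_sources_demo"

def replay_journal_sources_example():
    """Replay the deck's sequence: checked -> unchecked -> checked by JTH9891."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO je_sources_demo VALUES "
               "('Manual', 'Y', 'AUTOINSTALL', '03-Jan-2007 21:52:09')")
    before = db.execute(ROW).fetchone()
    for flag, when in (("N", "25-Aug-2008 16:43:58"), ("Y", "25-Aug-2008 16:45:31")):
        db.execute("UPDATE je_sources_demo SET require_approval = ?, "
                   "last_updated_by = 'JTH9891', last_update_date = ? "
                   "WHERE source_name = 'Manual'", (flag, when))
    after = db.execute(ROW).fetchone()
    # Row Who / snapshot view: the control value is back to 'Y', so a diff of
    # the two snapshots shows only a new updater and date, not WHAT changed.
    audit = db.execute("SELECT old_value, new_value, changed_by, changed_at "
                       "FROM je_sources_audit ORDER BY audit_id").fetchall()
    return {
        "snapshot_sees_value_change": before[0] != after[0],  # False
        "row_who_after": after[1:],                            # who / when only
        "audit_trail": audit,                                  # both toggles
    }
```

On a real system the same trigger would fire on a high-volume table for every row update, which is the performance cost the Cons bullet warns about; the metadata mapping the deck describes is the extra step of joining the audited values back to user-facing names.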
Metadata Mapping Example:
• fnd_responsibility table
• fnd_menus table
• fnd_menus_tl table
Poll 2: How are you baselining configurations and tracking changes related to automated controls?
Audit Trail: What to Audit
What to audit:
Category: Form / Function
• Application Controls: Journal Sources (GL), Journal Authorization Limits (GL), Approval Groups (PO), Adjustment Approval Limits (AR), Receivables Activities (AR), OM Holds (OM), Line Types (PO), Document Types (PO), Approval Groups (PO), Approval Group Assignments (PO), Approval Group Hierarchies (PO), Tolerances, Item Master Setups, Item Categories
• Affect Business Process: Profile Options, DFFs, KFFs, Value Set Changes
• Development: Concurrent Programs, Executables, Functions, SQL forms, Objects
• Security: Menus, Roles, Responsibilities, Request Groups, Security Profiles, SQL forms such as Dynamic Trigger Maintenance, Define Profile Options, Alerts, Collection Plans, etc. (see Metalink Note 189367.1 for more information on SQL forms)
• Fraud Related: Suppliers, Remit-To Addresses, Locations, Bank Accounts
Audit Trail Technologies
Software providers:
• Trigger-based:
  • Absolute Technologies: Application Auditor
  • CaoSys: CS*Audit (part of CS*Compliance)
  • Greenlight Technologies: RESQ
  • Oracle: Configuration Controls Governor; Audit Vault
• Log-based: Guardium, Lumigent
• Snapshot: Approva
Upcoming Webinars
• ERP Seminars: TBD
• Absolute Technologies: 7 Oct, 2 p.m. EDT – Application Auditor
  http://www.absolute-tech.com/services/webinar_signup_request_AA.phtml
• CaoSys: 6 Oct, 2 p.m. EDT – CS*Compliance
  http://www.caosys.com/events.php
Other Comments
Poll 3: Will you require a CPE certificate for a professional designation such as CPA, CISA, CISM, or CIA?
Sample Risk Assessment Application Controls / SOD

Conflict: Enter Journals vs. Maintain Journal Sources

Risk Description: Enter Journals vs. Journal Sources: a user could override controls by changing the configuration "Require Journal Approval", which is set in the Journal Sources form and determines which sources are required to go through the journal approval process. This could also lead to changing "Freeze Journals" in Journal Sources, which could allow a user to delete or change a JE from a subledger. Either change could lead to a compromise in controls related to the journal entry approval process. This could lead to a compromise in the integrity of the financial statements and control violations under SOX.

Typical Mitigating Controls: Do not allow those involved in the JE process to maintain Journal Sources. No user should have access to both of these functions, including support users. Changes to Journal Sources should go through change management and be approved by appropriate personnel who have reviewed and understand the impact of the change on the process and controls related to journal entries. Changes to Journal Sources should be audited at the system level via a log-based or trigger-based mechanism. A change management audit should be performed with a 100% sample size, done by comparing actual changes pulled from a system-level audit trail to approvals in the change management documentation by an independent auditor.
Sample Risk Assessment Application Control Configs

Conflict: Maintain Journal Authorization Limits

Risk Description: Maintain Journal Authorization Limits: access allows a user to define journal approval limits. The risk is unapproved changes to journal approval limits, resulting in posted journal entries not properly approved by management and overriding defined controls. This could lead to a compromise in the integrity of the financial statements and control violations under SOX.

Typical Mitigating Controls: Changes to Journal Authorization Limits should go through change management and be approved by appropriate personnel who have reviewed and understand the impact of the change on the process and controls related to journal entries. Changes to Journal Authorization Limits should be audited at the system level via a log-based or trigger-based mechanism. A change management audit should be performed with a 100% sample size, done by comparing actual changes pulled from a system-level audit trail to approvals in the change management documentation by an independent auditor.
Wrap Up
Oracle Apps Internal Controls Repository
Internal Controls Repository Content:
• White Papers such as Accessing the Database without having a Database Login, Best Practices for Bank Account Entry and Assignment, Using a Risk Based Assessment for User Access Controls, Internal Controls Best Practices for Oracle’s Journal Approval Process
• Oracle apps internal controls deficiencies and common solutions
• Mapping of sensitive data to the tables and columns
• Identification of reports with access to sensitive data
• Recommended minimum tables to audit
• http://tech.groups.yahoo.com/group/oracleappsinternalcontrols/
• Not affiliated with Oracle Corporation
ERP Seminars Services
• Free one-hour consultation
• On-site seminars (1 - 2 days) – custom tailored to your company’s needs, as well as various web-based seminars
• RFP / RFI management for Oracle-related GRC software
• SOD / UAC third party software projects / remediation
• Audit trail software projects
• Controls review related to Oracle-related controls – implementations and post-implementation
• Level I and Level II assessment services – see: http://www.erpseminars.com/Services.html
Seminars Offered
• Internal Controls and Application Security Best Practices in an Oracle e-Business Suite Environment
• Application Security Design: Fundamentals
• Application Security Design: Advanced Concepts
• Implementing Oracle e-Business Suite: Internal Controls Challenges
• Introduction to Oracle’s User Management Module and Related Risks
• Auditing Oracle E-Business Suite: Application Security
• Monitoring Privileged Users in an Oracle E-Business Suite Environment
• Risk-Based Assessment of User Access Controls and Segregation of Duties for Companies Running Oracle E-Business Suite
About ERP Seminars
• Thought Leadership, Best Practices
• Aggregator of public domain content and best practices
• A hands-on, Oracle Applications focused analyst firm – but not an analyst firm that only covers those that pay for coverage
• NOT a consulting firm, although I do some limited consulting
• Independent of any 3rd party software – attempt to cover all relevant solutions in the Oracle Apps ‘Controls Automation’ space
Q & A
Poll 4: I'd like to follow up this webinar with:
Contact Information
Jeffrey T. Hare, CPA CISA CIA
• Cell: 970-324-1450
• Office: 970-785-6455
• E-mail: [email protected]
• Websites: www.erpseminars.com, www.oubpb.com
• Oracle Internal Controls and Security listserver (public domain listserver) at http://groups.yahoo.com/group/OracleSox
• Internal Controls Repository (end users only): http://tech.groups.yahoo.com/group/oracleappsinternalcontrols/
Best Practices Caveat
The Best Practices cited in this presentation have not been validated with your external auditors, nor has there been any systematic study of industry practices to determine they are ‘in fact’ Best Practices for a representative sample of companies attempting to comply with the Sarbanes-Oxley Act of 2002 or other corporate governance initiatives mentioned. The Best Practice examples given here should not substitute for accounting or legal advice for your organization and provide no indemnification from fraud, material misstatements in your financial statements, or control deficiencies.