TRANSCRIPT
Risk-Based Assessment of User Access Controls and
Segregation of Duties for Companies
Running Oracle Applications
Presented by:
Jeffrey T. Hare, CPA CISA CIA
Webinar Logistics
© 2009 ERPS
Hide and unhide the Webinar
control panel by clicking on the
arrow icon on the top right of
your screen
The small window icon toggles
between a windowed and full
screen mode
Ask questions throughout the
presentation using the questions
window
Questions will be reviewed and
answered at the end of the
presentation; I’ll open the lines
for interactive Q&A
Overview:
Introductions
Deficiencies in Current Approaches to SOD
Taking a Risk-Based Approach to User Access Controls
Q&A
Wrap Up
Presentation Agenda
Introductions
Jeffrey T. Hare, CPA CISA CIA
•Founder of ERP Seminars and Oracle User Best Practices Board
•Author Oracle E-Business Suite Controls: Application Security Best Practices
•Contributing author Best Practices in Financial Risk Management
•Published in ISACA’s Control Journal (twice) and ACFE’s Fraud Magazine;
frequent contributor to OAUG’s Insight magazine
•Experience includes Big 4 audit, 6+ years in CFO/Controller roles – both as
auditor and auditee
•In Oracle applications space since 1998 – both as client and consultant
•Founder of Internal Controls Repository – public domain repository
•Written various white papers on Internal Controls and Security Best Practices
in an Oracle Applications environment
Taking a Risk-Based Approach to User Access Controls
Types of Risks:
Segregation of duties – a user having access to two or more functions
that, in combination, could compromise the integrity of a business
process or allow that user to commit fraud
Access to sensitive functions – a user having access to a function
that, in and of itself, carries risk
Access to sensitive data – a user having access to sensitive data
such as employee identification numbers (US: SSN), home addresses,
credit card and bank account information, plus data unique to your
company – customers, BOMs, routings, and so on
Risk Assessment Process
• Evaluate about 675 unique risks
• CS*Comply covers up to 20,000 function-based risks
• Examples from the risk assessment:
• Single-function risks – acceptable only for approved users
(user exceptions, e.g. Menus), or not acceptable for anyone
(certain SQL forms, e.g. Quality Plans)
• SoD risks – never acceptable (Enter Journal Entries vs Journal
Authorization Limits), or acceptable for specific users via user
exceptions (Enter Journal Entries vs Journal Sources)
© 2011ERPRA
Deficiencies in Current Approaches to SOD Projects
Here are some common deficiencies in how companies are approaching SOD
projects:
•Relying on seeded content of software providers
•Not taking a risk-based approach that considers the controls already in
place when defining what the risks are for their company
•Not considering all user access control risks – access to sensitive functions and
access to sensitive data
•Always looking at risks as one function in conflict with another, rather than
looking at real risks – single function and two functions
•Looking at SOX risks and ignoring some fraud risks below the materiality level
and other operational risks
Taking a Risk-Based Approach to User Access Controls
Approach to Risk Assessment Project:
1.Identify access control conflicts
2.Identify risks associated with each conflict
3.Identify, analyze, and document mitigating controls related to
each risk
4.Assess what is the residual risk after taking into account the
mitigating controls
5.Discuss residual risks with management and assess their
willingness to assume the risk
6.Document remediation steps for unmitigated risks
7.Document whether the conflict (single or combination of two)
should be monitored in third party software
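The seven steps above, and the single-function / SoD examples from the Risk Assessment Process slide, worked through in code. This is an added example, not code from the webinar or from ERP Risk Advisory. It models access the way Oracle EBS grants it (user, responsibility, menu tree, form function, with per-responsibility menu and function exclusions), holds a risk library of single-function risks and SoD pairs with user exceptions, and reduces inherent to residual risk through documented mitigating controls. All users, responsibilities, menus, function names, risk ratings and the residual-risk scoring rule are constructed for illustration; a real review would take the access data from the FND security tables or an SoD tool's extract.

```python
"""Risk-based user access review over a constructed Oracle EBS-style security model.

Added example; not code from the webinar. Access is modelled the way EBS grants it:
user -> responsibility -> menu tree -> form function, with per-responsibility menu and
function exclusions. Every name and rating below is made up for illustration.
"""

# --- constructed security model (assumed data, not an extract from a real instance) ---
MENUS = {  # menu -> entries; each entry is a submenu or a form function
    "GL_SUPER": [("menu", "GL_JOURNALS"), ("menu", "GL_SETUP")],
    "GL_JOURNALS": [("function", "ENTER_JOURNALS"), ("function", "POST_JOURNALS")],
    "GL_SETUP": [("function", "JOURNAL_AUTH_LIMITS"), ("function", "JOURNAL_SOURCES")],
    "GL_INQUIRY": [("function", "JOURNAL_INQUIRY")],
    "QA_MANAGER": [("function", "QUALITY_PLANS_SQL"), ("function", "QUALITY_RESULTS")],
    "SYSADMIN_SECURITY": [("function", "DEFINE_MENUS"), ("menu", "GL_INQUIRY")],
}
RESPONSIBILITIES = {  # responsibility -> top menu plus exclusions (as on the Responsibilities form)
    "GL Super User": {"menu": "GL_SUPER", "exclude_functions": {"JOURNAL_AUTH_LIMITS"}},
    "GL Accountant": {"menu": "GL_JOURNALS", "exclude_functions": {"POST_JOURNALS"}},
    "GL Setup": {"menu": "GL_SETUP"},
    "GL Inquiry": {"menu": "GL_INQUIRY"},
    "Quality Manager": {"menu": "QA_MANAGER"},
    "System Administrator": {"menu": "SYSADMIN_SECURITY", "exclude_menus": {"GL_INQUIRY"}},
}
USER_RESPS = {
    "JSMITH": ["GL Accountant", "GL Setup"],
    "MCHEN": ["GL Super User"],
    "AJONES": ["GL Accountant", "GL Inquiry"],
    "SYSADMIN": ["System Administrator"],
    "PKUMAR": ["Quality Manager", "System Administrator"],
}

# --- risk library: single-function risks and SoD pairs, with user exceptions (steps 1 and 2) ---
RISKS = {
    "SF-01": {"functions": ("DEFINE_MENUS",), "inherent": 3, "exceptions": {"SYSADMIN"},
              "risk": "can add functions to menus, i.e. grant access outside the provisioning process"},
    "SF-02": {"functions": ("QUALITY_PLANS_SQL",), "inherent": 3, "never_acceptable": True,
              "risk": "SQL-capable form the assessment decided must not be used at all"},
    "SOD-01": {"functions": ("ENTER_JOURNALS", "JOURNAL_AUTH_LIMITS"), "inherent": 3, "never_acceptable": True,
               "risk": "can raise own journal approval limit, then enter journals within it"},
    "SOD-02": {"functions": ("ENTER_JOURNALS", "JOURNAL_SOURCES"), "inherent": 2, "exceptions": {"JSMITH"},
               "risk": "can switch approval off for a journal source, then enter journals against it"},
    "SOD-03": {"functions": ("ENTER_JOURNALS", "POST_JOURNALS"), "inherent": 3,
               "risk": "can enter and post journals with no second pair of eyes"},
}
# --- mitigating controls per risk, with whether testing found them operating effectively (step 3) ---
CONTROLS = {
    "SOD-03": [("Controller reviews and approves every posted journal batch", True)],
    "SF-01": [("Trigger-based audit trail on menu changes, reviewed weekly by IT audit", True),
              ("Quarterly user access review", False)],  # designed but not operating: no credit
}


def expand_menu(menu, exclude_menus=frozenset(), exclude_functions=frozenset(), _seen=None):
    """Flatten a menu tree into the functions it grants, honouring the responsibility's
    exclusion rules and guarding against cyclic menu definitions."""
    seen = set() if _seen is None else _seen
    if menu in seen or menu in exclude_menus:
        return set()
    seen.add(menu)
    granted = set()
    for kind, name in MENUS.get(menu, []):
        if kind == "function":
            if name not in exclude_functions:
                granted.add(name)
        else:
            granted |= expand_menu(name, exclude_menus, exclude_functions, seen)
    return granted


def effective_functions(user):
    """Union of functions across all of the user's responsibilities."""
    granted = set()
    for resp in USER_RESPS.get(user, []):
        spec = RESPONSIBILITIES[resp]
        granted |= expand_menu(spec["menu"], spec.get("exclude_menus", set()),
                               spec.get("exclude_functions", set()))
    return granted


def find_conflicts(user):
    """Step 1: risks (single function or pair) whose functions the user holds in full."""
    have = effective_functions(user)
    return sorted(rid for rid, r in RISKS.items() if all(f in have for f in r["functions"]))


def assess(user, rid):
    """Steps 3-7 for one user/risk hit. Illustrative scoring rule: each control that
    operates effectively takes one point off the inherent rating (3 = high, 1 = low)."""
    r = RISKS[rid]
    effective = [c for c, operating in CONTROLS.get(rid, []) if operating]
    residual = max(1, r["inherent"] - len(effective))
    if user in r.get("exceptions", set()):
        disposition = "approved exception"          # step 5: management already accepted this user
    elif r.get("never_acceptable") or residual >= 3:
        disposition = "remediate"                   # step 6: no control brings this low enough
    elif residual == 2:
        disposition = "accept with monitoring"
    else:
        disposition = "accept"
    return {"user": user, "risk": rid, "functions": r["functions"], "inherent": r["inherent"],
            "residual": residual, "controls": effective, "disposition": disposition,
            "monitor": disposition != "accept"}     # step 7: what the SoD tool should watch


def review():
    """Full review across all users; the output is the risk assessment workpaper."""
    return [assess(u, rid) for u in sorted(USER_RESPS) for rid in find_conflicts(u)]


if __name__ == "__main__":
    for f in review():
        print(f"{f['user']:8} {f['risk']:6} {' + '.join(f['functions']):40} "
              f"inherent={f['inherent']} residual={f['residual']}  {f['disposition']}")
```

Two details matter in practice and are deliberately in the model: exclusions are applied while walking the menu tree, because a responsibility that excludes a function still looks like it grants it if you only read the menu definitions; and a control that is designed but not operating gives no credit, so the residual rating reflects what testing actually found.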
Taking a Risk-Based Approach to User Access Controls
In our experience, a completed risk assessment process exposes the
following needs:
•An SOD monitoring tool (or one with a preventive workflow)
•Requirements for a trigger-based detailed audit trail
•Various monitoring reports or processes not provided by Oracle
•The need to personalize forms to support defined controls.
•Custom workflows to automate controls where Oracle’s
functionality is deficient
•Process and/or controls changes
•Documentation and testing of non-key controls
•Access control / security changes
•Additional projects and research that need to be done
(customizations, profile options, updating BR100s, BR110s, etc.)
Responding to Auditors
• Have them identify the risk(s) that are inherent in the access or SOD conflict
• Evaluate controls that may already be in place to mitigate the risks identified
• Examples:
• All journals are reviewed and approved
• Financial close processes
• Budget to actual analysis / forecast to actual
• Variance analysis – PPV, IPV
• Reconciliation of inventory balances to GL account
• Review stale inventory
• Cycle counting / physical inventories
• Downgrade key controls to standard / non-key based on risk – this reduces
audit scope and lets the auditors rely more on entity-level controls
Access Controls / R12 tips
• Take advantage of MOAC (Multi-Org Access Control) to reduce the number of
responsibilities across operating units / inventory orgs
• Use the QUERY_ONLY="YES" form function parameter to generate inquiry-only
forms (test each one thoroughly: buttons that open other forms or submit
programs are not necessarily restricted by the parameter)
• Refresh Prod to non-Prod and allow more liberal access for
replication of issues and trouble-shooting
• Use of trigger-based auditing solutions to generate detailed audit
trail to changes for key control configurations / critical changes
to item master / etc.
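A trigger-based audit trail of key control configuration changes is only a control if someone reviews it. As an added example (not code from the webinar or the firm), here is that review step in Python: constructed shadow-table rows, of the kind a trigger-based auditing tool writes, are reconciled against constructed approved change tickets, and every change to a key-control configuration table that has no covering ticket, was made by someone other than the approved implementer, or was made under a shared account is reported. Table and column names are modelled on Oracle EBS, but the rows, tickets, accounts and the choice of key-control tables are all assumptions.

```python
"""Review a trigger-based audit trail of key control configuration changes.

Added example; not code from the webinar. The rows imitate what a trigger-based
auditing tool writes to its shadow tables (one row per changed column, with old and
new values and the session that made the change). Table and column names are modelled
on EBS, but every row, ticket and account here is constructed.
"""
from datetime import datetime

# Tables the (hypothetical) risk assessment classified as key control configuration
KEY_CONTROL_TABLES = {"GL_AUTHORIZATION_LIMITS", "GL_JE_SOURCES_B", "FND_MENU_ENTRIES", "MTL_SYSTEM_ITEMS_B"}
# Shared or generic accounts under which no individual can be held accountable
SHARED_ACCOUNTS = {"SYSADMIN", "APPS"}

# Constructed audit-trail rows (what the triggers captured)
AUDIT_ROWS = [
    {"ts": datetime(2011, 6, 1, 9, 15), "table": "GL_AUTHORIZATION_LIMITS", "row_key": "EMPLOYEE_ID=1042",
     "column": "AUTHORIZATION_LIMIT", "old": "10000", "new": "1000000", "changed_by": "JSMITH"},
    {"ts": datetime(2011, 6, 2, 22, 5), "table": "FND_MENU_ENTRIES", "row_key": "MENU=GL_SUPER/SEQ=30",
     "column": "FUNCTION_ID", "old": None, "new": "DEFINE_MENUS", "changed_by": "SYSADMIN"},
    {"ts": datetime(2011, 6, 3, 10, 0), "table": "GL_JE_SOURCES_B", "row_key": "JE_SOURCE_NAME=Spreadsheet",
     "column": "JOURNAL_APPROVAL_FLAG", "old": "Y", "new": "N", "changed_by": "RLOPEZ"},
    {"ts": datetime(2011, 6, 3, 10, 2), "table": "AP_INVOICES_ALL", "row_key": "INVOICE_ID=88121",
     "column": "INVOICE_AMOUNT", "old": "1200", "new": "1250", "changed_by": "RLOPEZ"},  # transactional, out of scope
    {"ts": datetime(2011, 6, 4, 2, 40), "table": "MTL_SYSTEM_ITEMS_B", "row_key": "INVENTORY_ITEM_ID=5521",
     "column": "LIST_PRICE_PER_UNIT", "old": "120", "new": "12", "changed_by": "APPS"},  # direct database edit
]
# Constructed approved change requests: who may change which table, and when
CHANGE_TICKETS = [
    {"ticket": "CHG-1207", "table": "FND_MENU_ENTRIES", "implementer": "RLOPEZ",
     "start": datetime(2011, 6, 2, 20, 0), "end": datetime(2011, 6, 2, 23, 59)},
    {"ticket": "CHG-1210", "table": "GL_JE_SOURCES_B", "implementer": "RLOPEZ",
     "start": datetime(2011, 6, 3, 9, 0), "end": datetime(2011, 6, 3, 12, 0)},
]


def covering_tickets(row, tickets):
    """Approved tickets for this table whose window contains the change."""
    return [t for t in tickets if t["table"] == row["table"] and t["start"] <= row["ts"] <= t["end"]]


def review_change(row, tickets=CHANGE_TICKETS, key_tables=KEY_CONTROL_TABLES, shared=SHARED_ACCOUNTS):
    """Return the reasons a single audited change needs follow-up (empty list if it is clean)."""
    if row["table"] not in key_tables or row["old"] == row["new"]:
        return []
    reasons = []
    hits = covering_tickets(row, tickets)
    if not hits:
        reasons.append("no approved change request covers this table at this time")
    elif row["changed_by"] not in {t["implementer"] for t in hits}:
        reasons.append("made by someone other than the approved implementer")
    if row["changed_by"] in shared:
        reasons.append("made under a shared/generic account; cannot attribute to an individual")
    return reasons


def review_audit_trail(rows=AUDIT_ROWS, tickets=CHANGE_TICKETS):
    """Exceptions report: every key-control change that is unexplained, in trail order."""
    findings = []
    for row in rows:
        reasons = review_change(row, tickets)
        if reasons:
            findings.append({"row": row, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_audit_trail():
        r = f["row"]
        print(f"{r['ts']:%Y-%m-%d %H:%M} {r['table']}.{r['column']} {r['old']!r} -> {r['new']!r} "
              f"by {r['changed_by']} ({r['row_key']})")
        for reason in f["reasons"]:
            print("    -", reason)
```

The APPS row is the case the slide's point about "detailed audit trail" is really about: a change made directly in the database never passes through application security or the SoD tool, and only a database-level trigger records it.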
Recap / Wrap Up
Resources
• Application Security Best Practices book – 2nd edition due out
Jan 2012
• Launching partially-public domain conflict matrix in
conjunction with 2nd edition of book (common elements
will be included in Apps Security BP book)
• Oracle E-Business Suite Controls: Financial Close Cycle – due
out April 2012 – focusing on design and implementation of
controls and security related to Financial Close Cycle
Links
•Recorded webinars: http://www.erpra.net/WebinarAccessForm.html
•Blog: http://jeffreythare.blogspot.com/
•Video blog: http://www.youtube.com/ERPSeminars
•Oracle Internal Controls and Security listserver (public
domain/open group):
http://tech.groups.yahoo.com/group/OracleSox/?yguid=192922351
•Oracle Apps Internal Controls Repository (end users only / closed group):
http://tech.groups.yahoo.com/group/oracleappsinternalcontrols/?yguid=440489739
•LI Oracle GRC group:
http://www.linkedin.com/groups?gid=2017790
•LI Oracle ERP Auditors group:
http://www.linkedin.com/groups?gid=2354934
ERP Risk Advisory Services
• Project audit / QA – we’ll work under the direction of your PMO or
Internal Audit to provide project audit or quality assurance – whether the
work is done internally or through a system integrator. In this role, we
typically bring in other experts from companies like Integrigy, Solution
Beacon, FSCP Solutions, and Colibri to be a part of our team.
• Security upgrade/implementation – we’ll upgrade your security from 11i
to R12, adding new functionality in R12 while reducing ‘upgrade’ risk by
minimizing the use of standard sub-menus and using custom menus for all
custom responsibilities. We’ll also help you implement role-based access
control (RBAC) or help you to prepare for the implementation of RBAC,
depending on the maturity of your organization.
• Controls upgrade – we’ll review your risk and control library, making
sure all risks have been identified and recommending an adequate level of
controls; we’ll also look at what are defined as key controls and make
recommendations to downgrade to non-key, where possible, to reduce audit
fees; we’ll also make recommendations on how to automate various
controls.
ERP Risk Advisory Services
• Security and Controls monitoring – both security and controls need to be
monitored on an on-going basis as changes are introduced in your
system. We’ll help identify the processes and, perhaps, software that needs
to be put in place for proper monitoring
• Building of system-based audit trails – we’ll evaluate your current
trigger-based auditing and make recommendations on what should be
added or changed. If you aren’t using a trigger-based auditing tool, we’ll
recommend one that fits your budget and help you implement it.
• Enhancement of change management (CM) controls – we’ll review and
recommend enhancements to your change control process to better
protect the integrity of your data and business processes. We’ll focus on all
four aspects of CM – development, patching, security, and
configurations – and help you implement a quality assurance program to
monitor the effectiveness of your CM process.
ERP Risk Advisory Services
• Implementation of user access controls software – we’ll design and
implement preventive and detective controls related to Segregation of
Duties, single function risks, and sensitive data risks. This is best done in
conjunction with the upgrade of your security.
• Implementation of data security software – we’ll implement a security
solution that ‘locks down’ access to sensitive data – both at the application
and database levels. This software is more flexible and cost effective than
implementing encryption, where it is not provided by Oracle.
Q & A
Best Practices Caveat
The Best Practices cited in this presentation have not been
validated with your external auditors nor has there been any
systematic study of industry practices to determine they are ‘in
fact’ Best Practices for a representative sample of companies
attempting to comply with the Sarbanes-Oxley Act of 2002 or
other corporate governance initiatives mentioned. The Best
Practice examples given here should not substitute for accounting
or legal advice for your organization and provide no
indemnification from fraud, material misstatements in your
financial statements, or control deficiencies.
Contact Information
Jeffrey T. Hare, CPA CISA CIA
Cell: 970-324-1450
Office: 970-785-6455
Sales: Phil Reimann – [email protected]
Sales: 774-999-0527
E-mail: [email protected]
Websites: www.erpra.net, www.oubpb.com