Auditing Application Controls webinar, Nov 09 (transcript of a 28-page PDF slide deck)

Page 1:

Auditing Application Controls in an Oracle EBS Environment

Presented by: Jeffrey T. Hare, CPA CISA CIA

Page 2:

Presentation Agenda

Overview:

•Introductions

•Overall system risks related to Application Controls

•Audit Trails

•Change Management

•Implementation Practices

•Application Controls Guidance

•Benchmarking Strategies

•Override at the Transaction Level

•Application Controls Recommendations

•IT General Controls Guidance and Risks

•Wrap Up

© 2009 ERPS

Page 3:

Introductions

Jeffrey T. Hare, CPA CISA CIA

•Founder of ERP Seminars and Oracle User Best Practices Board

•Author – Solo book project: Oracle E-Business Suite Controls: Application Security Best Practices; Contributing author “Best Practices in Financial Risk Management”

•Written various white papers on Internal Controls and Security Best Practices in an Oracle Applications environment

•Frequent contributor to OAUG’s Insight magazine, published by ISACA and ACFE

•Experience includes Big 4 audit, 6 years in CFO/Controller roles – both as auditor and auditee

•In Oracle applications space since 1998 – both as client and consultant

•Founder of Internal Controls Repository – public domain repository


Page 4:

Overall system risks related to Application Controls

Here are various risks of which you need to be aware to understand risks related to auditing application controls:

•Deficiencies regarding audit trails

•Deficiencies in Change Management practices

•Deficiencies in implementation practices


Page 5:

Overall System Risks – Audit Trails

•Disconnect between application and database layers

•Audit trail only kept where application is built to do so

•Lack of audit all functionality to monitor privileged users

•Lack of detailed audit trail throughout the application, including for configurations related to automated controls

•Example: change(s) to columns in a table can cause confusion related to changes made – Journal Sources example


Page 6:


Overall System Risks – Audit Trails

•Audit Trail deficiencies – Journal Sources Example:

Page 7:


Overall System Risks – Audit Trails

Audit Trail deficiencies – Journal Sources Example:

After first change:

Page 8:

Overall System Risks – Audit Trails

Audit Trail deficiencies – Journal Sources Example:

After second change:


Page 9:


Overall System Risks – Audit Trails

Journal Sources example – data:

                 Initial Value          After First Change     After Second Change
Value            Checked                Unchecked              Checked
Updated by       AUTOINSTALL            JTH9891                JTH9891
Update date      03-Jan-2007 21:52:09   25-Aug-2008 16:43:58   25-Aug-2008 16:45:31

The only thing we can tell from this is that JTH9891 made a change, but we have no idea WHAT changed. The values as of the second change are the same as the initial values!

Page 10:

Overall System Risks – Change Management

•Purpose of Change Management – protect the system or protect the process?

•Are system configurations relevant to the design and performance of the business process?

•Would you let a developer change the code related to a process without going through your change management process?

•Would you give your developers access to the Apps password in Prod?


Page 11:

Overall System Risks – Implementation Practices

•Was the security related to your implementation designed with the principle of least privilege concept?

•What about security for your privileged users?

•Using seeded responsibilities and/or menus/sub-menus?

•Upgrade risk

•Access to Supplier Maintenance from Buyer’s Workbench

•Access to Enter Journals from various subledger setup menus


Page 12:

Auditing Application Controls

Page 13:

Application Controls Guidance

•Institute of Internal Auditors (IIA) Global Technology Auditing Guide: Auditing Application Controls (GTAG 8)

•The guide states “the nature and extent of the evidence the auditor should obtain to verify the control has not changed may vary, based on circumstances such as the strength of the organization’s program change controls. As a result, when using a benchmarking strategy for a particular control, the auditor should consider the effect of related files, tables, data, and parameters on the application control’s functionality.”

•Two important concepts

•Look at system to determine whether application control setups are changed

•Review reliability of change management process to ascertain whether the baselined values can be relied upon
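The Journal Sources data on page 9 and the two GTAG 8 concepts on this slide describe one audit problem: a setup row's LAST_UPDATED_BY / LAST_UPDATE_DATE tells you that someone touched the row, not what it was changed to, so a value that was flipped and flipped back benchmarks as "unchanged". The Python below is an added example, not code from the presentation or from Oracle. It compares a baseline snapshot of setup rows against the current rows, reports real value changes, flags rows that were updated after the baseline with no visible delta, and shows how a value-level (trigger- or log-based) audit log resolves such a row. The column names (`require_journal_approval`, `last_updated_by`, `last_update_date`), the row keys and every sample row are constructed for the example.

```python
"""Benchmark check for application-control setups (added example).

Two things are modelled:
  * a baseline of setup values taken when the control was last tested,
    compared against the current setup rows (GTAG 8 benchmarking), and
  * the Journal Sources audit-trail gap: row-level who/when columns cannot
    distinguish "never changed" from "changed and changed back".
All column names and sample rows are constructed for this example; they are
not extracted from a real Oracle EBS instance.
"""
from dataclasses import dataclass, field
from datetime import datetime

# Columns that say who/when rather than describing the control value itself.
WHO_COLUMNS = {"last_updated_by", "last_update_date"}


@dataclass
class Finding:
    key: str
    kind: str            # "value_changed" | "touched_no_delta" | "added" | "removed"
    detail: dict = field(default_factory=dict)


def benchmark(baseline: dict, current: dict) -> list:
    """Compare baseline and current setup rows keyed by their natural key.

    Each row is a dict of column -> value. Returns Findings of four kinds:
      value_changed     a control-relevant column differs from the baseline
      touched_no_delta  the row was updated after the baseline was taken but
                        every control column matches; only a detailed
                        (old/new value) audit trail can say what happened
      added / removed   rows present on one side only
    """
    findings = []
    for key in sorted(set(baseline) | set(current)):
        if key not in current:
            findings.append(Finding(key, "removed"))
            continue
        if key not in baseline:
            findings.append(Finding(key, "added", dict(current[key])))
            continue
        old, new = baseline[key], current[key]
        deltas = {c: (old.get(c), new.get(c))
                  for c in set(old) | set(new)
                  if c not in WHO_COLUMNS and old.get(c) != new.get(c)}
        if deltas:
            findings.append(Finding(key, "value_changed", deltas))
        elif new["last_update_date"] > old["last_update_date"]:
            findings.append(Finding(key, "touched_no_delta", {
                "updated_by": new["last_updated_by"],
                "when": new["last_update_date"].isoformat()}))
    return findings


def explain_with_audit_log(key: str, audit_rows: list) -> list:
    """Resolve a touched_no_delta finding from a value-level audit log.

    audit_rows are (timestamp, key, column, old_value, new_value) tuples, the
    minimum a trigger- or log-based audit trail has to capture. Returns the
    value transitions recorded for the key, oldest first.
    """
    rows = sorted(r for r in audit_rows if r[1] == key)
    return [f"{col}: {old} -> {new}" for _, _, col, old, new in rows]


# --- constructed sample data, modelled on the Journal Sources slide ----------
BASELINE = {
    "Manual": {"require_journal_approval": "Checked",
               "last_updated_by": "AUTOINSTALL",
               "last_update_date": datetime(2007, 1, 3, 21, 52, 9)},
    "Payables": {"require_journal_approval": "Unchecked",
                 "last_updated_by": "AUTOINSTALL",
                 "last_update_date": datetime(2007, 1, 3, 21, 52, 9)},
}
CURRENT = {
    # touched twice by JTH9891 and left at the baseline value (the slide's case)
    "Manual": {"require_journal_approval": "Checked",
               "last_updated_by": "JTH9891",
               "last_update_date": datetime(2008, 8, 25, 16, 45, 31)},
    # a genuine change that is still visible
    "Payables": {"require_journal_approval": "Checked",
                 "last_updated_by": "JTH9891",
                 "last_update_date": datetime(2008, 8, 25, 16, 50, 0)},
}
# What a value-level audit trail would have recorded for "Manual" (constructed).
AUDIT_LOG = [
    (datetime(2008, 8, 25, 16, 43, 58), "Manual", "require_journal_approval", "Checked", "Unchecked"),
    (datetime(2008, 8, 25, 16, 45, 31), "Manual", "require_journal_approval", "Unchecked", "Checked"),
]

if __name__ == "__main__":
    for f in benchmark(BASELINE, CURRENT):
        print(f.key, f.kind, f.detail)
    print(explain_with_audit_log("Manual", AUDIT_LOG))
```

The `touched_no_delta` finding is the one the slide is about: it cannot be closed from the setup table alone, so the auditor either falls back on the reliability of the change management process (the second GTAG concept) or needs audit rows of the shape `AUDIT_LOG` shows. In an EBS environment those rows would come from a database trigger or from Oracle's AuditTrail shadow tables; the comparison logic is the same.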


Page 14:

Application Controls Guidance

•For Application Controls to be relied upon, you need to review:

•Setups specific to the application control

•Override of system-level controls during entry of transaction

•IT General Controls


Page 15:

Benchmarking

•Setups specific to the application control. Need to consider all setups related to the application control to make sure the integrity of the control is ensured.

•Example related to PO approvals and matching requirements: workflow components, approval groups, approval assignments, document types, line types, supplier header, at the transaction level


Page 16:

Benchmarking

Setup values are established:


Page 17:

Benchmarking

But can be overridden at various levels…


Page 18:

Benchmarking

But can be overridden at various levels…


Page 19:

Override at transaction level

And sometimes overridden at the transaction level
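To make the "established, then overridden" point of pages 15 to 19 concrete, the Python below is an added example, not code from the presentation: it resolves the control actually applied to each purchase order line by walking a hierarchy of override levels from most general to most specific, and then reports where the benchmarked baseline was departed from and at which level. The hierarchy (`purchasing_options`, `supplier`, `supplier_site`, `po_line`) is an assumption loosely modelled on the match approval level in Oracle Purchasing (2-way / 3-way / 4-way matching); the supplier names, sites and PO numbers are constructed.

```python
"""Effective-control resolution across override levels (added example).

A setup value is established once (here: organisation-wide 3-way matching)
but a more specific level may override it, down to the transaction itself.
Benchmarking only the top-level setup therefore says little about the
control a given transaction was actually subject to. The hierarchy and all
data below are constructed for the example.
"""
from collections import Counter

# Constructed setup. None means "no override at this level".
SETUP = {
    "purchasing_options": "3-Way",                       # organisation-wide default
    "supplier": {"ACME": None, "GLOBEX": "2-Way"},       # GLOBEX overrides the default
    "supplier_site": {("ACME", "NYC"): None,
                      ("GLOBEX", "LON"): None,
                      ("GLOBEX", "PAR"): "4-Way"},        # one site is stricter
}


def lookups(po_line: dict, setup: dict):
    """Yield (level, value-or-None) from the most general to the most specific level."""
    yield "purchasing_options", setup["purchasing_options"]
    yield "supplier", setup["supplier"].get(po_line["supplier"])
    yield "supplier_site", setup["supplier_site"].get((po_line["supplier"], po_line["site"]))
    yield "po_line", po_line.get("match_level")          # transaction-level override


def effective_control(po_line: dict, setup: dict = SETUP) -> tuple:
    """Return (effective_value, level_that_set_it) for one PO line.

    Later (more specific) levels win whenever they carry a value, so the
    last non-None entry in the walk is the control that actually applied.
    """
    value, source = None, None
    for level, override in lookups(po_line, setup):
        if override is not None:
            value, source = override, level
    return value, source


def override_report(po_lines: list, baseline: str, setup: dict = SETUP) -> dict:
    """Summarise every line whose effective control differs from the benchmarked baseline.

    Returns {"total": n, "deviations": [(po, value, level), ...], "by_level": {...}}.
    A deviation in either direction is reported: the auditor wants to know
    that the baseline was not what applied, not only that it was weakened.
    """
    by_level, deviations = Counter(), []
    for line in po_lines:
        value, source = effective_control(line, setup)
        if value != baseline:
            by_level[source] += 1
            deviations.append((line["po"], value, source))
    return {"total": len(po_lines), "deviations": deviations, "by_level": dict(by_level)}


# Constructed purchase order lines.
PO_LINES = [
    {"po": "PO-1001", "supplier": "ACME", "site": "NYC"},                          # baseline applies
    {"po": "PO-1002", "supplier": "GLOBEX", "site": "LON"},                        # supplier-level override
    {"po": "PO-1003", "supplier": "ACME", "site": "NYC", "match_level": "2-Way"},  # overridden on the transaction
    {"po": "PO-1004", "supplier": "GLOBEX", "site": "LON", "match_level": "3-Way"},  # transaction restores baseline
    {"po": "PO-1005", "supplier": "GLOBEX", "site": "PAR"},                        # site-level override
]

if __name__ == "__main__":
    for line in PO_LINES:
        print(line["po"], effective_control(line))
    print(override_report(PO_LINES, baseline="3-Way"))
```

PO-1004 is the instructive case: its supplier would have weakened the control, but the transaction-level value put it back to the baseline, so it is not reported, while PO-1003 shows the reverse. Neither is visible from the purchasing-options setup the benchmark was taken against, which is why the slides list every level the control can be set at as part of the population to review.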


Page 20:

Application Controls Recommendations

For your application controls to be effective:

•Know your policies and procedures

•Know your process

•Make sure all system-related setups are documented and baselined

•Require changes to go through change management process – be documented and approved

•Ability to change setups and objects should be tightly controlled just as you control object changes

•Changes to setups and objects related to application controls should be audited

•Which… would require a detailed (log or trigger-based) audit trail to be built


Page 21:

IT General Controls Guidance

Why IT General Controls are important:

The critical commentary in the IIA guidance on the importance of ITGC’s states that “if the ITGC’s that monitor program changes are not effective, then unauthorized, unapproved, and untested program changes can be introduced to the production environment, thereby compromising the overall integrity of the application controls.”


Page 22:

IT General Controls Challenges

Some common Change Management challenges for companies running Oracle EBS:

•Too narrowly define change management as IT changes

•Failure to develop non-IT executive ownership for the change management process

•Failure to properly identify the setup forms that impact their business processes

•Failure to develop the necessary audit trail to test for unauthorized changes

•Failure to design security using the principle of least privilege

•Failure to address risks related to forms that allow SQL statements to be embedded in them

•Failure to maintain documentation


Page 23:

Q & A

Page 24:

Oracle Apps Internal Controls Repository

Internal Controls Repository Content:

•White Papers such as Accessing the Database without having a Database Login, Best Practices for Bank Account Entry and Assignment, Using a Risk Based Assessment for User Access Controls, Internal Controls Best Practices for Oracle’s Journal Approval Process

•Oracle apps internal controls deficiencies and common solutions

•Mapping of sensitive data to the tables and columns

•Identification of reports with access to sensitive data

•Recommended minimum tables to audit

•http://tech.groups.yahoo.com/group/oracleappsinternalcontrols/

•Not affiliated with Oracle Corporation


Page 25:

ERP Seminars Services

•Free one-hour consultation

•On-site seminars (1 - 2 days) – custom tailored to your company’s needs

•Various web-based seminars

•RFP / RFI management for Oracle-related third party software

•SOD / UAC Third Party software project management

•SOD / UAC remediation prioritization

•Controls review related to Oracle-related controls – implementations and post-implementation


Page 26:

Seminars Offered

Seminars planned:

• Tuesday, Dec 1 - 1 p.m. EST - Auditing Oracle E-Business Suite: Top Internal Controls and Security Risks

• Tuesday, Dec 8 - 1 p.m. EST - Auditing Oracle E-Business Suite: Internal Controls Deficiencies

• Thursday, Nov 17 - 1 p.m. EST - Auditing Oracle E-Business Suite: Application Security

• Thursday, Dec 10 - Risk-Based Assessment of User Access Controls and Segregation of Duties for Companies Running Oracle E-Business Suite

• See: http://www.erpseminars.com/seminars.html


Page 27:

Best Practices Caveat

The Best Practices cited in this presentation have not been validated with your external auditors nor has there been any systematic study of industry practices to determine they are ‘in fact’ Best Practices for a representative sample of companies attempting to comply with the Sarbanes-Oxley Act of 2002 or other corporate governance initiatives mentioned. The Best Practice examples given here should not substitute for accounting or legal advice for your organization and provide no indemnification from fraud, material misstatements in your financial statements, or control deficiencies.


Page 28:

Contact Information

Jeffrey T. Hare, CPA CISA CIA

•Cell: 970-324-1450

•Office: 970-785-6455

•E-mail: [email protected]

•Websites: www.erpseminars.com, www.oubpb.com

•Oracle Internal Controls and Security listserver (public domain listserver) at http://groups.yahoo.com/group/OracleSox

•Internal Controls Repository (end users only) http://tech.groups.yahoo.com/group/oracleappsinternalcontrols/

•Skype: jhareaz
