Auditing Application Controls webinar Nov09 (PDF)
Auditing Application Controls in an Oracle EBS
Environment
Presented by:
Jeffrey T. Hare, CPA CISA CIA
Overview:
•Introductions
•Overall system risks related to Application Controls
  •Audit Trails
  •Change Management
  •Implementation Practices
•Application Controls Guidance
  •Benchmarking Strategies
  •Override at the Transaction Level
•Application Controls Recommendations
•IT General Controls Guidance and Risks
•Wrap Up
Presentation Agenda
© 2009 ERPS
Introductions
Jeffrey T. Hare, CPA CISA CIA
•Founder of ERP Seminars and Oracle User Best Practices Board
•Author – Solo book project: Oracle E-Business Suite Controls: Application
Security Best Practices; Contributing author “Best Practices in Financial Risk
Management”
•Written various white papers on Internal Controls and Security Best Practices
in an Oracle Applications environment
•Frequent contributor to OAUG’s Insight magazine, published by ISACA and
ACFE
•Experience includes Big 4 audit, 6 years in CFO/Controller roles – both as
auditor and auditee
•In Oracle applications space since 1998 – both as client and consultant
•Founder of Internal Controls Repository – public domain repository
Overall system risks related to Application Controls
Here are various risks of which you need to be aware to understand
risks related to auditing application controls:
•Deficiencies regarding audit trails
•Deficiencies in Change Management practices
•Deficiencies in implementation practices
Overall System Risks – Audit Trails
•Disconnect between application and database layers
•Audit trail only kept where application is built to do so
•Lack of audit all functionality to monitor privileged users
•Lack of detailed audit trail throughout the application
including for configurations related to automated controls
•Example: change(s) to columns in a table can cause confusion
related to changes made - Journal Sources example
Overall System Risks – Audit Trails
•Audit Trail deficiencies – Journal Sources Example (screenshots of the Journal Sources form: initial value, after first change, after second change)
Overall System Risks – Audit Trails
Journal Sources example – data:
               Initial Value          After First Change      After Second Change
Value          Checked                Unchecked               Checked
Updated by     AUTOINSTALL            JTH9891                 JTH9891
Update date    03-Jan-2007 21:52:09   25-Aug-2008 16:43:58    25-Aug-2008 16:45:31
The only thing we can tell from this is that JTH9891 made a change,
but we have no idea WHAT changed. The values as of the second
change are the same as the initial values!
Overall System Risks – Change Management
•Purpose of Change Management – protect the system or protect
the process?
•Are system configurations relevant to the design and
performance of the business process?
•Would you let a developer change the code related to a process
without going through your change management process?
•Would you give your developers access to the Apps password in
Prod?
Overall System Risks – Implementation Practices
•Was the security related to your implementation designed with
the principle of least privilege concept?
•What about security for your privileged users?
•Using seeded responsibilities and/or menus/sub-menus?
•Upgrade risk
•Access to Supplier Maintenance from Buyer’s Workbench
•Access to Enter Journals from various subledger setup
menus
Auditing Application Controls
Application Controls Guidance
•Internal Auditors (IIA) Global Technology Auditing Guide:
Auditing Application Controls (GTAG 8)
•The guide states “the nature and extent of the evidence the auditor should obtain to
verify the control has not changed may vary, based on circumstances such as the
strength of the organization’s program change controls. As a result, when using a
benchmarking strategy for a particular control, the auditor should consider the effect of
related files, tables, data, and parameters on the application control’s functionality.”
•Two important concepts
•Look at system to determine whether application control setups are changed
•Review reliability of change management process to ascertain whether the
baselined values can be relied upon
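The following is an added example (not from the presentation) that ties the Journal Sources data above to the two benchmarking concepts: it compares current setup values against a baseline, shows why matching values plus changed WHO columns (updated by / update date) is still a finding, and replays a row-level change log to find the window in which the control was not in its baseline state. The row-level log is an assumed trigger-based custom log, not a seeded EBS object; the data is constructed from the slide.

```python
from dataclasses import dataclass

@dataclass
class SetupRow:
    name: str
    value: str        # e.g. "Checked" / "Unchecked"
    updated_by: str   # WHO column LAST_UPDATED_BY
    update_date: str  # WHO column LAST_UPDATE_DATE

# Constructed data taken from the slide's Journal Sources table.
BASELINE = SetupRow("Journal Source", "Checked", "AUTOINSTALL", "03-Jan-2007 21:52:09")
CURRENT = SetupRow("Journal Source", "Checked", "JTH9891", "25-Aug-2008 16:45:31")

# Constructed row-level log (old/new value per change), as an assumed
# trigger-based audit trail on the setup table would record it.
CHANGE_LOG = [
    {"name": "Journal Source", "old": "Checked", "new": "Unchecked", "by": "JTH9891", "at": "25-Aug-2008 16:43:58"},
    {"name": "Journal Source", "old": "Unchecked", "new": "Checked", "by": "JTH9891", "at": "25-Aug-2008 16:45:31"},
]

def benchmark(baseline: SetupRow, current: SetupRow) -> str:
    """Compare a current setup row to its baselined value and classify the result."""
    if current.value != baseline.value:
        return "VALUE_CHANGED"
    if (current.updated_by, current.update_date) != (baseline.updated_by, baseline.update_date):
        # Value matches the baseline but the row was touched afterwards: the WHO
        # columns cannot say what changed, so change-management evidence is needed.
        return "TOUCHED_SINCE_BASELINE"
    return "UNCHANGED"

def history(log: list, name: str) -> list:
    """Replay the row-level log: (timestamp, old, new) for one setup row."""
    return [(e["at"], e["old"], e["new"]) for e in log if e["name"] == name]

def exposure_windows(log: list, name: str, baseline_value: str) -> list:
    """Periods during which the control was not in its baseline state.
    Each window is (start, end); end is None if the row is still non-baseline."""
    windows, start = [], None
    for at, _old, new in history(log, name):
        if new != baseline_value and start is None:
            start = at
        elif new == baseline_value and start is not None:
            windows.append((start, at))
            start = None
    if start is not None:
        windows.append((start, None))
    return windows
```

Run against the constructed data, benchmark() reports TOUCHED_SINCE_BASELINE (the slide's "we have no idea WHAT changed" case) and exposure_windows() recovers the 16:43:58 to 16:45:31 window from the row-level log.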
Application Controls Guidance
•For Application Controls to be relied upon, you need to review:
•Setups specific to the application control
•Override of system-level controls during entry of transaction
•IT General Controls
Benchmarking
•Setups specific to the application control. You need to consider all
setups related to the application control to make sure the integrity
of the control is ensured.
•Example related to PO approvals and matching
requirements: workflow components, approval groups,
approval assignments, document types, line types, supplier
header, at the transaction level
Benchmarking
Setup values are established (screenshot)…
But can be overridden at various levels (screenshots)…
Override at transaction level
And sometimes overridden at the transaction level (screenshot)
Application Controls Recommendations
For your application controls to be effective:
•Know your policies and procedures
•Know your process
•Make sure all system-related setups are documented and
baselined
•Require changes to go through change management process – be
documented and approved
•Ability to change setups and objects should be tightly controlled
just as you control object changes
•Changes to setups and objects related to application controls
should be audited
•Which… would require a detailed (log or trigger-based) audit trail
to be built
IT General Controls Guidance
Why IT General Controls are important:
The critical commentary in the IIA guidance on the
importance of ITGC’s states that “if the ITGC’s that
monitor program changes are not effective, then
unauthorized, unapproved, and untested program changes
can be introduced to the production environment, thereby
compromising the overall integrity of the application
controls.”
IT General Controls Challenges
Some common Change Management challenges for companies
running Oracle EBS:
•Too narrowly define change management as IT changes
•Failure to develop non-IT executive ownership for the change
management process
•Failure to properly identify the setup forms that impact their
business processes
•Failure to develop the necessary audit trail to test for
unauthorized changes
•Failure to design security using the principle of least privilege
•Failure to address risks related to forms that allow SQL
statements to be embedded in them
•Failure to maintain documentation
Q & A
Oracle Apps Internal Controls Repository
Internal Controls Repository Content:
•White Papers such as Accessing the Database without having a Database
Login, Best Practices for Bank Account Entry and Assignment, Using a Risk
Based Assessment for User Access Controls, Internal Controls Best Practices
for Oracle’s Journal Approval Process
•Oracle apps internal controls deficiencies and common solutions
•Mapping of sensitive data to the tables and columns
•Identification of reports with access to sensitive data
•Recommended minimum tables to audit
•http://tech.groups.yahoo.com/group/oracleappsinternalcontrols/
•Not affiliated with Oracle Corporation
ERP Seminars Services
•Free one-hour consultation
•On-site seminars (1 - 2 days) – custom tailored to your
company’s needs
•Various web-based seminars
•RFP / RFI management for Oracle-related third party software
•SOD / UAC Third Party software project management
•SOD / UAC remediation prioritization
•Controls review related to Oracle-related controls –
implementations and post-implementation
Seminars Offered
Seminars planned:
• Tuesday, Dec 1 - 1 p.m. EST - Auditing Oracle E-Business
Suite: Top Internal Controls and Security Risks
• Tuesday, Dec 8 - 1 p.m. EST - Auditing Oracle E-Business
Suite: Internal Controls Deficiencies
• Thursday, Nov 17 - 1 p.m. EST - Auditing Oracle E-Business
Suite: Application Security
• Thursday, Dec 10 - Risk-Based Assessment of User Access
Controls and Segregation of Duties for Companies Running
Oracle E-Business Suite
• See: http://www.erpseminars.com/seminars.html
Best Practices Caveat
The Best Practices cited in this presentation have not been
validated with your external auditors nor has there been any
systematic study of industry practices to determine they are ‘in
fact’ Best Practices for a representative sample of companies
attempting to comply with the Sarbanes-Oxley Act of 2002 or
other corporate governance initiatives mentioned. The Best
Practice examples given here should not substitute for accounting
or legal advice for your organization and provide no
indemnification from fraud, material misstatements in your
financial statements, or control deficiencies.
Contact Information
Jeffrey T. Hare, CPA CISA CIA
•Cell: 970-324-1450
•Office: 970-785-6455
•E-mail: [email protected]
•Websites: www.erpseminars.com, www.oubpb.com
•Oracle Internal Controls and Security listserver (public
domain listserver) at http://groups.yahoo.com/group/OracleSox
•Internal Controls Repository (end users only)
http://tech.groups.yahoo.com/group/oracleappsinternalcontrols/
•Skype: jhareaz