AUDITING ORACLE APPLICATIONS
PRESENTED BY
SHERRY DOUB, MSCIS, CISA
Jacksonville Chapter
Agenda
Key Business Risks
Security and Access
Implementation Impacts
Audit Challenges
Oracle Organizational Overview
Multi Organizational Access Control (MOAC)
Profile Options for Multi Organizations (MO)
Oracle Security Concepts
Oracle Version R12 Automated Controls
Key Business Risks
Data Conversions
Training
Project Governance
Management Involvement
Key Business Risks R11i to R12
In R11i the Set of Books does not have a one-to-one relationship with the General Ledger; R12 addresses this with the Ledger
Functionality changes have been applied to the Masters and financials
Access has been improved and applies at the operational unit level
R12 allows easier transition from legacy systems with Fusion
Converting large quantities of historical data is challenging (one common database, thousands of tables)
Key Business Risks
Oracle integrates all systems into a single system
Oracle therefore is a single point of failure
All transaction processing for all functional areas may be on a single system
If Oracle shuts down, the company operations cease
Disaster recovery planning is crucial
Security and Access
Oracle requires extensive, well thought out security access
Authorizations occur at the application level
Application-level security alone is too relaxed, so database and network security are also necessary
Because Oracle is a single point of access, the number of users with access increases significantly: field personnel, vendors and customers
Implementation Impacts
The significance of configurations to security cannot be overstressed
Key opportunity during implementation to establish a control environment with configuration settings
May be difficult with Oracle to change configurations for certain controls after implementation
Audit Challenges
Oracle implementations are unique
Flexible and complex
Customizable
Oracle version, scope of implementation, configuration of business processes, and degree of customization all contribute to this variation
Impossible to design a standard audit approach
Must invest time in customizing the audit program
Audit Challenges
First year audits in a changing environment
Enterprise Resource Planning knowledge
Enterprise Resource Planning tools utilized
Data retention processes
Data extraction
Interfacing with external audit
Relationship leveraging
Knowledge sharing
Expectation management
Oracle Organizational Model Overview
Oracle Applications
Two conceptual structures
Human Resources
Operations and Accounting
Required Financial Organization or Enterprise Structure
Design of the Organization Structure affects how scalable Oracle functionality becomes and must align with the strategic objectives
Human Resources Organization
Human Resources Organization Model
(Figure) Business Groups BG 1 and BG 2 at the top; HR Organizational Level 1 (HR L 11 to HR L 14), Level 2 (HR L 21 to HR L 24) and Level 3 (HR L 31, HR L 32) beneath them.
Financial Organization Structure
Business Groups (one or more, hierarchy: one to many relationship)
Ledger (Set of Books, one or more for each Business Group)
Legal Entity (one or more for each Ledger, hierarchy: one to one relationship)
Operating Unit
Inventory Organization
Human Resources Organization
Financial Organization Model
(Figure) Business Groups BG 1 and BG 2; Primary Ledgers PL 11 to PL 14; Legal Entities LE 1 to LE 4; Operating Units OU 1 to OU 4; Inventory Organizations IO 1 to IO 5, each hanging off a single operating unit.
Business Group
Multiple ledgers can share the same business group if they share the same business group attributes
Ledger
One ledger (set of books) is defined by a single:
1. Chart of Accounts
2. Calendar
3. Currency
Any combination that differs in one of these must be a separate ledger.
There can be multiple types of ledgers (secondary and consolidated ledgers are linked to the primary ledgers)
Legal Entity
Reporting or statutory entities
Viewed as a Legal entity Group or Tax Entity
Operating Unit
Transactional Data
Inventory Organization
Can only belong to one Ledger, Legal Entity, and Operating Unit Structure
Impact
Multi-Org Access Control allows one functional set of users, with a single responsibility, to access data across multiple Legal Entities.
Users perform tasks across operating units without switching responsibilities.
Release 12 needs less custom code and allows more out-of-the-box granularity.
Multi Organizational Access Control Setup
Define Operational Units
Create Security Profile
Run Security Maintenance on List
Set Profile Options
Multi Organizational Access Control Process
Login to a Responsibility
Open the Application
Application Checks Access Privilege
Process Operating Units’ Data
Profile Option MO: Security Profile
Controls the list of operating units a responsibility can access
Profile Option MO: Default Operating Unit
When an application page is accessed, this operating unit is displayed first
Profile Option MO: Operating Unit
R11i option retained for products and customers that do not use Multi-Org (MO); it holds a single operating unit
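The following query is an added example, not part of the presentation, that pulls the MOAC setup described above into one auditable list: for each responsibility, the MO: Security Profile assigned at responsibility level and the operating units that profile resolves to. It assumes the standard R12 tables and internal profile option names (FND_PROFILE_OPTIONS, FND_PROFILE_OPTION_VALUES, PER_SECURITY_PROFILES, PER_ORGANIZATION_LIST, HR_OPERATING_UNITS, internal name XLA_MO_SECURITY_PROFILE_LEVEL); verify these against your instance before relying on the output.

```sql
-- Added audit query (not from the presentation). Assumes standard R12
-- FND/HR tables and the internal profile option name
-- XLA_MO_SECURITY_PROFILE_LEVEL for "MO: Security Profile".
-- Level codes in FND_PROFILE_OPTION_VALUES:
--   10001 = Site, 10002 = Application, 10003 = Responsibility, 10004 = User.
-- PER_ORGANIZATION_LIST is only populated by "Security List Maintenance",
-- so a profile with no rows here may simply not have been maintained yet.
SELECT rt.responsibility_name,
       sp.security_profile_name,
       sp.view_all_organizations_flag          AS view_all_orgs,
       ou.name                                 AS operating_unit
FROM   fnd_profile_options        po
JOIN   fnd_profile_option_values  pov
       ON  pov.profile_option_id = po.profile_option_id
       AND pov.application_id    = po.application_id
JOIN   fnd_responsibility_tl      rt
       ON  rt.responsibility_id = pov.level_value
       AND rt.application_id    = pov.level_value_application_id
       AND rt.language          = USERENV('LANG')
JOIN   per_security_profiles      sp
       ON  sp.security_profile_id = TO_NUMBER(pov.profile_option_value)
LEFT JOIN per_organization_list   ol
       ON  ol.security_profile_id = sp.security_profile_id
LEFT JOIN hr_operating_units      ou
       ON  ou.organization_id = ol.organization_id   -- keeps only OUs
WHERE  po.profile_option_name = 'XLA_MO_SECURITY_PROFILE_LEVEL'
AND    pov.level_id           = 10003                -- responsibility level
ORDER  BY rt.responsibility_name, ou.name;
```

Rows with view_all_orgs = 'Y' are the ones to scrutinize first: such a profile grants every operating unit regardless of the list, so the responsibility is effectively unrestricted. A responsibility that returns no row at all here is either still on the R11i MO: Operating Unit setting or has the security profile set at site or user level, and should be checked separately.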
Oracle Security Concepts
Users
Roles
Responsibilities (Functionality or Modules like GL, Purchasing)
Forms
Menus (logical grouping of functions accessible via a responsibility)
Functions (Segregation of Duties, building blocks for security)
Request Groups (reports, concurrent programs assigned to a responsibility)
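Because functions are the building blocks for segregation of duties, the practical SoD test is: which users can reach two conflicting functions through any of their responsibilities? The query below is an added example, not from the presentation. It assumes the standard FND security tables (FND_USER, the FND_USER_RESP_GROUPS view covering direct and role-based assignments, FND_RESPONSIBILITY, FND_COMPILED_MENU_FUNCTIONS, FND_FORM_FUNCTIONS, FND_RESP_FUNCTIONS) and uses two placeholder function codes that must be replaced with the codes of the conflicting functions on your instance.

```sql
-- Added SoD query (not from the presentation). Assumes standard FND tables.
-- FND_COMPILED_MENU_FUNCTIONS is the flattened menu tree maintained by the
-- "Compile Security" program; run it first or the closure may be stale.
WITH user_functions AS (
  SELECT DISTINCT u.user_name,
         rt.responsibility_name,
         ff.function_name
  FROM   fnd_user                  u
  JOIN   fnd_user_resp_groups      urg          -- direct + indirect (role) grants
         ON  urg.user_id = u.user_id
         AND (urg.end_date IS NULL OR urg.end_date > SYSDATE)
  JOIN   fnd_responsibility        fr
         ON  fr.responsibility_id = urg.responsibility_id
         AND fr.application_id    = urg.responsibility_application_id
         AND (fr.end_date IS NULL OR fr.end_date > SYSDATE)
  JOIN   fnd_responsibility_tl     rt
         ON  rt.responsibility_id = fr.responsibility_id
         AND rt.application_id    = fr.application_id
         AND rt.language          = USERENV('LANG')
  JOIN   fnd_compiled_menu_functions cmf        -- every function under the resp menu
         ON  cmf.menu_id    = fr.menu_id
         AND cmf.grant_flag = 'Y'
  JOIN   fnd_form_functions        ff
         ON  ff.function_id = cmf.function_id
  WHERE  (u.end_date IS NULL OR u.end_date > SYSDATE)
  -- drop functions the responsibility explicitly excludes (rule_type 'F')
  AND    NOT EXISTS (
           SELECT 1
           FROM   fnd_resp_functions rf
           WHERE  rf.responsibility_id = fr.responsibility_id
           AND    rf.application_id    = fr.application_id
           AND    rf.rule_type         = 'F'
           AND    rf.action_id         = ff.function_id)
)
SELECT a.user_name,
       a.responsibility_name AS via_resp_a,
       b.responsibility_name AS via_resp_b
FROM   user_functions a
JOIN   user_functions b ON b.user_name = a.user_name
WHERE  a.function_name = 'AP_APXVDMVD'   -- placeholder: supplier maintenance
AND    b.function_name = 'AP_APXINWKB'   -- placeholder: invoice workbench
ORDER  BY a.user_name;
```

The conflict is reported even when the two functions come from different responsibilities, which is the usual way SoD violations creep in. Menu-level exclusions (rule_type 'M' in FND_RESP_FUNCTIONS) are not expanded here, so a hit should be confirmed against the responsibility's exclusion list before it is written up.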
Oracle Automated Application Controls
Controls over system processing of an activity or transaction
System configurations are Preventive Control activities to prevent a financial error or misstatement
Detective controls are after the fact like the review of a report
Oracle Application Control Types
Flex Fields
Matching
Tolerances
Signing Limits
Workflow / Approvals
Alerts
Edit Checks
Cross Validation Rules
Holds
Automated Accounting Entries
Auto Numbering
Control Reports
Lists of Values
Audit Trails
General Ledger Key Controls
Journals are approved systematically in Oracle, according to the approval limits pre-defined in the system. Completeness/Valuation
Imported journals (from feeder modules) cannot be modified in the general ledger. Valuation
Oracle only allows balanced entries to be posted. If used, accounts used for suspense posting of journal entries are properly configured in Oracle and balances are reviewed and cleared on a regular basis. Valuation
General Ledger Key Controls (cont.)
Cross-validation rules have been enabled and developed to ensure the accuracy of data entry. Valuation
Cross-validation rules take precedence over dynamic inserts, and flexfield definitions are frozen, so that only valid account code combinations are enforced. Completeness/Existence or Occurrence
Rollup Groups are frozen indicating that they cannot be changed. Completeness/Presentation & Disclosure
General Ledger Key Controls (cont.)
Journal Approval
Journal Authorization Limits
Flexfield Definition
Cross validation rules
Flexfield Security rules
GL Accounts definition
Ledger accounting options
Open/Close GL Periods
GL Calendar definition
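Most of the GL key controls listed above are ledger and accounting flexfield settings, so they can be read straight from the configuration tables rather than taken from a screenshot. The query below is an added example, not from the presentation; it assumes the standard R12 columns on GL_LEDGERS, FND_ID_FLEX_STRUCTURES and FND_FLEX_VALIDATION_RULES (accounting flexfield code 'GL#', application 101), which should be verified on the instance being audited.

```sql
-- Added configuration check (not from the presentation). Assumes standard
-- R12 GL_LEDGERS and FND flexfield tables; 'GL#' / 101 identify the
-- Accounting Flexfield. Each column maps to one of the key controls above.
SELECT l.name                               AS ledger,
       l.enable_je_approval_flag            AS journal_approval,
       l.suspense_allowed_flag              AS suspense_posting,
       s.freeze_flex_definition_flag        AS flexfield_frozen,
       s.cross_segment_validation_flag      AS cross_validation_on,
       s.dynamic_inserts_allowed_flag       AS dynamic_inserts,
       s.freeze_structured_hier_flag        AS rollup_groups_frozen,
       (SELECT COUNT(*)
        FROM   fnd_flex_validation_rules r
        WHERE  r.application_id = s.application_id
        AND    r.id_flex_code   = s.id_flex_code
        AND    r.id_flex_num    = s.id_flex_num
        AND    r.enabled_flag   = 'Y')      AS active_cv_rules,
       CASE
         WHEN l.enable_je_approval_flag       = 'N'
           OR s.freeze_flex_definition_flag   = 'N'
           OR s.cross_segment_validation_flag = 'N'
         THEN 'REVIEW'
         ELSE 'OK'
       END                                  AS finding
FROM   gl_ledgers           l
JOIN   fnd_id_flex_structures s
       ON  s.id_flex_num    = l.chart_of_accounts_id
       AND s.id_flex_code   = 'GL#'
       AND s.application_id = 101
WHERE  l.ledger_category_code = 'PRIMARY'
ORDER  BY l.name;
```

A ledger flagged REVIEW is not automatically a finding: journal approval may be intentionally off where approval is enforced in the feeder system, and dynamic inserts may be on by design. The value of the query is that it gives the auditor the configured state to compare against the documented control, and active_cv_rules = 0 with cross_validation_on = 'Y' is a common sign that the control exists on paper only.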
Fixed Assets Key Controls
The Asset Number is automatically assigned by the system. The Asset Numbers are sequential. Completeness
Depreciation can only be calculated once in a month. Completeness
Asset to be retired must 1) exist on system, 2) cannot be retired in same month as entered, and 3) Units retired must be less than or equal to active units. Completeness, Rights & Obligations
Fixed Assets Key Controls (cont.)
The Depreciation Run process automatically generates the GL Journal entries for depreciation, additions and retirements transferring unposted journal entries to GL. Completeness, Valuation
Standard programmed algorithms perform depreciation calculations based on the asset life. Valuation
Fixed Assets Key Controls (cont.)
Fiscal Years and Calendars
Prorate convention
Books controls
Asset Categories
System Controls
Assets Key Reports
Asset Register Report
Asset Cost Balance Report
Asset Addition Report
Depreciation Projection Report
Payables Key Controls
Invoices are authorized through a systematic match of the PO price, invoice price and quantity received; holds are automatically generated for discrepancies. Valuation, Rights & Obligations
System holds on the invoices cannot be released unless the error is rectified. Valuation
Date used for accounting date for invoices during accounting entry agrees to business process. Completeness
Employee expense reports are approved by managers per established approval limits. Valuation, Completeness
Payables Key Controls (cont.)
Invoice tolerances
Expense signing limits
Invoice Holds
Payable Options
Financial Options
Key Reports
Purchasing Key Controls
Edit checks ensure valid purchase order data entry based on predefined values. Completeness
Purchase orders and requisitions are approved systematically in Oracle, according to the approval limits pre-defined in Oracle. Valuation, Rights & Obligations
Requisitions, purchase orders, and receipts are automatically/sequentially numbered. Completeness
Purchasing Key Controls (cont.)
Document Types
Approval groups/Limits
Buyers definition
Purchasing Options
Receiving Options
Financial Options
Key Reports
Order Management Key Controls
Edit checks verify that valid data is entered or updated in the customer master files. Valuation
System places an automatic hold on orders that fail credit check. The hold prevents the order from being shipped out. Valuation
Sales Orders are automatically numbered. Completeness
Order data entered in the Order Organizer is validated through a system of defaults and edit checks. Valuation
System denies shipping of items in excess of the quantity on hand, which prevents negative inventory balances. Valuation, Rights & Obligations
Oracle system functionality copies important shipping and delivery information from customer master file to the pick list. Valuation, Completeness
Order Management Key Controls (cont.)
Processing constraints
Transaction Types (Enforce List Price)
Credit Check Rules (define and assign)
Profile Classes
Credit Check Hold
Sequencing of Order Numbers
Privileges
Inventory Key Controls
Edit checks verify that valid data is entered or updated in the item master files. Completeness
Oracle prevents modifications to key attributes of inventory items that are set in a centralized organization. Completeness
Oracle tracks lots for receipt, issues, and transactions for items defined under Lot Control. Completeness
Inventory Key Controls (cont.)
Oracle is configured to facilitate and process inventory counting and count adjustments. Completeness, Valuation
Oracle inventory automatically performs inventory tracking, movements, and the financial entries for the majority of inventory processes. Completeness, Valuation
Inventory Reports
Inactive Items Report
Sub-Inventory Report
Physical Inventory Adjustments Report
Cycle Count Entries and Adjustments Report
Physical Inventory Missing Tag Listing
Period Close Reconciliation Report
Physical Inventory Trend Report
Thank You
Questions?
Contact Information
Sherry Doub, MSCIS, CISA
IT Internal Auditor
EverBank Internal Audit Dept.
8120 Nations Way, Suite 205
Jacksonville, FL 32256
904-245-7313