FulcrumWay - Effective Ways to Assess ERP Controls 2014
Leverage Technology: Move Your Business Forward™
Risk and Compliance | Financial Reporting | Internal Audit | Controls Catalog | Application Security | Advanced Analytics
A Leader in Risk Based Enterprise Controls Management Solutions
Copyright © Fulcrum Information Technology, Inc. "Give me a lever long enough and a fulcrum on which to place it, and I shall move the world" - Archimedes
Is Oracle ERP in Scope for 2014 Audit Plan?
Learn, from our client case-studies, effective ways to assess ERP Controls
Webinar – January 28th, 2014
Adil Khan
Managing Director
www.fulcrumway.com Page 2 Copyright © FulcrumWay
Is Oracle ERP in Scope for 2014 Audit Plan?
Agenda
• Introductions
• ERP Control Assessment Approach – 2014
• ERP Controls in Scope for Audit
• Audit Findings and Remediation
• Oracle Advanced Controls – Case Study
Introductions
FulcrumWay: A Leader in Risk Based Controls Management™
FulcrumWay is the #1 End-to-End Provider of Risk Based Enterprise Controls Management Solutions for Oracle EBS, PeopleSoft and JDE customers with over 200 Fortune-500 to Middle Market clients. Since 2003, we have successfully assisted companies across all major industry segments.
Expertise: Risk Advisory Services. Advanced Controls Design for Enterprise Applications. Best Practices for Risk Mitigation and Internal Controls Automation. Audit, Compliance, Financial, Enterprise and Operational Risk Assessments. Risk Remediation Services.
Packaged Solutions: FulcrumWay is the #1 choice of Oracle customers for Oracle GRC Advanced Controls, GRC Manager, and GRC Intelligence/OBIEE software implementation. Oracle has certified us as the only partner with Accelerators for Oracle GRC. We also provide Managed Services.
Software Services: Risk Assessment for ERP systems, Control Design and Management Tools, Controls Catalog, Enterprise Risk Manager, Financial Reporting Manager, Audit Manager.
USA Presence: Privately held Delaware Corporation with US offices in New York City, Dallas and San Francisco.
International Presence: Auckland, Chennai, Johannesburg, London, Mexico City.
FulcrumWay Clients: Successful Track Record
Industries served: Government, Oil and Gas, Healthcare, Communications, Financial Services, Transportation, Natural Resources, Manufacturing, Retail, High Tech, Media/Entertainment, Life Sciences
FulcrumWay™ Insight: Thought Leadership and Proven Expertise
• Co-Authored GRC Book: First book on GRC for Oracle Applications
• Webcasts – GRC Best Practices, Trends and Expert Insight – February 19th
• Executive Round Table – GRC Advanced Controls Luncheon, Los Angeles, February 21st
• Executive Round Table – March 13th, Chicago: GRC Case Studies and Best Practices
• Collaborate 14 – GRC Client Appreciation Dinner, April 9th, 2014, Las Vegas
• Oracle Open World – Annual GRC Dinner on September 23rd, 2014, W Hotel San Francisco
• LinkedIn – FulcrumWay Risk, Compliance and Audit Software Group
• YouTube Podcasts – FulcrumWay Instant Insight in 10 min or less
ERP Control Assessment Approach – 2014
Why include ERP Controls in Audit?
The U.S. Public Company Accounting Oversight Board's (PCAOB) standard, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements, states that benchmarking of application controls can be used because these controls are generally not subject to breakdowns due to human failure. If general controls that are used to monitor program changes, access to programs, and computer operations are effective and continue to be tested on a regular basis, the auditor can conclude that the application control is effective without having to repeat the previous year's control test. This is especially true if the auditor verifies that the application control has not changed since the auditor last tested the application control.
What are ERP Application Controls
Control Points (diagram): Inputs (User Inputs, External Interface, Web Services, Banks) pass through Data Input Validation, Posting and Processing to Output (Stockholders, Board of Directors). Supporting elements: ERP Configurations, Data Storage, Audit Logs, Data Archives, System Control Documents, Business Policies.
Control objectives at each point:
• Input data is accurate, complete, authorized, and correct
• Data is processed as intended in an acceptable time period
• Data stored is accurate and complete
• Outputs are accurate and complete
• A record is maintained to track the process of data from input to storage and to the eventual output
Top Down Risk Based Approach to Application Controls
Assessment Approach:
• What are the enterprise wide risks that need to be assessed?
• Which business processes are impacted by these risks?
• Which ERP apps are used to perform these processes?
• Where (business locations) are the processes performed?
• What application functions control the processes?
ERP Controls in Scope for Audit
Application Risk Factors (ERP Scope)
Candidate apps: AR, AP, GL, INV, PR, HR, OM, PO, FA

List of Apps | Primary Process Enabler | Financial /Sensitive Data | Custom Code | Freq. of Changes | Audit Logs | Risk Rating
GL | 8 | 9 | 5 | 9 | 8 | 34
AP | 7 | 7 | 6 | 8 | 9 | 32
AR | 7 | 7 | 9 | 9 | 7 | 39
FA | 5 | 5 | 5 | 5 | 5 | 25
PO | 5 | 5 | 4 | 6 | 4 | 24

Risk Scale: Highest 10. Risk Threshold: Over 30. Apps over the threshold: AP, GL, AR.
Access Controls (ERP Scope) – FulcrumWay Controls Catalog
Access Control | Risk Description | Process | ERP App | Risk Type | Risk Rating
Enter Journal and Post Journal | Can cause frauds or errors resulting in over or under stated financial statements | R2R | GL | Fin | High
Create Suppliers and Create Invoices - R12 | Can lead to an overstatement of liabilities if fictitious suppliers are created and invoiced. | P2P | AP | Fin | High
Create Customer and Create Sales Order - R12 | Can lead to an overstatement of revenues. | O2C | AR | Fin | High
Configuration Controls (ERP Scope) – FulcrumWay Controls Catalog
Configuration Control | Risk Description | Process | ERP App | Risk Type | Risk Rating
Journal Authorization Limits | Authorization limits for employees. | R2R | GL | Fin | High
Payment Adjustment Controls | Adjustments made to invoice distributions after payment is issued can cause errors in reconciliation … | P2P | AP | Fin | High
Define Credit Usage Rules | In Credit Management, credit usage rule sets ensure that all transactions for the specified currencies are converted to the credit ... | O2C | AR | Fin | High
ERP Transaction Controls (ERP Scope) – FulcrumWay Controls Catalog
Transaction Control | Risk Description | Process | ERP App | Risk Type | Risk Rating
Exchange Rates | Identify transactions: after-the-fact monitoring of manual inputs of system exchange rates that are … more than 10% +/- | R2R | GL | Fin | High
AP Invoice Over PO | Invoice payments in excess of PO / user Invoice approval limit | P2P | AP | Fin | High
AR Invoices Over Threshold | Control monitor returns a record of each customer invoice that is valued in excess of a specified threshold. | O2C | AR | Fin | High
ERP Control Methods (ERP Scope)
Risk matrix (diagram): Impact (Low to High) plotted against Probability (Low to High); the quadrants are rated High Risk, Medium Risk (two quadrants) and Low Risk.
Control methods shown: Monitor Controls; Mitigate; Remediate & Prevent; Accept.
ERP Preventive Controls ERP Scope
Audit Findings and Remediation
ERP Audit Findings and Remediation
Findings / Remediation cycle: Assess Risk → Detect Violations → Analyze Issues → Remediate Issues → Implement Corrective Actions → Monitor Application Environment
Supporting activities: Scope Application Controls; Sample ERP Data; Manage Exceptions; Setup Mitigating Controls; Establish Test Environment
Roles: IT/Business Control Teams; Application Controls Manager; Application Security Administrator
Tool: FulcrumWay DataProbe
Access Controls Violations – Findings
Example finding (access path from a user to two conflicting actions):
User: John Doe
  Role: Invoice Manager
    Permission List: Invoices
    Component: INVOICES-GBL
    Page: TD_INVOICES
    Page: PAYMENT_ACTION_IC
  Role: Purchasing User
    Menu: CREATE_PMTS
Legend: Role; Row Security Class; SOD Conflict; Inherent; False Positive; Locked User; Panel Group; Component; Authorized Actions
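The Access Controls table earlier in the deck and this finding describe the same check: a user who can reach two functions that a segregation-of-duties rule says must be held by different people, whether through a single role (an intra-responsibility conflict) or through a combination of roles (inter-responsibility), with reviewed conflicts carried as mitigated exceptions rather than open findings. The following Python is an added example, not FulcrumWay's or Oracle's code. The roles, functions, users and the mitigated-exception register are constructed, and modelling a role as a flat set of functions is a simplification of the real responsibility/menu/function/permission-list layering.

```python
"""Segregation-of-duties (SoD) conflict detection over ERP access data.

Added example, not FulcrumWay's or Oracle's code. Role, function and user
names are constructed to mirror the slides: a user holding both Enter Journal
and Post Journal, or Create Suppliers and Create Invoices, is an SoD conflict.
Modelling a role as a set of functions is an assumption; real ERPs resolve
access through several layers (responsibility, menu, function, permission list).
"""
from dataclasses import dataclass, field

# Conflict rules taken from the Access Controls ERP Scope slide (process, rating).
SOD_RULES = [
    ("Enter Journal", "Post Journal", "R2R", "High"),
    ("Create Suppliers", "Create Invoices", "P2P", "High"),
    ("Create Customer", "Create Sales Order", "O2C", "High"),
]

# Constructed role definitions: role -> set of application functions it grants.
ROLES = {
    "GL Clerk": {"Enter Journal", "View Journal"},
    "GL Supervisor": {"Post Journal", "View Journal"},
    "AP Super User": {"Create Suppliers", "Create Invoices", "Create Payments"},  # conflict inside one role
    "Invoice Manager": {"Create Invoices"},
    "Purchasing User": {"Create Purchase Order", "Create Payments"},
    "Order Entry": {"Create Sales Order"},
}

# Constructed user-to-role assignments (a user may hold several roles).
ASSIGNMENTS = {
    "jdoe": ["GL Clerk", "GL Supervisor"],           # conflict only through the combination
    "asmith": ["AP Super User"],                     # conflict within a single role
    "bkim": ["Invoice Manager", "Purchasing User"],  # no rule matches this pair
    "clee": ["Order Entry"],
}

# Constructed exception register: conflicts reviewed and accepted with a
# mitigating control (e.g. independent review), as on the findings legend.
MITIGATED = {("asmith", "Create Suppliers", "Create Invoices")}


@dataclass
class Finding:
    user: str
    function_a: str
    function_b: str
    process: str
    rating: str
    roles_a: list = field(default_factory=list)
    roles_b: list = field(default_factory=list)

    @property
    def kind(self) -> str:
        # Intra-role: one role grants both functions. Inter-role: only the
        # combination of roles creates the conflict.
        return "intra-role" if set(self.roles_a) & set(self.roles_b) else "inter-role"


def functions_by_role(user: str) -> dict:
    """Map each function the user can reach to the roles that grant it."""
    reach = {}
    for role in ASSIGNMENTS.get(user, []):
        for fn in ROLES.get(role, set()):
            reach.setdefault(fn, []).append(role)
    return reach


def detect_sod(user: str, include_mitigated: bool = False) -> list:
    """Return one Finding per SoD rule whose two functions the user can both reach."""
    reach = functions_by_role(user)
    findings = []
    for fa, fb, process, rating in SOD_RULES:
        if fa in reach and fb in reach:
            if not include_mitigated and (user, fa, fb) in MITIGATED:
                continue  # reviewed exception, carried as mitigated rather than open
            findings.append(Finding(user, fa, fb, process, rating, reach[fa], reach[fb]))
    return findings


def sod_report() -> dict:
    """Open findings for every user in the assignment extract."""
    return {u: detect_sod(u) for u in ASSIGNMENTS}


if __name__ == "__main__":
    for user, findings in sod_report().items():
        for f in findings:
            roles = sorted(set(f.roles_a + f.roles_b))
            print(f"{user}: {f.function_a} + {f.function_b} ({f.process}, {f.rating}, {f.kind}) via {roles}")
```

Separating the rule set from the access extract is what lets a conflict report distinguish intra- from inter-responsibility conflicts, and keeping the exception register as data means a mitigated conflict reappears automatically if the mitigating control is withdrawn.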
Oracle Procure-to-Pay – Control Points and Findings
Process model (diagram): Business Process Models; Service Oriented Architecture; Corporate Performance Management; Collaboration. Supplier side: Strategic Sourcing & Contract Mgmt; Supplier Collaboration; Spend Categories (Indirect & MRO, Direct Materials, Services). Flow: Requisition → Purchase Goods / Services → Receive Goods / Services → Invoice → Issue Payments → Banks (SWIFTNet Settlement, Payment Processors).

Strategic Sourcing & Contract Mgmt – CONTROLS / Findings
• Are your vendors compliant with trade regulations? Are the vendors blacklisted?
• Do you have duplicate suppliers?
• Are there inappropriate associations between a vendor and an employee?
• Are there frequent changes to Supplier information?
• Are you missing critical supplier information? Is the information valid?

Requisition / Purchase Goods / Services – CONTROLS / Findings
• Do you have duplicate Purchase Orders?
• Are there purchases with non-preferred vendors?
• Are there split POs?
• Are POs created on the same day as goods arrive?

Receive Goods / Services, Invoice, Issue Payments – CONTROLS / Findings
• Are you making accurate and timely payments?
• Did the person making the payment create or modify the vendor?
• Are there discrepancies in freight charges?
• Are payment term changes reviewed before payment?
• Are there duplicate invoice amounts being processed?
Oracle Advanced Controls – Case Study
Case Study: Company Overview
Corporate Overview
• Large Mining, Chemical, Energy & Oil company headquartered in West Palm Beach, FL
• 1,200 Employees worldwide and $4B annual revenue
• Owns Oracle E-Business Suite R12 and several non-Oracle systems
Overall Challenges and the Need for ERP Controls
• Heterogeneous business application environment
• Inability to track unusual activity on sensitive financial data
• Lack of proper internal controls in various processes
• Insufficient documentation on access, configurations and transaction controls
Controls in Scope
• User security to prevent improper access to business functions
• Segregation of Requisitions from Purchase Orders
  – Auto Create of Purchase Orders/RFQ from Requisitions
• One, Two or Three way matching of purchases to payments
• Purchasing and Payment tolerances
• Vendor purchasing/pay site configuration
• One-time vendor indicator
• Purchasing Approvals
  – Based on dollar value
  – Commodity Type
Controls in Scope (continued)
Purchasing
  – Compare Vendor Address with Employee address, looking for similarities
  – Duplicate Suppliers, similar names or same tax ID
  – One time vendors, Audit rules on the one-time vendor flag changes
  – PO creation date is the same as the receiving date
  – Split purchase orders
  – Duplicate purchase orders
Accounts Payable
  – Change rule for change in payment terms & Change tracking object for terms and tolerances
  – Duplicate Invoices Control
  – Same employee creates vendor and invoice to vendor
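The Procure-to-Pay control-point questions and the Purchasing controls in scope above are supplier-master and purchase-order integrity checks: duplicate suppliers (same tax ID, same bank account, similar names), a vendor address that matches an employee address, split purchase orders, and a PO created on the same day the goods are received. The Python below is an added example, not FulcrumWay's or Oracle's code, showing how each of those questions becomes a query over extracted data. The supplier, employee, PO and receipt records, the approval limit and every field name are constructed for the example and are not Oracle EBS table columns.

```python
"""Procure-to-pay supplier and purchase-order integrity checks.

Added example, not FulcrumWay's or Oracle's code. Implements several of the
questions on the Oracle Procure-to-Pay control-points slides and the case-study
"Controls in Scope": duplicate suppliers (same tax ID, bank account or a
normalised name), supplier address matching an employee address, split POs and
POs created on the same day goods are received. Records, field names and the
approval limit are constructed; they are not Oracle EBS table columns.
"""
import re
from collections import defaultdict
from datetime import date

CORPORATE_SUFFIXES = {"inc", "corp", "corporation", "ltd", "llc", "co", "the"}


def normalise(text: str) -> str:
    """Lower-case, strip punctuation and drop corporate suffixes so that
    'ACME Corp.' and 'Acme Corporation' compare equal."""
    t = re.sub(r"[^a-z0-9 ]", " ", text.lower())
    return " ".join(w for w in t.split() if w not in CORPORATE_SUFFIXES)


def normalise_address(addr: str) -> str:
    """Address normalisation: same as names plus a few street-type abbreviations."""
    a = normalise(addr)
    return a.replace("street", "st").replace("road", "rd").replace("avenue", "ave")


# Constructed sample data.
SUPPLIERS = [
    {"id": 1001, "name": "ACME Corp.", "tax_id": "12-3456789", "bank_acct": "000111222", "address": "12 Main St, Dallas TX"},
    {"id": 1002, "name": "Acme Corporation", "tax_id": "12-3456789", "bank_acct": "000111223", "address": "12 Main Street, Dallas TX"},
    {"id": 1003, "name": "Blue Sky Supplies", "tax_id": "98-7654321", "bank_acct": "555000111", "address": "7 Oak Ave, Austin TX"},
    {"id": 1004, "name": "J. Doe Consulting", "tax_id": "55-1122334", "bank_acct": "555000111", "address": "40 Elm Rd, Plano TX"},
]
EMPLOYEES = [
    {"emp_id": 501, "name": "John Doe", "address": "40 Elm Road, Plano, TX"},
    {"emp_id": 502, "name": "Ann Smith", "address": "9 Pine Ct, Frisco TX"},
]
PURCHASE_ORDERS = [
    {"po": "PO-1", "supplier": 1003, "amount": 4800.0, "created": date(2014, 1, 6), "buyer": "bkim"},
    {"po": "PO-2", "supplier": 1003, "amount": 4900.0, "created": date(2014, 1, 6), "buyer": "bkim"},
    {"po": "PO-3", "supplier": 1001, "amount": 12000.0, "created": date(2014, 1, 9), "buyer": "asmith"},
]
RECEIPTS = [
    {"po": "PO-3", "received": date(2014, 1, 9)},
    {"po": "PO-1", "received": date(2014, 1, 20)},
]
PO_APPROVAL_LIMIT = 5000.0  # constructed single-PO approval threshold


def duplicate_suppliers() -> list:
    """Group suppliers on each key; any group with more than one member is a finding."""
    findings = []
    for key, fn in (("tax_id", lambda s: s["tax_id"]),
                    ("bank_acct", lambda s: s["bank_acct"]),
                    ("name", lambda s: normalise(s["name"]))):
        groups = defaultdict(list)
        for s in SUPPLIERS:
            groups[fn(s)].append(s["id"])
        findings += [(key, sorted(ids)) for ids in groups.values() if len(ids) > 1]
    return findings


def supplier_employee_address_matches() -> list:
    """(supplier id, employee id) pairs whose normalised addresses are equal."""
    by_addr = {normalise_address(e["address"]): e["emp_id"] for e in EMPLOYEES}
    return [(s["id"], by_addr[normalise_address(s["address"])])
            for s in SUPPLIERS if normalise_address(s["address"]) in by_addr]


def split_purchase_orders() -> list:
    """Several POs to one supplier by one buyer on one day, each under the
    approval limit but together above it."""
    groups = defaultdict(list)
    for po in PURCHASE_ORDERS:
        groups[(po["supplier"], po["buyer"], po["created"])].append(po)
    out = []
    for pos in groups.values():
        total = sum(p["amount"] for p in pos)
        if len(pos) > 1 and total > PO_APPROVAL_LIMIT and all(p["amount"] <= PO_APPROVAL_LIMIT for p in pos):
            out.append(sorted(p["po"] for p in pos))
    return out


def po_same_day_as_receipt() -> list:
    """POs whose creation date equals the receipt date (PO raised after the fact)."""
    created = {p["po"]: p["created"] for p in PURCHASE_ORDERS}
    return [r["po"] for r in RECEIPTS if created.get(r["po"]) == r["received"]]
```

The normalisation step is what turns "similar names" into a testable rule; without it the duplicate-supplier check only catches exact repeats, and the same applies to the employee-address comparison.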
Controls in Scope (continued)
• Open/Closing Accounting Periods
• Adding KFF Account values
• Hiding private/sensitive data
  – Social Security Number
  – Bank Account information
  – Home addresses
• Automated period close and consolidation process
IT/Super User Change Tracking
• Security Rules
• Cross Validation Rules
• Foreign Currency exchange rate changes
• Key Flexfield Segments
• System Profiles
• ERP Responsibilities
• Payment Terms and Tolerances
• Form Changes
• Alert Changes
• Bank Account Information
• Journal Sources and Categories
Oracle Advanced Controls Implementation
Preventive Controls
• Form Rules, i.e. limiting access to a field
• Flow Rules, i.e. approval rule, informational message on trigger
• Audit Rules, i.e. track changes
• Change Control Rules, i.e. reason code as to why a field is changed
Configuration Controls
• Snapshots, i.e. capturing specific setup/configuration info
• Comparisons, i.e. comparing snapshots between ledgers, operating units, instances
• Change Tracking, i.e. monitor any change to configuration
Access Controls
• Segregation of Duties, i.e. Policy Load
• User Provisioning, i.e. detection and remediation of SODs
• Conflict Reports, i.e. report on Intra and Inter Responsibility conflicts
Transaction Controls
• Business Objects, i.e. tables and fields within EBS Suite
• Parameters, i.e. Filters, Patterns and Functions
• TCG Models, i.e. string of business objects that generate suspects
Transaction Control Monitors
• AP Invoices Over Threshold – Identify AP Invoices that are over a certain Threshold Amount
• Dormant Inventory Items – Check for Dormant Inventory Items
• Dormant User IDs – Identify dormant user IDs
• Duplicate Vendor Payments – Identify Duplicate Vendor Payments within a specified time period
• Enter Post Journals SOD Violation – Identify Journals that are entered and posted by the same user
• Manual Journal Entries over Threshold Amount – Identify Manual Journals created in General Ledger that are above the specified threshold amount
• PO Over Threshold Amount – Identify Purchase Orders that are over a certain Threshold Amount
• Sales Order Over Credit Limit – Control Monitor for Sales Order over Credit Limit
• Sales Order Over Threshold Amount – Identify Sales Orders that were booked for a value over a threshold amount
• SOD Violation between AP Invoices and PO Documents – Identify purchasing and payables documents entered by the same user
• Terminated Employees with Active User IDs – Identify Terminated Employees with Active User IDs
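Each monitor in the list above is a detective control: a query run over transaction and user data that returns "suspects" for review rather than blocking anything. The Python below is an added example, not FulcrumWay's or Oracle's code, that implements four of them over constructed records: AP invoices over a threshold, duplicate vendor payments within a time window, invoices in excess of the matched PO (which also surfaces duplicate invoices against one PO), and terminated employees whose ERP user is still active. Thresholds, the window, the field names and all records are constructed.

```python
"""Detective transaction-control monitors over payables and user data.

Added example, not FulcrumWay's or Oracle's code. Implements four monitors
from the Transaction Control Monitors slide: AP invoices over a threshold,
duplicate vendor payments within a time window, AP invoices in excess of the
matched PO, and terminated employees whose ERP user is still active. All
records, thresholds and field names are constructed for the example.
"""
from datetime import date, timedelta

# Constructed data extracts.
INVOICES = [
    {"inv": "INV-100", "vendor": 1001, "amount": 15000.0, "po": "PO-3", "entered_by": "asmith"},
    {"inv": "INV-101", "vendor": 1003, "amount": 4800.0, "po": "PO-1", "entered_by": "bkim"},
    {"inv": "INV-102", "vendor": 1003, "amount": 4800.0, "po": "PO-1", "entered_by": "bkim"},  # duplicate of INV-101
    {"inv": "INV-103", "vendor": 1004, "amount": 900.0, "po": None, "entered_by": "jdoe"},      # unmatched
]
PURCHASE_ORDERS = {"PO-1": 4800.0, "PO-3": 12000.0}  # PO number -> approved amount
PAYMENTS = [
    {"pay": "PAY-1", "vendor": 1003, "amount": 4800.0, "date": date(2014, 2, 3)},
    {"pay": "PAY-2", "vendor": 1003, "amount": 4800.0, "date": date(2014, 2, 12)},
    {"pay": "PAY-3", "vendor": 1003, "amount": 4800.0, "date": date(2014, 5, 1)},  # same amount, outside window
    {"pay": "PAY-4", "vendor": 1001, "amount": 15000.0, "date": date(2014, 2, 5)},
]
EMPLOYEES = [
    {"user": "asmith", "status": "Active"},
    {"user": "bkim", "status": "Terminated", "term_date": date(2013, 12, 31)},
    {"user": "jdoe", "status": "Active"},
]
USERS = {  # ERP user accounts; end_date None means the account is still active
    "asmith": {"end_date": None},
    "bkim": {"end_date": None},
    "jdoe": {"end_date": date(2013, 6, 30)},
}

INVOICE_THRESHOLD = 10000.0
DUPLICATE_WINDOW = timedelta(days=30)
PO_TOLERANCE = 0.0  # amount by which invoices may exceed their PO (constructed)


def invoices_over_threshold(threshold: float = INVOICE_THRESHOLD) -> list:
    """AP Invoices Over Threshold."""
    return [i["inv"] for i in INVOICES if i["amount"] > threshold]


def duplicate_vendor_payments(window: timedelta = DUPLICATE_WINDOW) -> list:
    """Pairs of payments to the same vendor for the same amount whose dates fall
    within the window. Sorting by (vendor, amount, date) means only adjacent
    records need comparing."""
    out = []
    ordered = sorted(PAYMENTS, key=lambda p: (p["vendor"], p["amount"], p["date"]))
    for prev, cur in zip(ordered, ordered[1:]):
        same = prev["vendor"] == cur["vendor"] and prev["amount"] == cur["amount"]
        if same and cur["date"] - prev["date"] <= window:
            out.append((prev["pay"], cur["pay"]))
    return out


def invoices_over_po(tolerance: float = PO_TOLERANCE) -> tuple:
    """AP Invoice Over PO: invoice totals per PO that exceed the PO amount plus
    tolerance. Invoices with no PO are returned separately, since they bypass
    matching entirely and need their own review."""
    totals, unmatched = {}, []
    for i in INVOICES:
        if i["po"] is None:
            unmatched.append(i["inv"])
        else:
            totals[i["po"]] = totals.get(i["po"], 0.0) + i["amount"]
    over = [po for po, amt in totals.items() if amt > PURCHASE_ORDERS[po] + tolerance]
    return sorted(over), unmatched


def terminated_with_active_user() -> list:
    """Terminated Employees with Active User IDs: HR says terminated, account has no end date."""
    return [e["user"] for e in EMPLOYEES
            if e["status"] == "Terminated" and USERS.get(e["user"], {}).get("end_date") is None]
```

Summing invoices per PO, rather than comparing each invoice to the PO on its own, is what makes the over-PO monitor catch the duplicate INV-101/INV-102 pair: each is exactly the PO amount, but together they bill it twice.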
Transaction Control Monitors (continued)
Define credit usage rules: In Order Management, credit usage rule sets define the set of currencies that will share a predefined credit limit during the credit checking process, and enable the grouping of currencies for global credit checking.
Customer reporting hierarchy: Receivables uses the following hierarchy to determine the default payment term for your transactions, stopping when one is found:
1. Bill-to site
2. Customer Address
3. Customer
4. Transaction Type
Approval limits: Approval limits affect the Adjustments, Submit Auto Adjustments, and Approve Adjustments windows as well as the Credit Memo Request Workflow. Define approval limits to determine whether a Receivables user can approve adjustments or credit memo requests. You define approval limits by document type, dollar amount, reason code, and currency.
Aging buckets: Define aging buckets to review and report on open receivables based on the number of days each item is past due. For example, the 4-Bucket Aging bucket that Receivables provides consists of four periods: –999 to 0 days past due, 1 to 30 days past due, 31–61 days past due, and 61–91 days past due.
Change Tracking
• Query a change tracker to identify changes across multiple instances.
• Select multiple applications to monitor.
• The query requires the Change Tracking Transfer program to run before any data can be collected (this program transfers change tracking data from the ERP instances to CCG).
Monitor Configuration Changes: users and administrators can monitor before-and-after values, responsible user, and time stamp.
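The three configuration-control mechanisms named on the implementation slide (Snapshots, Comparisons, Change Tracking) and the before-and-after view described here share one underlying idea: capture the monitored setup values, diff two captures (across instances or across time), and keep a log that ties each difference to a responsible user and a time stamp. The Python below is an added example, not FulcrumWay's or Oracle's code and not how the Change Tracking Transfer program works; the setting names, values, users and timestamps are constructed, and the in-memory tracker stands in for the ERP's own audit tables.

```python
"""Configuration controls: snapshots, comparisons and change tracking.

Added example, not FulcrumWay's or Oracle's code. Shows the three
configuration-control mechanisms from the Oracle Advanced Controls slides in
simplified form: take a snapshot of setup values, compare two snapshots (across
instances or points in time) to get before-and-after values, and keep a change
log carrying the responsible user and time stamp so that changes to sensitive
setups (payment terms, tolerances, bank accounts) can be reviewed. Setting
names, values, users and timestamps are constructed.
"""
from datetime import datetime
from typing import Dict, Optional

Snapshot = Dict[str, str]

# Constructed setup keys to track, in the spirit of the "IT/Super User Change Tracking" list.
SENSITIVE_KEYS = {"AP.PAYMENT_TERMS.DEFAULT", "AP.INVOICE_TOLERANCE_PCT", "AP.BANK_ACCOUNT.OPS"}


def take_snapshot(config: Dict[str, str], keys: set) -> Snapshot:
    """Capture only the monitored keys, so snapshots compare like for like."""
    return {k: config[k] for k in sorted(keys) if k in config}


def compare_snapshots(before: Snapshot, after: Snapshot) -> list:
    """Return (key, before_value, after_value) for every difference; a key
    missing on one side is reported as None there."""
    diffs = []
    for k in sorted(set(before) | set(after)):
        if before.get(k) != after.get(k):
            diffs.append((k, before.get(k), after.get(k)))
    return diffs


class ChangeTracker:
    """Records who changed which monitored setting, from what to what, and when."""

    def __init__(self, config: Dict[str, str], keys: set):
        self.config = dict(config)
        self.keys = keys
        self.log = []  # entries: {"key", "old", "new", "user", "at"}

    def set(self, key: str, value: str, user: str, at: datetime) -> None:
        old: Optional[str] = self.config.get(key)
        self.config[key] = value
        # Only monitored keys are logged, and only when the value actually changes.
        if key in self.keys and old != value:
            self.log.append({"key": key, "old": old, "new": value, "user": user, "at": at})

    def changes_by(self, user: str) -> list:
        return [e for e in self.log if e["user"] == user]


def demo() -> dict:
    """Compare a production and a test instance, then track changes on production."""
    prod = {"AP.PAYMENT_TERMS.DEFAULT": "NET30", "AP.INVOICE_TOLERANCE_PCT": "2",
            "AP.BANK_ACCOUNT.OPS": "000111222", "GL.PERIOD_STATUS.JAN-14": "Open"}
    test = {"AP.PAYMENT_TERMS.DEFAULT": "NET45", "AP.INVOICE_TOLERANCE_PCT": "2",
            "GL.PERIOD_STATUS.JAN-14": "Open"}
    instance_diff = compare_snapshots(take_snapshot(prod, SENSITIVE_KEYS),
                                      take_snapshot(test, SENSITIVE_KEYS))

    tracker = ChangeTracker(prod, SENSITIVE_KEYS)
    before = take_snapshot(tracker.config, SENSITIVE_KEYS)
    tracker.set("AP.INVOICE_TOLERANCE_PCT", "10", "sysadmin", datetime(2014, 1, 15, 9, 30))
    tracker.set("GL.PERIOD_STATUS.JAN-14", "Closed", "glclerk", datetime(2014, 2, 1, 8, 0))   # not monitored
    tracker.set("AP.BANK_ACCOUNT.OPS", "000111222", "sysadmin", datetime(2014, 2, 2, 8, 0))    # same value, no change
    after = take_snapshot(tracker.config, SENSITIVE_KEYS)

    return {"instance_diff": instance_diff,
            "time_diff": compare_snapshots(before, after),
            "log": tracker.log}


if __name__ == "__main__":
    for section, rows in demo().items():
        print(section, rows)
```

The snapshot comparison answers "what differs between these two environments", while the log answers "who changed it and when"; a periodic snapshot diff that finds a difference with no matching log entry is itself a finding, since it means a change reached the setup without passing through the tracked path.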
EBS Form Rule Capabilities
• Set security attributes
• Compile lists of values (LOV)
• Establish navigation paths
• Set field attributes
• Display messages
• Run SQL statements
• Define default values for fields
• Execute Flow Rule process
A form rule:
• Defines what actions the element performs
• Empowers the user to make changes to EBS forms and processes
Form Rule Highlights
• Modify Security Settings
• Create Messages
• Edit Field Properties
• Hidden Field
• Field Required
• Edit Background
• Edit Prompt
• Hide Field Data
• Edit Messages
Procure to Pay with Oracle Advanced Controls
Business Risks: Unapproved or Illegal Suppliers; Delayed Supplier payments; Unauthorized Purchases; Split purchase orders
Controls Objectives: Capture all Discounts; Accurate Supplier Information; Valid Purchase Orders; Ensure Separation of Duties in Procurement
Continuous Monitors:
• Discounts Lost due to Delays in Payment
• Multiple Suppliers with the same Tax ID
• Multiple Suppliers with the same Bank Account Number
• Supplier and Invoices Created by Same User
• Multiple Suppliers with the similar email domain
• Purchase Orders issued to Blocked Suppliers
• Monitor purchases of unauthorized items, such as contraband
Outcomes: Prevent Leakage; Cash Flow Optimization
Incident workflow: Incident → Investigate → Close
Leader in Risk Based Enterprise Controls – Q & A
One-on-One with Experts. Download DataProbe.
Follow FulcrumWay on LinkedIn for ERP Risk and Controls.