Internal Controls & Compliance using Oracle Applications
Deloitte & Touche LLP
January 26, 2007
Ohio Valley Oracle Application Users Group
Jeff Taylor, Pathik Mody
Copyright © 2006 Deloitte Development LLC. All rights reserved.
Agenda
• Sarbanes-Oxley Overview
• Internal Controls, Compliance, & Technology
• SOX Tools
• Segregation of Duties
• Process and Financial Statement Certifications
• Continuous Control Monitoring
• Case Study
• Questions
Sarbanes-Oxley Overview
Background of Sarbanes-Oxley
• Passed by Congress on July 25th, 2002 and signed by President Bush on July 30th, 2002
• Named after Senator Paul Sarbanes (D-MD) and Representative Michael Oxley (R-OH)
• Governs publicly traded firms, including overseas firms traded on US markets
Regulatory Background: Sarbanes-Oxley Section 302 and 404 Internal Control Requirements

Section 302 requires the CEO and CFO of a public company to certify quarterly and annually that they:
• Are responsible for disclosure controls
• Have designed controls to ensure that material information is known to them
• Have evaluated the effectiveness of controls
• Have presented their conclusions in the filing
• Have disclosed to the audit committee and auditors significant control deficiencies and acts of fraud
• Have indicated in the report significant changes to controls

Section 404 requires the CEO and CFO to annually:
• State their responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting
• Conduct and provide an assessment of the effectiveness of the enterprise's internal controls

Section 404 also requires the external auditor to:
• Attest to management's assertion
Internal Controls, Compliance & Technology
What is an Internal Control?
Providing reasonable assurance of:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with laws and regulations
or else…
Compliance Steps
Policy & Procedure → Standards → Enforcement → Monitor
• Policy & Procedure: SOX 404, COSO, COBIT, FDICIA, ISO
• Standards: common configuration standards and operational policies
• Enforcement: automated enforcement and configuration auditing
• Monitor: monitoring and reporting
Current Situation Analysis
• Companies today are thinking beyond initial compliance requirements
– Focusing on achieving sustained compliance
– Establishing systems to support compliance in year three/four and beyond that are integrated into their ongoing operations
• Technology plays a key role in helping companies sustain compliance effectively and efficiently
• Most companies adopted interim solutions to support their compliance efforts
• However, companies need an efficient and sustainable environment to enable the documentation, monitoring, assessment and reporting on internal controls
End-State Architecture for Sustaining Compliance
• Compliance-related applications and systems: Internal Control Documentation & Assessment, Financial Reporting, Control Monitoring, Content & Records Mgmt, Systems Mgmt
• Integration and collaboration layer connecting the stakeholders: HR/Training, Audit Committee, Disclosure Committee, External Audit, Internal Audit, Field Audit (404 App), Business Unit, CIO, CEO/CFO, Sarbanes PMO
• Financial and related systems, platforms and databases, which hold data, transactions and records: Financial Systems, HR, CRM, Supply Chain, Document Retention, Security
• Hardware/Operating System/Network Infrastructure and Databases
The Compliance Direction
From: Detective, Manual, Fragmented, Local
To: Preventive, Automated, Integrated, Global
SOX Tools: Oracle Internal Controls Manager
Sarbanes-Oxley Section 404 Tools
• Many commercially available products offer integrated technology functionality
• Vendors take different approaches to implementing and managing internal controls in their products
• A number of options are available in the market from ERP vendors, large integrated software vendors and specialty vendors, and more should be expected in the future
• Many of these products provide functionality such as integration with ERPs, financial reporting systems, and other back-end systems that can support sustained SOX compliance efforts
• The ERP vendors are expected to have an advantage with companies that already use their systems
• However, companies must consider their technology environment and business requirements to determine which option is best
• With most products in the market, companies should be able to migrate their risk and control information into the vendor's product using a variety of export/import tools
Sample Vendors and Products
Vendor categories shown: ERPs, Large Software Vendors, Specialty Vendors
Products shown: ICM, MIC, ICE
What is Oracle Internal Controls Manager?
• ICM is an application developed to facilitate the collection, management, testing and remediation of control data and risk-related efforts
• ICM integrates with your Oracle ERP applications
• ICM is a tool that can be used by:
  • Controllers, Internal Auditors, Operational Managers, and External Auditors to perform assessments and to review and monitor ongoing compliance
  • Process Owners to document and validate business processes and track issues
  • Signing Officers to certify financial statements
Diagram: ICM at the center of Document, Test, Monitor and Experts
Why Implement ICM?
• Organizes process documentation
• Organizes risk assessments and control evaluations
• Identifies control weaknesses more easily
• Provides flexibility to tailor the audit process
• ICM's flexibility enables reporting from different points of view (e.g., financial, operational, organizational)
• Segregation of Duties and IT audit capabilities
• Integrates with the Oracle Financials suite
• Useful for all levels of management
Oracle ICM Process
• Data repository: Define Organizations, Define Parent Processes, Define Processes, Define Risks, Define Controls, Define Audit Procedures
• Audit / review process: Audit Results, Conclude, Findings / Remediation, Certify
• Supporting: Administration, Security Roles and Access, Reports
Oracle ICM Current Features
Populating the Data Repository

Processes (understand the business processes that run the business)
• Create business processes using Web ADI, Workflow, or Tutor
• Associate procedures to processes
• Link key accounts to processes
• Associate risks, controls, and audit procedures with processes
• Map processes to organizations

Risks (processes are exposed to various risks)
• Import risks using the import process (Web ADI)
• Identify the risks associated with each business process
• Classify each risk for its probability and impact
• Create/maintain a library of reusable risks

Controls (controls are put in place to mitigate risks)
• Import controls using the import process (Web ADI)
• Associate controls with risks
• Capture control objectives, control assertions, and physical evidence detail
• Categorize controls using control type

Audit Procedures (audit procedures test the effectiveness of controls)
• Import audit procedures using the import process (Web ADI)
• Keep track of the audit history for each procedure
• Procedures provide detailed steps to be performed during audit field work
• Procedures can be set up to verify design, operating effectiveness, or both
Documenting Processes, Risks and Controls
Diagram: Process → Sub-Process → Sub-Process, each with a Risk & Control association
Process Details
Diagram: Process → Control Objective → Control Activity, with the associated Risks
ICM Other Features
• Process associated with audit procedures
• Audit procedures associated with controls
• Create Audit Engagement
• Add Organization and Process to an Audit Engagement
• Associate process to an Audit Engagement
• Create/Add procedure to an Audit Engagement
• Document findings and remediation
Segregation of Duties
SOD Features and Benefits
Features:
• Constraints for incompatible responsibilities/functions
• Waivers for users or responsibilities
• Spreadsheet upload for constraints
• XML Publisher report for constraint violations
Benefits:
• Segregate duties by operating unit
• Allow super users to be exempted from constraints
• Reduce implementation effort in constraint setup
• Facilitate sharing of the constraint violation report
Incompatible Responsibilities/Functions
SOD – XML Reports
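The SOD features above (constraints between incompatible responsibilities, waivers for users or responsibilities, spreadsheet upload of constraints, operating-unit scoping, super-user exemption) amount to one check: does any user hold both sides of a constraint in the same operating unit without an exemption? The following is an added example of that check, not Oracle ICM code; the constraint CSV layout, the waiver semantics (a user waiver exempts that user, a responsibility waiver exempts every holder of that responsibility) and all assignments are assumptions constructed here.

```python
"""Segregation-of-duties (SOD) constraint check over user/responsibility
assignments. Added example, not Oracle ICM code; constraint semantics,
waiver semantics and all sample data are assumptions constructed here."""
import csv
import io
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Constraint:
    """Two responsibilities one user must not hold together in one operating unit."""
    name: str
    left: str
    right: str


@dataclass(frozen=True)
class Waiver:
    """Assumed semantics: a user waiver exempts that user from the named
    constraint; a responsibility waiver exempts every holder of that responsibility."""
    constraint: str
    user: Optional[str] = None
    responsibility: Optional[str] = None


@dataclass(frozen=True)
class Assignment:
    user: str
    responsibility: str
    operating_unit: str


def load_constraints_csv(text: str) -> List[Constraint]:
    """Spreadsheet-style upload: one constraint per row, columns name,left,right."""
    reader = csv.DictReader(io.StringIO(text))
    return [Constraint(r["name"].strip(), r["left"].strip(), r["right"].strip())
            for r in reader]


def _waived(c: Constraint, user: str, resps: Set[str], waivers: Iterable[Waiver]) -> bool:
    for w in waivers:
        if w.constraint != c.name:
            continue
        if w.user is not None and w.user == user:
            return True
        if w.responsibility is not None and w.responsibility in resps:
            return True
    return False


def find_violations(assignments, constraints, waivers=(), super_users=frozenset()):
    """Return sorted (user, operating_unit, constraint_name) for each user who
    holds both sides of a constraint within the same operating unit and is
    neither an exempted super user nor covered by a waiver. Holding the two
    responsibilities in different operating units is not a conflict here."""
    held: Dict[Tuple[str, str], Set[str]] = {}
    for a in assignments:
        held.setdefault((a.user, a.operating_unit), set()).add(a.responsibility)
    out = []
    for (user, ou), resps in held.items():
        if user in super_users:
            continue
        for c in constraints:
            if c.left in resps and c.right in resps and not _waived(c, user, resps, waivers):
                out.append((user, ou, c.name))
    return sorted(out)


# Constructed sample data (not from any real system).
CONSTRAINT_CSV = """name,left,right
AP-ENTER-PAY,AP Invoice Entry,AP Payment Approval
VENDOR-PAY,Supplier Maintenance,AP Payment Approval
"""

SAMPLE_ASSIGNMENTS = [
    Assignment("alice", "AP Invoice Entry", "US_OU"),
    Assignment("alice", "AP Payment Approval", "US_OU"),   # conflict
    Assignment("bob", "AP Invoice Entry", "US_OU"),
    Assignment("bob", "AP Payment Approval", "UK_OU"),     # different OU: no conflict
    Assignment("carol", "Supplier Maintenance", "US_OU"),
    Assignment("carol", "AP Payment Approval", "US_OU"),   # waived below
    Assignment("dave", "AP Invoice Entry", "US_OU"),
    Assignment("dave", "AP Payment Approval", "US_OU"),    # exempted super user
    Assignment("erin", "Supplier Maintenance", "US_OU"),
    Assignment("erin", "AP Payment Approval", "US_OU"),    # conflict
]
SAMPLE_WAIVERS = [Waiver("VENDOR-PAY", user="carol")]
SAMPLE_SUPER_USERS = frozenset({"dave"})


def run_sample():
    return find_violations(SAMPLE_ASSIGNMENTS, load_constraints_csv(CONSTRAINT_CSV),
                           SAMPLE_WAIVERS, SAMPLE_SUPER_USERS)


if __name__ == "__main__":
    for user, ou, name in run_sample():
        print(f"VIOLATION {name}: {user} in {ou}")
```

Two points the output makes visible: bob's pair is not reported because the two responsibilities sit in different operating units, which is exactly the scoping the "segregate duties by operating unit" benefit describes, and dave disappears from the report entirely because of the super-user exemption. Both the waiver list and the super-user list are therefore control evidence in their own right and should be reviewed on the same cycle as the violation report.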
Process and Financial Statement Certifications
Business Process Certification Dashboard
Financial Statement Certification Dashboard
Certifying Compliance Dashboard
What reports are available?
• Reports
– Design Assessment
– Operating Effectiveness
– Risk Assessment
– Control Testing
– Open Issues / Findings
– Control Gaps
• Dashboard
• Several XML reports
What We Learned
• Reduce the scope of the effort by focusing on key processes, transactions and controls
• Grow into extensive ICM functionality
• Ensure management understands the level of involvement required throughout the organization
• Standardize compliance process throughout the organization
• Spend time upfront loading Risk Library
• Leverage software to monitor the compliance effort, document testing and promote management responsibility
Continuous Control Monitoring
Controls Automation & Monitoring
• Why Controls Automation and Continuous Controls Monitoring are Important
– Reduces effort, cost, and reliance on external consultants by increasing control reliability and efficiency.
– Enhances the effectiveness of Internal Audit and line manager/staff.
– Provides real-time information for proactive preventive measures.
– Leverages real-time information and compliance investment for business value generation.
– Provides a sustainable and repeatable process to enable data and control quality improvement.
– Decreases learning curve and training requirements.
Controls Monitoring (category, features, benefits)

Transaction Monitoring
Features: identify suspicious transactions; flag anomalies for investigation; identify inappropriate flows (e.g., duplicate payments)
Benefits: identify suspicious transactions for further review; isolate transactions not in compliance with business rules; provide evidence of control operation and quickly identify issues

Master Data Monitoring
Features: monitor changes to master data files (e.g., Supplier Master) for suspicious activity
Benefits: identify and address suspicious changes to master data; detect stale master file records

Access Control Monitoring
Features: monitor changes to user access/roles; monitor access to sensitive transactions and data
Benefits: detect unauthorized modifications to user access/roles

Segregation of Duties Monitoring
Features: identify SOD violations; detect executed transactions that violate SOD rules
Benefits: prevent SOD conflicts that increase the risk of fraud and error

Configuration Monitoring
Features: detect changes to system configurations that may increase the risk of fraud and error
Benefits: demonstrate the continued effectiveness of application controls

Manual Process & Control Monitoring
Features: ensure the initiation and completion of manual business and IT processes and controls; provide an audit trail for manual processes
Benefits: increase the effectiveness and efficiency of manual business and IT processes and controls

IT General Controls
Features: security/access controls; change management controls; IT operations controls
Benefits: enable increased reliance on automated business process controls
Oracle Application Controls Manager
• Detect fraud or errors by tracking changes to Oracle Applications control settings
• Assess the current state of the Oracle Applications control environment
• Confirm that Oracle Applications control settings remain aligned with industry standards
• Detect changes to Oracle Applications control settings by user ID and date
• Identify configuration mismatches across instances
Recommended Control Settings
Once recommended values have been set up, they are displayed in the 'Application Control History' pages along with the change history. The screenshot shows a comparison between the recommended values and the actual parameter settings; non-conforming values are highlighted with a red icon.
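The three things the Application Controls Manager slides describe (compare actual settings against recommended values, find mismatches across instances, and attribute a change to a user ID and date) reduce to a few functions over a settings snapshot and a change history. The following is an added example, not Oracle Application Controls Manager code; the setting names are modelled on Oracle E-Business Suite sign-on profile options, but the recommended values, the three instances and the change history are constructed assumptions, and whether a recommendation is an exact value or a numeric bound is a design choice made here.

```python
"""Application control-setting monitoring: recommended vs actual values,
drift across instances, and changes that regressed a setting, keyed by
user and date. Added example, not Oracle Application Controls Manager;
setting names are modelled on Oracle E-Business Suite sign-on profile
options, everything else is a constructed assumption."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Recommendation:
    setting: str
    rule: str    # "eq" exact value, "min"/"max" numeric bound
    value: str

    def conforms(self, actual: str) -> bool:
        if self.rule == "eq":
            return actual == self.value
        try:
            a, r = int(actual), int(self.value)
        except ValueError:
            return False   # a non-number where a number is required is non-conforming
        return a >= r if self.rule == "min" else a <= r


@dataclass(frozen=True)
class Change:
    instance: str
    setting: str
    old: str
    new: str
    user: str
    changed_on: date


def nonconforming(actual: Dict[str, str], recs) -> List[Tuple[str, str, str]]:
    """(setting, actual, recommended) for each setting that fails or was never set."""
    out = []
    for r in recs:
        current = actual.get(r.setting, "<unset>")
        if current == "<unset>" or not r.conforms(current):
            out.append((r.setting, current, f"{r.rule} {r.value}"))
    return out


def cross_instance_mismatches(instances: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Settings whose value is not identical on every instance, with per-instance values."""
    names = set().union(*(cfg.keys() for cfg in instances.values()))
    out = {}
    for name in sorted(names):
        values = {inst: cfg.get(name, "<unset>") for inst, cfg in instances.items()}
        if len(set(values.values())) > 1:
            out[name] = values
    return out


def regressions(history, recs) -> List[Tuple[str, str, str, date]]:
    """Changes whose new value fails a recommendation: where, what, who and when."""
    by_name = {r.setting: r for r in recs}
    return sorted((c.instance, c.setting, c.user, c.changed_on)
                  for c in history
                  if c.setting in by_name and not by_name[c.setting].conforms(c.new))


# Constructed sample data (not real instances or users).
RECOMMENDED = [
    Recommendation("SIGNON_PASSWORD_LENGTH", "min", "8"),
    Recommendation("SIGNON_PASSWORD_FAILURE_LIMIT", "max", "5"),
    Recommendation("SIGNON_PASSWORD_HARD_TO_GUESS", "eq", "Y"),
    Recommendation("AUDITTRAIL_ACTIVATE", "eq", "Y"),
]
INSTANCES = {
    "PROD": {"SIGNON_PASSWORD_LENGTH": "10", "SIGNON_PASSWORD_FAILURE_LIMIT": "5",
             "SIGNON_PASSWORD_HARD_TO_GUESS": "Y", "AUDITTRAIL_ACTIVATE": "Y"},
    "TEST": {"SIGNON_PASSWORD_LENGTH": "6", "SIGNON_PASSWORD_FAILURE_LIMIT": "10",
             "SIGNON_PASSWORD_HARD_TO_GUESS": "Y", "AUDITTRAIL_ACTIVATE": "N"},
    "DEV":  {"SIGNON_PASSWORD_LENGTH": "8", "SIGNON_PASSWORD_FAILURE_LIMIT": "5",
             "SIGNON_PASSWORD_HARD_TO_GUESS": "Y"},   # audit trail never set
}
HISTORY = [
    Change("PROD", "SIGNON_PASSWORD_LENGTH", "6", "10", "OPSADMIN", date(2007, 1, 5)),
    Change("TEST", "AUDITTRAIL_ACTIVATE", "Y", "N", "SYSADMIN", date(2007, 1, 10)),
    Change("TEST", "SIGNON_PASSWORD_FAILURE_LIMIT", "5", "10", "SYSADMIN", date(2007, 1, 12)),
]


if __name__ == "__main__":
    for inst, cfg in INSTANCES.items():
        print(inst, nonconforming(cfg, RECOMMENDED))
    print("drift:", cross_instance_mismatches(INSTANCES))
    print("regressions:", regressions(HISTORY, RECOMMENDED))
```

A setting that was never set is reported as non-conforming rather than silently skipped, because an unset audit-trail switch is the same exposure as one turned off. The regression list is the one an auditor asks for: not every change, only the changes that took a control below its recommended value, with the user ID and date attached.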
Oracle Database Vault and Audit Vault
Audit Vault:
• Specialized warehouse for audit data
• Leverages Database Vault security to block DBAs from viewing audit data
• SOD / defined roles
• Audit Vault and compliance reports
• Set up audit alerts
Database Vault:
• Restrict the DBA and other privileged users from accessing application data
• Protect the database and applications from unauthorized changes
• Enforce strong controls over who, when, and where applications can be accessed
Visit: Oracle.com/security. Try software: OTN (OTN.Oracle.com). Coming soon.
Case Study: Integrating Security & Controls
Client Background
• $12 billion global technology manufacturer
• Primary legacy system: Oracle 10.7 character mode
• Other Oracle legacy instances on various versions
• Located in 70 countries (North America, EMEA, APAC, and LATAM regions)
• Over 10,000 users
• Re-implementing on the Oracle 11.5.10 platform
• Phased functionality deployment approach
• Extensive application footprint
Implementation Scope
Modules in scope: HR including Self-Service, Accounts Receivable, Advanced Pricing, Order Management, Trading Community Architecture (TCA), TeleSales, Accounts Payable, Purchasing, iProcurement, Bill of Materials, Cash Management, General Ledger, Projects Costing, Engineering, Shipping, Procurement Contracts, Fixed Assets, Projects Billing, Projects Mgt, Advanced Budgeting & Planning, Advanced Benefits, Inventory, Cost Management, TeleService, Treasury, Service Contracts, Warehouse Mgt, Configurator, Advanced Supply Chain Planning, Incentive Comp, Work in Process, Projects Resourcing, Quoting, Learning Mgt, ICM, Mobile Field Service, Advanced Scheduling, Advanced Inbound, Scripting, iSupplier, Quality, iSupport, Depot Repair, Spares Mgt, Proposals, iExpense, Demand Planning, Collaborative Planning, Knowledge Mgt, Field Service, Time and Labor, Install Base, CRM Foundation
Engagement Objectives
Deloitte was engaged to:
• Design, build, and implement the application security model for a global deployment of Oracle 11i
• Design and implement new global Oracle 11i security responsibilities for new functionality and users
• Identify and document the Oracle 11i automated controls
• Design a global Oracle security structure that incorporates appropriate segregation of duties, controls compliance, administration efficiencies, standardization, and flexibility to adapt to ongoing business and technology changes
Security & Controls Objectives
• Elimination of significant segregation of duty conflicts in the Oracle 11i application
• Completion of SOX documentation as it relates to Oracle 11i automated control implementation (i.e. control matrices)
• Standardization of the Oracle 11i security practices/procedures, including naming conventions
• Ease of compliance enforcement for the Oracle 11i system and on-going SOX compliance
• Security staff trained in the new Oracle 11i security practices/procedures
• Internal control and regulatory compliance concerns appropriately addressed
Contact Information
Jeff Taylor, Sr. Manager, Deloitte Consulting
Pathik Mody, Manager, Deloitte & Touche LLP
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, its member firms and their respective subsidiaries and affiliates. Deloitte Touche Tohmatsu is an organization of member firms around the world devoted to excellence in providing professional services and advice, focused on client service through a global strategy executed locally in nearly 150 countries. With access to the deep intellectual capital of 120,000 people worldwide, Deloitte delivers services in four professional areas, audit, tax, consulting and financial advisory services, and serves more than one-half of the world’s largest companies, as well as large national enterprises, public institutions, locally important clients, and successful, fast-growing global growth companies. Services are not provided by the Deloitte Touche Tohmatsu Verein and, for regulatory and other reasons, certain member firms do not provide services in all four professional areas.
As a Swiss Verein (association), neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other’s acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names Deloitte, Deloitte & Touche, Deloitte Touche Tohmatsu, or other related names.
In the US, Deloitte & Touche USA LLP is the US member firm of Deloitte Touche Tohmatsu and services are provided by the subsidiaries of Deloitte & Touche USA LLP (Deloitte & Touche LLP, Deloitte Consulting LLP, Deloitte Financial Advisory Services LLP, Deloitte Tax LLP and their subsidiaries), and not by Deloitte & Touche USA LLP. The subsidiaries of the US member firm are among the nation's leading professional services firms, providing audit, tax, consulting and financial advisory services through nearly 30,000 people in more than 80 cities. Known as employers of choice for innovative human resources programs, they are dedicated to helping their clients and their people excel. For more information, please visit the US member firm’s web site at www.deloitte.com/us.