Page 1:

Risk-Based Assessment of User Access Controls and Segregation of Duties for Companies Running Oracle Applications

Presented by: Jeffrey T. Hare, CPA CISA CIA

Page 2:

Webinar Logistics

© 2009 ERPS

• Hide and unhide the Webinar control panel by clicking on the arrow icon on the top right of your screen.

• The small window icon toggles between a windowed and full screen mode.

• Ask questions throughout the presentation using the questions window.

• Questions will be reviewed and answered at the end of the presentation; I'll open the lines for interactive Q&A.

Page 3:

Presentation Agenda

Overview:

• Introductions

• Deficiencies in Current Approaches to SOD

• Taking a Risk-Based Approach to User Access Controls

• Q&A

• Wrap Up

Page 4:

Introductions: Jeffrey T. Hare, CPA CISA CIA

• Founder of ERP Seminars and Oracle User Best Practices Board

• Author, Oracle E-Business Suite Controls: Application Security Best Practices

• Contributing author, Best Practices in Financial Risk Management

• Published in ISACA's Control Journal (twice) and ACFE's Fraud Magazine; frequent contributor to OAUG's Insight magazine

• Experience includes Big 4 audit and 6+ years in CFO/Controller roles – both as auditor and auditee

• In the Oracle applications space since 1998 – both as client and consultant

• Founder of Internal Controls Repository – a public domain repository

• Written various white papers on internal controls and security best practices in an Oracle Applications environment

Page 5:

Taking a Risk-Based Approach to User Access Controls

Types of Risks:

• Segregation of duties – a user having access to two or more business process functions whose combination could compromise the integrity of the process or allow that person to commit fraud

• Access to sensitive functions – a user having access to a function that, in and of itself, carries risk (a single-function risk)

• Access to sensitive data – a user having access to sensitive data such as national identification numbers (US: SSN), home addresses, credit card and bank account information, plus data unique to your company – customers, BOMs, routings…?

Page 6:

Risk Assessment Process

• Evaluate about 675 unique risks

• CS*Comply covers up to 20,000 function-based risks

• Examples from the risk assessment (R/A):

• Single-function risks – some are acceptable with documented user exceptions (e.g. the Menus form); some should never be granted to anyone (certain forms that accept SQL, e.g. Quality Plans)

• SoD risks – some are never acceptable (Enter Journal Entries vs Journal Authorization Limits); some are acceptable for certain users via documented user exceptions (Enter Journal Entries vs Journal Sources)

© 2011 ERPRA

Page 7:

Deficiencies in Current Approaches to SOD Projects

Here are some common deficiencies in how companies are approaching SOD projects:

• Relying on the seeded content of software providers

• Not taking a risk-based approach that considers current controls when defining what the risks are for their company

• Not considering all user access control risks – access to sensitive functions and access to sensitive data

• Always looking at risks as one function in conflict with another, rather than looking at the real risks – single functions as well as two-function combinations

• Looking only at SOX risks and ignoring fraud risks below the materiality level and other operational risks

Page 8:

Taking a Risk-Based Approach to User Access Controls

Approach to Risk Assessment Project:

1. Identify access control conflicts

2. Identify the risks associated with each conflict

3. Identify, analyze, and document the mitigating controls related to each risk

4. Assess the residual risk after taking the mitigating controls into account

5. Discuss residual risks with management and assess their willingness to assume the risk

6. Document remediation steps for unmitigated risks

7. Document whether the conflict (a single function or a combination of two) should be monitored in third-party software
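The seven steps above, together with the single-function and SoD examples on Page 6 and the mitigating controls listed on Page 10, can be run as a small rule engine over a user-to-function map. The following is an added example written for this transcript; it is not code from the webinar, from ERPRA or from CS*Comply, and every user, responsibility, menu, function, rule, control and justification in it is constructed sample data rather than a real conflict matrix. The menu walk with responsibility-level exclusions mirrors the EBS user, responsibility, menu and function path only loosely (the role that FND_RESP_FUNCTIONS exclusions play is assumed), and the scoring convention of one risk level per documented mitigating control is an assumption, not the speaker's method.

```python
"""Risk-based review of user access in an Oracle EBS-style model: users ->
responsibilities -> menus -> functions, then single-function and two-function
(SoD) rules with user exceptions, mitigating controls, a residual-risk rating
and a monitoring decision.  Added example for this transcript, not code from
the webinar, ERPRA or CS*Comply; every name and value below is constructed."""
from dataclasses import dataclass
LEVELS = ("Low", "Medium", "High")

@dataclass(frozen=True)
class Rule:
    rule_id: str
    functions: frozenset            # one name = single-function risk, two = SoD conflict
    risk: str                       # the inherent risk, stated so an auditor can test it
    inherent: str                   # one of LEVELS
    never_acceptable: bool = False  # True: no user exception may be documented

def resolve_functions(menu, menus, excluded, seen=None):
    """Functions reachable from a menu tree.  menus: {menu: [("F", function) or
    ("M", sub_menu)]}; excluded: responsibility-level exclusions (assumed model)."""
    seen = set() if seen is None else seen
    if menu in seen or menu in excluded:          # cycle guard; excluded sub-menu
        return set()
    seen.add(menu)
    funcs = set()
    for kind, name in menus.get(menu, ()):
        if kind == "F" and name not in excluded:
            funcs.add(name)
        elif kind == "M":
            funcs |= resolve_functions(name, menus, excluded, seen)
    return funcs

def user_functions(user_resps, resp_menu, menus, resp_exclusions):
    """{user: set(functions)} across all of a user's responsibilities."""
    out = {user: set() for user in user_resps}
    for user, resps in user_resps.items():
        for resp in resps:
            out[user] |= resolve_functions(resp_menu[resp], menus, resp_exclusions.get(resp, set()))
    return out

def downgrade(level, steps):
    return LEVELS[max(0, LEVELS.index(level) - steps)]

def evaluate(funcs_by_user, rules, exceptions, mitigations, accepted):
    """Steps 1-7 per user/rule pair.  exceptions {(user, rule_id): why}; mitigations
    {rule_id: [control]}, one level off per control (assumed); accepted: rule_ids assumed."""
    findings = []
    for user, funcs in sorted(funcs_by_user.items()):
        for rule in rules:
            if not rule.functions <= funcs:
                continue                                   # step 1: no conflict here
            controls = tuple(mitigations.get(rule.rule_id, ()))
            residual = downgrade(rule.inherent, len(controls))   # steps 3-4
            if (user, rule.rule_id) in exceptions and not rule.never_acceptable:
                status = "Excepted"                       # acceptable for this user
            elif residual == "Low" and controls:
                status = "Mitigated"
            elif rule.rule_id in accepted and not rule.never_acceptable:
                status = "Accepted"                       # step 5
            else:
                status = "Remediate"                      # step 6
            # step 7: never-acceptable rules -> preventive monitoring; excepted or
            # accepted risks -> detective monitoring; fully mitigated -> none
            monitor = rule.never_acceptable or status in ("Excepted", "Accepted")
            findings.append({"user": user, "rule": rule.rule_id, "risk": rule.risk,
                             "kind": "SoD" if len(rule.functions) == 2 else "Single function",
                             "residual": residual, "status": status, "controls": controls, "monitor": monitor})
    return findings

# ---- constructed sample data: an EBS-like GL / sysadmin / quality setup ----
MENUS = {"GL_SUPERUSER": [("F", "Enter Journal Entries"), ("M", "GL_SETUP")],
         "GL_SETUP": [("F", "Journal Sources"), ("F", "Journal Authorization Limits")],
         "GL_USER": [("F", "Enter Journal Entries"), ("F", "Journal Inquiry")],
         "SYSADMIN": [("F", "Menus"), ("F", "Users")],
         "QA_USER": [("F", "Quality Plans"), ("F", "Collection Results")]}
RESP_MENU = {"General Ledger Super User": "GL_SUPERUSER", "GL Super User (Custom)": "GL_SUPERUSER",
             "General Ledger User": "GL_USER", "System Administrator": "SYSADMIN",
             "Quality User": "QA_USER"}
RESP_EXCLUSIONS = {"GL Super User (Custom)": {"Journal Authorization Limits"}}
USER_RESPS = {"JSMITH": ["General Ledger Super User", "System Administrator"],
              "APATEL": ["GL Super User (Custom)"], "MCHEN": ["General Ledger User"],
              "RLEE": ["Quality User"]}
RULES = [
    Rule("SOD-GL-01", frozenset({"Enter Journal Entries", "Journal Authorization Limits"}),
         "Raise own approval limit, then post journals without review", "High", never_acceptable=True),
    Rule("SOD-GL-02", frozenset({"Enter Journal Entries", "Journal Sources"}),
         "Create a journal source that does not require approval", "High"),
    Rule("SF-SYS-01", frozenset({"Menus"}), "Grant any function to any responsibility", "High"),
    Rule("SF-QA-01", frozenset({"Quality Plans"}), "Form accepts SQL; arbitrary data changes",
         "High", never_acceptable=True),
]
EXCEPTIONS = {("APATEL", "SOD-GL-02"): "GL manager owns source setup; changes reviewed quarterly",
              ("JSMITH", "SF-SYS-01"): "Apps sysadmin; menu changes caught by trigger-based audit trail"}
MITIGATIONS = {"SOD-GL-01": ["All journals reviewed and approved"],
               "SOD-GL-02": ["All journals reviewed and approved", "Budget to actual analysis"]}
ACCEPTED = set()

def run_sample():
    return evaluate(user_functions(USER_RESPS, RESP_MENU, MENUS, RESP_EXCLUSIONS),
                    RULES, EXCEPTIONS, MITIGATIONS, ACCEPTED)
```

`run_sample()` returns one dict per finding (five on the constructed data). JSMITH's Enter Journal Entries / Journal Authorization Limits conflict stays at Remediate with Medium residual risk even though all journals are reviewed, because the rule is marked never acceptable; the same user's Journal Sources conflict is Mitigated by two controls and drops off the monitoring list, while APATEL's custom responsibility excludes the authorization-limits form, so that conflict is never raised for her at all. MCHEN, who can only enter and inquire on journals, produces no finding, which is the point of rating single functions and two-function combinations separately rather than flagging every journal-entry user.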

Page 9:

Taking a Risk-Based Approach to User Access Controls

In our experience, a completed risk assessment process exposes the following needs:

• An SOD monitoring tool (or one with a preventive workflow)

• Requirements for a trigger-based detailed audit trail

• Various monitoring reports or processes not provided by Oracle

• The need to personalize forms to support defined controls

• Custom workflows to automate controls where Oracle's functionality is deficient

• Process and/or controls changes

• Documentation and testing of non-key controls

• Access control / security changes

• Additional projects and research that need to be done (customizations, profile options, updating BR100s, BR110s, etc.)

Page 10:

Responding to Auditors

• Have them identify the risk(s) that are inherent in the access or SOD conflict

• Evaluate the controls that may already be in place to mitigate the risks identified. Examples:

• All journals are reviewed and approved

• Financial close processes

• Budget to actual / forecast to actual analysis

• Variance analysis – PPV, IPV

• Reconciliation of inventory balances to the GL account

• Review of stale inventory

• Cycle counting / physical inventories

• Downgrade key controls to standard / non-key based on risk – reduce audit scope and rely more on entity-level controls

Page 11:

Access Controls / R12 tips

• Take advantage of MOAC (Multi-Org Access Control) to reduce the number of responsibilities across operating units / inventory orgs

• Use the QUERY_ONLY=Yes form function parameter to generate inquiry-only forms (make sure they are tested thoroughly, since query-only mode depends on each form honouring the parameter)

• Refresh Prod to non-Prod and allow more liberal access there for replication of issues and trouble-shooting (the sensitive data identified earlier is copied with the refresh, so the non-Prod instance needs its own data protection)

• Use trigger-based auditing solutions to generate a detailed audit trail of changes to key control configurations, critical changes to the item master, etc.

Page 12:

Recap / Wrap Up

Page 13:

Resources

• Application Security Best Practices Book – 2nd edition due out Jan 2012

• Launching a partially public-domain conflict matrix in conjunction with the 2nd edition of the book (common elements will be included in the Apps Security BP book)

• Oracle E-Business Suite Controls: Financial Close Cycle – due out April 2012 – focusing on the design and implementation of controls and security related to the Financial Close Cycle

Page 14:

Links

• Recorded webinars: http://www.erpra.net/WebinarAccessForm.html

• Blog: http://jeffreythare.blogspot.com/

• Video blog: http://www.youtube.com/ERPSeminars

• Oracle Internal Controls and Security listserver (public domain/open group): http://tech.groups.yahoo.com/group/OracleSox/?yguid=192922351

Page 15:

Links

• Oracle Apps Internal Controls Repository (end users only / closed group): http://tech.groups.yahoo.com/group/oracleappsinternalcontrols/?yguid=440489739

• LI Oracle GRC group: http://www.linkedin.com/groups?gid=2017790

• LI Oracle ERP Auditors group: http://www.linkedin.com/groups?gid=2354934

Page 16:

ERP Risk Advisory Services

• Project audit / QA – we'll work under the direction of your PMO or Internal Audit to provide project audit or quality assurance, whether the work is done internally or through a system integrator. In this role, we typically bring in other experts from companies like Integrigy, Solution Beacon, FSCP Solutions, and Colibri to be part of our team.

• Security upgrade/implementation – we'll upgrade your security from 11i to R12, adding new functionality in R12 while reducing 'upgrade' risk by minimizing the use of standard sub-menus and using custom menus for all custom responsibilities. We'll also help you implement role-based access control (RBAC), or help you prepare for the implementation of RBAC, depending on the maturity of your organization.

• Controls upgrade – we'll review your risk and control library, making sure all risks have been identified and recommending an adequate level of controls; we'll also look at what are defined as key controls and make recommendations to downgrade to non-key, where possible, to reduce audit fees; we'll also make recommendations on how to automate various controls.

Page 17:

ERP Risk Advisory Services

• Security and Controls monitoring – both security and controls need to be monitored on an on-going basis as changes are introduced in your system. We'll help identify the processes and, perhaps, software that need to be put in place for proper monitoring.

• Building of system-based audit trails – we'll evaluate your current trigger-based auditing and make recommendations on what should be added or changed. If you aren't using a trigger-based auditing tool, we'll recommend one that fits your budget and help you implement it.

• Enhancement of change management (CM) controls – we'll review and recommend enhancements to your change control process to better protect the integrity of your data and business processes. We'll focus on all four aspects of CM – development, patching, security, and configurations – and help you implement a quality assurance program to monitor the effectiveness of your CM process.

Page 18:

ERP Risk Advisory Services

• Implementation of user access controls software – we'll design and implement preventive and detective controls related to Segregation of Duties, single-function risks, and sensitive data risks. This is best done in conjunction with the upgrade of your security.

• Implementation of data security software – we'll implement a security solution that 'locks down' access to sensitive data – both at the application and database levels. This software is more flexible and cost effective than implementing encryption, where it is not provided by Oracle.

Page 19:

Q & A

Page 22:

Best Practices Caveat

The Best Practices cited in this presentation have not been validated with your external auditors, nor has there been any systematic study of industry practices to determine that they are 'in fact' Best Practices for a representative sample of companies attempting to comply with the Sarbanes-Oxley Act of 2002 or the other corporate governance initiatives mentioned. The Best Practice examples given here should not substitute for accounting or legal advice for your organization and provide no indemnification from fraud, material misstatements in your financial statements, or control deficiencies.

Page 23:

Contact Information

Jeffrey T. Hare, CPA CISA CIA

Cell: 970-324-1450

Office: 970-785-6455

Sales: Phil Reimann – [email protected]

Sales: 774-999-0527

E-mail: [email protected]

Websites: www.erpra.net, www.oubpb.com