
Improving Internal Controls While Saving Time & Money

A CaoSys White Paper


August 2010

Contents

Introduction
Overview
Internal Controls
    Segregation of Duties – Manual Review
    Building an Audit Trail – Standard Audit
    Data Security
Improving Internal Controls and Saving Time & Money
    Handling SOD with CS*Comply
    Effective Auditing with CS*Audit
    Data Segregation with CS*Secure
Conclusion
The CaoSys Solution Suite

Reviewers:
The author would like to gratefully acknowledge the following, who helped review this paper…

CEO, ERP Risk Advisors


Jeffrey T. Hare, CPA CISA CIA
Industry Analyst, Author, Audit Trail Evangelist
Senior Technical Director, Miro Consulting
Sam Alapati
Industry Expert and Author
Finance Programme Manager, NHS
Khalil Rehman, NLP (MPrac) MCIPS, PMP,OCP
CEO, Oracle Experts
Lewis Hopkins Product Manager, Q Software

© 2010 CaoSys Limited. Page 2 of 16



Introduction

Read the title of this paper again…

Improving Internal Controls While Saving Time and Money

What the title suggests is just not possible, is it?

How can you make something better and yet save your organization
time as well as money?

In this paper we will discuss 3 common GRC related topics that are
applicable to organizations using Oracle E-Business Suite. We will also
demonstrate how you can improve your internal controls while saving
time and money.

This paper is part 1 of 2; our second paper in the “Save Time &
Money” series will concentrate on improving core reporting in Oracle
E-Business Suite while saving time and money.


Overview

Oracle E-Business Suite is a collection of integrated applications that
can offer its users a full 360 degree view of their business. The suite
contains a vast array of functions and processes along with a colossal
amount of data stored in the underlying database.

Organizations that use Oracle E-Business Suite commonly endure very
similar issues when it comes to a number of activities, including (but
not limited to)…

• Segregation of Duties – Controlling access to functions within
  Oracle EBS
• Auditing – Ensuring a proper and effective audit trail is in place
  for key controls/setups, master data and some transactional data
• Security – Controlling data access and supplementing Oracle’s
  function-based security

Almost all organizations will at some point need to address SOD,
auditing and security. The need for solutions in this area is often
dictated by legislation or financial risk/loss due to fraud.

While Oracle EBS includes a number of features to help overcome
some of the above issues, what is available out of the box does not
provide a complete or effective solution. Most organizations will, at
some point, need to fulfil their requirements and objectives by other
means.

Now more than ever organizations are questioning why they should
invest in any software at a time when the global economic climate is
feeling the pinch of a bearish market. During these tough times,
application/data security and accountability are even more crucial.
Electing for what may seem an initially less costly route is more often
than not a false economy since it will not fully meet the business
needs and it will not save time or money.

The decision to invest in application audit tools is often taken too late,
in many cases 2 to 3 years after an organisation has invested heavily
in their enterprise applications. The audit profession should be
insisting that all implementations are supported by suitable audit
/GRC tools as part of the original investment.

This paper briefly discusses some of the problems inherent in dealing
with these issues and it goes on to discuss how you can improve your
internal controls while saving your organization time and money.


Internal Controls

There are certain activities that your organization may need to
undertake that take time to complete, such as quarterly or annual
audits of application access and the auditing of key
controls/configurations. These kinds of processes are typically
conducted by external audit firms.

Internal controls are methods and policies designed to prevent fraud,
minimize errors, promote operating efficiency, and achieve compliance
with established policies.

The tightening legislation around financial controls and reporting and
the myriad of compliance frameworks that organizations often need
to adhere to (PCI, PII, SOX…etc) is making it more and more difficult
to satisfy your auditors (in a timely fashion). There is an increasing
burden to prove that you are taking the appropriate steps to ensure
financial integrity and accountability as well as mitigating as much as
possible the risk of fraud and human error. If your internal controls
are not sufficient then not only is your organization more vulnerable
to financial loss by way of fraudulent activity but the internal controls
audit you will have to undergo will be a lengthy and likely very costly
process.

Many organizations try to ease the pain of the audit process and
mitigate risk by implementing a number of solutions, two of the more
common are…

• Manually reviewing user access at responsibility (role) level on
  a quarterly or annual basis
• Enabling the built-in audit trail that is included with Oracle EBS

The problem with both of the above is that while they are certainly
better than doing nothing, they don’t solve any part of the problem at
hand. Neither will do a very good job of preventing fraud from taking
place and neither will fully satisfy your auditors that you are taking
the appropriate steps to improve your internal controls. So you will
still be susceptible to fraud and your audit process will still be lengthy
and costly.

Segregation of Duties – Manual Review

Manually reviewing user access at a given interval is one way to deal
with Segregation of Duties. This allows you to take the time to review
what each user has access to and then to take appropriate action to
remove access where required. As stated above, it is certainly better
than doing nothing but it is essentially a flawed process for many
reasons…


• Oracle E-Business is very complex; it consists of hundreds of
  responsibilities/roles and many thousands of functions which
  are likely to be spread across hundreds if not thousands of
  different menus. Attempting to review which functions each
  user can access is an almost insurmountable task even with a
  modest number of users. Most organizations typically only
  review access at the responsibility/role level. For this approach
  to stand any chance of being even slightly effective there is a
  reliance on good responsibility and menu design, which in itself
  is difficult to achieve. Moreover, reviewing user access at
  responsibility level will not take into account any changes to
  the responsibility/menu design. Furthermore, reviewing at this
  level is not granular enough since many risks from an SOD
  perspective are likely to be intra-responsibility.
• Performing a manual review for each responsibility is a time
  consuming task even for a relatively small number of users.
  Let’s assume you have 400 users and that reviewing access at
  responsibility level takes you a week to complete (a very
  optimistic estimate); now imagine how long it will take if you
  have 4,000 users.
• A manual review is something that can practically only be
  done once every few months, perhaps quarterly or even
  annually, so at the time of the review you will have what is
  effectively an inaccurate picture of who can do what, because the
  review does not take into account all the access changes that
  take place between reviews. It merely provides a very narrow
  picture at a given point in time.
• A manual review is in no way a pro-active approach to dealing
  with SOD. Manually reviewing access cannot provide you with
  the preventive controls you really need to ensure
  SOD is effective.
• The deliverables from a manual review will probably be
  severely lacking in almost every area, mainly because
  you are not reviewing SOD risks at the correct level. The
  reporting you get from a manual review will make it difficult
  for you to determine where to start with your
  remediation/user provisioning processes.
• …and many more

Segregation of Duties (SOD) has as its primary objective the
prevention of fraud and errors. This objective is achieved by
separating the tasks and associated privileges for a specific business
process among multiple users.

Manually reviewing user access at function level is practically
impossible due to the sheer volume of data that needs to be
reviewed and so most organizations will settle for a review at
responsibility/role level.
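The point of the preceding section is that SOD risk lives at the function level, and that a responsibility-level review cannot see a conflict when both conflicting functions sit inside one responsibility. The following added example (not CaoSys code, and not how CS*Comply is implemented) shows what a function-level scan actually does: it expands user → responsibility → menu → function, evaluates a rule set of conflicting function pairs plus single high-risk functions, and records for each finding whether the conflict is intra-responsibility. The users, responsibilities, menus, functions and rule IDs are all constructed for the illustration, and the access model is deliberately simplified (real Oracle EBS menus nest and carry function exclusions, which this ignores).

```python
"""
Function-level Segregation of Duties (SOD) scan over a small, constructed
Oracle EBS-style access model.  Added illustration only; all names below
are invented and the menu model is simplified.
"""

# Constructed access model: user -> responsibilities, responsibility -> menus,
# menu -> functions.  Note that AP_CLERK alone grants two functions that
# conflict with each other (an intra-responsibility risk).
USER_RESPS = {
    "ALICE": {"AP_CLERK"},
    "BOB":   {"AP_CLERK", "AP_MANAGER"},
    "CAROL": {"AP_SUPERUSER"},
}
RESP_MENUS = {
    "AP_CLERK":     {"AP_INVOICES_MENU"},
    "AP_MANAGER":   {"AP_PAYMENTS_MENU"},
    "AP_SUPERUSER": {"AP_INVOICES_MENU", "AP_PAYMENTS_MENU", "AP_SUPPLIERS_MENU"},
}
MENU_FUNCTIONS = {
    "AP_INVOICES_MENU":  {"AP_ENTER_INVOICE", "AP_APPROVE_INVOICE"},
    "AP_PAYMENTS_MENU":  {"AP_CREATE_PAYMENT"},
    "AP_SUPPLIERS_MENU": {"AP_MAINTAIN_SUPPLIER", "AP_ENTER_INVOICE"},
}

# Constructed SOD rule set: conflicting function pairs, plus functions that
# are a risk on their own (the paper distinguishes both kinds).
SOD_RULES = {
    "SOD-001": ("AP_ENTER_INVOICE", "AP_APPROVE_INVOICE"),
    "SOD-002": ("AP_ENTER_INVOICE", "AP_CREATE_PAYMENT"),
    "SOD-003": ("AP_MAINTAIN_SUPPLIER", "AP_CREATE_PAYMENT"),
}
HIGH_RISK_FUNCTIONS = {"AP_MAINTAIN_SUPPLIER"}


def user_functions(user):
    """Expand user -> responsibilities -> menus -> functions.  Returns
    {function: {responsibilities granting it}} so that every finding can be
    traced back to the responsibility (or responsibilities) that caused it."""
    granted = {}
    for resp in USER_RESPS.get(user, ()):
        for menu in RESP_MENUS.get(resp, ()):
            for fn in MENU_FUNCTIONS.get(menu, ()):
                granted.setdefault(fn, set()).add(resp)
    return granted


def scan_user(user):
    """Return the findings for one user.  Each finding records the rule, the
    functions involved, the responsibilities granting them, and whether the
    conflict exists inside a single responsibility (which a responsibility-
    level review can never detect)."""
    granted = user_functions(user)
    findings = []
    for rule_id, (fn_a, fn_b) in SOD_RULES.items():
        if fn_a in granted and fn_b in granted:
            via_a, via_b = granted[fn_a], granted[fn_b]
            findings.append({
                "user": user, "rule": rule_id, "functions": (fn_a, fn_b),
                "via": (sorted(via_a), sorted(via_b)),
                "intra_responsibility": bool(via_a & via_b),
            })
    for fn in sorted(HIGH_RISK_FUNCTIONS & set(granted)):
        findings.append({"user": user, "rule": "HIGH-RISK", "functions": (fn,),
                         "via": (sorted(granted[fn]),),
                         "intra_responsibility": True})
    return findings


def scan_all():
    """Scan every user; returns {user: findings} for users with findings."""
    report = {u: scan_user(u) for u in USER_RESPS}
    return {u: f for u, f in report.items() if f}


if __name__ == "__main__":
    for user, findings in scan_all().items():
        for f in findings:
            print(user, f["rule"], " + ".join(f["functions"]),
                  "(intra-responsibility)" if f["intra_responsibility"] else "")
```

On the constructed data, ALICE holds only AP_CLERK yet already violates SOD-001, which is exactly the case a responsibility-level review reports as clean; BOB's second conflict spans two responsibilities, which is the only kind such a review could catch. A real scan would also have to honour menu nesting and function exclusions, and would be run continuously rather than at a quarterly review.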

This kind of user access review is time consuming, expensive and
ineffective and it does little to prevent fraud and little to satisfy
auditors that you have the appropriate internal controls. Ultimately, it
does not save your organization time or money.

Building an Audit Trail – Standard Audit

Having a detailed audit trail is essential for any business regardless of
whether or not you need to comply with any particular regulations or
legislation.

Quite often, organizations neglect to implement a proper audit trail
until it is dictated to them by one of the following…

• Legislation requires that they have an audit trail
• Auditors insist that they have an audit trail
• Financial risk or loss by way of fraud

An audit trail should ideally be put in place during the implementation
of your applications but in most cases it is an afterthought.

At whatever point you determine that an audit trail is needed you will
no doubt explore the built-in audit trail that is part of Oracle E-
Business Suite.

The audit functionality provided out of the box does allow you to
create an audit trail on any part of the Oracle E-Business Suite but it
is lacking in many areas, including (but not limited to)…

• It is not fine grained or rule driven. You don’t have control
  over exactly what is audited on a given table or when,
  which can lead to audit overkill, which is a major problem in its
  own right.
• It cannot pull in additional metadata at the time of audit. This
  can mean the data captured in the audit trail is not easy to
  understand.
• It is awkward to use. The user interface is clunky and hard to
  use.
• Audit reporting is not adequate.
• It offers no means to allow you to maintain documentary
  evidence against the audit trail of reviews and approvals.
• It does not allow for real-time notifications to be sent when a
  given audit transaction is generated – no means of pro-active
  monitoring.
• It does not help you know “what” you audit. There is no pre-
  seeded content available for use with the standard audit
  functionality.

Implementing the standard audit functionality within Oracle EBS is
better than no audit trail but it is lacking in many areas.


So in a similar fashion to the flaws with a manual SOD review, the
standard audit trail does not really help you solve the problems at
hand. It remains extremely difficult to ensure you have an effective
audit trail which will go towards saving your organization time and
money during your audit processes. Neither will it ensure effective
accountability to help mitigate against the risks of fraud.
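Three of the shortcomings listed above are design properties rather than features: rules that decide what is captured and when, metadata captured at audit time so the record is readable later, and a notification hook for pro-active monitoring. The following added example (not CaoSys code, and not a description of how CS*Audit or the Oracle EBS audit trail works internally) models a change-capture layer with those three properties and runs four constructed before/after changes through it. The table names, column names, rules and sample rows are all constructed for the illustration.

```python
"""
Rule-driven audit capture with metadata enrichment and notification.
Added illustration only; rules, tables, columns and sample rows are
constructed, not taken from any product or from Oracle EBS.
"""
from datetime import datetime, timezone

# Each rule names a table, the columns whose change is worth recording, a
# predicate on the before/after rows, and whether to notify immediately.
AUDIT_RULES = [
    {"table": "AP_SUPPLIER_SITES", "columns": {"BANK_ACCOUNT_NUM"},
     "when": lambda old, new: True, "notify": True},
    {"table": "FND_USER", "columns": {"END_DATE"},
     "when": lambda old, new: new.get("END_DATE") is None,   # re-activation only
     "notify": True},
    {"table": "AP_INVOICES", "columns": {"INVOICE_AMOUNT"},
     "when": lambda old, new: abs(new["INVOICE_AMOUNT"] - old["INVOICE_AMOUNT"]) >= 10000,
     "notify": False},
]

# Constructed reference data used to enrich records at audit time, so the
# trail says "Acme Widgets Ltd" rather than only VENDOR_ID=101.
SUPPLIER_NAMES = {101: "Acme Widgets Ltd"}


def lookup_metadata(table, row):
    """Metadata that is cheap to resolve now and expensive to reconstruct
    months later during an audit review."""
    if table == "AP_SUPPLIER_SITES":
        return {"supplier_name": SUPPLIER_NAMES.get(row.get("VENDOR_ID"), "?")}
    return {}


class AuditTrail:
    def __init__(self, rules, metadata_lookup, notifier):
        self.rules = rules
        self.metadata_lookup = metadata_lookup
        self.notifier = notifier        # called for rules with notify=True
        self.records = []

    def record_change(self, table, old, new, session):
        """Evaluate every rule for `table` against a before/after row pair.
        Returns the audit records written for this change (possibly none)."""
        written = []
        for rule in self.rules:
            if rule["table"] != table:
                continue
            changed = {c for c in rule["columns"] if old.get(c) != new.get(c)}
            if not changed or not rule["when"](old, new):
                continue    # untracked column, or predicate not met: no noise
            rec = {
                "table": table,
                "key": new.get("ID"),
                "changes": {c: (old.get(c), new.get(c)) for c in sorted(changed)},
                "captured_at": datetime.now(timezone.utc).isoformat(),
                "session": dict(session),   # who, under which responsibility
                **self.metadata_lookup(table, new),
            }
            self.records.append(rec)
            written.append(rec)
            if rule["notify"]:
                self.notifier(rec)
        return written


def demo():
    """Run four constructed changes through the trail; returns (records, notifications)."""
    notifications = []
    trail = AuditTrail(AUDIT_RULES, lookup_metadata, notifications.append)
    session = {"user": "BOB", "responsibility": "AP_MANAGER"}
    # 1. bank account changed on a supplier site: recorded and notified
    trail.record_change("AP_SUPPLIER_SITES",
        {"ID": 5001, "VENDOR_ID": 101, "BANK_ACCOUNT_NUM": "11110000"},
        {"ID": 5001, "VENDOR_ID": 101, "BANK_ACCOUNT_NUM": "99990000"}, session)
    # 2. city changed on the same table: not a watched column, nothing written
    trail.record_change("AP_SUPPLIER_SITES",
        {"ID": 5001, "VENDOR_ID": 101, "BANK_ACCOUNT_NUM": "99990000", "CITY": "Leeds"},
        {"ID": 5001, "VENDOR_ID": 101, "BANK_ACCOUNT_NUM": "99990000", "CITY": "York"}, session)
    # 3. small invoice amount change: watched column, but below the threshold
    trail.record_change("AP_INVOICES",
        {"ID": 7, "INVOICE_AMOUNT": 500.0}, {"ID": 7, "INVOICE_AMOUNT": 650.0}, session)
    # 4. user account re-activated (END_DATE cleared): recorded and notified
    trail.record_change("FND_USER",
        {"ID": 42, "END_DATE": "2010-01-31"}, {"ID": 42, "END_DATE": None}, session)
    return trail.records, notifications


if __name__ == "__main__":
    records, notes = demo()
    for rec in records:
        print(rec["table"], rec["key"], rec["changes"], rec.get("supplier_name", ""))
    print(len(notes), "notification(s) raised")
```

Two of the four changes produce records and both raise notifications; the other two are filtered by the column list and the predicate respectively, which is the "audit overkill" problem the standard trail is criticised for. In a real deployment the capture point would be a database trigger or equivalent rather than an explicit call, so that changes made outside the application forms are also seen.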

Data Security

When we talk about data security, we are referring to securing the
actual data within the Oracle E-Business Suite rather than the security
around application access. Whereas SOD deals with the separation of
processes and tasks, data security goes beyond this to allow for the
separation and hiding of data.

Oracle E-Business Suite has a number of built-in features that allow
you to implement data segregation and hiding, here are a few you
may be aware of…

• Multi-Organization Access Control (MOAC)
• HR Security Profiles
• Forms Personalization

The above features basically allow you to segregate data within
Oracle E-Business Suite based on some predefined context such as
Organization; or in other words it is a means of ensuring only the
appropriate users can see data that is applicable to them. Also, these
features secure data only when accessed through Oracle EBS; they do
not take into account scenarios where the data is being accessed
outside of the applications (i.e. through tools such as SQL*Plus, TOAD,
Discoverer, custom applications).

However, Oracle E-Business Suite does not come with any generic
means of implementing your own data segregation or data hiding
internal controls. As such, when you need to segregate data based on
some other context then you have no choice but to look for an
alternative solution.

There are several frameworks and a whole myriad of rules and
regulations surrounding the concept of data segregation and without
an effective solution at hand then ensuring compliance is going to be
difficult, time consuming and costly.


Improving Internal Controls and Saving Time & Money

A question we are asked all the time is…

“So how does the CaoSys Solution Suite help us improve our internal
controls?”

The answer is simple, we provide several tools that can automate
your existing manual processes as well as greatly improve on those
where some level of automation has already been implemented.

When we answer the above question, the very next question is
often…

“Okay great, so you can improve our internal controls but in the
current economic climate how can you help our organization save
time and money?”

The CaoSys Solution suite consists of several modules all designed and
built specifically for Oracle E-Business Suite. Those modules related to
SOD, audit and security are…

CS*Comply – Segregation of Duties (SOD)/Access Controls
CS*Audit – For building an effective audit trail
CS*Secure – Data segregation/hiding based security controls

CS*Applications is available for Oracle EBS 11i and R12.

The CaoSys Solution Suite, referred to as CS*Applications, is a fully
integrated suite that is completely embedded into Oracle E-Business
Suite.

We will now take a quick look at each of these modules to see how
your internal controls can be greatly improved as well as how you
save time and money.

Handling SOD with CS*Comply

If you need to deal with Segregation of Duties, then as discussed
earlier, you really need to handle the problem at the process/task
level (function level) and the only way to do this is through software
automation. CS*Comply provides all the tools you need to be able to
effectively identify all SOD conflicts within your system and also to
handle them accordingly.

Not only can CS*Comply help you report on where all your SOD
conflicts are, it can also help you prevent new conflicts from being
created moving forward, thus it offers a much more pro-active
approach to dealing with the risks.

Furthermore, CS*Comply not only helps you handle what might be
considered traditional SOD, which is where one function conflicts with
another, but it goes much further than this to allow you to deal with
application access to functions that present a risk in their own right
(high risk single functions).

On a system with 400 users or 4,000 users, you would never be able
to effectively handle SOD without automation, because you would
never be able to complete the task of reviewing all user access at
process/task (function) level. Using CS*Comply this is very simple and
very fast; based on a predefined rule set (or your own SOD rule set),
our conflict scanning engine can process millions of access
combinations in just a matter of minutes.

All modules within CS*Applications have a native Oracle EBS look and
feel, which can help users feel at home when using the tools.

Utilising CS*Comply to identify your SOD conflicts is something that
can be done as an on-going process, whereas a manual process
is merely a point-in-time process, maybe once or twice a year. The
built-in reporting and analysis tools allow you to gain valuable insight
into why your SOD conflicts exist and help you with your user
provisioning and remediation processes.

CS*Comply includes many features and functionality to simplify the
process and make it more effective. From the powerful and fast SOD
scanning engine, the built-in exception system, the notification
engine, the conflict workbench for detailed analysis and drill down, to
the SOD trend analysis, everything is included to make sure you can
deal with SOD quickly and efficiently.

CS*Comply includes multiple preventive controls to help ensure your
applications remain free from SOD violations moving forward.

There are a number of solutions available for dealing with SOD in
Oracle E-Business Suite but none offer the ease of use, the tight
integration or the power that CS*Comply offers. Many other solutions
require additional hardware and software. CS*Comply is embedded
into Oracle EBS and requires no additional hardware or software.

When considering the total cost of ownership, you need to take into
account every aspect of what a given solution requires, from software
licensing, to hardware requirements to training requirements, to
installation to implementation and on-going support. CS*Comply can
help ensure that the TCO is kept down through…

• Very competitive software licensing
• No additional hardware/software requirements
• Reduced training
• Very rapid installation
• Reduced implementation

CS*Comply is also available with our pre-seeded content pack which
can further help you save time and money. Our content pack contains
all the required Oracle EBS function mappings and hundreds of SOD
rules which cover tens of thousands of known risks within the Oracle
E-Business Suite.

Our optional content packs (referred to as Enterprise Packs or
E*Packs) have been developed in collaboration with ERP Risk Advisors,
an industry thought leader in best practices and content-creation for
internal controls and security in Oracle EBS environments.

The bottom line is that using CS*Comply addresses all of the
requirements and objectives and does not suffer from any of the
problems of the manual review process…

• Greatly reduces the risk of fraud
• Satisfies auditors that you are taking the appropriate steps to
  mitigate against inappropriate access
• Speeds up the SOD audit process considerably
• Allows you to be pro-active when dealing with SOD risks
• Saves your organization time and money

Effective Auditing with CS*Audit

As discussed earlier, you may already be using the standard audit
functionality that is included out of the box with Oracle EBS or
perhaps you are only just coming around to the idea that you need to
build an effective audit trail. Whatever your position, CS*Audit has
been designed from the ground up to be easy to use while also
ensuring that your auditors will be satisfied and that your organization
has accountability.

CS*Audit addresses all of the shortfalls in the standard audit trail…

• Fine grained auditing so that you have complete control over
  what goes into the audit trail and when.
• The ability to pull additional metadata into the audit trail.
• Easy to use user interface.
• Powerful and very easy to use audit trail reporting tools.
• The ability to maintain documentary evidence of audit
  approvals and reviews directly against the audit trail.
• Built-in real-time notification engine to allow you to do
  proactive monitoring of changes.
• Available with our pre-seeded content pack to help you know
  “what” to audit.

Just as with CS*Comply, when you come to do your quarterly or
annual audit, CS*Audit ensures that you can quickly and easily satisfy
your auditors that you have implemented appropriate internal
controls to ensure complete accountability. Your audit process is likely
to be a much smoother and less costly process and you are also likely
to help mitigate the risk of financial loss by way of fraudulent activity.

Since CS*Audit is part of the CaoSys Suite, it is also embedded into
Oracle EBS and does not require any additional hardware or software,
which further helps ensure the TCO is kept to a minimum.

Data Segregation with CS*Secure

There could be many reasons why you need to segregate or hide your
data within Oracle E-Business Suite, these could include…

• To ensure you can comply with various national and
  international data protection regulations.
• To ensure personal data is not visible without appropriate
  authority.
• To ensure that sensitive data is not visible without appropriate
  authority.
• To ensure that high risk data is not visible without appropriate
  authority.

One approach some organizations take to solving this problem is to
identify all the areas where the data can be accessed and then
implement a custom solution to segregate/hide the data in a given
scenario. This approach does not provide a practical, efficient or even
an effective solution since there could literally be hundreds of places
within an application (or even outside of the application) where the
data in question can be accessed. Opting for this kind of solution is
likely to take a huge amount of technical development along with just
as much testing, then once you have the finished solution the on-
going support requirements are likely to be just as time consuming
and costly.

CS*Secure can help you implement your data security requirements
with relative ease since it allows for the creation of security policies that
are database wide. In other words a policy is applicable to every form,
report, process, etc. that accesses the data. This allows you to
implement one policy and everything will take it into account –
even “backdoor” access is protected, along with access via tools other
than Oracle E-Business Suite (i.e. Discoverer, ApEx, TOAD, Custom
Applications…etc).

CS*Secure can be used to implement 3 different types of security…


• Data Segregation – The ability to actually segregate (or
  partition) data based on any given context.
• Data Hiding – The ability to hide only specific items of data in
  any given context.
• Data Protection – The ability to help ensure data is rendered
  read-only in any given context.
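The distinction the text draws is between re-implementing a filter in every form and report versus attaching one policy to the data so that every access path (application forms, reports, ad-hoc query tools) goes through it. The following added example (not CaoSys code, and not how CS*Secure is built) models that single enforcement point in Python with the three control types just listed: a segregation policy that filters rows by the caller's organisation, a hiding policy that masks specific columns, and a protection policy that makes matching rows read-only. The employee rows, column names and context fields are constructed; a real implementation would live in the database so that tools connecting directly to it are covered too.

```python
"""
One policy, every access path: row segregation, column hiding and
read-only protection applied at a single enforcement point.
Added illustration only; data, columns and contexts are constructed.
"""


class PolicyViolation(Exception):
    """Raised when a write is blocked by a segregation or protection policy."""


class SecuredTable:
    """Wraps a row store; every read and write passes through the policies,
    so a form, a report and an ad-hoc query all see the same result."""

    def __init__(self, rows):
        self._rows = [dict(r) for r in rows]
        self.policies = []

    def add_policy(self, kind, applies_to, **spec):
        # kind: "segregate" (row filter), "hide" (column mask), "protect" (read-only)
        # applies_to: ctx -> bool, decides whether the policy is active for a caller
        self.policies.append({"kind": kind, "applies_to": applies_to, **spec})

    def _active(self, ctx, kind):
        return [p for p in self.policies if p["kind"] == kind and p["applies_to"](ctx)]

    def select(self, ctx):
        """Read path: rows failing any active segregation predicate are not
        returned at all; hidden columns are replaced by a mask value."""
        out = []
        for row in self._rows:
            if not all(p["predicate"](row, ctx) for p in self._active(ctx, "segregate")):
                continue
            masked = dict(row)
            for p in self._active(ctx, "hide"):
                for col in p["columns"]:
                    if col in masked:
                        masked[col] = p.get("mask", "***")
            out.append(masked)
        return out

    def update(self, ctx, row_id, **changes):
        """Write path: a caller cannot update a row it cannot see, and
        protect policies make matching rows read-only for that caller."""
        if row_id not in {r["ID"] for r in self.select(ctx)}:
            raise PolicyViolation(f"row {row_id} is not visible in this context")
        row = next(r for r in self._rows if r["ID"] == row_id)
        for p in self._active(ctx, "protect"):
            if p["predicate"](row, ctx):
                raise PolicyViolation(f"row {row_id} is read-only in this context")
        row.update(changes)
        return dict(row)


# Constructed HR data: two UK employees (one a leaver) and one French employee.
EMPLOYEES = [
    {"ID": 1, "NAME": "A. Smith", "ORG": "UK", "SALARY": 52000, "NI_NUMBER": "QQ123456C", "STATUS": "ACTIVE"},
    {"ID": 2, "NAME": "B. Jones", "ORG": "UK", "SALARY": 61000, "NI_NUMBER": "QQ654321A", "STATUS": "LEAVER"},
    {"ID": 3, "NAME": "C. Dupont", "ORG": "FR", "SALARY": 58000, "NI_NUMBER": None, "STATUS": "ACTIVE"},
]


def build_secured_employees():
    """Attach the three policy types to the constructed employee table."""
    t = SecuredTable(EMPLOYEES)
    # Segregation: anyone without the GLOBAL context sees only their own organisation
    t.add_policy("segregate", lambda ctx: ctx["org"] != "GLOBAL",
                 predicate=lambda row, ctx: row["ORG"] == ctx["org"])
    # Hiding: salary and national insurance number are masked unless the caller is HR
    t.add_policy("hide", lambda ctx: ctx["role"] != "HR",
                 columns=("SALARY", "NI_NUMBER"))
    # Protection: leavers' records are read-only for everyone except HR
    t.add_policy("protect", lambda ctx: ctx["role"] != "HR",
                 predicate=lambda row, ctx: row["STATUS"] == "LEAVER")
    return t


def violates(fn, *args, **kwargs):
    """True if the call is blocked by a policy, False if it succeeds."""
    try:
        fn(*args, **kwargs)
        return False
    except PolicyViolation:
        return True


if __name__ == "__main__":
    table = build_secured_employees()
    uk_manager = {"org": "UK", "role": "MANAGER"}
    for row in table.select(uk_manager):
        print(row)
    print("update leaver as manager blocked:", violates(table.update, uk_manager, 2, NAME="x"))
```

Note that the data itself is never altered by the policies: the mask is applied to the copy handed back to the caller, which is the property the next paragraph contrasts with encryption-based approaches.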

A key factor when considering whether CS*Secure is suitable for your
organization’s data security requirements is the fact that it does not
physically alter the data in any way; the data itself is left untouched,
which helps ensure the integrity of the data is maintained. Other
solutions offer data encryption technology but this is often misused or
misunderstood, since the only time you should really encrypt
production/live data (other than perhaps things like credit card details
and passwords) is to protect your organization’s data from loss or
theft. To protect against this you should consider encrypting data “at-
rest” using any of Oracle’s built-in data encryption technologies such
as Transparent Data Encryption (TDE), which physically encrypts the
data as it is written to disk and then decrypts data as it is accessed.

Since CS*Secure is part of the CaoSys Suite, it is also embedded into
Oracle EBS and does not require any additional hardware or software,
which further helps ensure the TCO is kept to a minimum.

Whilst not specific to quarterly or annual audits as such, the
capabilities offered by CS*Secure can help your organization save
time and money by ensuring that you can comply with regulation and
satisfy management that your data is protected, and it helps you
implement the business’s security requirements and meet its
objectives in a timely and cost effective fashion.


Conclusion

In conclusion, we have discussed some common issues that most
organizations that have implemented Oracle E-Business Suite face,
including dealing with Segregation of Duties, implementing an effective
audit trail and data security. It is fair to say that the majority of Oracle
EBS users will at some point in the life of their applications need to
address one or more of these kinds of issues.

Several options are available and different organizations take
different approaches but in most cases some level of software
automation is needed to ensure that the business requirements are
satisfied.

Given the current economic climate, many organizations are
understandably very reluctant to spend any money on new software
projects; however, this paper demonstrates that for some organizations
“doing something” is mandatory. If the right choices are made now
then some capital expenditure today can ultimately save time and
money in the medium to long term.

The CaoSys Solution Suite offers cost and time effective solutions to
all of these issues as well as offering various other productivity
solutions that can also save a great deal of time and money.

More information about the solutions discussed in this paper as well
as our other solutions can be found online at www.caosys.com.


The CaoSys Solution Suite

CS*Applications consists of several integrated modules that have all
been designed and built specifically for Oracle E-Business Suite and that
offer solutions to many day to day problems that users of the suite
face.

CS*Comply – Segregation of Duties (SOD)/Access Controls
CS*Audit – For building an effective audit trail
CS*Secure – Data segregation/hiding based security controls
CS*Form – Our flagship productivity solution for building core
    reporting extensions for Oracle EBS as well as building application
    extensions and mini-applications. We refer to CS*Form as an
    Extreme-RAD tool
CS*Accelerate – Our solution for implementing intra-form internal
    controls and augmentations as well as complex navigational
    enhancements
CS*Enquire – An embedded, ad-hoc data query tool for building,
    sharing and running queries.

CS*Applications delivers multiple capabilities…

How to Improve Internal Controls and Save Time & Money
August 2010
Author: Craig O'Neill

Email: info@CaoSys.com
Website: www.CaoSys.com

Copying in any form is strictly prohibited without prior written consent of CaoSys Limited.

Copyright © 1999 - 2010 CaoSys Limited. All rights reserved.

Various product and service names mentioned are trademarks of CaoSys Limited. Oracle and Oracle E-Business Suite are trademarks or registered
trademarks of Oracle Corporation. Any other names are used for references only and may be trademarks of their respective owners.
