
Auditing Oracle ERP

ISACA Fall Conference September 2005

Agenda
1. Course Objectives
2. Challenges of an Oracle ERP Audit
3. Oracle ERP Overview
4. PwC Audit Approach to Oracle
5. Segregation of Duties
6. Configurable Controls

September 26/27/28, 2005

Presented by:

1. Course Objectives
- Become familiar with Oracle terminology and concepts
- Understand the audit implications of Oracle and the PwC recommended approach to Oracle controls and security
- Recognize the implications of configurable controls (application controls), monitoring controls and general controls, including how to audit them


2. Challenges with an Oracle ERP Audit
- Recognizing control implications of Oracle ERP
- Understanding the significant changes to business processes
- Keeping up with changing risks
- Identifying critical risk components of Oracle
- Maintaining effective test plans
- Updating the knowledge and skills required to audit


Why audit?
Auditing will be done as part of:
- Statutory (external) audit
- Internal audit
- Process audit

Traditionally, controls were audited because:
- Volume of transactions (high volume, low value)
- Auditing around the system is not effective


Why audit?
New environment: Sarbanes-Oxley Sections 302 and 404 REQUIRE a controls audit

When to Audit
- Prior to reporting date
- During the year
- Point in time


3. Oracle ERP overview
(Slide diagram: Oracle Applications module map, grouped by product family)

Human Resources: Payroll, Human Resources, Training Administration, Time Management, Advanced Benefits
Finance: General Ledger, Financial Analyzer, Cash Management, Payables, Receivables, Fixed Assets
Manufacturing: Engineering, Bills of Material, Master Scheduling / MRP, Capacity, Work in Process, Quality, Cost Management, Process Manufacturing (OPM), Rhythm Factory Planning, Rhythm Advanced Scheduling, Project Manufacturing, Flow Manufacturing
Front Office / CRM: Marketing (3 modules), Sales (5 modules), Service (5 modules), Call Center (5 modules)
Projects: Project Costing, Project Billing, Personal Time & Expense, Activity Management Gateway, Project Connect
Self-Service: Web Customers, Web Suppliers, Web Employees
Applied Technology: Workflow, Alert (Business Agents), Applications Data Warehouse, EDI Gateway
Supply Chain Management: Order Entry, Purchasing, Product Configurator, Supply Chain Planning, Supplier Scheduling, Inventory

Oracle workflow
What does it do? Oracle Workflow automates standard business processes, allowing for transparency and a recorded history of process transactions.
Who uses it?
- Workflow Specialist (configures workflow during install)
- End Users
- Workflow Administrator

Audit Impacts of Workflow
- Workflow allows customization
- Testing entails review or tracing
- Workflow processes can be forced through (SOD: function and workflow administrator access)


Oracle Workflow and Oracle Alerts
What's the difference?
Oracle Alerts
- Static, one-way transmission of information alerting someone to a change of already existing data
- Alerts must be built
- Similar to an FYI notification in Workflow
Workflow
- Customizable process flows are available
- Hierarchy, timeout, and escalation features
- Can prevent an action

Oracle Workflow
Most Commonly Used Seeded Workflows
- General Ledger: Journal Entry Approval
- iExpense: Expense Report Approvals; Terminated Employees
- Accounts Payable: Invoice Approval Process; Pay (Positive Pay) Message
- Receivables: Credit Memo Approvals; Credit Application Approval
- Order Management: Order and Return Processing; Schedule, ship and pack delivery
- Purchasing: Requisition and PO Document Approval; Auto Document Creation; Receipt Confirmation; Exceeding of Price/Receipt Tolerances
- Projects: Projects Approval; Project Accounting
- iTime: Timecard Approval


4. PwC approach to Oracle
(Slide diagram: layers of the controls model, from the controls environment down to the technical infrastructure)

Controls Environment: Business and Industry Risks; Regulatory and Compliance requirements; Internal and External Reporting and Audit
System of Internal & External Controls: ORACLE, Linked Systems, IT Infrastructure, Business Processes
Application controls: Application Security and Segregation of Duties; Application Change Control Management
Business Processes: Business Process Controls; E-Commerce; Internal Interface Controls; Concurrent Process Controls; Integrity of Reporting; Business Continuity Planning; Shared Services; Information Integrity
Technical Infrastructure: General Access; Technology Integrity; Data Warehousing and Reporting Controls; Security Guidelines; Disaster Recovery Planning
Legacy/Bolt-Ons: Bolt-On Security; Interface Controls; Conversion Processes and Controls; Information Integrity

Control structure
Internal and External Control Structure
(Slide diagram: upstream and downstream parties connected to Oracle through interfaces and data feeds)

Upstream: Suppliers, EDI, E-Commerce (External Controls), connected via Interfaces / Data Feeds
Core: ORACLE, Linked Systems, IT Infrastructure, Business Processes (Internal Controls), connected via Interfaces / Data Feeds
Downstream: Customers, EDI, E-Commerce (External Controls), connected via Interfaces / Data Feeds
Non-Linked Suppliers

Controls reliance is achieved through a convergence of efficient systems and effective internal and external controls.

Business Process controls
- Access Controls: controls over access to business processes & transaction processing exist, are properly maintained & are managed by appropriate management within the organization
- Processing Controls: adequate controls are implemented (Inherent, Configurable, Manual and Customizable) to ensure data integrity
- Rejection Controls: edit and validation controls exist to ensure inappropriate data is rejected from processing, and monitoring controls exist to review rejected output
- E-Commerce: controls are adequately implemented
- Shared Services: issues and risks are mitigated through controlled processes
(Slide diagram: Controlled Processes, built from Inherent, Configure, Custom and Manual controls)

Application security
Managing risk by ensuring that key controls are adequately implemented over APPLICATION SECURITY:
- Security Administration: managed by appropriate management within the organization
- Security Impact Assessment: on business processes and user environment
- Security Design: current and future needs are assessed and implemented with a high-priority controls environment
- Security Strategy/Approach: controls over the application to ensure unauthorized users cannot access the production environment
- Segregation of Duties: controls over business processes are adequate and implemented
- Security Functionality: comprehensively utilized and maintained
- On-going Security Administration: managed and maintained by appropriate management within the organization
(Slide diagram labels: Business Process Team; Controls & Security Team; Oracle Apps Functionality; Control Requirements & Oracle Security Expertise; Oracle Apps (User Responsibility Profiles); Change Management (Stakeholder); Business Requirements)

Auditing Oracle Applications
Audit mindset:
- Least privilege basis
- Prevention is better than cure
- What could go wrong?
Factors that affect the amount of testing:
- Objective of the audit
- Level of reliance on the system
- Level of manual controls (that may compensate)

Risk Based Approach: Identification of Controls to Test
- First year (SOX) results have indicated that more controls were identified, documented and tested than necessary
- Only need to document and test controls over relevant assertions related to significant accounts (i.e., only those controls that provide evidence that the control objective is met)
- Need to understand the interaction between preventive and detective controls
- Need to identify the points at which errors or fraud could occur and then identify the controls that prevent or detect the errors or fraud

Auditing an Oracle Environment
Oracle Applications audit:
- Segregation of duties
- Configurable controls review
General Computer Controls audit:
- Information security
- Computer operations
- Existing system maintenance
- New system development and implementation


General Computer Controls
Where do General Computer Controls fit in?
(Slide diagram: layers of control: Manual and monitoring controls; Application Controls; General Computer Controls; Control Environment)


Application Controls Review
An application controls audit consists of:
- Input: what information is going in?
- Process: what is being done to the information?
- Output: what information comes out?

How to ensure that the IPO is:
- Complete
- Accurate, and
- Valid, AND
- Restricted access = segregation of duties + security review


5. Segregation of Duties
What is Segregation of Duties (SOD)?
- The principle of separating incompatible functions from an individual
- Designed to prevent, rather than detect
- Reduces risk, as circumventing a well designed SOD environment requires collusion
- SOD includes system level segregation as well as segregation of manual processes

Segregation of Duties
What must be segregated?
- Record Keeping
- Custody of Assets
- Authorization
- Reconciliation


Segregation of Duties
In a practical way, SOD is enforced in Oracle through responsibilities!
- A responsibility defines a set of menu options and functions that are accessible to a user and defines reports and processes which may be run
- Responsibilities usually grant access to just one Oracle module, such as General Ledger or Accounts Payable
- A user can be assigned more than one responsibility


Segregation of Duties
(Slide diagram: the Oracle Applications security model)

Applications User (User Name, Password)
  -> Responsibility
       -> Main Menu -> Menu -> Forms
       -> Request Security Group -> Reports, Request Sets, Concurrent Programs
       -> Security Rules -> Flexfield Values, Report Parameters

SOD and user review
Segregation of duties and user review involves testing of:
- Responsibility assignments (which responsibilities are given to which users); this will include:
  - Generic users (e.g. AP_LOGIN)
  - Seeded responsibilities
  - Default logins (e.g. AP/AP, OPERATIONS/WELCOME)
- User addition, removal, modification and monitoring


SOD and user review
- Cross-module SOD involves reviewing incompatible functions across applications (e.g. an AP user with general ledger responsibilities)
- Responsibility name is usually a factor
- Dormant user review
- Periodic cleanup of users
- Password length, strength, timeout


SOD and user review
- Responsibility design (which functions are given to a specific responsibility)
- Request Groups and Report access
- Manual processes (e.g. who has physical access to blank cheque stock)


SOD and user review
A responsibility design and user assignment review may leverage:
- Custom tool / script
- Oracle standard reports (limited information, hard to manipulate):
  - Active responsibilities
  - Active users
  - Users of a responsibility
  - Function security function report
  - Function security menu report

SOD and user review
- Oracle audit history reports:
  - Sign-on audit concurrent requests report
  - Sign-on audit forms report
  - Sign-on audit responsibilities report
  - Sign-on audit unsuccessful logon report
  - Sign-on audit users report
- Ability to audit specific tables, objects or actions
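The user review items above (dormant users, generic and default logins, and the sign-on audit unsuccessful logon report) can be tested together once the report output is extracted. The following is an added example, not a PwC tool or an Oracle report: all user rows, dates, account names and failed-logon events are constructed sample data in the shape an auditor would pull from the sign-on audit users and unsuccessful logon reports, and the 90-day dormancy threshold is an assumed policy value.

```python
"""User review checks over extracted sign-on audit data: dormant users,
default or generic accounts still active, and repeated unsuccessful logons.

Added example with constructed data; not output from any real system.
"""
from collections import Counter
from datetime import date

AS_OF = date(2005, 9, 26)      # review date (constructed)
DORMANT_DAYS = 90              # assumption: policy threshold for dormancy

# Default logins and generic users named on the slides (constructed list; a
# site's own list comes from its build and security documentation).
DEFAULT_LOGINS = {"AP", "OPERATIONS"}
GENERIC_SUFFIX = "_LOGIN"

# Constructed rows in the shape of the "Sign-on audit users" report.
USERS = [
    {"user_name": "JSMITH",     "last_logon": "2005-09-20", "end_date": None},
    {"user_name": "MDUPONT",    "last_logon": "2005-04-01", "end_date": None},
    {"user_name": "AP_LOGIN",   "last_logon": "2005-09-25", "end_date": None},
    {"user_name": "OPERATIONS", "last_logon": None,         "end_date": None},
    {"user_name": "OLDUSER",    "last_logon": "2004-12-01", "end_date": "2005-01-31"},
]

# Constructed rows in the shape of the "Sign-on audit unsuccessful logon"
# report: (timestamp, user name attempted).
FAILED_LOGONS = [
    ("2005-09-25 08:01", "MDUPONT"), ("2005-09-25 08:02", "MDUPONT"),
    ("2005-09-25 08:02", "MDUPONT"), ("2005-09-25 08:03", "MDUPONT"),
    ("2005-09-25 08:05", "MDUPONT"),
    ("2005-09-25 09:10", "JSMITH"),
    ("2005-09-25 22:40", "OPERATIONS"), ("2005-09-25 22:41", "OPERATIONS"),
    ("2005-09-25 22:41", "OPERATIONS"),
]


def _to_date(value):
    """Parse an ISO date string; empty values mean 'not set'."""
    return date.fromisoformat(value) if value else None


def active_users(users, as_of=AS_OF):
    """Users with no end date, or an end date still in the future."""
    return [u for u in users
            if _to_date(u["end_date"]) is None or _to_date(u["end_date"]) > as_of]


def dormant_users(users, as_of=AS_OF, days=DORMANT_DAYS):
    """Active users with no logon within `days`; never-logged-on counts as dormant."""
    dormant = []
    for u in active_users(users, as_of):
        last = _to_date(u["last_logon"])
        if last is None or (as_of - last).days > days:
            dormant.append(u["user_name"])
    return sorted(dormant)


def default_or_generic_accounts(users, as_of=AS_OF):
    """Active accounts that are seeded default logins or shared generic logins."""
    return sorted(u["user_name"] for u in active_users(users, as_of)
                  if u["user_name"] in DEFAULT_LOGINS
                  or u["user_name"].endswith(GENERIC_SUFFIX))


def repeated_failed_logons(events, threshold=3):
    """User names with at least `threshold` unsuccessful logons in the extract."""
    counts = Counter(user for _ts, user in events)
    return {user: n for user, n in counts.items() if n >= threshold}


def review(users=USERS, events=FAILED_LOGONS, as_of=AS_OF):
    """Run all checks. A dormant or default account that is also the target of
    repeated failed logons is listed separately as a high-priority item."""
    dormant = set(dormant_users(users, as_of))
    generic = set(default_or_generic_accounts(users, as_of))
    failed = repeated_failed_logons(events)
    return {
        "dormant": sorted(dormant),
        "default_or_generic": sorted(generic),
        "repeated_failed_logons": failed,
        "high_priority": sorted((dormant | generic) & set(failed)),
    }


if __name__ == "__main__":
    for key, value in review().items():
        print(f"{key}: {value}")
```

End-dated users are excluded before the dormancy test so that the cleanup step (removing or end-dating leavers) is credited, and an account that has never logged on is treated as dormant rather than skipped, since that is exactly the seeded or forgotten account the review is meant to surface.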

SOD Matrix
Segregation of Duties matrix: a way to test, a way to document


Segregation of Duties
Example finding (slide table with columns #, Observation, Risk, Recommendation)

# 1
Observation: The Belgium Payables, Operations responsibility has the ability to:
- Enter invoices (via Invoice Workbench)
- Enter / maintain vendors, and
- Process payments (via Payment Workbench, Payment Print Check and Payment Batches)
Risk: Users with these responsibilities can create themselves as vendors and process invoices and payments against such invoices to expropriate cash from the entity.
Recommendation: Remove the ability to process payments from this responsibility.

Note in this example that a compensating control may be the fact that 3-way matching is required and the Belgium Payables, Operations responsibility cannot process receipts and purchase orders.
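The SOD matrix described above and the finding just shown can be mechanised as a small script of the "custom tool / script" kind the earlier slide mentions. What follows is an added example and not PwC's tool, an Oracle report, or the actual Belgium configuration: the responsibility names, user names, function labels and conflict pairs are constructed sample data shaped after the finding, and the script assumes the function security and user/responsibility reports have already been flattened into the two dictionaries shown. It separates a responsibility design defect (one responsibility grants both halves of an incompatible pair) from an assignment defect (the pair is only reachable because one user holds several responsibilities), which is the cross-module case from the user review slides.

```python
"""Segregation-of-duties check over responsibility-to-function and
user-to-responsibility data against an SOD matrix.

Added example with constructed data; not a PwC or Oracle artefact.
"""

# Responsibility -> functions it grants (constructed; models a function
# security menu report flattened to function names).
RESP_FUNCTIONS = {
    "Belgium Payables, Operations": {
        "Enter Invoices", "Enter / Maintain Vendors", "Process Payments",
    },
    "Belgium Payables, Inquiry": {"View Invoices"},
    "General Ledger Super User": {"Enter Journals", "Post Journals"},
    "Purchasing, Buyer": {"Enter Purchase Orders"},
    "Receiving": {"Enter Receipts"},
}

# User -> responsibilities assigned (constructed; models the active users and
# users-of-a-responsibility reports).
USER_RESPS = {
    "JSMITH": ["Belgium Payables, Operations"],
    "AP_LOGIN": ["Belgium Payables, Inquiry", "General Ledger Super User"],
    "MDUPONT": ["Purchasing, Buyer", "Receiving", "Belgium Payables, Inquiry"],
}

# SOD matrix as pairs of incompatible functions (constructed; in practice the
# matrix is agreed with the business and is itself the audit documentation).
SOD_MATRIX = [
    frozenset({"Enter Invoices", "Process Payments"}),
    frozenset({"Enter / Maintain Vendors", "Process Payments"}),
    frozenset({"Enter / Maintain Vendors", "Enter Invoices"}),
    frozenset({"Enter Purchase Orders", "Enter Receipts"}),
    frozenset({"Enter Journals", "Post Journals"}),
]


def functions_for_user(user, user_resps=USER_RESPS, resp_functions=RESP_FUNCTIONS):
    """Map each function the user can reach to the responsibilities granting it."""
    reach = {}
    for resp in user_resps.get(user, []):
        for func in resp_functions.get(resp, set()):
            reach.setdefault(func, set()).add(resp)
    return reach


def responsibility_conflicts(matrix=SOD_MATRIX, resp_functions=RESP_FUNCTIONS):
    """Responsibility design review: responsibilities that by themselves grant
    an incompatible pair. These are defects in the responsibility, whoever holds it."""
    out = {}
    for resp, funcs in resp_functions.items():
        pairs = sorted(tuple(sorted(p)) for p in matrix if p <= funcs)
        if pairs:
            out[resp] = pairs
    return out


def conflicts_for_user(user, matrix=SOD_MATRIX, user_resps=USER_RESPS,
                       resp_functions=RESP_FUNCTIONS):
    """User assignment review: incompatible pairs one user can exercise, either
    from a single responsibility or only by combining several (cross-module SOD)."""
    reach = functions_for_user(user, user_resps, resp_functions)
    found = []
    for pair in matrix:
        if not pair.issubset(reach):
            continue
        a, b = sorted(pair)
        found.append({
            "functions": (a, b),
            # True: some single responsibility grants both (fix the responsibility).
            # False: only this user's combination of responsibilities does
            # (fix the assignment).
            "within_one_responsibility": bool(reach[a] & reach[b]),
            "via": sorted(reach[a] | reach[b]),
        })
    return sorted(found, key=lambda c: c["functions"])


def sod_report(user_resps=USER_RESPS):
    """Conflicts per user; users with no conflict are omitted."""
    report = {}
    for user in sorted(user_resps):
        conflicts = conflicts_for_user(user, user_resps=user_resps)
        if conflicts:
            report[user] = conflicts
    return report


if __name__ == "__main__":
    for resp, pairs in responsibility_conflicts().items():
        print(f"Responsibility design: {resp}: {pairs}")
    for user, conflicts in sod_report().items():
        for c in conflicts:
            kind = ("within one responsibility" if c["within_one_responsibility"]
                    else "cross-responsibility")
            print(f"{user}: {c['functions'][0]} + {c['functions'][1]} ({kind}, via {c['via']})")
```

The script only identifies where the matrix is breached; whether a compensating control such as mandatory 3-way matching reduces the finding is a judgement recorded against the observation, not something the tool decides. Custom PLLs and customised forms that the function security reports do not describe will not appear in the data either, which is the trap the later slide warns about.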

Segregation of Duties
Potential traps with SOD reviews:
- Oracle standard menus / forms
- Custom PLLs
- Customised forms or functions
- IT users with superuser responsibilities


Segregation of Duties
Finally:
- Baseline testing of user access is a critical step
- The strength of the change control environment will impact the ability to rely on the baseline of segregation of duties and user access


6. Configurable controls
A configurable control is any setting in Oracle Apps that can be modified, and which can affect the operation of a function in Oracle Apps:
- Profile options
- Transaction type settings
- Financial options
- Payment options
- Invoice options
Different from inherent controls, which are pre-programmed settings that are generally not overrideable or modifiable (e.g. quantity values not allowing non-numeric characters)

Configurable controls
- Create a process flow and narrative
- Identify key controls (including where users rely on Oracle Applications to automatically perform specific actions)
- Test the controls identified


Questions


Thank you!
