Agenda
1. Course Objectives
2. Challenges of an Oracle ERP Audit
3. Oracle ERP Overview
4. PwC Audit Approach to Oracle
5. Segregation of Duties
6. Configurable Controls
Presented by:
1. Course Objectives
- Become familiar with Oracle terminology and concepts
- Understand the audit implications of Oracle and the PwC recommended approach to Oracle controls and security
- Recognize the implications of configurable controls (application controls), monitoring controls and general controls, including how to audit them
2. Challenges of an Oracle ERP Audit
Why audit?
Auditing will be done as part of:
- Statutory (external) audit
- Internal audit
- Process audit
Traditionally, controls were audited since:
- Volume of transactions (high volume, low value)
- Auditing around the system is not effective
Why audit?
New environment: Sarbanes-Oxley Sections 302 and 404 REQUIRE a controls audit
September 26/27/28, 2005
When to Audit
- Prior to reporting date
- Point in time
3. Oracle ERP Overview
Oracle Applications module map (recovered from a diagram):
- Projects: Project Costing, Project Billing, Personal Time & Expense, Activity Management Gateway, Project Connect
- Self-Service: Web Customers, Web Suppliers, Web Employees
- Applied Technology: Workflow, Alert (Business Agents), Applications Data Warehouse, EDI Gateway
- Supply Chain Management: Order Entry, Purchasing, Product Configurator, Supply Chain Planning, Supplier Scheduling, Inventory
Oracle Workflow
What does it do?
- Oracle Workflow automates standard business processes, allowing for transparency and a recorded history of process transactions
Who uses it?
- Workflow Specialist (configures workflow during install)
- End Users
- Workflow Administrator
Oracle Workflow
Most Commonly Used Seeded Workflows
- General Ledger: Journal Entry Approval
- iExpense: Expense Report Approvals; Terminated Employees
- Accounts Payable: Invoice Approval Process; Pay (Positive Pay) Message
- Receivables: Credit Memo Approvals; Credit Application Approval
- Order Management: Order and Return Processing; Schedule, ship and pack delivery
- Purchasing: Requisition and PO Document Approval; Auto Document Creation; Receipt Confirmation; Exceeding of Price/Receipt Tolerances
- Projects: Projects Approval; Project Accounting
- iTime: Timecard Approval
4. PwC Audit Approach to Oracle
Control structure (recovered from two diagrams)

Layers of the Oracle control structure:
- Oracle and Linked Systems
- Application controls: Application Security and Segregation of Duties; Application Change Control Management
- IT Infrastructure
- Business Processes controls: E-Commerce, Internal Interface Controls, Concurrent Process Controls, Integrity of Reporting, Business Continuity Planning, Shared Services, Information Integrity

Internal and External Control Structure:
- Upstream (External Controls): Suppliers, EDI, E-Commerce, Non-Linked Suppliers
- Interfaces / Data Feeds
- Oracle, Linked Systems and IT Infrastructure (Internal Controls)
- Interfaces / Data Feeds
- Business Processes (Internal Controls)
- Interfaces / Data Feeds
- Downstream (External Controls): Customers, EDI, E-Commerce, Non-Linked Suppliers

Controls reliance is achieved through a convergence of efficient systems and effective internal and external controls
Controlled processes (control types shown alongside: Inherent, Configurable, Custom, Manual):
- Access Controls - controls over access to business processes & transaction processing exist, are properly maintained & are managed by appropriate management within the organization
- Processing Controls - adequate controls are implemented (Inherent, Configurable, Manual and Customizable) to ensure data integrity
- Rejection Controls - edit and validation controls exist to ensure inappropriate data is rejected from processing, and monitoring controls exist to review rejected output
- E-Commerce - controls are adequately implemented
- Shared Services - issues and risks are mitigated through controlled processes
Application security
Managing Risk by Ensuring that Key Controls are Adequately Implemented Over APPLICATION SECURITY:
- Security Administration - managed by appropriate management within the organization
- Security Impact Assessment - on business processes and user environment
- Security Design - current and future needs are assessed and implemented with high priority in the controls environment
- Security Strategy/Approach - controls over the application to ensure unauthorized users cannot access the production environment
- Segregation of Duties - controls over business processes are adequate and implemented
- Security Functionality - comprehensively utilized and maintained
- On-going Security Administration - managed and maintained by appropriate management within the organization

(Diagram: Business Requirements shared between the Business Process Team, the Controls & Security Team and Oracle Apps Functionality)
Control layers (recovered from a diagram):
- Manual and monitoring controls
- Application Controls
- General Computer Controls
- Control Environment
How to ensure that the IPO (input, processing, output) is:
- Complete
- Accurate, and
- Valid
AND
- Restricted access = segregation of duties + security review
5. Segregation of Duties
What is Segregation of Duties (SOD)?
- The principle of separating incompatible functions from an individual
- Designed to prevent, rather than detect
- Reduces risk, as circumventing a well-designed SOD environment requires collusion
- SOD includes system-level segregation as well as segregation of manual processes
Segregation of Duties
What must be segregated?
- Record Keeping
- Custody of Assets
- Authorization
- Reconciliation
Segregation of Duties
In a practical way, SOD is enforced in Oracle through responsibilities!
- A responsibility defines a set of menu options and functions that are accessible to a user and defines reports and processes which may be run
- Responsibilities usually grant access to just one Oracle module, such as General Ledger or Accounts Payable
- A user can be assigned more than one responsibility
Segregation of Duties
Responsibility structure (recovered from a diagram): Main Menu -> Menus -> Forms; Security Rules -> Flexfield Values, Report Parameters
Manual processes (e.g. who has physical access to blank cheque stock)
SOD Matrix
A Segregation of Duties matrix is both a way to test and a way to document.
Segregation of Duties
Example finding #1
Observation: The Belgium Payables, Operations responsibility has the ability to:
- Enter Invoices (via Invoice Workbench)
- Enter / maintain vendors, and
- Process payments (via Payment Workbench, Payment Print Check and Payment Batches)
Risk: Users with these responsibilities can create themselves as vendors and process invoices and payments against such invoices to expropriate cash from the entity.
Recommendation: Remove the ability to process payments from this responsibility.
Note in this example that a compensating control may be the fact that 3-way matching is required and the Belgium Payables, Operations responsibility cannot process receipts and purchase orders.
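The SOD matrix idea and the Belgium Payables finding above, carried into a small check that is an added example and not part of the PwC deck: the responsibility, user and function names are constructed placeholders, and the script flags users whose combined responsibilities hold incompatible functions and tests whether the deck's 3-way-matching compensating control still holds for them.

```python
from itertools import combinations

# SOD matrix: pairs of incompatible functions (constructed; mirrors the deck's
# vendor / invoice / payment conflict).
SOD_MATRIX = {
    frozenset({"maintain_vendors", "enter_invoices"}),
    frozenset({"maintain_vendors", "process_payments"}),
    frozenset({"enter_invoices", "process_payments"}),
}

# Responsibility -> functions it grants (constructed sample data).
RESP_FUNCTIONS = {
    "Belgium Payables, Operations": {"enter_invoices", "maintain_vendors", "process_payments"},
    "Belgium Payables, Inquiry": {"view_invoices"},
    "Belgium Purchasing": {"enter_po", "process_receipts"},
}

# User -> assigned responsibilities (constructed); a user may hold several.
USER_RESPS = {
    "jdoe": {"Belgium Payables, Operations"},
    "asmith": {"Belgium Payables, Inquiry"},
    "bjones": {"Belgium Payables, Inquiry", "Belgium Purchasing"},
}

# Functions that would defeat the 3-way-match compensating control if held by
# the same person who can enter invoices and pay them.
MATCH_SIDE_FUNCTIONS = {"enter_po", "process_receipts"}

def user_functions(user):
    """Union of all functions reachable through the user's responsibilities."""
    funcs = set()
    for resp in USER_RESPS.get(user, ()):
        funcs |= RESP_FUNCTIONS.get(resp, set())
    return funcs

def sod_conflicts(user):
    """Sorted (function_a, function_b) pairs the user holds that the matrix forbids."""
    funcs = sorted(user_functions(user))
    return [(a, b) for a, b in combinations(funcs, 2) if frozenset((a, b)) in SOD_MATRIX]

def three_way_match_compensates(user):
    """True if mandatory 3-way matching can mitigate the user's conflicts: the user
    cannot also raise POs or process receipts, so an invoice needs a second person."""
    return not (user_functions(user) & MATCH_SIDE_FUNCTIONS)

def review_all_users():
    """Map every user with at least one SOD conflict to their conflict pairs."""
    return {u: sod_conflicts(u) for u in USER_RESPS if sod_conflicts(u)}
```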
Segregation of Duties
Potential traps with SOD reviews:
- Oracle standard menus / forms
- Custom PLLs (Oracle Forms PL/SQL libraries)
- Customised forms or functions
- IT users with superuser responsibilities
Segregation of Duties
Finally
The strength of the change control environment will impact the ability to rely on the baseline of segregation of duties and user access
6. Configurable controls
A configurable control is:
- Any setting in Oracle Apps that can be modified, and which can affect the operation of a function in Oracle Apps, for example:
  - Profile options
  - Transaction type settings
  - Financial options
  - Payment options
  - Invoice options
- Different from inherent controls, which are pre-programmed settings that are generally not overrideable or modifiable (e.g. quantity values not allowing non-numeric characters)
Configurable controls
- Create a process flow and narrative
- Identify key controls (including where users rely on Oracle Applications to automatically perform specific actions)
Questions

Thank you!