7/28/2019 Cost Management SIG Webinar ERPRA
Risk-Based Assessment of User Access Controls and Segregation of Duties for Companies Running Oracle Applications
Presented by:
Jeffrey T. Hare, CPA CISA CIA
Webinar Logistics
- Hide and unhide the Webinar control panel by clicking on the arrow icon on the top right of your screen
- The small window icon toggles between a windowed and full-screen mode
- Ask questions throughout the presentation using the questions window
- Questions will be reviewed and answered at the end of the presentation; I'll open the lines for interactive Q&A
2009 ERPS
Presentation Agenda
Overview:
- Introductions
- Deficiencies in Current Approaches to SOD
- Taking a Risk-Based Approach to User Access Controls
- Q&A
- Wrap Up
Introductions
Jeffrey T. Hare, CPA CISA CIA
- Founder of ERP Seminars and Oracle User Best Practices Board
- Author, Oracle E-Business Suite Controls: Application Security Best Practices
- Contributing author, Best Practices in Financial Risk Management
- Published in ISACA's Control Journal (twice) and ACFE's Fraud Magazine; frequent contributor to OAUG's Insight magazine
- Experience includes Big 4 audit, 6+ years in CFO/Controller roles, both as auditor and auditee
- In Oracle applications space since 1998, both as client and consultant
- Founder of Internal Controls Repository, a public domain repository
- Written various white papers on Internal Controls and Security Best Practices in an Oracle Applications environment
Taking a Risk-Based Approach to User Access Controls
Types of Risks:
- Segregation of duties: a user having two or more business processes that could result in compromise of the integrity of the process or allow that person to commit fraud
- Access to sensitive functions: a user having access to a function that, in and of itself, has risk
- Access to sensitive data: a user having access to sensitive data such as employee identification number (US = SSN), home addresses, credit card, bank account information, plus data unique to your company: customers, BOMs, routings ???
Risk Assessment Process
- Evaluate about 675 unique risks
- CS*Comply covers up to 20,000 function-based risks
Examples from R/A:
- Single function risks: being used with user exceptions (Menus), shouldn't be used (certain SQL forms, Quality Plans)
- SoD risks: never acceptable (Enter Journal Entries vs Journal Authorization Limits), acceptable for certain users (user exceptions: Enter Journal Entries vs Journal Sources)
2011 ERPRA
Deficiencies in Current Approaches to SOD Projects
Here are some common deficiencies in how companies are approaching SOD projects:
- Relying on seeded content of software providers
- Not taking a risk-based approach, considering current controls, in defining what risks are for their company
- Not considering all user access control risks: access to sensitive functions and access to sensitive data
- Always looking at risks as one function in conflict with another, rather than looking at real risks: single function and two functions
- Looking at SOX risks and ignoring some fraud risks below the materiality level and other operational risks
Taking a Risk-Based Approach to User Access Controls
Approach to Risk Assessment Project:
1. Identify access control conflicts
2. Identify risks associated with each conflict
3. Identify, analyze, and document mitigating controls related to each risk
4. Assess what is the residual risk after taking into account the mitigating controls
5. Discuss residual risks with management and assess their willingness to assume the risk
6. Document remediation steps for unmitigated risks
7. Document whether the conflict (single or combination of two) should be monitored in third party software
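The seven steps above, run end to end over a small access model, as an added example that is not part of the presentation and not the CS*Comply product's own logic. The responsibility, function and rule names (ENTER_JOURNALS, JOURNAL_AUTH_LIMITS, SOD-01, and so on) are hypothetical stand-ins, not real Oracle EBS function codes; the conflict matrix mirrors the two SoD examples from the earlier slide (Enter Journal Entries vs Journal Authorization Limits is never acceptable, Enter Journal Entries vs Journal Sources may carry a user exception) plus one single-function risk. A function reached only through a form opened with QUERY_ONLY=YES is treated as inquiry-only and does not count as update capability, and a user exception on a never-acceptable rule is ignored.

```python
"""Added example: a risk-based evaluation of user access against a conflict matrix.

All names below are constructed for illustration; they are not real EBS
function codes or a vendor's rule set.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Responsibility -> {form function: form parameters} (constructed sample data).
# A function reached only through a form opened with QUERY_ONLY=YES gives
# inquiry access, so it must not count as update capability in a conflict.
RESP_FUNCTIONS: Dict[str, Dict[str, str]] = {
    "GL Super User": {"ENTER_JOURNALS": "", "JOURNAL_AUTH_LIMITS": "", "JOURNAL_SOURCES": ""},
    "GL Inquiry": {"ENTER_JOURNALS": "QUERY_ONLY=YES"},
    "Quality Manager": {"QUALITY_PLANS": ""},
}
USER_RESPS: Dict[str, List[str]] = {
    "alice": ["GL Super User"],
    "bob": ["GL Inquiry", "Quality Manager"],
    "carol": ["GL Super User", "Quality Manager"],
}


@dataclass(frozen=True)
class Rule:
    rule_id: str
    functions: Tuple[str, ...]   # one function = single-function risk, two = SoD conflict
    risk: str                    # step 2: the risk the access exposes
    never_acceptable: bool       # True: management may not grant a user exception


RULES: List[Rule] = [
    Rule("SOD-01", ("ENTER_JOURNALS", "JOURNAL_AUTH_LIMITS"),
         "user can raise own authorization limit and post unreviewed journals", True),
    Rule("SOD-02", ("ENTER_JOURNALS", "JOURNAL_SOURCES"),
         "user can switch off approval on a journal source and post to it", False),
    Rule("SF-01", ("QUALITY_PLANS",),
         "form allows SQL in collection plan definitions", False),
]

# Step 3: documented mitigating controls per rule and their assessed effectiveness.
MITIGATING_CONTROLS: Dict[str, List[Tuple[str, str]]] = {
    "SOD-02": [("All journals are reviewed and approved", "effective")],
    "SF-01": [("Quarterly review of collection plan changes", "partial")],
}
# Step 5: risks management agreed to assume for named users (user exceptions).
# The exception for alice on SOD-01 is deliberately ignored: that rule is never acceptable.
USER_EXCEPTIONS: Set[Tuple[str, str]] = {("carol", "SOD-02"), ("bob", "SF-01"), ("alice", "SOD-01")}


def is_query_only(params: str) -> bool:
    """True when the form parameter string sets QUERY_ONLY=YES (case-insensitive)."""
    pairs = (p.split("=", 1) for p in params.split() if "=" in p)
    return any(k.strip().upper() == "QUERY_ONLY" and v.strip().upper() == "YES"
               for k, v in pairs)


def update_functions(user: str) -> Set[str]:
    """Functions the user can change data through, across all assigned responsibilities."""
    funcs: Set[str] = set()
    for resp in USER_RESPS.get(user, []):
        for fn, params in RESP_FUNCTIONS[resp].items():
            if not is_query_only(params):
                funcs.add(fn)
    return funcs


def residual_risk(rule_id: str) -> str:
    """Step 4: inherent risk reduced by the best documented mitigating control."""
    levels = [eff for _, eff in MITIGATING_CONTROLS.get(rule_id, [])]
    if "effective" in levels:
        return "low"
    return "medium" if levels else "high"


def assess_user(user: str) -> List[dict]:
    """Steps 1-7 for one user: one finding per triggered rule."""
    funcs = update_functions(user)
    findings = []
    for rule in RULES:
        if not set(rule.functions) <= funcs:          # step 1: is the conflict present?
            continue
        residual = residual_risk(rule.rule_id)
        excepted = (user, rule.rule_id) in USER_EXCEPTIONS and not rule.never_acceptable
        if excepted:
            disposition = "accepted"                  # step 5: management assumed the risk
        elif residual == "low":
            disposition = "monitor"                   # step 7: watch it in a monitoring tool
        else:
            disposition = "remediate"                 # step 6: document remediation
        findings.append({
            "rule": rule.rule_id,
            "risk": rule.risk,
            "residual_risk": residual,
            "disposition": disposition,
            "remediation": (f"remove access to one of {', '.join(rule.functions)} or add an effective control"
                            if disposition == "remediate" else None),
            "monitor_in_tool": disposition != "remediate",
        })
    return findings


def dispositions(user: str) -> Dict[str, str]:
    """Rule id -> disposition for a user; convenient for reporting and tests."""
    return {f["rule"]: f["disposition"] for f in assess_user(user)}


if __name__ == "__main__":
    for u in USER_RESPS:
        for f in assess_user(u):
            print(u, f["rule"], f["residual_risk"], f["disposition"], f["remediation"] or "")
```

Running it shows bob with only the accepted single-function risk (his ENTER_JOURNALS access is query-only, so no SoD rule fires), alice with SOD-01 to remediate despite the recorded exception, and carol with SOD-02 accepted but SOD-01 and SF-01 still open.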
Taking a Risk-Based Approach to User Access Controls
In our experience, a completed risk assessment process exposes the following needs:
- An SOD monitoring tool (or one with a preventive workflow)
- Requirements for a trigger-based detailed audit trail
- Various monitoring reports or processes not provided by Oracle
- The need to personalize forms to support defined controls
- Custom workflows to automate controls where Oracle's functionality is deficient
- Process and/or controls changes
- Documentation and testing of non-key controls
- Access control / security changes
- Additional projects and research that need to be done (customizations, profile options, updating BR100s, BR110s, etc.)
Responding to Auditors
- Have them identify the risk(s) that are inherent in the access or SOD
- Evaluate controls that may be in place to mitigate the risks identified
Examples:
- All journals are reviewed and approved
- Financial close processes
- Budget to actual analysis / forecast to actual
- Variance analysis: PPV, IPV
- Reconciliation of inventory balances to GL account
- Review stale inventory
- Cycle counting / physical inventories
- Downgrade key controls to standard / non-key based on risk: reduce audit scope / rely more on entity level controls
Access Controls / R12 tips
- Take advantage of MOAC to reduce the number of responsibilities across operating units / inventory orgs
- Use the QUERY_ONLY=Yes parameter to generate inquiry-only forms (make sure they are tested thoroughly)
- Refresh Prod to non-Prod and allow more liberal access for replication of issues and trouble-shooting
- Use trigger-based auditing solutions to generate a detailed audit trail of changes to key control configurations / critical changes to item master / etc.
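What a trigger-based audit trail on a key control configuration looks like, and why it matters for the detective controls discussed on the "Responding to Auditors" slide, as an added example that is not from the presentation or any vendor's auditing tool. SQLite (Python's standard library) stands in for the database, and the journal_sources table with its require_approval flag is a constructed stand-in rather than Oracle's own table; the change events applied to it are constructed as well. The point the example makes is that a flag switched off and then switched back on is invisible in the current row and only the trigger-written shadow table records it.

```python
"""Added example: a trigger-based audit trail on a key control configuration.

SQLite stands in for the database; the journal_sources table and its columns
are a constructed stand-in, not Oracle's GL tables, and the changes are sample data.
"""
import sqlite3
from typing import List, Tuple

SCHEMA = """
CREATE TABLE journal_sources (
    source_name       TEXT PRIMARY KEY,
    require_approval  TEXT NOT NULL CHECK (require_approval IN ('Y', 'N')),
    last_updated_by   TEXT NOT NULL
);
-- Shadow table: every row change is recorded with before/after values.
CREATE TABLE journal_sources_audit (
    audit_id      INTEGER PRIMARY KEY AUTOINCREMENT,
    changed_at    TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ', 'now')),
    action        TEXT NOT NULL,
    source_name   TEXT NOT NULL,
    old_approval  TEXT,
    new_approval  TEXT,
    changed_by    TEXT NOT NULL
);
CREATE TRIGGER journal_sources_ai AFTER INSERT ON journal_sources BEGIN
    INSERT INTO journal_sources_audit (action, source_name, old_approval, new_approval, changed_by)
    VALUES ('INSERT', NEW.source_name, NULL, NEW.require_approval, NEW.last_updated_by);
END;
CREATE TRIGGER journal_sources_au AFTER UPDATE ON journal_sources BEGIN
    INSERT INTO journal_sources_audit (action, source_name, old_approval, new_approval, changed_by)
    VALUES ('UPDATE', NEW.source_name, OLD.require_approval, NEW.require_approval, NEW.last_updated_by);
END;
-- On delete the row carries no "deleted by" value; a real auditing tool takes the
-- acting user from session context. Here the last known updater is recorded instead.
CREATE TRIGGER journal_sources_ad AFTER DELETE ON journal_sources BEGIN
    INSERT INTO journal_sources_audit (action, source_name, old_approval, new_approval, changed_by)
    VALUES ('DELETE', OLD.source_name, OLD.require_approval, NULL, OLD.last_updated_by);
END;
"""


def build_demo_db() -> sqlite3.Connection:
    """In-memory database with constructed sample changes applied through the triggers."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO journal_sources VALUES ('Manual', 'Y', 'SYSADMIN')")
    conn.execute("INSERT INTO journal_sources VALUES ('Spreadsheet', 'Y', 'SYSADMIN')")
    # carol switches approval off for Spreadsheet and later switches it back on:
    # the current row ends up looking untouched.
    conn.execute("UPDATE journal_sources SET require_approval = 'N', last_updated_by = 'carol' "
                 "WHERE source_name = 'Spreadsheet'")
    conn.execute("UPDATE journal_sources SET require_approval = 'Y', last_updated_by = 'carol' "
                 "WHERE source_name = 'Spreadsheet'")
    conn.execute("DELETE FROM journal_sources WHERE source_name = 'Manual'")
    conn.commit()
    return conn


def audit_trail(conn: sqlite3.Connection) -> List[Tuple]:
    """Every recorded change, oldest first."""
    return conn.execute(
        "SELECT action, source_name, old_approval, new_approval, changed_by "
        "FROM journal_sources_audit ORDER BY audit_id").fetchall()


def approval_disabled_events(conn: sqlite3.Connection) -> List[Tuple[str, str]]:
    """Detective report: every time approval was switched off, even if later reverted."""
    return conn.execute(
        "SELECT source_name, changed_by FROM journal_sources_audit "
        "WHERE action = 'UPDATE' AND old_approval = 'Y' AND new_approval = 'N' "
        "ORDER BY audit_id").fetchall()


def current_approval(conn: sqlite3.Connection, source_name: str) -> str:
    """The flag as a point-in-time review of the configuration would see it."""
    row = conn.execute("SELECT require_approval FROM journal_sources WHERE source_name = ?",
                       (source_name,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_demo_db()
    for event in audit_trail(db):
        print(event)
    print("approval switched off:", approval_disabled_events(db))
    print("Spreadsheet now:", current_approval(db, "Spreadsheet"))
```

A point-in-time review of the configuration shows Spreadsheet with approval required and would pass; the report over the shadow table still surfaces the window in which approval was off and who changed it, which is the evidence a reviewer needs to tie the change back to the journals posted in that window.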
Recap / Wrap Up
Resources
- Application Security Best Practices Book: 2nd edition due out Jan 2012
- Launching partially-public domain conflict matrix in conjunction with 2nd edition of book (common elements will be included in Apps Security BP book)
- Oracle E-Business Suite Controls: Financial Close Cycle, due out April 2012, focusing on design and implementation of controls and security related to Financial Close Cycle
Links
- Recorded webinars: http://www.erpra.net/WebinarAccessForm.html
- Blog: http://jeffreythare.blogspot.com/
- Video blog: http://www.youtube.com/ERPSeminars
- Oracle Internal Controls and Security listserver (public domain/open group): http://tech.groups.yahoo.com/group/OracleSox/?yguid=192922351
Links
- Oracle Apps Internal Controls Repository (end users only / closed group): http://tech.groups.yahoo.com/group/oracleappsinternalcontrols/?yguid=440489739
- LI Oracle GRC group: http://www.linkedin.com/groups?gid=2017790
- LI Oracle ERP Auditors group: http://www.linkedin.com/groups?gid=2354934
ERP Risk Advisory Services
- Project audit / QA: we'll work under the direction of your PMO or Internal Audit to provide project audit or quality assurance, whether the work is done internally or through a system integrator. In this role, we typically bring in other experts from companies like Integrigy, Solution Beacon, FSCP Solutions, and Colibri to be a part of our team.
- Security upgrade/implementation: we'll upgrade your security from 11i to R12, adding new functionality in R12 while reducing upgrade risk by minimizing the use of standard sub-menus and using custom menus for all custom responsibilities. We'll also help you implement role-based access control (RBAC) or help you to prepare for the implementation of RBAC, depending on the maturity of your organization.
- Controls upgrade: we'll review your risk and control library, making sure all risks have been identified and recommending an adequate level of controls; we'll look at what are defined as key controls and make recommendations to downgrade to non-key, where possible, to reduce audit fees; we'll also make recommendations on how to automate various controls.
ERP Risk Advisory Services
- Security and Controls monitoring: both security and controls need to be monitored on an on-going basis as changes are introduced in your system. We'll help identify the processes and, perhaps, software that needs to be put in place for proper monitoring.
- Building of system-based audit trails: we'll evaluate your current trigger-based auditing and make recommendations on what should be added or changed. If you aren't using a trigger-based auditing tool, we'll recommend one that fits your budget and help you implement it.
- Enhancement of change management (CM) controls: we'll review and recommend enhancements to your change control process to better protect the integrity of your data and business processes. We'll focus on all four different aspects of CM (development, patching, security, and configurations) and help you implement a quality assurance program to monitor the effectiveness of your CM process.
ERP Risk Advisory Services
- Implementation of user access controls software: we'll design and implement preventive and detective controls related to Segregation of Duties, single function risks, and sensitive data risks. This is best done in conjunction with the upgrade of your security.
- Implementation of data security software: we'll implement a security solution that locks down access to sensitive data both at the application and database levels. This software is more flexible and cost effective than implementing encryption, where it is not provided by Oracle.
Q & A
Best Practices Caveat
The Best Practices cited in this presentation have not been validated with your external auditors nor has there been any systematic study of industry practices to determine they are in fact Best Practices for a representative sample of companies attempting to comply with the Sarbanes-Oxley Act of 2002 or other corporate governance initiatives mentioned. The Best Practice examples given here should not substitute for accounting or legal advice for your organization and provide no indemnification from fraud, material misstatements in your financial statements, or control deficiencies.
Contact Information
Jeffrey T. Hare, CPA CISA CIA
Cell: 970-324-1450
Office: 970-785-6455
Sales: Phil [email protected]
Sales: 774-999-0527 E-mail: [email protected]
Websites: www.erpra.net, www.oubpb.com