Cost Management SIG Webinar ERPRA


  • 7/28/2019 Cost Management SIG Webinar ERPRA

    1/23

    Risk-Based Assessment of User Access Controls and Segregation of Duties for Companies Running Oracle Applications

    Presented by:

    Jeffrey T. Hare, CPA CISA CIA


    2/23

    Webinar Logistics

    2009 ERPS

    Hide and unhide the Webinar control panel by clicking on the arrow icon on the top right of your screen.

    The small window icon toggles between a windowed and fullscreen mode.

    Ask questions throughout the presentation using the questions window.

    Questions will be reviewed and answered at the end of the presentation; I'll open the lines for interactive Q&A.


    3/23

    Presentation Agenda

    Overview:

    Introductions

    Deficiencies in Current Approaches to SOD

    Taking a Risk-Based Approach to User Access Controls

    Q&A

    Wrap Up


    4/23

    Introductions: Jeffrey T. Hare, CPA CISA CIA

    Founder of ERP Seminars and Oracle User Best Practices Board

    Author, Oracle E-Business Suite Controls: Application Security Best Practices

    Contributing author, Best Practices in Financial Risk Management

    Published in ISACA's Control Journal (twice) and ACFE's Fraud Magazine; frequent contributor to OAUG's Insight magazine

    Experience includes Big 4 audit, 6+ years in CFO/Controller roles, both as auditor and auditee

    In Oracle applications space since 1998, both as client and consultant

    Founder of Internal Controls Repository, a public domain repository

    Written various white papers on Internal Controls and Security Best Practices in an Oracle Applications environment


    5/23

    Taking a Risk-Based Approach to User Access Controls

    Types of Risks:

    Segregation of duties: a user having two or more business processes that could result in compromise of the integrity of the process or allow that person to commit fraud

    Access to sensitive functions: a user having access to a function that, in and of itself, has risk

    Access to sensitive data: a user having access to sensitive data such as employee identification number (US: SSN), home addresses, credit card and bank account information, plus data unique to your company (customers, BOMs, routings, etc.)


    6/23

    Risk Assessment Process: evaluate about 675 unique risks

    CS*Comply covers up to 20,000 function-based risks

    Examples from the risk assessment (R/A):

    Single function risks: some are used with user exceptions (Menus); some should not be used at all (certain SQL forms, Quality Plans)

    SoD risks: some are never acceptable (Enter Journal Entries vs Journal Authorization Limits); some are acceptable for certain users via user exceptions (Enter Journal Entries vs Journal Sources)

    2011 ERPRA


    7/23

    Deficiencies in Current Approaches to SOD Projects

    Here are some common deficiencies in how companies are approaching SOD projects:

    Relying on seeded content of software providers

    Not taking a risk-based approach, considering current controls, in defining what the risks are for their company

    Not considering all user access control risks: access to sensitive functions and access to sensitive data

    Always looking at risks as one function in conflict with another, rather than looking at the real risks: single function and two functions

    Looking at SOX risks and ignoring some fraud risks below the materiality level and other operational risks


    8/23

    Taking a Risk-Based Approach to User Access Controls

    Approach to Risk Assessment Project:

    1. Identify access control conflicts

    2. Identify risks associated with each conflict

    3. Identify, analyze, and document mitigating controls related to each risk

    4. Assess what the residual risk is after taking into account the mitigating controls

    5. Discuss residual risks with management and assess their willingness to assume the risk

    6. Document remediation steps for unmitigated risks

    7. Document whether the conflict (single or combination of two) should be monitored in third party software
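    The seven steps above, run end to end over a small constructed security model, as an added example (this is not code from the presentation, from ERPRA or from any product the deck names). It flattens user to responsibility to menu to function the way Oracle E-Business Suite resolves access, including nested sub-menus and responsibility-level function exclusions, then applies the three risk classes from the Risk Assessment Process slide: SoD pairs that are never acceptable, SoD pairs accepted for named users via user exceptions, and single functions that should not be granted. Every user, responsibility, menu, function label, rule, inherent score, control strength and the risk appetite threshold is assumed for illustration.

```python
"""Risk-based user access assessment: flatten Oracle-style security
(user -> responsibility -> menu -> function), match the result against
SoD and single-function rules with user exceptions, net mitigating controls
against inherent risk, and decide what to accept, monitor or remediate.

Added example; not code from the presentation, from ERPRA or from any
product named on the page. Every user, responsibility, menu, function label,
rule, score, control strength and the risk appetite threshold is assumed.
"""
from dataclasses import dataclass

# Constructed security model shaped like Oracle E-Business Suite.
USER_RESPS = {                     # user -> responsibilities
    "jsmith": ["GL Superuser"],
    "mlee":   ["GL Journal Entry", "GL Setup"],
    "apatel": ["GL Journal Entry", "Quality Admin"],
    "rdiaz":  ["GL Inquiry"],
}
RESP_MENUS = {                     # responsibility -> (root menu, excluded functions)
    "GL Superuser":     ("GL_SUPER_MENU", set()),
    "GL Journal Entry": ("GL_JOURNALS_MENU", set()),
    "GL Setup":         ("GL_SETUP_MENU", {"Journal Authorization Limits"}),
    "GL Inquiry":       ("GL_INQ_MENU", set()),
    "Quality Admin":    ("QA_MENU", set()),
}
MENUS = {                          # menu -> (functions, sub-menus)
    "GL_SUPER_MENU":    (set(), ["GL_JOURNALS_MENU", "GL_SETUP_MENU"]),
    "GL_JOURNALS_MENU": ({"Enter Journal Entries", "View Journals"}, []),
    "GL_SETUP_MENU":    ({"Journal Sources", "Journal Authorization Limits"}, []),
    "GL_INQ_MENU":      ({"View Journals"}, []),
    "QA_MENU":          ({"Define Quality Plans"}, []),
}


@dataclass(frozen=True)
class Rule:
    rule_id: str
    functions: tuple        # one function = single-function risk, two = SoD conflict
    risk: str
    inherent: int           # assumed 1 (low) .. 5 (high) scale
    exceptions: frozenset = frozenset()   # users for whom this access is accepted


RULES = [
    Rule("SOD-01", ("Enter Journal Entries", "Journal Authorization Limits"),
         "can raise own approval limit, then enter and post journals", 5),
    Rule("SOD-02", ("Enter Journal Entries", "Journal Sources"),
         "can switch off approval on a journal source, then enter journals", 4,
         exceptions=frozenset({"mlee"})),
    Rule("SF-01", ("Define Quality Plans",),
         "single function the risk library says should not be granted", 5),
]
# Mitigating controls per rule: (control name, strength deducted from inherent score)
CONTROLS = {
    "SOD-01": [("all journals reviewed and approved", 2)],
    "SOD-02": [("all journals reviewed and approved", 2), ("budget to actual analysis", 1)],
}
RISK_APPETITE = 2   # highest residual score management has agreed to carry (assumed)


def effective_functions(user):
    """Functions a user can actually run: walk every responsibility's menu tree
    (nested sub-menus included) and drop functions excluded on that responsibility."""
    funcs = set()
    for resp in USER_RESPS.get(user, []):
        root, excluded = RESP_MENUS[resp]
        stack, seen = [root], set()
        while stack:
            menu = stack.pop()
            if menu in seen:
                continue
            seen.add(menu)
            menu_funcs, sub_menus = MENUS[menu]
            funcs |= menu_funcs - excluded
            stack.extend(sub_menus)
    return funcs


def assess(users, rules=RULES, controls=CONTROLS, appetite=RISK_APPETITE):
    """Steps 1-7 of the approach: find conflicts, attach the risk, net the
    mitigating controls, compute residual risk, record the decision."""
    findings = []
    for user in sorted(users):
        funcs = effective_functions(user)
        for rule in rules:
            if not set(rule.functions) <= funcs:
                continue                             # step 1: no conflict on this rule
            if user in rule.exceptions:              # documented user exception
                residual, action = rule.inherent, "exception: monitor"
            else:                                    # steps 3-5
                mitigated = sum(s for _, s in controls.get(rule.rule_id, []))
                residual = max(rule.inherent - mitigated, 1)
                action = "accept" if residual <= appetite else "remediate"
            findings.append({"user": user, "rule": rule.rule_id, "functions": rule.functions,
                             "risk": rule.risk, "inherent": rule.inherent,
                             "residual": residual, "action": action})
    return findings


def remediation_list(findings):
    """Step 6: (user, rule) pairs that still need a remediation plan."""
    return [(f["user"], f["rule"]) for f in findings if f["action"] == "remediate"]


if __name__ == "__main__":
    for f in assess(USER_RESPS):
        print(f"{f['user']:<8}{f['rule']:<8}inherent={f['inherent']} "
              f"residual={f['residual']} -> {f['action']} ({f['risk']})")
```

    The scoring is deliberately simple (inherent score minus control strengths, floored at 1); the point is the shape of the output. Per user and per rule you get the inherent risk, the controls netted against it, the residual, and whether management accepted it or a named exception covers it, which is exactly the evidence an auditor asks for when you push back on a flagged conflict. Note that "mlee" only escapes SOD-01 because the exclusion on the GL Setup responsibility removes Journal Authorization Limits; if the analysis were run on raw menu contents without honouring exclusions, it would report a conflict that does not exist.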



    9/23

    Taking a Risk-Based Approach to User Access Controls

    In our experience, a completed risk assessment process exposes the following needs:

    An SOD monitoring tool (or one with a preventive workflow)

    Requirements for a trigger-based detailed audit trail

    Various monitoring reports or processes not provided by Oracle

    The need to personalize forms to support defined controls

    Custom workflows to automate controls where Oracle's functionality is deficient

    Process and/or controls changes

    Documentation and testing of non-key controls

    Access control / security changes

    Additional projects and research that need to be done (customizations, profile options, updating BR100s, BR110s, etc.)


    10/23

    Responding to Auditors

    Have them identify the risk(s) that are inherent in the access or SOD conflict

    Evaluate controls that may be in place to mitigate the risks identified

    Examples:

    All journals are reviewed and approved

    Financial close processes

    Budget to actual analysis / forecast to actual

    Variance analysis (PPV, IPV)

    Reconciliation of inventory balances to GL account

    Review of stale inventory

    Cycle counting / physical inventories

    Downgrade key controls to standard / non-key based on risk; reduce audit scope / rely more on entity level controls


    11/23

    Access Controls / R12 tips

    Take advantage of MOAC to reduce the number of responsibilities across operating units / inventory orgs

    Use QUERY_ONLY=Yes to generate inquiry-only forms (make sure they are tested thoroughly)

    Refresh Prod to non-Prod and allow more liberal access for replication of issues and trouble-shooting

    Use trigger-based auditing solutions to generate a detailed audit trail of changes to key control configurations / critical changes to item master / etc.


    12/23

    Recap / Wrap Up


    13/23

    Resources:

    Application Security Best Practices Book, 2nd edition due out Jan 2012

    Launching partially-public domain conflict matrix in conjunction with 2nd edition of book (common elements will be included in Apps Security BP book)

    Oracle E-Business Suite Controls: Financial Close Cycle, due out April 2012, focusing on design and implementation of controls and security related to Financial Close Cycle

    14/23

    Links:

    Recorded webinars: http://www.erpra.net/WebinarAccessForm.html

    Blog: http://jeffreythare.blogspot.com/

    Video blog: http://www.youtube.com/ERPSeminars

    Oracle Internal Controls and Security listserver (public domain/open group): http://tech.groups.yahoo.com/group/OracleSox/?yguid=192922351

    15/23

    Links:

    Oracle Apps Internal Controls Repository (end users only / closed group): http://tech.groups.yahoo.com/group/oracleappsinternalcontrols/?yguid=440489739

    LI Oracle GRC group: http://www.linkedin.com/groups?gid=2017790

    LI Oracle ERP Auditors group: http://www.linkedin.com/groups?gid=2354934

    16/23

    ERP Risk Advisory Services

    Project audit / QA: we'll work under the direction of your PMO or Internal Audit to provide project audit or quality assurance, whether the work is done internally or through a system integrator. In this role, we typically bring in other experts from companies like Integrigy, Solution Beacon, FSCP Solutions, and Colibri to be a part of our team.

    Security upgrade/implementation: we'll upgrade your security from 11i to R12, adding new functionality in R12 while reducing upgrade risk by minimizing the use of standard sub-menus and using custom menus for all custom responsibilities. We'll also help you implement role-based access control (RBAC) or help you to prepare for the implementation of RBAC, depending on the maturity of your organization.

    Controls upgrade: we'll review your risk and control library, making sure all risks have been identified and recommending an adequate level of controls; we'll look at what are defined as key controls and make recommendations to downgrade to non-key, where possible, to reduce audit fees; we'll also make recommendations on how to automate various controls.

    17/23

    ERP Risk Advisory Services

    Security and Controls monitoring: both security and controls need to be monitored on an on-going basis as changes are introduced in your system. We'll help identify the processes and, perhaps, software that needs to be put in place for proper monitoring.

    Building of system-based audit trails: we'll evaluate your current trigger-based auditing and make recommendations on what should be added or changed. If you aren't using a trigger-based auditing tool, we'll recommend one that fits your budget and help you implement it.

    Enhancement of change management (CM) controls: we'll review and recommend enhancements to your change control process to better protect the integrity of your data and business processes. We'll focus on all four different aspects of CM (development, patching, security, and configurations) and help you implement a quality assurance program to monitor the effectiveness of your CM process.

    18/23

    ERP Risk Advisory Services

    Implementation of user access controls software: we'll design and implement preventive and detective controls related to Segregation of Duties, single function risks, and sensitive data risks. This is best done in conjunction with the upgrade of your security.

    Implementation of data security software: we'll implement a security solution that locks down access to sensitive data both at the application and database levels. This software is more flexible and cost effective than implementing encryption, where it is not provided by Oracle.

    19/23

    Q & A


    22/23

    Best Practices Caveat

    The Best Practices cited in this presentation have not been validated with your external auditors nor has there been any systematic study of industry practices to determine they are in fact Best Practices for a representative sample of companies attempting to comply with the Sarbanes-Oxley Act of 2002 or other corporate governance initiatives mentioned. The Best Practice examples given here should not substitute for accounting or legal advice for your organization and provide no indemnification from fraud, material misstatements in your financial statements, or control deficiencies.

    23/23

    Contact Information

    Jeffrey T. Hare, CPA CISA CIA

    Cell: 970-324-1450

    Office: 970-785-6455

    Sales: Phil [email protected]

    Sales: 774-999-0527 E-mail: [email protected]

    Websites: www.erpra.net, www.oubpb.com
