Risk-Based Assessment of User Access Controls and Segregation of Duties for Companies Running Oracle Applications Presented by: Jeffrey T. Hare, CPA CISA CIA

Webinar Logistics
• Hide and unhide the webinar control panel by clicking on the arrow icon at the top right of your screen
• The small window icon toggles between windowed and full-screen mode
• Ask questions throughout the presentation using the questions window
• Questions will be reviewed and answered at the end of the presentation; I'll open the lines for interactive Q&A

© 2009 ERPS

Presentation Agenda
Overview:
• Introductions
• Deficiencies in Current Approaches to SOD
• Taking a Risk-Based Approach to User Access Controls
• Q&A
• Wrap Up

Introductions
Jeffrey T. Hare, CPA CISA CIA
• Founder of ERP Seminars and the Oracle User Best Practices Board
• Author, Oracle E-Business Suite Controls: Application Security Best Practices
• Contributing author, Best Practices in Financial Risk Management
• Published in ISACA's Control Journal (twice) and ACFE's Fraud Magazine; frequent contributor to OAUG's Insight magazine
• Experience includes Big 4 audit and 6+ years in CFO/Controller roles – both as auditor and auditee
• In the Oracle applications space since 1998 – both as client and consultant
• Founder of the Internal Controls Repository – a public domain repository
• Author of various white papers on internal controls and security best practices in an Oracle Applications environment

Taking a Risk-Based Approach to User Access Controls
Types of risks:
• Segregation of duties – a user having access to two or more business processes that together could compromise the integrity of the process or allow that person to commit fraud
• Access to sensitive functions – a user having access to a function that, in and of itself, carries risk
• Access to sensitive data – a user having access to sensitive data such as employee identification numbers (in the US, SSNs), home addresses, credit card and bank account information, plus data unique to your company – customers, BOMs, routings…

Risk Assessment Process
• Evaluate about 675 unique risks
• CS*Comply covers up to 20,000 function-based risks
• Examples from the risk assessment:
  • Single-function risks – functions that may be used only with documented user exceptions (e.g. Menus), and functions that should not be used at all (certain forms that accept SQL, e.g. Quality Plans)
  • SoD risks – never acceptable (Enter Journal Entries vs Journal Authorization Limits), or acceptable for certain users as documented user exceptions (Enter Journal Entries vs Journal Sources)
© 2011ERPRA

Deficiencies in Current Approaches to SOD Projects
Here are some common deficiencies in how companies approach SOD projects:
• Relying on the seeded content of software providers
• Not taking a risk-based approach – one that considers the controls already in place – in defining what the risks are for their company
• Not considering all user access control risks – access to sensitive functions and access to sensitive data, not only SoD
• Always looking at risks as one function in conflict with another, rather than looking at the real risks – single-function risks as well as two-function conflicts
• Looking only at SOX risks and ignoring fraud risks below the materiality level and other operational risks

Taking a Risk-Based Approach to User Access Controls
Approach to the risk assessment project:
1. Identify access control conflicts
2. Identify the risks associated with each conflict
3. Identify, analyze, and document the mitigating controls related to each risk
4. Assess the residual risk after taking the mitigating controls into account
5. Discuss residual risks with management and assess their willingness to assume the risk
6. Document remediation steps for unmitigated risks
7. Document whether the conflict (single function or combination of two) should be monitored in third-party software
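The seven steps above carried through as a small worked example. This is added code, not code from the presentation or from any Oracle product: the responsibilities, function names, users, inherent risk scores, control ratings and acceptance threshold are constructed assumptions, and the compiled-menu extraction that would feed step 1 in a real assessment is stood in for by two dictionaries (responsibility to functions, and responsibility-level function exclusions). It reuses the deck's own examples: Enter Journal Entries vs Journal Authorization Limits as a never-acceptable SoD conflict, Enter Journal Entries vs Journal Sources as a conflict that is either a documented user exception or netted against the "all journals are reviewed and approved" control, and a SQL-accepting form as a single-function risk.

```python
"""Risk-based assessment of user access: SoD pairs, single-function risks,
user exceptions, mitigating controls, residual risk and monitoring scope.

Added example; not code from the presentation or from any Oracle product.
All responsibilities, functions, users, scores and the threshold below are
constructed sample data standing in for a compiled-menu extract.
"""
from dataclasses import dataclass

RESP_FUNCTIONS = {  # responsibility -> form functions reachable from its menu (constructed)
    "GL_SUPERUSER": {"GL_ENTER_JOURNALS", "GL_JOURNAL_AUTH_LIMITS", "GL_JOURNAL_SOURCES"},
    "GL_USER": {"GL_ENTER_JOURNALS"},
    "GL_SETUP": {"GL_JOURNAL_SOURCES", "GL_JOURNAL_AUTH_LIMITS"},
    "QA_MANAGER": {"QA_PLANS", "QA_PLANS_SQL"},
    "AP_INQUIRY": {"AP_SUPPLIERS_VIEW"},
}
RESP_EXCLUSIONS = {  # responsibility -> functions excluded from that menu (constructed)
    "GL_SETUP": {"GL_JOURNAL_AUTH_LIMITS"},
}
USER_RESPS = {  # user -> assigned responsibilities (constructed)
    "JSMITH": {"GL_SUPERUSER"},
    "AJONES": {"GL_USER", "GL_SETUP"},
    "BLEE": {"GL_USER", "GL_SETUP", "QA_MANAGER"},
    "CWU": {"AP_INQUIRY"},
}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    functions: frozenset              # one function: single-function risk; two: SoD conflict
    description: str
    inherent: int                     # 1 (low) .. 5 (high), assigned by the risk assessment
    never_acceptable: bool = False    # no mitigating control is accepted for this risk
    allowed_users: frozenset = frozenset()   # documented user exceptions
    mitigating_controls: tuple = ()          # (control name, score reduction) pairs


RISKS = [
    Risk("R1", frozenset({"GL_ENTER_JOURNALS", "GL_JOURNAL_AUTH_LIMITS"}),
         "raise own journal authorization limit, then enter and post journals",
         5, never_acceptable=True),
    Risk("R2", frozenset({"GL_ENTER_JOURNALS", "GL_JOURNAL_SOURCES"}),
         "switch off approval on a journal source, then enter journals",
         4, allowed_users=frozenset({"AJONES"}),
         mitigating_controls=(("All journals are reviewed and approved", 2),)),
    Risk("R3", frozenset({"QA_PLANS_SQL"}),
         "form accepts free-form SQL; should not be assigned to anyone", 4),
]

ACCEPT_THRESHOLD = 2  # constructed: residual at or below this may be accepted by management


@dataclass(frozen=True)
class Finding:
    user: str
    risk_id: str
    inherent: int
    residual: int
    disposition: str
    controls: tuple


def effective_functions(user, user_resps=USER_RESPS, resp_functions=RESP_FUNCTIONS,
                        resp_exclusions=RESP_EXCLUSIONS):
    """Step 1 input: union of functions over the user's responsibilities,
    minus each responsibility's own exclusions."""
    funcs = set()
    for resp in user_resps[user]:
        funcs |= resp_functions[resp] - resp_exclusions.get(resp, set())
    return funcs


def assess(user_resps=USER_RESPS, risks=RISKS, threshold=ACCEPT_THRESHOLD):
    """Steps 1-6: match each user's functions against the conflict matrix,
    net mitigating controls against inherent risk, assign a disposition."""
    findings = []
    for user in sorted(user_resps):
        funcs = effective_functions(user, user_resps)
        for risk in risks:
            if not risk.functions <= funcs:
                continue  # user lacks at least one function in the conflict
            controls = tuple(name for name, _ in risk.mitigating_controls)
            residual = max(0, risk.inherent - sum(cut for _, cut in risk.mitigating_controls))
            if risk.never_acceptable:  # residual stays at inherent; no control counts
                disposition, residual, controls = "remediate", risk.inherent, ()
            elif user in risk.allowed_users:
                disposition = "documented exception"  # acceptable for this user
            elif residual <= threshold:
                disposition = "accept and monitor"  # management assumes the residual risk
            else:
                disposition = "remediate"  # residual too high: change the access
            findings.append(Finding(user, risk.risk_id, risk.inherent, residual, disposition, controls))
    return findings


def monitoring_rules(findings, risks=RISKS):
    """Step 7: every risk with an accepted or excepted finding must be monitored;
    report whether the rule is a single function or a combination of two."""
    by_id = {r.risk_id: r for r in risks}
    wanted = {f.risk_id for f in findings if f.disposition != "remediate"}
    return sorted((rid, "single function" if len(by_id[rid].functions) == 1 else "combination")
                  for rid in wanted)
```

On the sample data, the two users who reach Enter Journal Entries and Journal Sources are treated differently: AJONES is a documented exception, BLEE is accepted on the strength of the journal review control and goes onto the monitoring list, while the never-acceptable authorization-limits conflict and the SQL-accepting form are flagged for remediation regardless of controls.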

Taking a Risk-Based Approach to User Access Controls
In our experience, a completed risk assessment process exposes the following needs:
• An SOD monitoring tool (or one with a preventive workflow)
• Requirements for a trigger-based detailed audit trail
• Various monitoring reports or processes not provided by Oracle
• Personalization of forms to support the defined controls
• Custom workflows to automate controls where Oracle's functionality is deficient
• Process and/or control changes
• Documentation and testing of non-key controls
• Access control / security changes
• Additional projects and research (customizations, profile options, updating BR100s, BR110s, etc.)

Responding to Auditors
Responding to auditors…
• Have them identify the risk(s) inherent in the access or SOD conflict
• Evaluate controls that may already be in place to mitigate the risks identified. Examples:
  • All journals are reviewed and approved
  • Financial close processes
  • Budget-to-actual / forecast-to-actual analysis
  • Variance analysis – PPV (purchase price variance), IPV (invoice price variance)
  • Reconciliation of inventory balances to the GL account
  • Review of stale inventory
  • Cycle counting / physical inventories
• Downgrade key controls to standard / non-key controls based on risk – this reduces audit scope and relies more on entity-level controls

Access Controls / R12 tips
• Take advantage of MOAC (Multi-Org Access Control) to reduce the number of responsibilities across operating units / inventory orgs
• Use the QUERY_ONLY=YES form function parameter to generate inquiry-only forms (make sure each one is tested thoroughly; not every form honors the parameter fully)
• Refresh Prod to non-Prod and allow more liberal access there for replication of issues and troubleshooting (a refreshed clone carries the production copy of any sensitive data, so scrub or restrict that data before opening up access)
• Use trigger-based auditing solutions to generate a detailed audit trail of changes to key control configurations, critical changes to the item master, etc.
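A monitoring report over the kind of trigger-based audit trail the last tip describes, as an added example (not code from the presentation or from any auditing product). The audit rows, change tickets, table and column names and the two-hour revert window are constructed; the row keyed by the user it applies to is a convention of this sample, not of any real table. The three checks are ones a practitioner would want over changes to key control configurations: a change with no approved change ticket, a user changing the control record that applies to themselves, and a setting switched and switched back shortly afterwards (the pattern behind the Journal Sources conflict in the risk assessment).

```python
"""Monitoring report over a trigger-based audit trail.

Added example; not code from the presentation or from any auditing product.
The rows imitate what a trigger-based audit solution captures on key control
configuration tables: one row per changed column with old and new value and
the application user who made the change. Table and column names are
illustrative; users, tickets, timestamps and the revert window are constructed.
"""
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Tables treated as key control configurations (constructed list): every
# change must be covered by an approved change ticket.
KEY_CONFIG_TABLES = {"GL_JE_SOURCES", "GL_AUTHORIZATION_LIMITS", "IBY_EXT_BANK_ACCOUNTS"}

# Constructed audit rows, in commit order, as a trigger would have written them.
AUDIT_ROWS = [
    dict(ts="2011-09-05 09:12:00", table="GL_JE_SOURCES", pk="Manual",
         column="JOURNAL_APPROVAL_FLAG", old="Y", new="N", user="JSMITH"),
    dict(ts="2011-09-05 09:40:00", table="GL_JE_SOURCES", pk="Manual",
         column="JOURNAL_APPROVAL_FLAG", old="N", new="Y", user="JSMITH"),
    dict(ts="2011-09-06 14:05:00", table="IBY_EXT_BANK_ACCOUNTS", pk="SUP-1001",
         column="BANK_ACCOUNT_NUM", old="****4411", new="****9027", user="AJONES"),
    dict(ts="2011-09-07 11:30:00", table="GL_AUTHORIZATION_LIMITS", pk="JSMITH",
         column="AUTHORIZATION_LIMIT", old="10000", new="500000", user="JSMITH"),
    dict(ts="2011-09-07 11:35:00", table="MTL_SYSTEM_ITEMS_B", pk="ITEM-77",
         column="DESCRIPTION", old="Widget", new="Widget v2", user="BLEE"),
]

# Constructed approved change tickets: who may change which row, and when.
CHANGE_TICKETS = [
    dict(ticket="CHG-1042", table="IBY_EXT_BANK_ACCOUNTS", pk="SUP-1001",
         implementer="AJONES", start="2011-09-06 08:00:00", end="2011-09-06 18:00:00"),
]

REVERT_WINDOW = timedelta(hours=2)  # constructed: set-then-restore inside this is suspicious


def _t(s):
    return datetime.strptime(s, FMT)


def _key(row):
    return (row["table"], row["pk"], row["column"], row["user"])


def covered_by_ticket(row, tickets=CHANGE_TICKETS):
    """True if an approved ticket names this table, row and implementer and
    the change falls inside the ticket's window."""
    ts = _t(row["ts"])
    return any(t["table"] == row["table"] and t["pk"] == row["pk"]
               and t["implementer"] == row["user"]
               and _t(t["start"]) <= ts <= _t(t["end"]) for t in tickets)


def transient_changes(rows, window=REVERT_WINDOW):
    """Rows that restore a value the same user changed on the same column
    shortly before (switch approval off, post, switch it back on)."""
    hits = []
    for i, a in enumerate(rows):
        for b in rows[i + 1:]:
            if (_key(a) == _key(b) and b["old"] == a["new"] and b["new"] == a["old"]
                    and _t(b["ts"]) - _t(a["ts"]) <= window):
                hits.append(b)
                break
    return hits


def audit_alerts(rows=AUDIT_ROWS, tickets=CHANGE_TICKETS, key_tables=KEY_CONFIG_TABLES):
    """Detective control: (rule, user, table, pk, ts) for every key-config change
    that lacks a ticket, that a user made to their own control record, or that
    was reverted shortly after being made. Non-key tables are ignored here."""
    alerts = []
    key_rows = [r for r in rows if r["table"] in key_tables]
    for r in key_rows:
        if not covered_by_ticket(r, tickets):
            alerts.append(("unapproved_change", r["user"], r["table"], r["pk"], r["ts"]))
        if r["pk"] == r["user"]:  # sample convention: limit row keyed by the user it applies to
            alerts.append(("self_change", r["user"], r["table"], r["pk"], r["ts"]))
    for r in transient_changes(key_rows):
        alerts.append(("transient_change", r["user"], r["table"], r["pk"], r["ts"]))
    return alerts
```

Run against the sample, the ticketed bank-account change produces nothing, the item-master edit is outside the key-configuration scope, and every alert lands on the user who disabled and re-enabled journal approval and raised their own authorization limit without a ticket. In practice the ticket match would come from the change-management system and the key-table list from the risk and control library.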

Recap / Wrap Up


Resources
Resources:
• Application Security Best Practices book – 2nd edition due out Jan 2012
• Launching a partially public domain conflict matrix in conjunction with the 2nd edition of the book (common elements will be included in the Apps Security BP book)
• Oracle E-Business Suite Controls: Financial Close Cycle – due out April 2012 – focusing on the design and implementation of controls and security related to the financial close cycle


Links
Links:
• Recorded webinars: http://www.erpra.net/WebinarAccessForm.html
• Blog: http://jeffreythare.blogspot.com/
• Video blog: http://www.youtube.com/ERPSeminars
• Oracle Internal Controls and Security listserver (public domain/open group): http://tech.groups.yahoo.com/group/OracleSox/?yguid=192922351


Links
Links:
• Oracle Apps Internal Controls Repository (end users only / closed group): http://tech.groups.yahoo.com/group/oracleappsinternalcontrols/?yguid=440489739
• LinkedIn Oracle GRC group: http://www.linkedin.com/groups?gid=2017790
• LinkedIn Oracle ERP Auditors group: http://www.linkedin.com/groups?gid=2354934


ERP Risk Advisory Services
• Project audit / QA – we'll work under the direction of your PMO or Internal Audit to provide project audit or quality assurance, whether the work is done internally or through a system integrator. In this role, we typically bring in other experts from companies like Integrigy, Solution Beacon, FSCP Solutions, and Colibri to be part of our team.
• Security upgrade/implementation – we'll upgrade your security from 11i to R12, adding new R12 functionality while reducing 'upgrade' risk by minimizing the use of standard sub-menus and using custom menus for all custom responsibilities. We'll also help you implement role-based access control (RBAC), or help you prepare for implementing RBAC, depending on the maturity of your organization.
• Controls upgrade – we'll review your risk and control library, making sure all risks have been identified and recommending an adequate level of controls; we'll also look at what are defined as key controls and recommend downgrading to non-key where possible, to reduce audit fees; and we'll make recommendations on how to automate various controls.

ERP Risk Advisory Services
• Security and controls monitoring – both security and controls need to be monitored on an ongoing basis as changes are introduced into your system. We'll help identify the processes and, perhaps, the software that need to be put in place for proper monitoring.
• Building of system-based audit trails – we'll evaluate your current trigger-based auditing and recommend what should be added or changed. If you aren't using a trigger-based auditing tool, we'll recommend one that fits your budget and help you implement it.
• Enhancement of change management (CM) controls – we'll review your change control process and recommend enhancements to better protect the integrity of your data and business processes. We'll focus on all four aspects of CM – development, patching, security, and configurations – and help you implement a quality assurance program to monitor the effectiveness of your CM process.


ERP Risk Advisory Services
• Implementation of user access controls software – we'll design and implement preventive and detective controls related to segregation of duties, single-function risks, and sensitive data risks. This is best done in conjunction with the upgrade of your security.
• Implementation of data security software – we'll implement a security solution that 'locks down' access to sensitive data, at both the application and database levels. This software is more flexible and cost-effective than implementing encryption where Oracle does not provide it.


Q&A



Best Practices Caveat
The best practices cited in this presentation have not been validated with your external auditors, nor has there been any systematic study of industry practices to determine that they are 'in fact' best practices for a representative sample of companies attempting to comply with the Sarbanes-Oxley Act of 2002 or the other corporate governance initiatives mentioned. The best practice examples given here should not substitute for accounting or legal advice for your organization and provide no indemnification from fraud, material misstatements in your financial statements, or control deficiencies.


Contact Information
Jeffrey T. Hare, CPA CISA CIA
• Cell: 970-324-1450
• Office: 970-785-6455
• Sales: Phil Reimann – [email protected]
• Sales: 774-999-0527
• E-mail: [email protected]
• Websites: www.erpra.net, www.oubpb.com
