Webinar Logistics
Hide and unhide the webinar control panel by clicking the arrow icon at the top right of your screen.
The small window icon toggles between windowed and full-screen mode.
Ask questions throughout the presentation using the Questions window.
Questions will be reviewed and answered at the end of the presentation; I'll open the lines for interactive Q&A.
2009 ERPS
Presentation Agenda
Overview:
Introductions
Deficiencies in Current Approaches to SOD
Taking a Risk-Based Approach to User Access Controls
Q&A / Wrap Up
Introductions
Jeffrey T. Hare, CPA CISA CIA
Founder of ERP Seminars and Oracle User Best Practices Board
Access to sensitive functions: a user has access to a function that, in and of itself, carries risk.
Access to sensitive data: a user has access to sensitive data such as employee identification numbers (in the US, the SSN), home addresses, credit card and bank account information, plus data unique to your company such as customers, BOMs and routings.
SoD risks: some are never acceptable (for example, Enter Journal Entries combined with Journal Authorization Limits); others are acceptable for certain users through documented user exceptions (for example, Enter Journal Entries combined with Journal Sources).
2011ERPRA
Responding to Auditors
Have them identify the risk(s) that are inherent in the access or SoD conflict.
Evaluate controls that may be in place to mitigate the risks identified. Examples:
All journals are reviewed and approved
Financial close processes
Budget to actual analysis / forecast to actual
Variance analysis (PPV, IPV)
Reconciliation of inventory balances to the GL account
Review of stale inventory
Cycle counting / physical inventories
Downgrade key controls to standard / non-key controls based on risk; reduce audit scope and rely more on entity-level controls.
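The risk-based approach on the preceding slides (sensitive functions, sensitive data, SoD conflicts that are never acceptable versus those allowed by user exception, and mitigating controls that downgrade a finding) can be expressed as a small conflict-matrix evaluator. The following is an added example written for this page, not code from the webinar, ERP Seminars or Oracle; the user names, the access listing, the exception record and the control list are constructed sample data, and the function labels are the webinar's wording rather than Oracle E-Business Suite function codes.

```python
from dataclasses import dataclass

# Constructed sample: each user's reachable functions, flattened across all
# responsibilities. Labels follow the webinar, not Oracle EBS function codes.
ACCESS = {
    "ahill": {"Enter Journal Entries", "Journal Authorization Limits"},
    "bkent": {"Enter Journal Entries", "Journal Sources"},
    "cmoss": {"Enter Journal Entries", "Journal Sources"},
    "dwade": {"Enter Journal Entries", "View Employee Details"},
}

# Access that is a risk on its own, independent of any second function.
SENSITIVE_FUNCTIONS = {"Journal Authorization Limits"}
SENSITIVE_DATA = {"View Employee Details"}  # e.g. SSN, home address


@dataclass(frozen=True)
class SodRule:
    functions: frozenset      # the conflicting combination
    risk: str                 # the risk the auditor should name
    exceptions_allowed: bool  # False: never acceptable for any user


RULES = [
    SodRule(frozenset({"Enter Journal Entries", "Journal Authorization Limits"}),
            "enter a journal and raise the limit that would have blocked it", False),
    SodRule(frozenset({"Enter Journal Entries", "Journal Sources"}),
            "enter a journal and change whether its source requires approval", True),
]

# Documented user exceptions: (user, conflicting combination) -> justification.
# Constructed record; a real one would carry approver and review date.
USER_EXCEPTIONS = {
    ("bkent", frozenset({"Enter Journal Entries", "Journal Sources"})):
        "GL super user; exception approved by the Controller",
}

# Mitigating controls that can downgrade a conflict from open to mitigated.
MITIGATING_CONTROLS = {
    frozenset({"Enter Journal Entries", "Journal Sources"}):
        ["All journals are reviewed and approved"],
}


def evaluate(access, rules, exceptions, controls):
    """Return one finding per (user, risk) with a disposition.

    Dispositions: 'review' for standalone sensitive access, 'violation' for a
    never-acceptable conflict (controls cannot downgrade it), 'exception' for a
    documented user exception, 'mitigated' when a control covers the conflict,
    and 'open' when nothing does.
    """
    findings = []
    for user, funcs in sorted(access.items()):
        for f in sorted(funcs & SENSITIVE_FUNCTIONS):
            findings.append({"user": user, "type": "sensitive_function",
                             "subject": f, "disposition": "review"})
        for f in sorted(funcs & SENSITIVE_DATA):
            findings.append({"user": user, "type": "sensitive_data",
                             "subject": f, "disposition": "review"})
        for rule in rules:
            if not rule.functions <= funcs:
                continue  # user lacks at least one side of the conflict
            if not rule.exceptions_allowed:
                disposition = "violation"
            elif (user, rule.functions) in exceptions:
                disposition = "exception"
            elif controls.get(rule.functions):
                disposition = "mitigated"
            else:
                disposition = "open"
            findings.append({"user": user, "type": "sod",
                             "subject": tuple(sorted(rule.functions)),
                             "risk": rule.risk, "disposition": disposition})
    return findings


if __name__ == "__main__":
    for f in evaluate(ACCESS, RULES, USER_EXCEPTIONS, MITIGATING_CONTROLS):
        print(f["user"], f["type"], f["disposition"], f.get("risk", f["subject"]))
```

The ordering of the checks is the point: a never-acceptable combination is reported as a violation even when a compensating control exists, a documented exception is recorded as such rather than silently dropped, and only then is a mitigating control allowed to downgrade the finding, which is the evidence an auditor needs before agreeing to treat the related control as non-key.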
Recap / Wrap Up
Resources
Application Security Best Practices book, 2nd edition, due out January 2012
Partially public-domain conflict matrix launching in conjunction with the 2nd edition of the book (common elements will be included in the Apps Security Best Practices book)
Oracle E-Business Suite Controls: Financial Close Cycle, due out April 2012, focusing on the design and implementation of controls and security related to the Financial Close Cycle
Links
Recorded webinars: http://www.erpra.net/WebinarAccessForm.html
Blog: http://jeffreythare.blogspot.com/
Video blog: http://www.youtube.com/ERPSeminars
Oracle Internal Controls and Security listserver (public domain / open group): http://tech.groups.yahoo.com/group/OracleSox/?yguid=192922351
Oracle Apps Internal Controls Repository (end users only / closed group): http://tech.groups.yahoo.com/group/oracleappsinternalcontrols/?yguid=440489739
LinkedIn Oracle GRC group: http://www.linkedin.com/groups?gid=2017790
LinkedIn Oracle ERP Auditors group: http://www.linkedin.com/groups?gid=2354934
Q&A
Contact Information
Jeffrey T. Hare, CPA CISA CIA
Cell: 970-324-1450
Office: 970-785-6455
E-mail: jhare@erpra.net
Sales: Phil Reimann, preimann@erpra.net, 774-999-0527
Websites: www.erpra.net, www.oubpb.com