
Risk-Based Assessment of User Access Controls and Segregation of Duties for Companies Running Oracle Applications

Presented by: Jeffrey T. Hare, CPA CISA CIA

Webinar Logistics

- Hide and unhide the Webinar control panel by clicking on the arrow icon on the top right of your screen
- The small window icon toggles between a windowed and full screen mode
- Ask questions throughout the presentation using the questions window
- Questions will be reviewed and answered at the end of the presentation; I'll open the lines for interactive Q&A

2009 ERPS

Presentation Agenda
Overview:
- Introductions
- Deficiencies in Current Approaches to SOD
- Taking a Risk-Based Approach to User Access Controls
- Q&A
- Wrap Up

Introductions
Jeffrey T. Hare, CPA CISA CIA
- Founder of ERP Seminars and Oracle User Best Practices Board
- Author of Oracle E-Business Suite Controls: Application Security Best Practices
- Contributing author of Best Practices in Financial Risk Management
- Published in ISACA's Control Journal (twice) and ACFE's Fraud Magazine; frequent contributor to OAUG's Insight magazine
- Experience includes Big 4 audit and 6+ years in CFO/Controller roles, both as auditor and auditee
- In the Oracle applications space since 1998, both as client and consultant
- Founder of the Internal Controls Repository, a public domain repository
- Written various white papers on internal controls and security best practices in an Oracle Applications environment

Taking a Risk-Based Approach to User Access Controls


Types of risks:
- Segregation of duties: a user having two or more business processes that could compromise the integrity of the process or allow that person to commit fraud
- Access to sensitive functions: a user having access to a function that, in and of itself, carries risk
- Access to sensitive data: a user having access to sensitive data such as employee identification numbers (US: SSN), home addresses, credit card and bank account information, plus data unique to your company (customers, BOMs, routings, ???)

Risk Assessment Process


- Evaluate about 675 unique risks
- CS*Comply covers up to 20,000 function-based risks

Examples from the risk assessment:
- Single-function risks: functions that may be used with user exceptions (e.g. Menus), and functions that shouldn't be used at all (certain SQL forms, Quality Plans)
- SoD risks: some are never acceptable (Enter Journal Entries vs. Journal Authorization Limits); others are acceptable for certain users via user exceptions (Enter Journal Entries vs. Journal Sources)
2011ERPRA

Deficiencies in Current Approaches to SOD Projects


Here are some common deficiencies in how companies are approaching SOD projects:
- Relying on seeded content from software providers
- Not taking a risk-based approach that considers current controls when defining what the risks are for their company
- Not considering all user access control risks: access to sensitive functions and access to sensitive data
- Always looking at risks as one function in conflict with another, rather than looking at the real risks: single function and two functions
- Looking at SOX risks while ignoring fraud risks below the materiality level and other operational risks

Taking a Risk-Based Approach to User Access Controls


Approach to a risk assessment project:
1. Identify access control conflicts
2. Identify risks associated with each conflict
3. Identify, analyze, and document mitigating controls related to each risk
4. Assess the residual risk after taking the mitigating controls into account
5. Discuss residual risks with management and assess their willingness to assume the risk
6. Document remediation steps for unmitigated risks
7. Document whether the conflict (single function or combination of two) should be monitored in third-party software
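As an added illustration of the seven steps above, and of the single-function and user-exception examples under Risk Assessment Process, the following Python is example code written for this page (not from the presentation, ERPRA, or the CS*Comply product). It walks a constructed responsibility-to-function mapping against a small conflict matrix and derives a residual-risk disposition per conflict; every user, responsibility, function and control value is constructed sample data.

```python
from itertools import combinations

# Constructed sample data for illustration only; not a real Oracle conflict matrix.
# Responsibility -> functions it grants; a user's exposure is the union across responsibilities.
RESP_FUNCTIONS = {
    "GL Super User": {"Enter Journal Entries", "Journal Sources", "Journal Authorization Limits"},
    "GL Journal Entry": {"Enter Journal Entries"},
    "Sysadmin": {"Menus", "SQL Forms"},
}
USER_RESPS = {"jdoe": {"GL Journal Entry", "Sysadmin"}, "gl_admin": {"GL Super User"}}
# Policy: "never" = not acceptable for anyone; "exception" = only with a documented user exception.
SINGLE_FUNCTION_RISKS = {"SQL Forms": "never", "Menus": "exception"}
SOD_CONFLICTS = {
    frozenset({"Enter Journal Entries", "Journal Authorization Limits"}): "never",
    frozenset({"Enter Journal Entries", "Journal Sources"}): "exception",
}
# Documented user exceptions and mitigating controls, both keyed by the conflict.
USER_EXCEPTIONS = {"jdoe": {frozenset({"Menus"})}}
MITIGATING_CONTROLS = {frozenset({"Enter Journal Entries", "Journal Sources"}): ["All journals are reviewed and approved"]}


def residual_risk(user, conflict, policy):
    """Steps 3-6: apply user exceptions and mitigating controls to one conflict."""
    if policy == "never":
        return "remediate"   # never acceptable: controls do not reduce it
    if conflict in USER_EXCEPTIONS.get(user, set()):
        return "accepted"    # management assumed the risk via a documented exception
    if MITIGATING_CONTROLS.get(conflict):
        return "monitor"     # mitigated, but still monitored in the SoD tool
    return "remediate"       # unmitigated: needs a remediation step


def assess_user(user):
    """Steps 1-2: find single-function and two-function conflicts for one user."""
    # Union of functions across all responsibilities, so cross-responsibility conflicts are caught.
    funcs = set().union(*(RESP_FUNCTIONS[r] for r in USER_RESPS.get(user, ())))
    findings = {}
    for f in funcs:
        if f in SINGLE_FUNCTION_RISKS:
            findings[frozenset({f})] = residual_risk(user, frozenset({f}), SINGLE_FUNCTION_RISKS[f])
    for pair in combinations(sorted(funcs), 2):
        key = frozenset(pair)
        if key in SOD_CONFLICTS:
            findings[key] = residual_risk(user, key, SOD_CONFLICTS[key])
    return findings


def monitoring_list():
    """Step 7: conflicts that should be loaded into third-party monitoring software."""
    return sorted({tuple(sorted(c)) for u in USER_RESPS for c, d in assess_user(u).items() if d != "accepted"})
```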

Taking a Risk-Based Approach to User Access Controls


In our experience, a completed risk assessment process exposes the following needs:
- An SOD monitoring tool (or one with a preventive workflow)
- Requirements for a trigger-based detailed audit trail
- Various monitoring reports or processes not provided by Oracle
- The need to personalize forms to support defined controls
- Custom workflows to automate controls where Oracle's functionality is deficient
- Process and/or controls changes
- Documentation and testing of non-key controls
- Access control / security changes
- Additional projects and research that need to be done (customizations, profile options, updating BR100s, BR110s, etc.)

Responding to Auditors
- Have them identify the risk(s) inherent in the access or SOD conflict
- Evaluate controls that may already be in place to mitigate the risks identified
- Examples: all journals are reviewed and approved; financial close processes; budget-to-actual and forecast-to-actual analysis; variance analysis (PPV, IPV); reconciliation of inventory balances to the GL account; review of stale inventory; cycle counting / physical inventories
- Downgrade key controls to standard / non-key based on risk, to reduce audit scope and rely more on entity-level controls

Access Controls / R12 tips


- Take advantage of MOAC to reduce the number of responsibilities across operating units / inventory orgs
- Use QUERY_ONLY=Yes to generate inquiry-only forms (make sure they are tested thoroughly)
- Refresh Prod to non-Prod and allow more liberal access there for replication of issues and troubleshooting
- Use trigger-based auditing solutions to generate a detailed audit trail of changes to key control configurations, critical changes to the item master, etc.

Recap / Wrap Up


Resources
- Application Security Best Practices book: 2nd edition due out Jan 2012
- Launching a partially-public-domain conflict matrix in conjunction with the 2nd edition of the book (common elements will be included in the Apps Security BP book)
- Oracle E-Business Suite Controls: Financial Close Cycle due out April 2012, focusing on design and implementation of controls and security related to the Financial Close Cycle


Links
- Recorded webinars: http://www.erpra.net/WebinarAccessForm.html
- Blog: http://jeffreythare.blogspot.com/
- Video blog: http://www.youtube.com/ERPSeminars
- Oracle Internal Controls and Security listserver (public domain/open group): http://tech.groups.yahoo.com/group/OracleSox/?yguid=192922351


Links
- Oracle Apps Internal Controls Repository (end users only / closed group): http://tech.groups.yahoo.com/group/oracleappsinternalcontrols/?yguid=440489739
- LinkedIn Oracle GRC group: http://www.linkedin.com/groups?gid=2017790
- LinkedIn Oracle ERP Auditors group: http://www.linkedin.com/groups?gid=2354934


ERP Risk Advisory Services


- Project audit / QA: we'll work under the direction of your PMO or Internal Audit to provide project audit or quality assurance, whether the work is done internally or through a system integrator. In this role, we typically bring in other experts from companies like Integrigy, Solution Beacon, FSCP Solutions, and Colibri to be part of our team.
- Security upgrade/implementation: we'll upgrade your security from 11i to R12, adding new functionality in R12 while reducing upgrade risk by minimizing the use of standard sub-menus and using custom menus for all custom responsibilities. We'll also help you implement role-based access control (RBAC), or help you prepare for the implementation of RBAC, depending on the maturity of your organization.
- Controls upgrade: we'll review your risk and control library, making sure all risks have been identified and recommending an adequate level of controls; we'll look at what are defined as key controls and make recommendations to downgrade to non-key where possible, to reduce audit fees; we'll also make recommendations on how to automate various controls.

ERP Risk Advisory Services


- Security and controls monitoring: both security and controls need to be monitored on an ongoing basis as changes are introduced in your system. We'll help identify the processes and, perhaps, software that need to be put in place for proper monitoring.
- Building of system-based audit trails: we'll evaluate your current trigger-based auditing and make recommendations on what should be added or changed. If you aren't using a trigger-based auditing tool, we'll recommend one that fits your budget and help you implement it.
- Enhancement of change management (CM) controls: we'll review and recommend enhancements to your change control process to better protect the integrity of your data and business processes. We'll focus on all four aspects of CM (development, patching, security, and configurations) and help you implement a quality assurance program to monitor the effectiveness of your CM process.


ERP Risk Advisory Services


- Implementation of user access controls software: we'll design and implement preventive and detective controls related to segregation of duties, single-function risks, and sensitive data risks. This is best done in conjunction with the upgrade of your security.
- Implementation of data security software: we'll implement a security solution that locks down access to sensitive data at both the application and database levels. This software is more flexible and cost-effective than implementing encryption, where it is not provided by Oracle.


Q&A


Best Practices Caveat


The Best Practices cited in this presentation have not been validated with your external auditors, nor has there been any systematic study of industry practices to determine that they are in fact Best Practices for a representative sample of companies attempting to comply with the Sarbanes-Oxley Act of 2002 or the other corporate governance initiatives mentioned. The Best Practice examples given here should not substitute for accounting or legal advice for your organization and provide no indemnification from fraud, material misstatements in your financial statements, or control deficiencies.


Contact Information
Jeffrey T. Hare, CPA CISA CIA
Cell: 970-324-1450
Office: 970-785-6455
E-mail: jhare@erpra.net
Sales: Phil Reimann, preimann@erpra.net, 774-999-0527
Websites: www.erpra.net, www.oubpb.com

