AUDITING ORACLE APPLICATIONS PRESENTED BY SHERRY DOUB, MSCIS, CISA Jacksonville Chapter
Page 1

AUDITING ORACLE APPLICATIONS

PRESENTED BY

SHERRY DOUB, MSCIS, CISA

Jacksonville Chapter

Page 2

Agenda

Key Business Risks

Security and Access

Implementation Impacts

Audit Challenges

Oracle Organizational Overview

Multi Organizational Access Control (MOAC)

Profile Options for Multi Organizations (MO)

Oracle Security Concepts

Oracle Version R12 Automated Controls

Page 3

Key Business Risks

Data Conversions

Training

Project Governance

Management Involvement

Page 4

Key Business Risks R11i to R12

In R11i the Set of Books does not have a one-to-one relationship with the General Ledger; this has been addressed in R12

Functionality changes have been applied to the Masters and financials

Access has been improved and applies at the operating unit level

R12 allows easier transition from legacy systems with Fusion

Converting large quantities of historical data is challenging (one common database, thousands of tables)

Page 5

Key Business Risks

Oracle integrates all systems into a single system

Oracle therefore is a single point of failure

All transaction processing for all functional areas may be on a single system

If Oracle goes down, company operations cease

Disaster recovery planning is crucial

Page 6

Security and Access

Oracle requires extensive, well thought out security access

Authorizations occur at the application level

Application-level security and system access alone are too relaxed, so database and network security are also necessary

Due to the single point of access, there is a significant increase in users with access: field personnel, vendors and customers

Page 7

Implementation Impacts

The significance of configuration settings to security cannot be overstressed

Key opportunity during implementation to establish a control environment with configuration settings

May be difficult with Oracle to change configurations for certain controls after implementation

Page 8

Audit Challenges

Oracle implementations are unique

Flexible and complex

Customizable

Oracle version, scope of implementation, configuration of business processes, and degree of customization all contribute to this uniqueness

Impossible to design a standard audit approach

Must invest time in customizing the audit program

Page 9

Audit Challenges

First year audits in a changing environment

Enterprise Resource Planning knowledge

Enterprise Resource Planning tools utilized

Data retention processes

Data extraction

Interfacing with external audit

Relationship leveraging

Knowledge sharing

Expectation management

Page 10

Oracle Organizational Model Overview

Oracle Applications

Two conceptual structures

Human Resources

Operations and Accounting

Required Financial Organization or Enterprise Structure

Design of the Organization Structure affects how scalable Oracle functionality becomes and must align with the strategic objectives

Page 11

Human Resources Organization

Human Resources Organization Model (diagram; labels recovered from the figure)

Business Group: BG 1, BG 2

HR Organizational Level 1: HR L 11, HR L 12, HR L 13, HR L 14

HR Organizational Level 2: HR L 21, HR L 22, HR L 23, HR L 24

HR Organizational Level 3: HR L 31, HR L 32

Page 12

Financial Organization Structure

Financial Organization Structure

Business Groups (one or more, hierarchy: one to many relationship)

Ledger (Set of Books, one or more for each Business Group)

Legal Entity (one or more for each Ledger, hierarchy: one to one relationship)

Operating Unit

Inventory Organization

Page 13

Human Resources Organization

Financial Organization Model (diagram; labels recovered from the figure)

Business Group: BG 1, BG 2

Primary Ledger: PL 11, PL 12, PL 13, PL 14

Legal Entity: LE 1, LE 2, LE 3, LE 4

Operating Unit: OU 1, OU 2, OU 3, OU 4

Inventory Organization: IO 1, IO 2, IO 3, IO 4, IO 5

Page 14

Business Group

Multiple ledgers can share the same business group if they share the same business group attributes

Page 15

Ledger

A ledger (set of books) is defined by a single:

1. Chart of Accounts

2. Calendar

3. Currency

Otherwise, it must be another ledger.

There can be multiple types of ledgers (secondary and consolidated ledgers are linked to the primary ledger)

Page 16

Legal Entity

Reporting or statutory entities

Viewed as a Legal entity Group or Tax Entity

Page 17

Operating Unit

Transactional Data

Page 18

Inventory Organization

Can only belong to one Ledger, Legal Entity, and Operating Unit Structure

Page 19

Impact

Multi-Organization Access Control allows one set of users performing a functional task, with a single responsibility, to access data across multiple Legal Entities.

They can perform multiple tasks across operating units without changing responsibilities.

In Release 12 there is less custom code and more out-of-the-box granularity.

Page 20

Multi Organizational Access Control Setup

Define Operating Units

Create Security Profile

Run Security Maintenance on List

Set Profile Options

Page 21

Multi Organizational Access Control Process

Login to a Responsibility

Open the Application

Application Checks Access Privilege

Process Operating Units’ Data

Page 22

Profile Option MO: Security Profile

Controls the list of operating units a responsibility can access

Page 23

Profile Option MO: Default Operating Unit

When an application page is accessed, this operating unit is displayed first

Page 24

Profile Option MO: Operating Unit

R11i option that is retained for products and customers not leveraging multiple organizations (MO)
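The way the three MO profile options on pages 22 to 24 combine during the "Application Checks Access Privilege" step, modelled as an added audit aid (example code, not Oracle's): MO: Security Profile, when set, takes precedence and yields the operating-unit list produced by Security List Maintenance; MO: Operating Unit is only the single-OU fallback; MO: Default Operating Unit must itself lie inside the accessible list. The security profiles, responsibilities and OU names are constructed sample data.

```python
"""Model of how R12 Multi-Org Access Control (MOAC) resolves the operating
units a responsibility may touch. Added audit aid, not Oracle's code.

Rules modelled:
  * MO: Security Profile, when set, wins and yields the OU list that the
    Security List Maintenance run produced for that profile.
  * MO: Operating Unit (the R11i single-OU option) applies only when no
    security profile is set.
  * MO: Default Operating Unit only chooses which OU is shown first; it must
    itself be in the accessible list, otherwise it is an audit finding.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample: output of Security List Maintenance per security profile.
SECURITY_LIST = {
    "US_ALL_OUS": {"OU 1", "OU 2", "OU 3", "OU 4"},
    "US_EAST": {"OU 1", "OU 2"},
}


@dataclass
class Responsibility:
    name: str
    security_profile: Optional[str] = None  # MO: Security Profile
    operating_unit: Optional[str] = None    # MO: Operating Unit (R11i style)
    default_ou: Optional[str] = None        # MO: Default Operating Unit


def accessible_ous(resp: Responsibility) -> Set[str]:
    """Operating units the responsibility can process data for."""
    if resp.security_profile is not None:
        # A profile whose list was never maintained grants no OU at all.
        return set(SECURITY_LIST.get(resp.security_profile, set()))
    if resp.operating_unit is not None:
        return {resp.operating_unit}
    return set()


def check_access(resp: Responsibility, requested_ou: str) -> bool:
    """The 'Application Checks Access Privilege' step of the MOAC process."""
    return requested_ou in accessible_ous(resp)


def audit_findings(resp: Responsibility) -> List[str]:
    """Configuration problems an auditor would raise for one responsibility."""
    findings = []
    ous = accessible_ous(resp)
    if not ous:
        findings.append("no operating unit reachable: profile options missing "
                        "or Security List Maintenance not run")
    if resp.security_profile and resp.operating_unit:
        findings.append("MO: Operating Unit is set but ignored because "
                        "MO: Security Profile takes precedence")
    if resp.default_ou and resp.default_ou not in ous:
        findings.append(f"MO: Default Operating Unit {resp.default_ou} lies "
                        "outside the accessible list")
    return findings


if __name__ == "__main__":
    r = Responsibility("AP Super User", security_profile="US_EAST",
                       operating_unit="OU 4", default_ou="OU 3")
    print(sorted(accessible_ous(r)), check_access(r, "OU 4"))
    for f in audit_findings(r):
        print("FINDING:", f)
```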

Page 25

Oracle Security Concepts

Users

Roles

Responsibilities (Functionality or Modules like GL, Purchasing)

Forms

Menus (logical grouping of functions accessible via a responsibility)

Functions (Segregation of Duties, building blocks for security)

Request Groups (reports, concurrent programs assigned to a responsibility)

Page 26

Oracle Automated Application Controls

Controls embedded in system processing of an activity or transaction

System configurations are Preventive Control activities to prevent a financial error or misstatement

Detective controls are after the fact like the review of a report

Page 27

Oracle Application Control Types

Flex Fields

Matching

Tolerances

Signing Limits

Workflow / Approvals

Alerts

Edit Checks

Cross Validation Rules

Holds

Automated Accounting Entries

Auto Numbering

Control Reports

Lists of Values

Audit Trails

Page 28

General Ledger Key Controls

Journals are approved systematically in Oracle, according to the approval limits pre-defined in the system. Completeness/Valuation

Imported journals (from feeder modules) cannot be modified in the general ledger. Valuation

Oracle only allows balanced entries to be posted. If used, accounts used for suspense posting of journal entries are properly configured in Oracle and balances are reviewed and cleared on a regular basis. Valuation

Page 29

General Ledger Key Controls (cont.)

Cross-validation rules have been enabled and developed to ensure the accuracy of data entry. Valuation

Cross-validation rules override Dynamic Inserts; Flexfield definitions are frozen so that account code combinations are enforced. Completeness/Existence or Occurrence

Rollup Groups are frozen indicating that they cannot be changed. Completeness/Presentation & Disclosure
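What "cross-validation rules have been enabled" means in practice, as an added evaluator (example code, not Oracle's) that applies Include and Exclude rule elements to an account code combination following the documented CVR semantics. The three-segment Company-Department-Account flexfield and the two rules are constructed sample data; the zero-padded, equal-length segment values are an assumption that makes string comparison match range order.

```python
"""Evaluator for Accounting Flexfield cross-validation rules (CVRs). Added
audit aid, not Oracle's code.

Modelled on the documented CVR semantics: a rule is a set of Include and
Exclude elements, each a low/high range over every segment; a combination
passes a rule when it lies inside at least one Include range and inside no
Exclude range, and must pass every enabled rule. Segment values are compared
as strings of equal length (assumption: zero-padded values as in the sample).
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Element:
    kind: str             # "I" = Include, "E" = Exclude
    low: Tuple[str, ...]  # one low value per segment
    high: Tuple[str, ...]


@dataclass
class Rule:
    name: str
    elements: List[Element]
    enabled: bool = True
    message: str = ""


def in_range(combo: Tuple[str, ...], el: Element) -> bool:
    """Every segment must fall within the element's low..high for that segment."""
    return all(lo <= v <= hi for v, lo, hi in zip(combo, el.low, el.high))


def violates(rule: Rule, combo: Tuple[str, ...]) -> bool:
    if not rule.enabled:
        return False
    included = any(in_range(combo, e) for e in rule.elements if e.kind == "I")
    excluded = any(in_range(combo, e) for e in rule.elements if e.kind == "E")
    return (not included) or excluded


def validate(rules: List[Rule], combo: Tuple[str, ...]) -> List[str]:
    """Names of the enabled rules this combination breaks ([] means valid)."""
    return [r.name for r in rules if violates(r, combo)]


# Constructed sample: Company-Department-Account flexfield with two rules.
ALL = Element("I", ("00", "000", "0000"), ("ZZ", "ZZZ", "ZZZZ"))
RULES = [
    Rule("NO_REVENUE_IN_CORPORATE",
         [ALL, Element("E", ("01", "000", "4000"), ("01", "ZZZ", "4999"))],
         message="Corporate company 01 may not carry revenue accounts"),
    Rule("EXPENSE_NEEDS_DEPARTMENT",
         [ALL, Element("E", ("00", "000", "5000"), ("ZZ", "000", "7999"))],
         message="Expense accounts require a real department, not 000"),
]

if __name__ == "__main__":
    for combo in [("01", "100", "4100"), ("02", "000", "6000"), ("02", "100", "6000")]:
        print("-".join(combo), validate(RULES, combo) or "valid")
```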

Page 30

General Ledger Key Controls (cont.)

Journal Approval

Journal Authorization Limits

Flexfield Definition

Cross validation rules

Flexfield Security rules

GL Accounts definition

Ledger accounting options

Open/Close GL Periods

GL Calendar definition

Page 31

Fixed Assets Key Controls

The Asset Number is automatically assigned by the system. The Asset Numbers are sequential. Completeness

Depreciation can only be calculated once in a month. Completeness

An asset to be retired must 1) exist on the system, 2) not be retired in the same month it was entered, and 3) have units retired less than or equal to active units. Completeness, Rights & Obligations

Page 32

Fixed Assets Key Controls (cont.)

The Depreciation Run process automatically generates the GL Journal entries for depreciation, additions and retirements transferring unposted journal entries to GL. Completeness, Valuation

Standard programmed algorithms perform depreciation calculations based on the asset life. Valuation

Page 33

Fixed Assets Key Controls (cont.)

Fiscal Years and Calendars

Prorate convention

Books controls

Asset Categories

System Controls

Page 34

Assets Key Reports

Asset Register Report

Asset Cost Balance Report

Asset Addition Report

Depreciation Projection Report

Page 35

Payables Key Controls

Invoices are authorized through a systematic match of the PO price, invoice price and quantity received; Holds are automatically generated for discrepancies. Valuation, Rights & Obligations

System holds on the invoices cannot be released unless the error is rectified. Valuation

The accounting date used for invoices during accounting entry agrees with the business process. Completeness

Employee expense reports are approved by managers per established approval limits. Valuation, Completeness

Page 36

Payables Key Controls (cont.)

Invoice tolerances

Expense signing limits

Invoice Holds

Payable Options

Financial Options

Key Reports
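The invoice match control on page 35 and the invoice tolerances and holds listed above, carried through as an added example (not Oracle's code): PO price, invoice price and received quantity are compared and a hold is raised for each discrepancy outside the configured tolerance, and a held line cannot be paid until the discrepancy itself is rectified. Hold names follow Oracle Payables' Price, Qty Ord and Qty Rec matching holds; the tolerance percentages, the review threshold and the invoice figures are constructed sample values.

```python
"""Three-way match of an AP invoice line to its purchase order line and
receipts, with tolerance-driven system holds. Added audit aid, not Oracle's.

Compares PO price, invoice price and received quantity, and raises a hold for
each discrepancy beyond tolerance. Hold names follow Oracle Payables' Price,
Qty Ord and Qty Rec matching holds; tolerance percentages are sample values.
Comparisons are done on amounts scaled by 100 so that two-decimal prices do
not suffer floating-point boundary errors.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Tolerances:
    price_pct: float = 0.0    # invoice unit price may exceed PO price by this %
    qty_ord_pct: float = 0.0  # billed qty may exceed ordered qty by this %
    qty_rec_pct: float = 0.0  # billed qty may exceed received qty by this %


@dataclass
class MatchInput:
    po_price: float
    po_qty: float
    received_qty: float
    inv_price: float
    inv_qty: float


def _exceeds(actual: float, limit: float, pct: float) -> bool:
    """True when actual is more than pct percent above limit."""
    return actual * 100 > limit * (100 + pct)


def match_holds(m: MatchInput, t: Tolerances) -> List[str]:
    """System holds the match would place on the invoice line."""
    holds = []
    if _exceeds(m.inv_price, m.po_price, t.price_pct):
        holds.append("Price")
    if _exceeds(m.inv_qty, m.po_qty, t.qty_ord_pct):
        holds.append("Qty Ord")
    if _exceeds(m.inv_qty, m.received_qty, t.qty_rec_pct):
        holds.append("Qty Rec")
    return holds


def can_pay(m: MatchInput, t: Tolerances) -> bool:
    """A held line stays unpaid until the discrepancy itself is rectified."""
    return not match_holds(m, t)


def review_tolerances(t: Tolerances, max_pct: float = 5.0) -> List[str]:
    """Audit check: tolerances wider than max_pct weaken the match control."""
    wide = []
    for name, pct in (("price", t.price_pct),
                      ("quantity ordered", t.qty_ord_pct),
                      ("quantity received", t.qty_rec_pct)):
        if pct > max_pct:
            wide.append(f"{name} tolerance of {pct}% exceeds {max_pct}%")
    return wide


if __name__ == "__main__":
    t = Tolerances(price_pct=5)
    line = MatchInput(po_price=10, po_qty=100, received_qty=90,
                      inv_price=10.5, inv_qty=95)
    print(match_holds(line, t), can_pay(line, t))
```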

Page 37

Purchasing Key Controls

Edit checks ensure valid purchase order data entry based on predefined values. Completeness

Purchase orders and requisitions are approved systematically in Oracle, according to the approval limits pre-defined in Oracle. Valuation, Rights & Obligations

Requisitions, purchase orders, and receipts are automatically/sequentially numbered. Completeness

Page 39

Purchasing Key Controls (cont.)

Document Types

Approval groups/Limits

Buyers definition

Purchasing Options

Receiving Options

Financial Options

Key Reports

Page 40

Order Management Key Controls

Edit checks verify that valid data is entered or updated in the customer master files. Valuation

System places an automatic hold on orders that fail credit check. The hold prevents the order from being shipped out. Valuation

Sales Orders are automatically numbered. Completeness

Order data entered in the Order Organizer is validated through a system of defaults and edit checks. Valuation

System denies shipping of items in excess of the quantity on hand, which prevents negative inventory balances. Valuation, Rights & Obligations

Oracle system functionality copies important shipping and delivery information from customer master file to the pick list. Valuation, Completeness

Page 41

Order Management Key Controls (cont.)

Processing constraints

Transaction Types (Enforce List Price)

Credit Check Rules and assignment (Define, Assign)

Profile Classes

Credit Check Hold

Sequencing of Order Numbers

Privileges

Page 42

Inventory Key Controls

Edit checks verify that valid data is entered or updated in the item master files. Completeness

Oracle prevents modifications to key attributes of inventory items that are set in a centralized organization. Completeness

Oracle tracks lots for receipt, issues, and transactions for items defined under Lot Control. Completeness

Page 43

Inventory Key Controls (cont.)

Oracle is configured to facilitate and process inventory counting and count adjustments. Completeness, Valuation

Oracle inventory automatically performs inventory tracking, movements, and the financial entries for the majority of inventory processes. Completeness, Valuation

Page 44

Inventory Reports

Inactive Items Report

Sub-Inventory Report

Physical Inventory Adjustments Report

Cycle Count Entries and Adjustments Report

Physical Inventory Missing Tag Listing

Period Close Reconciliation Report

Physical Inventory Trend Report

Page 45

Thank You

Questions?

Contact Information

Sherry Doub, MSCIS, CISA

IT Internal Auditor

EverBank Internal Audit Dept.

8120 Nations Way, Suite 205

Jacksonville, FL 32256

904-245-7313