Internal Controls & Compliance using Oracle Applications Deloitte & Touche LLP January 26, 2007 Ohio Valley Oracle Application Users Group Jeff Taylor

Internal Controls & Compliance

using Oracle Applications

Deloitte & Touche LLPJanuary 26, 2007

Ohio Valley Oracle Application Users Group

Jeff TaylorPathik Mody

2Copyright © 2006 Deloitte Development LLC. All rights reserved.

Agenda• Sarbanes-Oxley Overview

• Internal Controls, Compliance, & Technology

• SOX Tools

• Segregation of Duties

• Process and Financial Statement Certifications

• Continuous Control Monitoring

• Case Study

• Questions

Sarbanes-Oxley Overview


Background of Sarbanes-Oxley

• Passed by Congress on January 23rd, 2002 and signed by President Bush on July 30th, 2002

• Named after Senator Paul Sarbanes (D-MD) and Representative Michael Oxley (R-OH)

• Governs publicly traded firms, including all overseas firms traded on the US markets


Sarbanes-Oxley Section 302 and 404 Internal Control Requirements Requires the CEO and CFO of a public company to certify quarterly and annually that they: Are responsible for disclosure controls, Have designed controls to ensure that material information is known to them, Have evaluated the effectiveness of controls, Have presented their conclusions in the filing, Have disclosed to the audit committee and auditors significant control deficiencies

and acts of fraud, Have indicated in the report significant changes to controls.

Requires the CEO and CFO to annually: State their responsibility for establishing and maintaining an adequate internal control

structure and procedures for financial reporting, Conduct and provide an assessment of the effectiveness of the enterprise’s internal

controls. Requires the external auditor to:

Attest to management’s assertion.

Sec

tio

n 3

02S

ecti

on

404

Regulatory Background

Internal Controls, Compliance & Technology


What is an Internal Control?

Providing reasonable assurance of:

• Effectiveness and efficiency of operations

• Reliability of financial reporting

• Compliance with laws and regulations

or else…


Compliance Steps

Policy &

ProcedureStandards Enforcement Monitor

SOX 404

COSO

COBIT

FDICIA

ISO

Common

Configuration

Standards

and

Operational

Policies

Automated

Enforcement and

Configuration

Auditing

Monitoring

Reporting


Current Situation Analysis

• Companies today are thinking beyond initial compliance requirements

– Focusing on achieving sustained compliance

– Establishing systems to support compliance in year three/four and beyond that are integrated into their ongoing operations

• Technology plays a key role in helping companies sustain compliance effectively and efficiently

• Most companies adopted interim solutions to support their compliance efforts

• However, companies need an efficient and sustainable environment to enable the documentation, monitoring, assessment and reporting on internal controls


End-State Architecture for Sustaining Compliance

Internal Control

Documentation &

Assessment

Financial Reporting

Control Monitoring

Content & Records

Mgmt

Compliance related applications and systems

Systems Mgmt

Integration and Collaboration

HR/TrainingAudit

Committee DisclosureCommitteeExternal

Audit InternalAuditField Audit

(404 App)Business UnitCIO

CEO/CFOSarbanes

PMO

Financial Systems

HR CRM

Hardware/Operating System/Network Infrastructure

Databases

Financial and related systems, platforms and databases –holds data, transactions and records

Document Retention

Supply Chain

Security


The Compliance Direction

Detective

Manual

Fragmented

Local

Preventive

Automated

Integrated

Global

SOX Tools Oracle Internal Controls Manager


Sarbanes-Oxley Section 404 Tools

• Many commercially available products offer integrated technology functionality

• Vendors offer different approaches to implementing and managing internal controls in their products.

• There are a number of option available in the market from ERP vendors, large integrated software vendors and specialty vendors and more should be expected in the future

• Many of these products can provide product functionality such as Integration with ERPs, financial reporting systems, and other backend systems that can support SOX sustained compliance efforts

• The ERP vendors are expected to possess an advantage for companies that already use their systems

• However, companies must consider their technology environment and business requirements to determine which option is best

• With most product in the market, companies should be able to migrate their risk and control information to vendors’ product through the use of a variety of export/import tools


Sample Vendors and Products

ERPs Large Software Vendors

Specialty Vendors

ICM

MIC

ICE


What is Oracle Internal Controls Manager?• ICM is a application developed to facilitate the collection,

management, testing and remediation of control data and risk related efforts.

• ICM Integrates seamlessly with your ERP Oracle application!

• ICM is a tool that can be used by:

• Controllers, Internal Auditors, Operational Managers, and External Auditor to perform assessments, review and monitor ongoing compliance

• Process Owners to document and validate business processes and track issues

• Signing Officers to certify financial statements

Test

Experts

Monitor

ICMDocument


Why Implement ICM?

• Organizes process documentation• Organizes risk assessments and control evaluations• Identify control weaknesses more easily• Provides flexibility to tailor audit process• ICM’s flexibility enables reporting from different points of

view (e.g., financial, operational, organizational)• Segregation of Duties, IT Audit Capabilities• Integrates with Oracle Financials Suite• Useful for all levels of managements


Oracle ICM Process

Define Organizations

Define Parent Processes

Define Controls

Define Risks

Define Processes

CertifyDefine Audit Procedures

Audit Results Conclude

Findings / Remediation

Administration, Security Roles and Access, Reports

DataRepository

Audit / Review Process


Oracle ICM Current Features


Populating the Data Repository

Risks Controls Audit

Procedures Processes

Understand the Business processes that run the business

Process are exposed to various risks

Controls are put in place to mitigate

risks

Audit procedures test the effectiveness of

controls

• Create Business process using

• Web ADI• Workflow• Tutor

• Associate procedures to processes

• Link Key accounts to Processes

• Associate Risks, Controls, and Audit Procedures with processes

• Map Processes to Organizations

• Import risks using • Import process

(Web ADI)

• Identify the risks associated with each business process

• Classify each risk for its probability and impact

• Create/maintain a library of reusable risks

• Import controls using

• Import process (Web ADI)

• Associate controls with risks

• Capture Control Objectives, control assertions, and physical evidence detail

• Categorize controls using control type

• Import Audit Procedures using

• Import process (Web ADI)

• Keep track of audit history for each procedures

• Procedures provide detailed steps to be performed during the audit field work

• Procedures can be setup to verify design, operational effectiveness or both


Documenting Processes, Risks and Controls

Processes – Sub Processes – Sub ProcessProcess

Risk & Control Risk & Control AssociationAssociation


Process Details

Process

Control

Objective

Control Activity

RiskRisk


ICM Other Features

• Process associated with audit procedures• Audit procedures associated with control• Create Audit Engagement• Add Organization and Process to an Audit Engagement• Associate process to an Audit Engagement• Create/Add procedure to an Audit Engagement• Document findings and remediation

Segregation of Duties


SOD Features and Benefits

– Constraints for Incompatible Responsibilities/Functions– Waivers for Users or Responsibilities– Spreadsheet Upload for Constraints– XML Publisher Report for Constraint Violations

– Segregate Duties by Operating Units– Allow Super Users to be Exempted from Constraints– Reduce Implementation Effort in Constraint Set Up– Facilitate Sharing of Constraint Violation Report

Features

Benefits


Incompatible Responsibilities/Functions


SOD – XML Reports

Process and Financial Statement Certifications


Business Process Certification Dashboard


Financial Statement Certification Dashboard


Certifying Compliance Dashboard


What reports are available?

• Reports

– Design Assessment

– Operating Effectiveness

– Risk Assessment

– Control Testing

– Open Issues / Findings

– Control Gaps

• Dashboard

• Several XML reports


What We Learned

• Reduce the scope of the effort by focusing on key processes, transactions and controls

• Grow into extensive ICM functionality

• Ensure management understands the level of involvement required throughout the organization

• Standardize compliance process throughout the organization

• Spend time upfront loading Risk Library

• Leverage software to monitor the compliance effort, document testing and promote management responsibility

Continuous Control Monitoring


Controls Automation & Monitoring

• Why Controls Automation and Continuous Controls Monitoring are Important

– Reduces effort, cost, and reliance on external consultants by increasing control reliability and efficiency.

– Enhances the effectiveness of Internal Audit and line manager/staff.

– Provides real-time information for proactive preventive measures.

– Leverages real-time information and compliance investment for business value generation.

– Provides a sustainable and repeatable process to enable data and control quality improvement.

– Decreases learning curve and training requirements.


Controls MonitoringCategory Features Benefits

Transaction Monitoring

• Identify suspicious transactions• Identify suspicious transactions for further review• Flag anomalies for investigation• Isolate transactions not in compliance with business

rules

• Identify inappropriate flows (e.g., duplicate payments)

• Provide evidence of control operation / quickly identify issues

Master Data Monitoring

• Monitor changes to master data files (e.g., Supplier Master) for suspicious activity

• Identify and address suspicious changes to master data

• Detect stale master file records

Access Control Monitoring

• Monitor changes to user access / roles • Detect unauthorized modifications to user access / roles

• Monitor access to sensitive transactions and data

Segregation of Duties Monitoring

• Identify SOD violations• Detect executed transactions that violate SOD rules

• Prevent SOD conflicts that increase the risk of fraud & error

Configuration Monitoring

• Detect changes to system configurations that may increase risks of fraud & error

• Demonstrate the continued effectiveness of application controls

Manual Process & Control Monitoring

• Ensure the initiation and completion of manual business & IT processes & controls

• Provide an audit trail for manual processes• Increase effectiveness & efficiency of manual

business & IT processes and controls

IT General Controls

• Security / access controls• Change management controls• IT Operations controls

• Enable increased reliance on automated business process controls


Oracle Application Controls Manager

• Detect fraud or errors by tracking changes to Oracle Applications control settings

• Assess the current state of the Oracle Application control environment

• Confirm that Oracle Application control settings remain to industry standards

• Detect Oracle Application control settings changes by user id and date.

• Identify configuration mismatches across instances


Recommended Control SettingsOnce recommended values have been setup, they are displayed in the ‘Application Control History’ pages along with the change history. This screenshot shows comparison between the recommended values and actual parameter settings. Non-conforming values are highlighted with a red icon.


Oracle – Database and Audit Vault

• Specialized warehouse for audit data• Leverages Database vault security to block DBA from viewing audit

data• SOD / Defined roles• Audit vault and Compliance report• Setup Audit AlertsD

atab

ase

Vau

ltA

udit

Vau

lt • Restrict the DBA and other privileged users from accessing application data

• Protect the database and applications from unauthorized changes• Enforce strong controls over who, when, and where application can

be accessed

Visit: Oracle .com/securityTry Software: OTN: OTN.Oracle.com

Coming

Soon

Case StudyIntegrating Security & Controls


Client Background

• $12 billion global technology manufacturing• Primary legacy Oracle 10.7 character system • Other Oracle legacy instances on various versions• Located in 70 countries

• North America, EMEA, APAC, and LATAM regions • Over 10,000 users• Re-implementing Oracle 11.5.10 platform • Phased functionality deployment approach • Extensive application footprint


Implementation Scope

Implementation Scope

HR including Self-Service Accounts Receivable Advanced Pricing Order Management Trading Community Architecture (TCA)

TeleSales Accounts Payable Purchasing iProcurement Bill of Materials

Cash Management General Ledger Projects Costing Engineering Shipping

Procurement Contracts Fixed Assets Projects Billings Projects Mgt Advanced Budgeting & Planning

Advanced Benefits Inventory Cost Management TeleService Treasury

Service Contracts Warehouse Mgt Configurator

Advanced Supply Chain Planning

Incentive Comp Work in Process Projects Resourcing Quoting

Learning Mgt ICM Mobile Field Service Advanced Scheduling Advanced Inbound

Scripting iSupplier Quality iSupport Depot Repair

Spares Mgt Proposals iExpense Demand Planning Collaborative Planning

Knowledge Mgt Field Service Time and Labor Install Base CRM Foundation


Engagement Objectives

• Deloitte was engaged to • Design, build, and implementation of the application security

model for a global deployment of Oracle 11i.• design and implementation of new global Oracle 11i

Security Responsibilities for new functionality and users. • Identify and document the Oracle 11i automated controls. • Design a global Oracle security structure that incorporates

appropriate segregation of duties, controls compliance, administration efficiencies, standardization, and flexibility to adapt to on-going business and technology changes.


Security & Controls Objectives

• Elimination of significant segregation of duty conflicts in the Oracle 11i application

• Completion of SOX documentation as it relates to Oracle 11i automated control implementation (i.e. control matrices)

• Standardization of the Oracle 11i security practices/procedures, including naming conventions

• Ease of compliance enforcement for the Oracle 11i system and on-going SOX compliance

• Security staff trained in the new Oracle 11i security practices/procedures

• Internal control and regulatory compliance concerns appropriately addressed


Contact Information

Jeff Taylor, Sr. Manager, Deloitte Consulting

[email protected]

Pathik Mody, Manger, Deloitte & Touche, LLP

[email protected]


About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, its member firms and their respective subsidiaries and affiliates. Deloitte Touche Tohmatsu is an organization of member firms around the world devoted to excellence in providing professional services and advice, focused on client service through a global strategy executed locally in nearly 150 countries. With access to the deep intellectual capital of 120,000 people worldwide, Deloitte delivers services in four professional areas, audit, tax, consulting and financial advisory services, and serves more than one-half of the world’s largest companies, as well as large national enterprises, public institutions, locally important clients, and successful, fast-growing global growth companies. Services are not provided by the Deloitte Touche Tohmatsu Verein and, for regulatory and other reasons, certain member firms do not provide services in all four professional areas.

As a Swiss Verein (association), neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other’s acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names Deloitte, Deloitte & Touche, Deloitte Touche Tohmatsu, or other related names.

In the US, Deloitte & Touche USA LLP is the US member firm of Deloitte Touche Tohmatsu and services are provided by the subsidiaries of Deloitte & Touche USA LLP (Deloitte & Touche LLP, Deloitte Consulting LLP, Deloitte Financial Advisory Services LLP, Deloitte Tax LLP and their subsidiaries), and not by Deloitte & Touche USA LLP. The subsidiaries of the US member firm are among the nation's leading professional services firms, providing audit, tax, consulting and financial advisory services through nearly 30,000 people in more than 80 cities. Known as employers of choice for innovative human resources programs, they are dedicated to helping their clients and their people excel. For more information, please visit the US member firm’s web site at www.deloitte.com/us.

Copyright © 2006 Deloitte Development LLC. All rights reserved.

Documents

Internal Controls & Compliance using Oracle Applications Deloitte & Touche LLP January 26, 2007 Ohio Valley Oracle Application Users Group Jeff Taylor