T3 - Auditing Oracle Financials 11i - Part 1

5/14/2018 T3 - Auditing Oracle Financials 11i - Part 1 - slidepdf.com

http://slidepdf.com/reader/full/t3-auditing-oracle-financials-11i-part-1 1/43

Auditing Oracle ERPISACA Fall Conference

September 2005



Presented by: 2September 26/27/28, 2005

Agenda

1. Course Objectives

2. Challenges of an Oracle ERP Audit

3. Oracle ERP Overview

4. PwC Audit Approach to Oracle

5. Segregation of Duties

6. Configurable Controls





Become familiar with Oracle terminology and concepts

Understand the audit implications of Oracle and thePwC recommended approach to Oracle controls andsecurity

Recognize the implications of configurable controls(application controls), monitoring controls, generalcontrols, including “How to audit”


http://slidepdf.com/reader/full/t3-auditing-oracle-financials-11i-part-1 4/43Presented by: 4September 26/27/28, 2005

Agenda










2. Challenges with an Oracle ERP

AuditRecognizing control implications of Oracle ERP

Understanding the significant changes to business processes

Keeping up with changing risks

Identifying critical risk components of OracleMaintaining effective test plans

Updating the knowledge and skills required to audit




Why audit?

Auditing will be done as part of:

• Statutory (external) audit

• Internal audit

• Process audit

Traditionally, controls were audited since:

• Volume of transactions (high volume low value)

• Auditing around the system not effective




Why audit?

New environment…

Sarbanes Oxley

Sections 302 and 404REQUIRE controls audit




When to Audit

•Prior to reporting date

•During the year

•Point in time




Agenda










3. Oracle ERP overview

HumanResources

Finance

Projects

Self-Service

Supply Chain Management

Manufacturing

Front Office

Applied

Technology

Finance

General Ledger

Financial Analyzer

Cash ManagementPayables

Receivables

Fixed Assets

Manufacturing

Engineering

Bills of Material

Master Scheduling / MRPCapacity

Work in Process

Quality

Cost Management

Process (OPM)

Rhythm Factory PlanningRhythm Advanced Scheduling

Project Manufacturing

Flow Manufacturing

Supply Chain Management

Order Entry

Purchasing

Product Configurator

Supply Chain Planning

Supplier Scheduling

Inventory

Projects

Project Costing

Project BillingPersonal Time & Expense

Activity Management Gateway

Project Connect

CRM

Marketing (3 modules)

Sales (5 modules)

Service (5 modules)Call Center (5 modules)

Human Resources

Payroll

Human Resources

Training Administration

Time Management

Advanced Benefits

Applied Technology

Workflow

Alert (Business Agents)

Applications Data WarehouseEDI Gateway

Self-Service

Web Customers

Web Suppliers

Web Employees




Oracle workflow

What does it Do?

Oracle Workflow automates standard businessprocesses, allowing for transparency and a

recorded history of process transactions

Who uses it?

Workflow Specialist configures workflow during

installEnd Users

Workflow Administrator




Audit Impacts of Workflow

•Workflow allows customization

•Testing entails review or tracing•Workflow processes can be forced through

•SOD function and workflow administrator access




Oracle Workflow and Oracle Alerts

What’s the Difference?

Oracle Alerts

•Static, one way transmission of information alerting

someone to change of already existing data

•Alerts must be built

•Similar to an FYI notification in Workflow

Workflow•Customizable process flows are available

•Hierarchy, timeout, and escalation features

•Can prevent an action




Oracle Workflow

Most Commonly Used Seeded Workflows

General LedgerJournal Entry Approval

iExpense

Expense Report

Approvals

Terminated Employees

Accounts Payable

Invoice Approval

Process Pay (Positive

Pay) MessageReceivables

Credit Memo Approvals

Credit Application

Approval

Order Management

Order and Return Processing

Schedule, ship and pack delivery

Purchasing

Requisition and PO Document

ApprovalAuto Document Creation

Receipt Confirmation

Exceeding of Price/Receipt

TolerancesProjects

Projects Approval

Project Accounting

iTime

Timecard Approval




Agenda










4. PwC approach to Oracle

• Application Security

and Segregation ofDuties

• Application ChangeControl Management

• Business Processes Controls

• E - Commerce

• Internal Interface Controls• Concurrent Process Controls

• Integrity of Reporting

• Business ContinuityPlanning

• Shared Services

• Information Integrity

Business Processes

• Bolt-On Security

• Interface Controls

• ConversionProcesses andControls

• Information

Integrity

Legacy/Bolt-Ons

Technical Infrastructure• General Access

• Technology Integrity

• Data Warehousing and Reporting Controls

• Security Guidelines

• Disaster Recovery Planning

ORACLEORACLE

Linked Systems

IT Infrastructure

System of Internal &External Controls

Business Processes

• Business and Industry

Risks• Regulatory andCompliancerequirements

• Internal and ExternalReporting and Audit

Controls Environment

Application controls




Control structure

Internal and External Control Structure

IT Infrastructure

ORACLEORACLE

Linked Systems

Upstream Downstream

Suppliers

EDIE - Commerce

Customers

EDIE - Commerce

Interfaces

Data Feeds

Interfaces

Data Feeds

ExternalControls

InternalControls

InternalControls

ExternalControls

InterfacesData Feeds

Non-LinkedSuppliers

BusinessProcesses

InterfacesData Feeds

Non-LinkedSuppliers

Controls reliance is achieved through a convergence of

efficient systems and effective internal and external controls




Business Process controls

• Access Controls - controls over access tobusiness processes & transaction processingexist, are properly maintained & are managed byappropriate management within the organization

• Processing Controls - adequate controls are

implemented (Inherent, Configurable, Manualand Customizable) to ensure data integrity• Rejection Controls - edit and validation controls

exist to ensure inappropriate data is rejectedfrom processing and monitoring controls exist toreview rejected output

• E-Commerce - controls are adequatelyimplemented

• Shared Services - issues and risks are mitigatedthrough controlled processes

Inherent Custom

ControlledProcesses

ManualConfigure




Application security

Managing Risk by Ensuring that

Key Controls are Adequately Implemented Over

APPLICATION SECURITY:• Security Administration - managed by

appropriate management within the organization• Security Impact Assessment - on business

processes and user environment• Security Design - current and future needs areassessed and implemented with high prioritycontrols environment

• Security Strategy/Approach - controls overapplication to ensure unauthorized users can notaccess the production environment

• Segregation of Duties - controls over businessprocess are adequate and implemented

• Security Functionality - comprehensivelyutilized and maintained

• On-going Security Administration - managedand maintained by appropriate managementwithin the organization

BusinessProcessTeam

Controls& SecurityTeam

ChangeManagement(Stakeholder)

Oracle AppsFunctionality

ControlRequirements &Oracle SecurityExpertise

BusinessRequirements

Oracle Apps(UserResponsibility

Profiles)




Auditing Oracle Applications

Audit mindset:

•Least privilege basis•Prevention is better than cure

•What could go wrong

Factors that affect amount of testing:

•Objective of the audit

•Level of reliance on the system•Level of manual controls (that may

compensate)

Ri k B d A h




Risk Based Approach –

Identification of Controls to Test•First year (SOX) results have indicated that more controls were

identified, documented and tested than necessary

•Only need to document and test controls over relevant

assertions related to significant accounts (i.e., only those controls

that provide evidence that the control objective is met)

•Need to understand the interaction between preventive and

detective controls

•Need to identify the points at which errors or fraud could occur

and then identify the controls that prevent or detect the errors or

fraud




Auditing an Oracle Environment

•Oracle Applications audit:

•Segregation of duties•Configurable controls review

•General Computer Controls audit:•Information security

•Computer operations

•Existing system maintenance•New system development and implementation




General Computer Controls

Where do General Computer Controls fit in?

Manual and monitoringcontrols

Application Controls

General ComputerControls

Control Environment




Application Controls Review

Application controls audit consists of:

Input – what information is going in?

Process – what is being done to the information?

Output – what information comes out?

How to ensure that the IPO is:

Complete

Accurate, and

Valid, AND

Restricted access = segregation of duties + security review




Agenda











What is ‘Segregation of Duties’ (SOD)?

•The principle of separating incompatible functions from anindividual

•Designed to prevent, rather than detect

•Reduces risk, as circumventing a well designed SOD

environment requires collusion

•SOD includes system level segregation as well as

segregation of manual processes




Segregation of Duties

What must be segregated?

Record

Keeping

Custody of

Assets

Authorization Reconciliation





•In a practical way, SOD is enforced in Oracle through

responsibilities!•A responsibility defines a set of menu options and functions

that are accessible to a user and defines reports and processes

which may be run

•Responsibilities usually grant access to just one Oracle

module, such as General Ledger or Accounts Payable

•A user can be assigned more than one responsibility





ApplicationsUser

User Name

Password

Responsibility

Main Menu

Menu

Forms

Menu

Forms

Request Security Group

Reports

Request Sets

Concurrent Programs

Security Rules

Flexfield Values

Report Parameters




SOD and user review

Segregation of duties and user review involves testing of:

•Responsibility assignments (which responsibilities are given to

which users), this will include:

•Generic users (e.g. AP_LOGIN)

•Seeded responsibilities

•Default logins (e.g. AP/AP, OPERATIONS/WELCOME)

•User addition, removal, modification and monitoring




SOD and user review

•Cross-module SOD involves reviewing incompatible

functions across applications (e.g. AP user with general

ledger responsibilities)

•Responsibility name = usually a factor•Dormant user review

•Periodic cleanup of users

•Password length, strength, timeout




SOD and user review

•Responsibility design (which functions are given to aspecific responsibility)

•Request Groups and Report access

•Manual processes (e.g. who has physical access to blank cheque stock)




SOD and user review

•A responsibility design and user assignment review may leverage:

•Custom tool / script•Oracle standard reports (limited information, hard to manipulate)

•Active responsibilities

•Active users

•Users of a responsibility

•Function security function report

•Function security menu report

SOD d i




SOD and user review

•Oracle audit history reports

•Sign-on audit concurrent requests report

•Sign-on audit forms report

•Sign-on audit responsibilities report

•Sign-on audit unsuccessful logon report

•Sign-on audit users report

•Ability to audit specific tables, objects or

actions

SOD M i




SOD Matrix

Segregation of Duties matrix – a way to test, a way to document

S ti f D ti





# Observation Risk Recommendation

1 The ‘Belgium Payables,

Operations’responsibility has theability to:

Enter Invoices (viaInvoice Workbench)

Enter / maintain vendorsand

Process payments (via

Payment workbench,Payment Print Checkand Payment Batches)

Users with these

responsibilities cancreate themselves asvendors and processinvoices and paymentsagainst such invoices to

expropriate cash fromthe entity.

Remove the ability

to processpayments from thisresponsibility

Note in this example that a compensating control may be the fact that 3 way matching is

required and the ‘Belgium Payables, Operations’ responsibility cannot process receipts and

purchase orders

S ti f D ti





Potential traps with SOD reviews:

•Oracle standard menus / forms

•Custom pll’s

•Customised forms or functions

•IT users with superuser responsibilities

S ti f D ti





Finally…

Baseline testing of user access is a critical step

The strength of the change control environment will

impact the ability to rely on the baseline of segregationof duties and user access

A d




Agenda







6 Configurable controls




6. Configurable controls

A ‘configurable control’ is:

•Any setting in Oracle Apps that can be modified, and which canaffect the operation of a function in Oracle Apps

–Profile options

–Transaction type settings

–Financial options

–Payment options

–Invoice options

•Different from ‘inherent’ controls, which are pre-programmedsettings that are generally not overrideable or modifiable (e.g.quantity values not allowing non-numeric characters)

Configurable controls




Configurable controls

•Create a process flow and narrative

•Identify key controls (including where users rely on Oracle

Applications to automatically perform specific actions)

•Test the controls identified




Questions




Thank you!

Documents

T3 - Auditing Oracle Financials 11i - Part 1