
© 2007 Protiviti Inc. Confidential: This document is for internal use only and may not be distributed to an outside party.

SOD Remediation for Oracle Applications

January 17, 2008

NorCal OAUG Training Day

Introduction

“Vision without action is a daydream. But action without vision is a nightmare.”

- Japanese Proverb

Oracle Implementation/Upgrade

• People: Users/Roles
• Processes: Business Flows
• Technology: Oracle Applications

Training Objectives

• Segregation of Duties (SoD) Overview
• SoD Assessment Approach
• Segregation of Duties Assessment Case Study
• Control Areas to Consider During an Upgrade or Implementation Project to Prevent Future Stand-Alone Remediation Projects

Segregation of Duties Overview

Common Compliance Pain Points

• Using/customizing seeded responsibilities and menus
• Responsibilities were not designed with SOX in mind or were not “designed” at all (seeded responsibilities are used out of the box)
• Trying to find/assess SoD conflicts without a tool (manual methods will miss places where users have access)

Segregation of Duties (SOD) Basics

Segregation of Duties is meant to reduce the risk of concealment of employee error or fraud by separating the following high-level functions:

• The recording of a transaction
• The authorization of the transaction
• Custody of the asset
• Control procedure (i.e. reconciliation)

An essential feature of segregation of duties or responsibilities within an organization is that no one employee or group of employees has exclusive control over any transaction or group of transactions.

Opportunities for Automated Controls to Enforce SoD

Transaction Processes

Transaction Approvals

Access to Physical Assets

Reconciliations

Segregation of Duties (SOD) Conflict Types

Three-way SOD conflict: an individual can perform three of these four duties for a given asset:

• Custody of assets
• Authorization or approval of related transactions affecting those assets
• Execution of the transaction or transaction activity
• Reconciliation of related transactions

Two-way SOD conflict: an individual can perform two of these four duties for a given asset.
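Added example, not part of the Protiviti slides: a small Python check that applies the two-way/three-way definitions above. Each ability is mapped to one of the four duties (the ability names, the mapping and the user assignments are constructed for illustration), and a user is classified by how many distinct duties their abilities span. Inquiry-only access carries no duty. The code also labels the case where all four duties are held, which the slide does not name.

```python
# Added example (not from the Protiviti slides): classify a user's SoD exposure
# by counting how many of the four duty categories the user's abilities span.
# Ability names, the category mapping and the user list are constructed.

from collections import Counter

CATEGORIES = ("custody", "authorization", "execution", "reconciliation")

# Hypothetical mapping of Oracle abilities to the four duties for an
# accounts-payable asset. None marks inquiry-only access, which carries no duty.
DUTY_OF_ABILITY = {
    "Create PO":        "authorization",
    "Approve PO":       "authorization",
    "Receive Goods":    "custody",
    "Process Invoices": "execution",
    "Process Payments": "execution",
    "Reconcile AP":     "reconciliation",
    "View Invoices":    None,
}

# Constructed user-to-ability assignments, already flattened across responsibilities.
USERS = {
    "jsmith": ["Create PO", "Receive Goods", "View Invoices"],
    "akhan":  ["Process Invoices", "Process Payments"],
    "lrowe":  ["Create PO", "Receive Goods", "Process Payments"],
    "mlee":   ["View Invoices"],
}


def duties_held(abilities):
    """Return the set of duty categories spanned by a collection of abilities.

    Abilities missing from the mapping are ignored rather than guessed, so an
    incomplete mapping under-reports instead of inventing conflicts."""
    return {DUTY_OF_ABILITY[a] for a in abilities if DUTY_OF_ABILITY.get(a)}


def classify(abilities):
    """Label exposure by the number of distinct duties held. The slide defines
    two-way and three-way; 'four-way' (all duties) is an extension beyond it."""
    n = len(duties_held(abilities))
    if n < 2:
        return "none"
    return {2: "two-way", 3: "three-way", 4: "four-way"}[n]


def report(users=USERS):
    """Per-user classification plus the duties driving it, for reviewer sign-off."""
    return {u: (classify(ab), sorted(duties_held(ab))) for u, ab in users.items()}


def summary(users=USERS):
    """Count users per classification, e.g. for a status slide."""
    return dict(Counter(classify(ab) for ab in users.values()))


if __name__ == "__main__":
    for user, (label, duties) in report().items():
        print(f"{user:8} {label:10} {', '.join(duties)}")
    print(summary())
```

Note that akhan holds two abilities but only one duty (both are execution), so the check reports no conflict; the count is of duties, not of abilities, which is the distinction the slide's definitions turn on.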

Segregation of Duty (SOD) Issues

• Role-based access often drives potential SOD issues
• Access should be granted based on pre-defined job descriptions
• Role-based security access should be customized per the business needs – not using “out of the box” profiles that typically do not address SOD and grant powerful access

Segregation of Duties (SOD) Examples

• Users with Voucher Entry & Purchase Order Entry
• Users with Voucher Entry and Create Payments
• Users with Create Receipts and Enter Sales Invoices
• Users with access to a business process should not have access to post Journal Entries
• Users with Administer Payroll and Administer Workforce
• Users with access to Payroll and HR present a risk of adjusting salaries, running payroll, then changing salaries back

Beware of “Sysadmin”, “Super User” and other IT users with powerful access!

Segregation of Duties Assessment Approach

Our Approach to Optimizing & Sustaining ERP Compliance

SoD, Security, Access, Provisioning, Application & Process Controls

[Diagram: “Project to Process”: Analyze, Standardize, Automate, leading to Continuous Monitoring. Offerings shown: Software, ERP Assessments, Consulting & Remediation Services.]

Analyze

• Perform assessments via Protiviti Assure methodology

• Deploy on internal audit and SOX clients or new clients to “prove the case”

Standardize

• Clean-up Security/SOD issues

• Design automated controls

• Re-engineer SOX testing approach

• Design controls into new implementations

Automate

• Implement continuous monitoring systems

An integrated implementation approach is necessary to design effective internal controls, understanding that system-based controls are more reliable and desirable. This pertains to both General Computer Controls as well as “embedded” application-specific controls. It is more efficient to get these right at the time of implementation.

[Figure: control types plotted on two axes, Reliable and Desirable. Quadrants: System-Based Preventive Control, System-Based Detective Controls, People-Based Preventive Control, People-Based Detective Control.

System-based controls: Standard within the Software, Configuration Options, Application Security; effectiveness in SOX testing efforts.

People-based controls: Policies, Procedures, Monitoring Exception Reporting, Reconciliations; extensive SOX testing efforts.

Direction of travel: Optimize Automated Controls.]

Segregation of Duties Assessment Case Study

Case Study Scenario

Project: SoD Remediation

Objective: To assist the client with remediation of SoD conflicts and user access to sensitive abilities in Oracle prior to their External Audit.

Tools: Oracle Internal Controls Manager (ICM); the client's corporate SoD Rule Set

Approach:
1. Review the initial SoD conflict and Sensitive Abilities results using ICM constraint reports
2. Identify any false positives and enter the appropriate waivers in ICM
3. Review the remaining SoD conflict and Sensitive Abilities results with the appropriate business owners to determine what security changes can be made to resolve the issues
4. Develop mitigating control suggestions based on input from management to address remaining conflicts

Examples from the Procure to Pay (PTP) Cycle

Sensitive Ability Constraints Reviewed:
• Transaction: Maintain Buyers – Buyers
• Set Up: Maintain Approvals – Signing limits

SOD Constraints Reviewed (conflicting ability pairs):
• Create PO/Blanket PO and Maintain Buyers
• Maintain PO/Blanket PO and Maintain Buyers
• Receive Goods and Create PO/Blanket PO
• Receive Goods and Maintain PO/Blanket PO
• Process Invoices and Process Payments
• Process and Maintain Invoices and Create PO/Blanket PO
• Process and Maintain Invoices and Maintain PO/Blanket PO
• Process and Maintain Invoices and Receive Goods
• Process and Maintain Invoices and Maintain Goods
• Process Debit/Credit Memos and Maintain PO/Blanket PO
• Process Debit/Credit Memos and Receive Goods
• Process Debit/Credit Memos and Maintain Goods
• Process Debit/Credit Memos and Process and Maintain Payments
• Release Invoice Holds and Receive Goods

Note (lilkal01): Ability to create a buyer in purchasing

Examples from the Order to Cash (OTC) Cycle

Sensitive Ability Constraints Reviewed:
• Set Up: AR and OM Setup
• Set Up: Interface Processing

SoD Constraints Reviewed (conflicting ability pairs):
• Enter Cash Receipts and Enter Sales Orders
• Enter Cash Receipts and Approve Invoice Adjustments
• Enter Cash Receipts and Process AR Invoices
• Create Customers and Enter Sales Orders
• Create Customers and Enter RMA
• Create Customers and Process Debit/Credit Memos
• Create Customers and Process AR Invoices
• Create Customers and Process Transactions
• Create Customers and Enter / Maintain Cash Receipts (2)
• Create Customers and Maintain Misc Cash Receipts
• Maintain Customers Profile and Enter Sales Orders
• Maintain Customers Profile and Enter Cash Receipts
• Maintain Customers Profile and Maintain Cash Receipts
• Maintain Customers Profile and Maintain Misc Cash Receipts
• App Invoice Adj and Process Inv Adj
• Process AR Inv / Process Trans and Approve Invoice Adj (2)
• App Invoice Adj and Maint Inv Adj

Notes (lilkal01): AR – Ability to update credit profile; AR – Invoice adjustment approval limit (access and SoD)

Sample PTP ICM Violation Report

Inter-Responsibility Conflict

Sample OTC ICM Violation Report

Intra-Responsibility Conflict
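Added example, not code from the Protiviti slides or from Oracle ICM: a Python rule-set scan that reproduces the case-study steps in miniature and produces the inter- versus intra-responsibility distinction the two sample reports make. The rule pairs are a subset of the PTP constraint list; the responsibilities, the users and the waiver are constructed. For each user it resolves responsibilities to abilities, matches the rule pairs, marks a match as intra-responsibility when one responsibility grants both abilities and inter-responsibility when only the combination of responsibilities does, and sets aside pairs that carry a recorded waiver (the reviewed false positives).

```python
# Added example (not from the Protiviti slides or Oracle ICM): rule-set SoD scan
# with intra/inter-responsibility classification and waivers for false positives.
# Responsibilities, users and the waiver are constructed; rule pairs follow the
# PTP constraint list on the slide.

from collections import defaultdict

# Constructed responsibility -> abilities. In a live system this map is produced
# by walking each responsibility's menu tree down to its form functions.
RESPONSIBILITIES = {
    "Purchasing Super User": {"Create PO/Blanket PO", "Maintain PO/Blanket PO",
                              "Maintain Buyers", "Receive Goods"},
    "Payables Clerk":        {"Process Invoices", "Process and Maintain Invoices",
                              "Release Invoice Holds"},
    "Payables Manager":      {"Process Payments"},
    "Receiving":             {"Receive Goods"},
}

# Constructed user -> responsibilities.
USER_RESPS = {
    "lilkal01": ["Purchasing Super User"],
    "pclerk":   ["Payables Clerk", "Payables Manager"],
    "rclerk":   ["Receiving"],
}

# Conflicting ability pairs (subset of the PTP SoD constraints on the slide).
RULES = [
    ("Create PO/Blanket PO", "Maintain Buyers"),
    ("Maintain PO/Blanket PO", "Maintain Buyers"),
    ("Receive Goods", "Create PO/Blanket PO"),
    ("Receive Goods", "Maintain PO/Blanket PO"),
    ("Process Invoices", "Process Payments"),
    ("Release Invoice Holds", "Receive Goods"),
]

# Waivers keyed by (user, ability_a, ability_b) with the pair sorted, so the
# direction a rule is written in does not matter. Reason text is constructed.
WAIVERS = {
    ("lilkal01", "Maintain PO/Blanket PO", "Receive Goods"):
        "Receiving form is inquiry-only in this responsibility (reviewed with AP owner)",
}


def abilities_by_resp(user):
    """Map each ability the user holds to the set of responsibilities granting it."""
    granted = defaultdict(set)
    for resp in USER_RESPS.get(user, []):
        for ability in RESPONSIBILITIES[resp]:
            granted[ability].add(resp)
    return granted


def scan_user(user, rules=RULES, waivers=WAIVERS):
    """One finding per matched rule. Intra-responsibility: a single responsibility
    grants both abilities. Inter-responsibility: only the combination does."""
    granted = abilities_by_resp(user)
    findings = []
    for a, b in rules:
        if a not in granted or b not in granted:
            continue
        key = (user,) + tuple(sorted((a, b)))
        if key in waivers:
            status, via = "waived", waivers[key]
        else:
            shared = granted[a] & granted[b]
            status = "intra-responsibility" if shared else "inter-responsibility"
            via = sorted(shared) if shared else sorted(granted[a] | granted[b])
        findings.append({"user": user, "pair": (a, b), "status": status, "via": via})
    return findings


def scan_all(users=USER_RESPS):
    """Open (non-waived) findings across all users: the list to take to business owners."""
    return [f for u in users for f in scan_user(u) if f["status"] != "waived"]


if __name__ == "__main__":
    for f in scan_all():
        print(f"{f['user']:9} {f['status']:22} {f['pair'][0]} / {f['pair'][1]}  via {f['via']}")
```

The "via" field names the responsibilities behind each finding, which is what the business-owner review (step 3 of the approach) needs: an intra-responsibility conflict is fixed by redesigning that one responsibility, an inter-responsibility conflict by changing which responsibilities the user is assigned.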

PTP Conflict – Compensating Control Suggestions

Conflict | Risk | Possible Compensating Control

Create PO / Maintain Buyers | Unauthorized buyer can create PO | Configurable Control: PO Approval Groups and Assignments; do not allow "Owner can Approve" his own PO

Process DM CM / Process Payments | Erroneous or unauthorized payments to vendors | Check Signatures, Invoice Matching Process; Hold Unmatched Invoices

Process Invoices / Create PO | Erroneous or unauthorized payments to vendors | PO Approval hierarchy, Invoice Matching Process; Hold Unmatched Invoices

Process Invoices / Maintain (Receive) Goods | Erroneous or unauthorized payments to vendors | Inventory Cycle Counting, Invoice Matching Process; Hold Unmatched Invoices

Process Invoices / Maintain PO | Erroneous or unauthorized payments to vendors | PO Approval hierarchy, Invoice Matching Process; Hold Unmatched Invoices

Process Invoices / Process Payments | Erroneous or unauthorized payments to vendors | Check Signatures, Invoice Matching Process; Hold Unmatched Invoices

Receive Goods / Create or Maintain POs | Unauthorized purchase or erroneous recording of liability | PO Approval hierarchy, Invoice Matching Process; Hold Unmatched Invoices

Release Invoice Holds / Receive Goods | Erroneous or unauthorized payments to vendors | Inventory Cycle Counting, Invoice Matching Process; Hold Unmatched Invoices

OTC Conflict – Compensating Control Suggestions

Conflict | Risk | Possible Compensating Control

Approve Invoice Adjustment / Maintain Invoice Adjustment | Unauthorized write-off of invoices | Configurable Control: Approval Limits

Create Customer / Enter Cash Receipts | Fictitious customer; hide cash receipt | Customer Statements; SoD of handling, logging and depositing of checks received from customers; bank reconciliations

Create Customer / Enter RMAs | Unauthorized credit given to customers | Customer Statements, review of open RMAs

Create Customer / Enter Sales Orders | Unauthorized sales order and shipment of goods | Configurable Control: Sales Order Approval workflow

Create Customer / Maintain Cash Receipts | Hide cash receipt | Review of Reversed Cash Receipts; Cash Receipt deletion not allowed by the system

Create Customer / Process DM CM | Unauthorized credit given to customers; unauthorized changes to customer records; hide cash receipt | Customer Statements; Review of AR Aging; SoD of handling, logging and depositing of checks received from customers; bank reconciliations

Enter Cash Receipts / Approve Invoice Adjustments | Unauthorized write-off of invoices | Configurable Control: Approval Limits

Maintain Customer Profile / Enter Sales Orders | Unauthorized sales order and shipment of goods | Configurable Control: Sales Order Approval workflow

Maintain Customer Profile / Maintain Misc Cash Receipts | Hide cash receipt | SoD of handling, logging and depositing of checks received; bank reconciliations

Additional Recommendations

The following are improvements that would eliminate the need for compensating controls:

• Restrict access for Release Holds and Sales Order entry. Access to the Sales Order form is required to be able to release holds. The ability to Release Holds, however, should be excluded from those users who should NOT be able to release an order. The best practice is to restrict this access to those in credit management who “approve” the release of a credit hold on an order. This is normally considered the higher-risk area with regard to Sales Order processing.

• Rearrange department responsibilities to make supervisors only approvers and reviewers, not “doers”. This would mean that access for supervisors is mostly View Only, except for the approval of transactions. The team would have the access to process transactions. Supervisors would approve any changes or adjustments and delegate processing to their teams.

• Functions with Inquiry Only access should be designated as View Only in the function name to simplify future audit-related activities. This can be done by creating a copy of the normal function, giving it a name with “View Only” in it, and adding the parameter QUERY_ONLY="YES" to the function. By designating these functions clearly, the access would be more easily justified.

Additional Recommendations (Cont.)

The following are improvements that would eliminate the need for compensating controls:

• Access to Setups should be limited to Inquiry Only access. The IT and Business Analysts should be given a responsibility that has Inquiry Only access to all setups in production, but read/write access in a development environment. This would enable them to view any setup for troubleshooting. When they determine that a change should be made in the system, they should follow the Change Management process: file a change request and have it tested in dev and approved by the business owner. When the approval is received, the System Administrator would grant the BA temporary access to the Super User responsibility to make the change in production. This is considered a best practice, as it keeps Super Access to a minimum.

• Access to Super User responsibilities should also be granted on a temporary basis only and be controlled through the change management process. The process should require appropriate business/process owner approval prior to granting temporary access. Responsibilities granted temporarily should be end-dated at the time the access is granted, based on the amount of time access is needed.
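Added example, not part of the Protiviti slides: two Python audit checks for the recommendations above. The first flags form functions whose user-facing name and QUERY_ONLY parameter disagree, that is, named “View Only” without QUERY_ONLY="YES", or carrying QUERY_ONLY="YES" without the name saying so. The second flags Super User responsibility assignments that have no end date or whose window exceeds a policy limit. The function records, the assignments, the XX_ function names, the list of Super User responsibilities and the 14-day window are all constructed or hypothetical; the parameter parser assumes whitespace-separated KEY=VALUE tokens, which is a simplification.

```python
# Added example (not from the Protiviti slides): audit checks for the two
# recommendations, View Only naming vs QUERY_ONLY, and end-dated Super User access.
# All function and assignment data below is constructed; XX_ names are hypothetical.

from datetime import date

# Constructed form functions: (function name, user function name, parameters string).
FUNCTIONS = [
    ("XX_PO_ORDERS_VIEW",   "Purchase Orders (View Only)", 'QUERY_ONLY="YES"'),
    ("XX_AP_INVOICES_VIEW", "Invoices (View Only)",        ""),
    ("XX_AP_INVOICES_RO",   "Invoices",                    'QUERY_ONLY="YES"'),
    ("XX_AP_INVOICES",      "Invoices",                    ""),
]

# Constructed responsibility assignments: (user, responsibility, start, end or None).
ASSIGNMENTS = [
    ("ba_jones", "Purchasing Super User", date(2008, 1, 10), date(2008, 1, 17)),
    ("ba_jones", "System Administrator",  date(2008, 1, 10), None),
    ("ops_lee",  "Purchasing Super User", date(2008, 1, 2),  date(2008, 6, 30)),
    ("ops_lee",  "Purchasing Inquiry",    date(2007, 5, 1),  None),
]

SUPER_USER_RESPS = {"Purchasing Super User", "System Administrator"}  # constructed list
MAX_TEMP_DAYS = 14  # hypothetical policy: temporary super access expires within two weeks


def parse_params(params):
    """Parse a form-function parameter string such as QUERY_ONLY="YES" into a dict.
    Simplification: whitespace-separated KEY=VALUE tokens, surrounding quotes stripped."""
    out = {}
    for token in params.split():
        if "=" in token:
            key, value = token.split("=", 1)
            out[key.strip().upper()] = value.strip().strip('"')
    return out


def is_query_only(params):
    """True when the function is restricted to inquiry via QUERY_ONLY="YES"."""
    return parse_params(params).get("QUERY_ONLY", "").upper() == "YES"


def check_view_only_functions(functions=FUNCTIONS):
    """Flag functions whose name and QUERY_ONLY setting disagree."""
    findings = []
    for name, user_name, params in functions:
        named_view_only = "view only" in user_name.lower()
        if named_view_only and not is_query_only(params):
            findings.append((name, "named View Only but QUERY_ONLY is not YES"))
        elif is_query_only(params) and not named_view_only:
            findings.append((name, "QUERY_ONLY=YES but name does not say View Only"))
    return findings


def check_temporary_access(assignments=ASSIGNMENTS, super_resps=SUPER_USER_RESPS,
                           max_days=MAX_TEMP_DAYS):
    """Flag Super User assignments that are open-ended or exceed the policy window."""
    findings = []
    for user, resp, start, end in assignments:
        if resp not in super_resps:
            continue
        if end is None:
            findings.append((user, resp, "no end date"))
        elif (end - start).days > max_days:
            findings.append((user, resp, f"{(end - start).days}-day window exceeds {max_days}"))
    return findings


if __name__ == "__main__":
    for finding in check_view_only_functions() + check_temporary_access():
        print(finding)
```

The first check catches the case that undermines the naming recommendation: a function called “View Only” that is still writable, which an auditor relying on the name would wrongly accept. The second turns the end-dating recommendation into something that can be re-run after every change request rather than verified once.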

Control Areas to Consider During an Upgrade or Implementation Project to Prevent Future Stand-Alone Remediation Projects

Transaction Processing Controls

Business processes supported and impacted by applications must ensure information integrity through effective design, development, and usage of:

Manual Process Controls
• policies and procedures
• reconciliations, reviews and approvals
• management reporting

Application Interface Controls
• restart and recovery procedures
• control totals
• job monitoring
• error handling

Facilitation of Audit Needs
• transaction logs
• historical data access
• transaction references
• meaningful descriptions/classifications

Automated Application Controls
• field edits
• workflow approvals
• error messages
• matching tolerances
• number ranges
• default values
• posting keys
• document matching
• recurring entries

Security Administration

Security strategies, tools, personnel, and processes should be coordinated effectively to address the following key components:

Administration
• provisioning (granting, termination, and modification) of user IDs
• workflow / approvals
• tool administration
• password resetting
• password parameters

Segregation of duties
• separation of incompatible functions
• data owner monitoring of access levels

Sensitive access
• powerful authorities
• post-implementation support

Data Management

As part of the implementation, data must be converted and then maintained to ensure the integrity of system processing. The following are critical considerations in this area:

Master Data Maintenance
• data ownership
• policies and procedures
• impact analysis

Data Archiving
• system performance and storage requirements
• data access requirements
• data redundancy

Data Conversions
• data mappings
• conversion design
• conversion testing
• reconciliation

Data Cleansing
• inactive data
• duplicative data
• erroneous data

During an upgrade, data management activities may just relate to completing the upgrade process steps of what to correct by module (i.e. data re-mapping, etc.).

Change Management & Testing

Change management is critical for ensuring consistency of processing throughout an application’s life cycle. This effort includes:
• Client strategy (e.g. dev, test, prod)
• Image refreshes
• Object migration
• Problem management for ongoing changes
• Version control

All development and implementation efforts must include thorough testing to ensure defined solutions are complete and accurate. This effort includes:
• Comprehensive test plan for functionality, security, and controls
• Documented test cases and test results
• Sign-off and acceptance
• Use of positive and negative testing techniques

Things to Consider When Implementing/Upgrading

ERP systems are already built with standard business process functionality, and it is best to avoid “programming”: implement the “out of the box” solution and limit customizing the application as much as possible.

Limiting customizations and designing them correctly can prevent problems when upgrading in the future. For example, creating new customized menus with unique names will prevent the overrides during upgrades that can occur if you customize a standard menu.

The difference between a manual control and an automated one is mostly a change of focus from detective to preventive control. Preventive controls are considered to be stronger and are therefore the preferred controls.

Implementing more automated controls (instead of relying on manual controls) can significantly reduce audit/testing efforts. Automated controls can be tested immediately and require only 1 sample, while manual controls must be demonstrated over time and multiple samples must be tested based on control frequency (i.e. daily, monthly, etc.).

Summary

• Segregation of Duties (SoD) Overview
• SoD Assessment Approach
• Segregation of Duties Assessment Case Study
• Control Areas to Consider During an Upgrade or Implementation Project to Prevent Future Stand-Alone Remediation Projects

Questions?