© 2007 Protiviti Inc. Confidential: This document is for internal use only and may not be distributed to an outside party.
SOD Remediation for Oracle Applications
NorCal OAUG Training Day, January 17, 2008
Introduction
“Vision without action is a daydream. But action without vision is a nightmare.”
- Japanese Proverb
Oracle Implementation/Upgrade
People: Users/Roles
Processes: Business Flows
Technology: Oracle Applications
Training Objectives
• Segregation of Duties (SoD) Overview
• SoD Assessment Approach
• Segregation of Duties Assessment Case Study
• Control Areas to Consider During an Upgrade or Implementation Project to Prevent Future Stand-Alone Remediation Projects
Segregation of Duties Overview
Common Compliance Pain Points
• Using/customizing seeded responsibilities and menus
• Responsibilities were not designed with SOX in mind, or were not "designed" at all (seeded responsibilities are used out of the box)
• Trying to find/assess SoD conflicts without a tool (manual methods will miss places where users have access)
Segregation of Duties (SOD) Basics
Segregation of Duties is meant to reduce the risk of concealment of employee error or fraud by separating the following high-level functions:
• The recording of a transaction
• The authorization of the transaction
• Custody of the asset
• Control procedures (i.e. reconciliation)
An essential feature of segregation of duties or responsibilities within an organization is that no one employee or group of employees has exclusive control over any transaction or group of transactions.
Opportunities for Automated Controls to Enforce SoD
Transaction Processes
Transaction Approvals
Access to Physical Assets
Reconciliations
Segregation of Duties (SOD) Conflict Types
• Three-way SOD conflict: an individual can perform three of these four duties for a given asset:
  - Custody of assets
  - Authorization or approval of related transactions affecting those assets
  - Execution of the transaction or transaction activity
  - Reconciliation of related transactions
• Two-way SOD conflict: an individual can perform two of these four duties for a given asset
Segregation of Duty (SOD) Issues
• Role-based access often drives potential SOD issues
• Access should be granted based on pre-defined job descriptions
• Role-based security access should be customized per the business needs, not using "out of the box" profiles, which typically do not address SOD and grant powerful access
Segregation of Duties (SOD) Examples
• Users with Voucher Entry and Purchase Order Entry
• Users with Voucher Entry and Create Payments
• Users with Create Receipts and Enter Sales Invoices
• Users with access to a business process should not have access to post Journal Entries
• Users with Administer Payroll and Administer Workforce: users with access to both Payroll and HR present a risk of adjusting salaries, running payroll, then changing salaries back
• Beware of "Sysadmin", "Super User" and other IT users with powerful access!
Segregation of Duties Assessment Approach
Our Approach to Optimizing & Sustaining ERP Compliance
SoD, Security, Access, Provisioning, Application & Process Controls
[Diagram: "Project to Process" cycle of Analyze, Standardize and Automate, supported by ERP Assessments, Consulting & Remediation Services, and Continuous Monitoring Software]
Analyze
• Perform assessments via Protiviti Assure methodology
• Deploy on internal audit and SOX clients or new clients to “prove the case”
Standardize
• Clean-up Security/SOD issues
• Design automated controls
• Re-engineer SOX testing approach
• Design controls into new implementations
Automate
• Implement continuous monitoring systems
An integrated implementation approach is necessary to design effective internal controls, understanding that system-based controls are more reliable and desirable. This pertains to both General Computer Controls as well as “embedded” application-specific controls. It is more efficient to get these right at the time of implementation.
[Figure: the four control types (system-based preventive, system-based detective, people-based preventive, people-based detective) plotted by reliability and desirability. System-based controls are more reliable and desirable than people-based controls, and preventive controls are stronger than detective ones. System-based controls: standard within the software, configuration options, application security; effective in SOX testing efforts. People-based controls: policies, procedures, monitoring/exception reporting, reconciliations; extensive SOX testing efforts. Goal: optimize automated controls.]
Segregation of Duties Assessment Case Study
Case Study Scenario
Project: SoD Remediation
Objective: To assist the client with remediation of SoD conflicts and user access to sensitive abilities in Oracle prior to their External Audit.
Tools: Oracle Internal Controls Manager (ICM); the client's corporate SoD Rule Set
Approach:
1. Review the initial SoD conflict and Sensitive Abilities results using ICM constraint reports
2. Identify any false positives and enter the appropriate waivers in ICM
3. Review the remaining SoD conflict and Sensitive Abilities results with the appropriate business owners to determine what security changes can be made to resolve the issues
4. Develop mitigating control suggestions based on input from management to address remaining conflicts
Examples from the Procure to Pay (PTP) Cycle
Sensitive Ability Constraints Reviewed:
• Transaction: Maintain Buyers (Buyers)
• Set Up: Maintain Approvals (Signing limits)
SOD Constraints Reviewed (conflicting ability pairs):
Create PO/Blanket PO | Maintain Buyers
Maintain PO/Blanket PO | Maintain Buyers
Receive Goods | Create PO/Blanket PO
Receive Goods | Maintain PO/Blanket PO
Process Invoices | Process Payments
Process and Maintain Invoices | Create PO/Blanket PO
Process and Maintain Invoices | Maintain PO/Blanket PO
Process and Maintain Invoices | Receive Goods
Process and Maintain Invoices | Maintain Goods
Process Debit/Credit Memos | Maintain PO/Blanket PO
Process Debit/Credit Memos | Receive Goods
Process Debit/Credit Memos | Maintain Goods
Process Debit/Credit Memos | Process and Maintain Payments
Release Invoice Holds | Receive Goods
Examples from the Order to Cash (OTC) Cycle
Sensitive Ability Constraints Reviewed:
• Set Up: AR and OM Setup
• Set Up: Interface Processing
SoD Constraints Reviewed (conflicting ability pairs):
Enter Cash Receipts | Enter Sales Orders
Enter Cash Receipts | Approve Invoice Adjustments
Enter Cash Receipts | Process AR Invoices
Create Customers | Enter Sales Orders
Create Customers | Enter RMA
Create Customers | Process Debit/Credit Memos
Create Customers | Process AR Invoices
Create Customers | Process Transactions
Create Customers | Enter / Maintain Cash Receipts (2)
Create Customers | Maintain Misc Cash Receipts
Maintain Customer Profile | Enter Sales Orders
Maintain Customer Profile | Enter Cash Receipts
Maintain Customer Profile | Maintain Cash Receipts
Maintain Customer Profile | Maintain Misc Cash Receipts
Approve Invoice Adjustments | Process Invoice Adjustments
Process AR Invoices / Process Transactions | Approve Invoice Adjustments (2)
Approve Invoice Adjustments | Maintain Invoice Adjustments
[Screenshot: Sample PTP ICM Violation Report, showing an inter-responsibility conflict]
[Screenshot: Sample OTC ICM Violation Report, showing an intra-responsibility conflict]
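The following is an added example, not from the original deck, from Protiviti or from Oracle, of how steps 1 to 3 of the approach above can be reproduced outside ICM. It walks the access hierarchy Oracle Applications uses (user, responsibility, menu, submenu, function), honours responsibility-level exclusions of submenus and functions, ignores inquiry-only function copies whose parameters carry QUERY_ONLY="YES", applies a pair-wise rule set (a subset of the PTP constraints listed above), skips pairs that have been waived as false positives, and labels each remaining hit as an intra-responsibility conflict (one responsibility grants both abilities) or an inter-responsibility conflict (the pair only arises from combining responsibilities). Every user, responsibility, menu and function name and the waiver record are constructed for the example; the menu structure only mimics the shape of the FND menu tables, it is not real seeded data.

```python
"""Added example (not from the deck or from Oracle): a small SoD analyzer over the
Oracle EBS access hierarchy user -> responsibility -> menu -> submenu -> function.
Every name and record below is constructed for illustration."""
from collections import namedtuple

# Function -> (business ability, form parameters). QUERY_ONLY="YES" marks an
# inquiry-only copy of a function, which grants no transactional ability.
FUNCTIONS = {
    "PO_ENTRY":         ("Create PO/Blanket PO", ""),
    "RCV_ENTER":        ("Receive Goods", ""),
    "BUYER_MAINT":      ("Maintain Buyers", ""),
    "AP_INVOICES":      ("Process Invoices", ""),
    "AP_INVOICES_VIEW": ("Process Invoices", 'QUERY_ONLY="YES"'),
    "AP_PAYMENTS":      ("Process Payments", ""),
}
# Menu -> entries, each a submenu or a function (the shape of FND_MENU_ENTRIES).
MENUS = {
    "PO_TOP":          [("menu", "PO_TRANSACTIONS"), ("menu", "PO_SETUP")],
    "PO_TRANSACTIONS": [("function", "PO_ENTRY"), ("function", "RCV_ENTER")],
    "PO_SETUP":        [("function", "BUYER_MAINT")],
    "AP_TOP":          [("function", "AP_INVOICES")],
    "AP_PAY_TOP":      [("function", "AP_PAYMENTS")],
    "AP_INQ_TOP":      [("function", "AP_INVOICES_VIEW")],
}
# Responsibility -> (top menu, excluded submenus/functions).
RESPONSIBILITIES = {
    "PURCHASING_SUPER_USER": ("PO_TOP", set()),
    "PURCHASING_BUYER":      ("PO_TOP", {"PO_SETUP", "RCV_ENTER"}),
    "AP_CLERK":              ("AP_TOP", set()),
    "AP_PAYMENTS_RESP":      ("AP_PAY_TOP", set()),
    "AP_INQUIRY":            ("AP_INQ_TOP", set()),
}
USER_RESPS = {
    "asmith": ["PURCHASING_SUPER_USER"],
    "bjones": ["PURCHASING_BUYER", "AP_CLERK"],
    "cwong":  ["AP_CLERK", "AP_PAYMENTS_RESP"],
    "dlee":   ["AP_INQUIRY", "PURCHASING_BUYER"],
}
# Rule set: ability pairs one person should not hold (a subset of the PTP list).
RULES = [
    ("Create PO/Blanket PO", "Maintain Buyers"),
    ("Receive Goods", "Create PO/Blanket PO"),
    ("Process Invoices", "Process Payments"),
    ("Process Invoices", "Create PO/Blanket PO"),
]
# Waivers recorded after false-positive review (step 2 of the approach).
WAIVERS = {("cwong", "Process Invoices", "Process Payments"): "false positive confirmed with AP manager"}

Conflict = namedtuple("Conflict", "user ability_a ability_b kind responsibilities")


def flatten_menu(menu, exclusions, seen=None):
    """All functions reachable from `menu`, honouring exclusions of whole submenus
    and of single functions; `seen` guards against circular menu references."""
    seen = set() if seen is None else seen
    if menu in exclusions or menu in seen:
        return set()
    seen.add(menu)
    found = set()
    for kind, name in MENUS.get(menu, []):
        if kind == "menu":
            found |= flatten_menu(name, exclusions, seen)
        elif name not in exclusions:
            found.add(name)
    return found


def is_view_only(function):
    """True when the function's parameters pin the form to query mode."""
    return 'QUERY_ONLY="YES"' in FUNCTIONS[function][1].upper().replace(" ", "")


def resp_abilities(resp):
    top_menu, exclusions = RESPONSIBILITIES[resp]
    return {FUNCTIONS[f][0] for f in flatten_menu(top_menu, exclusions) if not is_view_only(f)}


def user_abilities(user):
    """Ability -> set of the user's responsibilities that grant it."""
    grants = {}
    for resp in USER_RESPS.get(user, []):
        for ability in resp_abilities(resp):
            grants.setdefault(ability, set()).add(resp)
    return grants


def find_conflicts(user):
    """Unwaived rule violations for one user. kind is "intra" when a single
    responsibility grants both abilities, "inter" when only the combination does."""
    grants, hits = user_abilities(user), []
    for a, b in RULES:
        if a not in grants or b not in grants:
            continue
        if (user, a, b) in WAIVERS or (user, b, a) in WAIVERS:
            continue  # reviewed and accepted as a false positive
        shared = grants[a] & grants[b]
        kind = "intra" if shared else "inter"
        hits.append(Conflict(user, a, b, kind, tuple(sorted(shared or grants[a] | grants[b]))))
    return hits


if __name__ == "__main__":
    for user in USER_RESPS:
        for c in find_conflicts(user):
            print(f"{user}: {c.kind}-responsibility conflict {c.ability_a} / {c.ability_b} via {', '.join(c.responsibilities)}")
```

Two points the data is built to show: asmith's conflicts are intra-responsibility, so no amount of re-assigning responsibilities fixes them and the responsibility itself (or its menu) has to change, while bjones's conflict is inter-responsibility and can be resolved by removing one assignment. dlee is clean only because the analyzer reads the QUERY_ONLY parameter; a check that stops at responsibility or menu names would flag the inquiry copy as if it processed invoices.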
PTP Conflict – Compensating Control Suggestions
Conflict | Risk | Possible Compensating Control
Create PO / Maintain Buyers | Unauthorized buyer can create a PO | Configurable control: PO Approval Groups and Assignments; do not allow "Owner can Approve" on the owner's own PO
Process DM/CM / Process Payments | Erroneous or unauthorized payments to vendors | Check signatures; invoice matching process; hold unmatched invoices
Process Invoices / Create PO | Erroneous or unauthorized payments to vendors | PO approval hierarchy; invoice matching process; hold unmatched invoices
Process Invoices / Maintain (Receive) Goods | Erroneous or unauthorized payments to vendors | Inventory cycle counting; invoice matching process; hold unmatched invoices
Process Invoices / Maintain PO | Erroneous or unauthorized payments to vendors | PO approval hierarchy; invoice matching process; hold unmatched invoices
Process Invoices / Process Payments | Erroneous or unauthorized payments to vendors | Check signatures; invoice matching process; hold unmatched invoices
Receive Goods / Create or Maintain POs | Unauthorized purchase or erroneous recording of liability | PO approval hierarchy; invoice matching process; hold unmatched invoices
Release Invoice Holds / Receive Goods | Erroneous or unauthorized payments to vendors | Inventory cycle counting; invoice matching process; hold unmatched invoices
OTC Conflict – Compensating Control Suggestions
Conflict | Risk | Possible Compensating Control
Approve Invoice Adjustment / Maintain Invoice Adjustment | Unauthorized write-off of invoices | Configurable control: Approval Limits
Create Customer / Enter Cash Receipts | Fictitious customer; hidden cash receipt | Customer statements; SoD of handling, logging and depositing of checks received from customers; bank reconciliations
Create Customer / Enter RMAs | Unauthorized credit given to customers | Customer statements; review of open RMAs
Create Customer / Enter Sales Orders | Unauthorized sales order and shipment of goods | Configurable control: Sales Order Approval workflow
Create Customer / Maintain Cash Receipts | Hidden cash receipt | Review of reversed cash receipts; cash receipt deletion not allowed by the system
Create Customer / Process DM/CM | Unauthorized credit given to customers; unauthorized changes to customer records; hidden cash receipt | Customer statements; review of AR aging; SoD of handling, logging and depositing of checks received from customers; bank reconciliations
Enter Cash Receipts / Approve Invoice Adjustments | Unauthorized write-off of invoices | Configurable control: Approval Limits
Maintain Customer Profile / Enter Sales Orders | Unauthorized sales order and shipment of goods | Configurable control: Sales Order Approval workflow
Maintain Customer Profile / Maintain Misc Cash Receipts | Hidden cash receipt | SoD of handling, logging and depositing of checks received; bank reconciliations
Additional Recommendations
The following are improvements that would eliminate the need for compensating controls:
• Restrict access for Release Holds and Sales Order entry. Access to the Sales Order form is required to be able to release holds. The ability to Release Holds, however, should be excluded from users who should NOT be able to release an order. The best practice is to restrict this access to those in credit management who "approve" the release of a credit hold on an order. This is normally considered the higher-risk area with regard to Sales Order processing.
• Rearrange department responsibilities so that supervisors are only approvers and reviewers, not "doers". Supervisors' access would then be mostly View Only, except for the approval of transactions. The team would have the access to process transactions; supervisors would approve any changes or adjustments and delegate processing to their teams.
• Functions with Inquiry Only access should be designated as View Only in the function name to simplify future audit-related activities. This can be done by creating a copy of the normal function, giving it a name containing "View Only", and adding the parameter QUERY_ONLY="YES" to the function. With these functions clearly designated, the access is more easily justified.
Additional Recommendations (Cont.)
The following are improvements that would eliminate the need for compensating controls:
• Access to Setups should be limited to Inquiry Only access. IT and Business Analysts should be given a responsibility that has Inquiry Only access to all setups in production, but read/write access in a development environment. This enables them to view any setup for troubleshooting. When they determine that a change should be made in the system, they should follow the Change Management process: file a change request and have it tested in dev and approved by the business owner. Once approval is received, the System Administrator grants the BA temporary access to the Super User responsibility to make the change in production. This is considered a best practice, as it keeps Super User access to a minimum.
• Access to Super User responsibilities should also be granted on a temporary basis only and be controlled through the change management process. The process should require appropriate business/process owner approval prior to granting temporary access. Responsibilities granted temporarily should be end-dated at the time the access is granted, based on the amount of time the access is needed.
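As an added example (not from the deck or from Protiviti), this is the reconciliation an auditor or System Administrator could run to verify the two recommendations above: every Super User grant must trace to an approved change request, must carry an end date, and must not outlive the approved window. The users, responsibility names, grant records and change tickets are constructed; the grant tuples assume an export of user/responsibility assignments with start and end dates, and the SUPER_USER_RESPS set is the reviewer's own list of which responsibilities count as Super User access.

```python
"""Added example (not from the deck): reconcile Super User responsibility grants
against approved change requests. All records below are constructed; the grant
tuples mimic a user/responsibility assignment export with start and end dates."""
from datetime import date, timedelta

# Responsibilities treated as "Super User" access (constructed list).
SUPER_USER_RESPS = {"SYSTEM_ADMINISTRATOR", "PURCHASING_SUPER_USER", "PAYABLES_SUPER_USER"}

# (user, responsibility, start_date, end_date); None means the grant never expires.
GRANTS = [
    ("bjones", "PURCHASING_SUPER_USER", date(2008, 1, 7), date(2008, 1, 9)),
    ("cwong",  "PAYABLES_SUPER_USER",   date(2008, 1, 7), None),
    ("dlee",   "PURCHASING_SUPER_USER", date(2008, 1, 7), date(2008, 1, 31)),
    ("asmith", "SYSTEM_ADMINISTRATOR",  date(2007, 6, 1), None),
    ("elopez", "AP_CLERK",              date(2007, 6, 1), None),   # not a Super User grant
]

# Approved change requests: (user, responsibility, approved_start, approved_days, approver).
CHANGE_REQUESTS = [
    ("bjones", "PURCHASING_SUPER_USER", date(2008, 1, 7), 2, "po.manager"),
    ("cwong",  "PAYABLES_SUPER_USER",   date(2008, 1, 7), 1, "ap.manager"),
    ("dlee",   "PURCHASING_SUPER_USER", date(2008, 1, 7), 3, "po.manager"),
]


def approved_end_date(approved_start, approved_days):
    """The end date the System Administrator should enter when granting the
    responsibility: the approved start plus the approved number of days."""
    return approved_start + timedelta(days=approved_days)


def review_super_user_grants(grants=GRANTS, requests=CHANGE_REQUESTS):
    """Return {(user, responsibility): [issues]} for every Super User grant;
    an empty issue list means the grant is within policy."""
    approvals = {(u, r): (s, d, who) for u, r, s, d, who in requests}
    findings = {}
    for user, resp, start, end in grants:
        if resp not in SUPER_USER_RESPS:
            continue
        issues = []
        approval = approvals.get((user, resp))
        if approval is None:
            issues.append("no approved change request")
        if end is None:
            issues.append("no end date: access is permanent")
        if approval is not None:
            allowed_end = approved_end_date(approval[0], approval[1])
            if start < approval[0]:
                issues.append(f"granted {start} before approved start {approval[0]}")
            if end is not None and end > allowed_end:
                issues.append(f"end date {end} exceeds approved {allowed_end}")
        findings[(user, resp)] = issues
    return findings


if __name__ == "__main__":
    for (user, resp), issues in review_super_user_grants().items():
        print(f"{user:8} {resp:24} {'OK' if not issues else '; '.join(issues)}")
```

Run periodically, the same check doubles as the detective control for the process: a permanent SYSTEM_ADMINISTRATOR grant with no ticket (asmith in the sample data) is exactly the "Sysadmin / Super User" exposure the overview warns about.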
Control Areas to Consider During an Upgrade or Implementation Project to Prevent Future Stand-Alone Remediation Projects
Transaction Processing Controls
Business processes supported and impacted by applications must ensure information integrity through effective design, development, and usage of:
Manual Process Controls
• policies and procedures
• reconciliations, reviews and approvals
• management reporting
Application Interface Controls
• restart and recovery procedures
• control totals
• job monitoring
• error handling
Facilitation of Audit Needs
• transaction logs
• historical data access
• transaction references
• meaningful descriptions/classifications
Automated Application Controls
• field edits
• workflow approvals
• error messages
• matching tolerances
• number ranges
• default values
• posting keys
• document matching
• recurring entries
Security Administration
Security strategies, tools, personnel, and processes should be coordinated effectively to address the following key components:
Administration
• provisioning (granting, termination, and modification) of user IDs
• workflow / approvals
• tool administration
• password resetting
• password parameters
Segregation of duties
• separation of incompatible functions
• data owner monitoring of access levels
Sensitive access
• powerful authorities
• post-implementation support
Data Management
As part of the implementation, data must be converted and then maintained to ensure the integrity of system processing. The following are critical considerations in this area:
Master Data Maintenance
• data ownership
• policies and procedures
• impact analysis
Data Archiving
• system performance and storage requirements
• data access requirements
• data redundancy
Data Conversions
• data mappings
• conversion design
• conversion testing
• reconciliation
Data Cleansing
• inactive data
• duplicative data
• erroneous data
During an upgrade, data management activities may relate only to completing the upgrade process steps for what to correct by module (i.e. data re-mapping, etc.).
Change Management & Testing
Change management is critical for ensuring consistency of processing throughout an application's life cycle. This effort includes:
• Client strategy (e.g. dev, test, prod)
• Image refreshes
• Object migration
• Problem management for ongoing changes
• Version control
All development and implementation efforts must include thorough testing to ensure defined solutions are complete and accurate. This effort includes:
• Comprehensive test plan for functionality, security, and controls
• Documented test cases and test results
• Sign-off and acceptance
• Use of positive and negative testing techniques
Things to Consider When Implementing/Upgrading
ERP systems are already built with standard business process functionality, and it is best to avoid "programming": implement the "out of the box" solution and limit customization of the application as much as possible.
Limiting customizations and designing them correctly can prevent problems when upgrading in the future. For example, creating new customized menus with unique names will prevent the overrides during upgrades that can occur if you customize a standard menu.
The difference between a manual control and an automated one is mostly a change of focus from detective to preventive control. Preventive controls are considered stronger and are therefore preferred.
Implementing more automated controls (instead of relying on manual controls) can significantly reduce audit/testing effort. An automated control can be tested immediately and requires only one sample, while a manual control must be demonstrated over time and multiple samples must be tested based on the control frequency (i.e. daily, monthly, etc.).
Summary
• Segregation of Duties (SoD) Overview
• SoD Assessment Approach
• Segregation of Duties Assessment Case Study
• Control Areas to Consider During an Upgrade or Implementation Project to Prevent Future Stand-Alone Remediation Projects
Questions?