t3 - auditing oracle financials 11i - part 1
Post on 16-Jul-2015
5/14/2018 T3 - Auditing Oracle Financials 11i - Part 1 - slidepdf.com
http://slidepdf.com/reader/full/t3-auditing-oracle-financials-11i-part-1 1/43
Auditing Oracle ERP
ISACA Fall Conference
September 2005
Presented by:
September 26/27/28, 2005
Agenda
1. Course Objectives
2. Challenges of an Oracle ERP Audit
3. Oracle ERP Overview
4. PwC Audit Approach to Oracle
5. Segregation of Duties
6. Configurable Controls
1. Course Objectives
Become familiar with Oracle terminology and concepts
Understand the audit implications of Oracle and the PwC recommended approach to Oracle controls and security
Recognize the implications of configurable controls (application controls), monitoring controls, general controls, including “How to audit”
2. Challenges with an Oracle ERP Audit
Recognizing control implications of Oracle ERP
Understanding the significant changes to business processes
Keeping up with changing risks
Identifying critical risk components of Oracle
Maintaining effective test plans
Updating the knowledge and skills required to audit
Why audit?
Auditing will be done as part of:
• Statutory (external) audit
• Internal audit
• Process audit
Traditionally, controls were audited since:
• Volume of transactions (high volume low value)
• Auditing around the system not effective
Why audit?
New environment…
Sarbanes Oxley
Sections 302 and 404 REQUIRE a controls audit
When to Audit
• Prior to reporting date
• During the year
• Point in time
3. Oracle ERP overview
Application areas: Human Resources, Finance, Projects, Self-Service, Supply Chain Management, Manufacturing, Front Office, Applied Technology
Finance
• General Ledger
• Financial Analyzer
• Cash Management
• Payables
• Receivables
• Fixed Assets
Manufacturing
• Engineering
• Bills of Material
• Master Scheduling / MRP
• Capacity
• Work in Process
• Quality
• Cost Management
• Process (OPM)
• Rhythm Factory Planning
• Rhythm Advanced Scheduling
• Project Manufacturing
• Flow Manufacturing
Supply Chain Management
• Order Entry
• Purchasing
• Product Configurator
• Supply Chain Planning
• Supplier Scheduling
• Inventory
Projects
• Project Costing
• Project Billing
• Personal Time & Expense
• Activity Management Gateway
• Project Connect
CRM
• Marketing (3 modules)
• Sales (5 modules)
• Service (5 modules)
• Call Center (5 modules)
Human Resources
• Payroll
• Human Resources
• Training Administration
• Time Management
• Advanced Benefits
Applied Technology
• Workflow
• Alert (Business Agents)
• Applications Data Warehouse
• EDI Gateway
Self-Service
• Web Customers
• Web Suppliers
• Web Employees
Oracle workflow
What does it Do?
Oracle Workflow automates standard business processes, allowing for transparency and a recorded history of process transactions
Who uses it?
Workflow Specialist configures workflow during install
End Users
Workflow Administrator
Audit Impacts of Workflow
• Workflow allows customization
• Testing entails review or tracing
• Workflow processes can be forced through
• SOD function and workflow administrator access
Oracle Workflow and Oracle Alerts
What’s the Difference?
Oracle Alerts
• Static, one way transmission of information alerting someone to change of already existing data
• Alerts must be built
• Similar to an FYI notification in Workflow
Workflow
• Customizable process flows are available
• Hierarchy, timeout, and escalation features
• Can prevent an action
Oracle Workflow
Most Commonly Used Seeded Workflows
General Ledger: Journal Entry Approval
iExpense: Expense Report Approvals; Terminated Employees
Accounts Payable: Invoice Approval; Process Pay (Positive Pay) Message
Receivables: Credit Memo Approvals; Credit Application Approval
Order Management: Order and Return Processing; Schedule, ship and pack delivery
Purchasing: Requisition and PO Document Approval; Auto Document Creation; Receipt Confirmation; Exceeding of Price/Receipt Tolerances
Projects: Projects Approval; Project Accounting
iTime: Timecard Approval
4. PwC approach to Oracle
Application controls (ORACLE)
• Application Security and Segregation of Duties
• Application Change Control Management
• Business Processes Controls
• E-Commerce
• Internal Interface Controls
• Concurrent Process Controls
• Integrity of Reporting
• Business Continuity Planning
• Shared Services
• Information Integrity
Linked Systems (Legacy/Bolt-Ons)
• Bolt-On Security
• Interface Controls
• Conversion Processes and Controls
• Information Integrity
IT Infrastructure (Technical Infrastructure)
• General Access
• Technology Integrity
• Data Warehousing and Reporting Controls
• Security Guidelines
• Disaster Recovery Planning
Business Processes / Controls Environment (System of Internal & External Controls)
• Business and Industry Risks
• Regulatory and Compliance requirements
• Internal and External Reporting and Audit
Control structure
Internal and External Control Structure
Layers (diagram): IT Infrastructure; ORACLE; Linked Systems; Business Processes
Upstream: Suppliers via EDI / E-Commerce, Interfaces and Data Feeds; Non-Linked Suppliers via Interfaces and Data Feeds
Downstream: Customers via EDI / E-Commerce, Interfaces and Data Feeds; Non-Linked Suppliers via Interfaces and Data Feeds
External Controls and Internal Controls are shown on both the upstream and downstream sides
Controls reliance is achieved through a convergence of efficient systems and effective internal and external controls
Business Process controls
• Access Controls - controls over access to business processes & transaction processing exist, are properly maintained & are managed by appropriate management within the organization
• Processing Controls - adequate controls are implemented (Inherent, Configurable, Manual and Customizable) to ensure data integrity
• Rejection Controls - edit and validation controls exist to ensure inappropriate data is rejected from processing and monitoring controls exist to review rejected output
• E-Commerce - controls are adequately implemented
• Shared Services - issues and risks are mitigated through controlled processes
Diagram elements: Controlled Processes; Inherent; Custom; Manual; Configure
Application security
Managing Risk by Ensuring that Key Controls are Adequately Implemented Over APPLICATION SECURITY:
• Security Administration - managed by appropriate management within the organization
• Security Impact Assessment - on business processes and user environment
• Security Design - current and future needs are assessed and implemented with high priority controls environment
• Security Strategy/Approach - controls over application to ensure unauthorized users can not access the production environment
• Segregation of Duties - controls over business process are adequate and implemented
• Security Functionality - comprehensively utilized and maintained
• On-going Security Administration - managed and maintained by appropriate management within the organization
Diagram elements: Business Process Team; Controls & Security Team; Change Management (Stakeholder); Oracle Apps Functionality; Control Requirements & Oracle Security Expertise; Business Requirements; Oracle Apps (User Responsibility Profiles)
Auditing Oracle Applications
Audit mindset:
• Least privilege basis
• Prevention is better than cure
• What could go wrong
Factors that affect amount of testing:
• Objective of the audit
• Level of reliance on the system
• Level of manual controls (that may compensate)
Risk Based Approach – Identification of Controls to Test
• First year (SOX) results have indicated that more controls were identified, documented and tested than necessary
• Only need to document and test controls over relevant assertions related to significant accounts (i.e., only those controls that provide evidence that the control objective is met)
• Need to understand the interaction between preventive and detective controls
• Need to identify the points at which errors or fraud could occur and then identify the controls that prevent or detect the errors or fraud
Auditing an Oracle Environment
• Oracle Applications audit:
  • Segregation of duties
  • Configurable controls review
• General Computer Controls audit:
  • Information security
  • Computer operations
  • Existing system maintenance
  • New system development and implementation
General Computer Controls
Where do General Computer Controls fit in?
Manual and monitoring controls
Application Controls
General Computer Controls
Control Environment
Application Controls Review
Application controls audit consists of:
Input – what information is going in?
Process – what is being done to the information?
Output – what information comes out?
How to ensure that the IPO is:
Complete
Accurate, and
Valid, AND
Restricted access = segregation of duties + security review
5. Segregation of Duties
What is ‘Segregation of Duties’ (SOD)?
• The principle of separating incompatible functions from an individual
• Designed to prevent, rather than detect
• Reduces risk, as circumventing a well designed SOD environment requires collusion
• SOD includes system level segregation as well as segregation of manual processes
Segregation of Duties
What must be segregated?
• Record Keeping
• Custody of Assets
• Authorization
• Reconciliation
Segregation of Duties
• In a practical way, SOD is enforced in Oracle through responsibilities!
• A responsibility defines a set of menu options and functions that are accessible to a user and defines reports and processes which may be run
• Responsibilities usually grant access to just one Oracle module, such as General Ledger or Accounts Payable
• A user can be assigned more than one responsibility
Segregation of Duties
Applications User (User Name, Password)
  Responsibility
    Main Menu
      Menu
        Forms
      Menu
        Forms
    Request Security Group
      Reports
      Request Sets
      Concurrent Programs
    Security Rules
      Flexfield Values
      Report Parameters
SOD and user review
Segregation of duties and user review involves testing of:
• Responsibility assignments (which responsibilities are given to which users), this will include:
• Generic users (e.g. AP_LOGIN)
• Seeded responsibilities
• Default logins (e.g. AP/AP, OPERATIONS/WELCOME)
• User addition, removal, modification and monitoring
SOD and user review
• Cross-module SOD involves reviewing incompatible functions across applications (e.g. AP user with general ledger responsibilities)
• Responsibility name = usually a factor
• Dormant user review
• Periodic cleanup of users
• Password length, strength, timeout
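To show what a scripted user review covers, here is an added example with constructed data (it is not from the presentation and is not a PwC or Oracle tool): it takes an extract of application users with last-logon and end dates and flags default logins that are still active, generic shared logins, dormant or never-used accounts, and end-dated users with logons recorded after their end date. The account names AP and OPERATIONS come from the slide; every date, every other name and the 90-day dormancy threshold are constructed assumptions.

```python
"""Application user review: default, generic, dormant and end-dated accounts.

Added example, not part of the original presentation. The account names AP
and OPERATIONS are the default logins named on the slide; all dates, other
names and the 90-day dormancy threshold are constructed assumptions.
"""
from datetime import date

AS_OF = date(2005, 9, 26)                      # constructed review date
DORMANT_DAYS = 90                              # assumed dormancy threshold
DEFAULT_ACCOUNTS = {"AP", "OPERATIONS"}        # from the slide; extend per release
GENERIC_MARKERS = ("_LOGIN", "SHARED", "TEMP")  # assumed naming patterns

# Constructed user extract: (user_name, last_logon, end_date, responsibilities)
USERS = [
    ("JSMITH", date(2005, 9, 23), None, ["Belgium Payables, Operations"]),
    ("AP_LOGIN", date(2005, 9, 20), None, ["Belgium Payables, Inquiry"]),
    ("OPERATIONS", date(2005, 5, 2), None, ["System Administrator"]),
    ("TBROWN", date(2005, 3, 1), None, ["General Ledger, Super User"]),
    ("KLEE", date(2005, 9, 1), date(2005, 8, 15), ["Purchasing, Buyer"]),
    ("AP", None, None, ["Payables Manager"]),
    ("AUDITOR", date(2005, 9, 25), None, ["Belgium Payables, Inquiry"]),
]


def is_active(end_date, as_of=AS_OF):
    """An account is active unless its end date is on or before the review date."""
    return end_date is None or end_date > as_of


def review_user(name, last_logon, end_date, as_of=AS_OF):
    """Return the sorted finding codes for one user record."""
    findings = set()
    active = is_active(end_date, as_of)
    if name in DEFAULT_ACCOUNTS and active:
        findings.add("DEFAULT_ACCOUNT_ACTIVE")
    if any(marker in name for marker in GENERIC_MARKERS):
        findings.add("GENERIC_ACCOUNT")
    if active:
        if last_logon is None:
            findings.add("NEVER_LOGGED_ON")
        elif (as_of - last_logon).days > DORMANT_DAYS:
            findings.add("DORMANT")
    elif last_logon is not None and last_logon > end_date:
        # A logon after the recorded end date: confirm when access was really revoked.
        findings.add("LOGON_AFTER_END_DATE")
    return sorted(findings)


def review(users=USERS, as_of=AS_OF):
    """Run the checks over the extract; users with no finding are omitted."""
    report = {}
    for name, last_logon, end_date, _responsibilities in users:
        findings = review_user(name, last_logon, end_date, as_of)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for user, codes in review().items():
        print(f"{user}: {', '.join(codes)}")
```

The extract itself would come from the instance's user listing (the sign-on audit users report named later in this section is one source); each finding is then followed up against the user addition, removal and modification records so that a dormant or end-dated account can be tied to a documented decision.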
SOD and user review
• Responsibility design (which functions are given to a specific responsibility)
• Request Groups and Report access
• Manual processes (e.g. who has physical access to blank cheque stock)
SOD and user review
• A responsibility design and user assignment review may leverage:
  • Custom tool / script
  • Oracle standard reports (limited information, hard to manipulate)
    • Active responsibilities
    • Active users
    • Users of a responsibility
    • Function security function report
    • Function security menu report
SOD and user review
• Oracle audit history reports
• Sign-on audit concurrent requests report
• Sign-on audit forms report
• Sign-on audit responsibilities report
• Sign-on audit unsuccessful logon report
• Sign-on audit users report
• Ability to audit specific tables, objects or actions
SOD Matrix
Segregation of Duties matrix – a way to test, a way to document
Segregation of Duties
1.
Observation: The ‘Belgium Payables, Operations’ responsibility has the ability to: Enter Invoices (via Invoice Workbench); Enter / maintain vendors; and Process payments (via Payment workbench, Payment Print Check and Payment Batches)
Risk: Users with these responsibilities can create themselves as vendors and process invoices and payments against such invoices to expropriate cash from the entity.
Recommendation: Remove the ability to process payments from this responsibility
Note in this example that a compensating control may be the fact that 3 way matching is required and the ‘Belgium Payables, Operations’ responsibility cannot process receipts and purchase orders
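As an added illustration of the matrix-based test described on these slides (example code written for this edit, not from the presentation and not a PwC or Oracle tool), the script below holds a small constructed SOD matrix of incompatible function pairs, a constructed responsibility design and constructed user assignments, and reports conflicts both inside a single responsibility (a design finding like the one above) and across the combination of responsibilities a user holds (the cross-module case from the user review slides). Every responsibility, function and user name in it is made up.

```python
"""SOD matrix check over a responsibility design and user assignments.

Added example, not part of the original presentation. Every responsibility,
function and user name below is constructed sample data, and the conflict
pairs are an illustrative matrix, not PwC's or Oracle's.
"""

# Constructed responsibility design: the functions each responsibility grants.
RESPONSIBILITY_FUNCTIONS = {
    "Belgium Payables, Operations": {
        "AP_ENTER_INVOICE", "AP_MAINTAIN_VENDOR", "AP_PROCESS_PAYMENT"},
    "Belgium Payables, Inquiry": {"AP_VIEW_INVOICE"},
    "Payables, Invoice Entry": {"AP_ENTER_INVOICE"},
    "General Ledger, Super User": {"GL_ENTER_JOURNAL", "GL_POST_JOURNAL"},
    "Purchasing, Buyer": {"PO_CREATE_PO", "PO_APPROVE_PO"},
    "Receiving": {"PO_ENTER_RECEIPT"},
}

# Constructed SOD matrix: unordered pairs of functions one person must not hold.
SOD_MATRIX = {
    frozenset({"AP_MAINTAIN_VENDOR", "AP_PROCESS_PAYMENT"}),
    frozenset({"AP_ENTER_INVOICE", "AP_PROCESS_PAYMENT"}),
    frozenset({"GL_ENTER_JOURNAL", "GL_POST_JOURNAL"}),
    frozenset({"PO_CREATE_PO", "PO_APPROVE_PO"}),
    frozenset({"PO_CREATE_PO", "PO_ENTER_RECEIPT"}),
    frozenset({"AP_ENTER_INVOICE", "GL_POST_JOURNAL"}),  # cross-module pair
}

# Constructed user assignments: which responsibilities each user holds.
USER_RESPONSIBILITIES = {
    "JSMITH": ["Belgium Payables, Operations"],
    "AP_LOGIN": ["Belgium Payables, Inquiry", "General Ledger, Super User"],
    "KLEE": ["Payables, Invoice Entry", "General Ledger, Super User"],
    "MJONES": ["Purchasing, Buyer", "Receiving"],
    "AUDITOR": ["Belgium Payables, Inquiry"],
}


def conflicts_in(functions):
    """Matrix pairs fully contained in `functions`, as sorted tuples."""
    hits = [pair for pair in SOD_MATRIX if pair <= set(functions)]
    return sorted(tuple(sorted(pair)) for pair in hits)


def responsibility_conflicts():
    """Responsibility design review: pairs that one responsibility grants by itself."""
    found = {}
    for name, functions in RESPONSIBILITY_FUNCTIONS.items():
        hits = conflicts_in(functions)
        if hits:
            found[name] = hits
    return found


def effective_functions(user):
    """Union of the functions of every responsibility assigned to `user`."""
    return set().union(*(RESPONSIBILITY_FUNCTIONS[r] for r in USER_RESPONSIBILITIES[user]))


def user_conflicts():
    """User assignment review: pairs a user holds through all responsibilities
    combined, which catches cross-module combinations no single responsibility contains."""
    found = {}
    for user in USER_RESPONSIBILITIES:
        hits = conflicts_in(effective_functions(user))
        if hits:
            found[user] = hits
    return found


def assignment_only_conflicts():
    """Subset of user conflicts that arise purely from the combination of
    responsibilities: fixing the responsibility design alone would not remove them."""
    found = {}
    for user, hits in user_conflicts().items():
        within_one = set()
        for r in USER_RESPONSIBILITIES[user]:
            within_one.update(conflicts_in(RESPONSIBILITY_FUNCTIONS[r]))
        only_combined = [h for h in hits if h not in within_one]
        if only_combined:
            found[user] = only_combined
    return found


if __name__ == "__main__":
    for title, report in (("Responsibility design", responsibility_conflicts()),
                          ("User assignment", user_conflicts()),
                          ("Assignment-only", assignment_only_conflicts())):
        print(title)
        for subject, pairs in report.items():
            for a, b in pairs:
                print(f"  {subject}: {a} + {b}")
```

In a real review the two input maps are extracted from the instance (responsibility-to-function from the function security reports, user-to-responsibility from the users-of-a-responsibility report listed earlier) and the matrix is the organisation's own; each reported pair is then assessed by hand for compensating controls such as the 3 way matching noted above before it becomes an observation.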
Segregation of Duties
Potential traps with SOD reviews:
• Oracle standard menus / forms
• Custom pll’s
• Customised forms or functions
• IT users with superuser responsibilities
Segregation of Duties
Finally…
Baseline testing of user access is a critical step
The strength of the change control environment will impact the ability to rely on the baseline of segregation of duties and user access
6. Configurable controls
A ‘configurable control’ is:
• Any setting in Oracle Apps that can be modified, and which can affect the operation of a function in Oracle Apps
  – Profile options
  – Transaction type settings
  – Financial options
  – Payment options
  – Invoice options
• Different from ‘inherent’ controls, which are pre-programmed settings that are generally not overrideable or modifiable (e.g. quantity values not allowing non-numeric characters)
Configurable controls
• Create a process flow and narrative
• Identify key controls (including where users rely on Oracle Applications to automatically perform specific actions)
• Test the controls identified
Questions
Thank you!