FulcrumWay - Effective Ways to Assess ERP Controls 2014
This was presented on Jan. 28, 2014 in FulcrumWay's monthly Webinar sessions, which occur on the 3rd Tuesday of every month. Anyone may attend, just go to http://www.fulcrumway.com/events/upcoming-events for details. Hope to see you there!!

This presentation addresses:
ERP Control Assessment Approach – 2014
ERP Controls in Scope for Audit
Audit Findings and Remediation
Oracle Advanced Controls – Case Study

Published in Technology
Transcript

  • 1. Is Oracle ERP in Scope for 2014 Audit Plan? Learn, from our client case studies, effective ways to assess ERP Controls. Webinar – January 28th, 2014. Adil Khan, Managing Director, FulcrumWay – A Leader in Risk Based Enterprise Controls Management Solutions (Risk and Compliance, Financial Reporting, Internal Audit, Controls Catalog, Application Security, Advanced Analytics). Leverage Technology: Move Your Business Forward™. "Give me a lever long enough and a fulcrum on which to place it, and I shall move the world" - Archimedes. Copyright ©. Fulcrum Information Technology, Inc.
  • 2. Agenda – Is Oracle ERP in Scope for 2014 Audit Plan?
    – Introductions
    – ERP Control Assessment Approach – 2014
    – ERP Controls in Scope for Audit
    – Audit Findings and Remediation
    – Oracle Advanced Controls – Case Study
    Copyright © FulcrumWay Page 2 www.fulcrumway.com
  • 4. FulcrumWay – A Leader in Risk Based Controls Management™
    FulcrumWay is the #1 End-to-End Provider of Risk Based Enterprise Controls Management Solutions for Oracle EBS, PeopleSoft and JDE customers, with over 200 Fortune-500 to Middle Market clients. Since 2003, we have successfully assisted companies across all major industry segments.
    – Expertise: Risk Advisory Services. Advanced Controls Design for Enterprise Applications. Best Practices for Risk Mitigation and Internal Controls Automation. Audit, Compliance, Financial, Enterprise and Operational Risk Assessments. Risk Remediation Services.
    – Packaged Solutions: FulcrumWay is the #1 choice of Oracle customers for Oracle GRC Advanced Controls, GRC Manager, and GRC Intelligence/OBIEE software implementation. Oracle has certified us as the only partner with Accelerators for Oracle GRC. We also provide Managed Services.
    – Software Services: Risk Assessment for ERP systems, Control Design and Management Tools, Controls Catalog, Enterprise Risk Manager, Financial Reporting Manager, Audit Manager
    – USA Presence: Privately held Delaware Corporation with US offices in New York City, Dallas and San Francisco
    – International Presence: Auckland, Chennai, Johannesburg, London, Mexico City
  • 5. Successful Track Record – FulcrumWay Clients by industry: Government, Communications, Media/Entertainment, Oil and Gas, Financial Services, Transportation, Manufacturing, Healthcare, High Tech, Retail, Natural Resources, Life Sciences
  • 6. FulcrumWay™ Insight – Proven Expertise, Thought Leadership
    – Co-Authored GRC Book: First book on GRC for Oracle Applications
    – Webcasts – GRC Best Practices, Trends and Expert Insight – February 19th
    – Executive Round Table – GRC Advanced Controls Luncheon, Los Angeles, February 21st
    – Executive Round Table – March 13th, Chicago: GRC Case Studies and Best Practices
    – Collaborate 14 – GRC Client Appreciation Dinner, April 9th, 2014, Las Vegas
    – Oracle Open World – Annual GRC Dinner on September 23rd, 2014, W Hotel San Francisco
    – LinkedIn – FulcrumWay Risk, Compliance and Audit Software Group
    – YouTube Podcasts – FulcrumWay Instant Insight in 10 min or less
  • 8. ERP Controls – Why include ERP Controls in Audit? The U.S. Public Company Accounting Oversight Board's (PCAOB) standard "An Audit of Internal Control Over Financial Reporting That is Integrated with An Audit of Financial Statements" states that benchmarking of application controls can be used because these controls are generally not subject to breakdowns due to human failure. If the general controls used to monitor program changes, access to programs, and computer operations are effective and continue to be tested on a regular basis, the auditor can conclude that the application control is effective without having to repeat the previous year's control test. This is especially true if the auditor verifies that the application control has not changed since the auditor last tested it.
  • 9–14. What are ERP Application Controls? (one diagram, built up over six slides)
    Diagram elements – Inputs: User Inputs, System Control Documents, Business Policies, ERP Configurations. Control Points: Data Input Validation, Posting, Processing, Output, Data Storage, Audit Logs, Data Archives. Output and External Interface: Board of Directors, Stockholders, Web Services, Banks.
    Control objectives called out on the diagram:
    – Input data is accurate, complete, authorized, and correct
    – Data is processed as intended in an acceptable time period
    – Data stored is accurate and complete
    – Outputs are accurate and complete
    – A record is maintained to track the process of data from input to storage and to the eventual output
  • 15. Assessment Approach – Top Down Risk Based Approach to Application Controls
    – What are the enterprise wide risks that need to be assessed?
    – Which business processes are impacted by these risks?
    – Which ERP apps are used to perform these processes?
    – Where (business locations) are the processes performed?
    – What application functions control the processes?
  • 17. Application Risk Factors (ERP Scope). Each application is scored on five factors (Risk Scale: Highest 10): Custom Code, Freq. of Changes, Audit Logs, Financial/Sensitive Data, Primary Process Enabler. The Risk Rating is the combined score; Risk Threshold: Over 30. List of Apps on the slide: INV, PR, HR, PO, GL, AP, AR, FA, OM. Scored rows recoverable from the slide (five factor scores → Risk Rating): 8 9 5 9 8 → 34; 7 7 6 8 9 → 32; AR: 7 7 9 9 7 → 39; FA: 5 5 5 5 5 → 25; 5 5 4 6 4 → 24 (the app labels of the unlabelled rows were lost in extraction).
  • 18. Access Controls (ERP Scope) – FulcrumWay Controls Catalog
    – Enter Journal and Post Journal: Can cause frauds or errors resulting in over or under stated financial statements. Process R2R, ERP App GL, Risk Type Fin, Risk Rating High
    – Create Suppliers and Create Invoices - R12: Can lead to an overstatement of liabilities if fictitious suppliers are created and invoiced. Process P2P, ERP App AP, Risk Type Fin, Risk Rating High
    – Create Customer and Create Sales Order - R12: Can lead to an overstatement of revenues. Process O2C, ERP App AR, Risk Type Fin, Risk Rating High
  • 19. Configuration Controls (ERP Scope) – FulcrumWay Controls Catalog
    – Journal Authorization Limits: Authorization limits for employees. Process R2R, ERP App GL, Risk Type Fin, Risk Rating High
    – Payment Adjustment Controls: Adjustments made to invoice distributions after payment is issued can cause errors in reconciliation … Process P2P, ERP App AP, Risk Type Fin, Risk Rating High
    – Define Credit Usage Rules: In Credit Management, credit usage rule sets ensure that all transactions for the specified currencies are converted to the credit ... Process O2C, ERP App AR, Risk Type Fin, Risk Rating High
  • 20. ERP Transaction Controls (ERP Scope) – FulcrumWay Controls Catalog (identify transactions after the fact)
    – Exchange Rates: monitoring of manual inputs of system exchange rates that are …more than 10% +/-. Process R2R, ERP App GL, Risk Type Fin, Risk Rating High
    – AP Invoice Over PO: Invoice payments in excess of PO / user Invoice approval limit. Process P2P, ERP App AP, Risk Type Fin, Risk Rating High
    – AR Invoices Over Threshold: Control monitor returns a record of each customer invoice that is valued in excess of a specified threshold. Process O2C, ERP App AR, Risk Type Fin, Risk Rating High
  • 21. ERP Control Methods (ERP Scope) – impact vs. probability matrix
    – High impact, high probability: High Risk – Remediate & Prevent
    – High impact, low probability: Medium Risk – Mitigate
    – Low impact, high probability: Medium Risk – Monitor Controls
    – Low impact, low probability: Low Risk – Accept
  • 22. ERP Preventive Controls (ERP Scope) – diagram slide
  • 24. Findings / Remediation – ERP Audit Findings and Remediation. Steps shown on the diagram: Scope Application Controls, Assess Risk, Establish Test Environment, Setup Mitigating Controls, Manage Exceptions, Detect Violations, Analyze Issues, Remediate Issues, Implement Corrective Actions, Monitor Application Environment. Participants and tools: Application Security Administrator, Application Controls Manager, IT/Business Control Teams, Sample ERP Data, FulcrumWay DataProbe.
  • 25. Findings – Access Controls Violations (example finding). User: John Doe. Roles: Purchasing User, Invoice Manager. Menu: CREATE_PMTS. Pages: PAYMENT_ACTION_IC, TD_INVOICES. Component: INVOICESGBL. Permission List: Invoices. Security object types on the diagram: Role, Menu, Page, Panel Group, Component, Row Security Class, Permission List. Finding flags: Locked User, Authorized Actions, Inherent SOD, False Positive, Conflict.
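An access-level SOD check of the kind slides 18 and 25 describe, as an added example that is not FulcrumWay's or Oracle's code: the conflict pairs follow the slide 18 catalog, the finding statuses reuse the slide 25 terms, and the role names, function names, user records and the classification rules are assumptions of this example.

```python
# Added example (not FulcrumWay's or Oracle's code): classify access-level
# SOD conflicts over constructed role/function data.
CONFLICT_CATALOG = {
    "Enter Journal / Post Journal": ("ENTER_JOURNAL", "POST_JOURNAL"),
    "Create Supplier / Create Invoice": ("CREATE_SUPPLIER", "CREATE_INVOICE"),
    "Create Customer / Create Sales Order": ("CREATE_CUSTOMER", "CREATE_SALES_ORDER"),
}

# Constructed role -> function grants (hypothetical names).
ROLE_FUNCTIONS = {
    "Purchasing User": {"CREATE_SUPPLIER", "CREATE_PO"},
    "Invoice Manager": {"CREATE_INVOICE", "APPROVE_INVOICE"},
    "GL Super User": {"ENTER_JOURNAL", "POST_JOURNAL"},  # both halves in one role
    "AR Clerk": {"CREATE_CUSTOMER"},
}

# Constructed user -> granted roles and account lock status.
USERS = {
    "jdoe": {"roles": {"Purchasing User", "Invoice Manager"}, "locked": False},
    "asmith": {"roles": {"GL Super User"}, "locked": False},
    "rlee": {"roles": {"Purchasing User", "Invoice Manager"}, "locked": True},
    "kpark": {"roles": {"AR Clerk"}, "locked": False},
}

# Documented mitigating controls (e.g. an independent review of asmith's
# postings) that turn a technical conflict into an accepted false positive.
AUTHORIZED_ACTIONS = {("asmith", "Enter Journal / Post Journal")}


def assess_user(user, info):
    """Return (conflict name, status, roles involved) for each conflict pair
    the user can actually exercise through the roles granted."""
    findings = []
    for name, (func_a, func_b) in CONFLICT_CATALOG.items():
        roles_a = {r for r in info["roles"] if func_a in ROLE_FUNCTIONS.get(r, ())}
        roles_b = {r for r in info["roles"] if func_b in ROLE_FUNCTIONS.get(r, ())}
        if not roles_a or not roles_b:
            continue  # user holds at most one half of the pair: no finding
        if info["locked"]:
            status = "Locked User"      # cannot log in; report, do not escalate
        elif (user, name) in AUTHORIZED_ACTIONS:
            status = "False Positive"   # mitigating control on file
        elif roles_a & roles_b:
            status = "Inherent SOD"     # one role grants both halves: fix the role
        else:
            status = "Conflict"         # role combination grants both: fix the user
        findings.append((name, status, sorted(roles_a | roles_b)))
    return findings


def assess_all(users=USERS):
    """Map every user that has at least one finding to its findings."""
    result = {}
    for user, info in users.items():
        findings = assess_user(user, info)
        if findings:
            result[user] = findings
    return result


if __name__ == "__main__":
    for user, findings in assess_all().items():
        for name, status, roles in findings:
            print(f"{user}: {name} -> {status} via {', '.join(roles)}")
```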
  • 26–29. Findings – Oracle Procure-to-Pay (one diagram, built up over four slides)
    Process: Requisition → Purchase Goods / Services → Receive Goods / Services → Invoice → Issue Payments. Spend Categories: Indirect & MRO, Direct Materials, Services. Surrounding elements: Strategic Sourcing & Contract Mgmt, Supplier Collaboration, Corporate Performance Management, Collaboration, Settlement, Banks, Payment Processors, SWIFTNet, Business Process Models, Service Oriented Architecture.
    Control points – suppliers:
    – Are there inappropriate associations between a vendor and an employee?
    – Do you have duplicate suppliers?
    – Are your vendors compliant with trade regulations? Are the vendors blacklisted?
    – Are you missing critical supplier information? Is the information valid?
    – Are there frequent changes to Supplier information?
    Control points – purchase orders:
    – Do you have duplicate Purchase Orders?
    – Are POs created on the same day as goods arrive?
    – Are there purchases with non-preferred vendors?
    – Are there split POs?
    Control points – payments:
    – Are you making accurate and timely payments?
    – Are payment term changes reviewed before payment?
    – Are there duplicate invoice amounts being processed?
    – Did the person making the payment create or modify the vendor?
    – Are there discrepancies in freight charges?
  • 31. Case Study – Company Overview
    Corporate Overview:
    – Large Mining, Chemical, Energy & Oil company headquartered in West Palm Beach, FL
    – 1,200 Employees worldwide and $4B annual revenue
    – Own Oracle E-Business Suite R12 and several Non-Oracle Systems
    Overall Challenges and the Need for ERP Controls:
    – Heterogeneous business application environment
    – Inability to track unusual activity on sensitive financial data
    – Lack of proper internal controls in various processes
    – Insufficient documentation on access, configurations and transaction controls
  • 32. Controls in Scope
    – User security to prevent improper access to business functions
    – Segregation of Requisitions from Purchase Orders – Auto Create of Purchase Orders/RFQ from Requisitions
    – One, Two or Three way matching of purchases to payments
    – Purchasing and Payment tolerances
    – Vendor purchasing/pay site configuration
    – One-time vendor indicator
    – Purchasing Approvals – Based on dollar value – Commodity Type
  • 33. Controls in Scope
    Purchasing:
    – Compare Vendor Address with Employee address, looking for similarities
    – Duplicate Suppliers, similar names or same tax ID
    – One time vendors, Audit rules on the one-time vendor flag changes
    – PO creation date is the same as the receiving date
    – Split purchase orders
    – Duplicate purchase orders
    Accounts Payable:
    – Change rule for change in payment terms & Change tracking object for terms and tolerances
    – Duplicate Invoices Control
    – Same employee create vendor and invoice to vendor
  • 34. Controls in Scope
    – Open/Closing Accounting Periods
    – Adding KFF Account values
    – Hiding private/sensitive data – Social Security Number – Bank Account information – Home addresses
    – Automated period close and consolidation process
  • 35. IT/Super User Change Tracking
    – Security Rules
    – Cross Validation Rules
    – Foreign Currency exchange rate changes
    – Key Flexfield Segments
    – System Profiles
    – ERP Responsibilities
    – Payment Terms and Tolerances
    – Form Changes
    – Alert Changes
    – Bank Account Information
    – Journal Sources and Categories
  • 36. Oracle Advanced Controls Implementation
    Access Controls:
    – Segregation of Duties, i.e. Policy Load
    – User Provisioning, i.e. Detection and remediation of SODs
    – Conflict Reports, i.e. Report on Intra and Inter Responsibility conflicts
    Preventive Controls:
    – Form Rules, i.e. limiting access to a field
    – Flow Rules, i.e. approval rule, informational message on trigger
    – Audit Rules, i.e. track changes
    – Change Control Rules, i.e. reason code as to why a field is changed
    Transaction Controls:
    – Business Objects, i.e. Tables and fields within EBS Suite
    – Parameters, i.e. Filters, Patterns and Functions
    – TCG Models, i.e. string of business objects that generate suspects
    Configuration Controls:
    – Snapshots, i.e. capturing specific setup/configuration info
    – Comparisons, i.e. comparing snapshots between ledgers, operating units, instances
    – Change Tracking, i.e. monitor any change to configuration
  • 37. Transaction Control Monitors
    – AP Invoices Over Threshold: Identify AP Invoices that are over a certain Threshold Amount
    – Dormant Inventory Items: Check for Dormant Inventory Items
    – Dormant User IDs: Identify dormant user IDs
    – Duplicate Vendor Payments: Identify Duplicate Vendor Payments within a specified time period
    – Enter Post Journals SOD Violation: Identify Journals that are entered and posted by the same user
    – Manual Journal Entries over Threshold Amount: Identify Manual Journals created in General Ledger that are above the specified threshold amount
    – PO Over Threshold Amount: Identify Purchase Orders that are over a certain Threshold Amount
    – Sales Order Over Credit Limit: Control Monitor for Sales Order over Credit Limit
    – Sales Order Over Threshold Amount: Identify Sales Orders that were booked for a value over a threshold amount
    – SOD Violation between AP Invoices and PO Documents: Identify purchasing and payables documents entered by the same user
    – Terminated Employees with Active User Ids: Identify Terminated Employees with Active User Ids
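Three of the slide 37 monitors (Enter Post Journals SOD Violation, Duplicate Vendor Payments, Terminated Employees with Active User Ids) written out as detection logic over constructed records, as an added example that is not FulcrumWay's or Oracle's code; the column names, sample rows and the 30-day duplicate window are assumptions of this example.

```python
# Added example (not FulcrumWay's or Oracle's code): three transaction control
# monitors run over constructed sample data.
from collections import defaultdict
from datetime import date

# Constructed journal header rows: who entered and who posted each journal.
JOURNALS = [
    {"je": "JE-100", "created_by": "jdoe", "posted_by": "msmith"},
    {"je": "JE-101", "created_by": "jdoe", "posted_by": "jdoe"},   # same user: SOD violation
    {"je": "JE-102", "created_by": "rlee", "posted_by": None},     # not yet posted
]

# Constructed vendor payment rows.
PAYMENTS = [
    {"pay": "P-1", "vendor": "V100", "amount": 4500.00, "date": date(2014, 1, 6)},
    {"pay": "P-2", "vendor": "V100", "amount": 4500.00, "date": date(2014, 1, 9)},  # dup of P-1
    {"pay": "P-3", "vendor": "V100", "amount": 4500.00, "date": date(2014, 3, 1)},  # outside window
    {"pay": "P-4", "vendor": "V200", "amount": 120.00, "date": date(2014, 1, 7)},
]

# Constructed HR rows joined to the application user table.
EMPLOYEES = [
    {"emp": "E1", "user_id": "jdoe", "termination_date": None},
    {"emp": "E2", "user_id": "rlee", "termination_date": date(2013, 12, 31)},  # left, still active
    {"emp": "E3", "user_id": "bgone", "termination_date": date(2014, 1, 2)},   # left, end-dated
]
APP_USERS = {"jdoe": "ACTIVE", "msmith": "ACTIVE", "rlee": "ACTIVE", "bgone": "END_DATED"}


def enter_post_sod_violations(journals=JOURNALS):
    """Journals entered and posted by the same user (unposted ones are skipped)."""
    return [j["je"] for j in journals
            if j["posted_by"] is not None and j["created_by"] == j["posted_by"]]


def duplicate_vendor_payments(payments=PAYMENTS, window_days=30):
    """Pairs of payments to the same vendor for the same amount within the window."""
    groups = defaultdict(list)
    for p in payments:
        groups[(p["vendor"], p["amount"])].append(p)
    suspects = []
    for items in groups.values():
        items = sorted(items, key=lambda p: p["date"])
        for i, first in enumerate(items):
            for second in items[i + 1:]:
                if (second["date"] - first["date"]).days <= window_days:
                    suspects.append((first["pay"], second["pay"]))
    return suspects


def terminated_with_active_user(employees=EMPLOYEES, users=APP_USERS,
                                as_of=date(2014, 1, 28)):
    """Employees terminated on or before as_of whose application user is still active."""
    return [e["user_id"] for e in employees
            if e["termination_date"] is not None
            and e["termination_date"] <= as_of
            and users.get(e["user_id"]) == "ACTIVE"]


def run_monitors():
    """Run all three monitors and return their findings by monitor name."""
    return {
        "Enter Post Journals SOD Violation": enter_post_sod_violations(),
        "Duplicate Vendor Payments": duplicate_vendor_payments(),
        "Terminated Employees with Active User Ids": terminated_with_active_user(),
    }


if __name__ == "__main__":
    for monitor, findings in run_monitors().items():
        print(f"{monitor}: {findings}")
```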
  • 38. Transaction Control Monitors (Receivables configuration)
    – Define credit usage rules: In Order Management, credit usage rule sets define the set of currencies that will share a predefined credit limit during the credit checking process, and enable the grouping of currencies for global credit checking.
    – Customer reporting hierarchy: Receivables uses the following hierarchy to determine the default payment term for your transactions, stopping when one is found: 1. Bill-to site, 2. Customer Address, 3. Customer, 4. Transaction Type.
    – Approval limits: Approval limits affect the Adjustments, Submit Auto Adjustments, and Approve Adjustments windows as well as the Credit Memo Request Workflow. Define approval limits to determine whether a Receivables user can approve adjustments or credit memo requests. You define approval limits by document type, dollar amount, reason code, and currency.
    – Aging buckets: Define aging buckets to review and report on open receivables based on the number of days each item is past due. For example, the 4-Bucket Aging bucket that Receivables provides consists of four periods: -999 to 0 days past due, 1 to 30 days past due, 31–61 days past due, and 61–91 days past due.
  • 39. Change Tracking – Query a change tracker to identify changes across multiple instances. Select multiple applications to monitor. The query requires the Change Tracking Transfer program to run before any data can be collected (this program transfers change tracking data from the ERP instances to CCG).
  • 40. Change Tracking – Monitor Configuration Changes. Users and administrators can monitor before-and-after values, responsible user, and time stamp.
  • 41. EBS Form Rule Capabilities
    – Defines what actions the element performs
    – Empowers the user to make changes to EBS forms and processes: Set security attributes; Compile lists of values (LOV); Establish navigation paths; Set field attributes; Display messages; Run SQL statements; Define default values for fields; Execute Flow Rule process
  • 42. Form Rule Highlights: Hidden Field; Modify Security Settings; Create Messages; Field Required; Edit Messages; Edit Background; Edit Field Properties; Hide Field Data; Edit Prompt
  • 43. Procure to Pay with Oracle Advanced Controls Optimization
    Business Risks: Unapproved or Illegal Suppliers; Delayed Supplier payments; Unauthorized Purchases; Split purchase orders; Discounts Lost due to Delays in Payment
    Controls Objectives: Capture all Discounts; Accurate Supplier Information; Valid Purchase Orders; Ensure Separation of Duties in Procurement; Prevent Cash Flow Leakage
    Continuous Monitors: Supplier and Invoices Created by Same User; Multiple Suppliers with a similar email domain; Multiple Suppliers with the same Tax ID; Multiple Suppliers with the same Bank Account Number; Purchase Orders issued to Blocked Suppliers; Monitor purchases of unauthorized items, such as contraband
    Each monitor hit raises an Incident, which is investigated and then closed.
  • 44. Q&A – Download DataProbe (Leader in Risk Based Enterprise Controls); One-on-One with Experts; Follow FulcrumWay on LinkedIn for ERP Risk and Controls. www.fulcrumway.com