SlideShare a Scribd company logo

Auditing Oracle Applications Primer For Internal Auditors

J
jhare

Primer for internal auditors related to auditing Oracle E-Business Suite

1 of 5
Download to read offline
Auditing Oracle Applications Primer for Internal Auditors Detailed in this paper are some key concepts that internal auditors need to understand when auditing Oracle Applications. We hope this information will be valuable to you and your company. Application Security Design Most implementations do not take a proper approach to designing security. Often they use standard responsibilities and menus rather than a risk-based ‘principle of least privilege’ approach. Access is commonly given based on seeded responsibilities and menus with menu and function exclusions applied. Often, this results in excessive access to setups and functions that are not appropriate for all users. Also, the use of seeded menus and responsibilities introduces ‘upgrade risk.’ Upgrade risk in this context refers to the risk of new functionality and access to data being introduced when patches are provided by Oracle that grant new access to users that has not been properly evaluated. This could lead to segregation of duties violations, inappropriate access to sensitive functions, or inappropriate access to sensitive data. Generally, too little attention is paid to access to concurrent programs and access to sensitive data contained in standard reports. We recommend a ‘principle of least privilege’ approach including defining request group requirements for each responsibility individually. During many implementations standard request groups such as All Reports/Payables are used for all responsibilities within that module, which leads to excessive exposure to concurrent programs (those that update data or run interfaces) and access to sensitive data (like sensitive employee data stored in AP). We make the following recommendations: • Take a risk-based approach to design security that takes into account risks related to segregation of duties, access to sensitive functions, and access to sensitive data. • Discuss the approach to security with your system administrators and IT management to make sure the principle of least privilege was followed and is being followed in the design of security. This includes only giving access to those functions in Oracle that a user needs, not using a seeded menu and backing out those functions that don’t seem appropriate. • Discuss the upgrade risks associated with the use of standard menus or standard responsibilities with IT management. • Join the internal controls repository and download the white paper “Risk Based Assessment of UAC and SOD White Paper” • Discuss the methodology used for determining which concurrent programs and reports are granted to a given responsibility. © 2008 ERPS
• Join the internal controls repository and review the information in the file called “Reports with Access to Sensitive Data” which can be found in the Internal Controls Content folder. Participate in the development of public domain content by adding to this list. IT Security Oracle provides guidance in its Metalink Note (Note 189367.1) called “Best Practices for Securing your E- Business Suite” that companies often are not aware of or don’t take the time to follow the guidance. We make the following recommendations: • Monitor security resources that can be found at www.integrigy.com, www.solutionbeacon.com, and www.petefinnigan.com. • Download a primer on IT security from Integrigy • Discuss the guidance in Oracle’s best practices document with IT management to determine where your company may have deficiencies. • Consider having a firm specializing in Oracle Application security give you an assessment of your security. • Join the public domain listserver we host related to internal controls and security in an Oracle Applications environment. Review the archives and use the listserver to post questions. SQL Forms and Utilities: Diagnostics A user can execute SQL statements without a database login by embedding a SQL statement in several forms, most of which are documented in Appendix B of Oracle’s Best Practices for Securing your E- Business Suite” document. A user can also access the database directly when given access via the Utilities: Diagnostics profile option. Activity in the SQL forms can only be monitored through the use of a trigger-based or a log-based auditing solution. Not all trigger based solutions can effectively audit the activity because the SQL statement is stored in a column with a data type of ‘LONG’. When evaluating trigger-based auditing solutions, make sure you asked about this distinction and see a demo of the functionality related to auditing SQL forms. We make the following recommendations: • Consult with ERP Seminars when evaluating solutions to audit this data as we are working with several companies to develop public domain content for monitoring these forms and other forms with various levels of risk. • Join the internal controls repository that we host and download the white paper titled “Accessing the Database Without a Database Login” © 2008 ERPS
Internal Controls and Security Deficiencies We have developed a list of common internal controls and security deficiencies in the Oracle E-Business Suite and ways companies mitigate the risks associated with the deficiencies. Having an understanding of these deficiencies will most likely lead to a list of development efforts you would recommend to management that may include the following: • Forms personalization to provide preventive controls related to some identified risks • Custom reports or queries for monitoring of certain risks • Implementation of a solution to monitor or prevent SOD and user access control risks • Implementation of a solution to provide trigger-based or log-based auditing to provide a detailed audit trail for risks such as SQL forms, development and security activity, monitoring of setups related to application controls, and in support of your change management process We make the following recommendations: • We recommend that you join the internal controls repository and download the content to review. You should evaluate this list of deficiencies and discuss the risk identified in this list with your end users and management. • Participate in the development of this public domain list of deficiencies so other end users can share in this knowledge Sensitive Data in Non-Production Environments Sensitive data is just as important to protect in non-production environments as it is in your production environment. However, companies often provide more liberal access to employees and contractors at the application and database layers in non-production environments which leaves sensitive data excessively exposed. We make the following recommendations: • Sensitive data should be scrambled during the cloning process. Scrambling involves changing the data from its original value to a different value. For example, changing all salaries to an hourly rate of $7.00/hour • Download a listing of common sensitive data and in which tables and columns in the database it is stored by joining the internal controls repository and access the file “Oracle Apps Sensitive Data” in the Internal Controls Content folder in the Files section. • Participate in the development of this public content so other end users can share in this knowledge • Look for our full white paper on this topic that will be released soon. Sign up for our email list on our website. © 2008 ERPS
Application Controls We have written a white paper discussing the impact of the Institute of Internal Auditor’s guidance on the Auditing of Application Controls that would be helpful for you to read. We make the following recommendations: • Join the internal controls repository and download the white paper “Auditing Application Controls” • Download the IIA guidance to review Change Management We have identified several challenges related to the change management process common to most companies. We use the Institute of Internal Auditor’s guidance provided in the Global Technology Audit Guide called “Change and Patch Management Controls: Critical for Organizational Success”. Here is a listing of common change management challenges: • Profile Options not being considered • Changes to security not being considered • Failure to take into account access to sensitive data in security process changes • Failure to take into account request groups access in design of security • Forms-based setups not being considered • Change made in various forms that allow SQL statements embedded in them are not required to go through change management process • Excessive access to forms requiring change management • Failure to clearly document who is responsible for implementing change • Failure to test for unauthorized changes • Failure to remediate issues that allowed the unauthorized changes • Failure to maintain documentation • Poor impact analysis leading to a poor testing process We make the following recommendations: • Look for our full white paper on this topic that will be released soon. Sign up for our email list on our website. • Download the IIA guidance to review © 2008 ERPS
Other Resources and White Papers There are other sources of information for internal auditors. We make the following recommendations: • Stay current with information for auditors at AuditNet • Request other white papers at the Oracle Users Best Practices Board • Access other white papers not available to the public by joining the internal controls repository and checking the White Papers folder in the Files section Comments and feedback regarding this paper should be addressed to the author at jhare@erpseminars.com or by completing a reviewer feedback form. About the Author Jeffrey T. Hare, CPA CISA CIA is one of the leading experts on the development of internal controls and security in an Oracle Applications environment. Jeffrey founded ERP Seminars and the Oracle Users Best Practices Board and is leading the efforts for the development of a public domain internal controls repository. See a full bio for Jeffrey. Version Control Version Updated by Date Comments 1.0 Jeffrey Hare 25-Jan-08 Initial release © 2008 ERPS

Recommended

How to Migrate Drug Safety and Pharmacovigilance Data Cost-Effectively and wi...
How to Migrate Drug Safety and Pharmacovigilance Data Cost-Effectively and wi...How to Migrate Drug Safety and Pharmacovigilance Data Cost-Effectively and wi...
How to Migrate Drug Safety and Pharmacovigilance Data Cost-Effectively and wi...Perficient
 
Merging Multiple Drug Safety and Pharmacovigilance Databases
Merging Multiple Drug Safety and Pharmacovigilance DatabasesMerging Multiple Drug Safety and Pharmacovigilance Databases
Merging Multiple Drug Safety and Pharmacovigilance DatabasesPerficient
 
Thousands of Hours Saved and Risk Reduced for EBS Upgrades & Implementations
Thousands of Hours Saved and Risk Reduced for EBS Upgrades & ImplementationsThousands of Hours Saved and Risk Reduced for EBS Upgrades & Implementations
Thousands of Hours Saved and Risk Reduced for EBS Upgrades & ImplementationsOracle
 
Working with Argus Safety in a Global Community
Working with Argus Safety in a Global CommunityWorking with Argus Safety in a Global Community
Working with Argus Safety in a Global CommunityPerficient
 
Microservices: A Step Towards Modernizing Healthcare Applications
Microservices: A Step Towards Modernizing Healthcare ApplicationsMicroservices: A Step Towards Modernizing Healthcare Applications
Microservices: A Step Towards Modernizing Healthcare ApplicationsCitiusTech
 
IS audit checklist
IS audit checklistIS audit checklist
IS audit checklistiFour Consultancy Services
 
Automating Patient Management with ApplicationXtender Workflow
Automating Patient Management with ApplicationXtender WorkflowAutomating Patient Management with ApplicationXtender Workflow
Automating Patient Management with ApplicationXtender WorkflowChristopher Wynder
 
Ensuring document control for healthcare vendors
Ensuring document control for healthcare vendorsEnsuring document control for healthcare vendors
Ensuring document control for healthcare vendorsChristopher Wynder
 

Recommended

How to Migrate Drug Safety and Pharmacovigilance Data Cost-Effectively and wi...
How to Migrate Drug Safety and Pharmacovigilance Data Cost-Effectively and wi...How to Migrate Drug Safety and Pharmacovigilance Data Cost-Effectively and wi...
How to Migrate Drug Safety and Pharmacovigilance Data Cost-Effectively and wi...Perficient
 
Merging Multiple Drug Safety and Pharmacovigilance Databases
Merging Multiple Drug Safety and Pharmacovigilance DatabasesMerging Multiple Drug Safety and Pharmacovigilance Databases
Merging Multiple Drug Safety and Pharmacovigilance DatabasesPerficient
 
Thousands of Hours Saved and Risk Reduced for EBS Upgrades & Implementations
Thousands of Hours Saved and Risk Reduced for EBS Upgrades & ImplementationsThousands of Hours Saved and Risk Reduced for EBS Upgrades & Implementations
Thousands of Hours Saved and Risk Reduced for EBS Upgrades & ImplementationsOracle
 
Working with Argus Safety in a Global Community
Working with Argus Safety in a Global CommunityWorking with Argus Safety in a Global Community
Working with Argus Safety in a Global CommunityPerficient
 
Microservices: A Step Towards Modernizing Healthcare Applications
Microservices: A Step Towards Modernizing Healthcare ApplicationsMicroservices: A Step Towards Modernizing Healthcare Applications
Microservices: A Step Towards Modernizing Healthcare ApplicationsCitiusTech
 
IS audit checklist
IS audit checklistIS audit checklist
IS audit checklistiFour Consultancy Services
 
Automating Patient Management with ApplicationXtender Workflow
Automating Patient Management with ApplicationXtender WorkflowAutomating Patient Management with ApplicationXtender Workflow
Automating Patient Management with ApplicationXtender WorkflowChristopher Wynder
 
Ensuring document control for healthcare vendors
Ensuring document control for healthcare vendorsEnsuring document control for healthcare vendors
Ensuring document control for healthcare vendorsChristopher Wynder
 
IT Risk Assessment Tool
IT Risk Assessment ToolIT Risk Assessment Tool
IT Risk Assessment ToolKevinM48
 
AGSL brochure
AGSL brochureAGSL brochure
AGSL brochureMark Steel
 
Enterprise Risk Management Solutions
Enterprise Risk Management SolutionsEnterprise Risk Management Solutions
Enterprise Risk Management SolutionsLexComply
 
Unleashing agile testing under medical regulations
Unleashing agile testing under medical regulationsUnleashing agile testing under medical regulations
Unleashing agile testing under medical regulationsLuca Sturaro
 
Fusion techie - iBANK.UK.COM 07474222079
Fusion techie - iBANK.UK.COM 07474222079Fusion techie - iBANK.UK.COM 07474222079
Fusion techie - iBANK.UK.COM 07474222079ibankuk
 
Managing Global Studies with Oracle's Siebel Clinical Trial Management System...
Managing Global Studies with Oracle's Siebel Clinical Trial Management System...Managing Global Studies with Oracle's Siebel Clinical Trial Management System...
Managing Global Studies with Oracle's Siebel Clinical Trial Management System...Perficient
 
Learn About the Top Oracle E-Business Suite Security Vulnerabilities
Learn About the Top Oracle E-Business Suite Security VulnerabilitiesLearn About the Top Oracle E-Business Suite Security Vulnerabilities
Learn About the Top Oracle E-Business Suite Security VulnerabilitiesOAUGNJ
 
Oracle Enterprise Manager
Oracle Enterprise ManagerOracle Enterprise Manager
Oracle Enterprise Manageroracleonthebrain
 
OHSUG 2014: Implementing Argus Safety Japan in the Japan Affiliate Office of ...
OHSUG 2014: Implementing Argus Safety Japan in the Japan Affiliate Office of ...OHSUG 2014: Implementing Argus Safety Japan in the Japan Affiliate Office of ...
OHSUG 2014: Implementing Argus Safety Japan in the Japan Affiliate Office of ...November Research Group
 
Technology Controls in Business - End User Computing
Technology Controls in Business - End User ComputingTechnology Controls in Business - End User Computing
Technology Controls in Business - End User Computingguestc1bca2
 
VMworld 2013: VMware Horizon Workspace at Scale: Deploying to 15,000 VMware E...
VMworld 2013: VMware Horizon Workspace at Scale: Deploying to 15,000 VMware E...VMworld 2013: VMware Horizon Workspace at Scale: Deploying to 15,000 VMware E...
VMworld 2013: VMware Horizon Workspace at Scale: Deploying to 15,000 VMware E...VMworld
 
Lab automation with Calibration LIMS
Lab automation with Calibration LIMSLab automation with Calibration LIMS
Lab automation with Calibration LIMSSapon Naskar
 
Argus Safety Japan Benefits
Argus Safety Japan BenefitsArgus Safety Japan Benefits
Argus Safety Japan BenefitsPerficient
 
OOW15 - managing oracle e-business suite auditing and security
OOW15 - managing oracle e-business suite auditing and securityOOW15 - managing oracle e-business suite auditing and security
OOW15 - managing oracle e-business suite auditing and securityvasuballa
 
Audit Checklist for Information Systems
Audit Checklist for Information SystemsAudit Checklist for Information Systems
Audit Checklist for Information SystemsAhmad Tariq Bhatti
 
Agile Development And Medtech
Agile Development And MedtechAgile Development And Medtech
Agile Development And MedtechRobert Ginsberg
 
Webinar: The Power of Normalized Inventory
Webinar: The Power of Normalized InventoryWebinar: The Power of Normalized Inventory
Webinar: The Power of Normalized InventoryFlexera
 
How to Spot a Good Document Control System
How to Spot a Good Document Control SystemHow to Spot a Good Document Control System
How to Spot a Good Document Control SystemEtQ, Inc.
 
Bos 3651 unit viii course project
Bos 3651 unit viii course projectBos 3651 unit viii course project
Bos 3651 unit viii course projectWalter Bartlett
 
Management Documentation System Application
Management Documentation System ApplicationManagement Documentation System Application
Management Documentation System Applicationjohaver
 
PPA - Unit 8 - Auditing Standards and Procedures
PPA - Unit 8 - Auditing Standards and ProceduresPPA - Unit 8 - Auditing Standards and Procedures
PPA - Unit 8 - Auditing Standards and ProceduresAjay Nazarene
 
PPA - Unit 6 - Company Auditor
PPA - Unit 6 - Company AuditorPPA - Unit 6 - Company Auditor
PPA - Unit 6 - Company AuditorAjay Nazarene
 

More Related Content

What's hot

IT Risk Assessment Tool
IT Risk Assessment ToolIT Risk Assessment Tool
IT Risk Assessment ToolKevinM48
 
Enterprise Risk Management Solutions
Enterprise Risk Management SolutionsEnterprise Risk Management Solutions
Enterprise Risk Management SolutionsLexComply
 
Unleashing agile testing under medical regulations
Unleashing agile testing under medical regulationsUnleashing agile testing under medical regulations
Unleashing agile testing under medical regulationsLuca Sturaro
 
Fusion techie - iBANK.UK.COM 07474222079
Fusion techie - iBANK.UK.COM 07474222079Fusion techie - iBANK.UK.COM 07474222079
Fusion techie - iBANK.UK.COM 07474222079ibankuk
 
Managing Global Studies with Oracle's Siebel Clinical Trial Management System...
Managing Global Studies with Oracle's Siebel Clinical Trial Management System...Managing Global Studies with Oracle's Siebel Clinical Trial Management System...
Managing Global Studies with Oracle's Siebel Clinical Trial Management System...Perficient
 
Learn About the Top Oracle E-Business Suite Security Vulnerabilities
Learn About the Top Oracle E-Business Suite Security VulnerabilitiesLearn About the Top Oracle E-Business Suite Security Vulnerabilities
Learn About the Top Oracle E-Business Suite Security VulnerabilitiesOAUGNJ
 
OHSUG 2014: Implementing Argus Safety Japan in the Japan Affiliate Office of ...
OHSUG 2014: Implementing Argus Safety Japan in the Japan Affiliate Office of ...OHSUG 2014: Implementing Argus Safety Japan in the Japan Affiliate Office of ...
OHSUG 2014: Implementing Argus Safety Japan in the Japan Affiliate Office of ...November Research Group
 
Technology Controls in Business - End User Computing
Technology Controls in Business - End User ComputingTechnology Controls in Business - End User Computing
Technology Controls in Business - End User Computingguestc1bca2
 
VMworld 2013: VMware Horizon Workspace at Scale: Deploying to 15,000 VMware E...
VMworld 2013: VMware Horizon Workspace at Scale: Deploying to 15,000 VMware E...VMworld 2013: VMware Horizon Workspace at Scale: Deploying to 15,000 VMware E...
VMworld 2013: VMware Horizon Workspace at Scale: Deploying to 15,000 VMware E...VMworld
 
Lab automation with Calibration LIMS
Lab automation with Calibration LIMSLab automation with Calibration LIMS
Lab automation with Calibration LIMSSapon Naskar
 
Argus Safety Japan Benefits
Argus Safety Japan BenefitsArgus Safety Japan Benefits
Argus Safety Japan BenefitsPerficient
 
OOW15 - managing oracle e-business suite auditing and security
OOW15 - managing oracle e-business suite auditing and securityOOW15 - managing oracle e-business suite auditing and security
OOW15 - managing oracle e-business suite auditing and securityvasuballa
 
Audit Checklist for Information Systems
Audit Checklist for Information SystemsAudit Checklist for Information Systems
Audit Checklist for Information SystemsAhmad Tariq Bhatti
 
Agile Development And Medtech
Agile Development And MedtechAgile Development And Medtech
Agile Development And MedtechRobert Ginsberg
 
Webinar: The Power of Normalized Inventory
Webinar: The Power of Normalized InventoryWebinar: The Power of Normalized Inventory
Webinar: The Power of Normalized InventoryFlexera
 
How to Spot a Good Document Control System
How to Spot a Good Document Control SystemHow to Spot a Good Document Control System
How to Spot a Good Document Control SystemEtQ, Inc.
 
Bos 3651 unit viii course project
Bos 3651 unit viii course projectBos 3651 unit viii course project
Bos 3651 unit viii course projectWalter Bartlett
 
Management Documentation System Application
Management Documentation System ApplicationManagement Documentation System Application
Management Documentation System Applicationjohaver
 

What's hot (20)

IT Risk Assessment Tool
IT Risk Assessment ToolIT Risk Assessment Tool
IT Risk Assessment Tool
 
AGSL brochure
AGSL brochureAGSL brochure
AGSL brochure
 
Enterprise Risk Management Solutions
Enterprise Risk Management SolutionsEnterprise Risk Management Solutions
Enterprise Risk Management Solutions
 
Unleashing agile testing under medical regulations
Unleashing agile testing under medical regulationsUnleashing agile testing under medical regulations
Unleashing agile testing under medical regulations
 
Fusion techie - iBANK.UK.COM 07474222079
Fusion techie - iBANK.UK.COM 07474222079Fusion techie - iBANK.UK.COM 07474222079
Fusion techie - iBANK.UK.COM 07474222079
 
Managing Global Studies with Oracle's Siebel Clinical Trial Management System...
Managing Global Studies with Oracle's Siebel Clinical Trial Management System...Managing Global Studies with Oracle's Siebel Clinical Trial Management System...
Managing Global Studies with Oracle's Siebel Clinical Trial Management System...
 
Learn About the Top Oracle E-Business Suite Security Vulnerabilities
Learn About the Top Oracle E-Business Suite Security VulnerabilitiesLearn About the Top Oracle E-Business Suite Security Vulnerabilities
Learn About the Top Oracle E-Business Suite Security Vulnerabilities
 
Oracle Enterprise Manager
Oracle Enterprise ManagerOracle Enterprise Manager
Oracle Enterprise Manager
 
OHSUG 2014: Implementing Argus Safety Japan in the Japan Affiliate Office of ...
OHSUG 2014: Implementing Argus Safety Japan in the Japan Affiliate Office of ...OHSUG 2014: Implementing Argus Safety Japan in the Japan Affiliate Office of ...
OHSUG 2014: Implementing Argus Safety Japan in the Japan Affiliate Office of ...
 
Technology Controls in Business - End User Computing
Technology Controls in Business - End User ComputingTechnology Controls in Business - End User Computing
Technology Controls in Business - End User Computing
 
VMworld 2013: VMware Horizon Workspace at Scale: Deploying to 15,000 VMware E...
VMworld 2013: VMware Horizon Workspace at Scale: Deploying to 15,000 VMware E...VMworld 2013: VMware Horizon Workspace at Scale: Deploying to 15,000 VMware E...
VMworld 2013: VMware Horizon Workspace at Scale: Deploying to 15,000 VMware E...
 
Lab automation with Calibration LIMS
Lab automation with Calibration LIMSLab automation with Calibration LIMS
Lab automation with Calibration LIMS
 
Argus Safety Japan Benefits
Argus Safety Japan BenefitsArgus Safety Japan Benefits
Argus Safety Japan Benefits
 
OOW15 - managing oracle e-business suite auditing and security
OOW15 - managing oracle e-business suite auditing and securityOOW15 - managing oracle e-business suite auditing and security
OOW15 - managing oracle e-business suite auditing and security
 
Audit Checklist for Information Systems
Audit Checklist for Information SystemsAudit Checklist for Information Systems
Audit Checklist for Information Systems
 
Agile Development And Medtech
Agile Development And MedtechAgile Development And Medtech
Agile Development And Medtech
 
Webinar: The Power of Normalized Inventory
Webinar: The Power of Normalized InventoryWebinar: The Power of Normalized Inventory
Webinar: The Power of Normalized Inventory
 
How to Spot a Good Document Control System
How to Spot a Good Document Control SystemHow to Spot a Good Document Control System
How to Spot a Good Document Control System
 
Bos 3651 unit viii course project
Bos 3651 unit viii course projectBos 3651 unit viii course project
Bos 3651 unit viii course project
 
Management Documentation System Application
Management Documentation System ApplicationManagement Documentation System Application
Management Documentation System Application
 

Viewers also liked

PPA - Unit 8 - Auditing Standards and Procedures
PPA - Unit 8 - Auditing Standards and ProceduresPPA - Unit 8 - Auditing Standards and Procedures
PPA - Unit 8 - Auditing Standards and ProceduresAjay Nazarene
 
PPA - Unit 6 - Company Auditor
PPA - Unit 6 - Company AuditorPPA - Unit 6 - Company Auditor
PPA - Unit 6 - Company AuditorAjay Nazarene
 
3CD and 3CB by CA Rajesh Condoor
3CD and 3CB by CA Rajesh Condoor3CD and 3CB by CA Rajesh Condoor
3CD and 3CB by CA Rajesh CondoorPSPCL
 
Unit 3 Internal Audit
Unit 3 Internal AuditUnit 3 Internal Audit
Unit 3 Internal AuditAjay Nazarene
 
Unit 1 Introduction to Audit
Unit 1 Introduction to AuditUnit 1 Introduction to Audit
Unit 1 Introduction to AuditAjay Nazarene
 

Viewers also liked (6)

PPA - Unit 8 - Auditing Standards and Procedures
PPA - Unit 8 - Auditing Standards and ProceduresPPA - Unit 8 - Auditing Standards and Procedures
PPA - Unit 8 - Auditing Standards and Procedures
 
PPA - Unit 6 - Company Auditor
PPA - Unit 6 - Company AuditorPPA - Unit 6 - Company Auditor
PPA - Unit 6 - Company Auditor
 
3CD and 3CB by CA Rajesh Condoor
3CD and 3CB by CA Rajesh Condoor3CD and 3CB by CA Rajesh Condoor
3CD and 3CB by CA Rajesh Condoor
 
Unit 3 Internal Audit
Unit 3 Internal AuditUnit 3 Internal Audit
Unit 3 Internal Audit
 
Unit 1 Introduction to Audit
Unit 1 Introduction to AuditUnit 1 Introduction to Audit
Unit 1 Introduction to Audit
 
Auditing notes
Auditing notesAuditing notes
Auditing notes
 

Similar to Auditing Oracle Applications Primer For Internal Auditors

Baltimore share point user group june 2015
Baltimore share point user group june 2015Baltimore share point user group june 2015
Baltimore share point user group june 2015Toby McGrail
 
Alliance session 4373 risk management from on premise to the cloud – a foc...
Alliance session 4373 risk management from on premise to the cloud – a foc...Alliance session 4373 risk management from on premise to the cloud – a foc...
Alliance session 4373 risk management from on premise to the cloud – a foc...Smart ERP Solutions, Inc.
 
Introduction To Software Concepts Unit 1 & 2
Introduction To Software Concepts Unit 1 & 2Introduction To Software Concepts Unit 1 & 2
Introduction To Software Concepts Unit 1 & 2Raj vardhan
 
Cryptography is the application of algorithms to ensure the confiden.docx
Cryptography is the application of algorithms to ensure the confiden.docxCryptography is the application of algorithms to ensure the confiden.docx
Cryptography is the application of algorithms to ensure the confiden.docxmydrynan
 
Internal controls over excel and other user directed aps[feb4.10
Internal controls over excel and other user directed aps[feb4.10Internal controls over excel and other user directed aps[feb4.10
Internal controls over excel and other user directed aps[feb4.10Marc Engel
 
Optimizing order to-cash (e-business suite) with GRC Advanced Controls
Optimizing order to-cash (e-business suite) with GRC Advanced ControlsOptimizing order to-cash (e-business suite) with GRC Advanced Controls
Optimizing order to-cash (e-business suite) with GRC Advanced ControlsOracle
 
NetWrix Change Reporter Suite - Product Review by Don Jones
NetWrix Change Reporter Suite - Product Review by Don JonesNetWrix Change Reporter Suite - Product Review by Don Jones
NetWrix Change Reporter Suite - Product Review by Don JonesNetwrix Corporation
 
Con8154 controlling for multiple erp systems with oracle advanced controls
Con8154 controlling for multiple erp systems with oracle advanced controlsCon8154 controlling for multiple erp systems with oracle advanced controls
Con8154 controlling for multiple erp systems with oracle advanced controlsOracle
 
Customers talk about controlling access for multiple erp systems with oracle ...
Customers talk about controlling access for multiple erp systems with oracle ...Customers talk about controlling access for multiple erp systems with oracle ...
Customers talk about controlling access for multiple erp systems with oracle ...Oracle
 
DevOps Introduction - Main Concepts Description
DevOps Introduction - Main Concepts DescriptionDevOps Introduction - Main Concepts Description
DevOps Introduction - Main Concepts DescriptionBrunoOliveira631137
 
Application hardening, Secure Socket Layer(SSL) & Secure Electronic Transacti...
Application hardening, Secure Socket Layer(SSL) & Secure Electronic Transacti...Application hardening, Secure Socket Layer(SSL) & Secure Electronic Transacti...
Application hardening, Secure Socket Layer(SSL) & Secure Electronic Transacti...Jayesh Naik
 
Application hardening
Application hardeningApplication hardening
Application hardeningJayesh Naik
 
LOW LEVEL DESIGN INSPECTION SECURE CODING
LOW LEVEL DESIGN INSPECTION SECURE CODINGLOW LEVEL DESIGN INSPECTION SECURE CODING
LOW LEVEL DESIGN INSPECTION SECURE CODINGSri Latha
 
Fixnix GRC Suite A Glance
Fixnix GRC Suite A GlanceFixnix GRC Suite A Glance
Fixnix GRC Suite A GlanceFixNix Inc.,
 
Oracle Database 11g Security and Compliance Solutions - By Tom Kyte
Oracle Database 11g Security and Compliance Solutions - By Tom KyteOracle Database 11g Security and Compliance Solutions - By Tom Kyte
Oracle Database 11g Security and Compliance Solutions - By Tom KyteEdgar Alejandro Villegas
 
Agile in a highly regulated organization
Agile in a highly regulated organizationAgile in a highly regulated organization
Agile in a highly regulated organizationTami Flowers
 

Similar to Auditing Oracle Applications Primer For Internal Auditors (20)

GRC in Australia slides
GRC in Australia slidesGRC in Australia slides
GRC in Australia slides
 
Baltimore share point user group june 2015
Baltimore share point user group june 2015Baltimore share point user group june 2015
Baltimore share point user group june 2015
 
Alliance session 4373 risk management from on premise to the cloud – a foc...
Alliance session 4373 risk management from on premise to the cloud – a foc...Alliance session 4373 risk management from on premise to the cloud – a foc...
Alliance session 4373 risk management from on premise to the cloud – a foc...
 
Introduction To Software Concepts Unit 1 & 2
Introduction To Software Concepts Unit 1 & 2Introduction To Software Concepts Unit 1 & 2
Introduction To Software Concepts Unit 1 & 2
 
Cryptography is the application of algorithms to ensure the confiden.docx
Cryptography is the application of algorithms to ensure the confiden.docxCryptography is the application of algorithms to ensure the confiden.docx
Cryptography is the application of algorithms to ensure the confiden.docx
 
Internal controls over excel and other user directed aps[feb4.10
Internal controls over excel and other user directed aps[feb4.10Internal controls over excel and other user directed aps[feb4.10
Internal controls over excel and other user directed aps[feb4.10
 
Optimizing order to-cash (e-business suite) with GRC Advanced Controls
Optimizing order to-cash (e-business suite) with GRC Advanced ControlsOptimizing order to-cash (e-business suite) with GRC Advanced Controls
Optimizing order to-cash (e-business suite) with GRC Advanced Controls
 
NetWrix Change Reporter Suite - Product Review by Don Jones
NetWrix Change Reporter Suite - Product Review by Don JonesNetWrix Change Reporter Suite - Product Review by Don Jones
NetWrix Change Reporter Suite - Product Review by Don Jones
 
Con8154 controlling for multiple erp systems with oracle advanced controls
Con8154 controlling for multiple erp systems with oracle advanced controlsCon8154 controlling for multiple erp systems with oracle advanced controls
Con8154 controlling for multiple erp systems with oracle advanced controls
 
Customers talk about controlling access for multiple erp systems with oracle ...
Customers talk about controlling access for multiple erp systems with oracle ...Customers talk about controlling access for multiple erp systems with oracle ...
Customers talk about controlling access for multiple erp systems with oracle ...
 
DevOps Introduction - Main Concepts Description
DevOps Introduction - Main Concepts DescriptionDevOps Introduction - Main Concepts Description
DevOps Introduction - Main Concepts Description
 
Fa10 mcs-005
Fa10 mcs-005Fa10 mcs-005
Fa10 mcs-005
 
Aim crisp handout
Aim crisp handoutAim crisp handout
Aim crisp handout
 
Application hardening, Secure Socket Layer(SSL) & Secure Electronic Transacti...
Application hardening, Secure Socket Layer(SSL) & Secure Electronic Transacti...Application hardening, Secure Socket Layer(SSL) & Secure Electronic Transacti...
Application hardening, Secure Socket Layer(SSL) & Secure Electronic Transacti...
 
Application hardening
Application hardeningApplication hardening
Application hardening
 
LOW LEVEL DESIGN INSPECTION SECURE CODING
LOW LEVEL DESIGN INSPECTION SECURE CODINGLOW LEVEL DESIGN INSPECTION SECURE CODING
LOW LEVEL DESIGN INSPECTION SECURE CODING
 
Fixnix GRC Suite A Glance
Fixnix GRC Suite A GlanceFixnix GRC Suite A Glance
Fixnix GRC Suite A Glance
 
Oracle Database 11g Security and Compliance Solutions - By Tom Kyte
Oracle Database 11g Security and Compliance Solutions - By Tom KyteOracle Database 11g Security and Compliance Solutions - By Tom Kyte
Oracle Database 11g Security and Compliance Solutions - By Tom Kyte
 
Bug Tracking Java Project
Bug Tracking Java ProjectBug Tracking Java Project
Bug Tracking Java Project
 
Agile in a highly regulated organization
Agile in a highly regulated organizationAgile in a highly regulated organization
Agile in a highly regulated organization
 

Auditing Oracle Applications Primer For Internal Auditors

  • 1. Auditing Oracle Applications Primer for Internal Auditors Detailed in this paper are some key concepts that internal auditors need to understand when auditing Oracle Applications. We hope this information will be valuable to you and your company. Application Security Design Most implementations do not take a proper approach to designing security. Often they use standard responsibilities and menus rather than a risk-based ‘principle of least privilege’ approach. Access is commonly given based on seeded responsibilities and menus with menu and function exclusions applied. Often, this results in excessive access to setups and functions that are not appropriate for all users. Also, the use of seeded menus and responsibilities introduces ‘upgrade risk.’ Upgrade risk in this context refers to the risk of new functionality and access to data being introduced when patches are provided by Oracle that grant new access to users that has not been properly evaluated. This could lead to segregation of duties violations, inappropriate access to sensitive functions, or inappropriate access to sensitive data. Generally, too little attention is paid to access to concurrent programs and access to sensitive data contained in standard reports. We recommend a ‘principle of least privilege’ approach including defining request group requirements for each responsibility individually. During many implementations standard request groups such as All Reports/Payables are used for all responsibilities within that module, which leads to excessive exposure to concurrent programs (those that update data or run interfaces) and access to sensitive data (like sensitive employee data stored in AP). We make the following recommendations: • Take a risk-based approach to design security that takes into account risks related to segregation of duties, access to sensitive functions, and access to sensitive data. • Discuss the approach to security with your system administrators and IT management to make sure the principle of least privilege was followed and is being followed in the design of security. This includes only giving access to those functions in Oracle that a user needs, not using a seeded menu and backing out those functions that don’t seem appropriate. • Discuss the upgrade risks associated with the use of standard menus or standard responsibilities with IT management. • Join the internal controls repository and download the white paper “Risk Based Assessment of UAC and SOD White Paper” • Discuss the methodology used for determining which concurrent programs and reports are granted to a given responsibility. © 2008 ERPS
  • 2. Join the internal controls repository and review the information in the file called “Reports with Access to Sensitive Data” which can be found in the Internal Controls Content folder. Participate in the development of public domain content by adding to this list. IT Security Oracle provides guidance in its Metalink Note (Note 189367.1) called “Best Practices for Securing your E- Business Suite” that companies often are not aware of or don’t take the time to follow the guidance. We make the following recommendations: • Monitor security resources that can be found at www.integrigy.com, www.solutionbeacon.com, and www.petefinnigan.com. • Download a primer on IT security from Integrigy • Discuss the guidance in Oracle’s best practices document with IT management to determine where your company may have deficiencies. • Consider having a firm specializing in Oracle Application security give you an assessment of your security. • Join the public domain listserver we host related to internal controls and security in an Oracle Applications environment. Review the archives and use the listserver to post questions. SQL Forms and Utilities: Diagnostics A user can execute SQL statements without a database login by embedding a SQL statement in several forms, most of which are documented in Appendix B of Oracle’s Best Practices for Securing your E- Business Suite” document. A user can also access the database directly when given access via the Utilities: Diagnostics profile option. Activity in the SQL forms can only be monitored through the use of a trigger-based or a log-based auditing solution. Not all trigger based solutions can effectively audit the activity because the SQL statement is stored in a column with a data type of ‘LONG’. When evaluating trigger-based auditing solutions, make sure you asked about this distinction and see a demo of the functionality related to auditing SQL forms. We make the following recommendations: • Consult with ERP Seminars when evaluating solutions to audit this data as we are working with several companies to develop public domain content for monitoring these forms and other forms with various levels of risk. • Join the internal controls repository that we host and download the white paper titled “Accessing the Database Without a Database Login” © 2008 ERPS
  • 3. Internal Controls and Security Deficiencies We have developed a list of common internal controls and security deficiencies in the Oracle E-Business Suite and ways companies mitigate the risks associated with the deficiencies. Having an understanding of these deficiencies will most likely lead to a list of development efforts you would recommend to management that may include the following: • Forms personalization to provide preventive controls related to some identified risks • Custom reports or queries for monitoring of certain risks • Implementation of a solution to monitor or prevent SOD and user access control risks • Implementation of a solution to provide trigger-based or log-based auditing to provide a detailed audit trail for risks such as SQL forms, development and security activity, monitoring of setups related to application controls, and in support of your change management process We make the following recommendations: • We recommend that you join the internal controls repository and download the content to review. You should evaluate this list of deficiencies and discuss the risk identified in this list with your end users and management. • Participate in the development of this public domain list of deficiencies so other end users can share in this knowledge Sensitive Data in Non-Production Environments Sensitive data is just as important to protect in non-production environments as it is in your production environment. However, companies often provide more liberal access to employees and contractors at the application and database layers in non-production environments which leaves sensitive data excessively exposed. We make the following recommendations: • Sensitive data should be scrambled during the cloning process. Scrambling involves changing the data from its original value to a different value. For example, changing all salaries to an hourly rate of $7.00/hour • Download a listing of common sensitive data and in which tables and columns in the database it is stored by joining the internal controls repository and access the file “Oracle Apps Sensitive Data” in the Internal Controls Content folder in the Files section. • Participate in the development of this public content so other end users can share in this knowledge • Look for our full white paper on this topic that will be released soon. Sign up for our email list on our website. © 2008 ERPS
  • 4. Application Controls We have written a white paper discussing the impact of the Institute of Internal Auditor’s guidance on the Auditing of Application Controls that would be helpful for you to read. We make the following recommendations: • Join the internal controls repository and download the white paper “Auditing Application Controls” • Download the IIA guidance to review Change Management We have identified several challenges related to the change management process common to most companies. We use the Institute of Internal Auditor’s guidance provided in the Global Technology Audit Guide called “Change and Patch Management Controls: Critical for Organizational Success”. Here is a listing of common change management challenges: • Profile Options not being considered • Changes to security not being considered • Failure to take into account access to sensitive data in security process changes • Failure to take into account request groups access in design of security • Forms-based setups not being considered • Change made in various forms that allow SQL statements embedded in them are not required to go through change management process • Excessive access to forms requiring change management • Failure to clearly document who is responsible for implementing change • Failure to test for unauthorized changes • Failure to remediate issues that allowed the unauthorized changes • Failure to maintain documentation • Poor impact analysis leading to a poor testing process We make the following recommendations: • Look for our full white paper on this topic that will be released soon. Sign up for our email list on our website. • Download the IIA guidance to review © 2008 ERPS
  • 5. Other Resources and White Papers There are other sources of information for internal auditors. We make the following recommendations: • Stay current with information for auditors at AuditNet • Request other white papers at the Oracle Users Best Practices Board • Access other white papers not available to the public by joining the internal controls repository and checking the White Papers folder in the Files section Comments and feedback regarding this paper should be addressed to the author at jhare@erpseminars.com or by completing a reviewer feedback form. About the Author Jeffrey T. Hare, CPA CISA CIA is one of the leading experts on the development of internal controls and security in an Oracle Applications environment. Jeffrey founded ERP Seminars and the Oracle Users Best Practices Board and is leading the efforts for the development of a public domain internal controls repository. See a full bio for Jeffrey. Version Control Version Updated by Date Comments 1.0 Jeffrey Hare 25-Jan-08 Initial release © 2008 ERPS