Improving Internal Controls While Saving Time & Money. A CaoSys White Paper August 2010

Transcription

1 A CaoSys White Paper August 2010

2 Contents Introduction... 3 Overview... 4 Internal Controls... 5 Segregation of Duties Manual Review... 5 Building an Audit Trail Standard Audit... 7 Data Security... 8 Improving Internal Controls and Saving Time & Money... 9 Handling SOD with CS*Comply... 9 Effective Auditing with CS*Audit Data Segregation with CS*Secure Conclusion The CaoSys Solution Suite Reviewers: The author would gratefully like to acknowledge the following who helped review this paper Jeffrey T. Hare, CPA CISA CIA Sam Alapati Khalil Rehman, NLP (MPrac) MCIPS, PMP,OCP Lewis Hopkins CEO, ERP Risk Advisors Industry Analyst, Author, Audit Trail Evangelist Senior Technical Director, Miro Consulting Industry Expert and Author Finance Programme Manager, NHS CEO, Oracle Experts Product Manager, Q Software 2010 CaoSys Limited. Page 2 of 16

3 Introduction Read the title of this paper again Improving Internal Controls While Saving Time and Money What the title suggests is just not possible, is it? How can you make something better and yet save your organization time as well as money? In this paper we will discuss 3 common GRC related topics that are applicable to organizations using Oracle E-Business Suite. We will also demonstrate how you can improve your internal controls while saving time and money. This paper is part 1 of 2; our second paper in the Save Time & Money series will concentrate on improving core reporting in Oracle E-Business Suite while saving time and money CaoSys Limited. Page 3 of 16

4 Overview Oracle E-Business Suite is a collection of integrated applications that can offer its users a full 360 degree view of their business. The suite contains a vast array of functions and processes along with a colossal amount of data stored in the underlying database. Organizations that use Oracle E-Business Suite commonly endure very similar issues when it comes to a number of activities, including (but not limited to) Almost all organizations will at some point need to addresses SOD, auditing and security. The need for solutions in this area is often dictated by legislation or financial risk/loss due to fraud. Segregation of Duties - Controlling access to functions within Oracle EBS Auditing Ensuring a proper and effective audit trail is in place for key controls/setups, master data and some transactional data Security Controlling data access and supplementing Oracle s function-based security While Oracle EBS includes a number of features to help overcome some of the above issues, what is available out of the box does not provide a complete or effective solution. Most organizations will, at some point, need to fulfil their requirements and objectives by other means. Now more than ever organizations are questioning why they should invest in any software at a time when the global economic climate is feeling the pinch of a bearish market. During these tough times, application/data security and accountability are even more crucial. Electing for what may seem an initially less costly route is more often than not a false economy since it will not fully meet the business needs and it will not save time or money. The decision to invest in application audit tools is often taken too late, in many cases 2 to 3 years after an organisation has invested heavily in their enterprise applications. The audit profession should be insisting that all implementations are supported by suitable audit /GRC tools as part of the original investment. This paper briefly discusses some of the problems inherent in dealing with these issues and it goes on to discuss how you can improve your internal controls while saving your organization time and money CaoSys Limited. Page 4 of 16

5 Internal Controls Internal controls are methods and policies designed to prevent fraud, minimize errors, promote operating efficiency, and achieve compliance with established policies There are certain activities that your organization may need to undertake that take time to complete such as quarterly or annual audits of application access and the auditing of key controls/configurations. These kinds of processes are typically conducted by external audit firms. The tightening legislation around financial controls and reporting and the myriad of compliance frameworks that organizations often need to adhere too (PCI, PII, SOX etc) is making it more and more difficult to satisfy your auditors (in a timely fashion). There is an increasing burden to prove that you are taking the appropriate steps to ensure financial integrity and accountability as well as mitigating as much as possible the risk of fraud and human error. If your internal controls are not sufficient then not only is your organization more vulnerable to financial loss by way of fraudulent activity but the internal controls audit you will have to undergo will be a lengthy and likely very costly process. Many organizations try to ease the pain of the audit process and mitigate risk by implementing a number of solutions, two of the more common are... Manually reviewing user access at responsibility (role) level on a quarterly or annual basis Enabling the built-in audit trail that is included with Oracle EBS The problem with both of the above is that while they are certainly better than doing nothing, they don t solve any part of the problem at hand. Neither will do a very good job of preventing fraud from taking place and neither will fully satisfy your auditors that you are taking the appropriate steps to improve your internal controls. So you will still be susceptible to fraud and your audit process will still be lengthy and costly. Segregation of Duties Manual Review Manually reviewing user access at a given interval is one way to deal with Segregation of Duties. This allows you to take the time to review what each user has access to and then to take appropriate action to remove access where required. As stated above, it is certainly better than doing nothing but it is essentially a flawed process for many reasons 2010 CaoSys Limited. Page 5 of 16

6 Segregation of Duties (SOD) has as its primary objective the prevention of fraud and errors. This objective is achieved by separating the tasks and associated privileges for a specific business process among multiple users. Oracle E-Business is very complex, it consists of hundreds of responsibilities/roles and many thousands of functions which are likely to be spread across hundreds if not thousands of different menus. Attempting to review which functions each user can access is an almost insurmountable task even with a modest number of users. Most organizations typically only review access at the responsibility/role level. For this approach to stand any chance of being slightly effective. There is a reliance on good responsibility and menu design which in itself is difficult to achieve. Moreover, reviewing user access at responsibility level will not take into account any changes to the responsibility/menu design. Furthermore, reviewing at this level is not granular enough since many risks from an SOD perspective are likely to be intra-responsibility. Performing a manual review for each responsibility is a time consuming task even for a relatively small number of users. Let s assume you have 400 users and to review access at responsibility level takes you a week to complete (a very optimistic estimate), now imagine how long it will take if you have 4,000 users. A manual review is something that can practically only be done once every few months, perhaps quarterly or even annually, so at the time of the review you will have what is effectively an inaccurate picture of who can do what but the review does not take into account all the access changes that take place between reviews. It merely provide a very narrow picture at a given point in time. A manual review is in no way a pro-active approach to dealing with SOD. Manually reviewing access cannot provide you with the required preventive controls you really need to ensure SOD is effective. The likely deliverables from manual review will probably be severely lacking in almost every area mainly down to the fact that you are not reviewing SOD risks at the correct level. The reporting you get from a manual review will make it difficult for you to determine where to start with you remediation/user provisioning processes. and many more Manually reviewing user access at function level is practically impossible due to the sheer volume of data that will needs to be reviewed and so most organizations will settle for a review at responsibility/role level. This kind of user access review is time consuming, expensive and ineffective and it does little to prevent fraud and little to satisfy 2010 CaoSys Limited. Page 6 of 16

7 auditors that you have the appropriate internal controls. Ultimately, it does not save your organization time or money. Building an Audit Trail Standard Audit Having a detailed audit trail is essential for any business regardless of whether or not you need to comply with any particular regulations or legislation. Quite often, organizations neglect to implement a proper audit trail until it is dictated to them by one of the following Legislation requires that they have an audit trail Auditors insist that they have an audit trail Financial risk or loss by way of fraud An audit trail should ideally be put in place during the implementation of your applications but in most cases it is an afterthought. At whatever point you determine that an audit trail is needed you will no doubt explore the built-in audit trail that is part of Oracle E- Business Suite. Implementing the standard audit functionality within Oracle EBS is better than no audit trail but it is lacking in many areas. The audit functionality provided out of the box does allow you to create an audit trail on any part of the Oracle E-Business Suite but it is lacking in many areas, including (but not limited to) It is not fine grained or rule driven. You don t have control over exactly what is audited on a given table or when to audit which can lead to audit overkill which is a major problem in its own right. It cannot pull in additional metadata at the time of audit. This can mean the data captured in the audit trail is not easy to understand. It is awkward to use. The user interface is clunky and hard to use. Audit reporting is not adequate. It offers no means to allow you to maintain documentary evidence against the audit trail of reviews and approvals. It does not allow for real-time notifications to be sent when a given audit transaction is generated no means of pro-active monitoring. It does not help you know what you audit. There is no preseeded content available for use with the standard audit functionality CaoSys Limited. Page 7 of 16

8 So in a similar fashion to the flaws with a manual SOD review, the standard audit trail does not really help you solve the problems at hand. It remains extremely difficult to ensure you have an effective audit trail which will go towards saving your organization time and money during your audit processes. Neither will it ensure effective accountability to help mitigate against the risks of fraud. Data Security When we talk about data security, we are referring to securing the actual data within the Oracle E-Business Suite rather than the security around application access. Whereas SOD deals with the separation of processes and tasks, data security goes beyond this to allow for the separation and hiding of data. Oracle E-Business Suite has a number of built-in features that allow you to implement data segregation and hiding, here are a few you may be aware of Multi-organisations Access Control (MOAC) HR Security Profiles Forms Personalization The above features basically allow you to segregate data within the Oracle E-Business based on some predefined context such as Organization; or in other words it is a means of ensuring only the appropriate users can see data that is applicable to them. Also, these features secure data only when accessed through Oracle EBS, they do not take into account scenario s where the data is being accessed outside of the applications (i.e. through tools such as SQL*Plus, TOAD, Discovers, custom applications). However, Oracle E-Business Suite does not come with any generic means of implementing your own data segregation, data hiding internal controls. As such when you need to segregate data based on some other context then you have no choice but to look for an alternative solution. There are several frameworks and a whole myriad of rules and regulations surrounding the concept of data segregation and without an effective solution at hand then ensuring compliance is going to be difficult, time consuming and costly CaoSys Limited. Page 8 of 16

9 Improving Internal Controls and Saving Time & Money A question we are asked all the time is So how does the CaoSys Solution Suite help us improve our internal controls? The answer is simple, we provide several tools that can automate your existing manual processes as well as greatly improve on those where some level of automation has already been implemented. When we answer the above question, the very next question is often Okay great, so you can improve our internal controls but in the current economic climate how can you help our organization save time and money? CS*Applications is available for Oracle EBS 11i and R12. The CaoSys Solution suite consists of several modules all designed and built specifically for Oracle E-Business Suite. Those modules related to SOD, audit and security are CS*Comply Segregation of Duties (SOD)/Access Controls CS*Audit For building an effective audit trail CS*Secure Data segregation/hiding based security controls The CaoSys Solution Suite, referred to as CS*Applications is a fully integrated suite that is completely embedded into Oracle E-Business Suite. We will now take a quick look at each of these modules to see how your internal controls can be greatly improved as well as how you save time and money. Handling SOD with CS*Comply If you need to deal with Segregation of Duties, then as discussed earlier, you really need to handle the problem at the process/task level (function level) and the only way to do this is through software automation. CS*Comply provides all the tools you need to be able to effectively identify all SOD conflicts within your system and also to handle them accordingly. Not only can CS*Comply help you report on where all your SOD conflicts are, it can also help you prevent new conflicts from being 2010 CaoSys Limited. Page 9 of 16

10 created moving forward, thus it offers a much more pro-active approach to dealing with the risks. Furthermore, CS*Comply not only helps you handle what might be considered traditional SOD which is where one function conflicts with another, but it goes much further than this to allow you to deal with application access to functions that present a risk in their own right (high risk single functions). All modules within CS*Applications have a native Oracle EBS look and feel, this can help users feel at home when using the tools. On a system with 400 users or 4,000 users, you would never be able to effectively handle SOD without automation, because you would never be able to complete the task of reviewing all user access at process/task (function) level. Using CS*Comply this is very simple and very fast; based on a predefined rule set (or your own SOD rule set), our conflict scanning engine can process millions of access combinations in just a matter of minutes. Utilising CS*Comply to identify your SOD conflicts is something that can be done as on on-going process, whereas with a manual process it is merely a point-in-time process maybe once or twice a year. The built-in reporting and analysis tools allow you to gain valuable insight into why your SOD conflicts exist and help you with your user provisioning and remediation processes. CS*Comply includes multiple preventive controls to help ensure you applications remain free from SOD violations moving forward. CS*Comply includes many features and functionality to simplify the process and make it more effective. From the powerful and fast SOD scanning engine, the built-in exception system, the notification engine, the conflict workbench for detailed analysis and drill down to the SOD trend analysis, everything is included to make sure you can deal with SOD quickly and efficiently. There are a number of solutions available for dealing with SOD in Oracle E-Business Suite but none offer the ease of use, the tight integration or the power that CS*Comply offers. Many other solutions require additional hardware and software. CS*Comply is embedded into Oracle EBS and requires no additional hardware or software. When considering the total cost of ownership, you need to take into account every aspect of what a given solution requires, from software licensing, to hardware requirements to training requirements, to installation to implementation and on-going support. CS*Comply can help ensure that the TCO is kept down through Very competitive software licensing No additional hardware/software requirements Reduced training Very rapid installation 2010 CaoSys Limited. Page 10 of 16

11 Reduced implementation Our optional content packs (referred to as Enterprise Packs or E*Packs) have been developed in collaboration with ERP Risk Advisors, an industry thought leader in best practices and content-creation for internal controls and security in Oracle EBS environments. CS*Comply is also available with our pre-seeded content pack which can further help you save time and money. Our content pack contains all the required Oracle EBS function mappings and hundreds SOD rules which cover tens of thousands of known risks within the Oracle E-Business Suite. The bottom line is that using CS*Comply addresses all of the requirements and objectives and does not suffer with any of the problems of the manual review process Greatly reduces the risk of fraud Satisfies auditors that you are taking the appropriate steps to mitigate against inappropriate access Speeds up the SOD audit process considerably Allows you to be pro-active when dealing with SOD risks Saves your organization time and money Effective Auditing with CS*Audit As discussed earlier, you may already be using the standard audit functionality that is included out of the box with Oracle EBS or perhaps you are only just coming around to the idea that you need to build an effective audit trail. Whatever your position, CS*Audit has been designed from the ground up to be easy to use while also ensuring that your auditors will be satisfied and that your organization has accountability. CS*Audit addresses all of the shortfalls in the standard audit trail Fine grained auditing so that you have complete control over what goes into the audit trail and when. The ability to pull additional metadata into the audit trail. Easy to use user interface. Powerful and very easy to use audit trail reporting tools. The ability to maintain documentary evidence of audit approvals and reviews directly against the audit trail. Built-in real-time notification engine to allow you to do proactive monitoring of changes. Available with our pre-seeded content pack to help you know what to audit. Just as with CS*Comply, when you come to do your quarterly or annual audit, CS*Audit ensures that you can quickly and easily satisfy 2010 CaoSys Limited. Page 11 of 16

12 your auditors that you have implemented appropriate internal controls to ensure complete accountability. Your audit process is likely to be a much smoother and less costly process and you are also likely to help mitigate the risk of financial loss by way of fraudulent activity. Since CS*Audit is part of the CaoSys Suite, it is also embedded into Oracle EBS and does not require any additional hardware or software which further helps ensure the TCO is kept to a minimum. Data Segregation with CS*Secure There could be many reasons why you need to segregate or hide your data within Oracle E-Business Suite, these could include To ensure you can comply with various national and international data protection regulations. To ensure personal data is not visible without appropriate authority. To ensure that sensitive data is not visible without appropriate authority. To ensure that high risk data is not visible without appropriate authority. One approach some organizations take to solving this problem is to identify all the areas where the data can be accessed and then implement a custom solution to segregate/hide the data in a given scenario. This approach does not provide a practical, efficient or even an effective solution since there could literally be hundreds of places within an application (or even outside of the application) where the data in question can be accessed. Opting for this kind of solution is likely to take a huge amount of technical development along with just as much testing, then once you have the finished solution the ongoing support requirements are likely to be just as time consuming and costly. CS*Secure can help you implement your data security requirements with relative ease since it allows for the creation security policies that are database wide. In other words a policy is applicable to every form, report, process, etc that accesses the data. This allows you to implement one policy and everything will be taken it into account - even backdoor access is protected along with access via tools other than Oracle E-Business Suite (i.e. Discoverer, ApEx, TOAD, Custom Applications etc). CS*Secure can be used to implement 3 different types of security 2010 CaoSys Limited. Page 12 of 16

13 Data Segregation The ability to actually segregate (or partition) data based on any given context. Data Hiding The ability to hide only specific items of data in any given context. Data Protection The ability to help ensure data is rendered read-only in any given context. A key factor when considering whether CS*Secure is suitable for your organizations data security requirements is the fact that it does not physically alter the data in any way; the data itself is left untouched which helps ensure the integrity of the data is maintained. Other solutions offer data encryption technology but this is often misused or misunderstood since the only time you should really encrypt production/live data (other than perhaps things like credit card details and passwords) is to protect your organizations data from loss or theft. To protect against this you should consider encrypting data atrest using any of Oracle s built-in data encryption technologies such as Transparent Data Encryption (TDE) which physically encrypts the data as it is written to disk and then decrypts data as it is accessed. Since CS*Secure is part of the CaoSys Suite, it is also embedded into Oracle EBS and does not require any additional hardware or software which further helps ensure the TCO is kept to a minimum. Whilst not specific to quarterly or annual audits as such, the capabilities offered by CS*Secure can help your organization save time and money by ensuring that you can comply with regulation and satisfy management that you data is protected and it helps you implement the businesses security requirements and meet its objectives in a timely and cost effective fashion CaoSys Limited. Page 13 of 16

14 Conclusion In conclusion, we have discussed some common issues that most organization who have implemented Oracle E-Business Suite face include dealing with Segregation of Duties, implementing an effective audit trail and data security. It is fair to say that the majority of Oracle EBS users will at some point in the life of their applications need to address one of more of these kinds of issues. Several options are available and different organizations take different approaches but in most cases some level of software automation is needed to ensure that the business requirements are satisfied. Given the current economic climate, many organizations are understandably very reluctant to spend any money on new software projects, however, this paper demonstrates for some organizations doing something is mandatory. If the right choices are made now then some capital expenditure today can ultimately save time and money in the medium to long term. The CaoSys Solution Suite offers cost and time effective solutions to all of these issues as well as offering various other productivity solutions that can also save a great deal of time and money. More information about the solutions discussed in this paper as well as our other solutions can be found online at CaoSys Limited. Page 14 of 16

15 The CaoSys Solution Suite CS*Applications consists of several integrated modules that have all been designed and built specifically for Oracle E-Business Suite that offer solutions to many day to day problems that users of the suite face. CS*Comply CS*Audit CS*Secure CS*Form CS*Accelerate CS*Enquire Segregation of Duties (SOD)/Access Controls For building an effective audit trail Data segregation/hiding based security controls Our flagship productivity solution for building core reporting extensions for Oracle EBS as well as building application extensions and miniapplications. We refer to CS*Form as an Extreme- RAD tool Our solution for implementing intra-form internal controls and augmentations as well as complex navigational enhancements An embedded, ad-hoc data query tools for building, sharing and running queries. CS*Applications delivers multiple capabilities 2010 CaoSys Limited. Page 15 of 16

16 How to Improve Internal Controls and Save Time & Money August 2010 Author: Craig O'Neill Website: Copying in any form is strictly prohibited without prior written consent of CaoSys Limited. Copyright CaoSys Limited. All rights reserved. Various product and service names mentioned are trademarks of CaoSys Limited. Oracle and Oracle E-Business Suite are trademarks or registered trademarks of Oracle Corporation. Any other names are used for references only and may be trademarks of their respective owners.