1. Is Oracle ERP in Scope for 2014 Audit Plan?
Learn, from our client case-studies, effective ways to assess ERP Controls
A Leader in Risk Based Enterprise Controls Management Solutions
Risk and Compliance
Financial Reporting
Internal Audit
Controls Catalog
Application Security
Advanced Analytics
Webinar – January 28th, 2014
Adil Khan
Managing Director
Leverage Technology:
Move Your Business Forward™
Give me a lever long enough and a fulcrum on which to place it, and I shall move the world - Archimedes
Copyright © Fulcrum Information Technology, Inc.
2. Agenda
Is Oracle ERP in Scope for 2014 Audit Plan?
Introductions
ERP Control Assessment Approach – 2014
ERP Controls in Scope for Audit
Audit Findings and Remediation
Oracle Advanced Controls – Case Study
Copyright © FulcrumWay
Page 2
www.fulcrumway.com
4. FulcrumWay
A Leader in Risk Based Controls Management™
FulcrumWay: is the #1 End-to-End Provider of Risk Based Enterprise Controls Management
Solutions for Oracle EBS, PeopleSoft and JDE customers with over 200 Fortune-500 to Middle Market
clients. Since 2003, we have successfully assisted companies across all major industry segments.
Expertise: Risk Advisory Services. Advanced Controls Design for Enterprise Applications. Best
Practices for Risk Mitigation and Internal Controls Automation. Audit, Compliance, Financial,
Enterprise and Operational Risk Assessments. Risk Remediation Services.
Packaged Solutions: FulcrumWay is the #1 choice of Oracle customers for Oracle GRC Advanced
Controls, GRC Manager, and GRC Intelligence/OBIEE software implementation. Oracle has certified
us as the only partner with Accelerators for Oracle GRC. We also provide Managed Services.
Software Services: Risk Assessment for ERP systems, Control Design and Management Tools,
Controls Catalog, Enterprise Risk Manager, Financial Reporting Manager, Audit Manager
USA Presence: Privately held Delaware Corporation with US offices in New York City, Dallas and San
Francisco
International Presence: in Auckland, Chennai, Johannesburg, London, Mexico City
6. FulcrumWay™ Insight
Proven Expertise
Thought Leadership
Co-Authored GRC Book: first book on GRC for Oracle Applications
Webcasts: GRC Best Practices, Trends and Expert Insight, February 19th
Executive Round Table: GRC Advanced Controls Luncheon, Los Angeles, February 21st
Executive Round Table: GRC Case Studies and Best Practices, March 13th, Chicago
Collaborate 14: GRC Client Appreciation Dinner, April 9th, 2014, Las Vegas
Oracle Open World: Annual GRC Dinner, September 23rd, 2014, W Hotel San Francisco
LinkedIn: FulcrumWay Risk, Compliance and Audit Software Group
YouTube Podcasts: FulcrumWay Instant Insight in 10 min or less
8. ERP Controls
Why include ERP Controls in Audit?
PCAOB Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements, states that benchmarking of application controls can be used because these controls are generally not subject to breakdowns due to human failure. If the general controls used to monitor program changes, access to programs, and computer operations are effective and continue to be tested on a regular basis, the auditor can conclude that the application control is effective without having to repeat the previous year's control test. This is especially true if the auditor verifies that the application control has not changed since the auditor last tested it.
Source: U.S. Public Company Accounting Oversight Board (PCAOB)
9. What are ERP Application Controls
[Diagram, built up one callout at a time on slides 9 to 14: a flow labelled Inputs, Control Points and Output. Input-side labels: User Inputs, External Interface (Web Services, Banks), System Control Documents, Business Policies, ERP Configurations. Control-point labels: Data Input Validation, Posting/Processing, Data Storage (with Audit Logs and Data Archives alongside), Output. Output-side recipients: Board of Directors, Stockholders.]
Control objectives called out on the diagram:
Input data is accurate, complete, authorized, and correct.
Data is processed as intended in an acceptable time period.
Data stored is accurate and complete.
Outputs are accurate and complete.
A record is maintained to track the process of data from input to storage and to the eventual output.
15. Assessment Approach
Top Down Risk Based Approach to Application Controls
What are the enterprise wide risks that need to be assessed?
Which business processes are impacted by these risks?
Which ERP apps are used to perform these processes?
Where (business locations) are the processes performed?
What application functions control the processes?
17. Application Risk Factors
ERP Scope
[Table residue: each application in the list of apps is scored on five factors, Financial/Sensitive Data, Primary Process Enabler, Custom Code, Frequency of Changes and Audit Logs, and the factor scores are combined into a Risk Rating. Applications named on the slide: PO, GL, AP, AR, FA, INV, PR, HR, OM. Rows that survive extraction: AR 7, 7, 9, 9, 7 = 39 (over the threshold); FA 5, 5, 5, 5, 5 = 25; three further rows, 8, 9, 5, 9, 8 = 34; 7, 7, 6, 8, 9 = 32; and 5, 5, 4, 6, 4 = 24, whose application labels cannot be recovered.]
Risk Scale: Highest 10
Risk Threshold: Over 30
18. Access Controls
ERP Scope
FulcrumWay Controls Catalog
Access Control | Risk Description | Process | ERP App | Risk Type | Risk Rating
Enter Journal and Post Journal | Can cause frauds or errors resulting in over or under stated financial statements | R2R | GL | Fin | High
Create Suppliers and Create Invoices - R12 | Can lead to an overstatement of liabilities if fictitious suppliers are created and invoiced. | P2P | AP | Fin | High
Create Customer and Create Sales Order - R12 | Can lead to an overstatement of revenues. | O2C | AR | Fin | High
19. ERP Scope
Configuration Controls
FulcrumWay Controls Catalog
Configuration Control | Risk Description | Process | ERP App | Risk Type | Risk Rating
Journal Authorization Limits | Authorization limits for employees. | R2R | GL | Fin | High
Payment Adjustment Controls | Adjustments made to invoice distributions after payment is issued can cause errors in reconciliation … | P2P | AP | Fin | High
Define Credit Usage Rules | In Credit Management, credit usage rule sets ensure that all transactions for the specified currencies are converted to the credit ... | O2C | AR | Fin | High
20. ERP Scope
ERP Transaction Controls
FulcrumWay Controls Catalog
Transaction Control | Risk Description | Process | ERP App | Risk Type | Risk Rating
Exchange Rates | Identify transactions after the fact; monitoring of manual inputs of system exchange rates that are … more than 10% +/- | R2R | GL | Fin | High
AP Invoice Over PO | Invoice payments in excess of PO / user invoice approval limit | P2P | AP | Fin | High
AR Invoices Over Threshold | Control monitor returns a record of each customer invoice that is valued in excess of a specified threshold. | O2C | AR | Fin | High
21. ERP Control Methods
ERP Scope
[Risk matrix, Impact (vertical, Low to High) against Probability (horizontal, Low to High):
High impact, low probability: Medium Risk, Mitigate
High impact, high probability: High Risk, Remediate & Prevent
Low impact, low probability: Low Risk, Accept
Low impact, high probability: Medium Risk, Monitor Controls]
24. Findings / Remediation
ERP Audit Findings and Remediation
[Process diagram: Scope Application Controls, Assess Risk, Establish Test Environment, Setup Mitigating Controls, Manage Exceptions, Detect Violations, Analyze Issues, Remediate Issues, Implement Corrective Actions, Monitor Application Environment. Roles shown: Application Security Administrator, Application Controls Manager, IT/Business Control Teams. Inputs and tools shown: Sample ERP Data, FulcrumWay DataProbe, Application Controls Manager.]
25. Findings
Access Controls Violations
[Diagram of one user's access resolved through the application security objects: User John Doe holds Role Purchasing User, which reaches Menu CREATE_PMTS and Page PAYMENT_ACTION_IC, and Role Invoice Manager, which through Permission List Invoices reaches Component INVOICESGBL and Page TD_INVOICES. Object types on the diagram: User, Role, Permission List, Menu, Component, Panel Group, Page, Row Security Class, Authorized Actions. Finding labels on the diagram: Locked User, Inherent SOD Conflict, False Positive.]
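The diagram above shows one user's access resolved through roles, permission lists, components and pages. The Python below, added here as an illustration and not code from FulcrumWay or Oracle, walks that same path for a constructed user population and evaluates a segregation-of-duties rule over the pages each user can reach. The object names CREATE_PMTS, PAYMENT_ACTION_IC, INVOICESGBL and TD_INVOICES are the slide's; the permission-list names, the extra "AP Superuser" role, the user records and the rule itself are assumptions. Two readings of the diagram's labels are also assumptions: "Inherent SOD Conflict" is treated as a conflict that a single role grants on its own (an intra-responsibility conflict, in the terms of the Oracle Advanced Controls slide later in this deck), and "Locked User" as the false-positive case, since a disabled account cannot exercise the access.

```python
"""Resolve each user's effective pages through role -> permission list -> component/page
and evaluate segregation-of-duties rules over the pages reached."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed security model in the style of the slide's diagram. CREATE_PMTS,
# PAYMENT_ACTION_IC, INVOICESGBL and TD_INVOICES are the slide's object names; the
# permission-list names, the AP Superuser role and the users are assumptions.
# Permission list -> set of (menu, component, page) paths it grants.
PERMISSION_LISTS = {
    "PL_PURCHASING": {("CREATE_PMTS", "PAYMENT_ACTION", "PAYMENT_ACTION_IC")},
    "PL_INVOICES": {("INVOICES", "INVOICESGBL", "TD_INVOICES")},
    "PL_AP_ALL": {("CREATE_PMTS", "PAYMENT_ACTION", "PAYMENT_ACTION_IC"),
                  ("INVOICES", "INVOICESGBL", "TD_INVOICES")},
}
# Role -> permission lists attached to it.
ROLES = {
    "Purchasing User": {"PL_PURCHASING"},
    "Invoice Manager": {"PL_INVOICES"},
    "AP Superuser": {"PL_AP_ALL"},
}
# SoD rule: two pages that must not both be reachable by one user. Entering invoices
# and creating payments together lets one person pay an invoice they invented.
SOD_RULES = [("Enter invoice vs. create payment", "TD_INVOICES", "PAYMENT_ACTION_IC")]


@dataclass
class User:
    name: str
    roles: set
    locked: bool = False


def effective_pages(user):
    """Return {page: set of roles granting it}, walking role -> permission list -> page."""
    pages = defaultdict(set)
    for role in user.roles:
        for plist in ROLES.get(role, ()):
            for _menu, _component, page in PERMISSION_LISTS.get(plist, ()):
                pages[page].add(role)
    return dict(pages)


def sod_findings(user):
    """Evaluate every SoD rule for one user.

    kind is 'intra-role' when a single role grants both sides (the conflict is inherent to
    that role, so every holder of it inherits it) and 'inter-role' when only the
    combination of roles creates it. A locked account cannot exercise the access, so its
    conflict is reported as a false positive rather than a violation."""
    findings = []
    pages = effective_pages(user)
    for rule, page_a, page_b in SOD_RULES:
        if page_a not in pages or page_b not in pages:
            continue
        shared = pages[page_a] & pages[page_b]
        findings.append({
            "user": user.name,
            "rule": rule,
            "kind": "intra-role" if shared else "inter-role",
            "roles": sorted(shared) if shared else sorted(pages[page_a] | pages[page_b]),
            "status": "false positive (locked user)" if user.locked else "violation",
        })
    return findings


def conflict_report(users):
    """Flat list of findings across a user population."""
    return [f for u in users for f in sod_findings(u)]


# Constructed user population.
USERS = [
    User("John Doe", {"Purchasing User", "Invoice Manager"}),
    User("Jane Roe", {"AP Superuser"}),
    User("Old Contractor", {"Purchasing User", "Invoice Manager"}, locked=True),
    User("Read Only", {"Invoice Manager"}),
]

if __name__ == "__main__":
    for finding in conflict_report(USERS):
        print(finding)
```

The inter-role case is fixed by taking one role away from the user; the intra-role case cannot be fixed per user at all, the role itself has to be split, which is why the two kinds are reported separately.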
26. Findings
Oracle Procure-to-Pay
[Process model used on slides 26 to 29: Requisition, Purchase Goods / Services, Receive Goods / Services, Invoice, Issue Payments, across the spend categories Indirect & MRO, Direct Materials and Services. Surrounding layers: Corporate Performance Management, Collaboration, Strategic Sourcing & Contract Mgmt, Supplier Collaboration, Settlement (Banks, Payment Processors, SWIFTNet), Business Process Models, Service Oriented Architecture. Control points are marked along the flow.]
27. Oracle Procure-to-Pay Findings (Controls)
Are there inappropriate associations between a vendor and an employee?
Do you have duplicate suppliers?
Are your vendors compliant with trade regulations? Are the vendors blacklisted?
Are you missing critical supplier information? Is the information valid?
Are there frequent changes to supplier information?
28. Oracle Procure-to-Pay Findings (Controls)
Do you have duplicate purchase orders?
Are POs created on the same day as goods arrive?
Are there purchases with non-preferred vendors?
Are there split POs?
29. Oracle Procure-to-Pay Findings (Controls)
Are you making accurate and timely payments?
Are payment term changes reviewed before payment?
Are there duplicate invoice amounts being processed?
Did the person making the payment create or modify the vendor?
Are there discrepancies in freight charges?
31. Case Study
Company Overview
Corporate Overview
• Large Mining, Chemical, Energy & Oil company headquartered in
West Palm Beach, FL
• 1,200 Employees worldwide and $4B annual revenue
• Runs Oracle E-Business Suite R12 and several non-Oracle systems
Overall Challenges and the Need for ERP Controls
• Heterogeneous business application environment
• Inability to track unusual activity on sensitive financial data
• Lack of proper internal controls in various processes
• Insufficient documentation on access, configurations and transaction
controls
32. Controls in Scope
User security to prevent improper access to business functions
Segregation of Requisitions from Purchase Orders
– Auto Create of Purchase Orders/RFQ from Requisitions
One, Two or Three way matching of purchases to payments
Purchasing and Payment tolerances
Vendor purchasing/pay site configuration
One-time vendor indicator
Purchasing Approvals
– Based on dollar value
– Commodity Type
33. Controls in Scope
Purchasing
– Compare Vendor Address with Employee address, looking for similarities
– Duplicate Suppliers, similar names or same tax ID
– One time vendors, Audit rules on the one-time vendor flag changes
– PO creation date is the same as the receiving date
– Split purchase orders
– Duplicate purchase orders
Accounts Payable
– Change rule for change in payment terms & Change tracking object for terms and tolerances
– Duplicate Invoices Control
– Same employee create vendor and invoice to vendor
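The purchasing checks listed above, the questions on the Procure-to-Pay findings slides, and the supplier-master monitors on the later Procure to Pay optimization slide (same tax ID, same bank account, similar e-mail domain, POs to blocked suppliers, split POs) all reduce to analytics over the supplier master and PO headers. The Python below is an added example, not FulcrumWay's DataProbe or Oracle's code. The record layout, the sample suppliers, employees and POs, the 5,000 approval limit, the 7-day window and the name and address normalization rules are constructed assumptions for the illustration; a real run would read the ERP's supplier, PO and HR tables instead.

```python
"""Procure-to-pay analytics over the supplier master and purchase orders, run on
constructed sample records."""
import re
from collections import defaultdict
from datetime import date

# Constructed sample data. The layout is a simplification for this example, not the
# Oracle E-Business Suite supplier, PO or HR tables.
SUPPLIERS = [
    {"id": 1, "name": "Acme Industrial, Inc.", "tax_id": "12-3456789", "bank": "021000021/5550001",
     "email": "ap@acme-ind.example", "address": "12 Main St, Dallas TX 75201", "blocked": False},
    {"id": 2, "name": "ACME INDUSTRIAL INC", "tax_id": "123456789", "bank": "021000021/5550002",
     "email": "billing@acme-ind.example", "address": "12 Main Street, Dallas TX 75201", "blocked": False},
    {"id": 3, "name": "Northwind Traders LLC", "tax_id": "98-7654321", "bank": "111000025/7770009",
     "email": "ar@northwind.example", "address": "400 Elm Ave, Plano TX 75024", "blocked": True},
    {"id": 4, "name": "J. Doe Consulting", "tax_id": "55-1234567", "bank": "111000025/9990003",
     "email": "john@doe-consulting.example", "address": "77 Oak Lane, Frisco TX 75034", "blocked": False},
    {"id": 5, "name": "Doe Holdings Ltd", "tax_id": "55-7654321", "bank": "111000025/9990003",
     "email": "pay@doeholdings.example", "address": "PO Box 9, Frisco TX 75034", "blocked": False},
]
EMPLOYEES = [
    {"id": 101, "name": "John Doe", "address": "77 Oak Ln., Frisco, TX 75034"},
    {"id": 102, "name": "Mary Smith", "address": "9 Pine Ct, Allen TX 75002"},
]
PURCHASE_ORDERS = [
    {"po": "PO-1", "supplier": 3, "requester": 101, "amount": 4900.0, "created": date(2014, 1, 6), "received": date(2014, 1, 6)},
    {"po": "PO-2", "supplier": 3, "requester": 101, "amount": 4800.0, "created": date(2014, 1, 8), "received": date(2014, 1, 20)},
    {"po": "PO-3", "supplier": 3, "requester": 101, "amount": 4700.0, "created": date(2014, 1, 9), "received": None},
    {"po": "PO-4", "supplier": 1, "requester": 102, "amount": 12000.0, "created": date(2014, 1, 10), "received": date(2014, 1, 25)},
]

LEGAL_SUFFIXES = {"INC", "INCORPORATED", "LLC", "LTD", "LIMITED", "CO", "CORP", "CORPORATION"}
STREET_ABBREVIATIONS = {"STREET": "ST", "AVENUE": "AVE", "LANE": "LN", "COURT": "CT", "ROAD": "RD"}


def normalize_name(name):
    """Upper-case, drop punctuation and legal suffixes: 'Acme Industrial, Inc.' == 'ACME INDUSTRIAL INC'."""
    tokens = re.sub(r"[^A-Z0-9 ]", " ", name.upper()).split()
    return " ".join(t for t in tokens if t not in LEGAL_SUFFIXES)


def normalize_address(address):
    """Upper-case, drop punctuation and abbreviate street types so 'Lane' and 'Ln.' compare equal."""
    tokens = re.sub(r"[^A-Z0-9 ]", " ", address.upper()).split()
    return " ".join(STREET_ABBREVIATIONS.get(t, t) for t in tokens)


def duplicate_suppliers(suppliers=SUPPLIERS):
    """Suppliers sharing a normalized name, tax ID (digits only), bank account or e-mail domain."""
    keys = {
        "name": lambda s: normalize_name(s["name"]),
        "tax_id": lambda s: re.sub(r"\D", "", s["tax_id"]),
        "bank": lambda s: s["bank"],
        "email_domain": lambda s: s["email"].rsplit("@", 1)[-1].lower(),
    }
    hits = []
    for kind, key in keys.items():
        groups = defaultdict(list)
        for s in suppliers:
            groups[key(s)].append(s["id"])
        hits += [(kind, sorted(ids)) for ids in groups.values() if len(ids) > 1]
    return hits


def employee_vendor_matches(suppliers=SUPPLIERS, employees=EMPLOYEES):
    """(employee id, supplier id) pairs whose normalized addresses are identical."""
    by_address = {normalize_address(e["address"]): e["id"] for e in employees}
    return sorted((by_address[normalize_address(s["address"])], s["id"])
                  for s in suppliers if normalize_address(s["address"]) in by_address)


def split_purchase_orders(pos=PURCHASE_ORDERS, approval_limit=5000.0, window_days=7):
    """POs to one supplier from one requester that each stay under the approval limit but
    together exceed it inside the window: the usual pattern for evading PO approval."""
    groups = defaultdict(list)
    for po in pos:
        if po["amount"] < approval_limit:
            groups[(po["supplier"], po["requester"])].append(po)
    findings = []
    for (supplier, requester), group in groups.items():
        group.sort(key=lambda p: p["created"])
        for i, first in enumerate(group):
            cluster = [p for p in group[i:] if (p["created"] - first["created"]).days <= window_days]
            total = sum(p["amount"] for p in cluster)
            if len(cluster) > 1 and total >= approval_limit:
                findings.append({"supplier": supplier, "requester": requester,
                                 "pos": [p["po"] for p in cluster], "total": total})
                break  # one finding per supplier/requester pair is enough for review
    return findings


def po_created_on_receipt_date(pos=PURCHASE_ORDERS):
    """POs raised the same day the goods arrived, i.e. after-the-fact purchasing."""
    return [p["po"] for p in pos if p["received"] is not None and p["created"] == p["received"]]


def pos_to_blocked_suppliers(pos=PURCHASE_ORDERS, suppliers=SUPPLIERS):
    """POs issued to a supplier whose record is flagged blocked."""
    blocked = {s["id"] for s in suppliers if s["blocked"]}
    return [p["po"] for p in pos if p["supplier"] in blocked]


if __name__ == "__main__":
    for check in (duplicate_suppliers, employee_vendor_matches, split_purchase_orders,
                  po_created_on_receipt_date, pos_to_blocked_suppliers):
        print(check.__name__, check())
```

Exact-match keys (tax ID digits, bank account, e-mail domain) are cheap and precise; the name and address comparisons depend entirely on the normalization, so in practice the suffix and abbreviation lists are tuned per country and the results are reviewed rather than acted on automatically.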
34. Controls in Scope
Open/Closing Accounting Periods
Adding KFF Account values
Hiding private/sensitive data
– Social Security Number
– Bank Account information
– Home addresses
Automated period close and consolidation process
35. IT/Super User Change Tracking
Security Rules
Cross Validation Rules
Foreign Currency exchange rate changes
Key Flexfield Segments
System Profiles
ERP Responsibilities
Payment Terms and Tolerances
Form Changes
Alert Changes
Bank Account Information
Journal Sources and Categories
36. Oracle Advanced Controls Implementation
Access Controls
– Segregation of Duties, i.e. Policy Load
– User Provisioning, i.e. detection and remediation of SODs
– Conflict Reports, i.e. report on intra and inter responsibility conflicts
Preventive Controls
– Form Rules, i.e. limiting access to a field
– Flow Rules, i.e. approval rule, informational message on trigger
– Audit Rules, i.e. track changes
– Change Control Rules, i.e. reason code as to why a field is changed
Transaction Controls
– Business Objects, i.e. tables and fields within EBS Suite
– Parameters, i.e. filters, patterns and functions
– TCG Models, i.e. string of business objects that generate suspects
Configuration Controls
– Snapshots, i.e. capturing specific setup/configuration info
– Comparisons, i.e. comparing snapshots between ledgers, operating units, instances
– Change Tracking, i.e. monitor any change to configuration
37. Transaction Control Monitors
AP Invoices Over Threshold: Identify AP Invoices that are over a certain Threshold Amount
Dormant Inventory Items: Check for Dormant Inventory Items
Dormant User IDs: Identify dormant user IDs
Duplicate Vendor Payments: Identify Duplicate Vendor Payments within a specified time period
Enter Post Journals SOD Violation: Identify Journals that are entered and posted by the same user.
Manual Journal Entries over Threshold Amount: Identify Manual Journals created in General Ledger that are above the specified threshold amount
PO Over Threshold Amount: Identify Purchase Orders that are over a certain Threshold Amount.
Sales Order Over Credit Limit: Control Monitor for Sales Order over Credit Limit
Sales Order Over Threshold Amount: Identify Sales Orders that were booked for a value over a threshold amount
SOD Violation between AP Invoices and PO Documents: Identify purchasing and payables documents entered by the same user.
Terminated Employees with Active User Ids: Identify Terminated Employees with Active User Ids
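Each of these monitors is, at bottom, a query over the ERP's transaction and user tables. The Python below, added here as an example and not FulcrumWay's or Oracle's code, expresses seven of them as SQL over a constructed in-memory sqlite schema. The table and column names are simplified stand-ins for the real Oracle E-Business Suite tables, and the sample rows, thresholds and time windows are assumptions seeded so that every monitor returns at least one exception.

```python
"""Transaction control monitors as SQL queries over a constructed in-memory sqlite schema."""
import sqlite3

AS_OF = "2014-01-28"  # run date for the dormancy and termination checks

# Constructed schema. Table and column names are simplified for the example and are
# not the Oracle E-Business Suite tables a real monitor would query.
SCHEMA = """
CREATE TABLE app_user   (user_name TEXT PRIMARY KEY, end_date TEXT, last_logon TEXT);
CREATE TABLE employee   (emp_id INTEGER PRIMARY KEY, user_name TEXT, termination_date TEXT);
CREATE TABLE gl_journal (je_id INTEGER PRIMARY KEY, source TEXT, amount REAL,
                         created_by TEXT, posted_by TEXT);
CREATE TABLE po_header  (po_id INTEGER PRIMARY KEY, created_by TEXT);
CREATE TABLE ap_invoice (invoice_id INTEGER PRIMARY KEY, vendor_id INTEGER, invoice_num TEXT,
                         amount REAL, po_id INTEGER, created_by TEXT);
CREATE TABLE ap_payment (payment_id INTEGER PRIMARY KEY, vendor_id INTEGER, invoice_num TEXT,
                         amount REAL, payment_date TEXT);
"""
# Constructed sample rows, with at least one exception seeded for each monitor.
SAMPLE = {
    "app_user": [("JDOE", None, "2014-01-27"), ("MSMITH", None, "2013-09-01"),
                 ("RLEE", None, "2014-01-20"), ("TJONES", "2013-12-31", "2013-12-15")],
    "employee": [(1, "JDOE", None), (2, "MSMITH", None), (3, "RLEE", "2014-01-10"),
                 (4, "TJONES", "2013-12-31")],
    "gl_journal": [(1, "Manual", 250000.0, "JDOE", "JDOE"), (2, "Manual", 8000.0, "MSMITH", "JDOE"),
                   (3, "Payables", 90000.0, "SYSADMIN", "MSMITH")],
    "po_header": [(10, "JDOE"), (11, "MSMITH")],
    "ap_invoice": [(100, 7, "INV-77", 4500.0, 10, "JDOE"), (101, 7, "INV-78", 1200.0, 11, "JDOE"),
                   (102, 8, "A-1", 60000.0, None, "MSMITH")],
    "ap_payment": [(500, 7, "INV-77", 4500.0, "2014-01-05"), (501, 7, "INV-77", 4500.0, "2014-01-09"),
                   (502, 7, "INV-77", 4500.0, "2014-03-01"), (503, 8, "A-1", 60000.0, "2014-01-15")],
}

# Monitor name -> (SQL, parameters). Thresholds and windows are the tunable parameters.
MONITORS = {
    "Enter Post Journals SOD Violation":
        ("SELECT je_id FROM gl_journal WHERE created_by = posted_by", ()),
    "Manual Journal Entries over Threshold Amount":
        ("SELECT je_id FROM gl_journal WHERE source = 'Manual' AND amount > ?", (100000.0,)),
    "AP Invoices Over Threshold":
        ("SELECT invoice_id FROM ap_invoice WHERE amount > ?", (50000.0,)),
    "SOD Violation between AP Invoices and PO Documents":
        ("SELECT i.invoice_id FROM ap_invoice i JOIN po_header p ON p.po_id = i.po_id "
         "WHERE i.created_by = p.created_by", ()),
    # Same vendor, invoice number and amount paid twice inside the window.
    "Duplicate Vendor Payments":
        ("SELECT a.payment_id, b.payment_id FROM ap_payment a JOIN ap_payment b "
         "ON a.vendor_id = b.vendor_id AND a.invoice_num = b.invoice_num "
         "AND a.amount = b.amount AND a.payment_id < b.payment_id "
         "WHERE abs(julianday(b.payment_date) - julianday(a.payment_date)) <= ?", (30,)),
    # Termination recorded in HR but the application account is still open.
    "Terminated Employees with Active User Ids":
        ("SELECT e.emp_id, e.user_name FROM employee e JOIN app_user u ON u.user_name = e.user_name "
         "WHERE e.termination_date IS NOT NULL AND e.termination_date <= ? "
         "AND (u.end_date IS NULL OR u.end_date > ?)", (AS_OF, AS_OF)),
    # Still enabled but no logon for more than 90 days.
    "Dormant User IDs":
        ("SELECT user_name FROM app_user WHERE (end_date IS NULL OR end_date > ?) "
         "AND julianday(?) - julianday(last_logon) > ?", (AS_OF, AS_OF, 90)),
}


def load_sample():
    """Create the in-memory database and insert the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    for table, rows in SAMPLE.items():
        placeholders = ",".join("?" * len(rows[0]))
        con.executemany(f"INSERT INTO {table} VALUES ({placeholders})", rows)
    return con


def run_monitors(con, monitors=MONITORS):
    """Run every monitor and return {monitor name: list of exception rows}."""
    return {name: con.execute(sql, params).fetchall() for name, (sql, params) in monitors.items()}


if __name__ == "__main__":
    for name, rows in run_monitors(load_sample()).items():
        print(f"{name}: {rows}")
```

Keeping each monitor as a parameterised query makes the threshold a control setting that can itself be snapshotted and change-tracked, which matters for the benchmarking argument earlier in the deck: the auditor needs evidence that the monitor, not just the ERP, is unchanged since it was last tested.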
38. Transaction Control Monitors
Define credit usage rules In Order Management, credit usage rule sets define the set of
currencies that will share a predefined credit limit during the credit checking process, and enable
the grouping currencies for global credit checking.
Customer reporting hierarchy Receivables uses the following hierarchy to determine the
default payment term for your transactions, stopping when one is found:
1. Bill–to site
2. Customer Address
3. Customer
4. Transaction Type
Approval limits Approval limits affect the Adjustments, Submit Auto Adjustments, and Approve
Adjustments windows as well as the Credit Memo Request Workflow. Define approval limits to
determine whether a Receivables user can approve adjustments or credit memo requests. You
define approval limits by document type, dollar amount, reason code, and currency.
Aging buckets Define aging buckets to review and report on open receivables based on the
number of days each item is past due. For example, the 4–Bucket Aging bucket that Receivables
provides consists of four periods: –999 to 0 days past due, 1 to 30 days past due, 31–61 days
past due, and 61–91 days past due.
39. Change Tracking
Query a change tracker to identify changes across multiple instances.
Select multiple applications to monitor
Query requires Change Tracking Transfer program to run before any data can be collected.
(This program transfers change tracking data from the ERP instances to CCG.)
40. Change Tracking
Monitor Configuration Changes
Users and administrators can monitor before-and-after values, responsible user, and time stamp
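Snapshots, comparisons and change tracking (the Configuration Controls quadrant of the Oracle Advanced Controls slide, and the basis of the PCAOB benchmarking argument at the start of the deck, which turns on showing that a control has not changed since it was last tested) reduce to flattening setup data into keyed attribute values and diffing them. The Python below is an added example, not Oracle's Configuration Controls Governor or FulcrumWay code. The object types, the sample values and the who/when columns are constructed assumptions; the who/when columns stand in for the last-updated-by and last-update-date columns an ERP row carries.

```python
"""Configuration snapshots, cross-instance comparison and change tracking with
before/after values, the responsible user and a time stamp."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Change:
    object_type: str
    object_name: str
    attribute: str
    before: object
    after: object
    changed_by: str
    changed_at: str


def take_snapshot(rows):
    """Flatten rows of (object type, name, attribute, value, last_updated_by, last_update_date)
    into {(type, name, attribute): (value, by, at)} so snapshots compare attribute by attribute."""
    return {(t, n, a): (v, by, at) for t, n, a, v, by, at in rows}


def compare_snapshots(base, other):
    """Value-level differences between snapshots of two instances, ledgers or operating units.
    Who/when is ignored here: only the configuration itself is compared."""
    return {
        "only_in_base": sorted(k for k in base if k not in other),
        "only_in_other": sorted(k for k in other if k not in base),
        "different": sorted(((k, base[k][0], other[k][0]) for k in base
                             if k in other and base[k][0] != other[k][0]), key=lambda d: d[0]),
    }


def track_changes(previous, current, watch_types=None):
    """Change records for every attribute added, removed or altered between two snapshots of
    the same instance. watch_types limits output to the object types under change tracking
    (e.g. profile options, responsibilities, bank accounts from the IT/Super User slide)."""
    changes = []
    for key in sorted(set(previous) | set(current)):
        if watch_types is not None and key[0] not in watch_types:
            continue
        before = previous.get(key, (None, None, None))
        after = current.get(key, (None, None, None))
        if before[0] == after[0]:
            continue
        who, when = after[1:] if key in current else before[1:]
        changes.append(Change(*key, before[0], after[0], who, when))
    return changes


# Constructed sample snapshots; object and value names are illustrative, not real setup.
PROD_T0 = take_snapshot([
    ("PROFILE_OPTION", "SIGNON_PASSWORD_LENGTH", "site_value", "8", "SYSADMIN", "2013-06-01 10:00"),
    ("RESPONSIBILITY", "Payables Manager", "end_date", None, "SYSADMIN", "2012-01-15 09:00"),
    ("BANK_ACCOUNT", "Acme Industrial", "account_number", "5550001", "MSMITH", "2013-11-20 14:30"),
    ("PAYMENT_TERMS", "NET30", "due_days", 30, "SYSADMIN", "2012-01-15 09:00"),
])
PROD_T1 = take_snapshot([
    ("PROFILE_OPTION", "SIGNON_PASSWORD_LENGTH", "site_value", "6", "JDOE", "2014-01-21 22:15"),
    ("RESPONSIBILITY", "Payables Manager", "end_date", None, "SYSADMIN", "2012-01-15 09:00"),
    ("BANK_ACCOUNT", "Acme Industrial", "account_number", "9990003", "JDOE", "2014-01-22 23:05"),
    ("PAYMENT_TERMS", "NET30", "due_days", 45, "APCLERK", "2014-01-24 11:40"),
    ("SECURITY_RULE", "Restrict Cost Centers", "enabled", "N", "JDOE", "2014-01-25 08:05"),
])
TEST_T1 = take_snapshot([
    ("PROFILE_OPTION", "SIGNON_PASSWORD_LENGTH", "site_value", "8", "SYSADMIN", "2013-06-01 10:00"),
    ("RESPONSIBILITY", "Payables Manager", "end_date", None, "SYSADMIN", "2012-01-15 09:00"),
    ("PAYMENT_TERMS", "NET30", "due_days", 30, "SYSADMIN", "2012-01-15 09:00"),
])

if __name__ == "__main__":
    for change in track_changes(PROD_T0, PROD_T1):
        print(change)
    print(compare_snapshots(PROD_T1, TEST_T1))
```

In the sample, the three changes made by JDOE late in the evening (a weaker password length, a supplier bank account, a disabled security rule) are exactly the kind of super-user activity the change-tracking slide lists, and the PROD/TEST comparison shows the test environment no longer matches the configuration being audited.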
41. EBS Form Rule Capabilities
• Defines what actions the element performs
• Empowers the user to make changes to EBS forms and processes
Set security attributes
Compile lists of values (LOV)
Establish navigation paths
Set field attributes
Display messages
Run SQL statements
Define default values for fields
Execute Flow Rule process
42. Form Rule Highlights
Hidden Field
Modify Security Settings
Create Messages
Field Required
Edit Messages
Edit Background
Edit Field Properties
Hide Field Data
Edit Prompt
43. Procure to Pay with Oracle Advanced Controls
Optimization
[Diagram in three columns, Business Risks, Controls Objectives and Continuous Monitors, with each monitor raising an Incident that is investigated and closed.]
Business Risks: Unapproved or Illegal Suppliers; Delayed Supplier payments; Unauthorized Purchases
Controls Objectives: Accurate Supplier Information; Capture all Discounts; Valid Purchase Orders; Ensure Separation of Duties in Procurement; Prevent Cash Flow Leakage
Continuous Monitors: Split purchase orders; Discounts Lost due to Delays in Payment; Supplier and Invoices Created by Same User; Multiple Suppliers with the similar email domain; Multiple Suppliers with the same Tax ID; Multiple Suppliers with the same Bank Account Number; Purchase Orders issued to Blocked Suppliers; Monitor purchases of unauthorized items, such as contraband
Incident workflow: Incident ! → Investigate → Close
44. Q&A
Download DataProbe
Leader in Risk Based Enterprise Controls
One-on-One with Experts
Follow FulcrumWay on LinkedIn for ERP Risk and Controls