SOX Compliance with Application Auditor

Presented by Sunita Sarathy, Product Manager, Absolute Technologies, Inc.
At SROAUG, Los Angeles, March 24, 2006 (v2)

Highlights
- Sarbanes Oxley
  - Common knowledge?
  - Your situation?
- Internal Controls
- IT Best Practices for SOX Compliance
- Auditing Options in Oracle
- Application Auditor
Sarbanes Oxley Act
- SOX – Signed into law on July 30, 2002 as a result of various accounting scandals
- Section 404 requires public companies to attest to the effectiveness of their internal controls over financial reporting
- Section 302 requires that CEOs and CFOs vouch for the integrity of their financial statements

Section 404 Compliance
Compliance with SOX 404 has 4 steps:
1. Identify Key Internal Controls
2. Document the identified Internal Controls
3. Management – Test Internal Controls
4. Auditor – Test Internal Controls
What are Internal Controls?
Measures adopted by an Organization to:
- Ensure integrity and reliability of information
- Ensure Compliance with policies, laws and regulations
- Safeguard assets
- Promote economic and efficient use of resources
- Accomplish established objectives and goals

Mature controls are recognized by:
- Real-time monitoring
- Continuous improvement, enterprise risk management
- Automation support, ability to make rapid changes to controls

When Internal Controls are missing or inadequate
1. Control Deficiency
   - Remote likelihood of undetected material misstatement in financials
   - No requirement to report it
2. Significant Deficiency
   - Adversely affects processes, more than remote likelihood of consequential misstatement
   - Must be reported to the audit committee, but not to the public
3. Material Weakness
   - Significant deficiency, possible material misstatement
   - Needs to be disclosed publicly, in company financial statements
How is IT Affected?
- SOX Section 404 – “Management has to ensure appropriate internal controls of financial reporting”
- Most companies have software applications that impact Financial Reporting, like Oracle, SAP etc.
- Therefore, most IT Applications would need to be regulated as per SOX requirements!

Internal Controls in IT
Best Practices in the development cycle:
- Documentation
- Approvals
- Segregation of Duties (SOD)
- Testing
- AUDITING

Why Audit?
If you don’t properly audit transactions that impact
(a) financial data, and
(b) application setups …
… there is exposure that mistakes or fraudulent activity may be undetected …
… resulting in incorrect financial statements.
Auditors may identify inconsistencies as significant deficiency or material weakness.
How data is changed in Oracle eBusiness Suite
In Oracle, data can be modified through two mechanisms:
- eBusiness Suite of Applications
- Directly at the database level, through tools such as SQL*Plus, TOAD, SQL*Navigator, etc.
Most conventional Auditing options audit one or the other method.

Auditing in Oracle
There are several auditing options* in Oracle:
- Oracle Database – Audit Feature
- eBusiness Suite – Row Who Columns
- eBusiness Suite – End User Access
- eBusiness Suite – Oracle Alerts
- eBusiness Suite – Audit Trail

* Part of Oracle’s products prior to SOX legislation, oriented toward instrumentation and debugging.
1. Database Audit Feature
- Set audit_trail parameter = TRUE in init.ora file
- Execute SQL audit commands from SYSTEM user in SQL*Plus. Transactions are captured in SYS.AUD$ table
Limitations
- No Before and After values for changes. No standard reporting, or form level access to data
- User Notification not possible, as table is owned by SYS

2. EBS – Row Who
- Creation_Date, Created_By, Last_Updated_By, Last_Update_Date, Last_Update_Login
- Navigate to Help > Record History, in the Oracle Applications Menu, or select from within SQL
Limitations
- Only records identities of Initial and Last User
- Does not store Old and New Values
- Cannot handle changes made by processes external to the security of Oracle Applications
3. EBS – End User Access
- System profile option “Sign-On: Audit Level” controls the level of end user access auditing
- Audit using standard reports like SignOn Audit Users, SignOn Audit Responsibilities, SignOn Audit Forms, etc.
Limitations
- Only audits user access, or end user usage of specified forms
- Does not audit changes at the database level
4. EBS – Oracle Alerts
- Oracle’s Exception Reporting Tool
- Use SQL statements to define exception conditions
- Can be Periodic (schedule based) or Event (creates a database trigger)
Limitations
- Event Alerts fire on any change to a record within a defined table, generating unwanted transactions
- May cause Concurrent Request bottlenecks

5. EBS – Audit Trail
- Set System Profile Option AuditTrail: Activate = Yes
- As System Administrator, select Security > AuditTrail > Install
- Define applications, tables and columns to audit
- Run Audit Trail Update Tables program to activate
Limitations
- Can’t toggle audits On/Off for selected tables
- Can’t capture data outside the scope of the audited table
Keys to SOX Compliance
- The Audit triggering process should be automated
- Audit trail (record of transaction, the activity & data) should be meaningful and comprehensive
- Audit Reporting should be convenient
- The Auditing Application should be secure

Enter Application Auditor (Aa)
- Comprehensive auditing solution
- Can be installed and configured in less than an hour
- Create Audit Configurations, for tables and columns to be audited
- User Interface
  - Defines the work flow of defining, creating, configuring, installing, using, and reporting audits
  - Based on Oracle Developer tools, familiar look & feel
- Simplifies audit reporting – all audit trail records go to one table
- All audits are created in custom Aa schema

Application Auditor
[Diagram: Source Tables (FND_USER, AP_CHECKS, ORDER_HOLDS) -> App Auditor -> Transaction Details (Destination) Table]
Create Audit Config
- Select a Source Table – the table to be audited
- Register standard Aa Destination table
- Identify Source Columns – Columns to be tracked
- Aa automatically collects standard Reference information for each record
- Create Conditions, if any, to limit auditing
- Aa maps the Source and Reference Column values to columns in the standard Destination Audit Table
- Compile the configuration – It is now ready to audit!

Audit Mapping
Source Table (FND_USER) -> Destination Table (ai_ce_change_trx)

  Source Columns      Mapped Columns
  START_DATE*         OLD_COLUMN_VALUE
  START_DATE*         NEW_COLUMN_VALUE
  LAST_UPDATED_BY     LAST_UPDATED_BY
  TRANSACTED_DATE     TRANSACTED_DATE
  D_EMAIL             EMAIL
  D_TERMINAL          TERMINAL
Audit Design
- App Auditor dynamically creates trigger-procedure combination
- Database Objects are created in the Aa schema
- Trigger is defined on Source Table, to be fired upon change to Source Columns
- Procedure collects…
  - Before and After Values of Source Columns
  - Reference Columns and other identifying Elements
- … and inserts them into the Transactions table

Audit Flow
1. Source Table is Changed
2. Table based Trigger fires, calls Procedure
3. Procedure collects Old and New Values of Changed Column, and other Reference Columns
4. Inserts audit data into Destination Table

Audit Features
- Single audit table stores –
  - Before and After values of Source Column
  - Source Table and Column name
  - Trigger Action (Insert, Update or Delete)
  - Primary Key of Source Table
  - Who changed Column and When
  - Reference additional column values from Source table
- Embedded SQL to select additional data from other tables
- Audit Notification can be set up via email
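The trigger-procedure design from the Audit Design, Audit Flow and Audit Mapping slides, as an added example that is not Application Auditor's own code: it is built in SQLite so it runs anywhere (Oracle PL/SQL trigger syntax differs), uses the FND_USER / ai_ce_change_trx names and mapped columns from the slides, and assumes the FND_USER column set and the sample row.

```python
import sqlite3
# Added example, not Application Auditor's own code: the trigger-procedure
# audit design from the slides, built in SQLite (Oracle PL/SQL syntax differs).
# Column names follow the Audit Mapping slide; the FND_USER columns are assumed.
SCHEMA = """
CREATE TABLE fnd_user (
    user_id         INTEGER PRIMARY KEY,
    start_date      TEXT,
    email           TEXT,
    last_updated_by TEXT
);
-- Single destination table: one row per changed Source Column.
CREATE TABLE ai_ce_change_trx (
    trx_id           INTEGER PRIMARY KEY AUTOINCREMENT,
    source_table     TEXT NOT NULL,
    source_column    TEXT NOT NULL,
    trigger_action   TEXT NOT NULL,     -- INSERT, UPDATE or DELETE
    source_pk        INTEGER NOT NULL,  -- Primary Key of Source Table
    old_column_value TEXT,
    new_column_value TEXT,
    last_updated_by  TEXT,
    transacted_date  TEXT NOT NULL DEFAULT (datetime('now')),
    email            TEXT               -- Reference Column copied from the row
);
-- Fires on UPDATE of the Source Column only when its value really changed.
CREATE TRIGGER fnd_user_start_date_au
AFTER UPDATE OF start_date ON fnd_user
WHEN OLD.start_date IS NOT NEW.start_date
BEGIN
    INSERT INTO ai_ce_change_trx (source_table, source_column, trigger_action,
        source_pk, old_column_value, new_column_value, last_updated_by, email)
    VALUES ('FND_USER', 'START_DATE', 'UPDATE', NEW.user_id,
        OLD.start_date, NEW.start_date, NEW.last_updated_by, NEW.email);
END;
CREATE TRIGGER fnd_user_start_date_ad
AFTER DELETE ON fnd_user
BEGIN
    INSERT INTO ai_ce_change_trx (source_table, source_column, trigger_action,
        source_pk, old_column_value, new_column_value, last_updated_by, email)
    VALUES ('FND_USER', 'START_DATE', 'DELETE', OLD.user_id,
        OLD.start_date, NULL, OLD.last_updated_by, OLD.email);
END;
"""

def run_audit_demo():
    """Change a constructed FND_USER row; return (action, old, new, who) audit rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.execute("INSERT INTO fnd_user VALUES (1, '2006-01-01', 'sysadmin@example.test', 'SYSADMIN')")
    # The trigger runs whichever client issued the UPDATE (SQL*Plus, TOAD or the app).
    con.execute("UPDATE fnd_user SET start_date = '2006-03-24', last_updated_by = 'DBA' WHERE user_id = 1")
    # Re-saving the same value is not a change and must not create an audit row.
    con.execute("UPDATE fnd_user SET start_date = '2006-03-24' WHERE user_id = 1")
    con.execute("DELETE FROM fnd_user WHERE user_id = 1")
    return con.execute("SELECT trigger_action, old_column_value, new_column_value, last_updated_by FROM ai_ce_change_trx ORDER BY trx_id").fetchall()
```

Because the trigger lives in the database rather than in the application, it records the change regardless of which tool made it, which is the gap the Row Who and End User Access options leave open.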
Revision Architecture
- Aa uses Revisions to create separate audit bins
- Audits may be migrated across revisions, across schemas, or even across database instances.
  - Migrate Audit from Revision 1 to Revision 2
  - Migrate entire Revision from Dev to Prod instance
- Only one compiled revision can exist at a point in time

Revision Architecture
- Allows the separation of audits based on user criteria
- Allows one-step compilation of all audits in a revision
[Diagram: Compiled Audits Revision (example); Development Revision (example)]
Audit Reporting
- Audit Transactions Report
  - Displays the old and new values of the column, the database user who updated the record, and the identity of the terminal used to make the change
- Audit Configurations Report
  - Facilitates review discussion with external auditor
  - Documents all audit configurations defined in Application Auditor
- View Transactions Form
  - Displays the various audited transactions created as a result of triggered audits

SOX Audit Package
- Pre-defined set of 80+ table level audits, based on key setup and transaction tables that can impact Financial reporting and controls in Oracle eBusiness Suite
- Package can be loaded and compiled within minutes

Aa Administrator
Audit the Auditor!
- Create and maintain Aa Audit users
- Track changes to database objects in any schema
- Maintain Admin email accounts, which receive a copy of all email notifications sent from Aa
- Define content for Aa email alerts
Aa Customer: Silicon Image
- Requirement: Differentiate updates made from SQL*Plus and Oracle Apps
- Solution: Aa’s Check Terminal feature allows the user to identify how the transaction was performed.

Aa Customer: Harmonic
- Requirement: Monitor selected users’ transactions
- Solution: Aa provides notification when unauthorized transactions occur
- Condition feature allows tracking to be limited based on user criteria
  - Changes made via external processes
  - Changes made by a specific user

Aa Customer: Tektronix
- Requirement: Track Sales Order changes for separate business and financial review
- Solution: Aa’s custom table option allows for audit records to be mapped to separate audit trail table

Finally…
- Highlights
  - Can audit database and Oracle E-Business Suite transactions
  - Email Notification when audit is triggered
  - Auditing can be limited to user defined criteria
  - Custom Schema to ensure audit integrity and security
- Application Auditor is highly performance optimized… no performance issues
- User-friendly Forms Interface
- Audit security maximized by dual role auditing (Auditor and Audit Administrator)