TECHNICAL BRIEF ACL AuditExchange 3: Technology for Business Assurance


© Copyright 2011 ACL Services Ltd. ACL and the ACL logo are trademarks or registered trademarks of ACL Services Ltd. All other trademarks are the property of their respective owners.

CONTENTS

Introduction

Why Does Audit Need ACL AuditExchange

How ACL AuditExchange Can Help

What’s New in ACL AuditExchange 3

Capability Overview by Platform Component
    AX Core Components
    Optional Components: For Advanced Data Access and Analytic Capability

AX Core Technical Description
    Client Interfaces
    AX Core Server Modules
    Communication Ports
    System Security
    AX Core and AX Gateway Configuration

Optional Components Technical Description
    AX™ Exception
    Communication Ports
    Direct Link™
    AX™ Datasource
    Communication Ports

AuditExchange Platform: Deployment and Usage Considerations
    Repository Design
    Data Access
    Data Management
    Security

AuditExchange Server Hardware Architecture
    AX Core
    AX Exception
    AX Datasource
    Supported Configurations

INTRODUCTION

ACL AuditExchange™ is a robust Java platform that is built using the best of open source technologies and adheres to many industry standards. This document is intended to provide technical details of the platform, including its components and underlying technical processes, for IT departments to help assess their requirements for implementation, upgrade, and/or ongoing maintenance.

There are two releases of ACL AuditExchange 3: one release supports Unicode data, and a separate release supports non-Unicode data. This is a very important distinction for your IT and audit department to consider – because if an ACL Project is opened in a Unicode edition it cannot be converted back to be opened in a non-Unicode ACL Desktop edition.

WHY DOES AUDIT NEED ACL AUDITEXCHANGE

All organizations face risk, and your audit department helps mitigate your organization’s risk by testing data to ensure your business controls are effective – this is known as business assurance. Finance, IT, Operations and Fraud Prevention are all areas where audit can provide assurance and eliminate risks that can cost your organization money, and in worst-case scenarios devastate an organization’s reputation.

Here are the challenges audit faces in providing that assurance:

Data access – getting secure, reliable access to your enterprise data when they need it. The largest organizations may have more than a hundred different ERP or enterprise data systems, and the smallest organizations may only have a few but face equal challenges getting to those few.

Managed storage – security is paramount once the data is accessed from the source systems. Now audit needs a centralized place to store, manage, analyze and distribute any sensitive content in a controlled or restricted way across the broader audit team and to relevant stakeholders in the organization. This managed storage must meet or exceed the security requirements imposed by IT, organizational, regional and/or regulatory security policies.

Coverage – in facing both increasing business risks and volumes of transactions in the global economy, Audit is tasked with providing more assurance with the same or less resources; therefore Audit needs a toolset to help provide more coverage.

HOW ACL AUDITEXCHANGE CAN HELP

The ACL AuditExchange platform is designed to overcome the challenges that audit faces and in turn provide more coverage and ultimately the business assurance your organization needs.

Data access – ACL AuditExchange provides multiple options for Audit to gain access to the enterprise data it needs to test in order to provide assurance, without overburdening IT resources or compromising the data systems that IT ensures are available, protected and optimized.

» ACL AuditExchange and ACL™ Desktop can use native and direct data access to any existing data system or use a read only view to a data warehouse that IT already has in place, in an automated or ad hoc manner as required.

» Direct Link™ is an optional component required to access SAP ERP data directly.

Reasons why you need to consider Unicode

» Do you plan to analyze data with textual characters containing double-byte data or Cyrillic languages, such as: Chinese, Japanese, Korean, Turkish, Russian, Arabic, Hebrew or any other Asian or non-Western European language?

» Do you now or do you plan to connect to databases or Enterprise Resource Planning (ERP) systems (e.g., SAP) that have Unicode encoding?

If you are unsure, please check with your audit or IT department, and also with an ACL representative to discuss options and repercussions.

» AX™ Datasource is an optional component that partners with Informatica’s PowerCenter ETL solution (extract, transform, load) to help gather more complex organizational and data environments, and to help meet the most sophisticated analytic requirements – continuous audit and monitoring that provides the ultimate in coverage and business assurance.

Managed Storage – ACL AuditExchange provides a managed and secure platform for audit and IT to ensure and govern which users have access to which data or sensitive content.

Coverage – ACL AuditExchange helps audit provide more coverage in a number of ways:

» It reduces the amount of time required for data access, especially if automated processes are established. This frees up specialized data auditors to utilize their skills in other areas.

» The managed platform allows data that is required for many audit tests to be re-used and re-purposed, whilst providing maximum security and flexibility for sharing and distribution when required.

» Lastly, the optional component AX™ Exception allows the data analytic experts in audit to prepare the analytic tests to find transactions that exceed your business controls and then distribute them to business stakeholders for review and follow-up based on your organization’s remediation process for high-risk business areas.

WHAT’S NEW IN ACL AUDITEXCHANGE 3

New architectural features for IT to consider:

» Oracle 10 & 11 is now supported as a database for AX™ Core and AX Exception.

» Single Sign On is supported for the AuditExchange platform using Integrated Windows Authentication, which extends to any 3rd Party SSO Solution that uses the same.

» Unicode or non-Unicode data can now be analyzed and stored using the platform.

» 64-bit server architecture is supported and recommended, but the analytic engine is still a 32-bit application that requires 32-bit drivers.

New features for the specialist auditor using AX Core Client:

» AX Core Client (formerly AX GatewayPro) now contains an editor to view and edit existing AX analytics and ACL Desktop scripts.

» AX Core Client can now run or schedule AX Analytics in the Library.

» AX Core Client can now create Master, Linked or Standalone ACL Tables by copying.

» AX Core Client can now create Master, Linked or Standalone AX Analytics by copying.

» AX Analytics now support an encrypted password parameter.

» A single AX Analytic can now publish multiple result tables to AX Exception.

New features for the broader audit team using AX™ Gateway:

» ACL Tables can now be opened in Microsoft Excel from AX Gateway.

» A new menu and home page for improved navigation and easier access to working items.

New features for the business stakeholders using AX Exception:

» Attachments can now be uploaded to a single or batch of exceptions.

» User Interface improvements for easier navigation and filtering.

» Usability improved for editing, scrolling and selecting exceptions for remediation.

CAPABILITY OVERVIEW BY PLATFORM COMPONENT

AX Core Components

Following is a capability overview of each component of the ACL AuditExchange platform. As your audit department becomes more sophisticated in its analytic capabilities, it will need more of the optional components in order to meet increasing assurance needs.

AX™ Core — the hub of AuditExchange

AX Core is the hub of ACL’s business assurance platform. It contains both the AX Core application server and the AX Core database server, though it is recommended they be distributed to optimize performance. AX Core stores and manages all audit content, regardless of file type, including associated audit documents. Leveraging server security and speed, AX Core provides powerful analytic processing capabilities and the ability to easily schedule and automate analysis in a secure environment.

AX Core Client is the thin client user interface that supports specialized data analysts, and provides administrative setup of your audit projects in the repository, management of users and content permissions, and manual loading of audit content to the AX Core to support remote and ad hoc analysis. The AX Core Client requires an instance of ACL Desktop in order to start up.

ACL™ Desktop Edition

ACL Desktop is recognized worldwide as the leading PC-based data analysis software for audit and financial professionals. Providing a unique and powerful combination of data access, analysis and integrated reporting, ACL Desktop enables you to gain immediate visibility into transactional data critical to your organization. Whether as a standalone tool, or as part of the more powerful AuditExchange solution, ACL Desktop allows you to analyze entire data populations in search of transactional anomalies. ACL Desktop provides the tool for remote and ad hoc analysis, as well as the development environment to create analytics and prepare data for loading to AX Core.

AX™ Gateway

AX Gateway is an optional web-based server and client which allows your audit specialists to share work that is tasked to the broader, less specialized audit staff in a secure manner, and provides easy-to-use analysis capabilities. The AX Gateway web server is embedded and installed in AX Core, but it may require separate activation if licensed separately. AX Gateway now allows users to open ACL tables in Excel 2003, 2007 or 2010, but the optional Add-ins are required to do this.

AX Add-ins for Microsoft Office

AX Add-ins for Microsoft Office are an optional component that provides the ability to Open, Save or Insert URLs to/from AX Core content within six Microsoft Office applications: Excel, Outlook, Word, PowerPoint, Project or Visio. AX Add-ins are required for Gateway users to open ACL tables directly to Excel in AuditExchange 3.

Optional Components: For Advanced Data Access and Analytic Capability

AX™ Exception — quickly correct fraud, error and inefficiency

An add-on component to ACL AuditExchange, AX Exception is a web-based application that offers the ability to immediately manage the distribution, assignment, escalation and remediation of each exception found during data analysis testing – limiting the impact of fraud, error and inefficiencies on the organization. This component requires the most sophisticated analytic capability targeted at audit departments that are ready to transition from continuous audit, where the audit team investigates all results, to continuous monitoring where investigation is turned over to business stakeholders using the AX Exception system.

Direct Link™ — Seamless access to SAP ERP table data

The Direct Link solution provides ACL Desktop and AuditExchange users direct and secure access to SAP® ERP data when it’s needed without having to rely on busy IT resources. Direct Link has achieved SAP interface certification designation for all SAP ERP releases. Direct Link requires the installation of: a Direct Link SAP Add-on component on the SAP system(s); a Direct Link client on the ACL Desktop(s); and an AX Link client on the AuditExchange server(s).

AX™ Datasource — Direct access to enterprise data types

Powered by Informatica® PowerCenter®, the worldwide market leader in Extract, Transform and Load (ETL) technology, AX Datasource provides access to more enterprise data types than any other technology on the market. It also supports automated data extracts and the ability to mask sensitive data, allowing for faster and more comprehensive repetitive and continuous analysis.

Figure 1: AuditExchange Platform Summary

AX CORE TECHNICAL DESCRIPTION

Client Interfaces

AX Core Client

Formerly named AX GatewayPro, AX Core Client is a thin client Java application that provides the user interface for managing the content, security, and users of AX Core. It comes with its own Java Runtime Environment (JRE), so a separate JRE need not be installed on each user’s PC.

ACL™ Desktop Edition

ACL Desktop Edition runs on a user’s PC, where it provides a user interface and analytic engine for ad hoc or remote data analysis. ACL Desktop is also the environment for developing analytics that can be run and scheduled in AX Core.

When accessing server-side data and performing ad hoc desktop analysis or running scripts locally, ACL Desktop accesses server resources using AX Core Desktop Connector (see “AX Core Server Modules” below) over TCP/IP, using default port 10000. While connected to the server, the data remains on AX Core for security, and ACL commands are processed server-side, using server resources. This is also the recommended way to use existing ACL Desktop scripts without converting or migrating them to AX analytics, when they are not required for distribution to other users or for automation.

Important: For the Unicode release, a different edition of ACL Desktop is required, so existing customers may need to replace their existing ACL Desktop client if their organization requires analysis of Unicode data.

AX™ Gateway

AX Gateway is the optional browser-based interface that supports Internet Explorer 6, 7, and 8. Internet Explorer connects to AX Core using https (http over SSL). AX Gateway is used to open ACL data tables in Excel for secondary analysis or reporting, but requires AX Add-ins.

AX Core Server Modules

AX Core is composed of the following six server modules.

1. AX Core (application server)

AX Core is central to the ACL AuditExchange platform, providing the following:

AuditExchange repository – storage and retrieval of analytics, tables, ACL projects, data files, and any associated audit documents, for example MS® Word (.doc, .docx), Excel® (.xls, .xlsx), .pdf, or other media files.

AuditExchange user management, including user setup and managing permissions on repository content.

Quartz scheduler - Quartz is used by AX Core to run and schedule AX analytics for automation, and continuous audit and monitoring.

Analytic engine for AX analytic and ACL script execution.

Central Authentication Service (CAS) is used by AuditExchange to provide form-based username/password authentication or silent authentication, also known as Integrated Windows Authentication. Authentication is described in later sections.

Analytic engine executes any commands, functions or scripts in ACL Desktop when an ACL Project is opened in AX Core Client from the server and the source data .fil file remains on the server.

2. AX analytic server

The analytic server is the execution environment for analytics initiated through AX Core. ACL AuditExchange allows you to move analytic processing off of the AX Core server, and only the smallest of audit departments with light audit usage should consider not deploying this distributed server in their hardware architectural configuration. By configuring one or more analytic servers, you can schedule many long running, data intensive analytics, or even run analytics during working hours, without impacting the AX Core server. By moving analytic processing away from the AX Core server, AX Core will be able to dedicate its resources to handling end user requests from AX Gateway and AX Core Client. AX Gateway and AX Core Client will be more responsive, providing increased productivity and a better user experience.

Analytic servers are easily installed and configured. Once the software is installed, the AX Core administration console provides the ability to add, remove, and configure analytic servers. Each analytic server can be configured with a maximum number of concurrent analytics, allowing each server to be configured based on capability and performance. If the analytic servers are processing their maximum number of concurrent analytics, any further analytics are automatically queued by AX Core until an available core processor becomes free.

Performance Information

When an analytic is run or triggered via schedule, an ACLScript.exe process is launched. The ACLScript.exe process exits when the analytic script finishes.

To reduce load on the AX Core server, one or more analytic servers should be used. Analytic servers are dedicated to running analytics. When at least one AX Analytic server is deployed separate from AX Core, AX Core stops processing analytics and only governs dispatching queued analytics until a core processor is available on the AX Analytic server.

System resource usage by the analytic server depends on how many analytics are concurrently run, the ACL commands used, and the amount of data being analyzed. Another factor affecting performance is whether analytic script authors perform an extract on the data first, so that subsequent scripting commands do not congest throughput from the source data to the analytic server. Even though an ACLScript.exe process is single-threaded, multiple CPU cores are used when multiple analytics, governed by AX Core, run simultaneously. The Windows operating system determines which CPU core is assigned to an ACLScript.exe process. Analytics should be scheduled to make efficient use of server resources. The analytic server will benefit from fast CPUs and fast disk I/O throughput, but running many analytics simultaneously can affect performance, particularly when analyzing large data sets. For heavy analytic usage against large data sets, a Storage Area Network or Network Attached Storage application with fibre channel is recommended.

3. AX Core desktop connector

The AX Core desktop connector is embedded within AX Core. It provides communication for data access between AX Core and the ACL Desktop client interfaces, using an aclse.exe process.

When AX data tables or ACL projects/AX analytics are exported from AX Core, the default behavior is for data files (.fil) to remain on the server machine (although exporting of data files for offline work is supported). Using ACL Desktop’s ability to connect to AX Core desktop connector, AuditExchange allows remote access to data files residing in the AX Core repository. Sensitive data files remain on the server. This type of usage might be favored by your audit or IT department in order for your audit department to meet your organizational or regulatory security policy.

Database Access

The AX Core desktop connector supports direct access to Oracle, DB2® and SQL Server™ databases. When reading data from the direct database interfaces, the database provides only raw data via SQL SELECT statements, as the data analysis is performed by ACL’s analytical algorithms, not SQL statements. Direct database access in this mode uses native, RDBMS vendor-provided drivers to connect to the database, inheriting security and functionality such as tie-ins to Active Directory and support for clusters from the drivers. Using the vendor-provided drivers also means that the AX Core desktop connector can function in any database topology supported by the vendor, such as accessing OS/400-based DB2 data using DB2 Connect from a Windows server.

Performance Information

Each connection from the ACL Desktop Edition client to the AX Core desktop connector creates a new aclse.exe process on the AX Core server machine. The aclse.exe process exits when the ACL Desktop connection is closed.

Server resource usage by the ACL server depends on how many ACL Desktop users are connected, which ACL commands are executed, and the size of the data being analyzed. Even though an aclse.exe process is single-threaded, multiple CPU cores are taken advantage of since each ACL Desktop connection creates an aclse.exe process. The Windows operating system determines which CPU core is assigned to an aclse.exe process.

While ACL Desktop is connected to the AX Core server, ACL commands are executed by the AX Core desktop connector. This impacts server resources since CPU cycles, disk I/O, and memory are consumed by each aclse.exe process. Depending on the ACL command executed, and the size of data file, aclse.exe processes can consume significant CPU cycles and disk I/O. Memory is less of a concern since each aclse.exe has a relatively low memory requirement of a few MBs, plus an additional (up to) 5MB while sorting data (configurable up to 100MB for improving sort performance at the expense of memory). As more users open and work with AX Core repository data files, more AX Core server resources are consumed.

The AX Core server will benefit from fast CPUs and fast disk I/O throughput. Understanding your audit department’s usage requirements will help IT deploy the appropriate hardware configuration to optimize performance.

4. Geronimo Application Server

Apache Geronimo is an enterprise Java application server, providing services and functionality similar to IBM WebSphere and Oracle WebLogic. AX Core, AX Core Client, AX Gateway, AX Core administration, AX Exception, and AX Exception administration all run within the Geronimo Application Server.

5. Tomcat Web Server

In AX3, AX Gateway is an optional component. For new installations, the Gateway web server is included in the AX Core Geronimo application server, and although it is only one installation, it does require separate activation from AX Core. For customers upgrading from AX2.x no extra steps are required to activate Gateway.

6. AX Core database

The AX Core database can be either Oracle or PostgreSQL. For PostgreSQL, the PostgreSQL server and the AX Core database can be installed and configured by the AX Core installer. For organizations that require Oracle, an Oracle DBA is first required to create a schema for AX use, and the DBA will provide connection information that the AX Core installer can use when creating AX Core database tables, stored procedures, etc.

The AX Core database holds the AX Core repository content, with the exception of data files (.fil). Data files are stored outside the database due to their potential size, and because the AX Core desktop connector and the AuditExchange analytic engine require direct access to the data files.

The AX Core database also holds ACL AuditExchange user and role information, which accommodates AX Core and AX Exception (optional component).

Important: For Oracle and the Unicode release of AuditExchange, an Oracle instance with the database character set and the national character sets set to either UTF-8 or UTF-16 is required.

The AX Core database is recommended to be installed on a separate server from AX Core for all but the smallest of audit departments and resulting usage.

7. AX Core administration

AX Core administration provides remote access to AX Core configuration settings, including configuration of analytic servers. These are the same settings, noted below, that are set within the aclAuditExchange.xml file. This console is accessed using a web browser.

Communication Ports

Default Port | Component – Protocol | Encryption | Remote connectivity required?
4201 | Geronimo EJB - Remote Method Invocation (RMI) | SSL | Yes – AX Core Client
5432 | PostgreSQL Database – custom | Supported | Yes(*) – AX Exception
8443 | Geronimo Web Server – https | SSL | Yes – AX Gateway (web browser) & AX Core Client & AX Datasource importer
10000 | ACL server – custom | TwoFish 128bit | Yes – ACL Desktop
1099 | Geronimo Naming – JNDI | None | No
1527 | Geronimo System Database - custom | None | No
8009 | Geronimo Web Server – AJP | None | No
8080 | Geronimo Web Server – http | None | No
9999 | Geronimo Management – JMXMP | None | No
61613 | Geronimo Messaging – Stomp | None | No
61616 | Geronimo Messaging – OpenWire | None | No

* Remote connectivity to the AX Core database is required if AX Exception is running on a separate machine.

Note: Your IT will stipulate which port is required when Oracle is used as the AX Core database server.
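One way to check a deployed AX Core host against the port table above, added here as an example and not part of ACL's documentation or software: the script reads Windows `netstat -ano` output and reports any port the table marks as not needing remote connectivity that is bound to a network interface or has a non-local peer. The function names and the sample netstat lines are constructed for illustration, and 5432 is treated as remote only when AX Exception runs on a separate machine, per the table footnote.

```python
import ipaddress

# Default AX Core ports, transcribed from the Communication Ports table:
# port -> (component, encryption, remote connectivity required?)
AX_CORE_PORTS = {
    4201: ("Geronimo EJB - RMI", "SSL", True),
    5432: ("PostgreSQL Database", "Supported", True),
    8443: ("Geronimo Web Server - https", "SSL", True),
    10000: ("ACL server", "TwoFish 128bit", True),
    1099: ("Geronimo Naming - JNDI", "None", False),
    1527: ("Geronimo System Database", "None", False),
    8009: ("Geronimo Web Server - AJP", "None", False),
    8080: ("Geronimo Web Server - http", "None", False),
    9999: ("Geronimo Management - JMXMP", "None", False),
    61613: ("Geronimo Messaging - Stomp", "None", False),
    61616: ("Geronimo Messaging - OpenWire", "None", False),
}

# Constructed sample in Windows `netstat -ano` layout (documentation addresses).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:8443           0.0.0.0:0              LISTENING       2140
  TCP    0.0.0.0:4201           0.0.0.0:0              LISTENING       2140
  TCP    0.0.0.0:10000          0.0.0.0:0              LISTENING       1872
  TCP    0.0.0.0:5432           0.0.0.0:0              LISTENING       1520
  TCP    127.0.0.1:1099         0.0.0.0:0              LISTENING       2140
  TCP    127.0.0.1:1527         0.0.0.0:0              LISTENING       2140
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       2140
  TCP    [::]:9999              [::]:0                 LISTENING       2140
  TCP    127.0.0.1:61616        0.0.0.0:0              LISTENING       2140
  TCP    192.0.2.10:8080        198.51.100.23:50211    ESTABLISHED     2140
  TCP    192.0.2.10:61613       203.0.113.5:443        ESTABLISHED     4412
  TCP    192.0.2.10:8443        198.51.100.23:50212    ESTABLISHED     2140
"""


def remote_expected(port, exception_on_separate_host=False):
    """Is remote connectivity to this port expected, according to the table?"""
    if port == 5432:  # footnote: only when AX Exception is on another machine
        return exception_on_separate_host
    return AX_CORE_PORTS[port][2]


def _endpoint(text):
    """Split '1.2.3.4:80' or '[fe80::1%12]:80' into (ip_address, port)."""
    host, _, port = text.rpartition(":")
    return ipaddress.ip_address(host.strip("[]").split("%", 1)[0]), int(port)


def parse_netstat(text):
    """Return (local_ip, local_port, remote_ip, state) for each TCP row."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue
        try:
            local_ip, local_port = _endpoint(fields[1])
            remote_ip, _ = _endpoint(fields[2])
        except ValueError:
            continue  # header row or non-numeric address
        rows.append((local_ip, local_port, remote_ip, fields[3].upper()))
    return rows


def audit(netstat_text, exception_on_separate_host=False):
    """Return sorted (port, finding) pairs for ports exposed beyond the table."""
    rows = parse_netstat(netstat_text)
    # 61613/61616 sit in the Windows dynamic port range, so an outbound
    # connection can reuse them; only ports with a local listener count.
    listening = {port for _, port, _, state in rows if state == "LISTENING"}
    findings = set()
    for local_ip, port, remote_ip, state in rows:
        if port not in AX_CORE_PORTS or port not in listening:
            continue
        if remote_expected(port, exception_on_separate_host):
            continue
        if state == "LISTENING" and not local_ip.is_loopback:
            findings.add((port, "listening-on-network"))
        elif (state == "ESTABLISHED" and not remote_ip.is_loopback
              and remote_ip != local_ip):
            findings.add((port, "remote-peer"))
    return sorted(findings)


if __name__ == "__main__":
    for port, finding in audit(SAMPLE_NETSTAT):
        component, encryption, _ = AX_CORE_PORTS[port]
        print(f"{port:>5}  {finding:<21} {component} (encryption: {encryption})")
```

A listener bound to 0.0.0.0 may still be blocked by a host firewall, so a "listening-on-network" result is a prompt to confirm the firewall rule, while a "remote-peer" result shows a non-local client already connected.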

System Security

The following system accounts are required by AX Core and are optionally created by the AX Core server installation (if not already existing):

» A Geronimo service account

» An AX database service account for PostgreSQL or Oracle

Additionally, AX Core requires a PostgreSQL user account (also specified during the AX Core installation).

The table below notes how the AX Core system performs specific background actions:

Action | Run By
Scheduled AX Analytic | Geronimo service account
“Run Now” AX Analytic | Geronimo service account
AX Core desktop connector session (initiated via ACL Desktop Edition) | Logged in user

AX Core and AX Gateway Configuration

The following files contain configuration settings for the AX Core and AX Gateway servers. Notable settings are described for each of them below.

aclAuditExchange.xml:
- AX Core data directory – The file path where AuditExchange stores repository data files (.fil).
- AX Core file transfer directory – The file path used for temporary file storage during upload and download operations.
- AX Core analytic engine working directory – The file path used by AX Core as the default location for storing ACL table data files (.fil). For each user that connects to AX Core via the AX Core desktop connector from the ACL Desktop client, a directory is created here named after the user’s name.
- AX Core analytic engine port number – The port number used by the AX Core desktop connector (ACLSE) service.


- Default domain – The Active Directory domain to use by default if a user does not specify a domain when they log in.
- AX Exception data upload URL – The URL that AX Core uses to publish exception results to AX Exception. This text box is only displayed if AX Exception is installed.
- AX Datasource address – The IP address of the AX Datasource server. This text box only requires a value if AX Datasource is used to automatically send data extracts to the AX Core repository.

aclDatabase.xml: Contains the hostname or IP address of the AX Core database server, the database driver type (Oracle or PostgreSQL), along with the database username and password. Because aclDatabase.xml contains sensitive user and password information, it is automatically encrypted by AX Core. Once encrypted, the settings cannot be modified except by recreating the file.

aclQuartz.properties: Contains configuration for the Quartz scheduler.

aclSchedulerCluster.xml: Controls the number of concurrent analytics which can be executed by AX Core. This file also contains the settings for analytic servers.

aclScriptEngine.xml: Contains configuration settings for the analytic engine, such as the path to the ASCLScript.exe

axGateway.properties:
- Temporary work directory when opening an ACL data table in Excel.
- The Excel template file to use when opening an ACL data table in Excel.
- Maximum number of items displayed within the Recent Work screen – default 25.
- Number of days past to display Recent Work items – default value 7.
- Maximum single file upload size into the repository.
  » Default is 2Gb
  » Maximum is 2Gb
- Maximum number of items returned by a Search – default value 50.
  » If Search query returns more than this maximum, user will be prompted to refine their search.

OPTIONAL COMPONENTS TECHNICAL DESCRIPTION

AX™ Exception

AX Exception is a browser-based application providing audit exception remediation workflow, reporting, and notification. Exceptions are fed into AX Exception from scheduled analytics running in AX Core. Internet Explorer connects to AX Exception using https (http over SSL).


Analytics scheduled to run in AX Core can be configured to publish exceptions to AX Exception. AX Core opens an https connection to the AX Exception server and the publish operation transfers exception data (records), parameter values, and metadata.

AX Exception Administration

AX Exception Administration provides AX Exception user management, allowing initial creation of users, as well as ongoing management of entity and role assignment to each user. The entity determines which data a user is allowed to view, and the role determines which actions they can undertake in the remediation workflow. This component is accessed using a web browser.

Geronimo Application Server

Apache Geronimo is an enterprise Java application server, providing services and functionality similar to IBM WebSphere and Oracle WebLogic. AX Exception runs within the Geronimo Application Server.

AX Exception database

The AX Exception database can be either Oracle or Microsoft SQL Server. For SQL Server, the AX Exception database can be installed and configured by the AX Exception installer. For Oracle, an Oracle DBA is first required to create a schema for AX use, and the DBA will provide connection information that the AX Exception installer can use when creating AX Core database tables, stored procedures, etc.

The AX Exception database stores information for the AX Exception application, with the exception of users and roles. Users and roles are shared with AX Core via the AX Core database.

The AX Exception database should be installed on a separate machine from AX Exception. Encryption of the communications between AX Exception and the database is controlled by database server configuration.

Important: For Oracle and the Unicode release of AuditExchange, an Oracle instance with the database character set and the national character sets set to either UTF-8 or UTF-16 is required.

Communication Ports

| Default Port | Component – Protocol | Encryption | Remote connectivity required? |
|---|---|---|---|
| 1433 | SQL Server – custom | supported | No |
| 8443 | Geronimo Web Server – https | SSL | Yes - AX Exception (web browser) |
| 1099 | Geronimo Naming – JNDI | None | No |
| 1527 | Geronimo System Database – custom | None | No |
| 8009 | Geronimo Web Server – AJP | None | No |
| 8080 | Geronimo Web Server – http | None | No |
| 9999 | Geronimo Management – JMXMP | None | No |
| 61613 | Geronimo Messaging – Stomp | None | No |
| 61616 | Geronimo Messaging – OpenWire | None | No |


Direct Link™

Direct Link provides direct access to SAP data from AuditExchange analytics via the AuditExchange analytic engine. Communications to an SAP system can be configured for encryption.

Note: There is an additional component of Direct Link that must be installed on each SAP server that is to be accessed by AuditExchange or ACL Desktop.

AX™ Datasource

ACL embeds Informatica® PowerCenter® within the AX Datasource application for specific use with the AuditExchange platform in order to source data from various formats within an organization for audit usage within the AX Core repository.

In addition to the components described below, there are several data connectors that are available to provide format-specific connectivity to a variety of business applications.

Informatica PowerCenter Client

The PowerCenter client connects to the PowerCenter server and is used to set up data mappings, workflows and tasks for extracting data from hundreds of different data sources.

Informatica PowerCenter Server

PowerCenter provides data extract and transformation capabilities from hundreds of different data sources. Data is extracted to data files in a format that is compatible with ACL Desktop Edition, the AX Core desktop connector, and the AuditExchange analytic engine. Extracted data files are then imported into AX Core using the AX Datasource importer.

AX Datasource Importer

This component resides on the AX Core server and allows PowerCenter data extracts to be automatically imported into AX Core. Data files and metadata are transferred to AX Core securely using https.

Communication Ports

| Default Port | Component – Protocol | Encryption | Remote connectivity required? |
|---|---|---|---|
| 6001 | Informatica PowerCenter Node – custom | None | Yes – PowerCenter client |
| 6002 | Informatica PowerCenter Service Manager – custom | None | No |
| 6005(+) | Informatica PowerCenter Services – custom | None | Yes – PowerCenter client |

+ Depending on services configuration, PowerCenter may use default ports 6005-6015
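The Communication Ports tables for AX Core, AX Exception and AX Datasource can be turned into a host-level exposure check. The Python sketch below is an added example, not ACL code: it parses constructed `netstat -ano` output and flags listed ports whose binding disagrees with the tables. The finding names, the `POLICY` layout and the reading of "Supported" as "confirm encryption is enabled" are assumptions of this example.

```python
import ipaddress
import re
from typing import NamedTuple

class PortRule(NamedTuple):
    service: str
    encryption: str   # "Encryption" column, as printed in the brief
    remote: bool      # "Remote connectivity required?" column

# Geronimo ports that both the AX Core and AX Exception tables list as
# unencrypted with no remote connectivity required.
GERONIMO_LOCAL = {
    1099: PortRule("Geronimo Naming - JNDI", "None", False),
    1527: PortRule("Geronimo System Database", "None", False),
    8009: PortRule("Geronimo Web Server - AJP", "None", False),
    8080: PortRule("Geronimo Web Server - http", "None", False),
    9999: PortRule("Geronimo Management - JMXMP", "None", False),
    61613: PortRule("Geronimo Messaging - Stomp", "None", False),
    61616: PortRule("Geronimo Messaging - OpenWire", "None", False),
}
HTTPS = PortRule("Geronimo Web Server - https", "SSL", True)
POLICY = {
    "ax_core": {
        **GERONIMO_LOCAL,
        8443: HTTPS,
        10000: PortRule("ACL server", "TwoFish 128bit", True),
        # Yes(*): remote only when AX Exception runs on a separate machine.
        5432: PortRule("PostgreSQL Database", "Supported", True),
    },
    "ax_exception": {
        **GERONIMO_LOCAL,
        8443: HTTPS,
        1433: PortRule("SQL Server", "supported", False),
    },
    "ax_datasource": {
        6001: PortRule("PowerCenter Node", "None", True),
        6002: PortRule("PowerCenter Service Manager", "None", False),
        # 6005(+): services may use default ports 6005-6015.
        **{p: PortRule("PowerCenter Services", "None", True) for p in range(6005, 6016)},
    },
}

LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\b")

def listening_sockets(netstat_text):
    """Yield (local_address, port) for each TCP listener in `netstat -ano` text."""
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            yield m.group(1).strip("[]"), int(m.group(2))

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr.split("%")[0]).is_loopback
    except ValueError:
        return False  # unparseable address: treat as reachable

def audit(component, netstat_text):
    """Return sorted (port, finding) pairs for ports the brief lists."""
    rules, findings = POLICY[component], set()
    for addr, port in listening_sockets(netstat_text):
        rule = rules.get(port)
        if rule is None or is_loopback(addr):
            continue  # not in the brief, or not reachable from other hosts
        if not rule.remote:
            findings.add((port, "local-only-exposed"))   # block inbound at the firewall
        elif rule.encryption == "None":
            findings.add((port, "cleartext-remote"))     # restrict source addresses
        elif rule.encryption.lower() == "supported":
            findings.add((port, "encryption-optional"))  # confirm it is switched on
    return sorted(findings)

# Constructed sample output for an AX Core host (not from a real system).
SAMPLE_AX_CORE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:8443           0.0.0.0:0              LISTENING       2100
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       2100
  TCP    127.0.0.1:1527         0.0.0.0:0              LISTENING       2100
  TCP    [::]:9999              [::]:0                 LISTENING       2100
  TCP    0.0.0.0:5432           0.0.0.0:0              LISTENING       1788
  TCP    0.0.0.0:10000          0.0.0.0:0              LISTENING       3012
  TCP    10.0.0.5:8443          10.0.0.77:51515        ESTABLISHED     2100
"""

if __name__ == "__main__":
    for port, finding in audit("ax_core", SAMPLE_AX_CORE):
        print(port, finding, POLICY["ax_core"][port].service)
```

Ports that are not in the brief's tables are ignored, so the result covers only the AuditExchange services and not the rest of the host.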


AUDITEXCHANGE PLATFORM: DEPLOYMENT AND USAGE CONSIDERATIONS

Repository Design

ACL AuditExchange 3 is designed to reflect how auditors work and organize their information – around the concept of the Audit Engagement. Engagements are constructs that allow the audit team to organize their audit resources, including working papers, associated audit documentation, data sets and analytics in a manner consistent with their audit objectives for discrete audit projects. Within Engagements are the Activities that audit teams can follow to efficiently execute according to their audit plans.

There are two sections to the AX Core repository, a Working directory and a Library. The Working directory is the place where each audit engagement is planned and carried out.

All key elements of the audit engagement are kept together within the repository – Data tables, AuditExchange analytics, all planning and explanatory documentation and all resulting audit evidence. ACL AuditExchange supports storage of all electronic file formats in addition to all ACL file types.

The Library directory provides an area for data or analytic specialists to store and apply further restrictions on access to highly sensitive but re-usable audit resources, such as Master data and Master analytics.

Data Access

The AX Core desktop connector features the broad range of ACL data access capabilities. These capabilities permit end-user access to a wide range of data sources for investigative and exploratory analysis. Typically, this step is a precursor to repetitive and continuous analysis that is best enabled by the AX Datasource add-on module discussed in the previous section. The following describes the data access approaches available from within the AX Core desktop connector.

File System Access

The AX Core desktop connector and ACL Desktop Edition support fixed and variable record length (CR/LF) files stored on network drives accessible by the server machine. These include direct-connect disks, network file systems (NFS) or SMB shared file systems and storage area networks (SANs). Textual report, or “print image,” formats are also supported on these ACL platforms. ACL can, in many cases, automatically determine tabular data within a textual report file, and use it for further analysis. Internally, ACL uses a fixed-record length format for temporary and imported data storage.

Data Management

AX Core/AX Core Client

When an ACL table is imported into the AX Core repository through AX Core Client, the table definition (layout) information is stored within the AX Core repository database and the data file itself is stored within the Windows file system under an AuditExchange-managed directory structure.

Note: It is up to the administrator of the Windows server where AuditExchange is stored to ensure appropriate security access is applied to these Windows directories.

AuditExchange supports the re-use of data within the repository via copying and linking the table across Engagements – both within the Working area and between the Library and Working areas. When a data table is copied and linked through the AX Core Client interface, only a link between master table and link table is created; similar to a shortcut in Windows, it does not make a separate copy of the underlying data file. The AX Core repository manages a single copy of this data file and maintains a referential link to all places that the master table is linked.

When a user double-clicks on a data table from within the AX Core Client interface, the table definition will be exported into an ACL project format so that it can be viewed using the ACL Desktop Edition interface. At this time, the user will be prompted as to whether or not they wish to create a local copy of the data file itself, or whether or not they want to leave the data on the server and under the management of AuditExchange (the default is to have the data remain on the server).

Running an Analytic

ACL AuditExchange analytics can be run against any data table that is within the Data folder of the Activity where the analytic resides. Any data table that is generated as an output of the analytic can either be posted to the AX Core repository as a result (using the //RESULT syntax) or directly within the Data folder of the same Activity (using the //DATA syntax).

Refreshing Data

It is recommended that the refresh of data within the repository (outside of refreshing data using AX Datasource) be accomplished through the use of analytics. By specifying that the resulting data table(s) from an analytic be copied back to the Data folder within the Activity (if the data table already exists there), the underlying data file will be overwritten when the table definition is overwritten as well.

Back-up and Archive of Repository Data

Currently neither of these functions is automatically accomplished by AuditExchange. Archiving of the AX Core database and the Windows file directories housing the data files should be coordinated with your network administrator. ACL recommends a cold backup; that is, turn off the AX Core services to ensure no system activity is in progress and the data is therefore static.

Security

Authentication

User Accounts

AuditExchange platform user authentication is supported via Microsoft Active Directory. A user must be a valid Windows domain user. AuditExchange supports forests of trusted Active Directory domains. Users can then be added to the AuditExchange user list. AuditExchange does not store any passwords; authentication is confirmed via the Windows API each time a user attempts to log in to the system, but AuditExchange does not interface directly with Active Directory itself.

If an organization does not employ Active Directory as their network authentication system, AuditExchange supports creation and use of local users on the AX Core server machine.

Single Sign On

AX Core integrates with the Central Authentication Service (CAS), which is installed with AX Core, and can be configured for form-based or silent integrated Windows authentication. If configured to use form-based authentication, users must enter a username and password to log on to an AuditExchange application.

Silent authentication does not require the user to enter a username or password; it uses integrated Windows Authentication and Kerberos to validate the user who is accessing an AuditExchange application. The same user account that is logged into the PC is also the user account which is silently authenticated to access AuditExchange. Only Active Directory users are able to use silent authentication, and CAS must be registered on the Active Directory domain controller as a Service Principal Name (SPN). If silent authentication is configured, local user accounts can still be used, but they will require username and password entry.

Application Security

Security is maintained centrally in the AX Core for the entire AX platform. Application security is role-based, with two primary roles supported.

Users can either be an Administrator or a User of the AX Core system. Administrators are able to see and manage all Engagements and their contents within the AX Core repository.

Users are only able to access Engagements or associated Activities for which they have been granted permissions. Permissions to an Engagement or Activity are either:
- Full: Includes permission to create, modify and delete content or structure within a particular Engagement or Activity. This includes the ability to run and schedule any Analytics within the Activity. Anyone with Full permission to the Engagement may grant additional users permission to that Engagement.
- Read Only: Includes permission to view all content within the Engagement or Activity. Does not include the ability to run Analytics.

When a new Engagement is created (in the Working area), the creator has Full permissions by default. They must add any additional users (Full or Read Only) to the Engagement manually to share it with other users. Users that are added to the Engagement level will automatically inherit the same permissions for all Activities within the Engagement. These permissions can be modified at the Activity level.

Only Administrators are able to create new Engagements within the Library. They may subsequently grant additional users (non-Administrators) either Full or Read Only permission to the Engagements within the Library.
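The inheritance and delegation rules in this section can be modelled as a small reference monitor, which helps when reviewing who can run Analytics or extend access to an Engagement. This Python model is an added illustration, not AuditExchange code; the class, method and action names and the sample users are hypothetical, and requiring Full on the Engagement to change Activity-level permissions is an assumption.

```python
from dataclasses import dataclass, field

FULL, READ_ONLY = "Full", "Read Only"
# Per the brief: Full may change content and run or schedule Analytics;
# Read Only may view content but not run Analytics.
ALLOWED = {
    FULL: {"view", "modify", "run_analytic", "schedule_analytic"},
    READ_ONLY: {"view"},
}

@dataclass
class Engagement:
    area: str                                            # "Working" or "Library"
    grants: dict = field(default_factory=dict)           # user -> permission
    activity_grants: dict = field(default_factory=dict)  # activity -> {user: permission}

class Repository:
    def __init__(self, administrators):
        self.administrators = set(administrators)
        self.engagements = {}

    def create_engagement(self, actor, name, area="Working"):
        if area == "Library" and actor not in self.administrators:
            raise PermissionError("only Administrators create Library Engagements")
        eng = self.engagements[name] = Engagement(area)
        if area == "Working":
            eng.grants[actor] = FULL         # creator has Full by default
        return eng

    def effective(self, user, name, activity=None):
        """Permission that applies to user on an Engagement or one of its Activities."""
        if user in self.administrators:
            return FULL                      # Administrators manage everything
        eng = self.engagements[name]
        per_activity = eng.activity_grants.get(activity, {})
        # An Activity-level setting replaces the inherited Engagement permission.
        return per_activity.get(user, eng.grants.get(user))

    def grant(self, actor, name, user, permission, activity=None):
        # Granting needs Full on the Engagement. Applying the same rule to
        # Activity-level changes is an assumption of this model.
        if self.effective(actor, name) != FULL:
            raise PermissionError(f"{actor} lacks Full on {name}")
        eng = self.engagements[name]
        target = eng.grants if activity is None else eng.activity_grants.setdefault(activity, {})
        target[user] = permission

    def can(self, user, action, name, activity=None):
        perm = self.effective(user, name, activity)
        return perm is not None and action in ALLOWED[perm]

    def delegators(self, name):
        """Non-administrators who can extend access to the Engagement."""
        grants = self.engagements[name].grants
        return sorted(u for u, p in grants.items() if p == FULL)

def demo():
    # Constructed users and names, for illustration only.
    repo = Repository(administrators={"admin1"})
    repo.create_engagement("alice", "Q3 Payables")
    repo.grant("alice", "Q3 Payables", "bob", READ_ONLY)
    repo.grant("alice", "Q3 Payables", "bob", FULL, activity="Duplicate Invoices")
    return repo
```

`delegators()` is the list to check in an access review: every name on it can add further users without an Administrator being involved.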

AUDITEXCHANGE SERVER HARDWARE ARCHITECTURE

AX Core

AX Core hardware requirements will be unique for each installation based on usage and data storage needs. Each running analytic, ACL Desktop user, AX Core Client user, AX Gateway user, and AX Datasource import will consume AX Core server resources. ACL recommends a distributed hardware architecture including the AX Core server, AX Database server, and the storage location of source (.fil) data files for all but the smallest number of users/audit teams and/or light analysis requirements.

SAN or NAS Storage: for heavy data analytic requirements, the AX Database server and source data files are recommended to be stored in a SAN or NAS with fibre channel or otherwise fast/large throughput. Throughput is the single biggest bottleneck in the hardware along with disk i/o speed.


Disk space: ACL table data files (ACL .fil files) are stored by AX Core as regular disk files, and all other data and metadata is stored in the AX Core database. Disk space needs are directly proportional to the size and amount of data stored in the AX Core repository.

Disk performance: AX Core, particularly the AX analytic engine, will perform better using disk hardware with fast read and write times. Disks on a SAN are supported, but performance will depend on network and SAN specifications.

Processors: AX Core will utilize multiple processors when handling AX Gateway and AX Core Client user sessions. Analytics are executed by the AX analytic engine and the Windows OS will schedule each AX analytic engine process on a separate CPU core as needed.

Memory: The memory requirements of AX Core itself are not large, but as more users access AX Core, and analytics are scheduled, memory usage will increase accordingly.

Suggested Hardware Configurations

| Users | Analytic Usage | Analytic Server(s) | Suggested Hardware |
|---|---|---|---|
| 5 | Light | Not needed | 2 CPU cores, 4GB memory, 200+ GB Disk Space(*) |
| 5 | Moderate | Recommended | 2 CPU cores, 4GB memory, 200+ GB Disk Space(*) |
| 5 | Heavy | Yes | 2 CPU cores, 4GB memory, 200+ GB Disk Space(*) |
| 20 | Light | Recommended | 4 CPU cores, 4GB memory, 500+ GB Disk Space(*) |
| 20 | Moderate - Heavy | Yes | 4 CPU cores, 4GB memory, 500+ GB Disk Space(*) |
| 20+ | Varying | Yes | 4+ CPU cores, 4+GB memory, 500+ GB Disk Space(*) |

* Disk space requirements depend largely on the size and number of files stored in the AX Core repository.

Note: If the AX Core database is PostgreSQL, and is located on the AX Core server, there should be at least double the amount of memory and CPU cores allocated.

Analytic Usage

Light – Infrequent analytics being run by users, and/or a small number, (e.g. less than 5), of short-duration analytics scheduled to run periodically at night.

Moderate – Users run short-duration analytics frequently. A small number, (e.g. 5–10), of analytics of mixed duration are scheduled to run – most at night, some concurrently. Once you’ve reached moderate analytic usage, it’s time to consider using an analytic server to reduce the load on the AX Core server.

Heavy – Analytics of varying duration are run by users at any time. Many analytics scheduled to run periodically on varying schedules, some concurrently, some are long-running, (e.g. 2 hours or more). With heavy analytic usage, ACL strongly recommends setting up one or more analytic servers in addition to your main AX Core server.

AX Exception

| Users | Suggested Hardware |
|---|---|
| 5 | 2 CPU cores, 4GB memory |
| 20 | 2 CPU cores, 8GB memory |
| 20+ | 4+ CPU cores, 8+GB memory |

Note: If the AX Exception database is located on the same server, there should be at least double the amount of memory and CPU cores allocated.


AX Datasource

- A quad-core processor, or two dual-core processors, at 2.5 GHz or faster (quad-core processor recommended).
- When installing Informatica PowerCenter, you are limited by licensing restrictions to a four-core processor server.
- 8 GB of RAM.
- At least 3 GB of disk space for the PowerCenter and AX Datasource application components.
- Significant additional disk space may be required to store data extracts, for configurations where this server is being used to host data.

Please see following paragraphs for Supported Configurations.

Supported Configurations

All on One Server

AX Core, AX Exception, and AX Datasource can be installed on a single server machine. This configuration is recommended only for installations with a small number of users, (e.g. 5 users or less) with only light analytic usage requirements.

Multiple Servers

- AX Core, AX Exception, and AX Datasource can each be installed on its own dedicated server, which is recommended for installations with more than 5 users or with moderate to heavy analytic usage.
- Multiple AX Core servers can be installed, but they cannot share content. Each AX Core server will have its own content repository.
- Multiple AX Core servers can publish transactions to a single AX Exception. In this case, AX Exception will be configured to use the database from one of the AX Cores for user and role information. The other AX Core servers will have their own database, with their own user and role information.
- Multiple AX Datasource servers can be configured to import data to a single AX Core.
- AX Core does not support publishing to multiple AX Exception servers. The AX Core publish operation can only be configured with a single URL for publishing to a single AX Exception server.

_____________________________

For technical support and contact information, visit the ACL Support Center: www.acl.com/supportcenter


© 2011 ACL Services Ltd. TB/AX2/02072011 ACL Services Ltd. ACL and the ACL logo are trademarks or registered trademarks of ACL Services Ltd. All other trademarks are the property of their respective owners.

ACL Headquarters

T +1 604 669 4225 F +1 604 669 3557

acl.com


About ACL Services Ltd. ACL Services Ltd. is the leading global provider of business assurance technology for audit and compliance professionals. Combining market-leading audit analytics software with centralized content management and exception reporting, ACL technology provides a complete end-to-end business assurance platform that is flexible and scalable to meet the needs of any organization.

Since 1987, ACL technology has helped organizations reduce risk, detect fraud, enhance profitability, and improve business performance. ACL delivers its solutions to 14,700 organizations in over 150 countries through a global network of ACL offices and channel partners. Our customers include 98 percent of Fortune 100 companies, 89 percent of the Fortune 500 and over two-thirds of the Global 500, as well as hundreds of national, state and local governments, and the Big Four public accounting firms.