Post on 04-Jun-2018
8/13/2019 Apps Segregation of Duties
1/31
2007 Protiviti Inc. Confidential: This document is for internal use only and may not be distributed to an outside party.
SOD Remediation for Oracle Applications
January 17, 2008
NorCal OAUG Training Day
Introduction
Vision without action is a daydream. But action without vision is a nightmare.
- Japanese Proverb
Oracle Implementation/Upgrade
People: Users/Roles
Processes: Business Flows
Technology: Oracle Applications
Training Objectives
Segregation of Duties Overview (SoD)
SoD Assessment Approach
Segregation of Duties Assessment Case Study
Control Areas to Consider During an Upgrade or Implementation Project to Prevent Future Stand-Alone Remediation Projects
Segregation of Duties Overview
Common Compliance Pain Points
Using/customizing seeded responsibilities and menus
Responsibilities were not designed with SOX in mind or were not designed at all (seeded responsibilities are used out of the box)
Trying to find/assess SoD conflicts without a tool (manual methods will miss places where users have access)
Segregation of Duties (SOD) Basics
Segregation of Duties is meant to reduce the risk of concealment of employee error or fraud by separating the following high-level functions:
The recording of a transaction
The authorization of the transaction
Custody of the asset
Control procedure (i.e. reconciliation)
An essential feature of segregation of duties or responsibilities within an organization is that no one employee or group of employees has exclusive control over any transaction or group of transactions.
Opportunities for Automated Controls to Enforce SoD
Transaction Processes
Transaction Approvals
Access to Physical Assets
Reconciliations
Segregation of Duties (SOD) Conflict Types
Three-way SOD conflict - An individual can perform three of these four duties for a given asset:
Custody of assets
Authorization or approval of related transactions affecting those assets
Execution of the transaction or transaction activity
Reconciliation of related transactions
Two-way SOD conflict - An individual can perform two of these four duties for a given asset
Segregation of Duty (SOD) Issues
Role-based access often drives potential SOD issues
Access should be granted based on pre-defined job descriptions
Role-based security access should be customized per the business needs, not using out-of-the-box profiles that typically do not address SOD and grant powerful access
Segregation of Duties (SOD) Examples
Users with Voucher Entry & Purchase Order Entry
Users with Voucher Entry and Create Payments
Users with Create Receipts and Enter Sales Invoices
Users with access to business process should not have access to post Journal Entries
Users with Administer Payroll and Administer Workforce
Users with access to Payroll and HR present a risk of adjusting salaries, running payroll, then changing salaries back
Beware of Sysadmin, Super User and other IT users with powerful access!
Segregation of Duties
Assessment Approach
Our Approach to Optimizing & Sustaining ERP Compliance
SoD, Security, Access, Provisioning, Application & Process Controls
Project to Process: Analyze, Standardize, Automate; Continuous Monitoring
ERP Assessments; Consulting & Remediation Services; Software
Analyze
Perform assessments via Protiviti Assure methodology
Deploy on internal audit and SOX clients or new clients to prove the case
Standardize
Clean-up Security/SOD issues
Design automated controls
Re-engineer SOX testing approach
Design controls into new implementations
Automate
Implement continuous monitoring systems
An integrated implementation approach is necessary to design effective internal controls, understanding that system-based controls are more reliable and desirable. This pertains to both General Computer Controls as well as embedded application-specific controls. It is more efficient to get these right at the time of implementation.
[Figure: the four control types (System-Based Detective Controls, System-Based Preventive Control, People-Based Detective Control, People-Based Preventive Control) plotted against "Desirable" and "Reliable" axes. Items placed on the chart: Standard within the Software; Configuration Options; Application Security; Policies; Procedures; Monitoring Exception Reporting; Reconciliations; Extensive SOX Testing Efforts. Axis label: Effectiveness in SOX Testing Efforts.]
Optimize Automated Controls
Segregation of Duties
Assessment Case Study
Case Study Scenario
Project: SoD Remediation
Objective: To assist the client with remediation of SoD conflicts and user access to sensitive abilities in Oracle prior to their External Audit.
Tools:
Oracle Internal Controls Manager (ICM)
The client's corporate SoD Rule Set
Approach:
1. Review the initial SoD conflict and Sensitive Abilities results using ICM constraint reports
2. Identify any false positives and enter the appropriate waivers in ICM
3. Review the remaining SoD conflict and Sensitive Abilities results with the appropriate business owners to determine what security changes can be made to resolve the issues
4. Develop mitigating control suggestions based on input from management to address remaining conflicts
Examples from the Procure to Pay (PTP) Cycle
Sensitive Ability Constraints Reviewed:
Transaction: Maintain Buyers - Buyers
Set Up: Maintain Approvals; Signing limits
SOD Constraints Reviewed (conflicting function pairs):
Create PO/Blanket PO and Maintain Buyers
Maintain PO/Blanket PO and Maintain Buyers
Receive Goods and Create PO/Blanket PO
Receive Goods and Maintain PO/Blanket PO
Process Invoices and Process Payments
Process and Maintain Invoices and Create PO/Blanket PO
Process and Maintain Invoices and Maintain PO/Blanket PO
Process and Maintain Invoices and Receive Goods
Process and Maintain Invoices and Maintain Goods
Process Debit/Credit Memos and Maintain PO/Blanket PO
Process Debit/Credit Memos and Receive Goods
Process Debit/Credit Memos and Maintain Goods
Process Debit/Credit Memos and Process and Maintain Payments
Release Invoice Holds and Receive Goods
Examples from the Order to Cash (OTC) Cycle
Sensitive Ability Constraints Reviewed:
Set Up: AR and OM Setup
Set Up: Interface Processing
SoD Constraints Reviewed (conflicting function pairs):
Enter Cash Receipts and Enter Sales Orders
Enter Cash Receipts and Approve Invoice Adjustments
Enter Cash Receipts and Process AR Invoices
Create Customers and Enter Sales Orders
Create Customers and Enter RMA
Create Customers and Process Debit/Credit Memos
Create Customers and Process AR Invoices
Create Customers and Process Transactions
Create Customers and Enter / Maintain Cash Receipts (2)
Create Customers and Maintain Misc Cash Receipts
Maintain Customers Profile and Enter Sales Orders
Maintain Customers Profile and Enter Cash Receipts
Maintain Customers Profile and Maintain Cash Receipts
Maintain Customers Profile and Maintain Misc Cash Receipts
App Invoice Adj and Process Inv Adj
Process AR Inv / Process Trans and Approve Invoice Adj (2)
App Invoice Adj and Maint Inv Adj
Sample PTP ICM Violation Report (Inter-Responsibility Conflict)
Sample OTC ICM Violation Report (Intra-Responsibility Conflict)
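The case-study approach above (evaluate the rule set, waive false positives, review what remains) and the inter- versus intra-responsibility distinction in the two sample reports can be reproduced over access data. The following is an added example, not code from the deck or from Oracle ICM: the PTP constraint pairs are taken from the slides, while the user IDs, responsibility names, function assignments and the function-to-duty mapping are constructed sample data.

```python
"""SoD conflict evaluation over Oracle EBS-style access data.
Added example (not from the deck or Oracle ICM): users -> responsibilities
-> functions, two-way PTP constraints from the deck, waivers, and the
intra/inter-responsibility distinction. Users, responsibilities and the
duty mapping are constructed sample data.
"""
# Constructed sample: functions each responsibility exposes.
RESPONSIBILITY_FUNCTIONS = {
    "AP Clerk": {"Process Invoices", "Release Invoice Holds"},
    "AP Manager": {"Process Invoices", "Process Payments"},  # conflict inside one resp
    "Buyer": {"Create PO/Blanket PO", "Maintain PO/Blanket PO"},
    "Receiving": {"Receive Goods"},
    "PO Setup": {"Maintain Buyers"},
}
# Constructed sample: responsibilities assigned to each user.
USER_RESPONSIBILITIES = {
    "jdoe": {"AP Clerk", "Receiving"},
    "asmith": {"AP Manager"},
    "bwong": {"Buyer", "PO Setup"},
    "clee": {"Receiving"},
}
# Two-way constraints taken from the deck's PTP examples.
SOD_RULES = [
    ("Create PO/Blanket PO", "Maintain Buyers"),
    ("Receive Goods", "Create PO/Blanket PO"),
    ("Process Invoices", "Process Payments"),
    ("Process Invoices", "Receive Goods"),
    ("Release Invoice Holds", "Receive Goods"),
]
# Assumed mapping of functions onto the four duties from the
# "Conflict Types" slide, used to grade two-way vs three-way exposure.
DUTY_OF = {
    "Receive Goods": "custody",
    "Create PO/Blanket PO": "execution",
    "Process Invoices": "execution",
    "Process Payments": "execution",
    "Release Invoice Holds": "authorization",
    "Maintain Buyers": "authorization",
}
# Waivers entered after false-positive review (step 2 of the approach).
WAIVERS = {("jdoe", "Release Invoice Holds", "Receive Goods")}

def user_functions(user):
    """Map every function the user can reach to the responsibilities granting it."""
    grants = {}
    for resp in USER_RESPONSIBILITIES.get(user, ()):
        for fn in RESPONSIBILITY_FUNCTIONS.get(resp, ()):
            grants.setdefault(fn, set()).add(resp)
    return grants

def evaluate(user, rules=SOD_RULES, waivers=WAIVERS):
    """Return (function_a, function_b, scope) for each unwaived rule the user hits."""
    grants = user_functions(user)
    hits = []
    for a, b in rules:
        if a not in grants or b not in grants:
            continue
        if (user, a, b) in waivers or (user, b, a) in waivers:
            continue  # reviewed and accepted as a false positive
        # Intra-responsibility when one responsibility grants both sides alone.
        scope = "intra" if grants[a] & grants[b] else "inter"
        hits.append((a, b, scope))
    return hits

def conflict_degree(user):
    """Count distinct high-level duties reachable: 3 or more is a three-way conflict."""
    return len({DUTY_OF[fn] for fn in user_functions(user) if fn in DUTY_OF})
```

Note that a waiver silences a rule hit but does not reduce the duty count: jdoe still reaches custody, execution and authorization, so the three-way exposure remains visible even though one pair was accepted as a false positive.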
PTP Conflict Compensating Control Suggestions
Conflict | Risk | Possible Compensating Control
Create PO / Maintain Buyers | Unauthorized buyer can create PO | Configurable Control: PO Approval Groups and Assignments; do not allow "Owner can Approve" his own PO
Process DM CM / Process Payments | Erroneous or unauthorized payments to vendors | Check Signatures, Invoice Matching Process; Hold Unmatched Invoices
Process Invoices / Create PO | Erroneous or unauthorized payments to vendors | PO Approval hierarchy, Invoice Matching Process; Hold Unmatched Invoices
Process Invoices / Maintain (Receive) Goods | Erroneous or unauthorized payments to vendors | Inventory Cycle Counting, Invoice Matching Process; Hold Unmatched Invoices
Process Invoices / Maintain PO | Erroneous or unauthorized payments to vendors | PO Approval hierarchy, Invoice Matching Process; Hold Unmatched Invoices
Process Invoices / Process Payments | Erroneous or unauthorized payments to vendors | Check Signatures, Invoice Matching Process; Hold Unmatched Invoices
Receive Goods / Create or Maintain POs | Unauthorized purchase or erroneous recording of liability | PO Approval hierarchy, Invoice Matching Process; Hold Unmatched Invoices
Release Invoice Holds / Receive Goods | Erroneous or unauthorized payments to vendors | Inventory Cycle Counting, Invoice Matching Process; Hold Unmatched Invoices
OTC Conflict Compensating Control Suggestions
Conflict | Risk | Possible Compensating Control
Approve Invoice Adjustment / Maintain Invoice Adjustment | Unauthorized write off of invoices | Configurable Control: Approval Limits
Create Customer / Enter Cash Receipts | Fictitious customer; hide cash receipt | Customer Statements; SoD of handling, logging and depositing of checks received from customers; bank reconciliations
Create Customer / Enter RMAs | Unauthorized credit given to customers | Customer Statements, review of open RMAs
Create Customer / Enter Sales Orders | Unauthorized sales order and shipment of goods | Configurable Control: Sales Order Approval workflow
Create Customer / Maintain Cash Receipts | Hide cash receipt | Review of Reversed Cash Receipts; Cash Receipt deletion not allowed by the system
Create Customer / Process DM CM | Unauthorized credit given to customers; unauthorized changes to customer records; hide cash receipt | Customer Statements; Review of AR Aging; SoD of handling, logging and depositing of checks received from customers; bank reconciliations
Enter Cash Receipts / Approve Invoice Adjustments | Unauthorized write off of invoices | Configurable Control: Approval Limits
Maintain Customer Profile / Enter Sales Orders | Unauthorized sales order and shipment of goods | Configurable Control: Sales Order Approval workflow
Maintain Customer Profile / Maintain Misc Cash Receipts | Hide cash receipt | SoD of handling, logging and depositing of checks received; bank reconciliations
Additional Recommendations
The following are improvements that would eliminate the need for compensating controls:
Restrict Access for Release Holds and Sales Order entry. Access to the Sales Order form is required to be able to release holds. The ability to Release Holds, however, should be excluded from those users who should NOT be able to release an order. The best practice is to restrict this access to those in credit management who approve the release of credit hold on an order. This is normally considered the higher risk area with regards to Sales Order processing.
Rearranging department responsibilities to make supervisors only approvers and reviewers, not doers. This would mean that access for supervisors is mostly View Only, except for the approval of transactions. The team would have the access to process transactions. Supervisors would approve any changes or adjustments and delegate the processing to their teams.
Functions with Inquiry Only access should be designated as View Only in the function name to simplify future audit related activities. This can be done by creating a copy of the normal function, giving it a name with View Only in it, and adding the parameter QUERY_ONLY="YES" to the function. By designating these functions clearly, the access would be more easily justified.
Additional Recommendations (Cont.)
The following are improvements that would eliminate the need for compensating controls:
Access to Setups should be limited to Inquiry Only Access. The IT and Business Analysts should be given a responsibility that has Inquiry Only access to all setups in production, but read/write access in a development environment. This would enable them to view any setup for troubleshooting. When they determine that a change should be made in the system, they should follow the Change Management process: file a change request and have it tested in dev and approved by the business owner. When the approval is received, the System Administrator would grant the BA temporary access to the Super User responsibility to make the change in production. This is considered a best practice, as it keeps Super Access to a minimum.
Access to Super User responsibilities should also be granted on a temporary basis only and be controlled through the change management process. The process should require appropriate business/process owner approval prior to granting temporary access. Responsibilities granted temporarily should be end dated at the time the access is granted based on the amount of time access is needed.
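The temporary-access recommendation above gives a reviewer three things to check on every Super User grant: that it carries an end date, that the window is short, and that it traces to an approved change request. The following is an added example, not code from the deck or from Oracle: the privileged responsibility names, the five-day window and the assignment records are constructed sample data standing in for what a responsibility-assignment extract would carry.

```python
"""Review privileged responsibility grants for the deck's temporary-access
recommendation. Added example, not from the deck; all data is constructed."""
from datetime import date

# Assumed list of responsibilities treated as "Super User" level access.
PRIVILEGED = {"System Administrator", "Purchasing Super User",
              "Receivables Super User"}
MAX_TEMP_DAYS = 5  # assumed policy: temporary grants must end within 5 days

# Constructed sample assignments: (user, responsibility, start, end, change_request).
# None for end means the grant was never end dated; None for change_request
# means no approved change request was recorded with the grant.
ASSIGNMENTS = [
    ("bwong", "Purchasing Super User", date(2008, 1, 10), date(2008, 1, 12), "CR-101"),
    ("jdoe", "System Administrator", date(2008, 1, 2), None, None),
    ("asmith", "Receivables Super User", date(2008, 1, 5), date(2008, 2, 20), "CR-102"),
    ("clee", "Receiving", date(2007, 6, 1), None, None),  # not privileged: ignored
]

def audit_privileged_grants(assignments=ASSIGNMENTS, privileged=PRIVILEGED,
                            max_days=MAX_TEMP_DAYS):
    """Return (user, responsibility, finding) for every privileged grant that
    breaks one of the three rules; a grant can produce more than one finding."""
    findings = []
    for user, resp, start, end, change_request in assignments:
        if resp not in privileged:
            continue
        if end is None:
            findings.append((user, resp, "no end date"))
        elif (end - start).days > max_days:
            findings.append((user, resp, "exceeds temporary window"))
        if change_request is None:
            findings.append((user, resp, "no change request"))
    return findings

def users_with_open_privileged_access(assignments=ASSIGNMENTS, privileged=PRIVILEGED,
                                      as_of=date(2008, 1, 17)):
    """Users whose privileged grant is active on as_of (no end date or end >= as_of)."""
    return sorted({user for user, resp, start, end, _ in assignments
                   if resp in privileged and start <= as_of
                   and (end is None or end >= as_of)})
```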
Control Areas to Consider During an Upgrade or Implementation Project to Prevent Future Stand-Alone Remediation Projects
Transaction Processing Controls
Business processes supported and impacted by applications must ensure information integrity through effective design, development, and usage of:
Manual Process Controls
policies and procedures
reconciliations, reviews and approvals
management reporting
Application Interface Controls
restart and recovery procedures
control totals
job monitoring
error handling
Facilitation of Audit Needs
transaction logs
historical data access
transaction references
meaningful descriptions/classifications
Automated Application Controls
field edits
workflow approvals
error messages
matching tolerances
number ranges
default values
posting keys
document matching
recurring entries
Security Administration
Security strategies, tools, personnel, and processes should be coordinated effectively to address the following key components:
Administration
provisioning (granting, termination, and modification) of user IDs
workflow / approvals
tool administration
password resetting
password parameters
Segregation of duties
separation of incompatible functions
data owner monitoring of access levels
Sensitive access
powerful authorities
post-implementation support
Data Management
As part of the implementation, data must be converted and then maintained to ensure the integrity of system processing. The following are critical considerations in this area:
Master Data Maintenance
data ownership policies and procedures
impact analysis
Data Archiving
system performance and storage requirements
data access requirements
data redundancy
Data Conversions
data mappings
conversion design
conversion testing
reconciliation
Data Cleansing
inactive data
duplicative data
erroneous data
During an upgrade, data management activities may just relate to completing the upgrade process steps of what to correct by module (i.e. data re-mapping, etc.)
Change Management & Testing
Change management is critical for ensuring consistency of processing throughout an application's life cycle. This effort includes:
Client strategy (e.g. dev, test, prod)
Image refreshes
Object migration
Problem management for ongoing changes
Version control
All development and implementation efforts must include thorough testing to ensure defined solutions are complete and accurate. This effort includes:
Comprehensive test plan for functionality, security, and controls
Documented test cases and test results
Sign-off and acceptance
Use of positive and negative testing techniques
Things to Consider When Implementing/Upgrading
ERP systems are already built with standard business process functionality and it is best to try to avoid programming, meaning we want to implement the out-of-the-box solution and limit customizing the application as much as possible
Limiting customizations and designing them correctly can prevent problems when upgrading in the future. For example, creating new customized menus with unique names will prevent overrides during upgrades, which can occur if you customize a standard menu.
The difference between a manual control and an automated one is mostly a change of focus from detective to preventive control. Preventive controls are considered to be stronger and therefore preferred controls.
The more automated controls you can implement (instead of relying on manual controls), the more you can reduce audit/testing efforts. Automated controls can be tested immediately and require only 1 sample, while manual controls must be demonstrated over time and multiple samples must be tested based on control frequency (i.e. daily, monthly, etc.).
Summary
Segregation of Duties Overview (SoD)
SoD Assessment Approach
Segregation of Duties Assessment Case Study
Control Areas to Consider During an Upgrade or Implementation Project to Prevent Future Stand-Alone Remediation Projects
Questions?