Best Practices for Implementing Third Party Software to Monitor SOD and User Access Controls Presented by: Jeffrey T. Hare, CPA CISA CIA ERP Seminars.


1 Best Practices for Implementing Third Party Software to Monitor SOD and User Access Controls
Presented by: Jeffrey T. Hare, CPA CISA CIA, ERP Seminars

2 © 2008 ERPS
Presentation Agenda
Overview:
- Introductions
- Success Factors
- Identifying Requirements
- RFP Process
- Likely Requirements
- Preventive Control Technologies
- Audit Trail Technologies
- Q&A
- Public Domain Collaboration
- Oracle Apps Internal Controls Repository
- Other Resources
- Contact Information

3 Introductions
- Jeffrey T. Hare, CPA CISA CIA
- Founder of ERP Seminars and the Oracle User Best Practices Board
- Has written various white papers on SOX Best Practices in an Oracle Applications environment
- Frequent contributor to OAUG’s Insight magazine
- Experience includes Big 4 audit and 6 years in CFO/Controller roles – both auditor and audited perspectives
- In the Oracle Applications space since 1998 – both client and consultant perspectives
- Founder of the Internal Controls Repository, a public domain internal controls repository for end users

4 Success Factors
Here are a few success factors for the acquisition and implementation of third party software:
- Management support – financially and physically
- Define requirements using a risk-based assessment process
- Choose an experienced partner to help you through the RFP process, one who:
  - understands the requirements and can help add to them
  - can help you differentiate the requirements in the RFP process
  - will help you determine which technologies will best meet your requirements
- Choose an experienced partner to help implement the software

5 Identifying Requirements
Use a risk-based approach to identify the requirements, one that:
- Identifies the risks of a user having access to a function or to two functions – segregation of duties, access to a sensitive function or to sensitive data
- Takes into account risks in the system and considers the process holistically – from the manual process outside the system through the process inside the system; for example, the supplier entry process
- Takes current controls into account when assessing the residual risks
- Identifies the risks that need monitoring, auditing or prevention by the software (it may also identify other requirements, such as additional manual controls, forms personalization, or documentation and testing of non-key controls)

6 RFP Process
Here are some success factors for the RFP process:
- Use a proven RFP template, or partner with a firm with experience in the space
- Make sure the demo scripts help delineate the technology differences between the various vendors
- Make sure that all interested parties are present at the demos
- Insist on preventive controls to reduce internal and external audit costs

7 Likely Requirements
Here are some likely requirements that will come from a proper risk assessment process:
- Robust monitoring and reporting for the initial remediation process, to identify current conflicts
- Preventive controls – user provisioning; menus; responsibilities and their related function and menu exclusions; functions; forms; and request groups
- Auditing of activity, to track changes to items such as SQL forms, remit-to addresses, banks, suppliers, and profile options
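As an added example (not part of the presentation), this is the conflict check described on slide 5 and the initial remediation report slide 7 asks for, run over a constructed user / responsibility / function model in SQLite. All table, user, responsibility and function names are assumptions for illustration, not Oracle Applications' own objects.

```python
import sqlite3

# Constructed sample data with hypothetical names; no real ERP instance is read.
USERS = [(1, "ajones"), (2, "bsmith"), (3, "cwu")]
USER_RESPS = [(1, "AP_CLERK"), (1, "AP_SUPERVISOR"), (2, "AP_CLERK"), (3, "GL_USER")]
RESP_FUNCS = [("AP_CLERK", "ENTER_SUPPLIER"), ("AP_CLERK", "ENTER_INVOICE"),
              ("AP_SUPERVISOR", "PAY_INVOICE"), ("AP_SUPERVISOR", "MAINTAIN_BANK_ACCOUNT"),
              ("GL_USER", "POST_JOURNAL")]
# Conflict matrix: two functions one person should not hold together (SOD risk).
SOD_RULES = [("ENTER_SUPPLIER", "PAY_INVOICE", "HIGH"), ("ENTER_INVOICE", "PAY_INVOICE", "HIGH")]
# Functions whose access is a risk on its own (sensitive function / sensitive data).
SENSITIVE_FUNCS = [("MAINTAIN_BANK_ACCOUNT", "HIGH")]

def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(user_id INTEGER, user_name TEXT);
        CREATE TABLE user_resps(user_id INTEGER, resp TEXT);
        CREATE TABLE resp_funcs(resp TEXT, func TEXT);
        CREATE TABLE sod_rules(func_a TEXT, func_b TEXT, risk TEXT);
        CREATE TABLE sensitive_funcs(func TEXT, risk TEXT);""")
    for table, rows in (("users", USERS), ("user_resps", USER_RESPS), ("resp_funcs", RESP_FUNCS),
                        ("sod_rules", SOD_RULES), ("sensitive_funcs", SENSITIVE_FUNCS)):
        con.executemany(f"INSERT INTO {table} VALUES ({','.join('?' * len(rows[0]))})", rows)
    return con

# Effective access: every function a user reaches through any of their responsibilities.
USER_FUNCS = """SELECT DISTINCT u.user_name, rf.func
                FROM users u JOIN user_resps ur ON ur.user_id = u.user_id
                JOIN resp_funcs rf ON rf.resp = ur.resp"""

def sod_conflicts(con):
    # A violation is a user holding both sides of a rule, even via two different responsibilities.
    return con.execute(f"""
        WITH uf AS ({USER_FUNCS})
        SELECT a.user_name, r.func_a, r.func_b, r.risk
        FROM sod_rules r
        JOIN uf a ON a.func = r.func_a
        JOIN uf b ON b.func = r.func_b AND b.user_name = a.user_name
        ORDER BY a.user_name, r.func_a""").fetchall()

def sensitive_access(con):
    # Single-function exposure: who can reach a sensitive function at all.
    return con.execute(f"""
        WITH uf AS ({USER_FUNCS})
        SELECT uf.user_name, uf.func, s.risk
        FROM uf JOIN sensitive_funcs s ON s.func = uf.func
        ORDER BY uf.user_name""").fetchall()
```

Here ajones is flagged twice because AP_CLERK and AP_SUPERVISOR together give both halves of each rule, which a per-responsibility review would miss; bsmith, holding AP_CLERK alone, is clean.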

8 Preventive Control Technologies
Pros and Cons of Various Preventive Control Technologies:
- Forms Personalization
- Custom.pll
- Triggers

9 Audit Trail Technologies
Pros and Cons of Various Audit Trail Technologies:
- Standard database fields – created by, creation date, last updated by, last updated date
- Log files – network and database
- Triggers
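An added example, not part of the deck, contrasting the first and third bullets: the standard "who" columns retain only the most recent save, while a trigger-written shadow table keeps every change. It uses a constructed supplier table in SQLite; the table, column and trigger names are assumptions, not Oracle's.

```python
import sqlite3

def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        -- Constructed supplier table carrying only the standard "who" columns.
        CREATE TABLE suppliers(
            supplier_id INTEGER PRIMARY KEY, name TEXT, remit_to_bank TEXT,
            created_by TEXT, creation_date TEXT, last_updated_by TEXT, last_update_date TEXT);
        -- Shadow table filled by the trigger: one row per change with old and new values.
        CREATE TABLE suppliers_audit(
            supplier_id INTEGER, column_name TEXT, old_value TEXT, new_value TEXT,
            changed_by TEXT, change_date TEXT);
        -- Fires on every change to the bank column, whatever issued the UPDATE.
        CREATE TRIGGER trg_suppliers_bank_audit
        AFTER UPDATE OF remit_to_bank ON suppliers
        WHEN OLD.remit_to_bank IS NOT NEW.remit_to_bank
        BEGIN
            INSERT INTO suppliers_audit VALUES
                (NEW.supplier_id, 'remit_to_bank', OLD.remit_to_bank, NEW.remit_to_bank,
                 NEW.last_updated_by, NEW.last_update_date);
        END;""")
    return con

def update_bank(con, supplier_id, new_bank, user, when):
    # The application stamps the who columns on each save, as the ERP forms do.
    con.execute("""UPDATE suppliers SET remit_to_bank = ?, last_updated_by = ?, last_update_date = ?
                   WHERE supplier_id = ?""", (new_bank, user, when, supplier_id))

def who_columns(con, supplier_id):
    # What a reviewer sees from the row alone: current value and the last person to touch it.
    return con.execute("""SELECT remit_to_bank, last_updated_by, last_update_date
                          FROM suppliers WHERE supplier_id = ?""", (supplier_id,)).fetchone()

def audit_history(con, supplier_id):
    # What the trigger preserved: every intermediate value, in order.
    return con.execute("""SELECT old_value, new_value, changed_by, change_date
                          FROM suppliers_audit WHERE supplier_id = ? ORDER BY change_date""",
                       (supplier_id,)).fetchall()

def change_and_revert():
    con = build_db()
    con.execute("INSERT INTO suppliers VALUES (1, 'Acme Ltd', 'GB00-ACME', 'ajones', "
                "'2008-01-10', 'ajones', '2008-01-10')")
    update_bank(con, 1, "GB99-OTHER", "bsmith", "2008-03-01")  # bank account changed ...
    update_bank(con, 1, "GB00-ACME", "bsmith", "2008-03-05")   # ... and put back four days later
    return who_columns(con, 1), audit_history(con, 1)
```

After the revert the who columns show the original bank account with bsmith as the last updater, so the row alone gives no sign that the value was ever different; only the trigger's shadow table records the interim account.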

10 Q & A

11 Public Domain Collaboration
What is needed are standards for the collection of:
- Tables to audit as data is migrated (for example, banks)
- Additional functions and functionality as they are added
Internal Controls Repository: http://tech.groups.yahoo.com/group/oracleappsinternalcontrols/
- Publishing a list of critical forms, tables and columns to audit, prioritized by risk
- Promoting use of our risk assessment process as the standard in the industry, with agreement on language and mapped to the function level
Public domain collaboration will ensure consistency and quality

12 Oracle Apps Internal Controls Repository
Internal Controls Repository content:
- White papers such as Accessing the Database Without Having a Database Login, Best Practices for Bank Account Entry and Assignment, Using a Risk Based Assessment for User Access Controls, and Internal Controls Best Practices for Oracle’s Journal Approval Process
- Oracle Apps internal controls deficiencies and common solutions
- Mapping of sensitive data to tables and columns
- Identification of reports with access to sensitive data
http://tech.groups.yahoo.com/group/oracleappsinternalcontrols/

13 Other Resources
- Oracle Users Best Practices Board: www.oubpb.com
- Cam’s white paper on Auditing the DBA at: http://www.absolute-tech.com/products/whitepapers.htm
- Integrigy white papers at: http://www.integrigy.com/security-resources
- Solution Beacon: http://www.solutionbeacon.com/security.htm
- Oracle internal controls and security public listserver: http://tech.groups.yahoo.com/group/OracleSox/

14 Best Practices Caveat
The Best Practices cited in this presentation have not been validated with your external auditors, nor has there been any systematic study of industry practices to determine that they are ‘in fact’ Best Practices for a representative sample of companies attempting to comply with the Sarbanes-Oxley Act of 2002 or the other corporate governance initiatives mentioned. The Best Practice examples given here should not substitute for accounting or legal advice for your organization and provide no indemnification from fraud or material misstatements in your financial statements or control deficiencies.

15 Contact Information
Jeffrey T. Hare, CPA CISA CIA
- Phone: 602-769-9049
- E-mail: jhare@erpseminars.com
- Websites: www.erpseminars.com, www.oubpb.com
- Oracle SOX eGroup at http://groups.yahoo.com/group/OracleSox
- Internal Controls Repository: http://tech.groups.yahoo.com/group/oracleappsinternalcontrols/
Cam Larner
- Phone: 888.270.3012
- Website: www.absolute-tech.com

