Presentation is loading. Please wait.

Presentation is loading. Please wait.

Best Practices for User Access Controls and Segregation of Duties Presented by: Jeffrey T. Hare, CPA CISA CIA ERP Seminars.

Published byPatience Strickland Modified over 8 years ago

Similar presentations

Presentation on theme: "Best Practices for User Access Controls and Segregation of Duties Presented by: Jeffrey T. Hare, CPA CISA CIA ERP Seminars."— Presentation transcript:

1 Best Practices for User Access Controls and Segregation of Duties Presented by: Jeffrey T. Hare, CPA CISA CIA ERP Seminars

2 © 2008 ERPS Overview: Introductions Deficiencies in Current Approaches to SOD Taking a Risk-Based Approach to User Access Controls Q&A Public Domain Collaboration Oracle Apps Internal Controls Repository OUBPB / ERP Seminars Initiatives Other Resources Contact Information Presentation Agenda

3 © 2008 ERPS Introductions Jeffrey T. Hare, CPA CISA CIA Founder of ERP Seminars and Oracle User Best Practices Board Written various white papers on SOX Best Practices in an Oracle Applications environment Frequent contributor to OAUG’s Insight magazine Experience includes Big 4 audit, 6 years in CFO/Controller roles – both auditor and audited perspectives In Oracle applications space since 1998– both client and consultant perspectives Founder of Internal Controls Repository - public domain internal controls repository for end users

4 © 2008 ERPS Deficiencies in Current Approaches to SOD Projects Here are some common deficiencies in how companies are approaching SOD projects: Relying on seeded content of software providers Not taking a risk-based approach, considering current controls, in defining what risks there are for their company Not considering all user access control risks – access to sensitive functions and access to sensitive data Not looking at business process risk holistically – from outside the system through access and processes inside the system. Examples, suppliers, AR write offs, access to cash Not having a good grasp on requirements for the RFP

5 © 2008 ERPS Taking a Risk-Based Approach to User Access Controls Types of Risks: Segregation of duties - a user having two or more business processes that could result in compromise of the integrity of the process or allow that person to commit fraud Access to sensitive functions – a user having access to a high risk function that, in and of itself, has risk Access to sensitive data – a user having access to sensitive data such as employee identification number (US= SSN), home addresses, credit card, and/or bank account information.

6 © 2008 ERPS Taking a Risk-Based Approach to User Access Controls Approach to Risk Assessment Project: 1.Identify access control conflicts 2.Identify risks associated with each conflict 3.Identify, analyze, and document mitigating controls related to each risk 4.Assess what is the residual risk after taking into account the mitigating controls 5.Discuss residual risks with management and assess their willingness to assume the risk 6.Document remediation steps for unmitigated risks 7.Document whether the conflict (single of combination of access) should be monitored in third party software and use as basis for RFP

7 © 2008 ERPS Taking a Risk-Based Approach to User Access Controls In our experience, a completed risk assessment process exposes the following needs: An SOD monitoring tool (or one with a preventive workflow) A tool to develop a detailed audit trail Various monitoring reports or processes not provided by Oracle The need to personalize forms to support defined controls. Custom workflows to automate controls where Oracle’s functionality is deficient Process and/or controls changes Documentation and testing of non-key controls Access control changes Additional projects and research that need to be done

8 Q & A

9 © 2008 ERPS Public Domain Collaboration What is needed are standards for collection of: Tables to audit as data is migrated (for example banks) Additional functions and functionality is added Internal Controls Repository: http://tech.groups.yahoo.com/group/oracleappsinternalcontrols/ http://tech.groups.yahoo.com/group/oracleappsinternalcontrols/ Publishing list of critical forms, tables, columns to audit prioritized by risk Promoting use of our risk assessment process as the standard in the industry with agreement on language and mapped to the function level Public domain collaboration will insure consistency and quality

10 © 2008 ERPS Oracle Apps Internal Controls Repository Internal Controls Repository Content: White Papers such as Accessing the database without having a database login, Best Practices for Bank Account Entry and Assignment, Using a Risk Based Assessment for User Access Controls, Internal Controls Best Practices for Oracle’s Journal Approval Process Oracle apps internal controls deficiencies and common solutions Mapping of sensitive data to the table and columns Identification of reports with access to sensitive data http://tech.groups.yahoo.com/group/oracleappsinternalcontrols/

11 Other Resources © 2008 ERPS Oracle Users Best Practices Board: www.oubpb.comwww.oubpb.com Cam’s white paper on Auditing the DBA at: http://www.absolute-tech.com/products/whitepapers.htm http://www.absolute-tech.com/products/whitepapers.htm Integrigy white papers at: http://www.integrigy.com/security- resourceshttp://www.integrigy.com/security- resources Solution Beacon: http://www.solutionbeacon.com/security.htm http://www.solutionbeacon.com/security.htm Oracle internal controls and security public listserver: http://tech.groups.yahoo.com/group/OracleSox/ http://tech.groups.yahoo.com/group/OracleSox/

12 © 2008 ERPS Best Practices Caveat The Best Practices cited in this presentation have not been validated with your external auditors nor has there been any systematic study of industry practices to determine they are ‘in fact’ Best Practices for a representative sample of companies attempting to comply with the Sarbanes-Oxley Act of 2002 or other corporate governance initiatives mentioned. The Best Practice examples given here should not substitute for accounting or legal advice for your organization and provide no indemnification from fraud or material misstatements in your financial statements or control deficiencies.

13 © 2008 ERPS Contact Information Jeffrey T. Hare, CPA CISA CIA Phone: 602-769-9049 E-mail: jhare@erpseminars.com Websites: www.erpseminars.com, www.oubpb.comwww.erpseminars.comwww.oubpb.com Oracle SOX eGroup at http://groups.yahoo.com/group/OracleSox http://groups.yahoo.com/group/OracleSox Internal Controls Repository http://tech.groups.yahoo.com/group/oracleappsinternalc ontrols/ http://tech.groups.yahoo.com/group/oracleappsinternalc ontrols/

Download ppt "Best Practices for User Access Controls and Segregation of Duties Presented by: Jeffrey T. Hare, CPA CISA CIA ERP Seminars."

Similar presentations

Travel and Expense Management Scenario Overview

Travel and Expense Management Scenario Overview
Improving SOX Remediation Through Automated Testing of Internal Controls November 4, 2005.

Improving SOX Remediation Through Automated Testing of Internal Controls November 4, 2005.
Introduction to Enterprise Risk Management (ERM)

Introduction to Enterprise Risk Management (ERM)
1 FACTA ID Theft Programs Auditing for Compliance Steven Nyren, CRCM Sheshunoff Consulting & Solutions BCAC Program – September 2008.

1 FACTA ID Theft Programs Auditing for Compliance Steven Nyren, CRCM Sheshunoff Consulting & Solutions BCAC Program – September 2008.
© 2004 ERPS Sarbanes-Oxley Best Practices in an Oracle Applications Environment Jeffrey T. Hare, CPA ERP Seminars.

© 2004 ERPS Sarbanes-Oxley Best Practices in an Oracle Applications Environment Jeffrey T. Hare, CPA ERP Seminars.
Travel and Expense Management Scenario Overview

Travel and Expense Management Scenario Overview
SAP Travel OnDemand Travel and Expense Management

SAP Travel OnDemand Travel and Expense Management
Sarbanes-Oxley Compliance Process Automation

Sarbanes-Oxley Compliance Process Automation
SOX and IT Audit Programs John R. Robles Thursday, May 31, 2007 Tel: 787-647-396.

SOX and IT Audit Programs John R. Robles Thursday, May 31, Tel:
The TRUTH About SOX, Auditors & Oracle Applimation is the leading provider of Application Lifecycle Management solutions.

The TRUTH About SOX, Auditors & Oracle Applimation is the leading provider of Application Lifecycle Management solutions.
OAUG SOX Panel Krista Ladd Oracle Applications Manager Silicon Image, Inc.

OAUG SOX Panel Krista Ladd Oracle Applications Manager Silicon Image, Inc.
…optimise your IT investments Spreadsheet Management Maturity Model Philip Howard Research Director – Bloor Research.

…optimise your IT investments Spreadsheet Management Maturity Model Philip Howard Research Director – Bloor Research.
ProCognis SOX 404 & COSO Implementation Presentation

ProCognis SOX 404 & COSO Implementation Presentation
1 SAP Security and Controls Use of Security Compliance Tools to Detect and Prevent Security and Controls Violations.

1 SAP Security and Controls Use of Security Compliance Tools to Detect and Prevent Security and Controls Violations.
COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.

COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.
Sales & Cash Receipts Transactions By David N. Ricchiute

Sales & Cash Receipts Transactions By David N. Ricchiute
1 Business Continuity and Compliance Working Together Kristy Justice, AVP WaMu Card Services 08/19/2008.

1 Business Continuity and Compliance Working Together Kristy Justice, AVP WaMu Card Services 08/19/2008.
Common Change Management Challenges for Companies Running Oracle Applications Presented by: Jeffrey T. Hare, CPA CISA CIA ERP Seminars.

Common Change Management Challenges for Companies Running Oracle Applications Presented by: Jeffrey T. Hare, CPA CISA CIA ERP Seminars.
SAS 112: The New Auditing Standard Jim Corkill Controller Accounting Services & Controls.

SAS 112: The New Auditing Standard Jim Corkill Controller Accounting Services & Controls.
Database Auditing Models Dr. Gabriel. 2 Auditing Overview Audit examines: documentation that reflects (from business or individuals); actions, practices,

Database Auditing Models Dr. Gabriel. 2 Auditing Overview Audit examines: documentation that reflects (from business or individuals); actions, practices,

Similar presentations

Ads by Google