and Risk
Brandon Sprankle, Director, PwC
In-Depth Seminars D31
CRISC
CGEIT
CISM
CISA
Agenda
1. Introduction
2. Overview of ERP security architecture
3. Key ERP security models
4. Building and executing ERP security audit plan
5. ERP security audit example: Oracle E-Business Suite R12
6. Summary
7. Questions
2013 Fall Conference Sail to Success
September 30 October 2, 2013
INTRODUCTION
9/24/2013
Figure: the stack an ERP audit has to cover, from the top down: ERP -> Database -> Operating System -> Network
ERP Security
The specifics depend on the application, but all major ERP products share these traits:
User accounts (including superuser / admin accounts)
Roles / responsibilities (grouping functions, forms, data and reports)
Permissions (the functions allowed within, or outside of, those roles)
Figure: responsibility structure. Organization -> Responsibility (Ledger 1: GL Controller, AR Inquiry; Ledger 2: AP Payment Supervisor) -> Menu -> Sub-Menu
Figure: SAP Authorization Structure. User -> Profiles (simple vs composite) -> Authorizations (with field values) -> Authorization objects (with fields) -> Authorization class
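The figure is easier to reason about with the check that actually runs against it. The following is an added example (not from the presentation and not SAP code): a simplified model of user -> profile -> authorization -> object -> fields, with an authority check that behaves the way an ABAP AUTHORITY-CHECK does, namely that one single authorization must satisfy every checked field; values from two different authorizations are never combined. The object names S_TCODE and F_BKPF_BUK and their fields are real SAP names; the authorization class names, profile names and user data are constructed for illustration.

```python
"""
Added example, not SAP code: a simplified model of the SAP authorization
structure (user -> profiles -> authorizations -> objects -> fields) and an
authority check in the style of ABAP AUTHORITY-CHECK.
Object/field names S_TCODE/TCD and F_BKPF_BUK/BUKRS,ACTVT are real SAP names;
class names, profile names and the user below are constructed.
"""
from dataclasses import dataclass, field

# Authorization object -> (authorization class, fields). Class names assumed.
AUTH_OBJECTS = {
    "S_TCODE": ("AAAB", ("TCD",)),               # permission to start a transaction code
    "F_BKPF_BUK": ("FI", ("BUKRS", "ACTVT")),    # accounting documents per company code + activity
}

@dataclass
class Authorization:
    object_name: str
    values: dict  # field -> set of allowed values; "*" or a trailing "*" is a wildcard

@dataclass
class Profile:
    name: str
    authorizations: list = field(default_factory=list)
    sub_profiles: list = field(default_factory=list)  # non-empty => composite profile

    def all_authorizations(self):
        """Walk a simple profile, or a composite profile and everything nested in it."""
        yield from self.authorizations
        for p in self.sub_profiles:
            yield from p.all_authorizations()

@dataclass
class User:
    name: str
    profiles: list

def value_allowed(allowed, value):
    for a in allowed:
        if a == "*" or a == value:
            return True
        if a.endswith("*") and value.startswith(a[:-1]):
            return True
    return False

def authority_check(user, object_name, **required):
    """True only if ONE authorization for the object satisfies every checked field.
    A user holding (BUKRS=1000, ACTVT=03) and (BUKRS=2000, ACTVT=01) separately is
    therefore NOT allowed to create (01) in company code 1000."""
    _cls, fields = AUTH_OBJECTS[object_name]
    unknown = set(required) - set(fields)
    if unknown:
        raise ValueError(f"{object_name} has no field(s) {sorted(unknown)}")
    for profile in user.profiles:
        for auth in profile.all_authorizations():
            if auth.object_name != object_name:
                continue
            if all(value_allowed(auth.values.get(f, set()), v) for f, v in required.items()):
                return True
    return False

def sample_user():
    """Constructed data: a composite profile made of two simple profiles."""
    fi_display = Profile("Z_FI_DISPLAY", [
        Authorization("S_TCODE", {"TCD": {"FB03"}}),                       # display document
        Authorization("F_BKPF_BUK", {"BUKRS": {"1000"}, "ACTVT": {"03"}}),  # 03 = display
    ])
    fi_post_2000 = Profile("Z_FI_POST_2000", [
        Authorization("S_TCODE", {"TCD": {"FB*"}}),                        # any FB* transaction
        Authorization("F_BKPF_BUK", {"BUKRS": {"2000"}, "ACTVT": {"01", "02", "03"}}),
    ])
    composite = Profile("Z_FI_CLERK", sub_profiles=[fi_display, fi_post_2000])
    return User("JDOE", [composite])

if __name__ == "__main__":
    u = sample_user()
    for bukrs, actvt in (("1000", "03"), ("1000", "01"), ("2000", "01")):
        print(f"F_BKPF_BUK BUKRS={bukrs} ACTVT={actvt}:",
              authority_check(u, "F_BKPF_BUK", BUKRS=bukrs, ACTVT=actvt))
```

The second case (company code 1000, activity 01) is the one auditors get wrong when they read authorization values out of a profile as a flat list: the user has "1000" somewhere and "01" somewhere, but not in the same authorization, so the check fails.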
Long-term Sustainability
Figure (repeated): the audit plan covers each layer: ERP -> Database -> Operating System -> Network
Figure (repeated): responsibility structure in the example. Responsibility (Ledger 1: GL Controller; Ledger 2: AR Inquiry, AP Payment Supervisor) -> Menu -> Sub-Menu
Control:
Control:
Proxy-user privileges are granted only on an exceptional basis, with proper approval, and a procedure exists to monitor proxy-user activity. Each such delegation should also be end-dated by the delegating user.
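The responsibility model and this proxy control come together in the access review. The following is an added example (not from the presentation and not Oracle's code) of the checks such a review runs: active responsibilities per user are derived from start/end dates, a segregation-of-duties rule is applied to them, and proxy delegations that are still active are flagged when they lack an end date or an approval. The record layouts, the SoD rule (GL Controller plus AP Payment Supervisor) and all user data are constructed; on a real engagement the data would come from the application's own user/responsibility reports or from GRC tooling.

```python
"""
Added example, not from the presentation and not Oracle code: an access
review over constructed user/responsibility assignments and proxy grants.
Record layouts, the SoD rule and the sample users are assumptions.
"""
from collections import namedtuple
from datetime import date

# Constructed layouts. A responsibility assignment or a proxy grant is "active"
# on a day if it has started and is either open-ended or has not yet ended.
Assignment = namedtuple("Assignment", "user responsibility start_date end_date")
ProxyGrant = namedtuple("ProxyGrant", "delegator proxy start_date end_date approved")

# Constructed SoD rule: posting journals and releasing payments must not sit with one person.
SOD_CONFLICTS = [frozenset({"GL Controller", "AP Payment Supervisor"})]

AS_OF = date(2013, 9, 24)  # review date

def is_active(start, end, as_of):
    return start <= as_of and (end is None or end >= as_of)

def active_responsibilities(assignments, as_of):
    """user -> set of responsibilities active on the review date."""
    by_user = {}
    for a in assignments:
        if is_active(a.start_date, a.end_date, as_of):
            by_user.setdefault(a.user, set()).add(a.responsibility)
    return by_user

def find_sod_conflicts(assignments, as_of):
    findings = []
    for user, resps in sorted(active_responsibilities(assignments, as_of).items()):
        for pair in SOD_CONFLICTS:
            if pair <= resps:  # user holds every responsibility in the conflicting pair
                findings.append(("SOD_CONFLICT", user, " + ".join(sorted(pair))))
    return findings

def find_proxy_issues(proxies, as_of):
    """Active delegations must be approved and end-dated by the delegating user."""
    findings = []
    for g in proxies:
        if not is_active(g.start_date, g.end_date, as_of):
            continue  # expired or not yet started: nothing to report
        if g.end_date is None:
            findings.append(("PROXY_NOT_END_DATED", g.delegator, g.proxy))
        if not g.approved:
            findings.append(("PROXY_NOT_APPROVED", g.delegator, g.proxy))
    return findings

def audit(assignments, proxies, as_of):
    return find_sod_conflicts(assignments, as_of) + find_proxy_issues(proxies, as_of)

def sample_assignments():
    """Constructed data. asmith's AP responsibility was end-dated, so it no longer counts."""
    return [
        Assignment("jdoe", "GL Controller", date(2012, 1, 1), None),
        Assignment("jdoe", "AP Payment Supervisor", date(2013, 3, 1), None),
        Assignment("asmith", "GL Controller", date(2012, 1, 1), None),
        Assignment("asmith", "AP Payment Supervisor", date(2013, 1, 1), date(2013, 6, 30)),
        Assignment("bkim", "AR Inquiry", date(2013, 5, 1), None),
    ]

def sample_proxies():
    """Constructed data: one open-ended delegation, one unapproved, one clean."""
    return [
        ProxyGrant("jdoe", "asmith", date(2013, 9, 1), None, True),
        ProxyGrant("bkim", "asmith", date(2013, 9, 10), date(2013, 10, 10), False),
        ProxyGrant("asmith", "bkim", date(2013, 9, 15), date(2013, 10, 15), True),
    ]

if __name__ == "__main__":
    for finding in audit(sample_assignments(), sample_proxies(), AS_OF):
        print(*finding)
```

The end-date test is deliberately done against the review date rather than by looking for a non-null value: an assignment with an end date in the past is simply inactive and drops out, which is what a reviewer wants, while an active delegation with no end date at all is the exception the control says must not persist.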
Remediation Efforts
The company accepted all findings after discussion.
The access issues were remediated in approximately two months.
The company decided to implement Oracle GRC going forward to monitor security on a continuous basis.
SUMMARY
Questions?
Thank you for your time