Presentation Agenda
Overview:
Segregation of Duties Best Practices
Instance Management Best Practices
SuperUser Access Best Practices
Application Security Best Practices
IT Security Best Practices
Key Setups Best Practices
Tools and Automation Best Practices
Change Management Best Practices
Other SOX Issues
2004 ERPS
3. Not proactive.
4. Violations found during future IT audits will be costly as you try to prove that the conflicts did not have a material impact on the financial statements (hint: make sure you have an audit trail!).
5. Very manual.
Translate those conflicts from business terms into your application's terms. In Oracle terms these are the functions that are assigned to a menu.
Have a strict policy on SQL updates in all instances.
Make sure any updates are well-documented and include management approval (functional and technical management).
Develop and maintain an audit trail.
Have setups, new development, and SQL scripts migrated from non-Prod environments to Prod by the DBA.
Identify and end-date all generic logins, since they hide the identity of the person and eliminate an effective audit trail.
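The two checks above (translate the conflict matrix into menu functions, then find who holds both halves; and find generic logins that are still active) are worked through below as an added example. It is not code from the ERP Seminars slides: the row shapes are loosely modelled on the EBS FND tables (FND_USER, FND_USER_RESP_GROUPS, FND_RESPONSIBILITY, FND_COMPILED_MENU_FUNCTIONS, FND_FORM_FUNCTIONS), but the column subsets, the function names and every sample row are constructed assumptions, not a live extract.

```python
"""Added example, not from the ERP Seminars slides: a user-access review
over constructed sample data whose shape is loosely modelled on Oracle
E-Business Suite FND tables. Column subsets, function names and rows are
assumptions for illustration, not a live extract."""
from datetime import date

AS_OF = date(2004, 9, 1)  # constructed review date

# Constructed rows: (user_id, user_name, employee_id, end_date)
FND_USER = [
    (1, "JSMITH", 101, None),
    (2, "MBROWN", 102, None),
    (3, "APCLERK", None, None),               # generic login, still active
    (4, "OLDTEMP", None, date(2004, 1, 31)),  # generic login, end-dated
]
# Constructed rows: (user_id, responsibility_id, end_date)
FND_USER_RESP_GROUPS = [
    (1, 10, None),
    (1, 11, None),
    (2, 11, None),
    (2, 12, date(2003, 12, 31)),  # expired assignment, must not count
    (3, 10, None),
    (4, 10, None),                # belongs to an end-dated user
]
# responsibility_id -> menu_id
FND_RESPONSIBILITY = {10: 100, 11: 101, 12: 102}
# Constructed rows: (menu_id, function_id, grant_flag); "N" = not granted
FND_COMPILED_MENU_FUNCTIONS = [
    (100, 1000, "Y"), (100, 1001, "Y"),
    (101, 1002, "Y"), (101, 1000, "N"),
    (102, 1001, "Y"),
]
# function_id -> function name (constructed names, not real EBS functions)
FND_FORM_FUNCTIONS = {1000: "AP_INVOICE_ENTRY", 1001: "AP_PAYMENT",
                      1002: "AP_SUPPLIER_MAINT"}

# The conflict matrix translated from business terms into function pairs.
SOD_CONFLICTS = [
    ("AP_INVOICE_ENTRY", "AP_PAYMENT"),    # enter an invoice and pay it
    ("AP_SUPPLIER_MAINT", "AP_PAYMENT"),   # create a supplier and pay it
]


def is_active(end_date, as_of=AS_OF):
    """An end date in the future (or none at all) means still active."""
    return end_date is None or end_date >= as_of


def user_functions(as_of=AS_OF):
    """Map each active user to the set of functions reachable through
    active responsibility assignments (responsibility -> menu -> function)."""
    menu_grants = {}
    for menu_id, function_id, grant_flag in FND_COMPILED_MENU_FUNCTIONS:
        if grant_flag == "Y":
            menu_grants.setdefault(menu_id, set()).add(
                FND_FORM_FUNCTIONS[function_id])
    active_users = {uid: name for uid, name, _, end in FND_USER
                    if is_active(end, as_of)}
    result = {name: set() for name in active_users.values()}
    for user_id, resp_id, end_date in FND_USER_RESP_GROUPS:
        if user_id in active_users and is_active(end_date, as_of):
            menu_id = FND_RESPONSIBILITY[resp_id]
            result[active_users[user_id]] |= menu_grants.get(menu_id, set())
    return result


def sod_violations(as_of=AS_OF):
    """(user, function_a, function_b) for every user holding both halves
    of a conflict pair; keep this output as the audit trail."""
    hits = []
    for user, funcs in user_functions(as_of).items():
        for a, b in SOD_CONFLICTS:
            if a in funcs and b in funcs:
                hits.append((user, a, b))
    return sorted(hits)


def active_generic_logins(as_of=AS_OF):
    """Logins with no employee behind them that have not been end-dated."""
    return sorted(name for _, name, employee_id, end in FND_USER
                  if employee_id is None and is_active(end, as_of))


if __name__ == "__main__":
    for row in sod_violations():
        print("SoD conflict:", *row)
    print("Generic logins to end-date:", active_generic_logins())
```

Run it as a scheduled report rather than a one-off: the end-date handling on both the user and the responsibility assignment is what keeps it from being the "very manual" review the earlier slide warns about, and the sorted output is stable enough to diff between runs.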
Remember, most theft happens from within, not from external sources.
IT Security BP
Here is a sampling of IT Security Best Practices:
Apply the overall framework of CobiT. See www.erpseminars.com/links for more information.
Segregation of functions in IT for the DBA, Sys Admin, and Developer roles.
Full System Administrator responsibility limited to the Sys Admin group in all instances.
IT Security BP
Here is a sampling of IT Security Best Practices:
Lock down the Help -> Examine functionality by:
Making applicable forms read-only via QUERY_ONLY=YES in the Form Functions screen
Eliminating it altogether by setting the following profile option: Utilities:Diagnostics to No
ICX:Session Timeout: default is none; recommend 30 minutes, which times out idle sessions (the user can still re-authenticate)
ICX: Limit Time
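A baseline check for the lock-down settings on this slide, written as an added example rather than taken from the slides. It runs over constructed rows: profile values are modelled with a simplified site / responsibility / user hierarchy in the spirit of how EBS levels profile options, and the stored encodings ("Y"/"N", the timeout in minutes as a string, QUERY_ONLY=YES inside a function's parameter string), the function names and every row are assumptions. ICX: Limit Time is left out because the slide gives no value for it.

```python
"""Added example, not from the slides: check Utilities:Diagnostics,
ICX:Session Timeout and QUERY_ONLY=YES against the slide's recommended
values over constructed data. Encodings, names and rows are assumptions."""

# Recommended values taken from the slide.
BASELINE = {
    "Utilities:Diagnostics": ("equals", "N"),
    "ICX:Session Timeout": ("at_most_minutes", 30),
}

# Constructed rows: (profile_name, level, level_value, value)
PROFILE_VALUES = [
    ("Utilities:Diagnostics", "SITE", None, "N"),
    ("Utilities:Diagnostics", "USER", "JSMITH", "Y"),  # override defeats site lock
    ("ICX:Session Timeout", "SITE", None, None),        # unset: never times out
    ("ICX:Session Timeout", "RESP", "SYSTEM_ADMINISTRATOR", "15"),
]

# Constructed rows: function name -> parameter string on the Form Functions screen
FORM_FUNCTION_PARAMS = {
    "AP_INVOICE_INQUIRY": "QUERY_ONLY=YES",
    "AR_CUSTOMER_INQUIRY": "",      # inquiry form left updatable
    "AP_INVOICE_ENTRY": "",         # entry form, updates are expected
}
# Constructed: which of those functions are meant to be inquiry-only
INQUIRY_FUNCTIONS = {"AP_INVOICE_INQUIRY", "AR_CUSTOMER_INQUIRY"}


def check_profile(profile, value):
    """Return None when the value meets the baseline, else a reason string."""
    kind, expected = BASELINE[profile]
    if kind == "equals":
        return None if value == expected else f"is {value!r}, expected {expected!r}"
    if kind == "at_most_minutes":
        if value is None:
            return "not set, sessions never time out"
        try:
            minutes = int(value)
        except ValueError:
            return f"unparseable value {value!r}"
        return None if minutes <= expected else f"{minutes} min exceeds {expected} min"
    raise ValueError(f"unknown check kind {kind!r}")


def profile_findings(rows=PROFILE_VALUES):
    """Check every level, not just SITE: a responsibility- or user-level
    override wins at runtime, so it silently undoes the site value."""
    findings = []
    for profile, level, level_value, value in rows:
        if profile not in BASELINE:
            continue
        reason = check_profile(profile, value)
        if reason:
            findings.append((profile, level, level_value or "", reason))
    return sorted(findings)


def updatable_inquiry_forms(params=FORM_FUNCTION_PARAMS, inquiry=INQUIRY_FUNCTIONS):
    """Inquiry functions whose parameter string lacks QUERY_ONLY=YES."""
    return sorted(f for f in inquiry
                  if "QUERY_ONLY=YES" not in params.get(f, "").upper())


if __name__ == "__main__":
    for finding in profile_findings():
        print("profile:", *finding)
    print("forms missing QUERY_ONLY=YES:", updatable_inquiry_forms())
```

The point of checking every level is the first finding: the site value is compliant, yet one user-level override re-enables diagnostics for that user, which a site-only report would never show.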
IT Security BP
IT Security Best Practices Sampling, cont'd:
Remediate Apps/Apps access from custom development (reports, VB, Access databases, BI systems, etc.).
Regularly change the Apps password (no less often than every 90 days). Apps password limited to the DBA group.
Change all schema passwords upon initial installation. Have the DBA maintain them.
Mask or scramble sensitive data in non-production instances. Note the potential impact on testing plans and strategies when comparing to production results.
IT Security BP
IT Security Best Practices Sampling, cont'd:
IT Security BP
IT Security Best Practices Sampling, cont'd:
Key Setups BP
Key Setups Best Practices Overview:
Foundational Setups Best Practices
Core Financials Best Practices
Using Request Sets to Disseminate Critical Business Information
Using Workflow Mailer and the Scheduling Function to Monitor Key Controls
Using ADI and the Analysis Wizard to Report and Analyze Financial Data
Key Setups BP
Foundational Setups Best Practices:
Cross Validation Rules and Security Rules should be maintained by the same person or group that adds values to your Chart of Accounts segments and makes changes to the row sets for your FSGs.
Use Security Rules to prevent the update of control accounts such as AR, AP, PO Accrual, Prepayments, Unapplied Receipts, On Account Receipts, and Inventory Control Accounts. Also secure Owners' Equity Accounts so that only key GL personnel can update them.
Use Suspense Accounts, where possible, to isolate data for reconciling purposes at month end.
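How a Security Rule on the account segment keeps control accounts out of reach is shown below as an added example; it is not code from the slides. The model is simplified: a rule is a list of Include/Exclude elements, each a low..high range of segment values, a value passes when it lies in at least one Include range and in no Exclude range, and all rules assigned to a responsibility must pass. Account numbers, rule names, responsibilities and the sample journal are constructed for illustration.

```python
"""Added example, not from the slides: a simplified model of flexfield
Security Rules on the natural-account segment, run over constructed data.
Accounts, rule names, responsibilities and journal lines are assumptions."""

# Constructed control accounts the slide says to protect.
CONTROL_ACCOUNTS = {
    "1200": "AR Receivables",
    "1250": "Unapplied Receipts",
    "1400": "Inventory",
    "2100": "AP Liability",
    "2150": "PO Accrual",
    "3000": "Owners' Equity",
}

# rule name -> list of (type, low, high). Ranges are compared as strings,
# which matches fixed-width numeric segment values. Each rule starts with
# a full-range Include: in this model a rule with only Exclude elements
# allows nothing at all.
SECURITY_RULES = {
    "Exclude Subledger Control": [
        ("Include", "0000", "9999"),
        ("Exclude", "1200", "1250"),
        ("Exclude", "1400", "1400"),
        ("Exclude", "2100", "2150"),
        ("Exclude", "3000", "3999"),   # equity reserved for key GL staff
    ],
    "GL Equity Allowed": [
        ("Include", "0000", "9999"),
        ("Exclude", "1200", "1250"),
        ("Exclude", "1400", "1400"),
        ("Exclude", "2100", "2150"),
    ],
}

# responsibility -> assigned rules (an empty list means unrestricted)
RULE_ASSIGNMENTS = {
    "AP_CLERK": ["Exclude Subledger Control"],
    "GL_SUPERVISOR": ["GL Equity Allowed"],
    "GL_SUPERUSER": [],
}

# Constructed journal: (line_no, account)
SAMPLE_JOURNAL = [(1, "6100"), (2, "2100"), (3, "3000"), (4, "1400")]


def value_allowed(rule_elements, value):
    """In at least one Include range and in no Exclude range."""
    included = any(t == "Include" and lo <= value <= hi
                   for t, lo, hi in rule_elements)
    excluded = any(t == "Exclude" and lo <= value <= hi
                   for t, lo, hi in rule_elements)
    return included and not excluded


def allowed_for(responsibility, value):
    """Every rule assigned to the responsibility must allow the value."""
    return all(value_allowed(SECURITY_RULES[rule], value)
               for rule in RULE_ASSIGNMENTS[responsibility])


def rejected_lines(responsibility, journal_lines=SAMPLE_JOURNAL):
    """(line_no, account, reason) for each line the responsibility may not
    enter; an empty list means the whole journal would be accepted."""
    out = []
    for line_no, account in journal_lines:
        if not allowed_for(responsibility, account):
            reason = CONTROL_ACCOUNTS.get(account, "excluded by rule")
            out.append((line_no, account, reason))
    return out


if __name__ == "__main__":
    for resp in RULE_ASSIGNMENTS:
        print(resp, "rejected:", rejected_lines(resp))
```

The unrestricted GL_SUPERUSER responsibility is the case to watch in the review: a rule set is only as good as its assignments, so list responsibilities with no security rule alongside the rules themselves.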
Key Setups BP
Foundational Setups Best Practices:
Lock down the Value Set update form to allow updates only to the AKFF value set, via a Custom Library extension.
Remove setup menus from all users in Prod.
Enable audit trail on the setup forms for all applications and on key masters (customer, supplier, item, etc.) to provide a proper audit trail.
Key Setups BP
Core Financials Best Practices, General Ledger:
Implement the new Journal Approval functionality.
Develop spreadsheet controls around the spreadsheets that develop and upload Journal Entries.
Attach supporting spreadsheets to the JE to facilitate journal approval review and an on-line audit trail.
Key Setups BP
Core Financials Best Practices, Accounts Receivable:
Break apart the Customer Form into Sales, Credit, Collections, and Treasury views based on update needs (custom library).
Control access to Credit Memos via an approval workflow (coming in 11.5.10).
Implement lockbox to avoid handling cash and to automate cash receipts entry.
Review Transaction Type setups; allow access to high-risk Transaction Types to only certain employees (custom library).
Key Setups BP
Core Financials Best Practices, Accounts Receivable:
Mask at the DB level and hide fields at the forms level for sensitive customer credit card information.
Identify thresholds for major events and develop appropriate Alerts or Workflow processes to monitor:
Key Setups BP
Core Financials Best Practices, Accounts Payable:
Send the Positive Pay file daily.
Implement the new Invoice Approval workflow process.
Mask at the DB level and hide fields at the forms level for sensitive supplier bank information.
Key Setups BP
Using ADI and the Analysis Wizard to Report and Analyze Financial Data:
Harness the power of ADI.
Publish a budget-to-actual P&L in ADI.
Use themes and conditional formatting to highlight categories greater than budget by a certain amount or %.
Double-click on cells of actuals where they exceed budget figures to drill into the GL, then to Payables.
Use 11i's new architecture in Payables to drill from the GL back into Payables detail information (supplier, invoice, purchase order, etc.).
Examples:
Dissemination of expense information via the Account Analysis Report with Payables Detail (using a shared parameter for the period, but defaulting the cost center for each request in the set).
Dissemination of Aging by Salesperson: queue it to run nightly or weekly for the various salespersons (default the salesperson for each request in the set), combine it with the scheduling function, and deliver it via the workflow mailer so salespeople don't need access to the AR system.
Users of a Responsibility report delivered to Internal Audit for key responsibilities (System Administrator, Workflow Administrator, etc.).
In the Options tab when submitting a concurrent request, choose Name in the Notify section.
Change Management BP
Elements of a change management document:
Document Control section
Reviewers section
Recap of issue
Nature of the change
Impact Analysis of Change (DBA/Developer)
Development Plan
Training Plan (SOX)
Testing Plan (SOX)
Communication Plan
Documentation Plan (SOX)
Process Documentation (SOX)
Controls Testing Strategy (SOX)
Segregation of Duties Impact Analysis (SOX)
System Security Plan
Transition Plan
Contingency Plan
Reviewer Sign-Off section
Key transactional setups in each module (examples include Supplier Master, Customer Master, Item Master, etc.)
These will be heavily audited for compliance with proper change management practices. Efficient reporting of changes to these setups needs to be developed.
Interface cleanup
Q4/Year End earnings release analyst calls 1/2005, 2/2005
Q&A
Cell for Jeff: 602-769-9049
E-mail: jhare@erpseminars.com
Website: www.erpseminars.com (request various WPs)
Fall seminar series: Dallas, Chicago, Minneapolis, NorCal, SoCal, Boston, Philadelphia
Spring seminar series will probably include Atlanta
#1 Action Point for you! Sign up for the Oracle SOX eGroup at http://groups.yahoo.com/group/OracleSox/
Working on the following White Papers: BP for SuperUser Access, BP for IT Security, BP for DBAs, BP for Developers, BP in an Upgrade/Implementation
Leave a card if you want copies of the slides