Introduction
2008 Protiviti Inc. Confidential: This document is for internal use only and may not be distributed to an outside party.
Oracle Implementation/Upgrade
- People: users/roles
- Processes: business flows
- Technology: Oracle Applications
Training Objectives
- Segregation of Duties (SoD) overview
- SoD assessment approach
- SoD assessment case study
- Control areas to consider during an upgrade or implementation project to prevent future stand-alone remediation projects
2007 Protiviti Inc. Confidential: This document is for internal use only and may not be distributed to an outside party.
An essential feature of segregation of duties or responsibilities within an organization is that no one employee or group of employees has exclusive control over any transaction or group of transactions.
Incompatible duties:
- Transaction processing
- Transaction approvals
- Reconciliations

Two-way SoD conflict: an individual can perform two of these four duties for a given asset.
Analyze
- Perform assessments via the Protiviti Assure methodology
- Deploy on internal audit and SOX clients or new clients to prove the case (ERP assessments)

Standardize
- Continuous monitoring software
- Automate clean-up of security/SoD issues
- Design automated controls
- Re-engineer the SOX testing approach
- Design controls into new implementations

Automate
- Implement continuous monitoring systems
Approach:
1. Review the initial SoD conflict and Sensitive Abilities results using ICM (Oracle Internal Controls Manager) constraint reports.
2. Identify any false positives and enter the appropriate waivers in ICM.
3. Review the remaining SoD conflict and Sensitive Abilities results with the appropriate business owners to determine what security changes can be made to resolve the issues.
4. Develop mitigating control suggestions, based on input from management, to address the remaining conflicts.
Inter-Responsibility Conflict: the two incompatible functions reach the user through different responsibilities. Neither responsibility is conflicting on its own; the combination assigned to the user is.

Intra-Responsibility Conflict: a single responsibility (through its menu) grants both incompatible functions, so every user holding that responsibility has the conflict regardless of what else is assigned to them.
Conflicts identified in the case study:
- Enter Cash Receipts / Approve Invoice Adjustments
- Maintain Customer Profile / Enter Sales Orders
- Maintain Customer Profile / Maintain Misc Cash Receipts

Risks associated with these conflicts:
- Hiding a cash receipt
- Unauthorized credit given to customers
- Unauthorized write-off of invoices
- Unauthorized sales order and shipment of goods
- Unauthorized changes to customer records

Compensating controls:
- Customer statements
- SoD over handling, logging and depositing of checks received from customers
- Bank reconciliations
- Review of open RMAs
- Review of reversed cash receipts; cash receipt deletion not allowed by the system
- Review of AR aging

Configurable controls:
- Sales Order Approval workflow
- Approval limits
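The following is an added example, not Protiviti's or Oracle's code, showing steps 1 and 2 of the assessment approach (conflict detection, then waivers for reviewed false positives) and the inter- versus intra-responsibility distinction in working form. It models the Oracle E-Business Suite security chain user -> responsibility -> menu (nested) -> form functions, minus responsibility-level function exclusions. Every user, responsibility, menu and function name is constructed sample data; the first three rules are the case-study conflict pairs above, and the fourth (Enter Sales Orders / Release Holds) is an assumed rule added to illustrate excluding Release Holds from an order-entry responsibility.

```python
"""Toy SoD analyser over an Oracle EBS-style security model (added example).
All identifiers below are constructed sample data, not real seeded objects."""

# menu name -> (submenus, functions attached directly to this menu)
MENUS = {
    "AR_SUPER_MENU":     (["AR_RECEIPTS_MENU", "AR_CUSTOMERS_MENU"], ["AR_APPROVE_INV_ADJ"]),
    "AR_RECEIPTS_MENU":  ([], ["AR_ENTER_CASH_RECEIPTS", "AR_MISC_CASH_RECEIPTS"]),
    "AR_CUSTOMERS_MENU": ([], ["AR_MAINT_CUST_PROFILE"]),
    "OM_CLERK_MENU":     (["OM_ORDERS_MENU"], []),
    "OM_ORDERS_MENU":    ([], ["OM_ENTER_SALES_ORDERS", "OM_RELEASE_HOLDS"]),
}

# responsibility -> (top menu, functions excluded at responsibility level)
RESPONSIBILITIES = {
    "AR_SUPERUSER":       ("AR_SUPER_MENU", set()),
    "AR_RECEIPTS_CLERK":  ("AR_RECEIPTS_MENU", set()),
    "AR_CUSTOMER_MAINT":  ("AR_CUSTOMERS_MENU", set()),
    "OM_ORDER_CLERK":     ("OM_CLERK_MENU", {"OM_RELEASE_HOLDS"}),  # hold release excluded
    "OM_ORDER_CLERK_OLD": ("OM_CLERK_MENU", set()),                 # before the exclusion
}

USERS = {
    "jsmith": ["AR_SUPERUSER"],
    "mjones": ["AR_RECEIPTS_CLERK", "AR_CUSTOMER_MAINT"],
    "akhan":  ["OM_ORDER_CLERK"],
    "bliu":   ["OM_ORDER_CLERK_OLD"],
}

# rule name -> the two incompatible functions
RULES = {
    "Enter Cash Receipts / Approve Invoice Adjustments":
        ("AR_ENTER_CASH_RECEIPTS", "AR_APPROVE_INV_ADJ"),
    "Maintain Customer Profile / Enter Sales Orders":
        ("AR_MAINT_CUST_PROFILE", "OM_ENTER_SALES_ORDERS"),
    "Maintain Customer Profile / Maintain Misc Cash Receipts":
        ("AR_MAINT_CUST_PROFILE", "AR_MISC_CASH_RECEIPTS"),
    "Enter Sales Orders / Release Holds":  # assumed rule, not from the case study
        ("OM_ENTER_SALES_ORDERS", "OM_RELEASE_HOLDS"),
}

# (user, rule) pairs reviewed and waived as false positives (step 2 of the approach)
WAIVERS = {("mjones", "Maintain Customer Profile / Maintain Misc Cash Receipts")}


def menu_functions(menu, menus=MENUS, _seen=None):
    """All functions reachable from a menu, following submenus (cycle-safe)."""
    seen = set() if _seen is None else _seen
    if menu in seen:
        return set()
    seen.add(menu)
    submenus, functions = menus[menu]
    found = set(functions)
    for sub in submenus:
        found |= menu_functions(sub, menus, seen)
    return found


def effective_functions(resp, responsibilities=RESPONSIBILITIES, menus=MENUS):
    """Functions a responsibility actually grants: its menu tree minus exclusions."""
    top_menu, excluded = responsibilities[resp]
    return menu_functions(top_menu, menus) - excluded


def find_conflicts(users=USERS, rules=RULES, responsibilities=RESPONSIBILITIES, menus=MENUS):
    """One record per (user, rule) hit, classified intra or inter-responsibility."""
    conflicts = []
    for user, resps in users.items():
        granted = {}  # function -> responsibilities granting it to this user
        for resp in resps:
            for fn in effective_functions(resp, responsibilities, menus):
                granted.setdefault(fn, set()).add(resp)
        for rule, (fn_a, fn_b) in rules.items():
            if fn_a not in granted or fn_b not in granted:
                continue
            shared = granted[fn_a] & granted[fn_b]   # one responsibility grants both?
            kind = "intra" if shared else "inter"
            via = sorted(shared) if shared else sorted(granted[fn_a] | granted[fn_b])
            conflicts.append({"user": user, "rule": rule, "kind": kind, "via": via})
    return conflicts


def open_conflicts(conflicts, waivers=WAIVERS):
    """Drop waived false positives; what remains goes to the business owners (step 3)."""
    return [c for c in conflicts if (c["user"], c["rule"]) not in waivers]


if __name__ == "__main__":
    for c in open_conflicts(find_conflicts()):
        print(f'{c["user"]:8} {c["kind"]:5} {c["rule"]}  via {", ".join(c["via"])}')
```

The distinction matters for remediation: an inter-responsibility hit (mjones) is fixed by changing one user's assignments, whereas an intra-responsibility hit (jsmith, bliu) is fixed only by redesigning the responsibility or adding an exclusion, which is what turns OM_ORDER_CLERK_OLD into the clean OM_ORDER_CLERK.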
Additional Recommendations
The following improvements would eliminate the need for compensating controls:

- Restrict access to Release Holds separately from Sales Order entry. Access to the Sales Order form is required to release holds, but the Release Holds function itself should be excluded (for example through a responsibility-level function exclusion) from users who should NOT be able to release an order. Best practice is to restrict it to the credit management staff who approve the release of a credit hold on an order; this is normally the higher-risk area of Sales Order processing.
- Rearrange department responsibilities so that supervisors are approvers and reviewers only, not doers. Supervisor access becomes mostly view-only, except for the approval of transactions; the team has the access to process transactions, and supervisors approve any changes or adjustments and delegate the processing to their teams.
- Functions with inquiry-only access should be designated as View Only in the function name to simplify future audit activities. This is done by creating a copy of the normal function, giving it a name containing "View Only", and adding the parameter QUERY_ONLY="YES" to the function. Clearly designated functions are more easily justified during access reviews. The caveat is that the name is only a label; the QUERY_ONLY parameter is what actually restricts the form, so a review should confirm that the two agree rather than trust the name alone.
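An added example (not from the original page or from Oracle) of the check that the View Only naming convention invites: find form functions whose name claims View Only but which lack QUERY_ONLY="YES", and query-only functions whose name gives no hint. It uses an in-memory SQLite stand-in for the two Oracle EBS tables the check touches, FND_FORM_FUNCTIONS (FUNCTION_ID, FUNCTION_NAME, PARAMETERS) and FND_FORM_FUNCTIONS_TL (FUNCTION_ID, LANGUAGE, USER_FUNCTION_NAME), restricted to the columns assumed here; the rows are constructed sample data, and the pattern assumes the parameter is written exactly as QUERY_ONLY="YES" as on the slide.

```python
"""Cross-check View Only function names against the QUERY_ONLY parameter
(added example; constructed sample rows, SQLite stand-in for the APPS tables)."""
import sqlite3

SAMPLE_FUNCTIONS = [  # constructed: (function_id, function_name, parameters)
    (1, "AR_TRANSACTIONS",      None),                # full access, no claim
    (2, "AR_TRANSACTIONS_VIEW", 'QUERY_ONLY="YES"'),  # correctly labelled copy
    (3, "AR_RECEIPTS_VIEW",     None),                # named View Only, NOT query-only
    (4, "OM_ORDERS_QUERY",      'QUERY_ONLY="YES"'),  # query-only, name gives no hint
]
SAMPLE_NAMES = [  # constructed: (function_id, language, user_function_name)
    (1, "US", "Transactions"),
    (2, "US", "Transactions View Only"),
    (3, "US", "Receipts View Only"),
    (4, "US", "Sales Orders Inquiry"),
]

# Written with plain OR/NOT LIKE so the same statement also runs against Oracle.
CHECK_SQL = """
SELECT f.function_name, t.user_function_name, f.parameters,
       CASE WHEN UPPER(t.user_function_name) LIKE '%VIEW ONLY%'
            THEN 'named View Only but not QUERY_ONLY'
            ELSE 'QUERY_ONLY but not named View Only' END AS finding
FROM fnd_form_functions f
JOIN fnd_form_functions_tl t
  ON t.function_id = f.function_id AND t.language = 'US'
WHERE (UPPER(t.user_function_name) LIKE '%VIEW ONLY%'
       AND UPPER(COALESCE(f.parameters, '')) NOT LIKE '%QUERY_ONLY="YES"%')
   OR (UPPER(COALESCE(f.parameters, '')) LIKE '%QUERY_ONLY="YES"%'
       AND UPPER(t.user_function_name) NOT LIKE '%VIEW ONLY%')
ORDER BY f.function_name
"""


def find_mislabelled(functions=SAMPLE_FUNCTIONS, names=SAMPLE_NAMES):
    """Load the sample rows into SQLite and return the mismatches found by CHECK_SQL."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE fnd_form_functions
            (function_id INTEGER, function_name TEXT, parameters TEXT);
        CREATE TABLE fnd_form_functions_tl
            (function_id INTEGER, language TEXT, user_function_name TEXT);
    """)
    con.executemany("INSERT INTO fnd_form_functions VALUES (?,?,?)", functions)
    con.executemany("INSERT INTO fnd_form_functions_tl VALUES (?,?,?)", names)
    rows = con.execute(CHECK_SQL).fetchall()
    con.close()
    return rows


if __name__ == "__main__":
    for function_name, user_name, params, finding in find_mislabelled():
        print(f"{function_name:22} {user_name!r:26} {params!r:20} {finding}")
```

The first finding (a View Only name with no QUERY_ONLY parameter) is the one that matters for an SoD review: anyone justifying that access from the name alone has accepted an update-capable form as inquiry-only.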
Control Areas to Consider During An Upgrade or Implementation Project to Prevent Future Stand-Alone Remediation Projects
Security Administration
Security strategies, tools, personnel, and processes should be coordinated effectively to address the following key components:

Administration
- provisioning (granting, termination, and modification) of user IDs
- workflow / approvals
- tool administration
- password resetting
- password parameters

Segregation of duties
- separation of incompatible functions
- data owner monitoring of access levels

Sensitive access
- powerful authorities
- post-implementation support
Data Management
As part of the implementation, data must be converted and then maintained to ensure the integrity of system processing. The following are critical considerations in this area:

Data Conversions
- data mappings
- conversion design
- conversion testing
- reconciliation

Data Archiving
- system performance and storage requirements
- data access requirements
- data redundancy

Data Cleansing
- inactive data
- duplicative data
- erroneous data

During an upgrade, data management activities may consist only of completing the upgrade process steps that define what to correct by module (for example, data re-mapping).
Testing
All development and implementation efforts must include thorough testing to ensure defined solutions are complete and accurate. This effort includes:
- Comprehensive test plan for functionality, security, and controls
- Documented test cases and test results
- Sign-off and acceptance
- Use of positive and negative testing techniques
Summary
- Segregation of Duties (SoD) overview
- SoD assessment approach
- SoD assessment case study
- Control areas to consider during an upgrade or implementation project to prevent future stand-alone remediation projects
Questions?