• What are the key IT considerations in audit?
• Why are IT considerations a challenge?
• Key controls for Oracle E-Business Suite
• Addressing Segregation of Duties challenges
• Sustaining Compliance – Controls Integration

What are the Key IT Considerations of an Audit?
• Appropriate Access Controls
– Role-specific access
– Non-conflicting access controls (Segregation of Duties)
• Automated Business Process Controls – Application Controls
– Configurations
– Edits
– Validations
– Reports

Why are IT Controls a Challenge? “Mutually Dependent Control Domains”
Program Management Office – Risk Management
Diagram: control domains surrounding the Oracle Application Control Catalogs (Version 11.03 and higher), grouped into Business Process Control Areas and IT Control Areas: System Administration, Change Management, Disaster Recovery, Asset Management, Performance, Process Documentation, Control Design and Implementation, User Profiles, Infrastructure Security (Network, O/S and Database), Security Monitoring, Master Data, Data Conversion, Data Interfaces, Reconciliation.


Why are IT Controls Important to the Audit? – Role of Application Controls
Diagram: how application controls link Oracle transactions to the financial statements
• Significant Accounts in Financial Statements: Balance Sheet, Income Statement, SCFP, Notes, Other
• Classes of Transactions / Business Processes: Process A, Process B, Process C
• Financial Applications (application controls): Business Events and Transactions in Oracle Financial Application A
– Application Controls: Interfaces, Configurations, Reports, Access
• General Controls: Program development, Program changes, Computer operations, Access control, Control environment
• IT Infrastructure Services: Database, Operating System, Network

Key Controls in an Oracle EBS Audit
• Process, risks and controls
– Audits are often organized by business processes such as Order to Cash, Procure to Pay, etc.
– ERP systems such as Oracle EBS support the execution of such processes
– Risk, and specifically information risk, is inherent in processes and systems
– Controls help to mitigate such risks
Let’s take a look at some processes, risks and Oracle EBS controls

Key High Focus Processes
• General Ledger
– Journal Postings
– Financial Consolidation
• Purchasing
– Purchase Order Processing
– Receiving
• Accounts Payables
– Invoice Processing (3-Way Match...)

General Ledger – Potential Risk

GL Postings – Control Considerations
• What type of journal authorizations are in place?
• Can users post journals to control accounts such as the cost of goods sold account?
• Can users modify journals created by interfacing systems such as Inventory, Order Management, Accounts Receivables...?
• Are there any sensitive accounts that require management oversight?

GL-Financial Consolidation – Control Considerations
• Is access to the consolidation “Chart of Accounts” mapping restricted?
• What controls are in place to monitor and authorize inter-company elimination entries?
• If FSG (Financial Statement Generator) is used, what controls are in place to validate that changes to row sets and column sets are authorized and appropriate?

Purchasing – Potential Risk

Purchase Order Processing – Control Considerations
• Is there an automated approval workflow to manage purchase orders?
• Is the system configured to enforce the “Approved Supplier List” (ASL)?
• Is the system configured to authorize purchase orders only to authorized buyer accounts?
• Are changes to supplier master details such as bank information and payment address monitored?

Accounts Payable – Potential Risk

AP Invoice Processing – Control Considerations
• Is Oracle Payables’ three-way (or four-way) match functionality utilized?
• Is Oracle Payables configured to enforce price and quantity tolerances during the matching of an invoice to a corresponding purchase order and receipt?
• Is the Oracle Payables configuration for posting automatic accounting entries defined appropriately?

AP Invoice Processing – Control Considerations
• Are Oracle access controls configured to ensure only properly authorized personnel can remove holds on Accounts Payable invoices?
• Is Oracle configured to prevent adjustments to accounts payable invoices that have been approved and paid?
• Is Oracle Payables configured to age invoices using date ranges that are appropriate given the descriptions of the aging buckets?

Controls Challenge: Segregation of Duties

Learning from SOX so far
• Top 10 Material Weaknesses
– Income tax matters
– Revenue recognition
– Financial staffing/expertise
– Leases accounting
– Application of GAAP
– Financial Close process
– Monitoring Controls
– Segregation of Duties
– Derivatives
– Subsidiaries/Remote locations

In Oracle, security is: COMPLEX, DIFFICULT, TECHNICAL, PERVASIVE. Nine out of ten companies we have audited have significant weaknesses in Oracle Security.

The Challenge of SOD
• Lack of Segregation of Duties (SOD) was one of the “Top 10 Material Weaknesses” in 2004 and 2005
• Informal polls noted eight out of ten companies had significant weaknesses in User Access
• Companies have spent millions of dollars remediating SOD and are still working at it
• Companies are finding new violations still being introduced into their systems

Managing Segregation of Duties and Sensitive Transactions
• What do we mean by segregation of duties and sensitive transactions?
• Segregation of duties is an internal control activity to help prevent or decrease the occurrence of undetected innocent errors or intentional fraud
• SOD conflicts need to be resolved by segregating the conflicting abilities or by mitigating the SOD conflict risks through sufficient mitigating controls

Managing Segregation of Duties and Sensitive Transactions
• What is a Sensitive Transaction?
• Any single transaction in a system that allows a person to perform a high-risk task which could result in a misstatement of financial statements or a significant operational risk
• Examples include:
– Client administration
– Delete client
– Open and close accounting periods
– Several other transactions

Approach to an SOD Solution
Diagram: the steps of an SOD solution
• Develop an enterprise-wide strategy
• Global Rule-Set Implementation
• Remediation and Training
• Develop Global User Admin Process
• Sustainable SOD Processes

Sustaining SOD
• There are several tools in the marketplace that help companies analyze access and SOD issues as well as sustain the process.

Sample SOD Rule Set
Rule 1 – AP Invoice Entry, and Vendor Master Maintenance
Possible risk: A user could set up a fictitious vendor, subsequently enter fictitious vendor invoices and possibly have the invoices processed for automatic payment as long as other mitigating controls fail to exist.

Rule 2 – Assessment Master Maintenance, & Assessment Execution
Possible risk: A user could modify existing reporting/costing areas or create new reporting/costing areas, then move costs against those reporting/costing areas for fraudulent purposes or to create a more favorable position for their department.

Rule 3 – Customer Credit Approval, and Sales Invoicing
Possible risk: A user could inappropriately increase a customer's credit limit and create a sales invoice for an amount greater than the customer is normally authorized to purchase on credit, either to inappropriately inflate sales revenues or in return for favors received from specified customers.

Rule 4 – Customer Master, Sales Rebates, and AR Cash Application
Possible risk: A user could modify customer information, such as the customer name and bill-to address, process unauthorized sales rebates, inappropriately reapply the customer's cash remittances and have rebate checks sent to an invalid address.

Rule 5 – Fixed Assets, and AP Payments
Possible risk: A user could process for payment the purchase of an unauthorized fixed asset, adjust the fixed asset records to conceal the purchase and possibly obtain or use the assets.

Rule 6 – GL Entry, and GL Master Maintenance
Possible risk: A user with both the ability to maintain general ledger accounts and the ability to process journal entries could conceal fraudulent transactions or activity in general ledger accounts under the individual's control.

Rule 7 – GL Entry, and Business Processes
Possible risk: A user could initiate an inappropriate business transaction and update the corresponding GL entries to hide the actual impact of such activity for an extended period of time.

Rule 8 – Material Master, Purchase Agreement, and Goods Receipt
Possible risk: A user could create a material master that normally is not ordered by the company and enter a purchase agreement for such items from the material list for personal use. Once the goods are shipped, the employee could receive those goods and take possession for their own personal use.
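As an added example (not from the original slides), the following Python evaluates a rule set built from the sample rules above against user access data, treating a rule as violated when one person holds every ability it lists, and separates conflicts that already have a documented mitigating control from those that still need segregation or mitigation (the two resolution paths described under Managing Segregation of Duties). Responsibility names, user ids and the mapping of responsibilities to abilities are constructed for the example.

```python
"""Added example: detect SOD conflicts in user access and flag unmitigated ones."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Rule set from the sample SOD rules: a rule is violated only when one
# person holds ALL of its abilities (the abuse scenario needs each of them).
SOD_RULES: Dict[int, FrozenSet[str]] = {
    1: frozenset({"AP Invoice Entry", "Vendor Master Maintenance"}),
    3: frozenset({"Customer Credit Approval", "Sales Invoicing"}),
    5: frozenset({"Fixed Assets", "AP Payments"}),
    6: frozenset({"GL Entry", "GL Master Maintenance"}),
    8: frozenset({"Material Master", "Purchase Agreement", "Goods Receipt"}),
}

# Constructed sample data (hypothetical responsibilities and users).
RESPONSIBILITY_ABILITIES: Dict[str, Set[str]] = {
    "Payables Manager": {"AP Invoice Entry", "AP Payments"},
    "Supplier Maintenance": {"Vendor Master Maintenance"},
    "Credit Manager": {"Customer Credit Approval"},
    "Receivables Clerk": {"Sales Invoicing"},
    "GL Super User": {"GL Entry", "GL Master Maintenance"},
    "Buyer": {"Purchase Agreement"},
    "Item Setup": {"Material Master"},
}
USER_RESPONSIBILITIES: Dict[str, List[str]] = {
    "asmith": ["Payables Manager", "Supplier Maintenance"],  # rule 1, mitigated
    "bjones": ["GL Super User"],        # rule 6 inside a single responsibility
    "cwu": ["Buyer", "Item Setup"],     # only two of three rule-8 abilities
    "dlee": ["Credit Manager", "Receivables Clerk"],         # rule 3, open
}
# Mitigating controls management has documented, keyed by (user, rule).
MITIGATIONS: Dict[Tuple[str, int], str] = {
    ("asmith", 1): "Independent monthly review of supplier master changes",
}

@dataclass
class Conflict:
    user: str
    rule: int
    granted_by: Dict[str, FrozenSet[str]]  # ability -> responsibilities granting it
    mitigation: Optional[str]              # None means the conflict is open

def find_conflicts(users=USER_RESPONSIBILITIES, resp_abilities=RESPONSIBILITY_ABILITIES,
                   rules=SOD_RULES, mitigations=MITIGATIONS) -> List[Conflict]:
    found: List[Conflict] = []
    for user, resps in users.items():
        sources: Dict[str, Set[str]] = {}   # which responsibility grants what
        for resp in resps:
            for ability in resp_abilities.get(resp, set()):
                sources.setdefault(ability, set()).add(resp)
        for rule_id, abilities in rules.items():
            if abilities.issubset(sources):
                found.append(Conflict(user, rule_id,
                                      {a: frozenset(sources[a]) for a in sorted(abilities)},
                                      mitigations.get((user, rule_id))))
    return found

def unmitigated(conflicts: List[Conflict]) -> List[Conflict]:
    """Conflicts that must still be segregated or given a mitigating control."""
    return [c for c in conflicts if c.mitigation is None]
```

Reporting `granted_by` per ability shows whether a conflict is built into one responsibility (fix the responsibility) or arises only from the combination assigned to the user (fix the provisioning).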




Sustaining Compliance – Controls Integration

Sustaining Compliance – Leverage your ERP environment
• Have to automate in order to reduce control and compliance costs
• Need to leverage all capabilities within your Oracle environment
• Need to tie SOD management to the overall user provisioning process
• Need to incorporate a “controls” mindset into your development lifecycle

How Automation Impacts Compliance Costs: Total Cost of Control

• The cost of control is directly associated with the number, type and frequency of controls, so ultimately the largest cost driver is in reducing the number of controls and transforming them to low-cost performance types

Control Performance Cost Drivers (Example) – largely “hidden”:
– On-going performance of controls
– Design and Implementation
– FTE’s
– Systems Costs (applications and support)
– Failure Rate
– Management Supervision
– Training

Compliance Cost Drivers (Example) – S-O, “visible” (initial compliance, ongoing assessment and monitoring):
– Control Documentation & Change Management
– Testing (size and nature of control portfolio)
– Audit fees
– Program admin & staffing
– Remediation
– Education/Training

Together, Control Performance and Compliance make up the Total Cost of Control.


Business Controls Integration into the System/ERP Development Initiative
Diagram: lifecycle phases Plan, Design, Build, Test, Deploy, each addressed across the dimensions People & Organization, Process, Technology, and Risk & Controls.

Four dimensions are addressed throughout any development lifecycle: People & Organization, Process, Technology, and Risk & Controls. Aligning controls specialists with project teams, to help ensure appropriate knowledge is applied in a timely manner, can save significant effort throughout the process. These specialists, or “controls integrators,” provide specialized knowledge in the applicable control categories shown below.
Program Management

Key Attributes
• Program risks are managed effectively – with quality and meeting expectations
• Controls Specialist assigned to each initiative/project
• Controls framework integrated into initiative/project
• Controls integrated into the business
• Avoids end-cycle re-work
• Supports compliance sustainability vision

Control Categories
• Business Process Controls
• Application Controls
• Segregation of Duties
• User Access & Security
• Data Integrity
• IT General Controls

Potential Business Benefits from Improved Oracle ERP Controls
Feature: Increased control automation and reduction in manual controls
Potential Benefit: Reduce cost of operation by eliminating less effective manual controls

Feature: Centralized control maintenance
Potential Benefit: Controls are configured and maintained centrally rather than within every operating unit

Feature: Reduced cost of testing controls
Potential Benefit: Automated controls require less testing and provide greater assurance

Feature: Increased data reliability, integrity and accuracy
Potential Benefit: Cost to identify and correct data errors is high

Feature: Improved reporting and monitoring of information
Potential Benefit: Quicker and more reliable information for management allows for more precise and responsive business decisions

Concluding Thoughts
• IT is a critical component of financial statement, SOX and other regulatory audits
• Control complexity in a system such as Oracle can be high for auditors and their clients
• Controls automation and design can provide demonstrated regulatory and business benefits to an organization
• Effective control design and implementation in a system such as Oracle can help to deliver the regulatory and business benefits organizations are seeking

