Sarbanes-Oxley Best Practices in an Oracle Applications Environment

Jeffrey T. Hare, CPA

ERP Seminars

© 2004 ERPS


Post on 16-Dec-2015


Introduction

Overview:
•Function Security and your Control Environment
•Key Setups that Influence your Control Environment
•Tools to Help Manage your Controls
•Change Management Best Practices

Function Security and your Control Environment

•Responsibilities drive segregation of duties

•Ex. Accounts Payable Manager responsibility includes Supplier setup

•Menus can allow access to critical Setup screens

•Ex. Standard menus include access to Setup screens

•Request Groups drive access to reports and the information they provide

•Ex. Custom HR reports could be given to wrong people

Function Security and your Control Environment

Areas you might want to monitor:

1. Active Users, Active Responsibilities, Users of a Responsibility reports – reports you may want to monitor or have scheduled to run regularly via the Workflow Mailer.

2. Regularly review makeup of menus, request groups, responsibilities, and the users that have them. Check for segregation of duties issues and unauthorized access.
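An added example, not part of the original slides, of the review in item 2: it flattens responsibilities into the functions they grant and flags users whose active assignments combine conflicting functions, whether inside one responsibility or across several. All users, function names, conflict rules and every responsibility except Accounts Payable Manager are constructed for illustration.

```python
from datetime import date

# Constructed sample data: functions reachable through each responsibility's menu.
RESP_FUNCTIONS = {
    "Accounts Payable Manager": {"Supplier Setup", "Invoice Entry", "Payment Entry"},
    "AP Invoice Clerk": {"Invoice Entry"},
    "Supplier Maintenance": {"Supplier Setup"},
    "AP Inquiry": {"Invoice Inquiry"},
}

# Constructed assignments: (user, responsibility, end date or None if open-ended).
ASSIGNMENTS = [
    ("JSMITH", "Accounts Payable Manager", None),
    ("MJONES", "AP Invoice Clerk", None),
    ("MJONES", "Supplier Maintenance", None),
    ("RLEE", "AP Invoice Clerk", None),
    ("RLEE", "Supplier Maintenance", date(2004, 1, 31)),  # end-dated
]

# Hypothetical conflict rules: function pairs one person should not hold together.
CONFLICTS = [
    ("Supplier Setup", "Invoice Entry"),
    ("Supplier Setup", "Payment Entry"),
]

def sod_violations(assignments, resp_functions, conflicts, as_of):
    """Return sorted (user, func_a, func_b, via_a, via_b) for active conflicting access."""
    access = {}  # user -> {function: set of responsibilities granting it}
    for user, resp, end in assignments:
        if end is not None and end < as_of:
            continue  # an expired assignment grants nothing
        for func in resp_functions.get(resp, ()):
            access.setdefault(user, {}).setdefault(func, set()).add(resp)
    findings = []
    for user, funcs in access.items():
        for a, b in conflicts:
            if a in funcs and b in funcs:
                findings.append((user, a, b, sorted(funcs[a]), sorted(funcs[b])))
    return sorted(findings)

if __name__ == "__main__":
    as_of = date(2004, 6, 30)
    for user, a, b, via_a, via_b in sod_violations(ASSIGNMENTS, RESP_FUNCTIONS, CONFLICTS, as_of):
        print(f"{user}: {a} (via {', '.join(via_a)}) + {b} (via {', '.join(via_b)})")
```

MJONES is flagged even though neither of her responsibilities is a problem on its own, which is why the review has to look at users and not only at responsibility definitions.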

Function Security and your Control Environment

•Users
•Responsibilities
•Request Groups
•Menus
•Profile Options

Users

Sample Users screen:

Responsibilities

Sample Responsibilities screen:

Request Groups

Sample Request Groups screen:

Menus

Sample Menus screen:

Key Setups that Influence your Control Environment

Key Setups that Influence your Control Environment – Profile Options Overview

Profile Options:

•Profile options can be set at varying levels:

•Site

•Application

•Responsibility

•User

•Server

•Organization

•Example: ‘Printer’

Caveat: As with any change, please make sure you thoroughly test a profile option change before moving it to a production environment

Key Setups that Influence your Control Environment – Profile Options Example

Profile Options Example:

Key Setups that Influence your Control - GL

General Ledger Setups:
•Various Approval Hierarchy setups

General Ledger Profile Options:
•Various Approval Hierarchy Profile Options

Key Setups – Accounts Receivable

Accounts Receivable Setups:
•Transaction Types – post to GL, post to subledger
•System Options – Allow Transaction Deletion
•System Options – Allow Change to Printed Transactions
•Bank Setups / Remittance Bank Setups – Unapplied Receipts, Unidentified Receipts, On Account Receipts

Key Setups – AR, Cont’d

AR: Profile Options:
•Tax: Allow Manual Tax Lines
•Tax: Allow Override of Customer Exemptions
•Tax: Allow Override of Tax Code
•AR: Update Due Date
•AR: Allow Update of Existing Sales Credits
•AR: Cash – Allow Actions
•Sequential Numbering
•AR: Receipt Batch Source
•AR: Use Invoice Accounting For Credit Memos
•MO: Operating Unit
•MO: Top Reporting Level

Key Setups – Accounts Payable

Accounts Payable Setups:
•Financial Options – GL Accounts – Prepayment

Key Setups that Influence your Control Environment – AP, cont’d

AP: Profile Options
•Tax: Allow Override of Tax Code
•GL: Create Interfund Entries (Public Sector)
•Budgetary Control Group
•AP: Use Invoice Batch Controls
•MO: Operating Unit

Key Setups – Cash Management

Cash Management Setups:

Cash Management Profile Options:
•CE: Bank Account Security

Tools to Help Manage your Controls

•Using and Maintaining Security Rules
•Using and Maintaining Cross Validation Rules
•Using Suspense Accounts
•Developing your Financial Statements (FSGs) to Keep Them in Balance
•Using Request Sets to Disseminate Critical Business Information
•Using ADI and the Analysis Wizard to Report and Analyze Financial Data

Tools to Help Manage your Controls (cont’d)

•Using Workflow Mailer and the Scheduling Function to Monitor Key Controls
•Metalink Note: 189367.1 – Best Practices for Securing the E-Business Suite

Using and Maintaining Security Rules

Security Rules “secure” your chart of accounts from entries being made to certain accounts:

•AR, AP, PO Accrual, Prepayments, Unapplied Receipts, On Account Receipts, and Inventory Control Accounts
•Owners’ Equity Accounts

Security Rules are applied to responsibilities – you can set up different security rules to apply to different levels of the organization. For example, you may want to allow entries to owners’ equity accounts to your GL Manager responsibility, but not your GL User responsibility.

Using and Maintaining Cross Validation Rules

Cross Validation Rules restrict the CREATION of certain combinations that are not desired.

Example:

•Company.Cost Center.Account
•Values for Company are 01 and 02
•Values for Cost Center include 000 (no department) and 500 Sales Department
•Values for Account include 1000 Cash, 5000 Sales, and 7000 Salary Expense
•In this example, you may want to prevent the creation of the account string 01.000.7000, because you always want a department associated with Salary Expense, and 01.500.1000, because you don’t want a cost center associated with a Balance Sheet account
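An added example, not part of the original slides and not Oracle's code: a simplified model of cross-validation rules as include and exclude ranges per segment, applied to the Company.Cost Center.Account values above, with cost center 000 written as three digits. The rule messages and the all-inclusive range are assumptions made for the illustration.

```python
# Value sets from the slide; segment order is Company.Cost Center.Account.
VALUE_SETS = [
    {"01", "02"},
    {"000", "500"},
    {"1000", "5000", "7000"},
]

ALL = (("00", "99"), ("000", "999"), ("0000", "9999"))  # include everything

# Each rule: message, include ranges, exclude ranges (low/high per segment).
RULES = [
    ("Salary Expense requires a department",
     [ALL],
     [(("00", "99"), ("000", "000"), ("7000", "7000"))]),
    ("Balance Sheet accounts take no cost center",
     [ALL],
     [(("00", "99"), ("001", "999"), ("1000", "1000"))]),
]

def in_range(segments, ranges):
    """True when every segment lies within its low/high pair (fixed-width strings)."""
    return all(low <= seg <= high for seg, (low, high) in zip(segments, ranges))

def validate_new_combination(code, value_sets=VALUE_SETS, rules=RULES):
    """Return the reasons a combination may not be created (empty list = allowed)."""
    segments = code.split(".")
    if len(segments) != len(value_sets):
        return [f"expected {len(value_sets)} segments, got {len(segments)}"]
    errors = [f"segment {i + 1} value {seg!r} is not in its value set"
              for i, (seg, valid) in enumerate(zip(segments, value_sets))
              if seg not in valid]
    if errors:
        return errors  # value-set validation comes before the cross-validation rules
    for message, includes, excludes in rules:
        included = any(in_range(segments, r) for r in includes)
        excluded = any(in_range(segments, r) for r in excludes)
        if not included or excluded:
            errors.append(message)
    return errors

if __name__ == "__main__":
    for code in ("01.000.7000", "01.500.1000", "01.500.7000", "02.000.1000", "03.500.5000"):
        print(code, validate_new_combination(code) or "OK")
```

The check runs only when a new combination is created, so combinations that already exist when a rule is added are not caught by it and need a separate review.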

Using Suspense Accounts

Use of Suspense Accounts:

A suspense account is an account that you expect to have a $0 balance at period end and is used to be certain both sides of a transaction are completed when transactions are made across modules.

For example, AR Refunds would want to use a suspense account as follows:

AR Entry when writing off credit balance:
Dr. Accounts Receivable
Cr. Suspense Account

AP Entry when entering Invoice so that a payment can be made:
Dr. Suspense Account
Cr. Accounts Payable
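An added example, not part of the original slides, of the period-end check implied by the AR refund entries above: it nets suspense activity per refund and reports which side is still missing when the balance is not $0. The journal lines, period names and the use of a shared reference to match the AR and AP entries are constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal

PERIODS = ["JAN-04", "FEB-04"]  # constructed, in calendar order

# Constructed journal lines: (period, module, reference, account, debit, credit).
LINES = [
    ("JAN-04", "AR", "REF-1001", "Accounts Receivable", "250.00", "0"),
    ("JAN-04", "AR", "REF-1001", "Suspense", "0", "250.00"),
    ("JAN-04", "AP", "REF-1001", "Suspense", "250.00", "0"),
    ("JAN-04", "AP", "REF-1001", "Accounts Payable", "0", "250.00"),
    ("JAN-04", "AR", "REF-1002", "Accounts Receivable", "80.00", "0"),
    ("JAN-04", "AR", "REF-1002", "Suspense", "0", "80.00"),    # AP side never entered
    ("JAN-04", "AR", "REF-1003", "Accounts Receivable", "40.00", "0"),
    ("JAN-04", "AR", "REF-1003", "Suspense", "0", "40.00"),
    ("FEB-04", "AP", "REF-1003", "Suspense", "40.00", "0"),    # AP side entered a period late
    ("FEB-04", "AP", "REF-1003", "Accounts Payable", "0", "40.00"),
]

def open_suspense_items(lines, period_end, periods=PERIODS, account="Suspense"):
    """Return (suspense balance, {reference: (net, missing side)}) as of period_end."""
    cutoff = periods.index(period_end)
    net = defaultdict(Decimal)
    for period, _module, ref, acct, debit, credit in lines:
        if acct == account and periods.index(period) <= cutoff:
            net[ref] += Decimal(debit) - Decimal(credit)
    open_items = {}
    for ref, amount in net.items():
        if amount != 0:
            # Credit balance: AR write-off posted, AP invoice not yet entered.
            side = "AP invoice missing" if amount < 0 else "AR write-off missing"
            open_items[ref] = (amount, side)
    balance = sum((amt for amt, _ in open_items.values()), Decimal(0))
    return balance, open_items

if __name__ == "__main__":
    for period in PERIODS:
        balance, items = open_suspense_items(LINES, period)
        print(period, "suspense balance:", balance, items)
```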

Developing your Financial Statements (FSGs) to Keep Them in Balance

Sample Balance Sheets

Total Assets          $ 1,000
Liabilities               500
Retained Earnings         500
Total Liab’s / OE     $ 1,000

Total Assets          $ 1,000
Liabilities               500
Retained Earnings         465
YTD P&L                    35
Total Liab’s / OE     $ 1,000

Using Request Sets to Disseminate Critical Business Information

What are Request Sets?
•A grouping of concurrent requests that a user can submit all at once

Advantages of Request Sets:
•Parameters can be shared or defaulted
•Many reports can be run with one submission

Examples of Using Request Sets

Examples:

•Dissemination of Aging by Salesperson – queue it to run nightly or weekly for various salespersons (default salesperson for each request in the set), combine with scheduling function and deliver via workflow mailer so salespeople don’t need access to the AR system

•Dissemination of expense information via Account Analysis Report with Payables Detail (using shared parameter for period, but defaulting cost center for each request in the set)

Using ADI and Analysis Wizard to Report and Analyze Financial Data

Harness the power of ADI…

•Publish a budget to actual P&L in ADI

•Use themes and conditional formatting to highlight categories greater than budget by a certain amount or percent

•Double click on cells of actuals where they exceed budget figures to drill into the GL

•Use 11i’s new architecture in Payables to drill from the GL back into Payables detail information (supplier, invoice, etc.)

Using Workflow Mailer and the Scheduling Function to Monitor Key Controls

Sample workflow generated e-mail:

Using Workflow Mailer and the Scheduling Function to Monitor Key Controls

In the Options tab when submitting a concurrent request, choose Name

Change Management Best Practices

Why Change Management?

•This isn’t your father’s Oldsmobile…

•Your system is at stake

•Sarbanes Oxley adding complexity

•Additional modules, international rollouts, patches, family packs, new functionality, etc.

Change Management Best Practices

What is Change Management?

•Managing change in your applications

What does it include?

•Much more than just technical changes in your applications

Implementing a Change Management Plan

Sample Change Management documentation:

Implementing a Change Management Plan

Elements of a change management document:
•Document Control section
•Reviewers section
•Recap of issue
•Nature of the change
•Technical Analysis of Change (DBA/Developer)
•Development Plan
•Training Plan
•Testing Plan
•Communication Plan
•Documentation Plan
•Controls/SarbOx Documentation and Testing Plan
•System Security Plan
•Transition Plan
•Contingency Plan
•Section to allow Reviewers to sign off on the document

Q&A’s

Contact Information

Jeffrey T. Hare, CPA

•Cell 602-769-9049

•E-mail: [email protected]

•www.erpseminars.com

Request full white paper “Sarbanes-Oxley Best Practices in an Oracle Applications Environment” at www.erpseminars.com/whitepapers.html

Partners of ERP Seminars

Please support the partners of ERP Seminars:

kbace.com bluepuppysolutions.com dotsolved.com top-team.com internext-group.com