Profile Options:
What are they and why should
auditors care?
Jeffrey T. Hare, CPA CISA CIA
ERP Risk Advisors
Webinar Logistics
• Hide and unhide the Webinar
control panel by clicking on the
arrow icon on the top right of
your screen
• The small window icon toggles
between a windowed and full
screen mode
• Ask questions throughout the
presentation using the chat
dialog
• Questions will be reviewed and
answered at the end of the
presentation
© 2013 ERPRA 3
Presentation Agenda
Overview:
• What are they?
• How are they set?
• Example
• Control expectations
• Audit procedures
• Oracle E-Business Suite GRC Health Check
• Questions and Answers
CPE Requirements
Note: CPE will be offered for those that answer at least 4 (of the 5) polls presented during the webinar and attend at least 50 minutes.
Introductions
Jeffrey T. Hare, CPA CISA CIA:
• Founder of ERP Risk Advisors / Oracle User Best Practices Board
• Written various white papers on Internal Controls and Security Best Practices in an Oracle Applications environment
• Frequent contributor to OAUG’s Insight magazine
• Experience includes Big 4 audit, 6 years in CFO/Controller roles – both as auditor and auditee
• In Oracle applications space since 1998 – as client and consultant
• Founder of Internal Controls Repository
• Author of Oracle E-Business Suite Controls: Application Security Best Practices
• Contributing author of Best Practices in Financial Risk Management
• Published in ISACA’s Control Journal and ACFE’s Fraud Magazine
Poll 1: Will you be needing a CPE
Certificate?
Answers:
• Yes
• No
• Not Sure
Profile Options – What Are They
• What are they: 8,591 profile options in this 12.1.3 environment
• Can be set at:
  • Site
  • Application
  • Responsibility
  • Server
  • Organization
  • User
Profile Options – What Are They
Impact:
• Process design
• Control design
• Security
• Data security
Profile Options – What Are They
Level of Risk - Black, Grey, White
• Black – Definitely High Risk
• Grey – Could be High Risk
• White – Most Likely Low Risk
Examples will be presented later in the presentation
Poll 2: If you are an auditor, have you
performed an audit of profile option
values?
Answers:
• Yes
• No
• Not Sure
• Am not an auditor
Profile Options – How are they set?
Profile Options can be set via the following forms:

| Form | Function Name | User Function Name |
|---|---|---|
| Update Personal Profile Values | FND_FNDPOMSV | Profile User Values |
| Update System Profile Values | FND_FNDPOMPV | Profile System Values |
Profile Options – How are they set?
5,038 profile options of 8,691 are “Updatable” through
Personal Profile Values form
Profile Options – How are they set?
Can be set at the Site, Application, Responsibility, and
User levels in the Profile System Values form – also at
Organization and Server, but rare
Profile Options – How are they set?
But also able to be maintained via the Personal Profile
Values form (aka Profile User Values)
Poll 3: Have you identified the setting of profile values through the User Profile Values form as a significant risk?
Answers:
• Yes
• No
• Not Sure
• Am not an auditor
Profile Options – Examples
Utilities: Diagnostics profile option
Profile Options – Examples
GL: Journal Review Required profile option
From the GL User Guide:
Profile Options – Examples
Profile Options Risk Assessment
Control Expectations
• A risk assessment has been performed to identify
which profile options should be subject to the change
management process, or all profile option changes
are subject to the change management process
• The change management documentation clearly
identifies the profile options that are subject to the
change management process or states that all profile
option changes are subject to the change
management process
• A log-based or trigger-based auditing solution has
been deployed to build a detailed audit trail of profile
option changes
Control Expectations
• A quality assurance process is in place that tests for unauthorized changes by tracing actual changes back to approved changes
• Testing of the change management process is performed to verify that the procedures have been followed and properly documented – approvals obtained, etc.
Control Expectations
Risks associated with the Personal Profile Values / User
Profile Values form have been addressed:
• User profile values form is NOT accessible by any
users in the production environment
• The form is restricted through development into the
custom.pll that restricts access to just certain profile
options that are low risk
Audit Procedures
• Review change management procedures for the expected controls
• Ask security administrators about expected controls
• Ask security administrators about access to the User Profile Values form and whether any development has been put in place to address the risks associated with access to the form
• Query profile options that are set and trace a sample back to the approval process
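As an added example (not from the presentation or from ERP Risk Advisors), the script below carries out the last audit procedure above, querying the profile option values that are set and the last user and date that set them, and then runs the quality-assurance reconciliation from the Control Expectations slides: tracing each actual change back to an approved change and reporting the ones that have no approval. The extraction SQL is written against the EBS tables FND_PROFILE_OPTIONS, FND_PROFILE_OPTIONS_TL and FND_PROFILE_OPTION_VALUES and decodes the LEVEL_ID codes for the Site, Application, Responsibility, User, Server and Organization levels; the in-memory SQLite copy of those tables, the sample rows, the internal profile option names (placeholders) and the approved-change list are all constructed here so that the script runs offline.

```python
import sqlite3

# LEVEL_ID codes used in FND_PROFILE_OPTION_VALUES for each level (verify against your instance).
LEVEL_NAMES = {
    10001: "Site",
    10002: "Application",
    10003: "Responsibility",
    10004: "User",
    10005: "Server",
    10006: "Organization",
}

# Constructed sample data mirroring a subset of the EBS FND table columns.
# Internal names (PROFILE_OPTION_NAME) are placeholders; the user-visible names are the
# two options the presentation discusses plus one unrelated option.
PROFILE_OPTIONS = [
    # (profile_option_id, profile_option_name, user_profile_option_name, user_changeable_flag)
    (1001, "XX_DIAGNOSTICS_PLACEHOLDER", "Utilities: Diagnostics", "Y"),
    (1002, "XX_GL_REVIEW_PLACEHOLDER", "GL: Journal Review Required", "N"),
    (1003, "XX_TIMEOUT_PLACEHOLDER", "ICX:Session Timeout", "N"),
]
PROFILE_VALUES = [
    # (profile_option_id, level_id, level_value, profile_option_value, last_updated_by, last_update_date)
    (1001, 10001, "0", "N", 1, "2013-01-05 09:12:00"),        # site-level default
    (1001, 10004, "1234", "Y", 1234, "2013-01-20 17:45:00"),  # user-level override, set by that user
    (1002, 10001, "0", "Y", 1, "2013-01-05 09:12:00"),
    (1002, 10003, "50100", "N", 2001, "2013-01-28 11:03:00"), # review requirement off for one responsibility
    (1003, 10001, "0", "30", 1, "2012-11-02 08:00:00"),       # set before the audit period
]
# Approved changes taken from the change-management records (constructed).
APPROVED_CHANGES = [
    # (profile_option_id, level_id, level_value, approved_value, ticket)
    (1001, 10001, "0", "N", "CHG-0003"),
    (1002, 10001, "0", "Y", "CHG-0002"),
    (1003, 10001, "0", "30", "CHG-0001"),
]

# Extraction query. The same statement runs on Oracle EBS; there LAST_UPDATE_DATE is a DATE,
# so bind a DATE (or wrap the bind in TO_DATE) instead of the ISO string used with SQLite.
EXTRACT_SQL = """
SELECT v.profile_option_id        AS profile_option_id,
       o.profile_option_name      AS profile_option_name,
       t.user_profile_option_name AS user_profile_option_name,
       o.user_changeable_flag     AS user_changeable_flag,
       v.level_id                 AS level_id,
       CASE v.level_id
            WHEN 10001 THEN 'Site'   WHEN 10002 THEN 'Application'
            WHEN 10003 THEN 'Responsibility' WHEN 10004 THEN 'User'
            WHEN 10005 THEN 'Server' WHEN 10006 THEN 'Organization'
            ELSE 'Unknown' END      AS level_name,
       v.level_value              AS level_value,
       v.profile_option_value     AS profile_option_value,
       v.last_updated_by          AS last_updated_by,
       v.last_update_date         AS last_update_date
  FROM fnd_profile_option_values v
  JOIN fnd_profile_options o    ON o.profile_option_id = v.profile_option_id
  JOIN fnd_profile_options_tl t ON t.profile_option_name = o.profile_option_name
                               AND t.language = 'US'
 WHERE v.last_update_date >= :period_start
 ORDER BY v.last_update_date DESC
"""


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for the three FND tables, loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE fnd_profile_options (profile_option_id INTEGER PRIMARY KEY,
            profile_option_name TEXT, user_changeable_flag TEXT);
        CREATE TABLE fnd_profile_options_tl (profile_option_name TEXT, language TEXT,
            user_profile_option_name TEXT);
        CREATE TABLE fnd_profile_option_values (profile_option_id INTEGER, level_id INTEGER,
            level_value TEXT, profile_option_value TEXT, last_updated_by INTEGER,
            last_update_date TEXT);
    """)
    conn.executemany("INSERT INTO fnd_profile_options VALUES (?, ?, ?)",
                     [(pid, name, flag) for pid, name, _, flag in PROFILE_OPTIONS])
    conn.executemany("INSERT INTO fnd_profile_options_tl VALUES (?, 'US', ?)",
                     [(name, user_name) for _, name, user_name, _ in PROFILE_OPTIONS])
    conn.executemany("INSERT INTO fnd_profile_option_values VALUES (?, ?, ?, ?, ?, ?)",
                     PROFILE_VALUES)
    return conn


def extract_profile_values(conn, period_start):
    """Audit step: list every profile value set or changed since period_start, level decoded."""
    cur = conn.execute(EXTRACT_SQL, {"period_start": period_start})
    cols = [d[0] for d in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]


def trace_to_approvals(values, approved):
    """QA step: return the extracted values that have no matching approved change."""
    approved_keys = {(pid, lvl, lvl_val, val) for pid, lvl, lvl_val, val, _ in approved}
    return [v for v in values
            if (v["profile_option_id"], v["level_id"], v["level_value"],
                v["profile_option_value"]) not in approved_keys]


def audit_profile_changes(period_start="2013-01-01"):
    """Run both steps over the sample database; returns (all values, unapproved values)."""
    conn = build_sample_db()
    values = extract_profile_values(conn, period_start)
    return values, trace_to_approvals(values, APPROVED_CHANGES)


if __name__ == "__main__":
    _, exceptions = audit_profile_changes()
    for row in exceptions:
        print(f"{row['user_profile_option_name']} @ {row['level_name']} {row['level_value']} "
              f"= {row['profile_option_value']} (updated by {row['last_updated_by']} on "
              f"{row['last_update_date']}, user-changeable={row['user_changeable_flag']})")
```

Two rows come back as exceptions on the sample data: the user-level Utilities: Diagnostics override and the responsibility-level change to GL: Journal Review Required. USER_CHANGEABLE_FLAG is included in the extract because a user-level value on an option flagged Y is exactly the kind of change that can be made through the Personal Profile Values form without passing through the System Profile Values form, which is the risk the presentation raises for that form.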
Poll 4: Our organization has done the following with respect to profile options (multiple answers allowed):
Answers:
• Identified profile option changes as needing to go through the change management process
• Performed a risk assessment to identify the profile options that need to go through the CM process
• Have built a system-based audit trail of profile option value changes to allow QA over the changes
• Have restricted the User Profile Values form / put in development to restrict it
• None of the above / Not sure
Oracle E-Business Suite GRC Health Check
This Level I Assessment covers a broad array of best
practices noted in the book Oracle E-Business Suite
Controls: Application Security Best Practices written by
Jeffrey T. Hare, CPA CISA CIA. This assessment offers
a 10,000’ view of your organization’s compliance with
various application security best practices. The
assessment will give you a great ‘first look’ at your
organization’s application security environment. The
assessment includes analysis, interaction and expertise
from one of the industry’s top experts, Jeffrey Hare.
Oracle E-Business Suite GRC Health Check
• No charge
• Will do up to four per month / need to schedule them
about one / week
• Contact Phil Reimann @ [email protected] or at
774-999-0527 for more information
** Assessment being performed in conjunction with CaoSys using
CS*ComplyXE software
Next webinar
SQL Forms in Oracle E-Business Suite - what are they and
why should auditors care?
Description: SQL Forms are forms that accept SQL statements (or portions thereof) within an application form. Having access to certain forms gives users the ability to execute ad hoc SQL statements (and in some cases OS scripts). In this educational webinar, we will provide examples of how these forms can be used to manipulate data and commit fraud. We will then discuss the policies, procedures, and controls necessary to mitigate the risks associated with these SQL forms.
Date: Tue, Feb 12, 2013 2:00 PM - 3:00 PM EST
Registration url:
https://www1.gotomeeting.com/register/745316449
Questions and
Answers
Poll 5: Will you be needing a CPE
Certificate?
Answers:
• Yes
• No
Resources
• Jeffrey Hare’s book “Oracle E-Business Suite
Controls: Application Security Best Practices” –
available at Collaborate bookstore; online
• www.erpra.net
Oracle Apps Internal Controls Repository
Internal Controls and Security Public Domain Repository
Sample of content:
• White papers
• Sample development specs
• Sample forms personalizations
• Sample policies and procedures
• SQL Training Docs
• Forms that Allow SQL Statements
• List of Generic Application Users
Best Practices Caveat
The Best Practices cited in this presentation have not
been validated with your external auditors nor has there
been any systematic study of industry practices to
determine they are ‘in fact’ Best Practices for a
representative sample of companies attempting to
comply with the Sarbanes-Oxley Act of 2002 or other
corporate governance initiatives mentioned. The Best
Practice examples given here should not substitute for
accounting or legal advice for your organization and
provide no indemnification from fraud or material
misstatements in your financial statements or control
deficiencies.
ERP Risk Advisors
Contact Information:
Cell for Jeff: 970-324-1450
E-mail: [email protected]
Website: www.erpra.net
Website: www.oubpb.com
Skype: jhareaz
LinkedIn: http://www.linkedin.com/in/jeffreythare
Twitter: http://twitter.com/jeffreythare
Blog: http://jeffreythare.blogspot.com/
LinkedIn Groups: Oracle GRC, Oracle ERP Auditors