Posted on 18-Dec-2015
SOX Compliance: A Practical Look at Application Auditor
Presented by Sunita Sarathy, Product Manager, Absolute Technologies, Inc
Sarbanes Oxley Act
SOX – Signed into law on July 30, 2002 as a result of various accounting scandals
Section 404 requires public companies to attest to the effectiveness of their internal controls over financial reporting
Section 302 requires that CEOs and CFOs vouch for the integrity of their financial statements
Section 404 Compliance
Compliance with SOX 404 has 4 steps:
1. Identify Key Internal Controls
2. Document the identified Internal Controls
3. Management Test of Internal Controls
4. Auditor Test of Internal Controls
Internal Controls
What is an Internal Control?
Objectives of Internal Controls
– Ensure integrity and reliability of information
– Compliance with policies, laws and regulations
– Safeguarding of assets
– Economical and efficient use of resources
– Accomplishment of established objectives and goals
When Internal Controls aren’t met…
1. Deficiency (No requirement to report it)
2. Significant Deficiency (Must be reported to the audit committee, but not to the public)
3. Material Weakness (Needs to be disclosed publicly, in company financial statements)
Internal Controls in IT
SOX Section 404 – “Management has to ensure appropriate internal controls of financial reporting”
Most companies have software applications that impact Financial Reporting, like Oracle, SAP etc.
Therefore, most IT Applications would need to be regulated as per SOX requirements!
IT Internal Controls
Most companies adopt some or all of these Best Practices:
– Documentation
– Approvals
– Separation of Duties
– Testing
– AUDITING
Why Audit?
When critical or financial impacting data isn’t audited properly…
…financial statements may be incorrect due to mistakes, or fraud
Auditors may identify inconsistencies as significant deficiency or material weakness
Auditing Oracle
There are several auditing options in Oracle:
– Oracle Database – Audit Feature
– eBusiness Suite – Row Who Columns
– eBusiness Suite – End User Access
– eBusiness Suite – Oracle Alerts
– eBusiness Suite – Audit Trail
– Absolute Technologies Application Auditor
1. Database Audit Feature
Set audit_trail parameter = TRUE in init.ora file and restart the database
Execute SQL audit commands from SYSTEM user in SQL*Plus
Audit various database transactions
Transactions are captured in the SYS.AUD$ table
Limitations
Does not provide before and after values for column changes
No standard reporting, or form level access to data
No way to provide user notification, as the audit table is owned by SYS (cannot define triggers on SYS tables)
2. EBS – Row Who
Column              Contents
CREATION_DATE       Date and time row was created
CREATED_BY          Oracle Applications user ID from FND_USER
LAST_UPDATE_LOGIN   Login ID from FND_LOGINS
LAST_UPDATE_DATE    Date and time row was last updated
LAST_UPDATED_BY     Oracle Applications user ID from FND_USER
Can be accessed by selecting Help > Record History, in the Oracle Applications Menu
Columns can also be selected from within SQL
Limitations
Only stores the identities of the user that created the record, and the user that made the latest change
Does not store old and new values of the changed columns
Cannot handle changes made by processes external to the security of Oracle Applications
Information is stored within the subject table, making it less convenient for centralized audit reporting
3. EBS – End User Access
The system profile option “Sign-On: Audit Level” controls the level of end user access auditing
The valid settings are None, User, Responsibility, and Form. ‘Form’ represents maximum auditing
The standard reports for end-user auditing are:
– SignOn Audit Users
– SignOn Audit Responsibilities
– SignOn Audit Forms
– SignOn Audit Concurrent Requests
– SignOn Audit Unsuccessful Logins
Limitations
Only audits end user usage of specified forms
Does not audit changes at the database level
Does not audit any form activity or database transaction that may be of interest to ensure compliance. Only audits user access
4. EBS – Oracle Alerts
Oracle’s Exception Reporting Tool
Uses SQL statements to define exception conditions
Can be Periodic (schedule based) or Event (creates a database trigger)
Limitations
Cannot provide before and after values for changed columns
Event Alerts fire on any change to a record within a defined table, generating unwanted transactions
May cause Concurrent Request bottlenecks
5. EBS – Audit Trail
Set the System Profile Option AuditTrail: Activate to Yes
As System Administrator, select Security -> AuditTrail -> Install
Define applications, groups, tables and columns to audit
Run Audit Trail Update Tables program to activate auditing
Limitations
No single audit table for ease of reporting
Can’t apply a condition to the trigger
Can’t toggle an audit on/off for a single table
Can’t capture data outside the scope of the audited table, like foreign table column values, for ease of reporting
No single record holds the before and after detail of changed column values
Key to SOX Compliance
The greater the degree of automation in the development process, the better.
Automate audit triggering, and the capturing of audit data.
Ease of audit reporting
Enter Application Auditor
Application Auditor is a comprehensive auditing solution that can be installed and configured within minutes
Standard, user-friendly interface based on Oracle Developer tools
Simplifies audit reporting, as all audit records go to one table
Application Auditor
[Diagram: Source Tables (FND_USER, AP_CHECKS, ORDER_HOLDS) -> App Auditor -> Transaction Details (Destination) Table]
Audit Design
Audit dynamically creates trigger-procedure combination
Database Objects are created in the AA schema
Trigger is defined on Source Table, to be fired upon change to Source Columns
Procedure collects…
– Before and After Values of Source Columns
– Reference Columns and other identifying Elements
… and inserts them into the Transactions table
Audit Flow
1. Source Table is Changed
2. Table based Trigger fires, calls Procedure
3. Procedure collects Old and New Values of Changed Column, and other Reference Columns
4. Inserts audit data into Destination Table
Create an Audit
Select a Source Table - the table to be audited
Register the standard AA Destination table, which will store all audited data
Identify Source Columns - the Columns that we want tracked in the Source Table
AA automatically collects standard reference information for each record
AA maps the Source and Reference Column values to columns in the standard Destination Audit Table.
Compile the configuration - It is now ready to audit!
Audit Mapping
Source Table: FND_USER    Destination Table: ai_ce_change_trx
Source Column        Mapped Column
START_DATE*          OLD_COLUMN_VALUE
START_DATE*          NEW_COLUMN_VALUE
LAST_UPDATED_BY      LAST_UPDATED_BY
TRANSACTED_DATE      TRANSACTED_DATE
D_FND_USER_NAME      FND_USER_NAME
D_TERMINAL           TERMINAL
Audit Features
Single audit table stores –
– Before and After values of column
– Table and Column name
– Trigger Action (Insert, Update or Delete)
– Primary Key of Table
– When and Who changed the column value
Reference additional column values within the same table at time of change
Embedded SQL can select additional values from other tables upon change
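The trigger-procedure design described under Audit Design, Audit Flow, Create an Audit and Audit Features, as an added example that is not part of the presentation and not Absolute Technologies' code: a Python script that "compiles" an audit configuration (source table, primary key, source columns) into database triggers which write before/after values, the trigger action, the primary key and the updating user into one destination table. SQLite stands in for Oracle and the trigger bodies stand in for the generated PL/SQL procedure; the destination table name aa_transactions, the sample fnd_user table, the user names and the dates are constructed for the example. It also shows the Row Who limitation from the EBS slide: after two changes the source row keeps only the latest LAST_UPDATED_BY, while the audit table keeps every change, and an update that writes the same value back produces no audit row (the per-column condition that EBS Audit Trail cannot apply).

```python
import re
import sqlite3

# Single destination table for every audit, modelled on the mapped columns the
# slides name (OLD_COLUMN_VALUE, NEW_COLUMN_VALUE, LAST_UPDATED_BY,
# TRANSACTED_DATE). The table name and the other columns are constructed here.
DESTINATION_DDL = """
CREATE TABLE aa_transactions (
    trx_id            INTEGER PRIMARY KEY AUTOINCREMENT,
    table_name        TEXT NOT NULL,
    column_name       TEXT NOT NULL,
    trigger_action    TEXT NOT NULL,   -- INSERT, UPDATE or DELETE
    primary_key_value TEXT NOT NULL,
    old_column_value  TEXT,
    new_column_value  TEXT,
    last_updated_by   TEXT,
    transacted_date   TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
);
"""

# Constructed source table carrying EBS-style Row Who columns.
SOURCE_DDL = """
CREATE TABLE fnd_user (
    user_id          INTEGER PRIMARY KEY,
    user_name        TEXT NOT NULL,
    email_address    TEXT,
    last_updated_by  TEXT,
    last_update_date TEXT
);
"""

_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def _ident(name):
    """Configuration names are spliced into DDL, so accept plain identifiers
    only; anything else is a configuration error, not SQL to run."""
    if not _IDENT.fullmatch(name):
        raise ValueError(f"unsafe identifier in audit configuration: {name!r}")
    return name


def _audit_row(table, column, action, pk, old, new, who):
    # One destination row per changed column, mapped as on the Audit Mapping slide.
    return ("INSERT INTO aa_transactions(table_name, column_name, trigger_action, "
            "primary_key_value, old_column_value, new_column_value, last_updated_by) "
            f"VALUES ('{table.upper()}', '{column.upper()}', '{action}', "
            f"{pk}, {old}, {new}, {who});")


def build_audit_triggers(source_table, pk_column, source_columns, who_column):
    """Compile an audit: an UPDATE trigger per source column that fires only
    when that column really changes, plus INSERT and DELETE triggers that
    record every source column of the affected row."""
    t, pk, who = _ident(source_table), _ident(pk_column), _ident(who_column)
    cols = [_ident(c) for c in source_columns]
    stmts = []
    for c in cols:
        stmts.append(
            f"CREATE TRIGGER aa_{t}_{c}_upd AFTER UPDATE OF {c} ON {t} "
            f"FOR EACH ROW WHEN OLD.{c} IS NOT NEW.{c} BEGIN "
            + _audit_row(t, c, "UPDATE", f"NEW.{pk}", f"OLD.{c}", f"NEW.{c}", f"NEW.{who}")
            + " END;")
    ins = " ".join(_audit_row(t, c, "INSERT", f"NEW.{pk}", "NULL", f"NEW.{c}", f"NEW.{who}")
                   for c in cols)
    dele = " ".join(_audit_row(t, c, "DELETE", f"OLD.{pk}", f"OLD.{c}", "NULL", f"OLD.{who}")
                    for c in cols)
    stmts.append(f"CREATE TRIGGER aa_{t}_ins AFTER INSERT ON {t} FOR EACH ROW BEGIN {ins} END;")
    stmts.append(f"CREATE TRIGGER aa_{t}_del AFTER DELETE ON {t} FOR EACH ROW BEGIN {dele} END;")
    return "\n".join(stmts)


def open_audited_db():
    """In-memory database with the destination table, the source table and a
    compiled audit on FND_USER.USER_NAME and FND_USER.EMAIL_ADDRESS."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(DESTINATION_DDL + SOURCE_DDL + build_audit_triggers(
        "fnd_user", "user_id", ["user_name", "email_address"], "last_updated_by"))
    return conn


def audit_transactions_report(conn, table_name=None):
    """Audit rows in the order written: old value, new value and who changed it."""
    sql = ("SELECT table_name, column_name, trigger_action, primary_key_value, "
           "old_column_value, new_column_value, last_updated_by FROM aa_transactions")
    params = ()
    if table_name:
        sql += " WHERE table_name = ?"
        params = (table_name.upper(),)
    return conn.execute(sql + " ORDER BY trx_id", params).fetchall()


def demo():
    """Constructed activity: one user created, its e-mail changed twice by
    different people, then a no-op update. Returns the row's Row Who columns
    (only the last change survives there) and the complete audit history."""
    conn = open_audited_db()
    conn.execute("INSERT INTO fnd_user VALUES (101, 'JSMITH', 'jsmith@example.com', "
                 "'SYSADMIN', '2015-12-01')")
    conn.execute("UPDATE fnd_user SET email_address = 'j.smith@example.com', "
                 "last_updated_by = 'HRCLERK', last_update_date = '2015-12-02' "
                 "WHERE user_id = 101")
    conn.execute("UPDATE fnd_user SET email_address = 'jsmith@mailbox.example', "
                 "last_updated_by = 'DBA_SCOTT', last_update_date = '2015-12-03' "
                 "WHERE user_id = 101")
    # Same value written back: the WHEN clause keeps this out of the audit.
    conn.execute("UPDATE fnd_user SET user_name = 'JSMITH' WHERE user_id = 101")
    row_who = conn.execute("SELECT last_updated_by, last_update_date FROM fnd_user "
                           "WHERE user_id = 101").fetchone()
    return row_who, audit_transactions_report(conn, "fnd_user")
```

Running demo() returns ('DBA_SCOTT', '2015-12-03') for the Row Who columns, while the report holds four rows: two INSERT rows for the new record and one UPDATE row per e-mail change, each with the old value, the new value and the user who made it. Because primary_key_value is declared TEXT, SQLite stores the numeric key as the string '101'; a production design would choose the key column type deliberately. The identifier check in _ident matters because the audit configuration is turned into DDL: anyone allowed to define audits is effectively allowed to create triggers, which is why the Audit the Auditor slide's tracking of changes to the AA schema is the right complement to this design.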
Revision Architecture
Uses Revisions to create separate audit bins
Audits may be migrated across revisions, or even across database instances.
– Migrate Audit from Revision 1 to Revision 2
– Migrate entire Revision from Dev to Prod instance
Only one compiled revision can exist at a point in time
Revision Architecture
Allows the separation of audits based on user criteria
Allows one-step compilation of all audits in a revision
[Diagram: Compiled Audits Revision (example) and Development Revision (example)]
Audit Reporting
Audit Transactions Report – Displays the old and new values of the column, the database user who updated the record, and the identity of the terminal used to make the change
Audit Configurations Report – Displays the various audit configurations defined through Application Auditor
SOX Compliant Audit Package
Pre-defined set of 65 audits, based on significant Setup and Financial Impacting tables in Oracle eBusiness Suite
Package can be loaded and compiled within minutes
AA Administrator
Audit the Auditor!
Track users created in AA schema
Track changes to database objects in AA schema
Administrator email account holds a copy of all email notifications sent from AA
Planned Enhancements
Increased audit flexibility – allow a Destination Object Type ‘Procedure’
Allow users to audit and prevent unauthorized transactions
Audit DDL for ANY schema
Audit all transactions for a User
AA Customers (SIMG)
Requirement – Distinguish between updates made from SQL*Plus, and updates within Oracle Apps
Solution – AA’s Check Terminal feature allows the user to identify how the transaction was performed.
AA Customers (Harmonic)
Requirement – Transaction Monitoring
Solution – AA provides notification when unauthorized transactions occur
AA Customers (Tektronix)
Requirement – Track Sales Order Changes
Solution – AA’s custom table option allows for audit records to be mapped to custom tables
Finally
Application Auditor is highly performance optimized…no performance issues
User friendly Forms Interface for Audit Configurations and Audit Transactions
Two step audit process (Auditor and Audit Administrator)
Thank You!
Source – Destination Tables
Source Columns
Reference Elements
Column Mapping
Audit Transactions Report
Audit Configuration Report