Very Simple SoD & Audit Reporting: Oracle ERP Cloud & EBS
Mike Ward, CEO, Q Software
Brian Stanz, CTO
Objectives
- Know whether you have security issues on your ERP
- Satisfy Compliance & Audit
- Remediation planning
- SoD & Fraud control
Mike Ward: 45 years IT experience; ERP from the beginning; 200 audits; @mikeaward
Brian Stanz: 26 years IT experience; JDE & Oracle; JDE E1 development; 200 security audits
Has your company experienced Fraud? © PwC 2018 Crime & Fraud Survey
Objective of an External Audit: an audit conducted by an independent auditor to ensure that the company’s financial reports present a true and fair view of its financial performance and financial position.
Why Perform an Audit?
- The CFO asked
- Oracle Licensing called
- The auditor is coming tomorrow
- How good is my security?
- I went live; now I need a plan
Role Based Access Control
- Map roles onto business processes
- Consider SoD during role design
- Manage roles, not the individual
- Visibility & risk
- Least privilege: only the access needed to do the job
- Sensitive data access
Defining Roles
RBAC advantage: it allows you to alter roles rather than individuals.
Issue: how do you ensure that your roles are aggregated enough, but do not create too much risk?
Visibility
- Where are my SoD issues?
- Who owns that issue?
- What is the business risk?
- How do I fix it? Mitigation?
- Who can access this critical object or master data?
- Periodic access review
EBS: Understand Your Module Usage
- Input: Oracle License Request Audit; no technical requirements
- Report shows usage by module, non-compliant modules, custom modules
- Users who have accessed & users who could access
- Look at users/roles to determine usage & remove unnecessary access
What you need to know: what are your risks? Have you secured against them?
QCloud: Audit as a Service
Very rapid, no effort, answers.
So let's look at how Audit as a Service can help you make finding the answers, internally or for an external audit, very easy.
QCloud Audit as a Service: a Huge Time Saving
Existing audit processes are manual:
- IT staff create reports (SQL/manual)
- Cobbled-together spreadsheets
- Auditors review & question (& loop)
Tools: specialist on-prem (Audit Manager); expensive & very complex (Oracle GRC/AACG)
QCloud automates: the customer logs in, requests, reviews, downloads the report
Typical audits for ERP software are performed manually. IT staff create reports over their systems to show the level of security of their application. These reports are either done manually using the reports the system already generates, or they are cobbled together into spreadsheets from data exports. The reports are then reviewed and interrogated by the auditors until the authorization to the system is deemed to be secure. Q Software has audit processes today that work on premise and then back in our audit environments to produce the reports for customers to show to the auditors or the CFO of the business. Q Software is now able to bring automation to the audit process, so that customers can sign up for audits and have the software in our cloud review, collate and report back on their system. Customers log in to our Q Cloud portal, where they can request a new audit, review old audit information, or download previous audit reports, and see the history of audits run in the past on the Q Cloud. Q Software is starting off with JD Edwards EnterpriseOne but will be expanding to other ERPs in the near future (more on that later).
Cloud-Based Architecture consisting of three modules
Q Cloud
- Hosted logic and portal for accessing and running audits in the cloud
- Multi-tenant architecture
- ALL data at rest in the cloud is encrypted
Q Agent
- Downloaded from the Q Cloud once registered
- Collects relevant audit data from the customer’s enterprise
- All data in flight is encrypted
- Platform and database agnostic
Q Helper (internal only)
- The ‘brains’ behind the scenes
Currently hosted in the Amazon Cloud (AWS); can be hosted on any cloud infrastructure and in any country to satisfy local regulations on data
The Future of Security Audit Has Arrived: QCloud Demo
Security of Customer Data
- ISO/IEC 18033-3:2010 Part 3 encryption (Oracle standard)
- No business data uploaded to the Q Cloud
- Hosted at AWS (Australia): totally secure environment
- Encrypted in flight from customer site to QCloud
- Encrypted at rest in the QCloud
Summary
Metrics – Immediate Measures of Quality
Bluescope
- E-Business Suite
- Listed in Australia
- Audits twice a year: very time consuming
- Segregation of Duties, mitigation, audit documentation
- Live in a month
Tesaro
- BioPharma in Boston
- ERP Cloud: Financials & HCM
- Newly listed
- Audit & SoD reporting
- Remediation: standard roles!
- Live
The main points: get an audit on demand, immediate results with no technical effort, trends & drill-down.
What would you use it for? Plan and remediate, simplify the audit process for auditors, fraud control.
6 Best Practice Tips for ERP Security Audit
1. Live security
2. Evaluate the risks
3. Build YOUR risk matrix
4. Map onto your business processes
5. Plan your roles
6. Periodic review: involve the business
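As an added example (not from the deck and not Q Software's product code), a small Python SoD check that ties the RBAC slide and the "build your risk matrix" tip together: it applies a risk matrix at role level, catching a conflict built into one role's design, and at user level, catching conflicts created by combining roles, records the business owner and mitigation status, and answers the access-review question of who can reach a critical function. The matrix entries, role and user names and mitigation record are all constructed sample data.

```python
# Added example (not Q Software's code): a minimal SoD check driven by a risk
# matrix, run at role level (role design) and at user level. All matrix entries,
# roles, users and mitigations below are constructed sample data.
# Pairs of business functions one person should not hold together, with the
# business risk they create and the business owner of that risk.
RISK_MATRIX = {
    frozenset({"Create Supplier", "Approve Payment"}): ("Fictitious vendor fraud", "AP Manager"),
    frozenset({"Enter Journal", "Post Journal"}): ("Unreviewed GL postings", "Financial Controller"),
    frozenset({"Maintain Employee", "Run Payroll"}): ("Ghost employee fraud", "HR Director"),
}
# Roles mapped onto business functions (the RBAC layer).
ROLES = {
    "AP_CLERK": {"Create Supplier", "Enter Invoice"},
    "AP_MANAGER": {"Approve Payment"},
    "GL_ACCOUNTANT": {"Enter Journal", "Post Journal"},  # conflict inside one role
    "HR_ADMIN": {"Maintain Employee"},
    "PAYROLL": {"Run Payroll"},
}
USERS = {
    "alice": {"AP_CLERK", "AP_MANAGER"},  # conflict created by combining roles
    "bob": {"GL_ACCOUNTANT"},
}
# Accepted risks with a compensating control on record, keyed by (user, risk).
MITIGATED = {("bob", "Unreviewed GL postings")}

def conflicts(functions):
    """Risk-matrix entries fully covered by a set of functions."""
    return [(pair, risk, owner) for pair, (risk, owner) in RISK_MATRIX.items()
            if pair <= functions]

def role_conflicts():
    """Role-level check: flags conflicts designed into a single role."""
    return {role: [risk for _, risk, _ in conflicts(funcs)]
            for role, funcs in ROLES.items() if conflicts(funcs)}

def user_conflicts():
    """User-level check: risk, owner, contributing roles, mitigation status."""
    report = {}
    for user, roles in USERS.items():
        funcs = set().union(*(ROLES[r] for r in roles))
        for pair, risk, owner in conflicts(funcs):
            report.setdefault(user, []).append({"risk": risk, "owner": owner,
                "roles": sorted(r for r in roles if ROLES[r] & pair),
                "mitigated": (user, risk) in MITIGATED})
    return report

def who_can(function):
    """Access review: which users reach a critical function, via which role."""
    return sorted((u, r) for u, roles in USERS.items()
                  for r in roles if function in ROLES[r])
```

Running the role-level check before assigning roles is what the RBAC slide means by considering SoD during role design; the user-level report is the periodic-review view, with each finding already attributed to an owner.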