Common Change Management Challenges for Companies Running Oracle Applications Presented by: Jeffrey T. Hare, CPA CISA CIA ERP Seminars.

Slides:

Advertisements

Similar presentations

Organizational Governance

Advertisements

. . . a step-by-step guide to world-class internal auditing

Sodexo.com Group Internal Audit. page 2 helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and.

Audit Committee in Albania Legal framework Law 9226 /2006 “On banks in Republic of Albania” Law 9901/2008 “On entrepreneurs and commercial companies” Corporate.

© 2004 ERPS Sarbanes-Oxley Best Practices in an Oracle Applications Environment Jeffrey T. Hare, CPA ERP Seminars.

1 Sarbanes-Oxley Section 404 June 29,  SOX 404 Background 3  SOX 404 Goals 4  SOX 404 Requirements 5  SOX 404 Assertions 6  SOX 404 Compliance.

Sarbanes-Oxley Compliance Process Automation

Security Controls – What Works

SOX Compliance: A Practical Look at Application Auditor Presented By Sunita Sarathy Product Manager Absolute Technologies, Inc.

Copyright © 2009 Rolta International, Inc., All Rights Reserved a c c e l R12™ Upgrade Approach.

1 Strategies to Maintaining Internal & External Relationships The Institute of Internal Auditors April 13, 2004 Xenia Parker, CIA, CISA, CFSA Principal.

Quality evaluation and improvement for Internal Audit

Office of Inspector General (OIG) Internal Audit

1 What is Internal Audit’s Role in Management’s Assertion The Institute of Internal Auditors May 11, 2004 Xenia Ley Parker, CIA, CISA, CFSA Principal XLP.

Internal Audit Process

Chapter 1 Introduction to Databases

Best Practices for User Access Controls and Segregation of Duties Presented by: Jeffrey T. Hare, CPA CISA CIA ERP Seminars.

Database Auditing Models Dr. Gabriel. 2 Auditing Overview Audit examines: documentation that reflects (from business or individuals); actions, practices,

Chapter 7 Database Auditing Models

End User Computer Controls Marc Engel, CPA, CISA, CFE Risk Management Advisory Services LLC

Does Change Management Include Patches? Joel Howard, RingMaster Software Northern California OAUG San Ramon 2004.

By Taver Chong, SFSU Associate Internal Auditor –

Internal Auditing and Outsourcing

Compliance System Validation - An Audit Based Approach December 2012 Uday Gulvadi, CPA, CIA, CISA, CAMS Director - Internal Audit, Risk and Compliance.

1 Chart of Account Conversion May 21, 2009 Presented by Matt Adelman.

Data Governance Data & Metadata Standards Antonio Amorin © 2011.

Copyright Course Technology 1999

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Change and Patch Management Controls Critical for Organizational Success Global Technology Auditing Guide 2.

University of Palestine Library Management System S. DEYA Abu REJELA

Practical Implementation of Automated Assessment Tools for the IT Auditor John A. Otte, CISSP, CISA, CFE, EnCE, MSIA Director, Strategic Services FishNet.

- 1 - Roadmap to Re-aligning the Customer Master with Oracle's TCA Northern California OAUG March 7, 2005.

Switch off your Mobiles Phones or Change Profile to Silent Mode.

Vijay V Vijayakumar.  SOX Act  Difference between IT Management and IT Governance  Internal Controls  Frameworks for Implementing SOX  COSO - Committee.

© Grant Thornton | | | | | Guidance on Monitoring Internal Control Systems COSO Monitoring Project Update FEI - CFIT Meeting September 25, 2008.

Chapter 5 Internal Control over Financial Reporting

Master Data Impact, Data Standards, and Management Process and Tools.

IT Service Delivery And Support Week Eleven – Auditing Application Control IT Auditing and Cyber Security Spring 2014 Instructor: Liang Yao (MBA MS CIA.

1 Today’s Presentation Sarbanes Oxley and Financial Reporting An NSTAR Perspective.

7-Oct-15 System Auditing. AUDITING Auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic.

Policy Review (Top-Down Methodology) Lesson 7. Policies From the Peltier Text, p. 81 “The cornerstones of effective information security programs are.

Best Practices for Implementing Third Party Software to Monitor SOD and User Access Controls Presented by: Jeffrey T. Hare, CPA CISA CIA ERP Seminars.

Brent Mosher Senior Sales Consultant Applications Technology Oracle Corporation.

Enterprise Security for Microsoft Dynamics GP Jeff Soelberg

Auditing Information Systems (AIS)

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 7 Database Auditing Models.

Information Security Governance and Risk Chapter 2 Part 3 Pages 100 to 141.

Executive Invitation – Oracle Data Finder Service Oracle Corporation.

presented by Oliver Lamaca Customer Account Manager.

FY 2005 Audit Plan MnSCU Audit Committee June 15, 2004.

Empowering people-centric IT Unified device management Access and information protection Desktop Virtualization Hybrid Identity.

FSG Tips and Tricks By Melanie Cameron. About Melanie Cameron  14 years experience with EBS  Worked on every release since 10.6, oldest release was.

OAUG Sys Admin SIG Meeting Connection Point Conference September 13, 2004 Orlando, FL Randy Giefer, Chair.

Copyright © 2007 Pearson Education Canada 7-1 Chapter 7: Audit Planning and Documentation.

Database security Diego Abella. Database security Global connection increase database security problems. Database security is the system, processes, and.

Company: Cincinnati Insurance Company Position: IT Governance Risk & Compliance Service Manager Location: Fairfield, OH About the Company : The Cincinnati.

1 Copyright © 2008, Oracle. All rights reserved. I Course Introduction.

6/13/2015 Visit the Sponsor tables to enter their end of day raffles. Turn in your completed Event Evaluation form at the end of the day in the Registration.

Internal Audit Section. Authorized in Section , Florida Statutes Section , Florida Statutes (F.S.), authorizes the Inspector General to review.

Building a Sound Security and Compliance Environment for Dynamics AX Frank Vukovits Dennis Christiansen Fastpath, Inc.

Liz Piteo Native Controls in a Microsoft Dynamics Environment.

Oracle apps financial functional training Contact us: Magnific training Training | placement|Certificaions.

Internal and external control in an automated environment

Security. Audit. Compliance.

Security Management: Successes and Failures

Automating Vendor Management

Pressure Cooker: Access Controls in New and Existing ERP Systems

Office of Internal Audits

Data Privacy: Essentials for Payroll

Taking the STANDARDS Seriously

Presentation transcript:

Common Change Management Challenges for Companies Running Oracle Applications Presented by: Jeffrey T. Hare, CPA CISA CIA ERP Seminars

© 2008 ERPS Overview: Introductions IIA Standards Common Change Management Challenges Q&A Public Domain Collaboration Oracle Apps Internal Controls Repository OUBPB / ERP Seminars Initiatives Other Resources Contact Information Presentation Agenda

© 2008 ERPS Introductions Jeffrey T. Hare, CPA CISA CIA Founder of ERP Seminars and Oracle User Best Practices Board Written various white papers on SOX Best Practices in an Oracle Applications environment Frequent contributor to OAUG’s Insight magazine Experience includes Big 4 audit, 6 years in CFO/Controller roles – both auditor and audited perspectives In Oracle applications space since 1998– both client and consultant perspectives Founder of Internal Controls Repository - public domain internal controls repository for end users

© 2008 ERPS Introductions Jeffrey T. Hare, CPA CISA CIA Founder of ERP Seminars and Oracle User Best Practices Board Written various white papers on SOX Best Practices in an Oracle Applications environment Frequent contributor to OAUG’s Insight magazine Experience includes Big 4 audit, 6 years in CFO/Controller roles – both auditor and audited perspectives In Oracle applications space since 1998– both client and consultant perspectives Founder of Internal Controls Repository - public domain internal controls repository for end users

© 2008 ERPS IIA Standards IIA’s Global Technology Audit Guide #2 - Change and Patch Management Controls: Critical for Organizational Success can be found at:

© 2008 ERPS Common Change Management Challenges Failure to take into account request groups access in design of security – request groups should be defined from the ground up for each responsibility as they allow for concurrent program access and access to sensitive data, some in standard request groups Forms-based setups not being considered – some forms based setup changes have the impact of code change; change management is done to protect the integrity of the process Change made in various forms that allow SQL statements embedded in them are not required to go through change management process – all activity in SQL forms should go through CM process, be audited and compared to SQL that has been peer-reviewed and was approved in the Change Management ticket (see list of forms in Internal Controls Repository and keep current with recommendations in Metalink Note )

© 2008 ERPS Common Change Management Challenges Excessive access to forms requiring change management – Example - Financials submenu in various menus and contains DFFs, KFFs, Value Set, Value Set Maint, Cross Validation Rules, Security Rules… Failure to clearly document who is responsible for implementing change – Management should determine and document who are the appropriate Change Implementers Failure to test for unauthorized changes – Anything that should go through CM process should be subject to audit. Need to develop a log or trigger based audit trail and compare to approved changes

© 2008 ERPS Common Change Management Challenges Failure to remediate issues that cause for unauthorized changes – need to do root cause analysis of unauthorized changes and remediate issues Failure to maintain documentation – BR100s and BR110s should be kept current; user documentation; IT documentation; process documentation; internal controls testing; test scripts. Poor impact analysis leading to a poor testing process – usually too much turf wars and not enough cooperation; requires tight cooperation between IT and functional users

Q & A

© 2008 ERPS Public Domain Collaboration What is needed are standards for collection of: Tables to audit as data is migrated (for example banks) Additional functions and functionality is added Internal Controls Repository: Publishing list of critical forms, tables, columns to audit prioritized by risk Promoting use of our risk assessment process as the standard in the industry with agreement on language and mapped to the function level Public domain collaboration will insure consistency and quality

© 2008 ERPS Oracle Apps Internal Controls Repository Internal Controls Repository Content: White Papers such as Accessing the database without having a database login, Best Practices for Bank Account Entry and Assignment, Using a Risk Based Assessment for User Access Controls, Internal Controls Best Practices for Oracle’s Journal Approval Process Oracle apps internal controls deficiencies and common solutions Mapping of sensitive data to the table and columns Identification of reports with access to sensitive data

Other Resources © 2008 ERPS Oracle Users Best Practices Board: Cam’s white paper on Auditing the DBA at: Integrigy white papers at: resourceshttp:// resources Solution Beacon: Oracle internal controls and security public listserver:

© 2008 ERPS Best Practices Caveat The Best Practices cited in this presentation have not been validated with your external auditors nor has there been any systematic study of industry practices to determine they are ‘in fact’ Best Practices for a representative sample of companies attempting to comply with the Sarbanes-Oxley Act of 2002 or other corporate governance initiatives mentioned. The Best Practice examples given here should not substitute for accounting or legal advice for your organization and provide no indemnification from fraud or material misstatements in your financial statements or control deficiencies.

© 2008 ERPS Contact Information Jeffrey T. Hare, CPA CISA CIA Phone: Websites: Oracle SOX eGroup at Internal Controls Repository ontrols/ ontrols/