Reactive Companies Meet Sarbanes-Oxley Standards, Proactive Organizations Exceed Them! Therron Hofsetz Logical Apps, Inc.

Agenda
- Sarbanes Oxley Overview
- Logical Apps Approach to Sarbanes Oxley
- Question and Answer

What do these dates have in common?
- December 2, 2001: Enron declares bankruptcy
- July 19, 2002: MCI Worldcom declares bankruptcy
- August 31, 2002: Arthur Andersen agrees to stop auditing public companies

How did this happen?

Corporate Issues
- Earnings pressure
- Lack of mandated disclosure of company reporting model
- Minimal oversight into corporate business practices
- No documented or enforced internal controls

Audit Firm Issues
- Dependency on consulting fees
- Assumed good intent of their client
- Inability to continuously monitor a company’s internal controls
- Unable to identify violations of internal controls

How Did Congress Respond? Sarbanes – Oxley Act

Highlights
- Section 103: Your auditor (and therefore you) should maintain all audit-related records, including electronic ones, for seven years.
- Section 201: Firms that audit your company’s books can no longer provide you with IT-related services.
- Section 301: You must provide systems or procedures that allow employees to communicate effectively with the audit committee.

Sarbanes – Oxley Act
Highlights (continued)
- Section 302: Your CEO and CFO must sign statements verifying the completeness and accuracy of financial reports.
- Section 404: CEOs, CFOs and outside auditors must attest to the effectiveness and accuracy of financial reports.
- Section 409: Companies must report material changes in their financial conditions “on a rapid and current basis.” The act calls it “real-time” disclosure but is unclear on what it means.

Sarbanes–Oxley Act
Sarbanes–Oxley Law

Behavior: Any CEO or CFO who “recklessly” violates his or her certification of the company’s financial statements.
  Consequence: Fine of up to $1,000,000 and/or up to 10 years imprisonment.

Behavior: If “willfully” violates.
  Consequence: Fine of up to $5 million and/or up to 20 years imprisonment.

Behavior: Any person who “corruptly” alters, destroys, conceals, etc., any records or documents with the intent of impairing the integrity of the record or document or use in an official proceeding.
  Consequence: Fine and/or up to 20 years imprisonment.

Sarbanes - Oxley Impact on Information Systems

The 3 Cs of Sarbanes-Oxley
CEOs, CFOs and CIOs

The jobs of the CEO, CFO & CIO got tougher on July 30, the day the Sarbanes-Oxley Act was signed. The legislation requires significant changes to financial practices and corporate governance, and touches all corporate areas, including technology. For the first time ever, the CFO and CEO can look a CIO in the eye and say, 'Guess what, you're on the hook with us.'

What Does this Mean to CIOs?

CEOs and CFOs will Require CIOs to:
- Provide extensive Control for Oracle Applications
- Continuously Monitor Identified Risks
- Provide Oversight Into Creation of Financial Data
- Enforce Segregation of Duties to Minimize Risk
- Take Measures to Ensure Financial Data is Accurate
- Ensure the Accuracy of Reporting Data

System Control Examples

Financial Statement Generation
- Report parameter changes are documented
- Data that generates financial statements is accurate

Inventory Item Creation
- Costing is accurately assigned

Purchasing
- Approved suppliers are used
- Approval limits cannot be easily manipulated

Customer Creation
- Duplicate customers
- Credit limits

Oversight of Financial Data Examples
- Standard Data Entry is Enforced
- Accurate reporting
- Segregation of Duties
- Separation of functions to minimize risk of fraud
- Audit changes to sensitive data
- Approval processes for creation of financial data
- Oversight into Financial Processes
- Ensure all month/year end activities are completed

Typical Solution to Sarbanes-Oxley

The Logical Apps Approach to Sarbanes–Oxley
AppsRules
AppsRules for Sarbanes-Oxley Compliance

LogicalApps for Oracle Applications
Automated Enforcement of Internal Controls for the Oracle Applications

AppsRules for Sarbanes-Oxley
Automated Enforcement of System Controls

AppsForm
- Enforce Segregation of Duties
- Enforce Accuracy/Completeness of System Data

AppsFlow
- System Enforced Process Approvals
- Oversight into Business Processes

AppsAudit
- Continuous Monitoring of System Changes
- Built in Reporting on System Changes

Implement & Enforce Your Company Policies
- Enforce Controls in Oracle Forms
- Forms Security
- Data Integrity
- Accountability
- Increase Productivity

AppsForm for Sarbanes-Oxley Compliance

Challenge: Application Security (Hide Fields or Tabs; Prevent Update/Insert)
  Oracle Solution: 1. Define multiple Responsibilities; 2. Forms Customization for required security
  AppsForm Solution: 1. Form/Field level security by User, Group of Users, Responsibility, Operating Unit, Inventory Org, etc.

Challenge: Data Integrity (Require Values; Field validation; LOVs & Default Values)
  Oracle Solution: 1. Offline business rule; 2. Forms customization
  AppsForm Solution: 1. Required Fields; 2. Validation of entered data; 3. LOVs for free form data

Challenge: End User Productivity (Hide Fields or Tabs; Zooms; Default Navigation)
  Oracle Solution: 1. Forms customization
  AppsForm Solution: 1. Configure forms for specific users; 2. Tool menu entries; 3. Field & tab order

Implement & Enforce Your Company Processes
- Implement Process Controls Through Workflow
- Automate Current Manual Processes
- Enforce Systematic Approvals
- System Wide Notifications
- Integrated with Workflow Builder

AppsFlow for Oracle Applications

Risk/Control: Separation of Duties via Transaction Limits and Approvals
  Oracle Solution: 1. Limited seeded workflow; 2. Build Custom workflow processes for needed transactions
  AppsFlow Solution: 1. Configure approvals for any Oracle Apps transaction; 2. Integrate to Oracle Workflow for re-usability

Risk/Control: Enforce Data Integrity Across Process Steps
  Oracle Solution: 1. None
  AppsFlow Solution: 1. Configure complex process flows across steps, departments, users, responsibilities; 2. Enforce process completeness and track metrics

Risk/Control: Provide Process Details and Metrics
  Oracle Solution: 1. Track processes in workflow tables
  AppsFlow Solution: 1. All AppsFlow processes tracked via workflow tables

Monitor and Report on System Changes
- Complete Audit Trail History
- Configure Audit Rules in Minutes
- Comprehensive Reporting
- Key Setup Changes
- Key Transaction Changes
- Simplifies Oracle Audit

AppsAudit for Sarbanes-Oxley Compliance

Risk/Control: Monitor Setup Data Changes
  Oracle Solution: 1. Created_by and last_updated_by; 2. Oracle Audit
  AppsAudit Solution: 1. Complete history, including old value, new value, user, date & time of change

Risk/Control: Monitor Transactional Data Changes
  Oracle Solution: 1. Created_by and last_updated_by; 2. Oracle Audit
  AppsAudit Solution: 1. Complete history, including old value, new value, user, date & time of change

Risk/Control: Implement conditional audits based on user defined condition
  Oracle Solution: 1. None
  AppsAudit Solution: 1. Additional where clause on audit trigger

Risk/Control: Pre-Built, easy to use audit reports
  Oracle Solution: 1. None
  AppsAudit Solution: 1. Online & hard copy reports; 2. Reports user values not internal ids or foreign keys

Sarbanes Oxley Benefits

AppsRules Proactively Enforces System Controls:
- Provide extensive Control for Oracle Applications
- Maintain oversight into creation of financial reports
- Enforce data integrity and reporting accuracy
- Automate processes to enforce separation of duties and appropriate levels of approval
- Enforce process completeness across multiple process steps and departments (Item Setup, Month End Close)
- Continuously monitor changes to sensitive data
- Configure & Report on key Audit Data
- Centralize a repository of rules and workflows

Questions? Therron Hofsetz