Pressure Cooker: Access Controls in New and Existing ERP Systems

Presentation transcript:

1 Pressure Cooker: Access Controls in New and Existing ERP Systems

2 Overview
- Introduction: A story of contrasts
- Motivations
- Lifecycle Stage
- Time

3 Motivations (UA)
Classification of Financial Audit Findings:
- Control deficiency: control does not prevent or detect misstatements on a timely basis.
- Significant Deficiency: one or a combination of control deficiencies. Written finding. Report to federal agencies.
- Material Weakness: one or a combination of significant deficiencies, resulting in more than a remote likelihood of misstatement of financials. Serious concern to Regents.

4 Motivation (UA)
- 2009: Deputy CIO, Legacy System, Financial Auditor, Ad hoc preparation
- 2010: UISO, PeopleSoft HR, IT Auditor, Pre-validation and binder

5 Motivations (PCC)
- Banner implemented in 1999
- Variety of high risk issues
- Two pronged approach: Long term planning; Security culture

6 Lifecycle (UA)
- University Information Security Officer
- Enterprise Applications Security and HR Technical Teams
- Infrastructure Sys Admin and Environment Teams
- Business Analysts
- Program Coordinators
- Business Intelligence Team

7 Lifecycle stage (UA)
- Auditor Access and Data: NetID, VPN, PeopleSoft, Business Intelligence
- Application Access Control: Roles, Initial Access, Access Provisioning
- Change Control: Change Management, System Infrastructure Controls

8 Auditor Access and Data (UA)
- NetID and VPN: Secure access on a protected remote connection
- PeopleSoft HR: Separate role, read only, restricted to meet requirements
- Business Intelligence: Reports limited to requirements and data files run by UA staff

9 Access Control (UA)
- UA Security Policies: Password Policy, Authorization and Control of Access
- Role Construction: Roles and access by job functions with audit tables for role security
- Application Access Provisioning: Initial Provisioning, QA and transition to Provisioning

10 Change Control (UA)
Environments: Dev, Test, Stage, Prod

11 Change Control (UA)
Change flow: User, Ticket system, Bench test, Peer Review, Risk Assessment, UAT, Fallback Plan, Mgmt Approval, Move to Prod

12 Lifecycle Stage (PCC)

13 Lifecycle Stage (PCC)

14 Timeline (UA)
- Setup: Auditor Access
- Access Controls: Policies, Roles, Provisioning
- Change Controls: Change Mgmt, Infrastructure
- Results: Lessons Learned, Effort, Timeline

15 Timeline (UA)
- May: File preparation, process validation; Set up auditor access accounts; Onsite meeting, web conferences, data feeds
- June: Coordination of reports and data feeds; Collection of info for follow-up questions; Web conferences, conference calls
- July: Access control and change management testing; Onsite meetings, web conferences, conference calls

16 Timeline (UA) - what worked
- Focus preparation on major controls
- Pre-validation of control processes
- Prepare documentation in advance for auditor
- Ensure a team approach
- Know where and how to get information
- Share out knowledge quickly to teams to begin improvements
- Develop rapport with auditors
- Be helpful, timely, check in on needs
- Keep them in scope while providing access
- Learn the standards they use to measure controls
- Represent best of what UA is doing and keep a good perspective

17 Time (PCC)

18 Conclusion
- Cathy Bates, Univ. Information Security Off., University of Arizona
- Brian Basgen, Information Security Officer, Pima Community College
