Published by Ursula Frank. Modified over 6 years ago.
1
Very Simple SoD & Audit Reporting Oracle ERP Cloud & EBS
Mike Ward – CEO, Q Software
Brian Stanz – CTO
2
Objectives…
know if you have security issues on your ERP
satisfying Compliance & Audit?
remediation planning
SoD & Fraud control
3
Mike Ward
45 Years IT Experience
ERP from the Beginning
200 Audits
@mikeaward
4
Brian Stanz
26 Years IT Experience
JDE & Oracle
JDE E1 Development
200 Security Audits
5
Has your company experienced Fraud?
© PwC 2018 Crime & Fraud Survey
7
Objective of an External Audit
…....conducted by an independent auditor to ensure that the company’s financial reports present a true & fair view of its financial performance and financial position…...
8
Why Perform an Audit?
The CFO Asked
Oracle Licensing Called
The Auditor is coming tomorrow?
How good is my Security?
I went live, I need a Plan?
9
Role Based Access Control
Map on to Business Processes
Consider SoD during Role Design
Managing Roles not the Individual
Visibility & Risk
Least Privilege - Need Access to do Job
Sensitive Data Access
Defining Roles
RBAC Advantage: allows you to alter Roles rather than individuals
Issue: how do you ensure that your roles are aggregated enough but do not create too much risk?
10
Visibility
Where are my SoD issues?
Who Owns that Issue?
What is the Business Risk?
How do I fix it? Mitigation?
Who can Access this Critical Object, Master Data?
Periodic Access Review
11
EBS - Understand your Module Usage
Input Oracle License
Request Audit – No technical requirements
Report will show
Usage by Module
Non-Compliance Modules
Custom Modules
Users who have accessed & Users who could access
Look at Users/Roles to Determine Usage & Remove unnecessary access
What you need to know – what are your risks? Have you secured against them?
12
QCloud - Audit as a Service
Very Rapid, No Effort… Answers
So let's look at how Audit as a Service can help you
Make finding the answers internally or for external audit very easy
13
QCloud Audit as a Service – a Huge Time Saving
Existing audit processes are manual
IT staff create reports SQL/manual
Cobbled together spreadsheets
Auditors Review & Question (& loop)
Tools
Specialist On-Prem (Audit Manager)
Expensive & Very Complex (Oracle GRC/AACG)
QCloud Automates
Customer Log In
Request, Review
Download Report
Typical audits for ERP software are performed manually. IT staff create reports over their systems to show the level of security of their application. These reports are either done manually using current reports that the system generates or they are cobbled together into spreadsheets based on data exports. The reports are then reviewed and interrogated by the auditors until the authorization to the system is deemed to be secure. Q Software has audit processes today that work On Premise and then back in our audit environments to produce the reports for customers to then show the auditors or the CFO of the business. Q Software is now able to bring automation to the audit process so that customers can sign up for audits and have the software in our cloud review, collate and report back on your system. Customers log in to our Q Cloud portal. Customers can request a new audit, review old audit information, or download previous audit reports. Customers can see historical information of the audits that have been run in the past on the Q Cloud. Q Software is starting off with JD Edwards EnterpriseOne, but will be expanding to other ERPs in the near future (more on that later).
14
Cloud Based Architecture consisting of three modules
Q Cloud
Hosted logic and portal for accessing and running audits in the cloud
Multi-Tenant architecture
ALL data ‘At-Rest’ in the cloud is encrypted
Q Agent
Downloaded from the Q Cloud once registered
Collects relevant audit data from the customer’s enterprise
All data ‘In-Flight’ is encrypted
Platform and Database agnostic
Q Helper (Internal Only)
The ‘brains’ behind the scenes
Currently hosted in the Amazon Cloud (AWS)
Can be hosted on any cloud infrastructure
Can be hosted in any country to satisfy local regulations on data
15
The Future of Security Audit has Arrived
QCloud Demo….
16
Security of Customer Data
ISO/IEC :2010 Part 3 Encryption (Oracle Standard)
No Business Data Uploaded to the Q Cloud.
Hosted at AWS (Australia)
Totally secure Environment
Encrypted in Flight
From customer site to QCloud.
Encrypted at Rest
in the QCloud
17
Summary
18
Metrics – Immediate Measures of Quality
19
Bluescope
E-Business Suite
Listed in Australia
Audits Twice a Year
Very Time consuming
Segregation of Duties
Mitigation
Audit Documentation
Live in a Month
20
Tesaro
BioPharma in Boston
ERP Cloud – Financials & HCM
Newly Listed
Audit & SoD Reporting
Remediation…….Standard Roles!
Live
21
The main issues – get an audit on demand, immediate results with no technical effort, trends & drill down
What would you use for … plan and remediate, simplify audit process for auditors, fraud control
22
6 Best Practice Tips for ERP Security
Audit Live Security
Evaluate the Risks
Build YOUR Risk Matrix
Map on to your Business Processes
Plan your Roles
Periodic Review – Involve the Business