Presentation is loading. Please wait.

Presentation is loading. Please wait.

SOX Compliance: A Practical Look at Application Auditor Presented By Sunita Sarathy Product Manager Absolute Technologies, Inc.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "SOX Compliance: A Practical Look at Application Auditor Presented By Sunita Sarathy Product Manager Absolute Technologies, Inc."— Presentation transcript:

1 SOX Compliance: A Practical Look at Application Auditor Presented By Sunita Sarathy Product Manager Absolute Technologies, Inc

2 Sarbanes Oxley Act SOX – Signed into law on July 30, 2002 as a result of various accounting scandals SOX – Signed into law on July 30, 2002 as a result of various accounting scandals Section 404 requires public companies to attest to the effectiveness of their internal controls over financial reporting Section 404 requires public companies to attest to the effectiveness of their internal controls over financial reporting Section 302 requires that CEO’s and CFO’s vouch for the integrity of their financial statements Section 302 requires that CEO’s and CFO’s vouch for the integrity of their financial statements

3 Section 404 Compliance Compliance with SOX 404 has 4 steps Compliance with SOX 404 has 4 steps 1. Identify Key Internal Controls 2. Document the identified Internal Controls 3. Management Test of Internal Controls 4. Auditor Test of Internal Controls

4 Internal Controls What is an Internal Control? What is an Internal Control? Objectives of Internal Controls Objectives of Internal Controls –Ensure integrity and reliability of information –Compliance with policies, laws and regulations –Safeguarding of assets –Economical and efficient use of resources –Accomplishment of established objectives and goals

5 When Internal Controls aren’t met… 1. Deficiency (No requirement to report it) 2. Significant Deficiency (Must be reported to the audit committee, but not to the public) 3. Material Weakness (Needs to be disclosed publicly, in company financial statements)

6 Internal Controls in IT SOX Section 404 - “Management has to ensure appropriate internal controls of financial reporting” SOX Section 404 - “Management has to ensure appropriate internal controls of financial reporting” Most companies have software applications that impact Financial Reporting, like Oracle, SAP etc Most companies have software applications that impact Financial Reporting, like Oracle, SAP etc Therefore, most IT Applications would need to be regulated as per SOX requirements! Therefore, most IT Applications would need to be regulated as per SOX requirements!

7 IT Internal Controls Most companies adopt some or all of these Best Practices: Most companies adopt some or all of these Best Practices: –Documentation –Approvals –Separation of Duties –Testing –AUDITING

8 Why Audit? When critical or financial impacting data isn’t audited properly… …financial statements may be incorrect due to mistakes, or fraud Auditors may identify inconsistencies as significant deficiency or material weakness Auditors may identify inconsistencies as significant deficiency or material weakness

9 Auditing Oracle There are several auditing options in Oracle: Oracle Database – Audit Feature Oracle Database – Audit Feature eBusiness Suite – Row Who Columns eBusiness Suite – Row Who Columns eBusiness Suite – End User Access eBusiness Suite – End User Access eBusiness Suite – Oracle Alerts eBusiness Suite – Oracle Alerts eBusiness Suite – Audit Trail eBusiness Suite – Audit Trail Absolute Technologies Application Auditor Absolute Technologies Application Auditor

10 1. Database Audit Feature Set audit_trail parameter = TRUE in init.ora file and restart the database Set audit_trail parameter = TRUE in init.ora file and restart the database Execute SQL audit commands from SYSTEM user in SQL*Plus Execute SQL audit commands from SYSTEM user in SQL*Plus Audit various database transactions Audit various database transactions Transactions are captured in the SYS.AUD$ table Transactions are captured in the SYS.AUD$ table

11 Limitations Does not provide before and after values for column changes Does not provide before and after values for column changes No standard reporting, or form level access to data No standard reporting, or form level access to data No way to provide user notification, as the audit table is owned by SYS (cannot define triggers on SYS tables) No way to provide user notification, as the audit table is owned by SYS (cannot define triggers on SYS tables)

12 2. EBS – Row Who CREATION_DATE Date and Time row was created CREATED_BY Oracle Applications user ID from FND_USER LAST_UPDATE_LOGIN Login ID from FND_LOGINS LAST_UPDATE_DATE Date and Time row as last updated LAST_UPDATED_BY Oracle Applications user ID from FND_USERS Can be accessed by selecting Help > Record History, in the Oracle Applications Menu Can be accessed by selecting Help > Record History, in the Oracle Applications Menu Columns can also be selected from within SQL Columns can also be selected from within SQL

13 Limitations Only stores the identities of the user that created the record, and the user that made the latest change Only stores the identities of the user that created the record, and the user that made the latest change Does not store old and new values of the changed columns Does not store old and new values of the changed columns Cannot handle changes made by processes external to the security of Oracle Applications Cannot handle changes made by processes external to the security of Oracle Applications Information is stored within the subject table, making it less convenient for centralized audit reporting Information is stored within the subject table, making it less convenient for centralized audit reporting

14 3. EBS – End User Access The system profile option “Sign-On: Audit Level” controls the level of end user access auditing The valid settings are None, User, Responsibility, and Form. ‘Form’ represents maximum auditing The standard reports for end-user auditing are: – –SignOn Audit Users – –SignOn Audit Responsibilities – –SignOn Audit Forms – –SignOn Audit Concurrent Requests – –SignOn Audit Unsuccessful Logins

15 Limitations Only audits end user usage of specified forms Does not audit changes at the database level Does not audit any form activity or database transaction that may be of interest to ensure compliance. Only audits user access

16 4. EBS – Oracle Alerts Oracle’s Exception Reporting Tool Oracle’s Exception Reporting Tool Uses SQL statements to define exception conditions Uses SQL statements to define exception conditions Can be Periodic (schedule based) or Event (creates a database trigger) Can be Periodic (schedule based) or Event (creates a database trigger)

17 Limitations Cannot provide before and after values for changed columns Cannot provide before and after values for changed columns Event Alerts fire on any change to a record within a defined table, generating unwanted transactions Event Alerts fire on any change to a record within a defined table, generating unwanted transactions May cause Concurrent Request bottlenecks May cause Concurrent Request bottlenecks

18 5. EBS – Audit Trail Set the System Profile Option AuditTrail: Activate to Yes As System Administrator, select Security -> AuditTrail -> Install Define applications, groups, tables and columns to audit Run Audit Trail Update Tables program to activate auditing

19 Limitations No single audit table for ease of reporting Can’t apply a condition to the trigger Can’t toggle an audit on/off for a single table Can’t capture data outside the scope of the audited table, like foreign table column values for ease of reporting No single record holds the before and after detail of changed column values

20 Key to SOX Compliance The greater the degree of automation in the development process, the better. The greater the degree of automation in the development process, the better. Automate audit triggering, and the capturing of audit data. Automate audit triggering, and the capturing of audit data. Ease of audit reporting Ease of audit reporting

21 Enter Application Auditor Application Auditor is a comprehensive auditing solution that can be installed and configured within minutes Application Auditor is a comprehensive auditing solution that can be installed and configured within minutes Standard, user-friendly interface based on Oracle Developer tools Standard, user-friendly interface based on Oracle Developer tools Simplifies audit reporting, as all audit records go to one table Simplifies audit reporting, as all audit records go to one table

22 Application Auditor Source Table (FND_USER) Source Table (AP_CHECKS) Source Table (ORDER_HOLDS) App Auditor Transaction Details (Destination) Table

23 Audit Design Audit dynamically creates trigger-procedure combination Audit dynamically creates trigger-procedure combination Database Objects are created in the AA schema Database Objects are created in the AA schema Trigger is defined on Source Table, to be fired upon change to Source Columns Trigger is defined on Source Table, to be fired upon change to Source Columns Procedure collects… Procedure collects… –Before and After Values of Source Columns –Reference Columns and other identifying Elements … and inserts them into the Transactions table

24 Source Table is Changed Audit Flow Table based Trigger fires, calls Procedure Procedure collects Old and New Values of Changed Column, and other Reference Columns Inserts audit data into Destination Table

25 Create an Audit Select a Source Table - the table to be audited Select a Source Table - the table to be auditedSource Table Source Table Register the standard AA Destination table, which will store all audited data Register the standard AA Destination table, which will store all audited dataDestination tableDestination table Identify Source Columns - the Columns that we want tracked in the Source Table Identify Source Columns - the Columns that we want tracked in the Source TableSource Columns Source Columns AA automatically collects standard reference information for each record AA automatically collects standard reference information for each recordreference information reference information AA maps the Source and Reference Column values to columns in the standard Destination Audit Table. AA maps the Source and Reference Column values to columns in the standard Destination Audit Table.maps Compile the configuration - It is now ready to audit! Compile the configuration - It is now ready to audit!

26 Audit Mapping (Source Columns)(Mapped Columns) START_DATE*OLD_COLUMN_VALUE START_DATE*NEW_COLUMN_VALUE LAST_UPDATED_BYLAST_UPDATED_BY TRANSACTED_DATETRANSACTED_DATE D_FND_USER_NAMEFND_USER_NAME D_TERMINALTERMINAL Source Table (FND_USER) Destination Table (ai_ce_change_trx)

27 Audit Features Single audit table stores – Single audit table stores – Before and After values of column Before and After values of column Table and Column name Table and Column name Trigger Action (Insert, Update or Delete) Trigger Action (Insert, Update or Delete) Primary Key of Table Primary Key of Table When and Who changed the column value When and Who changed the column value Reference additional column values within the same table at time of change Reference additional column values within the same table at time of change Embedded SQL can select additional values from other tables upon change Embedded SQL can select additional values from other tables upon change

28 Revision Architecture Uses Revisions to create separate audit bins Uses Revisions to create separate audit bins Audits may be migrated across revisions, or even across database instances. Audits may be migrated across revisions, or even across database instances. –Migrate Audit from Revision 1 to Revision 2 –Migrate entire Revision from Dev to Prod instance Only one compiled revision can exist at a point in time Only one compiled revision can exist at a point in time

29 Revision Architecture Allows the separation of audits based on user criteria Allows the separation of audits based on user criteria Allows one-step compilation of all audits in a revision Allows one-step compilation of all audits in a revision Compiled Audits Revision (example) Development Revision (example)

30 Audit Reporting Audit Transactions Report Audit Transactions Report Audit Transactions Audit Transactions –Displays the old and new values of the column, the database user who updated the record, and the identity of the terminal used to make the change Audit Configurations Report Audit Configurations Report Audit Configurations Audit Configurations –Displays the various audit configurations defined through Application Auditor

31 SOX Compliant Audit Package Pre-defined set of 65 audits, based on significant Setup and Financial Impacting tables in Oracle eBusiness Suite Pre-defined set of 65 audits, based on significant Setup and Financial Impacting tables in Oracle eBusiness Suite Package can be loaded and compiled within minutes Package can be loaded and compiled within minutes

32 AA Administrator Audit the Auditor! Audit the Auditor! Track users created in AA schema Track users created in AA schema Track changes to database objects in AA schema Track changes to database objects in AA schema Administrator email account holds a copy of all email notifications sent from AA Administrator email account holds a copy of all email notifications sent from AA

33 Audit the Auditor

34 Planned Enhancements Increased audit flexibility – allow a Destination Object Type ‘Procedure’ Increased audit flexibility – allow a Destination Object Type ‘Procedure’ Allow users to audit and prevent unauthorized transactions Allow users to audit and prevent unauthorized transactions Audit DDL for ANY schema Audit DDL for ANY schema Audit all transactions for a User Audit all transactions for a User

35 AA Customers (SIMG) Requirement – Distinguish between updates made from SQL*Plus, and updates within Oracle Apps Solution – AA’s Check Terminal feature allows the user to identify how the transaction was performed.

36 AA Customers (Harmonic) Requirement – Transaction Monitoring Solution – AA provides notification when unauthorized transactions occur

37 AA Customers (Tektronix) Requirement – Track Sales Order Changes Solution – AA’s custom table option allows for audit records to be mapped to custom tables

38 Finally Application Auditor is highly performance optimized…no performance issues Application Auditor is highly performance optimized…no performance issues User friendly Forms Interface for Audit Configurations and Audit Transactions User friendly Forms Interface for Audit Configurations and Audit Transactions Two step audit process (Auditor and Audit Administrator) Two step audit process (Auditor and Audit Administrator)

39 Thank You!

40 Source – Destination Tables

41 Source Columns

42 Reference Elements

43 Column Mapping

44 Audit Transactions Report

45 Audit Configuration Report

Download ppt "SOX Compliance: A Practical Look at Application Auditor Presented By Sunita Sarathy Product Manager Absolute Technologies, Inc."

Similar presentations

Enhanced XA Security CISTECH Security Solutions Belinda Daub, Senior Consultant Technical Services 704-814-0004.

Enhanced XA Security CISTECH Security Solutions Belinda Daub, Senior Consultant Technical Services
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 8 Application Data Auditing.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 8 Application Data Auditing.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 8 Application Data Auditing.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 8 Application Data Auditing.
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Copyright © 2004 Absolute Technologies, Inc. Satisfying SOX Separation of Duties Compliance Requirements Presented by Kenny Gilbert – Director of IS, Silicon.

Copyright © 2004 Absolute Technologies, Inc. Satisfying SOX Separation of Duties Compliance Requirements Presented by Kenny Gilbert – Director of IS, Silicon.
1 DB2 Access Recording Services Auditing DB2 on z/OS with “DBARS” A product developed by Software Product Research.

1 DB2 Access Recording Services Auditing DB2 on z/OS with “DBARS” A product developed by Software Product Research.
Auditing Computer-Based Information Systems

Auditing Computer-Based Information Systems
SOFTWARE PRESENTATION ODMS (OPEN SOURCE DOCUMENT MANAGEMENT SYSTEM)

SOFTWARE PRESENTATION ODMS (OPEN SOURCE DOCUMENT MANAGEMENT SYSTEM)
The Islamic University of Gaza

The Islamic University of Gaza
Sarbanes-Oxley Compliance Process Automation

Sarbanes-Oxley Compliance Process Automation
The TRUTH About SOX, Auditors & Oracle Applimation is the leading provider of Application Lifecycle Management solutions.

The TRUTH About SOX, Auditors & Oracle Applimation is the leading provider of Application Lifecycle Management solutions.
ProCognis SOX 404 & COSO Implementation Presentation

ProCognis SOX 404 & COSO Implementation Presentation
Chapter 9 Auditing Database Activities

Chapter 9 Auditing Database Activities
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Internal Control Concepts Knowledge. Best Practices for IT Governance IT Governance Structure of Relationship Audit Role in IT Governance.

Internal Control Concepts Knowledge. Best Practices for IT Governance IT Governance Structure of Relationship Audit Role in IT Governance.
Creating a Secured and Trusted Information Sphere in Different Markets Giuseppe Contino.

Creating a Secured and Trusted Information Sphere in Different Markets Giuseppe Contino.
COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.

COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.
Internal Control. COSO’s Framework Committee of Sponsoring Organizations 1992 issued a white paper on internal control Since this time, this framework.

Internal Control. COSO’s Framework Committee of Sponsoring Organizations 1992 issued a white paper on internal control Since this time, this framework.
1 Classification: Genpact Internal.  Tool From Oracle  Works with Oracle Database  PL/SQL Based  Widely Used with Oracle Applications  Can be Used.

1 Classification: Genpact Internal.  Tool From Oracle  Works with Oracle Database  PL/SQL Based  Widely Used with Oracle Applications  Can be Used.
Chapter 7 Database Auditing Models

Chapter 7 Database Auditing Models

Similar presentations

Ads by Google