FulcrumWay - Effective Ways to Assess ERP Controls 2014

Leverage Technology: Move Your Business Forward™
Risk and Compliance, Financial Reporting, Internal Audit, Controls Catalog, Application Security, Advanced Analytics
A Leader in Risk Based Enterprise Controls Management Solutions
Copyright ©. Fulcrum Information Technology, Inc.
Give me a lever long enough and a fulcrum on which to place it, and I shall move the world - Archimedes
Is Oracle ERP in Scope for 2014 Audit Plan? Learn, from our client case-studies, effective ways to assess ERP Controls
Webinar, January 28th, 2014. Adil Khan, Managing Director

description

This was presented on Jan. 28, 2014 in FulcrumWay's monthly Webinar sessions, which occur on the 3rd Tuesday of every month. Anyone may attend, just go to http://www.fulcrumway.com/events/upcoming-events for details. Hope to see you there!!

This presentation addresses:

• ERP Control Assessment Approach – 2014
• ERP Controls in Scope for Audit
• Audit Findings and Remediation
• Oracle Advanced Controls – Case Study

Transcript of FulcrumWay - Effective Ways to Assess ERP Controls 2014

Page 1: FulcrumWay - Effective Ways to Assess ERP Controls 2014

Leverage Technology: Move Your Business Forward™

Risk and Compliance Financial Reporting Internal Audit Controls Catalog Application Security Advanced Analytics

A Leader in Risk Based Enterprise Controls Management Solutions

Copyright ©. Fulcrum Information Technology, Inc. Give me a lever long enough and a fulcrum on which to place it, and I shall move the world - Archimedes

Is Oracle ERP in Scope for 2014 Audit Plan?

Learn, from our client case-studies, effective ways to assess ERP Controls

Webinar – January 28th, 2014

Adil Khan

Managing Director

Page 2: FulcrumWay - Effective Ways to Assess ERP Controls 2014

www.fulcrumway.com Page 2 Copyright © FulcrumWay

Is Oracle ERP in Scope for 2014 Audit Plan?

Agenda

• Introductions
• ERP Control Assessment Approach – 2014
• ERP Controls in Scope for Audit
• Audit Findings and Remediation
• Oracle Advanced Controls – Case Study

Page 4: FulcrumWay - Effective Ways to Assess ERP Controls 2014

FulcrumWay

A Leader in Risk Based Controls Management™

FulcrumWay is the #1 End-to-End Provider of Risk Based Enterprise Controls Management Solutions for Oracle EBS, PeopleSoft and JDE customers with over 200 Fortune-500 to Middle Market clients. Since 2003, we have successfully assisted companies across all major industry segments.

Expertise: Risk Advisory Services. Advanced Controls Design for Enterprise Applications. Best Practices for Risk Mitigation and Internal Controls Automation. Audit, Compliance, Financial, Enterprise and Operational Risk Assessments. Risk Remediation Services.

Packaged Solutions: FulcrumWay is the #1 choice of Oracle customers for Oracle GRC Advanced Controls, GRC Manager, and GRC Intelligence/OBIEE software implementation. Oracle has certified us as the only partner with Accelerators for Oracle GRC. We also provide Managed Services.

Software Services: Risk Assessment for ERP systems, Control Design and Management Tools, Controls Catalog, Enterprise Risk Manager, Financial Reporting Manager, Audit Manager

USA Presence: Privately held Delaware Corporation with US offices in New York City, Dallas and San Francisco

International Presence: in Auckland, Chennai, Johannesburg, London, Mexico City

Page 5: FulcrumWay - Effective Ways to Assess ERP Controls 2014

FulcrumWay Clients: Successful Track Record

Industries: Government, Oil and Gas, Healthcare, Communications, Financial Services, Transportation, Natural Resources, Manufacturing, Retail, High Tech, Media/Entertainment, Life Sciences

Page 6: FulcrumWay - Effective Ways to Assess ERP Controls 2014

FulcrumWay™ Insight: Proven Expertise

Thought Leadership

• Co-Authored GRC Book: First book on GRC for Oracle Applications
• Webcasts – GRC Best Practices, Trends and Expert Insight – February 19th
• Executive Round Table – GRC Advanced Controls Luncheon, Los Angeles, February 21st
• Executive Round Table – March 13th, Chicago: GRC Case Studies and Best Practices
• Collaborate 14 – GRC Client Appreciation Dinner, April 9th, 2014, Las Vegas
• Oracle Open World – Annual GRC Dinner on September 23rd, 2014, W Hotel San Francisco
• LinkedIn – FulcrumWay Risk, Compliance and Audit Software Group
• YouTube Podcasts – FulcrumWay Instant Insight in 10 min or less

Page 8: FulcrumWay - Effective Ways to Assess ERP Controls 2014

ERP Controls

Why include ERP Controls in Audit?

The U.S. Public Company Accounting Oversight Board's (PCAOB) "An Audit of Internal Control Over Financial Reporting That is Integrated with An Audit of Financial Statements" states that benchmarking of application controls can be used because these controls are generally not subject to breakdowns due to human failure. If general controls that are used to monitor program changes, access to programs, and computer operations are effective and continue to be tested on a regular basis, the auditor can conclude that the application control is effective without having to repeat the previous year's control test. This is especially true if the auditor verifies that the application control has not changed since the auditor last tested the application control.

Page 14: FulcrumWay - Effective Ways to Assess ERP Controls 2014

What are ERP Application Controls

[Diagram labels: Audit Logs; Data Archives; System Control Documents; Business Policies; ERP Configurations; Data Storage; Inputs (User Inputs, External Interface, Web Services, Banks); Output (Stockholders, Board of Directors); stages: Data Input, Validation, Posting, Processing, Output]

Control Points

• Input data is accurate, complete, authorized, and correct
• Data is processed as intended in an acceptable time period
• Data stored is accurate and complete.
• Outputs are accurate and complete.
• A record is maintained to track the process of data from input to storage and to the eventual output

Page 15: FulcrumWay - Effective Ways to Assess ERP Controls 2014

Top Down Risk Based Approach to Application Controls

Assessment Approach

• What are the enterprise wide risks that need to be assessed?
• Which business processes are impacted by these risks?
• Which ERP apps are used to perform these processes?
• Where (business locations) are the processes performed?
• What application functions control the processes?

Page 17: FulcrumWay - Effective Ways to Assess ERP Controls 2014

Application Risk Factors

List of Apps: AR, AP, GL, INV, INV, PR, HR, OM, PO, FA

App | Primary Process Enabler | Financial/Sensitive Data | Custom Code | Freq. of Changes | Audit Logs | Risk Rating
GL | 8 | 9 | 5 | 9 | 8 | 34
AP | 7 | 7 | 6 | 8 | 9 | 32
AR | 7 | 7 | 9 | 9 | 7 | 39
FA | 5 | 5 | 5 | 5 | 5 | 25
PO | 5 | 5 | 4 | 6 | 4 | 24

Risk Scale: Highest 10
Risk Threshold: Over 30
ERP Scope (apps over the risk threshold): AP, GL, AR

Page 18: FulcrumWay - Effective Ways to Assess ERP Controls 2014

Access Controls (ERP Scope)

Source: FulcrumWay Controls Catalog

Access Control | Risk Description | Process | ERP App | Risk Type | Risk Rating
Enter Journal and Post Journal | Can cause frauds or errors resulting in over or under stated financial statements | R2R | GL | Fin | High
Create Suppliers and Create Invoices - R12 | Can lead to an overstatement of liabilities if fictitious suppliers are created and invoiced. | P2P | AP | Fin | High
Create Customer and Create Sales Order - R12 | Can lead to an overstatement of revenues. | O2C | AR | Fin | High

Page 19: FulcrumWay - Effective Ways to Assess ERP Controls 2014

Configuration Controls (ERP Scope)

Source: FulcrumWay Controls Catalog

Configuration Control | Risk Description | Process | ERP App | Risk Type | Risk Rating
Journal Authorization Limits | Authorization limits for employees. | R2R | GL | Fin | High
Payment Adjustment Controls | Adjustments made to invoice distributions after payment is issued can cause errors in reconciliation … | P2P | AP | Fin | High
Define Credit Usage Rules | In Credit Management, credit usage rule sets ensure that all transactions for the specified currencies are converted to the credit ... | O2C | AR | Fin | High

Page 20: FulcrumWay - Effective Ways to Assess ERP Controls 2014

ERP Transaction Controls (ERP Scope)

Source: FulcrumWay Controls Catalog

Transaction Control | Risk Description | Process | ERP App | Risk Type | Risk Rating
Exchange Rates | Identify transactions after the fact monitoring of manual inputs of system exchange rates that are …more than 10% +/- | R2R | GL | Fin | High
AP Invoice Over PO | Invoice payments in excess of PO / user Invoice approval limit | P2P | AP | Fin | High
AR Invoices Over Threshold | Control monitor returns a record of each customer invoice that is valued in excess of a specified threshold. | O2C | AR | Fin | High

Page 21: FulcrumWay - Effective Ways to Assess ERP Controls 2014

ERP Control Methods (ERP Scope)

[Risk matrix. Axes: Impact (Low to High) and Probability (Low to High). Quadrants: High Risk, Medium Risk, Medium Risk, Low Risk. Control methods: Monitor Controls; Mitigate; Remediate & Prevent; Accept]

Page 22: FulcrumWay - Effective Ways to Assess ERP Controls 2014

ERP Preventive Controls ERP Scope

Page 24: FulcrumWay - Effective Ways to Assess ERP Controls 2014

ERP Audit Findings and Remediation

[Process diagram: Findings / Remediation, with FulcrumWay DataProbe]

Activities: Assess Risk; Detect Violations; Analyze Issues; Remediate Issues; Implement Corrective Actions; Monitor Application Environment; Scope Application Controls; Sample ERP Data; Manage Exceptions; Setup Mitigating Controls; Establish Test Environment

Roles: IT/Business Control Teams; Application Controls Manager; Application Security Administrator; Application Controls Manager

Page 25: FulcrumWay - Effective Ways to Assess ERP Controls 2014

Access Controls Violations: Findings

[Diagram: access path for one user]

User: John Doe
Role: Invoice Manager
Permission List: Invoices
Component: INVOICES-GBL
Page: TD_INVOICES
Page: PAYMENT_ACTION_IC
Role: Purchasing User
Menu: CREATE_PMTS

Other diagram labels: Role Row Security Class SOD Conflict Inherent False Positive Locked User Panel Group Component Authorized Actions

Page 26: FulcrumWay - Effective Ways to Assess ERP Controls 2014

Oracle Procure-to-Pay: Control Points (Findings)

[Diagram labels: Business Process Models; Service Oriented Architecture; Corporate Performance Management; Collaboration; Strategic Sourcing & Contract Mgmt; Supplier Collaboration; Spend Categories (Indirect & MRO, Direct Materials, Services); SWIFTNet; Settlement; Payment Processors; Banks. Process stages: Requisition; Purchase Goods / Services; Receive Goods / Services; Invoice; Issue Payments]

Page 27: FulcrumWay - Effective Ways to Assess ERP Controls 2014

Oracle Procure-to-Pay: Findings

[Same Procure-to-Pay diagram, with controls shown for the Strategic Sourcing & Contract Mgmt stage]

Strategic Sourcing & Contract Mgmt CONTROLS

• Are your vendors compliant with trade regulations? Are the vendors blacklisted?
• Do you have duplicate suppliers?
• Are there inappropriate associations between a vendor and an employee?
• Are there frequent changes to Supplier information?
• Are you missing critical supplier information? Is the information valid?

Page 28: FulcrumWay - Effective Ways to Assess ERP Controls 2014

Oracle Procure-to-Pay: Findings

[Same Procure-to-Pay diagram, with controls shown for the Requisition and Purchase Goods / Services stages]

Requisition, Purchase Goods / Services CONTROLS

• Do you have duplicate Purchase Orders?
• Are there purchases with non-preferred vendors?
• Are there split POs?
• Are POs created on the same day as goods arrive?

Page 29: FulcrumWay - Effective Ways to Assess ERP Controls 2014

Oracle Procure-to-Pay: Findings

[Same Procure-to-Pay diagram, with controls shown for the Receive Goods / Services, Invoice and Issue Payments stages]

Receive Goods / Services, Invoice, Issue Payments CONTROLS

• Are you making accurate and timely payments?
• Did the person making the payment create or modify the vendor?
• Are there discrepancies in freight charges?
• Are payment term changes reviewed before payment?
• Are there duplicate invoice amounts being processed?

Page 31: FulcrumWay - Effective Ways to Assess ERP Controls 2014

Case Study

Company Overview

Corporate Overview

• Large Mining, Chemical, Energy & Oil company headquartered in West Palm Beach, FL
• 1,200 Employees worldwide and $4B annual revenue
• Owns Oracle E-Business Suite R12 and several Non-Oracle Systems

Overall Challenges and the Need for ERP Controls

• Heterogeneous business application environment
• Inability to track unusual activity on sensitive financial data
• Lack of proper internal controls in various processes
• Insufficient documentation on access, configurations and transaction controls

Page 32: FulcrumWay - Effective Ways to Assess ERP Controls 2014

Controls in Scope

User security to prevent improper access to business functions

Segregation of Requisitions from Purchase Orders

– Auto Create of Purchase Orders/RFQ from Requisitions

One, Two or Three way matching of purchases to payments

Purchasing and Payment tolerances

Vendor purchasing/pay site configuration

One-time vendor indicator

Purchasing Approvals

– Based on dollar value

– Commodity Type

Page 33: FulcrumWay - Effective Ways to Assess ERP Controls 2014

Controls in Scope

Purchasing

– Compare Vendor Address with Employee address, looking for similarities
– Duplicate Suppliers, similar names or same tax ID
– One time vendors, Audit rules on the one-time vendor flag changes
– PO creation date is the same as the receiving date
– Split purchase orders
– Duplicate purchase orders

Accounts Payable

– Change rule for change in payment terms & Change tracking object for terms and tolerances
– Duplicate Invoices Control
– Same employee creates vendor and invoice to vendor

Page 34: FulcrumWay - Effective Ways to Assess ERP Controls 2014

Open/Closing Accounting Periods

Adding KFF Account values

Hiding private/sensitive data

– Social Security Number

– Bank Account information

– Home addresses

Automated period close and consolidation process

Controls in Scope

Page 35: FulcrumWay - Effective Ways to Assess ERP Controls 2014

IT/Super User Change Tracking

Security Rules

Cross Validation Rules

Foreign Currency exchange rate changes

Key Flexfield Segments

System Profiles

ERP Responsibilities

Payment Terms and Tolerances

Form Changes

Alert Changes

Bank Account Information

Journal Sources and Categories

Page 36: FulcrumWay - Effective Ways to Assess ERP Controls 2014

Oracle Advanced Controls Implementation

Preventive Controls

• Form Rules i.e. limiting access to a field
• Flow Rules i.e. approval rule informational message on trigger
• Audit Rules i.e. track changes
• Change Control Rules i.e. reason code as to why a field is changed

Configuration Controls

• Snapshots i.e. capturing specific setup/configuration info
• Comparisons i.e. comparing snapshots between ledgers, operating units, instances
• Change Tracking i.e. monitor any change to configuration

Access Controls

• Segregation of Duties i.e. Policy Load
• User Provisioning i.e. Detection and remediation of SODs
• Conflict Reports i.e. Report on Intra and Inter Responsibility conflicts

Transaction Controls

• Business Objects i.e. Tables and fields within EBS Suite
• Parameters i.e. Filters, Patterns and Functions
• TCG Models i.e. string of business objects that generate suspects

Page 37: FulcrumWay - Effective Ways to Assess ERP Controls 2014

Transaction Control Monitors

Monitor | Description
AP Invoices Over Threshold | Identify AP Invoices that are over a certain Threshold Amount
Dormant Inventory Items | Check for Dormant Inventory Items
Dormant User IDs | Identify dormant user IDs
Duplicate Vendor Payments | Identify Duplicate Vendor Payments within a specified time period
Enter Post Journals SOD Violation | Identify Journals that are entered and posted by the same user.
Manual Journal Entries over Threshold Amount | Identify Manual Journals created in General Ledger that are above the specified threshold amount
PO Over Threshold Amount | Identify Purchase Orders that are over a certain Threshold Amount.
Sales Order Over Credit Limit | Control Monitor for Sales Order over Credit Limit
Sales Order Over Threshold Amount | Identify Sales Orders that were booked for a value over a threshold amount
SOD Violation between AP Invoices and PO Documents | Identify purchasing and payables documents entered by the same user.
Terminated Employees with Active User Ids | Identify Terminated Employees with Active User Ids

Page 38: FulcrumWay - Effective Ways to Assess ERP Controls 2014

Transaction Control Monitors

Define credit usage rules: In Order Management, credit usage rule sets define the set of currencies that will share a predefined credit limit during the credit checking process, and enable the grouping of currencies for global credit checking.

Customer reporting hierarchy: Receivables uses the following hierarchy to determine the default payment term for your transactions, stopping when one is found:

1. Bill–to site
2. Customer Address
3. Customer
4. Transaction Type

Approval limits: Approval limits affect the Adjustments, Submit Auto Adjustments, and Approve Adjustments windows as well as the Credit Memo Request Workflow. Define approval limits to determine whether a Receivables user can approve adjustments or credit memo requests. You define approval limits by document type, dollar amount, reason code, and currency.

Aging buckets: Define aging buckets to review and report on open receivables based on the number of days each item is past due. For example, the 4–Bucket Aging bucket that Receivables provides consists of four periods: –999 to 0 days past due, 1 to 30 days past due, 31–61 days past due, and 61–91 days past due.

Page 39: FulcrumWay - Effective Ways to Assess ERP Controls 2014

Change Tracking

Query a change tracker to identify changes across multiple instances.

Select multiple applications to monitor

Query requires Change Tracking Transfer program to run before any data can be collected. (This program transfers change tracking data from the ERP instances to CCG.)

Page 40: FulcrumWay - Effective Ways to Assess ERP Controls 2014

Change Tracking

Monitor Configuration Changes

Users and administrators can monitor before-and-after values, responsible user, and time stamp

Page 41: FulcrumWay - Effective Ways to Assess ERP Controls 2014

EBS Form Rule Capabilities

• Defines what actions the element performs
• Empowers the user to make changes to EBS forms and processes

Capabilities:

• Set security attributes
• Compile lists of values (LOV)
• Establish navigation paths
• Set field attributes
• Display messages
• Run SQL statements
• Define default values for fields
• Execute Flow Rule process

Page 42: FulcrumWay - Effective Ways to Assess ERP Controls 2014

Form Rule Highlights

Modify Security Settings

Create Messages

Edit Field Properties

Hidden Field

Field Required

Edit Background

Edit Prompt Hide Field Data

Edit Messages

Page 43: FulcrumWay - Effective Ways to Assess ERP Controls 2014

Procure to Pay with Oracle Advanced Controls

Prevent Leakage, Cash Flow Optimization

Business Risks

• Unapproved or Illegal Suppliers
• Delayed Supplier payments
• Unauthorized Purchases

Controls Objectives

• Capture all Discounts
• Accurate Supplier Information
• Valid Purchase Orders
• Ensure Separation of Duties in Procurement

Continuous Monitors

• Split purchase orders
• Discounts Lost due to Delays in Payment
• Multiple Suppliers with the same Tax ID
• Multiple Suppliers with the same Bank Account Number
• Supplier and Invoices Created by Same User
• Multiple Suppliers with the similar email domain
• Purchase Orders issued to Blocked Suppliers
• Monitor purchases of unauthorized items, such as contraband

[Diagram: monitors raise incidents (Incident !), which are then investigated (Investigate) and closed (Close)]
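
Four of the monitors named on the Transaction Control Monitors and Procure to Pay slides, written out as detection logic over constructed records. This is an added example, not FulcrumWay or Oracle code; the field names, the sample data, the thresholds and the split-PO rule (same supplier, buyer and day, every PO within the approval limit but the total over it) are assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample records; field names are hypothetical, not Oracle EBS columns.
SUPPLIERS = [
    {"id": "S1", "tax_id": "11-1111111", "created_by": "jdoe"},
    {"id": "S2", "tax_id": "11-1111111", "created_by": "asmith"},
    {"id": "S3", "tax_id": "22-2222222", "created_by": "asmith"},
]
INVOICES = [
    {"id": "I1", "supplier": "S1", "created_by": "jdoe"},
    {"id": "I2", "supplier": "S3", "created_by": "mlee"},
]
PAYMENTS = [
    {"id": "P1", "supplier": "S3", "amount": 1200.00, "paid": date(2014, 1, 6)},
    {"id": "P2", "supplier": "S3", "amount": 1200.00, "paid": date(2014, 1, 9)},
    {"id": "P3", "supplier": "S3", "amount": 1200.00, "paid": date(2014, 3, 20)},
]
PURCHASE_ORDERS = [
    {"id": "PO1", "supplier": "S3", "buyer": "mlee", "amount": 4800.00, "created": date(2014, 1, 14)},
    {"id": "PO2", "supplier": "S3", "buyer": "mlee", "amount": 4900.00, "created": date(2014, 1, 14)},
    {"id": "PO3", "supplier": "S1", "buyer": "mlee", "amount": 300.00, "created": date(2014, 1, 14)},
]


def suppliers_sharing_tax_id(suppliers):
    """Multiple Suppliers with the same Tax ID: maps tax ID -> supplier ids."""
    by_tax = defaultdict(list)
    for s in suppliers:
        by_tax[s["tax_id"].strip()].append(s["id"])
    return {tax: ids for tax, ids in by_tax.items() if len(ids) > 1}


def supplier_and_invoice_same_user(suppliers, invoices):
    """Supplier and Invoices Created by Same User: returns offending invoice ids."""
    creator = {s["id"]: s["created_by"] for s in suppliers}
    return [i["id"] for i in invoices if creator.get(i["supplier"]) == i["created_by"]]


def duplicate_vendor_payments(payments, window_days):
    """Same supplier and amount paid again within window_days: (earlier, later) id pairs."""
    groups = defaultdict(list)
    for p in payments:
        groups[(p["supplier"], round(p["amount"], 2))].append(p)
    hits = []
    for group in groups.values():
        group.sort(key=lambda p: p["paid"])
        for earlier, later in zip(group, group[1:]):
            if later["paid"] - earlier["paid"] <= timedelta(days=window_days):
                hits.append((earlier["id"], later["id"]))
    return hits


def split_purchase_orders(pos, approval_limit):
    """Assumed rule: same supplier, buyer and day; every PO within the limit, total over it."""
    groups = defaultdict(list)
    for po in pos:
        groups[(po["supplier"], po["buyer"], po["created"])].append(po)
    hits = []
    for group in groups.values():
        total = sum(po["amount"] for po in group)
        within = all(po["amount"] <= approval_limit for po in group)
        if len(group) > 1 and within and total > approval_limit:
            hits.append(sorted(po["id"] for po in group))
    return hits


if __name__ == "__main__":
    print("Shared tax IDs:", suppliers_sharing_tax_id(SUPPLIERS))
    print("Same-user supplier/invoice:", supplier_and_invoice_same_user(SUPPLIERS, INVOICES))
    print("Duplicate payments (30 days):", duplicate_vendor_payments(PAYMENTS, 30))
    print("Split POs (limit 5000):", split_purchase_orders(PURCHASE_ORDERS, 5000))
```

Each function returns the suspect records rather than a yes/no, so a hit can be investigated and closed as an incident or marked as an accepted exception.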

Page 44: FulcrumWay - Effective Ways to Assess ERP Controls 2014

Leader in Risk Based Enterprise Controls Q & A

One-on-One with Experts Download DataProbe

Follow FulcrumWay on LinkedIn for ERP Risk and Controls