
Internal Controls & Compliance
using Oracle Applications
Ohio Valley Oracle Application Users Group
Jeff Taylor
Pathik Mody
Deloitte & Touche LLP
January 26, 2007
Agenda
• Sarbanes-Oxley Overview
• Internal Controls, Compliance, & Technology
• SOX Tools
• Segregation of Duties
• Process and Financial Statement Certifications
• Continuous Control Monitoring
• Case Study
• Questions
Copyright © 2006 Deloitte Development LLC. All rights reserved.
Sarbanes-Oxley Overview
Background of Sarbanes-Oxley
• Passed by Congress on January 23rd, 2002
and signed by President Bush on July 30th,
2002
• Named after Senator Paul Sarbanes (D-MD)
and Representative Michael Oxley (R-OH)
• Governs publicly traded firms, including all
overseas firms traded on the US markets
Regulatory Background
Sarbanes-Oxley Section 302 and 404 Internal Control Requirements
Section 302 requires the CEO and CFO of a public company to certify quarterly and annually that they:
• Are responsible for disclosure controls,
• Have designed controls to ensure that material information is known to them,
• Have evaluated the effectiveness of controls,
• Have presented their conclusions in the filing,
• Have disclosed to the audit committee and auditors significant control deficiencies and acts of fraud,
• Have indicated in the report significant changes to controls.
Section 404 requires the CEO and CFO to annually:
• State their responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting,
• Conduct and provide an assessment of the effectiveness of the enterprise's internal controls.
Section 404 also requires the external auditor to:
• Attest to management's assertion.
Internal Controls, Compliance & Technology
What is an Internal Control?
Providing reasonable assurance of:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with laws and regulations
Compliance Steps
(Diagram: four steps, Policy & Procedure, Standards, Enforcement and Monitor. Labels on the diagram: SOX 404, COSO, COBIT, FDICIA and ISO on one side; Operational Policies, Standards, Configuration Enforcement and Monitoring, Configuration Reporting and Common Automated Auditing on the other.)
Current Situation Analysis
• Companies today are thinking beyond initial compliance
requirements
– Focusing on achieving sustained compliance
– Establishing systems to support compliance in year three/four and beyond that are
integrated into their ongoing operations
• Technology plays a key role in helping companies sustain
compliance effectively and efficiently
• Most companies adopted interim solutions to support their
compliance efforts
• However, companies need an efficient and sustainable
environment to enable the documentation, monitoring,
assessment and reporting on internal controls
End-State Architecture for Sustaining Compliance
(Diagram. Stakeholders: Sarbanes PMO, CEO/CFO, CIO, Business Unit, Field Audit (404 App), Internal Audit, External Audit, Audit Committee, Disclosure Committee, HR/Training. An Integration and Collaboration layer connects them to two groups of systems. Compliance-related applications and systems: Security, Internal Control Documentation & Assessment, Control Monitoring, Content & Records Mgmt, Document Retention. Financial and related systems, platforms and databases that hold data, transactions and records: Financial Systems, Supply Chain, Financial Reporting, HR, CRM, Systems Mgmt, Databases. Foundation: Hardware/Operating System/Network Infrastructure.)
The Compliance Direction
• Detective → Preventive
• Manual → Automated
• Fragmented → Integrated
• Local → Global
SOX Tools
Oracle Internal Controls Manager
Sarbanes-Oxley Section 404 Tools
• Many commercially available products offer integrated technology functionality.
• Vendors offer different approaches to implementing and managing internal controls in their products.
• There are a number of options available in the market from ERP vendors, large integrated software vendors and specialty vendors, and more should be expected in the future.
• Many of these products provide functionality such as integration with ERPs, financial reporting systems and other back-end systems that can support sustained SOX compliance efforts.
• The ERP vendors are expected to possess an advantage for companies that already use their systems.
• However, companies must consider their technology environment and business requirements to determine which option is best.
• With most products in the market, companies should be able to migrate their risk and control information to the vendor's product through a variety of export/import tools.
Sample Vendors and Products
(Slide shows vendor logos grouped as ERPs, Large Software Vendors and Specialty Vendors; products named on the slide: ICM, ICE, MIC.)
What is Oracle Internal Controls Manager?
• ICM is an application developed to facilitate the collection, management, testing and remediation of control data and risk-related efforts.
• ICM integrates with your Oracle ERP application.
• ICM is a tool that can be used by:
– Controllers, Internal Auditors, Operational Managers and External Auditors to perform assessments, review and monitor ongoing compliance
– Process Owners to document and validate business processes and track issues
– Signing Officers to certify financial statements
(Diagram: ICM cycle of Document, Test and Monitor, with the experts listed above around it.)
Why Implement ICM?
• Organizes process documentation
• Organizes risk assessments and control evaluations
• Identifies control weaknesses more easily
• Provides flexibility to tailor the audit process
• ICM's flexibility enables reporting from different points of view (e.g., financial, operational, organizational)
• Segregation of Duties and IT audit capabilities
• Integrates with the Oracle Financials suite
• Useful for all levels of management
Oracle ICM Process
(Diagram.) Data Repository: Define Organizations → Define Parent Processes → Define Processes → Define Risks → Define Controls → Define Audit Procedures.
Audit / Review Process: Audit Results → Findings / Remediation → Conclude → Certify.
Foundation: Administration, Security Roles and Access, Reports.
Oracle ICM Current Features (screenshot)
Populating the Data Repository
Processes: understand the business processes that run the business
• Create business processes using Web ADI, Workflow or Tutor
• Associate procedures to processes
• Link key accounts to processes
• Associate risks, controls and audit procedures with processes
• Map processes to organizations
Risks: processes are exposed to various risks
• Identify the risks associated with each business process
• Classify each risk for its probability and impact
• Import risks using the import process (Web ADI)
• Create/maintain a library of reusable risks
Controls: controls are put in place to mitigate risks
• Import controls using the import process (Web ADI)
• Associate controls with risks
• Capture control objectives, control assertions and physical evidence detail
• Categorize controls using control type
Audit Procedures: audit procedures test the effectiveness of controls
• Import audit procedures using the import process (Web ADI)
• Keep track of audit history for each procedure
• Procedures provide detailed steps to be performed during the audit field work
• Procedures can be set up to verify design, operational effectiveness or both
Documenting Processes, Risks and Controls (screenshots: Processes – Sub Process; Risk & Control Association)
Process Details (screenshot showing Process, Control, Risk, Objective and Control Activity)
ICM Other Features
• Process associated with audit procedures
• Audit procedures associated with control
• Create Audit Engagement
• Add Organization and Process to an Audit Engagement
• Associate process to an Audit Engagement
• Create/Add procedure to an Audit Engagement
• Document findings and remediation
Segregation of Duties
SOD Features and Benefits
Features
– Constraints for Incompatible Responsibilities/Functions
– Waivers for Users or Responsibilities
– Spreadsheet Upload for Constraints
– XML Publisher Report for Constraint Violations
Benefits
– Segregate Duties by Operating Units
– Allow Super Users to be Exempted from Constraints
– Reduce Implementation Effort in Constraint Set Up
– Facilitate Sharing of Constraint Violation Report
Incompatible Responsibilities/Functions (screenshot)
SOD – XML Reports (screenshot)
Process and Financial Statement Certifications
Business Process Certification Dashboard (screenshot)
Financial Statement Certification Dashboard (screenshot)
Certifying Compliance Dashboard (screenshot)
What reports are available?
• Reports
– Design Assessment
– Operating Effectiveness
– Risk Assessment
– Control Testing
– Open Issues / Findings
– Control Gaps
• Dashboard
• Several XML reports
What We Learned
• Reduce the scope of the effort by focusing on key processes,
transactions and controls
• Grow into extensive ICM functionality
• Ensure management understands the level of involvement
required throughout the organization
• Standardize compliance process throughout the organization
• Spend time upfront loading Risk Library
• Leverage software to monitor the compliance effort,
document testing and promote management responsibility
Continuous Control Monitoring
Controls Automation & Monitoring
• Why Controls Automation and Continuous Controls
Monitoring are Important
– Reduces effort, cost, and reliance on external consultants by
increasing control reliability and efficiency.
– Enhances the effectiveness of Internal Audit and line manager/staff.
– Provides real-time information for proactive preventive measures.
– Leverages real-time information and compliance investment for
business value generation.
– Provides a sustainable and repeatable process to enable data and
control quality improvement.
– Decreases learning curve and training requirements.
Controls Monitoring
(Table: Category / Features / Benefits)
Transaction Monitoring
• Features: identify suspicious transactions for further review; flag anomalies for investigation; isolate transactions not in compliance with business rules
• Benefits: identify inappropriate flows (e.g., duplicate payments); provide evidence of control operation / quickly identify issues
Master Data Monitoring
• Features: monitor changes to master data files (e.g., Supplier Master) for suspicious activity
• Benefits: identify and address suspicious changes to master data; detect stale master file records
Access Control Monitoring
• Features: monitor changes to user access / roles
• Benefits: detect unauthorized modifications to user access / roles; monitor access to sensitive transactions and data
Segregation of Duties Monitoring
• Features: identify SOD violations; detect executed transactions that violate SOD rules
• Benefits: prevent SOD conflicts that increase the risk of fraud & error
Configuration Monitoring
• Features: detect changes to system configurations that may increase risks of fraud & error
• Benefits: demonstrate the continued effectiveness of application controls
Manual Process & Control Monitoring
• Features: ensure the initiation and completion of manual business & IT processes & controls
• Benefits: provide an audit trail for manual processes; increase effectiveness & efficiency of manual business & IT processes and controls
IT General Controls
• Features: security / access controls; change management controls; IT operations controls
• Benefits: enable increased reliance on automated business process controls
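An added example for the Transaction Monitoring row (not from the deck and not Oracle code): duplicate-payment detection and one business-rule check over constructed AP invoices. Supplier names, invoice numbers, amounts, the 30-day window, the approval threshold and the approved_by field are assumptions of the example.

```python
"""Transaction monitoring rules over constructed AP invoice data (added illustration).

Not Oracle code. Suppliers, invoice numbers, amounts, window, threshold and the
approval field are assumptions for the example only.
"""
import re
from datetime import date
from itertools import combinations
from typing import List, NamedTuple, Tuple


class Invoice(NamedTuple):
    invoice_id: str
    supplier: str
    invoice_num: str
    amount_cents: int        # integer cents so equality is exact
    invoice_date: date
    approved_by: str         # "" when no approval is recorded


class Finding(NamedTuple):
    rule: str
    invoice_ids: Tuple[str, ...]
    detail: str


def normalize_invoice_num(s: str) -> str:
    """Fold the variants a duplicate usually hides behind: case, punctuation and
    spacing, and zero-padding of the numeric part ('inv-0012' == 'INV 12')."""
    compact = re.sub(r"[^A-Z0-9]", "", s.upper())
    return re.sub(r"(?<!\d)0+(?=\d)", "", compact)


def duplicate_payments(invoices, window_days: int = 30) -> List[Finding]:
    """Same supplier and amount: exact duplicate when the normalised invoice numbers
    match, likely duplicate when they differ but the dates fall within window_days."""
    findings = []
    for a, b in combinations(invoices, 2):
        if a.supplier != b.supplier or a.amount_cents != b.amount_cents:
            continue
        if normalize_invoice_num(a.invoice_num) == normalize_invoice_num(b.invoice_num):
            findings.append(Finding("DUP-EXACT", (a.invoice_id, b.invoice_id),
                                    f"{a.supplier}: invoice numbers {a.invoice_num!r} and "
                                    f"{b.invoice_num!r} normalise to the same value"))
        elif abs((a.invoice_date - b.invoice_date).days) <= window_days:
            findings.append(Finding("DUP-LIKELY", (a.invoice_id, b.invoice_id),
                                    f"{a.supplier}: same amount within {window_days} days, "
                                    f"different invoice numbers"))
    return findings


def unapproved_over_threshold(invoices, threshold_cents: int = 1_000_000) -> List[Finding]:
    """Business rule (assumed): invoices at or above the threshold need a recorded approver."""
    return [Finding("APPR-01", (i.invoice_id,),
                    f"{i.supplier}: {i.amount_cents / 100:.2f} with no recorded approval")
            for i in invoices if i.amount_cents >= threshold_cents and not i.approved_by]


def run_monitoring(invoices) -> List[Finding]:
    return duplicate_payments(invoices) + unapproved_over_threshold(invoices)


SAMPLE_INVOICES = [  # constructed
    Invoice("INV001", "Acme Corp", "INV-1001", 125_000, date(2007, 1, 5), "mgr1"),
    Invoice("INV002", "Acme Corp", "inv 1001", 125_000, date(2007, 1, 20), "mgr1"),
    Invoice("INV003", "Globex", "GX-77", 450_000, date(2007, 1, 10), "mgr2"),
    Invoice("INV004", "Globex", "GX-77A", 450_000, date(2007, 1, 12), "mgr2"),
    Invoice("INV005", "Initech", "IN-9", 2_500_000, date(2007, 1, 15), ""),
    Invoice("INV006", "Initech", "IN-10", 50_000, date(2007, 1, 15), ""),
]

if __name__ == "__main__":
    for f in run_monitoring(SAMPLE_INVOICES):
        print(f.rule, f.invoice_ids, f.detail)
```

The pairwise scan is quadratic; on a real AP ledger the same rules run as a query grouped by supplier and amount, but the normalisation step is the part that matters, because the second copy of an invoice rarely carries an identical invoice number.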
Oracle Application Controls Manager
• Detect fraud or errors by tracking changes to Oracle Applications control settings
• Assess the current state of the Oracle Applications control environment
• Confirm that Oracle Applications control settings conform to industry standards
• Detect Oracle Applications control setting changes by user id and date
• Identify configuration mismatches across instances
Recommended Control Settings
Once recommended values have been setup, they are displayed in the ‘Application Control History’ pages
along with the change history. This screenshot shows comparison between the recommended values and
actual parameter settings. Non-conforming values are highlighted with a red icon.
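An added example (not Oracle Application Controls Manager code) of the checks the last two slides describe: replaying a change history of control settings to get the current state per instance, comparing it to recommended values, attributing each nonconforming value to the user id and date of the last change, and reporting mismatches across instances. The profile option names are real Oracle E-Business Suite profile options, but the recommended values, instance names, user ids, timestamps and the change-log format are constructed for the illustration.

```python
"""Control-setting monitoring over a constructed change history (added illustration).

Not Oracle Application Controls Manager code. Recommended values, instances,
user ids and timestamps are assumptions for the example only.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional


class SettingChange(NamedTuple):
    instance: str
    profile: str
    new_value: str
    changed_by: str
    changed_at: datetime


class Baseline(NamedTuple):
    profile: str
    rule: str          # "min": actual >= recommended, "max": actual <= recommended, "eq": equal
    recommended: str


class Nonconformance(NamedTuple):
    instance: str
    profile: str
    actual: Optional[str]            # None = no value recorded for this instance at all
    rule: str
    recommended: str
    changed_by: Optional[str]
    changed_at: Optional[datetime]


def conforms(rule: str, recommended: str, actual: str) -> bool:
    if rule == "eq":
        return actual == recommended
    try:
        a, r = int(actual), int(recommended)
    except ValueError:
        return False                     # non-numeric where a number is expected
    return a >= r if rule == "min" else a <= r


def current_state(history) -> Dict[tuple, SettingChange]:
    """Replay the change log: the last change per (instance, profile) is the current value."""
    latest = {}
    for ch in sorted(history, key=lambda c: c.changed_at):
        latest[(ch.instance, ch.profile)] = ch
    return latest


def nonconforming(history, baselines) -> List[Nonconformance]:
    """Recommended vs actual per instance; an unset baseline profile is reported too."""
    latest = current_state(history)
    out = []
    for inst in sorted({inst for inst, _ in latest}):
        for b in baselines:
            ch = latest.get((inst, b.profile))
            if ch is None:
                out.append(Nonconformance(inst, b.profile, None, b.rule, b.recommended, None, None))
            elif not conforms(b.rule, b.recommended, ch.new_value):
                out.append(Nonconformance(inst, b.profile, ch.new_value, b.rule, b.recommended,
                                          ch.changed_by, ch.changed_at))
    return out


def cross_instance_mismatches(history) -> Dict[str, Dict[str, str]]:
    """Profiles whose current value differs between instances (e.g. PROD vs TEST)."""
    by_profile = defaultdict(dict)
    for (inst, prof), ch in current_state(history).items():
        by_profile[prof][inst] = ch.new_value
    return {p: v for p, v in by_profile.items() if len(set(v.values())) > 1}


def changes_since(history, since: datetime) -> List[SettingChange]:
    """Who changed what, and when: the audit trail behind a nonconformance."""
    return sorted((c for c in history if c.changed_at >= since), key=lambda c: c.changed_at)


BASELINES = [  # recommended values are the example's own, not Oracle's
    Baseline("SIGNON_PASSWORD_LENGTH", "min", "8"),
    Baseline("SIGNON_PASSWORD_FAILURE_LIMIT", "max", "5"),
    Baseline("SIGNON_PASSWORD_NO_REUSE", "min", "180"),
    Baseline("ICX_SESSION_TIMEOUT", "max", "30"),
]

HISTORY = [  # constructed change log
    SettingChange("PROD", "SIGNON_PASSWORD_LENGTH", "8", "SYSADMIN", datetime(2006, 11, 1, 9, 0)),
    SettingChange("PROD", "SIGNON_PASSWORD_FAILURE_LIMIT", "5", "SYSADMIN", datetime(2006, 11, 1, 9, 5)),
    SettingChange("PROD", "ICX_SESSION_TIMEOUT", "30", "SYSADMIN", datetime(2006, 11, 1, 9, 10)),
    SettingChange("PROD", "SIGNON_PASSWORD_FAILURE_LIMIT", "50", "JDOE", datetime(2007, 1, 12, 17, 42)),
    SettingChange("TEST", "SIGNON_PASSWORD_LENGTH", "6", "SYSADMIN", datetime(2006, 11, 1, 9, 0)),
    SettingChange("TEST", "SIGNON_PASSWORD_FAILURE_LIMIT", "5", "SYSADMIN", datetime(2006, 11, 1, 9, 5)),
    SettingChange("TEST", "ICX_SESSION_TIMEOUT", "30", "SYSADMIN", datetime(2006, 11, 1, 9, 10)),
]

if __name__ == "__main__":
    for n in nonconforming(HISTORY, BASELINES):
        print(f"{n.instance} {n.profile}: actual={n.actual} expected {n.rule} {n.recommended} "
              f"(last changed by {n.changed_by} at {n.changed_at})")
    print("mismatched across instances:", cross_instance_mismatches(HISTORY))
```

Reporting a baseline profile with no recorded value as nonconforming is deliberate: a lockout limit that was never set is as much a finding as one that was raised to 50 after go-live, and the change-log replay is what lets the finding name the user id and date rather than just the value.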
Oracle – Database and Audit Vault
Audit Vault
• Specialized warehouse for audit data
• Leverages Database Vault security to block the DBA from viewing audit data
• SOD / defined roles
• Audit Vault and compliance reports
• Setup of audit alerts
Database Vault
• Restrict the DBA and other privileged users from accessing application data
• Protect the database and applications from unauthorized changes
• Enforce strong controls over who, when and where the application can be accessed
Visit: oracle.com/security
Try software: OTN, otn.oracle.com
Case Study
Integrating Security & Controls
Client Background
• $12 billion global technology manufacturing
• Primary legacy Oracle 10.7 character system
• Other Oracle legacy instances on various versions
• Located in 70 countries
• North America, EMEA, APAC, and LATAM regions
• Over 10,000 users
• Re-implementing Oracle 11.5.10 platform
• Phased functionality deployment approach
• Extensive application footprint
Implementation Scope
HR including Self-Service
Accounts Receivable
Advanced Pricing
Order Management
Trading Community Architecture (TCA)
TeleSales
Accounts Payable
Purchasing
iProcurement
Bill of Materials
Cash Management
General Ledger
Projects Costing
Engineering
Shipping
Procurement Contracts
Fixed Assets
Projects Billings
Projects Mgt
Advanced Budgeting & Planning
Advanced Benefits
Inventory
Cost Management
TeleService
Treasury
Service Contracts
Warehouse Mgt
Configurator
Advanced Supply Chain Planning
Incentive Comp
Work in Process
Projects Resourcing
Quoting
Learning Mgt
ICM
Mobile Field Service
Advanced Scheduling
Advanced Inbound
Scripting
iSupplier
Quality
iSupport
Depot Repair
Spares Mgt
Proposals
iExpense
Demand Planning
Collaborative Planning
Knowledge Mgt
Field Service
Time and Labor
Install Base
CRM Foundation
Engagement Objectives
• Deloitte was engaged to:
– Design, build and implement the application security model for a global deployment of Oracle 11i.
– Design and implement new global Oracle 11i security responsibilities for new functionality and users.
– Identify and document the Oracle 11i automated controls.
– Design a global Oracle security structure that incorporates appropriate segregation of duties, controls compliance, administration efficiencies, standardization, and flexibility to adapt to on-going business and technology changes.
Security & Controls Objectives
• Elimination of significant segregation of duty conflicts in the
Oracle 11i application
• Completion of SOX documentation as it relates to Oracle 11i
automated control implementation (i.e. control matrices)
• Standardization of the Oracle 11i security
practices/procedures, including naming conventions
• Ease of compliance enforcement for the Oracle 11i system
and on-going SOX compliance
• Security staff trained in the new Oracle 11i security
practices/procedures
• Internal control and regulatory compliance concerns
appropriately addressed
Contact Information
Jeff Taylor, Sr. Manager, Deloitte Consulting
Jefftaylor@deloitte.com
Pathik Mody, Manager, Deloitte & Touche, LLP
pmody@deloitte.com
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, its member firms and their respective subsidiaries and affiliates.
Deloitte Touche Tohmatsu is an organization of member firms around the world devoted to excellence in providing professional services and
advice, focused on client service through a global strategy executed locally in nearly 150 countries. With access to the deep intellectual capital
of 120,000 people worldwide, Deloitte delivers services in four professional areas, audit, tax, consulting and financial advisory services, and
serves more than one-half of the world’s largest companies, as well as large national enterprises, public institutions, locally important clients,
and successful, fast-growing global growth companies. Services are not provided by the Deloitte Touche Tohmatsu Verein and, for regulatory
and other reasons, certain member firms do not provide services in all four professional areas.
As a Swiss Verein (association), neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other’s acts or
omissions. Each of the member firms is a separate and independent legal entity operating under the names Deloitte, Deloitte & Touche, Deloitte
Touche Tohmatsu, or other related names.
In the US, Deloitte & Touche USA LLP is the US member firm of Deloitte Touche Tohmatsu and services are provided by the subsidiaries of
Deloitte & Touche USA LLP (Deloitte & Touche LLP, Deloitte Consulting LLP, Deloitte Financial Advisory Services LLP, Deloitte Tax LLP and
their subsidiaries), and not by Deloitte & Touche USA LLP. The subsidiaries of the US member firm are among the nation's leading professional
services firms, providing audit, tax, consulting and financial advisory services through nearly 30,000 people in more than 80 cities. Known as
employers of choice for innovative human resources programs, they are dedicated to helping their clients and their people excel. For more
information, please visit the US member firm’s web site at www.deloitte.com/us.