Session ID: 10675
How to better capitalize your Hyperion applications for Quarterly Audit?
Best practices for auditing your Hyperion applications
April 7, 2019
Azmat Bhatti
Solutions Architect – Hyperion
Canadian Tire Corp.

Agenda
• Hyperion Financial Applications and Audit requirements
• Who are Internal and External auditors?
• What are the auditors looking for in Hyperion systems?
• What critical reports can be produced out of Hyperion Shared Services?
• Enabling the Audit feature in Shared Services
• Who ran which Task and when?
• What changes can be made in order to pass your compliance requirements?
• HFM vs HP vs HSF vs FDM vs FR vs DRM – Roles & Responsibilities
• Shared Services report(s); so many formats?
• Creating and updating your “Corporate Approval Matrix”
• Q&A

Hyperion Audit Requests
• Hyperion financial applications are often considered CKA (Critical Key Applications), producing accurate and timely financial reporting for any public company
• How to comply with Sarbanes-Oxley (SOX), SEC and other internal / external audit compliance
• Auditors require a large amount of documentation to pass your Audit
• Testing of evidence to ensure that you are compliant: secure, backed-up and highly available applications
• If you have experienced such a Financial audit, you and your IT department will recognize the large amount of time and effort required for this process
• Change Management, Evidence, Tickets, Approval Matrix etc.

Hyperion Audit Requests
• Hyperion and Compliance reports
• Hyperion Audit requests
• Hyperion Shared Services
  – The place to go for all your reporting needs
• Shared Services Administrator vs Application Administrator vs Provisioning Manager
• Key HFM roles and reporting
• Planning/Essbase reporting
• HSF reporting
• DRM reporting
• FR reporting

Type of Auditors?
• Internal
  – Within IT
    • ITGC (Information Technology Governance Compliance or Controls)
  – Within Finance
    • FAB (Finance Audit Board)
    • CAB (Change Advisory Board)
    • Big 5 such as Deloitte/PWC/EY
• External
  – Works along with Finance/IT functions
    • 3rd Party or
    • Big 5 such as Deloitte/PWC/EY/KPMG

Hyperion Audit Requests?
• Application Admin report
  – HFM/HP/HSF/FDM/Essbase/DRM
    • Application Administrator (Looking for 1 to 3 only)
    • Provisioning Manager
    • User/Groups/Role Matrix report
• Shared Services Admin report
  – Looking for 1 to 2 Admin on this report
• Native Essbase Admin report
  – Essbase Server Manager access
    • Can Create/Delete/Update applications
• Hyperion Servers Admin report
  – Looking for “Local User and Groups”
    • Groups
      – Administrators
        » Who is in the list?
        » Are they authorized to be in this list?
        » Does any e-mail or paper trail of any Admin addition, removal or update exist?
        » Is it Approved or Authorized by the right Owner of Hyperion within IT?

Shared Services - Navigation
Shared Services console is for all Security Management for Hyperion products
- Click on Navigate
- Administer
- Shared Services Console

Foundation Roles
- Administrator Role provides control over all products that integrate within Shared Services
- This is the most powerful EPM System Role
- Administrators can perform all Administrative tasks and can provision themselves
- Organizations should only have One or Two Administrators assigned to this Role

Shared Services – Provisioning Report
• Navigate: Administration > View Provisioning Report
  – There will be various filters that you can select for your report
  – You can run the report by Users, Groups or Roles
  – You can filter by User ID or use the wildcard “*” to bring everyone
  – You can select Show Effective Roles; this will show you if a user has Direct provisioning to the application
  – You can Group your report by Application or Users
  – Lastly, select the product that you want the report for

Shared Services – Roles Report
• Navigate: Administration > View Provisioning Report
  – Below is the list of various Roles in Hyperion applications
  – You can select the Roles reports most commonly asked for by the Auditors, such as “Administrator” and “Provisioning Manager”

Enabling the Audit feature in Shared Services
• Navigate: Administration > Audit Reports
  – You will notice the message that “Auditing is Disabled and No Records Audited”
• Navigate: Administration > Configure Auditing
  – Select the Tasks that you want to Audit for and click on OK
  – Message pop-up: “Audit Configuration has been saved successfully. Changes will be taken in to effect only after server restart”
  – Stop Shared Services and then Start for table entries to populate

Audit Feature Reports – Shared Services
• Navigate: Administration > Audit Reports > Security Reports
  – Report displays activities performed by the user, and for which product and task
  – By clicking on Detailed View, you can see New/Change value information
  – Report can be exported in XSL format for further Audit as required by the Auditors
• Artifact Reports
  – Metadata updates
• Config Reports
  – LCM, Directory Management and User updates

Purging Audit Data
• Shared Services Console > Configure Auditing
• If you have Enabled Auditing, then the “Purge Data Older than” will be enabled for input
  – Select 60 or 90 days, depending on your IT/Audit Controls/Policies (Or Retention Records policies)
  – Backup “Shared Services” DB
  – Changes will take effect on the server restart

HFM vs Planning – Some key Roles to report on
HFM
• Application Administrator
• Provisioning Manager
• Default
Planning
• Administrator
• Provisioning Manager
• Planner
• Essbase Write Access
• Interactive User

HFM Application Administrator Role
• 3 types of Roles are identified within HFM application
  – Application Administrator
    • Have 2 to 3 MAX admins
    • Should not be given Provisioning Manager role
  – Default
  – Provisioning Manager
    • Avoid giving this Role to the HFM Admin
    • All User Provisioning should be controlled by ONE Admin
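
The admin-count and role-separation checks from the audit request and HFM role slides can be run over an exported provisioning report. This is an added example, not part of the original presentation; the CSV column names (User, Application, Role), the application name HFM_PROD and the user IDs are constructed assumptions to map onto your own export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Column names (User, Application, Role)
# are assumptions; rename them to match the report you actually export.
SAMPLE_REPORT = """User,Application,Role
admin,Shared Services,Administrator
jdoe,Shared Services,Administrator
asmith,Shared Services,Administrator
jdoe,HFM_PROD,Application Administrator
jdoe,HFM_PROD,Provisioning Manager
bwong,HFM_PROD,Application Administrator
provmgr,HFM_PROD,Provisioning Manager
"""

# Limits stated on the slides.
MAX_SHARED_SERVICES_ADMINS = 2
MAX_APP_ADMINS = 3
MAX_PROVISIONING_MANAGERS = 1

def review_provisioning(report_text):
    """Return (application, finding, users) tuples for the access review."""
    roles = defaultdict(set)  # (application, role) -> set of user IDs
    for row in csv.DictReader(io.StringIO(report_text)):
        key = (row["Application"].strip(), row["Role"].strip())
        roles[key].add(row["User"].strip().lower())
    findings = []
    ss_admins = roles.get(("Shared Services", "Administrator"), set())
    if len(ss_admins) > MAX_SHARED_SERVICES_ADMINS:
        findings.append(("Shared Services", "too many Administrators",
                         sorted(ss_admins)))
    for app in sorted({a for a, _ in roles}):
        admins = roles.get((app, "Application Administrator"), set())
        prov = roles.get((app, "Provisioning Manager"), set())
        if len(admins) > MAX_APP_ADMINS:
            findings.append((app, "too many Application Administrators",
                             sorted(admins)))
        if len(prov) > MAX_PROVISIONING_MANAGERS:
            findings.append((app, "more than one Provisioning Manager",
                             sorted(prov)))
        both = admins & prov  # admin who can also provision users
        if both:
            findings.append((app, "admin also holds Provisioning Manager",
                             sorted(both)))
    return findings

if __name__ == "__main__":
    print(*review_provisioning(SAMPLE_REPORT), sep="\n")
```

Each finding is a row to reconcile against the approval trail (ticket, e-mail or Corporate Approval Matrix entry) before the auditors ask for it.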

HFM Role
Power Role
- Application Administrator
  - Role performs all FM tasks
  - Access to this role overrides any other access setting for the user
  - Have one or two Application Admin assigned for this role ONLY
- Load System
  - Loads rules and member lists
- Inter-Company Transaction Admin
  - Open/Close period
  - Lock/Unlock entities
  - All Intercompany tasks can be performed
Interactive Role
- Rules Admin/Designer
- Journals Administrator
- Reviewer 1 through 10
- Submitter
- Lock/Unlock Data
- Consolidate/Consolidate All with Data
- Load Excel Data
- Enable write back in Web Grid
- Database Management
- Manage Custom Documents
- Extended Analytics
- Data Form Write Back from Excel
- Default (Open/Close application, manages documents, SmartView, access running tasks, cannot extract Metadata/Rules and cannot create folders)
View Role
- Load Excel Data
- Enable write back in Web Grid
- Database Management
- Manage Custom Documents
- Extended Analytics
- Data Form Write Back from Excel
Note: Detailed HFM Role descriptions can be found at https://docs.oracle.com/cd/E57185_01/OPUSA/apas05.html

HFM Provisioning Manager report
• Login into Shared Services Console
• Navigate to User Directories > Native Directory > Roles
  – Search Provisioning Manager
  – Right-click and View Provisioning Report
  – Select the appropriate Application

HFM Task Audit Requests?
• HFM Task Audit - Tasks
  – Most common reports asked for are Data Load, Metadata Load, Rules Load and Security Load
  – Report data can be extracted into CSV or TXT format for further analysis

HFM Application Data Audit
• Consolidation > Maintenance > Data Audit
• You can use the Data Audit feature to view data changes performed by users. You can filter the data changes by date range, application server, user, and dimension members.
• In the Metadata Manager, you can enable the EnableDataAudit metadata attribute for the accounts and scenarios for which you want to audit data changes
• The audit settings for the scenario override the audit settings for the account. If the EnableDataAudit attribute is set to Yes for a scenario, all accounts in the scenario are audited, even accounts for which EnableDataAudit is set to False
• If EnableDataAudit is set to Override for a scenario, all accounts for which EnableDataAudit is set to True are audited. To disable auditing of Scenario and Account members, change the EnableDataAudit attribute to No
• The data audit log information is stored in the APPNAME_DATA_AUDIT table. You can back up or extract the information in the table. You should monitor the size of the log and clear it on a regular basis
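
The scenario-over-account precedence above decides which intersections actually leave a data audit trail. The following added example (not from the original presentation) applies that rule to a list of in-scope scenario/account pairs and returns the ones with no audit coverage; the member names are hypothetical, and treating a scenario value of No as disabling audit for every account in it is this example's reading of the last rule.

```python
def is_audited(scenario_setting, account_setting):
    """Resolve EnableDataAudit for one scenario/account pair.

    scenario_setting: "Yes", "Override" or "No"
    account_setting:  "True" or "False" (the wording used for accounts above)
    """
    scenario = scenario_setting.strip().lower()
    account = account_setting.strip().lower()
    if scenario == "yes":
        return True                 # scenario wins: every account is audited
    if scenario == "override":
        return account == "true"    # the account's own setting decides
    if scenario == "no":
        return False                # assumption: No switches the scenario off
    raise ValueError(f"unknown scenario setting: {scenario_setting!r}")


# Constructed metadata; member names are hypothetical.
SCENARIOS = {"Actual": "Yes", "Budget": "Override", "Forecast": "No"}
ACCOUNTS = {"Cash": "True", "Revenue": "True", "Headcount": "False"}

# Pairs the audit scope expects to have a change trail (constructed).
IN_SCOPE = [
    ("Actual", "Headcount"),
    ("Budget", "Revenue"),
    ("Budget", "Headcount"),
    ("Forecast", "Cash"),
]


def coverage_gaps(scenarios, accounts, in_scope):
    """Return in-scope (scenario, account) pairs that are not audited."""
    return [
        (s, a) for s, a in in_scope
        if not is_audited(scenarios[s], accounts[a])
    ]


if __name__ == "__main__":
    for scenario, account in coverage_gaps(SCENARIOS, ACCOUNTS, IN_SCOPE):
        print(f"no data audit trail: {scenario} / {account}")
```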

HFM Application Security Extract
• Consolidation > Extract > Application Elements
• You can extract application security to view or modify it in a text editor. When you extract application security from an application, save the file in a format that supports multi-byte character sets (MBCS)
• By default, application security files use the SEC file extension
• The SEC File will consist of the following information:
  – Users and groups
  – Security classes
  – Role access
  – Security class access

Shared Services – Planning Report
• Navigate: Administration > View Provisioning Report
  – Below is the list of a Planning application “Vision” and what Role/User has access

Shared Services – Roles Report for FDM Admins
• Navigate: Administration > View Provisioning Report
  – Below is a filter for running a Role based report, such as Admins in FDM

Shared Services – FDM Report
• Navigate: Administration > View Provisioning Report
  – Below is the list of FDM application “FDMEE” and what Role/User has access

Financial Reporting (FR) – Roles
• Navigate: Administration > View Provisioning Report
  – Below is a filter for running a Role based report, such as Admins ID in FR, and what access does it have

Planning and Auditing
• Login into your Planning application
• Click on Tools > Reports
  – Select Planning actions you want to Audit
  – Some of the common ones: Dimension, Security, Users and Groups Administration
  – The table HSP_AUDIT_RECORDS will consist of all changes made
  – Have a Quarterly or Semi-Annual process to archive records

HSF - Roles
• Administrator
  – Full application access
• Basic User
  – Read access for HSF DB/App
• Interactive User
  – Write access for HSF DB/App
• Provisioning Manager
  – User Provisioning access
• View User
  – Read access only - Limited

DRM – Roles
• Access Manager
  – Audit user transactions & system transactions
  – Manage users & roles, node access groups and property access
• Application Administrator
  – Browse versions/hierarchies/properties
  – Manage system level queries, compares, exports, imports, blenders
  – Run Action Scripts
  – Manage application – properties, system configuration etc.
  – Audit user & system transactions
• Data Creator
  – Browse versions/hierarchies/properties
  – Create versions and hierarchies
  – Manage user level queries, compares, exports, imports and blenders
• DRM Manager
  – Manage versions (need) and hierarchies
  – Manage user & standard level queries, compares, exports, imports and blenders
  – Run Action Scripts
  – Manage property lists (property categories, node type lists)
• Anonymous User
  – Basic “read only” user role
  – Browse versions/hierarchies/properties
  – Run queries, compares and exports of data

DRM – Audit Report
• Login into DRM - Audit > Select Columns > Run your report
  – Provides detail summary on activities performed
• After running the query, you can
  – View the details of a transaction by clicking the arrow to the left of the row. The transaction details are displayed across Action, Object, History, and Request tabs.
  – Click Download drop down arrow, and then select the format for the file: CSV, TSV, PDF, RTF, or XLS

Corporate Approval Matrix