Session ID:

Prepared by:

Remember to complete your evaluation for this session within the app!

10675

How to better capitalize your Hyperion applications for Quarterly Audit ?

Best practices for auditing your Hyperion applications

April 7, 2019

Azmat BhattiSolutions Architect – HyperionCanadian Tire Corp.

Agenda• Hyperion Financial Applications and Audit requirements• Who are Internal and External auditors ?• What are the auditors looking for in Hyperion systems ?• What critical reports can be produced out of Hyperion Shared Services ?• Enabling the Audit feature in Shared Services• Who ran which Task and when ?• What changes can be made in order to pass your compliance requirements ?• HFM vs HP vs HSF vs FDM vs FR vs DRM – Roles & Responsibilities• Shared Services report(s); so many formats ?• Creating and updating your “Corporate Approval Matrix”• Q&A

Hyperion Audit Requests• Hyperion financial applications are often considered as CKA (Critical Key Applications),

producing accurate and timely financial reporting for any public company• How to comply with Sarbanes-Oxley (SOX), SEC and other internal / external audit compliance • Auditor(s) requirements for large amount of documentation to pass your Audit• Testing of evidence to ensure that you are in compliant - Secure, backed up and are highly

available applications • If you have experienced such a Financial audit, you and your IT department will recognize the

large amount of time and effort required for this process• Change Management, Evidence, Tickets, Approval Matrix etc.

Hyperion Audit Requests• Hyperion and Compliance reports• Hyperion Audit requests• Hyperion Shared Services

– The place to go for all your reporting needs• Shared Services Administrator vs Application Administrator vs Provisioning Manager• Key HFM roles and reporting• Planning/Essbase reporting• HSF reporting• DRM reporting• FR reporting

Type of Auditors ?• Internal

– Within IT • ITGC (Information Technology Governance Compliance or Controls)

– Within Finance• FAB (Finance Audit Board)• CAB (Change Advisory Board)• Big 5 such as Deloitte/PWC/EY

• External– Works along with Finance/IT functions

• 3rd Party or• Big 5 such as Deloitte/PWC/EY/KPMG

Hyperion Audit Requests ?• Application Admin report

– HFM/HP/HSF/FDM/Essbase/DRM• Application Administrator (Looking for 1 to 3 only)• Provisioning Manager• User/Groups/Role Matrix report

• Shared Services Admin report– Looking for 1 to 2 Admin on this report

• Native Essbase Admin report– Essbase Server Manager access

• Can Create/Delete/Update applications• Hyperion Servers Admin report

– Looking for “Local User and Groups”• Groups

– Administrators» Who is in the list ?» Are they authorized to be in this list ?» Does any e-mail or paper trail of any Admin addition or removal or update exist ?» Is it Approved or Authorized by the right Owner of Hyperion within IT

Shared Services - NavigationShared Services console is for all Security Management for Hyperion products- Click on Navigate- Administer- Shared Services Console

Foundation Roles- Administrator Role provides control over all

products that integrate within Shared Services- This is the most powerful EPM System Role- Administrators can perform all Administrative

tasks and can provision themselves- Organizations should only have One or Two

Administrators assigned to this Role

Shared Services – Provisioning Report• Navigate Administration View Provisioning Report

– There will be various filters that you can select for your report

– You can run report by Users , Groups or Roles– You can filter by User ID or use Wildcard to bring

everyone “ * “– You can select Show Effective Roles, this will show you

if a user has Direct provisioning to the application– You can Group your report by Application or Users– Lastly select the product that you looking the report for

Shared Services – Roles Report• Navigate Administration View Provisioning Report

– Below is the list of various Roles in Hyperion applications

– You can select the most commonly asked Roles report by the Auditors, such as “Administrator” and “Provisioning Manager”

Enabling the Audit feature in Shared Services• Navigate Administration Audit Reports

– You will notice the message that “Auditing is Disabled and No Records Audited”

• Navigate Administration Configure Auditing– Select the Tasks that you want to Audit for and click on OK– Message pop-up “Audit Configuration has been saved

successfully. Changes will be taken in to effect only after server restart:

– Stop Shared Services and then Start for table entries to populate

Audit Feature Reports – Shared Services• Navigate Administration Audit Reports Security Reports

– Report displays activities performed on by the user and for which product and task

– By clicking on Detailed View, you can see New/Change value information

– Report can be exported in XSL format for further Audit as required by the Auditors

• Artifact Reports– Metadata updates

• Config Reports– LCM, Directory Management and User updates

Purging Audit Data• Shared Services Console Configure Auditing• If you have Enabled Auditing, then the “Purge Data

Older than” will be enabled for input– Select 60 or 90 days, depending on your IT/Audit

Controls/Policies (Or Retention Records policies)– Backup “Shared Services” DB– Changes will take in effect on the server restart

HFM vs Planning – Some key Roles to report on

HFM• Application Administrator• Provisioning Manager• Default

Planning• Administrator• Provisioning Manager• Planner• Essbase Write Access• Interactive User

HFM Application Administrator Role

• 3 type of Roles are identified within HFM application– Application Administrator

• Have 2 to 3 MAX admins• Should not be given Provisioning Manager role

– Default– Provisioning Manager

• Avoid giving this Role to the HFM Admin• All User Provisioning should be controlled by ONE Admin

HFM Role

Power Role- Application Administrator

- Role performs all FM tasks- Access to this role overrides any other access

setting for the user- Have one or two Application Admin assigned

for this role ONLY- Load System

- Loads rules and member lists- Inter-Company Transaction Admin

- Open/Close period- Lock/Unlock entities- All Intercompany tasks can be performed

Interactive Role- Rules Admin/Designer- Journals Administrator- Reviewer 1 through 10- Submitter- Lock/Unlock Data- Consolidate/Consolidate All with Data- Load Excel Data- Enable write back in Web Grid- Database Management- Manage Custom Documents- Extended Analytics- Data Form Write Back from Excel- Default (Open/Close application, manages

documents, SmartView, access running tasks, cannot extract Metadata/Rules and cannot create folders

View Role- Load Excel Data- Enable write back in Web Grid- Database Management- Manage Custom Documents- Extended Analytics- Data Form Write Back from Excel

Note: Detail HFM Role descriptions can be found at https://docs.oracle.com/cd/E57185_01/OPUSA/apas05.html

HFM Provisioning Manager report• Login into Shared Services Console• Navigate to User Directories Native Directory Roles

– Search Provisioning Manager– Right-click and View Provisioning Report– Select the appropriate Application

HFM Task Audit Requests ?• HFM Task Audit - Tasks

– Most common reports asked are - - - Data Load, Metadata Load, Rules Load and Security Load

– Report data can be extracted into CSV or TXT format for further analysis

HFM Application Data Audit• Consolidation Maintenance Data Audit• You can use the Data Audit feature to view data changes performed by users.

You can filter the data changes by date range, application server, user, and dimension members.

• In the Metadata Manager, you can enable the EnableDataAudit metadata attribute for the accounts and scenarios for which you want to audit data changes

• The audit settings for the scenario override the audit settings for the account. If the EnableDataAudit attribute is set to Yes for a scenario, all accounts in the scenario are audited, even accounts for which EnableDataAudit is set to False

• If EnableDataAudit is set to Override for a scenario, all accounts for which EnableDataAudit is set to True are audited. To disable auditing of Scenario and Account members, change the EnableDataAudit attribute to No

• The data audit log information is stored in the APPNAME_DATA_AUDIT table. You can back up or extract the information in the table. You should monitor the size of the log and clear it on a regular basis

HFM Application Security Extract• Consolidation Extract Application Elements• You can extract application security to view or modify it in a text editor.

When you extract application security from an application, save the file in a format that supports multi-byte character sets (MBCS)

• By default, application security files use the SEC file extension• The SEC File will consist of the following information:

– Users and groups– Security classes– Role access– Security class access

Shared Services – Planning Report• Navigate Administration View

Provisioning Report– Below is the list of a Planning application

“Vision” and what Role/User has access

Shared Services – Roles Report for FDM Admins• Navigate Administration View Provisioning Report

– Below is a filter for running a Role based report, such as Admins in FDM

Shared Services – FDM Report• Navigate Administration View Provisioning

Report– Below is the list of FDM application “FDMEE”

and what Role/User has access

Financial Reporting (FR) – Roles• Navigate Administration View Provisioning Report

– Below is a filter for running a Role based report, such as Admins ID in FR, and what access does it have

Planning and Auditing• Login into your Planning application• Click on Tools Reports

– Select Planning actions you want to Audit– Some of the common ones Dimension, Security, Users and Groups Administration– The table HSP_AUDIT_RECORDS will consist of all changes made– Have Quarterly or Semi-Annual process to archive records

HSF - Roles

• Administrator– Full application access

• Basic User– Read access for HSF DB/App

• Interactive User– Write access for HSF DB/App

• Provisioning Manager– User Provisioning access

• View User– Read access only - Limited

DRM – Roles• Access Manager

– Audit user transactions & system transactions– Manage users & roles, node access groups and property access

• Application Administrator– Browse versions/hierarchies/properties– Manage system level queries, compares, exports, imports, blenders– Run Action Scripts– Manage application – properties, system configuration etc.– Audit user & system transactions

• Data Creator– Browse versions/hierarchies/properties– Create versions and hierarchies– Manage user level queries, compares, exports, imports and blenders

• DRM Manager– Manage versions (need) and hierarchies– Manage user & standard level queries, compares, exports, imports and blenders– Run Action Scripts– Manage property lists (property categories, node type lists)

• Anonymous User– Basic “read only” user role– Browse versions/hierarchies/properties– Run queries, compares and exports of data

DRM – Audit Report• Login into DRM - Audit Select

Columns Run your report– Provides detail summary on

activities performed• After running the query, you can

– View the details of a transaction by clicking the arrow to the left of the row. The transaction details are displayed across Action, Object, History, and Request tabs.

– Click Download drop down arrow, and then select the format for the file : CSV, TSV, PDF, RTF, or XLS

Corporate Approval Matrix

Session ID:

Remember to complete your evaluation for this session within the app!

10675

Azmat.Bhatti@cantire.com