SOX Compliance with Application Auditor

Presented By Sunita Sarathy, Product Manager, Absolute Technologies, Inc.

At SROAUG, Los Angeles, March 24, 2006 v2

Highlights

Sarbanes Oxley
– Common knowledge?
– Your situation?

Internal Controls
IT Best Practices for SOX Compliance
Auditing Options in Oracle
Application Auditor

Sarbanes Oxley Act

SOX – Signed into law on July 30, 2002 as a result of various accounting scandals

Section 404 requires public companies to attest to the effectiveness of their internal controls over financial reporting

Section 302 requires that CEOs and CFOs vouch for the integrity of their financial statements

Section 404 Compliance

Compliance with SOX 404 has 4 steps

1. Identify Key Internal Controls
2. Document the identified Internal Controls
3. Management - Test Internal Controls
4. Auditor - Test Internal Controls

What are Internal Controls?

Measures adopted by an Organization to:
– Ensure integrity and reliability of information
– Ensure Compliance with policies, laws and regulations
– Safeguard assets
– Promote economic and efficient use of resources
– Accomplish established objectives and goals

Mature controls are recognized by:
– Real-time monitoring
– Continuous improvement, enterprise risk management
– Automation support, ability to make rapid changes to controls

When Internal Controls are missing or inadequate

1. Control Deficiency
– Remote likelihood of undetected material misstatement in financials
– No requirement to report it

2. Significant Deficiency
– Adversely affects processes, more than remote likelihood of consequential misstatement
– Must be reported to the audit committee, but not to the public

3. Material Weakness
– Significant deficiency, possible material misstatement
– Needs to be disclosed publicly, in company financial statements

How is IT Affected?

SOX Section 404 - “Management has to ensure appropriate internal controls of financial reporting”

Most companies have software applications that impact Financial Reporting, like Oracle, SAP etc

Therefore, most IT Applications would need to be regulated as per SOX requirements!

Internal Controls in IT

Best Practices in the development cycle:
– Documentation
– Approvals
– Segregation of Duties (SOD)
– Testing
– AUDITING

Why Audit?

If you don’t properly audit transactions that impact
(a) financial data, and
(b) application setups …

… there is exposure that mistakes or fraudulent activity may be undetected …
… resulting in incorrect financial statements

Auditors may identify inconsistencies as significant deficiency or material weakness

How data is changed in Oracle eBusiness Suite

In Oracle, data can be modified through two mechanisms:
– eBusiness Suite of Applications
– Directly at the database level, through tools such as SQL*Plus, TOAD, SQL*Navigator, etc

Most conventional Auditing options audit one or the other method

Auditing in Oracle

There are several auditing options* in Oracle:

Oracle Database – Audit Feature
eBusiness Suite – Row Who Columns
eBusiness Suite – End User Access
eBusiness Suite – Oracle Alerts
eBusiness Suite – Audit Trail

* Part of Oracle’s products prior to SOX legislation, oriented toward instrumentation and debugging.

1. Database Audit Feature

Set audit_trail parameter = TRUE in init.ora file
Execute SQL audit commands from SYSTEM user in SQL*Plus. Transactions are captured in SYS.AUD$ table

Limitations
No Before and After values for changes. No standard reporting, or form level access to data
User Notification not possible, as table is owned by SYS
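The database-level audit feature from the slide above, written out as an added example (not from the presentation or from Absolute Technologies). It assumes the instance is running with audit_trail set as the slide describes, that the statements are run as SYSTEM in SQL*Plus, and it uses the EBS table APPLSYS.FND_USER only because the deck names FND_USER elsewhere; any other table works the same way. The final query shows the limitation the slide calls out: the captured record says who touched which object and when, but carries no old or new column value.

```sql
-- Added example: Oracle standard auditing of one table.
-- Assumes AUDIT_TRAIL is enabled in init.ora and the session is SYSTEM.

-- 1. Confirm the parameter is in effect for this instance (SQL*Plus command).
SHOW PARAMETER audit_trail

-- 2. Audit DML on the table. BY ACCESS writes one record per statement,
--    which is what a reviewer wants; BY SESSION would collapse a whole
--    session's activity into one row.
AUDIT INSERT, UPDATE, DELETE ON applsys.fnd_user BY ACCESS;

-- 3. Review what was captured. DBA_AUDIT_TRAIL is the supported view over
--    SYS.AUD$. Note that there is no column for the before or after value
--    of the changed data: only the actor, object, action and time.
SELECT username,        -- database user that ran the statement
       os_username,
       userhost,
       terminal,        -- useful for telling SQL*Plus sessions apart
       timestamp,
       action_name,     -- INSERT / UPDATE / DELETE
       returncode       -- 0 = statement succeeded
  FROM dba_audit_trail
 WHERE owner    = 'APPLSYS'
   AND obj_name = 'FND_USER'
 ORDER BY timestamp DESC;

-- 4. Switch the audit off again when the review period is over.
NOAUDIT INSERT, UPDATE, DELETE ON applsys.fnd_user;
```

Because AUD$ belongs to SYS, reading it needs DBA-level access, which is why the slide says end users cannot be notified from it; the trigger-based design later in the deck exists to get the missing before and after values into a table an auditor can actually query.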

2. EBS – Row Who

Creation_Date, Created_By, Last_Updated_By, Last_Update_Date, Last_Update_Login

Navigate to Help > Record History, in the Oracle Applications Menu, or select from within SQL

Limitations
Only records identities of Initial and Last User
Does not store Old and New Values
Cannot handle changes made by processes external to the security of Oracle Applications

3. EBS – End User Access

System profile option “Sign-On: Audit Level” controls the level of end user access auditing
Audit using standard reports like SignOn Audit Users, SignOn Audit Responsibilities, SignOn Audit Forms, etc

Limitations
Only audits user access, or end user usage of specified forms
Does not audit changes at the database level

4. EBS – Oracle Alerts

Oracle’s Exception Reporting Tool
Use SQL statements to define exception conditions
Can be Periodic (schedule based) or Event (creates a database trigger)

Limitations
Event Alerts fire on any change to a record within a defined table, generating unwanted transactions
May cause Concurrent Request bottlenecks

5. EBS – Audit Trail

Set System Profile Option AuditTrail: Activate = Yes
As System Administrator, select Security > AuditTrail > Install
Define applications, tables and columns to audit
Run Audit Trail Update Tables program to activate

Limitations
Can’t toggle audits On/Off for selected tables
Can’t capture data outside the scope of the audited table

Keys to SOX Compliance

The Audit triggering process should be automated

Audit trail (record of transaction, the activity & data) should be meaningful and comprehensive

Audit Reporting should be convenient

The Auditing Application should be secure

Enter Application Auditor (Aa)

Comprehensive auditing solution
Can be installed and configured in less than an hour
Create Audit Configurations, for tables and columns to be audited
User Interface
– Defines the work flow of defining, creating, configuring, installing, using, and reporting audits
– Based on Oracle Developer tools, familiar look & feel
Simplifies audit reporting – all audit trail records go to one table
All audits are created in custom Aa schema

Application Auditor

[Diagram: Source Tables FND_USER, AP_CHECKS and ORDER_HOLDS feed App Auditor, which writes to the Transaction Details (Destination) Table]

Create Audit Config

Select a Source Table - the table to be audited
Register standard Aa Destination table
Identify Source Columns - Columns to be tracked
Aa automatically collects standard Reference information for each record
Create Conditions, if any, to limit auditing
Aa maps the Source and Reference Column values to columns in the standard Destination Audit Table.
Compile the configuration - It is now ready to audit!

Audit Mapping

Source Table (FND_USER) to Destination Table (ai_ce_change_trx)

(Source Columns)      (Mapped Columns)
START_DATE*           OLD_COLUMN_VALUE
START_DATE*           NEW_COLUMN_VALUE
LAST_UPDATED_BY       LAST_UPDATED_BY
TRANSACTED_DATE       TRANSACTED_DATE
D_EMAIL               EMAIL
D_TERMINAL            TERMINAL

Audit Design

App Auditor dynamically creates trigger-procedure combination

Database Objects are created in the Aa schema

Trigger is defined on Source Table, to be fired upon change to Source Columns

Procedure collects…
– Before and After Values of Source Columns
– Reference Columns and other identifying Elements
… and inserts them into the Transactions table

Audit Flow

Source Table is Changed
Table based Trigger fires, calls Procedure
Procedure collects Old and New Values of Changed Column, and other Reference Columns
Inserts audit data into Destination Table

Audit Features

Single audit table stores –
Before and After values of Source Column
Source Table and Column name
Trigger Action (Insert, Update or Delete)
Primary Key of Source Table
Who changed Column and When
Reference additional column values from Source table
Embedded SQL to select additional data from other tables
Audit Notification can be set up via email
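The Audit Design, Audit Flow and Audit Features slides describe one mechanism: a row-level trigger on the source table hands the old and new values to a procedure, which writes a single row into one destination table. The PL/SQL below is an added example of that mechanism, written here to make the design concrete; it is not Application Auditor's generated code and Absolute Technologies did not publish it. Assumptions: the audit objects live in a schema called AA (the deck only says "custom Aa schema"); the destination table is named AI_CE_CHANGE_TRX as on the mapping slide, but its column list is mine (the deck lists what is stored, not the column names); the source table is APPLSYS.FND_USER with START_DATE as the tracked column, matching the mapping slide; and AA holds CREATE ANY TRIGGER plus SELECT on the source table. The "Condition" and "Embedded SQL" features are shown as an unchanged-value check in the trigger and a lookup of the updating user's e-mail in the procedure.

```sql
-- Added example: trigger/procedure audit pair in the style of the slides.
-- Schema AA, table and column names below are assumptions, not product names.

CREATE SEQUENCE aa.ai_ce_change_trx_s;

CREATE TABLE aa.ai_ce_change_trx (
  trx_id           NUMBER        NOT NULL,
  source_table     VARCHAR2(30)  NOT NULL,   -- Source Table name
  source_column    VARCHAR2(30)  NOT NULL,   -- Source Column name
  trigger_action   VARCHAR2(6)   NOT NULL,   -- INSERT / UPDATE / DELETE
  source_pk        VARCHAR2(100) NOT NULL,   -- Primary Key of the audited row
  old_column_value VARCHAR2(4000),           -- Before value (mapping slide name)
  new_column_value VARCHAR2(4000),           -- After value  (mapping slide name)
  last_updated_by  NUMBER,                   -- Who: EBS user id on the row
  transacted_date  DATE          NOT NULL,   -- When
  email            VARCHAR2(240),            -- Reference element via embedded SQL
  terminal         VARCHAR2(64),             -- Check Terminal: where the change came from
  db_user          VARCHAR2(30),             -- database session user
  CONSTRAINT ai_ce_change_trx_pk PRIMARY KEY (trx_id)
);

-- Procedure owned by AA: the source-table owner never needs privileges on
-- the audit table, which is the point of keeping audits in a separate schema.
CREATE OR REPLACE PROCEDURE aa.ai_ce_record_change (
  p_source_table    IN VARCHAR2,
  p_source_column   IN VARCHAR2,
  p_action          IN VARCHAR2,
  p_source_pk       IN VARCHAR2,
  p_old_value       IN VARCHAR2,
  p_new_value       IN VARCHAR2,
  p_last_updated_by IN NUMBER
) IS
  l_email aa.ai_ce_change_trx.email%TYPE;
BEGIN
  -- "Embedded SQL" reference element: resolve the updating user's address
  -- (assumed realisation of the D_EMAIL -> EMAIL mapping).
  BEGIN
    SELECT email_address INTO l_email
      FROM applsys.fnd_user
     WHERE user_id = p_last_updated_by;
  EXCEPTION
    WHEN NO_DATA_FOUND THEN l_email := NULL;
  END;

  INSERT INTO aa.ai_ce_change_trx (
    trx_id, source_table, source_column, trigger_action, source_pk,
    old_column_value, new_column_value, last_updated_by, transacted_date,
    email, terminal, db_user)
  VALUES (
    aa.ai_ce_change_trx_s.NEXTVAL, p_source_table, p_source_column, p_action,
    p_source_pk, p_old_value, p_new_value, p_last_updated_by, SYSDATE,
    l_email, SYS_CONTEXT('USERENV', 'TERMINAL'),
    SYS_CONTEXT('USERENV', 'SESSION_USER'));
END ai_ce_record_change;
/

-- Row-level trigger on the source table. It fires whether the change comes
-- from the Applications or from SQL*Plus, since both end up as DML here.
CREATE OR REPLACE TRIGGER aa.ai_ce_fnd_user_start_date_trg
  AFTER INSERT OR UPDATE OF start_date OR DELETE ON applsys.fnd_user
  FOR EACH ROW
DECLARE
  l_action VARCHAR2(6);
  l_pk     VARCHAR2(100);
  l_who    NUMBER;
BEGIN
  IF DELETING THEN
    l_action := 'DELETE';
    l_pk     := TO_CHAR(:OLD.user_id);
    l_who    := :OLD.last_updated_by;
  ELSE
    -- Condition: an UPDATE that leaves START_DATE as it was is not audited.
    IF UPDATING AND (:OLD.start_date = :NEW.start_date
                     OR (:OLD.start_date IS NULL AND :NEW.start_date IS NULL)) THEN
      RETURN;
    END IF;
    l_action := CASE WHEN INSERTING THEN 'INSERT' ELSE 'UPDATE' END;
    l_pk     := TO_CHAR(:NEW.user_id);
    l_who    := :NEW.last_updated_by;
  END IF;

  aa.ai_ce_record_change(
    p_source_table    => 'FND_USER',
    p_source_column   => 'START_DATE',
    p_action          => l_action,
    p_source_pk       => l_pk,
    p_old_value       => TO_CHAR(:OLD.start_date, 'YYYY-MM-DD HH24:MI:SS'),
    p_new_value       => TO_CHAR(:NEW.start_date, 'YYYY-MM-DD HH24:MI:SS'),
    p_last_updated_by => l_who);
END;
/

-- The Audit Transactions Report in its simplest form: old and new value,
-- who updated the record, and the terminal the change came from.
SELECT transacted_date, trigger_action, source_pk, old_column_value,
       new_column_value, last_updated_by, email, terminal, db_user
  FROM aa.ai_ce_change_trx
 WHERE source_table = 'FND_USER' AND source_column = 'START_DATE'
 ORDER BY trx_id;
```

Two design points are worth noting when reading it against the slides. Because the trigger fires on plain DML, a change made through TOAD or SQL*Plus is caught with the same before and after values as one made through the Applications form, and the TERMINAL and SESSION_USER columns are what lets a reviewer tell the two apart. And because the audit table is in AA rather than in the source schema, an account that can edit FND_USER cannot quietly edit its own audit rows, which is the "Custom Schema to ensure audit integrity" point made at the end of the deck.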

Revision Architecture

Aa uses Revisions to create separate audit bins

Audits may be migrated across revisions, across schemas, or even across database instances.
– Migrate Audit from Revision 1 to Revision 2
– Migrate entire Revision from Dev to Prod instance

Only one compiled revision can exist at a point in time

Revision Architecture

Allows the separation of audits based on user criteria

Allows one-step compilation of all audits in a revision

[Diagram: Compiled Audits Revision (example); Development Revision (example)]

Audit Reporting

Audit Transactions Report
– Displays the old and new values of the column, the database user who updated the record, and the identity of the terminal used to make the change

Audit Configurations Report
– Facilitates review discussion with external auditor
– Documents all audit configurations defined in Application Auditor

View Transactions Form
– Displays the various audited transactions created as a result of triggered audits

SOX Audit Package

Pre-defined set of 80+ table level audits, based on key setup and transaction tables that can impact Financial reporting and controls in Oracle eBusiness Suite

Package can be loaded and compiled within minutes

Aa Administrator

Audit the Auditor!

Create and maintain Aa Audit users

Track changes to database objects in any schema

Maintain Admin email accounts, which receive a copy of all email notifications sent from Aa

Define content for Aa email alerts

Aa Customer

Silicon Image

Requirement
Differentiate updates made from
– SQL*Plus
– Oracle Apps

Solution
Aa’s Check Terminal feature allows the user to identify how the transaction was performed.

Aa Customer

Harmonic

Requirement
Monitor selected users’ transactions

Solution
Aa provides notification when unauthorized transactions occur
Condition feature allows tracking to be limited based on user criteria
– Changes made via external processes
– Changes made by a specific user

Aa Customer

Tektronix

Requirement
Track Sales Order changes for separate business and financial review

Solution
Aa’s custom table option allows for audit records to be mapped to separate audit trail table

Finally…

Highlights
– Can audit database and Oracle E-Business Suite transactions
– Email Notification when audit is triggered
– Auditing can be limited to user defined criteria
– Custom Schema to ensure audit integrity and security

Application Auditor is highly performance optimized…no performance issues
User-friendly Forms Interface
Audit security maximized by dual role auditing (Auditor and Audit Administrator)

Thank You!

www.absolute-tech.com

[Appendix slide titles, no text content: Source – Destination Tables; Source Columns; Reference Elements; Conditions; Column Mapping; Audit Transactions Report; Audit Configuration Report; View Transactions; AUD$ Table; EBS Row Who; EBS – End User Access; Audit Trail > Install]