A view from an auditor. What is important in Oracle E-Business Suite?
KPMG LLP – Angela Carter, Jeff Kim, Jai Cullath
Agenda
• What are the key IT considerations in an audit?
• Why are IT considerations a challenge?
• Key controls for Oracle E-Business Suite
• Addressing Segregation of Duties challenges
• Sustaining compliance – Controls Integration
What are the Key IT Considerations of an Audit?
• Appropriate Access Controls
  – Role-specific access
  – Non-conflicting access controls (Segregation of Duties)
• Automated Business Process Controls – Application Controls
  – Configurations
  – Edits
  – Validations
  – Reports
Why are IT Controls a Challenge? – “Mutually Dependent Control Domains”
Program Management Office – Risk Management
Control areas:
• Security – User Profiles; Infrastructure Security (Network, O/S and Database); Security Monitoring
• Business Process Control – Process Documentation; Control Design and Implementation; Oracle Application Control Catalogs (Version 11.03 and higher)
• IT Operations – System Administration; Change Management; Disaster Recovery; Asset Management; Performance
• Data Integrity – Master Data; Data Conversion; Data Interfaces; Reconciliation
Each control area is dependent on the others.
Why are IT Controls Important to the Audit? – Role of Application Controls
• Significant Accounts in Financial Statements: Balance Sheet, Income Statement, SCFP, Notes, Other
• Classes of Transactions / Business Processes: Process A, Process B, Process C (business events and transactions)
• Financial Applications (application controls): Oracle Financial Application
  – Application Controls: Interfaces, Configurations, Reports, Access
• IT Infrastructure Services: Database, Operating System, Network
• General Controls: Program development, Program changes, Computer operations, Access control, Control environment
Key Controls in an Oracle EBS Audit
• Process, risks and controls
  – Audits are often organized by business processes such as Order to Cash, Procure to Pay, etc.
  – ERP systems such as Oracle EBS support the execution of such processes
  – Risk, and specifically information risk, is inherent in processes and systems
  – Controls help to mitigate such risks
Let’s take a look at some processes, risks and Oracle EBS controls.
Key High Focus Processes
• General Ledger
  – Journal Postings
  – Financial Consolidation
• Purchasing
  – Purchase Order Processing
  – Receiving
• Accounts Payables
  – Invoice Processing (3-Way Match...)
General Ledger – Potential Risk
GL Postings – Control Considerations
• What type of journal authorizations are in place?
• Can users post journals to control accounts such as the cost of goods sold account?
• Can users modify journals created by interfacing systems such as Inventory, Order Management, Accounts Receivables...?
• Are there any sensitive accounts that require management oversight?
GL – Financial Consolidation – Control Considerations
• Is access to the consolidation “Chart of Accounts” mapping restricted?
• What controls are in place to monitor and authorize inter-company elimination entries?
• If FSG (Financial Statement Generator) is used, what controls are in place to validate that changes to row sets and column sets are authorized and appropriate?
Purchasing – Potential Risk
Purchase Order Processing – Control Considerations
• Is there an automated approval workflow to manage purchase orders?
• Is the system configured to enforce the “Approved Supplier List” (ASL)?
• Is the system configured to authorize purchase orders only to the authorized buyer accounts?
• Are changes to supplier master details such as bank information and payment address monitored?
Accounts Payable – Potential Risk
AP Invoice Processing – Control Considerations
• Is Oracle Payables’ three-way (or four-way) match functionality utilized?
• Is Oracle Payables configured to enforce price and quantity tolerances during the matching of an invoice to a corresponding purchase order and receipt?
• Is the Oracle Payables configuration for posting automatic accounting entries defined appropriately?
AP Invoice Processing – Control Considerations (continued)
• Are Oracle access controls configured to ensure only properly authorized personnel can remove holds on Accounts Payable invoices?
• Is Oracle configured to prevent adjustments to accounts payable invoices that have been approved and paid?
• Is Oracle Payables configured to age invoices using date ranges that are appropriate given the descriptions of the aging buckets?
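To make the three-way match and tolerance questions above concrete, here is an added illustration of the control logic an auditor is asking about: each invoice line is compared with its purchase order line (price, ordered quantity) and with the receipts for that line (received quantity), and any breach of the configured tolerance produces a hold. This is example code written for this page, not Oracle Payables code; the hold names, the tolerance values and all purchase order, receipt and invoice data are constructed for the example.

```python
"""Three-way match with price and quantity tolerances (added example, not Oracle code).
Hold names, tolerances and all sample documents are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class POLine:
    po: str
    line: int
    unit_price: float
    qty_ordered: float


@dataclass(frozen=True)
class Receipt:
    po: str
    line: int
    qty_received: float


@dataclass(frozen=True)
class InvoiceLine:
    invoice: str
    po: str
    line: int
    unit_price: float
    qty_invoiced: float


# Hypothetical tolerance configuration: an invoice may exceed the PO unit price
# by 2% and the invoiced quantity may exceed ordered/received quantity by 5%.
PRICE_TOLERANCE = 0.02
QTY_TOLERANCE = 0.05


def match_invoice_line(inv, po_lines, receipts,
                       price_tol=PRICE_TOLERANCE, qty_tol=QTY_TOLERANCE):
    """Return the holds (constructed names) an invoice line attracts.
    An empty list means the line matched and may proceed to payment."""
    po = po_lines.get((inv.po, inv.line))
    if po is None:
        # Nothing to match against: the invoice cannot be validated at all.
        return ["NO_PO_MATCH"]
    holds = []
    if inv.unit_price > po.unit_price * (1 + price_tol):
        holds.append("PRICE")            # two-way check: price vs PO
    if inv.qty_invoiced > po.qty_ordered * (1 + qty_tol):
        holds.append("QTY_ORDERED")      # two-way check: quantity vs PO
    received = sum(r.qty_received for r in receipts
                   if (r.po, r.line) == (inv.po, inv.line))
    if inv.qty_invoiced > received * (1 + qty_tol):
        holds.append("QTY_RECEIVED")     # three-way check: quantity vs receipts
    return holds


def match_all(invoice_lines, po_lines, receipts):
    """Run the match for every invoice line; {invoice id: [holds]}."""
    return {inv.invoice: match_invoice_line(inv, po_lines, receipts)
            for inv in invoice_lines}


# Constructed sample documents
PO_LINES = {("PO-1001", 1): POLine("PO-1001", 1, 10.00, 100)}
RECEIPTS = [Receipt("PO-1001", 1, 60), Receipt("PO-1001", 1, 35)]   # 95 received
INVOICES = [
    InvoiceLine("INV-A", "PO-1001", 1, 10.10, 95),   # within both tolerances
    InvoiceLine("INV-B", "PO-1001", 1, 11.00, 100),  # price and received-qty breach
    InvoiceLine("INV-C", "PO-9999", 1, 5.00, 1),     # no such PO line
]

if __name__ == "__main__":
    for invoice, holds in match_all(INVOICES, PO_LINES, RECEIPTS).items():
        print(invoice, "OK" if not holds else "HOLD: " + ", ".join(holds))
```

The example deliberately treats each invoice line on its own; a production match would also net off quantities already billed against the same PO line, and the second control question on the slide (who may release a hold) is an access-control matter that this logic does not decide.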
Controls Challenge: Segregation of Duties
Learning from SOX so far
• Top 10 Material Weaknesses
  – Income tax matters
  – Revenue recognition
  – Financial staffing/expertise
  – Leases accounting
  – Application of GAAP
  – Financial Close process
  – Monitoring Controls
  – Segregation of Duties
  – Derivatives
  – Subsidiaries/Remote locations
In Oracle, security is: COMPLEX, DIFFICULT, TECHNICAL, PERVASIVE
Nine out of ten companies we have audited have significant weaknesses in Oracle Security.
The Challenge of SOD
• Lack of Segregation of Duties (SOD) was one of the “Top 10 Material Weaknesses” in 2004 and 2005
• Informal polls noted eight out of ten companies had significant weaknesses in User Access
• Companies have spent millions of dollars remediating SOD and are still working at it
• Companies are finding new violations still being introduced into their systems
Managing Segregation of Duties and Sensitive Transactions
• What do we mean by segregation of duties and sensitive transactions?
• Segregation of duties is an internal control activity to help prevent or decrease the occurrence of undetected innocent errors or intentional fraud
• SOD conflicts need to be resolved by segregating the conflicting abilities or by mitigating the SOD conflict risks through sufficient mitigating controls
Managing Segregation of Duties and Sensitive Transactions (continued)
• What is a Sensitive Transaction?
• Any single transaction in a system that allows a person to perform a high-risk task which could result in a misstatement of financial statements or a significant operational risk
• Examples include:
  – Client administration
  – Delete client
  – Open and close accounting periods
  – Several other transactions
Approach to an SOD Solution
Develop an enterprise-wide strategy
+ Global Rule-Set Implementation
+ Remediation and Training
+ Develop Global User Admin Process
= Sustainable SOD Processes
Sustaining SOD • There are several tools in the market place that enable companies to help analyze access and SOD issues as well as sustain the process.
Sample SOD Rule Set

Rule 1 – AP Invoice Entry, and Vendor Master Maintenance
  Possible risk: A user could set up a fictitious vendor, subsequently enter fictitious vendor invoices and possibly have the invoices processed for automatic payment, as long as other mitigating controls fail to exist.

Rule 2 – Assessment Master Maintenance, and Assessment Execution
  Possible risk: A user could modify existing reporting/costing areas or create new reporting/costing areas, then move costs against those reporting/costing areas for fraudulent purposes or to create a more favorable position for their department.

Rule 3 – Customer Credit Approval, and Sales Invoicing
  Possible risk: A user could inappropriately increase a customer's credit limit and create a sales invoice for an amount greater than the customer is normally authorized to purchase on credit, either to inappropriately inflate sales revenues or in return for favors received from specified customers.

Rule 4 – Customer Master, Sales Rebates, and AR Cash Application
  Possible risk: A user could modify customer information, such as the customer name and bill-to address, process unauthorized sales rebates, inappropriately reapply the customer's cash remittances and have rebate checks sent to an invalid address.

Rule 5 – Fixed Assets, and AP Payments
  Possible risk: A user could process for payment the purchase of an unauthorized fixed asset, adjust the fixed asset records to conceal the purchase and possibly obtain or use the assets.

Rule 6 – GL Entry, and GL Master Maintenance
  Possible risk: A user with both the ability to maintain general ledger accounts and the ability to process journal entries could conceal fraudulent transactions or activity in general ledger accounts under the individual's control.

Rule 7 – GL Entry, and Business Processes
  Possible risk: A user could initiate an inappropriate business transaction and update the corresponding GL entries to hide the actual impact of such activity for an extended period of time.

Rule 8 – Material Master, Purchase Agreement, and Goods Receipt
  Possible risk: A user could create a material master that normally is not ordered by the company and enter a purchase agreement for such items from the material list for personal use. Once the goods are shipped, the employee could receive those goods and take possession of them for their own personal use.
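The definitions on the two “Managing Segregation of Duties and Sensitive Transactions” slides and the sample rule set above are enough to run a basic access review. The following is an added example, not a KPMG or Oracle tool: it expands each user's responsibilities into the functions they grant, flags every rule whose functions the user holds in full, flags sensitive transactions held by a single user, and distinguishes a conflict that lives inside one responsibility (which only a responsibility redesign can fix) from one created by combining responsibilities (which user provisioning can fix). The rule set is the presentation's sample; the responsibility names, the responsibility-to-function mapping and the user assignments are constructed and are not real Oracle EBS responsibilities.

```python
"""SOD and sensitive-transaction check over user access (added example, not a KPMG/Oracle tool).
The rules mirror the presentation's sample rule set; responsibilities and users are constructed."""

# A user who holds every function in a rule's set has an SOD conflict.
SOD_RULES = {
    1: {"AP Invoice Entry", "Vendor Master Maintenance"},
    2: {"Assessment Master Maintenance", "Assessment Execution"},
    3: {"Customer Credit Approval", "Sales Invoicing"},
    4: {"Customer Master", "Sales Rebates", "AR Cash Application"},
    5: {"Fixed Assets", "AP Payments"},
    6: {"GL Entry", "GL Master Maintenance"},
    7: {"GL Entry", "Business Processes"},
    8: {"Material Master", "Purchase Agreement", "Goods Receipt"},
}

# Sensitive transactions named on the slide: high risk even when held alone.
SENSITIVE_FUNCTIONS = {"Client administration", "Delete client",
                       "Open and close accounting periods"}

# Constructed responsibility -> functions mapping (hypothetical names).
RESPONSIBILITY_FUNCTIONS = {
    "AP Clerk": {"AP Invoice Entry"},
    "AP Supervisor": {"AP Invoice Entry", "AP Payments", "Vendor Master Maintenance"},
    "GL Accountant": {"GL Entry"},
    "GL Superuser": {"GL Entry", "GL Master Maintenance", "Open and close accounting periods"},
    "Buyer": {"Purchase Agreement"},
    "Receiving Clerk": {"Goods Receipt"},
    "Item Master Admin": {"Material Master"},
}

# Constructed user -> responsibilities assignments.
USER_RESPONSIBILITIES = {
    "asmith": {"AP Clerk", "GL Accountant"},
    "bjones": {"AP Supervisor"},
    "cwu": {"Buyer", "Receiving Clerk", "Item Master Admin"},
    "dlee": {"GL Superuser"},
}


def functions_for_user(user, user_resps=USER_RESPONSIBILITIES,
                       resp_funcs=RESPONSIBILITY_FUNCTIONS):
    """Map each function the user can perform to the responsibilities granting it."""
    grants = {}
    for resp in user_resps.get(user, ()):
        for fn in resp_funcs.get(resp, ()):
            grants.setdefault(fn, set()).add(resp)
    return grants


def sod_violations(user, rules=SOD_RULES, user_resps=USER_RESPONSIBILITIES,
                   resp_funcs=RESPONSIBILITY_FUNCTIONS):
    """[(rule_id, {function: [responsibilities]})] for every rule the user matches in full."""
    grants = functions_for_user(user, user_resps, resp_funcs)
    hits = []
    for rule_id, funcs in sorted(rules.items()):
        if funcs.issubset(grants):
            hits.append((rule_id, {fn: sorted(grants[fn]) for fn in sorted(funcs)}))
    return hits


def within_single_responsibility(hit):
    """True when one responsibility alone grants every function of the matched rule.
    Such a conflict is designed into the responsibility: removing the user's other
    responsibilities will not resolve it; the responsibility itself must be split."""
    _, grants = hit
    common = set.intersection(*(set(resps) for resps in grants.values()))
    return bool(common)


def sensitive_access(user, sensitive=SENSITIVE_FUNCTIONS,
                     user_resps=USER_RESPONSIBILITIES, resp_funcs=RESPONSIBILITY_FUNCTIONS):
    """{sensitive function: [responsibilities]} held by the user."""
    grants = functions_for_user(user, user_resps, resp_funcs)
    return {fn: sorted(grants[fn]) for fn in sorted(sensitive.intersection(grants))}


def access_review(users=USER_RESPONSIBILITIES):
    """Per-user findings: the input to remediation or to mitigating-control sign-off."""
    return {user: {"sod": sod_violations(user), "sensitive": sensitive_access(user)}
            for user in sorted(users)}


if __name__ == "__main__":
    for user, findings in access_review().items():
        for hit in findings["sod"]:
            where = "inside one responsibility" if within_single_responsibility(hit) else "across responsibilities"
            print(f"{user}: SOD rule {hit[0]} ({where}) {hit[1]}")
        for fn, resps in findings["sensitive"].items():
            print(f"{user}: sensitive transaction '{fn}' via {resps}")
```

Run as a script it prints one finding per conflict. In a real environment the two mappings would be extracted from the application's responsibility and menu/function definitions rather than typed in, and the rule set would be the organization's own; the point the slides make is that the review has to be re-run continuously, since new responsibilities and assignments keep reintroducing conflicts.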
Sustaining Compliance – Controls Integration
Sustaining Compliance – Leverage your ERP environment
• Have to automate in order to reduce control and compliance costs
• Need to leverage all capabilities within your Oracle environment
• Need to tie SOD management to the overall user provisioning process
• Need to incorporate a “controls” mindset into your development lifecycle
How Automation Impacts Compliance Costs: Total Cost of Control
• The cost of control is directly associated with the number, type and frequency of controls, so ultimately the largest cost driver is reducing the number of controls and transforming them into low-cost performance types
Total Cost of Control = Control Performance (largely “hidden”) + Initial Compliance, Ongoing Assessment and Monitoring (S-O “visible”)
Control Performance Cost Drivers (Example): On-going performance of controls; Design and Implementation FTEs; Systems Costs (applications and support); Failure Rate; Management Supervision; Training
Compliance Cost Drivers (Example): Control Documentation & Change Management; Testing (size and nature of control portfolio); Audit fees; Program admin & staffing; Remediation; Education/Training
Controls Integration into the Development Lifecycle
Business System/ERP Initiative phases: Plan, Design, Build, Test, Deploy
Dimensions: People & Organization; Process; Technology; Risk & Controls
Four dimensions are addressed throughout any development lifecycle: People & Organization, Process, Technology, and Risk & Controls. Aligning controls specialists with project teams to help ensure appropriate knowledge is applied in a timely manner can save significant effort throughout the process. These specialists, or “controls integrators,” provide specialized knowledge in the applicable control categories shown below.
Control Categories: Program Management; Application Controls; Segregation of Duties; Business Process Controls; User Access & Security; Data Integrity; IT General Controls
Key Attributes
• Program risks are managed effectively – with quality and meeting expectations
• Controls Specialist assigned to each initiative/project
• Controls framework integrated into initiative/project
• Controls integrated into the business
• Avoids end-of-cycle re-work
• Supports compliance sustainability vision
Potential Business Benefits from Improved Oracle ERP Controls

Feature | Potential Benefit
Increased control automation and reduction in manual controls | Reduced cost of operation by eliminating less effective manual controls
Centralized control maintenance | Controls are configured and maintained centrally rather than within every operating unit
Reduced cost of testing controls | Automated controls require less testing and provide greater assurance
Increased data reliability, integrity and accuracy | The cost to identify and correct data errors is high
Improved reporting and monitoring of information | Quicker and more reliable information for management allows for more precise and responsive business decisions
Concluding Thoughts
• IT is a critical component of financial statement, SOX and other regulatory audits
• Control complexity in a system such as Oracle can be high for auditors and their clients
• Controls automation and design can provide demonstrated regulatory and business benefits to an organization
• Effective control design and implementation in a system such as Oracle can help to deliver the regulatory and business benefits organizations are seeking
Who Are We? KPMG LLP
• Audit
• Advisory: Technology; Finance Operations; M&A; Regulatory Compliance; Accounting
• Tax
CFO Agenda: Focus on the Office of the CFO – Value Preservation and Value Creation – Independent, Objective Advisor
Questions? Thank You For Attending!