
A view from an auditor.
What is important in Oracle E-Business Suite?

KPMG LLP
Angela Carter
Jeff Kim
Jai Cullath
Agenda

• What are the key IT considerations in audit?
• Why are IT Considerations a challenge?
• Key Controls for Oracle E-business suite
• Addressing Segregation of Duties Challenges
• Sustaining Compliance – Controls Integration
What are the Key IT Considerations of an
Audit?
• Appropriate Access Controls
– Role specific access
– Non-conflicting access controls (Segregation of Duties)
• Automated Business Process Controls
– Application Controls
• Configurations
• Edits
• Validations
• Reports
Why are IT Controls a Challenge?
“Mutually Dependent Control Domains”

Program Management Office – Risk Management

IT Operations
ƒ System Administration
ƒ Change Management
ƒ Disaster Recovery
ƒ Asset Management
ƒ Performance

Business Process Controls
ƒ Process Documentation
ƒ Control Design and Implementation
ƒ Oracle Application Control Catalogs (Version 11.03 and higher)

IT Security
ƒ User Profiles
ƒ Infrastructure Security (Network, O/S and Database)
ƒ Security Monitoring

Data Integrity
ƒ Master Data
ƒ Data Conversion
ƒ Data Interfaces
ƒ Reconciliation

Each control area is dependent on the others


Why are IT Controls Important to the Audit? –
Role of Application Controls

Layered from the financial statements down to the infrastructure:

Significant Accounts in Financial Statements: Balance Sheet, Income Statement, SCFP, Notes, Other
Classes of Transactions
Business Processes: Process A, Process B, Process C
Financial Applications (application controls): Business Events and Transactions

Oracle Financial Application Controls
• Interfaces
• Configurations
• Reports
• Access

IT General Controls
• Program development
• Program changes
• Computer operations
• Access control
• Control environment

IT Infrastructure Services: Database, Operating System, Network
Key Controls in an Oracle
EBS Audit
• Process, risks and controls
– Audits are often organized by business processes such
as Order to Cash, Procure to Pay, etc.
– ERP systems such as Oracle EBS support the
execution of such processes
– Risk and specifically information risk is inherent in
processes and systems
– Controls help to mitigate such risks

Let’s take a look at some processes, risks and Oracle EBS controls
Key High Focus Processes

• General Ledger
– Journal Postings
– Financial Consolidation
• Purchasing
– Purchase Order Processing
– Receiving
• Accounts Payables
– Invoice Processing (3-Way Match..)
General Ledger – Potential Risk
GL Postings – Control Considerations

• What type of journal authorizations are in place?
• Can users post journals to control accounts such as the
cost of goods sold account?
• Can users modify journals created by the interfaces
systems such as Inventory, Order Management, Accounts
Receivables...?
• Are there any sensitive accounts that require
management oversight?
GL-Financial Consolidation –
Control Considerations
• Is the access to the consolidation “Chart of Accounts”
mapping restricted?
• What are the controls in place to monitor and authorize
Inter-company elimination entries?
• If FSG (Financial Statement Generator) is used, what controls
are in place to validate that changes to row sets and column
sets are authorized and appropriate?
Purchasing – Potential Risk
Purchase Order Processing –
Control Considerations
• Is there an automated approval workflow to manage
purchase orders?
• Is the system configured to enforce “Approved Supplier
List” (ASL)?
• Is the system configured to authorize the purchase orders
to only the authorized buyer accounts?
• Are changes to supplier master details, such as bank
information and payment address, monitored?
Accounts Payable – Potential Risk
AP Invoice Processing –
Control Considerations
• Is Oracle Payables’ three-way (or four-way) match
functionality utilized?
• Is Oracle Payables configured to enforce price and
quantity tolerances during the matching of an invoice to a
corresponding purchase order and receipt?
• Is the Oracle Payables configuration for posting automatic
accounting entries defined appropriately?
AP Invoice Processing – Control
Considerations
• Are Oracle access controls configured to ensure only
properly authorized personnel can remove holds on
Accounts Payable invoices?
• Is Oracle configured to prevent adjustments to accounts
payable invoices that have been approved and paid?
• Is Oracle Payables configured to age invoices using date
ranges that are appropriate given the descriptions of the
aging buckets?
Controls Challenge:
Segregation of Duties
Learning from SOX so far

• Top 10 Material Weaknesses
– Income tax matters
– Revenue recognition
– Financial staffing/expertise
– Leases accounting
– Application of GAAP
– Financial Close process
– Monitoring Controls
– Segregation of Duties
– Derivatives
– Subsidiaries/Remote locations

In Oracle, security is: COMPLEX, DIFFICULT, TECHNICAL, PERVASIVE

Nine out of ten companies we have audited have significant
weaknesses in Oracle Security
The Challenge of SOD

• Lack of Segregation of Duties (SOD) was one of the “Top
10 Material Weaknesses” in 2004 and 2005
• Informal polls noted eight out of ten companies had
significant weaknesses in User Access.
• Companies have spent millions of dollars remediating
SOD and are still working at it.
• Companies are finding new violations still being
introduced into their systems
Managing Segregation of Duties
and Sensitive Transactions
• What do we mean by segregation of duties and sensitive
transactions?
• Segregation of duties is an internal control activity to help
prevent or decrease the occurrence of undetected
innocent errors or intentional fraud
• SOD conflicts need to be resolved by segregating the
conflicting abilities or mitigating the SOD conflict risks by
implementing sufficient mitigating controls
Managing Segregation of Duties
and Sensitive Transactions
• What is a Sensitive Transaction?
• Any single transaction in a system that allows a person to
perform a high risk task which could result in a
misstatement of financial statements or a significant
operational risk.
• Examples include:
– Client administration
– Delete client
– Open and close accounting periods
– Several other transactions
Approach to an SOD Solution

Develop an enterprise-wide strategy
+ Global Rule-Set Implementation
+ Remediation and Training
+ Develop Global User Admin Process
= Sustainable SOD Processes

• There are several tools in the market place that enable
companies to help analyze access and SOD issues as
well as sustain the process.
Sample SOD Rule Set
(Rule # – Rule Description – Possible Risk)

1 – AP Invoice Entry, and Vendor Master Maintenance – A user could setup a fictitious vendor, subsequently enter fictitious vendor invoices and possibly have the invoice process for automatic payment as long as other mitigating controls fail to exist.

2 – Assessment Master Maintenance, and Assessment Execution – A user could modify existing reporting/costing areas or create new reporting/costing areas, then move costs against those reporting/costing areas for fraudulent purposes or to create a more favorable position for their department.

3 – Customer Credit Approval, and Sales Invoicing – A user could inappropriately increase a customer's credit limit and create a sales invoice for an amount greater than the customer is normally authorized to purchase on credit to either inappropriately inflate sales revenues or for a return of favors received from specified customers.

4 – Customer Master, Sales Rebates, and AR Cash Application – A user could modify customer information, such as the customer name and bill to address, process unauthorized sales rebates, inappropriately reapply the customer's cash remittances and have rebate checks sent to an invalid address.

5 – Fixed Assets, and AP Payments – A user could process for payment the purchase of an unauthorized fixed asset, adjust the fixed asset records to conceal the purchase and possibly obtain or use the assets.

6 – GL Entry, and GL Master Maintenance – A user with both the ability to maintain general ledger accounts and the ability to process journal entries could conceal fraudulent transactions or activity in general ledger accounts under the individual's control.

7 – GL Entry, and Business Processes – A user could initiate an inappropriate business transaction and update the corresponding GL entries to hide the actual impact of such activity for an extended period of time.

8 – Material Master, Purchase Agreement, and Goods Receipt – A user could create a material master that normally is not ordered by the company and enter a purchase agreement for such items from the material list for personal use. Once the goods are shipped, the employee could receive those goods and take possession for their own/personal use.
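The rule set above, the sensitive-transaction list and the point about tying SOD to user provisioning can be exercised offline with a small checker. The following is an added example written for this page, not KPMG's or Oracle's code: it encodes the eight rules as sets of conflicting functions, resolves each user's effective functions through the responsibilities that grant them (the Oracle EBS user → responsibility → function model), reports detective findings with the granting responsibility for remediation, and offers a preventive check for a proposed responsibility grant. All responsibility names, user names and function-to-responsibility mappings are constructed for illustration and are not Oracle seed data.

```python
"""Offline segregation-of-duties (SOD) checker modelled on the sample rule set.

Constructed data: responsibility and user names below are hypothetical and do
not correspond to real Oracle E-Business Suite seeded responsibilities.
"""
from collections import defaultdict

# Conflict rules from the slide: rule number -> functions that conflict when
# one user holds all of them.
SOD_RULES = {
    1: {"AP Invoice Entry", "Vendor Master Maintenance"},
    2: {"Assessment Master Maintenance", "Assessment Execution"},
    3: {"Customer Credit Approval", "Sales Invoicing"},
    4: {"Customer Master", "Sales Rebates", "AR Cash Application"},
    5: {"Fixed Assets", "AP Payments"},
    6: {"GL Entry", "GL Master Maintenance"},
    7: {"GL Entry", "Business Processes"},
    8: {"Material Master", "Purchase Agreement", "Goods Receipt"},
}

# Sensitive single transactions (from the slide): flagged on their own.
SENSITIVE_FUNCTIONS = {"Open/Close Accounting Periods", "Delete Client"}

# Constructed responsibility -> functions mapping (hypothetical names).
RESPONSIBILITY_FUNCTIONS = {
    "AP_CLERK": {"AP Invoice Entry"},
    "AP_SUPER": {"AP Invoice Entry", "AP Payments", "Vendor Master Maintenance"},
    "GL_ACCOUNTANT": {"GL Entry"},
    "GL_SUPER": {"GL Entry", "GL Master Maintenance",
                 "Open/Close Accounting Periods"},
    "FA_MANAGER": {"Fixed Assets"},
}

# Constructed user -> responsibilities assignments (hypothetical users).
USER_RESPONSIBILITIES = {
    "CLERK1": {"AP_CLERK", "FA_MANAGER"},
    "APMGR": {"AP_SUPER"},
    "GLACCT": {"GL_ACCOUNTANT"},
    "GLSUPER": {"GL_SUPER", "AP_CLERK"},
}


def effective_functions(user, user_resps, resp_funcs):
    """Return {function: {responsibilities granting it}} for one user.

    Conflicts often arise across responsibilities, so provenance is kept to
    show which grant to remove or mitigate.
    """
    granted = defaultdict(set)
    for resp in user_resps.get(user, ()):
        for func in resp_funcs.get(resp, ()):
            granted[func].add(resp)
    return granted


def find_sod_violations(user_resps, resp_funcs, rules=SOD_RULES,
                        sensitive=SENSITIVE_FUNCTIONS):
    """Detective check: list every (user, rule) conflict and sensitive access."""
    findings = []
    for user in sorted(user_resps):
        granted = effective_functions(user, user_resps, resp_funcs)
        held = set(granted)
        for rule_id, conflict in sorted(rules.items()):
            if conflict <= held:  # user holds every function in the rule
                via = {f: sorted(granted[f]) for f in sorted(conflict)}
                findings.append({"user": user, "rule": rule_id, "via": via})
        for func in sorted(held & sensitive):
            findings.append({"user": user, "rule": "sensitive",
                             "via": {func: sorted(granted[func])}})
    return findings


def conflicts_if_granted(user, new_resp, user_resps, resp_funcs,
                         rules=SOD_RULES):
    """Preventive check for provisioning: rules newly violated if new_resp is
    added to the user's current responsibilities (existing conflicts excluded)."""
    current = set(user_resps.get(user, ()))
    before = {f["rule"] for f in
              find_sod_violations({user: current}, resp_funcs, rules, set())}
    after = {f["rule"] for f in
              find_sod_violations({user: current | {new_resp}},
                                  resp_funcs, rules, set())}
    return sorted(after - before)


if __name__ == "__main__":
    for finding in find_sod_violations(USER_RESPONSIBILITIES,
                                       RESPONSIBILITY_FUNCTIONS):
        print(f"{finding['user']}: rule {finding['rule']} via {finding['via']}")
    print("Granting AP_SUPER to CLERK1 would violate rules:",
          conflicts_if_granted("CLERK1", "AP_SUPER",
                               USER_RESPONSIBILITIES, RESPONSIBILITY_FUNCTIONS))
```

Running the detective check over the constructed data flags the user holding the AP super-user responsibility (rule 1), and the GL super-user who also holds period open/close. The preventive check is the piece that belongs in the user-provisioning workflow: a grant is evaluated against the rule set before it is made, rather than discovered in the next quarterly review.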
Sustaining Compliance
Controls Integration
Sustaining Compliance
Leverage your ERP environment
• Have to automate in order to reduce control and
compliance costs
• Need to leverage all capabilities within your Oracle
environment
• Need to tie SOD management to overall user provisioning
process
• Need to incorporate “controls” mindset into your
development lifecycle
How Automation Impacts
Compliance Costs: Total Cost of Control

• The cost of control is directly associated with the number,
type and frequency of controls so ultimately the largest
cost driver is in reducing the number of controls and
transforming them to low cost performance types

Total Cost of Control = largely “hidden” performance cost + “visible” compliance cost

Control Performance Cost Drivers (Example) – largely “hidden”
• On-going Design and Implementation
• FTE’s performance of controls
• Systems Costs (applications and support)
• Control Failure Rate
• Management Supervision
• Training

Control Compliance Cost Drivers (Example) – “visible”
• Control Documentation & Change Management
• Testing (Size and nature of control portfolio)
• S-O Initial Compliance, Audit fees
• Ongoing Assessment and Monitoring
• Program admin & staffing
• Remediation
• Education/Training
Controls Integration into the Development Lifecycle
Business System/ERP Initiative

Dimensions: People & Organization, Process, Technology, Risk & Controls
Lifecycle phases: Plan, Design, Build, Test, Deploy

Four dimensions are addressed throughout any development lifecycle: People &
Organization, Process, Technology, and Risk & Controls. Aligning controls specialists with
project teams to help ensure appropriate knowledge is applied timely, can save significant
effort throughout the process.
These specialists, or “controls integrators,” provide specialized knowledge in applicable
control categories as shown below.
Control Categories
• Business Process Controls
• Application Controls
• Segregation of Duties
• User Access & Security
• Data Integrity
• IT General Controls

Key Attributes
• Program Management: program risks are managed effectively – with
quality and meeting expectations
• Controls Specialist assigned to each initiative/project
• Controls framework integrated into initiative/project
• Controls integrated into the business
• Avoids end cycle re-work
• Supports compliance sustainability vision
Potential Business Benefits from Improved
Oracle ERP Controls
(Feature – Potential Benefit)

• Increased control automation and reduction in manual controls – Reduce cost of operation by eliminating less effective manual controls
• Centralized control maintenance – Controls are configured and maintained centrally rather than within every operating unit
• Reduced cost of testing controls – Automated controls require less testing and provide greater assurance
• Increased data reliability, integrity and accuracy – Cost to identify and correct data error is high
• Improved reporting and monitoring of information – Quicker and more reliable information for management allows for more precise and responsive business decisions
Concluding Thoughts

• IT is a critical component of financial statement, SOX and
other regulatory audits
• Control complexity in a system such as Oracle can be
high for auditors and their clients
• Controls automation and design can provide
demonstrated regulatory and business benefits to an
organization
• Effective control design and implementation in a system
such as Oracle can help to deliver regulatory and
business benefits organizations are seeking.
Who Are We?
KPMG LLP

Audit, Advisory, Tax
Technology, Finance, M&A, Operations, Regulatory, Accounting, Compliance

CFO AGENDA
Focus on the Office of the CFO
Value Preservation and Value Creation
Independent, Objective Advisor
Questions?
Thank You For Attending!
