
Oracle Overview and Controls

Workshop for the Internal Audit Department
2001-2002

CAP GEMINI ERNST & YOUNG


OVERVIEW OF ORACLE APPLICATIONS SECURITY

Diagram: the security model covered in this workshop
- Application User
- Responsibilities, made up of: Data Group, Menu, Exclusions, Request Security Group
- Function Security
- Oracle Application Specific Profiles
- Audit Trail

APPLICATIONS USER

In order to sign on, an Application User must be defined.
An Application User is identified by a:
- User Name
- Password
Each Application User is assigned a Responsibility (a user may hold more than one; see Application Security: Maintenance).

SETTING UP USERS (screenshot of the Users form)



USER SIGN-ON (screenshot of the sign-on form; callout: sign-on can be automated)


Responsibilities


APPLICATION RESPONSIBILITIES

Defined Responsibilities allow access to:
- Specific Applications
- Sets of Books (SOBs)
- A restricted list of windows
- A restricted list of functions
- Reports in a specific application

APPLICATION RESPONSIBILITIES

Components of a Responsibility:
- Data Group
- Menu
- Function & Menu Exclusions
- Request Security Group

Responsibilities have to be assigned to Apps Users.


APPLICATION RESPONSIBILITIES (contd)

A Data Group determines the database tables and table privileges accessible by the application(s) assigned to the user. Each application in a data group is paired with the Oracle database account (ORACLE ID) under which its forms and programs run, so the data group decides which tables and privileges a responsibility reaches.

Diagram: Responsibility -> Data Group -> Oracle Database

ASSIGNING RESPONSIBILITIES (screenshot)

USER ASSIGNED RESPONSIBILITY (Example 1) (screenshot)

USER ASSIGNED RESPONSIBILITY (Example 2) (screenshot: the same responsibility without the Supplier menu)


APPLICATION RESPONSIBILITIES (contd)

A Menu:
- Is a hierarchical arrangement of application form functions (forms) and non-form functions (subfunctions) that defines the range of application functionality
- Can be customised to restrict functionality and navigation to certain windows

APPLICATION RESPONSIBILITIES (contd): FUNCTIONAL SECURITY

Two types of functions:
- Form Functions (Form): a function that opens a window
- Non-Form Functions (Subfunction): a capability exercised from within a window, such as a button or menu action, that can be granted or withheld separately from the window itself


AP MANAGER MENU EXAMPLE (screenshot)


APPLICATION RESPONSIBILITIES (contd)

Function & Menu Exclusions:
- Used to customize pre-defined menu structures (a responsibility can exclude individual functions or whole menus from the menu assigned to it)
OR
- You can create new menu structures from scratch


RESTRICTED MENU EXAMPLE (screenshot)


APPLICATION RESPONSIBILITIES (contd)

A Request Security Group:
- Defines the concurrent programs (including requests and request sets) that may be run by an Application User under a particular responsibility
- Concurrent programs are long-running, data-intensive tasks such as posting a journal or running a report
- A request set is a collection of reports and/or programs that you group together; you can submit all the reports and/or programs in a request set at once, as a single transaction
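The model below is an added example, not code from the workshop or from Oracle Applications. It shows how the three access-defining components of a responsibility described above (the Menu, the Function & Menu Exclusions, and the Request Security Group) combine into the set of functions a user can open and the concurrent programs a user can submit, which is what an access review has to establish. All menu, function, program and responsibility names are constructed for illustration; the clerk responsibility reuses the manager menu with the supplier menu excluded, as in "Example 2" above.

```python
"""How a responsibility resolves to the functions and concurrent programs a
user can actually reach: menu tree, Function & Menu Exclusions, request group.
Added example, not Oracle Applications code; all menu, function, program and
responsibility names below are constructed."""
from dataclasses import dataclass, field


@dataclass
class Menu:
    name: str
    # entries are ("menu", submenu name) or ("function", function name)
    entries: list = field(default_factory=list)


@dataclass
class Responsibility:
    name: str
    menu: str
    excluded_menus: set = field(default_factory=set)
    excluded_functions: set = field(default_factory=set)
    request_group: str = ""


def effective_functions(resp, menus):
    """Walk the menu tree from the responsibility's top menu. An excluded menu
    drops its whole subtree; an excluded function is dropped wherever it
    appears. A function that is also reachable through a non-excluded menu
    stays reachable, which is why menu exclusions alone are not enough."""
    reached, seen, stack = set(), set(), [resp.menu]
    while stack:
        m = stack.pop()
        if m in seen or m in resp.excluded_menus:
            continue
        seen.add(m)
        for kind, target in menus[m].entries:
            if kind == "menu":
                stack.append(target)
            elif target not in resp.excluded_functions:
                reached.add(target)
    return reached


def effective_programs(resp, request_groups, request_sets):
    """A request group lists concurrent programs and request sets; a request
    set is a bundle of programs, so expand it to see everything submittable."""
    programs = set()
    for kind, target in request_groups.get(resp.request_group, []):
        programs.update(request_sets[target] if kind == "set" else {target})
    return programs


def build_sample():
    """Constructed configuration: an AP Manager menu reused by a clerk
    responsibility that excludes the supplier menu (as in 'Example 2')."""
    menus = {
        "AP_MANAGER_MENU": Menu("AP_MANAGER_MENU", [
            ("menu", "AP_INVOICE_MENU"), ("menu", "AP_SUPPLIER_MENU"),
            ("menu", "AP_PAYMENT_MENU"), ("function", "Run Reports")]),
        "AP_INVOICE_MENU": Menu("AP_INVOICE_MENU", [
            ("function", "Enter Invoices"), ("function", "Approve Invoices"),
            ("function", "Supplier Inquiry")]),      # also under the supplier menu
        "AP_SUPPLIER_MENU": Menu("AP_SUPPLIER_MENU", [
            ("function", "Enter Suppliers"), ("function", "Supplier Inquiry")]),
        "AP_PAYMENT_MENU": Menu("AP_PAYMENT_MENU", [
            ("function", "Enter Payments"), ("function", "Payment Batches")]),
    }
    request_sets = {"Month End Close": {"Payables Accounting Process", "Journal Import"}}
    request_groups = {
        "AP Manager Requests": [("program", "Invoice Register"),
                                ("program", "Payment Register"), ("set", "Month End Close")],
        "AP Clerk Requests": [("program", "Invoice Register")],
    }
    resps = {
        "AP Manager": Responsibility("AP Manager", "AP_MANAGER_MENU",
                                     request_group="AP Manager Requests"),
        "AP Clerk": Responsibility("AP Clerk", "AP_MANAGER_MENU",
                                   excluded_menus={"AP_SUPPLIER_MENU"},
                                   excluded_functions={"Approve Invoices", "Payment Batches"},
                                   request_group="AP Clerk Requests"),
    }
    return menus, request_sets, request_groups, resps


def access_profile(resp_name):
    """Everything the responsibility can open or submit, for an access review."""
    menus, request_sets, request_groups, resps = build_sample()
    resp = resps[resp_name]
    return {"functions": effective_functions(resp, menus),
            "programs": effective_programs(resp, request_groups, request_sets)}


if __name__ == "__main__":
    for name in ("AP Manager", "AP Clerk"):
        print(name, access_profile(name))
```

Note the caveat the walk makes visible: "Supplier Inquiry" is still reachable by the clerk through the invoice menu even though the supplier menu is excluded, so a reviewer should work from the resolved function list (what the Function Security Menu Report shows) rather than from the list of exclusions.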


APPLICATION RESPONSIBILITIES (contd)

Diagram: a user signs on with a Responsibility; the Responsibility's Request Security Group (request group) lists the Reports, Request Sets and Concurrent Programs that user may submit.


SUBMIT REQUESTS EXAMPLE (screenshot)


Application Security: Pre-defined Responsibilities

Oracle Purchasing:
- Oracle Super User: provides access to all product forms;
- Purchasing Manager: duplicates the Super User responsibility;
- Buyer: provides general access to purchasing documents, inquiries, vendor and item management, reports and limited setup forms;
- Requestor: provides access to requisition functions, related inquiries and reports; and
- Receiver: provides access to receiving functions, related inquiries and reports.


Application Security: Maintenance

- The System Administrator defines and maintains all Oracle Applications users;
- Each user can be assigned more than one responsibility;
- The Oracle Applications user ID is not linked to the user's operating-system ID (control concern: the application password is a separate credential, and an application user has to be reconciled to a person by other means); and
- Access to Responsibilities can be limited to a specific period of time through the Effective Dates feature.

Designing Security Administration

- Consider organizational design and business processes;
- Utilize vanilla (pre-defined) responsibilities;
- Edit responsibilities using a Security matrix:
  - Determine which employees should get access
  - Determine what they should get access to: Applications, Functions, Data, Reports
- Incorporate Corporate Governance and Segregation of Duties


ACCESS SECURITY REPORTS

Reports that may be run to view user access rights:
- Active Responsibilities Report
- Active Users Report
- Reports & Sets by Responsibility Report
- Function Security Menu Report
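The review below is an added example (not workshop material or an Oracle report) that reproduces what the Active Users and Active Responsibilities reports establish and then applies the Segregation of Duties step from "Designing Security Administration": which user holds which responsibility today, honouring the Effective Dates on both the user and the assignment, and which active combinations conflict. The user and assignment rows are constructed to resemble what the application's user tables hold; the conflict matrix is an illustrative assumption, not a list from the workshop.

```python
"""Review of user-to-responsibility assignments: active users, active
assignments (effective dates) and segregation-of-duties conflicts.
Added example; rows and the conflict matrix are constructed assumptions."""
from datetime import date
from itertools import combinations

# Constructed sample users: (user_name, start_date, end_date)
USERS = [
    ("JSMITH", date(2001, 1, 15), None),
    ("ALEE",   date(2000, 6, 1),  None),
    ("TMP01",  date(2001, 3, 1),  date(2001, 6, 30)),   # end-dated user
]
# Constructed sample assignments: (user_name, responsibility, start_date, end_date)
ASSIGNMENTS = [
    ("JSMITH", "Buyer",     date(2001, 1, 15), None),
    ("JSMITH", "Receiver",  date(2001, 1, 15), None),
    ("ALEE",   "Requestor", date(2000, 6, 1),  None),
    ("ALEE",   "Buyer",     date(2000, 6, 1),  date(2001, 9, 30)),  # expired assignment
    ("TMP01",  "Purchasing Super User", date(2001, 3, 1), None),
]
# Illustrative conflict matrix (assumption): responsibility pairs one person should not hold.
CONFLICTS = {
    frozenset({"Buyer", "Receiver"}),      # orders goods and confirms their receipt
    frozenset({"Requestor", "Buyer"}),     # raises a requisition and turns it into an order
    frozenset({"Buyer", "Purchasing Super User"}),
}
# Responsibilities that reach every form of the product: always worth listing.
SUPER_USER = {"Purchasing Super User", "Purchasing Manager"}


def is_active(start, end, on):
    return start <= on and (end is None or end >= on)


def active_assignments(on):
    """What the Active Users / Active Responsibilities reports show for a date:
    an assignment counts only if its own dates and its user's dates cover `on`."""
    user_dates = {u: (s, e) for u, s, e in USERS}
    active = {}
    for user, resp, start, end in ASSIGNMENTS:
        u_start, u_end = user_dates[user]
        if is_active(u_start, u_end, on) and is_active(start, end, on):
            active.setdefault(user, set()).add(resp)
    return active


def sod_violations(on):
    """Conflicting pairs held by one active user, plus any super-user access."""
    findings = []
    for user, resps in active_assignments(on).items():
        for a, b in combinations(sorted(resps), 2):
            if frozenset({a, b}) in CONFLICTS:
                findings.append((user, a, b))
        if resps & SUPER_USER:
            findings.append((user, "super-user responsibility", ", ".join(sorted(resps & SUPER_USER))))
    return findings


if __name__ == "__main__":
    for when in (date(2001, 5, 1), date(2001, 10, 15)):
        print(when, active_assignments(when), sod_violations(when))
```

Running the check for two dates shows why the review must be dated: ALEE's Buyer/Requestor conflict disappears once the Buyer assignment end-dates, and the temporary super user drops out when the user record itself expires.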

FLEXFIELDS


DATA SECURITY: FLEXFIELDS

FLEXFIELDS:
- Customizable fields made up of segments, in which the user may enter data (accounting or non-accounting)
- Flexfields are either KEY or DESCRIPTIVE
- Segment values are validated using Value Sets and Security Rules
- The user cannot define a segment value on his own, i.e., only values in the Chart of Accounts (COA) can be used

DATA SECURITY: FLEXFIELDS (contd)

Example: a flexfield with four segments

Segment        | Value
---------------|----------
Asset Category | Computer
Sub Category   | Monitor
Size           | 14
Serial Number  | ABC12345


DATA SECURITY: FLEXFIELDS (contd)

Diagram: two Value Sets, each supplying the VALUES for a segment and each carrying its own Security rules; Cross-Validation rules sit across the value sets.

DATA SECURITY: FLEXFIELDS (contd)

Value Sets determine:
- Basic attributes of the flexfield segment (data type, value length, minimum and maximum values, required (Y/N))
- Basic validation strategy (independent, dependent, table-validated, etc.)
- Approved values (if available)

DATA SECURITY:
FLEXFIELDS (contd)

Cross-Validation rules cross-check value


combinations entered and prevent
illogical combinations of segment values
from being entered
Country Value Set
USA
UK

Country
State
City

State Value Set


CA

City Value
Set
Los
Angeles

NY

London

TX

New York
City

UK
CA
Los Angeles


DATA SECURITY: FLEXFIELDS (contd)

The Dynamic Insertion option allows users to create new code combinations automatically from a transaction form (e.g. during the implementation period, for legacy data).
MUST ENSURE CROSS-VALIDATION IS ON WHEN THE DYNAMIC INSERTION OPTION IS ENABLED!!! Otherwise any combination of individually valid segment values, illogical ones included, is added to the code combinations table.

DATA SECURITY: FLEXFIELDS (contd)

- Value Set Security rules determine who can use particular segment values
- Use Responsibilities to determine what access a user may have to data (a security rule takes effect only for the responsibilities it is assigned to)


FLEXFIELD SECURITY (contd)

Comparing Cross-Validation and Security Rules:

Cross-Validation Rules                         | Security Rules
-----------------------------------------------|--------------------------------------------------
Apply to all users                             | Apply only to users of the chosen responsibility
Affect only key flexfields                     | Affect key and descriptive flexfields as well as report parameters
Apply across an entire key flexfield structure | Apply only to the value set they are defined on
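The model below is an added example, not code from the workshop or from Oracle Applications, that puts the four flexfield controls discussed above into one entry path: value-set validation of each segment, security rules per responsibility, cross-validation rules across segments, and dynamic insertion of new combinations. It uses the Country / State / City example and shows the warning in concrete form: with dynamic insertion on and cross-validation off, UK / CA / Los Angeles lands in the code combinations table. The value sets, rules and responsibility names are constructed, and the include/exclude semantics are a simplification of Oracle's (an assumption, flagged in the comments).

```python
"""Entering a key flexfield combination: value-set validation per segment,
security rules per responsibility, cross-validation rules across segments,
and dynamic insertion of new combinations. Added example, not Oracle code;
value sets, rules and responsibility names are constructed, and the
include/exclude semantics are a simplification (assumption, see comments)."""

# Value sets with the validation strategy named on the slide. "table" stands
# for table-validated: allowed values are looked up in a table (a set here).
VALUE_SETS = {
    "Country": {"type": "independent", "values": {"USA", "UK"}},
    "State":   {"type": "independent", "values": {"CA", "NY", "TX"}},
    "City":    {"type": "table", "table": {"Los Angeles", "New York City", "London"}},
}
SEGMENTS = ["Country", "State", "City"]   # segment name doubles as value-set name

# Cross-validation rules apply to every user. An element is {segment: (low, high)};
# a segment left out matches any value. Assumed semantics: a combination passes a
# rule if it matches at least one include element and no exclude element.
CROSS_VALIDATION_RULES = [
    {"name": "no US state with country UK", "include": [{}],
     "exclude": [{"Country": ("UK", "UK"), "State": ("CA", "TX")}]},
    {"name": "London is not in the USA", "include": [{}],
     "exclude": [{"Country": ("USA", "USA"), "City": ("London", "London")}]},
]
# Security rules apply only to the responsibility and value set they are
# assigned to. Assumed semantics: an empty include list means all values.
SECURITY_RULES = {
    ("UK Clerk", "Country"): {"include": [("UK", "UK")], "exclude": []},
}


def in_range(value, low, high):
    return (low is None or value >= low) and (high is None or value <= high)


def validate_segment(value_set, value):
    vs = VALUE_SETS[value_set]
    if vs["type"] == "independent":
        return value in vs["values"]
    if vs["type"] == "table":
        return value in vs["table"]
    raise ValueError("dependent value sets are not modelled here")


def security_allows(responsibility, value_set, value):
    rule = SECURITY_RULES.get((responsibility, value_set))
    if rule is None:
        return True
    included = not rule["include"] or any(in_range(value, lo, hi) for lo, hi in rule["include"])
    excluded = any(in_range(value, lo, hi) for lo, hi in rule["exclude"])
    return included and not excluded


def element_matches(element, combo):
    return all(in_range(combo[seg], lo, hi) for seg, (lo, hi) in element.items())


def cross_validate(combo):
    """Names of the cross-validation rules the combination violates."""
    failed = []
    for rule in CROSS_VALIDATION_RULES:
        ok = (any(element_matches(e, combo) for e in rule["include"])
              and not any(element_matches(e, combo) for e in rule["exclude"]))
        if not ok:
            failed.append(rule["name"])
    return failed


class CodeCombinations:
    """The code combinations table plus the two switches the slide warns about."""

    def __init__(self, dynamic_insertion=True, cross_validation=True):
        self.rows = {("USA", "CA", "Los Angeles"), ("USA", "NY", "New York City")}
        self.dynamic_insertion = dynamic_insertion
        self.cross_validation = cross_validation

    def enter(self, responsibility, values):
        combo = dict(zip(SEGMENTS, values))
        # 1. each segment value must exist in its value set and be open to this responsibility
        for seg in SEGMENTS:
            if not validate_segment(seg, combo[seg]):
                return f"rejected: {combo[seg]!r} is not a valid {seg}"
            if not security_allows(responsibility, seg, combo[seg]):
                return f"rejected: security rule bars {responsibility} from {seg} {combo[seg]!r}"
        # 2. an existing combination is simply reused
        if tuple(values) in self.rows:
            return "ok: existing combination"
        # 3. a new combination needs dynamic insertion and should be cross-validated;
        #    with cross-validation off, step 1 is the only check an illogical combination faces
        if not self.dynamic_insertion:
            return "rejected: combination does not exist and dynamic insertion is off"
        if self.cross_validation:
            failed = cross_validate(combo)
            if failed:
                return "rejected: cross-validation " + "; ".join(failed)
        self.rows.add(tuple(values))
        return "ok: new combination inserted"
```

The order of the checks matters for the comparison table above: the security rule is evaluated per segment and per responsibility before the combination is even looked at, whereas the cross-validation rule sees the whole combination and applies to everyone, but only when a new combination is being created.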


Descriptive Flexfield (detailed session next mon)


AUDITING IN ORACLE APPLICATIONS


AUDITING IN ORACLE APPLICATIONS (contd)

Auditing Users is supported by:
- Sign-On: Audit Level profile option settings
- Audit Reports

Auditing database row changes is supported by:
- Help Menu: About this record
- Audit Trail: Activate profile option setting

AUDITING IN ORACLE APPLICATIONS (contd)

Sign-On: Audit Level features:
- Selective Auditing
- Monitoring Application Users
- Display Sign-on Audit data in the Help Menu
- Notification of unsuccessful logins
- Sign-on Audit Reports

AUDITING IN ORACLE APPLICATIONS (contd)

Sign-on Audit Reports:
- Concurrent requests
- Audit forms
- Audit responsibilities
- Audit unsuccessful logins
- Audit users
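The script below is an added example, not workshop material or an Oracle report, of what an auditor does with the Sign-on Audit data the reports above expose: it takes rows shaped like the "Audit users" and "Audit unsuccessful logins" output and flags failed-login bursts, sign-ons outside business hours, and sessions under a super-user responsibility. The rows, the terminal names, the burst threshold and the business-hours window are constructed assumptions; the column layout is not an Oracle table definition.

```python
"""Review of Sign-On Audit data: failed-login bursts, after-hours sign-ons
and use of a super-user responsibility. Added example over constructed rows
shaped like the Sign-on Audit Users / Unsuccessful Logins reports (the row
layout is an assumption, not an Oracle table definition)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed successful sign-ons: (user, responsibility, login time, terminal)
LOGINS = [
    ("JSMITH",   "Buyer",                  "2001-11-05 08:55", "PC-0413"),
    ("ALEE",     "Requestor",              "2001-11-05 09:10", "PC-0221"),
    ("SYSADMIN", "System Administrator",   "2001-11-05 22:40", "PC-0413"),  # late, from JSMITH's PC
    ("TMP01",    "Purchasing Super User",  "2001-11-06 10:02", "PC-0190"),
]
# Constructed unsuccessful logins: (user name attempted, time, terminal)
FAILED = [
    ("SYSADMIN", "2001-11-05 22:31", "PC-0413"), ("SYSADMIN", "2001-11-05 22:33", "PC-0413"),
    ("SYSADMIN", "2001-11-05 22:36", "PC-0413"), ("ALEE", "2001-11-05 09:09", "PC-0221"),
]
SUPER_RESPS = {"System Administrator", "Purchasing Super User"}   # assumption
BUSINESS_HOURS = (7, 19)   # sign-ons outside 07:00-19:00 get flagged (assumption)


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def failed_login_bursts(failed, threshold=3, window=timedelta(minutes=10)):
    """(user, terminal, start) for each user/terminal with `threshold` or more
    failures inside one `window`; a single failure is normal and ignored."""
    by_key = defaultdict(list)
    for user, when, term in failed:
        by_key[(user, term)].append(ts(when))
    bursts = []
    for (user, term), times in by_key.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                bursts.append((user, term, times[i].strftime("%Y-%m-%d %H:%M")))
                break
    return bursts


def suspicious_signons(logins, failed):
    """Successful sign-ons that followed a burst on the same terminal, fell
    outside business hours, or used a super-user responsibility."""
    burst_keys = {(u, t) for u, t, _ in failed_login_bursts(failed)}
    findings = []
    for user, resp, when, term in logins:
        reasons = []
        if not BUSINESS_HOURS[0] <= ts(when).hour < BUSINESS_HOURS[1]:
            reasons.append("after hours")
        if (user, term) in burst_keys:
            reasons.append("followed failed-login burst")
        if resp in SUPER_RESPS:
            reasons.append("super-user responsibility")
        if reasons:
            findings.append((user, when, reasons))
    return findings


if __name__ == "__main__":
    for finding in suspicious_signons(LOGINS, FAILED):
        print(*finding)
```

The terminal column is what ties the two reports together: three failed SYSADMIN attempts followed by a successful one from a buyer's PC at 22:40 is a different finding from three failed attempts on their own.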


AUDITING IN ORACLE APPLICATIONS (contd)

Help Menu: About this record
- Displays information about a record that has been saved before
- Information includes who created the record, the date of creation, and the database table where the record resides
- Lets you know who last changed the record using Oracle Applications, the date of the change, and that user's system logon and terminal information

AUDITING IN ORACLE APPLICATIONS (contd)

Audit Trail:
- Keeps a history of changes to data (what changed, who changed it and when)
- Stores change information in a shadow table of the audited table, populated by database triggers on the audited table
- Determines how any data row or element obtained its current value
- Should be enabled for specific application tables and columns only, as it impacts performance if enabled across an instance
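The example below is added here and is not code from the workshop or Oracle's AuditTrail implementation. It puts "About this record" and Audit Trail side by side on one table using sqlite3: the base table carries the creator and last-updater columns the Help menu reads, a shadow table receives the old values from triggers on update and delete, and a query walks the shadow rows to show how a column got its current value, including after the row has been deleted. Oracle AuditTrail generates equivalent triggers and a shadow table for each audited table, but the table, column, user and timestamp values here are constructed, and the session table stands in for the application session that identifies who is making the change.

```python
"""Audit Trail and 'About This Record' on one table: WHO columns on the base
table, a shadow table filled by triggers, and a query that reconstructs how a
column got its current value. Added example using sqlite3; Oracle AuditTrail
generates equivalent triggers and a shadow table, but the table, column and
user names here are constructed."""
import sqlite3

SCHEMA = """
CREATE TABLE session_ctx (user_name TEXT, clock TEXT);   -- stands in for the apps session
CREATE TABLE po_vendors (
    vendor_id INTEGER PRIMARY KEY, vendor_name TEXT, bank_account TEXT,
    created_by TEXT, creation_date TEXT, last_updated_by TEXT, last_update_date TEXT);
CREATE TABLE po_vendors_a (
    audit_seq INTEGER PRIMARY KEY AUTOINCREMENT, vendor_id INTEGER,
    audit_transaction_type TEXT, audit_user_name TEXT, audit_timestamp TEXT,
    vendor_name TEXT, bank_account TEXT, created_by TEXT, creation_date TEXT);
-- the shadow row holds the OLD values, so the last state survives a delete
CREATE TRIGGER po_vendors_au AFTER UPDATE ON po_vendors BEGIN
    INSERT INTO po_vendors_a (vendor_id, audit_transaction_type, audit_user_name, audit_timestamp,
                              vendor_name, bank_account, created_by, creation_date)
    VALUES (OLD.vendor_id, 'U', (SELECT user_name FROM session_ctx), (SELECT clock FROM session_ctx),
            OLD.vendor_name, OLD.bank_account, OLD.created_by, OLD.creation_date);
END;
CREATE TRIGGER po_vendors_ad AFTER DELETE ON po_vendors BEGIN
    INSERT INTO po_vendors_a (vendor_id, audit_transaction_type, audit_user_name, audit_timestamp,
                              vendor_name, bank_account, created_by, creation_date)
    VALUES (OLD.vendor_id, 'D', (SELECT user_name FROM session_ctx), (SELECT clock FROM session_ctx),
            OLD.vendor_name, OLD.bank_account, OLD.created_by, OLD.creation_date);
END;
"""
AUDITED_COLUMNS = {"vendor_name", "bank_account"}


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def _session(conn, user, when):
    conn.execute("DELETE FROM session_ctx")
    conn.execute("INSERT INTO session_ctx VALUES (?, ?)", (user, when))


def create_vendor(conn, vid, name, bank, user, when):
    _session(conn, user, when)
    conn.execute("INSERT INTO po_vendors VALUES (?, ?, ?, ?, ?, ?, ?)",
                 (vid, name, bank, user, when, user, when))


def update_bank_account(conn, vid, bank, user, when):
    _session(conn, user, when)
    conn.execute("UPDATE po_vendors SET bank_account = ?, last_updated_by = ?, "
                 "last_update_date = ? WHERE vendor_id = ?", (bank, user, when, vid))


def delete_vendor(conn, vid, user, when):
    _session(conn, user, when)
    conn.execute("DELETE FROM po_vendors WHERE vendor_id = ?", (vid,))


def about_this_record(conn, vid):
    """What Help > About This Record shows: creator, creation date, last changer."""
    return conn.execute("SELECT created_by, creation_date, last_updated_by, last_update_date "
                        "FROM po_vendors WHERE vendor_id = ?", (vid,)).fetchone()


def history(conn, vid, column):
    """(value, set_by, set_at) for each value the column has held, oldest first."""
    if column not in AUDITED_COLUMNS:       # column name is spliced into SQL: allow-list it
        raise ValueError(f"{column} is not audited")
    old = conn.execute(f"SELECT audit_user_name, audit_timestamp, {column}, created_by, "
                       "creation_date FROM po_vendors_a WHERE vendor_id = ? ORDER BY audit_seq",
                       (vid,)).fetchall()
    live = conn.execute(f"SELECT {column}, created_by, creation_date FROM po_vendors "
                        "WHERE vendor_id = ?", (vid,)).fetchone()
    if not old and not live:
        return []
    by, at = (old[0][3], old[0][4]) if old else (live[1], live[2])
    timeline = []
    for user, when, value, _, _ in old:
        timeline.append((value, by, at))    # the value in force until this change
        by, at = user, when
    timeline.append((live[0] if live else "<deleted>", by, at))
    return timeline


def demo():
    """Constructed history: a bank account changed late one night, then changed back."""
    conn = open_db()
    create_vendor(conn, 100, "Acme Ltd", "GB11 ACME", "JSMITH", "2001-11-05 09:00")
    update_bank_account(conn, 100, "GB99 MULE", "TMP01", "2001-11-20 23:41")
    update_bank_account(conn, 100, "GB11 ACME", "JSMITH", "2001-11-21 08:15")
    return conn
```

The constructed history is the case "About this record" cannot show: after the second update the record says JSMITH created it and JSMITH last changed it, and only the shadow table reveals that TMP01 held the bank account at a different value for a night. The column name is checked against an allow-list before it is spliced into the query; anything else would turn a review tool into an injection point.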


Document Sequencing

- All accounting systems have to prove completeness and provide auditability, and
- Completeness is proof that no documents have been lost or left unposted.


Document Sequencing (contd)

- Document sequencing assigns a number to every transaction, even failed transactions;
- Document sequencing also creates audit data, so that even if documents are deleted the audit trail remains.
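The check below is an added example, not workshop material, of the completeness test the two slides above describe: every number the sequence issued must be traceable to a document, numbers consumed by failed or deleted transactions must be explained by the audit data that survives them, and the range must contain no unissued numbers or duplicates. The sequence audit rows and the document table are constructed and are not Oracle's own sequence-audit table layout.

```python
"""Completeness check on a document sequence: every number the sequence
issued must be traceable to a document, and the range must be gapless and
unique. Added example; the sequence audit rows and document table are
constructed, not Oracle's sequence audit table."""

# Constructed: (sequence name, number issued, document the number went to)
SEQUENCE_AUDIT = [
    ("AP_INVOICES", 1001, "INV-A"), ("AP_INVOICES", 1002, "INV-B"),
    ("AP_INVOICES", 1003, "INV-C"),    # the save failed; the number was still consumed
    ("AP_INVOICES", 1004, "INV-D"),    # document later deleted; the audit row remains
    ("AP_INVOICES", 1006, "INV-F"),    # 1005 was never recorded at all
    ("AP_INVOICES", 1006, "INV-G"),    # same number issued twice
]
# Constructed: documents that exist now, with their posting status
DOCUMENTS = {"INV-A": "posted", "INV-B": "posted", "INV-F": "unposted", "INV-G": "posted"}


def completeness_report(sequence_audit, documents, sequence_name):
    """Findings an auditor would raise before accepting the sequence as complete."""
    rows = [(n, d) for s, n, d in sequence_audit if s == sequence_name]
    numbers = sorted(n for n, _ in rows)
    issued = set(numbers)
    return {
        # a number inside the range that was never issued: the sequence is not gapless
        "gaps": [n for n in range(numbers[0], numbers[-1] + 1) if n not in issued],
        # issued more than once: the trail from number to document is ambiguous
        "duplicates": sorted({n for n in numbers if numbers.count(n) > 1}),
        # issued, but no document now: a failed save or a deletion, proven by the audit row
        "issued_without_document": [(n, d) for n, d in sorted(rows) if d not in documents],
        # document exists but has not been posted: completeness of the ledger is not yet proven
        "unposted": [(n, d) for n, d in sorted(rows) if documents.get(d) == "unposted"],
    }


if __name__ == "__main__":
    for finding, items in completeness_report(SEQUENCE_AUDIT, DOCUMENTS, "AP_INVOICES").items():
        print(finding, items)
```

A failed transaction and a deleted document look the same from the sequence side (a number with no document behind it); what distinguishes them is the audit data the sequence wrote at the time, which is why the second slide stresses that this data is created for every transaction.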

Auditability

Auditability is a means of providing an audit trail from the GL to the source transaction:
- Audit trail from the GL through the subsidiary ledger to the documents that generated the transaction
- Documents the application (e.g. Oracle AR) and the document number (e.g. Invoice # 5432)

APPLICATION SPECIFIC CONTROLS - Examples

ACCOUNTS PAYABLE
- Set limits for invoice amounts
- Hold payment to selected suppliers or to selected invoices
- Set quantity and price tolerances (for matching invoices to purchase orders)
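The code below is an added example, not workshop material and not Oracle Payables' own matching logic, that expresses the three Accounts Payable controls just listed as hold conditions on an invoice matched against its purchase order: an invoice amount limit, payment holds on selected suppliers and selected invoices, and quantity and price tolerances. The hold names, tolerance percentages, supplier codes and sample documents are constructed; Oracle Payables uses its own hold codes, which are not reproduced here.

```python
"""Payables controls from the slide as matching logic: invoice amount limit,
supplier and invoice payment holds, quantity and price tolerances against the
purchase order. Added example; hold names, tolerances and sample documents
are constructed and do not reproduce Oracle Payables' hold codes."""
from dataclasses import dataclass


@dataclass
class PurchaseOrder:
    number: str
    supplier: str
    quantity: float
    unit_price: float


@dataclass
class Invoice:
    number: str
    supplier: str
    po_number: str
    quantity: float
    unit_price: float


CONTROLS = {
    "invoice_amount_limit": 50_000.0,     # invoices above this are held for review
    "qty_tolerance_pct": 2.0,             # invoiced quantity may exceed the PO by 2%
    "price_tolerance_pct": 1.0,           # invoiced unit price may exceed the PO by 1%
    "held_suppliers": {"ACME-LTD"},       # 'hold payment to selected suppliers'
    "held_invoices": {"INV-2001-042"},    # 'hold payment to selected invoices'
}

# Constructed purchase orders the invoices are matched against
PURCHASE_ORDERS = {
    "PO-7001": PurchaseOrder("PO-7001", "BETA-INC", 100, 10.00),
    "PO-7002": PurchaseOrder("PO-7002", "ACME-LTD", 5_000, 10.00),
}


def evaluate_invoice(inv, pos=PURCHASE_ORDERS, controls=CONTROLS):
    """Return the holds the invoice picks up; an empty list means it can be paid."""
    holds = []
    if inv.quantity * inv.unit_price > controls["invoice_amount_limit"]:
        holds.append("AMOUNT LIMIT")
    if inv.supplier in controls["held_suppliers"]:
        holds.append("SUPPLIER HOLD")
    if inv.number in controls["held_invoices"]:
        holds.append("INVOICE HOLD")
    po = pos.get(inv.po_number)
    if po is None:
        holds.append("NO PO")               # nothing to match against: never pay unmatched
        return holds
    if po.supplier != inv.supplier:
        holds.append("PO SUPPLIER MISMATCH")
    if inv.quantity > po.quantity * (1 + controls["qty_tolerance_pct"] / 100):
        holds.append("QTY OVER PO")
    if inv.unit_price > po.unit_price * (1 + controls["price_tolerance_pct"] / 100):
        holds.append("PRICE OVER PO")
    return holds


if __name__ == "__main__":
    print(evaluate_invoice(Invoice("INV-3", "ACME-LTD", "PO-7002", 5_000, 11.00)))
```

Every hold is collected rather than returning at the first one, so the review sees the full picture (a supplier on hold who also over-bills on price is two findings, not one); the only early exit is an invoice with no purchase order, where tolerances have nothing to compare against.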


APPLICATION SPECIFIC CONTROLS - Examples

ORDER ENTRY
- Apply holds to items, customers, sites or orders
- Hold orders at any step of the order process
- Control hold updates by user
- Check credit during order entry and pick release
- Set customer limits per order and for all orders
- Assign tolerances to single-order and total-order limits


Further screenshots: REQUEST GROUP, APPLICATION DASHBOARD, SCHEDULING, PROFILE

Application Security Questions?

