Profile Options: What are they and why should auditors care?

Jeffrey T. Hare, CPA CISA CIA
ERP Risk Advisors
Webinar Logistics
• Hide and unhide the Webinar control panel by clicking on the arrow icon on the top right of your screen
• The small window icon toggles between a windowed and full screen mode
• Ask questions throughout the presentation using the chat dialog
• Questions will be reviewed and answered at the end of the presentation
3
© 2013 ERPRA
Presentation Agenda
Overview:
• What are they?
• How are they set?
• Example
• Control expectations
• Audit procedures
• Oracle E-Business Suite GRC Health Check
• Questions and Answers
CPE Requirements
Note: CPE will be offered for those that answer
at least 4 (of the 5) polls presented during the
webinar and attend at least 50 minutes.
Introductions
Jeffrey T. Hare, CPA CISA CIA:
• Founder of ERP Risk Advisors / Oracle User Best Practices Board
• Written various white papers on Internal Controls and Security Best Practices in an Oracle Applications environment
• Frequent contributor to OAUG’s Insight magazine
• Experience includes Big 4 audit, 6 years in CFO/Controller roles – both as auditor and auditee
• In Oracle applications space since 1998 – as client and consultant
• Founder of Internal Controls Repository
• Author, Oracle E-Business Suite Controls: Application Security Best Practices
• Contributing author, Best Practices in Financial Risk Management
• Published in ISACA’s Control Journal and ACFE’s Fraud Magazine
Poll 1: Will you be needing a CPE Certificate?
Answers:
• Yes
• No
• Not Sure
Profile Options – What Are They
What are they:
• 8,591 profile options in this 12.1.3 environment
Can be set at:
• Site
• Application
• Responsibility
• Server
• Organization
• User
Profile Options – What Are They
Impact:
• Process design
• Control design
• Security
• Data security
Profile Options – What Are They
Level of Risk - Black, Grey, White
• Black – Definitely High Risk
• Grey – Could be High Risk
• White – Most Likely Low Risk
Examples will be presented later in the presentation
Poll 2: If you are an auditor, have you performed an audit of profile option values?
Answers:
• Yes
• No
• Not Sure
• Am not an auditor
Profile Options – How are they set?
Profile Option can be set via the following forms:

Form                              Function Name    User Function Name
Update Personal Profile Values    FND_FNDPOMSV     Profile User Values
Profile Options – How are they set?
Profile Option can be set via the following forms:

Form                              Function Name    User Function Name
Update System Profile Values      FND_FNDPOMPV     Profile System Values
Profile Options – How are they set?
5,038 profile options of 8,691 are “Updatable” through the Personal Profile Values form
Profile Options – How are they set?
Can be set at the Site, Application, Responsibility, and User levels in the Profile System Values form – also at Organization and Server, but rarely
Profile Options – How are they set?
But also able to be maintained via the Personal Profile Values form (aka Profile User Values)
Poll 3: Have you identified the setting of profile values through the User Profile Values form as a significant risk?
Answers:
• Yes
• No
• Not Sure
• Am not an auditor
Profile Options – Examples
Utilities: Diagnostics profile option
Profile Options – Examples
GL: Journal Review Required profile option
From the GL User Guide:
Profile Options – Examples
Profile Options Risk Assessment
Control Expectations
• A risk assessment has been performed to identify which profile options should be subject to the change management process, or all profile option changes are subject to the change management process
• The change management documentation clearly identifies the profile options that are subject to the change management process or states that all profile option changes are subject to the change management process
• A log-based or trigger-based auditing solution has been deployed to build a detailed audit trail of profile option changes
Control Expectations
• A quality assurance process is in place that tests for unauthorized changes by tracing actual changes back to approved changes
• Testing of the change management process is performed to verify that the procedures have been followed and properly documented – approvals obtained, etc.
Control Expectations
Risks associated with the Personal Profile Values / User Profile Values form have been addressed:
• User Profile Values form is NOT accessible by any users in the production environment
• The form is restricted through development in the custom.pll that restricts access to just certain profile options that are low risk
Audit Procedures
• Review change management procedures for the expected controls
• Ask security administrators about expected controls
• Ask security administrators about access to the User Profile Values form and whether any development has been put in place to address the risks associated with access to the form
• Query profile options that are set and trace a sample back to the approval process
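The last audit procedure above (query the profile option values that are set and trace a sample back to approvals), as an added SQL example that is not part of the slides: it lists every value stored in the FND profile value table with the level it is set at, who last changed it and when, and whether the option is “Updatable” from the Personal Profile Values form; the companion count reproduces the kind of figure the earlier slide quotes. Table and column names (FND_PROFILE_OPTIONS, FND_PROFILE_OPTIONS_TL, FND_PROFILE_OPTION_VALUES, FND_USER) and the level-id decode are from the standard FND schema as the editor knows it and are assumptions to confirm against your own instance.

```sql
-- Added audit query (not from the slides). Assumes the standard Oracle EBS
-- FND tables named in the lead-in; verify them in your instance first.
SELECT po.profile_option_name                  AS internal_name,
       tl.user_profile_option_name             AS user_name,
       DECODE(pov.level_id,                    -- level ids per the FND data model
              10001, 'Site',
              10002, 'Application',
              10003, 'Responsibility',
              10004, 'User',
              10005, 'Server',
              10006, 'Organization',
              TO_CHAR(pov.level_id))           AS level_name,
       pov.level_value,                        -- id of the app/resp/user/etc. the value applies to
       pov.profile_option_value,
       po.user_changeable_flag                 AS updatable_via_personal_form,
       fu.user_name                            AS last_updated_by,
       pov.last_update_date
  FROM fnd_profile_options       po
  JOIN fnd_profile_options_tl    tl  ON tl.profile_option_name = po.profile_option_name
                                    AND tl.language = USERENV('LANG')
  JOIN fnd_profile_option_values pov ON pov.profile_option_id = po.profile_option_id
  LEFT JOIN fnd_user             fu  ON fu.user_id = pov.last_updated_by
 WHERE pov.last_update_date >= ADD_MONTHS(SYSDATE, -12)   -- constructed audit window
   -- To focus on the two options used as examples in this deck, add:
   -- AND tl.user_profile_option_name IN ('Utilities: Diagnostics',
   --                                     'GL: Journal Review Required')
 ORDER BY pov.last_update_date DESC, po.profile_option_name, pov.level_id;

-- Companion count: how many options can be changed from the Personal Profile
-- Values form at all (compare with the "5,038 of 8,691" figure on the slide).
SELECT po.user_changeable_flag, COUNT(*) AS option_count
  FROM fnd_profile_options po
 GROUP BY po.user_changeable_flag;
```

Rows whose LAST_UPDATED_BY user is not a named administrator, or whose date falls outside any approved change window, are the ones to select for tracing back to the change management record.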
Poll 4: Our organization has done the following with respect to profile options (multiple answers allowed):
Answers:
• Identified profile option changes as needing to go through the change management process
• Performed a risk assessment to identify which profile options need to go through the CM process
• Have built a system-based audit trail of profile option value changes to allow QA over the changes
• Have restricted the User Profile Values form / put in development to restrict it
• None of the above / Not sure
Oracle E-Business Suite GRC Health Check
This Level I Assessment covers a broad array of best practices noted in the book Oracle E-Business Suite Controls: Application Security Best Practices written by Jeffrey T. Hare, CPA CISA CIA. This assessment offers a 10,000’ view of your organization’s compliance with various application security best practices. The assessment will give you a great ‘first look’ at your organization’s application security environment. The assessment includes analysis, interaction and expertise from one of the industry’s top experts, Jeffrey Hare.
Oracle E-Business Suite GRC Health Check
• No charge
• Will do up to four per month / need to schedule them about one per week
• Contact Phil Reimann @ [email protected] or at 774-999-0527 for more information
** Assessment being performed in conjunction with CaoSys using CS*ComplyXE software
Next webinar
SQL Forms in Oracle E-Business Suite - what are they and why should auditors care?
Description:
SQL Forms are forms that accept SQL statements (or portions thereof) within an application form. Having access to certain forms gives users the ability to execute ad hoc SQL statements (and in some cases OS scripts). In this educational webinar, we will provide examples of how these forms can be used to manipulate data and commit fraud. We will then discuss policies, procedures, and controls necessary to mitigate the risks associated with these SQL forms.
Date: Tue, Feb 12, 2013 2:00 PM - 3:00 PM EST
Registration url: https://www1.gotomeeting.com/register/745316449
Questions and Answers
Poll 5: Will you be needing a CPE Certificate?
Answers:
• Yes
• No
Resources
• Jeffrey Hare’s book “Oracle E-Business Suite Controls: Application Security Best Practices” – available at the Collaborate bookstore and online
• www.erpra.net
Oracle Apps Internal Controls Repository
Internal Controls and Security Public Domain Repository
Sample of content:
• White papers
• Sample development specs
• Sample forms personalizations
• Sample policies and procedures
• SQL Training Docs
• Forms that Allow SQL Statements
• List of Generic Application Users
Best Practices Caveat
The Best Practices cited in this presentation have not been validated with your external auditors, nor has there been any systematic study of industry practices to determine they are ‘in fact’ Best Practices for a representative sample of companies attempting to comply with the Sarbanes-Oxley Act of 2002 or other corporate governance initiatives mentioned. The Best Practice examples given here should not substitute for accounting or legal advice for your organization and provide no indemnification from fraud or material misstatements in your financial statements or control deficiencies.
ERP Risk Advisors
Contact Information:
• Cell for Jeff: 970-324-1450
• E-mail: [email protected]
• Website: www.erpra.net
• Website: www.oubpb.com
• Skype: jhareaz
• LinkedIn: http://www.linkedin.com/in/jeffreythare
• Twitter: http://twitter.com/jeffreythare
• Blog: http://jeffreythare.blogspot.com/
• LinkedIn Groups: Oracle GRC, Oracle ERP Auditors