The TRUTH About SOX, Auditors

1
The TRUTH About SOX, Auditors Oracle

• Applimation is the leading provider of
  Application Lifecycle Management solutions

2
Year 1 Manual Documentation

• Uncertainty
• Methodology (COSO, COBIT, etc.)
• Lots of manual effort
• What about the projects we pushed-back last year?
• We have to do this all over again?
• Quarterly and annual sign-offs (302, 404)

3
Interesting Statistics

• 27 companies with Revenue 75M disclosed a
  material weakness in January 2005 (compared to 7
  in January 2004)
• 70 of the disclosures were related to financial
  systems and procedures

4
Year 2 SOX as a Sustainable Solution

• Automate the Process
• Test and monitor controls
• Infrastructure to support both
  (people / software)
• Adapt to your control methodology
• Not all controls are the same

5
Sarbanes-Oxley Cycles
YEAR 2, 3, 4 Monitor Changes Test
Controls Applimation Integra Continuous
Monitoring
YEAR 1 Document Processes, Risks Controls
6
All Controls are Not the Same

• Prevent Controls
• STOP a transaction or change from occurring
• Detect Controls
• Alert when a sensitive or material transaction or
  change occurs
• Monitoring Controls
• Capture information for a subsequent review.
  This level of reporting is very effective in
  providing information for auditors performing
  quarterly tests of controls.

7
Controls Trouble-areas

• General IT Controls
• Access (Security) controls
• Change management controls
• Application Controls
• Embedded application controls
• Embedded operation controls

• INTEGRA
• Access, Forms
• Apps, Codebase
• Apps, Transaction
• Apps, Transaction

8
Tough Questions for Oracle Applications

• How do you know key controls are operating
  effectively throughout year?
• Can you report on ALL changes to key controls?
• How do you search for segregation of duties or
  evaluate user access?
• How do you know controls are same for each
  business unit?
• How do you document key controls within systems?

9
Continuous Monitoring in Oracle Applications

• Applimation Integra

10
Continuous Monitoring in Oracle Applications
Applimation Integra
KEY CONTROLS TRANSACTIONS
CONTINUOUSMONITORING
PREVENTION
Transactions
Oracle Applications environment
Integra Forms
Integra Transaction
Security
Integra Access
Setups
Integra Apps
Code
Integra Codebase
DATABASE
OPERATING SYSTEM
11
Integra Access

• Evaluate User Access Search for Segregation of
  Duties Issues

12
Integra Access

• Evaluate User Access
• Search by User
• Search by Form/Function

User

• Search for Segregation of Duties
• Identify incompatible Functions Forms

13
Segregation of Duties
14
Best Practices - (SOD) templates

• Order to Cash
• Order Entry
• Accounts Receivables
• Inventory
• Human Resource Management and Payroll
• Human Resource Mgt. System
• Payroll
• Application Administration (including security
  and configuration management)
• System Administration
• Application Object Library (AOL)

• Financial Reporting and Maintenance of Accounting
  Records
• General Ledger
• Cash Management
• Accounts Receivable
• Accounts Payable
• Procure to Pay Business Process
• Purchasing
• Accounts Payable
• Inventory
• Costing

15
Integra Access SOD Prevention
16
Integra Apps

• Continuous monitoring within Oracle

17
Integra Apps Codebase
Integra Apps Setups InstancesSets of
BooksOperating UnitsVersions MonitoringReportin
gAlerting Application Setups
Automated Documentation Comparisons Change
Tracking Migration
Integra Codebase FormsReportsCode EnvironmentsO
racle VersionsCode Versions MonitoringReporting
Alerting Code Promotion
18
Examples of Setups

• Setup Data
• Application Security
• Document Approvals
• Chart of Accounts
• Profile Options
• Users
• Application Setups
• MRP rules

• Operational Data
• Customers
• Suppliers
• Employees
• Buyers
• Items
• Chart of Account Values
• Category Codes

19
Example of System Controls

• 3-way matching of PO, Invoice and Receipt
• Document spending limits (authorization of PO)
• Security rules access to sensitive transactions
• Employee salaries
• Chart of account values
• Financial statement reports (FSGs)
• Price lists
• Inventory attributes
• Action for late delivery of goods
• Inventory stocking rules
• Rules to create tax on sales orders
• Depreciation methods

20
Best Practices - Audit Trail Templates

• SOX implications (audit trail) for over 3000
  objects.
• Affects / supports a control change tracking
  provides visibility to ensure controls have been
  operating throughout the entire audit period
• Financial statement impact could potentially
  impact a financial statement
• Operational impact changes to business settings
  could be difficult to identify

21
Automated Documentation Snapshot

• Point-in-time picture
• Run on demand or scheduled

22
Snapshot Report
23
Comparison Report
24
Automated Change Tracking

• Integra Apps - Change Tracking
• Who?
• What?
• When?
• Where?

Automatically captures a complete historical
audit trail. Details of EVERY change.
25
Change Tracking
When?
What?
Who?
Where?
26
On-line Change Tracking
27
Tough Questions for Oracle Applications

• How do you know key controls are operating
  effectively throughout year?
• Can you report on ALL changes to key controls?
• How do you search for segregation of duties or
  evaluate user access?
• How do you know controls are same for each
  business unit?
• How do you document key controls within systems?

28
Over 300 Customers Worldwide
29
Integra - Applied
Sarbanes-Oxley compliance for Section 404
internal controls report
Leading Accounting firms adopt Integra as
standard tool for audits of Oracle
Version control for 11i upgrade and on-going
maintenance
30
Continuous Monitoring in Oracle Applications
Applimation Integra
KEY CONTROLS TRANSACTIONS
CONTINUOUSMONITORING
PREVENTION
Transactions
Oracle Applications environment
Integra Forms
Integra Transaction
Security
Integra Access
Setups
Integra Apps
Code
Integra Codebase
DATABASE
OPERATING SYSTEM
31
For more information
www.applimation.com
(212) 500-1200 sales_at_applimation.com
32
Architecture
Test 11i
Dev 10.7
Prod 1 11.0.3
Prod 2 10.7
Applimation Home
APPSERVER
Snapshots Comparisons
USER
33
Architecture
Test 11i
Dev 10.7
Prod 1 11.0.3
Prod 2 10.7
Applimation Home
Snapshots Comparisons