Audit as a Service Session ID: 10609

Prepared by: Mike Ward, CEO, Q Software
Be Prepared for your External & your Oracle License Audit
April 25th 2018

Remember to complete your evaluation for this session within the app!

Agenda

• Introduction & Objectives
• Risks on Your ERP System
• External – What are they Looking for?
• Auditing an ERP System
• License Compliance
• Summary

Objectives

• Why should you audit your ERP (what are the risks)?
• How to run an audit in 4 hours
• Does this satisfy Compliance & Audit?
• Keep the Oracle License Audit team at bay

Mike Ward: 40 Years IT Experience, ERP from the Beginning, Serial Entrepreneur, @mikeaward
Brian Stanz: 26 Years IT Experience, JDE & Oracle JDE E1 Development, 200 Security Audits

A Worldwide Business

(World map slide: offices, support desks and industries served)
Sales: Mid-West USA (Cincinnati, OH); Northeast USA (Burlington, MA); Western USA (Denver, CO); Southeast USA (Orlando, FL); UK (Leatherhead, Surrey); EMEA (Bergen op Zoom, Netherlands); Australasia (St Kilda, VIC)
Development: UK (Leatherhead, Surrey); India (Bangalore); Australasia (product development)
Support: EMEA +44 1372 700750; North America +1-888-308-3771 x 711; Australasia regional support desk +61 3 8530 8686
ERP Audit Experience: Energy, Manufacturing/Distribution, Construction/Engineering, Retail, Pharma, Food, Finance/Government, Entertainment

Why do you have an ERP System?

Has your company experienced Fraud? (PwC 2018 Crime & Fraud Survey)

What Can Happen?
• Theft of IPR
• Accidental Data Error
• Process Error
• Change Control Mistake
• Financial Manipulation
• Fraud

No-one would do that to us
• 65% Employees
• 21% Former Employees

Dutch infrastructure group Imtech NV was at the centre of fraud allegations in 2013, after an internal investigation revealed fraud had cost the company hundreds of millions of euros. It was alleged that senior executives of Imtech’s German division ordered managers to revise their financial statements upwards, and made €30m in unjustifiable payments to a company it refers to as “X Group”, which employed former managers from Imtech.

Between the fraud first coming to light in February 2013 and June 2013, its shares fell by 60%. In all the company lost €1 billion of stock market value, and in June 2013 the company admitted that its internal controls had not worked. And on 13th August 2015, Imtech NV went …….

Understand your Fraud Risks
• Inventory Manipulation
• Inter-company Accounts
• Payroll Manipulation
• Suppliers & Credit Limits
• Supplier Account Details

Why Perform an Audit?

• I went live, I need a Plan?
• How good is my Security?
• The CFO Asked…...
• The Auditor is coming tomorrow?
• Visibility: Where are my SoD issues? Who Owns that Issue? What is the Business Risk? How do I fix it? Mitigation?
• Who can Access this Critical Object, Master Data?
• Periodic Access Review
• Oracle Retired GRC/AACG – what does it Tell Us?

• Cost of Compliance needs to be Lower
• Extra Hardware - why?
• Segregation of Duties needs to be Easier
• Content is King
• Project Time & Cost
• Usability = Adoption Rate
• Adaptable to Business Needs
• Specialist Consultancy


Objective of an External Audit

…conducted by an independent auditor to ensure that the company's financial reports present a true & fair view of its financial performance and financial position…

Greatest Risk Factors

• Inadequate Planning
• Lack of policies and procedures:
  • Change Management
  • Access Management
• Security Design Issues:
  • Improper role design or provisioning
  • IT users provisioned access to sensitive business applications
• No Proactive Segregation of Duties checks in place

Plan the Audit

• Pre-Audit – Internal Meeting
• Assess extent of Controls
• Check Documentation & Evidence
• Last Year?
• If you're Weak…...they Will Investigate

Meet the Auditor
• Outline Controls
• Agree the Plan
• Evidence Fraud
• Do NOT exaggerate...... all, any, every, never

Controls form the basis of what the auditor will focus on when reviewing any environment. They provide assurance for information and help mitigate risks associated with the use of technology.

Control Types

IT General Control: ensures the effective operation of application controls; those which depend on computer processes.
Application Control: relates to the input, processing or output of financial transactions.

Examples of IT General Controls

Change Management: Migration of changes, test and documentation
Access Management: Authentication; Administrator level or privileged access reviews
Security Administration: Security strategy model
Segregation of Duties: Sarbanes-Oxley legislation

Change Management

Risk
• Developer access to production / ability to develop and promote their own projects
Mitigation
• Strong control enforcement against such access, or very robust monitoring
• Ability to evidence monitoring
• Utilize a GRC tool

Access Management
Risk
• Users granted inappropriate access
• Privileged users, such as those granted access to IT applications
• Complex security within JDE makes it difficult for management to understand the risks and how to manage them
Mitigation
• Conduct access re-certification / periodic reviews
• Utilize a GRC tool

Reviewing Access
• Perform user access review – users and roles
• Perform security workbench review – roles and security records
• Review Integrity:
  • Users with no roles
  • Roles with no security records
  • Enabled users with expired roles
Periodic reviews allow you to:
• Ensure a user's role is appropriate for their job function / title
• Ensure the security on the role is aligned with the job function
• Maintain clean data (cuts down on mass clean-ups / audit questions)

User Access Provisioning

• Who Approves?
• Visibility & What if?
• SoD Check
• Mitigation
• Periodic Access Review
• Audit?

Security Administration

• Configuration
• Open versus Deny All Security
• User versus Role Based Security
• Access to specific applications and reports

LEAST PRIVILEGE

Access to Master Data Programs

Object Description | % of Users
Business Units | 19%
Company Master | 10%
Automatic Instructions | 40%
Type Master Setup | 19%
Distribution AAIs | 11%
Item Master | 22%
Accounts | 21%

Access to Critical Programs

Object Description | % of Users
Annual Close Report | 12%
Repost Account Ledger | 12%
Purge Prior Year Account Balance | 12%
Batches | 79%
Journal Entries | 59%
Recurring Journal Entries | 41%
Indexed Computations | 28%
Global Sub Update | 9%
Global Account Number Update | 9%
Global Business Unit Change | 9%
Price Adjustment Schedule | 14%
Price Adjustment Detail Revisions | 31%
Cost Revisions | 25%
Sales Price Revisions | 38%

Segregation of Duties
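The three "Review Integrity" checks and the "% of Users" figures for critical programs can both be produced from a security extract. The Python below is an added example, not Q Software's QCloud code or Oracle's: it runs the integrity checks (users with no roles, roles with no security records, enabled users with expired roles) over constructed sample data shaped like the JDE user profile (F0092), role relationship (F95921) and security workbench (F00950) tables, then computes the share of enabled users who can run an object under an Open default and under Deny All. The object names are descriptive stand-ins for real program IDs, dates are JDE Julian (CYYDDD), and the resolution order (user record, then active role records, then the site default) is a simplification of the real Security Workbench logic.

```python
"""Access-review integrity checks over a JDE-style security extract.

Added example, not Q Software's QCloud code or Oracle's. The three
structures below are constructed sample data shaped like the JDE user
profile (F0092), role relationship (F95921) and security workbench (F00950)
tables; object names are descriptive stand-ins for real program IDs, and the
resolution order (user record > active role record > site default) is a
simplification of the real Security Workbench logic.
"""
from datetime import date, timedelta


def jde_julian_to_date(jul):
    """Convert a JDE Julian date (CYYDDD, C = centuries since 1900) to a date."""
    century, yy, ddd = jul // 100000, (jul // 1000) % 100, jul % 1000
    return date(1900 + 100 * century + yy, 1, 1) + timedelta(days=ddd - 1)


# --- constructed sample extract (Julian 118115 = 25 Apr 2018) -------------
USERS = {"ALICE": "Y", "BOB": "Y", "CAROL": "Y", "DAVE": "N", "EVE": "Y"}  # user -> enabled flag

# (user, role, effective date, expiry date); expiry 0 = never expires
ROLE_ASSIGNMENTS = [
    ("ALICE", "GLCLERK", 115001, 0),
    ("BOB", "APCLERK", 116001, 117365),    # expired 31 Dec 2017, user still enabled
    ("BOB", "ORPHANROLE", 116001, 0),      # role with no security records at all
    ("CAROL", "GLCLERK", 115001, 0),
    ("CAROL", "GLSUPER", 118001, 0),
    ("DAVE", "APCLERK", 115001, 117001),   # expired too, but the user is disabled
]

# (subject, object, run allowed); subject is a role or a user id
SECURITY_RECORDS = [
    ("GLCLERK", "JournalEntries", True),
    ("GLSUPER", "JournalEntries", True),
    ("GLSUPER", "AnnualClose", True),
    ("APCLERK", "VendorInvoices", True),
    ("ALICE", "AnnualClose", False),       # user-level deny beats any role grant
]


def users_with_no_roles(users, assignments):
    assigned = {u for u, *_ in assignments}
    return sorted(u for u in users if u not in assigned)


def roles_with_no_security_records(assignments, records):
    secured = {subject for subject, *_ in records}
    return sorted({role for _, role, *_ in assignments} - secured)


def enabled_users_with_expired_roles(users, assignments, as_of):
    return sorted((u, r) for u, r, _eff, exp in assignments
                  if users.get(u) == "Y" and exp and exp < as_of)


def active_roles(user, assignments, as_of):
    return {r for u, r, eff, exp in assignments
            if u == user and eff <= as_of and (exp == 0 or exp >= as_of)}


def can_run(user, obj, assignments, records, as_of, default_open):
    """Explicit user record, else records of the user's active roles, else site default."""
    by_subject = {(s, o): ok for s, o, ok in records}
    if (user, obj) in by_subject:
        return by_subject[(user, obj)]
    hits = [by_subject[(r, obj)] for r in active_roles(user, assignments, as_of)
            if (r, obj) in by_subject]
    if hits:
        return any(hits)        # simplification: a grant from any active role wins
    return default_open         # Open security: no record means allowed


def exposure_percent(obj, users, assignments, records, as_of, default_open):
    """Share of enabled users able to run obj: the 'Access to Critical Programs' figure."""
    enabled = [u for u, flag in users.items() if flag == "Y"]
    hits = sum(can_run(u, obj, assignments, records, as_of, default_open) for u in enabled)
    return round(100 * hits / len(enabled))


if __name__ == "__main__":
    AS_OF = 118115
    print("Review as of", jde_julian_to_date(AS_OF))
    print("Users with no roles:", users_with_no_roles(USERS, ROLE_ASSIGNMENTS))
    print("Roles with no security records:",
          roles_with_no_security_records(ROLE_ASSIGNMENTS, SECURITY_RECORDS))
    print("Enabled users with expired roles:",
          enabled_users_with_expired_roles(USERS, ROLE_ASSIGNMENTS, AS_OF))
    for obj in ("JournalEntries", "AnnualClose"):
        for mode, open_default in (("Deny All", False), ("Open", True)):
            pct = exposure_percent(obj, USERS, ROLE_ASSIGNMENTS, SECURITY_RECORDS, AS_OF, open_default)
            print(f"{obj:15} {mode:9} {pct}% of enabled users")
```

Run as a script to print the findings; the same functions can be pointed at real extracts by replacing the three constructed structures. Note the effect of the site default: under Open security every object without a security record shows 100% exposure, which is why the slide pairs "Open versus Deny All" with LEAST PRIVILEGE, and note that the disabled user DAVE is correctly left out of the expired-role list while the still-enabled BOB is reported.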

“Segregation of duties is the concept of having more than one person required to complete a task. In business the separation by sharing of more than one individual in one single task is an internal control intended to prevent fraud and error.”

Segregation of Duties

(Diagram: a three-way split of one task.) One person maintains custody of cash on hand; a second maintains the balances; a third makes monthly comparisons and reports differences.

Segregation of Duties – Examples of Fraud
• Inappropriate or Overstatements
• Inappropriate depreciation to defer expenses
• Expenses recorded as Fixed Assets
• Inventory manipulation of physical counts
• Inappropriate Intercompany eliminations
• Evidence fraud

Standard Financial Audits are not based on Fraud; however, fraud risks should always be considered.

Model: QCLoud1

Policy ID | Policy Description | Risk Description
001 | Run Bank Reconciliation & Receive Payment | A user could post unapproved invoices for payment and then complete the account reconciliation to conceal those postings.
002 | Maintain Vendor Master & Process Vendor Invoices | Allowing a user to create or modify supplier master records and enter invoices may result in unauthorized or fictitious expenditures, decreased cash flow, conflicts of interest, kickbacks, and circumvention of management purchasing policy.
003 | Maintain Vendor Master & Process Vendor Payments | Allowing a user to create or modify existing supplier master records and process payments may result in unauthorized or fictitious expenditures, decreased cash flow, conflicts of interest, kickbacks, and circumvention of management purchasing policy.
004 | Create AR Adjustment & Create-Maintain Customer Billing | A user with access to make AR adjustments and to create or modify billing could cause issues with invoices, debit memos, chargebacks and on-account credits.
005 | Create AR Adjustment & Create Credit-Debit Memo | Allowing a user to create credit/debit memos and AR adjustments may result in recognition problems, misappropriation of assets, decreased cash flow, and misstatements of accounts receivable and revenue.
006 | Run Bank Reconciliation & Issue Payments | A user could initiate an unapproved cash transaction and then conceal that item in the account reconciliation.
007 | Enter Journals & Approve Journals | Where Journal Approval is not enabled within a particular Set of Books, journal approval can only be achieved by segregating these functions. A user with both abilities may process a journal without authorization and may therefore manipulate financial information.
008 | Enter Journals & Post Journals | Where Journal Approval is not enabled within a particular Set of Books, journal approval can only be achieved by segregating these functions. A user with both abilities may process a journal without authorization and may therefore manipulate financial information.
009 | Enter Journals & Setup Journal Sources | The ability to set up journal sources includes the ability to turn off journal approval for a particular source. Therefore this ability, together with the ability to enter journals, may result in unapproved and therefore unauthorized journals.
010 | Maintain GL Master & Enter Journals | The ability to manipulate the Chart of Accounts should be segregated from all core business transactions in order to ensure accounts, roll-ups and account hierarchies are not manipulated to conceal unauthorized transactions.
011 | Maintain GL Master & Post Journals | The ability to manipulate the Chart of Accounts should be segregated from all core business transactions in order to ensure accounts, roll-ups and account hierarchies are not manipulated to conceal unauthorized transactions.
012 | Open-Close Accounting Periods & Post Journals | Period end processing includes the ability to open and close accounting periods. This ability together with the ability to post journals may result in journals being processed in the incorrect period or prior period accounting information being manipulated.

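Evaluating the QCLoud1 policies against a user population is mechanical once each role is mapped to the business functions it grants. The Python below is an added example, not Q Software's QCloud code: the twelve policy pairs come from the table above, while the roles, their functions, the users, the set-of-books settings and the mitigation register are constructed for illustration (in a real audit the role-to-function mapping is derived from each role's security records). It honours the condition attached to policies 007 and 008 (uncontrolled only where journal approval is off for the user's Set of Books), records documented mitigations, and says whether a conflict comes from one role carrying both functions (a role design problem) or from two roles granted to the same user (a provisioning problem).

```python
"""Segregation-of-duties check against the QCLoud1 policy list above.

Added example, not Q Software's QCloud code. The twelve policy pairs are
taken from the table; the roles, their business functions, the users, the
set-of-books settings and the mitigation register are constructed here.
In a real audit the role -> function mapping is derived from each role's
security records rather than typed in by hand.
"""

# Policy ID -> (function A, function B); the risk text for each is in the table above.
POLICIES = {
    "001": ("Run Bank Reconciliation", "Receive Payment"),
    "002": ("Maintain Vendor Master", "Process Vendor Invoices"),
    "003": ("Maintain Vendor Master", "Process Vendor Payments"),
    "004": ("Create AR Adjustment", "Create-Maintain Customer Billing"),
    "005": ("Create AR Adjustment", "Create Credit-Debit Memo"),
    "006": ("Run Bank Reconciliation", "Issue Payments"),
    "007": ("Enter Journals", "Approve Journals"),
    "008": ("Enter Journals", "Post Journals"),
    "009": ("Enter Journals", "Setup Journal Sources"),
    "010": ("Maintain GL Master", "Enter Journals"),
    "011": ("Maintain GL Master", "Post Journals"),
    "012": ("Open-Close Accounting Periods", "Post Journals"),
}
# 007/008 are only uncontrolled where journal approval is off for the user's set of books.
APPROVAL_DEPENDENT = {"007", "008"}

# --- constructed sample data ---------------------------------------------
ROLE_FUNCTIONS = {
    "GLCLERK": {"Enter Journals"},
    "GLSUPER": {"Post Journals", "Approve Journals", "Open-Close Accounting Periods"},
    "APCLERK": {"Maintain Vendor Master", "Process Vendor Invoices"},  # conflict inside one role
    "TREASURY": {"Run Bank Reconciliation", "Issue Payments"},
}
USER_ROLES = {
    "ALICE": {"GLCLERK"},
    "CAROL": {"GLCLERK", "GLSUPER"},
    "HEIDI": {"GLCLERK", "GLSUPER"},
    "FRANK": {"APCLERK"},
    "GRACE": {"TREASURY"},
}
USER_SET_OF_BOOKS = {"ALICE": "SOB_UK", "CAROL": "SOB_UK", "HEIDI": "SOB_US",
                     "FRANK": "SOB_US", "GRACE": "SOB_US"}
JOURNAL_APPROVAL_ENABLED = {"SOB_UK": False, "SOB_US": True}
# Documented compensating controls: (user, policy id) -> description
MITIGATIONS = {("GRACE", "006"): "Bank reconciliation reviewed and signed off monthly by the Controller"}


def roles_granting(user, function):
    """Which of the user's roles carry the given business function."""
    return {r for r in USER_ROLES.get(user, ()) if function in ROLE_FUNCTIONS.get(r, ())}


def evaluate_user(user):
    """Return {policy_id: (status, cause)} for every policy the user's access triggers.

    status: 'open', 'mitigated' (compensating control on file) or
            'system-controlled' (007/008 where journal approval is enforced).
    cause:  'role design' if one role carries both functions, else 'provisioning'.
    """
    approval_on = JOURNAL_APPROVAL_ENABLED.get(USER_SET_OF_BOOKS.get(user), False)
    findings = {}
    for pid, (fa, fb) in POLICIES.items():
        ra, rb = roles_granting(user, fa), roles_granting(user, fb)
        if not ra or not rb:
            continue
        if (user, pid) in MITIGATIONS:
            status = "mitigated"
        elif pid in APPROVAL_DEPENDENT and approval_on:
            status = "system-controlled"
        else:
            status = "open"
        cause = "role design" if ra & rb else "provisioning"
        findings[pid] = (status, cause)
    return findings


def open_findings():
    """Unmitigated, uncontrolled conflicts across all users: the list the auditor asks for."""
    return sorted((u, pid) for u in USER_ROLES
                  for pid, (status, _) in evaluate_user(u).items() if status == "open")


if __name__ == "__main__":
    for u in USER_ROLES:
        for pid, (status, cause) in sorted(evaluate_user(u).items()):
            print(f"{u:6} {pid} {' & '.join(POLICIES[pid]):55} {status:18} {cause}")
    print("Open:", open_findings())
```

Two details are worth noticing in the output. CAROL and HEIDI hold the same two roles, but only CAROL's 007 and 008 conflicts are open, because her Set of Books has journal approval switched off; the system-controlled ones still deserve a look, since the policy text only says segregation is the sole control when approval is off. And policy 012 fires for both because GLSUPER alone carries both Open-Close Accounting Periods and Post Journals, which is a role design issue that no amount of provisioning hygiene will fix.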

Audit as a Service

Very Rapid, No Effort…...... Answers

QCloud – a Huge Time Saving
• Existing audit processes are manual
  – IT staff create reports – SQL/manual
  – Cobbled together spreadsheets
  – Auditors Review & Question (& loop)
• Tools
  – Specialist On-Prem (CS*Comply, Audit Manager)
  – Expensive & Very Complex (Oracle GRC/AACG)
• QCloud Automates
  – Customer Log In
  – Request, Review
  – Download Report

QCloud Demo….

The Future of Security Audit has Arrived

Functions
• Historic Trends
• Drill Down
• Access Reporting
• SoD Reporting
• Live Audit Results
• Data -> Business Information
• Rapid Results


Are you Compliant with your Oracle License?

Why Perform an Audit?
• Oracle Audit team just called
• Rolled out to another Division
• The CFO Asked
• Planning Ahead
• Understand your Module Usage

• Input Oracle License – auto pick up next release
• Request Audit – No technical requirements
• Report will show:
  – Usage by Module
  – Non-Compliance Modules
  – Custom Modules

QCloud Demo….

License Audit has Arrived

Summary

Security of Customer Data
• Hosted at AWS
• Totally secure Environment
• Encrypted in Flight from customer site to Cloud
• Encrypted at Rest in the QCloud

Audit as a Service – No Technical Effort Required
• General Release – Security Audit – JDE & EBS – 2017
• ERP Cloud – April 2018
• License Audit – JDE February; EBS April; Database May
• Monthly License (12 months)
• Special Offer to End of June – License Audit free of charge with Security Audit

8 Best Practice Tips for ERP Security

1. Understand & Evaluate the Risks (experience is key)
2. Know your Business Processes
3. Audit Live Security
4. Plan your Roles - Authorization
5. A Risk Matrix (yours, not someone else's)
6. Build IT General Controls
7. Use the Tools & the Experience
8. Periodic Review – Involve the Business

Secure & Audit your ERP – Collaborate Sessions

10303 Plan EBS Appsec - Cloud – Sunday 1.45pm Breakers L
103770 Preparing for your Audit – Tuesday 9.45 Lagoon H
112450 JDE Security Panel – Tuesday 1.15 Lagoon A
10302 Moving Audit Solutions to the Cloud (EBS) – Wednesday 9.45 Breakers F
10609 Audit as a Service – Wednesday 11 Shell Seeker A
103740 Moving Audit Solutions to the Cloud (JDE) – Wednesday 2.20 South Seas J
103470 Trek – JDE Security the Easy Way - Thursday 8.30 Lagoon D

STAND 1225

Blog: www.qsoftware.com/blog
Twitter: @QSoftwareGlobal
Email: [email protected]
Facebook: www.facebook.com/QSoftwareGlobal
LinkedIn: www.linkedin.com/company/q-software-global-limited
@mikeaward

Q & A

A 55,000+ member user community for Oracle Cloud, JD Edwards and PeopleSoft customers.

Visit Quest International Users Group at Booth #239

• Learn how Quest can help you receive 4x the return on your Oracle ERP investment
• Walk through a customized Quest Activation Plan (QAP) to maximize your product ROI in partnership with Quest
• Find out more about Quest's product-specific events: PeopleSoft RECONNECT and JD Edwards INFOCUS

Real stories. Real people. Real solutions. [email protected]
