OIC GRCIM

AU.040 Oracle Security Administration Audit Plan

Client

Oracle E-Business Suite Release 12.1.1

Oracle Security Administration Audit Work Plan

Author - Roger Drolet, CPA, MBA, CISA, CITP

Creation Date: 6-July-2010

Last Updated: 07-Sep-2010

Control Ref: grcim_au040_oracle_sec_admin_audit_plan

Version: 1.0

Contents

Document Control
  Change Record
  Reviewers
  Distribution
Using the BR.030 Business Requirements Mapping (BRM) Form
GRC Requirements for SOD and Access Controls
Business Processes: Using Access Controls and Segregation of Duties in AACG 8.5
Mapping Source – Introduction – 1.0
  Business Requirements, Mapping and Process Steps
Proposed Solution – Introduction – 1.0
  Best Practices
  Lessons Learned
  Related Information
Mapping Solution – Introduction – 1.0
  Workaround
  Application Enhancement
  Reengineering Opportunity
  Solution Design Document Reference
  Custom Report
  Interface
  Customization
Mapping Source – Creating Access Policies – 2.0
  Business Requirements Mapping and Process Steps
Proposed Solution – Creating Access Policies – 2.0
  Best Practices
  Lessons Learned
Mapping Solution – Creating Access Policies – 2.0
  Workaround
  Application Enhancement
  Reengineering Opportunity
  Solution Design Document Reference
  Custom Report
  Interface
  Customization
Mapping Source – Finding and Resolving Conflicts – 3.0
  Business Requirements Mapping and Process Steps
Proposed Solution – Finding and Resolving Conflicts – 3.0
  Best Practices
  Lessons Learned
Mapping Solution – Finding and Resolving Conflicts – 3.0
  Workaround
  Application Enhancement
  Reengineering Opportunity
  Solution Design Document Reference
  Custom Report
  Interface
  Customization
Mapping Source – Reporting – 4.0
  Business Requirements Mapping and Process Steps
  Best Practices
  Lessons Learned
  Related Documents
  Workaround
  Application Enhancement
  Reengineering Opportunity
  Solution Design Document Reference
  Custom Report
  Interface
  Customization
Open Issues
Closed Issues

Document Control

Change Record

Date / Author / Rel / Change Reference
07-Sep-10 / Roger Drolet / 1.0 / No previous document

Reviewers

Name / Position

Distribution

Copy No. / Name / Location
1
2
3
4

Introduction

The purpose of these audit plans and internal control questionnaires (ICQs) is to provide the audit, control and security professional with a methodology for evaluating the subject matter of the ISACA publication Security, Audit and Control Features Oracle® E-Business Suite: A Technical and Risk Management Guide, 2nd Edition. They examine key issues and components that need to be considered for this topic. The review questions have been developed and reviewed with regard to COBIT 4.0. Note: The professional should customize the audit programs and ICQs to define each specific organization’s constraints, policies and practices.

The following are included here:

  • Oracle Financial Accounting Business Cycle Audit Plan – Page 2
  • Oracle Financial Accounting Business Cycle ICQ – Page 16
  • Oracle Expenditure Business Cycle Audit Plan – Page 20
  • Oracle Expenditure Business Cycle ICQ – Page 36
  • Oracle Security Administration Audit Plan – Page 40
  • Oracle Security Administration ICQ – Page 53

Item # / Control Objective/Test / Documentation / Matters Arising / Comments / COBIT References

A. Prior Audit/Examination Report Follow-up
Review prior report, if one exists, and verify completion of any agreed-upon corrections. / Note remaining deficiencies / ME1

B. Preliminary Audit Steps
Gain an understanding of the Oracle Applications environment. The same background information obtained for the Oracle Applications Security audit plan is required for and relevant to the business cycles. In particular, obtain the following important information:
1 / Version and release of the Oracle Applications software that has been implemented
2 / Total number of named users (for comparison with logical access security testing results)
3 / Total number of named users (for comparison with logical access security testing results)
4 / Number of Oracle Applications database instances
5 / Company Codes
6 / Modules (e.g., Finance, Manufacturing, Marketing Management, Human Resources, Project Accounting, Supply Chain Management and industry-specific) that are being used
7 / Locally developed application programs, reports or tables created by the organization
8 / Details of the risk assessment approach taken in the organization to identify and prioritize risks
9 / Copies of the organization’s key security policies and standards
10 / Outstanding audit findings, if any, from previous years

Open and Closed Issues for this Deliverable

Open Issues

ID / Issue / Resolution / Responsibility / Target Date / Impact Date
1 / Need to provide related documentation. / Roger Drolet

Closed Issues

ID / Issue / Resolution / Responsibility / Target Date / Impact Date

Copyright © Oracle Independent Consultants (OIC) LLC, 2008. All rights reserved.

grcim_aacg_br030_access_controls_and_sod

Page 1 of 7 / Rev 1.0