Profile Options: What are they and why should auditors care?

Jeffrey T. Hare, CPA CISA CIA, ERP Risk Advisors

Post on 06-Feb-2018


Transcript


Webinar Logistics

• Hide and unhide the Webinar control panel by clicking on the arrow icon on the top right of your screen
• The small window icon toggles between a windowed and full screen mode
• Ask questions throughout the presentation using the chat dialog
• Questions will be reviewed and answered at the end of the presentation

© 2013 ERPRA

Presentation Agenda

Overview:

• What are they?
• How are they set?
• Example
• Control expectations
• Audit procedures
• Oracle E-Business Suite GRC Health Check
• Questions and Answers

CPE Requirements

Note: CPE will be offered for those that answer at least 4 (of the 5) polls presented during the webinar and attend at least 50 minutes.

Introductions

Jeffrey T. Hare, CPA CISA CIA:

• Founder of ERP Risk Advisors / Oracle User Best Practices Board
• Written various white papers on Internal Controls and Security Best Practices in an Oracle Applications environment
• Frequent contributor to OAUG’s Insight magazine
• Experience includes Big 4 audit, 6 years in CFO/Controller roles – both as auditor and auditee
• In Oracle applications space since 1998 – as client and consultant
• Founder of Internal Controls Repository
• Author, Oracle E-Business Suite Controls: Application Security Best Practices
• Contributing author, Best Practices in Financial Risk Management
• Published in ISACA’s Control Journal and ACFE’s Fraud Magazine

Poll 1: Will you be needing a CPE Certificate?

Answers:
• Yes
• No
• Not Sure

Profile Options – What Are They

• What are they: 8,591 profile options in this 12.1.3 environment

Can be set at:
• Site
• Application
• Responsibility
• Server
• Organization
• User

Profile Options – What Are They

Impact:
• Process design
• Control design
• Security
• Data security

Profile Options – What Are They

Level of Risk - Black, Grey, White
• Black – Definitely High Risk
• Grey – Could be High Risk
• White – Most Likely Low Risk

Examples will be presented later in the presentation

Poll 2: If you are an auditor, have you performed an audit of profile option values?

Answers:
• Yes
• No
• Not Sure
• Am not an auditor

Profile Options – How are they set?

Profile options can be set via the following forms:

Form                            Function Name   User Function Name
Update Personal Profile Values  FND_FNDPOMSV    Profile User Values
Update System Profile Values    FND_FNDPOMPV    Profile System Values

Profile Options – How are they set?

5,038 profile options of 8,691 are “Updatable” through the Personal Profile Values form.

Can be set at the Site, Application, Responsibility, and User levels in the Profile System Values form – also at Organization and Server, but rare.

But also able to be maintained via the Personal Profile Values form (aka Profile User Values).

Poll 3: Have you identified the setting of profile values through the User Profile Values form as a significant risk?

Answers:
• Yes
• No
• Not Sure
• Am not an auditor

Profile Options – Examples

Utilities: Diagnostics profile option

GL: Journal Review Required profile option

From the GL User Guide:

Profile Options Risk Assessment

Control Expectations

• A risk assessment has been performed to identify which profile options should be subject to the change management process, or all profile option changes are subject to the change management process
• The change management documentation clearly identifies the profile options that are subject to the change management process or states that all profile option changes are subject to the change management process
• A log-based or trigger-based auditing solution has been deployed to build a detailed audit trail of profile option changes
• A quality assurance process is in place that tests for unauthorized changes by tracing actual changes back to approved changes
• Testing of the change management process is performed to verify that the procedures have been followed and properly documented – approvals obtained, etc.

Control Expectations

Risks associated with the Personal Profile Values / User Profile Values form have been addressed:
• User profile values form is NOT accessible by any users in the production environment
• The form is restricted through development into the custom.pll that restricts access to just certain profile options that are low risk
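One way to test the first expectation (that the Personal Profile Values form is not reachable in production), written as an added example rather than a query from the webinar: walk every active responsibility's menu tree and report those that reach FND_FNDPOMSV (Personal Profile Values) or FND_FNDPOMPV (System Profile Values). It assumes the standard EBS FND tables (FND_RESPONSIBILITY, FND_MENU_ENTRIES, FND_FORM_FUNCTIONS, FND_USER_RESP_GROUPS_DIRECT) and Oracle 11gR2+ recursive subquery factoring; menu exclusion rules are not applied.

```sql
-- Added example, not from the webinar. Assumes standard EBS FND tables.
-- Finds active responsibilities whose menu tree reaches the profile value
-- forms, plus how many active users hold each one. Menu exclusions
-- (FND_RESP_FUNCTIONS) are NOT applied, so check any hit against those too.
WITH menu_tree (responsibility_id, application_id, menu_id, function_id) AS (
  -- anchor: entries on each active responsibility's top-level menu
  SELECT r.responsibility_id, r.application_id, e.sub_menu_id, e.function_id
  FROM   fnd_responsibility r
         JOIN fnd_menu_entries e ON e.menu_id = r.menu_id
  WHERE  r.end_date IS NULL OR r.end_date > SYSDATE
  UNION ALL
  -- recursion: descend into each sub-menu
  SELECT t.responsibility_id, t.application_id, e.sub_menu_id, e.function_id
  FROM   menu_tree t
         JOIN fnd_menu_entries e ON e.menu_id = t.menu_id
)
CYCLE menu_id SET is_cycle TO 'Y' DEFAULT 'N'   -- guard against looping menus
SELECT rt.responsibility_name,
       ff.function_name,
       (SELECT COUNT(DISTINCT urg.user_id)
        FROM   fnd_user_resp_groups_direct urg
        WHERE  urg.responsibility_id             = t.responsibility_id
        AND    urg.responsibility_application_id = t.application_id
        AND    (urg.end_date IS NULL OR urg.end_date > SYSDATE)) AS active_users
FROM   (SELECT DISTINCT responsibility_id, application_id, function_id
        FROM   menu_tree
        WHERE  function_id IS NOT NULL) t
       JOIN fnd_form_functions ff
         ON ff.function_id = t.function_id
       JOIN fnd_responsibility_tl rt
         ON rt.responsibility_id = t.responsibility_id
        AND rt.application_id   = t.application_id
        AND rt.language         = USERENV('LANG')
WHERE  ff.function_name IN ('FND_FNDPOMSV', 'FND_FNDPOMPV')
ORDER  BY ff.function_name, rt.responsibility_name;
```

Any row returned for FND_FNDPOMSV in production contradicts the expectation above and should be matched against the custom.pll restriction, if one exists.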

Audit Procedures

• Review change management procedures for expected controls
• Ask security administrators about expected controls
• Ask security administrators about access to the User Profile Values form and whether any development has been put in place to address the risks associated with access to the form
• Query profile options that are set and trace a sample back to the approval process
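The last procedure, querying the profile option values that are set, as an added example (not a query from the webinar): it lists every stored value with its level decoded, the user who last changed it and when, so an auditor can pull a sample for tracing to approvals. It assumes the standard EBS FND tables (FND_PROFILE_OPTION_VALUES, FND_PROFILE_OPTIONS, FND_PROFILE_OPTIONS_TL) and the usual LEVEL_ID codes; the 12-month window is an assumed audit period.

```sql
-- Added example, not from the webinar. Assumes standard EBS FND tables and
-- the usual LEVEL_ID codes (10001 Site ... 10006 Organization).
-- Rows at level 10004 (User) are the ones the Personal Profile Values form
-- writes, so they are the population for the risk discussed above.
SELECT pot.user_profile_option_name                  AS profile_option,
       po.profile_option_name                        AS internal_name,
       po.user_changeable_flag                       AS user_changeable,
       DECODE(pov.level_id,
              10001, 'Site',
              10002, 'Application',
              10003, 'Responsibility',
              10004, 'User',
              10005, 'Server',
              10006, 'Organization',
              TO_CHAR(pov.level_id))                 AS level_name,
       CASE pov.level_id
         WHEN 10002 THEN (SELECT a.application_short_name
                          FROM   fnd_application a
                          WHERE  a.application_id = pov.level_value)
         WHEN 10003 THEN (SELECT rt.responsibility_name
                          FROM   fnd_responsibility_tl rt
                          WHERE  rt.application_id    = pov.level_value_application_id
                          AND    rt.responsibility_id = pov.level_value
                          AND    rt.language          = USERENV('LANG'))
         WHEN 10004 THEN (SELECT u.user_name
                          FROM   fnd_user u
                          WHERE  u.user_id = pov.level_value)
         ELSE TO_CHAR(pov.level_value)
       END                                           AS level_value_name,
       pov.profile_option_value,
       pov.last_update_date,
       (SELECT u.user_name
        FROM   fnd_user u
        WHERE  u.user_id = pov.last_updated_by)      AS last_updated_by
FROM   fnd_profile_option_values pov
       JOIN fnd_profile_options po
         ON po.profile_option_id = pov.profile_option_id
       JOIN fnd_profile_options_tl pot
         ON pot.profile_option_name = po.profile_option_name
        AND pot.language            = USERENV('LANG')
WHERE  pov.last_update_date >= ADD_MONTHS(SYSDATE, -12)   -- assumed audit period
ORDER  BY pov.last_update_date DESC, pot.user_profile_option_name;
```

Because only the current value is stored, a change that was later reverted leaves no trace here; that is why the control expectations call for a log-based or trigger-based audit trail.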

Poll 4: Our organization has done the following with respect to profile options (multiple answers allowed):

Answers:
• Identified profile option changes as needing to go through the change management process
• Performed a risk assessment to identify the profile options that need to go through the CM process
• Have built a system-based audit trail of profile option value changes to allow QA over the changes
• Have restricted the User Profile Values form / put in development to restrict it
• None of the above / Not sure

Oracle E-Business Suite GRC Health Check

This Level I Assessment covers a broad array of best practices noted in the book Oracle E-Business Suite Controls: Application Security Best Practices written by Jeffrey T. Hare, CPA CISA CIA. This assessment offers a 10,000’ view of your organization’s compliance with various application security best practices. The assessment will give you a great ‘first look’ at your organization’s application security environment. The assessment includes analysis, interaction and expertise from one of the industry’s top experts, Jeffrey Hare.

• No charge
• Will do up to four per month / need to schedule them about one / week
• Contact Phil Reimann @ preimann@erpra.net or at 774-999-0527 for more information

** Assessment being performed in conjunction with CaoSys using CS*ComplyXE software

Next webinar

SQL Forms in Oracle E-Business Suite - what are they and why should auditors care?

Description: SQL Forms are forms that accept SQL statements (or portions thereof) within an application form. Having access to certain forms gives users the ability to execute ad hoc SQL statements (and in some cases OS scripts). In this educational webinar, we will provide examples of how these forms can be used to manipulate data and commit fraud. We will then discuss policies, procedures, and controls necessary to mitigate the risks associated with these SQL forms.

Date: Tue, Feb 12, 2013 2:00 PM - 3:00 PM EST

Registration url: https://www1.gotomeeting.com/register/745316449

Questions and Answers

Poll 5: Will you be needing a CPE Certificate?

Answers:
• Yes
• No

Resources

• Jeffrey Hare’s book “Oracle E-Business Suite Controls: Application Security Best Practices” – available at Collaborate bookstore; online
• www.erpra.net

Oracle Apps Internal Controls Repository

Internal Controls and Security Public Domain Repository

Sample of content:
• White papers
• Sample development specs
• Sample forms personalizations
• Sample policies and procedures
• SQL Training Docs
• Forms that Allow SQL Statements
• List of Generic Application Users

Best Practices Caveat

The Best Practices cited in this presentation have not been validated with your external auditors nor has there been any systematic study of industry practices to determine they are ‘in fact’ Best Practices for a representative sample of companies attempting to comply with the Sarbanes-Oxley Act of 2002 or other corporate governance initiatives mentioned. The Best Practice examples given here should not substitute for accounting or legal advice for your organization and provide no indemnification from fraud or material misstatements in your financial statements or control deficiencies.

ERP Risk Advisors

Contact Information:

Cell for Jeff: 970-324-1450

E-mail: jhare@erpra.net

Website: www.erpra.net

Website: www.oubpb.com

Skype: jhareaz

LinkedIn: http://www.linkedin.com/in/jeffreythare

Twitter: http://twitter.com/jeffreythare

Blog: http://jeffreythare.blogspot.com/

LinkedIn Groups: Oracle GRC, Oracle ERP Auditors
