Profile Options: What are they and why should auditors care?
Jeffrey T. Hare, CPA CISA CIA
ERP Risk Advisors
Webinar Logistics
• Hide and unhide the Webinar control panel by clicking on the arrow icon on the top right of your screen
• The small window icon toggles between a windowed and full screen mode
• Ask questions throughout the presentation using the chat dialog
• Questions will be reviewed and answered at the end of the presentation
© 2013 ERPRA
Presentation Agenda
Overview:
• What are they?
• How are they set?
• Example
• Control expectations
• Audit procedures
• Oracle E-Business Suite GRC Health Check
• Questions and Answers
CPE Requirements
Note: CPE will be offered for those that answer at least 4 (of the 5) polls presented during the webinar and attend at least 50 minutes.
Introductions
Jeffrey T. Hare, CPA CISA CIA:
• Founder of ERP Risk Advisors / Oracle User Best Practices Board
• Written various white papers on Internal Controls and Security Best Practices in an Oracle Applications environment
• Frequent contributor to OAUG’s Insight magazine
• Experience includes Big 4 audit, 6 years in CFO/Controller roles – both as auditor and auditee
• In Oracle applications space since 1998 – as client and consultant
• Founder of Internal Controls Repository
• Author, Oracle E-Business Suite Controls: Application Security Best Practices
• Contributing author, Best Practices in Financial Risk Management
• Published in ISACA’s Control Journal and ACFE’s Fraud Magazine
Poll 1: Will you be needing a CPE Certificate?
Answers:
• Yes
• No
• Not Sure
Profile Options – What Are They
• What are they: 8,591 profile options in this 12.1.3 environment
Can be set at:
• Site
• Application
• Responsibility
• Server
• Organization
• User
Impact:
• Process design
• Control design
• Security
• Data security
Level of Risk - Black, Grey, White
• Black – Definitely High Risk
• Grey – Could be High Risk
• White – Most Likely Low Risk
Examples will be presented later in the presentation
Poll 2: If you are an auditor, have you performed an audit of profile option values?
Answers:
• Yes
• No
• Not Sure
• Am not an auditor
Profile Options – How are they set?
Profile options can be set via the following forms:
Form                            Function Name   User Function Name
Update Personal Profile Values  FND_FNDPOMSV    Profile User Values
Update System Profile Values    FND_FNDPOMPV    Profile System Values
5,038 profile options of 8,691 are “Updatable” through the Personal Profile Values form
Can be set at the Site, Application, Responsibility, and User levels in the Profile System Values form – also at Organization and Server, but rare
But also able to be maintained via the Personal Profile Values form (aka Profile User Values)
Poll 3: Have you identified the setting of profile values through the User Profile Values form as a significant risk?
Answers:
• Yes
• No
• Not Sure
• Am not an auditor
Profile Options – Examples
Utilities: Diagnostics profile option [screenshots, five slides; images not captured]
GL: Journal Review Required profile option [screenshots, four slides; images not captured]
From the GL User Guide: [excerpt shown on slide; text not captured]
Profile Options Risk Assessment
Control Expectations
• A risk assessment has been performed to identify which profile options should be subject to the change management process, or all profile option changes are subject to the change management process
• The change management documentation clearly identifies the profile options that are subject to the change management process or states that all profile option changes are subject to the change management process
• A log-based or trigger-based auditing solution has been deployed to build a detailed audit trail of profile option changes
• A quality assurance process is in place that tests for unauthorized changes by tracing actual changes back to approved changes
• Testing of the change management process is performed to verify that the procedures have been followed and properly documented – approvals obtained, etc.
Risks associated with the Personal Profile Values / User Profile Values form have been addressed:
• User profile values form is NOT accessible by any users in the production environment
• The form is restricted through development into the custom.pll that restricts access to just certain profile options that are low risk
Audit Procedures
• Review change management procedures to review for expected controls
• Ask security administrators about expected controls
• Ask security administrators about access to the User Profile Values form and whether any development has been put in place to address the risks associated with access to the form
• Query profile options that are set and trace a sample back to the approval process
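Two queries that support the last two audit procedures above and the control expectation that the Personal Profile Values form is not reachable in production. This is an added example, not from the slides or from ERP Risk Advisors. It assumes read access to the standard Oracle E-Business Suite APPS schema tables named in the queries (FND_PROFILE_OPTIONS, FND_PROFILE_OPTION_VALUES, FND_MENU_ENTRIES, FND_RESP_FUNCTIONS, FND_USER_RESP_GROUPS and related), the usual LEVEL_ID codes (10001 Site through 10006 Organization), and a 12-month audit window, which is a placeholder to adjust.

```sql
-- Query 1: profile option values currently set, decoded by level, with who
-- changed them and when. Sample these rows and trace each change back to an
-- approved change ticket (QA over the change management process).
SELECT po.profile_option_name                      AS internal_name,
       pot.user_profile_option_name                AS user_name,
       DECODE(pov.level_id,
              10001, 'Site',
              10002, 'Application',
              10003, 'Responsibility',
              10004, 'User',
              10005, 'Server',
              10006, 'Organization',
              TO_CHAR(pov.level_id))               AS level_name,
       CASE pov.level_id
         WHEN 10002 THEN (SELECT a.application_short_name
                          FROM   fnd_application a
                          WHERE  a.application_id = pov.level_value)
         WHEN 10003 THEN (SELECT r.responsibility_key
                          FROM   fnd_responsibility r
                          WHERE  r.responsibility_id = pov.level_value
                          AND    r.application_id   = pov.level_value_application_id)
         WHEN 10004 THEN (SELECT u.user_name
                          FROM   fnd_user u
                          WHERE  u.user_id = pov.level_value)
         ELSE TO_CHAR(pov.level_value)
       END                                         AS level_value_name,
       pov.profile_option_value,
       pov.last_update_date,
       (SELECT u2.user_name FROM fnd_user u2
        WHERE  u2.user_id = pov.last_updated_by)   AS last_updated_by_user,
       po.user_changeable_flag                     -- 'Y' = updatable via Personal Profile Values
FROM   fnd_profile_option_values pov
       JOIN fnd_profile_options    po  ON po.profile_option_id   = pov.profile_option_id
       JOIN fnd_profile_options_tl pot ON pot.profile_option_name = po.profile_option_name
                                      AND pot.language            = USERENV('LANG')
WHERE  pov.last_update_date >= ADD_MONTHS(SYSDATE, -12)   -- audit window (assumption)
ORDER  BY pov.last_update_date DESC;

-- Query 2: active users who can reach the Personal Profile Values form
-- (function FND_FNDPOMSV) through any active responsibility, walking nested
-- submenus and honouring function exclusions. The slides' expectation for a
-- production instance is that this returns no rows.
WITH target AS (
  SELECT function_id
  FROM   fnd_form_functions
  WHERE  function_name = 'FND_FNDPOMSV'
),
menu_tree AS (
  -- every (root menu, function) pair reachable through nested submenus
  SELECT CONNECT_BY_ROOT me.menu_id AS root_menu_id,
         me.function_id
  FROM   fnd_menu_entries me
  CONNECT BY NOCYCLE PRIOR me.sub_menu_id = me.menu_id
)
SELECT r.responsibility_key,
       u.user_name,
       urg.end_date AS assignment_end_date
FROM   fnd_responsibility r
       JOIN menu_tree            mt  ON mt.root_menu_id = r.menu_id
       JOIN target               t   ON t.function_id   = mt.function_id
       JOIN fnd_user_resp_groups urg ON urg.responsibility_id             = r.responsibility_id
                                    AND urg.responsibility_application_id = r.application_id
       JOIN fnd_user             u   ON u.user_id = urg.user_id
WHERE  (r.end_date   IS NULL OR r.end_date   > SYSDATE)
AND    (urg.end_date IS NULL OR urg.end_date > SYSDATE)
AND    (u.end_date   IS NULL OR u.end_date   > SYSDATE)
AND    NOT EXISTS (  -- the function is excluded from this responsibility
         SELECT 1
         FROM   fnd_resp_functions rf
         WHERE  rf.responsibility_id = r.responsibility_id
         AND    rf.application_id    = r.application_id
         AND    rf.action_id         = t.function_id
         AND    rf.rule_type         = 'F')
ORDER  BY r.responsibility_key, u.user_name;
```

Query 2 checks function-level exclusions only; a responsibility that excludes the whole submenu (RULE_TYPE 'M') will still be listed, so confirm such hits manually, and a custom.pll restriction of the form, if one exists, is not visible in these tables at all. Query 1 shows only the current value of each option, so it cannot by itself reveal a change that was made and reverted; that is what the audit trail expectation on the previous slide is for.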
Poll 4: Our organization has done the following with respect to profile options: (multiple answers allowed)
Answers:
• Identified profile option changes as needing to go through the change management process
• Performed a risk assessment to identify the profile options that need to go through the CM process
• Have built a system-based audit trail of profile option value changes to allow QA over the changes
• Have restricted the User Profile Values form / put in development to restrict it
• None of the above / Not sure
Oracle E-Business Suite GRC Health Check
This Level I Assessment covers a broad array of best practices noted in the book Oracle E-Business Suite Controls: Application Security Best Practices written by Jeffrey T. Hare, CPA CISA CIA. This assessment offers a 10,000’ view of your organization’s compliance with various application security best practices. The assessment will give you a great ‘first look’ at your organization’s application security environment. The assessment includes analysis, interaction and expertise from one of the industry’s top experts, Jeffrey Hare.
• No charge
• Will do up to four per month / need to schedule them about one / week
• Contact Phil Reimann @ [email protected] or at 774-999-0527 for more information
** Assessment being performed in conjunction with CaoSys using CS*ComplyXE software
Next webinar
SQL Forms in Oracle E-Business Suite - what are they and why should auditors care?
Description: SQL Forms are forms that accept SQL statements (or portions thereof) within an application form. Having access to certain forms gives users the ability to execute ad hoc SQL statements (and in some cases OS scripts). In this educational webinar, we will provide examples of how these forms can be used to manipulate data and commit fraud. We will then discuss policies, procedures, and controls necessary to mitigate the risks associated with these SQL forms.
Date: Tue, Feb 12, 2013 2:00 PM - 3:00 PM EST
Registration url: https://www1.gotomeeting.com/register/745316449
Questions and Answers
Poll 5: Will you be needing a CPE Certificate?
Answers:
• Yes
• No
Resources
• Jeffrey Hare’s book “Oracle E-Business Suite Controls: Application Security Best Practices” – available at the Collaborate bookstore; online
• www.erpra.net
Oracle Apps Internal Controls Repository
Internal Controls and Security Public Domain Repository
Sample of content:
• White papers
• Sample development specs
• Sample forms personalizations
• Sample policies and procedures
• SQL Training Docs
• Forms that Allow SQL Statements
• List of Generic Application Users
Best Practices Caveat
The Best Practices cited in this presentation have not been validated with your external auditors nor has there been any systematic study of industry practices to determine they are ‘in fact’ Best Practices for a representative sample of companies attempting to comply with the Sarbanes-Oxley Act of 2002 or other corporate governance initiatives mentioned. The Best Practice examples given here should not substitute for accounting or legal advice for your organization and provide no indemnification from fraud or material misstatements in your financial statements or control deficiencies.
ERP Risk Advisors
Contact Information:
Cell for Jeff: 970-324-1450
E-mail: [email protected]
Website: www.erpra.net
Website: www.oubpb.com
Skype: jhareaz
LinkedIn: http://www.linkedin.com/in/jeffreythare
Twitter: http://twitter.com/jeffreythare
Blog: http://jeffreythare.blogspot.com/
LinkedIn Groups: Oracle GRC, Oracle ERP Auditors