Oracle Financial Auditing
Agenda
Application controls: General Ledger, Payables, Receivables and Purchasing controls
Lunch
Introduction to the Oracle Governance, Risk and Compliance suite
Application Access Controls Governor
Configuration Controls Governor
Preventive Controls Governor
Transaction Controls Governor
Oracle GRCM and GRCI (GRC Manager and GRC Intelligence)
Normally, the human resource organization structure depicts the organizational elements of the human resource model, while the financial organization structure depicts the organizational elements relevant to the accounting model. Together these may also be viewed as the enterprise structure.
Figure: financial organization model. A business group (BG1, BG2) sits above the ledgers (primary ledgers PL1-PL3, secondary ledger SL1); each primary ledger owns legal entities (LE1-LE4), which own operating units (OU1-OU4), which own inventory organizations (INV1-INV5). Alongside, the HR organization hierarchy under business group BG1 has three levels (HR L11-L13, HR L21-L24, HR L31-L34).
Business group
The business group represents the highest level in the organization structure and identifies certain HR-specific attributes such as job structures and grade structures. Multiple ledgers can share the same business group if they share the same business group attributes. Approval hierarchies are affected by the business group structure.
Ledgers
At least one ledger (set of books) must be defined, and multiple types of ledgers can exist:
Primary ledger: the books of record
Secondary ledger: linked to a primary ledger; used where there is a need for an alternate representation of financial information
Consolidated ledger: consolidates information from the primary ledgers
Legal entity
In the Oracle model, the legal entity represents the statutory entities of the organization for which fiscal or tax reports are prepared. The legal entities established as part of the enterprise structure may be viewed as equivalent either to a legal entity group or to specific tax legal entities.
Operating unit
The operating unit is often designed to represent the buying and selling units of the organization. Transactional data is partitioned by operating unit in Order Management, Receivables, Purchasing and Payables.
Inventory organization
Typically a unit that holds, manufactures or distributes materials. Oracle Inventory and the manufacturing family of applications are partitioned by inventory organization. An inventory organization can belong to only one ledger, legal entity and operating unit, and may be divided into sub-inventories.
Sub-inventory
A sub-inventory is a sub-division within an inventory organization. It allows tracking and management of inventory in logical groups, such as:
By product line
By physical location
By intended use in the production cycle (raw material, customer returns, finished goods, etc.)
In organizations using standard costing to value inventory, sub-inventories allow the inventory value held in each sub-inventory to be accounted for in a different account.
MOAC (Multi-Org Access Control) overview
Benefits of MOAC
Improve efficiency:
Process data across multiple operating units from one responsibility
Process transactions more efficiently for companies that have centralized business functions or operate shared service centers
Obtain better information for decision making, including a global consolidated view
View information such as supplier sites and customer sites across multiple operating units
Reduce costs:
Faster data entry
Less setup and maintenance, since fewer responsibilities are needed
The following are the fundamental Oracle EBS R12 security terms:
Users
Roles
Responsibilities
Forms
Menus
Functions
Request groups
Following is an example of how the various Oracle EBS security concepts work together.
Figure: a user is assigned one or more roles/responsibilities (Role 1, e.g. GL Manager; Role 2, e.g. GL Clerk); each responsibility points to a main menu, which groups the functions the user can open, and to a request group, which lists the concurrent programs the user can submit.
User creation
Users are created using the System Administrator responsibility. Navigation: System Administrator responsibility > Security > User > Define. An HR (employee) record can be associated with the user.
Functions (cont.)
Defining the function parameter QUERY_ONLY=YES makes the function an inquiry-only function: the form opens in query-only mode, so the user can view records but cannot insert, update or delete them.
Request groups
A request group is the set of concurrent programs, reports and request sets that a responsibility is allowed to submit. It is attached to the responsibility when the responsibility is defined (System Administrator > Security > Responsibility > Define).
Responsibilities
Responsibility creation: System Administrator > Security > Responsibility > Define. The request group is assigned to the responsibility on this form.
Conclusion
Users, responsibilities, request groups, menus and functions are created in Oracle Forms
Users access Oracle functionality via a responsibility
Functions are the building blocks of Oracle security
A menu is a logical grouping of functions and is accessible via a responsibility
Concurrent programs are assigned to a responsibility via a request group
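As an added example (not code from the deck, Deloitte or Oracle), the following Python resolves the chain just described for a user: responsibility, main menu, nested sub-menus, functions and request group, honoring assignment end dates and the QUERY_ONLY=YES function parameter. The menus, functions, responsibilities and assignments are constructed sample data; the FND table names in the docstring are where the same relations live in a real instance.

```python
"""Resolve the functions a user can actually reach, and through which path.

Added example, not part of the original deck: it walks the objects the deck
names (user -> responsibility -> main menu -> sub-menus -> function, plus the
responsibility's request group for concurrent programs). The sample data is
constructed inline; in a real review you would extract the same relations
from FND_USER, FND_USER_RESP_GROUPS_DIRECT, FND_RESPONSIBILITY,
FND_MENU_ENTRIES, FND_FORM_FUNCTIONS and FND_REQUEST_GROUP_UNITS.
Dates are ISO strings so that they compare lexically.
"""

# Constructed: menu name -> entries, each a sub-menu or a function.
MENUS = {
    "GL_SUPERUSER_MENU": [("menu", "GL_JOURNALS_MENU"), ("menu", "GL_SETUP_MENU")],
    "GL_JOURNALS_MENU": [("function", "GL_JOURNAL_ENTER"), ("function", "GL_JOURNAL_POST")],
    "GL_SETUP_MENU": [("function", "GL_XVAL_RULES"), ("menu", "GL_JOURNALS_MENU")],
    "GL_INQUIRY_MENU": [("function", "GL_JOURNAL_INQ")],
}
# Constructed: function name -> parameter string stored on the function definition.
FUNCTIONS = {
    "GL_JOURNAL_ENTER": "",
    "GL_JOURNAL_POST": "",
    "GL_XVAL_RULES": "",
    "GL_JOURNAL_INQ": "QUERY_ONLY=YES",
}
# Constructed: responsibility -> its main menu and request group.
RESPONSIBILITIES = {
    "GL Manager": {"menu": "GL_SUPERUSER_MENU", "request_group": "GL_ALL_REQUESTS"},
    "GL Clerk": {"menu": "GL_INQUIRY_MENU", "request_group": "GL_INQUIRY_REQUESTS"},
}
# Constructed: request group -> concurrent programs it allows.
REQUEST_GROUPS = {
    "GL_ALL_REQUESTS": ["Posting", "Trial Balance"],
    "GL_INQUIRY_REQUESTS": ["Trial Balance"],
}
# Constructed: (user, responsibility, start date, end date or None).
ASSIGNMENTS = [
    ("JSMITH", "GL Manager", "2023-01-01", None),
    ("JSMITH", "GL Clerk", "2023-01-01", "2023-06-30"),   # end-dated assignment
    ("AJONES", "GL Clerk", "2023-01-01", None),
]


def is_query_only(params):
    """True when the function's parameter string sets QUERY_ONLY=YES."""
    for token in params.replace(",", " ").split():
        name, _, value = token.partition("=")
        if name.strip().upper() == "QUERY_ONLY" and value.strip().upper() == "YES":
            return True
    return False


def active(assignment, as_of):
    """An assignment grants access on as_of if it has started and is not end-dated before then."""
    _, _, start, end = assignment
    return start <= as_of and (end is None or end >= as_of)


def walk_menu(menu, path=(), seen=frozenset()):
    """Yield (menu path, function) for every function reachable from menu.
    Sub-menus may be nested and may be reached through more than one path;
    `seen` stops recursion on cyclic menu definitions."""
    if menu in seen:
        return
    seen = seen | {menu}
    for kind, name in MENUS.get(menu, []):
        if kind == "function":
            yield path + (menu,), name
        else:
            yield from walk_menu(name, path + (menu,), seen)


def effective_access(user, as_of):
    """Return {function: [(responsibility, 'menu/.../menu', mode), ...]}.
    mode is 'inquiry' for QUERY_ONLY functions, otherwise 'update'."""
    result = {}
    for assignment in ASSIGNMENTS:
        if assignment[0] != user or not active(assignment, as_of):
            continue
        resp = assignment[1]
        for path, func in walk_menu(RESPONSIBILITIES[resp]["menu"]):
            mode = "inquiry" if is_query_only(FUNCTIONS[func]) else "update"
            result.setdefault(func, []).append((resp, "/".join(path), mode))
    return result


def concurrent_programs(user, as_of):
    """Programs the user can submit through the request groups of active responsibilities."""
    programs = set()
    for assignment in ASSIGNMENTS:
        if assignment[0] == user and active(assignment, as_of):
            programs.update(REQUEST_GROUPS[RESPONSIBILITIES[assignment[1]]["request_group"]])
    return sorted(programs)


if __name__ == "__main__":
    for func, routes in sorted(effective_access("JSMITH", "2024-01-01").items()):
        for resp, path, mode in routes:
            print(f"JSMITH {func:18} {mode:8} via {resp}: {path}")
    print("JSMITH programs:", concurrent_programs("JSMITH", "2024-01-01"))
```

The point of reporting every path rather than a flat function list is that the same function is often reachable through several sub-menus of one responsibility (GL_JOURNAL_ENTER above appears twice for GL Manager), so removing a single menu entry does not remove the access.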
Flexfield security
Flexfields are codes made up of meaningful segments (intelligent keys) that identify general ledger accounts, part numbers and other business entities
The chart of accounts structure is made up of several segments that represent dimensions of the business
Flexfield security rules restrict access to specific segment values
Enable security for a particular segment or parameter by checking "Enable security" for that segment or parameter
Assign the rule to a responsibility using the Assign Security Rules window
Flexfield security: conclusion
Flexfields are the building blocks of Oracle's accounting structure
Flexfields are of two major types: key flexfields and descriptive flexfields
The key flexfield forms the accounting structure in Oracle EBS
A descriptive flexfield can be used to add information to an existing field in the application
Security for flexfields is governed at the responsibility level
Module based security (HR security, project security, purchasing, buyer, treasury security)
HR security
HRMS security restricts data access based on a security model. Users access the system through an Oracle responsibility that is linked to a security profile and/or a security group.
Access control: the security group determines which business group the user can access; the security profile determines which records within that business group.
Figure: who (responsibility, security group, business group) versus what (windows, menus, customizations).
HR security (cont.)
Figure: assigning users to a responsibility, security profile and business group. The user is given a responsibility, which is linked to a security profile and to a business group.
HR security (cont.)
Figure: example of an HR manager user assigned the HR Manager responsibility.
Project security
Projects can have role-based security: project team members are assigned roles, and roles define what users can do in a project (add tasks, query labor costs, etc.). Seeded access controls are available that determine the level of access in a project.
Purchasing security
Purchase requisitions can only be created by employees
Purchase orders can only be created by buyers
Only employees can be set up as buyers
Default shipping locations can be assigned to buyers
Miscellaneous security: conclusion
Modules have unique security features independent of system administration
Module-based security exists in HRMS, Projects, Inventory, Purchasing, Treasury, etc.
HR security is driven primarily by the organization structure
Project security is role based and governs access within a project
User access in inventory-based modules is restricted using inventory organization access
Purchasing security is employee based
Treasury security governs access to deals and companies
Application controls
Figure: areas covered: Payables, trial balance, Inventory, Purchasing.
Accounting
Accounting in Oracle Financials is based on four characteristics:
Chart of accounts
Currency
Calendar
Accounting conventions
Ledgers
Ledgers replace the concept of the set of books (SOB) in Release 12. A ledger is defined for one or more legal or business entities that share a common chart of accounts, calendar, currency and accounting method.
Ledger sets
Ledger set 1:
Ledger A: U.S. GAAP, U.S. CoA, U.S. calendar, USD
Ledger B: French rules, U.S. CoA, U.S. calendar, EUR
Ledger C: U.S. GAAP, U.S. CoA, U.S. calendar, AUD
Ledger set 2:
Ledger D: U.S. GAAP, U.S. CoA, U.S. calendar, USD
All ledgers in a ledger set must have the same calendar and chart of accounts.
Key controls (with the financial statement assertion each addresses)
Journals are approved systematically in Oracle according to the approval limits pre-defined in the system (completeness / valuation)
Imported journals (from feeder modules) cannot be modified in the general ledger (valuation)
Oracle only allows balanced entries to be posted (valuation)
If used, accounts for suspense posting of journal entries are properly configured in Oracle and their balances are reviewed and cleared on a regular basis (valuation)
Cross-validation rules have been enabled and developed to help ensure the accuracy of data entry (valuation)
Cross-validation rules take precedence over dynamic insertion, and flexfield definitions are frozen, so that only valid account code combinations can be created (completeness / existence or occurrence)
Rollup groups are frozen, indicating that they cannot be changed (completeness / presentation and disclosure)
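The flexfield security rules from the earlier section and the cross-validation rules above share one mechanism: Include and Exclude ranges. The following is an added example (not from the deck or Oracle) that evaluates both against a constructed three-segment chart of accounts, constructed rules and two constructed responsibilities, and combines them into the check a user actually hits at data entry.

```python
"""Evaluate flexfield security rules and cross-validation rules (CVRs).

Added example, not from the deck or from Oracle. It models the two controls
named above with the include/exclude range semantics Oracle uses: a segment
value (security rule) or a whole code combination (CVR) passes a rule when it
falls inside at least one Include element and inside no Exclude element, and
it must pass every rule that applies to it. Segment values are compared as
strings, as Oracle does for character-format segments. Segments, rules and
responsibilities below are constructed for illustration.
"""

# Constructed chart of accounts: segment names in order.
SEGMENTS = ["company", "department", "account"]

# Constructed cross-validation rules: name -> elements (kind, low, high), where
# low and high give one value per segment.
CROSS_VALIDATION_RULES = {
    # Every combination is included unless another rule excludes it.
    "ALLOW_ALL": [("include", ["00", "000", "0000"], ["ZZ", "ZZZ", "ZZZZ"])],
    # Corporate department 999 may not post to revenue accounts 4000-4999.
    "NO_REV_IN_CORP": [
        ("include", ["00", "000", "0000"], ["ZZ", "ZZZ", "ZZZZ"]),
        ("exclude", ["00", "999", "4000"], ["ZZ", "999", "4999"]),
    ],
}

# Constructed flexfield security rules on single segments: name -> (kind, low, high).
SECURITY_RULES = {
    "ACCOUNT_NO_CASH": [("include", "0000", "ZZZZ"), ("exclude", "1000", "1099")],
    "COMPANY_US_ONLY": [("include", "01", "01")],
}
# Constructed: which security rules are assigned to which responsibility, per segment.
RULE_ASSIGNMENTS = {
    "GL Clerk": {"account": ["ACCOUNT_NO_CASH"], "company": ["COMPANY_US_ONLY"]},
    "GL Manager": {},
}


def passes_elements(elements, hit):
    """Shared include/exclude logic: hit(low, high) says whether the value
    being tested lies in the element's range. Pass = at least one Include
    hit and no Exclude hit."""
    included = any(kind == "include" and hit(low, high) for kind, low, high in elements)
    excluded = any(kind == "exclude" and hit(low, high) for kind, low, high in elements)
    return included and not excluded


def combination_allowed(combination):
    """Check one code combination (one value per segment) against every CVR.
    Returns (ok, names of the rules it violates)."""
    if len(combination) != len(SEGMENTS):
        raise ValueError("combination must have one value per segment")

    def hit(low, high):
        # A combination is inside an element when every segment is inside its range.
        return all(lo <= v <= hi for v, lo, hi in zip(combination, low, high))

    violated = [name for name, elements in CROSS_VALIDATION_RULES.items()
                if not passes_elements(elements, hit)]
    return (not violated, violated)


def value_allowed(responsibility, segment, value):
    """Check a single segment value against the security rules assigned to the
    responsibility for that segment. With no rules assigned there is no restriction."""
    for rule in RULE_ASSIGNMENTS.get(responsibility, {}).get(segment, []):
        if not passes_elements(SECURITY_RULES[rule], lambda low, high: low <= value <= high):
            return False
    return True


def can_enter(responsibility, combination):
    """What a user of the responsibility actually gets: each segment value must
    pass that responsibility's security rules, and the combination as a whole
    must pass every cross-validation rule."""
    segments_ok = all(value_allowed(responsibility, seg, val)
                      for seg, val in zip(SEGMENTS, combination))
    combination_ok, _ = combination_allowed(combination)
    return segments_ok and combination_ok


if __name__ == "__main__":
    for resp in RULE_ASSIGNMENTS:
        for combo in (["01", "100", "1050"], ["01", "999", "4100"], ["02", "100", "6000"]):
            print(resp, "-".join(combo), "allowed" if can_enter(resp, combo) else "blocked")
```

When reviewing a real instance, extract the rules and their assignments rather than testing a handful of combinations by hand: a CVR with no Include element, or a security rule that is defined but assigned to no responsibility, passes nothing and restricts nothing respectively, and both are common findings.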
Key GL controls
Journal approval
Journal authorization limits
Flexfield definition
Cross-validation rules
Flexfield security rules
GL account definition
Ledger accounting options
Open/close GL periods
GL calendar definition
GL account combinations
Navigation: Setup > Accounts > Combinations
Flexfield values
Navigation: Setup > Financials > Flexfields > Key > Values
Calendar
Navigation: Setup > Financials > Calendar > Accounting
Accounting options
Navigation: Setup > Accounting Setup Manager > Accounting Setups > Subledger Applications
AutoPost
Navigation: Setup > Journal > AutoPost
Document sequence
Navigation: Setup > Financial > Sequences > Document > Define
Payables controls
Payables overview
Figure: Payables flow: create invoice, then create payment.
Invoice tolerances
Set up tolerances for three-way matching (purchase order, receipt and invoice). Navigation: Setup > Invoice > Tolerances
Invoice holds
Navigation: Setup > Invoice > Hold and Release Name
A hold prevents a transaction from completing and keeps it on hold until the specific condition is resolved or satisfied.
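As an added example (not from the deck or Oracle), the following shows how tolerances and holds interact in a three-way match: each invoice line is compared with its PO line and the quantity received, and any breach beyond the tolerance puts a matching hold on the invoice. The hold names QTY ORD, QTY REC and PRICE are Oracle Payables hold names; the tolerance percentages, purchase order and invoices are constructed.

```python
"""Three-way match of invoice lines against a PO line and its receipts, with
Payables-style tolerances and matching holds.

Added example, not from the deck. Oracle Payables compares an invoice with
the purchase order and the receipt using the tolerances set up under
Setup > Invoice > Tolerances and places matching holds named QTY ORD,
QTY REC and PRICE on invoices that breach them; the hold keeps the invoice
from being paid until the condition is resolved or the hold is released.
The hold names are Oracle's; the tolerance values, documents and the exact
calculation are constructed for illustration.
"""
from dataclasses import dataclass
from decimal import Decimal


def _d(x):
    """Exact decimal from a literal, avoiding binary float rounding in comparisons."""
    return Decimal(str(x))


@dataclass
class Tolerances:
    qty_ordered_pct: float = 0.0    # invoiced qty may exceed PO qty by this percentage
    qty_received_pct: float = 0.0   # invoiced qty may exceed received qty by this percentage
    price_pct: float = 0.0          # invoice unit price may exceed PO unit price by this percentage


@dataclass
class POLine:
    po_number: str
    line: int
    quantity: float       # quantity ordered
    unit_price: float
    received: float       # quantity received against the line so far


@dataclass
class InvoiceLine:
    invoice: str
    po_number: str
    po_line: int
    quantity: float
    unit_price: float


def limit(base, pct):
    """Upper bound allowed by a percentage tolerance: base * (1 + pct/100), exactly."""
    return _d(base) * (Decimal(100) + _d(pct)) / Decimal(100)


def match_line(inv, po, tol):
    """Return the holds a single invoice line would attract (empty list = matched)."""
    holds = []
    if _d(inv.quantity) > limit(po.quantity, tol.qty_ordered_pct):
        holds.append("QTY ORD")      # billed more than ordered, beyond tolerance
    if _d(inv.quantity) > limit(po.received, tol.qty_received_pct):
        holds.append("QTY REC")      # billed more than received, beyond tolerance
    if _d(inv.unit_price) > limit(po.unit_price, tol.price_pct):
        holds.append("PRICE")        # unit price above PO price, beyond tolerance
    return holds


def match_invoices(lines, po_lines, tol):
    """Match every invoice line; return {invoice: sorted list of distinct holds}."""
    by_key = {(p.po_number, p.line): p for p in po_lines}
    holds = {}
    for ln in lines:
        po = by_key[(ln.po_number, ln.po_line)]
        holds.setdefault(ln.invoice, set()).update(match_line(ln, po, tol))
    return {inv: sorted(h) for inv, h in holds.items()}


def payable(holds_by_invoice):
    """Invoices with no holds are the only ones that may be selected for payment."""
    return sorted(inv for inv, h in holds_by_invoice.items() if not h)


# Constructed sample documents.
TOL = Tolerances(qty_ordered_pct=5, qty_received_pct=0, price_pct=2)
PO_LINES = [POLine("PO-1001", 1, quantity=100, unit_price=10.00, received=100)]
INVOICE_LINES = [
    InvoiceLine("INV-1", "PO-1001", 1, quantity=100, unit_price=10.00),  # clean match
    InvoiceLine("INV-2", "PO-1001", 1, quantity=104, unit_price=10.00),  # within order tolerance, over receipt
    InvoiceLine("INV-3", "PO-1001", 1, quantity=110, unit_price=10.50),  # over on quantity and price
]

if __name__ == "__main__":
    result = match_invoices(INVOICE_LINES, PO_LINES, TOL)
    for inv, h in result.items():
        print(inv, "HOLDS: " + ", ".join(h) if h else "matched")
    print("payable:", payable(result))
```

The audit point is the tolerance configuration itself: a quantity-received tolerance of zero (as above) means nothing can be paid that has not been received, while a generous percentage quietly turns the three-way match into a two-way one, so the tolerance values belong on the list of settings whose changes are reviewed.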
Financial options
Navigation: Setup > Options > Financial Options > Supplier Entry
Hold unmatched invoices
Automatic numbering
Key reports
Missing Document Numbers report
Matching Hold Detail report
Invoice on Hold report
Invoice Aging report
Distribution Set Listing
Payment Exceptions report
Stopped Payments report
Void Payment Register
Receivables controls
AR overview
Figure: Receivables flow: invoice creation, then receipt creation.
AR transactions
Invoices
Credit memos: can create on-account credits; can apply credits to open invoices, debit memos and chargebacks
Commitments: deposits and guarantees
Batch sources
Manual or imported
Transaction types
Navigation: Setup > Transactions > Transaction Types
Transaction sources
Navigation: Setup > Transactions > Sources
AutoInvoice
AutoInvoice allows the import and generation of invoices, credit memos, etc. Sales tax is calculated automatically. Revenue recognition can be set to run automatically or manually.
AutoAccounting
AutoAccounting can be used to generate default accounting flexfields for each invoice and credit memo; each segment value may be derived or constant.
Benefit of AutoAccounting: greater accuracy (fewer data entry errors)
Risk of AutoAccounting: if the configuration is not correct, it could result in incorrect entries
Accounting rules
Navigation: Setup > Transactions > Accounting Rules
Approval limits
Navigation: Setup > Transactions > Approval Limits
Receivables reports
Accounting Rules Listing report
Aging reports
Audit Report by Document Number
Duplicate Customer report
Incomplete Invoices report
Reversed Receipts report
Setup Details report
Purchasing controls
Purchasing overview
Figure: Purchasing flow: create requisition, AutoCreate the purchase order, receive goods from suppliers (create receipt), transfer to the general ledger.
Approvals overview
Approval hierarchies let you automatically route documents for approval. There are two kinds of approval hierarchy:
Employee/supervisor relationships, which follow the supervisor recorded on each employee's HR assignment
Position hierarchies, which route documents through the organization's job/position hierarchy
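An added example (not from the deck or Oracle) of the routing both hierarchy kinds perform: the document moves from the preparer to the next approver until someone whose approval authority covers the amount is found. Supervisors, positions, authority limits and the owner-can-approve switch are constructed assumptions.

```python
"""Route a document up an approval hierarchy to the first approver with
enough authority.

Added example, not from the deck. Oracle Purchasing supports the two
hierarchy kinds listed above; each is modelled here as a "next approver"
lookup: the employee/supervisor relationship follows the supervisor on the
employee's HR assignment, and the position hierarchy moves the document to
the holder of the parent position. The routing loop, approval authority
figures, names and the owner-can-approve switch are constructed for
illustration.
"""

# Constructed HR data: employee -> supervisor (None at the top).
SUPERVISOR = {"clerk": "buyer1", "buyer1": "pmgr", "pmgr": "cfo", "cfo": None}
# Constructed position hierarchy: employee -> position, position -> parent position.
POSITION_OF = {"clerk": "PUR.CLERK", "buyer1": "PUR.BUYER", "pmgr": "PUR.MGR", "cfo": "FIN.CFO"}
PARENT_POSITION = {"PUR.CLERK": "PUR.BUYER", "PUR.BUYER": "PUR.MGR", "PUR.MGR": "FIN.CFO", "FIN.CFO": None}
HOLDER_OF = {pos: emp for emp, pos in POSITION_OF.items()}
# Constructed approval authority: maximum document total each employee may approve.
AUTHORITY = {"clerk": 0, "buyer1": 5_000, "pmgr": 50_000, "cfo": 1_000_000}


def next_by_supervisor(employee):
    """Employee/supervisor relationship: the next approver is the supervisor."""
    return SUPERVISOR.get(employee)


def next_by_position(employee):
    """Position hierarchy: the next approver holds the parent position."""
    parent = PARENT_POSITION.get(POSITION_OF.get(employee))
    return HOLDER_OF.get(parent) if parent else None


def route(preparer, amount, next_approver, owner_can_approve=False, max_hops=10):
    """Walk the hierarchy from the preparer and return (approver, path).
    approver is None when nobody on the path has enough authority. The
    preparer may approve their own document only when owner_can_approve is
    set; a visited set guards against cyclic hierarchy data."""
    path = [preparer]
    visited = {preparer}
    current = preparer
    for _ in range(max_hops):
        may_act = current != preparer or owner_can_approve
        if may_act and AUTHORITY.get(current, 0) >= amount:
            return current, path
        current = next_approver(current)
        if current is None or current in visited:
            break
        visited.add(current)
        path.append(current)
    return None, path


if __name__ == "__main__":
    for amount in (3_000, 20_000, 5_000_000):
        print(amount, route("clerk", amount, next_by_supervisor))
        print(amount, route("clerk", amount, next_by_position))
```

The two things an auditor checks are visible in the function: whether the document type lets the owner approve (owner_can_approve), which collapses the control for anyone with enough authority, and what happens when the chain runs out (here the document is left unapproved rather than auto-approved).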
Buyers
Only buyers can create purchase orders (regardless of access to the Purchase Orders form). Navigation: Setup > Personnel > Buyers
Purchasing options
Document control:
Price tolerance percentage: enforce the percentage by which the AutoCreated PO line price may not exceed the requisition line price
Cancel requisitions: cancel requisitions upon cancellation of the AutoCreated POs
Enforce buyer name: only the buyer's own name can be entered on the PO
Enforce supplier hold: do not allow approval of POs for suppliers on hold
Receipt accounting:
Accrue expense items
Accrue inventory items
Document numbering:
Automatic numbering of POs and requisitions
Receiving options
Navigation: Setup > Organizations > Receiving Options
Allow unordered receipts
Financials options
Navigation: Setup > Options > Financial Options > Accounting
Key reports
Purchasing:
Purchasing Interface Errors report
Purchase Price Variance report
Invoice Price Variance report
Receiving:
Receiving Exceptions report
Uninvoiced Receipts report
Unordered Receipts report
Receipt Adjustments report
Introduction to GRC
What is GRC?
Governance: governance is the responsibility of senior executive management and focuses on creating organizational transparency by defining the mechanisms an organization uses to ensure that its constituents follow established processes and policies. A proper governance strategy implements systems to monitor and record current business activity, takes steps to comply with agreed policies, and provides for corrective action in cases where the rules have been ignored or misconstrued.
Risk: risk management is the process by which an organization sets its risk appetite, identifies potential risks, and prioritizes its tolerance for risk based on the organization's business objectives. Risk management leverages internal controls to manage and mitigate risk throughout the organization.
Compliance: compliance is the process that records and monitors the policies, procedures and controls needed to comply with legislative or industry mandates as well as internal policies.
The goal of governance, risk and compliance (GRC) is to help a company efficiently put policies and controls in place to address its compliance obligations while at the same time gathering information that helps it proactively run the business.
Evolution of GRC
Governance, risk management and compliance (GRC) are three distinct disciplines that in the past existed in silos within organizations and were considered separate from mainstream business processes and decision making. Most organizations have viewed governance, risk and compliance as discrete activities. Today, many organizations are starting to coordinate these activities by adopting a GRC program. This approach is helping organizations create efficiencies, achieve a holistic view of the environment, and ensure greater accountability.
GRC
Moves the organization beyond financial controls and regulatory compliance
Enables strategic risk support
Minimizes silos
Promotes risk management accountability
Facilitates data security
Enables data transparency and reporting
Aligns risk assessment methodologies
Enhances proactive tracking of actionable items and issues/observations
Summary (cont.)
GRC processes in an enterprise are distinct disciplines; integrating them, however, can help drive a company to address its compliance obligations effectively and efficiently. Once these integrated disciplines are formed, an enterprise is able to obtain the information it needs to manage its business risks. There are a number of GRC tools on the market that help integrate and enable GRC processes. Implementing an enterprise GRC solution is a journey, but if implemented correctly it can lead to a number of financial and operational efficiencies. The benefits of GRC to internal audit and other compliance groups are evident, and internal audit should play a crucial role in setting the direction of the GRC implementation.
Figure: Oracle GRC Manager (GRCM) and GRC Intelligence (GRCI).
Oracle GRC application controls
Access controls (Application Access Controls Governor)
Configuration controls (Configuration Controls Governor): who changed the setup and why
Preventive controls (Preventive Controls Governor): enforce policies in context
Transaction controls (Transaction Controls Governor)
Application Access Controls Governor
Access points: element-level definitions that can include responsibilities, menus, functions and concurrent programs.
Access policy: defines conflicts by joining access points and entitlements through relationships (AND or OR).
Policy type: Prevent, Monitor or Approval required.
Conflict analysis
Lists the policies that are violated by assigning conflicting (SOD) access to users
Reports results at the path level so that SOD conflicts can be resolved
Can be generated by a scheduled job or in real time; SOD analysis is at the responsibility level
Conflict reports can also be run and exported from the Report Center, where the parameters to view can be selected
Simulation
Run what-if simulations to test proposed access changes before remediating in Oracle EBS.
Remediation: access to the conflicting responsibility is end-dated until the conflict analysis is run.
Preventive Controls Governor
PCG features
Form rules: enable users to write rules that modify the security, navigation, field and data properties of Oracle E-Business Suite forms. They are used to design application controls and to define access restrictions for transactions where conflict remediation could not be performed.
Flow rules: define and implement business processes and sets of actions to be completed in specified sequences. Flow rules are primarily used to define approval workflows.
Audit rules: enable users to track changes to the values of fields in database tables.
PCG form rules
Form rule elements target a form, block or field. A rule specifies an event that triggers processing and defines the customizations to the target form, block or field. Rules are applied to users and responsibilities and are used to assign security attributes, set navigation paths, create messages, define default values, lists of values or other field attributes, run SQL statements, or run processes defined in flow rules.
PCG flow rules (cont.)
Example flow rule: periodic user access review
Select all supervisors and their direct reports, with the direct reports' responsibility access
Notify supervisors of their direct reports' user access, with the ability to approve or reject that access automatically
PCG audit rules
A table must belong to an audit group, so an essential step in the auditing process is to create audit groups. The columns to be audited are then selected from each audited table.
Configuration Controls Governor
Detection and prevention: record changes to sensitive setup data and compare before and after values for each change.
Snapshot definition: records the setup data for a specified Oracle module (ERP application) on a specified ERP instance.
Differences: display the difference in setup data between two snapshots of the same object.
Detect and record changes to sensitive setup data
Require settings and data updates to conform to valid values
Require conditional approval for changes to sensitive setup data
Figure: mock screens. On the supplier setup form (supplier Acme Corp, 123 Main St, Center City, NY 12345) the payment terms are changed from Net 30 to Net 60. A GRC Controls message reports "Your change has been submitted for approval by: John Doe". The configuration change policy states: if payment terms are changed, (1) require an approval, (2) audit the change, (3) require a reason. The audit monitor shows user Johnson, entity Acme, old value Net 30, new value Net 60.
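The snapshot comparison and the change policy on the mock screens above, as an added example (not from the deck or Oracle's product): two constructed supplier snapshots are diffed field by field, and each change is run through a constructed policy that, for payment terms, requires a valid value, a reason and an approval by someone other than the user, and produces the audit-monitor record.

```python
"""Compare two snapshots of setup data and apply a configuration change policy.

Added example, not from the deck or from Oracle's Configuration Controls
Governor. A snapshot here is a plain mapping of setup records captured from
an instance (constructed inline, using the supplier data from the mock
screens above); differences() lists what changed between two captures of the
same object, and evaluate_change() applies a policy like the one shown:
a change to payment terms must have a valid value, a reason and an approval,
and is always audited. The record layout, policy contents, users and
approvers are assumptions.
"""

# Constructed: supplier setup as captured at two points in time.
SUPPLIERS_T0 = {
    "Acme Corp": {"address": "123 Main St, Center City, NY 12345", "terms": "Net 30", "hold": False},
    "Globex": {"address": "1 Globex Way, Springfield", "terms": "Net 45", "hold": True},
}
SUPPLIERS_T1 = {
    "Acme Corp": {"address": "123 Main St, Center City, NY 12345", "terms": "Net 60", "hold": False},
    "Initech": {"address": "4120 Freidrich Ln, Austin, TX", "terms": "Net 30", "hold": False},
}

# Constructed policy: field -> what a change to it requires. Unlisted fields are unrestricted.
CHANGE_POLICY = {
    "terms": {"approval": True, "reason": True, "audit": True,
              "valid_values": {"Immediate", "Net 30", "Net 45", "Net 60"}},
    "hold": {"approval": True, "reason": False, "audit": True},
    "address": {"approval": False, "reason": False, "audit": True},
}


def differences(before, after):
    """Field-level differences between two snapshots of the same object type.
    Each record is {entity, field, old, new}; an entity present on only one
    side is reported once with field '*' and None on the missing side."""
    changes = []
    for entity in sorted(set(before) | set(after)):
        old_rec, new_rec = before.get(entity), after.get(entity)
        if old_rec is None or new_rec is None:
            changes.append({"entity": entity, "field": "*", "old": old_rec, "new": new_rec})
            continue
        for field in sorted(set(old_rec) | set(new_rec)):
            if old_rec.get(field) != new_rec.get(field):
                changes.append({"entity": entity, "field": field,
                                "old": old_rec.get(field), "new": new_rec.get(field)})
    return changes


def evaluate_change(change, user, reason=None, approver=None):
    """Decide what happens to one detected change under CHANGE_POLICY.
    Returns {status, audit[, why]}: status is 'rejected' (invalid value or
    missing reason), 'pending approval' (needs a second person) or 'applied';
    audit is the audit-monitor record to write, or None."""
    policy = CHANGE_POLICY.get(change["field"])
    if policy is None:
        return {"status": "applied", "audit": None}
    audit = {"user": user, "entity": change["entity"], "field": change["field"],
             "old": change["old"], "new": change["new"], "reason": reason,
             "approver": approver} if policy["audit"] else None
    if "valid_values" in policy and change["new"] not in policy["valid_values"]:
        return {"status": "rejected", "why": "value not in valid list", "audit": audit}
    if policy["reason"] and not reason:
        return {"status": "rejected", "why": "reason required", "audit": audit}
    if policy["approval"] and (approver is None or approver == user):
        # Self-approval is not an approval: the change stays pending.
        return {"status": "pending approval", "audit": audit}
    return {"status": "applied", "audit": audit}


if __name__ == "__main__":
    for change in differences(SUPPLIERS_T0, SUPPLIERS_T1):
        print(change)
    terms_change = differences(SUPPLIERS_T0, SUPPLIERS_T1)[0]
    print(evaluate_change(terms_change, "Johnson"))
    print(evaluate_change(terms_change, "Johnson", reason="renegotiated", approver="John Doe"))
```

Note that the rejected and pending outcomes still carry an audit record: a control that only logs successful changes misses the attempts, which are often the more interesting evidence.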
Preventive controls in forms: mask sensitive data, disable buttons, confirm data input, etc.
Granular user interface restrictions
Restrict access to data or actions
Embedded control enforcement
Figure: mock Employee Update screen (employee John Doe).
Transaction Controls Governor
Detection and prevention: detect violations of the policies and address each violation.
Example policies
A user who can create a supplier cannot pay that supplier
A user who can create a supplier can pay other suppliers, but not the one they created
Check the responsibility to see whether any users have both created a supplier and approved a payment
Check whether someone has changed the billing address of a supplier
Output
Detects all the responsibilities that hold these two privileges
Because the control is preventive, it blocks the conflicting action before the transaction completes rather than reporting it afterwards
Detects suspects that point to some kind of fraudulent activity
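The conflict analysis, simulation and the supplier example above, as an added example (not from the deck or Oracle AACG): resolved access paths are evaluated against an AND policy per user, reported at path level, checked at the responsibility level, and re-run in a what-if simulation after end-dating a responsibility. Users, responsibilities, menu paths, entitlements and the policy are constructed.

```python
"""Segregation-of-duties conflict analysis at the access-path level, with a
responsibility-level view and a what-if simulation.

Added example, not from the deck or from Oracle AACG. It follows the policy
structure described earlier in the deck: entitlements are sets of access
points (functions here) and a policy joins its entitlements with AND, so a
user holding at least one access point from every entitlement is in
conflict. The "responsibility/menu.../function" access paths, the policy and
the users are constructed; in practice the paths come from resolving each
user's responsibilities through their menus.
"""

# Constructed resolved access paths: (user, responsibility, menu path, function).
ACCESS = [
    ("MLEE", "AP Supervisor", "AP_SUPER_MENU/AP_SUPPLIERS_MENU", "AP_SUPPLIER_ENTRY"),
    ("MLEE", "AP Supervisor", "AP_SUPER_MENU/AP_PAYMENTS_MENU", "AP_PAYMENT_ENTRY"),
    ("MLEE", "AP Inquiry", "AP_INQ_MENU", "AP_INVOICE_INQUIRY"),
    ("RKIM", "Supplier Maintenance", "AP_SUPPLIERS_MENU", "AP_SUPPLIER_ENTRY"),
    ("RKIM", "AP Payments", "AP_PAYMENTS_MENU", "AP_PAYMENT_ENTRY"),
    ("TNG", "Supplier Maintenance", "AP_SUPPLIERS_MENU", "AP_SUPPLIER_ENTRY"),
]

# Constructed entitlements (named groups of access points) and one AND policy.
ENTITLEMENTS = {
    "Maintain suppliers": {"AP_SUPPLIER_ENTRY"},
    "Pay suppliers": {"AP_PAYMENT_ENTRY", "AP_PAYMENT_APPROVE"},
}
POLICIES = [
    {"name": "Create supplier vs pay supplier", "type": "Prevent",
     "entitlements": ["Maintain suppliers", "Pay suppliers"]},
]


def _paths_by_function(access, subject, key):
    """function -> [(responsibility, path)] for one subject; key picks the
    column (0 = user, 1 = responsibility) the subject is matched on."""
    paths = {}
    for row in access:
        if row[key] == subject:
            paths.setdefault(row[3], []).append((row[1], row[2]))
    return paths


def _hits(paths, entitlement):
    """Every (responsibility, path, function) through which the subject reaches
    an access point of the entitlement."""
    return [(resp, path, fn) for fn in sorted(ENTITLEMENTS[entitlement])
            for resp, path in paths.get(fn, [])]


def analyze(access, policies):
    """Path-level conflict report: one record per (policy, user) where the user
    satisfies every entitlement of the policy (AND). Each record lists the
    paths behind each entitlement, the responsibilities involved, and whether
    a single responsibility causes the conflict on its own."""
    conflicts = []
    for user in sorted({row[0] for row in access}):
        paths = _paths_by_function(access, user, 0)
        for pol in policies:
            sides = [_hits(paths, ent) for ent in pol["entitlements"]]
            if all(sides):
                resps = sorted({hit[0] for side in sides for hit in side})
                conflicts.append({"policy": pol["name"], "type": pol["type"], "user": user,
                                  "paths": dict(zip(pol["entitlements"], sides)),
                                  "responsibilities": resps,
                                  "single_responsibility": len(resps) == 1})
    return conflicts


def conflicting_responsibilities(access, policies):
    """Responsibilities that by themselves grant every entitlement of a policy
    (the deck's 'responsibilities that have these two privileges')."""
    found = set()
    for resp in {row[1] for row in access}:
        paths = _paths_by_function(access, resp, 1)
        for pol in policies:
            if all(_hits(paths, ent) for ent in pol["entitlements"]):
                found.add(resp)
    return sorted(found)


def simulate_remove(access, user, responsibility, policies=POLICIES):
    """What-if: end-date one responsibility for a user and re-run the analysis
    without touching the live assignments."""
    trimmed = [row for row in access if not (row[0] == user and row[1] == responsibility)]
    return analyze(trimmed, policies)


if __name__ == "__main__":
    for c in analyze(ACCESS, POLICIES):
        print(c["user"], c["responsibilities"], c["paths"])
    print("inherently conflicting responsibilities:", conflicting_responsibilities(ACCESS, POLICIES))
    print("after removing AP Payments from RKIM:",
          [c["user"] for c in simulate_remove(ACCESS, "RKIM", "AP Payments")])
```

The single_responsibility flag drives the remediation choice: RKIM's conflict goes away by end-dating one of two responsibilities, whereas MLEE's AP Supervisor responsibility conflicts with itself and has to be redesigned (or compensated with a monitoring control) rather than reassigned.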
Audit/review process
Assess and test: a number of options to execute an assessment (process / risk / controls)
Issue management and remediation plans: a number of options to document issues and remediation steps
Certification and reporting: delivered reports and the opportunity for ad hoc reporting via GRCI
Application administration
Operational efficiency
Improved consistency and quality of risk and compliance reporting through standard assessment metrics and criteria
Improved control decisions through a risk-based business case methodology
Improved visibility and practicality of identifying operating risks through risk-rationalized control baselines linked to requirements
Improved ability to perform trending and analytics through standardized control baselines
Improved ability of business units and internal audit to meet skill and staffing requirements through a business-rules-enabled, automated workflow system
The actual benefits realized will depend on how risk and compliance are managed in the organization.
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation. About Deloitte Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.