Ability to report on "Core" Audit Policies through OTBI — Oracle Analytics

Oracle Transactional Business Intelligence Idea Lab


Ability to report on "Core" Audit Policies through OTBI


Organization Name

GP STRATEGIES CORPORATION

Description

Currently we have no visibility to when an Audit Policy is configured or changed.  We need to be able to access the table(s) where the Audit Policies are configured via OTBI so we can build reports to give to the external auditors.   Auditors need us to be able to report on the created_by and last_updated_by  fields.

Currently some of the audit policy data can be queried via the fnd_audit_attributes table through OTBI.  However, the Audit Policies which we call core are not included in that table.  Those Audit Policies are: Oracle SOA Suite, Oracle Platform Security Services, Oracle Data Integrator, Oracle Metadata Services, Oracle Enterprise Scheduling Service, Pages and Business Objects Modifications.

We also need a full audit history of inserts, updates and deletes for these Audit Policies, but that will be a subject for another enhancement request.

Use Case and Business Need

Business Need:  The business needs to report and view configuration changes for Audit Policies to monitor this control, confirm changes are authorized and provide auditors with reasonable proof that such controls are present through the audit period. 

The business needs to address a risk:  A User could disable or change the level of the audit policy.  This change could allow them to disable the tracking of activity and undermine the effectiveness of the controls.

Use Case 1:  Periodic report to Management can provide assurance Audit Policies configuration has not changed without authorization.
Use Case 2:  Report of Audit Policies configuration can provide external auditor with confirmation the audit policies have been in place throughout the period under audit, or indicate any changes.
Use Case 3:  Internal Audit is performing a compliance audit and has selected some Audit Policies for verification.  With a report of changes to Audit Policies configuration, they can validate the types of data collected at different audit level settings.
Use Case 4: System implementation is in a build phase.  Audit Policies configurations are being tested to validate the types of data being collected at different levels.  Report of Audit Policies configuration during the test period provides confidence the appropriate configuration is selected.

More details

Numerous Oracle Cloud tables are available for audit whereby events of insert, update and delete can be recorded and viewed later. This is an important control feature of Oracle Cloud and it is required by/for management and by auditors. This is how we show configuration changes are not being made either without authorization or with malicious intent. Management relies upon these controls as does the audit firm.

Currently, neither management nor the auditor has confidence in the control because it can be disabled, at will, without any record of when the control is either on or off. Without such record, the control is weak, and some might say useless.

Original Idea Number: 7acbb7c60c



Comments

  • Jeff Hare CPA CISA CIA Rank 5 - Community Champion

    All of our clients have asked us to help them figure out how to report on this data. This is critical from an audit perspective and will inevitably lead to a control deficiency if this isn't remedied by Oracle asap.

    Regards,
    Jeff Hare, CPA CIA CISA
    CEO and Founder, ERP Risk Advisors

  • ashtrakhov-Oracle Rank 2 - Community Beginner

    Hi Jeff, there is a standard way of reporting this data.
    Navigation: Tools > Audit Reports

    You will need: Internal Auditor role for this.

    You can then export this data to Excel and further analyze it there or provide this extract to auditors...

    Alexey


  • Talbott Jones Rank 1 - Community Starter

    Hello, Alexey.

    We are not referring here to the Audit Reports, but to the configuration of the Audit Reports.  The concern here is that auditing can be turned on or off or configured to different levels without an audit trail of this maintenance.  Therefore, an organization might have a control which is to audit a particular table and they cannot prove to the external auditor (or to themselves) that the table was indeed subjected to audit for the entire audit period.  We are asking for a record of changes to the audit configuration.

    Talbott Jones

     

  • Jeff Hare CPA CISA CIA Rank 5 - Community Champion

    Until Oracle provides full change tracking on these audit policies, we need to be able to use OTBI to report on these changes. Having the ability to report on this data may provide the argument that the audit policies have been enabled for the entire audit period. This would require that both the created_by field and the last_updated_by column were prior to the start of the audit period.

    Even after there is a full audit trail, we still need to be able to report on this data in case the Audit Policies are not enabled. Having visibility to the created_by and last_updated_by values is critical to supporting the external audit.

    Currently a client should NOT be able to rely on any Audit Policies since they cannot prove when audit policies have been enabled and whether or not they have been disabled during the period. This SHOULD result in a control deficiency during an audit - one that should either be a Significant Deficiency or a Material Weakness for any customer using Oracle ERP Cloud.

  • Ivan Ng Rank 1 - Community Starter

    Changes to audit policies need to be monitored to provide assurance to stakeholders that changes are authorized.

  • User_F3Y9Q Rank 1 - Community Starter

    Agreed

  • Matthew Rekers Rank 1 - Community Starter

    This is all interconnected and should be available. Thank you.

  • Jeff Rich-Terillium Rank 2 - Community Beginner

    This would allow us to provide our audit teams with documentation around timing of changes to these policies.

  • Youssouf Rank 3 - Community Apprentice

    Hi Jeff,

    I completely agree with you.

    We can't rely on Audit Controls unless this limitation gets fixed by Oracle.

    This limitation also impacts another module, "Oracle Risk Management Cloud / Advanced Financial Control". As you know, AFC allows defining Audit Controls, but it is completely based on audit policies setup and result.

    So, if a SuperUser turns off the audit tracking on the ERP side for a while, all the results returned by both Audit Report and AFC controls will not reflect reality.

    This point is very critical.

     

    Regards