Ability to report on "Core" Audit Policies through OTBI

Organization Name
GP STRATEGIES CORPORATION
Description
Currently we have no visibility to when an Audit Policy is configured or changed. We need to be able to access the table(s) where the Audit Policies are configured via OTBI so we can build reports to give to the external auditors. Auditors need us to be able to report on the created_by and last_updated_by fields. Currently some of the audit policy data can be queried via the fnd_audit_attributes table through OTBI. However, the Audit Policies which we call core are not included in that table. Those Audit Policies are: Oracle SOA Suite, Oracle Platform Security Services, Oracle Data Integrator, Oracle Metadata Services, Oracle Enterprise Scheduling Service, Pages and Business Objects Modifications. We also need a full audit history of inserts, updates and deletes for these Audit Policies, but that will be a subject for another enhancement request.
Use Case and Business Need
Business Need: The business needs to report and view configuration changes for Audit Policies to monitor this control, confirm changes are authorized and provide auditors with reasonable proof that such controls are present through the audit period. The business needs to address a risk: A User could disable or change the level of the audit policy. This change could allow them to disable the tracking of activity and undermine the effectiveness of the controls.
Use Case 1: Periodic report to Management can provide assurance Audit Policies configuration has not changed without authorization.
Use Case 2: Report of Audit Policies configuration can provide external auditor with confirmation the audit policies have been in place throughout the period under audit, or indicate any changes.
Use Case 3: Internal Audit is performing a compliance audit and has selected some Audit Policies for verification. With a report of changes to Audit Policies configuration, they can validate the types of data collected at different audit level settings.
Use Case 4: System implementation is in a build phase. Audit Policies configurations are being tested to validate the types of data being collected at different levels. Report of Audit Policies configuration during the test period provides confidence the appropriate configuration is selected.
More details
Numerous Oracle Cloud tables are available for audit whereby events of insert, update and delete can be recorded and viewed later. This is an important control feature of Oracle Cloud and it is required by/for management and by auditors. This is how we show configuration changes are not being made either without authorization or with malicious intent. Management relies upon these controls as does the audit firm. Currently, neither management nor the auditor has confidence in the control because it can be disabled, at will, without any record of when the control is either on or off. Without such record, the control is weak, and some might say useless.
Original Idea Number: 7acbb7c60c
Comments
-
All of our clients have asked us to help them figure out how to report on this data. This is critical from an audit perspective and will inevitably lead to a control deficiency if this isn't remedied by Oracle asap.
Regards,
Jeff Hare, CPA CIA CISA
CEO and Founder, ERP Risk Advisors
0 -
Hi Jeff, there is a standard way of reporting this data.
Navigation: Tools > Audit Reports
You will need: Internal Auditor role for this.
This data then you can export to Excel and further analyze it there or provide this extract to auditors...
Alexey
0 -
Hello, Alexey.
We are not referring here to the Audit Reports, but to the configuration of the Audit Reports. The concern here is that auditing can be turned on or off or configured to different levels without an audit trail of this maintenance. Therefore, an organization might have a control which is to audit a particular table and they cannot prove to the external auditor (or to themselves) that the table was indeed subjected to audit for the entire audit period. We are asking for a record of changes to the audit configuration.
Talbott Jones
0 -
Until Oracle provides full change tracking on these audit policies, we need to be able to use OTBI to report on these changes. Having the ability to report on this data may provide the argument that the audit policies have been enabled for the entire audit period. This would require that both the created_by field and the last_updated_by column were prior to the start of the audit period.
Even after there is a full audit trail, we still need to be able to report on this data in case the Audit Policies are not enabled. Having visibility to the created_by and last_updated_by values is critical to supporting the external audit.
Currently a client should NOT be able to rely on any Audit Policies since they cannot prove when audit policies have been enabled and whether or not they have been disabled during the period. This SHOULD result in a control deficiency during an audit - one that should either be a Significant Deficiency or a Material Weakness for any customer using Oracle ERP Cloud.
0 -
Please also see these two Ideas which are equally critical:
0 -
Changes to audit policies need to be monitored to provide assurance to stakeholders that changes are authorized.
0 -
Agreed
0 -
This is all interconnected and should be available. Thank you.
0 -
This would allow us to provide our audit teams with documentation around timing of changes to these policies.
0 -
Hi Jeff,
I completely agree with you.
We can't rely on Audit Controls unless this limitation gets fixed by Oracle.
This limitation also impacts another module, "Oracle Risk Management Cloud / Advanced Financial Control". As you know, AFC allows to define Audit Controls, but it is completely based on audit policies setup and result.
So, if a SuperUser turns off the audit tracking on the ERP side for a while, all the results returned by both Audit Report and AFC controls will not reflect the reality.
This point is very critical.
Regards