Oracle Business Intelligence

Products Banner

Ability to report on "Core" Audit Policies" through OTBI

Submitted
1112
Views
82
Comments

Organization Name

GP STRATEGIES CORPORATION

Description

Currently we have no visibility to when an Audit Policy is configured or changed.  We need to be able to access the table(s) where the Audit Policies are configured via OTBI so we can build reports to give to the external auditors.   Auditors need us to be able to report on the created_by and last_updated_by  fields.

Currently some of the audit policy data can be queried via the fnd_audit_attributes table through OTBI.  However, the Audit Policies which we call core are not included in that table.  Those Audit Policies are: Oracle SOA Suite, Oracle Platform Security Services, Oracle Data Integrator, Oracle Metadata Services, Oracle Enterprise Scheduling Service, Pages and Business Objects Modifications.

We also need a full audit history of inserts, updates and deletes for these Audit Policies, but that will be a subject for another enhancement request.

Use Case and Business Need

Business Need:  The business needs to report and view configuration changes for Audit Policies to monitor this control, confirm changes are authorized and provide auditors with reasonable proof that such controls are present through the audit period. 

The business needs to address a risk:  A User could disable or change the level of the audit policy.  This change could allow them to disable the tracking of activity and undermine the effectiveness of the controls.

Use Case 1:  Periodic report to Management can provide assurance Audit Policies configuration has not changed without authorization.
Use Case 2:  Report of Audit Policies configuration can provide external auditor with confirmation the audit policies have been in place throughout the period under audit, or indicate any changes.
Use Case 3:  Internal Audit is performing a compliance audit and has selected some Audit Policies for verification.  With a report of changes to Audit Policies configuration, they can validate the types of data collected at different audit level settings.
Use Case 4: System implementation is in a build phase.  Audit Policies configurations are being tested validate the types of data being collected at different levels.  Report of Audit Policies configuration during the test period provides confidence the appropriate configuration is selected.

More details

Numerous Oracle Cloud tables are available for audit whereby events of insert, update and delete can be recorded and viewed later.
This is an important control feature of Oracle Cloud and it is required by/for management and by auditors. This is how we show
configuration changes are not being made either without authorization or with malicious intent. Management relies upon these
controls as does the audit firm.

Currently, neither management nor the auditor have confidence in the control because it can be disabled, at will, without any
record of when the control is either on or off. Without such record, the control is weak, and some might say useless.

Original Idea Number: 7acbb7c60c

Audit Policies 1.png

Tagged:
3 votes

Submitted · Last Updated

«13

Comments