This article focuses on some of the key considerations when using a cloud ERP system to meet Sarbanes-Oxley (SOX) requirements.
Pick your favorite cloud infrastructure; what do they all have in common? If the word scalability comes to mind, you aren't alone; many organizations are opting to switch out their on-premise systems for scalable tools like Oracle's Fusion Enterprise Resource Planning (ERP) Cloud and Oracle Enterprise Performance Management (EPM) Cloud. One of the many benefits of a cloud ERP system is the ability to scale and to centralize many of an organization's applications into one system, all while the vendor is responsible for managing the behind-the-scenes infrastructure. This sounds like a dream come true, but don't get too comfortable, because your organization still has many key responsibilities. Organizations must understand that when implementing a cloud ERP system, they remain responsible for how the application is configured, how it is used securely, and how robust controls are implemented across the entire platform. Oracle's Fusion ERP Cloud is one popular option available to organizations selecting a scalable cloud ERP system. It has become a one-stop shop: from modules for inventory, fixed assets, accounts payable, accounts receivable and the general ledger, to custom reports that help with month-end close, everything is contained within one platform, and that is just naming a few of the modules offered.
In addition, Oracle offers Oracle EPM Cloud, which provides organizations with modules for Account Reconciliation (ARC), Financial Consolidation and Close, Data Management, and Planning and Budgeting (EPBCS), and which can connect directly to Fusion ERP Cloud to provide seamless integration that is invaluable to an organization. Implementing a cloud ERP or EPM system can quickly change an organization's IT systems from legacy to legendary; but what are the key responsibilities mentioned above? From a 1,000-foot view, organizations are still responsible for their overall control environment. They must implement formal controls to ensure the control effectiveness of change management, user access management, and monitoring and support.
Change Management
Oracle Cloud change management can be grouped into the following categories: 1) vendor upgrades, 2) custom report changes, and 3) configuration changes. Oracle Fusion ERP Cloud system upgrades are released quarterly, while Oracle EPM Cloud systems are updated monthly. Organizations should create defined procedures to test any and all upgrades. In addition, key business stakeholders should be involved and should give formal approval whenever the functionality of any module changes. All key controls should be tested for efficacy to ensure the upgrade does not affect functionality. Finally, end users should be notified of system downtime.
Change management is not limited to system upgrades. Organizations control the development of custom reports and the configuration of various key settings within each module. Managing changes to custom reports and configurations, including who can perform the changes and how they are tracked, is fundamental to ensuring proper change management procedures. Development activities such as these should be limited to appropriate individuals and tracked. Organizations new to Oracle Fusion ERP Cloud and Oracle EPM Cloud must understand that changes to custom reports and configuration settings are not logged. Without properly logging changes, the organization will not be able to maintain a complete and accurate audit trail of these changes. This audit trail is needed to comply with Sarbanes-Oxley (SOX) regulations so that auditors are provided complete and accurate data to ensure all changes were approved and followed the necessary procedures defined by the organization. For custom reports, logging is not systematically available to capture the changes to key reports throughout the year; the organization must develop alternative procedures to track all changes throughout the year. For configuration changes, logging must be turned on for each individual configuration setting. Audit policies must be enabled for each area in which the configuration setting of a key automated control resides. This process is time-consuming and manual. When defining requirements for the implementation of the cloud system, organizations should budget the time necessary to ensure this is completed during the implementation. A good starting point is to identify the key Oracle automated controls.
User Access Management
Understanding the Oracle security structure can be cumbersome. Inappropriate user access can have catastrophic effects if not restricted appropriately. Oracle's Fusion ERP Cloud and EPM Cloud are full of out-of-the-box roles that can be used to implement role-based access. Organizations, however, should use caution when relying exclusively on out-of-the-box roles; a separation of duties (SOD) analysis should be performed, and custom roles should be developed if SOD issues exist. Each role is comprised of many entitlements, also known as privileges. A user is typically assigned one or more roles. Using only out-of-the-box roles may violate the principle of least privilege, because users may inadvertently receive inherited entitlements that are not needed to perform their job functions. To assist in analyzing roles and entitlements, organizations should consider implementing the Advanced Access Controls (AAC) Cloud, which "...enables continuous monitoring of all access policies in Oracle ERP, potential violations, insider threats and fraud". Oracle's AAC service allows organizations to evaluate access to sensitive areas within the system, as defined by the organization.
Oracle's Fusion ERP Cloud and EPM Cloud are completely separate, so user security is different for each. The most powerful roles in Oracle Fusion ERP Cloud include the Application Implementation Consultant (AIC) role, which has administrator-level access, and the IT Security Manager role, which is used to manage users and their assigned roles. Oracle EPM Cloud has separate user security for each module implemented (i.e., ARC, FCC, EDM, EPBCS, etc.), in addition to having completely separate user security from Oracle Fusion ERP Cloud. Although user security must be configured separately, the most privileged role stays the same: Service Administrator. Organizations must place great emphasis on restricting access to these roles and implementing least privilege to ensure users do not inadvertently modify system configurations that are critical to the organization. Unauthorized changes could affect system functionality and, from a SOX perspective, be cause for a control exception.
In addition to the privileged roles mentioned above, organizations should identify all roles that have access to modify key control configurations. To do this, an organization must identify where the configuration item lives, and then parse through the entitlements for every role to determine which roles have that access. For example, a key configuration might live in the "Manage Journal Sources" area within Oracle Fusion ERP Cloud; any control that has a key configuration within this area may be affected by any role with the "Manage Journal Sources" entitlement.
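As an added illustration (not code from the article or from Oracle) of the role-and-entitlement analysis described here and under user access management above: given a constructed role hierarchy with inherited entitlements, it lists every role that carries a given entitlement such as "Manage Journal Sources" and flags the separation-of-duties conflicts a user's combined roles create. All role, user and entitlement names other than "Manage Journal Sources" are assumptions.

```python
from collections import deque

# Constructed sample data (not Oracle's seeded roles or privileges, except the
# "Manage Journal Sources" entitlement the article uses as its example).
# role -> (directly granted entitlements, inherited roles)
ROLES = {
    "Application Implementation Consultant": ({"Manage Journal Sources", "Manage Users"}, {"General Accountant"}),
    "General Accountant": ({"Create Journal", "Post Journal"}, {"Journal Viewer"}),
    "Journal Viewer": ({"View Journal"}, set()),
    "Custom GL Config": ({"Manage Journal Sources"}, set()),
    "AP Clerk": ({"Create Supplier", "Create Invoice"}, set()),
    "AP Payment": ({"Pay Invoice"}, set()),
}
USERS = {  # user -> assigned roles (constructed)
    "alice": {"General Accountant"},
    "bob": {"AP Clerk", "AP Payment"},
    "carol": {"Custom GL Config", "Journal Viewer"},
}
# Separation-of-duties rules: holding every entitlement on both sides is a conflict.
SOD_RULES = [({"Create Supplier"}, {"Pay Invoice"}), ({"Create Journal"}, {"Post Journal"})]


def effective_entitlements(role):
    """Entitlements a role grants directly or through any depth of role inheritance."""
    seen, granted, queue = set(), set(), deque([role])
    while queue:
        current = queue.popleft()
        if current in seen:  # guards against cycles in the hierarchy
            continue
        seen.add(current)
        direct, inherited = ROLES[current]
        granted |= direct
        queue.extend(inherited)
    return granted


def roles_with_entitlement(entitlement):
    """Every role that carries the entitlement, including roles that only inherit it."""
    return sorted(r for r in ROLES if entitlement in effective_entitlements(r))


def user_entitlements(user):
    """Union of effective entitlements across all of a user's assigned roles."""
    return set().union(*(effective_entitlements(r) for r in USERS[user]))


def sod_violations(user):
    """SoD rules for which the user holds both conflicting sides."""
    held = user_entitlements(user)
    return [(sorted(a), sorted(b)) for a, b in SOD_RULES if a <= held and b <= held]
```

Note that alice's single out-of-the-box role already produces a conflict, which is the case the article warns about when relying on seeded roles alone.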
Monitoring and Support
So you've completely implemented Oracle Fusion ERP Cloud or Oracle EPM; what's next? Your organization needs to be able to provide continuing support for your user base, and quite possibly the current IT department doesn't have the knowledge or size to support it to the level that is needed. Until those resources are gathered and that knowledge is acquired, a third-party provider may be brought in to support user tickets or to troubleshoot items. Emphasis should be placed on the roles and/or entitlements given to these users; although they may be an extension of your company, privileged roles such as AIC, IT Security Manager, or Service Administrator should be strictly limited.
From a completeness and accuracy perspective, your organization should also implement controls to ensure that data transfers and reconciliations between cloud systems are correct and timely. Tollgates should be placed in the process to require review and approval before final sign-off after any data transfer.
From a due diligence perspective, procedures should be performed on any vendor or third party that is providing a service. The SOC 1/2 Type II reports for Oracle Fusion ERP Cloud and Oracle EPM should be thoroughly reviewed annually, and management may also decide to perform a walkthrough of the data center where the infrastructure resides. Further, any third party with access to your systems should be assessed annually, if applicable, and reliance should only be placed on a SOC 1/2 Type II report, which shows the operating effectiveness of the controls in place at that organization.
Schneider Downs' dedicated IT, financial, and operational audit professionals have Sarbanes-Oxley experience working with a variety of industries of all sizes, both domestic and international. We have proven experience with all the commonly used processes, applications, platforms, and databases, including Oracle Fusion ERP Cloud and Oracle EPM Cloud.