  • Anyone out there who has worked on SOX compliance of Oracle e-Business suite of applications?
    Need some help/guidance on the following issue:
    Oracle Configuration setting changes are not considered s/w code changes, but are more of something like parameter changes which may affect the financial reports generated by the system. I’d like to know how you guys out there are putting in access controls around this?
    'cause from what I’ve heard from our Oracle dev group (I’m not an Oracle e-Business person), it seems such change needs to be done manually (u can't have a script to do this), and it seems the system keeps track of only the last change.
    Now, sometimes, for fixing prod problems, it seems the IT support person(s) may need to change these configurations, for which they would need to have access to certain conflicting ‘responsibilities’ in prod, that might not be okay per SOX. Which brings us to the issue of access controls over this area.
    What we are suggesting is to (1) put in a system to record the prod problem/helpdesk issue that led to the config change, (2) create a log where the IT person logs whatever config change they made, and (3) have an automated reporting system which will track all the changes to configurations (it seems our team is working on this).
    And then, at defined intervals of time, a report/comparison will be done between the manual log recorded by the IT person (2) and the automated system (3).
    Anyone out there who can suggest a simpler/quicker way to handle this issue?

  • Just a quick comment;
    Your solution sounds exactly like my company's ‘change control register’ solution.

  • Well… recently got an update that the automated tool for capturing configuration setting changes that we were so hopeful about, is not happening 😞
    It seems with this particular Oracle software (Oracle e-Business suite of Applications), it is not possible to generate a log of ‘configuration setting’ changes.
    Mind you, we are NOT talking about s/w code changes here. These are configuration ‘settings’ like specifying a book name, or a reporting period, number of days to be included etc. These setting changes might affect the financial reports, if changed.
    These are part of the available front-end functionality of the system, so that any user with appropriate access can go to one of the forms, and possibly change the config settings, without anyone else ever knowing (unless someone specifically starts looking for it) that any such change ever happened (because the system keeps track of only the last change).
    From what I’ve heard from our Dev team, Oracle advertised a ‘patch’ to generate a log of config setting changes, but the team has been facing a lot of challenges trying to put it in. I think it is called ‘Internal Controls Management’ … (not sure about the name?)
    So, anyone out there who knows how to tackle this entire issue?
    If you know of any Oracle product that would give a solution to this problem, pls let me know.

