12 Jul 19 Part 2: What Should We Audit?
What Should We Audit?
So you have decided to implement an audit trail to help you improve your internal controls, monitor your change management processes, help satisfy auditors, and to assist you in implementing your mitigating controls (among other things).
Great! So what now?
Once you recognize that an audit trail is essential, the next step is to determine what you are going to put into the audit trail; or in other words, what “change” are you going to track.
Just Audit Everything, Right?
Wrong, very wrong!
Oracle EBS is a very large and complex suite of applications covering the full 360-degree view of the business; some might suggest that you “just audit everything”, just in case. This is most certainly the wrong approach for many reasons (We discuss this topic when we introduce fine-grained auditing in the next article in the series); the correct approach to building an effective audit trail is to take a targeted approach or, in other words, audit only what you actually need.
By and large, most of the data you should track is non-transactional data, so rather than tracking order lines or invoice items or manufacturing routings, you should be looking at tracking change for things like…
- Master data
- Key Configurations
- Profile Options
- Security Setup
- Module Setups
- Purchasing Parameters
- Payables Parameters
- Journal Sources
- Approval Limits…etc
- High-Risk Functionality
- Functionality that allows SQL injection
There may be other types of data you may want to monitor but the above covers the most common areas.
What Not to Audit
Here are some things you generally don’t need to audit (unless you have a specific requirement to do so such as exceptional or unusual data, i.e. high-value invoices or payments)…
- Day to day transactional data
- Analytical data
- Temporary/transient data
- Interface data
Understanding exactly what to audit can be quite tricky due to the complexities of the underlying data model in Oracle EBS but this can be greatly simplified by using our own auditing solution, CS*Audit; not only because CS*Audit is a great audit trail solution but because it is available with over 600 predefined policies out of the box; so you can be up and running and auditing everything you need very quickly.
Want to know how we can help you build an effective audit trail for Oracle EBS? Get in touch today and ask us about CS*Audit.
Next Time & Early Access
The next article in this series is “Fine-grained auditing is the key to an effective audit trail“.
If you want to get access to these articles before anyone else, please subscribe to our newsletter.