
6 Ways to Prepare Oracle EPM Applications for a SOX Audit

Author: David Silverstrim | September 29, 2021


 

Let’s face it: SOX audits aren’t something any of us want to have to think about. While they may be necessary, they are also cumbersome and stressful, especially if you haven’t lined up your ducks before the auditors come knocking.

 

Because Oracle EPM applications contain important financial data and reports, they are an essential review point for an audit, putting you in the hot seat. And with end of support for EPM 11.1 on the horizon, concerns around SOX audits and software compliance and certifications are top of mind for many Hyperion administrators and managers.

For this reason, we recently put together a Q&A about SOX audits and end of support to help you understand how end of support can affect your audit. But we also wanted to put together some guidelines to help you prepare your applications so you can feel confident about your overall compliance. Keep reading to learn six ways you can prepare for your next SOX audit.
 

  1. Keep up with your documentation

    One of the top rules of SOX preparation is “document, document, document.” Even if your security processes and policies are airtight, auditors are going to want to see proof that they are established and communicated to the appropriate parties. They will ask for documentation for everything from security policies to user access criteria to password requirements. Have it ready so you don’t have to go digging for it.

  2. Maintain regular SOX compliance status reports

    This might seem like overkill, but it will go a long way in not only reassuring auditors that you are on top of security, but also in keeping you in check in between audits. Keep a running compliance status report with a list of criteria the audit covers, and update the status of every item on a regular basis. Sign and date each report and include check marks and notes on each item so it’s clear that you completed your review in detail.

  3. Reduce the use of spreadsheets as much as possible

    Even with the sophistication of EPM applications, many companies are still relying on spreadsheets to move data or exchange reports. The potential for human error and the difficulty of tracking spreadsheets once they leave your outbox mean they are a major security risk. While it might be hard to eliminate spreadsheets altogether, make use of the automations, integration capabilities, in-app dashboards, and digital sharing capabilities of your software to reduce their use. If you’re not sure how to do this, lean on a partner like Datavail who has the experience to enable or build these features for you quickly and efficiently.

  4. Establish and document best practices

    You no doubt have information security policies in place that control how you access, manage, document, and distribute financial information. Control Objectives for Information Technology (COBIT) and Information Technology Infrastructure Library (ITIL) are a couple of good examples of best practices, but most companies have their own policies as well. Document them, as well as the steps involved in implementing and controlling them. If these are not already in place, we strongly recommend you approach senior management about it, or put them in place yourself. You will need them in place (and documented!) to pass a SOX audit.

  5. Regularly review user access and security profiles

    You should already have a process in place (and…documented!) for removing users who have left the company, adjusting access privileges when job functions change, and adding new users with the appropriate security profile. Establish a regular interval for reviewing and double-checking the status of each user and ensuring that past employees have been removed. Irregularities in user access are a common area where companies get tripped up in an audit because it’s easy to let people fall through the cracks. Stay on top of it. Sign and date each review.

  6. Stay up to date on your application patches and certifications

    Depending on the requirements of your company’s SOX audit, implementing the latest patches and security updates may be necessary to stay compliant. This means you need to be on the latest version and in-support with the vendor. In the case of Oracle EPM on-premises, you’ll need to be on 11.2 (or moved over to Oracle EPM Cloud) by the end of the year. In addition, your databases and third-party applications need to be certified for use with your version of Oracle EPM, so upgrades might also be required for Java, Windows Server, Oracle Database, etc.

For an up-to-date matrix on the technologies that are certified for Oracle EPM 11.1 and 11.2, see our Oracle EPM On-prem Certification Comparison Chart.

Final Thoughts

This is by no means a comprehensive list of SOX audit preparation steps, but hopefully it gives you a concrete place to start from. For more information about how your version of Oracle EPM on-premises can affect the outcome of a SOX audit, take a look at our Q&A with practice lead, David Silverstrim. For additional questions or support in upgrading your Oracle EPM applications, reach out to our team to start the conversation.
