6 Ways to Prepare Oracle EPM Applications for a SOX Audit
Author: David Silverstrim | September 29, 2021
Let’s face it: SOX audits aren’t something any of us want to have to think about. While they may be necessary, they are also cumbersome and stressful, especially if you haven’t lined up your ducks before the auditors come knocking.
Because Oracle EPM applications contain important financial data and reports, they are an essential review point for an audit, putting you in the hot seat. And with end of support for EPM 11.1 on the horizon, concerns around SOX audits and software compliance and certifications are top of mind for many Hyperion administrators and managers.
For this reason, we recently put together a Q&A about SOX audits and end of support to help you understand how end of support can affect your audit. But we also wanted to put together some guidelines to help you prepare your applications so you can feel confident about your overall compliance. Keep reading to learn six ways you can prepare for your next SOX audit.
Keep up with your documentation
The first rule of SOX preparation is “document, document, document.” Even if your security processes and policies are airtight, auditors are going to want to see proof that they are established and communicated to the appropriate parties. They will ask for documentation for everything from security policies to user access criteria to password requirements. Have it ready so you don’t have to go digging for it.
Maintain regular SOX compliance status reports
This might seem like overkill, but it will go a long way in not only reassuring auditors that you are on top of security, but also in keeping you in check in between audits. Keep a running compliance status report with a list of criteria the audit covers, and update the status of every item on a regular basis. Sign and date each report and include check marks and notes on each item so it’s clear that you completed your review in detail.
Reduce the use of spreadsheets as much as possible
Even with the sophistication of EPM applications, many companies are still relying on spreadsheets to move data or exchange reports. The potential for human error and the difficulty of tracking spreadsheets once they leave your outbox means they are a major security risk. While it might be hard to eliminate spreadsheets altogether, make use of the automations, integration capabilities, in-app dashboards, and digital sharing capabilities of your software to reduce their use. If you’re not sure how to do this, lean on a partner like Datavail who has the experience to enable or build these features for you quickly and efficiently.
Establish and document best practices
You no doubt have information security policies in place that control how you access, manage, document, and distribute financial information. Control Objectives for Information Technology (COBIT) and Information Technology Infrastructure Library (ITIL) are a couple of good examples of best practices, but most companies have their own policies as well. Document them as well as the steps involved in implementing and controlling them. If these are not already in place, we strongly recommend you approach senior management about it, or put them in place yourself. You will need them in place (and documented!) to pass a SOX audit.
Regularly review user access and security profiles
You should already have a process in place (and…documented!) for removing users who have left the company, adjusting access privileges when job functions change, and adding new users with the appropriate security profile. Establish a regular interval for reviewing and double-checking the status of each user and ensuring that past employees have been removed. Irregularities in user access are a common area where companies get tripped up in an audit because it’s easy to let people fall through the cracks. Stay on top of it. Sign and date each review.
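As an added illustration of that periodic review (example code written for this page, not from Datavail or the original post), the script below reconciles a provisioning export against the HR roster, flags terminated or stale accounts, and produces a dated, hashed review record. The CSV layouts, user names and the `SERVICE_ACCOUNTS` exception list are constructed for the example and do not reflect Oracle's actual Shared Services export format.

```python
"""Periodic EPM user-access review: reconcile provisioned users against HR."""
import csv
import hashlib
import io
from datetime import date

# Constructed sample exports (assumed layouts, not a real Oracle export format).
EPM_PROVISIONING_CSV = """user,group,role,last_login
jdoe,Finance_Admins,Planning Admin,2021-09-20
asmith,Finance_Users,Planner,2021-09-27
bjones,Finance_Users,Planner,2021-03-01
svc_fdmee,Integration,Service Administrator,2021-09-28
"""
HR_ROSTER_CSV = """user,status,department
jdoe,active,Finance
asmith,active,Finance
bjones,terminated,Finance
"""
# Non-human accounts with a documented owner; reviewed separately (assumption).
SERVICE_ACCOUNTS = {"svc_fdmee"}


def review_access(prov_csv, hr_csv, as_of, stale_days=90):
    """Return (user, reason) findings for accounts that should not be provisioned."""
    hr = {row["user"]: row for row in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for row in csv.DictReader(io.StringIO(prov_csv)):
        user = row["user"]
        if user in SERVICE_ACCOUNTS:
            continue
        hr_row = hr.get(user)
        if hr_row is None:
            findings.append((user, "provisioned but not in HR roster"))
        elif hr_row["status"] != "active":
            findings.append((user, "terminated but still provisioned"))
        last_login = date.fromisoformat(row["last_login"])
        if (as_of - last_login).days > stale_days:
            findings.append((user, f"no login in {stale_days} days"))
    return findings


def review_record(findings, reviewer, as_of):
    """Build the signed-and-dated evidence an auditor asks for: who reviewed what, when."""
    body = "\n".join(f"{user}: {reason}" for user, reason in sorted(findings))
    digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
    return {"reviewed_on": as_of.isoformat(), "reviewer": reviewer,
            "finding_count": len(findings), "sha256": digest}
```

Store each record with the review sign-off so the next audit cycle can show an unbroken, dated series of reviews.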
Stay up to date on your application patches and certifications
Depending on the requirements of your company’s SOX audit, implementing the latest patches and security updates may be necessary to stay compliant. This means you need to be on the latest version and in-support with the vendor. In the case of Oracle EPM on-premises, you’ll need to be on 11.2 (or moved over to Oracle EPM Cloud) by the end of the year. In addition, your databases and third-party applications need to be certified for use with your version of Oracle EPM, so upgrades might also be required for Java, Windows Server, Oracle Database, etc.
For an up-to-date matrix on the technologies that are certified for Oracle EPM 11.1 and 11.2, see our Oracle EPM On-prem Certification Comparison Chart.
This is by no means a comprehensive list of SOX audit preparation steps, but hopefully it gives you a concrete place to start from. For more information about how your version of Oracle EPM on-premises can affect the outcome of a SOX audit, take a look at our Q&A with practice lead, David Silverstrim. For additional questions or support in upgrading your Oracle EPM applications, reach out to our team to start the conversation.