Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Mailing Lists -> Oracle-L -> RE: Sarbanes Oxley reporting

RE: Sarbanes Oxley reporting

From: Powell, Mark D <>
Date: Mon, 12 Feb 2007 15:56:44 -0500
Message-ID: <>

We produce the reports that the outside auditors said we had to produce. We list every usage of the DBA ID's on production. We also have to list every usage of the SYS ID so we concatenate the Oracle produced $ORACLE_HOME/rdbms/audit files by database into a "report". This report is useless, but it is what the auditors asked for. The report is emailed to management every week and they have to keep a record acknowledging that the reports have been reviewed.  

Our big effort during our recent audit was to map every end-user to the capabilities of every application screen that the user had access to and comparing this to the limitations of the user job position. That is, if you have job X you cannot have the capabilities to perform task Y2 such as the person who orders material cannot be the perform who authorizes payment of an invoice for obvious reasons. Only in our case the review was carried down to the ability to update small pieces of information deemed reverent to each job. IT had long ago created a user to program mapping report, but the addition of the user position restrictions to the reporting was a major task. Many customers lost access to specific screens and some programs had to be changed to not be able to update certain columns. We can now provide this information on an ongoing basis.  

[] On Behalf Of Jared Still

	Sent: Monday, February 12, 2007 1:48 PM
	To: Oracle-L Freelists
	Subject: Sarbanes Oxley reporting

	Those of you that work in the USA, or even for USA based
	companies know what I'm referring to here.
	I am curious what type of reporting you do to document the 
	tests for your SOX controls in regards to Oracle databases. 
	The Sarbanes Oxley legislation is rather loosely written,
	leaving its interpretation pretty much open to negotiation
	between a company and its auditors.
	The reason for asking is that my reports have been accused 
	of being too verbose, or rather, have too much data, and not
	enough information.
	I disagree, and if anyone reading them would simply read
	the instructions on the first page, they would not have so
	much difficulty.  
	But I digress.
	It would be most interesting to see what kind of reports others
	are using to Satisfy SOX requirements for Oracle.
	Comments on possibly improving the reports I am currently
	generating would also be welcome. 
	The following types of reports for Sarbanes Oxley
	are supplied for various tests throughout the year.  
	All are in Excel.
	Each Excel file is for a single database.

** database_roles.xls - a list of all roles, with all privileges
granted to all roles. It is recursive, in that when a role is assigned to a role, it can be clicked on to drill down on the privileges. One role per page. This one does require some guidance if the auditor is unfamiliar with the privileges.
** oar.xls - oracle application roles - (something of a misnomer
here) This Excel file includes the following worksheets: System Accounts: All known Oracle/Application/Busisness specific database accounts are documented here, with the account owner and purpose. eg. SYSTEM, SCOTT, SAPR3, FNDAPP, etc. accounts Known Roles : Similar to System Accounts, but for Database

          Account Reconciliation: List of accounts in the database. Those not found

          in the System Accounts worksheet are flagged in Red.         

          Access Reconciliation: Roles assigned to accounts. Accounts not found

          in the System Accounts worksheet are flagged in Red.         

          Role2User: Roles assigned to users/roles, in ROLE order. Unknown accounts

          flagged in red.         

          Role2Privilege: Similar to Role2User, but for individual privileges.         

          User2Privilege: Similar to Role2User, but for user/role mapping to

          privileges, in user/role order.         

        Changed/new/deleted objects are highlighted in blue.         


	That does it for my reports.  I'm looking for ideas on
	how to consolidate this data into something auditor are
	more likely to read without looking quite so confused 
	when doing so.
	Discussion of how others are satisfying SOX reporting 
	requirements for Oracle databases should be interesting
	and useful.

Received on Mon Feb 12 2007 - 14:56:44 CST

Original text of this message