Suggestion: Thread for SOX or ICC (for Canada) Issues and Recommendation
Posted: 13 September 2006 05:19 AM

These days many organizations are undergoing Sarbanes-Oxley review (or Internal Controls Certification for Canada), which has a far-reaching impact on Oracle Applications usage policies and control requirements. It would be useful to have a thread going that captures experiences on this topic.

For example,

Review Observation: Oracle application SYSADMIN account should not be shared and use should be reviewed by the company's Principals.

Resolution: Formalized a process for allowing access to the SYSADMIN account. Access is only provided by CIO or CFO. Implemented an Oracle Alert that sends an email to CIO or CFO when the SYSADMIN account is used to log into the applications.

Posted: 20 September 2006 05:07 AM   [ # 1 ]

This is a very strange control and I find it hard to believe that the CFO / CIO of any organization would want to receive an email anytime a person logs in as SYSADMIN user. The very fact being that the CRM Admin Application uses SYSADMIN as a default to administer all internal processes for CRM applications and in fact the SYSADMIN user name and password are held in JTF Property values. A better control would be an approval email from the CIO to the DBA to be responsible for the maintenance of the SYSADMIN User id and password and that way there is a control and audit trail in place to satisfy the SOX compliance. I don’t think SOX mandates that you need to have controls that will impact the performance of your application environment.

OraSAM
