Auditing the DBA in Oracle Applications: A Guide for Compliance and Audit Managers
In these days of Sarbanes-Oxley (SOX) regulations, Governance, Risk and Compliance (GRC) managers for Oracle E-Business Suite are tasked with developing and maintaining proper controls for their information systems that align with best practices so their organizations can attain compliance. These individuals may be well suited to design, approve and enforce business process-related controls, but they may not fully understand how to audit and control technical professionals such as Database Administrators (DBAs) and Information Technology (IT) staff. DBAs and IT staff access and manipulate enterprise data using methods that may be confusing or unknown to managers with less technical knowledge.
Therefore, it is essential to introduce and support appropriate and effective system-based controls by creating and maintaining a secure audit trail of transactions and operations within corporate databases that can be overseen by non-technical managers. To accomplish this, the managers and auditors tasked with compliance must gain a better understanding of the DBA’s role, privileges, and capabilities, and of how to effectively audit DBA activity in the database. They cannot simply rely on DBAs to audit themselves; that would violate basic segregation of duties principles.
As the title suggests, this paper will benefit compliance and audit managers, non-technical managers and business analysts who are tasked with securing Oracle E-Business Suite for SOX and segregation of duties compliance purposes, but who are not familiar with the general details of the Oracle database or with the capabilities and privileges of the DBA. Specifically, this paper speaks to those who have implemented or are implementing controls for application end users, and whose next step is to design and implement a strategy for deploying controls for DBA and IT staff users.
In the context of recent Sarbanes-Oxley (SOX) legislation, external auditors have scrutinized DBA access and have required controls, and systematic proof of those controls, before certifying SOX or GRC compliance. After all, the systematic controls for application end users have little impact on your DBA’s ability to tamper with financial records in the database.
To facilitate the implementation of such controls, this paper will familiarize the reader with important attributes of the Oracle Database and the available roles and privileges of an Oracle DBA. It reviews and discusses approaches and mechanisms to limit DBA power, segregate DBA duties, and audit DBA activity. With this information, it is possible to mitigate the risk that a DBA could modify or circumvent end user controls without detection, obstruct audit mechanisms, or compromise the audit trail itself.