Building an Audit Trail in an Oracle Applications Environment
Sarbanes-Oxley’s section 404 requires a company’s key systems be audited. However,
many companies have ‘unauditable’ systems and don’t even know it. This paper explores
methods by which companies can create an auditable system by implementing various
levels of audit trails in Oracle Applications.
Executive Summary:
The technology revolution of the past ten years has been staggering. We have witnessed
monumental and historic events such as Y2K and the dot-com boom/bust. As part of this
revolution, we have seen many companies migrate from using mainframe systems to
client-server and, most recently, to web-enabled applications. We have also observed the
explosion of ERP applications that run on multi-tier architectures. New technology
brings new challenges.
Alongside the revolution of technology, there has been a revolution of corporate
accountability. Legislation such as Sarbanes-Oxley (SOX), California Senate Bill 1386,
HIPAA, Basel II, and the Gramm-Leach-Bliley Act (among others) has resulted in greater
scrutiny and larger penalties for poor corporate governance and security. Much of the
risk from this legislation rests on IT systems.
Sarbanes-Oxley’s section 404 requires a company’s key systems to be audited. However,
many companies have ‘unauditable’ systems and don’t even know it. There is no magic
solution or silver bullet in creating an auditable system that satisfies all the requirements
for proper corporate governance; rather, a layered approach of auditing and logging is
required to provide a comprehensive and thorough audit trail. This paper explores
methods and degrees by which companies can create an auditable system by
implementing various levels of audit trails in Oracle Applications.
There are five primary ways to develop an audit trail:
1. Standard Application Auditing
2. Application Level Audit Trail
3. Database Event Auditing
4. Database Trigger Aud