Oracle ERP configuration changes: What to monitor for SOX compliance

Oracle Enterprise Resource Planning (ERP) solutions are the fastest-growing enterprise resource planning products in the market. In 2024, Oracle surpassed SAP as the No.1 ERP provider globally for the first time.

One reason for this success is due to Oracle’s diverse ERP product line: Oracle Fusion Cloud ERP, Oracle EBS, and NetSuite.

Tens of thousands of organizations rely on Oracle Fusion Cloud, Oracle EBS, and NetSuite, and for their mission-critical financial processes and reporting. With so much riding on these systems, it’s not surprising that when it comes time for an audit, auditors ask tough questions around what changes are being made and who made those changes. These questions can include changes to master data, system configurations, and critical transactions.

Why do auditors zero in on these changes? Because they need the assurance that proper controls are in place. If these changes go unmonitored, financial reporting integrity can be compromised. This leaves the organization vulnerable to compliance violations, misstatements, and potential fraud.

For publicly traded companies, documenting critical changes is an internal control required under the Sarbanes-Oxley Act. For private or pre-IPO organizations, adopting the same discipline with internal controls is valuable to prevent internal fraud and is simply best practice for good governance.

What is SOX compliance?

The primary goal of the Sarbanes-Oxley Act is to provide transparency and accuracy regarding the company’s financial position for the benefit of investors, employees, and the general public. The law requires businesses to establish internal controls over their internal security and business systems and to verify these controls by independent external auditors. The law also provides oversight into the actions of a company’s CEO, CFO, and board of directors.

• Where is your sensitive data stored? 
• Who has access to that data? 
• Why are they accessing it?
• What can they do with it?  And, in the event of suspicious activities, can an organization put a stop to them and remediate access quickly? 

Why change tracking matters for SOX

Under SOX, documenting these types of changes is part of a strong internal control system. Private companies or those on the pre-IPO path can also benefit from strong controls to help prevent fraud while scaling.

ERP implementations take months—or longer—of careful effort to set correct parameters, align roles, and establish approval workflows that match the business policies and processes. Without reliable change tracking, those controls can slip silently over time, leaving no trail of what changed and when. Auditors look for that loss of visibility.

• Who modified specific vendor banking information?
• When did a user receive a special privileged role?
• What activities are admins performing?
• Who changed a financial reporting parameter?

Implement best practices

To assist with answering those questions auditors may pose around these internal controls, here are a few tips:

1. Track only what is necessary — Although vendor data is a common control point, certain non-critical vendor fields don't need to be tracked. The problem comes when companies overzealously try to audit everything, slowing the accounting system to a crawl.
   
   
2. Involve the application owners — IT departments set up audit trails without taking into consideration what information the application owners need to review. While the application owners might not even use the ERP in their daily jobs, they will review the reports. Make sure your IT team communicates with your application owners during the set-up process to determine what data changes you want to track.
   
   
3. Data maintenance — Audit trails create data that needs to be stored and maintained.  Develop a retention policy for your audit trail data, and remember that not all data will fall under the same retention policy.  How long do we need to keep vendor changes?  Customer changes?  Payroll changes?  1 month? 1 year? 7 years?   Once you have defined your retention policy, develop a plan to archive and purge your audit data based on your policy.
   
   
4. Report and review — What good is change tracking if you never review the reports? By following the first three tips, you will get the information you are looking for, but, be sure to continually review, follow up, and sign off on the resulting reports. This will not only help you quickly identify anomalies, it will help come audit time.

While these best practices can help prepare a company for audit, organizations run into a few challenges when relying solely on Oracle’s native capabilities.

The challenge to tracking changes natively

NetSuite, Oracle Fusion Cloud, and Oracle EBS all have native change logs available to customers; however, each has limitations that leave IT and audit teams doing extra manual work.

NetSuite has system notes for tracking changes. System notes are excellent because they capture changes to many areas out of the box; however, because they capture nearly everything, it makes it hard to isolate changes relevant to SOX. Critical changes like vendor banking info get mixed with trivial changes like a contact’s fax number. Due to the overwhelming nature of system notes, changes are typically hard to understand and can be like finding a needle in a haystack.

Oracle EBS has an audit trail that allows for tracking changes. Because EBS is an on-premise solution, configuring the change logs and applying those triggers can be difficult. The amount of data generated can also impact application performance. Much of the time, custom SQL scripts are often needed to get the audit trail data ready for SOX.

Lastly, Oracle Fusion Cloud has audit policies that can be flipped on to track specific objects. However, Oracle Fusion Cloud does not provide a full list of all configuration changes. One common misperception about ITGC-Change Management testing is that viewing the last update will show all previous updates. Unfortunately, there is no easy or reliable way to obtain a seeded report of all Oracle Fusion Cloud application configuration changes. The Last Update Date will not tell you how many times a field has been updated.

Similar challenges around cumbersome reporting, managing what should be tracked, and getting the data out for reporting are present across all three Oracle ERP systems.

Preparing for the SOX audit

To be SOX-compliant, firms must create and maintain documentation that provides evidence to prove that not only are controls in place and documented, but that they are also communicated, followed, and most importantly, functioning as designed. Keeping large volumes of records for financial data and providing extensive documentation for SOX compliance can be overwhelming when done manually.

One of the real complaints about SOX over the past twenty years is the amount of documentation or audit evidence that has been generated. In fact, it is nearly impossible to do this without the right technology in place.

Organizations need application access governance tools that can provide three critical capabilities around their financial systems of record: 

1. Effective enforcement of Segregation of Duties (SoD) policies 
   
   
2. Automatic logging and data tracking tools that generate clear reports throughout the year.
   
   
3. Centralized administration of identity governance and access controls. 

Automate your audit trail with Fastpath Change Tracking

Whether you leverage out-of-the-box templates or define the scope of the change tracking yourself, Delinea’s Fastpath Change Tracking will identify who made the change and provide before-and-after values and key metadata to determine appropriateness.

Fastpath solutions connect with all Oracle ERPs with prebuilt connectors. These connections enable Fastpath to retrieve the necessary Oracle user security data, like users, roles, and security permissions, which are then integrated into the platform. Once this integration is established, Fastpath automatically generates comprehensive reports that are immediately usable, without any additional customization needed.

Fastpath’s change tracking solution offers prebuilt auditor-designed templates to track the most commonly tracked tables and fields, giving customers a jump start on what they should be tracking rather than everything under the sun.

When it comes to Oracle Fusion Cloud, Fastpath provides additional reporting to assist in tracking configuration changes outside of what is available in audit policies.

Finally, with integrations to popular IT Service Management (ITSM) platforms, customers can associate tickets to changes to provide detailed evidence when it comes time for an audit. All Fastpath reports take the native changes, clean them up to make them easier to understand, and allow the correct reporting on who made a change, when the change was made, and what was actually changed.

Let Fastpath help transform your SOX audits from stressful chores to confidence-building exercises.

To see how easy it is to use Fastpath Change Tracking, check out the interactive demo.

Come see us at Oracle AI World 2025, from October 13-16 in Las Vegas.