ISACA | Reviewed by Shasikanth Malipeddi, CISA
Oracle PeopleSoft HCM is one of the most commonly used human capital management (HCM) system found in medium to large companies in the US, and is expanding its presence to several other countries. Designed to centralize, simplify and act as a single source of employee information, Oracle PeopleSoft provides comprehensive solutions for human resource management, payroll, benefits administration and other employee-relation functions. Oracle PeopleSoft also has a major presence in other business fields including financials, supply chain and customer relationship management.
More recently, information security, audit and compliance requirements have made it extremely important for enterprises to properly secure the vast amount of personal, confidential and mission-critical information stored in these systems.
Security, Audit and Control Features Oracle PeopleSoft, 3rd Edition provides detailed information on the PeopleSoft system’s security and control features that are useful for anyone with a stake in information security. The book caters to a wide range of audiences by providing an understanding of how enterprise resource planning (ERP) systems—PeopleSoft in particular—are structured. It describes the impact of ERP systems on business processes and provides technical details about PeopleSoft security controls and implementation best practices.
The book opens with an executive introduction, describing changes since the second edition, and then provides an overview of PeopleSoft and ERP systems in chapter 2. Chapters 3 and 4 discuss how risk management and the audit approach change when implementing ERP systems. Chapters 5 through 8 build on this information and provide in-depth understanding of various PeopleSoft business cycles—particularly human resources and payroll—their risk, key controls and specific testing techniques.
Chapter 9 provides an overview of the PeopleSoft technical infrastructure and application security as well as key components, such as development and integration, data management, operations, and security administration tools. This information is complemented in chapter 10 by an overview of a sample tool set for use in auditing PeopleSoft, including:
The book closes with a discussion on various methods available for continuous monitoring controls, new directions for ERP auditing in the changing compliance landscape and emerging tools.
A comprehensive set of appendices provides internal controls questionnaires and audit programs for each of the following business cycles:
This publication is unique in that it provides comprehensive guidance regarding risk management, audit, security and control over PeopleSoft. These are important aspects that have not been dealt with elsewhere in a single publication.
This book is recommend for all IT audit, compliance and IT security personnel who deal with PeopleSoft systems. It provides valuable information on various types of risk, the potential consequences and appropriate key controls that need to be considered when implementing, operating, monitoring or auditing PeopleSoft ERP applications.
Security, Audit and Control Features Oracle PeopleSoft, 3rd Edition is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in this Journal, visit www.isaca.org/bookstore, email firstname.lastname@example.org or telephone +1.847.660.5650. Learn more and collaborate on Oracle and PeopleSoft at www.isaca.org/knowledgecenter.
Reviewed by Shasikanth Malipeddi, CISA, a senior IT security consultant with UNATEK Inc., which specializes in enterprise, end-to-end IT security solutions. Malipeddi’s consulting services have included ERP applications security, identity management/user life cycle management, access management, audit, and compliance in various industries including financial, educational, construction and public organizations.
Enjoying this article? To read the most current ISACA Journal articles, become a member or subscribe to the Journal.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.
© 2012 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.