ACL AuditExchange 3 - Acl.com

TECHNICAL BRIEF
ACL AuditExchange 3:
Technology for Business Assurance

CONTENTS
Introduction ................................................................................................................................... 3
Why Does Audit need ACL AuditExchange ................................................................................. 3
How ACL AuditExchange Can Help ............................................................................................. 3
What’s New in ACL AuditExchange 3 .......................................................................................... 4
Capability Overview by Platform Component ............................................................................... 5
AX Core Components ........................................................................................................... 5
Optional Components: For Advanced Data Access and Analytic Capability ........................ 6
AX Core Technical Description .................................................................................................... 7
Client Interfaces .................................................................................................................... 7
AX Core Server Modules ...................................................................................................... 7
Communication Ports ......................................................................................................... 10
System Security .................................................................................................................. 11
AX Core and AX Gateway Configuration ............................................................................ 11
Optional Components Technical Description ............................................................................. 12
AX Exception .................................................................................................................. 12
Communication Ports ......................................................................................................... 13
Direct Link ....................................................................................................................... 15
AX Datasource ................................................................................................................ 15
Communication Ports ......................................................................................................... 15
AuditExchange Platform: Deployment and Usage Considerations ............................................ 16
Repository Design .............................................................................................................. 16
Data Access ....................................................................................................................... 16
Data Management .............................................................................................................. 16
Security ............................................................................................................................... 17
AuditExchange Server Hardware architecture ........................................................................... 18
AX Core .............................................................................................................................. 18
AX Exception ...................................................................................................................... 19
AX Datasource ................................................................................................................... 20
Supported Configurations ................................................................................................... 20
© Copyright 2011 ACL Services Ltd. ACL and the ACL logo are trademarks or registered trademarks of ACL Services Ltd. All other trademarks are the property of their respective owners. 2

INTRODUCTION
ACL AuditExchange is a robust Java platform that is built using the best of
open source technologies and adheres to many industry standards. This
document is intended to provide technical details of the platform, including
its components and underlying technical processes, for IT departments to
help assess their requirements for implementation, upgrade, and/or ongoing
maintenance.
There are two releases of ACL AuditExchange 3: one release supports
Unicode data, and a separate release supports non-Unicode data. This is a
very important distinction for your IT and audit department to consider –
because if an ACL Project is opened in a Unicode edition it cannot be
converted back to be opened in a non-Unicode ACL Desktop edition.
WHY DOES AUDIT NEED ACL AUDITEXCHANGE
All organizations face risk, and your audit department helps mediate your
organization’s risk by testing data to ensure your business controls are
effective – this is known as business assurance. Finance, IT, Operations
and Fraud Prevention are all areas where audit can provide assurance and
eliminate risks that can cost your organization money, and in worse case
scenarios devastate an organization’s reputation.
Reasons why you need to
consider Unicode
» Do you plan to analyze data with
textual characters containing
double-byte data or Cyrillic
languages, such as: Chinese,
Japanese, Korean, Turkish,
Russian, Arabic, Hebrew or any
other Asian or non-Western
European language?
» Do you now or do you plan to
connect to databases or
Enterprise Resource Planning
(ERP) systems (e.g., SAP) that
have Unicode encoding?
If you are unsure, please check
with your audit or IT department,
and also with an ACL
representative to discuss options
and repercussions.
Here are the challenges audit faces in providing that assurance:
• Data access – getting secure reliable access to your enterprise data when they need it. The largest
organizations may have more than a hundred different ERP or enterprise data systems, and the
smallest organizations may only have a few but face equal challenges getting to those few.
• Managed storage – security is paramount once the data is accessed from the source systems.
Now audit needs a centralized place to store, manage, analyze and distribute any sensitive content
in a controlled or restricted way across the broader audit team and to relevant stakeholders in the
organization. This managed storage must meet or exceed the security requirements imposed by
IT, organizational, regional and/or regulatory security policies.
• Coverage – in facing both increasing business risks and volumes of transactions in the global
economy, Audit is tasked with providing more assurance with the same or less resources; therefore
Audit needs a toolset to help provide more coverage.
HOW ACL AUDITEXCHANGE CAN HELP
The ACL AuditExchange platform is designed to overcome the challenges that audit faces and in turn
provide more coverage and ultimately the business assurance your organization needs.
• Data access – ACL AuditExchange provides multiple options for Audit to gain access to the
enterprise data it needs to test in order to provide assurance, without overburdening IT resources
or compromising the data systems that IT ensures are available, protected and optimized.
» ACL AuditExchange and ACL Desktop can use native and direct data access to any
existing data system or use a read only view to a data warehouse that IT already has in
place, in an automated or ad hoc manner as required.
» Direct Link is an optional component required to access SAP ERP data directly.
© Copyright 2011 ACL Services Ltd. ACL and the ACL logo are trademarks or registered trademarks of ACL Services Ltd. All other trademarks are the property of their respective owners. 3

» AX Datasource is an optional component that partners with Informatica’s PowerCenter
ETL solution (extract, transform, load) to help gather more complex organizational and data
environments, and to help meet the most sophisticated analytic requirements – continuous
audit and monitoring that provides the ultimate in coverage and business assurance.
• Managed Storage – ACL AuditExchange provides a managed and secure platform for audit and IT
to ensure and govern which users have access to which data or sensitive content.
• Coverage – ACL AuditExchange helps audit provide more coverage in a number of ways:
» It reduces the amount of time required for data access, especially if automated processes
are established. This frees up specialized data auditors to utilize their skills in other areas.
» The managed platform allows data that is required for many audit tests to be re-used and
re-purposed, whilst providing maximum security and flexibility for sharing and distribution
when required.
» Lastly, the optional component AX Exception allows the data analytic experts in audit to
prepare the analytic tests to find transactions that exceed your business controls and then
distribute to business stakeholders for review and follow-up based on your organizations
remediation process for high risk business areas.
WHAT’S NEW IN ACL AUDITEXCHANGE 3
New architectural features for IT to consider:
• Oracle 10 & 11 is now supported as a database for AX Core and AX Exception.
• Single Sign On is supported for the AuditExchange platform using Integrated Windows
Authentication, which extends to any 3rd Party SSO Solution that uses the same.
• Unicode or non-Unicode data can now be analyzed and stored using the platform.
• 64-bit server architecture is supported and recommended, but the analytic engine is still a 32-bit
application that requires 32-bit drivers.
New features for the specialist auditor using AX Core Client:
• AX Core Client (formerly AX GatewayPro) now contains an editor to view and edit existing AX
analytics and ACL Desktop scripts.
• AX Core Client can now run or schedule AX Analytics in the Library.
• AX Core Client can now create Master, Linked or Standalone ACL Tables by copying.
• AX Core Client can now create Master, Linked or Standalone AX Analytics by copying.
• AX Analytics now support an encrypted password parameter.
• A single AX Analytic can now publish multiple result tables to AX Exception.
New features for the broader audit team using AX Gateway:
• ACL Tables can now be opened in Microsoft Excel from AX Gateway.
• A new menu and home page for improved navigation and easier access to working items.
New features for the business stakeholders using AX Exception:
• Attachments can now be uploaded to a single or batch of exceptions.
• User Interface improvements for easier navigation and filtering.
• Usability improved for editing, scrolling and selecting exceptions for remediation.
© Copyright 2011 ACL Services Ltd. ACL and the ACL logo are trademarks or registered trademarks of ACL Services Ltd. All other trademarks are the property of their respective owners. 4

CAPABILITY OVERVIEW BY PLATFORM COMPONENT
AX Core Components
Following is a capability overview of each component of the ACL AuditExchange platform. As your audit
department becomes more sophisticated in its analytic capabilities, it will need more of the optional
components in order to meet increasing assurance needs.
AX Core — the hub of AuditExchange
AX Core is the hub of ACL’s business assurance platform. It contains both the AX Core application
server and the AX Core database server, though it is recommended they be distributed to optimize
performance. AX Core stores and manages all audit content, regardless of file type, including
associated audit documents. Leveraging server security and speed, AX Core provides powerful analytic
processing capabilities and the ability to easily schedule and automate analysis in a secure
environment.
AX Core Client is the thin client user interface that supports specialized data analysts, and provides
administrative setup of your audit projects in the repository, management of users and content
permissions, and manual loading of audit content to the AX Core to support remote and ad hoc analysis.
The AX Core Client requires an instance of ACL Desktop in order to startup.
ACL Desktop Edition
ACL Desktop is recognized worldwide as the leading PC-based data analysis software for audit and
financial professionals. Providing a unique and powerful combination of data access, analysis and
integrated reporting, ACL Desktop enables you to gain immediate visibility into transactional data critical
to your organization. Whether as a standalone tool, or as part of the more powerful AuditExchange
solution, ACL Desktop allows you to analyze entire data populations in search for transactional
anomalies. ACL Desktop provides the tool for remote and ad hoc analysis, as well as the development
environment to create analytics and prepare data for loading to AX Core.
AX Gateway
AX Gateway is an optional web-based server and client which allows your audit specialists to share
work that is tasked to the broader, less specialized audit staff in a secure manner, and provides easy-touse
analysis capabilities. The AX Gateway web server is embedded and installed in AX Core, but it may
require separate activation if licensed separately. AX Gateway now allows users to open ACL tables in
Excel 2003, 2007 or 2010, but the optional Add-ins are required to do this.
AX Add-ins for Microsoft Office
AX Add-ins for Microsoft Office are an optional component that provides the ability to Open, Save or
Insert URLs to/from AX Core content within six Microsoft Office applications: Excel, Outlook, Word,
PowerPoint, Project or Visio. AX Add-ins are required for Gateway users to open ACL tables directly to
Excel in AuditExchange 3.
© Copyright 2011 ACL Services Ltd. ACL and the ACL logo are trademarks or registered trademarks of ACL Services Ltd. All other trademarks are the property of their respective owners. 5

Optional Components: For Advanced Data Access and Analytic Capability
AX Exception — quickly correct fraud, error and inefficiency
An add-on component to ACL AuditExchange, AX Exception is a web-based application that offers the
ability to immediately manage the distribution, assignment, escalation and remediation of each
exception found during data analysis testing – limiting the impact of fraud, error and inefficiencies on the
organization. This component requires the most sophisticated analytic capability targeted at audit
departments that are ready to transition from continuous audit, where the audit team investigates all
results, to continuous monitoring where investigation is turned over to business stakeholders using the
AX Exception system.
Direct Link — Seamless access to SAP ERP table data
The Direct Link solution provides ACL Desktop and AuditExchange users direct and secure access to
SAP ® ERP data when it’s needed without having to rely on busy IT resources. Direct Link has achieved
SAP interface certification designation for all SAP ERP releases. Direct Link requires the installation of:
a Direct Link SAP Add-on component on the SAP system(s); a Direct Link client on the ACL Desktop(s);
and an AX Link client on the AuditExchange server(s).
AX Datasource — Direct access to enterprise data types
Powered by Informatica ® PowerCenter ® , the worldwide market leader in Extract, Transform and Load
(ETL) technology, AX Datasource provides access to more enterprise data types than any other
technology on the market. It also supports automated data extracts and the ability to mask sensitive
data, allowing for faster and more comprehensive repetitive and continuous analysis.
Figure 1: AuditExchange Platform Summary
© Copyright 2011 ACL Services Ltd. ACL and the ACL logo are trademarks or registered trademarks of ACL Services Ltd. All other trademarks are the property of their respective owners. 6

AX CORE TECHNICAL DESCRIPTION
Client Interfaces
AX Core Client
Formerly named AX GatewayPro, AX Core Client is a thin client Java
application that provides the user interface for managing the content,
security, and users of AX Core. It comes with its own Java Runtime
Environment (JRE), so a separate JRE need not be installed on each user’s PC.
ACL Desktop Edition
ACL Desktop Edition runs on a user’s PC, where it provides a user
interface and analytic engine for ad hoc or remote data analysis. ACL
Desktop is also the environment for developing analytics that can be run
and scheduled in AX Core.
When accessing server-side data and performing ad hoc desktop analysis or running scripts locally,
ACL Desktop accesses server resources using AX Core Desktop Connector (see “AX Core Server
Modules” below) over TCP/IP, using default port 10000. While connected to the server, the data
remains on AX Core for security, and ACL commands are processed server-side, using server
resources. This is also the recommended way to utilize existing ACL Desktop scripts without the
necessary conversion or migration to AX analytics if not required for distribution to other users or
automation.
Important: For the Unicode release, a different edition of ACL Desktop is required, so existing customers
may need to replace their existing ACL Desktop client if their organization requires analysis of Unicode
data.
AX Gateway
AX Gateway is the optional browser-based interface that supports Internet
Explorer 6, 7, and 8. Internet Explorer connects to AX Core using https
(http over SSL). AX Gateway is used to open ACL data tables in Excel for
secondary analysis or reporting, but requires AX Add-ins.
AX Core Server Modules
AX Core is composed of the following six server modules.
1. AX Core (application server)
AX Core is central to the ACL AuditExchange platform, providing the following:
• AuditExchange repository – storage and retrieval of analytics, tables, ACL projects, data files, and
any associated audit documents, for example MS® Word (.doc, docx), Excel® (.xls, .xlsx), .pdf, or
other media files.
• AuditExchange user management, including user setup and managing permissions on repository
content.
© Copyright 2011 ACL Services Ltd. ACL and the ACL logo are trademarks or registered trademarks of ACL Services Ltd. All other trademarks are the property of their respective owners. 7

• Quartz scheduler - Quartz is used by AX Core to run and schedule AX analytics for automation,
and continuous audit and monitoring.
• Analytic engine for AX analytic and ACL script execution.
• Central Authentication Service (CAS) is used by AuditExchange to provide form-based
username/password authentication or silent, also known as integrated windows authentication.
Authentication is described in later sections.
• Analytic engine executes any commands, functions or scripts in ACL Desktop when an ACL
Project is opened in AX Core Client from the server and the source data .fil file remains on the
server.
2. AX analytic server
The analytic server is the execution environment for analytics initiated through AX Core. ACL
AuditExchange allows you to move analytic processing off of the AX Core server, and only the smallest
of audit departments with light audit usage should consider not deploying this distributed server in their
hardware architectural configuration. By configuring one or more analytic servers, you can schedule
many long running, data intensive analytics, or even run analytics during working hours, without
impacting the AX Core server. By moving analytic processing away from the AX Core server, AX Core
will be able to dedicate its resources to handing end user requests from AX Gateway and AX Core
Client. AX Gateway and AX Core Client will be more responsive, providing increased productivity and a
better user experience.
Analytic servers are easily installed and configured. Once the software is installed, the AX Core
administration console provides the ability to add, remove, and configure analytic servers. Each analytic
server can be configured with a maximum number of concurrent analytics, allowing each server to be
configured based on capability and performance. If the analytic servers are processing their maximum
number of concurrent analytics, any further analytics are automatically queued by AX Core until an
available core processor becomes free.
Performance Information
When an analytic is run or triggered via schedule, an ACLScript.exe process is launched. The
ACLScript.exe process exits when the analytic script finishes.
To reduce load on the AX Core server, one or more analytic servers should be used. Analytic servers
are dedicated to running analytics. When at least one AX Analytic server is deployed separate from AX
Core, AX Core stops processing analytics and only governs dispatching queued analytics until an
available core processor is available on the AX Analytic server.
System resource usage by the analytic server depends on how many analytics are concurrently run, the
ACL commands used, and the amount of data being analyzed. Another factor impacting performance is
for analytic script authors to perform an extract on the data, so that subsequent scripting commands are
not congesting throughput from the source data to the analytic server. Even though an ACLScript.exe
process is single-threaded, multiple CPU cores are taken advantage of if running multiple analytics
simultaneously governed by AX Core. The Windows operating system determines which CPU core is
assigned to an ACLScript.exe process. Analytics should be scheduled to make efficient use of server
resources. The analytic server will benefit from fast CPUs and fast disk I/O throughput, but running
many analytics simultaneously can affect performance, particularly when analyzing large data sets. For
heavy analytic usage against large data sets, a Storage Area Network or Network Attached Storage
application with fibre channel is recommended.
© Copyright 2011 ACL Services Ltd. ACL and the ACL logo are trademarks or registered trademarks of ACL Services Ltd. All other trademarks are the property of their respective owners. 8

3. AX Core desktop connector
The AX Core desktop connector is embedded within AX Core. It provides communication for data
access between AX Core and the ACL Desktop client interfaces, using an aclse.exe process.
When AX data tables or ACL projects/AX analytics are exported from AX Core, the default behavior is
for data files (.fil) to remain on the server machine (although exporting of data files for offline work is
supported). Using ACL Desktop’s ability to connect to AX Core desktop connector, AuditExchange
allows remote access to data files residing in the AX Core repository. Sensitive data files remain on the
server. This type of usage might be favored by your audit or IT department in order for your audit
department to meet your organizational or regulatory security policy.
Database Access
The AX Core desktop connector supports direct access to Oracle, DB2 ® and SQL Server databases.
When reading data from the direct database interfaces, the database provides only raw data via SQL
SELECT statements, as the data analysis is performed by ACL’s analytical algorithms, not SQL
statements. Direct database access in this mode uses native, RDBMS vendor-provided drivers to
connect to the database, inheriting security and functionality such as tie-ins to Active Directory and
support for clusters from the drivers. Using the vendor-provided drivers also means that the AX Core
desktop connector can function in any database topology supported by the vendor, such as accessing
OS/400-based DB2 data using DB2 Connect from a Windows server.
Performance Information
Each connection from the ACL Desktop Edition client to the AX Core desktop connector creates a new
aclse.exe process on the AX Core server machine. The aclse.exe process exits when the ACL Desktop
connection is closed.
Server resource usage by the ACL server depends on how many ACL Desktop users are connected,
which ACL commands are executed, and the size of the data being analyzed. Even though an aclse.exe
process is single-threaded, multiple CPU cores are taken advantage of since each ACL Desktop
connection creates an aclse.exe process. The Windows operating system determines which CPU core
is assigned to an aclse.exe process.
While ACL Desktop is connected to the AX Core server, ACL commands are executed by the AX Core
desktop connector. This impacts server resources since CPU cycles, disk I/O, and memory are
consumed by each aclse.exe process. Depending on the ACL command executed, and the size of data
file, aclse.exe processes can consume significant CPU cycles and disk I/O. Memory is less of a concern
since each aclse.exe has a relatively low memory requirement of a few MBs, plus an additional (up to)
5MB while sorting data (configurable up to 100MB for improving sort performance at the expense of
memory). As more users open and work with AX Core repository data files, more AX Core server
resources are consumed.
The AX Core server will benefit from fast CPUs and fast disk I/O throughput. Understanding your audit
department’s usage requirements will help IT deploy the appropriate hardware configuration to optimize
performance.
© Copyright 2011 ACL Services Ltd. ACL and the ACL logo are trademarks or registered trademarks of ACL Services Ltd. All other trademarks are the property of their respective owners. 9

4. Geronimo Application Server
Apache Geronimo is an enterprise Java application server, providing similar services and functionality
as IBM Websphere and Oracle Weblogic. AX Core, AX Core Client, AX Gateway, AX Core
administration, AX Exception, and AX Exception administration all run within the Geronimo Application
Server.
5. Tomcat Web Server
In AX3, AX Gateway is an optional component. For new installations, the Gateway web server is
included in the AX Core Geronimo application server, and although it is only one installation, it does
require separate activation from AX Core. For customers upgrading from AX2.x no extra steps are
required to activate Gateway.
6. AX Core database
The AX Core database can be either Oracle or PostgreSQL. For PostgreSQL, the PostgreSQL server
and the AX Core database can be installed and configured by the AX Core installer. For organizations
that require Oracle, an Oracle DBA is first required to create a schema for AX use, and the DBA will
provide connection information that the AX Core installer can use when creating AX Core database
tables, stored procedures, etc.
The AX Core database holds the AX Core repository content, with the exception of data files (.fil). Data
files are stored outside the database due to their potential size, and because the AX Core desktop
connector and the AuditExchange analytic engine require direct access to the data files.
The AX Core database also holds ACL AuditExchange user and role information, which accommodates
AX Core and AX Exception (optional component).
Important: For Oracle and the Unicode release of AuditExchange, an Oracle instance with the database
character set and the national character sets set to either UTF-8 or UTF-16 is required.
The AX Core database is recommended to be installed on a separate server from AX Core for all but
the smallest of audit departments and resulting usage.
7. AX Core administration
It provides remote access to AX Core configuration settings, including configuration of analytic servers.
These are the same settings that are noted below as are set within the aclAuditExchange.xml file. This
console is accessed using a web browser.
Communication Ports
Default Port Component – Protocol Encryption Remote connectivity required?
4201 Geronimo EJB - Remote Method SSL
Yes – AX Core Client
Invocation (RMI)
5432 PostgreSQL Database – custom Supported Yes(*) – AX Exception
8443 Geronimo Web Server – https SSL Yes – AX Gateway (web browser) &
AX Core Client & AX Datasource
importer
© Copyright 2011 ACL Services Ltd. ACL and the ACL logo are trademarks or registered trademarks of ACL Services Ltd. All other trademarks are the property of their respective owners. 10

Default Port Component – Protocol Encryption Remote connectivity required?
10000 ACL server – custom TwoFish 128bit Yes – ACL Desktop
1099 Geronimo Naming – JNDI None No
1527 Geronimo System Database - custom None No
8009 Geronimo Web Server – AJP None No
8080 Geronimo Web Server – http None No
9999 Geronimo Management – JMXMP None No
61613 Geronimo Messaging – Stomp None No
61616 Geronimo Messaging – OpenWire None No
* Remote connectivity to the AX Core database is required if AX Exception is running on a separate
machine.
Note: Your IT will stipulate which port is required when Oracle is used as the AX Core database server.
System Security
The following system accounts are required by AX Core and are optionally created by the AX Core
server installation (if not already existing):
• A Geronimo service account
• An AX database service account for PostgreSQL or Oracle
Additionally, AX Core requires a PostgreSQL user account (also specified during the AX Core
installation).
The table below notes how the AX Core system performs specific background actions:
Action
Scheduled AX Analytic
“Run Now” AX Analytic
AX Core desktop connector session
(initiated via ACL Desktop Edition)
Run By
Geronimo service account
Geronimo service account
Logged in user
AX Core and AX Gateway Configuration
The following files contain configuration settings for the AX Core and AX Gateway servers. Notable
settings are described for each of them below.
aclAuditExchange.xml:
• AX Core data directory – The file path where AuditExchange stores repository data files (.fil).
• AX Core file transfer directory – The file path used for temporary file storage during upload and
download operations.
• AX Core analytic engine working directory – The file path used by AX Core as the default
location for storing ACL table data files (.fil). For each user that connects to AX Core via the AX
Core desktop connector from the ACL Desktop client, a directory is created here named after the
user’s name.
• AX Core analytic engine port number – The port number used by the AX Core desktop
connector (ACLSE) service.
© Copyright 2011 ACL Services Ltd. ACL and the ACL logo are trademarks or registered trademarks of ACL Services Ltd. All other trademarks are the property of their respective owners. 11

• Default domain – The Active Directory domain to use by default if a user does not specify a
domain when they log in.
• AX Exception data upload URL – The URL that AX Core uses to publishing exception results to
AX Exception. This text box is only displayed if AX Exception is installed.
• AX Datasource address – The IP address of the AX Datasource server. This text box only
requires a value if AX Datasource is used to automatically send data extracts to the AX Core
repository.
aclDatabase.xml:
• Contains the hostname or IP address of the AX Core database server, the database driver type
(Oracle or PostgreSQL), along with the database username and password. Because
aclDatabase.xml contains sensitive user and password information, it is automatically encrypted by
AX Core. Once encrypted, the settings cannot be modified except by recreating the file.
aclQuartz.properties:
• Contains configuration for the Quartz scheduler.
aclSchedulerCluster.xml
• Controls the number of concurrent analytics which can be executed by AX Core. This file also
contains the settings for analytic servers.
aclScriptEngine.xml
• Contains configuration settings for the analytic engine, such as the path to the ASCLScript.exe
axGateway.properties:
• Temporary work directory when opening an ACL data table in Excel.
• The Excel template file to use when opening an ACL data table in Excel.
• Maximum number of items displayed within the Recent Work screen – default 25.
• Number of days past to display Recent Work items – default value 7.
• Maximum single file upload size into the repository.
» Default is 2Gb
» Maximum is 2Gb
• Maximum number of items returned by a Search – default value 50.
» If Search query returns more than this maximum, user will be prompted to refine their
search.
OPTIONAL COMPONENTS TECHNICAL DESCRIPTION
AX Exception
AX Exception is a browser-based application providing audit exception
remediation workflow, reporting, and notification. Exceptions are fed into
AX Exception from scheduled analytics running in AX Core. Internet
Explorer connects to AX Exception using https (http over SSL).
© Copyright 2011 ACL Services Ltd. ACL and the ACL logo are trademarks or registered trademarks of ACL Services Ltd. All other trademarks are the property of their respective owners. 12

Analytics scheduled to run in AX Core can be configured to publish exceptions to AX Exception. AX
Core opens an https connection to the AX Exception server and the publish operation transfers
exception data (records), parameter values, and metadata.
AX Exception Administration
It provides AX Exception user management, allowing initial creation of users, as well as ongoing
management of entity and role assignment to each user. The Entity determines which data a user is
allowed to view, and the role determines which actions they can undertake in the remediation workflow.
This component is accessed using a web browser.
Geronimo Application Server
Apache Geronimo is an enterprise Java application server, providing similar services and functionality
as IBM Websphere and Oracle Weblogic. AX Exception runs within the Geronimo Application Server.
AX Exception database
The AX Exception database can be either Oracle or Microsoft SQL Server. For SQL Server, the AX
Exception database can be installed and configured by the AX Exception installer. For Oracle, an Oracle
DBA is first required to create a schema for AX use, and the DBA will provide connection information
that the AX Exception installer can use when creating AX Core database tables, stored procedures, etc.
The AX Exception database stores information for the AX Exception application, with the exception of
users and roles. Users and roles are shared with AX Core via the AX Core database.
The AX Exception database should be installed on a separate machine from AX Exception. Encryption
of the communications between AX Exception and the database is controlled by database server
configuration.
Important: For Oracle and the Unicode release of AuditExchange, an Oracle instance with the database
character set and the national character sets set to either UTF-8 or UTF-16 is required.
Communication Ports
Default Port Component – Protocol Encryption Remote connectivity required?
1433 SQL Server – custom supported No
8443 Geronimo Web Server – SSL Yes - AX Exception (web browser)
https
1099 Geronimo Naming – JNDI None No
1527 Geronimo System Database None No
– custom
8009 Geronimo Web Server – AJP None No
8080 Geronimo Web Server – http None No
9999 Geronimo Management – None No
JMXMP
61613 Geronimo Messaging – None No
Stomp
61616 Geronimo Messaging –
OpenWire
None No
© Copyright 2011 ACL Services Ltd. ACL and the ACL logo are trademarks or registered trademarks of ACL Services Ltd. All other trademarks are the property of their respective owners. 13

© Copyright 2011 ACL Services Ltd. ACL and the ACL logo are trademarks or registered trademarks of ACL Services Ltd. All other trademarks are the property of their respective owners. 14

Direct Link
Direct Link provides direct access to SAP data from AuditExchange
analytics via the AuditExchange analytic engine. Communications to an
SAP system can be configured for encryption.
Note: There is an additional component of Direct Link that must be installed on each SAP server that is
to be accessed by AuditExchange or ACL Desktop.
AX Datasource
ACL embeds Informatica® PowerCenter® within the AX Datasource
application for specific use with the AuditExchange platform in order to
source data from various formats within an organization for audit usage
within the AX Core repository.
In addition to the components described below, there are several data connectors that are available to
provide format-specific connectivity to a variety of business applications.
Informatica PowerCenter Client
The PowerCenter client connects to PowerCenter server and is used to setup data mappings, workflows
and tasks for extracting data from hundreds of different data sources.
Informatica PowerCenter Server
PowerCenter provides data extract and transformation capabilities from hundreds of different data
sources. Data is extracted to data files in a format that is compatible with ACL Desktop Edition, the AX
Core desktop connector, and the AuditExchange analytic engine. Extracted data files are then imported
into AX Core using the AX Datasource importer.
AX Datasource Importer
This component resides on the AX Core server and allows PowerCenter data extracts to be
automatically imported into AX Core. Data files and metadata are transferred to AX Core securely using
https.
Communication Ports
Default Port Component – Protocol Encryption Remote connectivity required?
6001 Informatica PowerCenter Node – custom None Yes – PowerCenter client
6002 Informatica PowerCenter Service None No
Manager – custom
6005(+) Informatica PowerCenter Services –
custom
None Yes – PowerCenter client
+ Depending on services configuration, PowerCenter may use default ports 6005-6015
© Copyright 2011 ACL Services Ltd. ACL and the ACL logo are trademarks or registered trademarks of ACL Services Ltd. All other trademarks are the property of their respective owners. 15

AUDITEXCHANGE PLATFORM: DEPLOYMENT AND USAGE
CONSIDERATIONS
Repository Design
ACL AuditExchange 3 is designed to reflect how auditors work and organize their information – around
the concept of the Audit Engagement. Engagements are constructs that allow the audit team to organize
their audit resources, including working papers, associated audit documentation, data sets and analytics
in a manner consistent with their audit objectives for discrete audit projects. Within Engagements are
the Activities that audit teams can follow to efficiently execute according to their audit plans.
There are two sections to the AX Core repository, a Working directory and a Library. The Working
directory is the place where each audit engagement is planned and carried out.
All key elements of the audit engagement are kept together within the repository – Data tables,
AuditExchange analytics, all planning and explanatory documentation and all resulting audit evidence.
ACL AuditExchange supports storage of all electronic file formats in addition to all ACL file types.
The Library directory provides an area for data or analytic specialists to store and apply further
restrictions on access to highly sensitive but re-usable audit resources, such as Master data and Master
analytics.
Data Access
The AX Core desktop connector features the broad range of ACL data access capabilities. These
capabilities permit end-user access to a wide range of data sources for investigative and exploratory
analysis. Typically, this step is a precursor to repetitive and continuous analysis that is best enabled by
the AX Datasource add-on module discussed in the previous section. The following describes the data
access approaches available from within the AX Core desktop connector.
File System Access
The AX Core desktop connector and ACL Desktop Edition support fixed and variable record length
(CR/LF) files stored on network drives accessible by the server machine. These include direct-connect
disks, network file systems (NFS) or SMB shared file systems and storage area networks (SANs).
Textual report, or “print image,” formats are also supported on these ACL platforms. ACL can, in many
cases, automatically determine tabular data within a textual report file, and use it for further analysis.
Internally, ACL uses a fixed-record length format for temporary and imported data storage.
Data Management
AX Core/AX Core Client
When an ACL table is imported into the AX Core repository through AX Core Client, the table definition
(layout) information is stored within the AX Core repository database and the data file itself is stored
within the Windows file system under an AuditExchange-managed directory structure.
**Note: It is up to the administrator of the Windows server where AuditExchange is stored to ensure
appropriate security access is applied to these Windows directories.
AuditExchange supports the re-use of data within the repository via copying and linking the table across
Engagements – both within the Working area and between the Library and Working areas. When a data
© Copyright 2011 ACL Services Ltd. ACL and the ACL logo are trademarks or registered trademarks of ACL Services Ltd. All other trademarks are the property of their respective owners. 16

table is copied and linked through the AX Core Client interface, only a link between master table and
link table is created; similar to a shortcut in Windows, it does not make a separate copy of the
underlying data file. The AX Core repository manages a single copy of this data file and maintains a
referential link to all places that the master table is linked.
When a user double-clicks on a data table from within the AX Core Client interface, the table definition
will be exported into an ACL project format so that it can be viewed using the ACL Desktop Edition
interface. At this time, the user will be prompted as to whether or not they wish to create a local copy of
the data file itself, or whether or not they want to leave the data on the server and under the
management of AuditExchange (the default is to have the data remain on the server).
Running an Analytic
ACL AuditExchange analytics can be run against any data table that is within the Data folder of the
Activity where the analytic resides. Any data table that is generated as an output of the analytic can
either be posted to the AX Core repository as a result (using the //RESULT syntax) or directly within the
Data folder of the same Activity (using the //DATA syntax).
Refreshing Data
It is recommended that the refresh of data within the repository (outside of refreshing data using AX
Datasource) be accomplished through the use of analytics. By specifying that the resulting data table(s)
from an analytic be copied back to the Data folder within the Activity (if the data table already exists
there), the underlying data file will be overwritten when the table definition is overwritten as well.
Back-up and Archive of Repository Data
Currently neither of these functions is automatically accomplished by AuditExchange. Archiving of the
AX Core database and the Windows file directories housing the data files should be coordinated with
your network administrator. ACL recommends a cold backup: that is turn off the AX Core services to
ensure no system activity is in progress and therefore data is static.
Security
Authentication
User Accounts
AuditExchange platform user authentication is supported via Microsoft Active Directory. A user must be
a valid Windows domain user. AuditExchange supports forests of trusted Active Directory domains.
Users can then be added to the AuditExchange user list. AuditExchange does not store any passwords
within our system, authentication is confirmed via the Windows API each time a user attempts to login to
the system, but AuditExchange does not interface directly with Active Directory itself.
If an organization does not employ Active Directory as their network authentication system,
AuditExchange supports creation and use of local users on the AX Core server machine.
Single Sign On
AX Core integrates with the Central Authentication Service (CAS), which is installed with AX Core, and
can be configured for form-based or silent integrated Windows authentication. If configured to use form-
© Copyright 2011 ACL Services Ltd. ACL and the ACL logo are trademarks or registered trademarks of ACL Services Ltd. All other trademarks are the property of their respective owners. 17

ased authentication, users must enter a username and password to logon to an AuditExchange
application.
Silent authentication does not require the user to enter a username or password, it uses integrated
Windows Authentication and Kerberos to validate the user who is accessing an AuditExchange
application. The same user account that is logged into the PC is also the user account which is silently
authenticated to access AuditExchange. Only Active Directory users are able to use silent
authentication, and CAS must be registered on the Active Directory domain controller as a Service
Principal Name (SPN). If silent authentication is configured, local user accounts can still be used, but
they will require username and password entry.
Application Security
Security is maintained centrally in the AX Core for the entire AX platform. Application security is rolebased,
with two primary roles supported.
Users can either be an Administrator or a User of the AX Core system. Administrators are able to see
and manage all Engagements and their contents within the AX Core repository.
Users are only able to access Engagements or associated Activities for which they have been granted
permissions. Permissions to an Engagement or Activity are either:
• Full: Includes permission to create, modify and delete content or structure within a particular
Engagement or Activity. This includes the ability to run and schedule any Analytics within the
Activity. Anyone with Full permission to the Engagement may grant additional users permission to
that Engagement.
• Read Only: Includes permission to view all content within the Engagement or Activity. Does not
include the ability to run Analytics.
When a new Engagement is created (in the Working area), the creator has Full permissions by default.
They must add any additional users (Full or Read Only) to the Engagement manually to share it with
other users. Users that are added to the Engagement level will automatically inherit the same
permissions for all Activities within the Engagement. These permissions can be modified at the Activity
level.
Only Administrators are able to create new Engagements within the Library. They may subsequently
grant additional users (non-Administrators) either Full or Read Only permission to the Engagements
within the Library.
AUDITEXCHANGE SERVER HARDWARE ARCHITECTURE
AX Core
AX Core hardware requirements will be unique for each installation based on usage and data storage
needs. Each running analytic, ACL Desktop user, AX Core Client user, AX Gateway user, and AX
Datasource import, will consume AX Core server resources.
• ACL recommends a distributed hardware architecture including the AX Core server, AX Database
server, and the storage location of source (.fil) data files for all but the smallest of number of
users/audit teams and/or light analysis requirements.
• SAN or NAS Storage: for heavy data analytic requirements, the AX Database server and source
data files are recommended to be stored in a SAN or NAS with fibre channel or otherwise fast/large
throughput. Throughput is the single biggest bottleneck in the hardware along with disk i/o speed.
© Copyright 2011 ACL Services Ltd. ACL and the ACL logo are trademarks or registered trademarks of ACL Services Ltd. All other trademarks are the property of their respective owners. 18

• Disk space: ACL table data files (ACL .fil files) are stored by AX Core as regular disk files, and all
other data and metadata is stored in the AX Core database. Disk space needs are directly
proportional to the size and amount of data stored in the AX Core repository.
• Disk performance: AX Core, particularly the AX analytic engine will perform better using disk
hardware with fast read and write times. Disks on a SAN are supported, but performance will be
dependent on network and SAN specifications.
• Processors: AX Core will utilize multiple processors when handling AX Gateway and AX Core
Client user sessions. Analytics are executed by the AX analytic engine and the Windows OS will
schedule each AX analytic engine process on a separate CPU core as needed.
• Memory: The memory requirements of AX Core itself are not large, but as more users access AX
Core, and analytics are scheduled, memory usage will increase accordingly.
Suggested Hardware Configurations
Users Analytic Usage Analytic Server(s) Suggested Hardware
5 Light Not needed 2 CPU cores, 4GB memory, 200+ GB Disk Space(*)
5 Moderate Recommended 2 CPU cores, 4GB memory, 200+ GB Disk Space(*)
5 Heavy Yes 2 CPU cores, 4GB memory, 200+ GB Disk Space(*)
20 Light Recommended 4 CPU cores, 4GB memory, 500+ GB Disk Space(*)
20 Moderate -
Heavy
Yes
4 CPU cores, 4GB memory, 500+ GB Disk Space(*)
20+ Varying Yes 4+ CPU cores, 4+GB memory, 500+ GB Disk Space(*)
* Disk space requirements depend largely on the size and number of files stored in the AX Core
repository.
Note: If the AX Core database is PostgreSQL, and is located on the AX Core server, there should be at
least double the amount of memory and CPU cores allocated.
Analytic Usage
Light – Infrequent analytics being run by users, and/or a small number, (e.g. less than 5), of shortduration
analytics scheduled to run periodically at night.
Moderate – Users run short-duration analytics frequently. A small number, (e.g. 5–10), of analytics of
mixed duration are scheduled to run – most at night, some concurrently. Once you’ve reached moderate
analytic usage, it’s time to consider using an analytic server to reduce the load on the AX Core server.
Heavy – Analytics of varying duration are run by users at any time. Many analytics scheduled to run
periodically on varying schedules, some concurrently, some are long-running, (e.g. 2 hours or more).
With heavy analytic usage, ACL strongly recommends setting up one or more analytic servers in
addition to your main AX Core server.
AX Exception
Users Suggested Hardware
5 2 CPU cores, 4GB memory
20 2 CPU cores, 8GB memory
20+ 4+ CPU cores, 8+GB memory
Note: If the AX Exception database is located on the same server, there should be at least double the
amount of memory and CPU cores allocated.
© Copyright 2011 ACL Services Ltd. ACL and the ACL logo are trademarks or registered trademarks of ACL Services Ltd. All other trademarks are the property of their respective owners. 19

AX Datasource
• A quad-core processor, or two dual-core processors, at 2.5 GHz or faster (quad-core processor
recommended).
• When installing Informatica PowerCenter, you are limited by licensing restrictions to a four-core
processor server.
• 8 GB of RAM.
• At least 3 GB of disk space for the PowerCenter and AX Datasource application components.
• Significant additional disk space may be required to store data extracts, for configurations where
this server is being used to host data. Please see following paragraphs for Supported
Configurations.
Supported Configurations
All on One Server
AX Core, AX Exception, and AX Datasource can be installed on a single server machine. This
configuration is recommended only for installations with a small number of users, (e.g. 5 users or less)
with only light analytic usage requirements.
Multiple Servers
• AX Core, AX Exception, and AX Datasource can each be installed on its own dedicated server,
which is recommended for installations with more than 5 users or with moderate to heavy analytic
usage.
• Multiple AX Core servers can be installed, but they cannot share content. Each AX Core server will
have its own content repository.
• Multiple AX Core servers can publish transactions to a single AX Exception. In this case, AX
Exception will be configured to use the database from one of the AX Cores for user and role
information. The other AX Core servers will have their own database, with their own user and role
information.
• Multiple AX Datasource servers can be configured to import data to a single AX Core.
• AX Core does not support publishing to multiple AX Exception servers. The AX Core publish
operation can only be configured with a single URL for publishing to a single AX Exception server.
_____________________________
For technical support and contact information, visit the ACL Support Center:
www.acl.com/supportcenter
© Copyright 2011 ACL Services Ltd. ACL and the ACL logo are trademarks or registered trademarks of ACL Services Ltd. All other trademarks are the property of their respective owners. 20

ACL Headquarters
T +1 604 669 4225
F +1 604 669 3557
• acl.com
info@acl.com
About ACL Services Ltd.
ACL Services Ltd. is the leading global provider of business assurance technology for audit and
compliance professionals. Combining market-leading audit analytics software with centralized content
management and exception reporting, ACL technology provides a complete end-to-end business
assurance platform that is flexible and scalable to meet the needs of any organization.
Since 1987, ACL technology has helped organizations reduce risk, detect fraud, enhance profitability,
and improve business performance. ACL delivers its solutions to 14,700 organizations in over 150
countries through a global network of ACL offices and channel partners. Our customers include 98
percent of Fortune 100 companies, 89 percent of the Fortune 500 and over two-thirds of the Global 500,
as well as hundreds of national, state and local governments, and the Big Four public accounting firms.
© 2011 ACL Services Ltd.
TB/AX2/02072011
ACL Services Ltd. ACL and the ACL logo are trademarks or registered trademarks of ACL Services Ltd. All other trademarks are the property of their respective owners.