Tuesday, August 14, 2018

Two Day Training Class: Auditing Oracle's® Fusion ERP Cloud Application


Is your company using Oracle's Fusion / ERP Cloud apps?  Consider joining us for upcoming training from an audit perspective.

Auditing Oracle's® Fusion ERP Cloud Application - ASE151

New York: 13-14 Sep
San Francisco: 8-9 Nov

Details can be found on the link below.

Tuesday, July 31, 2018

CaoSys and ERP Risk Advisors Announce Preventive Provisioning for Free for E-Business Suite Users



CaoSys and ERP Risk Advisors are pleased to announce a "Preventive Provisioning for Free" offering for organizations using Oracle E-Business Suite.

“We recognize that some organizations are using cloud and client/server software packages that can’t restrict access to segregation of duties conflicts and sensitive access risks,” says ERP Risk Advisors CEO, Jeff Hare, CPA CIA CISA. “The goal is not just to identify who has this access, but to block new users from getting them in the future or at least to have them go through an approval process where mitigating controls would be documented.”

CaoSys offers the best-of-breed solution, CS*Comply, as part of its overall GRC software suite. CS*Comply is the most commonly implemented application in its broad package of solutions that address many other compliance needs.

“We have paired our best in class solution, CS*Comply, with a rapid implementation by our key partner, ERP Risk Advisors, to be able to bring this offering to the market,” says CaoSys CEO Craig O’Neill. “We are excited to be able to provide organizations who have chosen competitive products with the opportunity to enhance their controls by using CS*Comply’s preventive control features.”

CS*Comply allows an organization to put individual segregation of duties (SoD) conflicts and sensitive access rules in either PREVENT or APPROVE mode. PREVENT mode blocks the access and is often used for high-risk SoD conflicts such as the ability to Enter Purchase Orders and Enter Goods Receipts. PREVENT mode is also used to block access in Production to sensitive access risks such as forms that allow SQL injection or that allow General Ledger balances or journal entries to be purged. APPROVE mode submits the conflict or risk to a risk owner or process owner, who can evaluate whether granting the access to the user is appropriate. APPROVE mode is used where certain sensitive access, such as the ability to maintain user role assignments or enter suppliers, is appropriate for the user to whom the assignment is being made.
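
The PREVENT/APPROVE decision described above, modeled as an added example (this is not CS*Comply code or its API). Rule names, owners and function labels are constructed, and it is an assumption here that PREVENT takes precedence when one request triggers rules in both modes.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    functions: frozenset  # one function = sensitive access rule, several = SoD conflict
    mode: str             # "PREVENT" or "APPROVE"
    owner: str            # risk or process owner who reviews APPROVE requests

# Constructed rule set built from the risks named in the text. The function
# labels and owner ids are illustrative, not real E-Business Suite identifiers.
RULES = [
    Rule("PO entry vs goods receipt",
         frozenset({"Enter Purchase Orders", "Enter Goods Receipts"}),
         "PREVENT", "procurement.owner"),
    Rule("Purge journal entries",
         frozenset({"Purge Journal Entries"}), "PREVENT", "gl.owner"),
    Rule("Maintain user role assignments",
         frozenset({"Maintain User Role Assignments"}), "APPROVE", "security.owner"),
    Rule("Enter suppliers",
         frozenset({"Enter Suppliers"}), "APPROVE", "ap.owner"),
]

def evaluate_grant(current, requested, rules=RULES):
    """Decide a provisioning request before access is assigned.

    Returns (decision, triggered rule names, owners to ask for approval).
    """
    current, requested = set(current), set(requested)
    after = current | requested
    # A rule is triggered only when this request completes it: every function
    # in the rule is held afterwards, and they were not all held before.
    hit = [r for r in rules if r.functions <= after and not r.functions <= current]
    blocking = [r for r in hit if r.mode == "PREVENT"]
    if blocking:  # assumption: PREVENT wins over APPROVE in the same request
        return "BLOCKED", [r.name for r in blocking], []
    if hit:
        return ("PENDING_APPROVAL", [r.name for r in hit],
                sorted({r.owner for r in hit}))
    return "GRANTED", [], []

if __name__ == "__main__":
    print(evaluate_grant({"Enter Purchase Orders"}, {"Enter Goods Receipts"}))
    print(evaluate_grant(set(), {"Enter Suppliers", "Maintain User Role Assignments"}))
    print(evaluate_grant({"Enter Suppliers"}, {"Enter Purchase Orders"}))
```

Because a rule fires only when the request completes it, access a user already holds is not re-flagged here; finding existing conflicts is a separate detective report.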

CaoSys and ERP Risk Advisors will implement and support CaoSys’ CS*Comply module, which contains the preventive controls in PREVENT or APPROVE mode, for the cost that organizations are currently paying for their cloud provider or client/server software provider on an annual basis.**

Obtain information about this offering by emailing sales@caosys.com or sales@erpra.net or visiting www.CaoSys.com or www.ERPRA.net.    

** Some restrictions apply. Contact us for details.

Wednesday, July 4, 2018

Press Release: ERP Risk Advisors announces new Audit Support as a Service offerings for Oracle's E-Business Suite and ERP Cloud applications

ERP Risk Advisors is pleased to announce two new Software as a Service (SaaS) offerings for Oracle's ERP applications - E-Business Suite and ERP Cloud.

This "Audit Support as a Service" offering will provide internal and external auditors with much better and more comprehensive data needed to audit these two applications.

ERP Risk Advisors CEO Jeffrey T. Hare, CPA CIA CISA, states the problem:

"We are often brought in by organizations that have audit findings to help clients remediate their control deficiencies.  As we help clients with their remediation, we often find many other significant control design issues that should have been identified by the internal and external auditors.  Two things drive our findings.  First, there is a lack of maturity in understanding by internal and external auditors of these specific systems and risks specific to each system.  Second, auditors don't have the right data to help analyze these risks and related controls."

ERP Risk Advisors has been focused on helping clients design and test controls for over 15 years.  The new Audit Support as a Service offerings will provide the following data for Oracle's E-Business Suite and ERP Cloud applications:
  • Test access controls and role design by evaluating sensitive access risks and segregation of duties conflicts
  • Evaluate control design by:
    • reviewing the actual configurations versus expected configurations
    • considering ‘best practice’ configuration design as provided by ERP Risk Advisors
  • Test change control processes by having a population of IT and functional configurations throughout the most commonly used ‘in scope’ modules and the core applications

ERP Risk Advisors CEO, Jeff Hare, continues:

"There are significant gaps in the understanding of systems auditors are responsible for reviewing.  Each ERP system has its own characteristics that must be taken into account as part of the audit.  No longer can auditors audit 'around' the system.  Auditors need a better understanding of the system and need better data to perform an audit that is complete and accurate.  I would encourage you to take a look at this recent article I wrote on this topic called 'Why the PCAOB and External Auditors Should be Concerned about Substantive Only Audits' which can be found here.  This explains this need in more detail.  We look forward to helping internal and external auditors improve their effectiveness and efficiencies in auditing Oracle's E-Business Suite and ERP Cloud applications through the use of this service."

More about this service and other services offered by ERP Risk Advisors can be found here.

Why the PCAOB and External Auditors Should be Concerned about Substantive-Only Audits



This article is long overdue, but still one I have been dreading to release.  I know the audit firms could come under significant additional scrutiny from regulators such as the PCAOB.  However, there are significant risks organizations are facing because of poorly designed controls and inadequate audit procedures.  It is 2018, more than 15 years after the passage of the Sarbanes-Oxley Act, and it is time to shine the light on areas that board members and investors would be appalled by if they understood this topic.  With this said, here is my article...

In evaluating how to approach an audit, in general, and specific business processes within any audit, in particular, external auditors sometimes choose to audit ‘around the system’.  That is, they ignore the way systems are designed and test the given process or control without regard to how the system is designed.  They do so by identifying a population of transactions related to the process and testing the activity through sampling as required by their internal standards and consistent with the regulator(s) that oversee their audits (PCAOB, OCC, various government agencies, etc.).

There are consistent gaps in the approach that external audit firms take that could leave the chosen populations incomplete.  Therefore, I will make the argument that a substantive-only audit is a flawed approach and one that external audit partners and regulators should be concerned about.

To illustrate this flaw, I will use arguably the most important control related to the integrity of the financial statements – the control over manual (non-standard) journal entries.  Manual journal entries inherently pose a high risk to the integrity of the financial statements because they can move any balance between any account within the trial balance.  In my experience, most external auditors don’t know how to properly identify a population of journal entries that equate to a manual journal entry.

I identify the following types of journal entries that could exist within an ERP system:

1. Manually created in the system within the general ledger itself
2. Uploaded from a spreadsheet – manual or non-standard type
3. Uploaded from a spreadsheet – created by another system (i.e. manual interface)
4. Uploaded from a spreadsheet – looking as if it came from a subledger
5. Interfaced from another system (i.e. automated interface)
6. Transferred from a subledger
7. Manually created in a subledger and transferred as if it were a subledger entry


… continued in full article - see below for link ...


Conclusions

Because of the way JE controls are typically designed (i.e. to ignore subledger JEs), organizations using Oracle’s E-Business Suite or ERP Cloud applications would need to configure each system differently in order to prohibit a user from creating a journal entry from a Source that is not subject to the manual / non-standard JE controls.  In other words, even in the case where an audit is not placing reliance on any application controls (i.e. a fully substantive audit), the improper configuration of a system COULD cause the functional auditors to leave out a portion of the JEs that should be in their control population.

… continued in full article - see below for link …



Access the full article here

Saturday, June 16, 2018

Oracle E-Business Suite Controls: Foundational Principles is finished!


Tetelestai, as the Greeks would say. Meaning - it is finished.

Four years since I first started the update to this book... You can purchase this at: http://www.lulu.com/shop/jeffrey-t-hare-cpa-cisa-cia/oracle-e-business-suite-controls-foundational-principles-2nd-edition/paperback/product-23679820.html.

If you want to support more publication of best practices like this, please consider purchasing this book. 100% of the proceeds of the book will support Rapha House. Rapha House is a Christian ministry whose mission is "We exist to love, rescue, & heal children who have been rescued from trafficking & sexual exploitation." So your purchase of this book will not only serve to help motivate me to write more articles and books, but will also serve to protect 'the least of these' among us. See more at www.RaphaHouse.com

For those of you that have seen the musical - Hamilton - the phrase 'why do you write like you're running out of time' from the song 'Non Stop' comes to mind. More articles and books to come.

#HamiltonQuotesForTheWinAlex #Matthew25_40 #NonStop
#oracleebusinesssuite #OracleBestPractices #NotThrowingAwayMyShot


Tuesday, May 22, 2018

CaoSys and ERP Risk Advisors Announce New Accelerated Implementation and Subscription Pricing for their Segregation of Duties Solution, CS*Comply

CaoSys is pleased to announce that its leading SoD solution, CS*Comply, for Oracle E-Business Suite is now available with subscription pricing.  CaoSys has partnered with ERP Risk Advisors to provide accelerated implementation services for its flagship SoD solution so that implementation services can be bundled into subscription costs.

“We’ve seen a trend that our customers and prospects are looking for lower initial costs that can be addressed in an operating budget rather than requiring a capital expense,” said Craig O’Neill, CTO at CaoSys.  “We are excited to announce that our flagship SoD solution, CS*Comply, is now available in a new simple subscription pricing model that provides our high-quality software for customers looking for a lower entry cost.”

CaoSys has partnered with ERP Risk Advisors since 2008 to implement its GRC suite.  ERP Risk Advisors has also built risk-based content for CS*Comply and can provide risk advisory services as part of the implementation of the suite.

“We are excited to provide accelerated implementation services for the CaoSys GRC suite that can get the basics of each solution ‘up and running’ then provide follow on training and consulting in the following months,” says ERP Risk Advisors CEO, Jeffrey Hare CPA CIA CISA. “We are committed to provide on-going touch points each month to help CaoSys customers derive more value from each of the solutions they have licensed.”

CaoSys and ERP Risk Advisors now offer best of breed software, content, high-quality risk advisory services and ongoing support, all for a low fixed monthly subscription fee. This new solution offering will be available from May 14th.

Tuesday, April 17, 2018

ERP Risk Advisors at Collaborate 2018_Major Announcements


ERP Risk Advisors will be presenting again this year at Collaborate 18 in Las Vegas, April 22-26. 

At Collaborate we will be announcing and discussing in more detail several major enhancements to our partner network and services as follows:

  • Audit Support as a Service for E-Business Suite and ERP Cloud – Complete data necessary to audit either application including configurations, a change management population, and SoD conflicts / Sensitive Access rule reporting
  • Content Unlimited for ERP Cloud – SoD and Sensitive Access rule subscription service for Oracle’s Risk Management Cloud
  • Training of project teams and auditors on Risks and Controls for ERP Cloud
  • E-Business Suite license review service through CaoSys’ CS*License solution
  • Support of Oracle’s Risk Management Cloud for ERP Cloud
  • Quarterly Risk Advisory webinar for ERP Cloud – focusing on governance, risk management, and control design issues throughout the application including bugs and enhancement requests
  • Several new Risk Advisory articles for ERP Cloud



If you are attending Collaborate, please visit us at Booth 1330 and plan on attending one or more of these sessions:


Monday 23rd - 11 a.m. - GRC SIG – Change Management Best Practices


Thursday – 26th (ADDITIONAL FEE) - 8:30 a.m. to 1:00 p.m. Security and Controls Foundational Concepts for Oracle E-Business Suite – (Jasmine C)