Monday, August 7, 2017

ERP Risk Advisors: Revalidation of In-Scope Reports for Completeness and Accuracy

 Revalidation of In-Scope Reports for  Completeness and Accuracy

Organizations that are subject to Sarbanes-Oxley (SOX) compliance use various reports from the source systems to perform the controls defined by management. Essential to the control design is the completeness and accuracy of the report(s) being used to execute the control. Ensuring completeness entails gaining comfort that a full population of the relevant transactions are captured and presented in the report. Ensuring each report is accurate involves validating that the integrity of data compiled by the report is maintained throughout the report creation process.
The validation process is a bit of a circular exercise in that often you are querying data directly from the database or using other reports to verify its completeness and accuracy (C&A). How the C&A is tested for each report is typically reviewed by both internal and external auditors as it forms the foundation for the reliance on the report in the execution of the control.
Read the full article at:

Potential services from ERP Risk Advisors

ERP Risk Advisors is the premier risk advisory firm in the ERP space.  We provide targeted resources with extensive experience in ERP systems. 
An engagement related to the above could include:
1.      Identifying in-scope reports through discussions with various process owners reviewing your controls library and related process documentation.
2.      Developing a library of the configurations that objects that would need to monitor
3.      Writing SQL queries to monitor the specific objects in each of the tables related to Concurrent Programs, Executables, and the Objects.
4.      Training staff on how to execute the SQL queries, analyze the results, and document conclusions.
5.      Recommendations on which reports should be migrated from other systems back into the core systems to remove the other systems from SOX scope
Developing requirements documents for building the in-scope reports in the core system.  We could also work with the process owner to validate the requirements.

Training on Auditing Oracle E-Business Suite

Find more about our training related to Oracle E-Business Suite here.

Wednesday, July 5, 2017

Upcoming ERP Risk Advisors webinars_July 2017

Upcoming ERP Risk Advisors webinars_July 2017

You are invited to attend three upcoming webinars taking place over the next couple of weeks as follows:

Don’t give up on your Oracle Advanced Controls investment – Tuesday, July 11

How to automate controls using CaoSys’ newest features – Wednesday, July 12

Identifying and Monitoring Multi-Platform and Cross-Platform Access Control Risks with SafePaas – Wednesday, July 26

“Don’t give up on your Oracle Advanced Controls investment” will be held at two times Tuesday, July 11 – 9 a.m. EST and 4 p.m. EST. 

Have you’ve spent into the six figures on your Oracle Advanced Controls implementation and are wondering how to leverage your investment into something of value.  In this webinar we will share how the expertise, content, and risk-based methodology of ERP Risk Advisors can easily extend the usefulness of your investment and add value to your controls environment.  We will first look at current trends in the audit community and discuss how to leverage your Oracle Advanced Controls investment to address these trends.  Register at:

“How to automate controls using CaoSys’ newest features” will be held at two times Wednesday, July 12 – 9 a.m. EST and 4 p.m. EST. 

With Oracle no longer offering premier support on their Advanced Controls suite customers are wondering about their long-term options with their E-Business Suite on-premise solution.  In this webinar we will provide an overview of the CaoSys GRC suite and showcase some of its newer features that can be helpful to automate controls.  Register at:

Most organizations have multiple software applications to help run their business.  Often there are several ERP and legacy applications that are considered in-scope from a compliance perspective.  Hear from industry expert, Jeffrey T. Hare, CPA CISA CIA about common cross-platform and multi-platform control risks and how organizations can mature their control environment through necessary manual controls, automated controls, and access controls.  Webinar held in conjunction with SafePaas.  Register at:

Thursday, June 15, 2017

ERP Risk Advisors Announces Oracle Advanced Controls Premier Support

ERP Risk Advisors Announces Oracle Advanced Controls Premier Support

As most customers are aware Oracle announced an end to the continued development of its Advanced Controls Suite and the end of Premier Support as of September 2016 (See MOS Note: 2143036.1). Oracle has been developing a replacement known as the Risk Management Cloud which is still in its early versions.   

This change in strategy has left its customers in a difficult position since the applications in Oracle’s GRC Advanced Controls Suite are considered critical to meet their compliance requirements.  

 Many of these same customers have also had less than perfect implementations and incomplete SoD conflict and Sensitive Access rules.  This has led to a lack of reliance on the tools by their external auditors and an inadequate coverage of risk. 

ERP Risk Advisors has historically been focused on the implementation of a competitive product in this space from CaoSys and has built the premier content library and accompanying risk advisory services. 

The transition within the Oracle GRC space has allowed ERP Risk Advisors to hire some high quality resources and so we are pleased to announce a premier support program for customers currently using Oracle's Advanced Controls Suite. 

For those customers that want to continue using Oracle's Advanced Controls Suite, we will offer remote GRC Admin services to allow you to enhance or maintain your reliance on your solution.  To start the engagement, we will perform an assessment and provide you a roadmap.  In most organizations we will be able to perform the assessment in a week. Our core support offering will primarily focus on AACG and CCG, but could also include PCG and TCG.  If you haven't licensed PCG or haven't implemented it, we believe we can implement preventive controls (albeit manual) during your provisioning process to help keep your environment clean.  We will also help you leverage the data from AACG to perform your quarterly re-certification process at the Supervisor and Process Owner levels.

The engagement would start with an initial assessment and will include:

  1. Infrastructure health check to include the patch level related to each of your Oracle Advanced Controls licensed products.
  2. Evaluation of the completeness of the SoD and Sensitive Access rules
  3. Review of your configuration of each of the modules - primarily AACG and CCG
  4. Discussions with management as to how much reliance has been placed on the software and related business processes in your external audits
  5. Review of key SQL scripts to evaluate your role design from a 10,000 foot level
  6. Review of the results of key rules, if implemented already, that all auditors are currently evaluating
  7. Review of a limited set of critical configurations such as Journal Sources and Profile Option Values
  8. An evaluation of your patch level related to each of your licensed Advanced Controls solutions that are being used

The deliverables for the engagement would include:

  1. In some cases, we'll be able to finalize the identification of what should be considered in scope rules.  Usually within a limited engagement we can get to 90+% accuracy, but often it requires a meeting with the external auditors to validate to get to the 100% level.  This is the key deliverable that most GRC consulting firms haven't been able to deliver, but ERP Risk Advisors can deliver with excellence.
  2. High level feedback on role design - where we see risk in the usage of seeded Menus, seeded Request Groups, seeded Responsibilities, and seeded Users
  3. An evaluation of the current SoD conflicts and Sensitive Access rules as to their completeness and accuracy.  We will identify the significant gaps when compared to what we anticipate would be the expectations of your audit firm.
  4. A roadmap for maturing your user provisioning process and the re-certification process
  5. A roadmap for updating your rules library to be complete and accurate as well as mapped to your auditors requirements
  6. This engagement may also include some specific feedback on Sensitive Access rules and SoD conflicts depending on the quality and completeness of your current rule set.
  7. Recommendations on patching your Advanced Controls modules, as needed, and where justified
Once we perform our initial assessment, we would be in a position to offer premium support for your Oracle GRC Advanced Controls suite.  Our support would be tailored to your organization's requirements, but would include the following as our core offering:
  1. All service requests (SRs) surrounding the Oracle GRC Advanced Controls Suite.
  2. Updating your rules library to include more risks - up and to including our full risk library. Adding additional risks from our library as we identify them.  
  3. A comprehensive remediation plan with prioritization based on risk and scoping based on level of effort
  4. Identifying SoD conflicts and Sensitive Access Risks introduced since the prior quarter for management's review and disposition
  5. Developing reports with the detail for a comprehensive quarterly access review process for Supervisors (at the role level) and Process Owners (at the rule level for the key in-scope rules)
  6. Implementation of changes to current roles and development of new roles required (still using Responsibilities, not User Management) as time permits
  7. Revisiting and updating the roadmap to present to senior management

In addition to the above, we could also provide the following services as a supplement to our core offerings:

1.      Auditing changes to the objects related to roles (Roles, Responsibilities, Menu, Request Groups) to evaluate completeness and accuracy of the change management process

2.      Identifying whether any of the in scope reports have been changed in the last quarter (period) so that the process owners know they need to re-test the completeness and accuracy of the reports (as is now being required by the public accounting firms and the PCAOB)
  1. Auditing changes to other configurations that should be subject to the change management process (scope tbd)
  2. Auditing the completeness and accuracy of the approvals related to the User Provisioning process
If you are interested in discussing these services with us, please use our Contact page and we'll get back to you as soon as possible.

Jeffrey T. Hare, CPA CISA CISA

Sam Monarch
Oracle GRC Practice Lead

Sunday, June 11, 2017

Dear Oracle... Here are some SQL Forms you missed in MOS Note 403537.1 / 1334930.1

Dear Oracle... Here are some SQL Forms you missed / MOS Note 403537.1 / 1334930.1

If you are a CISO / CIO /  Signing officer for an organization using an ERP system, you count on your software provider to keep complete and accurate guidance related to significant security risks.  We have been helping clients identify risks and implement the necessary internal controls to address those risks.  As part of our engagements, we have worked with other consultants who have help identify new risks and we have identified new risks as well.  As such, we believe we have identified four forms that allow SQL injection that haven't been documented by Oracle in its Secure Configuration Guide (MOS Note 4035371. with supplemented material in Note 1334930.1).

We respectfully submit this information to Oracle to evaluate and request that Oracle add to their Secure Configuration Guide accordingly.  Please provide us with the appropriate updated reference to our blog as part of Appendix H to your document if you deem this information valuable.

Jeffrey T. Hare, CPA, CISA CIA

To our customers and prospective customers,
We are the premier firm in the world in the risk advisory space related to the Oracle E-Business Suite.  I can confidently say that no other firm - large or small - can match the quality of the risk advisory services we provide and at a fraction of the price of what you'd pay at the big four firms.  Please keep us in mind as you identify needs for services or software in the Oracle GRC space.  We are a VAR, implementation partner, and content provider for CaoSys software.  We have resources that can also help implement or improve your implementation of Oracle's ACG and CCG modules. 

Contact us here if you would like to hear more about our services:

Detail related to the four Forms that we believe allow for SQL injection.   Included with each screen shot is the Row Who information for these records.  These may be indicative of how long these functions have been in the system.  However, we recognize that these dates may not be reliable.

Function 1:

User Function Name – AutoAccounting Rules

Function Name - PASAADRU

Function 2:

User Function Name: Define Query Objects

Function Name: AKDQUERY


Function 3:

User Function Name: Delete Constraints / Delete Constraints: Update


 Function 4:

User Function Name: Define Custom SQL Fields

Function Name: WMS_WMSCSLBL

Wednesday, May 31, 2017

ERP Risk Advisors now support's Oracle Advanced Controls Suite

ERP Risk Advisors now support's Oracle Advanced Controls Suite

ERP Risk Advisors has hired a new highly-qualified resource that knows Oracle’s Advanced Controls suite very, very well.  We can now bring to our clients the most comprehensive risk-based rules matrix in the market for use with the AACG module.  Our rule set includes nearly 1,900 Functions and nearly 1,500 Concurrent Programs identified with specific risks documented for each one.

Sam Monarch has been hired to head up our Oracle GRC software practice.  Sam has over 12 years’ experience with Oracle’s GRC software and over 20 full cycle implementations.

We can help you prepare for your external audits by helping to scope the Sensitive Access and Segregation of Duties rules that relevant to your organization.  We can also implement GRC software to help you monitor these risks from top software providers like CaoSys and now can offer you similar services if you’ve made the investment in Oracle’s Advanced Controls suite.

Please keep us in mind for your Oracle GRC software needs, now including services for Oracle’s Advanced Controls suite.
Contact us at if you are interested in hearing more about our services offerings.

Jeffrey T. Hare, CPA CISA CIA
CEO, ERP Risk Advisors

Friday, March 10, 2017

Effective Governance over Profile Option Values in Oracle E-Business Suite

Effective Governance over Profile Option Values

“If only I knew back then what I know now…”  A famous phrase with applicability to many of life’s situations…

If you’ve implemented an ERP system and stuck around for a while, eventually you’ll say those words.  The implementation of a new ERP system for the first time is like drinking from a fire hose. 
If you’ve been live for a couple of years and were part of the implementation team, I challenge you to do just that.  Go back and visit your implementations configurations with the knowledge you now have.  No doubt some of the decisions you made during the implementation you’d make differently now.
Specifically, look at how you set your profile options and what profile option values you have set since you went live.  I am guessing that your governance process related to profile option values has been less than perfect.
Start with these questions to understand if you have in place proper governance relating to the approval and maintenance of profile option values:
1.      Which profile options should be set in Production?  Or… which profile options should NOT be set in Production? (yes this implies that some should not be set).
2.      Who is authorized to approve the setting of new profile options or changes to existing settings?
3.      At what level(s) should each profile option be set (Site, Application, Responsibility, User)
Each profile option has unique characteristics and abilities.  Following is a screen shot of the System Profile Values form where profile option values can be configured:

The above example shows a profile option that can only be set at the Site and User levels. 
The next example “Printer” can be set at any level.

The configuration of each Profile Option is set in the Profiles form.  The box “Hierarchy Type Access Level” defines at which level a Profile Option is Visible and Updatable.  The User Access box identifies whether it can be updated via the User Profile Values form.

Following is a screen shot of the User Profile Values form (aka Personal Profile Values):

Risks and Controls related to the Personal Profile Values form will be covered in another blog.'

You can download a template to use as a starting point for your risk assessment here:   Your organization could used the outcome of the risk assessment as a basis for a desktop procedures for those that have the authority to make profile option value changes in Production.
If you want to know more about Profile Options and why you should care, I’d suggest watching the video for the full webinar we did on this topic at: 

One other topic of interest may be how to address the profile option "Utilities: Diagnostics" from a SOX audit perspective.  I covered that in an earlier blog that you can review at:

Recommended Services from ERP Risk Advisors related to this topic

We are a free health check that includes reviewing how  your organization has set many of the high risk profile options.  See more about this free service at: . 
If you are an auditor, keep in mind that we also do outsourced IT audit work.   We are thorough, risk-based, and will work with you to develop a scope that fits your budget.

Tuesday, February 7, 2017

Security Standards for Oracle E-Business Suite: DMZ Configuration Guide

Security Standards for Oracle E-Business Suite: DMZ Configuration Guide

In my last blog (see we discussed Oracle’s Secure Configuration Guide (MOS Note 403537.1).  Another critical document that Oracle publishes is their DMZ configuration document (MOS Note 380490.1).  Every step must be meticulously followed or your data could be exposed – especially for those with externally facing applications such as Employee Self Service, iStore, or iRecruitment. 

If you are running iStore and have NOT tokenized your credit card data, you could be exposing your organization to significant PCI risk since Oracle provides the ability to decrypt credit card data via a concurrent program.  Find out more about decryption risk at: 

Other good information related to the DMZ configuration and related risks can be found on our partner firm’s, Integrigy, website at:  Integrigy is also hosting a webinar on 9-Feb on this topic.  Sign up at: 

Recommended Services from ERP Risk Advisors

We offer assessment services that can evaluate your organization’s compliance with part or all the recommendations in this MOS Note along with other high risks not considered by Oracle.
Additionally, we can help you identify a partner than tokenize your credit card data to remove most PCI risks from your EBS environment.
Since some of these risks need to be evaluated by reviewing access controls, a SaaS service to review role design may also be appropriate.  We perform that service in conjunction with our partner, CaoSys.
Contact us at  for more information about these services or CaoSys GRC solutions if you are interested in learning more.  We offer our Role / Responsibility analysis consulting as a service (CS*Proviso) or via installed software (CS*Comply).  See more about CaoSys GRC solutions at

About ERP Risk Advisors

ERP Risk Advisors is a leading provider of Risk Advisory services for organizations using Oracle Applications.  We provide consulting and training services related to compliance, security, risk management, and controls.  We also assist organizations in implementing GRC-related software from industry-leading companies such as Oracle, CaoSys, Smart ERP Solutions, and MentiSoftware.

About Jeffrey T. Hare, CPA CISA CIA

Jeffrey Hare, CPA CIA CISA is the founder and CEO of ERP Risk Advisors.  His extensive background includes public accounting (including Big 4 experience), industry, and Oracle Applications consulting experience.    Jeffrey has been working in the Oracle Applications space since 1998 with implementation, upgrade, and support experience.  Jeffrey is a Certified Public Accountant (CPA), a Certified Information Systems Auditor (CISA), and a Certified Internal Auditor (CIA).   Jeffrey has worked in various countries including Austria, Australia, Brazil, Canada, Germany, Ireland, Mexico, Panama, Saudi Arabia, United Arab Emirates, and United Kingdom.  Jeffrey is a graduate of Arizona State University and lives in northern Colorado with his wife and three daughters.  You can reach him at or (970) 324-1450.

Jeffrey's first solo book project "Oracle E-Business Suite Controls: Application Security Best Practices" was released in 2009.  His second book project “Auditing Oracle E-Business Suite: Common Issues” was released in 2015.  Jeffrey has written various white papers and other articles, some of which have been published by organizations such as ISACA, the ACFE, and the OAUG.  Request these white papers here.  Jeffrey is a contributing author for the book “Best Practices in Financial Risk Management” published in 2009.