Thursday, February 1, 2018

ERP Risk Advisors to present at OAUG's Risk Week

ERP Risk Advisors to present at OAUG's Risk Week

ERP Risk Advisors founder and CEO, Jeffrey T. Hare, CPA CIA CISA, will be presenting at OAUG's risk week.  His presentation is titled "ERP Risk Advisors and CaoSys: The Premier GRC Offering for Oracle E-Business Suite"

The presentation will include a discussion of common issues being identified by external and internal auditors and how the CaoSys suite of GRC-related applications can be used to address these needs.

The CaoSys GRC software suite is, by far, the leader in software in the E-Business Suite GRC space having been implemented at leading organizations throughout the world  CaoSys customer base includes the largest on-line retailer in the world with undoubtedly the largest install base, a high-tech manufacturer who is top 10 in the world in transaction volume for EBS, and many other leading Fortune 500 companies.

ERP Risk Advisors has developed content and specialized risk advisory services to supplement CaoSys' industry-leading software.  Our content library includes more than 1,000 rules - 600+ of the rules are sensitive access rules, providing visibility to risks throughout the applications.  This  includes nearly 400 rules of activities are expected to go through the Change Management process which allow you to easily evaluate if functions that should be managed by IT are isolated to those that understand and execute the change control expectations.

Our webinar will be held Friday, 09 February 2018 at 1 p.m. EST.

Join us at our Risk Week webinar hosted by OAUG by signing up here:

Tuesday, January 23, 2018

Welcome to 2018! Big news for ERP Risk Advisors!!!

Welcome to 2018!  Big news for ERP Risk Advisors!!!

With a new year brings exciting news at ERP Risk Advisors.  Happy New Year! We wish you the best for 2018.

First, we are pleased to welcome a new member to our team, Donna Curtis, who will be heading up our ERP Cloud practice after just recently leaving a big 4 firm as a Manager.  She brings over 20 years of experience in the IT industry as a leading talent in the Oracle EBS/Cloud and Advanced Controls space with full life cycle implementations on multiple projects (30+).  We are excited to have Donna on board.

Next, ERP Risk Advisors has launched partnerships with several new GRC software providers including SafePaas, Smart ERP, Oracle, Sentinel Software, and Fast Path.  We now offer full risk advisory services for E-Business Suite, ERP Cloud, and PeopleSoft.  We are THE niche firm in the Oracle GRC space and can provide high quality risk advisory services at a much lower price than the big 4 firms.

Additionally, we also have continued to deepen our most strategic relationship with CaoSys in the E-Business Suite space.  With Oracle de-supporting their Advanced Controls Suite, CaoSys has become the only fully integrated software for E-Business Suite and just so happens to produce excellent software.  We have collaborated with CaoSys to launch two new solutions – CS*License and CS*Lookback – which we know will be well-received by the market.  See enclosed datasheets for these offerings.  These solutions compliment an already superb suite of software that includes CS*Comply, CS*Audit, CS*Provisum, and CS*Rapid.  Find our more about CaoSys at  

Finally, in 2017 I wrote three thought-leadership white papers called “The One Series” where I identified one configuration, one function, and one profile option that could undermine your manual Journal Entry controls.  I have published a new article with another configuration, AutoPost Criteria, that could potentially undermine your manual Journal Entry controls.  We are going to give end user organizations a one year head start before releasing this publicly.  You can access it only in the Internal Controls Repository (ICR) which is only open to end user organizations (or you can email and ask for it if you’d rather not sign up for the ICR).

If you haven’t read the other three articles, I’d invite you to download them from our homepage at   

We are exhibiting at Collaborate 18 in Las Vegas this April and invite you to stop by our booth and say hello. 

We are planning an update to my current book on E-Business Suite and will be expanding it to be called Oracle E-Business Suite Controls: Foundational Principles.  We also hope to have a book on ERP Cloud published before Collaborate called Oracle ERP Cloud Controls: Foundational Principles. 

If I can answer any questions or if ERP Risk Advisors can be of help in any way, please reach out to me at or on my cell at 970-324-1450.  Please also consider connecting with me via Twitter, LinkedIn, and my blog, links are below.

Jeffrey T. Hare

Twitter: @jeffreythare

Tuesday, January 16, 2018

ERP Risk Advisors: Don’t Give Up on Your Advanced Controls Investment

ERP Risk Advisors: Don’t Give Up on Your Advanced Controls Investment

Oracle has announced it will no longer sell their Advanced Controls suite for Oracle E-Business Suite and has ended premier support.  Many organizations have made a substantial investment in the implementation and use of these solutions and are left wondering what is next for their investment.

Join ERP Risk Advisors CEO, Jeffrey Hare, and our Advanced Controls Practice Manager, Sam Monarch as they discuss how organizations can extend their investment and still meet their compliance objectives.  Watch the full webinar at:

Contact us at with questions or for more information about these services.

More detail about our services can be found in our prior blog on this topic:  

Tuesday, January 9, 2018

ERP Risk Advisors and CaoSys Announce Two New Ground-Breaking Solutions for Oracle E-Business Suite

ERP Risk Advisors and CaoSys Announce Two New Ground-Breaking Solutions for Oracle E-Business Suite

ERP Risk Advisors and CaoSys have collaborated to build two new ground-breaking solutions for organizations running Oracle E-Business Suite: CS*License and CS*Lookback.

ERP Risk Advisors and CaoSys have been strategic partners since 2008 and have designed, developed, and released two new solutions that are highly valuable for compliance purposes.

CS*License is a unique and innovative solution for understanding your organization’s risks related to licensing for Oracle E-Business Suite.   This solution maps 100% of Functions and Concurrent Programs to the Application they are associated with and provides suggested mapping for objects that aren't associated with an Application.   CS*License can provide you visibility into where your organization stands with respect to your Oracle E-Business Suite license with Oracle.

CS*License includes the following:
·        Predefined rules for all Functions and Concurrent Programs, currently built up to 12.2.7
·        Updates for new content as Oracle provides upgrades – as part of annual support
·        Ability to override default applications to which a Function or Concurrent Program is mapped
·        Ability to map Applications to your licensing buckets
·        Summary and Detailed reports to help you analyze your exposure – including down to Menu and Navigation Paths to identify how the object is accessed

CS*Lookback is a unique and innovative solution that helps you determine who has done what within your Oracle E-Business Suite applications; this is an invaluable tool that greatly assists with lookback procedures and other audit related tasks.

CS*Lookback includes the following…
·        Analyze data based on configurable groups of tables and users
·        Analyze an entire schema and even the entire database
·        Perform a lookback analysis across common time rolling periods, such as “This week”, “This Month”, “This quarter”, “This year”, etc.
·        Perform a lookback analysis of any user defined time period
·        On-screen interactive reporting allows you to drill into the data from many angles
·        Powerful out-of-the-box summary level analysis and detailed reporting

CS*License and CS*Lookback compliment other leading GRC solutions for Oracle E-Business Suite including:

CS*Comply is the most effective way to deal with access control risks such as Segregation of Duties and Single Function Risks.  CS*Comply offers best-in-class reporting and preventive controls.

CS*Comply includes the following…
·        Over 1,000 pre-defined rules across the most commonly used modules covering over 36,000 known function based combinations – the most comprehensive set of rules available on the market. 
·        Our pre-defined content covers nearly 4,500 security objects, including nearly 3,000 functions and 1,400 high risk concurrent programs and can easily be extended to address custom objects developed by US Steel
·        Comprehensive reporting and analysis of SoD/Single function risks
·        Powerful, easy to use analysis / reporting tools
·        Dozens of other reports / best practice monitoring tools to help with access controls
·        Multiple preventive controls to help you take a pro-active approach to risk
·    Remediation Toolkit, Collusion Detection, Menu Cloning, Request Group Cloning, and much more)

CS*Audit is the most effective way to satisfy audit requirements as it relates to capturing and monitoring change to data within Oracle E-Business Suite.  CS*Audit also features an easy to configure near-real-time notification of changes being made.

CS*Audit includes the following…
·        Extensive library of pre-defined policies with mapping of related meta-data
·        Rule driven, fine-grained auditing and monitoring of changes to data
·        Near-real-time notification engine
·        Documentary approvals
·        Powerful reporting options
·        Capture change management information to provide to your auditors
·        Data security in our reporting repository where sensitive data is audited

CS*Provisum consists of two main components, Periodic Access Review (PAR) and Automated Assignment Provisioning (Provisioning (AAP).  

CS*Provisum (AAP) provides an efficient and effective means of automating the request and assignment of access within Oracle.  CS*Provisum (AAP) includes the following…
·        Initiation of responsibility request by the user, manager, or process owner
·        Visibility to potential SoD / single function risks as part of the approval process
·        Supervisor and/or process owner approval of access requests; no approval required can also be configured
·        Ability to create the user account when requests are approved
·        Superior visibility to pending and approved access requests

CS*Provisum (PAR) provides an efficient and effective means of validating user access on a regular basis.  CS*Provisum (PAR) includes the following…
·        Multiple review types (Process/Module owner, supervisor and transfer reviews)
·        “Selective” reviews for specific types of access (i.e. SoX Review, Financials Review, etc.)
·        Integrated with CS*Comply to provide visibility of SoD risk during the review process
·        Assignment de-provisioning is automated (no need to involve Security/System Administrator)
·        Review delegation, automated reminders/escalation and much more

CS*Rapid is a unique and innovative solution for delivering real-time operational reports and application extensions for Oracle E-Business Suite.   CS*Rapid includes the following:
·        Allows you to bring in-scope SOX reports into Oracle EBS so you can remove your data warehouse from your in-scope applications
·        Is fully integrated with Oracle E-Business Suite
·        A familiar look and feel
·        No up-front licensing costs, no additional hardware or software required
·        Your operational reporting requirements can go from concept to the users’ menu in minutes.

Contact ERP Risk Advisors ( or CaoSys ( for more information about these new software and service offerings.  

Wednesday, July 5, 2017

Upcoming ERP Risk Advisors webinars_July 2017

Upcoming ERP Risk Advisors webinars_July 2017

You are invited to attend three upcoming webinars taking place over the next couple of weeks as follows:

Don’t give up on your Oracle Advanced Controls investment – Tuesday, July 11

How to automate controls using CaoSys’ newest features – Wednesday, July 12

Identifying and Monitoring Multi-Platform and Cross-Platform Access Control Risks with SafePaas – Wednesday, July 26

“Don’t give up on your Oracle Advanced Controls investment” will be held at two times Tuesday, July 11 – 9 a.m. EST and 4 p.m. EST. 

Have you’ve spent into the six figures on your Oracle Advanced Controls implementation and are wondering how to leverage your investment into something of value.  In this webinar we will share how the expertise, content, and risk-based methodology of ERP Risk Advisors can easily extend the usefulness of your investment and add value to your controls environment.  We will first look at current trends in the audit community and discuss how to leverage your Oracle Advanced Controls investment to address these trends.  Register at:

“How to automate controls using CaoSys’ newest features” will be held at two times Wednesday, July 12 – 9 a.m. EST and 4 p.m. EST. 

With Oracle no longer offering premier support on their Advanced Controls suite customers are wondering about their long-term options with their E-Business Suite on-premise solution.  In this webinar we will provide an overview of the CaoSys GRC suite and showcase some of its newer features that can be helpful to automate controls.  Register at:

Most organizations have multiple software applications to help run their business.  Often there are several ERP and legacy applications that are considered in-scope from a compliance perspective.  Hear from industry expert, Jeffrey T. Hare, CPA CISA CIA about common cross-platform and multi-platform control risks and how organizations can mature their control environment through necessary manual controls, automated controls, and access controls.  Webinar held in conjunction with SafePaas.  Register at:

Thursday, June 15, 2017

ERP Risk Advisors Announces Oracle Advanced Controls Premier Support

ERP Risk Advisors Announces Oracle Advanced Controls Premier Support

As most customers are aware Oracle announced an end to the continued development of its Advanced Controls Suite and the end of Premier Support as of September 2016 (See MOS Note: 2143036.1). Oracle has been developing a replacement known as the Risk Management Cloud which is still in its early versions.   

This change in strategy has left its customers in a difficult position since the applications in Oracle’s GRC Advanced Controls Suite are considered critical to meet their compliance requirements.  

 Many of these same customers have also had less than perfect implementations and incomplete SoD conflict and Sensitive Access rules.  This has led to a lack of reliance on the tools by their external auditors and an inadequate coverage of risk. 

ERP Risk Advisors has historically been focused on the implementation of a competitive product in this space from CaoSys and has built the premier content library and accompanying risk advisory services. 

The transition within the Oracle GRC space has allowed ERP Risk Advisors to hire some high quality resources and so we are pleased to announce a premier support program for customers currently using Oracle's Advanced Controls Suite. 

For those customers that want to continue using Oracle's Advanced Controls Suite, we will offer remote GRC Admin services to allow you to enhance or maintain your reliance on your solution.  To start the engagement, we will perform an assessment and provide you a roadmap.  In most organizations we will be able to perform the assessment in a week. Our core support offering will primarily focus on AACG and CCG, but could also include PCG and TCG.  If you haven't licensed PCG or haven't implemented it, we believe we can implement preventive controls (albeit manual) during your provisioning process to help keep your environment clean.  We will also help you leverage the data from AACG to perform your quarterly re-certification process at the Supervisor and Process Owner levels.

The engagement would start with an initial assessment and will include:

  1. Infrastructure health check to include the patch level related to each of your Oracle Advanced Controls licensed products.
  2. Evaluation of the completeness of the SoD and Sensitive Access rules
  3. Review of your configuration of each of the modules - primarily AACG and CCG
  4. Discussions with management as to how much reliance has been placed on the software and related business processes in your external audits
  5. Review of key SQL scripts to evaluate your role design from a 10,000 foot level
  6. Review of the results of key rules, if implemented already, that all auditors are currently evaluating
  7. Review of a limited set of critical configurations such as Journal Sources and Profile Option Values
  8. An evaluation of your patch level related to each of your licensed Advanced Controls solutions that are being used

The deliverables for the engagement would include:

  1. In some cases, we'll be able to finalize the identification of what should be considered in scope rules.  Usually within a limited engagement we can get to 90+% accuracy, but often it requires a meeting with the external auditors to validate to get to the 100% level.  This is the key deliverable that most GRC consulting firms haven't been able to deliver, but ERP Risk Advisors can deliver with excellence.
  2. High level feedback on role design - where we see risk in the usage of seeded Menus, seeded Request Groups, seeded Responsibilities, and seeded Users
  3. An evaluation of the current SoD conflicts and Sensitive Access rules as to their completeness and accuracy.  We will identify the significant gaps when compared to what we anticipate would be the expectations of your audit firm.
  4. A roadmap for maturing your user provisioning process and the re-certification process
  5. A roadmap for updating your rules library to be complete and accurate as well as mapped to your auditors requirements
  6. This engagement may also include some specific feedback on Sensitive Access rules and SoD conflicts depending on the quality and completeness of your current rule set.
  7. Recommendations on patching your Advanced Controls modules, as needed, and where justified
Once we perform our initial assessment, we would be in a position to offer premium support for your Oracle GRC Advanced Controls suite.  Our support would be tailored to your organization's requirements, but would include the following as our core offering:
  1. All service requests (SRs) surrounding the Oracle GRC Advanced Controls Suite.
  2. Updating your rules library to include more risks - up and to including our full risk library. Adding additional risks from our library as we identify them.  
  3. A comprehensive remediation plan with prioritization based on risk and scoping based on level of effort
  4. Identifying SoD conflicts and Sensitive Access Risks introduced since the prior quarter for management's review and disposition
  5. Developing reports with the detail for a comprehensive quarterly access review process for Supervisors (at the role level) and Process Owners (at the rule level for the key in-scope rules)
  6. Implementation of changes to current roles and development of new roles required (still using Responsibilities, not User Management) as time permits
  7. Revisiting and updating the roadmap to present to senior management

In addition to the above, we could also provide the following services as a supplement to our core offerings:

1.      Auditing changes to the objects related to roles (Roles, Responsibilities, Menu, Request Groups) to evaluate completeness and accuracy of the change management process

2.      Identifying whether any of the in scope reports have been changed in the last quarter (period) so that the process owners know they need to re-test the completeness and accuracy of the reports (as is now being required by the public accounting firms and the PCAOB)
  1. Auditing changes to other configurations that should be subject to the change management process (scope tbd)
  2. Auditing the completeness and accuracy of the approvals related to the User Provisioning process
If you are interested in discussing these services with us, please use our Contact page and we'll get back to you as soon as possible.

Jeffrey T. Hare, CPA CISA CISA

Sam Monarch
Oracle GRC Practice Lead

Sunday, June 11, 2017

Dear Oracle... Here are some SQL Forms you missed in MOS Note 403537.1 / 1334930.1

Dear Oracle... Here are some SQL Forms you missed / MOS Note 403537.1 / 1334930.1

If you are a CISO / CIO /  Signing officer for an organization using an ERP system, you count on your software provider to keep complete and accurate guidance related to significant security risks.  We have been helping clients identify risks and implement the necessary internal controls to address those risks.  As part of our engagements, we have worked with other consultants who have help identify new risks and we have identified new risks as well.  As such, we believe we have identified four forms that allow SQL injection that haven't been documented by Oracle in its Secure Configuration Guide (MOS Note 4035371. with supplemented material in Note 1334930.1).

We respectfully submit this information to Oracle to evaluate and request that Oracle add to their Secure Configuration Guide accordingly.  Please provide us with the appropriate updated reference to our blog as part of Appendix H to your document if you deem this information valuable.

Jeffrey T. Hare, CPA, CISA CIA

To our customers and prospective customers,
We are the premier firm in the world in the risk advisory space related to the Oracle E-Business Suite.  I can confidently say that no other firm - large or small - can match the quality of the risk advisory services we provide and at a fraction of the price of what you'd pay at the big four firms.  Please keep us in mind as you identify needs for services or software in the Oracle GRC space.  We are a VAR, implementation partner, and content provider for CaoSys software.  We have resources that can also help implement or improve your implementation of Oracle's ACG and CCG modules. 

Contact us here if you would like to hear more about our services:

Detail related to the four Forms that we believe allow for SQL injection.   Included with each screen shot is the Row Who information for these records.  These may be indicative of how long these functions have been in the system.  However, we recognize that these dates may not be reliable.

Function 1:

User Function Name – AutoAccounting Rules

Function Name - PASAADRU

Function 2:

User Function Name: Define Query Objects

Function Name: AKDQUERY


Function 3:

User Function Name: Delete Constraints / Delete Constraints: Update


 Function 4:

User Function Name: Define Custom SQL Fields

Function Name: WMS_WMSCSLBL