Monday, November 9, 2009

Oracle doesn't have a clue - take 3... workflow history

Well.... Interesting day for Oracle users as Oracle cuts over to the new "My Oracle Support" portal. Another great technology snafu by Oracle. Kinda reminds me of Microsoft. They just can't seem to prevent screwing up customer's days...

One of the other great 'features' of the EBS suite is the workflow history purge process. If you are an 11i client, if you want to purge workflow notifications, you also will be purging workflow approvals. The retention of workflow approvals (e-mails that indicate 'approval' of a workflow process such as journal approvals) is critical to have audit history related to automated controls. Failure to retain an audit history of workflow approvals could mean an external auditor would not allow reliance on automated controls under the AS5 standard.

Your organization needs to build a custom retention process to store this data for at least 15 months (check your org's data retention policy before purging...) in order to support audit requirements.

If this 'feature' is news to you, contact me for more details at I can provide some tips (provided to be my Karen Brownfield of Solution Beacon) on how to build a custom archive process for retaining such data.

Good luck to all of you trying to new Oracle's new Metalink replacement!

Jeffrey T. Hare, CPA CISA CIA

Thursday, October 29, 2009

Oracle doesn't have a clue - take 2: Delegated Authority...

Here is another one.... An email from a user to one of the listservers I manage:

"Hi all. Anyone know of a means to report on current user settings for worklist
access and vacation rules? We would like to be able to review which of our
users are using worklist access and vacation rules, and to whom they have

Ideally, there would be a seeded report in Oracle. If not, perhaps some SQL or
knowledge of which tables hold this information."

Delegation of approval authority via worklist access or vacation rules could violate company policy and could subject a company to a nasty-gram from their auditors ala a control weakness in their SOX testing. If an auditor really wanted to be nasty about it, they could give an organization a material weakness (or at least a significant deficiency) IMO because this allows someone to delegate their approval authority and, in some cases, the delegation isn't recorded or reflected anywhere in the system. For example, a CFO could delegate their PO approval or Journal Entry approval authority to the janitor, their secretary, or a staff accountant who could act on behalf of the CFO to approve a journal entry, PO, or anything done via Oracle Workflow.

Cool functionality when you look at it on an operational basis. Jane Doe, CFO, takes a week off to ride on her 200 foot yacht and someone needs to approve things when she is gone so that business doesn't come to a screeching halt. Case closed, right? However, in some cases, when Jane delegates to another employee, it still looks AS IF Jane made the approval AND... no record of this delegation is made in the system... or at least there are NO REPORTS out of the box that records the delegation (I suspect the audit trail doesn't even exist...).

Nice job Oracle!!! We wouldn't want that type of information in the case of an audit, would we?

More to come...

Jeffrey T. Hare, CPA CIA CISA

SQL Forms webinar reminds me that Oracle doesn't have a clue

I did a webinar this week training auditors and other practitioners about the risks related to SQL forms and the necessary controls to monitor activity within them. Essentially these forms allow users to run any SQL statements (and in some cases OS scripts) in them. One attended said "giminy frickin christmas... you would think ORA would know that sql injection is a potential issue?
All I could say is 'amen.' I can buy into the fact that Oracle wants to allow flexibility in the use and of their applications and be 'open' in this way. However, not putting controls in place to monitor the activity done through these forms is inexcusable on many levels.

What is more inexcusable IMO is the fact that Oracle continues to put their head in the sand. I have sent letters to Charles Phillips, Steve Miranda, and Chris Leone outlining this risk among a ton of others I have identified and... not a peep. In Metalink Note 189367.1 they outline these forms, their risks, and suggest controls (i.e. trigger based audit should be deployed), but do they DO anything about it like say... build that into the core application? The answer to that is..... No.

Note 189367.1 also fails to mention one form that a colleague, Daryl Geryol, pointed out to me that allows both SQL and OS scripts. Many of us have come to love this as one of the 'undocumented features' provided by Oracle.

Hellllllloooooooooo... Oracle.... is anyone home? Your customers are suffering under the burden of identifying and addressing these undocumented features and poor design. It is time to wake up and solve these issues once and for all.

For the past two years or so I have been trying to get Oracle's attention on some of these matters. Instead of thanking me for pointing out some of these issues, I get an email from an exec asking me to take his email address of my email list. Nice strategy!!!

Jeffrey T. Hare, CPA CIA CISA

Tuesday, August 11, 2009

Oracle GRC Strategy... finally a very small win - record history in OAF pages

Solution Beacon posted this in their latest newsletter:

Record History feature now available in OAF forms in EBS Release 12.1.1
By Alyssa Johnson

One of the often used features in Oracle Professional Forms has been the Record History
selection on the Help dropdown menu. This enabled functional users to see which user updated a particular record without querying the underlying database tables. However, the same functionality was not available in the Oracle Application Framework (OAF) pages and in my experience this has been an oft asked for requirement. Starting in Release 12.0.6 this feature is now available. However, it is also included in the RCDs for 12.1.1. Even though this feature is now available, it does take a different format being enabled through a profile option and forms personalization. The new profile option is FND: Record History Enabled. If set to YES, record history can be rendered at the Header, Table, and Advanced Table levels through forms personalization. If is set to NO, then record history cannot be rendered even if set to True in forms personalization. The default value is YES. Following is an example of how to rendered the Record History icon through forms personalization. Personalization has been enabled for OAF forms.

Subscribe to the Solution Beacon newsletter at: for more on this and other topics.

In my opinion, Oracle has failed to grasp the true requirements that many, if not all, of their customers need to meet their GRC requirements. Oracle has been focused on buying companies like Logical Apps and Stellent to fill in gaps in their software portfolio, but has failed to develop a comprehensive strategy for their entire suite. I have sent several letters to Oracle execs outlining some of the architectural failings in the E-Business Suite and have suggested they form a CAB to deal with these issues. There has been no response from Oracle management.

The record history in the forms is a fundamental requirement for all customers for GRC purposes as well as troubleshooting operational issues. The failure to include this feature in OA framework forms and the continuing failure to make this information available without the use of Forms Personalization is indicative of their lack of understanding related to their customer's operational and GRC requirements.

I have an extensive list of internal control deficiencies in the EBS suite that I have made available to end users in the Internal Controls Repository. I have also made this information available to Oracle execs. I fear that they are making the same mistakes in the building of Fusion that they have made in Oracle EBS. As an advocate for my GRC customers and Oracle customers, in general, I am wondering what will wake up Oracle management to the need to fix these issues.

Jeffrey T. Hare, CPA CISA CIA
Author.Consultant.Analyst.Audit Trail Evangelist
Author of the book "Oracle E-Business Suite Controls: Application Security Best Practices"

Friday, June 26, 2009

Oracle E-Business Suite Controls: Application Security Best Practices

Hey all! Welcome to the blog about my book "Oracle E-Business Suite Controls: Application Security Best Practices." Please leave any comments or questions related to the content of this book on this blog! I'll do my best to respond to questions as they are posted.

Jeffrey T. Hare, CPA CISA CIA