Interesting start to the morning... I am working with a company helping them to evaluate their "SOD" rules. They initially had their Oracle GRC software installed and configured by a large firm that does a lot of outsourced internal auditing. In about 2 hours' work I showed them that the rules this firm recommended to the customer were complete crap - failing to understand risk in the applications (and outside the applications as well) and the functions that related to the risks.
Their external auditors (a firm whose name begins with a "P") reviewed my comments. This audit firm copied verbatim from my risk assessment content (which is copyrighted). Here is part of the verbiage they used in their response to the client: "Enter Suppliers vs. Enter AP Payments: Access to enter suppliers allows a user the ability to enter a supplier, including the setting up of a fictitious supplier. It also allows a user to override system level tolerances that are set in Payables Options - tolerances related to Qty Ordered, Qty Received, Tax, and Price. In Oracle, you cannot make a payment to a supplier without first entering an invoice so this risk is minimized unless someone with this access can approve an invoice outside the system..."
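The rule quoted above is really two things: a pair of conflicting functions, and a compensating control (a payment needs an invoice first) that only holds if the same person cannot also get an invoice in. The following is an added example, not Oracle GRC code and not the rule set of any firm mentioned here, showing how such a rule can be evaluated against user access. The responsibility names, the users and the "Approve AP Invoices" function are constructed for illustration.

```python
"""Evaluate segregation-of-duties (SoD) rules against user access.

Added example; not Oracle GRC code. Function, responsibility and user names
are constructed for illustration and do not come from a real Oracle instance.
"""
from dataclasses import dataclass

# Constructed: which application functions each responsibility grants.
RESPONSIBILITY_FUNCTIONS = {
    "AP Supplier Entry": {"Enter Suppliers"},
    "AP Invoice Entry": {"Enter AP Invoices"},
    "AP Payment Entry": {"Enter AP Payments"},
    "AP Super User": {"Enter Suppliers", "Enter AP Invoices", "Enter AP Payments"},
}

# Constructed: which responsibilities each user holds.
USER_RESPONSIBILITIES = {
    "alice": ["AP Supplier Entry", "AP Payment Entry"],
    "bob": ["AP Super User"],
    "carol": ["AP Invoice Entry"],
}


@dataclass(frozen=True)
class SodRule:
    name: str
    function_a: str
    function_b: str
    risk: str
    base_severity: str = "high"
    # Functions whose presence defeats the compensating control and raises severity.
    escalate_if: frozenset = frozenset()


# The first rule mirrors the risk quoted in the post: supplier entry plus payment
# entry is a conflict, but a payment needs an invoice first, so the risk is only
# fully realised if the same user can also enter or approve an invoice.
# "Approve AP Invoices" is a hypothetical function name.
RULES = [
    SodRule(
        name="Enter Suppliers vs. Enter AP Payments",
        function_a="Enter Suppliers",
        function_b="Enter AP Payments",
        risk="fictitious supplier set up and paid by one person",
        base_severity="medium",
        escalate_if=frozenset({"Enter AP Invoices", "Approve AP Invoices"}),
    ),
    SodRule(
        name="Enter AP Invoices vs. Enter AP Payments",
        function_a="Enter AP Invoices",
        function_b="Enter AP Payments",
        risk="invoice entered and paid by one person with no independent check",
    ),
]


@dataclass(frozen=True)
class Finding:
    user: str
    rule: str
    severity: str
    granted_by: tuple  # responsibilities that supplied the conflicting functions


def effective_functions(responsibilities, resp_map=RESPONSIBILITY_FUNCTIONS):
    """Flatten a user's responsibilities into the set of functions they grant."""
    funcs = set()
    for resp in responsibilities:
        funcs |= resp_map.get(resp, set())
    return funcs


def evaluate(users=USER_RESPONSIBILITIES, rules=RULES, resp_map=RESPONSIBILITY_FUNCTIONS):
    """Return a Finding for every (user, rule) pair where both functions are held."""
    findings = []
    for user, resps in users.items():
        funcs = effective_functions(resps, resp_map)
        for rule in rules:
            pair = {rule.function_a, rule.function_b}
            if not pair <= funcs:
                continue
            severity = "high" if funcs & rule.escalate_if else rule.base_severity
            # Record which responsibilities caused the conflict, for remediation.
            granted_by = tuple(r for r in resps if resp_map.get(r, set()) & pair)
            findings.append(Finding(user, rule.name, severity, granted_by))
    return findings


def findings_by_user(findings):
    """Group findings as {user: {rule_name: severity}} for a quick review table."""
    out = {}
    for f in findings:
        out.setdefault(f.user, {})[f.rule] = f.severity
    return out


if __name__ == "__main__":
    for f in evaluate():
        print(f"{f.user:6} {f.severity:6} {f.rule}  (via {', '.join(f.granted_by)})")
```

Run as a script it lists alice once at medium severity (supplier and payment entry, but no way to get an invoice in) and bob twice at high severity, because a single super-user responsibility gives him every function in the chain. Evaluating at the function level rather than the responsibility level is the point: a rule written only against responsibility names misses the super-user case entirely.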
It seems even some of the large audit firms have no respect for copyrights. Charles Caleb Colton said "Imitation is the best form of flattery." The least my imitators could do is change the language to make it their own.
As I continue to emphasize to clients and prospects, if your consulting partner fails to perform a proper risk assessment process, whatever tool you implement will fail to meet your objectives, and you will not get a proper ROI on your investment. Perhaps an idea for another webinar...