Thursday, February 24, 2011

Top 10 Fraud Risks in an E-Business Suite Environment

Great response to Top 10 Fraud Risks in an E-Business Suite Environment. Had some technical difficulties with GoToWebinar (a first for me). Not sure if the full webinar was recorded. Will try to post this on our website as well as the slides as soon as possible. May be doing a follow-up webinar.

Thanks to Steve Kost from Integrigy for hosting today's webinar.

Jeffrey T. Hare, CPA CISA CIA
LinkedIn Profile

Wednesday, February 16, 2011

Great piece: Matt Taibbi's Latest: "Why Isn't Wall Street In Jail?"

Highly recommend this read:

For those of you that spent countless hours preparing for Sarbanes-Oxley compliance and labored night and day, rest assured... it has accomplished nothing... Your only consolation is that many of you have found gainful employment because of SOX.

Actually, to be fair, SOX has greatly increased the awareness of, documentation of, and execution of internal controls for many organizations. It has not, however, helped cure the systemic fraud which was part of what led to SOX.

Jeffrey T. Hare, CPA CIA CISA

Wednesday, February 9, 2011

Oracle's E-Business Suite: Overly complicated security model!

Oracle has its feet firmly planted in two security models - the 'legacy' model is the one often referred to as Function Security. The 'new' model is what Oracle attempted to evolve into an RBAC model using the User Management module. What they have created is an overly complicated mess that frustrates even the most experienced security administrators.

One frustration is the background process that 'synchs' the data between the two models (there may actually be more than two...). For example, a responsibility made in the Users form doesn't show up for several minutes in the home page that you receive when you log in. And new functions added to menus often aren't 'available' to be used for several minutes after they are added to a menu.

While I hope Oracle doesn't make the same mistakes in the development of its Fusion apps, those companies planning to continue using Oracle's E-Business Suite have a rude awakening... Oracle continues to make its security model more complicated and frustrating. Double the time you anticipate developing security in your R12 implementation or R12 upgrade. You'll need it to troubleshoot issues...

Tuesday, February 8, 2011

Why doesn't Oracle provide view only access to their data via forms???

I'll continue to say it... Oracle doesn't have a clue how to build their applications to meet common GRC and internal control requirements. Those that have followed my work for long know my feelings on this topic...

In the traditional forms development standards, Oracle has provided organizations with the ability to easily create a custom "read only" form by setting the QUERY_ONLY=Yes parameter. However, in OA framework forms, no equivalent process has been provided. Why not? Because they don't understand how companies have to customize (personalize) the application in the real world.

EVERY form/web page should have an equivalent inquiry form out-of-the-box. Auditors and others in the organization such as Business Analysts need access to such data in Production environments and NOT via Discoverer, OBIEE, or any other ad hoc method.

Thanks for listening to my rants...

Jeffrey T. Hare, CPA CISA CIA