Friday, January 13, 2017

Why Utilities Diagnostics Should NOT Be In Scope for SOX

Why Utilities Diagnostics Should NOT Be In Scope for SOX

The setting of the Utilities: Diagnostics profile option has been a source of scrutiny for our clients over the past few years.  Some auditors have suggested that access in Production allowed by the setting of Utilities: Diagnostics could provide a back-door way to update financially significant data that a user would not be able to maintain through their normal access.  Access this video at: 

This testing was done on an R12 environment and the conclusions should not be applied to 11i or prior environments.

Recommended Services from ERP Risk Advisors

We offer an evaluation of Application Controls design effectiveness along with an analysis of the configurations.  This service can be performed typically in one to three weeks.

Since some of these risks need to be evaluated by reviewing access controls, a SaaS service to review role design may also be appropriate.  We perform that service through our partner, CaoSys.

Contact us at  for more information about these services or CaoSys GRC solutions if you are interested in learning more.  We offer our Role / Responsibility analysis consutling as a service (CS*Proviso) or via installed software (CS*Comply).  See more about CaoSys GRC solutions at
Appendix A- Screen Shots of how Utilities: Diagnostics works:
Following are a couple of screen shots related to Utilities: Diagnostics:

No comments: