Thursday, June 15, 2017

ERP Risk Advisors Announces Oracle Advanced Controls Premier Support

ERP Risk Advisors Announces Oracle Advanced Controls Premier Support

As most customers are aware Oracle announced an end to the continued development of its Advanced Controls Suite and the end of Premier Support as of September 2016 (See MOS Note: 2143036.1). Oracle has been developing a replacement known as the Risk Management Cloud which is still in its early versions.   

This change in strategy has left its customers in a difficult position since the applications in Oracle’s GRC Advanced Controls Suite are considered critical to meet their compliance requirements.  

 Many of these same customers have also had less than perfect implementations and incomplete SoD conflict and Sensitive Access rules.  This has led to a lack of reliance on the tools by their external auditors and an inadequate coverage of risk. 

ERP Risk Advisors has historically been focused on the implementation of a competitive product in this space from CaoSys and has built the premier content library and accompanying risk advisory services. 

The transition within the Oracle GRC space has allowed ERP Risk Advisors to hire some high quality resources and so we are pleased to announce a premier support program for customers currently using Oracle's Advanced Controls Suite. 

For those customers that want to continue using Oracle's Advanced Controls Suite, we will offer remote GRC Admin services to allow you to enhance or maintain your reliance on your solution.  To start the engagement, we will perform an assessment and provide you a roadmap.  In most organizations we will be able to perform the assessment in a week. Our core support offering will primarily focus on AACG and CCG, but could also include PCG and TCG.  If you haven't licensed PCG or haven't implemented it, we believe we can implement preventive controls (albeit manual) during your provisioning process to help keep your environment clean.  We will also help you leverage the data from AACG to perform your quarterly re-certification process at the Supervisor and Process Owner levels.

The engagement would start with an initial assessment and will include:

  1. Infrastructure health check to include the patch level related to each of your Oracle Advanced Controls licensed products.
  2. Evaluation of the completeness of the SoD and Sensitive Access rules
  3. Review of your configuration of each of the modules - primarily AACG and CCG
  4. Discussions with management as to how much reliance has been placed on the software and related business processes in your external audits
  5. Review of key SQL scripts to evaluate your role design from a 10,000 foot level
  6. Review of the results of key rules, if implemented already, that all auditors are currently evaluating
  7. Review of a limited set of critical configurations such as Journal Sources and Profile Option Values
  8. An evaluation of your patch level related to each of your licensed Advanced Controls solutions that are being used

The deliverables for the engagement would include:

  1. In some cases, we'll be able to finalize the identification of what should be considered in scope rules.  Usually within a limited engagement we can get to 90+% accuracy, but often it requires a meeting with the external auditors to validate to get to the 100% level.  This is the key deliverable that most GRC consulting firms haven't been able to deliver, but ERP Risk Advisors can deliver with excellence.
  2. High level feedback on role design - where we see risk in the usage of seeded Menus, seeded Request Groups, seeded Responsibilities, and seeded Users
  3. An evaluation of the current SoD conflicts and Sensitive Access rules as to their completeness and accuracy.  We will identify the significant gaps when compared to what we anticipate would be the expectations of your audit firm.
  4. A roadmap for maturing your user provisioning process and the re-certification process
  5. A roadmap for updating your rules library to be complete and accurate as well as mapped to your auditors requirements
  6. This engagement may also include some specific feedback on Sensitive Access rules and SoD conflicts depending on the quality and completeness of your current rule set.
  7. Recommendations on patching your Advanced Controls modules, as needed, and where justified
Once we perform our initial assessment, we would be in a position to offer premium support for your Oracle GRC Advanced Controls suite.  Our support would be tailored to your organization's requirements, but would include the following as our core offering:
  1. All service requests (SRs) surrounding the Oracle GRC Advanced Controls Suite.
  2. Updating your rules library to include more risks - up and to including our full risk library. Adding additional risks from our library as we identify them.  
  3. A comprehensive remediation plan with prioritization based on risk and scoping based on level of effort
  4. Identifying SoD conflicts and Sensitive Access Risks introduced since the prior quarter for management's review and disposition
  5. Developing reports with the detail for a comprehensive quarterly access review process for Supervisors (at the role level) and Process Owners (at the rule level for the key in-scope rules)
  6. Implementation of changes to current roles and development of new roles required (still using Responsibilities, not User Management) as time permits
  7. Revisiting and updating the roadmap to present to senior management

In addition to the above, we could also provide the following services as a supplement to our core offerings:

1.      Auditing changes to the objects related to roles (Roles, Responsibilities, Menu, Request Groups) to evaluate completeness and accuracy of the change management process

2.      Identifying whether any of the in scope reports have been changed in the last quarter (period) so that the process owners know they need to re-test the completeness and accuracy of the reports (as is now being required by the public accounting firms and the PCAOB)
  1. Auditing changes to other configurations that should be subject to the change management process (scope tbd)
  2. Auditing the completeness and accuracy of the approvals related to the User Provisioning process
If you are interested in discussing these services with us, please use our Contact page and we'll get back to you as soon as possible.

Jeffrey T. Hare, CPA CISA CISA

Sam Monarch
Oracle GRC Practice Lead

Sunday, June 11, 2017

Dear Oracle... Here are some SQL Forms you missed in MOS Note 403537.1 / 1334930.1

Dear Oracle... Here are some SQL Forms you missed / MOS Note 403537.1 / 1334930.1

If you are a CISO / CIO /  Signing officer for an organization using an ERP system, you count on your software provider to keep complete and accurate guidance related to significant security risks.  We have been helping clients identify risks and implement the necessary internal controls to address those risks.  As part of our engagements, we have worked with other consultants who have help identify new risks and we have identified new risks as well.  As such, we believe we have identified four forms that allow SQL injection that haven't been documented by Oracle in its Secure Configuration Guide (MOS Note 4035371. with supplemented material in Note 1334930.1).

We respectfully submit this information to Oracle to evaluate and request that Oracle add to their Secure Configuration Guide accordingly.  Please provide us with the appropriate updated reference to our blog as part of Appendix H to your document if you deem this information valuable.

Jeffrey T. Hare, CPA, CISA CIA

To our customers and prospective customers,
We are the premier firm in the world in the risk advisory space related to the Oracle E-Business Suite.  I can confidently say that no other firm - large or small - can match the quality of the risk advisory services we provide and at a fraction of the price of what you'd pay at the big four firms.  Please keep us in mind as you identify needs for services or software in the Oracle GRC space.  We are a VAR, implementation partner, and content provider for CaoSys software.  We have resources that can also help implement or improve your implementation of Oracle's ACG and CCG modules. 

Contact us here if you would like to hear more about our services:

Detail related to the four Forms that we believe allow for SQL injection.   Included with each screen shot is the Row Who information for these records.  These may be indicative of how long these functions have been in the system.  However, we recognize that these dates may not be reliable.

Function 1:

User Function Name – AutoAccounting Rules

Function Name - PASAADRU

Function 2:

User Function Name: Define Query Objects

Function Name: AKDQUERY


Function 3:

User Function Name: Delete Constraints / Delete Constraints: Update


 Function 4:

User Function Name: Define Custom SQL Fields

Function Name: WMS_WMSCSLBL