ERP Risk Advisors Announces Oracle Advanced Controls Premier Support
As most customers are aware Oracle announced an end to the continued development of its Advanced Controls Suite and the end of Premier Support as of September 2016 (See MOS Note: 2143036.1). Oracle has been developing a replacement known as the Risk Management Cloud which is still in its early versions.
This change in strategy has left its customers in a difficult position since the applications in Oracle’s GRC Advanced Controls Suite are considered critical to meet their compliance requirements.
Many of these same customers have also had less than perfect implementations and incomplete SoD conflict and Sensitive Access rules. This has led to a lack of reliance on the tools by their external auditors and an inadequate coverage of risk.
ERP Risk Advisors has historically been focused on the implementation of a competitive product in this space from CaoSys and has built the premier content library and accompanying risk advisory services.
The transition within the Oracle GRC space has allowed ERP Risk Advisors to hire some high quality resources and so we are pleased to announce a premier support program for customers currently using Oracle's Advanced Controls Suite.
For those customers that want to continue using Oracle's Advanced Controls Suite, we will offer remote GRC Admin services to allow you to enhance or maintain your reliance on your solution. To start the engagement, we will perform an assessment and provide you a roadmap. In most organizations we will be able to perform the assessment in a week. Our core support offering will primarily focus on AACG and CCG, but could also include PCG and TCG. If you haven't licensed PCG or haven't implemented it, we believe we can implement preventive controls (albeit manual) during your provisioning process to help keep your environment clean. We will also help you leverage the data from AACG to perform your quarterly re-certification process at the Supervisor and Process Owner levels.
The engagement would start with an initial assessment and will include:
- Infrastructure health check to include the patch level related to each of your Oracle Advanced Controls licensed products.
- Evaluation of the completeness of the SoD and Sensitive Access rules
- Review of your configuration of each of the modules - primarily AACG and CCG
- Discussions with management as to how much reliance has been placed on the software and related business processes in your external audits
- Review of key SQL scripts to evaluate your role design from a 10,000 foot level
- Review of the results of key rules, if implemented already, that all auditors are currently evaluating
- Review of a limited set of critical configurations such as Journal Sources and Profile Option Values
- An evaluation of your patch level related to each of your licensed Advanced Controls solutions that are being used
The deliverables for the engagement would include:
- In some cases, we'll be able to finalize the identification of what should be considered in scope rules. Usually within a limited engagement we can get to 90+% accuracy, but often it requires a meeting with the external auditors to validate to get to the 100% level. This is the key deliverable that most GRC consulting firms haven't been able to deliver, but ERP Risk Advisors can deliver with excellence.
- High level feedback on role design - where we see risk in the usage of seeded Menus, seeded Request Groups, seeded Responsibilities, and seeded Users
- An evaluation of the current SoD conflicts and Sensitive Access rules as to their completeness and accuracy. We will identify the significant gaps when compared to what we anticipate would be the expectations of your audit firm.
- A roadmap for maturing your user provisioning process and the re-certification process
- A roadmap for updating your rules library to be complete and accurate as well as mapped to your auditors requirements
- This engagement may also include some specific feedback on Sensitive Access rules and SoD conflicts depending on the quality and completeness of your current rule set.
- Recommendations on patching your Advanced Controls modules, as needed, and where justified
- All service requests (SRs) surrounding the Oracle GRC Advanced Controls Suite.
- Updating your rules library to include more risks - up and to including our full risk library. Adding additional risks from our library as we identify them.
- A comprehensive remediation plan with prioritization based on risk and scoping based on level of effort
- Identifying SoD conflicts and Sensitive Access Risks introduced since the prior quarter for management's review and disposition
- Developing reports with the detail for a comprehensive quarterly access review process for Supervisors (at the role level) and Process Owners (at the rule level for the key in-scope rules)
- Implementation of changes to current roles and development of new roles required (still using Responsibilities, not User Management) as time permits
- Revisiting and updating the roadmap to present to senior management
In addition to the above, we could also provide the following services as a supplement to our core offerings:
1. Auditing changes to the objects related to roles (Roles, Responsibilities, Menu, Request Groups) to evaluate completeness and accuracy of the change management process
2. Identifying whether any of the in scope reports have been changed in the last quarter (period) so that the process owners know they need to re-test the completeness and accuracy of the reports (as is now being required by the public accounting firms and the PCAOB)
- Auditing changes to other configurations that should be subject to the change management process (scope tbd)
- Auditing the completeness and accuracy of the approvals related to the User Provisioning process
Regards,Jeffrey T. Hare, CPA CISA CISA
Oracle GRC Practice Lead