Wednesday, July 4, 2018

Press Release: ERP Risk Advisors announces new Audit Support as a Service services for Oracle's E-Business Suite and ERP Cloud applications

ERP Risk Advisors is pleased to announce two new Software as a Service (SaaS) offerings for Oracle's ERP applications - E-Business Suite and ERP Cloud.

This "Audit Support as a Service" offering will provide internal and external auditors with much better and more comprehensive data needed to audit these two applications.

ERP Risk Advisors CEO Jeffrey T. Hare, CPA CIA CISA, states the problem:

"We are often brought in by organizations that have audit findings to help clients remediate their control deficiencies.  As we help clients with their remediation, we often find many other significant control design issues that should have been identified by the internal and external auditors.  Two things drive our findings.  First, there is a lack of maturity in understanding by internal and external auditors of these specific systems and risks specific to each system.  Second, auditors don't have the right data to help analyze these risks and related controls."

ERP Risk Advisors has been focused on helping clients design and test controls for over 15 years.  The new Audit Support as a Service offerings will provide the following data for Oracle's E-Business Suite and ERP Cloud applications:
  • Test access controls and role design by evaluating sensitive access risks and segregation of duties conflicts
  • Evaluate control design by:
    • reviewing the actual configurations versus expected configurations
    • considering ‘best practice’ configuration design as provided by ERP Risk Advisors
  • Test change control processes by having a population of IT and functional configurations throughout the most commonly used ‘in scope’ modules and the core applications

ERP Risk Advisors CEO, Jeff Hare, continues:

"There are significant gaps in the understanding of systems auditors are responsible for reviewing.  Each ERP system has its own characteristics that must be taken into account as part of the audit.  No longer can auditors audit 'around' the system.  Auditors need a better understanding of the system and need better data to perform an audit that is complete and accurate.  I would encourage you to take a look at this recent article I wrote on this topic called "Why the PCAOB and External Auditors Should be Concerned about Substantive Only Audits" which can be found here.  This explains this need in more detail.  We look forward to helping internal and external auditors improve their effectiveness and efficiencies in auditing Oracle's E-Business Suite and ERP Cloud applications through the use of this service."

More about this service and other services offered by ERP Risk Advisors can be found here.

Why the PCAOB and External Auditors Should be Concerned about Substantive-Only Audits


This article is long overdue, but still one I have been dreading to release.  I know the audit firms could come under significant additional scrutiny from regulators such as the PCAOB.  However, there are significant risks organizations are facing because of poorly designed controls and inadequate audit procedures.  It is 2018, more than 15 years after the passage of the Sarbanes-Oxley Act, and it is time to shine the light on areas that board members and investors would be appalled by if they understood this topic.  With this said, here is my article...

In evaluating how to approach an audit, in general, and specific business processes within any audit, in particular, external auditors sometimes choose to audit ‘around the system’.  That is, they ignore the way systems are designed and test the given process or control without regard to how the system is designed.  They do so by identifying a population of transactions related to the process and testing the activity through sampling as required by their internal standards and consistent with the regulator(s) that oversee their audits (PCAOB, OCC, various government agencies, etc.).

There are consistent gaps in the approach that external audit firms take that could leave the chosen populations incomplete.  Therefore, I will make the argument that a substantive-only audit is a flawed approach and one that external audit partners and regulators should be concerned about.

To illustrate this flaw, I will use arguably the most important control related to the integrity of the financial statements – the control over manual (non-standard) journal entries.  Manual journal entries inherently pose a high risk to the integrity of the financial statements because they can move any balance between any account within the trial balance.  In my experience, most external auditors don’t know how to properly identify a population of journal entries that equate to a manual journal entry.

I identify the following types of journal entries that could exist within an ERP system:

1. Manually created in the system within the general ledger itself

2. Uploaded from a spreadsheet – manual or non-standard type

3. Uploaded from a spreadsheet – created by another system (i.e. manual interface)

4. Uploaded from a spreadsheet – looking as if it came from a subledger

5. Interfaced from another system (i.e. automated interface)

6. Transferred from a subledger

7. Manually created in a subledger and transferred as if it were a subledger entry


… continued in full article - see below for link ...


Conclusions

Because of the way JE controls are typically designed (i.e. to ignore subledger JE’s) organizations using Oracle’s E-Business Suite or ERP Cloud applications would need to configure each system differently in order to prohibit a user from creating a journal entry from a Source that is not subject to the manual / non-standard JE controls.  In other words, even in the case where an audit is not placing reliance on any application controls (i.e. a fully substantive audit), the improper configuration of a system COULD cause the functional auditors to leave out a portion of the JE’s that should be in their control population.  

… continued in full article - see below for link …



Access the full article here

Saturday, June 16, 2018

Oracle E-Business Suite Controls: Foundational Principles is finished!

Tetelestai, as the Greeks would say. Meaning - it is finished.

Four years since I first started an update to this book... You can purchase this at: http://www.lulu.com/shop/jeffrey-t-hare-cpa-cisa-cia/oracle-e-business-suite-controls-foundational-principles-2nd-edition/paperback/product-23679820.html.

If you want to support more publication of best practices like this, please consider purchasing this book. 100% of the proceeds of the book will support Rapha House. Rapha House is a Christian ministry whose mission is "We exist to love, rescue, & heal children who have been rescued from trafficking & sexual exploitation." So your purchase of this book will not only serve to help motivate me to write more articles and books, but will also serve to protect 'the least of these' among us. See more at www.RaphaHouse.com

For those of you that have seen the musical - Hamilton - the phrase 'why do you write like you're running out of time' from the song 'Non Stop' comes to mind. More articles and books to come.

#HamiltonQuotesForTheWinAlex #Matthew25_40 #NonStop
#oracleebusinesssuite #OracleBestPractices #NotThrowingAwayMyShot


Tuesday, May 22, 2018

CaoSys and ERP Risk Advisors Announce New Accelerated Implementation and Subscription Pricing for their Segregation of Duties Solution, CS*Comply

CaoSys is pleased to announce their leading SoD solution, CS*Comply, for Oracle E-Business Suite is now available with Subscription pricing.  CaoSys has partnered with ERP Risk Advisors to provide accelerated implementation services for its flagship SoD solution such that implementation services can be bundled into subscription costs.
“We’ve seen a trend that our customers and prospects are looking for lower initial costs that can be addressed in an operating budget rather than requiring a capital expense” said Craig O’Neill, CTO at CaoSys.  “We are excited to announce that our flagship SoD solution, CS*Comply, is now available in a new simple subscription pricing model that provides our high-quality software for customers looking for a lower entry cost.”
CaoSys has partnered with ERP Risk Advisors since 2008 to implement its GRC suite.  ERP Risk Advisors has also built risk-based content for CS*Comply and can provide risk advisory services as part of the implementation of the suite.
“We are excited to provide accelerated implementation services for the CaoSys GRC suite that can get the basics of each solution ‘up and running’ then provide follow on training and consulting in the following months” says ERP Risk Advisors CEO, Jeffrey Hare CPA CIA CISA. “We are committed to provide on-going touch points each month to help CaoSys customers derive more value from each of the solutions they have licensed.”
CaoSys and ERP Risk Advisors now offer best of breed software, content, high-quality risk advisory services and ongoing support all for a low fixed monthly subscription fee. This new solution offering will be available from May 14th.

Tuesday, April 17, 2018

ERP Risk Advisors at Collaborate 2018_Major Announcements

ERP Risk Advisors will be presenting again this year at Collaborate 18 in Las Vegas, April 22-26. 

At Collaborate we will be announcing and discussing in more detail several major enhancements to our partner network and services as follows:

·       Audit Support as a Service for E-Business Suite and ERP Cloud – Complete data necessary to audit either application including configurations, a change management population, and SoD conflicts / Sensitive Access rule reporting

·       Content Unlimited for ERP Cloud – SoD and Sensitive Access rule subscription service for Oracle’s Risk Management Cloud

·       Training of project teams and auditors on Risks and Controls for ERP Cloud

·       E-Business Suite license review service through CaoSys’ CS*License solution

·       Support of Oracle’s Risk Management Cloud for ERP Cloud

·       Quarterly Risk Advisory webinar for ERP Cloud – focusing on governance, risk management, and control design issues throughout the application including bugs and enhancement requests

·       Several new Risk Advisory articles for ERP Cloud



If you are attending Collaborate, please visit us at Booth 1330 and plan on attending one or more of these sessions:


Monday 23rd - 11 a.m. - GRC SIG – Change Management Best Practices


Thursday – 26th (ADDITIONAL FEE) - 8:30 a.m. to 1:00 p.m. Security and Controls Foundational Concepts for Oracle E-Business Suite – (Jasmine C)

Monday, April 16, 2018

ERP Cloud: Certified Resources for Risk Management Cloud

ERP Cloud: Risk Management Cloud Certifications and Services

***  PRESS RELEASE ***


ERP Risk Advisors is pleased to announce that a second of our resources is certified on the Financial Reporting Compliance (FRC) module of the Risk Management Cloud.  Donna Curtis was one of the first to attain certification on FRC, and Sam Monarch has recently become certified as well.
 
Many organizations have licensed the Risk Management Cloud and can take advantage of our accelerated implementation services including a two-week proof of concept engagement and six-week accelerated implementation of the FRC module.
 
ERP Risk Advisors is the premier niche consulting firm that focuses on Oracle applications, with an emphasis on ERP Cloud, E-Business Suite, and PeopleSoft.
 
Contact us at http://erpra.net/contactus.html for more information.
 
Donna Curtis bio:
  • ERP Risk Advisors Cloud Practice Lead
  • 20+ years as an Oracle EBS/GRC/Cloud consultant
  • Aided Oracle in the writing of the Oracle Financial Reporting Compliance Certification exam
  • Experience includes Big 4 consulting as well as small boutique firms
  • Certified Cloud Security Implementation Specialist, Certified FRC Implementation Specialist

Sam Monarch bio:
  • ERP Risk Advisors Oracle GRC Practice Lead
  • 29+ GRC Implementations covering all areas of Risk & Compliance
  • Expert Reviewer (SME) - Governance, Risk, and Compliance Handbook for Oracle Applications; Packt Publishing
  • Functional and Technical Leader in Oracle GRC, ERP Cloud Risk Management and CaoSys Product Suites
  • Experience includes Big 4 audit defense utilizing GRC technologies
  • Author of comprehensive IT Department SOPs, structured to optimize the business processes allowing clients to become both compliant and efficient.
  • Certified FRC Implementation Specialist
About ERP Risk Advisors:
ERP Risk Advisors is a leading provider of Risk Advisory services for organizations using Oracle Applications.  We provide consulting and training services related to compliance, security, risk management, and controls.  We also assist organizations in implementing GRC-related software from industry-leading companies.  ERP Risk Advisors is a proud VAR of CaoSys as well as several other leading software companies.

Friday, April 6, 2018

ERP Cloud: Two new risk advisors articles published and available to end users of ERP Cloud

Thought Leadership Others Follow


ERP Risk Advisors is pleased to announce the publishing of two new articles for ERP Cloud in our Risk Advisory series.  Both of these articles are only available to end user organizations that are considering implementing,  are implementing, or have implemented Oracle's ERP Cloud software.

The topics are:
  • How Two ... Could Undermine Your Manual Journal Entry Controls
  • Critical Risks in Managing System...
If you are an end user organization, you can request these articles at:
http://erpra.net/ArticleAccessForm.html

Please keep ERP Risk Advisors in mind for any services you have related to ERP Cloud.

Services and offerings – ERP Cloud
  • Comprehensive Risk Assessment / Controls Design
  • Role Assessment, Remediation and Design
  • Reports & Analytics Development for Controls Monitoring
  • Risk Management Cloud Implementation & Support:
    • Financial Reporting Compliance (FRC)
    • Advanced Financial Controls (AFC)
    • Advanced Access Controls (AAC)

Regards,
Jeffrey T. Hare, CPA CIA CISA

Thursday, April 5, 2018

Oracle E-Business Suite Controls: Foundational Principles is just around the corner...

Can it be over soon???   I have been laboring over updating my E-Business Suite Application Security book for years and have one more chapter to write before it goes into final review...

It will be called "Oracle E-Business Suite Controls: Foundational Principles" and I hope, hope, hope to have it done by the end of April.

So... ready for it to be completed so it can be a resource for organizations running Oracle E-Business Suite.

The book has more than doubled in size and is approaching 400 pages... It will likely have to be hard cover because of its size.  We'll see...

Then... it will be onward towards writing a similar book for ERP Cloud.

Tuesday, March 6, 2018

New Webinar and New LinkedIn Group focusing on GRC issues for Oracle’s ERP Cloud software


ERP Risk Advisors is excited to present our ERP Cloud Risk Advisory Series.  Join us for our first webinar in this series, titled "How One Configuration Could Undermine Your Manual Journal Entry Controls".  Join CEO, Jeffrey T. Hare, CPA CISA CIA and our ERP Cloud Practice Manager, Donna Curtis for this webinar.
This webinar will provide you with one CPE credit, but is only open to end user organizations. No anonymous emails, consulting firms, or audit firms will be allowed to participate.

Register here:


With this new Risk Advisory series, we are also excited to announce a new LinkedIn Group focused on GRC issues for Oracle’s ERP Cloud software.  Sign up for this group here:
https://www.linkedin.com/groups/12100219

Thursday, February 1, 2018

ERP Risk Advisors to present at OAUG's Risk Week

ERP Risk Advisors founder and CEO, Jeffrey T. Hare, CPA CIA CISA, will be presenting at OAUG's risk week.  His presentation is titled "ERP Risk Advisors and CaoSys: The Premier GRC Offering for Oracle E-Business Suite"

The presentation will include a discussion of common issues being identified by external and internal auditors and how the CaoSys suite of GRC-related applications can be used to address these needs.

The CaoSys GRC software suite is, by far, the leader in software in the E-Business Suite GRC space, having been implemented at leading organizations throughout the world.  CaoSys' customer base includes the largest on-line retailer in the world with undoubtedly the largest install base, a high-tech manufacturer who is top 10 in the world in transaction volume for EBS, and many other leading Fortune 500 companies.

ERP Risk Advisors has developed content and specialized risk advisory services to supplement CaoSys' industry-leading software.  Our content library includes more than 1,000 rules - 600+ of the rules are sensitive access rules, providing visibility to risks throughout the applications.  This includes nearly 400 rules for activities that are expected to go through the Change Management process, which allow you to easily evaluate if functions that should be managed by IT are isolated to those that understand and execute the change control expectations.

Our webinar will be held Friday, 09 February 2018 at 1 p.m. EST.

Join us at our Risk Week webinar hosted by OAUG by signing up here:
https://oaug.org/education-events/elearning/item/7123-erp-risk-advisors-and-caosys-the-premier-grc-offering-for-oracle-e-business-suite.

Tuesday, January 23, 2018

Welcome to 2018! Big news for ERP Risk Advisors!!!


A new year brings exciting news at ERP Risk Advisors.  Happy New Year! We wish you the best for 2018.

First, we are pleased to welcome a new member to our team, Donna Curtis, who will be heading up our ERP Cloud practice after just recently leaving a big 4 firm as a Manager.  She brings over 20 years of experience in the IT industry as a leading talent in the Oracle EBS/Cloud and Advanced Controls space with full life cycle implementations on multiple projects (30+).  We are excited to have Donna on board.

Next, ERP Risk Advisors has launched partnerships with several new GRC software providers including SafePaas, Smart ERP, Oracle, Sentinel Software, and Fast Path.  We now offer full risk advisory services for E-Business Suite, ERP Cloud, and PeopleSoft.  We are THE niche firm in the Oracle GRC space and can provide high quality risk advisory services at a much lower price than the big 4 firms.

Additionally, we also have continued to deepen our most strategic relationship with CaoSys in the E-Business Suite space.  With Oracle de-supporting their Advanced Controls Suite, CaoSys has become the only fully integrated software for E-Business Suite and just so happens to produce excellent software.  We have collaborated with CaoSys to launch two new solutions – CS*License and CS*Lookback – which we know will be well-received by the market.  See enclosed datasheets for these offerings.  These solutions complement an already superb suite of software that includes CS*Comply, CS*Audit, CS*Provisum, and CS*Rapid.  Find out more about CaoSys at www.CaoSys.com

Finally, in 2017 I wrote three thought-leadership white papers called “The One Series” where I identified one configuration, one function, and one profile option that could undermine your manual Journal Entry controls.  I have published a new article with another configuration, AutoPost Criteria, that could potentially undermine your manual Journal Entry controls.  We are going to give end user organizations a one year head start before releasing this publicly.  You can access it only in the Internal Controls Repository (ICR) which is only open to end user organizations (or you can email admin@erpra.net and ask for it if you’d rather not sign up for the ICR).

If you haven’t read the other three articles, I’d invite you to download them from our homepage at www.erpra.net.   

We are exhibiting at Collaborate 18 in Las Vegas this April and invite you to stop by our booth and say hello. 

We are planning an update to my current book on E-Business Suite and will be expanding it to be called Oracle E-Business Suite Controls: Foundational Principles.  We also hope to have a book on ERP Cloud published before Collaborate called Oracle ERP Cloud Controls: Foundational Principles. 

If I can answer any questions or if ERP Risk Advisors can be of help in any way, please reach out to me at jhare@erpra.net or on my cell at 970-324-1450.  Please also consider connecting with me via Twitter, LinkedIn, and my blog, links are below.

Regards,
Jeffrey T. Hare

Twitter: @jeffreythare
Blog: jeffreythare.blogspot.com
LinkedIn: linkedin.com/in/jeffreythare

Tuesday, January 16, 2018

ERP Risk Advisors: Don’t Give Up on Your Advanced Controls Investment

Oracle has announced it will no longer sell their Advanced Controls suite for Oracle E-Business Suite and has ended premier support.  Many organizations have made a substantial investment in the implementation and use of these solutions and are left wondering what is next for their investment.

Join ERP Risk Advisors CEO, Jeffrey Hare, and our Advanced Controls Practice Manager, Sam Monarch as they discuss how organizations can extend their investment and still meet their compliance objectives.  Watch the full webinar at: https://youtu.be/xvW_eqMoIvg

Contact us at admin@erpra.net with questions or for more information about these services.

More detail about our services can be found in our prior blog on this topic:
http://jeffreythare.blogspot.com/2017/06/erp-risk-advisors-announces-oracle.html  

Tuesday, January 9, 2018

ERP Risk Advisors and CaoSys Announce Two New Ground-Breaking Solutions for Oracle E-Business Suite

ERP Risk Advisors and CaoSys have collaborated to build two new ground-breaking solutions for organizations running Oracle E-Business Suite: CS*License and CS*Lookback.

ERP Risk Advisors and CaoSys have been strategic partners since 2008 and have designed, developed, and released two new solutions that are highly valuable for compliance purposes.

CS*License is a unique and innovative solution for understanding your organization’s risks related to licensing for Oracle E-Business Suite.   This solution maps 100% of Functions and Concurrent Programs to the Application they are associated with and provides suggested mapping for objects that aren't associated with an Application.   CS*License can provide you visibility into where your organization stands with respect to your Oracle E-Business Suite license with Oracle.

CS*License includes the following:
·        Predefined rules for all Functions and Concurrent Programs, currently built up to 12.2.7
·        Updates for new content as Oracle provides upgrades – as part of annual support
·        Ability to override default applications to which a Function or Concurrent Program is mapped
·        Ability to map Applications to your licensing buckets
·        Summary and Detailed reports to help you analyze your exposure – including down to Menu and Navigation Paths to identify how the object is accessed



CS*Lookback is a unique and innovative solution that helps you determine who has done what within your Oracle E-Business Suite applications; this is an invaluable tool that greatly assists with lookback procedures and other audit related tasks.

CS*Lookback includes the following…
·        Analyze data based on configurable groups of tables and users
·        Analyze an entire schema and even the entire database
·        Perform a lookback analysis across common time rolling periods, such as “This week”, “This Month”, “This quarter”, “This year”, etc.
·        Perform a lookback analysis of any user defined time period
·        On-screen interactive reporting allows you to drill into the data from many angles
·        Powerful out-of-the-box summary level analysis and detailed reporting

CS*License and CS*Lookback complement other leading GRC solutions for Oracle E-Business Suite including:

CS*Comply
CS*Comply is the most effective way to deal with access control risks such as Segregation of Duties and Single Function Risks.  CS*Comply offers best-in-class reporting and preventive controls.

CS*Comply includes the following…
·        Over 1,000 pre-defined rules across the most commonly used modules covering over 36,000 known function based combinations – the most comprehensive set of rules available on the market. 
·        Our pre-defined content covers nearly 4,500 security objects, including nearly 3,000 functions and 1,400 high risk concurrent programs and can easily be extended to address custom objects developed by US Steel
·        Comprehensive reporting and analysis of SoD/Single function risks
·        Powerful, easy to use analysis / reporting tools
·        Dozens of other reports / best practice monitoring tools to help with access controls
·        Multiple preventive controls to help you take a pro-active approach to risk (Remediation Toolkit, Collusion Detection, Menu Cloning, Request Group Cloning, and much more)

CS*Audit
CS*Audit is the most effective way to satisfy audit requirements as it relates to capturing and monitoring change to data within Oracle E-Business Suite.  CS*Audit also features an easy to configure near-real-time notification of changes being made.

CS*Audit includes the following…
·        Extensive library of pre-defined policies with mapping of related meta-data
·        Rule driven, fine-grained auditing and monitoring of changes to data
·        Near-real-time notification engine
·        Documentary approvals
·        Powerful reporting options
·        Capture change management information to provide to your auditors
·        Data security in our reporting repository where sensitive data is audited

CS*Provisum
CS*Provisum consists of two main components, Periodic Access Review (PAR) and Automated Assignment Provisioning (AAP).

CS*Provisum (AAP) provides an efficient and effective means of automating the request and assignment of access within Oracle.  CS*Provisum (AAP) includes the following…
·        Initiation of responsibility request by the user, manager, or process owner
·        Visibility to potential SoD / single function risks as part of the approval process
·        Supervisor and/or process owner approval of access requests; no approval required can also be configured
·        Ability to create the user account when requests are approved
·        Superior visibility to pending and approved access requests

CS*Provisum (PAR) provides an efficient and effective means of validating user access on a regular basis.  CS*Provisum (PAR) includes the following…
·        Multiple review types (Process/Module owner, supervisor and transfer reviews)
·        “Selective” reviews for specific types of access (i.e. SoX Review, Financials Review, etc.)
·        Integrated with CS*Comply to provide visibility of SoD risk during the review process
·        Assignment de-provisioning is automated (no need to involve Security/System Administrator)
·        Review delegation, automated reminders/escalation and much more

CS*Rapid
CS*Rapid is a unique and innovative solution for delivering real-time operational reports and application extensions for Oracle E-Business Suite.   CS*Rapid includes the following:
·        Allows you to bring in-scope SOX reports into Oracle EBS so you can remove your data warehouse from your in-scope applications
·        Is fully integrated with Oracle E-Business Suite
·        A familiar look and feel
·        No up-front licensing costs, no additional hardware or software required
·        Your operational reporting requirements can go from concept to the users’ menu in minutes.

Contact ERP Risk Advisors (http://erpra.net/contactus.html) or CaoSys (http://caosys.com/mcw.php) for more information about these new software and service offerings.