<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-4311640442921669554</id><updated>2012-02-14T00:20:47.918-08:00</updated><category term='Oracle GRC Software'/><category term='Oracle GRC Best Practices E-Business Suite EBS'/><category term='MOAC'/><category term='Oracle GRC'/><category term='Oracle Best Practices'/><category term='Oracle E-Business Suite GRC EBS Application Security Best Practices'/><category term='Multi Org Access Control'/><category term='Oracle E-Business Suite Application Security Best Practices'/><title type='text'>ERP Risk Advisors blog</title><subtitle type='html'>ERP Risk Advisors CEO Jeffrey T. Hare, CPA CISA CIA blogs about GRC Best Practices for organizations running Oracle Applications.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://jeffreythare.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://jeffreythare.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Jeffrey T. 
Hare, CPA CISA CIA</name><uri>http://www.blogger.com/profile/13323748862907193430</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://3.bp.blogspot.com/_quMZVHGzD_A/SkVH7jjxymI/AAAAAAAAAAM/sGMZ9N7sVPg/S220/Jeff_Hike2_websmall.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>24</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-4311640442921669554.post-1410692951231800341</id><published>2012-01-10T13:52:00.000-08:00</published><updated>2012-01-10T13:52:15.467-08:00</updated><title type='text'>Article published by OAUG: Why Implementations Fail, Beyond the Obvious</title><content type='html'>We are excited to announce that OAUG just published an article I wrote called "Why Implementations Fail, Beyond the Obvious". The article can be downloaded at: http://erpra.net/files/ERPRA_Why_Implementations_Fail_Beyond_the_Obvious_OAUG_Insight.pdf.&lt;br /&gt;&lt;br /&gt;Please read the article and provide any comments on my blog.  Feel free to send me any questions or comments at jhare@erpra.net.&lt;br /&gt;&lt;br /&gt;Regards,&lt;br /&gt;Jeffrey T. 
Hare, CPA CISA CIA&lt;br /&gt;CEO, ERP Risk Advisors&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4311640442921669554-1410692951231800341?l=jeffreythare.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jeffreythare.blogspot.com/feeds/1410692951231800341/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4311640442921669554&amp;postID=1410692951231800341' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/1410692951231800341'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/1410692951231800341'/><link rel='alternate' type='text/html' href='http://jeffreythare.blogspot.com/2012/01/article-published-by-oaug-why.html' title='Article published by OAUG: Why Implementations Fail, Beyond the Obvious'/><author><name>Jeffrey T. 
Hare, CPA CISA CIA</name><uri>http://www.blogger.com/profile/13323748862907193430</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://3.bp.blogspot.com/_quMZVHGzD_A/SkVH7jjxymI/AAAAAAAAAAM/sGMZ9N7sVPg/S220/Jeff_Hike2_websmall.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4311640442921669554.post-3416242277016642913</id><published>2011-08-30T17:55:00.000-07:00</published><updated>2011-08-30T17:55:45.287-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='MOAC'/><category scheme='http://www.blogger.com/atom/ns#' term='Multi Org Access Control'/><title type='text'>Basics of MOAC and Inherent limitations</title><content type='html'>In R12 of E-Business Suite, Oracle introduced Multi-Org Access Control (MOAC) to provide users with the ability to view data and process data across operating units. This new functionality is welcomed by organizations that process data and want to view data across operating units – such as those that have a shared service environment. The implementation of MOAC is simple, but it has some limitations. MOAC cannot be implemented in much of the world because of the need to use localizations and apply such localizations at the Responsibility level.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Inherent limitations&lt;/b&gt;&lt;br /&gt;I queried two Payables users from the Solution Beacon 12.1.2 Vision public domain environment – one for Austria and one for Germany. Localization profile options (JG: Territory and JG: Product) were applied to these two responsibilities in order to implement country-specific localizations for Austria and Germany. 
If you had a shared service center in Germany, for example, you wouldn’t be able to combine these two countries into a single responsibility using MOAC, because there is no way to apply the localizations to the combined responsibility: you’d need to set the JG: Territory profile option to both Germany and Austria, which the profile options form doesn’t currently support. I logged an enhancement request on behalf of a client (Enhancement Request 10361672) that Oracle is currently considering. I encourage you to log an SR and throw your support behind this enhancement request.&lt;br /&gt;&lt;br /&gt;White paper continued...  The full white paper on this topic can be downloaded at: http://erpra.net/bestpractices.html&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4311640442921669554-3416242277016642913?l=jeffreythare.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jeffreythare.blogspot.com/feeds/3416242277016642913/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4311640442921669554&amp;postID=3416242277016642913' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/3416242277016642913'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/3416242277016642913'/><link rel='alternate' type='text/html' href='http://jeffreythare.blogspot.com/2011/08/basics-of-moac-and-inherent-limitations.html' title='Basics of MOAC and Inherent limitations'/><author><name>Jeffrey T. 
Hare, CPA CISA CIA</name><uri>http://www.blogger.com/profile/13323748862907193430</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://3.bp.blogspot.com/_quMZVHGzD_A/SkVH7jjxymI/AAAAAAAAAAM/sGMZ9N7sVPg/S220/Jeff_Hike2_websmall.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4311640442921669554.post-6812360873563164743</id><published>2011-08-17T15:10:00.000-07:00</published><updated>2011-08-17T15:10:38.824-07:00</updated><title type='text'>Configuration Change Management process - should end users own it?</title><content type='html'>I am dealing with a client that has end users make significant changes to the configurations in their module.  They are re-implementing, and I am advising them on changes to security and controls.  This email is likely of interest to other companies, so I thought I'd share a bit of it.&lt;br /&gt;&lt;br /&gt;"I have some feedback regarding your configuration change management process that I wanted to pass on to you.  I sensed some strong feelings about it in our meeting yesterday and didn't want to rock the boat, so I thought email would be a better mechanism to provide you feedback and allow you to reflect on the recommendations.&lt;br /&gt;&lt;br /&gt;I believe strongly in informed and educated end users.  The more knowledgeable users are about the system, the better the processes they own.  I am a strong believer that process owners 'own' the process, including how the applications work.  This includes an understanding of the setups / configurations related to the module and those setups / configurations that are core to the entire suite of applications.&lt;br /&gt;&lt;br /&gt;However, I rarely see end users have responsibility for making changes to key configurations in the application - what I call the configuration change management process.  This is for two primary reasons.  
First, there is additional risk from an SOD perspective if end users have the ability to control the configurations for the processes they use.  An example that we talked about yesterday is configurations related to the journal approval process.  I'd rather not give the end user community the ability to override a key control without it being formally documented and approved.  Giving end users control over these configurations does just that.  This could pose a serious problem when auditors come in to test the control under AS5 and learn that changes to the configurations may have been made without proper approval.   Second, end users are typically not good gate-keepers for the change management process, are not trained on it, and are not supervised by management that has primary responsibility for implementing and controlling the change management process.&lt;br /&gt;&lt;br /&gt;As it relates to the discussion yesterday, we specifically talked about Bob's role in the GL module.  However, we also need to address the risks in other analysts like Bob throughout the application - those supporting AR, AP, HR, Payroll, Purchasing, etc.  Do you have the same level of confidence in their ability as you would with Bob?  What happens when Bob retires or leaves the company?  Are you going to have the same level of confidence in her replacement?&lt;br /&gt;&lt;br /&gt;The purpose of the change management process is, among other things, to protect the integrity of the system, its data, and the business processes which are supported by the system.  From what I understand, part of the reason that ABC Company is re-implementing relates to configuration changes that weren't thoroughly thought through and/or tested in 11i.  
I am not necessarily saying that having IT manage those changes would have saved you from having to re-implement, but I can say that at least a solid configuration change management process will give you a more defined process to follow - documentation, impact analysis, test plans, approvals, etc. - and give you a better shot at maintaining the integrity of your system after you re-implement in R12.&lt;br /&gt;&lt;br /&gt;So my recommendation is this... as part of the risk assessment process I am doing, let's have a discussion, by module, about what configurations should go through the configuration change management process, then design security and the configuration change management process to allow IT to make those changes rather than the end users.  In my opinion and based on my experience, this will give ABC Company better controls (preventive versus detective) and a better chance of maintaining the integrity of the system."&lt;br /&gt;&lt;br /&gt;Thoughts are welcome!&lt;br /&gt;&lt;br /&gt;Regards,&lt;br /&gt;Jeffrey T. 
Hare, CPA CISA CIA&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4311640442921669554-6812360873563164743?l=jeffreythare.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jeffreythare.blogspot.com/feeds/6812360873563164743/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4311640442921669554&amp;postID=6812360873563164743' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/6812360873563164743'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/6812360873563164743'/><link rel='alternate' type='text/html' href='http://jeffreythare.blogspot.com/2011/08/configuration-change-management-process.html' title='Configuration Change Management process - should end users own it?'/><author><name>Jeffrey T. Hare, CPA CISA CIA</name><uri>http://www.blogger.com/profile/13323748862907193430</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://3.bp.blogspot.com/_quMZVHGzD_A/SkVH7jjxymI/AAAAAAAAAAM/sGMZ9N7sVPg/S220/Jeff_Hike2_websmall.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4311640442921669554.post-8644881810589385482</id><published>2011-06-28T14:20:00.000-07:00</published><updated>2011-06-28T14:20:14.989-07:00</updated><title type='text'>Two new web blogs in past few days</title><content type='html'>Our &lt;a href="http://www.youtube.com/user/ErpSeminars"&gt;YouTube&lt;/a&gt; channel has all the web blogs.  
&lt;a href="http://erpra.net/bestpractices.html"&gt;Links&lt;/a&gt; are also available on our website.&lt;br /&gt;&lt;br /&gt;Here are the topics for the latest two:&lt;br /&gt;-Impact of Responsibilities using a custom application on SLA programs&lt;br /&gt;-AR Adjustment Limits System Design Flaw&lt;br /&gt;&lt;br /&gt;Regards,&lt;br /&gt;Jeffrey T. Hare, CPA CISA CIA&lt;br /&gt;jhare@erpra.net&lt;br /&gt;LI profile: http://www.linkedin.com/in/jeffreythare&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4311640442921669554-8644881810589385482?l=jeffreythare.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jeffreythare.blogspot.com/feeds/8644881810589385482/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4311640442921669554&amp;postID=8644881810589385482' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/8644881810589385482'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/8644881810589385482'/><link rel='alternate' type='text/html' href='http://jeffreythare.blogspot.com/2011/06/two-new-web-blogs-in-past-few-days.html' title='Two new web blogs in past few days'/><author><name>Jeffrey T. 
Hare, CPA CISA CIA</name><uri>http://www.blogger.com/profile/13323748862907193430</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://3.bp.blogspot.com/_quMZVHGzD_A/SkVH7jjxymI/AAAAAAAAAAM/sGMZ9N7sVPg/S220/Jeff_Hike2_websmall.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4311640442921669554.post-1679867000320201538</id><published>2011-06-21T13:08:00.000-07:00</published><updated>2011-06-21T13:08:37.771-07:00</updated><title type='text'>Web-blog: Consolidations submenu design flaw</title><content type='html'>Here is the first web-blog I've done.  Hopefully today's topic will be of interest to you and future topics will be as well.  Today's web blog can be accessed at: &lt;a href="http://erpra.net/bestpractices.html"&gt;http://erpra.net/bestpractices.html&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Contact me with any questions or suggestions on future blog topics at jhare@erpra.net.&lt;br /&gt;&lt;br /&gt;Regards,&lt;br /&gt;Jeffrey T. 
Hare, CPA CISA CIA&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4311640442921669554-1679867000320201538?l=jeffreythare.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jeffreythare.blogspot.com/feeds/1679867000320201538/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4311640442921669554&amp;postID=1679867000320201538' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/1679867000320201538'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/1679867000320201538'/><link rel='alternate' type='text/html' href='http://jeffreythare.blogspot.com/2011/06/web-blog-consolidations-submenu-design.html' title='Web-blog: Consolidations submenu design flaw'/><author><name>Jeffrey T. Hare, CPA CISA CIA</name><uri>http://www.blogger.com/profile/13323748862907193430</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://3.bp.blogspot.com/_quMZVHGzD_A/SkVH7jjxymI/AAAAAAAAAAM/sGMZ9N7sVPg/S220/Jeff_Hike2_websmall.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4311640442921669554.post-2412535255468165021</id><published>2011-04-01T08:28:00.000-07:00</published><updated>2011-04-01T08:28:20.319-07:00</updated><title type='text'>Change their password upon first login/admin reset</title><content type='html'>Got a question today about password resets:&lt;br /&gt;&lt;br /&gt;"I am trying to figure something out.  How do we validate that Oracle forces the user to change their password upon first login/admin reset?  I thought it was something in the profile options.  
Thank you for the help."&lt;br /&gt;&lt;br /&gt;My response...&lt;br /&gt;It is inherent in the system.  It can't be turned off, and it is not controlled by Profile Options.&lt;br /&gt;&lt;br /&gt;There is a lot of risk involved with password resets.  With plenty of hacking / backdoor access to the database and privileged users that have the ability to reset passwords, this should be a critical control for your organization.  You need a policy and related procedures on how/when p/w resets can be requested and who can reset the p/w.  Then, because of the risk, the process owner (system or security administrator, security auditor, etc.) should regularly check with the owner of the accounts to make sure the p/w resets were valid and not some nefarious behavior.  &lt;br /&gt;&lt;br /&gt;My two cents FWIW.&lt;br /&gt;&lt;br /&gt;Regards,&lt;br /&gt;Jeffrey T. Hare, CPA CIA CISA&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4311640442921669554-2412535255468165021?l=jeffreythare.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jeffreythare.blogspot.com/feeds/2412535255468165021/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4311640442921669554&amp;postID=2412535255468165021' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/2412535255468165021'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/2412535255468165021'/><link rel='alternate' type='text/html' href='http://jeffreythare.blogspot.com/2011/04/change-their-password-upon-first.html' title='Change their password upon first login/admin reset'/><author><name>Jeffrey T. 
Hare, CPA CISA CIA</name><uri>http://www.blogger.com/profile/13323748862907193430</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://3.bp.blogspot.com/_quMZVHGzD_A/SkVH7jjxymI/AAAAAAAAAAM/sGMZ9N7sVPg/S220/Jeff_Hike2_websmall.jpg'/></author><thr:total>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4311640442921669554.post-3897098369948776044</id><published>2011-03-22T15:54:00.000-07:00</published><updated>2011-03-22T15:54:38.014-07:00</updated><title type='text'>GL: Statistical Journals -- not supported by journal approval workflow</title><content type='html'>I saw this question on OAUGnet and thought I'd respond to it...&lt;br /&gt;&lt;br /&gt;"Can anyone verify this:  In R12 G/L, the seeded Journal Approval workflow (WF) will not route a statistical journal for approval regardless of the journal's source."&lt;br /&gt;&lt;br /&gt;Here is what I found in My Oracle Support:&lt;br /&gt;MOS [ID 1076823.1]&lt;br /&gt;"Currently Statistical journals do not require approval as per standard functionality.&lt;br /&gt;&lt;br /&gt;The only limitation you can make is that you can use the profile option Journals: Mix Statistical and Monetary to prevent STAT and monetary lines on the same journal.&lt;br /&gt;It is not possible to restrict entry of STAT lines by user."&lt;br /&gt;&lt;br /&gt;Not really sure I understand how this profile option 'limitation' addresses the issue, but it is there nonetheless...  Sometimes support analysts just hate saying "no, Oracle doesn't provide that functionality"...&lt;br /&gt;&lt;br /&gt;Regards,&lt;br /&gt;Jeffrey T. 
Hare, CPA CISA CIA&lt;br /&gt;ERP Risk Advisors&lt;br /&gt;http://www.linkedin.com/in/jeffreythare&lt;br /&gt;send me a LinkedIn request - jhare@erpra.net&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4311640442921669554-3897098369948776044?l=jeffreythare.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jeffreythare.blogspot.com/feeds/3897098369948776044/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4311640442921669554&amp;postID=3897098369948776044' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/3897098369948776044'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/3897098369948776044'/><link rel='alternate' type='text/html' href='http://jeffreythare.blogspot.com/2011/03/gl-statistical-journals-not-suppport-by.html' title='GL: Statistical Journals -- not supported by journal approval workflow'/><author><name>Jeffrey T. 
Hare, CPA CISA CIA</name><uri>http://www.blogger.com/profile/13323748862907193430</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://3.bp.blogspot.com/_quMZVHGzD_A/SkVH7jjxymI/AAAAAAAAAAM/sGMZ9N7sVPg/S220/Jeff_Hike2_websmall.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4311640442921669554.post-71980985229385467</id><published>2011-03-18T12:05:00.000-07:00</published><updated>2011-03-18T12:05:44.199-07:00</updated><title type='text'>Does your organization maintain proper workflow history?</title><content type='html'>Reviewing docs for a client today, I ran across this comment in a document: "I believe that there are audit reporting requirements to provide evidence of workflow approvals of changes to compensation or position-related edits"&lt;br /&gt;&lt;br /&gt;Question: Does your company properly maintain workflow history for approvals?  Let me help with another question to ask your DBAs - how often are workflow history tables purged?  Your homework for the day...  &lt;br /&gt;&lt;br /&gt;Based on my experience, many organizations do not have the evidence for such approvals if an auditor asks for this type of history.&lt;br /&gt;&lt;br /&gt;I have enabled anonymous comments to protect the identity of those responding.  
Please respond anonymously with any comments.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4311640442921669554-71980985229385467?l=jeffreythare.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jeffreythare.blogspot.com/feeds/71980985229385467/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4311640442921669554&amp;postID=71980985229385467' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/71980985229385467'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/71980985229385467'/><link rel='alternate' type='text/html' href='http://jeffreythare.blogspot.com/2011/03/does-your-organization-maintain-proper.html' title='Does your organization maintain proper workflow history?'/><author><name>Jeffrey T. Hare, CPA CISA CIA</name><uri>http://www.blogger.com/profile/13323748862907193430</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://3.bp.blogspot.com/_quMZVHGzD_A/SkVH7jjxymI/AAAAAAAAAAM/sGMZ9N7sVPg/S220/Jeff_Hike2_websmall.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4311640442921669554.post-4982573672455462126</id><published>2011-03-16T14:20:00.000-07:00</published><updated>2011-03-16T14:20:02.813-07:00</updated><title type='text'>Ad hoc SQL statements in Production environments by a developer</title><content type='html'>I had a client email me today the following:&lt;br /&gt;"Is it normal to have IT dev/support group run SQL queries in production to fix errant/stuck data in an Oracle EBS shop?  
As an example, we have a data issue that is listing the load weight as 0LB and have IT fix that through an SQL query directly in production?"&lt;br /&gt;&lt;br /&gt;Here was my response:&lt;br /&gt;"No.  This is not normal for two reasons:&lt;br /&gt;&lt;br /&gt;1.  Developers should not have access to run scripts in Prod.  Any scripts should be developed by the developers, executed by the DBAs in a non-prod environment, tested by an end user, then executed by the DBAs in Prod.&lt;br /&gt;&lt;br /&gt;2.  May or may not be an issue...  SQL scripts can either be supported or not supported by Oracle depending on how they are written.   If they call a public API, generally they are supported.  If there is no public API, Oracle should be providing the data fix script.  Otherwise, they'll not support it and the execution of it may void your support agreement."&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4311640442921669554-4982573672455462126?l=jeffreythare.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jeffreythare.blogspot.com/feeds/4982573672455462126/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4311640442921669554&amp;postID=4982573672455462126' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/4982573672455462126'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/4982573672455462126'/><link rel='alternate' type='text/html' href='http://jeffreythare.blogspot.com/2011/03/ad-hoc-sql-statements-in-production.html' title='Ad hoc SQL statements in Production environments by a developer'/><author><name>Jeffrey T. 
Hare, CPA CISA CIA</name><uri>http://www.blogger.com/profile/13323748862907193430</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://3.bp.blogspot.com/_quMZVHGzD_A/SkVH7jjxymI/AAAAAAAAAAM/sGMZ9N7sVPg/S220/Jeff_Hike2_websmall.jpg'/></author><thr:total>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4311640442921669554.post-1499502847416292936</id><published>2011-02-24T13:40:00.000-08:00</published><updated>2011-02-24T13:40:10.910-08:00</updated><title type='text'>Top 10 Fraud Risks in an E-Business Suite Environment</title><content type='html'>Great response to Top 10 Fraud Risks in an E-Business Suite Environment.  Had some technical difficulties with GoToWebinar (a first for me).  Not sure if the full webinar was recorded.  Will try to post this on our website as well as the slides as soon as possible.  May be doing a follow-up webinar.  &lt;br /&gt;&lt;br /&gt;Thanks to Steve Kost from &lt;a href="http://www.integrigy.com"&gt;Integrigy&lt;/a&gt; for hosting today's webinar.&lt;br /&gt;&lt;br /&gt;Regards,&lt;br /&gt;Jeffrey T. 
Hare, CPA CISA CIA&lt;br /&gt;jhare@erpra.net&lt;br /&gt;&lt;a href="http://www.linkedin.com/in/jeffreythare"&gt;LinkedIn Profile&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4311640442921669554-1499502847416292936?l=jeffreythare.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jeffreythare.blogspot.com/feeds/1499502847416292936/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4311640442921669554&amp;postID=1499502847416292936' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/1499502847416292936'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/1499502847416292936'/><link rel='alternate' type='text/html' href='http://jeffreythare.blogspot.com/2011/02/top-10-fraud-risks-in-e-business-suite.html' title='Top 10 Fraud Risks in an E-Business Suite Environment'/><author><name>Jeffrey T. 
Hare, CPA CISA CIA</name><uri>http://www.blogger.com/profile/13323748862907193430</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://3.bp.blogspot.com/_quMZVHGzD_A/SkVH7jjxymI/AAAAAAAAAAM/sGMZ9N7sVPg/S220/Jeff_Hike2_websmall.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4311640442921669554.post-9186825655846035789</id><published>2011-02-16T13:41:00.000-08:00</published><updated>2011-02-16T13:41:20.092-08:00</updated><title type='text'>Great piece: Matt Taibbi's Latest: " Why Isn't Wall Street In Jail?"</title><content type='html'>Highly recommend this read:&lt;br /&gt;http://www.zerohedge.com/article/matt-taibbis-latest-why-isnt-wall-street-jail&lt;br /&gt;&lt;br /&gt;For those of you that spent countless hours preparing for Sarbanes-Oxley compliance and labored night and day, rest assured... it has accomplished nothing...  Your only consolation is that many of you have found gainful employment because of SOX.&lt;br /&gt;&lt;br /&gt;Actually, to be fair, SOX has greatly increased the awareness of, documentation of, and execution of internal controls for many organizations.  It has not, however, helped cure the systemic fraud which was part of what led to SOX.&lt;br /&gt;&lt;br /&gt;Regards,&lt;br /&gt;Jeffrey T. 
Hare, CPA CIA CISA&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4311640442921669554-9186825655846035789?l=jeffreythare.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://jeffreythare.blogspot.com/feeds/9186825655846035789/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4311640442921669554&amp;postID=9186825655846035789' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/9186825655846035789'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/9186825655846035789'/><link rel='alternate' type='text/html' href='http://jeffreythare.blogspot.com/2011/02/great-piece-matt-taibbis-latest-why.html' title='Great piece: Matt Taibbi&apos;s Latest: &quot; Why Isn&apos;t Wall Street In Jail?&quot;'/><author><name>Jeffrey T. Hare, CPA CISA CIA</name><uri>http://www.blogger.com/profile/13323748862907193430</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://3.bp.blogspot.com/_quMZVHGzD_A/SkVH7jjxymI/AAAAAAAAAAM/sGMZ9N7sVPg/S220/Jeff_Hike2_websmall.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4311640442921669554.post-2399362311436612599</id><published>2011-02-09T15:45:00.000-08:00</published><updated>2011-02-09T15:45:45.449-08:00</updated><title type='text'>Oracle's E-Business Suite: Overly complicated security model!</title><content type='html'>Oracle has its feet firmly planted in two security models - the 'legacy' model is the one often referred to as Function Security.  The 'new' model is what Oracle attempted to evolve into an RBAC model using the User Management module.  
What they have created is an overly complicated mess that frustrates even the most experienced security administrators.&lt;br /&gt;&lt;br /&gt;One frustration is the background process that 'synchs' the data between the two models (there may actually be more than two...).  For example, a responsibility assigned in the Users form doesn't show up for several minutes on the home page you see when you log in.  And new functions added to menus often aren't 'available' for use until several minutes after they are added to a menu.&lt;br /&gt;&lt;br /&gt;While I hope Oracle doesn't make the same mistakes in the development of its Fusion apps, those companies planning to continue using Oracle's E-Business Suite are in for a rude awakening... Oracle continues to make its security model more complicated and frustrating.  Double the time you anticipate for developing security in your R12 implementation or R12 upgrade.  You'll need it to troubleshoot issues...</content><link rel='replies' type='application/atom+xml' href='http://jeffreythare.blogspot.com/feeds/2399362311436612599/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4311640442921669554&amp;postID=2399362311436612599' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/2399362311436612599'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/2399362311436612599'/><link rel='alternate' type='text/html' href='http://jeffreythare.blogspot.com/2011/02/oracles-e-business-suite-overaly.html' title='Oracle&apos;s E-Business Suite: Overly complicated security model!'/><author><name>Jeffrey T. 
Hare, CPA CISA CIA</name><uri>http://www.blogger.com/profile/13323748862907193430</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://3.bp.blogspot.com/_quMZVHGzD_A/SkVH7jjxymI/AAAAAAAAAAM/sGMZ9N7sVPg/S220/Jeff_Hike2_websmall.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4311640442921669554.post-2231646627205150111</id><published>2011-02-08T09:30:00.000-08:00</published><updated>2011-02-08T09:30:43.156-08:00</updated><title type='text'>Why doesn't Oracle provide view only access to their data via forms???</title><content type='html'>I'll continue to say it... Oracle doesn't have a clue how to build their applications to meet common GRC and internal control requirements.  Those who have followed my work for long know my feelings on this topic...&lt;br /&gt;&lt;br /&gt;In its traditional Forms development standards, Oracle has provided organizations with the ability to easily create a custom "read only" form by setting the QUERY_ONLY=Yes parameter on the form function.  However, for OA Framework pages, no equivalent mechanism has been provided.  Why not?  Because they don't understand how companies have to customize (personalize) the application in the real world.  &lt;br /&gt;&lt;br /&gt;EVERY form/web page should have an equivalent inquiry form out-of-the-box.  Auditors and others in the organization such as Business Analysts need access to such data &lt;b&gt;in Production environments&lt;/b&gt; and NOT via Discoverer, OBIEE, or any other ad hoc method.&lt;br /&gt;&lt;br /&gt;Thanks for listening to my rants...&lt;br /&gt;&lt;br /&gt;Regards,&lt;br /&gt;Jeffrey T. 
Hare, CPA CISA CIA</content><link rel='replies' type='application/atom+xml' href='http://jeffreythare.blogspot.com/feeds/2231646627205150111/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4311640442921669554&amp;postID=2231646627205150111' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/2231646627205150111'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/2231646627205150111'/><link rel='alternate' type='text/html' href='http://jeffreythare.blogspot.com/2011/02/why-doesnt-oracle-provide-view-only.html' title='Why doesn&apos;t Oracle provide view only access to their data via forms???'/><author><name>Jeffrey T. Hare, CPA CISA CIA</name><uri>http://www.blogger.com/profile/13323748862907193430</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://3.bp.blogspot.com/_quMZVHGzD_A/SkVH7jjxymI/AAAAAAAAAAM/sGMZ9N7sVPg/S220/Jeff_Hike2_websmall.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4311640442921669554.post-4322060874352268678</id><published>2011-01-17T15:05:00.000-08:00</published><updated>2011-01-17T15:05:50.838-08:00</updated><title type='text'>The politics of a project and the impact on addressing risks</title><content type='html'>Just finishing a project where we helped design and implement application security for a global rollout of a manufacturing company.  The politics of a project never cease to amaze me and every project has its own unique politics.  I’ve seen it all...  
A well-run project takes strategic vision and the proper leadership to support all the objectives.  More often than not, a project is well supported from an operational perspective, but does not have the same level of support or leadership when it comes to security and controls.  This is why using a firm independent from the system integrator is so important.  Without a proper understanding of the risks involved in implementing the applications, whether for the project as a whole or for an individual element such as application security, management is running blind. In many cases, management does not have the experience or expertise in implementing ERP systems in general, or the specific ERP system.  Having both types of knowledge is critical to being able to effectively manage a project.  &lt;br /&gt;All too often, the bidding process for system integrators lends itself to a ‘get it done on time and on budget’ mindset and ‘to hell’ with things like properly designed security or implementing proper internal controls PRIOR to go live.  
Without strong project leadership, proper security and controls often never get implemented, because post-go-live funding is difficult to obtain once the ‘core’ project is over time and over budget.&lt;br /&gt;I suspect this blog may hit a few nerves and am looking forward to any comments.</content><link rel='replies' type='application/atom+xml' href='http://jeffreythare.blogspot.com/feeds/4322060874352268678/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4311640442921669554&amp;postID=4322060874352268678' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/4322060874352268678'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/4322060874352268678'/><link rel='alternate' type='text/html' href='http://jeffreythare.blogspot.com/2011/01/politics-of-project-and-impact-on.html' title='The politics of a project and the impact on addressing risks'/><author><name>Jeffrey T. 
Hare, CPA CISA CIA</name><uri>http://www.blogger.com/profile/13323748862907193430</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://3.bp.blogspot.com/_quMZVHGzD_A/SkVH7jjxymI/AAAAAAAAAAM/sGMZ9N7sVPg/S220/Jeff_Hike2_websmall.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4311640442921669554.post-8478883117803511332</id><published>2010-05-03T08:44:00.000-07:00</published><updated>2010-05-03T10:24:48.275-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Oracle GRC'/><category scheme='http://www.blogger.com/atom/ns#' term='Oracle Best Practices'/><category scheme='http://www.blogger.com/atom/ns#' term='Oracle GRC Software'/><title type='text'>Big 4 - copyright violations...</title><content type='html'>Interesting start to the morning...  I am working with a company helping them to evaluate their "SOD" rules.  They initially had their Oracle GRC software installed and configured by a large firm that does a lot of outsourced internal auditing.  In about 2 hours' work I showed them that the rules this firm recommended to the customer were complete crap - failing to understand risk in the applications (and outside the applications as well) and the functions that related to the risks.&lt;br /&gt;&lt;br /&gt;Their external auditors (a firm whose name begins with a "P") reviewed my comments.  This audit firm copied verbatim from my (copyrighted) risk assessment content.  Here is part of the verbiage they used in their response to the client: &lt;span style="font-style:italic;"&gt;"Enter Suppliers vs. Enter AP Payments: Access to enter suppliers allows a user the ability to enter a supplier, including the setting up of a fictitious supplier.  It also allows a user to override system level tolerances that are set in Payables Options - tolerances related to Qty Ordered, Qty Received, Tax, and Price. 
In Oracle, you cannot make a payment to a supplier without first entering an invoice, so this risk is minimized unless someone with this access can approve an invoice outside the system..."&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;It seems even some of the large audit firms have no respect for copyrights.  Charles Caleb Colton said "Imitation is the best form of flattery."  The least my imitators could do is change the language to make it their own.&lt;br /&gt;&lt;br /&gt;As I continue to emphasize to clients and prospects, if your consulting partner fails to perform a proper risk assessment process, whatever tool you implement will fail to meet your objectives, and you will not get a proper ROI on your investment.  Perhaps an idea for another webinar...</content><link rel='replies' type='application/atom+xml' href='http://jeffreythare.blogspot.com/feeds/8478883117803511332/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4311640442921669554&amp;postID=8478883117803511332' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/8478883117803511332'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/8478883117803511332'/><link rel='alternate' type='text/html' href='http://jeffreythare.blogspot.com/2010/05/big-4-copyright-violations.html' title='Big 4 - copyright violations...'/><author><name>Jeffrey T. 
Hare, CPA CISA CIA</name><uri>http://www.blogger.com/profile/13323748862907193430</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://3.bp.blogspot.com/_quMZVHGzD_A/SkVH7jjxymI/AAAAAAAAAAM/sGMZ9N7sVPg/S220/Jeff_Hike2_websmall.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4311640442921669554.post-5254701045685556030</id><published>2010-03-19T15:44:00.000-07:00</published><updated>2010-03-19T15:49:49.015-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Oracle E-Business Suite GRC EBS Application Security Best Practices'/><title type='text'>Another example of Oracle not focusing on Best Practices</title><content type='html'>Look at Metalink Note 227010.1.  This note is titled "Script to check for Default Passwords being used for some common usernames."&lt;br /&gt;&lt;br /&gt;Why just 'common' usernames?  Why not all usernames?  Why can't they maintain this document and the related test scripts for all known usernames?  Would it be so difficult to build into their development QA process a step that updates this document whenever a new schema or another type of default database user is added?  It is ironic that the published script doesn't even cover all the usernames that their own "Best Practices" documents, 189367.1 and 403537.1, suggest monitoring, and those documents aren't being maintained either (see my earlier &lt;a href="http://erpseminars.blogspot.com/2010/03/oracle-needs-to-focus-on-best-practices.html"&gt;blog&lt;/a&gt;).&lt;br /&gt;&lt;br /&gt;Yet another example...  
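&lt;br /&gt;&lt;br /&gt;An added check, not Oracle's script and not part of the original post, that avoids the fixed-list problem the post complains about in two ways: for database accounts it asks the data dictionary which users still carry a vendor default password, and for application accounts it tests every (username, candidate password) pair you feed it through the same API the login page uses. DBA_USERS_WITH_DEFPWD exists from Oracle Database 11g onward and needs DBA privilege; FND_WEB_SEC.VALIDATE_LOGIN returns 'Y' when a pair authenticates. The sample pairs in the block are constructed placeholders and are to be replaced with your own seeded-user inventory. Run it against a clone rather than production: a failed VALIDATE_LOGIN call is assumed here to count toward the Signon Password Failure Limit profile option and could lock accounts.

```sql
-- Added example, not from the original post or from Note 227010.1.

-- 1. Database accounts: the dictionary already knows the vendor default
--    password hashes (Oracle Database 11g+, requires DBA privilege).
SELECT d.username,
       u.account_status,
       u.profile
  FROM dba_users_with_defpwd d
  JOIN dba_users u
    ON u.username = d.username
 ORDER BY CASE WHEN u.account_status = 'OPEN' THEN 0 ELSE 1 END, d.username;

-- 2. Application accounts: test candidate passwords through the API the
--    login page uses, for EVERY seeded user in your inventory.
SET SERVEROUTPUT ON
DECLARE
  TYPE t_list IS TABLE OF VARCHAR2(100);
  -- Constructed sample pairs (assumption): replace with your inventory.
  l_users  t_list := t_list('SYSADMIN', 'GUEST', 'WIZARD');
  l_pwds   t_list := t_list('sysadmin', 'ORACLE', 'WELCOME');
  l_active PLS_INTEGER;
  l_hits   PLS_INTEGER := 0;
BEGIN
  FOR i IN 1 .. l_users.COUNT LOOP
    -- Skip missing or end-dated users: a default password on a dead
    -- account is noise, and testing it may still bump failure counters.
    SELECT COUNT(*) INTO l_active
      FROM fnd_user
     WHERE user_name = l_users(i)
       AND NVL(end_date, SYSDATE + 1) > SYSDATE;

    IF l_active = 0 THEN
      dbms_output.put_line('skip  ' || l_users(i) || ' (missing or end-dated)');
    ELSIF fnd_web_sec.validate_login(l_users(i), l_pwds(i)) = 'Y' THEN
      l_hits := l_hits + 1;
      dbms_output.put_line('FAIL  ' || l_users(i) || ' still accepts its default password');
    ELSE
      dbms_output.put_line('ok    ' || l_users(i));
    END IF;
  END LOOP;
  dbms_output.put_line(l_hits || ' application account(s) on a default password');
END;
/
```

The point of the second block is that the list is data, not code: when a patch or a new module introduces another seeded application user, you add one pair to your inventory instead of waiting for a note to be updated.&lt;br /&gt;&lt;br /&gt;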
Oracle, &lt;a href="http://erpseminars.blogspot.com/2010/02/where-is-oracles-norman.html"&gt;where is your Norman&lt;/a&gt;?</content><link rel='replies' type='application/atom+xml' href='http://jeffreythare.blogspot.com/feeds/5254701045685556030/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4311640442921669554&amp;postID=5254701045685556030' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/5254701045685556030'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/5254701045685556030'/><link rel='alternate' type='text/html' href='http://jeffreythare.blogspot.com/2010/03/another-example-of-oracle-not-focusing.html' title='Another example of Oracle not focusing on Best Practices'/><author><name>Jeffrey T. Hare, CPA CISA CIA</name><uri>http://www.blogger.com/profile/13323748862907193430</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://3.bp.blogspot.com/_quMZVHGzD_A/SkVH7jjxymI/AAAAAAAAAAM/sGMZ9N7sVPg/S220/Jeff_Hike2_websmall.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4311640442921669554.post-3561076032025446358</id><published>2010-03-19T14:00:00.000-07:00</published><updated>2010-03-19T14:09:59.604-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Oracle GRC Best Practices E-Business Suite EBS'/><title type='text'>Oracle needs to focus on Best Practices</title><content type='html'>Arggghhh....  Look at Metalink Note 403537.1 - Best Practices for Securing Oracle E-Business Suite Release 12.  
It was last updated February 27, 2007.  Yes... that is not a typo - 2007.  The last update to this document was over three years ago.  Is it possible that nothing has changed or nothing needed to be added to this document in over three years?  Hardly the case.  A lot has changed since then.  New products have been launched and many new features have been added to existing applications.  That SHOULD mean that new recommendations need to be added to the document - two obvious ones are new seeded database users and new seeded application users.  We at ERP Risk Advisors have identified 10 new seeded application users (see the Internal Controls Repository, for end users only, at http://tech.groups.yahoo.com/group/oracleappsinternalcontrols/ for more on this topic).&lt;br /&gt;&lt;br /&gt;If Oracle is going to produce a best practices document, it needs to maintain the document or provide a caveat stating that the document is a sampling of best practices that should not be relied upon as a comprehensive list.  Just my two cents...&lt;br /&gt;&lt;br /&gt;Email me with comments at jhare@erpra.net.&lt;br /&gt;&lt;br /&gt;Regards,&lt;br /&gt;Jeffrey T. 
Hare, CPA CISA CIA&lt;br /&gt;ERP Risk Advisors / ERP Seminars&lt;br /&gt;www.erpseminars.com&lt;br /&gt;www.erpra.net</content><link rel='replies' type='application/atom+xml' href='http://jeffreythare.blogspot.com/feeds/3561076032025446358/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4311640442921669554&amp;postID=3561076032025446358' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/3561076032025446358'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/3561076032025446358'/><link rel='alternate' type='text/html' href='http://jeffreythare.blogspot.com/2010/03/oracle-needs-to-focus-on-best-practices.html' title='Oracle needs to focus on Best Practices'/><author><name>Jeffrey T. Hare, CPA CISA CIA</name><uri>http://www.blogger.com/profile/13323748862907193430</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://3.bp.blogspot.com/_quMZVHGzD_A/SkVH7jjxymI/AAAAAAAAAAM/sGMZ9N7sVPg/S220/Jeff_Hike2_websmall.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4311640442921669554.post-1380027880721473733</id><published>2010-02-02T15:48:00.001-08:00</published><updated>2010-02-02T15:57:02.315-08:00</updated><title type='text'>Where is Oracle's Norman?</title><content type='html'>I am an avid user of LinkedIn: I have amassed over 1700 connections, I host two groups (Oracle GRC and Oracle ERP Auditors), and I am a member of several other groups, including a group on GRC and a group hosted by the IIA.  
I have bumped into several posts from Norman Marks whose title is "Vice President, GRC at SAP BusinessObjects division."  Norman is an advocate for GRC best practices and regularly blogs on the topic on LinkedIn, the IIA site and others.&lt;br /&gt;&lt;br /&gt;SAP has clearly invested in this man.  Go do your thing.  Go promote GRC best practices.  Go be an expert... knowing that the reputation this builds for SAP as a thought leader is priceless.  I am not necessarily saying that SAP GRC's focus is stronger than Oracle's, because I don't know SAP software well enough to make a valid comparison.  However, it does beg the question... "Where is Oracle's Norman?"&lt;br /&gt;&lt;br /&gt;Food for thought...&lt;br /&gt;&lt;br /&gt;Regards,&lt;br /&gt;Jeffrey T. Hare, CPA CISA CIA&lt;br /&gt;&lt;span style="font-style:italic;"&gt;Industry Analyst.Author.Consultant.Audit Trail Evangelist&lt;/span&gt;&lt;br /&gt;Phone: 970-785-6455 &lt;br /&gt;Cell: 970-324-1450&lt;br /&gt;Email: jhare@erpseminars.com&lt;br /&gt;Website: www.erpseminars.com&lt;br /&gt;Author of the book “Oracle E-Business Suite Controls: Application Security Best Practices” - buy it at: http://stores.lulu.com/erpseminars&lt;br /&gt;LinkedIn: http://www.linkedin.com/in/jeffreythare&lt;br /&gt;Oracle Users Best Practices Board: www.oubpb.com&lt;br /&gt;LinkedIn Oracle GRC group: http://www.linkedin.com/groups?gid=2017790&lt;br /&gt;LinkedIn Oracle ERP auditors group: http://www.linkedin.com/groups?gid=2354934&lt;br /&gt;Oracle internal controls and security listserver: http://tech.groups.yahoo.com/group/OracleSox/&lt;br /&gt;Oracle internal controls repository: http://tech.groups.yahoo.com/group/oracleappsinternalcontrols/&lt;br /&gt;Any opinions or advice stated in this e-mail or the attachments thereof do not constitute legal or accounting advice and provide no indemnification from fraud or material misstatements.</content><link rel='replies' type='application/atom+xml' href='http://jeffreythare.blogspot.com/feeds/1380027880721473733/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4311640442921669554&amp;postID=1380027880721473733' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/1380027880721473733'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/1380027880721473733'/><link rel='alternate' type='text/html' href='http://jeffreythare.blogspot.com/2010/02/where-is-oracles-norman.html' title='Where is Oracle&apos;s Norman?'/><author><name>Jeffrey T. Hare, CPA CISA CIA</name><uri>http://www.blogger.com/profile/13323748862907193430</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://3.bp.blogspot.com/_quMZVHGzD_A/SkVH7jjxymI/AAAAAAAAAAM/sGMZ9N7sVPg/S220/Jeff_Hike2_websmall.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4311640442921669554.post-2726495889066695898</id><published>2010-01-22T13:48:00.000-08:00</published><updated>2010-01-22T13:57:16.132-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Oracle E-Business Suite GRC EBS Application Security Best Practices'/><title type='text'>Manage Proxies... A great R12 'feature'</title><content type='html'>Manage Proxies is new R12 functionality that allows delegation of a user's security to another user. 
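&lt;br /&gt;&lt;br /&gt;An added query, not part of the original post, for the gap the post goes on to describe: there is no seeded "users of a role" report in User Management, so the list of who holds Manage Proxies has to come from the Workflow directory tables that UMX writes to. It assumes the role's display name is "Manage Proxies" (the role code is believed to be UMX|FND_MANAGE_PROXIES but is not confirmed here; check WF_LOCAL_ROLES before building a control around it).

```sql
-- Added example, not from the original post.
-- Who currently holds a given User Management (UMX) role?
-- UMX roles live in the Workflow directory: WF_LOCAL_ROLES holds the role,
-- WF_LOCAL_USER_ROLES holds the flattened user-to-role assignments, so
-- users who inherit the role through a role hierarchy are included too.
SELECT ur.user_name,
       r.display_name     AS role,
       r.name             AS role_code,
       ur.start_date      AS assigned_from,
       ur.expiration_date AS assigned_until,
       u.end_date         AS user_end_date
  FROM wf_local_user_roles ur
  JOIN wf_local_roles r
    ON r.name        = ur.role_name
   AND r.orig_system = ur.role_orig_system
  JOIN fnd_user u
    ON u.user_name = ur.user_name
 WHERE r.orig_system  = 'UMX'
   AND r.display_name = 'Manage Proxies'   -- ASSUMPTION: code UMX|FND_MANAGE_PROXIES
   AND NVL(ur.expiration_date, SYSDATE + 1) > SYSDATE   -- assignment still active
   AND NVL(u.end_date, SYSDATE + 1) > SYSDATE           -- user still active
 ORDER BY ur.user_name;
```

Drop the display_name predicate and the same statement becomes a periodic review of every UMX role holder in the instance; if you need to know through which parent role an inherited assignment arrived, WF_USER_ROLE_ASSIGNMENTS carries the assigning role.&lt;br /&gt;&lt;br /&gt;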
Whereas Worklist Access and Vacation Rules are a delegation of approval authority, Manage Proxies is a complete delegation of security to another user.&lt;br /&gt;&lt;br /&gt;Fortunately, the Manage Proxies functionality is only available if the Manage Proxies role is granted to the user. This role can only be granted to a user via the User Management module.&lt;br /&gt;&lt;br /&gt;The Manage Proxies functionality is extremely powerful and, therefore, extremely dangerous. Unfortunately, there isn’t any out-of-the-box report (similar to the Users of a Responsibility report) in the User Management module that provides you with a list of users that are assigned roles such as the Manage Proxies role. All inquiry related to the User Management module needs to be custom built.&lt;br /&gt;&lt;br /&gt;Manage Proxies is the next in a long list of 'features' that may be a good idea from an operational perspective, but a nightmare from an internal controls perspective, especially without the necessary controls-related monitoring that should come 'standard' with this functionality. Oracle needs to build the necessary monitoring and auditing requirements into the design of each of their new features. This is one area where they seriously missed the mark. Let's hope they've refined their processes and talent in Fusion Apps.&lt;br /&gt;&lt;br /&gt;Regards,&lt;br /&gt;Jeffrey T. 
Hare, CPA CIA CISA</content><link rel='replies' type='application/atom+xml' href='http://jeffreythare.blogspot.com/feeds/2726495889066695898/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4311640442921669554&amp;postID=2726495889066695898' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/2726495889066695898'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/2726495889066695898'/><link rel='alternate' type='text/html' href='http://jeffreythare.blogspot.com/2010/01/manage-proxies-great-r12-feature.html' title='Manage Proxies... A great R12 &apos;feature&apos;'/><author><name>Jeffrey T. Hare, CPA CISA CIA</name><uri>http://www.blogger.com/profile/13323748862907193430</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://3.bp.blogspot.com/_quMZVHGzD_A/SkVH7jjxymI/AAAAAAAAAAM/sGMZ9N7sVPg/S220/Jeff_Hike2_websmall.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4311640442921669554.post-8763536347128377146</id><published>2009-11-09T08:10:00.000-08:00</published><updated>2010-01-21T15:24:28.333-08:00</updated><title type='text'>Oracle doesn't have a clue - take 3... workflow history</title><content type='html'>Well.... Interesting day for Oracle users as Oracle cuts over to the new "My Oracle Support" portal.  Another great technology snafu by Oracle.  Kinda reminds me of Microsoft.  
They just can't seem to prevent screwing up customers' days...&lt;br /&gt;&lt;br /&gt;One of the other great 'features' of the EBS suite is the workflow history purge process.  If you are on 11i and you purge workflow notifications, you will also be purging workflow approvals.  The retention of workflow approvals (e-mails that indicate 'approval' of a workflow process such as journal approvals) is critical to having an audit history related to automated controls.  Failure to retain an audit history of workflow approvals could mean an external auditor would not allow reliance on automated controls under the AS5 standard.&lt;br /&gt;&lt;br /&gt;Your organization needs to build a custom retention process to store this data for at least 15 months (check your org's data retention policy before purging...) in order to support audit requirements.&lt;br /&gt;&lt;br /&gt;If this 'feature' is news to you, contact me for more details at jhare@erpseminars.com.  I can provide some tips (provided to me by Karen Brownfield of Solution Beacon) on how to build a custom archive process for retaining such data.&lt;br /&gt;&lt;br /&gt;Good luck to all of you trying out Oracle's new Metalink replacement!&lt;br /&gt;&lt;br /&gt;Regards,&lt;br /&gt;Jeffrey T. 
Hare, CPA CISA CIA</content><link rel='replies' type='application/atom+xml' href='http://jeffreythare.blogspot.com/feeds/8763536347128377146/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4311640442921669554&amp;postID=8763536347128377146' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/8763536347128377146'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/8763536347128377146'/><link rel='alternate' type='text/html' href='http://jeffreythare.blogspot.com/2009/11/oracle-does-have-clue-take-3-workflow.html' title='Oracle doesn&apos;t have a clue - take 3... workflow history'/><author><name>Jeffrey T. 
Hare, CPA CISA CIA</name><uri>http://www.blogger.com/profile/13323748862907193430</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://3.bp.blogspot.com/_quMZVHGzD_A/SkVH7jjxymI/AAAAAAAAAAM/sGMZ9N7sVPg/S220/Jeff_Hike2_websmall.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4311640442921669554.post-6563532272301285314</id><published>2009-10-29T20:46:00.001-07:00</published><updated>2009-10-29T20:55:06.135-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Oracle E-Business Suite GRC EBS Application Security Best Practices'/><title type='text'>Oracle doesn't have a clue - take 2: Delegated Authority...</title><content type='html'>Here is another one.... An email from a user to one of the listservers I manage:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;"Hi all. Anyone know of a means to report on current user settings for worklist access and vacation rules? We would like to be able to review which of our users are using worklist access and vacation rules, and to whom they have delegated.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Ideally, there would be a seeded report in Oracle. If not, perhaps some SQL or knowledge of which tables hold this information."&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Delegation of approval authority via worklist access or vacation rules could violate company policy and could subject a company to a nasty-gram from their auditors in the form of a control weakness in their SOX testing.  
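&lt;br /&gt;&lt;br /&gt;An added example, not part of the original post and not an Oracle report, answering the vacation-rules half of the listserv question above: the rules a user defines under Vacation Rules are stored in WF_ROUTING_RULES, with ROLE naming the delegator and ACTION_ARGUMENT the delegate. Worklist Access grants are stored separately and are not covered here. The ACTION codes used below (Delegate as FORWARD, Transfer as TRANSFER) are an assumption to confirm by creating one rule of each kind and selecting it back before relying on the query.

```sql
-- Added example, not from the original post.
-- Active and future vacation rules: who has delegated or transferred
-- their notifications, to whom, for which item types, and for how long.
SELECT rr.role                      AS delegator,
       rr.action,                              -- FORWARD (Delegate) / TRANSFER (assumed codes)
       rr.action_argument           AS delegate_to,
       NVL(rr.message_type, 'ALL')  AS item_type,   -- NULL item type = every workflow
       NVL(rr.message_name, 'ALL')  AS message,
       rr.begin_date,
       rr.end_date,
       CASE
         WHEN du.user_name IS NULL                 THEN 'delegate is not an active FND user'
         WHEN rr.message_type IS NULL              THEN 'open-ended: applies to every item type'
         WHEN rr.end_date IS NULL                  THEN 'no end date'
       END                          AS review_flag
  FROM wf_routing_rules rr
  LEFT JOIN fnd_user du
    ON du.user_name = rr.action_argument
   AND NVL(du.end_date, SYSDATE + 1) > SYSDATE
 WHERE rr.action IN ('FORWARD', 'TRANSFER')
   AND NVL(rr.end_date, SYSDATE + 1) > SYSDATE          -- still in force or scheduled
 ORDER BY rr.role, rr.begin_date;
```

The review_flag column is where the control lives: a rule with no item type restriction hands over every approval the delegator would receive, including journal and PO approvals, and a rule with no end date is a standing delegation rather than vacation cover.&lt;br /&gt;&lt;br /&gt;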
If an auditor really wanted to be nasty about it, they could give an organization a material weakness (or at least a significant deficiency) IMO, because this allows someone to delegate their approval authority and, in some cases, the delegation isn't recorded or reflected anywhere in the system.  For example, a CFO could delegate their PO approval or Journal Entry approval authority to the janitor, their secretary, or a staff accountant, who could act on behalf of the CFO to approve a journal entry, PO, or anything done via Oracle Workflow.&lt;br /&gt;&lt;br /&gt;Cool functionality when you look at it on an operational basis.  Jane Doe, CFO, takes a week off to ride on her 200-foot yacht and someone needs to approve things when she is gone so that business doesn't come to a screeching halt.  Case closed, right?  However, in some cases, when Jane delegates to another employee, it still looks AS IF Jane made the approval AND... no record of this delegation is made in the system... or at least there are NO REPORTS out of the box that record the delegation (I suspect the audit trail doesn't even exist...).&lt;br /&gt;&lt;br /&gt;Nice job Oracle!!!  We wouldn't want that type of information in the case of an audit, would we?&lt;br /&gt;&lt;br /&gt;More to come...&lt;br /&gt;&lt;br /&gt;Jeffrey T. 
Hare, CPA CIA CISA</content><link rel='replies' type='application/atom+xml' href='http://jeffreythare.blogspot.com/feeds/6563532272301285314/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4311640442921669554&amp;postID=6563532272301285314' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/6563532272301285314'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/6563532272301285314'/><link rel='alternate' type='text/html' href='http://jeffreythare.blogspot.com/2009/10/oracle-doesnt-have-clue-take-2.html' title='Oracle doesn&apos;t have a clue - take 2: Delegated Authority...'/><author><name>Jeffrey T. 
Hare, CPA CISA CIA</name><uri>http://www.blogger.com/profile/13323748862907193430</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://3.bp.blogspot.com/_quMZVHGzD_A/SkVH7jjxymI/AAAAAAAAAAM/sGMZ9N7sVPg/S220/Jeff_Hike2_websmall.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4311640442921669554.post-3466227840184998733</id><published>2009-10-29T20:30:00.000-07:00</published><updated>2009-10-29T20:41:14.250-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Oracle E-Business Suite GRC EBS Application Security Best Practices'/><title type='text'>SQL Forms webinar reminds me that Oracle doesn't have a clue</title><content type='html'>I did a webinar this week training auditors and other practitioners about the risks related to SQL forms and the necessary controls to monitor activity within them.  Essentially these forms allow users to run any SQL statements (and in some cases OS scripts) in them.  One attendee said "giminy frickin christmas... you would think ORA would know that sql injection is a potential issue?"&lt;br /&gt;  All I could say is 'amen.'  I can buy into the fact that Oracle wants to allow flexibility in the use of their applications and be 'open' in this way.  However, not putting controls in place to monitor the activity done through these forms is inexcusable on many levels. &lt;br /&gt;&lt;br /&gt;What is more inexcusable IMO is the fact that Oracle continues to put their head in the sand.  I have sent letters to Charles Phillips, Steve Miranda, and Chris Leone outlining this risk among a ton of others I have identified and... not a peep.  In Metalink Note 189367.1 they outline these forms, their risks, and suggest controls (i.e. trigger-based audit should be deployed), but do they DO anything about it like say... build that into the core application?  The answer to that is..... 
No.&lt;br /&gt;&lt;br /&gt;Note 189367.1 also fails to mention one form that a colleague, Daryl Geryol, pointed out to me that allows both SQL and OS scripts.  Many of us have come to love this as one of the 'undocumented features' provided by Oracle. &lt;br /&gt;&lt;br /&gt;Hellllllloooooooooo... Oracle.... is anyone home?  Your customers are suffering under the burden of identifying and addressing these undocumented features and poor design.  It is time to wake up and solve these issues once and for all.&lt;br /&gt;&lt;br /&gt;For the past two years or so I have been trying to get Oracle's attention on some of these matters.  Instead of thanking me for pointing out some of these issues, I get an email from an exec asking me to take his email address off my email list.  Nice strategy!!!&lt;br /&gt;&lt;br /&gt;Jeffrey T. Hare, CPA CIA CISA</content><link rel='replies' type='application/atom+xml' href='http://jeffreythare.blogspot.com/feeds/3466227840184998733/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4311640442921669554&amp;postID=3466227840184998733' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/3466227840184998733'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/3466227840184998733'/><link rel='alternate' type='text/html' href='http://jeffreythare.blogspot.com/2009/10/sql-forms-webinar-reminds-me-that.html' title='SQL Forms webinar reminds me that Oracle 
doesn&apos;t have a clue'/><author><name>Jeffrey T. Hare, CPA CISA CIA</name><uri>http://www.blogger.com/profile/13323748862907193430</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://3.bp.blogspot.com/_quMZVHGzD_A/SkVH7jjxymI/AAAAAAAAAAM/sGMZ9N7sVPg/S220/Jeff_Hike2_websmall.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4311640442921669554.post-6337208875281068068</id><published>2009-08-11T08:06:00.000-07:00</published><updated>2009-08-12T15:43:36.090-07:00</updated><title type='text'>Oracle GRC Strategy... finally a very small win - record history in OAF pages</title><content type='html'>Solution Beacon posted this in their latest newsletter:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Record History feature now available in OAF forms in EBS Release 12.1.1 &lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;By Alyssa Johnson&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;One of the often used features in Oracle Professional Forms has been the Record History&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;selection on the Help dropdown menu. This enabled functional users to see which user updated a&lt;/span&gt; &lt;span style="font-style: italic;"&gt;particular record without querying the underlying database tables. However, the same functionality was not available in the Oracle Application Framework (OAF) pages and in my experience this has been an oft asked for requirement.  Starting in Release 12.0.6 this feature is now available. However, it is also included in the RCDs for 12.1.1. Even though this feature is now available, it does take a different format being enabled through a profile option and forms personalization.  The new profile option is FND: Record History Enabled. 
If set to YES, record history can be rendered at the Header, Table, and Advanced Table levels through forms personalization. If it is set to NO, then record history cannot be rendered even if set to True in forms personalization. The default value is YES.  Following is an example of how to render the&lt;/span&gt; &lt;span style="font-style: italic;"&gt;Record History icon through forms personalization.  Personalization has been enabled for OAF forms.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Subscribe to the Solution Beacon newsletter at: http://www.solutionbeacon.com/newsletter.htm for more on this and other topics.&lt;br /&gt;&lt;br /&gt;In my opinion, Oracle has failed to grasp the true requirements that many, if not all, of their customers must meet for GRC purposes.  Oracle has been focused on buying companies like Logical Apps and Stellent to fill in gaps in their software portfolio, but has failed to develop a comprehensive strategy for their entire suite.  I have sent several letters to Oracle execs outlining some of the architectural failings in the E-Business Suite and have suggested they form a CAB to deal with these issues.  There has been no response from Oracle management.&lt;br /&gt;&lt;br /&gt;The record history in the forms is a fundamental requirement for all customers for GRC purposes as well as troubleshooting operational issues.  The failure to include this feature in OA framework forms and the continuing failure to make this information available without the use of Forms Personalization is indicative of their lack of understanding related to their customers' operational and GRC requirements.&lt;br /&gt;&lt;br /&gt;I have an extensive list of internal control deficiencies in the EBS suite that I have made available to end users in the &lt;a href="http://tech.groups.yahoo.com/group/oracleappsinternalcontrols/"&gt;Internal Controls Repository&lt;/a&gt;.  I have also made this information available to Oracle execs.  
I fear that they are making the same mistakes in the building of Fusion that they have made in Oracle EBS.  As an advocate for my GRC customers and Oracle customers, in general, I am wondering what will wake up Oracle management to the need to fix these issues.&lt;br /&gt;&lt;br /&gt;Regards,&lt;br /&gt;Jeffrey T. Hare, CPA CISA CIA&lt;br /&gt;Author.Consultant.Analyst.Audit Trail Evangelist&lt;br /&gt;Author of the book &lt;span style="font-style: italic;"&gt;"Oracle E-Business Suite Controls: Application Security Best Practices&lt;/span&gt;"</content><link rel='replies' type='application/atom+xml' href='http://jeffreythare.blogspot.com/feeds/6337208875281068068/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4311640442921669554&amp;postID=6337208875281068068' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/6337208875281068068'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/6337208875281068068'/><link rel='alternate' type='text/html' href='http://jeffreythare.blogspot.com/2009/08/oracle-grc-strategy-finally-very-small.html' title='Oracle GRC Strategy... finally a very small win - record history in OAF pages'/><author><name>Jeffrey T. 
Hare, CPA CISA CIA</name><uri>http://www.blogger.com/profile/13323748862907193430</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://3.bp.blogspot.com/_quMZVHGzD_A/SkVH7jjxymI/AAAAAAAAAAM/sGMZ9N7sVPg/S220/Jeff_Hike2_websmall.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4311640442921669554.post-6539475025795151084</id><published>2009-06-26T15:15:00.001-07:00</published><updated>2009-06-26T15:17:11.629-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Oracle E-Business Suite Application Security Best Practices'/><title type='text'>Oracle E-Business Suite Controls: Application Security Best Practices</title><content type='html'>Hey all!  Welcome to the blog about my book "Oracle E-Business Suite Controls: Application Security Best Practices."  Please leave any comments or questions related to the content of this book on this blog!  I'll do my best to respond to questions as they are posted.&lt;br /&gt;&lt;br /&gt;Regards,&lt;br /&gt;Jeffrey T. 
Hare, CPA CISA CIA</content><link rel='replies' type='application/atom+xml' href='http://jeffreythare.blogspot.com/feeds/6539475025795151084/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4311640442921669554&amp;postID=6539475025795151084' title='7 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/6539475025795151084'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4311640442921669554/posts/default/6539475025795151084'/><link rel='alternate' type='text/html' href='http://jeffreythare.blogspot.com/2009/06/oracle-e-business-suite-controls.html' title='Oracle E-Business Suite Controls: Application Security Best Practices'/><author><name>Jeffrey T. Hare, CPA CISA CIA</name><uri>http://www.blogger.com/profile/13323748862907193430</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://3.bp.blogspot.com/_quMZVHGzD_A/SkVH7jjxymI/AAAAAAAAAAM/sGMZ9N7sVPg/S220/Jeff_Hike2_websmall.jpg'/></author><thr:total>7</thr:total></entry></feed>
