Upcoming ERP Risk Advisors webinars_July 2017

Upcoming ERP Risk Advisors webinars_July 2017

You are invited to attend three upcoming webinars taking place over the next couple of weeks as follows:

Don’t give up on your Oracle Advanced Controls investment – Tuesday, July 11

How to automate controls using CaoSys’ newest features – Wednesday, July 12

Identifying and Monitoring Multi-Platform and Cross-Platform Access Control Risks with SafePaas – Wednesday, July 26

“Don’t give up on your Oracle Advanced Controls investment” will be held at two times Tuesday, July 11 – 9 a.m. EST and 4 p.m. EST. 

Have you’ve spent into the six figures on your Oracle Advanced Controls implementation and are wondering how to leverage your investment into something of value.  In this webinar we will share how the expertise, content, and risk-based methodology of ERP Risk Advisors can easily extend the usefulness of your investment and add value to your controls environment.  We will first look at current trends in the audit community and discuss how to leverage your Oracle Advanced Controls investment to address these trends.  Register at: https://attendee.gotowebinar.com/register/5792990699975558914

“How to automate controls using CaoSys’ newest features” will be held at two times Wednesday, July 12 – 9 a.m. EST and 4 p.m. EST. 

With Oracle no longer offering premier support on their Advanced Controls suite customers are wondering about their long-term options with their E-Business Suite on-premise solution.  In this webinar we will provide an overview of the CaoSys GRC suite and showcase some of its newer features that can be helpful to automate controls.  Register at: https://attendee.gotowebinar.com/register/4664617991482616322

"Identifying and Monitoring Multi-Platform and Cross-Platform Access Control Risks” will be held at two times on Wednesday, July 26 – 7 am. EST and Noon EST. 

Most organizations have multiple software applications to help run their business.  Often there are several ERP and legacy applications that are considered in-scope from a compliance perspective.  Hear from industry expert, Jeffrey T. Hare, CPA CISA CIA about common cross-platform and multi-platform control risks and how organizations can mature their control environment through necessary manual controls, automated controls, and access controls.  Webinar held in conjunction with SafePaas.  Register at: https://register.gotowebinar.com/rt/5153873178082543873

Dear Oracle... Here are some SQL Forms you missed in MOS Note 403537.1 / 1334930.1

Dear Oracle... Here are some SQL Forms you missed / MOS Note 403537.1 / 1334930.1

If you are a CISO / CIO /  Signing officer for an organization using an ERP system, you count on your software provider to keep complete and accurate guidance related to significant security risks.  We have been helping clients identify risks and implement the necessary internal controls to address those risks.  As part of our engagements, we have worked with other consultants who have help identify new risks and we have identified new risks as well.  As such, we believe we have identified four forms that allow SQL injection that haven't been documented by Oracle in its Secure Configuration Guide (MOS Note 4035371. with supplemented material in Note 1334930.1).

We respectfully submit this information to Oracle to evaluate and request that Oracle add to their Secure Configuration Guide accordingly.  Please provide us with the appropriate updated reference to our blog as part of Appendix H to your document if you deem this information valuable.

Regards,

Jeffrey T. Hare, CPA, CISA CIA

To our customers and prospective customers,

We are the premier firm in the world in the risk advisory space related to the Oracle E-Business Suite.  I can confidently say that no other firm - large or small - can match the quality of the risk advisory services we provide and at a fraction of the price of what you'd pay at the big four firms.  Please keep us in mind as you identify needs for services or software in the Oracle GRC space.  We are a VAR, implementation partner, and content provider for CaoSys software.  We have resources that can also help implement or improve your implementation of Oracle's ACG and CCG modules. 

Contact us here if you would like to hear more about our services: http://erpra.net/contactus.html.

Detail related to the four Forms that we believe allow for SQL injection.   Included with each screen shot is the Row Who information for these records.  These may be indicative of how long these functions have been in the system.  However, we recognize that these dates may not be reliable.

Function 1:

User Function Name – AutoAccounting Rules

Function Name - PASAADRU

Function 2:

User Function Name: Define Query Objects

Function Name: AKDQUERY

 

Function 3:

User Function Name: Delete Constraints / Delete Constraints: Update

Function Name: BOM_BOMFDCON / BOM_BOMFDCON_UPDATE

 Function 4:

User Function Name: Define Custom SQL Fields

Function Name: WMS_WMSCSLBL