Showing posts with label Oracle E-Business Suite. Show all posts
Showing posts with label Oracle E-Business Suite. Show all posts

Wednesday, July 5, 2017

Upcoming ERP Risk Advisors webinars_July 2017


Upcoming ERP Risk Advisors webinars_July 2017


You are invited to attend three upcoming webinars taking place over the next couple of weeks as follows:

Don’t give up on your Oracle Advanced Controls investment – Tuesday, July 11

How to automate controls using CaoSys’ newest features – Wednesday, July 12

Identifying and Monitoring Multi-Platform and Cross-Platform Access Control Risks with SafePaas – Wednesday, July 26


“Don’t give up on your Oracle Advanced Controls investment” will be held at two times Tuesday, July 11 – 9 a.m. EST and 4 p.m. EST. 

Have you’ve spent into the six figures on your Oracle Advanced Controls implementation and are wondering how to leverage your investment into something of value.  In this webinar we will share how the expertise, content, and risk-based methodology of ERP Risk Advisors can easily extend the usefulness of your investment and add value to your controls environment.  We will first look at current trends in the audit community and discuss how to leverage your Oracle Advanced Controls investment to address these trends.  Register at: https://attendee.gotowebinar.com/register/5792990699975558914



“How to automate controls using CaoSys’ newest features” will be held at two times Wednesday, July 12 – 9 a.m. EST and 4 p.m. EST. 

With Oracle no longer offering premier support on their Advanced Controls suite customers are wondering about their long-term options with their E-Business Suite on-premise solution.  In this webinar we will provide an overview of the CaoSys GRC suite and showcase some of its newer features that can be helpful to automate controls.  Register at: https://attendee.gotowebinar.com/register/4664617991482616322




Most organizations have multiple software applications to help run their business.  Often there are several ERP and legacy applications that are considered in-scope from a compliance perspective.  Hear from industry expert, Jeffrey T. Hare, CPA CISA CIA about common cross-platform and multi-platform control risks and how organizations can mature their control environment through necessary manual controls, automated controls, and access controls.  Webinar held in conjunction with SafePaas.  Register at: https://register.gotowebinar.com/rt/5153873178082543873


Posted by at No comments:
Labels: , , , , , , , , , , , ,

Thursday, June 15, 2017

ERP Risk Advisors Announces Oracle Advanced Controls Premier Support

ERP Risk Advisors Announces Oracle Advanced Controls Premier Support


As most customers are aware Oracle announced an end to the continued development of its Advanced Controls Suite and the end of Premier Support as of September 2016 (See MOS Note: 2143036.1). Oracle has been developing a replacement known as the Risk Management Cloud which is still in its early versions.   

This change in strategy has left its customers in a difficult position since the applications in Oracle’s GRC Advanced Controls Suite are considered critical to meet their compliance requirements.  

 Many of these same customers have also had less than perfect implementations and incomplete SoD conflict and Sensitive Access rules.  This has led to a lack of reliance on the tools by their external auditors and an inadequate coverage of risk. 

ERP Risk Advisors has historically been focused on the implementation of a competitive product in this space from CaoSys and has built the premier content library and accompanying risk advisory services. 

The transition within the Oracle GRC space has allowed ERP Risk Advisors to hire some high quality resources and so we are pleased to announce a premier support program for customers currently using Oracle's Advanced Controls Suite. 


For those customers that want to continue using Oracle's Advanced Controls Suite, we will offer remote GRC Admin services to allow you to enhance or maintain your reliance on your solution.  To start the engagement, we will perform an assessment and provide you a roadmap.  In most organizations we will be able to perform the assessment in a week. Our core support offering will primarily focus on AACG and CCG, but could also include PCG and TCG.  If you haven't licensed PCG or haven't implemented it, we believe we can implement preventive controls (albeit manual) during your provisioning process to help keep your environment clean.  We will also help you leverage the data from AACG to perform your quarterly re-certification process at the Supervisor and Process Owner levels.

The engagement would start with an initial assessment and will include:

  1. Infrastructure health check to include the patch level related to each of your Oracle Advanced Controls licensed products.
  2. Evaluation of the completeness of the SoD and Sensitive Access rules
  3. Review of your configuration of each of the modules - primarily AACG and CCG
  4. Discussions with management as to how much reliance has been placed on the software and related business processes in your external audits
  5. Review of key SQL scripts to evaluate your role design from a 10,000 foot level
  6. Review of the results of key rules, if implemented already, that all auditors are currently evaluating
  7. Review of a limited set of critical configurations such as Journal Sources and Profile Option Values
  8. An evaluation of your patch level related to each of your licensed Advanced Controls solutions that are being used

The deliverables for the engagement would include:

  1. In some cases, we'll be able to finalize the identification of what should be considered in scope rules.  Usually within a limited engagement we can get to 90+% accuracy, but often it requires a meeting with the external auditors to validate to get to the 100% level.  This is the key deliverable that most GRC consulting firms haven't been able to deliver, but ERP Risk Advisors can deliver with excellence.
  2. High level feedback on role design - where we see risk in the usage of seeded Menus, seeded Request Groups, seeded Responsibilities, and seeded Users
  3. An evaluation of the current SoD conflicts and Sensitive Access rules as to their completeness and accuracy.  We will identify the significant gaps when compared to what we anticipate would be the expectations of your audit firm.
  4. A roadmap for maturing your user provisioning process and the re-certification process
  5. A roadmap for updating your rules library to be complete and accurate as well as mapped to your auditors requirements
  6. This engagement may also include some specific feedback on Sensitive Access rules and SoD conflicts depending on the quality and completeness of your current rule set.
  7. Recommendations on patching your Advanced Controls modules, as needed, and where justified
Once we perform our initial assessment, we would be in a position to offer premium support for your Oracle GRC Advanced Controls suite.  Our support would be tailored to your organization's requirements, but would include the following as our core offering:
  1. All service requests (SRs) surrounding the Oracle GRC Advanced Controls Suite.
  2. Updating your rules library to include more risks - up and to including our full risk library. Adding additional risks from our library as we identify them.  
  3. A comprehensive remediation plan with prioritization based on risk and scoping based on level of effort
  4. Identifying SoD conflicts and Sensitive Access Risks introduced since the prior quarter for management's review and disposition
  5. Developing reports with the detail for a comprehensive quarterly access review process for Supervisors (at the role level) and Process Owners (at the rule level for the key in-scope rules)
  6. Implementation of changes to current roles and development of new roles required (still using Responsibilities, not User Management) as time permits
  7. Revisiting and updating the roadmap to present to senior management

In addition to the above, we could also provide the following services as a supplement to our core offerings:

1.      Auditing changes to the objects related to roles (Roles, Responsibilities, Menu, Request Groups) to evaluate completeness and accuracy of the change management process

2.      Identifying whether any of the in scope reports have been changed in the last quarter (period) so that the process owners know they need to re-test the completeness and accuracy of the reports (as is now being required by the public accounting firms and the PCAOB)
  1. Auditing changes to other configurations that should be subject to the change management process (scope tbd)
  2. Auditing the completeness and accuracy of the approvals related to the User Provisioning process
If you are interested in discussing these services with us, please use our Contact page and we'll get back to you as soon as possible.

Regards,
Jeffrey T. Hare, CPA CISA CISA
CEO

Sam Monarch
Oracle GRC Practice Lead






Posted by at 1 comment:
Labels: , , , , , , , , ,

Sunday, June 11, 2017

Dear Oracle... Here are some SQL Forms you missed in MOS Note 403537.1 / 1334930.1

Dear Oracle... Here are some SQL Forms you missed / MOS Note 403537.1 / 1334930.1


If you are a CISO / CIO /  Signing officer for an organization using an ERP system, you count on your software provider to keep complete and accurate guidance related to significant security risks.  We have been helping clients identify risks and implement the necessary internal controls to address those risks.  As part of our engagements, we have worked with other consultants who have help identify new risks and we have identified new risks as well.  As such, we believe we have identified four forms that allow SQL injection that haven't been documented by Oracle in its Secure Configuration Guide (MOS Note 4035371. with supplemented material in Note 1334930.1).

We respectfully submit this information to Oracle to evaluate and request that Oracle add to their Secure Configuration Guide accordingly.  Please provide us with the appropriate updated reference to our blog as part of Appendix H to your document if you deem this information valuable.

Regards,
Jeffrey T. Hare, CPA, CISA CIA

To our customers and prospective customers,
We are the premier firm in the world in the risk advisory space related to the Oracle E-Business Suite.  I can confidently say that no other firm - large or small - can match the quality of the risk advisory services we provide and at a fraction of the price of what you'd pay at the big four firms.  Please keep us in mind as you identify needs for services or software in the Oracle GRC space.  We are a VAR, implementation partner, and content provider for CaoSys software.  We have resources that can also help implement or improve your implementation of Oracle's ACG and CCG modules. 

Contact us here if you would like to hear more about our services: http://erpra.net/contactus.html.

Detail related to the four Forms that we believe allow for SQL injection.   Included with each screen shot is the Row Who information for these records.  These may be indicative of how long these functions have been in the system.  However, we recognize that these dates may not be reliable.

Function 1:

User Function Name – AutoAccounting Rules

Function Name - PASAADRU

Function 2:

User Function Name: Define Query Objects

Function Name: AKDQUERY



 

Function 3:

User Function Name: Delete Constraints / Delete Constraints: Update

Function Name: BOM_BOMFDCON / BOM_BOMFDCON_UPDATE



 Function 4:

User Function Name: Define Custom SQL Fields

Function Name: WMS_WMSCSLBL


Posted by at 1 comment:
Labels: , , , , , , , , , , ,

Wednesday, May 31, 2017

ERP Risk Advisors now support's Oracle Advanced Controls Suite


ERP Risk Advisors now support's Oracle Advanced Controls Suite


ERP Risk Advisors has hired a new highly-qualified resource that knows Oracle’s Advanced Controls suite very, very well.  We can now bring to our clients the most comprehensive risk-based rules matrix in the market for use with the AACG module.  Our rule set includes nearly 1,900 Functions and nearly 1,500 Concurrent Programs identified with specific risks documented for each one.

Sam Monarch has been hired to head up our Oracle GRC software practice.  Sam has over 12 years’ experience with Oracle’s GRC software and over 20 full cycle implementations.

We can help you prepare for your external audits by helping to scope the Sensitive Access and Segregation of Duties rules that relevant to your organization.  We can also implement GRC software to help you monitor these risks from top software providers like CaoSys and now can offer you similar services if you’ve made the investment in Oracle’s Advanced Controls suite.

Please keep us in mind for your Oracle GRC software needs, now including services for Oracle’s Advanced Controls suite.
Contact us at http://erpra.net/contactus.html if you are interested in hearing more about our services offerings.

Regards,
Jeffrey T. Hare, CPA CISA CIA
CEO, ERP Risk Advisors
Posted by at No comments:
Labels: , , , , , , ,

Tuesday, January 14, 2014

Reliability of Application Controls in ERP Systems Should be Questioned by Auditors

Reliability of Application Controls in ERP Systems Should be Questioned by Auditors
By Jeffrey T. Hare, CPA CIA CISA


The guidance related to relying on Automated (or Application) Controls was originally published by Institute of Internal Auditors (IIA) in July 2007. The IIA Global Technology Audit Guide number 8 (GTAG 8) takes into account the guidance provided by the PCAOB in Auditing Standard No. 12 (Appendix B, in particular).  The testing of an automated control typically requires the skills of both an internal auditor (functional or process auditor) as well as the skills of an IT auditor.

In fact, in GTAG 8, the IIA recommends that the help of an IT auditor is needed.[1]  IT auditors are typically needed to help test IT general controls such as controls over changes to the configurations, code changes, segregation of duties, and access controls.

The most common way to test the automated controls is through a “benchmark strategy.”  The IIA guidance summarizes the PCOAB standard as follows “If general controls that are used to monitor program changes, access to programs, and computer operations are effective and continue to be tested on a regular basis, the auditor can conclude that the application control is effective without having to repeat the previous year’s control test.  This is especially true if the auditor verifies that the application control has not changed since the auditor last tested the application control.”[2]

Since IT auditors are typically tasked with testing IT general controls, the IT auditor normally is responsible for testing ‘program changes, access to programs, and computer operations’ as well as ‘that the application control has not changed since the auditor last tested the application control.’

The beauty of ERP systems, such as Oracle’s E-Business Suite and SAP, is that an application control can be configured to meet an organization’s different requirements.  The ‘configurations’ drive the design of the control and, therefore, a change to the configuration can change the design of the control.  From a Sarbanes-Oxley perspective, the PCAOB and your external auditors should care immensely about whether or not the configurations related to key controls change from year to year.  If these configurations change, the auditor of the related application control should re-benchmark the control or test the control in another way.

The Problem

The problem faced by most organizations is there is no change history specifically built into the system for the configurations related to key controls.  In fact, as most auditors have discovered, little change history exists in most ERP systems unless the system is built to do so.  In ERP systems, such as Oracle’s E-Business Suite, the change history of a transaction only exists in a few cases and it rarely exists for configurations.
This leaves an IT auditor with a dilemma when trying to test the ‘general controls used to monitor program changes’ as is required in the IIA and PCAOB guidance.  How does an auditor get comfortable that no change has been made during an audit period? 

Absent audit history created by the system, ERP systems have built-in ‘row-who’ information.  This information typically tells you when a record is created and when it is last updated.  Therefore, an auditor can reasonably assume that when the ‘last updated by’ time stamp isn’t within the current audit period (and should be in the period in which the configuration was ‘baselined’ or earlier) that the configuration hasn’t been changed. 

There are three problems with relying on the ‘row who’ information:
  •  Most systems don’t have the queries predefined
  •  A false positive can be occur when data from another column is changed
  •  Some ‘back door’ methods of updating the data don’t change the ‘row who’ information

Lack of predefined queries

In an average system, there may be dozens of configurations related to key controls.  Ideally, the software provider would develop a ‘read only’ role that auditors could use to query the data.  Sadly, this information isn’t provided by most software companies or this information is only available in another product you need to license such as a GRC suite.


False positives

Another issue is false positives whereby a different column is updated than the column related to the key control.  Take a look at this change history:
Change
Column A
Column B
Created Date
Updated Date
Initial data entry
Yes
Yes
01-Jan-2014
01-Jan-2014
Change 1
No
Yes
01-Jan-2014
15-Jan-2014
Change 2
Yes
Yes
01-Jan-2014
19-Jan-2014

In this example, column A’s data is NOT related to the key control and column B’s is what impacts the design of the key control.  As change 1 and change 2 are made, the updated date changes from 01-Jan-2014 to 15-Jan-2014 to 19-Jan-2014.   So if you are an auditor looking at the change history during 2014 you’d could falsely draw the conclusion that the configuration related to the key control (Column B) was changed when actually it was a different column (Column A) that was changed.


Back door methods of updating data

Finally, back door methods such as the use of an unsecured database login or SQL injection could change the data in column B, but not update the Updated Date column.  This risk is especially acute in certain systems such as Oracle E-Business Suite that provides over 50 forms and web pages that allow SQL injection (and in some cases ability to execute packages or OS scripts).


The Solution

If auditors are to rely on application controls and have reasonable assurance of operating effectiveness, a detailed audit trail / change tracking history is essential.  Most auditors give organizations a ‘pass’ when they don’t have detailed change history and take a sample from the change management tickets rather than insist the client develop the change history so the sample can be taken from the system.  We believe this approach CANNOT provide reasonable assurance related to the changes to configurations related to key controls.
The technology necessary to develop this change history differs from system to system.  In our area of domain expertise, Oracle E-Business Suite, there are reasonably priced third party systems that can be deployed using database triggers to create the necessary change history.  The benefits of such technology extends well beyond Sarbanes-Oxley ‘key control’ requirements and can be applied to updates to master data (such as supplier bank accounts) as well as other requirements (password resets for critical access accounts, forms that allow SQL injection, etc.).


The Conclusion

So here we are in 2014 – nearly seven years after the issuance of guidance by the IIA and the challenges facing reliance on automated controls are not much different than those faced when the guidance was first issued.  The time has come for auditors to hold client’s feet to the fire.  As it relates to application controls, either insist on a system-based audit trail or disqualify the reliance on the application control.  You’ve given a ‘pass’ to your clients for far too long when reasonable assurance cannot ‘reasonably’ be attained using the current approach.

About the Author

Jeffrey Hare, CPA CIA CISA is the founder and CEO of ERP Risk Advisors.  His extensive background includes public accounting (including Big 4 experience), industry, and Oracle Applications consulting experience.    Jeffrey has been working in the Oracle Applications space since 1998 with implementation, upgrade, and support experience.  Jeffrey is a Certified Public Accountant (CPA), a Certified Information Systems Auditor (CISA), and a Certified Internal Auditor (CIA).   He has worked in various countries including Australia, Austria, Canada, Mexico, Brazil, United Kingdom, Ireland, Saudi Arabia, and Germany.  Jeffrey is a graduate of Arizona State University and lives in northern Colorado with his wife and three daughters.



[1] IIA GTAG 8, page 14 “Need for Specialized Audit Resources”
[2] IIA GTAG 8, page 3 “Benchmarking”
Posted by at No comments:
Labels: , , , , ,
Subscribe to: Posts (Atom)