Interesting start to the morning... I am working with a company, helping them evaluate their "SOD" rules. They initially had their Oracle GRC software installed and configured by a large firm that does a lot of outsourced internal auditing. In about 2 hours' work I showed them that the rules this firm had recommended to the customer were complete crap - failing to understand risk in the applications (and outside the applications as well) and the functions that relate to those risks.
Their external auditors (a firm that begins w/ a "P") reviewed my comments. This audit firm verbatim copied from my risk assessment content (that is copyrighted). Here is part of the verbiage they used in their response to the client: "Enter Suppliers vs. Enter AP Payments: Access to enter suppliers allows a user the ability to enter a supplier, including the setting up of a fictitious supplier. It also allows a user to override system level tolerances that are set in Payables Options - tolerances related to Qty Ordered, Qty Received, Tax, and Price. In Oracle, you cannot make a payment to a supplier without first entering an invoice so this risk is minimized unless someone with this access can approve an invoice outside the system..."
It seems even some of the large audit firms have no respect for copyrights. Charles Caleb Colton said "Imitation is the sincerest form of flattery." The least my imitators can do is change the language to make it their own.
As I continue to emphasize to clients and prospects, if your consulting partner fails to perform a proper risk assessment process, whatever tool you implement will fail to meet your objectives leading to a failure to get a proper ROI on your investment. Perhaps an idea for another webinar...
Monday, May 3, 2010
Friday, March 19, 2010
Another example of Oracle not focusing on Best Practices
Look at Metalink Note 227010.1. This note is for "Script to check for Default Passwords being used for some common usernames."
Why just 'common' usernames? Why not all usernames? Why can't they maintain this document and the related test scripts for all known usernames? Would it be so difficult to put into their development QA process a step to update this document when a new schema is added or another type of default database user is added? It is ironic that the published script doesn't even take into account all the usernames suggested for monitoring in their own "Best Practices" documents - 189367.1 and 403537.1 - which themselves aren't being maintained (see the earlier post).
Yet another example... Oracle, where is your Norman?
Oracle needs to focus on Best Practices
Arggghhh.... Look at Metalink Note 403537.1 - Best Practices for Securing Oracle E-Business Suite Release 12. It was last updated February 27, 2007. Yes... that is not a typo - 2007. The last update to this document was over three years ago. Is it possible that nothing has changed or nothing needed to be added to this document in over three years? Hardly the case. A lot has changed since then. New products have been launched and many new features have been added to existing applications. That SHOULD mean that new recommendations need to be added to the document - two obvious ones are new seeded database users and new seeded application users. We at ERP Risk Advisors have identified 10 new seeded application users (see the Internal Controls Repository, for end users only, at http://tech.groups.yahoo.com/group/oracleappsinternalcontrols/ for more on this topic).
If Oracle is going to produce a best practices document it needs to maintain the document or provide a caveat stating that the document is a sampling of best practices that should not be relied upon as a comprehensive list. Just my two cents...
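The two posts above complain that Oracle's default-password script only covers "common" usernames and that its best-practices note doesn't keep up with new seeded accounts. The following is an added example of how to inventory both layers yourself; it is not code from the Oracle notes or from the author. It assumes an Oracle Database 11g or later (the DBA_USERS_WITH_DEFPWD view did not exist before 11g) and a DBA-privileged connection with SELECT on the DBA_ views and on APPS.FND_USER. The list of seeded application accounts in the second query is an assumption drawn from commonly cited seeded users, not an official or complete list; extend it from your own inventory.

```sql
-- Added example (not from Note 227010.1 or 403537.1): inventory default-password
-- exposure at both layers of an E-Business Suite instance.

-- 1. Database layer. DBA_USERS_WITH_DEFPWD (Oracle Database 11g and later)
--    compares every account's stored password verifier against Oracle's list of
--    known default passwords, so it is not limited to a hand-picked set of
--    "common" usernames the way a static script is. OPEN accounts sort first
--    because those are usable right now.
SELECT u.username,
       u.account_status,
       u.created,
       u.profile
FROM   dba_users u
       JOIN dba_users_with_defpwd d ON d.username = u.username
ORDER  BY CASE WHEN u.account_status = 'OPEN' THEN 0 ELSE 1 END,
          u.username;

-- 2. Application layer. Seeded EBS application accounts are rows in FND_USER,
--    not database users, so the view above never sees them. The username list
--    is an assumption (a starting point, not Oracle's complete list). Accounts
--    with no END_DATE, or whose PASSWORD_DATE is the same as their creation
--    date, need attention. GUEST and SYSADMIN must stay active, but their
--    passwords should have been changed from the defaults.
SELECT fu.user_name,
       fu.start_date,
       fu.end_date,
       fu.last_logon_date,
       fu.password_date,
       CASE
         WHEN fu.end_date IS NULL OR fu.end_date > SYSDATE THEN 'ACTIVE'
         ELSE 'END-DATED'
       END AS status
FROM   apps.fnd_user fu
WHERE  fu.user_name IN ('GUEST', 'SYSADMIN', 'ANONYMOUS', 'AUTOINSTALL',
                        'CONCURRENT MANAGER', 'FEEDER SYSTEM', 'INITIAL SETUP',
                        'STANDALONE BATCH PROCESS', 'WIZARD', 'IBE_ADMIN',
                        'IBE_GUEST', 'IBEGUEST', 'IEXADMIN', 'MOBADM',
                        'MOBDEV01', 'MOBILEADM', 'OP_CUST_CARE_ADMIN',
                        'OP_SYSADMIN', 'XML_USER')
ORDER  BY status, fu.user_name;
```

The point of the first query is that the view does the matching for every account in the database, so a new seeded schema introduced by a patch shows up without anyone having to update a script. The second query is the part Oracle leaves to you: keep the username list under version control and add to it whenever a new seeded application user appears in a patch readme.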
Email me with comments at jhare@erpra.net.
Regards,
Jeffrey T. Hare, CPA CISA CIA
ERP Risk Advisors / ERP Seminars
www.erpseminars.com
www.erpra.net
Tuesday, February 2, 2010
Where is Oracle's Norman?
I am an avid user of LinkedIn: I have amassed over 1700 connections, I host two groups (Oracle GRC and Oracle ERP Auditors), and I am a member of several other groups including a group on GRC and a group hosted by the IIA. I have bumped into several posts from Norman Marks, whose title is "Vice President, GRC at SAP BusinessObjects division." Norman is an advocate for GRC best practices and regularly blogs on the topic on LinkedIn, the IIA site and others.
SAP has clearly invested in this man: go do your thing, go promote GRC best practices, go be an expert... knowing that the reputation this builds for SAP as a thought leader is priceless. I am not necessarily saying that SAP GRC's focus is stronger than Oracle's, because I don't know SAP software well enough to make a valid comparison. However, it does beg the question... "Where is Oracle's Norman?"
Food for thought...
Regards,
Jeffrey T. Hare, CPA CISA CIA
Industry Analyst.Author.Consultant.Audit Trail Evangelist
Phone: 970-785-6455
Cell: 970-324-1450
Email: jhare@erpseminars.com
Website: www.erpseminars.com
Author of the book “Oracle E-Business Suite Controls: Application Security Best Practices” - buy it at: http://stores.lulu.com/erpseminars
LinkedIn: http://www.linkedin.com/in/jeffreythare
Oracle Users Best Practices Board: www.oubpb.com
LinkedIn Oracle GRC group: http://www.linkedin.com/groups?gid=2017790
LinkedIn Oracle ERP auditors group: http://www.linkedin.com/groups?gid=2354934
Oracle internal controls and security listserver: http://tech.groups.yahoo.com/group/OracleSox/
Oracle internal controls repository: http://tech.groups.yahoo.com/group/oracleappsinternalcontrols/
Any opinions or advice stated in this e-mail or the attachments thereof do not constitute legal or accounting advice and provide no indemnification from fraud or material misstatements.
Friday, January 22, 2010
Manage Proxies... A great R12 'feature'
Manage Proxies is new functionality that allows delegation of security to another user. Whereas Worklist Access and Vacation Rules are a delegation of approval authority, Manage Proxies is a complete delegation of a user's security (responsibilities and all) to another user.
Fortunately, the Manage Proxies functionality is only available if the Manage Proxies role is granted to the user. This role can only be granted to a user via the User Management module.
The Manage Proxies functionality is extremely powerful and, therefore, extremely dangerous. Unfortunately, there isn't any out-of-the-box report (similar to the Users of a Responsibility report) in the User Management module that provides you with a list of users that are assigned roles such as the Manage Proxies role. Any inquiry into role assignments in the User Management module needs to be custom built.
Manage Proxies is the next in a long list of 'features' that may be a good idea from an operational perspective, but a nightmare from an internal controls perspective, especially without the controls-related monitoring that should come 'standard' with this functionality. Oracle needs to build the necessary monitoring and auditing requirements into the design of each of their new features. This is one area where they seriously missed the mark. Let's hope they've refined their processes and talent in Fusion Apps.
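Since there is no seeded "users of a role" report, here is an added example of the custom inquiry the post says you have to build. It is not code from the original post or from Oracle. It assumes an R12 instance where UMX roles are stored in the Workflow directory-service tables (WF_USER_ROLE_ASSIGNMENTS for who holds a role, WF_LOCAL_ROLES for the role's display name) and that the Manage Proxies role key contains the string PROX; the exact role key is an assumption, so confirm it in User Management > Roles & Role Inheritance and adjust the filter. The meaning of ASSIGNMENT_TYPE values is also an assumption.

```sql
-- Added example: who currently holds a Manage Proxies role (or any other
-- role you care about) in User Management. Run as APPS or a reader with
-- SELECT on the APPS tables referenced.
SELECT ura.user_name,
       fu.description          AS user_description,
       ura.role_name,
       r.display_name          AS role_display_name,
       ura.start_date,
       ura.end_date,
       ura.assignment_type,    -- assumed: 'D' direct, 'I' inherited through another role
       ura.assigning_role      -- the role that carried the grant when inherited
FROM   apps.wf_user_role_assignments ura
       JOIN apps.wf_local_roles r
         ON  r.name           = ura.role_name
         AND r.orig_system    = ura.role_orig_system
         AND r.orig_system_id = ura.role_orig_system_id
       LEFT JOIN apps.fnd_user fu
         ON  fu.user_name = ura.user_name
WHERE  ura.role_name LIKE 'UMX|%'                     -- UMX roles only, not responsibilities
AND   (UPPER(ura.role_name)    LIKE '%PROX%'          -- assumed role key fragment
    OR UPPER(r.display_name)   LIKE '%PROX%')
AND   (ura.end_date IS NULL OR ura.end_date > SYSDATE) -- assignments in force today
ORDER  BY ura.role_name, ura.assignment_type, ura.user_name;
```

Drop the two PROX filters and you get the full role-to-user listing that the User Management module never gives you out of the box; schedule it and diff the output between runs to catch new grants. Note that this shows who is allowed to set up a proxy, not who has actually been made somebody's proxy; that second question needs its own query against the proxy data, which this example does not cover.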
Regards,
Jeffrey T. Hare, CPA CIA CISA
Monday, November 9, 2009
Oracle doesn't have a clue - take 3... workflow history
Well.... Interesting day for Oracle users as Oracle cuts over to the new "My Oracle Support" portal. Another great technology snafu by Oracle. Kinda reminds me of Microsoft. They just can't seem to prevent screwing up customers' days...
One of the other great 'features' of the EBS suite is the workflow history purge process. If you are an 11i client and you want to purge workflow notifications, you will also be purging workflow approvals. The retention of workflow approvals (e-mails that indicate 'approval' of a workflow process such as journal approvals) is critical to having an audit history related to automated controls. Failure to retain an audit history of workflow approvals could mean an external auditor would not allow reliance on automated controls under the AS5 standard.
Your organization needs to build a custom retention process to store this data for at least 15 months (check your org's data retention policy before purging...) in order to support audit requirements.
If this 'feature' is news to you, contact me for more details at jhare@erpseminars.com. I can provide some tips (provided to me by Karen Brownfield of Solution Beacon) on how to build a custom archive process for retaining such data.
Good luck to all of you trying to use Oracle's new Metalink replacement!
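The following is an added example of the kind of custom retention process described above; it is not the post's or Solution Beacon's code. It assumes the approval record worth keeping is the closed notification row in WF_NOTIFICATIONS (joined to WF_ITEM_ACTIVITY_STATUSES for the item type and key, with the approver's chosen response in WF_NOTIFICATION_ATTRIBUTES under the attribute name RESULT), that journal and PO approvals run under the item types GLBATCH and POAPPRV, and that a custom table named XX_WF_APPROVAL_ARCHIVE is acceptable in your instance. All three are assumptions to verify before relying on this.

```sql
-- Added example: copy closed approval notifications into a custom archive
-- BEFORE running "Purge Obsolete Workflow Runtime Data", so the approval trail
-- survives the purge. Item types and the table name are assumptions.

-- One-time setup.
CREATE TABLE apps.xx_wf_approval_archive (
  notification_id    NUMBER         NOT NULL,
  item_type          VARCHAR2(8),
  item_key           VARCHAR2(240),
  message_type       VARCHAR2(8),
  message_name       VARCHAR2(30),
  subject            VARCHAR2(240),
  recipient_role     VARCHAR2(320),   -- who the notification was sent to
  original_recipient VARCHAR2(320),   -- who it was first addressed to
  responder          VARCHAR2(320),   -- account (or 'email:<addr>') that answered
  result             VARCHAR2(2000),  -- APPROVED / REJECTED etc. (RESULT attribute)
  begin_date         DATE,
  end_date           DATE,
  archived_on        DATE DEFAULT SYSDATE NOT NULL,
  CONSTRAINT xx_wf_approval_archive_pk PRIMARY KEY (notification_id)
);

-- Repeatable load; schedule it ahead of every purge run. MERGE makes re-runs
-- idempotent, so overlapping windows do not duplicate rows.
MERGE INTO apps.xx_wf_approval_archive a
USING (
  SELECT n.notification_id,
         ias.item_type,
         ias.item_key,
         n.message_type,
         n.message_name,
         n.subject,
         n.recipient_role,
         n.original_recipient,
         n.responder,
         (SELECT na.text_value
            FROM apps.wf_notification_attributes na
           WHERE na.notification_id = n.notification_id
             AND na.name = 'RESULT') AS result,
         n.begin_date,
         n.end_date
    FROM apps.wf_notifications n
    JOIN apps.wf_item_activity_statuses ias
      ON ias.notification_id = n.notification_id
   WHERE n.status = 'CLOSED'
     AND ias.item_type IN ('GLBATCH', 'POAPPRV')   -- assumed approval item types
) s
ON (a.notification_id = s.notification_id)
WHEN NOT MATCHED THEN
  INSERT (notification_id, item_type, item_key, message_type, message_name,
          subject, recipient_role, original_recipient, responder, result,
          begin_date, end_date)
  VALUES (s.notification_id, s.item_type, s.item_key, s.message_type,
          s.message_name, s.subject, s.recipient_role, s.original_recipient,
          s.responder, s.result, s.begin_date, s.end_date);

-- Optional trim to the 15-month floor the post mentions. Run this only after
-- confirming it does not cut below the organisation's own retention policy.
DELETE FROM apps.xx_wf_approval_archive
 WHERE end_date < ADD_MONTHS(TRUNC(SYSDATE), -15);

COMMIT;
```

Two practical points: the archive must be loaded by a job that runs before the purge program in the same schedule, never after, and the archive table should be protected like any other audit table (read-only to everyone except the loading job, and covered by the database's own audit settings), otherwise it becomes the next thing an auditor declines to rely on.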
Regards,
Jeffrey T. Hare, CPA CISA CIA
Thursday, October 29, 2009
Oracle doesn't have a clue - take 2: Delegated Authority...
Here is another one.... An email from a user to one of the listservers I manage:
"Hi all. Anyone know of a means to report on current user settings for worklist access and vacation rules? We would like to be able to review which of our users are using worklist access and vacation rules, and to whom they have delegated.
Ideally, there would be a seeded report in Oracle. If not, perhaps some SQL or knowledge of which tables hold this information."
Delegation of approval authority via worklist access or vacation rules could violate company policy and could subject a company to a nasty-gram from their auditors à la a control weakness in their SOX testing. If an auditor really wanted to be nasty about it, they could give an organization a material weakness (or at least a significant deficiency) IMO, because this allows someone to delegate their approval authority and, in some cases, the delegation isn't recorded or reflected anywhere in the system. For example, a CFO could delegate their PO approval or Journal Entry approval authority to the janitor, their secretary, or a staff accountant, who could act on behalf of the CFO to approve a journal entry, PO, or anything done via Oracle Workflow.
Cool functionality when you look at it on an operational basis. Jane Doe, CFO, takes a week off to ride on her 200 foot yacht and someone needs to approve things when she is gone so that business doesn't come to a screeching halt. Case closed, right? However, in some cases, when Jane delegates to another employee, it still looks AS IF Jane made the approval AND... no record of this delegation is made in the system... or at least there are NO REPORTS out of the box that records the delegation (I suspect the audit trail doesn't even exist...).
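As an added example (not from the original post, and not an Oracle-supplied report), here is the kind of SQL the listserver member was asking for. It assumes vacation rules are stored in WF_ROUTING_RULES (owner in ROLE, delegate in ACTION_ARGUMENT, with ACTION being FORWARD, TRANSFER or RESPOND), that WF_NOTIFICATIONS.RESPONDER holds the account that actually submitted a response while ORIGINAL_RECIPIENT holds who it was first addressed to, that e-mail responses appear with an 'email:' prefix that can be mapped back through WF_LOCAL_ROLES.EMAIL_ADDRESS, and that journal and PO approvals run under item types GLBATCH and POAPPRV. Whether a delegated response really lands in RESPONDER as the delegate is exactly the audit-trail question the post raises, so validate the second query against a test delegation in your own instance before relying on it.

```sql
-- Added example: report vacation-rule delegations and approvals answered by
-- someone other than the addressee. Table and column semantics are assumptions
-- described in the lead-in; verify against a test delegation.

-- 1. Vacation rules in force today or starting in the future, with the
--    delegate. A NULL MESSAGE_TYPE/MESSAGE_NAME means the rule applies to
--    every item type / message.
SELECT rr.role                        AS delegator,
       rr.action,                            -- FORWARD, TRANSFER or RESPOND
       rr.action_argument             AS delegate,
       NVL(rr.message_type, '(ALL)')  AS item_type,
       NVL(rr.message_name, '(ALL)')  AS message_name,
       rr.begin_date,
       rr.end_date,
       rr.rule_comment
FROM   apps.wf_routing_rules rr
WHERE  rr.end_date IS NULL OR rr.end_date >= TRUNC(SYSDATE)
ORDER  BY rr.role, rr.begin_date;

-- 2. Closed approval notifications from the last 90 days where the responder
--    is not the original addressee. E-mail responses are mapped back to a
--    username via WF_LOCAL_ROLES; if no mapping is found the row is still
--    flagged ('?') so it gets looked at rather than silently dropped.
WITH responses AS (
  SELECT n.notification_id,
         n.message_type,
         n.message_name,
         n.subject,
         n.original_recipient,
         n.recipient_role,
         n.responder,
         n.end_date AS responded_on,
         CASE
           WHEN n.responder LIKE 'email:%' THEN
             (SELECT MAX(lr.name)
                FROM apps.wf_local_roles lr
               WHERE UPPER(lr.email_address) = UPPER(SUBSTR(n.responder, 7)))
           ELSE n.responder
         END AS responder_user
    FROM apps.wf_notifications n
   WHERE n.status = 'CLOSED'
     AND n.responder IS NOT NULL
     AND n.end_date >= SYSDATE - 90
     AND n.message_type IN ('GLBATCH', 'POAPPRV')   -- assumed approval item types
)
SELECT notification_id,
       message_type,
       message_name,
       subject,
       original_recipient,
       recipient_role,
       responder,
       NVL(responder_user, '?') AS responder_user,
       responded_on
  FROM responses
 WHERE NVL(UPPER(responder_user), '?') <> UPPER(original_recipient)
 ORDER BY responded_on DESC;
```

The first query answers "who has delegated to whom"; the second answers "which approvals were actually given by someone other than the person they were addressed to". Run both as a periodic control and reconcile the second against the first: a responder who is not on any vacation rule for that delegator is the case worth escalating.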
Nice job Oracle!!! We wouldn't want that type of information in the case of an audit, would we?
More to come...
Jeffrey T. Hare, CPA CIA CISA