July Newsletter
The ERP Armor Risk Revolution: July Newsletter


Hello Friends,

This month we celebrate the birthdate of our nation!

What does July 4th stand for, after all? For some, it is parades, fireworks, and watermelon. For others, it’s honoring the people who fought for and continue to protect our nation’s independence. For our Operations Manager, Kacey Vande Steeg, it’s celebrating the new life and opportunity America offered her family.

In an article*, her grandfather explained what daily life in his home country of Holland included. He wrote that they saw, “three anti-aircraft guns positioned in our pasture and an ammunitions truck parked behind the house. The soldiers took our potatoes, and we ate the peelings. Those who helped Jewish neighbors were arrested and sent to a concentration camp. We were watched and tracked wherever we went. Through it all, my parents gave what little food they had to the refugees from other cities.”

He went on to say that America is not to be taken for granted and ended with an important reminder that, “Our country is well worth the effort of placing our hands over our hearts for the Pledge of Allegiance.”

Kacey contributes, “my family and I would not be here if it weren’t for the freedom that the United States offers.”

What does July 4th mean to you?

Highlights in this issue:

  1. July's featured article
  2. See what conferences we're at this year
  3. Check out our webinar collaborations this month
  4. Learn why our clients love us because of ERP Armor

Have a Blessed Day!

~ the ERP Risk Advisors Team

*Chino Champion Newspaper, 2/18/2023, Albert Vande Steeg, "What America Means To An Immigrant"

+ + +

Spotlight News

Below are hot-topic items for the IT audit and security industry. Enjoy the read and reach out with any questions or feedback to [email protected].

  1. July's Featured Article - Scroll Down
  2. Our new website is LIVE! Check it Out Now!
  3. Audit Training Series: Test Access Controls with Access Control Software, July 6th, 1PM EST - Get More Information & Register
  4. Cloud ERP Sig: OTBI Panel Best Practices and Lessons Learned, July 17th, 1-2PM EST - Get More Information & Register
  5. Find us at these conferences:

  • ISACA / IIA GRC Conference, Las Vegas, August 21 to August 23
  • Cloud World, Las Vegas, September 18 to September 21
  • Workday Rising, San Francisco, September 26 to September 29
  • Suite World, Las Vegas, October 16 to October 19

+ + +

Learning

Organizations must identify, manage, and mitigate risk in their ERP systems.

ERP Risk Advisors has developed ERP Armor risk content as a unique solution that provides proven results to external audits at a significantly lower TCO than any other options.

Learn more about the WHY behind our learning platform and how our courses taught by some of the best in the business can serve you and your organization HERE.

CPE Opportunities

Auditing IT Dependent Risks in ERP Systems: A Foundational for Financial & IT Auditors - 2 CPE Credit Hours

Auditing today’s IT environment necessitates a thorough understanding of IT dependent and IT application controls. To help organizations meet this obligation, Jeff Hare, CPA CIA CISA discusses a variety of pertinent concerns. In this course, we explore examples of control design and learn why it is necessary to understand how a unique system works. We focus on areas of risk in several key financial processes and also address common IT General controls issues that could undermine your IT Application Controls. In addition to the helpful insight provided, two hours of CPE credit will be awarded upon completion of the class.

+++

Check It Out: ERP Armor

ERP Armor, our risk content, is designed to identify, monitor, and mitigate risk. ERP Armor consists of Rules, Roles, and Reports. We’ve summarized the primary benefits that our risk content offers in the following five points:

  1. Lowers the cost of compliance
  2. Reduces risk for an organization
  3. Eliminates the need for additional consulting
  4. Gives management confidence with continuity of controls
  5. Provides high quality learning and procedures for your internal resources

See Why Our Clients Love Us!

+++

July's Featured Article

Licensing Overages Being Driven by Poorly Designed Roles in ERP / HCM Cloud

By: Jeff Hare CPA, CISA, CIA

In the last two months, our featured articles have been focused on overlooked Access Control risks. April’s article was titled “Lack of control performer independence testing is systemic, and this is why it matters”. This article described why detailed Sensitive Access (SA) risk analysis is necessary to validate that the people performing the controls do not have the ability to override the controls they oversee. This is a systemic gap throughout the audit community which is quite concerning given that the passage of Sarbanes Oxley was primarily in response to the management override of controls.

In May we published an article titled, “Lack of Software to Test Access Controls is Systemic and why it matters” addressing the ten (10) different scenarios where Access Control software is needed. This article provided evidence for why management cannot have effective controls without the implementation and effective use of Access Control software.

If you have not read those articles, they would be worth your time to read as these risks are applicable to all ERP systems.

Lack of Control Performer Independence Testing Is Systemic, and This is Why it Matters [Part 1]

Lack of Software to Test Access Controls is Systemic and Why it Matters [Part 2]

This month we are going to focus on a different type of risk. When one normally talks about “risks”, they are referring to Sensitive Access risks and Segregation of Duties risks. However, overprovisioning of Access Controls can also lead to licensing risks.

While each ERP vendor has its own process for licensing its applications, a consistent approach is that certain modules or abilities determine when an end-user license is consumed. This means roles or certain abilities (often referred to as security objects, permissions, privileges, or entitlements) that are over-assigned to users could lead to additional license costs charged by the software provider.

This is the same approach that Oracle takes in its ERP / HCM application. Certain “privileges” drive the need for licenses.

At times, software providers, like Oracle, go fishing for additional revenue by performing license audits on their clients, which can lead to a significant bill being presented.

A sizable portion of ERP Risk Advisors’ current practice focuses on Oracle’s ERP / HCM Cloud applications. We recently attended a User’s Group conference, called Ascend, which focused on Oracle applications. Many customers recalled how Oracle has audited them and identified significant license overages which led to unwanted invoices being presented. Our own presentation was one of many at the conference that focused on the license audits Oracle is increasingly performing. To us, this comes as no surprise since we have been focusing on role customization for many years. In fact, a few years ago we were the only organization passionately advocating for the use of fully customized roles instead of seeded roles. At this recent (Ascend) user’s conference it was clear Oracle has become more aggressive in their license audits.

Here are a few examples of roles in ERP / HCM Cloud that each have 6 or more license buckets:

Image 1

Given Oracle’s more aggressive stance on evaluating license overages, organizations running ERP / HCM Cloud are becoming increasingly interested in developing custom roles to avoid license costs. Usually, organizations decide to implement custom roles to reduce risk and to avoid Segregation of Duties conflicts. However, now we are seeing organizations become more interested in customizing roles. If you are running ERP / HCM Cloud, you should run the SaaS Service Usage Metrics Report and work to identify how to reduce access to the privileges which require licenses.

If you are interested in understanding how to reduce your license risks, feel free to contact us at [email protected]. We have a significant library of pre-built, fully customized roles that accelerates your remediation timeline. In these types of projects, we also work with management to further reduce sensitive access risks and segregation of duties conflicts where they still exist.

+++

Thanks for reading our July newsletter! If you have any questions or comments, please reach out to us at [email protected]

