March Risk Revolution
ERP Risk Advisors
Risk content to help you identify, manage, and mitigate ERP risk.
Hello Friends,
As spring begins to blossom around us, it's time to dust off the remnants of winter, roll up our sleeves, and embark on our annual cleaning sprees. This is an opportune moment to clear away the shadows of potential fraud lurking within our ERP systems. Just as we tidy up our homes and refresh our surroundings, it's imperative to clean house digitally and ensure data theft and fraud risks to our organizations are identified, mitigated, and managed for the season ahead.
In this edition of The Risk Revolution, we'll explore ways to equip you and your organization with the knowledge and tools needed to fortify your defenses across various ERP systems including ERP Cloud, NetSuite, Workday, and more. From helping you reduce licensing costs to demonstrating ERP system foundational concepts; from updating your roles/rules due to patch releases to enhancing security and critical controls, we’re ready to help you spring clean your fraud risk strategies and safeguard your assets.
So, grab your virtual broom and dustpan, and let's get started!
Have a Blessed Day!
~ the ERP Risk Advisors Team
Spotlight News
Below are hot topics in the IT audit and cyber security industry. Enjoy the read and reach out with any questions or feedback to [email protected].
ERP ARMOR: Learning
Below are our March ERP ARMOR: Learning featured courses. Learn to identify, manage, and mitigate risks from the best in the business and fulfill your CPE requirements! Check out our Learning Homepage for the full course catalog!
Social Impact
At ERP Risk Advisors, we believe in using our resources to make a positive impact on the world around us. When you partner with us, a portion of that partnership goes toward supporting another community, one person at a time.
International Justice Mission (IJM), our March featured Social Impact Partner, is at the forefront of bringing a stop to slavery and trafficking all over the world. They work with justice systems to end violence against people living in poverty. End Slavery in Our Lifetime.
Step 1 in Our 2024 Resovolutions
Part of our 2024 Resovolutions is to revolutionize the way organizations identify, manage, and mitigate risk in their ERP systems. Application security design and management risks represent a significant, immature control area within organizations. Management knows these risks are often not being managed properly. The benefits seem to outweigh the risks when you consider:
Traditionally, there have been two types of software: the first is identity and access management (IAM); the second is typically used for compliance, to test application access controls.
Software Types & the Risks
Let's Set the Stage, from Problem to Resovolution...
To understand our 2024 resovolutions, you must first understand the problem. Identity and access management software (IAM) manages identities across all (or most) IT systems. This allows for automated provisioning and de-provisioning of users, as well as changes to a user’s access as roles change.
Application access controls software is used to test for Segregation of Duties (SoD) conflicts and, to a lesser extent, sensitive access (SA) risks. This category is most often used for testing compliance requirements such as Sarbanes-Oxley (SOX), J-SOX, and UK SOX.
Implementation projects for these systems often start in the six figures and rise from there, and they will likely be repeated during significant upgrades, which typically occur every two to five years for on-premise applications such as Oracle E-Business Suite and SAP. The way this software is traditionally sold and implemented makes the cost outweigh the value. Often organizations choose not to implement and maintain their own software, but instead rely on expensive contracts with the Big 4 and other large risk advisory firms to test these controls. Alternatively, organizations take a wrong turn with a "hope and pray" approach and wait for the external auditors to test these controls as part of their annual audit.
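What an application access controls test actually does is mechanical: flatten each user's roles into the privileges they hold, then look for pairs of privileges that one person should not hold together (SoD) and for single privileges that are dangerous on their own (sensitive access). The Python below is an added illustration of that logic for this newsletter; it is not ERP Risk Advisors' tooling or any vendor's product, and the users, roles, privileges and rule IDs are constructed sample data that merely resemble an accounts-payable setup. It also reports which roles supply each side of a conflict, and checks whether a role conflicts with itself, because a conflict baked into a seeded role is a design finding rather than an assignment finding.

```python
"""Segregation-of-duties (SoD) and sensitive-access checks over ERP role assignments.

Added illustration for this newsletter; not ERP Risk Advisors' tooling or any
vendor's product. Users, roles, privileges and rules are constructed sample data.
"""

# Constructed sample: the privileges each role grants. In a real system this
# comes from the ERP's role/privilege catalog (seeded and custom roles alike).
ROLE_PRIVILEGES = {
    "AP_CLERK": {"CREATE_SUPPLIER", "ENTER_INVOICE"},
    "AP_MANAGER": {"ENTER_INVOICE", "APPROVE_INVOICE"},   # conflict baked into one role
    "PAYMENTS": {"CREATE_PAYMENT"},
    "TREASURY_RELEASE": {"RELEASE_PAYMENT"},
    "SYSADMIN": {"MANAGE_ROLES"},
}

# Constructed sample: the roles each user holds.
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "PAYMENTS"},   # can create a supplier and then pay it
    "carol": {"AP_MANAGER"},           # enters and approves the same invoice
    "dave": {"SYSADMIN"},              # no SoD pair, but sensitive on its own
}

# SoD rules: pairs of privileges one person should not hold at the same time.
SOD_RULES = {
    "SOD-01": ("CREATE_SUPPLIER", "CREATE_PAYMENT"),
    "SOD-02": ("ENTER_INVOICE", "APPROVE_INVOICE"),
    "SOD-03": ("CREATE_PAYMENT", "RELEASE_PAYMENT"),
}

# Sensitive-access rules: single privileges that warrant review by themselves.
SENSITIVE_PRIVILEGES = {"MANAGE_ROLES"}


def roles_granting(privilege, roles, role_privileges=ROLE_PRIVILEGES):
    """Which of the given roles grant this privilege (sorted for stable output)."""
    return sorted(r for r in roles if privilege in role_privileges.get(r, ()))


def sod_conflicts(user, user_roles=USER_ROLES, role_privileges=ROLE_PRIVILEGES,
                  rules=SOD_RULES):
    """Map each violated rule to the roles that supply each side of the conflict.

    Reporting the roles rather than just the rule is what makes the finding
    actionable: it tells you whether to remove an assignment or redesign a role.
    """
    roles = user_roles.get(user, set())
    findings = {}
    for rule_id, (left, right) in rules.items():
        left_roles = roles_granting(left, roles, role_privileges)
        right_roles = roles_granting(right, roles, role_privileges)
        if left_roles and right_roles:
            findings[rule_id] = {left: left_roles, right: right_roles}
    return findings


def role_level_conflicts(role_privileges=ROLE_PRIVILEGES, rules=SOD_RULES):
    """Roles that violate a rule on their own. Assigning such a role to anyone
    creates a conflict, so these are design findings, not assignment findings."""
    findings = {}
    for role, privs in role_privileges.items():
        hits = sorted(rid for rid, (l, r) in rules.items() if l in privs and r in privs)
        if hits:
            findings[role] = hits
    return findings


def sensitive_access(user, user_roles=USER_ROLES, role_privileges=ROLE_PRIVILEGES,
                     sensitive=SENSITIVE_PRIVILEGES):
    """Sensitive privileges a user holds, regardless of any pairing."""
    held = set()
    for role in user_roles.get(user, set()):
        held |= role_privileges.get(role, set()) & sensitive
    return held


if __name__ == "__main__":
    for user in USER_ROLES:
        print(user, "SoD:", sod_conflicts(user), "SA:", sorted(sensitive_access(user)))
    print("roles conflicting by design:", role_level_conflicts())
```

Run as-is, bob is flagged under SOD-01 with AP_CLERK on one side and PAYMENTS on the other (fix the assignment), while carol is flagged under SOD-02 with AP_MANAGER on both sides (fix the role). The same three functions are the core of a compliance test regardless of which ERP produced the extract; what differs per system is how you export the role catalog and user assignments.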
The Plot Thickens...
Historically, the effectiveness of external auditors is hit or miss. Mostly a miss… either by over-scoping or under-scoping risks. As I say to clients regularly, "they throw a bunch of crap up on the wall and see what sticks". Their rationale for what they include and exclude seems at times to be at random.
The world is rapidly moving to SaaS ERP applications where patches are mandatory two to four times a year. These patches / releases introduce changes to the systems on a regular basis. New features are a driving factor in why organizations implement systems such as ERP Cloud, NetSuite, Workday, or others.
These perpetual patching cycles demand that management identify, manage, and mitigate new risks on a regular basis. Each patch cycle is a mini-upgrade project. Identify changes and new features… Test, test, test to make sure everything works as expected. Then, evaluate whether seeded or hybrid roles have had new abilities added to them which make them appropriate or not for their users. And then finally, we hope and pray the patches / releases applied to the DEV environment are the same as what is applied to Production.
SaaS applications have also introduced new cyber security risks. Traditionally, one would find the "keys to the kingdom" systems behind a firewall in secure networks and data centers. The old adage was to 'protect the perimeter'. If the bad guys can't penetrate the network, our data and systems are safe – or so management thought.
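The patch-cycle steps above reduce to comparing three snapshots of the role catalog: the baseline before the release, DEV after it, and PROD after it. The Python below is an added illustration for this newsletter, not ERP Risk Advisors' tooling or any vendor's feature; the snapshots, privilege names, watchlist and rule IDs are constructed sample data. It answers the three questions a reviewer asks each cycle: which roles gained or lost abilities, did any role gain an ability that is sensitive or that creates an SoD conflict inside the role itself, and do DEV and PROD actually match after the release.

```python
"""Patch-cycle review: what a SaaS release changed in roles, and whether DEV and
PROD actually match afterwards.

Added illustration for this newsletter; not ERP Risk Advisors' tooling or any
vendor's feature. The three snapshots are constructed role-to-privilege extracts.
"""

# Constructed snapshots. Real ones would be exported from the ERP's security
# console or reporting tables before and after each release.
BEFORE = {
    "AP_CLERK": {"CREATE_SUPPLIER", "ENTER_INVOICE"},
    "AP_MANAGER": {"APPROVE_INVOICE"},
    "PAYMENTS": {"CREATE_PAYMENT"},
}
DEV_AFTER = {
    "AP_CLERK": {"CREATE_SUPPLIER", "ENTER_INVOICE", "UPDATE_SUPPLIER_BANK_ACCOUNT"},
    "AP_MANAGER": {"APPROVE_INVOICE", "ENTER_INVOICE"},   # new ability on a seeded role
    "PAYMENTS": {"CREATE_PAYMENT"},
    "EXPENSE_AUDITOR": {"AUDIT_EXPENSE_REPORT"},          # new seeded role
}
PROD_AFTER = {
    "AP_CLERK": {"CREATE_SUPPLIER", "ENTER_INVOICE", "UPDATE_SUPPLIER_BANK_ACCOUNT"},
    "AP_MANAGER": {"APPROVE_INVOICE", "ENTER_INVOICE"},
    "PAYMENTS": {"CREATE_PAYMENT", "RELEASE_PAYMENT"},    # present in PROD only
    "EXPENSE_AUDITOR": {"AUDIT_EXPENSE_REPORT"},
}

# Privileges whose arrival in any role should trigger a review on its own.
WATCHLIST = {"UPDATE_SUPPLIER_BANK_ACCOUNT", "RELEASE_PAYMENT", "MANAGE_ROLES"}

# SoD pairs, used here only to ask "did the patch create a conflict inside a role?"
SOD_RULES = {
    "SOD-02": ("ENTER_INVOICE", "APPROVE_INVOICE"),
    "SOD-03": ("CREATE_PAYMENT", "RELEASE_PAYMENT"),
}


def diff_roles(before, after):
    """Per-role privilege changes between two snapshots; unchanged roles are omitted."""
    report = {}
    for role in sorted(set(before) | set(after)):
        old, new = before.get(role, set()), after.get(role, set())
        if old != new:
            report[role] = {
                "added": sorted(new - old),
                "removed": sorted(old - new),
                "new_role": role not in before,
                "dropped_role": role not in after,
            }
    return report


def watchlist_hits(report, watchlist=WATCHLIST):
    """Roles that gained a watch-listed privilege in this diff."""
    return {role: sorted(set(c["added"]) & watchlist)
            for role, c in report.items() if set(c["added"]) & watchlist}


def new_intra_role_conflicts(before, after, rules=SOD_RULES):
    """SoD rules a role violates by itself after the patch but did not before."""
    findings = {}
    for role, privs in after.items():
        old = before.get(role, set())
        hits = sorted(rid for rid, (l, r) in rules.items()
                      if l in privs and r in privs and not (l in old and r in old))
        if hits:
            findings[role] = hits
    return findings


def env_divergence(dev, prod):
    """Roles that differ between DEV and PROD after the same release was applied.
    Any entry here means what was tested is not what is running."""
    return diff_roles(dev, prod)


if __name__ == "__main__":
    changes = diff_roles(BEFORE, DEV_AFTER)
    print("changed by patch:", changes)
    print("watchlist:", watchlist_hits(changes))
    print("new conflicts inside roles:", new_intra_role_conflicts(BEFORE, DEV_AFTER))
    print("DEV vs PROD:", env_divergence(DEV_AFTER, PROD_AFTER))
```

With this sample the release added a bank-account privilege to AP_CLERK (watchlist hit), turned AP_MANAGER into a self-conflicting role under SOD-02, and PROD carries a RELEASE_PAYMENT privilege that DEV never had, so the DEV test cycle did not cover what is running. Keep the "before" snapshot from each cycle as the baseline for the next one.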
So Where is the Problem?
This is why our 2024 resovolutions are so critical now. We are witnessing the greatest digital transformation process since Y2K. Covid-19 and the work-from-home environment have made it almost mandatory to use SaaS applications. So, management has decided to use internet-facing applications to support the new world we live in.
A traditional view of cyber security is blind to the new risks. Management has decided to outsource 'protecting the perimeter' to cloud hosting and SaaS ERP system providers such as Oracle, NetSuite, Workday, Salesforce, and SAP. This strategy is fantastic when ALL risks are under their protection. However, an issue we see management falling into is not identifying a firm specializing in cyber security AND one with specific expertise in the ERP systems they are implementing. The vast majority of cyber security firms do not have expertise in how SaaS ERP systems are configured and secured. Without that expertise, these systems are left vulnerable to fraud, compliance failures, and exposure of PII, PHI, and other sensitive data.
A Gap in Design
Simply put, cyber security firms lack the expertise to help management identify, manage, and mitigate these risks because they lack a comprehensive understanding of each unique ERP system. What is needed is deep domain expertise in how authentication and application security are configured and deployed within each ERP system.
Therefore, can we count on the auditors to bring these issues to the attention of management? Gaps in people, processes, and technologies are where auditors normally come in, and where there are control design deficiencies, management can call upon internal auditors as a first line of defense. However, there are chasms between the work of the IT auditors and the financial auditors. Despite the billions spent on SOX audits, systemic issues in the audit process leave issues under-audited or un-audited.
Recently, we brought to the PCAOB's attention a major flaw we identified in the methodology of internal and external audits. We found audit firms are not testing to verify that control performers are independent in the oversight of their controls [article]. This gap in the design of audit procedures means auditors would not be able to detect whether management has overridden the controls as defined. The override of controls by management was one of the major factors leading to the adoption of the audit of Internal Controls over Financial Reporting introduced by the Sarbanes-Oxley legislation in 2002. Let's look at how our 2024 resovolutions solve the issues at hand.
In Closing: Resovolutions Recap
Nothing is New Under the Sun
Last month in our newsletter, we introduced our 2024 resovolutions for the first time. We want to see a revolution in risk management in four industries: ERP software, System Integrator, Cyber Risk, and the Audit Industries.
Having spent 25+ years in this space, I, Jeff Hare, CPA, CISA, CIA, have seen these issues firsthand. These industries remind me of the quote from Ecclesiastes 1:9 in the Old Testament:
“What has been will be again, what has been done will be done again; there is nothing new under the sun.”
The writer of Ecclesiastes understood that the sinful heart of man leads to the same outcomes over and over again… Same story… different day…
Applying this to the ‘modern’ world we get:
How do we change the tides?
Markedly, this leads me back to the 2024 Resovolutions we set at the end of last year.
I asked myself and my team: How can we change the tide? How can we help management have better outcomes? How do we help management become better educated on these risks, to then help them bid and award contracts to firms in light of these systemic issues?
In 2024, I hope to develop and publish a class for senior management to take, ideally before they start an ERP project. The class will focus on the key discussions and decisions they need to make related to the lifecycle of an ERP system, including:
Not in scope for this class will be the decommissioning of an ERP system.
Our Ask
Even as I finish this article, I realize the monumental task of what I have set forth to do. To be moderately successful I am going to need the help and input from folks who have seen the good, the bad, and the ugly. I would appreciate any willingness to speak on your experiences. If so, please provide your contact information here.
Sincerely,