May 2023 Newsletter

Hello Friends,?

Summer is officially here! We hope as the weather starts to turn from April Showers to sunshine, you get outside and spend quality time with your friends and family. Check out the highlighted topics in this month's issue below. We hope you enjoy and feel connected to what is happening at ERP Risk Advisors and beyond!

Highlights in this issue:?

1. Ascend'23 Presentation Schedule?
2. This Month's Featured Article
3. We Started A Podcast!?
4. Earn Free CPE!?
5. New Learning Opportunities Added to Course Catalog!

?Have a Blessed Day! ~ the ERP Risk Advisors Team

+ + +

Spotlight News

Check out the following articles, topics, and webinars happening in May!

Featured Article - Scroll Down!

Ascend Presentation Information

Presentations from Jeff Hare CPA, CISA, CIA as either a presenter or panelist are listed below:?

1. To Security and Beyond. How to Buzz License Cost and Stay Lightyears Ahead of Fraud (presenter) - Sunday, June 11, 2:30-3:30 pm EDT
2. OATUG Cloud ERP SIG presents Cloud Migration the Good, The Bad and The Ugly (panelist) - Monday, June 12, 3:45-4:45pm EDT

Don't forget to find us at Booth 200 in the exhibition hall! Find the FULL Ascend'23 Presentation Agenda Here

We Started a Podcast!

Almost every other day, news headlines flash, “fraud.” But are we getting the whole story? "Fraud in the Office" is a comical, murder mystery style podcast uncovering secrets deep within the fraud and its ultimate demise. Come ready to be amused as we discover together “the Who, the How, and the What Now”. Catch the latest episode of our two part series now!

We're Making Some Updates!

Updates on ERP Risk Advisors Applications we cover and what is in our roadmap:

In March 2023 we added three new ERP systems to our ERP Armor offerings. They include three niche applications in Oracle’s ERP portfolio: Clinical One, Transportation Management, and Retail.

Our roadmap includes SAP and Ariba which we expect to have built by the end of this summer.

Check Out This Partner Webinar!

Click To Register

+ + +

Featured Article

Lack of Control Performer Independence Testing is Systemic and This is Why it Matters [Part 1]

By: Jeff Hare, CPA CIA CISA

I recently wrote an article called Why Access Controls Must Be Tested for All In-Scope Systems and the feedback has been shocking.?I have a decent network of auditors throughout external audit firms who regularly comment “off the record” when I am drafting or have published something.?

Honestly, I didn’t think the article was that revolutionary, however I am now realizing otherwise based on the feedback I heard.?Publishing that article has uncovered a systemic issue in the internal and external audit industries I didn’t know existed.?

One of the reasons I wrote the prior article: Why Access Controls Must Be Tested for All In-Scope Systems was to stress how important it is to verify control performers do not have access to the underlying activities they oversee in the execution of the control. As it stands, this critical verification process goes unperformed. The ramifications of such an oversight are massive.

Why was Sarbanes Oxley (SOX) implemented??One of the main reasons SOX was implemented was to have controls in place to make sure management was not overriding controls. What is one way management can override controls??They can enter or maintain data that doesn’t get caught during the performance of a control.??

What happens if management has access to the ability they are overseeing in the control??Management can override the control and then the data they enter or maintain may not be caught by someone else.??

A recent example we have of this is FTX. Sam Bankman Fried (SBF) was the Founder and CEO of FTX and had access to crypto wallets. This gave him the ability to move billions of dollars without anyone knowing it. Why did the CEO of FTX have such powerful access and how did this not get caught during an audit???

While the specifics of the FTX case are unknown, I think it’s worthwhile to consider what controls could have prevented this loss in the first place.

SBF as CEO should never have had access to any highly privileged system accounts.?He should have been a part of the execution of the control. Given his technical expertise he probably should have been the Control Reviewer overseeing those who have access to?“keys to the kingdom” accounts.?

Let’s assume he was part of the operation of the control.?This would mean he was asked to opine on the appropriateness of his own access.?FTX gives me one recent example of why the lack of Control Performer independence testing is a systemic issue in the internal and external audit industries.??

What did the internal and external auditors likely miss in the FTX audit??If SBF was the final Control Reviewer, he would have been the one to sign off on the effectiveness of the control.?The external auditors should have verified that SBF as Control Reviewer did not have access to enter or maintain accounts with access to the wallets.?If they had they would have identified SBF HAD THE ABILITY to override the controls with his current access.

I could go down further into this rabbit hole and talk about system or generic accounts that could have been used. Or password controls. Or SignOn login monitoring.?There are a myriad of routes potentially producing the same result.?

However, to keep us on track I will make this blanket statement:

Control performers should NOT have access to the activities they are responsible for signing off on. The controls they assert are in place when they certify their controls are effective at the end of the audit.

Here are three truths every auditor should know:

1. The job of management is to make sure anyone performing a control cannot override the control.?This includes themselves and all others that are involved in executing and reviewing the control.
2. The job of the Internal Auditor is to make sure management has done number 1.
3. The job of the External Auditor is to make sure management has also done number 1.

So, what led?to Sarbanes Oxley’s passage in Congress in 2002???It was a series of frauds and business failures primarily due to management overriding controls.

Am I confident this issue has been solved??NO WAY! The opposite is most likely true.?

I am convinced that auditors are NOT routinely testing whether the Control Performer has access to the activities they are overseeing because it takes a level of cooperation between the financial auditors and the IT auditors that we rarely, if ever, see.

Here are the steps that would need to be in place for this type of testing to take place by external auditors:

1. The financial audit team needs to identify that controls implemented by management they would be relying on in their audit.
2. The RACM would most likely identify a job title rather than a person that is part of the control performance.?Management would need to identify who is(are) the control performer(s) and financial audit team would need to verify that is consistent with their testing.
3. The IT team would need to identify the logins for the control performer(s) in each of the in-scope systems.
4. A full sensitive access analysis assessment process would need to be executed.?This would consist of full details of all users, including all Control Performers and their access via assigned roles.?There would need to be logical understanding and technical confirmation that the scan is complete and accurate.
5. Once established that the assessment is complete and accurate, the activities that a Control Performer can perform (transactions, master data, and configurations) would need to be compared to the control activities and control description to see if their access impairs their independence.

Why I am skeptical this is being done is because:

1. This requires the use of access control software or a point-in-time assessment for all in-scope systems.
2. This requires the risk content being used in the access control software for this assessment to be complete and accurate as well.?We rarely, if ever, see the large risk advisory firms that do this type of work having an extensive library of sensitive access risks.
3. I have yet to see an IT audit team or financial audit team do this during an audit.

I will make my case in more detail in June’s Featured Newsletter Article…?

+ + +

ERP Armor: Learning

Organizations must identify, manage, and mitigate risk in their ERP systems.

ERP Risk Advisors has developed ERP Armor risk content as a unique solution that provides proven results to external audits at a significantly lower TCO than any other options.

Learn more about they WHY behind our learning platform and how our courses taught by some of the best in the business can best serve you and your organization.?

ERP Armor: Learning has added quite a few new courses to their catalog of options for positions such as IT & Financial Auditors, IT Compliance, Program Managers, CIO's, CISO's, and CFO's.

1. Auditing Bank Reconciliations in ERP Systems
2. Auditing Fixed Assets in ERP Systems
3. Auditing System Development Projects
4. Assessing IT General Controls
5. Why Access Controls Must Be Tested for All In-Scope Systems

+ + +

Thank you for reading and subscribing to this month's issue! As always, please contact us with thoughts, or feedback at [email protected].