ERP Risk Advisors offers content for Oracle E-Business Suite, ERP Cloud, and PeopleSoft in various
leading software companies. Our content related to segregation of duties, single-function risk, and
access to sensitive data uses the most comprehensive approach in the industry and is mapped to
the lowest object for each software package.
The content is process-centric in that it takes into account risks at the process level where Oracle's
security is deficient. For example, entering of credit memos in AR is a common risk for
organizations. However, in Oracle there is no single function you can point to that allows you to
identify the users that have the ability to enter a credit memo. In this case, the process-centric risk is
noted with an appropriate risk description that includes further description on these risks. The risk
description includes this comment: "In many Oracle instances, access to the transactions form allows
for the entry of a negative transaction (check your transaction types setups for creation sign)."
Because of the process-centric nature of the content, much of the content can be leveraged in your
risk assessments related to other systems.
The content is also application-centric. We recognize there are certain risks that are unique to the
software (such as Oracle E-Business Suite) that need to be specifically spelled out. For example, the
forms that allow for the embedding of a SQL statement or OS statement are unique to Oracle
E-Business Suite. Each of these forms is spelled out as a high-risk single function.
For Oracle E-Business Suite, our content addresses the following:
- Over 1,000 SOD conflicts and single function risks
- Risk regarding inquiry access to sensitive data
- Specific risk description for each conflict / single function risk
- Common mitigating controls
- Template to perform risk assessment for each conflict / single function risk
- Common SOX and Fraud Risk
- Consideration of manual processes that happen outside the system
- Mapping to the function level for each system-related risk
- Updates twice a year based on latest patches by Oracle
The content is geared towards those with a risk advisory, corporate governance, or internal audit
Contact us for pricing and more details regarding this offering.