Why Fully Customized Roles Are Critical in ERP Implementations We are witnessing the most significant digital transformation in global history – surpassing the massive Y2K tech boom. This shift is largely driven by evolving cyber security risks in our work-from-home era and modernization of business processes. Why do some organizations pursue ERP implementations to reduce costs? That’s not always the case. With […] August 7, 2025
Why ERP Implementations Fail: UNBIASED (4 of 6) “The definition of insanity is doing the same things over and over again but expecting different results”, attributed to Albert Einstein. I am writing this six-part article series about Why ERP Implementations Fail – to help you avoid a failed or a ‘less than optimal’ ERP implementation. In part 1, 2 and 3 we have […] August 1, 2025
Don’t Let the Fox Watch the Hen House: Why your Risk Advisory Firm Should NOT be your SI Firm “The definition of insanity is doing the same things over and over again but expecting different results”. I have been in the ERP implementation and ERP audit space for over 25 years. More often than not implementations are NOT “successful” – let’s explore why. Understanding Why Your Risk Advisory Firm Should Not Be Your SI […] June 27, 2025
Fusion Cloud: Oracle 25B Fusion Changes Hopefully by now you have heard that Oracle is rolling out a major change to the login process and management thereof for Oracle Cloud. This change will start rolling out to customers after the 25B quarterly update goes live. Here’s a brief, high-level overview of what this will look like. What is the change? […] June 19, 2025
Why ERP Implementations Fail: UNBIASED (3 of 6) “The definition of insanity is doing the same things over and over again but expecting different results”. I am writing this six-part article series about Why Implementations Fail – to help you avoid a failed or a ‘less than optimal’ implementation. In part 1 and part 2 we have covered the following two topics: Software […] June 2, 2025
The Disrupter the Risk Advisory Industry Needs Disruption in the risk advisory industry has influenced industries time and time again over the years. Everyone understands how Uber revolutionized the yellow taxi model. Uber sparked competition from Lyft. Both have since faced competition from autonomous vehicle services such as Waymo. Think of iTunes taking over the radio industry—and then Spotify. Cell phones and […] May 2, 2025
Fusion Cloud: 25B Major Enhancements: Introducing Multi-Factor Authentication (MFA) for Supplier Portal We are excited to share a long-awaited major enhancement in 25B from Oracle: Multi-Factor Authentication (MFA) is now being implemented for Supplier Portal accounts. A BIG WIN!!! In the previous article, we highlighted that Oracle’s 25B major enhancement is introducing the most significant overhaul in application security for your ERP/HCM Cloud environment. If your team […]
Fusion Cloud: Oracle’s 25B release means Major Enhancements In release 25B, Oracle will begin to introduce the most significant overhaul related to application security. Here is a link to the recording: Oracle Go – FAQ: Fortifying Oracle Fusion Applications Best Practices for Securing External Facing Portals — Cloud Customer Connect The webinar by Roland Koene, Outbound Product Manager | SaaS Cloud Security at […] May 1, 2025
Why ERP Implementations Fail: UNBIASED (2 of 6) When embarking on a Digital Transformation Project, management strives to avoid becoming a headline in the news due to significant cost overrun or Significant Deficiencies in their first external audit after going live. In this six-part article series we are exploring the six systemic biases working against a successful ERP Implementation. In the first article, […] April 1, 2025
Significant Deficiencies: How the “System” Undermines Secure and Compliant ERP Implementations and What Auditors Overlook Having been in this space for over 25 years, I have seen the good, the bad, and the ugly. The deck is stacked against a secure and compliant ERP system implementation. Most publicly traded organizations implementing a new ERP system likely will have one or more “Significant Deficiencies” in the first year that should be […] February 25, 2025
Why ERP Implementations Fail: UNBIASED (1 of 6) We are witnessing the greatest digital transformation ever as organizations are moving from legacy ‘on-premise’ ERP systems to cloud-based ERP systems (SaaS applications). Though management is investing millions into the implementation of these SaaS applications, experts estimate that up to 90% of them fail. Why? Because “success” isn’t always about going live on time, within […] January 31, 2025
Perpetual Patch Cycles Define Today’s Digital Revolution for SaaS Applications A digital revolution is upon us! We are witnessing the greatest digital transformation since Y2K thanks to perpetual patch cycles within SaaS Applications. Organizations are ridding themselves of building and managing data centers by moving their legacy applications to hosted data centers, and thus moving many of their legacy applications to modern SaaS applications. Some […] November 27, 2024
Why Identity and Segregation of Duties Are the New Perimeter Managing identity has become one of the most critical elements of enterprise security in today’s complex digital environment September 30, 2024
3 Billion Reasons To Do More Than Just Secure The Perimeter Most organizations have mature processes and controls related to preventing a breach on their internal systems – what we refer to as “securing the perimeter.” August 23, 2024
Auditors Are Talking about Segregation of Duties Too Much! Having been in the Security and Controls space for far too long, I have witnessed and am still witnessing a phenomenon that needs to be addressed. Auditors talk WAY too much about Segregation of Duties. Hear me out… In testing access controls, auditors spend way too much time assessing risks related to SoD and far […] July 31, 2024
Top 4 Reasons You Need THIS Cyber Security Approach From our Cyber Security technical expert, Connor Thompson, CIA CISA In the Software as a Service (SaaS) world, cyber security risks extend far beyond traditional perimeter defenses and malware protection. Today, a strong cyber security strategy for SaaS environments must encompass a multi-faceted approach. This includes strong authentication methods, user training against social engineering attacks, […] June 28, 2024
Fusion Cloud: The Irony Related in Oracle’s Latest Article on Cybersecurity There’s a Lack of Native MFA in ERP/HCM Cloud. Oracle released this article in March highlighting the top cybersecurity threats and how to prevent them. In the article, they highlight the number one risk as “Business Email Compromise (BEC).” The article states “BEC is a type of phishing attack. Other phishing scams try to trick […] May 29, 2024
Top 3 Tips for Resovolutions: Setting the Right Objectives The Why Behind Our Tips In the following article, I make the case for why these top 3 tips are crucial action steps for your organization. We call it “turning resovolutions into action.” For 25+ years I have been watching ERP (Enterprise Resource Planning) implementations go live that are half-baked at best. This has created […] March 28, 2024
A Revolution of Resovolutions Part of our 2024 Resovolutions is to revolutionize the way organizations identify, manage, and mitigate risk in their ERP systems. Application security design and management risks produce a significant, immature control within organizations. Management knows these risks are often not being managed properly. The benefits seem to outweigh the risks when you consider: The long-term cost […] February 28, 2024
ERP Risk Advisors’ 2024 New Year’s Resolutions [Resovolutions] Everyone loves setting New Year’s Resolutions. Given my history of having a heart attack in 2019, I encourage you to set goals around eating healthy and consistent exercise (link to January newsletter story). You could say I’ve been around the block a few times, having spent 25+ years in the ERP applications space as a client, […] January 26, 2024
The Inner Struggle When Reality Hits: How Crisis Impacts Your Faith New Year – New Me…. In the new year, we like to focus on new goals, new aspirations, even “a new me”. But how do you face the new year when life’s inner struggles impact your mind? Having a traumatic, life-changing medical issue changes you and can challenge your faith in God. In March 2019, […] December 28, 2023
ERP Access Controls and Risk Advisory Services – a Cut Above Without the Additional Cost Application Access Controls form the foundation of your control environment in your ERP system. However, these new SaaS systems have become quite complex. And organizations tend not to have a program to develop and manage these controls. This is why more and more organizations are partnering with outside advisory firms to help. So, what are […] November 21, 2023
Bright Light Shines on Massive Failures of External Auditors with “Painful” Consequences The lack of maturity of external auditing procedures is finally attracting more of the attention it deserves. The US’s Public Company Accounting Oversight Board (PCAOB) and the UK’s Financial Reporting Council (FRC) are publicly challenging external auditors to improve their processes. Two Causes for Concern Emerge in One Month In October 2023, two articles emerged […] October 25, 2023
Lack of Software to Test Access Controls is Systemic and Why It Matters [Part 2] Part 2: In part 1 of this article series, I postulated that there is a systemic issue related to management override of controls. More concerning than the existence of this issue is that it isn’t being addressed by management or the audit community. This issue is systemic. Let’s discuss what changes we would need to […] October 23, 2023
The Impact of SEC Guidance Related to Cyber Risk for Organizations Using SaaS ERP Systems The latest U.S. Securities and Exchange Commission (SEC) guidance on Cyber Security risks has “Cyber” firms buzzing. Those that thought this would be the equivalent of Sarbanes-Oxley must have been seriously disappointed. There was no mandatory audit of Cyber risk included. The guidance requires companies “to disclose material cybersecurity incidents they experience and to disclose on […] August 28, 2023
Assessing AI (Artificial Intelligence) Risks & Controls Written By Fred Roth, CISA, Sr. Adjunct Lecturer at ERP Risk Advisors What is AI? Artificial Intelligence (AI) is fast, complex, and limitless. The risks and rewards are in the news daily. As with any new technology, security and controls lag technological growth. Who will assess the security and controls of this innovative technology for your […] July 27, 2023
Lack of Control Performer Independence Testing is a Systemic Issue and This is Why it Matters [Part 1] I recently wrote an article called Why Access Controls Must Be Tested for All In-Scope Systems and the feedback has been shocking. I have a decent network of auditors throughout external audit firms who regularly comment “off the record” when I am drafting or have published something. May 5, 2023
Cyber Risks Getting More Attention from Organizations Using SaaS Applications Organizations using SaaS Applications are encountering an increase in fraud risks that traditional cyber security firms are failing to recognize. Most organizations focus on protecting the perimeter and risks related to ransomware and data theft, leaving the organization vulnerable to attack in neglected areas. March 31, 2023
Why Access Controls Must Be Tested for All In-Scope Systems Sarbanes-Oxley and control design best practices require access controls be tested for every in-scope ERP system within an organization’s Risk and Control Matrix (RACM). While this may not be the standard for … March 22, 2023
FAA Failure: A Failure in IT Operations and Governance In early January, FAA software caused US flight operations to halt for several hours. For a summary of the software failure, see Adam Levin’s Bloomberg article “FAA Computer File Caused by People Who Damaged Data File”. February 15, 2023
PCAOB Change in Expectations Driving Increasing Scope for SOC Reports ERP software provides organizations with tremendous benefits including vast configurable processes and standard reports used for reporting on data. ERP software comes in two flavors: those that … March 8, 2022
A Story of Perseverance I did it! My redemption race is done. I AM AN IRONMAN!!! Two years, eight months and 20 days from my heart attack in the Oman 70.3 race, I completed my first full Ironman race in Arizona this past week. December 3, 2021
Are Auditors Looking at Privileges that Allow a User to Override / Bypass Workflows? Despite having been in the Oracle applications space for over 20 years it is still a mystery to me what external auditors do or don’t do in their audit. Recently on vacation I ran into an IT auditor from a big … September 9, 2021
Another Elephant in the Room: “Institutional Bias” in the External Audit Community Last week I wrote a blog talking about how the System Implementation industry is biased against a “Complete and Secure” implementation. This week I’d like to address another elephant in the … April 7, 2020
Why the PCAOB and External Auditors Should be Concerned about Substantive-Only Audits This article is long overdue, but still one I have been dreading to release. I know the audit firms could come under significant additional scrutiny from regulators such as the PCAOB. However, there are … July 4, 2018