Protected: 3 Billion Reasons To Do More Than Just Secure The Perimeter August 23, 2024
Auditors Are Talking about Segregation of Duties Too Much! Having been in the Security and Controls space for far too long, I have witnessed and am still witnessing a phenomenon that needs to be addressed. Auditors talk WAY too much about Segregation of Duties. Hear me out… In testing access controls, auditors spend way too much time assessing risks related to SoD and far […] July 31, 2024
Top 4 Reasons You Need THIS Cyber Security Approach From our Cyber Security technical expert, Connor Thompson, CIA CISA In the Software as a Service (SaaS) world, cyber security risks extend far beyond traditional perimeter defenses and malware protection. Today, a strong cyber security strategy for SaaS environments must encompass a multi-faceted approach. This includes strong authentication methods, user training against social engineering attacks, […] June 28, 2024
The Irony Related in Oracle’s Latest Article on Cybersecurity There’s a Lack of Native MFA in ERP/HCM Cloud. Oracle released this article in March highlighting the top cybersecurity threats and how to prevent them. In the article, they highlight the number one risk as “Business Email Compromise (BEC).” The article states “BEC is a type of phishing attack. Other phishing scams try to trick […] May 29, 2024
Top 3 Tips for Resovolutions: Setting the Right Objectives The Why Behind Our Tips In the following article, I make the case for why these top 3 tips are crucial action steps for your organization. We call it “turning resovolutions into action.” For 25+ years I have been watching ERP (Enterprise Resource Planning) implementations go live that are half-baked at best. This has created […] March 28, 2024
A Revolution of Resovolutions Part of our 2024 Resovolutions is to revolutionize the way organizations identify, manage, and mitigate risk in their ERP systems. Application security design and management risks produce a significant, immature control within organizations. Management knows these risks are often not being managed properly. The benefits seem to outweigh the risks when you consider: The long-term cost […] February 28, 2024
ERP Risk Advisors’ 2024 New Year’s Resolutions [Resovolutions] Everyone loves setting New Year’s Resolutions. Given my history having a heart attack in 2019, I encourage you to set goals around eating healthy and consistent exercise (link to January newsletter story). You could say I’ve been around the block a few times, having spent 25+ years in the ERP applications space as a client, […] January 26, 2024
The Inner Struggle When Reality Hits: How Crisis Impacts Your Faith New Year – New Me…. In the new year, we like to focus on new goals, new aspirations, even “a new me”. But how do you face the new year when life’s inner struggles impact your mind? Having a traumatic, life-changing medical issue changes you and can challenge your faith in God. In March 2019, […] December 28, 2023
Bright Light Shines on Massive Failures of External Auditors with “Painful” Consequences The lack of maturity of external auditing procedures is finally attracting more of the attention it deserves. The US’s Public Company Accounting Oversight Board (PCAOB) and the UK’s Financial Reporting Council (FRC) are publicly challenging external auditors to improve their processes. Two Causes for Concern Emerge in One Month In October 2023, two articles emerged […] October 25, 2023
Lack of Software to Test Access Controls is Systemic and Why It Matters [Part 2] Part 2: In part 1 of this article series, I postulated that there is a systemic issue related to management override of controls. More concerning than the existence of this issue is that it isn’t being addressed by management or the audit community. This issue is systemic. Let’s discuss what changes we would need to […] October 23, 2023
The Impact of SEC Guidance Related to Cyber Risk for Organizations Using SaaS ERP Systems The latest U.S. Securities and Exchange Commission (SEC) guidance on Cyber Security risks has “Cyber” firms buzzing. Those that thought this would be the equivalent of Sarbanes-Oxley must have been seriously disappointed. There was no mandatory audit of Cyber risk included. The guidance requires companies “to disclose material cybersecurity incidents they experience and to disclose on […] August 28, 2023
Assessing AI (Artificial Intelligence) Risks & Controls Written By Fred Roth, CISA, Sr. Adjunct Lecturer at ERP Risk Advisors What is AI? Artificial Intelligence (AI) is fast, complex, and limitless. The risks and rewards are in the news daily. As with any new technology, security and controls lag technological growth. Who will assess the security and controls of this innovative technology for your […] July 27, 2023
Lack of Control Performer Independence Testing is a Systemic Issue and This is Why it Matters [Part 1] I recently wrote an article called Why Access Controls Must Be Tested for All In-Scope Systems and the feedback has been shocking. I have a decent network of auditors throughout external audit firms who regularly comment “off the record” when I am drafting or have published something. May 5, 2023
Cyber Risks Getting More Attention from Organizations Using SaaS Applications Organizations using SaaS Applications are encountering an increase in fraud risks that traditional cyber security firms are failing to recognize. Most organizations focus on protecting the perimeter and risks related to ransomware and data theft, leaving the organization vulnerable to attack in neglected areas. March 31, 2023
Why Access Controls Must Be Tested for All In-Scope Systems Sarbanes-Oxley and control design best practices require access controls be tested for every in-scope ERP system within an organization’s Risk and Control Matrix (RACM). While this may not be the standard for … March 22, 2023
FAA Failure: A Failure in IT Operations and Governance In early January, FAA software caused US flight operations to halt for several hours. For a summary of the software failure, see Adam Levin’s Bloomberg article “FAA Computer File Caused by People Who Damaged Data File”. February 15, 2023
PCAOB Change in Expectations Driving Increasing Scope for SOC Reports ERP software provides organizations with tremendous benefits including vast configurable processes and standard reports used for reporting on data. ERP software comes in two flavors: those that … March 8, 2022
A Story of Perseverance I did it! My redemption race is done. I AM AN IRONMAN!!! Two years, eight months and 20 days from my heart attack in the Oman 70.3 race, I completed my first full Ironman race in Arizona this past week. December 3, 2021
Another Elephant in the Room: “Institutional Bias” in the External Audit Community Last week I wrote a blog talking about how the System Implementation industry is biased against a “Complete and Secure” implementation. This week I’d like to address another elephant in the … April 7, 2020
Why the PCAOB and External Auditors Should be Concerned about Substantive-Only Audits This article is long overdue, but still one I have been dreading to release. I know the audit firms could come under significant additional scrutiny from regulators such as the PCAOB. However, there are … July 4, 2018