the most comprehensive content approach in the industry

ERP Risk Advisors offers content for Oracle E-Business Suite, ERP Cloud, and PeopleSoft in various leading software companies. Our content related to segregation of duties, single-function risk, and access to sensitive data uses the most comprehensive approach in the industry and is mapped to the lowest object for each software package.


The content is process-centric in that it takes into account risks at the process level where Oracle’s security is deficient. For example, entering credit memos in AR is a common risk for organizations. However, in Oracle there is no single function you can point to that identifies the users who have the ability to enter a credit memo. In this case, the process-centric risk is noted with an appropriate risk description that gives further detail on these risks. The risk description includes this comment: “In many Oracle instances, access to the transactions form allows for the entry of a negative transaction (check your transaction types setups for creation sign).” Because of the process-centric nature of the content, much of it can be leveraged in your risk assessments related to other systems.


The content is also application-centric. We recognize there are certain risks that are unique to the software (such as Oracle E-Business Suite) that need to be specifically spelled out. For example, the forms that allow for the embedding of a SQL statement or OS statement are unique to Oracle E-Business Suite. Each of these forms is spelled out as a high-risk single function.

For Oracle E-Business Suite, our content addresses the following:

  • Over 1,000 SOD conflicts and single function risks
  • Addresses risk regarding inquiry access to sensitive data
  • Specific risk description for each conflict / single function risk
  • Common mitigating controls
  • Template to perform risk assessment for each conflict / single function risk
  • Common SOX and Fraud Risk
  • Consideration of manual processes that happen outside the system
  • Mapping to the function level for each system-related risk
  • Updates twice a year based on latest patches by Oracle

The content is geared towards those with a risk advisory, corporate governance, or internal audit background.