26 May ERP Cloud: Cheshire Police
A UK police force using Oracle ERP Cloud was given a “Significant Deficiency” finding by auditors at Grant Thornton, partly because of “Segregation of Duties” conflicts and privileged system accounts.
Read full article here
From the article (emphasis added):
“The commissioner’s Audit Advisory Committee report of a 27 May 2020 meeting said the Oracle Fusion system, which went live in 2019 in the Oracle-based Multi-Force Shared Service (MFSS) group system, included “segregation of duties conflicts in Oracle Fusion between IT security and finance duties.”
ERP Risk Advisors comments:
Access control issues including Segregation of Duties conflicts and Sensitive Access Risks are pervasive in the seeded roles provided by Oracle. Oracle recommends that organizations work with their System Integrators during their implementation process to reduce risk through the customization of roles. Yet, Oracle does not provide the means to test SoD conflicts and Sensitive Access risks without purchasing their Advanced Access Controls (AAC) solution – a part of the Risk Management Cloud.
Sadly, Oracle charges customers for a tool (AAC) that is needed by every organization to test their security design – whether they are publicly traded, subject to regulations like Sarbanes-Oxley, or privately held and merely looking to reduce fraud and protect the integrity of their system.
Further from the article (emphasis added):
“Risk that internal access to information assets and administrative functionality may not be restricted based on legitimate business need.”
Flagged as a “significant deficiency” by auditors at Grant Thornton, the problem meant 18 MFSS or Capgemini system administrator accounts – service accounts that have the IT security manager role assigned to them – also had privileged access to the finance system. “This breaches good practice to split these abilities,” the committee report said, and could allow account control by the vendor to “change system configurations,” meaning “there is a risk that system-enforced internal control mechanisms are bypassed through inappropriate use of administrative functionality.”
ERP Risk Advisors comments:
These issues are common at nearly every implementation we have reviewed.
- Management ‘accepts the risk’ of service accounts, then does not put in place the basic monitoring controls needed to see whether, and how, the accounts are being used.
- The same is often true of the IT Security Manager role. It is usually over-assigned, sometimes to the System Integration and remote IT support firm for months after go-live in the name of ‘supporting the system’ during Hypercare. However, IT Security Manager gives each holder ‘keys to the kingdom’ access by exposing Sensitive Access risks such as:
- Resetting passwords for all users (even SSO users) without adequate logs to track password resets and without notifying users that an administrator has reset their password
- Adding roles to their own account that can subsequently be deleted. These role assignments may be logged, but the logs are rarely reviewed in a timely manner for unauthorized use; they are normally used only to support an audit with a small sample size (usually only a few transactions a year out of thousands or tens of thousands of assignments).
- Making changes to roles to escalate their own permissions and then deleting the privileges that were added. These privilege additions may also be tracked in audit logs, but again… they are rarely reviewed proactively; they are mostly used to support internal and external audits, which look at only a small sample.
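Two of the points above can be tested without any vendor tool: whether a user or service account holds an IT security role together with a finance role (the Cheshire Police finding), and whether the role-assignment audit trail shows a security administrator granting a role to their own account or removing a grant again shortly after making it. The script below is an added example written for this post; it is not code from Oracle, from the article, or from ERP Risk Advisors. The role names, the account names, the `svc_` naming convention for service accounts, the pipe-delimited log format and every record in `AUDIT_LOG` are constructed for the example and are not Oracle Fusion’s audit schema. It goes slightly beyond the text by also checking a finance-only conflict pair (supplier maintenance plus supplier payment), since the same rule table handles both.

```python
"""Added example: offline SoD and sensitive-access checks over constructed data.

Not Oracle's, the article's or ERP Risk Advisors' code. Role names, account
names, the svc_ convention, the log format and the records are all made up.
"""
from datetime import datetime, timedelta

# Rule: a role on the left must not be held together with any role on the right.
SOD_RULES = {
    "IT Security Manager": {
        "Accounts Payable Manager",
        "General Accountant",
        "Financial Application Administrator",
    },
    # Classic finance pair: create or modify suppliers, and pay them.
    "Accounts Payable Manager": {"Supplier Manager"},
}

# Roles whose mere presence on an unattended account is a Sensitive Access risk.
SENSITIVE_ROLES = {"IT Security Manager", "Financial Application Administrator"}

# Constructed user-to-role snapshot (what a role-membership export would give you).
ASSIGNMENTS = {
    "jsmith": {"IT Security Manager", "Employee"},
    "akhan": {"General Accountant", "Employee"},
    "rpatel": {"Accounts Payable Manager", "Supplier Manager"},
    "svc_mfss_integ": {"IT Security Manager", "Accounts Payable Manager",
                       "Financial Application Administrator"},
    "svc_capgemini_01": {"IT Security Manager", "General Accountant"},
}

# Constructed audit records: timestamp|actor|action|target_user|role
AUDIT_LOG = """\
2020-03-02T09:15:00|svc_mfss_integ|GRANT|svc_mfss_integ|Accounts Payable Manager
2020-03-02T09:40:00|svc_mfss_integ|REVOKE|svc_mfss_integ|Accounts Payable Manager
2020-03-03T08:00:00|jsmith|GRANT|akhan|General Accountant
2020-03-04T10:00:00|jsmith|GRANT|jsmith|Financial Application Administrator
2020-03-10T08:00:00|jsmith|REVOKE|akhan|General Accountant
"""


def is_service_account(user):
    """Constructed convention: service accounts are named svc_*."""
    return user.startswith("svc_")


def sod_conflicts(assignments, rules=SOD_RULES):
    """Return sorted (user, left_role, right_role) for every conflicting pair held."""
    found = []
    for user, roles in assignments.items():
        for left, rights in rules.items():
            if left in roles:
                found.extend((user, left, right) for right in sorted(roles & rights))
    return sorted(found)


def privileged_service_accounts(assignments, sensitive=SENSITIVE_ROLES):
    """Service accounts holding a sensitive role: the 'accepted risk' that needs monitoring."""
    return {user: sorted(roles & sensitive)
            for user, roles in assignments.items()
            if is_service_account(user) and roles & sensitive}


def parse_log(lines):
    """Parse the constructed pipe-delimited records into dicts, oldest first."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        ts, actor, action, target, role = (f.strip() for f in line.split("|"))
        events.append({"ts": datetime.fromisoformat(ts), "actor": actor,
                       "action": action, "target": target, "role": role})
    return sorted(events, key=lambda e: e["ts"])


def self_grants(events):
    """GRANT events where the actor is the target: roles added to one's own account."""
    return [(e["ts"], e["actor"], e["role"])
            for e in events if e["action"] == "GRANT" and e["actor"] == e["target"]]


def short_lived_grants(events, window=timedelta(hours=24)):
    """GRANT followed by REVOKE of the same (user, role) within `window`.

    This is the use-then-delete pattern a yearly audit sample almost never
    lands on. Returns (granted_at, held_for, actor, user, role) tuples.
    """
    open_grants, found = {}, []
    for e in events:
        key = (e["target"], e["role"])
        if e["action"] == "GRANT":
            open_grants[key] = e
        elif e["action"] == "REVOKE" and key in open_grants:
            granted = open_grants.pop(key)
            held = e["ts"] - granted["ts"]
            if held <= window:
                found.append((granted["ts"], held, granted["actor"], e["target"], e["role"]))
    return found


if __name__ == "__main__":
    for c in sod_conflicts(ASSIGNMENTS):
        print("SoD conflict:", *c)
    for user, roles in privileged_service_accounts(ASSIGNMENTS).items():
        print("Sensitive roles on service account:", user, roles)
    events = parse_log(AUDIT_LOG.splitlines())
    for ts, actor, role in self_grants(events):
        print("Self-grant:", ts, actor, role)
    for granted_at, held, actor, user, role in short_lived_grants(events):
        print("Short-lived grant:", granted_at, "held for", held, actor, user, role)
```

Run as-is with `python3` to see the constructed findings; to use it for real, replace `ASSIGNMENTS` with a role-membership export and `AUDIT_LOG` with role-assignment audit records mapped to the same five fields, and set `window` to whatever your review cadence is. The point of the design is that `short_lived_grants` walks every record rather than sampling, which is exactly what the “few transactions a year” audit sample described above does not do.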
Realistically, we believe most organizations are subject to a control deficiency that could easily rise to the level of a Significant Deficiency. We have seen these types of deficiencies, when combined with others, rise to a Material Weakness.
ERP Risk Advisors Offering:
ERP Risk Advisors offers a free review of your internal controls environment when the organization completes the self-assessment at: https://www.erpra.net/erp-armor/
ERP Risk Advisors also offers a one-time or recurring service that allows organizations to test their access controls, to help inoculate their organization against risks such as those experienced by Cheshire Police.
If you are interested, please contact us here: https://www.erpra.net/contact-us/