18 Nov Oracle rejects two critical enhancement requests for ERP Cloud – do they even care about compliance?
Oracle Customer Connect debacle Nov 2021
We file enhancement requests with Oracle for ERP Cloud issues through a community site called Customer Connect. In fact, ERP Risk Advisors has filed more enhancement requests related to security and controls than any other organization. We desperately need Oracle to enhance their solutions so that our customers can more effectively secure their applications and reduce significant compliance risks.
Unfortunately, we are no longer convinced Oracle is taking the feedback provided through Customer Connect seriously and we will provide three examples – two where they have rejected the request and one where they have, strangely, failed to respond.
For the one they have failed to respond to, let me provide some context. Oracle delivers a seeded Employee role that provides the basic elements needed by all employees. In every instance we evaluate, we find either this seeded role assigned or a custom role based on the seeded Employee role. We identified that the seeded Employee role contains two privileges that could allow a fraudster to commit material fraud. Here are the details of our ER and the dialogue back and forth with Oracle on this topic: https://cloudcustomerconnect.oracle.com/posts/16e90b9d56
The Employee role is developed by the HR team. Before agreeing to remove the privileges from the Employee role, they verified the risk with the Financials team. To give you some perspective on how siloed Oracle is, after the Financials team verified this fraud risk for the HR team, the Financials team didn’t think to look for this risk in their own backyard. We had to log an Enhancement Request with them to ask them to remove this fraud risk from the roles they own. Here is the ticket outstanding with the Financials team to remove this ability from the roles owned by the Financials team.
What is odd to us is that the financials team has not even acknowledged this Enhancement Request. It still has a status of Submitted. Usually, when Oracle first takes a look at an issue, the status is changed to “Under Oracle Review”. Why is it that the Financials team wouldn’t evaluate this risk for their roles once they had confirmed this risk for the HCM team? This is an indicator of a lack of focus on security and compliance risks.
We have similar enhancement requests open with the Purchasing, Product Recall Management, and Supplier Management teams. There are also similar issues with the Higher Education roles, but currently Oracle doesn’t provide a way to log an Enhancement Request with that product team.
This risk, by the way, is also present in the seeded Internal Auditor role – which is intended to be used by Internal Auditors. So, if you take Oracle’s seeded roles as the basis for assigning roles to users by job function, the assignment of the seeded Internal Auditor role effectively compromises the internal auditor’s ability to investigate this fraud, since they have the same ability themselves. Pro tip… if you are an internal auditor and are assigned the seeded Internal Auditor role – you might want to ask to have that role de-provisioned from your user account.
The lesson we learned is that Oracle is incredibly siloed and one product team doesn’t talk to another product team about issues such as this. By the way, our recent analysis of 21D identified many other roles that have this risk as well.
Two critical enhancement requests that have been rejected
On to the next topic, the two critical enhancement requests that have been rejected.
The first one relates to the ability to turn audit logging functionality, known as Audit Policies, on and off. Audit Policies, when enabled, form the foundation of an organization’s control environment. Audit Policies must be turned on because they aren’t enabled by default. Given they have to be turned on, this means they can also be turned off. We identified a seeded END USER role that has this ability – namely the Product Data Steward role. We logged an Enhancement Request to have it removed from that role because it is a role used by end users. See the thread on this topic here:
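Both findings above (a sensitive privilege buried in the seeded Employee role and inherited by the Internal Auditor role, and the ability to manage Audit Policies sitting in the end-user Product Data Steward role) come down to the same question: which privileges does a role actually carry once inheritance is followed? The following added example (ours, not Oracle’s or ERP Risk Advisors’ code) walks a constructed role hierarchy and reports every role that reaches a privilege on a watch list, with the inheritance path. All role, duty and privilege names here are placeholders, not Oracle’s actual seeded names, and the hierarchy is invented for the demonstration.

```python
"""Role-hierarchy review: report which top-level roles reach a sensitive
privilege, directly or by inheritance, and through which path.

Added example. ROLE_HIERARCHY, ROLE_PRIVILEGES and SENSITIVE_PRIVILEGES are
constructed placeholders; they are not Oracle's seeded role definitions."""
from collections import deque

# Constructed hierarchy: role -> roles it inherits from (job role -> duty roles).
ROLE_HIERARCHY = {
    "Employee": ["Expense Entry Duty", "Employee Self-Service Duty"],
    "Internal Auditor": ["Audit Review Duty", "Employee"],
    "Product Data Steward": ["Item Management Duty", "Application Audit Duty"],
    "Expense Entry Duty": [],
    "Employee Self-Service Duty": ["Payment Method Duty"],
    "Payment Method Duty": [],
    "Audit Review Duty": [],
    "Item Management Duty": [],
    "Application Audit Duty": [],
}

# Constructed direct privilege grants per role (placeholder privilege names).
ROLE_PRIVILEGES = {
    "Expense Entry Duty": ["Create Expense Report"],
    "Employee Self-Service Duty": ["View Payslip"],
    "Payment Method Duty": ["Manage Personal Payment Method"],
    "Audit Review Duty": ["View Audit Reports"],
    "Item Management Duty": ["Manage Item"],
    "Application Audit Duty": ["Manage Audit Policies"],
}

# Watch list a control owner maintains (constructed names and reasons).
SENSITIVE_PRIVILEGES = {
    "Manage Personal Payment Method": "constructed example of a fraud-relevant privilege",
    "Manage Audit Policies": "can switch audit logging off",
}


def effective_privileges(role):
    """Return {privilege: path} for every privilege reachable from `role`.
    `path` is the chain of roles through which the privilege is inherited."""
    found = {}
    seen = set()
    queue = deque([(role, [role])])
    while queue:
        current, path = queue.popleft()
        if current in seen:  # hierarchies can share duty roles; visit once
            continue
        seen.add(current)
        for priv in ROLE_PRIVILEGES.get(current, []):
            found.setdefault(priv, path)  # keep the first (shortest) path
        for parent in ROLE_HIERARCHY.get(current, []):
            queue.append((parent, path + [parent]))
    return found


def find_sensitive_grants(top_roles):
    """For each role assigned to users, list every sensitive privilege it
    ends up with, the reason it is on the watch list, and the path."""
    findings = []
    for role in top_roles:
        privs = effective_privileges(role)
        for priv, reason in SENSITIVE_PRIVILEGES.items():
            if priv in privs:
                findings.append({
                    "role": role,
                    "privilege": priv,
                    "reason": reason,
                    "path": " > ".join(privs[priv]),
                })
    return findings


if __name__ == "__main__":
    for f in find_sensitive_grants(["Employee", "Internal Auditor", "Product Data Steward"]):
        print(f"{f['role']}: {f['privilege']} ({f['reason']}) via {f['path']}")
```

The point of reporting the path rather than just a yes/no is that remediation happens at the duty role that actually holds the privilege; in the constructed data the Internal Auditor role is flagged only because it inherits Employee, which is exactly the situation the post describes.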
The second example where Oracle has rejected a critical enhancement request is this thread:
As some background on this topic, see this thread:
In Oracle, the ability to enter a Journal Entry via ADFDI (like Web ADI in E-Business Suite) also gives the user the ability to enter a journal entry via FBDI. JEs uploaded via ADFDI are generally subject to the journal approval workflow, as typically configured via the Journal Sources page. Journal entries entered via FBDI are NOT subject to the journal approval workflow, because this ability is typically used for interfaces or conversion activities. The FBDI template allows a user to select ANY source, including those that are configured to be subject to the journal approval workflow process.
This has been a known issue, and another user has logged an Enhancement Request that has been outstanding since September 2020. This is frustrating given it is another potential material weakness for SOX filers.
Given Oracle hasn’t even acknowledged that this needs to be fixed in the year since it was logged, we logged another ER to address this unresolved deficiency. A detective control would be helpful, which is why we logged this Enhancement Request:
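Since no seeded report covers this, the detective control has to be built by the customer. The added example below (ours, not Oracle’s or ERP Risk Advisors’ code) shows the logic such a report needs: compare each journal’s source against the approval configuration from the Journal Sources page and flag any journal whose source requires approval but which was posted without it, for example because it came in through FBDI. The journal records and source configuration are constructed for the example, and the field names (`entry_method`, `approval_status`, `require_approval`) are assumptions rather than Oracle’s actual table or column names.

```python
"""Detective control over journal-approval bypass.

Added example with constructed data. Field and dictionary names are
assumptions about what an extract from the GL would contain; they are not
Oracle's real table or column names."""
from collections import Counter

# Constructed copy of the Journal Sources configuration.
JOURNAL_SOURCES = {
    "Manual": {"require_approval": True},
    "Spreadsheet": {"require_approval": True},
    "Payables": {"require_approval": False},
    "Conversion": {"require_approval": False},
}

# Constructed journal headers. entry_method records how the journal arrived.
JOURNALS = [
    {"je_id": 1001, "source": "Manual", "entry_method": "UI",
     "approval_status": "Approved", "posted": True, "created_by": "user_a"},
    {"je_id": 1002, "source": "Spreadsheet", "entry_method": "ADFDI",
     "approval_status": "Approved", "posted": True, "created_by": "user_b"},
    # FBDI import that named an approval-required source: approval was skipped.
    {"je_id": 1003, "source": "Spreadsheet", "entry_method": "FBDI",
     "approval_status": "Not Required", "posted": True, "created_by": "user_b"},
    {"je_id": 1004, "source": "Manual", "entry_method": "FBDI",
     "approval_status": "Not Required", "posted": True, "created_by": "user_c"},
    # Legitimate interface load: source is not configured for approval.
    {"je_id": 1005, "source": "Payables", "entry_method": "FBDI",
     "approval_status": "Not Required", "posted": True, "created_by": "interface"},
    # Unposted journal still awaiting approval: not an exception.
    {"je_id": 1006, "source": "Manual", "entry_method": "UI",
     "approval_status": "In Process", "posted": False, "created_by": "user_a"},
]


def approval_bypass_exceptions(journals, sources):
    """Return posted journals whose source is configured to require approval
    but which were never approved, plus journals with an unknown source."""
    exceptions = []
    for j in journals:
        cfg = sources.get(j["source"])
        if cfg is None:
            exceptions.append({**j, "reason": "source not in Journal Sources configuration"})
            continue
        if not j["posted"]:
            continue  # approval can still happen before posting
        if cfg["require_approval"] and j["approval_status"] != "Approved":
            exceptions.append({
                **j,
                "reason": f"source requires approval but journal was posted "
                          f"via {j['entry_method']} with status {j['approval_status']}",
            })
    return exceptions


def exceptions_by_user(exceptions):
    """Count exceptions per creating user, the usual follow-up view for review."""
    return dict(Counter(e["created_by"] for e in exceptions))


if __name__ == "__main__":
    found = approval_bypass_exceptions(JOURNALS, JOURNAL_SOURCES)
    for e in found:
        print(f"JE {e['je_id']} ({e['source']}, {e['created_by']}): {e['reason']}")
    print(exceptions_by_user(found))
```

Keying the check on the source’s approval configuration rather than on the entry method keeps the report correct when a source is later switched to require approval: any journal that slipped in under that source without approval shows up, whichever template it came from.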
This was archived on November 10, 2021 even though it had 38 votes at the time, and those votes were accumulated in only a few months (it was logged June 8, 2021). This is the standard comment made by Oracle when it was archived:
“Thank you for your idea submission. Due to the high volume of ideas we receive, we are not able to address your idea in the short/medium term. This idea submission will be archived and no further action will be taken on it. We greatly appreciate your efforts in helping us build the best products and services for all of our customers.”
Hence, this is another example of Oracle not ‘getting it’. This ER and the ER on which it was based (separating ADFDI vs FBDI abilities) have not been acknowledged or responded to by Oracle. Given the significance of the risk from a SOX / external audit perspective, it is clear Oracle doesn’t have a clue about compliance issues.
Another note… given external auditors are aware of this issue and there is no seeded report that provides the ability to perform a detective control over this risk, you have to wonder if external auditors have a clue about this risk either.
The three examples we have provided make it clear that Oracle development (in this case Financials / General Ledger team) doesn’t have the right people and processes to evaluate deficiencies in functionality and requests for enhancements by consultants and end users who are implementing and using ERP Cloud.