A Revolution of Resovolutions
Blog Article by Jeff Hare
Part of our 2024 Resovolutions is to revolutionize the way organizations identify, manage, and mitigate risk in their ERP systems. Application security design and management risks represent a significant, immature control area within organizations. Management knows these risks are often not being managed properly. The benefits seem to outweigh the risks when you consider:
- The long-term cost of acquiring software,
- Monitoring risks and keeping current,
- And keeping staff on task and educated.
Traditionally, there have been two types of software – the first being identity and access management (IAM). The second category of software is typically used for compliance to test application access controls.
Software Types & the Risks
Let’s Set the Stage, from Problem to Resovolution…
To understand our 2024 resovolutions, you must first understand the problem. Identity and access management software (IAM) manages identities across all (or most) IT systems. This allows for automated provisioning and de-provisioning of users, as well as changes to a user’s access as roles change.
Application access controls software is leveraged to test Segregation of Duties (SoD) conflicts and to a lesser extent, sensitive access risks (SA). This category is most often used for testing compliance risks such as Sarbanes-Oxley, J-Sox, and UK-Sox.
Implementation projects related to these systems often start in the six figures and rise from there. These projects will likely repeat during significant upgrades, which typically occur every two to five years for on-premise applications such as Oracle E-Business Suite and SAP. The way software is traditionally sold and implemented makes the cost outweigh the value. Often organizations choose not to implement and maintain their own software, but instead rely on expensive contracts with the Big 4 and other large risk advisory firms to test these controls. On the other hand, organizations take a wrong turn with a “hope and pray approach” and wait for the external auditors to test these controls as part of their annual audit.
The Plot Thickens…
Historically, the effectiveness of external auditors is hit or miss. Mostly a miss… either by over-scoping or under-scoping risks. As I say to clients regularly, “they throw a bunch of crap up on the wall and see what sticks”. Their rationale for what they include and exclude seems at times to be random.
The world is rapidly moving to SaaS ERP applications where patches are mandatory two to four times a year. These patches / releases introduce changes to the systems on a regular basis. New features are a driving factor on why organizations implement systems such as ERP Cloud, NetSuite, Workday, or others.
These perpetual patching cycles demand that management identify, manage, and mitigate new risks on a regular basis. Each patch cycle is a mini-upgrade project. Identify changes and new features… Test, test, test to make sure everything works as expected. Then, evaluate whether seeded or hybrid roles have new abilities added to them which make them appropriate or not for their users. And then finally, we hope and pray the patches / releases applied to the DEV environment are the same as what is applied to Production.
SaaS applications have also introduced new cyber security risks. Traditionally, one may find the “keys to the kingdom” systems behind a firewall in secure networks and data centers. The old adage was to ‘protect the perimeter’. If the bad guys can’t penetrate the network, our data and systems are safe – or so management thought.
So Where is the Problem?
This is why our 2024 resovolutions are so critical now. We are witnessing the greatest digital transformation process since Y2K. Covid-19 and the work-from-home environment have made it almost mandatory to use SaaS applications. So, management has decided to use internet-facing applications to support the new world we live in.
A traditional view of cyber security is blind to the new risks. Management has decided to outsource ‘protecting the perimeter’ to cloud hosting and SaaS ERP system providers such as Oracle, NetSuite, Workday, Salesforce, and SAP. This strategy is fantastic when ALL risks are under their protection. However, an issue we see management falling into is not identifying a firm specializing in cyber security AND one who has specific expertise with the ERP systems they are implementing. A vast majority of cyber security firms do not have expertise in how SaaS systems are configured and secured. If cyber security firms do not have this expertise, these systems are left vulnerable to fraud, compliance risk, and PII, PHI, and other data security risks.
A Gap in Design
Simply put, cyber security firms do not have the expertise to help management identify, manage, and mitigate risks because they lack a comprehensive understanding of each unique ERP system. What is needed is a deep domain expertise in how authentication and application security is configured and deployed within an ERP system.
Therefore, can we count on the auditors to bring these issues to the attention of management? Gaps in people, processes, and technologies are where auditors normally come in. Where there are control design deficiencies, management can call upon internal auditors as a first line of defense. However, there are chasms between the work of the IT auditors and the financial auditors. Despite the billions spent on SOX audits, systemic issues in the audit process leave issues under-audited or un-audited.
Recently, we brought the PCAOB’s attention to a major flaw we identified in the methodology of internal and external audits. We found audit firms are not testing to verify that control performers are independent in the oversight of their controls [article]. This gap in the design of audit procedures means auditors would not be able to detect whether management has overridden the controls defined. The override of controls by management was one of the major factors leading to the adoption of the audit of Internal Controls over Financial Reporting introduced by the Sarbanes-Oxley legislation in 2002. Let’s look at how our 2024 resovolutions solve the issues at hand.
In Closing: Resovolutions Recap
Nothing is New Under the Sun
Last month in our newsletter, we introduced our 2024 resovolutions for the first time. We want to see a revolution in risk management in four industries: ERP software, System Integrator, Cyber Risk, and the Audit Industries.
Having spent 25+ years in this space, I, Jeff Hare CPA, CISA, CIA, have seen these issues firsthand. These industries remind me of the quote from Ecclesiastes 1:9 in the Old Testament –
“What has been will be again, what has been done will be done again; there is nothing new under the sun.”
The writer of Ecclesiastes understood that the sinful heart of man leads to the same outcomes over and over again… Same story… different day…
Applying this to the ‘modern’ world we get:
- Same ERP software development and sales processes… leading to incomplete systems…
- Same System Integrator processes… leading to incomplete and insecure ERP implementations…
- Same Cyber Risk firms… securing the perimeter is not enough… leading to a lack of ERP system focus and ERP systems subject to cyber security risks…
- Same Auditors… same overly expensive audits led by untrained and poorly supervised auditors… leading to very little value added.
How do we change the tides?
Markedly, this leads me back to the 2024 Resovolutions we set at the end of last year.
I asked myself and my team: How can we change the tide? How can we help management have better outcomes? How do we help better educate management on these risks, so they can then bid and award contracts to firms in light of these systemic issues?
In 2024, I hope to develop and publish a class for senior management to take, ideally before they start an ERP project. The class will focus on the key discussions and decisions they need to make related to the lifecycle of an ERP system, including:
- ERP vendor selection process
- Negotiating and developing a contract with an ERP software provider
- ERP software provider(s)
- System Integrator
- Training for IT and end user staff
- Risk Advisory firm
- Risk content firm (we are the only firm in this category)
- Cyber risk assessment
- Cyber risk / Security monitoring (Internal / External threats)
- Pre- and Post-implementation auditor
- Support provider
- Managed service provider(s)
- Patch lifecycle management, including impact analysis and testing automation.
Not in scope for this class will be the lifecycle of de-commissioning an ERP system.
Our Ask
Even as I finish this article, I realize the monumental task I have set forth to do. To be even moderately successful, I am going to need the help and input of folks who have seen the good, the bad, and the ugly. I would appreciate any willingness to speak on your experiences. If so, please provide your contact information here.
Sincerely,