The Sarbanes-Oxley Act (SOX), enacted in 2002, created a watershed moment for companies, forcing them to take a critical look at their internal controls and processes. Executives who had operated unfettered until then, abusing company resources and shareholder money, were now asked to account for their actions. Although the mandates under the SOX Act started out murky, they have since evolved into a clearer, more manageable set, but much still needs to be done. As a matter of fact, SOX compliance is still one of those activities that takes a significant investment of time, money and resources at each company.
All the demands associated with the SOX (and PCI, HIPAA, GLBA) mandates have in turn created a new segment of technologies under the umbrella of Governance, Risk and Compliance (GRC) to help companies cope with these challenges.
I recently had a chance to meet with Jeff Hare, who has been practicing Internal Audit and Information Systems Audit and has built a significant following through his tireless work for companies and for the community at large in the GRC area. He is a Certified Public Accountant (CPA), Certified Information Systems Auditor (CISA) and Certified Internal Auditor (CIA) and has a long history of helping companies with their compliance mandates. He recently came out with a book on Application Security Controls, “Oracle E-Business Suite: Application Security Best Practices”, specifically targeted at Oracle Applications customers.
Our discussion covered the state of affairs in the GRC space, the challenges faced by companies, the book and the future. Here is an excerpt:
SM: Jeff, tell us a little bit about yourself for the benefit of the readers of PrudentCloud.
JH: I started my career in public accounting with a Big 8 firm and spent 6-plus years in Corporate Accounting roles as Assistant Controller, Controller, and CFO. I had been running audits even in the pre-SOX days as a client and so was already very familiar with the audit process. For the last 6 years I have been focusing on Internal Controls and Security best practices in the area of Oracle E-Business Suite. My profile is slightly different from a typical financial auditor’s in that I have been doing the IT side of implementations besides IT audits as well. I am a Certified Public Accountant (CPA), Certified Information Systems Auditor (CISA) and a Certified Internal Auditor (CIA). In fact, I have been working in the Oracle E-Business Suite space since 1998.
SM: So you have essentially played all three key roles involved in a typical IT-Systems Audit: the internal auditor, the external auditor and the Systems guy. That should give you a 360-degree view of a typical audit from everybody’s perspective. Coming to the book, why the book? How did it come about?
JH: Over the years, organizations and auditors have predominantly focused on SOX compliance, which has left some gaps in their implementation of internal controls for Oracle EBS. While they broadly cover the high-level risks, the fraud risk below the materiality level, i.e., the sub-material fraud risk, is typically left unmanaged. Since the area is so vast, there was no definitive manual for checking the nuances and implementing appropriate security controls. Hence I felt that a book that addresses these areas would be very useful to the Oracle EBS community. The book focuses on Application Security, a key component of internal controls and security.
I feel that this is a beginning and there could be a series of such books focused on various topics around Oracle EBS Controls. I have some early drafts of follow-up books in the area of assessing risk in the design of business processes and application security. Eventually, when Oracle releases Fusion Applications and there is widespread adoption, I can see the next series of books.
SM: Sub-material fraud risk. Can you give us an example to give readers some idea of what you are referring to?
JH: I will give you a typical example in Accounts Payable (AP). An AP clerk might have the ability to enter a fictitious supplier in the system and then enter and approve an invoice related to that supplier. For SOX purposes, a company may look at large invoices to prevent material fraud from occurring, but not have controls over smaller invoices below certain thresholds.
SM: That is a great example of where it is easy to miss controls. I guess when the controls, by definition, are tied to discrete functions in the application as opposed to the business process, that is bound to happen.
JH: You are absolutely right. The controls in Oracle EBS are tied to individual functions. But depending on the business scenario, those very functions fulfill different needs, and hence having a control at the function level does not work under all scenarios. Ideally the controls should be defined for a business process under various scenarios and should be enforced throughout the process. The book delves into these scenarios and tries to outline the controls that are needed in each of them.
SM: Who is the typical audience for the book?
JH: Anyone focused on application security. The audience is pretty broad. CIOs and IT managers need to read this to understand the unmitigated risks they have related to application security; internal auditors and IT auditors need to audit business process and IT controls related to application security; business analysts and application consultants could benefit as well. I have intentionally organized the book in such a way that educators/academia can also take advantage of the approaches outlined in it.
SM: In a way, the book has a broad focus, doesn’t it?
JH: Yes. It was an intentional decision to keep it broad instead of focusing on a particular compliance mandate like SOX, PCI-DSS, GLBA or HIPAA. My feeling is that, irrespective of the compliance mandates, there are several controls that are common and necessary for companies to institute. The objective of the book is to define best practices for application security and to address topics that cross a broad variety of compliance requirements.
SM: Now that we are about 6-7 years into the whole Governance, Risk and Compliance (GRC) era, what is the state of affairs?
JH: Despite being into the 7th year, very few detailed best practices have been written in the public domain. Organizations have had to rely on consulting and audit firms to address their application security design and related controls. From my experience, a well-defined and mature risk assessment process in this area is still years away. Everyone is so concerned about their intellectual property that the best and brightest minds across firms, end users, and academia have yet to come together to define best practices.
Because of this, organizations have various risk exposures, much of which they have yet to identify. Many C-level executives would be shocked to hear the risks they have presumably ‘accepted.’ In reality, there are a lot of remaining risks that have yet to be brought to their attention.
SM: Where does this leave the technology solutions that are in the market?
JH: As for technology solutions, there are a handful of large ones, like Oracle, which are borderline good, but they have priced the solutions so high that they have priced the customers out of the market. Then there are smaller companies with good offerings that just are not getting the exposure in the marketplace due to smaller sales and marketing budgets and less brand awareness. I had hoped that Oracle would have lowered the price of the LogicalApps suite after the purchase, but the average selling price is still too high for many SMB companies. Companies caught between these two challenges are doing what they can.
SM: So where can someone buy the book?
SM: Excellent. Jeff, it has been great catching up, and good luck with the book. There are a lot of people out there waiting for good, concrete information.