Jeffrey T Hare, CPA CISA CIA's blog
Jeffrey Hare's blog on internal controls and security in an Oracle Applications environment.
What do Tom the Turkey and ERP Seminars have in common???
The answer - both are setting standards. Tom the Turkey has become known as the standard for Thanksgiving meals throughout the world (for those of us Americans, at least). ERP Seminars has launched an ambitious campaign to define the standards related to Oracle EBS user access controls.



For those of you that know me I bet you were thinking the comparison would relate to a round stomach and bald head.  Sorry...



More details can be found at: http://www.erpseminars.com/standards.html



The standards development process will be the perfect forum for professionals to learn the intricacies of assessing risk related to application security for Oracle EBS customers.  For those newbies, you'll get up to 44 hours of CPE training over a 3 1/2 month period.  For those veterans in the field, you'll be able to forge your legacy through the standards development process and may earn the right to license the risk assessment process from ERP Seminars.



For now, enjoy your turkeys (or tofu or whatever...) and enjoy your Thanksgiving day. Rest up because starting in January we have a LOT of work to do.



Regards,

Jeff



2008-11-25 22:54:24 GMT | Comments: 1
SOX and Chamber of Commerce Survey
The timing on me finding a survey from the US Chamber of Commerce on my desk is impeccable with the financial crisis happening around us.  The survey was published Nov 07 and the question that I found interesting was:

"Looking ahead to Dec 08, to what extent do you expect compliance with SOX 404 will allow your company and your company's outside auditor to detect and prevent material fraud"



What is shocking to me is that 58.6% of respondents said "Very little at all" and only 36% said either "To a great extent" or "To a moderate extent."   Apparently, the majority of the people in the survey felt that documenting and testing internal controls would do very little to help prevent or detect fraud. 



I somewhat agree depending on how you define fraud - material fraud and sub-material fraud.  My latest white paper titled "Sub-Material Fraud: The Elephant in the Room" outlines why I believe that companies are no better off to detect sub-material fraud.  Request this white paper at www.oubpb.com.



However, in the context of this survey, I think the question related to material fraud because the context was SOX section 404.  The results are shocking since 58.6% believe that 404 hasn't done anything to prevent or detect fraud.  If you have a hunch why this might be please email me at jhare@erpseminars.com.



Now, in light of the current financial crisis, I see how people feel this way.  Greed on Wall Street has led to some of the most significant fraud ever perpetrated in the history of the world.  That type of fraud, apparently, is too difficult to detect, even for the most experienced audit firms.



I have released a schedule of the five books I plan on writing over the next year and a half.  If you are interested, check out: http://www.erpseminars.com/books.html



Regards,

Jeffrey T. Hare, CPA CISA CIA

Industry Analyst ∙ Author ∙ Consultant

Phone: 970-785-6455 Cell: 602-769-9049

Website: www.erpseminars.com

Blog: www.erpseminars.com/blog.html

Email: jhare@erpseminars.com

Oracle Users Best Practices Board (www.oubpb.com)



Please consider signing up for the various forums we host:  Oracle Internal Controls and Security; Oracle Apps Internal Controls Repository.



2008-10-02 23:42:33 GMT | Comments: 0
Beware of red flags... ACFE Report to the Nation
Anyone involved in the design and monitoring of internal controls should review the ACFE Report to the Nation.  Always interesting reading, especially if you are having a hard time sleeping because of the financial crisis swirling around us like Hurricane Ike bearing down on Galveston.



http://www.acfe.com/documents/2008-rttn.pdf



Read the executive summary, if nothing else.  One quote stands out to me...



"The most commonly cited behavioral red flags were perpetrators living beyond their apparent means or experiencing financial difficulties at the time of the frauds". Folks, that defines about half of the US right now. Now, more than ever, it is important to communicate tip lines and open door policies as well as tune up your fraud prevention mechanisms.



My two cents...



Regards,



Jeffrey T. Hare, CPA CISA CIA



2008-09-24 02:46:35 GMT | Comments: 0
Sarbanes-Oxley and the Financial System Crisis
Well... Here we go again. Crisis around you, companies failing due to crashing asset values - Enron, right? No, Lehman Brothers, Bear Stearns, Fannie, Freddie, who's next???



Will anyone go to jail this time? How many fraudulent statements have been made by CEOs and CFOs about the financial condition of their companies only to be contradicted a few days later with the filing of Ch 11 of their company or major write downs of assets? Where is the SEC in all this mess?



As an avid investor in the stock market, I have been closely following the saga of many of these companies in the past few months.  As an 'average investor' whom Sarbanes-Oxley was supposed to protect, it feels like the CEOs of these major investment banks have been lying through their teeth.  While I have no doubt their lawyers carefully crafted their words to protect them in a court of law, I do have doubt they told the truth to the extent that Congress would have expected when they passed Sarbanes-Oxley in 2002. 



Further, our administration officials are no better than the Wall Street execs.  Either they are lying through their teeth to 'soothe' the nerves of the American public or they are no smarter than I and don't deserve the posts in which they serve.



From the outside looking in, it appears to me that SOX has done NOTHING to restore the confidence in our financial system unless we see a few of these CEOs get thrown in jail.  Time will tell...

2008-09-18 21:38:01 GMT | Comments: 2
OA Framework architectural deficiencies
Many of you may have seen a couple of questions I posted on OAUGnet and other forums in the past week or so related to OA framework forms.  Here are the three questions I posted:



1. Where do I go to get the created by, last updated by information that is available in the professional forms via the Record History field?

2. Is there anything equivalent in the OA framework forms to the Last Query?

3. Can you make these forms 'View Only' by adding QUERY_ONLY="YES" to the Parameters field in the Function form?



After hearing from several folks I consider experts in this area, my fears were confirmed.  There are some inherent flaws in the architecture of OA framework forms.  The answer to all the above questions is these features don't exist in OA framework forms.  The 'standards' Oracle uses to develop such forms apparently don't take into account such requirements.



I have been amassing a running list of internal controls and security deficiencies in Oracle's EBS and will add these three items to the list.  For end users, this list is published in the ICR.  The ICR is an end user only forum. 



Many of you know that I have been calling for Oracle to create a Customer Advisory Board (CAB) at the EBS level to address these architectural issues.   I will do a separate blog in the coming days to outline the need for such a CAB and why existing feedback mechanisms aren't communicating these issues to Oracle execs properly.   Anyone with similar frustrations, please contact me directly at jhare@erpseminars.com.  I am told that these are issues that Steven Chan needs to address, but I don't have a relationship with him.  If someone out there can make me an intro to Mr. Chan, I'd love to sit down with him and make the case on our behalf.



Regards,

Jeffrey T. Hare, CPA CISA CIA



2008-09-16 15:09:10 GMT | Comments: 0