The risk of SQL forms within the
    Oracle Applications-
    How did that Happen?

    Daryl Geryol, Practice Director - GRC Services, KBACE
    Jeffrey Hare, CPA CISA CIA - ERP Seminars
    August 13, 2008



Webinar Logistics
    • Hide (and unhide) the Webinar control
      panel by clicking on the arrow icon on the
      top right of your screen

    • The small window icon toggles between a
      resizable window and full screen mode

    • Ask questions throughout the
      presentation using the chat dialog

    • Questions will be reviewed at the end of
      the presentation




2                                                      © 2006 KBACE Technologies, Inc.
Agenda
    •   Introductions
    •   Objective
    •   Survey Findings
    •   Risks
    •   Scenarios
    •   Recommendations
    •   Q&A
    •   Closing



Presenters
    •   Daryl Geryol, Practice Director- GRC Services, KBACE: Formerly with
        Logical Apps and BearingPoint, Daryl has a decade of leadership and
        implementation and upgrade experience, specializing in assessing and automating
        internal controls for SOX 404, 302, OMB A-123, HIPAA, PII, and SSI, automating
        business processes and delivering successful corporate governance solutions


    •   Jeff Hare, CPA, CISA, CIA: Jeff's extensive background includes public
        accounting, industry, and Oracle applications implementation experience. His sole
        focus is on the development of internal controls and security best practices for
        companies running Oracle Applications. Jeff is a Certified Public Accountant (CPA),
        a Certified Information Systems Auditor (CISA), and a Certified Internal Auditor
        (CIA). He is the founder of ERP Seminars and the Oracle Users Best Practices Board
        and is widely published.



KBACE Corporate Overview
    • KBACE maximizes the value that Oracle’s clients derive from their software
      investment and goes to market with Oracle to augment the generation of
      new license opportunities.
            •   Incorporated in 1998
            •   Privately held, employee owned, cash-flow positive since inception
            •   Headquartered in Nashua, NH with national presence
            •   Maintain significant portfolio of 250-300 Oracle install base clients
            •   Specialize solely on the Oracle E-Business Suite & related technology
    • Multiple LOBs: Professional Services, Support Services, Analytics,
      Advanced Technologies, Education
    • KBACE runs our business on the Oracle E-Business Suite Release 12



Professional Services

    • Oracle Application Consulting Practices: Financials, Supply Chain, Manufacturing,
      Projects, CRM, Advanced Technology, Human Capital Management (HCM),
      Data Services, Governance Risk and Compliance (GRC)
    • Development centers in Nashua, NH and Bangalore India
    • Worldwide Certified Advantage Partner
    • Participated with Oracle on Accelerator and Methodology
      development
    • Currently partnering with Oracle on Fusion validation


ERP Seminars
                            Jeffrey T. Hare, CPA CISA CIA

    • Founder and CEO of ERP Seminars (http://www.erpseminars.com)

    • Author of various thought leadership white papers available at
      http://www.oubpb.com and in the internal controls repository (see link at
      www.erpseminars.com).

    • Upcoming book series on Oracle Applications Internal Controls

    • Provides the seminar “Internal Controls and Security Best Practice in an
      Oracle Applications Environment”


ERP Seminars
    • Seminars- Internal Controls and Security Best Practices in an Oracle
      Applications Environment; Upcoming new series to address both
      Implementing Oracle Apps and Auditing Oracle Apps, including web-
      delivery options

    • Risk Assessment Services- User Access Controls and Segregation of Duties
      Risk Assessment, Risk-Based Automated User Access Controls Analysis,
      Various Security and Controls Design and Review

    • Software Implementation- RFI/RFP, Vendor Selection

    • Free one hour consultation



Objective
    Oracle’s E-Business Suite has unique risks that need to be evaluated when
    designing application security and controls. We will look at one of the
    highest risk areas in Oracle’s E-Business Suite, forms that allow SQL
    statements to be embedded in them. This webinar will address the
    following:
         •   Overview of SQL forms and the related risks
         •   Examples of how SQL forms can be used to manipulate data and commit fraud
         •   Best practices related to SQL forms
         •   Strategies to monitor access to and activity in SQL forms




SQL Forms Survey- Awareness of SQL forms risks?
     Survey responses (shown as a pie chart on the original slide):
     • I was not aware of the risk: 32.6%
     • I have read about SQL forms, but didn't/don't understand the risks: 13.0%
     • My company is aware of the risks, but has chosen not to address them: 4.3%
     • My company is aware of the risks, but feels monitoring software is too expensive: 10.8%
     • My company has put a third party trigger or log-based solution in place to monitor them: 4.3%
     • My company uses Oracle's Sys Admin audit trail to monitor the activity: 4.3%
     • My company requires all SQL form activity to go through IT Change Management: 21.7%
     • My company reconciles actual activity to our Change Management approvals: 0.0%
     • Other: 8.6%

SQL Forms Survey- How long as an Oracle EBS customer?
     Survey responses (shown as a pie chart on the original slide):
     • We are not yet live with the system: 5.1%
     • We have been live less than 1 year: 2.5%
     • We have been live 2 - 4 years: 20.5%
     • We have been live 5 or more years: 64.1%
     • Other: 2.5%
     • No Responses: 5.1%

SQL Forms Survey- Number of Oracle users?
     Pie chart of respondents by number of Oracle users, with the buckets 1-50, 51-250,
     251-1000, 1001-2500, 2501-5000 and Over 5000. The slice labels (3%, 5%, 11%, 13%,
     27% and 41%) cannot be matched to their buckets from the extracted chart.

Risks
     •   What type of risks are exposed when users have access to SQL forms?
          •   Override of change management process
          •   Fraud - employees, consultants
          •   Data theft
          •   Unauthorized changes to security
     •   References
          •   Metalink note 189367.1 - Best Practices for Securing the E-Business Suite
          •   Additional information available in the internal control repository (ICR).




Scenarios
     •   Fraudulent bank account updates for the purpose of misdirecting
         funds payment to a supplier
     •   Reset of SYSADMIN login for the purpose of unapproved
         access and system updates



           The objective of the following scenarios is to show limited examples of how fraud may be committed.
           The methods shown are not meant to inspire their use for any activities that may be illegal or
           unethical.

           The examples shown are for presentation purposes only and do not outline the full business processes
           or controls that are in place around those processes.



Scenario 1- Fraudulent Bank Account Update

     • A Supplier has contacted procurement about payments they have not
       received. Through some reporting it has been found that the payments were
       made; however, there is an inconsistency in the system. The bank account
       looks as though it had been changed and then changed back, but there
       are no records of this being approved.


     • Cause- An Oracle Alert (a “SQL form”) was used to update the bank account
       from behind the scenes and then update it back.




Unapproved Alert is created

     The select statement itself does not matter as long as it returns 1 row. A
     clever person could go so far as to fire the trigger when the payment is created
     with the “victim” bank account and update the bank account record.

     Screenshot callout: This is being done on demand; however, someone could make it
     much more intelligent using the event tab.




Unapproved Alert is created
     There are a couple of setup steps needed for triggers, but they are fairly simple and
     flexible. Alerts are powerful since they can launch programs, SQL statements
     and PL/SQL. It should be noted that normal users don’t usually have access to
     create alerts.

     Screenshot callouts: Create an action set, add an action. Select an action type;
     notice SQL or OS Script. Call a PL/SQL package or write SQL statements.



Take a look at the Bank account ‘BEFORE’
      Bank accounts are not defined per vendor but are defined as bank accounts
      records and then assigned to other pieces of data. They are used on vendors,
      vendor sites and payments as an example.



      Screenshot callouts: This will be the bank account shown on the vendor site; this is
      the value seen on payments and transactions. The bank account number is the
      victim. This is important because it is not usually seen on the transaction, the
      “name” is.




A payment is created
     A payment is created using the “victim” bank account. The bad guy could
     have an alert set to see this or just know what day payments are made so the
     alert can fire. The trick is to update the account after the payment record is
     created. Another note is that this type of fraud would likely be directed at
     electronic payments.

     Screenshot callout: The bank account number shows here in the LOV but not
     on the form.




The unapproved Alert is fired
     The alert may be manually initiated to update the account. The smart
     perpetrator may go as far as changing the account back after the EFT is
     completed so it will be tougher for someone to catch what has happened.

     Screenshot callout: The alert is raised, which will update the records. The last
     updated date and last updated by will not change. It will look as if the last
     person changed the record.




Bank account “AFTER” payment and back again
     If someone were to review the bank account record, the account number
     would be different, but the last updated date and last updated by would not
     look any different from before.

     The perpetrator could then update again and effectively wipe away some of
     the tracks!

     Screenshot callouts: before, the bank account number is 10271-17621-619,
     updated by dgeryol at 6:41:02 pm; after, the bank account number changed to
     10271-17621-620, still updated by dgeryol at 6:41:02 pm.
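The last two slides make a point a defender can test directly: a SQL statement issued from an alert action changes the account number but leaves the last updated by and last update date columns untouched, so a review of the record shows nothing. The following Python example is added here and is not part of the webinar. It models the situation with an in-memory SQLite table (the table name, column names and seeded values are constructed stand-ins, not the real Oracle Applications schema), shows that the direct SQL path leaves the WHO columns unchanged while the form path updates them, and then shows how a row-level trigger writing to a separate audit table captures both the change and the change-back, and how the captured rows can be reconciled against change-management approvals.

```python
import sqlite3

# Constructed, simplified stand-in for a bank account record with its WHO columns
# and a trigger-fed audit table; names are assumptions, not the real EBS schema.
SCHEMA = """
CREATE TABLE bank_accounts (
    bank_account_id   INTEGER PRIMARY KEY,
    bank_account_name TEXT NOT NULL,   -- what the form and the payment display
    bank_account_num  TEXT NOT NULL,   -- what the EFT actually uses
    last_updated_by   TEXT NOT NULL,   -- WHO column
    last_update_date  TEXT NOT NULL    -- WHO column
);
CREATE TABLE bank_account_audit (
    audit_id        INTEGER PRIMARY KEY AUTOINCREMENT,
    bank_account_id INTEGER NOT NULL,
    old_account_num TEXT NOT NULL,
    new_account_num TEXT NOT NULL,
    captured_at     TEXT NOT NULL
);
-- Fires on every change of the number, whether a form or a direct SQL statement made it.
CREATE TRIGGER trg_audit_bank_account_num
AFTER UPDATE OF bank_account_num ON bank_accounts
FOR EACH ROW WHEN OLD.bank_account_num <> NEW.bank_account_num
BEGIN
    INSERT INTO bank_account_audit (bank_account_id, old_account_num, new_account_num, captured_at)
    VALUES (OLD.bank_account_id, OLD.bank_account_num, NEW.bank_account_num, datetime('now'));
END;
"""

# Constructed seed row: name, number, and the WHO columns as a form user last left them.
SEED = ("ACME SUPPLY OPERATING", "10271-17621-619", "dgeryol", "2008-08-01 18:41:02")


def open_db():
    """In-memory database with the schema, the audit trigger and one seeded bank account."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute(
        "INSERT INTO bank_accounts (bank_account_id, bank_account_name, bank_account_num,"
        " last_updated_by, last_update_date) VALUES (1, ?, ?, ?, ?)",
        SEED,
    )
    conn.commit()
    return conn


def form_update(conn, account_id, new_num, user, when):
    """The application form path: the number and the WHO columns change together."""
    conn.execute(
        "UPDATE bank_accounts SET bank_account_num = ?, last_updated_by = ?,"
        " last_update_date = ? WHERE bank_account_id = ?",
        (new_num, user, when, account_id),
    )
    conn.commit()


def direct_sql_update(conn, account_id, new_num):
    """A SQL statement run from an alert action: only the number changes, the WHO columns do not."""
    conn.execute(
        "UPDATE bank_accounts SET bank_account_num = ? WHERE bank_account_id = ?",
        (new_num, account_id),
    )
    conn.commit()


def who_columns(conn, account_id):
    """(last_updated_by, last_update_date) as a reviewer would see them on the record."""
    return conn.execute(
        "SELECT last_updated_by, last_update_date FROM bank_accounts WHERE bank_account_id = ?",
        (account_id,),
    ).fetchone()


def audit_rows(conn):
    """(bank_account_id, old_account_num, new_account_num) for every captured change."""
    return conn.execute(
        "SELECT bank_account_id, old_account_num, new_account_num"
        " FROM bank_account_audit ORDER BY audit_id"
    ).fetchall()


def unapproved_changes(conn, approvals):
    """Reconcile captured changes against change-management approvals, given as a constructed
    list of (bank_account_id, new_account_num); anything not approved is returned for follow-up."""
    approved = set(approvals)
    return [row for row in audit_rows(conn) if (row[0], row[2]) not in approved]


if __name__ == "__main__":
    conn = open_db()
    direct_sql_update(conn, 1, "10271-17621-620")   # the deck's scenario: number changed...
    direct_sql_update(conn, 1, "10271-17621-619")   # ...and changed back afterwards
    print("WHO columns after two direct SQL updates:", who_columns(conn, 1))
    print("Changes the trigger captured:", audit_rows(conn))
    print("Not covered by an approval:", unapproved_changes(conn, approvals=[]))
```

The audit table only helps if the account used by the alert or quality plan action cannot truncate it or drop the trigger, so in a real instance both belong in a schema that the application account does not own.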




Scenario 2- Reset of SYSADMIN login

     • Upon routine audit of the system the system admin could not log in to the
       SYSADMIN account. The audit reports also showed a high number of logins
       by the SYSADMIN user and updates to key profile options. There was no
       record of approval for any changes by this user, and profile options are not
       normally updated with this login.


     • Cause- A quality plan from the Oracle Quality application was used to reset
       the SYSADMIN password so that illegal logins and updates could be made.




SYSADMIN login- Normal

     Admin personnel may use the SYSADMIN application user for certain admin
     tasks. The password is tightly controlled.

     Screenshot callouts: the login screen with the password 123@!ABc; SYSADMIN
     normally has keys-to-the-kingdom type responsibilities.




Oracle Quality- not just for Quality Control!
     Oracle Quality is a powerful application used in areas like receiving and
     manufacturing to help capture data related to quality, measurement,
     specifications and other similar data. The data entry into plans can translate
     into automated reporting, notifications and updates to areas of the system.




     Screenshot callout: Setup is normally where you will find the function to create
     plans; however, many have this function available for creating ad hoc plans.




Create a QA plan
     A fraudulent QA plan is created with minimal information. These plans can be
     deleted once they are done being used. This removes many traces of what has
     been done.

     Screenshot callouts: A bogus QA plan is created. Actions… access to GOLD.




Create the condition and pick the event

     Once a plan is created you need only define the action condition that triggers
     your action. You then just pick your method to execute.

     Screenshot callouts: This sets up a condition or trigger value. Here are my choices to
     do damage… Operating System scripts and SQL scripts.




Create the action details (SQL entry)

     Using the details window you can write a SQL statement or call PL/SQL
     procedures to do your bidding.

     Screenshot callout: Executing a standard Oracle package to update a user's
     password without knowing the existing password.




Enter a QA result to initiate the plan's illegal update

     To execute the plan, a simple entry must be made into the fraudulent plan with
     the trigger condition.

     Screenshot callout: Entering QA results is a fairly standard function.




Entering the trigger condition initiates an update
     When the trigger condition is entered and saved, a periodic alert is run. This is
     really the only indicator that something has been done. The alert itself is not
     really traceable since we can delete our trail!

     Screenshot callout: The trigger condition initiated the periodic alert.




USER MAKES ILLEGAL LOGIN AS SYSADMIN

     The offending user now logs in as SYSADMIN with the password that was
     set.

     Screenshot callout: the login screen with the password welcome123.




Recommendations
     Conduct a thorough analysis of the system to identify SQL forms (see references) and
     also control risks on master data and system setup forms. Review users that have access
     to any 2 of the following 3 risk areas: system setups, master data, transaction forms.

     If there are no system controls, there should be well-documented and closely
     monitored manual controls. System controls are recommended and should cover the
     following:

       •   Segregation of Duties
       •   Change Control
       •   System Auditing or Monitoring




Best Practices
     •   Segregation of duties
           •   It is not all about transaction forms. If users do not need to see data such as bank
               accounts, do not let them. This removes the temptation that comes with seeing the data.
          •   Do not allow end users to have access to SQL forms. These are meant to be configured as
              part of the system and not as a day to day production task.
          •   An overall risk assessment should highlight those with access to these areas and SQL
              forms
     •   Change Control
          •   Do not allow sensitive information or master data to get changed without a good change
              process.
          •   Master data management can be a great success to an organization, or a great risk.
          •   Changes to system setups such as SQL forms should be under change control
     •   System Auditing or Monitoring
          •   Audit key data for setups and master data
          •   Review audit reports regularly to reconcile approved activity to actual activity
           •   Remediate conditions that led to any unauthorized activity
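The Recommendations and Best Practices slides ask for two access reviews: users who hold access to any two of the three risk areas (system setups, master data, transaction forms), and end users who can reach a SQL form at all. The following Python example is added here and is not part of the webinar. It runs both reviews over a constructed user-to-responsibility-to-function assignment, which is how access is granted in the E-Business Suite; the function names, their risk-area classification and the list of SQL forms are illustrative assumptions, not the real EBS function codes, and in a real review they would be extracted from the instance's security definitions.

```python
# Constructed classification of form functions into the three risk areas the
# Recommendations slide names; the names are illustrative, not real EBS function codes.
AREA_OF_FUNCTION = {
    "System Profile Values": "SETUP",
    "Define Alert": "SETUP",
    "Collection Plans": "SETUP",
    "Suppliers": "MASTER_DATA",
    "Bank Accounts": "MASTER_DATA",
    "Invoices": "TRANSACTION",
    "Payments": "TRANSACTION",
    "Enter Quality Results": "TRANSACTION",
}

# Functions whose actions can carry embedded SQL or PL/SQL, as the deck shows for
# Oracle Alert definitions and Oracle Quality plans (constructed list).
SQL_FORMS = {"Define Alert", "Collection Plans"}

# Constructed responsibility -> functions and user -> responsibilities assignments.
RESP_FUNCTIONS = {
    "Payables Manager": {"Suppliers", "Bank Accounts", "Invoices", "Payments"},
    "Payables Clerk": {"Invoices"},
    "Alert Manager": {"Define Alert"},
    "Quality User": {"Collection Plans", "Enter Quality Results"},
    "System Administrator": {"System Profile Values"},
}
USER_RESPS = {
    "APCLERK1": {"Payables Clerk"},
    "APMGR": {"Payables Manager"},
    "QAUSER": {"Quality User", "Payables Clerk"},
    "SYSADMIN": {"System Administrator", "Alert Manager"},
}


def functions_for_user(user, user_resps=USER_RESPS, resp_functions=RESP_FUNCTIONS):
    """Every function a user reaches through any of their responsibilities."""
    funcs = set()
    for resp in user_resps.get(user, ()):
        funcs |= resp_functions.get(resp, set())
    return funcs


def risk_areas_for_user(user, user_resps=USER_RESPS, resp_functions=RESP_FUNCTIONS):
    """Risk areas touched by the user's functions; unclassified functions are ignored."""
    return {
        AREA_OF_FUNCTION[f]
        for f in functions_for_user(user, user_resps, resp_functions)
        if f in AREA_OF_FUNCTION
    }


def users_with_two_of_three(user_resps=USER_RESPS, resp_functions=RESP_FUNCTIONS):
    """Users holding access to at least two of: system setups, master data, transaction forms."""
    flagged = {}
    for user in user_resps:
        areas = risk_areas_for_user(user, user_resps, resp_functions)
        if len(areas) >= 2:
            flagged[user] = tuple(sorted(areas))
    return flagged


def users_with_sql_form_access(user_resps=USER_RESPS, resp_functions=RESP_FUNCTIONS):
    """Users who can reach a form that embeds SQL, however many risk areas they hold."""
    flagged = {}
    for user in user_resps:
        hits = sorted(functions_for_user(user, user_resps, resp_functions) & SQL_FORMS)
        if hits:
            flagged[user] = hits
    return flagged


if __name__ == "__main__":
    for user, areas in users_with_two_of_three().items():
        print(f"{user}: access to {len(areas)} risk areas {areas}")
    for user, forms in users_with_sql_form_access().items():
        print(f"{user}: SQL form access via {forms}")
```

With the constructed data the two reviews flag different users: the payables manager and the quality user hold two risk areas each, while SYSADMIN holds only setup functions and is caught solely by the SQL form check, which is why the deck treats SQL form access as a risk in its own right rather than a sub-case of segregation of duties.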
Monitoring Strategies
     •   Record History (row WHO columns)
          •   Limitations
     •   Advanced Oracle Auditing
          •   Pro
          •   Cons
     •   Alerts
          •   Pro
          •   Cons
     •   Triggers / Logs
          •   Pro
          •   Cons




Q&A

     • Any questions that we do not get to will be
       addressed via email

     • Please email all other questions to the
       presenters directly

     • Webinar replays at:
       www.kbace.com
       Services tab > Webinars

       http://www.kbace.com/Services/Webinars.aspx




Thank You
     Daryl Geryol, Practice Director - GRC Services, KBACE
     dgeryol@kbace.com
     www.kbace.com
     (262) 649.2916

     Jeffrey Hare, CPA CISA CIA - ERP Seminars
     jhare@erpseminars.com
     www.erpseminars.com
     www.oubpb.com
     (602) 769.9094





Customers talk about controlling access for multiple erp systems with oracle ...
 
DBA Role Shift in a DevOps World
DBA Role Shift in a DevOps WorldDBA Role Shift in a DevOps World
DBA Role Shift in a DevOps World
 
Optimizing order to-cash (e-business suite) with GRC Advanced Controls
Optimizing order to-cash (e-business suite) with GRC Advanced ControlsOptimizing order to-cash (e-business suite) with GRC Advanced Controls
Optimizing order to-cash (e-business suite) with GRC Advanced Controls
 
Soa suite12c presentation @AMIS by Simone Geib
Soa suite12c presentation @AMIS by Simone GeibSoa suite12c presentation @AMIS by Simone Geib
Soa suite12c presentation @AMIS by Simone Geib
 
Omc for oracle_ebs_demo_script
Omc for oracle_ebs_demo_scriptOmc for oracle_ebs_demo_script
Omc for oracle_ebs_demo_script
 
EA Governance as IT Sustainability (NY IT Leadership Academy Apr 2013)
EA Governance as IT Sustainability (NY IT Leadership Academy Apr 2013)EA Governance as IT Sustainability (NY IT Leadership Academy Apr 2013)
EA Governance as IT Sustainability (NY IT Leadership Academy Apr 2013)
 
Streamline it management
Streamline it managementStreamline it management
Streamline it management
 
Why cloud?
Why cloud?Why cloud?
Why cloud?
 
Maximize your Oracle Cloud Investment and Drive Innovation
 Maximize your Oracle Cloud Investment and Drive Innovation Maximize your Oracle Cloud Investment and Drive Innovation
Maximize your Oracle Cloud Investment and Drive Innovation
 
Cloud Streaming & Financial Close: Streamline Your Financial Processes
Cloud Streaming & Financial Close:  Streamline Your Financial ProcessesCloud Streaming & Financial Close:  Streamline Your Financial Processes
Cloud Streaming & Financial Close: Streamline Your Financial Processes
 

Plus de KBACE Technologies, Inc.

Migrating from Sales Force to Oracle CRM On Demand Webinar
Migrating from Sales Force to Oracle CRM On Demand WebinarMigrating from Sales Force to Oracle CRM On Demand Webinar
Migrating from Sales Force to Oracle CRM On Demand Webinar
KBACE Technologies, Inc.
 
KBACE Individual Compensation Distribution Webinar
KBACE Individual Compensation Distribution WebinarKBACE Individual Compensation Distribution Webinar
KBACE Individual Compensation Distribution Webinar
KBACE Technologies, Inc.
 
KBACE Applied Service Oriented Architecture
KBACE Applied Service Oriented ArchitectureKBACE Applied Service Oriented Architecture
KBACE Applied Service Oriented Architecture
KBACE Technologies, Inc.
 

Plus de KBACE Technologies, Inc. (18)

KBACE Open Enrollment Webinar
KBACE Open Enrollment WebinarKBACE Open Enrollment Webinar
KBACE Open Enrollment Webinar
 
KBACE Oracle Learning Management Release 12.1 Webinar
KBACE Oracle Learning Management Release 12.1 WebinarKBACE Oracle Learning Management Release 12.1 Webinar
KBACE Oracle Learning Management Release 12.1 Webinar
 
Oracle Advanced Benefits Webinar Slides
Oracle Advanced Benefits Webinar SlidesOracle Advanced Benefits Webinar Slides
Oracle Advanced Benefits Webinar Slides
 
Migrating from Sales Force to Oracle CRM On Demand Webinar
Migrating from Sales Force to Oracle CRM On Demand WebinarMigrating from Sales Force to Oracle CRM On Demand Webinar
Migrating from Sales Force to Oracle CRM On Demand Webinar
 
KBACE iRecruitment Webinar
KBACE iRecruitment WebinarKBACE iRecruitment Webinar
KBACE iRecruitment Webinar
 
KBACE Common Extensions for Oracle iRecruitment
KBACE Common Extensions for Oracle iRecruitmentKBACE Common Extensions for Oracle iRecruitment
KBACE Common Extensions for Oracle iRecruitment
 
KBACE Individual Compensation Distribution Webinar
KBACE Individual Compensation Distribution WebinarKBACE Individual Compensation Distribution Webinar
KBACE Individual Compensation Distribution Webinar
 
KBACE Incentive Compensation Webinar
KBACE Incentive Compensation WebinarKBACE Incentive Compensation Webinar
KBACE Incentive Compensation Webinar
 
KBACE Data Quality Management Webinar
KBACE Data Quality Management WebinarKBACE Data Quality Management Webinar
KBACE Data Quality Management Webinar
 
KBACE Ceridian Webinar
KBACE Ceridian WebinarKBACE Ceridian Webinar
KBACE Ceridian Webinar
 
KBACE Applied Service Oriented Architecture
KBACE Applied Service Oriented ArchitectureKBACE Applied Service Oriented Architecture
KBACE Applied Service Oriented Architecture
 
KBACE Applied OBIEE
KBACE Applied OBIEEKBACE Applied OBIEE
KBACE Applied OBIEE
 
KBACE Acquisitions & Divestitures
KBACE Acquisitions & Divestitures KBACE Acquisitions & Divestitures
KBACE Acquisitions & Divestitures
 
KBACE Self Service HR Common Extensions
KBACE Self Service HR Common ExtensionsKBACE Self Service HR Common Extensions
KBACE Self Service HR Common Extensions
 
KBACE iRecruitment 12.1 Webinar
KBACE iRecruitment 12.1 WebinarKBACE iRecruitment 12.1 Webinar
KBACE iRecruitment 12.1 Webinar
 
KBACE OLM Extensions Webinar
KBACE OLM Extensions WebinarKBACE OLM Extensions Webinar
KBACE OLM Extensions Webinar
 
Oracle Compensation Workbench Webinar
Oracle Compensation Workbench WebinarOracle Compensation Workbench Webinar
Oracle Compensation Workbench Webinar
 
Comp ben121enhancementswebinar
Comp ben121enhancementswebinarComp ben121enhancementswebinar
Comp ben121enhancementswebinar
 

Dernier

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 

Dernier (20)

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 

The Risk of SQL Forms within Oracle Applications

5. KBACE Corporate Overview
• KBACE maximizes the value that Oracle's clients derive from their software investment and goes to market with Oracle to augment the generation of new license opportunities.
• Incorporated in 1998
• Privately held, employee owned, cash-flow positive since inception
• Headquartered in Nashua, NH with national presence
• Maintains a significant portfolio of 250-300 Oracle install base clients
• Specializes solely in the Oracle E-Business Suite and related technology
• Multiple LOBs: Professional Services, Support Services, Analytics, Advanced Technologies, Education
• KBACE runs its business on the Oracle E-Business Suite Release 12

6. Professional Services
• Oracle Application Consulting Practices: Financials, Supply Chain, Manufacturing, Projects, CRM, Advanced Technology, Human Capital Management (HCM), Data Services, Governance Risk and Compliance (GRC)
• Development centers in Nashua, NH and Bangalore, India
• Worldwide Certified Advantage Partner
• Participated with Oracle on Accelerator and Methodology development
• Currently partnering with Oracle on Fusion validation

7. ERP Seminars: Jeffrey T. Hare, CPA CISA CIA
• Founder and CEO of ERP Seminars (http://www.erpseminars.com)
• Author of various thought leadership white papers available at http://www.oubpb.com and in the internal controls repository (see link at www.erpseminars.com)
• Upcoming book series on Oracle Applications Internal Controls
• Provides the seminar "Internal Controls and Security Best Practice in an Oracle Applications Environment"

8. ERP Seminars
• Seminars: Internal Controls and Security Best Practices in an Oracle Applications Environment; an upcoming new series will address both implementing Oracle Apps and auditing Oracle Apps, including web-delivery options
• Risk Assessment Services: User Access Controls and Segregation of Duties Risk Assessment, Risk-Based Automated User Access Controls Analysis, various Security and Controls Design and Review
• Software Implementation: RFI/RFP, Vendor Selection
• Free one-hour consultation

9. Objective
Oracle's E-Business Suite has unique risks that need to be evaluated when designing application security and controls. We will look at one of the highest-risk areas in Oracle's E-Business Suite: forms that allow SQL statements to be embedded in them. This webinar will address the following:
• Overview of SQL forms and the related risks
• Examples of how SQL forms can be used to manipulate data and commit fraud
• Best practices related to SQL forms
• Strategies to monitor access to and activity in SQL forms

10. SQL Forms Survey: Awareness of SQL forms risks?
• I was not aware of the risk: 32.6%
• I have read about SQL forms, but didn't/don't understand the risks: 13.0%
• My company is aware of the risks, but has chosen not to address them: 4.3%
• My company is aware of the risks, but feels monitoring software is too expensive: 10.8%
• My company has put a third-party trigger- or log-based solution in place to monitor them: 4.3%
• My company uses Oracle's Sys Admin audit trail to monitor the activity: 4.3%
• My company requires all SQL form activity to go through IT Change Management: 21.7%
• My company reconciles actual activity to our Change Management approvals: 0.0%
• Other: 8.6%

11. SQL Forms Survey: How long as an Oracle EBS customer?
• We are not yet live with the system: 5.1%
• We have been live less than 1 year: 2.5%
• We have been live 2-4 years: 20.5%
• We have been live 5 or more years: 64.1%
• Other: 2.5%
• No responses: 5.1%

12. SQL Forms Survey: Number of Oracle users?
Categories: 1-50, 51-250, 251-1000, 1001-2500, 2501-5000, over 5000. The pie chart shows shares of 41%, 27%, 13%, 11%, 5% and 3% (chart labels not recoverable, so the share per category is not given here).

13. Risks
What type of risks are exposed when users have access to SQL forms?
• Override of the change management process
• Fraud (employees, consultants)
• Data theft
• Unauthorized changes to security
References:
• Metalink note 189367.1, Best Practices for Securing the E-Business Suite
• Additional information available in the internal control repository (ICR)

14. Scenarios
• Fraudulent bank account updates for the purpose of misdirecting a funds payment to a supplier
• Reset of the SYSADMIN login for the purpose of unapproved access and system updates
The objective of the following scenarios is to show limited examples of how fraud may be committed. The methods shown are not meant to inspire their use for any activities that may be illegal or unethical. The examples are for presentation purposes only and do not outline the full business processes or the controls that are in place around those processes.

15. Scenario 1: Fraudulent Bank Account Update
• A supplier has contacted procurement about payments they have not received. Through some reporting it has been found that payments were made; however, there is some inconsistency in the system. The bank account looks as though it had been changed and then changed back, but there is no record of this being approved.
• Cause: an Oracle Alert ("SQL form") was used to update the bank account behind the scenes and then change it back.

16. Unapproved Alert is created
The SELECT statement itself does not matter as long as it returns one row. A clever person could go so far as to fire the trigger when a payment is created with the "victim" bank account and update the bank account record. Here the alert is run on demand; someone could make it much more intelligent using the Event tab.

17. Unapproved Alert is created (continued)
There are a couple of setup steps needed for triggers, but they are fairly simple and flexible. Alerts are powerful since they can launch programs, SQL statements and PL/SQL. It should be noted that normal users don't usually have access to create alerts.
Screenshot callouts: create an action set and add an action; select an action type (notice "SQL" or "OS Script"); call a PL/SQL package or write SQL statements.

18. Take a look at the Bank Account "BEFORE"
Bank accounts are not defined per vendor; they are defined as bank account records and then assigned to other pieces of data. They are used on vendors, vendor sites and payments, for example.
Screenshot callouts: this is the bank account shown on the vendor site; this is the value seen on payments and transactions; the bank account number is the victim. This is important because the number is not usually seen on the transaction, the account "name" is.

19. A payment is created
A payment is created using the "victim" bank account. The bad guy could have an alert set to see this, or just know what day payments are made so the alert can fire. The trick is to update the account after the payment record is created. Another note is that this type of fraud would likely be directed at electronic payments.
Screenshot callout: the bank account number shows here in the LOV but not on the form.

20. The unapproved Alert is fired
The alert may be manually initiated to update the account. The smart perpetrator may go as far as changing the account back after the EFT is completed, so it will be tougher for someone to catch what has happened.
Screenshot callouts: the alert is raised, which updates the records. The Last Updated Date and Last Updated By will not change; it will look as if the last person changed the record.

21. Bank account "AFTER" payment, and back again
If someone were to review the bank account record, the account number would be different. The Last Updated Date and Last Updated By would not show any difference from before. The perpetrator could then update again and effectively wipe away some of the tracks!
Screenshot callouts: the bank account number has changed (10271-17621-620 vs. 10271-17621-619), yet both screenshots read "Updated by dgeryol at 6:41:02 pm".

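The following Oracle SQL is an added illustration, not code from the webinar. It shows why Record History is blind to the change in Scenario 1 and what the "Triggers / Logs" option from the monitoring strategies slide would capture. It assumes an E-Business Suite 11i schema in which supplier bank accounts live in AP_BANK_ACCOUNTS_ALL with BANK_ACCOUNT_ID, BANK_ACCOUNT_NUM and the standard WHO columns; the audit table XX_BANK_ACCT_AUDIT, its sequence and the trigger are constructed for the example, and the two account numbers are the values visible in the slides.

```sql
-- Added example, not from the webinar. Assumes EBS 11i (AP_BANK_ACCOUNTS_ALL);
-- XX_BANK_ACCT_AUDIT, its sequence and the trigger are constructed here.
-- Run as APPS. This is a customization; Oracle's AuditTrail shadow tables are
-- the supported alternative, but they attribute a change from the row's own
-- WHO columns, which is exactly what a direct UPDATE leaves stale.

-- 1. A row-level trigger fires on the statement itself, so it sees the change
--    whether or not the WHO columns were maintained, and it can record the
--    session context that the row never will.
CREATE SEQUENCE xx_bank_acct_audit_s;

CREATE TABLE xx_bank_acct_audit (
  audit_id         NUMBER        PRIMARY KEY,
  bank_account_id  NUMBER        NOT NULL,
  old_account_num  VARCHAR2(30),
  new_account_num  VARCHAR2(30),
  changed_on       DATE          NOT NULL,
  who_maintained   VARCHAR2(1)   NOT NULL,  -- 'N' = WHO columns untouched (direct SQL)
  db_user          VARCHAR2(30),            -- normally APPS, so not the person
  os_user          VARCHAR2(100),
  client_module    VARCHAR2(64),            -- e.g. the concurrent program that ran the alert
  apps_user_id     NUMBER,                  -- FND_GLOBAL context; -1 when not initialised
  apps_login_id    NUMBER,
  conc_request_id  NUMBER                   -- ties the row to the alert's concurrent request
);

CREATE OR REPLACE TRIGGER xx_bank_acct_num_aud
  AFTER UPDATE OF bank_account_num ON ap_bank_accounts_all
  FOR EACH ROW
  WHEN (NVL(old.bank_account_num, '~') <> NVL(new.bank_account_num, '~'))
BEGIN
  INSERT INTO xx_bank_acct_audit (
    audit_id, bank_account_id, old_account_num, new_account_num, changed_on,
    who_maintained, db_user, os_user, client_module,
    apps_user_id, apps_login_id, conc_request_id)
  VALUES (
    xx_bank_acct_audit_s.NEXTVAL, :old.bank_account_id,
    :old.bank_account_num, :new.bank_account_num, SYSDATE,
    -- a form update rewrites both WHO columns; a bare UPDATE leaves them equal
    CASE WHEN :new.last_update_date = :old.last_update_date
          AND :new.last_updated_by  = :old.last_updated_by
         THEN 'N' ELSE 'Y' END,
    SYS_CONTEXT('USERENV', 'SESSION_USER'),
    SYS_CONTEXT('USERENV', 'OS_USER'),
    SYS_CONTEXT('USERENV', 'MODULE'),
    fnd_global.user_id, fnd_global.login_id, fnd_global.conc_request_id);
END;
/

-- 2. What the alert's SQL action amounts to: a direct UPDATE of the account
--    number only. LAST_UPDATE_DATE / LAST_UPDATED_BY are not in the SET list,
--    so Record History keeps showing the previous user and time.
UPDATE ap_bank_accounts_all
   SET bank_account_num = '10271-17621-620'
 WHERE bank_account_num = '10271-17621-619';
COMMIT;

-- 3. Review query: every account-number change, who requested it (when the
--    applications context was set) and whether Record History would have
--    shown anything at all. The UPDATE above appears as 'Record History stale'.
SELECT a.changed_on, a.old_account_num, a.new_account_num,
       NVL(u.user_name, '<no apps context>') AS apps_user,
       a.conc_request_id, a.client_module, a.os_user,
       DECODE(a.who_maintained, 'N', 'Record History stale',
                                     'Record History updated') AS visibility
  FROM xx_bank_acct_audit a
  LEFT JOIN fnd_user u ON u.user_id = a.apps_user_id
 ORDER BY a.changed_on DESC;
```

When the alert is run on demand, as in the scenario, it executes inside a "Check Periodic Alert" concurrent request submitted by the perpetrator, so APPS_USER_ID names the requester and CONC_REQUEST_ID leads back to the alert definition that ran. If the SQL were issued from a raw SQL*Plus session instead, those two columns read -1 and only DB_USER, OS_USER and CLIENT_MODULE remain, which is the argument for also controlling who holds the APPS password.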
22. Scenario 2: Reset of SYSADMIN login
• Upon routine audit of the system, the system administrator could not log in to the SYSADMIN account. The audit reports also showed a high number of logins by the SYSADMIN user and updates to key profile options. There was no record of approval for any changes by this user, and profile options are not normally updated with this login.
• Cause: a quality plan from the Oracle Quality application was used to reset the SYSADMIN password so that illegal logins and updates could be made.

23. SYSADMIN login: Normal
Admin personnel may use the SYSADMIN application user for certain admin tasks. The password is tightly controlled.
Screenshot callouts: login as SYSADMIN with the (demo) password 123@!ABc. SYSADMIN normally has "keys to the kingdom" type responsibilities.

24. Oracle Quality: not just for Quality Control!
Oracle Quality is a powerful application used in areas like receiving and manufacturing to help capture data related to quality, measurement, specifications and similar data. Data entry into plans can translate into automated reporting, notifications and updates to areas of the system. Setup is normally where you will find the function to create plans; however, many users have this function available for creating ad hoc plans.

25. Create a QA plan
A fraudulent QA plan is created with minimal information. These plans can be deleted once they are done being used, which removes many traces of what has been done.
Screenshot callouts: a bogus QA plan is created; Actions... access to GOLD.

26. Create the condition and pick the event
Once a plan is created you need only define the action condition that triggers your action. You then just pick your method to execute.
Screenshot callouts: this sets up a condition or trigger value; here are my choices to do damage: Operating System scripts and SQL scripts.

27. Create the action details (SQL entry)
Using the details window you can write a SQL statement or call PL/SQL procedures to do your bidding.
Screenshot callout: executing a standard Oracle package to update a user's password without knowing the existing password.

28. Enter a QA result to initiate the plan's illegal update
To execute the plan, a simple entry must be made into the fraudulent plan with the trigger condition. Entering QA results is a fairly standard function.

29. Entering the trigger condition initiates an update
When the trigger condition is entered and saved, a periodic alert is run. This is really the only indicator that something has been done. The alert itself is not really traceable since we can delete our trail!
Screenshot callout: the trigger condition initiated the periodic alert.

30. User makes illegal login as SYSADMIN
The offending user now logs in as SYSADMIN with the password that was set (welcome123 in the screenshot).

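The queries below are an added example, not part of the webinar, of how the three symptoms in Scenario 2 (an unexplained SYSADMIN password change, a login spike, and profile option updates) can be pulled from standard FND tables and reconciled to change approvals. FND_USER, FND_LOGINS, FND_PROFILE_OPTION_VALUES, FND_PROFILE_OPTIONS and FND_PROFILE_OPTIONS_TL are standard E-Business Suite objects; XX_CM_APPROVALS is a constructed stand-in for an export of approved change tickets and its columns are assumptions.

```sql
-- Added example, not from the webinar. Standard FND tables; XX_CM_APPROVALS is
-- a constructed stand-in for an export of approved change-management tickets.
CREATE TABLE xx_cm_approvals (
  ticket_id      VARCHAR2(30)  PRIMARY KEY,
  object_type    VARCHAR2(30)  NOT NULL,   -- 'USER_PASSWORD' or 'PROFILE_OPTION'
  object_name    VARCHAR2(240) NOT NULL,   -- e.g. 'SYSADMIN' or a profile option name
  approved_from  DATE          NOT NULL,
  approved_to    DATE          NOT NULL
);

-- 1. Password changes on privileged accounts with no approved change window.
--    PASSWORD_DATE is set when the password is changed through the standard
--    user API; a raw UPDATE of ENCRYPTED_USER_PASSWORD would leave it and the
--    WHO columns stale, so this query complements a DML trigger, not replaces it.
SELECT u.user_name, u.password_date, u.last_update_date,
       NVL(lu.user_name, TO_CHAR(u.last_updated_by)) AS last_updated_by
  FROM fnd_user u
  LEFT JOIN fnd_user lu ON lu.user_id = u.last_updated_by
 WHERE u.user_name IN ('SYSADMIN')            -- add other privileged accounts
   AND u.password_date >= SYSDATE - 30
   AND NOT EXISTS (
         SELECT 1
           FROM xx_cm_approvals a
          WHERE a.object_type = 'USER_PASSWORD'
            AND a.object_name = u.user_name
            AND u.password_date BETWEEN a.approved_from AND a.approved_to);

-- 2. Login spike: days on which SYSADMIN logged in more than three times its
--    90-day daily average. FND_LOGINS is only populated when the profile
--    "Sign-On:Audit Level" is USER or higher, so check that setting first.
WITH daily AS (
  SELECT TRUNC(l.start_time) AS login_day, COUNT(*) AS logins
    FROM fnd_logins l
    JOIN fnd_user u ON u.user_id = l.user_id
   WHERE u.user_name = 'SYSADMIN'
     AND l.start_time >= SYSDATE - 90
   GROUP BY TRUNC(l.start_time)
)
SELECT login_day, logins, ROUND(avg_daily, 1) AS avg_daily
  FROM (SELECT login_day, logins, AVG(logins) OVER () AS avg_daily FROM daily)
 WHERE logins > 3 * avg_daily
 ORDER BY login_day;

-- 3. Profile option values last changed by SYSADMIN in the past 30 days that
--    fall outside every approved window for that option.
SELECT t.user_profile_option_name, v.level_id, v.profile_option_value,
       v.last_update_date
  FROM fnd_profile_option_values v
  JOIN fnd_profile_options    o ON o.profile_option_id = v.profile_option_id
  JOIN fnd_profile_options_tl t ON t.profile_option_name = o.profile_option_name
                               AND t.language = USERENV('LANG')
  JOIN fnd_user u ON u.user_id = v.last_updated_by
 WHERE u.user_name = 'SYSADMIN'
   AND v.last_update_date >= SYSDATE - 30
   AND NOT EXISTS (
         SELECT 1
           FROM xx_cm_approvals a
          WHERE a.object_type = 'PROFILE_OPTION'
            AND a.object_name = t.user_profile_option_name
            AND v.last_update_date BETWEEN a.approved_from AND a.approved_to)
 ORDER BY v.last_update_date DESC;
```

Query 3 only sees the latest change to each value, because FND_PROFILE_OPTION_VALUES keeps no history; if the perpetrator sets an option and later sets it back, only the second change is visible, which is why the slides recommend AuditTrail or trigger-based logging on setup tables rather than relying on the WHO columns alone.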
31. Recommendations
Conduct a thorough analysis of the system to identify SQL forms (see references) and also control risks on master data and system setup forms. Review users that have access to any two of the following three risk areas: system setups, master data, transaction forms. If there are no system controls, there should be well-documented and closely monitored manual controls. System controls are recommended and should cover the following:
• Segregation of Duties
• Change Control
• System Auditing or Monitoring

32. Best Practices
• Segregation of duties
  • It is not all about transaction forms. If users do not need to see data such as bank accounts, do not let them. This keeps people from seeing temptation.
  • Do not allow end users to have access to SQL forms. These are meant to be configured as part of the system and not as a day-to-day production task.
  • An overall risk assessment should highlight those with access to these areas and SQL forms
• Change Control
  • Do not allow sensitive information or master data to be changed without a good change process.
  • Master data management can be a great success to an organization, or a great risk.
  • Changes to system setups such as SQL forms should be under change control
• System Auditing or Monitoring
  • Audit key data for setups and master data
  • Review audit reports regularly to reconcile approved activity to actual activity
  • Remediate conditions that led to any unauthorized activity

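As an added example (not from the webinar) of the analysis that slides 31 and 32 call for, the first query below lists every active user and responsibility whose menu tree reaches one of the two SQL forms used in the scenarios, and the second lists the Alert actions already defined with SQL-script or OS-script bodies. It uses standard FND and ALR tables. Assumptions to verify on your instance: the Forms module names ALRALERT (Define Alert) and QLTPLMDF (Collection Plans), and the ALR_ACTIONS.ACTION_TYPE codes 'S' (SQL script) and 'O' (OS script). Function-level exclusions are honoured; menu-level exclusions (FND_RESP_FUNCTIONS.RULE_TYPE = 'M') are not, so treat the first result as a superset to review.

```sql
-- Added example, not from the webinar. Standard FND/ALR tables.
-- Assumptions: form names ALRALERT and QLTPLMDF; ALR_ACTIONS.ACTION_TYPE
-- 'S' = SQL script, 'O' = OS script. Menu-level exclusions are not applied.

-- 1. Who can reach the Define Alert or Collection Plans form right now?
WITH target_functions AS (
  SELECT ff.function_id, ff.function_name, f.form_name
    FROM fnd_form_functions ff
    JOIN fnd_form f ON f.form_id        = ff.form_id
                   AND f.application_id = ff.application_id
   WHERE f.form_name IN ('ALRALERT', 'QLTPLMDF')
),
menu_tree AS (
  -- (responsibility top menu, granted function) pairs, walking sub-menus
  SELECT CONNECT_BY_ROOT me.menu_id AS root_menu_id, me.function_id
    FROM fnd_menu_entries me
   WHERE me.function_id IS NOT NULL
     AND me.grant_flag = 'Y'
   START WITH me.menu_id IN (SELECT menu_id FROM fnd_responsibility)
  CONNECT BY NOCYCLE PRIOR me.sub_menu_id = me.menu_id
)
SELECT u.user_name, rt.responsibility_name, tf.form_name, tf.function_name
  FROM fnd_user u
  JOIN fnd_user_resp_groups urg
    ON urg.user_id = u.user_id
   AND SYSDATE BETWEEN urg.start_date AND NVL(urg.end_date, SYSDATE + 1)
  JOIN fnd_responsibility r
    ON r.responsibility_id = urg.responsibility_id
   AND r.application_id   = urg.responsibility_application_id
   AND SYSDATE BETWEEN r.start_date AND NVL(r.end_date, SYSDATE + 1)
  JOIN fnd_responsibility_tl rt
    ON rt.responsibility_id = r.responsibility_id
   AND rt.application_id   = r.application_id
   AND rt.language         = USERENV('LANG')
  JOIN menu_tree        mt ON mt.root_menu_id = r.menu_id
  JOIN target_functions tf ON tf.function_id  = mt.function_id
 WHERE SYSDATE BETWEEN u.start_date AND NVL(u.end_date, SYSDATE + 1)
   AND NOT EXISTS (            -- function excluded on this responsibility
         SELECT 1
           FROM fnd_resp_functions rf
          WHERE rf.responsibility_id = r.responsibility_id
            AND rf.application_id   = r.application_id
            AND rf.rule_type        = 'F'
            AND rf.action_id        = tf.function_id)
 ORDER BY u.user_name, rt.responsibility_name, tf.form_name;

-- 2. Alerts that already carry SQL-script or OS-script actions, and who
--    created or last touched them. The statement text itself sits in the
--    LONG columns ALR_ALERTS.SQL_STATEMENT_TEXT and ALR_ACTIONS.BODY, which
--    cannot be filtered in SQL; pull them in SQL*Plus or PL/SQL for review.
SELECT al.alert_name,
       al.enabled_flag AS alert_enabled,
       DECODE(al.alert_condition_type, 'E', 'Event', 'P', 'Periodic',
                                       al.alert_condition_type) AS kind,
       ac.name AS action_name,
       DECODE(ac.action_type, 'S', 'SQL script', 'O', 'OS script',
                              ac.action_type) AS action_type,
       ac.enabled_flag AS action_enabled,
       cu.user_name AS created_by,      ac.creation_date,
       lu.user_name AS last_updated_by, ac.last_update_date
  FROM alr_alerts  al
  JOIN alr_actions ac ON ac.alert_id       = al.alert_id
                     AND ac.application_id = al.application_id
  LEFT JOIN fnd_user cu ON cu.user_id = ac.created_by
  LEFT JOIN fnd_user lu ON lu.user_id = ac.last_updated_by
 WHERE ac.action_type IN ('S', 'O')
 ORDER BY ac.last_update_date DESC;
```

Run the first query against each of the three risk areas (system setups, master data, transaction forms) by swapping the form list, and intersect the results to find users with access to two or more; run the second query on a schedule and diff it against the previous run so that an alert action created and deleted between reviews, as in Scenario 2, still leaves a trace outside the application.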
33. Monitoring Strategies
• Record History (row who?)
  • Limitations
• Advanced Oracle Auditing
  • Pros
  • Cons
• Alerts
  • Pros
  • Cons
• Triggers / Logs
  • Pros
  • Cons

34. Q&A
• Any questions that we do not get to will be addressed via email
• Please email all other questions to the presenters directly
• Webinar replays at www.kbace.com, Services tab > Webinars (http://www.kbace.com/Services/Webinars.aspx)

35. Thank You
Daryl Geryol, Practice Director - GRC Services, KBACE: dgeryol@kbace.com, www.kbace.com, (262) 649.2916
Jeffrey Hare, CPA CISA CIA - ERP Seminars: jhare@erpseminars.com, www.erpseminars.com, www.oubpb.com, (602) 769.9094