By now it is common knowledge that the 2018 Q4 System and Organizational Controls 1 (SOC 1) Type 2 report issued for Oracle’s Cloud services came with a qualified opinion. In short, Oracle’s external auditor identified control deviations during their scheduled audit efforts, which focused on the April 1 to September 30, 2018 timeframe. But what does that translate to for organizations that opted for Oracle ERP Cloud over traditional on-premise options (e.g. E-Business Suite [EBS])? Well, that likely varies by organization and is highly dependent upon several factors, including the current “health” of your organization’s internal control framework (i.e. prior year control deficiencies). Equally important is understanding why the qualified opinion was issued in the first place, what it is used for and where it ultimately landed.
First – what is a SOC1 “opinion”? It is a summary of a professional, independent auditor’s review of a service provider’s internal controls; it primarily focuses on whether or not the organization properly designed and implemented controls that operate effectively to mitigate key risks related to the services it provides to its clients.
- Unqualified: The company has an appropriate control structure and the controls operated effectively within the given audit period
- Qualified: The company has an appropriate control structure and the controls operated effectively within the given period EXCEPT FOR A CERTAIN AREA
Second – why was a qualified opinion issued? This particular SOC1 isn’t a short read (75 pages long), but it’s important to focus on the actual drivers behind the opinion, specifically Oracle’s internal change management process.
- Write or “edit” access to Oracle’s version control software is supposed to be restricted to accounts that only developers can access.
- However, 1 of the 35 users selected for testing who had write access wasn’t a developer. In response, management subsequently confirmed this particular user did not utilize their write access and removed their access.
- Oracle’s version control software is supposed to be configured to require approval before code can be merged.
- Although it was configured to require approval, users with access to approve merge requests were likely able to approve their own merge requests, which yields a segregation of duties concern. In response, management confirmed that each user with the ability to approve merge requests has a unique ID and plans to update the version control software to prevent end-users from approving their own merge requests and to track the user (by name) who approves a request.
- The Fusion Compliance Team is supposed to perform a quarterly review of users with access to develop and implement changes for the Fusion applications. This includes reviewing activity logs to monitor for potential segregation of duties violations; the results should ultimately be reviewed and approved by the Director of Cloud Compliance Operations.
- For one quarter’s review, management only reviewed cases in which developers made changes in the code repository AND accessed the production environment on the same day. Completeness was also lacking, as not all logs representing actual activity by users with access to develop and implement changes were reviewed. In response, management subsequently reduced the duration privileged access can be maintained – from 30 days to 1 day.
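To make the two change-management gaps above concrete, here is an added example (not Oracle’s or the auditor’s own tooling) that runs the checks an internal review would perform over constructed merge-request and activity-log records: flagging self-approved merge requests, and comparing the incomplete “same-day only” developer review against a complete review of all repository and production activity in the period. The record fields and user names are assumptions for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not real Oracle records). Field names are assumptions.
MERGE_REQUESTS = [
    {"id": "MR-1", "author": "dev_a", "approver": "dev_b"},
    {"id": "MR-2", "author": "dev_b", "approver": "dev_b"},  # author approved own MR
    {"id": "MR-3", "author": "dev_c", "approver": "lead_x"},
]

# (user, day, action); action is "repo_commit" or "prod_access"
ACTIVITY_LOG = [
    ("dev_a", date(2018, 5, 2), "repo_commit"),
    ("dev_a", date(2018, 5, 2), "prod_access"),   # same day: caught by narrow review
    ("dev_b", date(2018, 5, 3), "repo_commit"),
    ("dev_b", date(2018, 5, 10), "prod_access"),  # different days: missed by narrow review
    ("dev_c", date(2018, 6, 1), "repo_commit"),   # no production access: not a concern
]


def self_approved(merge_requests):
    """Return ids of merge requests approved by their own author (SoD violation)."""
    return [mr["id"] for mr in merge_requests if mr["author"] == mr["approver"]]


def sod_review(log, same_day_only):
    """Flag users who both changed code and accessed production in the period.

    same_day_only=True mirrors the incomplete quarterly review the auditor noted
    (only same-day commit + production access is examined); False reviews all
    activity, which is what a complete review of the logs requires.
    """
    commits, prod = defaultdict(set), defaultdict(set)
    for user, day, action in log:
        if action == "repo_commit":
            commits[user].add(day)
        elif action == "prod_access":
            prod[user].add(day)
    flagged = set()
    for user in commits:
        if user not in prod:
            continue
        if not same_day_only or (commits[user] & prod[user]):
            flagged.add(user)
    return sorted(flagged)
```

Running both review modes over the same log shows how the narrow filter drops a developer whose commit and production access fall on different days.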
NOTE: an additional Change Management control deviation was noted, related to Enterprise Performance Management (EPM), but this blog focuses on SOC1 impacts to Oracle Enterprise Resource Planning (ERP) Cloud.
Third, and most important – where did it land? The net-net is:
- Oracle’s external auditor performed additional testing (i.e. examining change tickets to determine that they were appropriately approved, had a business case, and that segregation of duties was in place), and
- Oracle implemented additional complementary controls.
On January 25, 2019, Oracle’s external auditor concluded that the controls with prior deviations for the period April 1 – September 30, 2018 were appropriately designed AND operating effectively from October 1 – December 31, 2018.
Given the external auditor’s eventual January conclusion regarding Oracle’s change management controls’ design and operating effectiveness, this should help organizations breathe a sigh of relief…right? Not necessarily. Soon after the SOC1’s issuance, we learned that an Oracle ERP Cloud customer – who had a prior significant deficiency related to their internal change management process – was facing pressure from their external auditor to accept a change management material weakness. It is our stance that 1+1 (internal control deviations + SOC1 opinions) does not always equal 2 (significant deficiency or material weakness), in this type of scenario.
Organizations initially believed that by choosing a SaaS model over an on-prem tool, they were, in essence, shifting risk responsibility to the external service provider – but the prior example of an external auditor leaning toward an all-encompassing risk perspective introduces the need for updated thinking. So what can you do to get ahead of future Oracle Fusion SOC1 issuances, and further safeguard your organization from potential auditor opinions?
- Participate in optional, third-party organized roll-out testing: SaaS providers like Oracle offer (and encourage!) participation in proactive testing windows. Prior to rolling out a quarterly update, Oracle communicates the intended changes and offers a window to get exposure to new features and changes. This represents an opportunity for organizations to safely simulate business process situations, specifically with the intent of scrutinizing updated system accuracy, integrity, and internal control relevance.
- Develop and maintain an appropriate play-book: Similar to an implementation’s lifecycle, regression testing is necessary whenever any substantial change (code and/or configuration) is introduced to a previously baselined instance. Therefore, in anticipation of Oracle’s quarterly updates, organizations utilizing the Cloud product should have a sequenced series of events to run through, including the execution of business process controls which may detect material issues. This “play-book” increases the likelihood of identifying business disruptions (i.e. bugs) before they become a reality and should be tailored to the enterprise’s critical business functions and those ultimately impacting financial reporting.
The above proactive steps could aid in minimizing an organization’s risk exposure related to SOC1 opinions.