Oracle ERP Cloud Users Take Note – Oracle’s Fusion (Cloud) 2018 Q4 SOC1 Issued with Auditor Opinion

By now it is common knowledge that the 2018 Q4 System and Organizational Controls 1 (SOC 1) Type 2 report issued for Oracle’s Cloud services came with a qualified opinion. In short, Oracle’s external auditor identified control deviations during their scheduled audit efforts, which focused on the April 1 to September 30, 2018 timeframe. But what does that translate to for organizations that opted for Oracle ERP Cloud over traditional on-premise options (e.g. E-Business Suite [EBS])? Well, that likely varies by organization and is highly dependent upon several factors, including the current “health” of your organization’s internal control framework (i.e. prior year control deficiencies) – equally important is understanding why the qualified opinion was issued in the first place, what it is used for and where it ultimately landed.

First – what is a SOC1 “opinion”? It is the written conclusion of a professional, independent auditor’s review of a service provider’s internal controls; it primarily focuses on whether or not the organization properly designed and implemented controls that operate effectively to mitigate key risks related to the services it provides to its clients.

  • Unqualified: The company has an appropriate control structure and the controls operated effectively within the given audit period
  • Qualified: The company has an appropriate control structure and the controls operated effectively within the given period EXCEPT FOR A CERTAIN AREA

Second – why was a qualified opinion issued? This particular SOC1 isn’t a short read (75 pages long), but it’s important to focus on the actual drivers behind the opinion, specifically Oracle’s internal change management process.

  1. Write or “edit” access to Oracle’s version control software is supposed to be restricted to accounts that only developers can access.
    • However, 1 of the 35 users selected for testing who had write access wasn’t a developer. In response, management subsequently confirmed this particular user had not utilized their write access and removed that access.
  2. Oracle’s version control software is supposed to be configured to require approval before code can be merged.
    • Although it was configured to require approval, users with access to approve merge requests were likely able to approve their own merge requests, which yields a segregation of duties concern. In response, management confirmed that each user with the ability to approve merge requests has a unique ID and plans to update the version control software to prevent end-users from approving their own merge requests and to track the user (by name) that approves a request.
  3. The Fusion Compliance Team is supposed to perform a quarterly review of users with access to develop and implement changes for the Fusion applications. This includes reviewing activity logs to monitor for potential segregation of duties violations; the results of the review should ultimately be reviewed/approved by the Director of Cloud Compliance Operations.
    • For one quarter’s review, management only reviewed instances in which developers made changes in the code repository AND accessed the production environment on the same day. Completeness was also lacking, as not all logs representing actual activity by users with access to develop and implement changes were reviewed. In response, management subsequently reduced the duration for which privileged access can be maintained – from 30 days to 1 day.
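The three deviations above map to three checks an organization can run against its own (or its provider’s) change-management evidence. The following is an added example, not code from the original post and not anything Oracle or its auditor uses: it checks repository write access against a developer roster, flags merge requests that were self-approved or merged without approval, and correlates a commit log with a production access log. The correlation takes a window parameter so that the “same day only” review described in point 3 (window of 0 days) can be compared with a review covering the full period for which privileged access could be held (30 days). All data, log formats and field names are constructed for the example.

```python
"""Constructed example of three change-management checks. All sample data and
formats below are assumptions for illustration, not from Oracle or the SOC1 report."""
from datetime import datetime

# Assumed developer roster (the population that should hold write access).
DEVELOPERS = {"alice", "bob", "carol"}

# Assumed ACL export: user -> permission level on the code repository.
REPO_ACL = {"alice": "write", "bob": "write", "carol": "write",
            "dave": "write",   # not a developer, but holds write access
            "erin": "read"}

# Assumed merge-request export: (id, author, approver); None = merged without approval.
MERGE_REQUESTS = [
    ("MR-101", "alice", "bob"),
    ("MR-102", "bob", "bob"),     # author approved their own request
    ("MR-103", "carol", None),    # no approval recorded
]

# Assumed commit log: (user, ISO timestamp) of changes pushed to the repository.
COMMITS = [
    ("alice", "2018-06-03T09:12:00"),
    ("bob",   "2018-06-10T16:40:00"),
    ("carol", "2018-06-12T11:05:00"),
]

# Assumed production access log: (user, ISO timestamp) of privileged logins.
PROD_ACCESS = [
    ("alice", "2018-06-03T14:30:00"),  # same day as her commit
    ("bob",   "2018-06-11T08:05:00"),  # the day after his commit: a same-day review misses this
    ("carol", "2018-07-20T10:00:00"),  # 38 days later: outside a 30-day window
]

TS_FMT = "%Y-%m-%dT%H:%M:%S"


def non_developer_writers(acl, developers):
    """Control 1: users holding repository write access who are not on the developer roster."""
    return sorted(user for user, perm in acl.items()
                  if perm == "write" and user not in developers)


def unapproved_or_self_approved(merge_requests):
    """Control 2: merge requests with no approver, or approved by their own author."""
    return sorted(mr_id for mr_id, author, approver in merge_requests
                  if approver is None or approver == author)


def sod_violations(commits, prod_access, window_days):
    """Control 3: users who pushed code and accessed production within window_days
    (calendar days) after the commit. window_days=0 reproduces a same-day-only review;
    window_days=30 covers the full period privileged access could previously be held."""
    access_by_user = {}
    for user, ts in prod_access:
        access_by_user.setdefault(user, []).append(datetime.strptime(ts, TS_FMT).date())
    flagged = set()
    for user, ts in commits:
        committed = datetime.strptime(ts, TS_FMT).date()
        for accessed in access_by_user.get(user, []):
            if 0 <= (accessed - committed).days <= window_days:
                flagged.add(user)
    return sorted(flagged)


if __name__ == "__main__":
    print("Non-developers with write access:", non_developer_writers(REPO_ACL, DEVELOPERS))
    print("Unapproved / self-approved merges:", unapproved_or_self_approved(MERGE_REQUESTS))
    print("SoD hits, same-day review:", sod_violations(COMMITS, PROD_ACCESS, 0))
    print("SoD hits, 30-day window:", sod_violations(COMMITS, PROD_ACCESS, 30))
```

Running the script with the constructed data shows why the completeness point matters: the same-day review flags only alice, while a 30-day window also catches bob, whose production access fell the day after his commit. Shortening the privileged-access duration to one day, as the post describes, narrows the window the review has to cover, but the review still has to include every log line for the population, not a sample of same-day coincidences.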

NOTE: an additional Change Management control deviation was noted, related to Enterprise Performance Management (EPM), but this blog focuses upon SOC1 impacts to Oracle Enterprise Resource Planning (ERP) Cloud.

Third, and most important – where did it land? The net-net is:

  • Oracle’s external auditor performed additional testing (i.e. examining change tickets to determine that they were appropriately approved, had a business case, and that segregation of duties was in place), and
  • Oracle implemented additional complementary controls.

On January 25, 2019, Oracle’s external auditor concluded that the controls with prior deviations for the period April 1 – September 30, 2018 were appropriately designed AND effective from October 1 – December 31, 2018.

Given the external auditor’s eventual January conclusion regarding the design and operating effectiveness of Oracle’s change management controls, this should help organizations breathe a sigh of relief…right? Not necessarily. Soon after the SOC1’s issuance, we learned that an Oracle ERP Cloud customer – who had a prior significant deficiency related to their internal change management process – was facing pressure from their external auditor to accept a change management material weakness. It is our stance that 1+1 (internal control deviations + SOC1 opinions) does not always equal 2 (significant deficiency or material weakness) in this type of scenario.

Organizations initially believed that by choosing a SaaS model over an on-prem tool, they were, in essence, shifting risk responsibility to the external service provider – but the prior example of an external auditor leaning toward an all-encompassing risk perspective introduces the need for updated thinking. So what can you do to get ahead of future Oracle Fusion SOC1 issuances, and further safeguard your organization from potential auditor opinions?

  1. Participate in optional, third-party organized roll-out testing: SaaS providers like Oracle offer (and encourage!) participation in proactive testing windows. Prior to rolling out a quarterly update, Oracle communicates the intended changes and offers a window to get exposure to new features and changes. This represents an opportunity for organizations to safely simulate business process situations, specifically with the intent of scrutinizing updated system accuracy, integrity, and internal control relevance.
  2. Develop and maintain an appropriate play-book: Similar to an implementation’s lifecycle, regression testing is necessary whenever any substantial change (code and/or configuration) is introduced to a previously baselined instance. Therefore, in anticipation of Oracle’s quarterly updates, organizations utilizing the Cloud product should have a sequenced series of events to run through, including the execution of business process controls which may detect material issues. This “play-book” increases the likelihood of identifying business disruptions (i.e. bugs) before they become a reality and should be tailored to the enterprise’s critical business functions and those ultimately impacting financial reporting.

The above proactive steps could aid in minimizing an organization’s risk exposure related to SOC1 opinions.

Garrett Burnell

Associate Director
Technology Consulting – Enterprise Application Solutions
