Solihull Metropolitan Borough Council. IT Audit Findings Report September 2015




Version: Responses v6.0 SMBC Management Response July 2015
Financial Year: 2014/2015

Key to assessment of internal control deficiencies
- Material weakness - risk of material misstatement
- Significant deficiency - risk of significant misstatement
- Deficiency - risk of inconsequential misstatement

2015 Grant Thornton UK LLP September 2015

Introduction

The recommendations of the external auditors have been reviewed by relevant SMBC managers and a solutions schedule is set out below. The delivery of the completion dates will be monitored by internal audit.

Control | Title | Auditors Risk Assessment | SMBC Solution effort/complexity assessment | Scheduled completion date
Control 1 | Oracle EBS user management and governance (Controls 1-7) | Significant | Multiple responses; see controls 2-7 | Multiple dates for controls 2-7; see below.
Control 2 | Excessive number of system administrators in Oracle EBS | Significant | High | December 2015
Control 3 | Users self-assigning responsibilities in Oracle EBS | Significant | High | December 2015
Control 4 | Excessive privileges assigned to generic accounts in Oracle EBS | Significant | Medium | October 2015
Control 5 | Audit logging is not fully enabled and configured in Oracle EBS | Significant | Medium | October 2015
Control 6 | Users with 'processes tab' functionality in Oracle EBS | Deficiency | Low | 31 July 2015
Control 7 | Users with inappropriate access to elevated accounts | Deficiency | Low | 31 August 2015
Control 8 | Weak Northgate logical access controls | Deficiency | Low | DONE
Control 9 | Weak Oracle EBS logical access controls | Deficiency | Low | DONE
Control 10 | Users without password expiration date | Deficiency | Low | 31 July 2015
Control 11 | Access rights and responsibilities assigned are not periodically reviewed (Oracle EBS) | Deficiency | High | December 2015
Control 12a | Removal of leavers user access rights | Deficiency | Medium | Short term fix October 2015
Control 12b | | Deficiency | Medium | Medium term fix December 2015
Control 12c | | Deficiency | High | Long term fix To be prioritised and scheduled

1. Oracle EBS user management and governance

Issue and risk:
We observe that there is no clear separation between users responsible for business functions and users with access to IT functions and utilities. There is no evidence that an effective role based access control (RBAC) process is in place, nor is there evidence that segregation of duties is properly managed within the application. This weakness manifests itself with IT users having the ability to create and post financial transactions and business users having access to certain system administration functions. We also noted that certain users have the ability to increase their own level of systems access and may have done so without requiring authorisation from an appropriate person.

In complex Enterprise Resource Planning (ERP) systems such as Oracle EBS, the assignment of user privileges must be carefully considered to avoid excessive access and the potential lack of segregation of duties that can follow as a result. We noted, for example, that IT users were regularly using the SYSADMIN default account which has full system access. The potential for certain users to change their own access without authorisation is a clear violation of best practice, undermines information governance principles and is likely to increase the level of incompatible duties as well as increasing the possibility of users incorrectly posting financial entries due to unfamiliarity with the application's functionality.

The lack of control over information governance, excessive access and segregation of duties conflicts can increase the risk of fraudulent activity and lead to unreliable financial reporting. We also note that it is possible that existing management controls may not be sufficient to compensate where those risks are not fully understood.

Recommendation:
Solihull MBC IT Security Policy provides a framework to manage user access. Management should consider how to enforce this at all levels of the organisation including those staff managing the IT environment and applications. The following principles should be considered:
- enforcing appropriate authorisation of role and responsibility changes
- restricting System Administrator privileges to only those that need them based on operational requirements (see Issue 2)
- removing full System Administrator responsibility from created roles that do not require this level of access and restrict access to only those functions that the role requires (see Issue 2)
- eliminating self-assignment of responsibilities (see Issue 3)
- reinstating SYSADMIN privileges to its 'out of the box' role (see Issue 4)
- removing access to the process tab in all cases (see Issue 6)
- creating responsibilities specific to roles based on the 'least privilege' principle and remove multiple accounts for individual users (see Issue 7)
Assessing the appropriateness of the above measures would benefit from further analysis relating to segregation of duties conflicts and this should be conducted as soon as possible.

Management response:
We acknowledge the points made and agree, except for IT users were regularly using the SYSADMIN default account. This is not a regular occurrence and only used for scheduling required concurrent processes. For this issue and for all other issues in this report as indicated solutions to these controls are scheduled as below.

2. Excessive number of system administrators in Oracle EBS

Issue and risk:
There are 43 accounts within the system that have the ability to perform system administrator functions. Not all of these users are members of the IT function. Of these:
- 16 users have the 'System Administrator' responsibility assigned to them
- 27 users have been assigned 'View Users', 'Password reset' or 'Purchasing User Details'; these responsibilities are seen as a 'backdoor' which allows individuals to create new users, reset passwords and assign privileges (including their own); this is not a standard Oracle process or seen as maintaining best practice
Users within Oracle EBS are considered to have system administrator abilities if they can access the forms that allow the creation or modification of user accounts or reset passwords.

Recommendation:
Management should consider:
- restricting System Administrator privileges to only those that need them based on operational requirements
- create responsibilities specific to roles based on the 'least privilege' principle

Management response:
We believe that some of the numbers are not quite right, but the principle of the concern is sound. We will revise and update both IT and financial operations access.
Action: This work requires review, discussion and documentation of requirements and access with users, as well as ensuring good documentation and processes are in place to maintain the security control. This will be completed by December 2015.

3. Users self-assigning responsibilities in Oracle EBS

Issue and risk:
We identified that in the period under review there have been 14 instances where users have assigned additional access rights to themselves in the production environment. These users are not all located within the Oracle EBS support functions. When users have done this they have not end-dated the responsibility and therefore retain access to it permanently. Information governance is undermined by such actions. Users should not be permitted to assign themselves additional responsibilities, especially where there is no evidence of monitoring user activity.

Recommendation:
Staff should be prohibited by policy from self-assigning additional functionality. In instances where support staff require additional functionality, for example when resolving an emergency, this should be supported by after the fact documentation and authorization. Where administrative staff require additional functionality this should be formally authorized and approved with the responsibility end-dated accordingly. An audit log monitoring process should be established to identify occasions when users have self-assigned themselves privileges.

Management response:
We consider that the actions identified to resolve control 2 will also resolve control 3. This is therefore also scheduled to complete for December 2015.
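One way the monitoring recommended for control 3 could be run over an export of responsibility assignments (an added example, not part of the audit report or of SMBC's systems). The column names and sample rows are constructed assumptions, not an Oracle EBS schema; the list of administration-capable responsibilities is taken from control 2.

```python
import csv
import io
from datetime import date

# Responsibilities the report (control 2) treats as giving system
# administrator abilities.
ADMIN_CAPABLE = {
    "System Administrator",
    "View Users",
    "Password reset",
    "Purchasing User Details",
}

# Constructed sample export. Column names are assumptions for illustration.
SAMPLE_EXPORT = """user_name,responsibility,assigned_by,assigned_on,end_date
JSMITH,Payables Manager,JSMITH,2015-02-03,
JSMITH,General Ledger Super User,ADMIN01,2015-01-10,
ADMIN01,Purchasing Super User,ADMIN01,2015-03-01,2015-03-02
KPATEL,Password reset,KPATEL,2015-04-20,
LBROWN,Receivables Manager,ADMIN01,2015-05-05,2015-12-31
"""

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def parse_date(text):
    """Return a date for an ISO string, or None for an empty field."""
    text = text.strip()
    return date.fromisoformat(text) if text else None


def find_self_assignments(export_text, as_of):
    """List assignments where the assigner and the recipient are the same user.

    Severity:
      high   - still active and administration-capable
      medium - still active (not end-dated, or end date not yet reached)
      low    - already end-dated; needs after-the-fact authorisation evidence
    """
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["user_name"].strip().upper()
        assigner = row["assigned_by"].strip().upper()
        if user != assigner:
            continue  # assigned by someone else: outside this check

        end = parse_date(row["end_date"])
        active = end is None or end >= as_of
        admin = row["responsibility"].strip() in ADMIN_CAPABLE
        if active and admin:
            severity = "high"
        elif active:
            severity = "medium"
        else:
            severity = "low"

        findings.append({
            "user": user,
            "responsibility": row["responsibility"].strip(),
            "assigned_on": parse_date(row["assigned_on"]),
            "end_dated": end is not None,
            "severity": severity,
        })

    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["user"]))
    return findings


if __name__ == "__main__":
    for f in find_self_assignments(SAMPLE_EXPORT, date(2015, 6, 30)):
        print(f["severity"], f["user"], f["responsibility"],
              "end-dated" if f["end_dated"] else "open-ended")
```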

4. Excessive privileges assigned to generic accounts in Oracle EBS

Issue and risk:
There are 41 additional responsibilities assigned to the SYSADMIN account. A number of these are default, unsegregated responsibilities that Oracle EBS is provided with (see Issue 6). We also identified that one individual user has four system administration accounts. This violates the principle of accountability and is indicative of poor management processes.

The highest level account in Oracle EBS is the SYSADMIN account. This ships with the application and cannot be locked or disabled as it is required to perform maintenance tasks and upgrades. Best practice is that this account should only be used when required and as such it should not have any responsibilities assigned to it other than the default 'System Administrator'. As a generic account this presents a risk that users can access the account and use it to perform inappropriate or fraudulent transactions without any accountability. These responsibilities could allow users to perform end-to-end transactions and/or modify standing data, enabling fraud to be committed without detection.

Recommendation:
Management should consider:
- restoring the SYSADMIN account to its original settings
- establish audit logging on the SYSADMIN account to identify any changes to it
- if additional responsibilities are required for a specific reason, they should be supported by an authorised change request and end-dated

Management response:
Generic Sys Admin has ability to do more than is necessary and scheduled jobs (like PO workflow and CRM Calendars) use this level of privilege. The pre-requisite to restoring SYSADMIN to its original settings is to remove sys admin from scheduled jobs. We expect to complete this for October 2015.

5. Audit logging is not fully enabled and configured in Oracle EBS

Issue and risk:
We note that some auditing processes and alerts have been created and enabled. However, these have not been fully configured and updated and can be easily by-passed by other users with elevated privileges. By default, Oracle EBS automatically records the user and time that a financial or system record was created and last updated. It does not record what was changed, nor detail all changes between the point of creation and the last update.

There is a risk that inappropriate or unauthorised activity within a high risk area of the application is not detected in a timely fashion. A user could disguise fraudulent activity by making a change, waiting for the change to be processed and then changing the record back to its original state; the only record of change would be the most recent.

Recommendation:
Management should implement the audit logging of key areas of the system on a risk-based approach. These logs should be secured against unauthorised access and retained for a sufficient period. A procedure should be introduced to ensure that audit logs of high-risk areas are subject to periodic review by a user independent of the function. To aid management, a list of best practice forms/functions to consider enabling audit logs is provided below:
- Application controls: Journal Sources, Journal Authorisation Limits, Approval Groups, Adjustment Approval limits (AR), Receivables activities (AR), Line Types (PO), Document Types (PO), Approval Groups (PO), Approval Group Assignments (PO), Approval Group Hierarchies (PO), tolerances, item Master Setups, Item Categories
- Affect Business Processes: Profile Options, Descriptive Flexfields, Key Flexfields, Value Set Changes
- Development: Concurrent Programs, Executable, Functions, SQL forms
- Security: Menus, Roles, Responsibilities, Request Groups, Security Profiles, SQL forms such as Dynamic Trigger maintenance, Define Profile Options, Alerts, Collection Plans
- Fraud related: Suppliers, Remit-To-Addresses, Locations, Bank Accounts

Management response:
Internal Audit have agreed to do the periodic review of audit trails. Internal Audit will liaise with IT and agree which fields to audit track by October 2015. Agreed Audit tracking to be switched on shortly afterwards.

6. Users with 'processes tab' functionality in Oracle EBS

Issue and risk:
There are an excessive number of users that have access to the 'process tab' in Oracle EBS at Solihull MBC. The 'processes tab' (also known as 'AZN menus') is a known security risk present within Oracle EBS. It is used for system developers during the implementation stage to easily configure business workflows and should not be enabled within the production environment.

The processes tab displays workflows diagrammatically, however it also enables the related functions to be performed, bypassing the responsibilities allocated to a user. For example a user with the out of the box responsibility 'Payables Manager' can view the accounts payable workflow on the processes tab. This will also enable the user to perform any of these stages, such as make a payment. Of particular risk is the 'Application Developer' responsibility that allows full access to most business processes within Oracle EBS.

Users are able to have unsegregated access to whole processes that system administrators and management are not aware of. There is a risk of users being able to perform end-to-end transactions that could be used to commit fraudulent activity. The risk of such changes not being detected is increased by the absence of effective audit logging.

Recommendation:
A review should be undertaken to identify all responsibilities in use that could be exploited using the processes tab functionality. These can be identified by reviewing responsibilities for menus that include the string %AZN%. Exclusions should then be used to ensure that no responsibilities in use have access to these menus. To aid management the following responsibilities are in use that are either default responsibilities, or direct copies of them.

Responsibility | No. of users
Application Developer | 11
ACA General Ledger Super User | 7
ACA Payables Manager | 4
ACA Purchasing Super User | 9
ACA iprocurement | 4
GX General Ledger Super User | 3
GX Payables Manager | 3
GX Purchasing Super User | 6
GX iprocurement | 1
General Ledger Super User | 5
LDC Payables Manager | 3
LDC Purchasing Superuser | 9
Payables Manager | 7
Purchasing Super User | 12
RESPONSIBILITY_NAME | 1
Receivables Manager | 12
SCH General Ledger Super User | 5

Management response:
This functionality is not used in SMBC, so can simply be switched off. Completion scheduled for August 2015.

7. Users with inappropriate access to elevated accounts

Issue and risk:
A responsibility for second-line Oracle EBS support staff to enable password resets has been created and is provided to 24 users. A weakness of Oracle EBS's password management controls is that the password of any account can be changed. There is no process whereby new passwords are automatically emailed to the user; the system administrator is only required to type a new one in.

There is therefore a risk that these 24 users could hijack privileged accounts, for example those shipped with the application or those of system administrators, through changing their passwords. These users could perform inappropriate or fraudulent transactions whilst covering their tracks due to using another's account. This risk is compounded due to the absence of pro-active monitoring of audit logs.

Recommendation:
Management should consider:
- restricting the number of staff with this level responsibility
- enable logging on and independently monitor regularly (see Issue 5)

Management response:
We will remove password reset access privileges from the ICT service desk for both SMBC and Lichfield District Council (for whom we run a shared service). This will have the added efficiency benefit of driving more password resets to self service.

8. Weak Northgate logical access controls

Issue and risk:
The password settings for users with the 'First Default' profile are inadequate as passwords must only be a minimum of three characters long. The 'First-Default' profile is allocated to system administrators of the Northgate application. Users with this profile have access to all system administration functionality, including creating users and modifying access rights or system parameters.

These users have the most privileged level of access within the system. Strong logical access controls are necessary to adequately reduce the risk of unauthorised access being obtained through password guessing or brute force attacks. Such unauthorised access could lead to fraudulent activity or individuals having inappropriate access to information.

Recommendation:
Passwords for all profiles within Northgate should be set to a minimum of eight characters.

Management response:
Done

9. Weak Oracle EBS logical access controls

Issue and risk:
The following weaknesses are in the system password settings for the Oracle EBS application:
- Passwords are only required to be a minimum of six characters
- Users are not prevented from recycling a password they have used within the previous year
Weak logical access controls increase the risk of unauthorised access being obtained through the guessing of passwords or brute force cracking.

Recommendation:
The Oracle EBS logical access controls should be strengthened in line with best practice:
- Passwords should be required to be at least eight characters long
- Users are prevented from re-using a password they have used within the previous 180 days

Management response:
Done

10. Users without password expiration date

Issue and risk:
There are 70 accounts that have no password expiry date value against them. These accounts are all generic accounts and are not linked to named individuals. Two have significant business process privileges assigned to them and have not changed their password since 2011. We also note that at least one generic Oracle EBS account still has its default password and no password expiry set.

We note that the majority of users have an expiry set to 90 days. However, accounts that have passwords that do not expire become vulnerable to being disclosed over time and can therefore provide access to the system and data.

Passwords which either do not expire or which are not changed frequently represent a high risk that they will be enumerated and disclosed to unauthorised users. Where this is assigned to a generic account, access to and subsequent activities may not be monitored or identified which could undermine security settings within the system.

Recommendation:
All accounts should have a password expiry value entered against them (unless they are system accounts performing automated tasks e.g. batch posting). This should be subject to periodic review to identify any users with administration rights who have overwritten this setting. Disciplinary action should be taken in these instances.

Management response:
All real user password lifespan days set to 60 days - done. None of the 70 accounts are people. They are processes, like WebForms and calendars, with limited privileges and where the business process requires no end date. Management will verify that this is the case for all 70, and end date any exceptions, by August 2015.

11. Access rights and responsibilities assigned are not periodically reviewed (Oracle EBS)

Issue and risk:
There are no regular processes within Solihull MBC to review access rights across functions for Active Directory, Academy or Oracle EBS. Additionally, no security audit logs are maintained to monitor user activity which would identify anomalous user actions outside their remit (see Issue 5).

Over time, users can acquire access rights that are not commensurate with their functional role and bypass or override internal control processes. This contradicts the principle of least privilege, whereby users are allocated the minimum level of access rights to fulfil their role. Without this control in place the following risks are inadequately managed:
- gaps in user administration processes and controls may not be identified and dealt with in a timely manner
- access to information resources and system functionality may not be restricted on the basis of legitimate business need
- enabled, no-longer-needed user accounts may be misused by valid system users to circumvent internal controls
- no-longer-needed permissions granted to end-users may lead to segregation of duties conflicts
- access privileges may become disproportionate with respect to end users' job duties
- accumulation of excessive folder rights which undermines roles defined in system access profiles
All issues above could result in unidentified material misstatement due to fraud or error.

Recommendation:
There is a need for management to perform periodic, formal reviews of the user accounts and permissions within Oracle EBS, Academy and Active Directory. These reviews should:
- take place at a pre-defined, risk-based frequency (annually at a minimum)
- create an audit trail such that a third-party could determine when the reviews were performed, who was involved, and what access changed as a result
- evaluate both the necessity of existing user IDs as well as the appropriateness of user-to-group assignments (with due consideration being given to adequate segregation of duties)
- access to folders are only given to those with appropriate roles and responsibilities
- develop a process/form to document and evidence approval of user amendments including access active directory folder permissions

Management response:
Although some periodic reviews do take place, this can be enhanced with better input data. ICT could develop a script to produce data for analysis of leavers, movers and joiners access privileges. This requires time to review, write, discuss, revise etc. Business system owners to agree they will use the output of the scripts to do better periodic reviews. Script to be operational and system owners will be making regular use of it by December 2015.

12. Removal of leavers user access rights

Issue and risk:
System administrators for Oracle EBS, Northgate and Active Directory rely on the end-user community to notify them of accounts that require disabling as a result of users moving post or leaving the organisation. The end-user community should never be solely relied upon to inform security administrators of the need to revoke logical access due to leaver activity, as such notifications are typically inconsistently provided (if at all).

Whilst the Oracle EBS administrators monitor leaver activity recorded through the Oracle EBS HR module, this may not capture non-HR users e.g. temps, agency staff, contractors etc. and it is not clear whether these user accounts are only removed from Oracle EBS and not from Active Directory or Northgate.

Access to information resources and system functionality may not be restricted on the basis of legitimate business need and enabled, no-longer-needed user accounts may be misused by valid system users to circumvent internal controls. Terminated employees may continue to access information assets through enabled, no-longer-needed user accounts and revocation of access rights may not be performed accurately, comprehensively, or on a timely basis.

Recommendation:
Oracle EBS, Northgate and Active Directory administrators should be provided with:
- timely, proactive notifications from HR of leaver activity for anticipated terminations
- timely, per-occurrence notifications for unanticipated terminations
Security administrators of financially critical applications should then use these notifications to end-date user accounts associated with anticipated leavers, or immediately disable user accounts associated with un-anticipated leavers.

Management Response:
There are a number of issues to resolve in this control, with short term, medium term and long term actions. The proposed solutions are:
- Short term: Re-instate the process with HR advising of people end dated in Oracle (probably through an improved automated script). This is scheduled for October 2015
- Medium term: Add contractors and consultants (particularly those with IT systems access) to Oracle. This is scheduled for December 2015
- Long term: build joiners-movers and leavers process automation. This is to be reviewed, prioritised and if appropriate scheduled, by the Oracle Exploitation Board, led by the Director of Resources.
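A sketch of the leaver reconciliation described in controls 11 and 12, matching a combined HR and contractor register against accounts in all three systems (an added example, not part of the audit report and not SMBC's script). The record layouts, identifiers and sample data are constructed assumptions.

```python
from datetime import date

# Constructed people register: HR records plus the non-HR users (temps,
# agency staff, contractors) that control 12 says the HR module may miss.
PEOPLE = [
    {"person_id": "E1001", "source": "HR", "leave_date": date(2015, 5, 29)},
    {"person_id": "E1002", "source": "HR", "leave_date": None},
    {"person_id": "E1003", "source": "HR", "leave_date": date(2015, 9, 30)},
    {"person_id": "C2001", "source": "contractor", "leave_date": date(2015, 4, 30)},
]

# Constructed account extracts from the three systems named in the report.
ACCOUNTS = [
    {"system": "Oracle EBS", "account": "E1001", "person_id": "E1001",
     "end_date": date(2015, 5, 29)},
    {"system": "Active Directory", "account": "e1001", "person_id": "E1001",
     "end_date": None},
    {"system": "Northgate", "account": "E1001", "person_id": "E1001",
     "end_date": None},
    {"system": "Active Directory", "account": "c2001", "person_id": "C2001",
     "end_date": None},
    {"system": "Oracle EBS", "account": "E1003", "person_id": "E1003",
     "end_date": None},
    {"system": "Active Directory", "account": "e1003", "person_id": "E1003",
     "end_date": date(2015, 9, 30)},
    {"system": "Oracle EBS", "account": "E1002", "person_id": "E1002",
     "end_date": None},
    {"system": "Northgate", "account": "TEMP7", "person_id": "T9999",
     "end_date": None},
]


def reconcile(people, accounts, as_of):
    """Return (system, account, action) for every account needing attention.

    Actions:
      "disable now"      - owner has already left and the account outlives them
      "end-date"         - owner is an anticipated leaver; the account has no
                           end date, or one later than the leave date
      "no person record" - owner is in neither HR nor the contractor register,
                           so no leaver notification would ever arrive
    """
    by_id = {p["person_id"]: p for p in people}
    findings = []
    for acct in accounts:
        person = by_id.get(acct["person_id"])
        if person is None:
            findings.append((acct["system"], acct["account"], "no person record"))
            continue

        leave = person["leave_date"]
        if leave is None:
            continue  # current staff with no planned leave date

        outlives_owner = acct["end_date"] is None or acct["end_date"] > leave
        if not outlives_owner:
            continue  # already end-dated on or before the leave date

        action = "disable now" if leave <= as_of else "end-date"
        findings.append((acct["system"], acct["account"], action))
    return findings


if __name__ == "__main__":
    for system, account, action in reconcile(PEOPLE, ACCOUNTS, date(2015, 6, 30)):
        print(f"{system:17} {account:6} {action}")
```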