We specialize in Auditing the Security and Controls in many Applications, including those from Oracle. As we continue to survey customers' Environments, it is clear that the majority of implementations are using the delivered Roles in the Application.
This is not uncommon, but even after all these years of customers having to manage their Business and mitigate Risk, these Configurations are fraught with conflicting access.
In this post we will focus on the Billing Specialist Role, and some of the issues with the delivered Role in Oracle that manages this process.
Included in this review is a look at Transaction vs Configuration access. In many external Audit requirements we have seen, the Controls have mostly focused on the Transactions and then on the IT/Application Controls. But it becomes clear that if a User has the ability to complete many Transactions, then they should not also be able to configure those same Transactions.
If a User can both configure a Transaction and complete that Transaction, then how can we be sure that Transactions are not subject to Error and Fraud?
The Association of Fraud Examiners note in their Report to the Nations that Check and Payment Tampering represents the second longest Fraud scheme duration, behind Payroll. You can read more on this report here.
Many of the Roles in the Application have various definitions: Specialist, Administrator, Manager and so on. Thankfully we have a Role description to help us understand what the Role should do when assigned to a User:
When we ran our Separation of Duties Analysis against it, we found that this Role 'breaks' or violates a number of Rules that encompass other lines of Business, including:
Create and Maintain Customers vs Create and Maintain AR Receipts
Create and Maintain AR Adjustments vs Approve AR Adjustments
Create and Maintain AR Transactions vs Bank/Bank Branch Maintenance
When we are working with customers we have to ask: do the Users with this Role need to be maintaining both sides of these Transactions? Should an AR type Role be able to manage Customers and Bank Maintenance?
Logically the answer is no, unless you are a small Organization where one person may be having to complete many Transactions.
The next area of concern focuses on the second item in the list, and really on any situation where Transactions can be created and then approved by one Person. There will likely be individuals who can and should be able to both create and approve Transactions; in those situations the Approval should be split out into another Role or processed via Workflow Approval.
Users may well be assigned a Role like this without anyone realizing that the Role is able to both create and approve Transactions.
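As an added illustration (not from the original post, and not Oracle's or Seecuring's own tooling), the following Python sketch evaluates the three conflicts listed above against a single Role's privileges and against a User's combined Roles, so that a conflict created by assigning two individually clean Roles is also caught. The privilege and Role names are constructed placeholders, not Oracle's delivered names.

```python
# Minimal Separation-of-Duties (SoD) check over role/privilege assignments.
# Privilege and role names below are constructed placeholders, not Oracle's.

# Map each privilege to the business function it grants (constructed sample data).
PRIVILEGE_FUNCTIONS = {
    "CREATE_CUSTOMER": "Create and Maintain Customers",
    "CREATE_AR_RECEIPT": "Create and Maintain AR Receipts",
    "CREATE_AR_ADJUSTMENT": "Create and Maintain AR Adjustments",
    "APPROVE_AR_ADJUSTMENT": "Approve AR Adjustments",
    "CREATE_AR_TRANSACTION": "Create and Maintain AR Transactions",
    "MANAGE_BANK_BRANCH": "Bank/Bank Branch Maintenance",
}

# Conflicting pairs of business functions, as listed in the post (order irrelevant).
SOD_RULES = [
    ("Create and Maintain Customers", "Create and Maintain AR Receipts"),
    ("Create and Maintain AR Adjustments", "Approve AR Adjustments"),
    ("Create and Maintain AR Transactions", "Bank/Bank Branch Maintenance"),
]

# Constructed roles: one that mirrors the delivered-role problem, two that are clean alone.
ROLE_PRIVILEGES = {
    "BILLING_SPECIALIST": set(PRIVILEGE_FUNCTIONS),      # holds all six privileges
    "AR_CLERK": {"CREATE_AR_ADJUSTMENT"},
    "AR_APPROVER": {"APPROVE_AR_ADJUSTMENT"},
}

def functions_for(privileges):
    """Translate a set of privileges into the business functions they grant."""
    return {PRIVILEGE_FUNCTIONS[p] for p in privileges if p in PRIVILEGE_FUNCTIONS}

def violations(privileges):
    """Return the SoD rules a privilege set violates, each as a sorted tuple."""
    funcs = functions_for(privileges)
    return sorted(tuple(sorted(rule)) for rule in SOD_RULES if set(rule) <= funcs)

def user_violations(user_roles, role_privileges=ROLE_PRIVILEGES):
    """Evaluate a user's combined access across every assigned role."""
    combined = set().union(*(role_privileges[r] for r in user_roles))
    return violations(combined)

def explain(user_roles, role_privileges=ROLE_PRIVILEGES):
    """For each violated rule, list which assigned roles supply each side,
    which tells the reviewer where the access needs to be split."""
    report = {}
    for rule in user_violations(user_roles, role_privileges):
        report[rule] = tuple(
            sorted(r for r in user_roles if f in functions_for(role_privileges[r]))
            for f in rule)
    return report
```

Running `explain(["AR_CLERK", "AR_APPROVER"])` shows the create/approve conflict that neither Role exhibits on its own, which is exactly the case a Role-by-Role review misses.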
To complicate things further, more and more Transactions are being spread out across Applications as these systems become more industry specialized. The whole Procure to Pay process is often split across systems, meaning a full Risk assessment requires delving into all of the settings within and across these Applications.
For Oracle Cloud, a great starting point is ensuring you take the delivered Roles and make copies that better serve your Organization and reduce the risk of error and fraud.
Whether you are a Publicly Traded Organization or not, tight controls around the many Transactions across your Application portfolio are critical!
If you are struggling to implement a program for effective Controls in your Oracle (and more) Applications, Seecuring provides a subscription based service that provides:
Segregation of Duties
User Access Reviews
Patch Impact Analysis & Configuration Changes
We have been working with ERP/HCM Applications since the early 2000s, and work with leading CPAs, Audit staff and Application specialists to deliver a complete solution.
Before you invest in expensive Software, why not look at GRC as a Service? Faster delivery, lower cost, and more than just reports on your issues - we help Organizations achieve their goals for Internal Controls.
To discuss your requirements, you can schedule a call with us:
Or, reach out to us below if you want to get your Applications under control: