As part of our reviews of organizations' security and controls, we constantly look at how over-provisioned the delivered, or 'seeded', Roles are. In Oracle ERP Cloud, for example, the Employee Role allows users to upload data, delegate their security and much more. ERP vendors are not Risk or Audit professionals by trade, and these applications are designed so that a customer's security can be implemented quickly to support a fast go-live.
In addition, vendors typically add new functionality to the existing Roles, building them out even further, meaning that with each update you need to test your applications for the impact of these changes.
As with many other areas, Collections is covered by the delivered security, with a number of Roles available to help you get your collections processes in place.
If we look at the requirements for this area, we can summarize that you would need both view-only and edit access to the following transaction areas (depending on the user's seniority or other requirements):
* Clients and Transactions.
* Account Profiles.
* Collection Strategies.
* Collections History.
It is clear from the above that you most likely do not want all Collections users to have full edit access to these transaction areas. Many of your users should have only the read-only access they need to support the organization.
If you are utilizing the Collections area of the application we would urge you to perform a review of the access in this area.
If you have access to the Oracle Customer Cloud Connect website, an 'idea' has been posted there requesting a read-only Collections role. You can request the link to this idea using the contact form below.
If you are utilizing the delivered Security and Configuration within your Applications, there is a good chance you have Segregation of Duties violations. Seecuring will assist you with everything from establishing and reporting on the issues you have through to helping remediate them (which is usually the biggest and most time-consuming aspect of implementing internal controls). Specifically, Seecuring delivers:
* Segregation of Duties.
* User Access Reviews.
* Patch Impact Analysis & Configuration Changes.
We have been working with ERP/HCM Applications since the early 2000s, and work with leading CPAs, Audit staff and Application specialists to deliver a complete solution.
Before you invest in expensive Software, why not look at GRC as a Service? Faster delivery, lower cost, and more than just reports on your issues: we help Organizations achieve their goals for Internal Controls.
To discuss your requirements, you can schedule a call with us: