Segregation of Duties is the process of making sure that one person cannot complete two sides of a transaction, for example receiving money and paying it out. In this case the Risk would be that one person receives the money, records it and then pays it out, and could fraudulently steal money in the process. There is no one-size-fits-all approach for Organizations, but many back office processes in Accounting, Treasury and other high-risk areas are generally the same.
Whatever the Application, the first step to implementing Segregation of Duties is to take your Organization's Risk and Control matrix and 'translate' these Risks and Controls into the Applications that you use. Once you have identified the Controls you want to implement, you need to gather all of the Privileges and settings that need to be reviewed. Your Organization needs to set aside a great deal of time for this process: in Oracle ERP and HCM Cloud Applications there are over 9,000 Privileges. While not all of them need to be accounted for in Segregation of Duties, many of them will. For some Organizations, their external Auditor may have a 'Rule set' that can be used. We have found, though, that many audit firms do not want to pass on the detailed Rules that they audit you against. This leaves you to try and figure it out for yourself.
Once you have established all of the Privileges and other elements of the Application that you need to review, you will need a Report of the Users, their Roles and the overall structure of your Security setup. The Application does provide certain Reports that list the Users and their Roles, along with Privileges. However, there are gaps in these Reports, as they do not give the detail required for completeness and accuracy. In Oracle Cloud Applications, Roles can be embedded within Roles and Privileges can be attached to these Roles, and certain Roles have no Privileges attached directly but can still perform functionality. A thorough understanding of this hierarchy is required in order to decide how access should be set and reviewed for Audit.
Here in 2021 we are finding that many of the delivered Roles have Segregation of Duties issues, although this also depends on which Rules you are evaluating. Our Rules may differ from yours, and the outcome may differ accordingly. However, it is more than likely that any Rule set will find issues in the delivered Roles. We found that many of the Roles allow both creation and approval of key Transactions, along with the ability to configure Business processes and then run those Transactions. The only real way of ensuring that your Roles are clean is either to design your own from scratch, or to copy the delivered Roles into new ones and make the necessary changes.
To avoid complication, Users that are Read Only should be passed over: with this setting the User is a limited Risk, as they can only read information, not update it. The same approach applies to Users that have been terminated, disabled or locked out of their accounts.
There is no formal piece of functionality for managing or storing Exception information within Oracle ERP and HCM Cloud itself, so without a tool or some form of ticketing system to help, it may be a manual process. We also recommend that these Exceptions be reviewed periodically to ensure that the reason for the Exception still stands. There is nothing worse than finding a User with an Exception who has changed Jobs but still has the same access, which violates your policies. This happens a lot!
In addition, each new update from Oracle can bring new Risks to these delivered Roles, as updates can be deployed directly to them. This means that when the changes hit Production, any Users with these Roles may inherit the new functionality.
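The steps above (flatten the Role hierarchy to each User's effective Privileges, apply a Rule set of conflicting Privilege pairs, pass over Read Only and inactive Users, honour documented Exceptions only while their reason still stands, and spot Privileges a delivered Role gains after an update) can be illustrated with a small analyser. The following is an added example written for this page; it is not Seecuring's software and not an Oracle API. All Role, Privilege, User and Rule names in it are constructed and do not correspond to Oracle's delivered Roles or Privileges.

```python
"""Toy Segregation-of-Duties analyser over a nested role hierarchy.

Constructed example: every role, privilege, user, job and rule id below is
made up for illustration and is not an Oracle delivered role or privilege.
"""
from dataclasses import dataclass
from datetime import date

# Direct privileges per role. A role may carry no direct privileges at all
# and still be powerful through the roles it inherits (see AP_SUPERVISOR).
ROLE_PRIVILEGES = {
    "AP_INVOICE_ENTRY":    {"AP_CREATE_INVOICE"},
    "AP_INVOICE_APPROVAL": {"AP_APPROVE_INVOICE"},
    "AP_PAYMENTS":         {"AP_CREATE_PAYMENT", "AP_VIEW_INVOICE"},
    "AP_SUPERVISOR":       set(),
    "AP_READ_ONLY":        {"AP_VIEW_INVOICE", "AP_VIEW_PAYMENT"},
}
# Roles embedded within roles (constructed hierarchy).
ROLE_INHERITS = {
    "AP_SUPERVISOR": {"AP_INVOICE_ENTRY", "AP_INVOICE_APPROVAL", "AP_PAYMENTS"},
}
# Rule set translated from a risk/control matrix: pairs of privileges that
# one person must not hold together (R01: create+approve, R02: create+pay).
SOD_RULES = {
    "R01": ("AP_CREATE_INVOICE", "AP_APPROVE_INVOICE"),
    "R02": ("AP_CREATE_INVOICE", "AP_CREATE_PAYMENT"),
}
# Privileges that only read data; a user holding nothing else is out of scope.
READ_ONLY_PRIVILEGES = {"AP_VIEW_INVOICE", "AP_VIEW_PAYMENT"}


@dataclass
class User:
    name: str
    job: str
    roles: set
    active: bool = True      # False for terminated, disabled or locked users


@dataclass
class SodException:
    user: str
    rule: str
    job: str                 # the job the exception was approved for
    review_by: date          # the exception must be re-reviewed by this date


@dataclass
class Finding:
    user: str
    rule: str
    status: str              # "violation", "excepted" or "stale_exception"


def effective_privileges(role, role_privs=ROLE_PRIVILEGES, inherits=ROLE_INHERITS, _seen=None):
    """Direct privileges of a role plus those of every role it inherits,
    recursively; _seen guards against cyclic role definitions."""
    seen = _seen if _seen is not None else set()
    if role in seen:
        return set()
    seen.add(role)
    privs = set(role_privs.get(role, set()))
    for child in inherits.get(role, ()):
        privs |= effective_privileges(child, role_privs, inherits, seen)
    return privs


def user_privileges(user, role_privs=ROLE_PRIVILEGES, inherits=ROLE_INHERITS):
    """Union of effective privileges over all of the user's roles."""
    privs = set()
    for role in user.roles:
        privs |= effective_privileges(role, role_privs, inherits)
    return privs


def in_scope(user, privs):
    """Pass over inactive users and users whose access is read-only."""
    return user.active and bool(privs - READ_ONLY_PRIVILEGES)


def evaluate(users, rules=SOD_RULES, exceptions=(), today=date(2021, 6, 1),
             role_privs=ROLE_PRIVILEGES, inherits=ROLE_INHERITS):
    """Return (findings, skipped_user_names). An exception only suppresses a
    conflict while the user still holds the job it was granted for and the
    review date has not passed; otherwise it is reported as stale."""
    findings, skipped = [], []
    for user in users:
        privs = user_privileges(user, role_privs, inherits)
        if not in_scope(user, privs):
            skipped.append(user.name)
            continue
        for rule_id, (left, right) in rules.items():
            if left not in privs or right not in privs:
                continue
            exc = next((e for e in exceptions if e.user == user.name and e.rule == rule_id), None)
            if exc is None:
                status = "violation"
            elif exc.job != user.job or exc.review_by < today:
                status = "stale_exception"
            else:
                status = "excepted"
            findings.append(Finding(user.name, rule_id, status))
    return findings, skipped


def privilege_drift(before, after, inherits=ROLE_INHERITS):
    """Effective privileges each role gains between two snapshots of the
    role definitions, e.g. before and after a vendor update."""
    drift = {}
    for role in set(before) | set(after):
        added = effective_privileges(role, after, inherits) - effective_privileges(role, before, inherits)
        if added:
            drift[role] = added
    return drift


# Constructed user population and exception register.
USERS = [
    User("alice", "AP Clerk", {"AP_INVOICE_ENTRY", "AP_INVOICE_APPROVAL"}),
    User("bob", "AP Manager", {"AP_SUPERVISOR"}),
    User("carol", "Auditor", {"AP_READ_ONLY"}),
    User("dave", "AP Manager", {"AP_SUPERVISOR"}, active=False),
    User("erin", "AP Clerk", {"AP_INVOICE_ENTRY", "AP_PAYMENTS"}),
    User("frank", "Treasury Analyst", {"AP_INVOICE_ENTRY", "AP_PAYMENTS"}),
]
EXCEPTIONS = [
    SodException("erin", "R02", "AP Clerk", date(2021, 12, 31)),
    SodException("frank", "R02", "AP Clerk", date(2021, 12, 31)),  # frank changed jobs
]

if __name__ == "__main__":
    findings, skipped = evaluate(USERS, exceptions=EXCEPTIONS)
    for f in findings:
        print(f"{f.user:6} {f.rule} {f.status}")
    print("skipped (read-only or inactive):", skipped)
    # Simulate an update that adds a privilege to a delivered role.
    updated = dict(ROLE_PRIVILEGES, AP_PAYMENTS=ROLE_PRIVILEGES["AP_PAYMENTS"] | {"AP_VOID_PAYMENT"})
    print("privileges gained after update:", privilege_drift(ROLE_PRIVILEGES, updated))
```

Note that bob is flagged on both Rules even though AP_SUPERVISOR carries no Privileges of its own, which is exactly the gap a flat User/Role/Privilege report leaves, and that frank's Exception is reported as stale because it was approved for a Job he no longer holds. The drift check shows that a Privilege added to AP_PAYMENTS by an update is also gained by AP_SUPERVISOR and therefore by every User holding either Role.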
Seecuring provides software and services - a complete solution for solving the following challenges:
* Segregation of Duties and Sensitive Access Analysis
* Sensitive Access and how users gain this access (through their security Roles and Privileges).
* Reviewing the impact of making changes to your security and making the right decisions to get your Controls and Configurations resolved
* Ensuring your issues are being resolved by measuring progress over time, for example when a Role needs removing from a User
With each new update from Oracle, new functionality is provided. These updates bring in new Privileges and Configuration changes that may also be granted to the seeded/delivered Roles.
If you are using these Roles, then these updates will be inherited by the Users attached to them.
Seecuring provides a complete library of Roles to be imported and used immediately. Through cleaner security, SoD and Access issues can be picked up and resolved far quicker than with the over-provisioned standard vendor Roles. Seecuring provides the opportunity to review the new security for SoD and Sensitive Access issues prior to import into your environment.
* for changes made to the Application that may affect the performance of your processes and transactions
Seecuring is both Technology and a Service; we are dedicated to helping you overcome your Security and Configuration issues to get better control over your Applications. Our subscription-based approach ensures that you get ongoing support, including ongoing updates to your Segregation of Duties matrix, training and other support.
To find out more you can contact us: