Oracle introduces Segregation of Duties for Asset Management in ERP Cloud release 24A

One of the most often overlooked risks in Enterprise applications is the ability to import data easily. What is the definition of 'easy', what are the risks, and what is Oracle doing about it?

Oracle Release 24A

Data Import - Pros and Cons

Given the amount of data in an Enterprise and the need for a single source of truth to store, manage, and utilize for operations, there is a need to get this data into Enterprise applications in a way that users with little technical experience can perform. Specifically, importing financial/accounting data into your ERP application through spreadsheets empowers end users to bring in large data sets without needing IT. Common sense and logic would also suggest that not all data belongs in your Production environment where Financial Reporting takes place. Can your employees import bogus Financial data? Can they inflate or deflate the numbers without checks and balances?

Asset and Impairment Fraud Risks

Why do we need to care about Asset fraud? Falsifying the value of assets can have a material or significant impact on the Financial performance of an organization. Writing down or writing off the value of assets helps investors and stakeholders evaluate the performance of management within an organization. Has management made risky investments that have later on had to be written off as worthless? On the flip side, have poor internal controls allowed the inflation of the value of assets?

Examples of asset-related issues and fraud:

SEC Charges Future Fintech Group Inc. with Accounting Fraud Violations

What are effective controls to avoid asset risks?

Applications such as NetSuite have controls that allow you to enforce checks by way of workflow approval. If one user imports data, then it must be approved by one or more individuals before it is finally imported into those all-important tables/objects. While not foolproof, at least one person is not responsible for the whole thing. Oracle's ERP and HCM Cloud applications can benefit from this approach, but for now it seems we are getting this segregation function by function; this time it is Asset Management.

Oracle ERP Cloud release 24A new feature

In release 24A we are starting to see considerations for the management of Fixed Assets. Specifically, you will be able to separate the person entering and preparing asset transactions from those posting them. For the import process, this is a great step forward to ensure the integrity of imports and the resulting data. We hope this continues through other transaction types too!

How can we secure our asset data?

For this process to take effect, your organization is going to have to do some work, particularly changing any Roles that currently have the import feature assigned to them. This will also involve working out any personnel/skill changes to ensure that the right individuals are identified to split the transactions out. The processes must be split so that one role cannot both import and post the asset changes; the work will be divided between two or more Roles, along with some User-level settings (which we will come onto). Oracle has identified the delivered Roles for this change. If you have the Privileges specified in your own custom/hybrid roles, you will need to ensure they are separated.

The other key consideration is the use of Profile Options to secure the impairment process. Up until now, most of your controls have focused on Roles and their Privileges to grant access. To allow a user to prepare impairments, a Profile Option needs to be granted to the user (not a Role). This setting should be reviewed as part of your audit and access reviews to establish which users can prepare impairments, and then aligned to their roles to establish their ability to prepare or post transactions.

So in addition to changes to security, the 'footprint' for reviewing asset import/impairment and post has expanded. Pulling this data and easily reporting over it is a challenge!

If you require more information and aid on Role Design and access control solutions for your applications (including the review of Users, Roles, Privileges, Profile Options,

For the full instructions and details from Oracle: Oracle ERP Cloud 24A Notes
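The access review described above, joining role-granted Privileges with the user-level Profile Option, as an added example that is not Oracle's or Seecuring's code. Every role, privilege and profile option name, the "Y" value and the sample users are constructed placeholders; the real identifiers come from Oracle's 24A notes and your own security exports.

```python
# Placeholder identifiers (assumptions), NOT Oracle's actual names.
PREPARE_PRIV = "PLACEHOLDER_PREPARE_ASSET_TRANSACTION"
POST_PRIV = "PLACEHOLDER_POST_ASSET_TRANSACTION"
IMPAIR_PROFILE = "PLACEHOLDER_PREPARE_IMPAIRMENT_PROFILE"

# Constructed sample exports: role -> privileges, user -> roles,
# user -> user-level profile option values.
ROLE_PRIVS = {
    "Custom Asset Accountant": {PREPARE_PRIV, POST_PRIV},  # unsplit custom role
    "Asset Preparer": {PREPARE_PRIV},
    "Asset Poster": {POST_PRIV},
}
USER_ROLES = {
    "alice": ["Asset Preparer"],
    "bob": ["Asset Poster"],
    "carol": ["Asset Preparer", "Asset Poster"],  # conflict across two roles
    "dave": ["Custom Asset Accountant"],          # conflict inside one role
    "erin": ["Asset Poster"],                     # looks clean from roles alone
}
USER_PROFILES = {
    "alice": {IMPAIR_PROFILE: "Y"},
    "erin": {IMPAIR_PROFILE: "Y"},  # prepare ability granted outside any role
}

def effective_access(user):
    """Return (prepare_sources, post_sources) for one user."""
    via = {}
    for role in USER_ROLES.get(user, []):
        for priv in ROLE_PRIVS.get(role, set()):
            via.setdefault(priv, []).append(role)
    prepare = list(via.get(PREPARE_PRIV, []))
    # The profile option is set on the user, so a role-only review misses it.
    if USER_PROFILES.get(user, {}).get(IMPAIR_PROFILE) == "Y":
        prepare.append("profile:" + IMPAIR_PROFILE)
    return sorted(prepare), sorted(via.get(POST_PRIV, []))

def sod_conflicts():
    """Users who can both prepare and post, with the source of each ability."""
    findings = {}
    for user in sorted(set(USER_ROLES) | set(USER_PROFILES)):
        prepare, post = effective_access(user)
        if prepare and post:
            findings[user] = {"prepare_via": prepare, "post_via": post}
    return findings

if __name__ == "__main__":
    for user, detail in sod_conflicts().items():
        print(user, detail)
```

With the sample data, erin is flagged only because the user-level profile option is included in the join; a review limited to Roles and Privileges would pass her.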

Want to better manage these patches and your security?

Seecuring provides evaluation of your security and controls within your Enterprise Applications, including updates and patches. In addition, our services help resolve security issues through better security design and ensuring the right controls are in place.

  • Segregation of Duties.

  • Sensitive Access.

  • User Access Reviews.

  • Patch Impact Analysis & Configuration Changes.

If you need help further understanding the implications of this role and the other sensitive access it has, please reach out. We have reviewed the delivered roles, and many of them create segregation of duty and other risks to your processes.