We specialize in auditing the security and controls of many applications, including those from Oracle. As we continue to survey customers' environments, it is clear that the majority of implementations still use the roles delivered with the application.
This is not uncommon, but even after all these years of customers having to manage their business and mitigate risk, these configurations are fraught with conflicting access.
In this post we will focus on Payables and introduce a topic that many don't consider when reviewing their internal controls as they relate to applications: configurations vs. transactions.
In many of the external audit requirements we have seen, the controls focus mostly on the transactions and then on the IT/application controls. But it becomes clear that if a user can complete many transactions, that user should not also be able to configure how those transactions behave.
If a user can configure a transaction and also complete that transaction, how can we be sure that transactions are not subject to error and fraud?
The Association of Certified Fraud Examiners notes in its Report to the Nations that check and payment tampering has the second-longest median fraud scheme duration, behind payroll. You can read more on this report here.
Let's take one of the many delivered roles and look at some of the things it can do (according to the rule set we use):
ORA_AP_ACCOUNTS_PAYABLE_MANAGER_JOB (Accounts Payable Manager role) can Manage Payables Interest Rate, Manage Payables Aging Period, and more. On the transaction side, this role can Approve AP Invoices and Create Payments.
So in addition to individual risks, these roles also carry segregation of duties conflicts within themselves. Any user the role is assigned to inherits these conflicts automatically, regardless of what else that user holds.
This role in particular encompasses a wide range of functionality across the Payables spectrum and other areas. Beyond the specific risks it introduces, roles like this run counter to the principle of least privilege, which dictates that you should have access only to what is needed to do your job and nothing more.
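The following is an added worked example, not code from the original post, from Seecuring, or from Oracle. It shows the kind of rule-set check described above: a conflict rule pairs a configuration privilege with a transaction privilege, and the check is run first against a single role (so the conflict is flagged before anyone is assigned it) and then against a user's combined roles. The role name ORA_AP_ACCOUNTS_PAYABLE_MANAGER_JOB and its four privileges are taken from the post; every other role name, the privilege classification, the rules themselves and the user assignments are constructed sample data and are not real Oracle Cloud privilege codes. It also sketches the remediation the post recommends, carving the delivered role into a configuration role and a transaction role, and checks that each half is clean on its own.

```python
"""Configuration-vs-transaction segregation of duties check (added example).

Assumptions: privilege names are the descriptive labels used in the post, not
Oracle privilege codes; all rules, extra roles and users are constructed.
"""
from dataclasses import dataclass

# Constructed classification of Payables privileges. In a real tenant this
# would come from a privilege export, keyed by privilege code.
CONFIGURATION_PRIVILEGES = {
    "Manage Payables Interest Rate",   # named in the post
    "Manage Payables Aging Period",    # named in the post
    "Manage Payment Terms",            # constructed
}
TRANSACTION_PRIVILEGES = {
    "Approve AP Invoices",             # named in the post
    "Create Payments",                 # named in the post
    "Create AP Invoices",              # constructed
}

# Constructed rule set: (configuration privilege, transaction privilege, risk).
SOD_RULES = [
    ("Manage Payables Interest Rate", "Create Payments",
     "can change interest terms and then pay the resulting amounts"),
    ("Manage Payables Aging Period", "Approve AP Invoices",
     "can alter the aging buckets that drive which invoices get reviewed"),
    ("Manage Payment Terms", "Create Payments",
     "can shorten payment terms and release payment before review"),
]

# Constructed role-to-privilege map. Only the first role and its privileges
# are from the post; the CUST_* roles are hypothetical custom roles.
ROLE_PRIVILEGES = {
    "ORA_AP_ACCOUNTS_PAYABLE_MANAGER_JOB": {
        "Manage Payables Interest Rate", "Manage Payables Aging Period",
        "Approve AP Invoices", "Create Payments",
    },
    "CUST_AP_PAYABLES_CONFIG_JOB": {"Manage Payables Interest Rate",
                                    "Manage Payment Terms"},
    "CUST_AP_PAYMENT_SPECIALIST_JOB": {"Create Payments"},
    "CUST_AP_INVOICE_ENTRY_JOB": {"Create AP Invoices"},
}


@dataclass(frozen=True)
class Violation:
    subject: str        # role or user that was evaluated
    config_priv: str
    txn_priv: str
    risk: str
    via: tuple          # roles that together supply the two privileges


def privileges_of(roles, role_map=ROLE_PRIVILEGES):
    """Map each privilege granted by `roles` to the set of roles granting it."""
    granted = {}
    for role in roles:
        for priv in role_map.get(role, set()):
            granted.setdefault(priv, set()).add(role)
    return granted


def find_violations(subject, granted):
    """Apply every rule to a privilege->roles map and return the hits."""
    found = []
    for cfg, txn, risk in SOD_RULES:
        if cfg in granted and txn in granted:
            via = tuple(sorted(granted[cfg] | granted[txn]))
            found.append(Violation(subject, cfg, txn, risk, via))
    return found


def role_violations(role):
    """Intra-role conflicts: every assignee inherits these automatically."""
    return find_violations(role, privileges_of([role]))


def user_violations(user, roles):
    """Cross-role conflicts created by the combination a user actually holds."""
    return find_violations(user, privileges_of(roles))


def split_role(role):
    """Remediation: carve a delivered role into a config half and a
    transaction half. Returns {new_role_name: privileges}."""
    privs = ROLE_PRIVILEGES[role]
    return {f"{role}_CONFIG": privs & CONFIGURATION_PRIVILEGES,
            f"{role}_TXN": privs & TRANSACTION_PRIVILEGES}


if __name__ == "__main__":
    for v in role_violations("ORA_AP_ACCOUNTS_PAYABLE_MANAGER_JOB"):
        print(f"[ROLE] {v.subject}: {v.config_priv} + {v.txn_priv} -> {v.risk}")
    alice = ["CUST_AP_PAYABLES_CONFIG_JOB", "CUST_AP_PAYMENT_SPECIALIST_JOB"]
    for v in user_violations("alice", alice):
        print(f"[USER] {v.subject} via {v.via}: {v.config_priv} + {v.txn_priv}")
    for name, privs in split_role("ORA_AP_ACCOUNTS_PAYABLE_MANAGER_JOB").items():
        print(name, "conflicts:", len(find_violations(name, {p: {name} for p in privs})))
```

The split halves are only clean while they stay apart: assigning both `_CONFIG` and `_TXN` to the same user recreates the same conflicts at the user level, which is why the user-level check has to run alongside the role-level one in every access review.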
To complicate things further, more and more transactions are being spread across applications as these systems become more industry-specialized. The whole procure-to-pay process is often split across systems, meaning a full risk assessment requires delving into all of the settings within and across these applications.
For Oracle Cloud, a great starting point is to replace the delivered roles with roles that better serve your organization and reduce the risk of error and fraud.
Whether you are a publicly traded organization or not, tight controls around the many transactions across your application portfolio are critical!
If you are struggling to implement a program for effective controls in your Oracle (and other) applications, Seecuring provides a subscription-based service covering:
Segregation of Duties
Sensitive Access
User Access Reviews
Patch Impact Analysis & Configuration Changes
We have been working with ERP/HCM applications since the early 2000s, and work with leading CPAs, audit staff and application specialists to deliver a complete solution.
Before you invest in expensive software, why not look at GRC as a Service? Faster delivery, lower cost, and more than just reports on your issues: we help organizations achieve their goals for internal controls.
To discuss your requirements, you can schedule a call with us: