Oracle ERP Cloud Payables Bypass Risk

We have spent a great deal of time looking at all the ways in which Controls in your Oracle ERP Cloud Applications can be bypassed. We have found ways in which you can delete Person Information in batch without approval. In this article we will look at how certain delivered Roles allow users to make a one-time Payment that bypasses any Workflow Approval.

We have a few articles explaining why you shouldn't rely on the delivered/seeded Roles from Oracle (links at the bottom of this article) and this is another reason why.

In summary, the delivered Roles often grant too much access in the Application, whether through creating and approving transactions or through access to critical master Data. More and more, though, we are seeing access to functionality that allows Data to be uploaded, which, given that this is a Cloud Application, is not beyond reason. However, we should expect some kind of Workflow Approval or some other process to verify the Data and its impact on the Environment.

Our recommendation is always to take the delivered Roles and customize them, or create your own. This way you retain control over what your users have access to (and, just as importantly, what they don't).

Making a Payment

Typically, Payments require multiple steps to execute and push through the payment process, and this is as it should be. However, the Import Payment Process allows one-time payments to be made. Not only that, this process allows one-time payments to be made to Suppliers who are not set up as a Supplier in the Application.

Any time an upload is able to bypass a Control we consider this to be a risk. Where two opportunities present themselves (by also bypassing the Supplier process), we want to ensure that these are caught and that consideration is given to whether Users need this access.


Effective Controls

We provide the following solutions within Oracle ERP/HCM Cloud and across your other Applications:

As part of our service we provide support and any necessary training to help you answer the key questions and gain the knowledge required to successfully audit and remediate any issues.

If you would like to discuss how we can help secure your Payables process, along with your other areas of risk - get in touch below:


Resources

Understanding Role Delegations in Oracle ERP/HCM Cloud


Fraud and Data Loss - one and the same?

Securing the Financial Close