
Oracle ERP Cloud Payables Bypass Risk

We have spent a great deal of time looking at all the ways in which Controls in your Oracle ERP Cloud Applications can be bypassed. We have found ways in which you can delete Person Information in batch without approval. In this article we will look at how certain delivered Roles allow users to make a one-time Payment that bypasses any Workflow Approval.

We have a few articles explaining why you shouldn't rely on the delivered/seeded Roles from Oracle and this is another reason why.

In summary, the delivered Roles often grant too much access in the Application, whether that is the ability to both create and approve transactions or access to critical master Data as well. More and more, though, we are seeing access to functionality that allows Data to be uploaded, which, given that it is a Cloud Application, is not beyond reason. However, we should expect some kind of Workflow Approval or some other process to verify the Data and its impact on the Environment.

Our recommendation is always to take the delivered Roles and customize them, or create your own. This way you retain control over what your users have access to (and, just as importantly, what they don't).


Making a Payment

Typically, Payments require multiple steps to execute and push through the payment process, and this is as it should be. However, the Import Payment Process allows one-time payments to be made. Not only that, it allows one-time payments to be made to Suppliers who are not set up as a Supplier in the Application.

Any time an upload is able to bypass a Control we consider it a risk. Here, because the Supplier process is bypassed as well, two opportunities present themselves, and we want to ensure that these are caught and that you consider whether Users need this access.

Without effectively securing users from this import process, you may be forced to perform look-back reviews to identify who may have performed this process. With an import process the impact can be significant if the user imports multiple records at the same time.

Decide who should have this access, whether the access is permanent or temporary, and ensure that this import process is secured from everyone else.
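
One way to check who holds this access, as an added example that is not from the original article or from Oracle: it resolves role inheritance to find every role that reaches the import privilege, then reports users who hold one without a current permanent or temporary approval. All role, privilege and user names, the data layout and the approval list are constructed placeholders, not real Oracle identifiers.

```python
from datetime import date

# Constructed sample data: every name below is a placeholder, not an Oracle identifier.
IMPORT_PRIVILEGE = "PLACEHOLDER_IMPORT_PAYMENTS_PRIV"

# role -> privileges granted directly
ROLE_PRIVILEGES = {
    "DELIVERED_PAYABLES_DUTY": {IMPORT_PRIVILEGE, "PLACEHOLDER_VIEW_INVOICE_PRIV"},
    "CUSTOM_AP_CLERK": {"PLACEHOLDER_VIEW_INVOICE_PRIV"},
}
# role -> roles it inherits (for example a job role inheriting a duty role)
ROLE_INHERITS = {
    "DELIVERED_PAYABLES_MANAGER": {"DELIVERED_PAYABLES_DUTY"},
    "CUSTOM_AP_SUPERVISOR": {"CUSTOM_AP_CLERK", "DELIVERED_PAYABLES_MANAGER"},
}
USER_ROLES = {
    "alice": {"DELIVERED_PAYABLES_MANAGER"},
    "bob": {"CUSTOM_AP_CLERK"},
    "carol": {"CUSTOM_AP_SUPERVISOR"},
    "dave": {"DELIVERED_PAYABLES_MANAGER"},
}
# user -> approval end date (None means permanent approval)
APPROVED = {"alice": None, "dave": date(2024, 1, 31)}


def roles_granting(privilege):
    """Return every role granting `privilege` directly or through inheritance."""
    granting = {r for r, privs in ROLE_PRIVILEGES.items() if privilege in privs}
    changed = True
    while changed:  # fixed-point loop, so inheritance cycles cannot hang it
        changed = False
        for role, inherited in ROLE_INHERITS.items():
            if role not in granting and inherited & granting:
                granting.add(role)
                changed = True
    return granting


def review(as_of):
    """List (user, reason, roles) for users with the privilege but no valid approval."""
    granting = roles_granting(IMPORT_PRIVILEGE)
    findings = []
    for user in sorted(USER_ROLES):
        via = sorted(USER_ROLES[user] & granting)
        if not via:
            continue  # user cannot reach the import process
        if user not in APPROVED:
            findings.append((user, "not approved", via))
        elif APPROVED[user] is not None and APPROVED[user] < as_of:
            findings.append((user, "temporary approval expired", via))
    return findings
```

Here carol reaches the privilege only through a custom role that inherits a delivered one, which a check of direct grants alone would miss.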


Effective Controls

We provide the following solutions within Oracle ERP/HCM Cloud and across your other Applications:

  • Segregation of Duties

  • Sensitive Access

  • User Access Reviews

  • Patch Impact Analysis & Configuration Changes

As part of our service we provide support and any necessary training to help you answer the key questions and gain the knowledge required to successfully audit and remediate any issues.

If you would like to discuss how we can help secure your Payables process, along with your other areas of risk - get in touch below: