Many organisations, whether for legislative requirements or simply for good commercial reasons, seek to implement an effective segregation of duties solution. Its primary objective is to prevent fraud by ensuring that more than one person must be involved in key transactions.
While the principal of segregation of duties is quite simple to state it can be complex to implement to ensure that potential violations are correctly identified. The complexity of the E-Business Suite, not least due to its co-existing methods of access control of responsibilities and menus along with the more recent role based access control, makes it difficult for organisations to correctly identify exactly what functions an individual can actually access; particularly when considering indirect access to a controlled function via another accessible function. The complexity of roles and role inheritance and data privileges within the Cloud Applications also present significant challenges in understanding detailed access capabilities.
The E-Business Suite and Cloud Applications themselves incorporate no effective segregation of duties mechanism and the reporting provided for individual access rights is poor and difficult to interpret.
There may be situations where a user will violate the segregation of duties rules but for some particular reason this access is acceptable, whether this is due to a temporary situation such as an absence or part of the ongoing system process. It may be that some other external control is in place to prevent this violation from being an issue. Organisations must be able to record a mitigation to explain why such a violation is considered to be acceptable and this must be clearly reported so the business and auditors can be satisfied the violation is an acceptable risk.
ConfigSnapshot enables organisations to define constraints against access points in the E-Business Suite that they wish to be able to control, including:
Functions outside of the applications can also be included to cater for violations that might occur as a combination of an activity the user does outside of the system together with one performed within the applications.
Rules are defined to specify where users should not have specific combinations of access points. Flexible reporting is provided to identify where violations to these rules occur and to assist in determining what actions should be taken to prevent these violations.
Further refinement to rules can be defined to enable them to consider business specific risks; for example, only considering purchase order approval where the approval limit for the user is greater than a particular minimum value.
Exception conditions can also be defined to help prevent false positives from being included in violation reporting. These can be environment specific to cater for more complex scenarios where certain users may have greater access on test environments etc.
Complex scenarios can be modelled where access depends on combinations of functions rather than a single function. This can prevent large numbers of false positives that may result from a more simplistic rule.
A very flexible mitigation mechanism is provided so that known and accepted rule violations can be recorded; reporting can show these mitigations for audit purposes and can also simply exclude any violation for which there is a current, accepted mitigation.
What If reporting allows organisations to understand the potential for violations if users were given additional roles and responsibilities.
Request a web demo and then download a trial version of ConfigSnapshot absolutely FREE
Register now by providing your details below:
"ConfigSnapshot has been part of our team’s ‘tool kit’ since 2009. It is very powerful and yet simple to use. We use ConfigSnapshot on regular basis, it saves us a lot of time!! I would also like to mention that ConfigSnapshot has a strong and dedicated support team which is an added bonus. I highly recommend it."
Oracle Business Analyst, Industry: One of Australia's Largest Financial Services Brands