As your organization grows in size, some precautions are necessary to keep certain elements of your work secure. This is true for almost any organization large enough to have a business hierarchy, and it only becomes more important as your organization takes on bigger projects and creates more roles for employees. Two people running a coffee shop as a partnership do not need to concern themselves with who has what authorization, but a 40-person business strategy service should never grant full data access to every intern who walks through the door.
Fortunately, Oracle Risk Management Cloud provides a variety of tools to help avoid risk and risky situations involving potential fraud or errors. These tools, located within Oracle Advanced Access Controls and Oracle Advanced Financial Controls, do require some setup, but this effort and the security it brings to your organization are worth it in the long run. The following article will teach you how these tools function and how they can be configured to fit the specific needs of your organization.
What does Oracle consider risky?
Within Oracle Risk Management, Advanced Access Controls assists organizations with locating user-role assignments that provide certain users with too much access through their application roles and privileges. This includes situations where a user may be in charge of both creating and approving a product or report. By placing a user in charge of both roles, an organization’s review process serves no purpose, and their operation takes on unnecessary risk. This same logic can apply to various privilege assignments and role-and-privilege combinations.
Oracle Advanced Financial Controls helps organizations identify a different sort of risk in the form of fraud or errors relating to transactions carried out using Oracle Cloud applications, or by tracking changes in the Oracle Cloud audit framework. This is done using models designed by users with filters that define what an organization considers to be risky or fraudulent. In this way, Oracle Advanced Financial Controls lets the organizations who know their structure best identify the situations where they are at risk. If your organization has someone in the Audit role, that person might draw on their experience and familiarity with financial risk to build a transaction model that determines the level of risk your organization's systems are exhibiting at the time the model is evaluated. Taking the time to identify and remove these instances of risk can make or break a company, especially when it comes to external auditing and other inspections.
How do you create Advanced Access Controls models to detect risk for you?
To locate problematic user-role assignments you must first create Advanced Access Controls access models. These models house controls your organization designs to counter risk, enforcing user-created risk logic built to detect scenarios that are considered risky.
Access models perform the following key functions:
- Use filters to identify roles, privileges, and role-and-privilege combinations that pose a compliance issue.
- Record results of suspect risk scenarios for users to review.
- Test risk-logic definitions before integrating them into a control by testing them in a model.
- Provide an assessment of risks inherent in a system at a specific time.
Access models are created from access points. To work with access models, users must first obtain permission to work with these access points, which are the privileges (such as Promote Worker) and roles (such as Line Manager) that give users access to different data in your organization's system. These users then apply filters to these access points, and they can also group related filters together into entitlements. For example, you can create a Manage Employee entitlement containing several privileges related to how Human Resources personnel hire employees, such as Add Direct Report or Rehire Employee.
You also apply entitlements or access points to model logic, and you have the option to exclude certain data if necessary using global conditions. Global conditions exclude data in an access model by removing records that you do not want your access model to analyze. This might be a permission that is universally granted to all employees and not necessary to analyze or certain admin users who are purposefully granted full access to a system.
How Oracle Advanced Financial Controls works with models
Advanced Financial Controls also uses models with filters designed to define what your organization considers to be risky. These transaction models help users locate transactions meeting these risk criteria. Advanced Financial Controls models allow users to do the following:
- Define risk logic.
- Locate instances of risk using risk logic.
- Assign users to correct these instances.
Keeping a record: Which reports track Risk Management data?
If your organization is large and its organizational hierarchy complex, it can be difficult to keep track of every case and evaluation of potential risk. To make this process more manageable, Oracle Advanced Controls and Oracle Financial Compliance generate a series of reports with different, related purposes. For tracking and reporting potentially risky user-role assignments, Advanced Controls provides the following reports that you should run and keep an eye on:
- Access Point Report: this report details access point paths involved in potential conflicts. This comprehensive list also includes any paths with connections to a conflict, even when that path is not directly involved in the conflict itself.
- Access Violations by User Report: this report provides a list of the ten users involved in the most conflicts, as well as the number of conflicts each is involved in and details relating to those conflicts. If you have already configured global conditions to exclude admin roles, this list should help identify privileges and roles that grant too much access to individual users.
- Access Violations within a Single Role (Intra-Role) Report: this report identifies roles that have been determined to be unassignable because the privileges they grant are guaranteed to lead to a conflict.
- Intra-Role Violations by Control Report: this report identifies access controls that grant privileges within individual roles which create conflicts. To better group this data, each conflicting role is assigned a status of Assigned, Remediate, or Accepted to indicate what work needs to be done to resolve it.
- Global Users Report: this report provides additional information about your organization's global users, including their IDs and any alternative IDs they use while doing work in Oracle Advanced Controls.
- Results by Control Summary Extract Report: this report identifies controls in your organization with pending incidents and provides details about each. This report documents incidents found in both Advanced Access Controls and Advanced Financial Controls.
- Users with Access Violations by Control Report: this report identifies access controls with incidents at the Assigned, Remediate, or Accepted status, as well as the users in your organization who have caused the control incident due to their work assignments.
In addition to these reports, you also have access to predefined dashboards that provide additional or recontextualized Risk Management data. These dashboards are accessed through the Oracle Business Intelligence Catalog.
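The following is an added, stand-alone illustration of the logic the access models and the Intra-Role and Access Violations by User reports described above apply; it is not Oracle's code or API, which you configure through the Advanced Access Controls pages. Role names, privilege names, users, entitlements, conflict filters and global conditions are all constructed here for the example (the Manage Employee entitlement and the Add Direct Report, Rehire Employee and Promote Worker privileges are the ones the article names; everything else is assumed).

```python
"""Constructed separation-of-duties check in the spirit of an access model.

Illustrative example only, not Oracle Advanced Access Controls code:
roles grant privileges, entitlements group related privileges, filters name
entitlement pairs that must not be held together, and global conditions
exclude records from the analysis.
"""
from collections import Counter

# Constructed sample data: role -> privileges it grants (assumed, not Oracle seed data)
ROLE_PRIVILEGES = {
    "Line Manager": {"Add Direct Report", "Promote Worker"},
    "HR Specialist": {"Rehire Employee", "Add Direct Report"},
    "Payroll Clerk": {"Enter Payroll", "Approve Payroll"},  # conflict inside one role
    "Payroll Approver": {"Approve Payroll"},
    "System Admin": {"Enter Payroll", "Approve Payroll", "Promote Worker"},
    "Employee": {"View Own Payslip"},
}

# Entitlements: named groups of related privileges (the article's Manage Employee example)
ENTITLEMENTS = {
    "Manage Employee": {"Add Direct Report", "Rehire Employee", "Promote Worker"},
    "Enter Payroll": {"Enter Payroll"},
    "Approve Payroll": {"Approve Payroll"},
}

# Model filters: pairs of entitlements one person must not hold at the same time (assumed)
CONFLICT_FILTERS = [
    ("Enter Payroll", "Approve Payroll"),
    ("Manage Employee", "Approve Payroll"),
]

# Global conditions: records the model should not analyze
EXCLUDED_ROLES = {"Employee"}      # granted to everyone, nothing to learn from it
EXCLUDED_USERS = {"sysadmin01"}    # purposefully granted full access

# Constructed user -> role assignments
USER_ROLES = {
    "alice": {"Line Manager", "Employee"},
    "bob": {"Payroll Clerk", "Employee"},
    "carol": {"HR Specialist", "Payroll Approver", "Employee"},
    "dave": {"Payroll Approver", "Employee"},
    "sysadmin01": {"System Admin", "Employee"},
}


def effective_privileges(roles):
    """Union of privileges granted by the roles, after applying the role global condition."""
    privs = set()
    for role in roles - EXCLUDED_ROLES:
        privs |= ROLE_PRIVILEGES.get(role, set())
    return privs


def held_entitlements(privs):
    """An entitlement counts as held when any one of its privileges is held."""
    return {name for name, members in ENTITLEMENTS.items() if privs & members}


def conflicts_for(privs):
    """Conflict filters triggered by a privilege set, in filter order."""
    held = held_entitlements(privs)
    return [(a, b) for a, b in CONFLICT_FILTERS if a in held and b in held]


def intra_role_violations():
    """Roles whose own privileges trigger a filter: unassignable without a conflict."""
    return {
        role: conflicts_for(privs)
        for role, privs in ROLE_PRIVILEGES.items()
        if role not in EXCLUDED_ROLES and conflicts_for(privs)
    }


def user_violations():
    """Per-user conflicts across all of a user's roles, honoring both global conditions."""
    result = {}
    for user, roles in USER_ROLES.items():
        if user in EXCLUDED_USERS:
            continue
        found = conflicts_for(effective_privileges(roles))
        if found:
            result[user] = found
    return result


def top_users(n=10):
    """Users ranked by conflict count, in the spirit of an Access Violations by User report."""
    counts = Counter({user: len(found) for user, found in user_violations().items()})
    return counts.most_common(n)


if __name__ == "__main__":
    print("Intra-role:", intra_role_violations())
    print("By user:", user_violations())
    print("Top users:", top_users())
```

Note how the two global conditions behave differently: excluding the Employee role removes a universally held privilege from every user's effective set, while excluding the sysadmin01 user drops that user from the per-user results without hiding the fact that the System Admin role itself is internally conflicting, which the intra-role check still reports.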
Oracle Financial Compliance reports are focused on documenting how your organization plans to avoid risk and meet regulatory requirements. This information is also collected into reports and alternatively in Oracle Business Intelligence Catalog dashboards. The following reports help you track your organization’s response to risk:
- Assignment Details Report: this report provides details about assessments carried out on selected objects in your system.
- Control Assessment Report: this report lists controls and their related assessment activities as a PDF.
- Control Assessment Extract: this report lists controls and their related assessment activities in a format you can easily export data from, such as a spreadsheet.
- GRCM Control Details Report: this report lists details about selected controls such as their names, descriptions, the employee in your organization who created or last updated them, and the date they were last updated.
- Issue Details Report: this report lists details about issues such as the object the issue is questioning, the issue's status and state, the users who created or updated it, and when the issue was last updated.
- Issue Listing Extract: this report provides the same information as the Issue Details Report, but in a format ready to export, such as a spreadsheet.
- Risk Control Matrix Report Financial Governance: this report details how select processes, risks, or controls relate to other objects and values in your system.
- Risk Control Matrix Extract Financial Governance: this report provides the same information as the Risk Control Matrix Report Financial Governance, but in a format ready to export, such as a spreadsheet.
Financial Reporting Compliance and Advanced Controls reports are scheduled and run from their respective models pages. From these pages, you can open the Related Links page to choose a report to run from a selection of report categories. Scheduling a report to run at a specific time requires naming the schedule, setting a start date and time and an end date and time, and choosing how frequently the report should run while the schedule is active.
Where do I begin with Oracle Risk Management?
Risk management might seem overwhelming at first. There is a lot of data to process and many considerations to make regarding roles, privileges, and other points of access that can leave your entire organization at risk. Instead of getting overwhelmed, take the advice found in this article and develop a strategy built on access models and risk logic that best works for your business.
More information on configuring Risk Management features to suit your organization's needs is available with Engage, Maverick Solutions' comprehensive, subscription-based Oracle training model. Speak with one of our customer service representatives today to learn more or request a demo.