By Sid Sinha, Vice President of Applications Development, Oracle Risk Cloud, Oracle
From payables to receivables, data within your Oracle Fusion Cloud ERP system is the lifeblood for maintaining and executing your core business activities and operations. ERP data contains your organization’s crown jewels and requires a purpose-built, scalable approach with repeatable processes that protect the security and control of that data.
Now more than ever, this is no longer optional; it’s a necessity for any successful business. Today's modern business environment has seen increasing systems use and data access across a dynamic, distributed set of employees, contractors, and third-party consultants.
A lack of proper security and controls creates new security risks, including unauthorized employee access to sensitive data and non-compliant audit findings, such as data privacy-related violations.
To manage this complex environment, organizations must have direct security controls over critical systems like ERP and HCM applications, with the ability to quickly change who has access to what, without introducing potential security risks or role conflicts.
Mitigating these new risks is best handled through a phased approach.
In phase 1, the aim is to have an impact within 1-2 weeks by focusing on low-hanging fruit. This can start with:
In phase 2, the goal is to digitize and automate key processes to monitor and identify potential risks that need action. This can include validating who has access, and monitoring for suspicious transactions.
Oracle Cloud ERP customers can leverage built-in security and controls within Oracle Fusion Cloud Risk Management. It helps you analyze risk accurately and quickly see results. There are three core use cases that can be easily implemented within 1-2 weeks:
Without proper role design and controls in place, your business and critical data are vulnerable to data breaches and loss of sensitive financial information. Poorly designed roles are the #1 reason for SOD non-compliance in audit findings—which leads to unexpected costs and additional time to remediate.
Through proper role design—ideally at the time of ERP implementation—you can mitigate data loss and breaches, along with potential audit non-compliance due to poorly designed roles.
Using purpose-built, complementary technology like Oracle Cloud Risk Management within Oracle Cloud ERP, organizations are securing sensitive information across the enterprise and ensuring that only the right people have the right access to financial data within the ERP system.
Oracle Risk Management helps you easily design conflict-free, secure roles within your ERP system, identify which users will be granted access to sensitive information, and automate role provisioning and the identification of non-compliant users, along with the potential risk this represents. With a pre-built library of over 100 best practice security rules and privacy controls, you can implement proper role design in a few easy steps, reducing the overall security design effort, re-work and consulting fees typically seen when implemented by a third party.
Segregation of duties (SOD) ensures proper oversight and reduces the risk of possible fraud or data breaches within your core ERP system. In the US, to meet Sarbanes–Oxley (SOX) requirements, public companies are required to certify their controls for SOD. Having automated SOD compliance reporting in place removes manual, inefficient work—often done by a third-party consultant or auditor.
Oracle Risk Management provides automated SOD compliance reporting, making SOD reporting easy. By doing this all within Oracle ERP and Risk Management, you eliminate the risk of distributing sensitive ERP data to third-party consultants and their outside systems each quarter.
Once automated SOD compliance reporting is in place, managing the process becomes streamlined and reduces long-term costs and risks. You can actively monitor system privileges, certify access, and identify and resolve the most critical SOD conflicts.
Ensuring and certifying that the right people have the right access to sensitive data and systems is just as critical as the data itself. Not doing so introduces the risk of the wrong people having system privileges and access to sensitive information that they shouldn’t have. For example, an outside team that implemented your Oracle ERP system shouldn’t have access to that system and accounts payable data once the project is over.
In the past, many businesses managed user access using ad-hoc emails and spreadsheets, making reporting a very manual, error-prone process which consumed about 250 hours per year.
Oracle Cloud ERP customers can now continuously certify new users with high-risk access. Oracle Risk Management complements the native access control within Oracle ERP by providing an extra, pre-built, pre-integrated layer of security and controls.
As systems and data access become the foundation for how work gets done today, enforcing security rules and access rules is more important than ever.
Business and technology leaders must ensure they have the processes and system controls in place to protect and secure their data, minimizing the risks of data loss or breaches that can have significant downstream implications—from financial and reputational loss to legal risk.
Oracle ERP customers can immediately leverage Oracle Risk Management for improved control, monitoring and reporting—with both workflow and data analysis in the same system as your ERP system—to get the high levels of security, coordination and collaboration required by today’s growing companies.
To help you take any of the three steps outlined above, Oracle customers can access the detailed step-by-step guides—all available in Oracle Cloud Customer Connect—and get your organization live in 1-2 weeks.