Posts

  • Barry Greenhut
    Design and export your own Risk Management reports
    Topic posted March 6, 2019 by Barry Greenhut, tagged Advanced Controls, Compliance, ERP, Financial Reporting Compliance, Financial Transactions, Financials, Fraud, Governance, GRC, Public Sector, Risk Management, Sarbanes Oxley, Security, Separation of Duties, SOX in Human Capital Management > Risk Management
    Title:
    Design and export your own Risk Management reports
    Content:

    When you subscribe to Risk Management, you get complimentary access to tools that let you design reports, pivot, analyze and export data, and much more.

    We're thrilled to share two new videos by Stephanie Golly, our product manager in charge of this topic. She'll show you how to create and export your own analyses of user access and transactions - an Access Incident Details Extract report (AIDE) and Transaction Incident Details Extract report (TIDE).

    And don't miss Lakshmi Rajamohan's master class in Financial Reporting Compliance reports and dashboards - part of our Hands-On series!

  • Christine Doxey
    Compensating Controls to Mitigate Risk
    Topic posted February 20, 2019 by Christine Doxey, tagged Advanced Controls, Compliance, Financial Transactions, Fraud, GRC, Risk Management, Sarbanes Oxley, Separation of Duties, SOX in Human Capital Management > Risk Management
    Title:
    Compensating Controls to Mitigate Risk
    Summary:
    Learn about compensating controls as an additional risk management tool.
    Content:

    Introduction

    Segregation of duties promotes the use of sound business practices and supports the achievement of a business process objective. When designing segregation of duties controls for a business or financial process, most business process owners start with identifying incompatible functions and then define the segregation of duties and systems access controls. However, the segregation of duties control cannot always be achieved in certain situations due to staffing limitations.

    In some cases, an employee will perform all activities within a process. In this scenario, segregation of duties does not exist and risk cannot be identified nor mitigated in a timely manner. As a result, the implementation of additional compensating controls should be considered.

    Definition of Compensating Controls

    A compensating control reduces the vulnerabilities in ineffectively segregated functions. A compensating control can reduce the risk of errors, omissions, irregularities and deficiencies, which can improve the overall business process.

    Compensating Controls, CSA and CCM

    However, it should be noted that many companies include compensating controls in their internal controls programs as additional measures to reduce risk. These controls can be embedded in continuous controls monitoring (CCM) and controls self-assessment (CSA) processes.

    Continuous controls monitoring (CCM) refers to the use of automated tools and various technologies to ensure the continuous monitoring of financial transactions and other types of transactional applications to reduce and mitigate risk. A CCM process includes the validation of authorizations, systems access, system configurations and business process settings.

    Examples of Compensating Controls

    1. Skim through detailed transactions report: A manager should consider performing a high level review of a detailed report of transactions completed by an employee that performs incompatible duties. As an example, a manager may simply skim through the report sections that contain high risk transactions or accounts and may review specific payment types or amounts before the payment is made.
    2. Review sample of transactions: Using a CSA or CCM process, a manager may select a few sample transactions, request the supporting documents and review the documents to ensure that they are complete, appropriate, and accurately processed. In addition to detecting errors, the knowledge of a periodic review could create a disincentive (that is, reduce the opportunity) for the person performing the incompatible duties to process unauthorized or fraudulent transactions. This review identifies transactional anomalies which can be used as a flag to indicate collusion. As an example, unchanged pricing and using the same suppliers for several years can indicate possible collusion between buyers and suppliers.
    3. Review system reports: Applications that support business or office operations have embedded reporting capabilities that enable the generation of reports based on pre-determined or user defined criteria. A review of relevant system exception reports can provide good compensating controls for an environment that lacks adequate segregation of duties. As an example, I suggest a quarterly review of reports of deleted or duplicated transactions, of changes to data sets, and of transactions exceeding a specific dollar amount.
    4. Perform analytical reviews: Another example of a compensating control is the comparison of different records with predictable relationships and the analysis of identified unusual trends. For example, a budget vs. actual expenditure comparison, a current year vs. prior year subscription fees analysis, or a comparison of selected asset records to an actual physical count of assets might indicate unusual variances or discrepancies that may need to be investigated. Such analytical reviews should occur on a monthly basis.
    5. Reassign reconciliation: If there is an opportunity to reassign one activity from the person performing incompatible functions to another employee, a manager may consider re-assigning the reconciliation activity. As an example, reassigning the bank account reconciliation function to someone other than the person receiving cash and depositing it to the bank could improve the quality of internal controls in the cash receipt process. Reconciliations should occur monthly as a standard of internal control.
    6. Increase supervisory oversight: Other forms of activities a manager may perform as compensating controls are observation and inquiry. Where appropriate, increasing supervisory reviews through the observation of processes performed in certain functions and making inquiries of employees are good administrative controls that may help to identify and address areas of concern before a transaction is finalized.
    7. Rotate jobs: Many companies rotate jobs in the finance and accounting department every 1-2 years. This creates an environment of control and can prevent collusion. As an example, accounts payable processors should be rotated on a regular basis so that they don't become too involved with specific suppliers. And as noted above, a buyer's responsibility should be rotated within the purchasing organization.

    Conclusion

    Effective compensating controls can reduce the risk for a process that has limited or inadequate segregation of duties and ultimately can provide reasonable assurance to management that the anticipated objective(s) of a process or a department will be achieved. As a detective risk management technique, compensating controls tend to look at the accuracy of a transaction after it has occurred but can be used as preventive controls within CSA and CCM processes.
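The system exception reports and analytical reviews described in the post (duplicate transactions, transactions over a dollar threshold, budget vs. actual variances) can be run as automated checks in a CCM process. The following is an added example written for this page, not code from the post's author or from Oracle Risk Management; the transaction record layout, the thresholds and the sample payments are constructed assumptions.

```python
"""
Exception-report style compensating controls over a constructed set of
payment transactions (added example; the record layout, thresholds and
sample data are assumptions, not a product's format).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    supplier: str
    amount: float          # dollars
    entered_by: str        # user who keyed the payment
    approved_by: str       # user who approved it
    posted: date


# Constructed sample data: user "jdoe" both enters and approves payments,
# which is the incompatible-duty situation the reports below compensate for.
SAMPLE_TXNS = [
    Transaction("P-1001", "Acme Supply", 4_800.00, "jdoe", "jdoe", date(2019, 1, 8)),
    Transaction("P-1002", "Acme Supply", 4_800.00, "jdoe", "jdoe", date(2019, 1, 8)),
    Transaction("P-1003", "Beta Parts", 12_500.00, "jdoe", "mlee", date(2019, 1, 15)),
    Transaction("P-1004", "Gamma Ltd", 950.00, "asmith", "mlee", date(2019, 1, 20)),
    Transaction("P-1005", "Acme Supply", 27_000.00, "jdoe", "jdoe", date(2019, 2, 3)),
]


def duplicate_transactions(txns):
    """Exception report: groups of payments to the same supplier for the
    same amount on the same day (possible duplicate or re-keyed payment)."""
    groups = defaultdict(list)
    for t in txns:
        groups[(t.supplier, t.amount, t.posted)].append(t.txn_id)
    return sorted(ids for ids in groups.values() if len(ids) > 1)


def transactions_over_threshold(txns, threshold):
    """Exception report: transaction ids at or above the review threshold."""
    return [t.txn_id for t in txns if t.amount >= threshold]


def self_approved_transactions(txns):
    """Transactions entered and approved by the same user: the population a
    manager would sample and ask for supporting documents."""
    return [t.txn_id for t in txns if t.entered_by == t.approved_by]


def budget_variances(actuals, budget, tolerance=0.10):
    """Analytical review: cost centres whose actual spend deviates from
    budget by more than `tolerance` (a fraction), with the signed variance."""
    flagged = {}
    for centre, planned in budget.items():
        if planned == 0:
            continue  # no meaningful ratio; review such centres manually
        variance = (actuals.get(centre, 0.0) - planned) / planned
        if abs(variance) > tolerance:
            flagged[centre] = round(variance, 3)
    return flagged


if __name__ == "__main__":
    print("duplicates:", duplicate_transactions(SAMPLE_TXNS))
    print("over $10k:", transactions_over_threshold(SAMPLE_TXNS, 10_000))
    print("self-approved:", self_approved_transactions(SAMPLE_TXNS))
    print("variances:", budget_variances({"CC-100": 12_000.0, "CC-200": 5_000.0},
                                         {"CC-100": 10_000.0, "CC-200": 5_200.0}))
```

Each function returns the exception population rather than printing it, so the same checks can feed a quarterly review pack or a CCM alert; the thresholds and the duplicate key (supplier, amount, posting date) are the parameters a process owner would tune to the business.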

  • Lana Prout
    It's time to vote for your favorite Change Agents of Finance!
    Announcement posted February 12, 2019 by Lana Prout, tagged Announcements, Financials, Procurement, Project Portfolio Management, Risk Management in ERP Members > ERP Announcements
    Title:
    It's time to vote for your favorite Change Agents of Finance!
    Announcement:

    The voting for the 2019 Oracle Change Agents of Finance Awards is now open.  Review the award finalists and vote for your favorite finance heroes by February 20th. Award winners will be notified in February and will receive a complimentary pass to attend Modern Business Experience, presented by Oracle, March 19-21, 2019 in Las Vegas where they will be recognized in a special award ceremony.

    Vote Now -> https://changeagents.oracle-awards.com/a

  • Anthony Olivo
    Descriptive Flexfields
    Topic posted February 12, 2019 by Anthony Olivo, tagged Risk Management in Human Capital Management > Risk Management
    Title:
    Descriptive Flexfields
    Summary:
    Can you migrate DFFs from one environment to another (Test to Prod)?
    Version:
    Revision 13.18.10 (11.13.18.10.0)
  • Venkatesh Chella
    After 18C Upgrade, Several of the Advanced Access Control features are not working.
    Topic posted January 25, 2019 by Venkatesh Chella, tagged Advanced Controls, Governance, GRC, Risk Management, Tip in Human Capital Management > Risk Management
    Title:
    After 18C Upgrade, Several of the Advanced Access Control features are not working.
    Summary:
    Several Advanced Access Control Features stopped working after 18C Upgrade
    Content:

    FYI for Risk Management Cloud - Advanced Access Control - 18C users.

    We are getting the error 'java.lang.NullPointerException' when we try to open any Control that has already been deployed. This started happening only after the 18C upgrade. This does not happen to newly deployed controls.

    Also we are not able to deploy already existing Models into Controls after 18C. But we are able to deploy both new Models and Controls.

    New Models and New Controls = OK to Deploy, Execute and View results.
    Old Models and Deploy them now as Controls = Not working
    View Old Controls = Not able to view and getting errors " Java.lang.NullPointerException "
    Execute Old Controls - The Job fails after starting. Getting error " oracle.apps.odin.domain.job.JobExecutionException: Error occurred during analysis "

    Error Codes
    ---------------------------------------------------
    java.lang.NullPointerException, oracle.apps.odin.domain.job.JobExecutionException: Error occuring during analysis

    Version:
    Oracle Cloud application 13.18.10 (11.13.18.10.0)
  • Venkatesh Chella
    In Advanced Access Control under Enforcement Type, How do Prevent and Approval Required work?
    Topic posted January 9, 2019 by Venkatesh Chella, tagged GRC, Risk Management, Separation of Duties in Human Capital Management > Risk Management
    Title:
    In Advanced Access Control under Enforcement Type, How do Prevent and Approval Required work?
    Summary:
    Usage of Enforcement Type in Controls
    Content:

    Would like to know the different functionalities of Enforcement Type (Monitor, Prevent, Approval Required). How does it work?

    We are in 18C and would like to know how to make use of Enforcement Type in Controls.

    Version:
    18C
  • Sujay Bandyopadhyay
    Granular Security for Assessments in Financial Reporting Compliance
    Topic posted December 20, 2018 by Sujay Bandyopadhyay, tagged Compliance, Financial Reporting Compliance, Financials, Governance, GRC, Risk Management, Sarbanes Oxley, Security, SOX in Human Capital Management > Risk Management
    Title:
    Granular Security for Assessments in Financial Reporting Compliance
    Content:

    Starting with quarterly update 18C, you can configure Financial Reporting Compliance data security for batch assessments independent of the data security of the objects that are being assessed. This granular security enables you to generate multiple assessments for each included object using the perspective values configured in the assessment. These improvements should dramatically increase the ease of maintaining Financial Reporting Compliance object data and the batch assessment process. The attached whitepaper provides the details.

  • Lana Prout
    Call for Nominations – Oracle Change Agents of Finance Awards
    Announcement posted December 19, 2018 by Lana Prout, tagged Announcements, Financials, Procurement, Project Portfolio Management, Risk Management in ERP Members > ERP Announcements
    Title:
    Call for Nominations – Oracle Change Agents of Finance Awards
    Announcement:

    There are only a few days left to submit nominations for the Change Agents of Finance Awards! Don’t miss this opportunity to have your team, colleague, or yourself, recognized for achieving goals by leveraging the cloud and other emerging technologies.

    Nominations close this Friday, December 21st. Award winners will receive a complimentary pass to Modern Business Experience in Las Vegas, March 17-19, 2019.

    Nominate now >>


  • Pathikp
    Oracle Cloud Risk Management integration with On-Prem Oracle
    Topic posted November 29, 2018 by Pathikp, tagged Compliance, Financial Reporting Compliance, Governance, GRC, Risk Management, Separation of Duties, SOX in Human Capital Management > Risk Management
    Title:
    Oracle Cloud Risk Management integration with On-Prem Oracle
    Summary:
    Does Oracle Cloud Risk Management integrate with On-Prem Oracle?
    Content:

    We actively use GRC AACG and CCG on prem looking at two separate Oracle instances (12.1.3 & 12.2.3). In addition, we also have the Oracle ERP Cloud application.

    We would like to know more about the following.

    Questions:

    • Is there a solution/path to connect all three Oracle instances (two on-prem instances & the Cloud instance) with Risk Management Cloud?
    • Is it possible to interface from/to on-prem to Risk Management Cloud (i.e. a REST API)?
    • If it's currently not available, do we know whether it will be part of the future roadmap?
  • Christine Doxey
    The Benefits of Segregation of Duties Controls
    Topic posted November 9, 2018 by Christine Doxey, tagged Advanced Controls, Compliance, Financial Transactions, Fraud, GRC, Risk Management, Sarbanes Oxley, Separation of Duties, SOX in Human Capital Management > Risk Management
    Title:
    The Benefits of Segregation of Duties Controls
    Summary:
    In my last post, we discussed the concept of implementing internal controls to mitigate risk. Segregation of duties is a fundamental control to consider when managing risk.
    Content:

    What is Segregation of Duties (SoD)?

    The key principle of segregation of duties is that an individual or small group of individuals should not be in a position to control all components of a transaction or business process. The general duties to be segregated are: planning/initiation, authorization, custody of assets, and recording or reporting of transactions. In addition, control tasks such as review, audit, and reconcile should not be performed by the same individual responsible for recording or reporting the transaction. Adequate segregation of duties controls reduces the likelihood that errors (intentional or unintentional) will remain undetected by implementing separate processing by different individuals at various stages of a transaction and for independent reviews of the work performed.

    Segregation of duties controls provide four primary benefits: 1) the risk of a deliberate fraud is mitigated as the collusion of two or more persons would be required in order to circumvent controls; 2) the risk of legitimate errors is mitigated as the likelihood of detection is increased; 3) the cost of corrective actions is mitigated as errors are generally detected earlier in their lifecycle; and 4) the organization's reputation for integrity and quality is strengthened through a system of checks and balances.

    Applying SoD Controls to Systems Access

    The principle of segregation of duties is critical as it ensures the separation of different functions such as transaction entry, on-line approval of the transactions, master file initiation, master file maintenance, user access rights, and the review of transactions. This means that one individual should not have access rights which permit them to enter, approve and review transactions. Assigning different security profiles or roles to various individuals supports the principle of segregation of duties. As an example, this principle can be reinforced by systems access policy and the ongoing review of system access controls as part of your internal controls program.

    Eight Categories of SoD Controls to Consider

    The following categories of duties or responsibilities should be considered when implementing segregation of duties controls and can be validated by system access roles by asking the question, "Who can do what?" These controls can be used to develop your internal controls self-assessment process and when considering compensating controls to mitigate risk for a specific business process.

    1. Policy, Plans and Goals
      • Formulating policy, plans and goals
      • Approving policy, plans and goals
      • Developing/analyzing business case justification
    2. Transaction SoD Controls
      • Initiating a transaction
      • Authorizing the transaction
      • Recording the transaction
    3. Monitoring or having custody of physical assets
    4. Monitoring and/or reporting on performance results
    5. Reconciling accounts and transactions
    6. Master File Transactions
      • Authorizing master file transactions
      • Processing master file transactions
    7. Providing information systems development, security administration, and other related support
    8. Following-up and resolving issues or discrepancies