13 Feb 19

Part 4: Collusion – The Hidden Risk
An area of risk that is often overlooked because it can be difficult to identify is collusion. In the context of access related risk and Oracle EBS, collusion is the risk that two or more people (users) work together to complete a business transaction.
Typical Access Related Risk
The primary capability of any good Segregation of Duties (SoD) solution is the identification of access related risk, which is typically assessed on a “per user” basis. This means the software looks for risk attached to a single user, i.e. can Joe both create a supplier and create an invoice? This is the core part of any good SoD solution.
Beyond “Individual” Risk
Consider the following scenario…
- Joe has the ability to create a supplier and the ability to create an invoice.
- Jane has the ability to create a supplier but does not have the ability to create an invoice.
- Jack has the ability to create an invoice but does not have the ability to create a supplier.
- You have a great new SoD software solution in place.
- You currently have 1 rule enabled in your risk matrix that is looking for risks where a person can create a supplier and an invoice.
So you run a scan on your system using your super new SoD solution; how many risks should it find?
“Just 1 risk” I hear you say.
And of course, you are quite correct, it should only find 1 risk.
Or should it?
What if I were to tell you that Jane and Jack car-share on their way to work in the morning? Or what if I tell you they are best friends, or that they are related? Does this make a difference?
Still only 1 risk?
Yes, of course, only 1 risk for most of the time because, by and large, people are honest. However, if everyone were honest then the need for a good access related risk solution would be somewhat diminished.
The fact that Jane and Jack might car-share, could be best friends or may be related will, for the most part, make no difference whatsoever, because Jane and Jack are most likely both honest, hard-working individuals. Sometimes, however, people get together and cook up a plan to commit fraud precisely because neither has the system access to do it on their own (possibly because your new super SoD solution put a stop to that).
Identifying Potential Access Related Risk Collusion
Your new super SoD solution needs a way to detect possible collusion related risk. Taking potential collusion between Jane and Jack into account, we should identify 3 potential risks; can your SoD solution do that?
So how do you manage this type of risk within your organization?
The risk is small for sure but it is still a risk, albeit hidden most of the time.
All organizations are exposed to access related collusion risk, yet there is very little available that can help you manage this type of risk.
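To make the difference between a per-user check and a collusion check concrete, here is an added example (not code from the article or from any SoD product) in Python. It uses the Joe/Jane/Jack scenario above, plus a constructed fourth user (Jill) and a constructed three-function rule to show that the same idea extends to larger groups: a collusion finding is a minimal group of users whose combined access covers a rule that none of them covers alone.

```python
from itertools import combinations

# Constructed sample data for illustration; not taken from any real EBS instance.
# user -> set of functions that user can perform
ACCESS = {
    "Joe":  {"create_supplier", "create_invoice"},
    "Jane": {"create_supplier"},
    "Jack": {"create_invoice"},
    "Jill": {"approve_payment"},          # constructed extra user
}

# A risk rule is the set of functions that together complete a sensitive
# transaction. The first rule is the article's; the second is constructed.
RULES = {
    "supplier_and_invoice": {"create_supplier", "create_invoice"},
    "supplier_invoice_payment": {"create_supplier", "create_invoice", "approve_payment"},
}


def individual_risks(access, rules):
    """Per-user SoD check: (user, rule) where one user's own access covers a rule."""
    return sorted(
        (user, rule)
        for rule, funcs in rules.items()
        for user, perms in access.items()
        if funcs <= perms
    )


def collusion_risks(access, rules, max_group=2):
    """Collusion check: (group, rule) where the group's combined access covers the
    rule and the group is minimal, i.e. removing any member breaks coverage.
    Minimality keeps Joe+Jane out of the list, since Joe already covers the rule alone."""
    found = []
    for rule, funcs in rules.items():
        # Only users holding at least one function of the rule can contribute.
        relevant = {u: p & funcs for u, p in access.items() if p & funcs}
        for size in range(2, max_group + 1):
            for group in combinations(sorted(relevant), size):
                if set().union(*(relevant[u] for u in group)) != funcs:
                    continue
                minimal = all(
                    set().union(*(relevant[v] for v in group if v != u)) != funcs
                    for u in group
                )
                if minimal:
                    found.append((group, rule))
    return found


if __name__ == "__main__":
    print("individual:", individual_risks(ACCESS, RULES))
    print("collusion: ", collusion_risks(ACCESS, RULES, max_group=3))
```

With `max_group=2` the article's rule yields exactly one individual finding (Joe) and one collusion pair (Jack and Jane); raising `max_group` to 3 additionally surfaces the three-person group for the constructed three-function rule.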
Early Access – Newsletter
The next article in this series is “Preventive Controls – Taking the pro-active approach to risk”.
If you want to get access to these articles before anyone else, please subscribe to our newsletter.