06 Feb 19 Part 3: It’s all about the Risk Matrix
access related risk matrix
If you’ve been following our series of articles that discuss managing access related risk for Oracle EBS then you will understand why a software solution is a crucial part of your toolkit when it comes to managing risk.
However, no matter how great the software is, one key component must not be overlooked and that is the “risk matrix”.
Just a collection of Rules
First, what exactly is an access related risk matrix? Well, you will be pleased to know that it is not as complex as it might sound.
In a nutshell, the risk matrix is simply the “rules” that instruct the software solution what risks to look for.
For example, let’s say we are looking for a scenario where one person is able to create suppliers and invoices; in Oracle EBS terms then, you want to find all users who have access to both the supplier function and the invoice function.
So we have two (or more) functions, that when available together, represent some sort of risk; this is an example of a typical Segregation of Duties (SoD) rule. Here are a few more example SoD rules…
- Enter Journals vs. Post Journals
- Payments vs. Enter Invoices
- Purchase Orders vs. Financial Options
Therefore, a risk matrix is just a collection of rules to be used by the software solution.
Beyond Segregation of Duties
When talking about access related risk, most people think of Segregation of Duties (SoD) related risk, this is where access to two functions creates the risk (i.e. suppliers vs. invoices).
Another type of access related risk that is often neglected is “sensitive access risk”. This is when a single function (or concurrent program) carries risk on its own, regardless of whether used in conjunction with another function. An individual function may be considered a risk because it provides access to critical or sensitive data within Oracle EBS.
Here are some example functions in Oracle EBS that might be monitored by a sensitive access risk rule…
- Supplier Bank Account Maintenance
- Maintain Profile Option Values
- Any functions (screens) that allow SQL Injection
There are hundreds of functions (and concurrent programs) within Oracle EBS that may have some risk associated with them; therefore a good risk matrix should be a collection of sensitive access risk rules as well as SoD rules.
Here are some key attributes of a good risk matrix; it should…
- Include rules that cover what might be considered traditional SoD.
- Rules that an auditor or compliance officer would typically consider as being areas of risk (i.e. in-scope for SoX).
- Go beyond traditional SoD to include areas often overlooked (i.e. risks that are not in-scope for SoX) such as operational risk.
- Include sensitive access rules that provide coverage for…
- functions that expose critical or sensitive data.
- functions that can be used for SQL injection or executing an operating system script.
- high-risk concurrent programs such as those that can purge, decrypt, or process data.
- Include rules for many of the common modules within EBS with particular attention to anything that leads to some sort of financial transaction.
- Incorporate easy to understand risk descriptions to ensure working with the rules is as simple as possible.
- Group logically related rules together to help with rule management.
- Be fine-grained enough to help you understand and interpret the risks in enough detail to allow you to action the results.
- Be comprehensive in terms of risk coverage but not be so large that managing the rules is difficult.
- Allow you to be selective with the rules within the matrix; not all organizations need to utilise all rules.
- Allow rules to be modified to meet requirements as well as allow for the creation of custom rules.
Finding an access related risk matrix for Oracle EBS that includes all of the above attributes is a tall order for sure. The good news is that we have been partnered with a leading expert in the GRC space for the past decade, ERP Risk Advisors, and we have exclusively licensed their risk matrix to work seamlessly with our software.
Do you want to find out if we include all of the attributes that make for a good risk matrix? Get in touch today and ask us about CS*Comply and our pre-seeded rulesets.
Early Access – Newsletter
The next article in this series is “Collusion – The Hidden Risk“.
If you want to get access to these articles before anyone else, please subscribe to our newsletter.