Our research shows that on an average JD Edwards system, around 8% of users have access that would enable them to commit the “dummy supplier” fraud. The consultancies agree that the chance of fraud in your company is around 35% this year. Can you afford to ignore this risk? Will you lose your job if it happens to your organization?
When ERP systems were introduced, providing open access to all corporate data seemed like the answer to many problems. At last managers could retrieve all the information they needed to make sound decisions. Finally data could be shared across applications, so you only needed one file with customer data which could be accessed by users in accounting, sales or customer service. What a great idea!
Thirty years later, our world has changed. Nowadays security fears impinge on every part of our lives. IT managers are haunted by fears of a hacking attack or a ransom demand, so a great deal of effort is focused on defending the perimeter from remote threats. But everyone responsible for the security of an ERP system needs to be aware that 50% of fraudulent incidents are committed by insiders.
Beware of internal fraud – protect your system from the enemy within
Finding solutions can be daunting, but a well-thought-through plan can resolve the risks within months. The key starting point is to audit your existing security to identify your vulnerabilities, review your procedures, and then create a security improvement plan.
So what are the critical success factors?
Typically, the plan will start with Role Design, where the key aim is to map the roles closely to your business processes. This is important for two reasons:
- Business managers need to own the roles. Application security is a business issue – our job in IT is to advise and guide, and to provide the tools that simplify the tasks.
- The roles need to reflect your organization’s specific processes. There’s no such thing as ‘standard’ roles, so never fall for the advice of people who tell you otherwise! Examples from another implementation may provide a starting point, but your roles need to be tailored to your processes. Using someone else’s security will always go wrong eventually.
The next step is usually to implement Segregation of Duties (SoD), which is recommended as the main means of preventing internal fraud. To do this effectively, you need to make sure that you and the relevant business owners understand the common frauds and how they can be committed, so that you can agree and jointly implement appropriate measures to minimize the risks.
Starter SoD Rules can provide a useful shortcut, but here, again, it’s important to spend maybe 2 or 3 days adapting the rules to suit your own policies, and to ensure that the business owns them.
Most critically, you must provide business managers with reporting tools that give them relevant, clear information that helps them to identify issues. Never ask them to sign off something they can’t understand!
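The SoD check and the plain-language report the last three paragraphs call for, as an added example that is not part of the original post or of any product it mentions: each rule names two functions that together make a fraud possible, users are checked through the roles they hold, and the report says which role grants each half, so a business owner can see why a user is flagged. Rule names, role names, functions and users are all constructed, not JD Edwards' own.

```python
# Added example, not from the original post; all rules, roles and users are constructed.
# Each SoD rule names two functions one user must never hold together.
SOD_RULES = {
    "dummy-supplier": ("create_supplier", "approve_payment"),
    "ghost-employee": ("create_employee", "run_payroll"),
}
# Functions each role grants (constructed; not JD Edwards' own roles).
ROLE_FUNCTIONS = {
    "AP_CLERK": {"create_supplier", "enter_invoice"},
    "AP_MANAGER": {"approve_payment"},
    "HR_ADMIN": {"create_employee"},
    "PAYROLL_RUN": {"run_payroll"},
    "REPORT_VIEWER": {"view_reports"},
}
# Constructed assignments; bob has accumulated both halves of the dummy-supplier fraud.
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "AP_MANAGER"},
    "dave": {"HR_ADMIN", "PAYROLL_RUN"},
    "erin": {"REPORT_VIEWER"},
}

def roles_granting(function, roles, role_functions):
    """Held roles that grant `function`, so the report can say where the access comes from."""
    return sorted(r for r in roles if function in role_functions.get(r, set()))

def find_conflicts(user_roles, role_functions, rules):
    """Map each conflicting user to {rule: (roles granting side A, roles granting side B)}."""
    conflicts = {}
    for user, roles in user_roles.items():
        hits = {}
        for name, (a, b) in rules.items():
            via_a = roles_granting(a, roles, role_functions)
            via_b = roles_granting(b, roles, role_functions)
            if via_a and via_b:  # both halves of the fraud reachable by one person
                hits[name] = (via_a, via_b)
        if hits:
            conflicts[user] = hits
    return conflicts

def report_lines(user_roles, role_functions, rules):
    """Plain-language lines a business owner can sign off without reading the role design."""
    conflicts = find_conflicts(user_roles, role_functions, rules)
    lines = []
    for user, hits in sorted(conflicts.items()):
        for rule, (via_a, via_b) in sorted(hits.items()):
            a, b = rules[rule]
            lines.append(f"{user}: {rule}: {a} via {'/'.join(via_a)}, {b} via {'/'.join(via_b)}")
    lines.append(f"{len(conflicts)} of {len(user_roles)} users hold at least one SoD conflict")
    return lines
```

Replacing the three constructed tables with exports of your own role design and user assignments turns the last report line into the same kind of headline figure as the 8% quoted at the top of this post.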
After that, you can introduce further measures to make it easier to keep your system clean and safe, for example processes for User Provisioning, Access Approval and Periodic Review, and areas such as passwords and retired user accounts policies. You may also wish to track changes to your critical data, and implement extra controls for your privileged users.
Solutions are available to help you achieve all this. As always, the starting point is to understand your problems.
Take the first step – identify the security risks in your system
Remember to tell the management and the key ERP stakeholders in the business that there is a 1 in 3 chance of internal fraud at your company this year. An audit is a great way to show the C suite the extent of the risks in your system.
Check out our new and very affordable monthly service, QCloud Audit as a Service. Get answers overnight, together with recommendations to inform your planning. It’s available for Oracle E-Business Suite, JD Edwards EnterpriseOne and the Oracle Cloud.
If you’re at INFOCUS, visit us on booth 206 to find out more. We’ll also be at Oracle Openworld – you’ll find us on booth 2828.