Oracle GRC 860 Terminologies:
To prevent
frauds/misuse of various functionality of Oracle applications in business
some of control will be required in the way application is used by the Users. A
simple example is user in Oracle application should not be able to Initiate
Purchase Order and also approve it, this can be achieved with Oracle GRC.
Governance, Risk
and Compliance is a Application provided by Oracle to enforce certain business
or compliance rules in usage of various modules provided by Oracle Application.
The main purpose of this application is to achieve compliance of the Audit
rules or any specific requirement to avoid frauds/misuse of functionality in
Oracle applications. GRC is not just limited to Oracle Applications but also can
be configured with other products like PeopleSoft , etc.
It consists of
basically 3 modules
1. ACG:
Access control Governance which
deals with various accesses related rules and controls required in Oracle
applications.
2. TCG:
Transaction Control which deals with
the transactions being performed in Oracle applications
3. PCG:
It helps in having the Preventive
controls in place to avoid any misuse/fraud in Oracle applications. ACG is
actually finding the existing issues related in misuse/fraud while PCG is the
next step to prevent these kind of issues from happening.
GRC 860 differs
from 722 very much in the controls are implemented in Oracle applications or
any other ERP system.
Data source:
Its actually Data
systems against which GRC application will run to evaluate any issues of Governance
and Risk compliance. Simply it defines the database of the ERP/Other system,
GRC may run against multiple data sources. Data source configuration is
important setup in implementing GRC.
Access point:
An access point is
an object in a business-management application which, when made available to a
user, enables him to view or manipulate application data. In Oracle E-Business
Suite, access points include roles, responsibilities, menus, functions, grants,
and concurrent programs.
Access points are
considered to conflict when, in combination, they would enable individual users
to complete transactions that may expose a company to risk.
Entitlement:
Its collection of
access points or simply grouping the related access points into one.
Model: (SOD rule in 722)
An access model
specifies access points in business-management applications that conflict with
one another that would enable individual users to complete risky transactions. If
a person has the Responsibility to Initiate the Purchase Order as well as
responsibility to approve it, then these two access points i.e. Responsibility
can be defined in model to identify such users to avoid any fraud/misuse.
An Model can be
evaluated to find out such Users who the access points defined in the model. Models
can be manually defined or they can be imported using templates provided by
Oracle. Usually Oracle provides a set of standards models in the templates and
they can be reviewed and only relevant models can be then imported.
Control:
A control is
defined for a model it adds details like information needed for the control to
be run and its incidents to be resolved, a data-source to which the control is
applied, participants who resolve its incidents, a priority, and more. It also
add enforcement type to the model — Prevent, Monitor, or Approval required —
that determines what a participant may do about the control’s incidents
An AACG model returns “temporary” results a snapshot of risk that is replaced each time
the model is evaluated. A control returns “permanent” results records of
violations that remain available to be resolved no matter how often the control
is run.
Incidents:
Records of control violations are known as
“incidents.” So that incidents may be resolved, each control must name one or
more “participants” — GRCC users who are associated with controls either as
individuals or as members of participant groups. At least one participant is assigned to address incidents generated by
the control; other participants observe the decisions made by those who are
entitled to act.
Moreover, each AACG control is assigned one of
three “enforcement types” — Prevent, Monitor, or Approval Required.
Filter:
A filter may specify an access point or an
entitlement (a set of access points); if so, it identifies users who have been
assigned the specified access point, or any access point in the specified
entitlement. A conflict exists when a user is selected by a combination of
these filters. Combinations are determined by the way you arrange filters in
the model.
Condition:
A filter may define
a condition, which sets limits on the conflicts a model may identify.
Typically, a condition specifies users or other those are excluded from
analysis by the model, or it specifies a type of item and requires that the
model return results only when access points conflict within individual
instances of that item type.
Global
conditions:
A global condition
sets limits on the conflicts identified by all access models or controls
evaluated on a given data source. Like a condition written for a specific
model, a global condition typically specifies users or other items that are
excluded from analysis by a model or control, or it specifies a type of item and
requires the model or control to return results only when access points
conflict within individual instances of that item type..
No comments:
Post a Comment