Wednesday, 1 April 2015

GRC Terminologies

To prevent fraud or misuse of the various functions of Oracle Applications, some controls are required on the way the application is used by its users. A simple example: a user in Oracle Applications should not be able to both initiate a purchase order and approve it. This can be achieved with Oracle GRC.
Governance, Risk and Compliance (GRC) is an application provided by Oracle to enforce business or compliance rules on the use of the various modules of Oracle Applications. Its main purpose is to achieve compliance with audit rules or any other specific requirement, so as to avoid fraud or misuse of functionality in Oracle applications. GRC is not limited to Oracle Applications; it can also be configured against other products such as PeopleSoft.
It consists of three main modules:
1.    AACG:
Access Control Governance, which deals with the access-related rules and controls required in Oracle applications.
2.    TCG:
Transaction Control, which deals with the transactions being performed in Oracle applications.
3.    PCG:
Preventive Controls, which help to put preventive controls in place to avoid any misuse or fraud in Oracle applications. AACG finds the existing access issues that could lead to misuse or fraud, while PCG is the next step: preventing such issues from happening.
GRC 860 differs considerably from 722 in how controls are implemented in Oracle applications or any other ERP system.
Data source:
A data source is the data system against which the GRC application runs to evaluate governance and risk compliance issues. Simply put, it defines the database of the ERP or other system; GRC may run against multiple data sources. Data source configuration is an important step in implementing GRC.
Access point:
An access point is an object in a business-management application which, when made available to a user, enables him to view or manipulate application data. In Oracle E-Business Suite, access points include roles, responsibilities, menus, functions, grants, and concurrent programs.
Access points are considered to conflict when, in combination, they would enable individual users to complete transactions that may expose a company to risk.
Entitlement:
An entitlement is a collection of access points, i.e. a grouping of related access points into one named set.
Model: (SOD rule in 722)
An access model specifies access points in business-management applications that conflict with one another, in that together they would enable an individual user to complete risky transactions. If a person has the responsibility to initiate a purchase order as well as the responsibility to approve it, these two access points (responsibilities) can be defined in a model to identify such users and so avoid fraud or misuse.
A model can be evaluated to find the users who hold the access points defined in it. Models can be defined manually or imported from templates provided by Oracle. Oracle usually supplies a set of standard models in the templates; they can be reviewed and only the relevant ones imported.
Control:
A control is defined for a model. It adds details such as the information needed for the control to be run and its incidents to be resolved, a data source to which the control is applied, participants who resolve its incidents, a priority, and more. It also adds an enforcement type to the model (Prevent, Monitor, or Approval Required) that determines what a participant may do about the control's incidents.
An AACG model returns "temporary" results: a snapshot of risk that is replaced each time the model is evaluated. A control returns "permanent" results: records of violations that remain available to be resolved no matter how often the control is run.
Incidents:
Records of control violations are known as "incidents." So that incidents may be resolved, each control must name one or more "participants": GRCC users who are associated with controls either as individuals or as members of participant groups. At least one participant is assigned to address incidents generated by the control; other participants observe the decisions made by those who are entitled to act.
Moreover, each AACG control is assigned one of three “enforcement types” — Prevent, Monitor, or Approval Required.
Filter:
A filter may specify an access point or an entitlement (a set of access points); if so, it identifies users who have been assigned the specified access point, or any access point in the specified entitlement. A conflict exists when a user is selected by a combination of these filters. Combinations are determined by the way you arrange filters in the model.
Condition:
A filter may define a condition, which sets limits on the conflicts a model may identify. Typically, a condition specifies users or other items that are excluded from analysis by the model, or it specifies a type of item and requires that the model return results only when access points conflict within individual instances of that item type.
Global conditions:
A global condition sets limits on the conflicts identified by all access models or controls evaluated on a given data source. Like a condition written for a specific model, a global condition typically specifies users or other items that are excluded from analysis by a model or control, or it specifies a type of item and requires the model or control to return results only when access points conflict within individual instances of that item type.
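As an added illustration (not part of the original post and not Oracle's own code), the toy Python evaluator below mirrors how an access model combines filters over access points and entitlements, and how a model-level condition and a global condition exclude users from the analysis. All user names, responsibilities and the entitlement are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the responsibilities (access points) each user holds.
USER_ACCESS = {
    "alice":    {"PO Initiate", "PO Approve"},
    "bob":      {"PO Initiate", "AP Invoice Entry"},
    "carol":    {"PO Approve", "Supplier Maintenance"},
    "dave":     {"PO Initiate", "Supplier Maintenance"},
    "sysadmin": {"PO Initiate", "PO Approve"},
}

# Entitlement: a named group of related access points (constructed).
ENTITLEMENTS = {"PO Approval": {"PO Approve", "Supplier Maintenance"}}

# Global condition: users excluded from every model run on this data source.
GLOBAL_EXCLUDED_USERS = {"sysadmin"}

@dataclass
class Filter:
    """Selects users holding an access point, or any access point in an entitlement."""
    access_point: Optional[str] = None
    entitlement: Optional[str] = None

    def matches(self, points: set[str]) -> bool:
        if self.entitlement is not None:
            return bool(points & ENTITLEMENTS[self.entitlement])
        return self.access_point in points

@dataclass
class Model:
    """Filters are combined with AND: a user conflicts only if every filter selects them."""
    name: str
    filters: list[Filter]
    excluded_users: set[str] = field(default_factory=set)  # model-level condition

def evaluate(model: Model, access: dict[str, set[str]]) -> list[str]:
    """Temporary result: the users currently selected by all filters, minus exclusions."""
    excluded = model.excluded_users | GLOBAL_EXCLUDED_USERS
    return sorted(user for user, points in access.items()
                  if user not in excluded
                  and all(f.matches(points) for f in model.filters))

# The page's example: initiating a purchase order conflicts with approving it.
PO_SOD = Model("Initiate vs approve purchase order",
               [Filter(access_point="PO Initiate"), Filter(entitlement="PO Approval")])

if __name__ == "__main__":
    print(evaluate(PO_SOD, USER_ACCESS))  # ['alice', 'dave']
```

Re-running `evaluate` after an access change simply replaces the earlier snapshot, which is the "temporary" model result the post contrasts with a control's persistent incidents.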
