Delegation of authority
Departments should appoint an appropriate authorised signatory for Oracle access. This is expected to be a senior member of the department, such as the Head of Administration and Finance or a senior finance manager, who is responsible for authorising access requests and monitoring access to Oracle Financials.
Authorised signatories for Oracle access should manage access requests promptly in line with two key principles:
- Access must only be granted to those who need it (and removed as soon as it is no longer needed).
- Access must be limited to the minimum needed to deliver the role, including appropriate approval and journal limits. Enquiry (read-only) access should be used wherever possible; edit access should only be granted where the user needs to carry out transaction activity.
Segregation of duties
All requests for access to Oracle Financials must be authorised by someone other than the user. It is good practice for the authoriser to be senior to the user; divisional teams should approve requests for access for heads of administration and finance (or equivalent) where possible.
It is good practice to embed segregation of duties between the person completing the request form and the person authorising the request.
Adequate review of user access reports or the User Access Dashboard should be undertaken at least quarterly to ensure that all access remains appropriate. Checks should be evidenced and retained.