Oracle allows some roles to assigned to a User to be delegated to another user without having to go through the approval process.  This would allow an assignment of a role that all organizations would require approval for as part of their ITGCs.  In this video, we will demonstrate how this is done, how to test for its existence, and how to prevent it from happening in your environment.

This is an important topic to keep you out of hot water with your auditors.  If one or more Roles in your system are configured to allow delegation it could easily lead to a control deficiency.  Given these delegations do not show in the audit logs, it could easily lead to a Significant Deficiency related to your User Provisioning process.

Join the discussion on LinkedIn here.

Additional Resources: Lack of Software to Test Access Controls is Systemic and Why It Matters [Part 2]