Moving to Oracle ERP Cloud?
Take a risk-based approach to ensure success
The pandemic has changed the way organizations do business, and as a result, the market for Cloud applications has accelerated. In recent reports, Oracle’s Larry Ellison stated that Cloud will continue to grow, and he estimates growth from five billion to twenty billion over the next five years. Ellison also predicts that many on-premise customers using Oracle E-Business Suite, PeopleSoft, and JD Edwards will move to the Cloud, as will non-Oracle customers.
Systems Integrators play a big role in helping organizations understand what a transition to the cloud will actually look like, and most customers understand that moving to the Cloud will be complex and challenging. Still, the benefits of moving to the cloud far outweigh on-premise options.
The benefits of Oracle ERP Cloud include but are not limited to:
A robust system capable of growing and adapting with the organization
Scalable in both features and users
Faster time to value - faster deployments, shorter time to value, and less risk
Lower maintenance costs
Continuous automatic upgrades
Easy accessibility = increased productivity
In today’s competitive business landscape, customers are looking for a measurable return on their investment. And that translates into customers looking for solutions that can be tailored to their needs and offer increased security measures. The following are a few trends seen in the market.
It’s recommended to follow best practices when looking at Cloud and SaaS products and understand how those best practices work. For example, a company that is in the professional services industry will have different workflow processes from a company in industrial manufacturing. Organizations should find applications specific to their industry as opposed to trying to make a system fit.
Understanding Roles in Cloud Projects
Traditional IT stakeholders need to understand their role in moving to the Cloud and what controls are needed; even though everything is moved to the Cloud, change management controls need fixing from an IT general controls perspective.
Customers are also concerned about security design in Cloud. Businesses want to be protected against cyber threats. When moving to the cloud, organizations need to ensure there are controls across change management, such as configuration changes, master data changes, access, and security. To avoid control gaps, the recommendation is to address risks and controls before moving to the Cloud.
How to define a successful implementation
A successful transformation focuses on best practices. A major element in a successful implementation is to look at your reasons for moving to Cloud and build your unique business case. For example:
Do you need more functionality?
Faster close process?
Better alignment to the industry?
Answering these questions will provide you with a starting place in building your business case for moving to the cloud. Once you have established why moving to the Cloud will benefit your organization, you should consider how you will measure success. Documenting your measures of success can also help your organization keep its eye on the prize when experiencing issues during the implementation. Measures of success might include the following:
Identify value and benefits that can be measured in KPIs from the project
Align the agreed KPIs with implementation objectives
Post-go-live - Cloud Deployment Success Assessment
Tie in partner success commercially with the benefit realization
Understanding key requirements and understanding change management will be critical to success, as well as understanding what happens post-go-live, i.e., quarterly upgrades and enhancements.
How to define a successful implementation from a controls perspective
Implementations fail when auditors fail controls in a cloud implementation. Organizations must be proactive regarding risk management and have well-designed controls in place.
Throughout a cloud implementation, organizations should ensure they maintain controls. For example, ensure that the people who approve purchase orders have the proper authority in the system and the right custom roles assigned to them. They should not also be able to create and pay invoices, which would create a segregation of duties conflict. Designing security upfront saves a significant amount of time.
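The segregation of duties check described above, as an added example (not part of the original article, and not SafePaaS or Oracle code): it expands each user's roles through a role hierarchy into effective privileges and flags anyone holding both sides of a conflicting pair. All role names, privilege names, users and rules are constructed for illustration.

```python
# All names below are constructed for illustration.
ROLE_PRIVILEGES = {  # role -> privileges granted directly
    "PO_APPROVER_CUSTOM": {"APPROVE_PURCHASE_ORDER"},
    "AP_INVOICE_ENTRY_DUTY": {"CREATE_INVOICE"},
    "AP_PAYMENT_DUTY": {"PAY_INVOICE"},
    "AP_SUPERVISOR_CUSTOM": set(),
}
ROLE_CHILDREN = {  # role -> roles it inherits
    "AP_SUPERVISOR_CUSTOM": {"AP_INVOICE_ENTRY_DUTY", "AP_PAYMENT_DUTY"},
}
USER_ROLES = {
    "alice": {"PO_APPROVER_CUSTOM"},
    "bob": {"AP_SUPERVISOR_CUSTOM"},
    "carol": {"PO_APPROVER_CUSTOM", "AP_INVOICE_ENTRY_DUTY"},
    "dave": {"AP_INVOICE_ENTRY_DUTY"},
}
SOD_RULES = [  # privilege pairs one user must not hold together
    ("APPROVE_PURCHASE_ORDER", "CREATE_INVOICE"),
    ("APPROVE_PURCHASE_ORDER", "PAY_INVOICE"),
    ("CREATE_INVOICE", "PAY_INVOICE"),
]

def effective_privileges(role, seen=None):
    """Map each privilege reachable from `role` to the role that grants it."""
    seen = set() if seen is None else seen
    if role in seen:  # tolerate a cyclic hierarchy
        return {}
    seen.add(role)
    grants = {p: role for p in ROLE_PRIVILEGES.get(role, ())}
    for child in sorted(ROLE_CHILDREN.get(role, ())):
        for priv, source in effective_privileges(child, seen).items():
            grants.setdefault(priv, source)
    return grants

def sod_conflicts(user_roles=USER_ROLES, rules=SOD_RULES):
    """Return (user, priv_a, role_a, priv_b, role_b) for every violated rule."""
    findings = []
    for user in sorted(user_roles):
        grants = {}
        for role in sorted(user_roles[user]):
            for priv, source in effective_privileges(role).items():
                grants.setdefault(priv, source)
        findings += [(user, a, grants[a], b, grants[b])
                     for a, b in rules if a in grants and b in grants]
    return findings

if __name__ == "__main__":
    for finding in sod_conflicts():
        print(finding)
```

In this sample, bob holds a single assigned role, yet it conflicts through the two duty roles it inherits, which is why the check works on effective privileges rather than on assigned role names.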
To avoid these risks, we recommend carefully going through your work streams to ensure that controls are addressed during implementation. Good business controls reduce the risk that keeps organizations from achieving objectives. Controls are the evidence that demonstrates ROI.
Having controls is not enough; they must be operating effectively. Control failures can be very painful.
Embedding controls at the beginning of a project is the recommended approach to any ERP upgrade or implementation. Embedding controls upfront is an easy and low-cost process. Once your controls are documented, a controls partner like SafePaaS can embed those controls, like your segregation of duties policies. Your auditors test your risks annually, but if your controls are not part of the pre-implementation conversation, they may get left out. At that point, things get very costly because you will need to perform your controls manually to correct the initial oversight. Providing evidence of adequate controls during the manual process is called substantive testing. Substantive testing is an audit technique that examines financial statements and supporting documentation to see if they contain errors. Typically, there is a 20-fold increase in audit costs associated with substantive testing.
An IT-driven project versus a business transformation creates several challenges. IT and business should be aligned for the best results. Implementations affect not only IT but ERP, HCM, and the supply chain. Therefore, it’s critical all parties involved understand the impact of the project on the business.
Organizations must also understand that the implementation process is invasive, and there will be demands on teams throughout the whole process. All parties must understand that there will be a requirement during implementation, and projects get delayed if things go wrong.
From a controls perspective, one of the first questions is: how do we design our roles to comply with existing, revised and new policies? Customers typically design roles in workshops with their implementation partners, functional users, and controls partners like SafePaaS to understand what privileges a user needs. For example, consider a finance user. Do they need the ability to post journal entries and inquire about payments from sub-ledger accounts payable? Do they need to be able to look at fixed assets to see how depreciation would work? Suppose then they want to be able to do that in Germany, France, or the US. All these responsibilities require data segmentation within that group. SafePaaS allows you to design the role within SafePaaS to have a global repository for role design.
Roles and data segments can be created manually. However, the challenge is that it's not easily replicated. As your SDLC process takes you from a lower instance to a higher instance and into UAT, you want to ensure your privileges, data security groups, duties, and roles also transform. If any permissions are lost, investment is lost.
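One way to check that nothing was lost or silently added when roles are promoted between instances, as an added example (not part of the original article, and not SafePaaS or Oracle code). The role exports, role names, privilege names and the `promotion_drift` helper are constructed for illustration; the finance role mirrors the journal, payment inquiry, fixed asset and Germany/France/US example above.

```python
# Constructed role exports from a lower (DEV) and a higher (UAT) instance.
DEV = {
    "GL_ACCOUNTANT_CUSTOM": {
        "privileges": {"POST_JOURNAL", "INQUIRE_AP_PAYMENTS", "VIEW_FIXED_ASSETS"},
        "data_segments": {"DE", "FR", "US"},
    },
    "AP_CLERK_CUSTOM": {
        "privileges": {"CREATE_INVOICE"},
        "data_segments": {"US"},
    },
}
UAT = {
    "GL_ACCOUNTANT_CUSTOM": {
        "privileges": {"POST_JOURNAL", "INQUIRE_AP_PAYMENTS", "PAY_INVOICE"},
        "data_segments": {"DE", "US"},
    },
}

def promotion_drift(lower, higher):
    """Compare role definitions and report what changed on the way up.

    Lost entries mean users cannot do their job in the higher instance;
    gained entries mean access that was never designed or reviewed.
    """
    report = {}
    for role in sorted(set(lower) | set(higher)):
        src, dst = lower.get(role), higher.get(role)
        if dst is None:
            report[role] = {"status": "missing_in_target"}
            continue
        if src is None:
            report[role] = {"status": "unexpected_in_target"}
            continue
        delta = {}
        for field in ("privileges", "data_segments"):
            lost = sorted(src[field] - dst[field])
            gained = sorted(dst[field] - src[field])
            if lost:
                delta[f"lost_{field}"] = lost
            if gained:
                delta[f"gained_{field}"] = gained
        if delta:
            report[role] = {"status": "drifted", **delta}
    return report

if __name__ == "__main__":
    for role, finding in promotion_drift(DEV, UAT).items():
        print(role, finding)
```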
SafePaaS role design capabilities can simulate, extract, and upload role and privilege data. Role design is a time-consuming process - using an automated solution allows organizations to reduce time spent on design.
Once the design has been completed, you should have a service partner to help you go live and be successful. However, you want to make that sustainable through these enhancements and other things coming in. You want to remain current with the latest trends and innovations, making your business more productive and agile. As part of the financial close, you also need to look at the configurations, which are the controls inside your process. An example is a three-way match on credit limits: the vendor and supplier setup process. Management relies on controls to ensure that financial statements and reports that come out of the Cloud are accurate, timely, and a single source of truth.
You also want to monitor the changes within your processes, whether configuration, the master data, or transactions. The flip side is that you need not only good controls and role design, but also assurance that the good design is operating effectively in your processes. Good design means no duplicate payments are made, and configuration on approval hierarchies isn't being changed.
A three-way match control is sacred and safe. A three-way match control means that your AP terms are accurate and timely. Your supplier bank accounts are correct; the wrong people can't change them. These accounts don't look like your employee bank accounts. Those controls are called process controls. There's access control and process control. Process controls can also be embedded into your Cloud. They most likely are, but monitoring those controls burdens a customer.
Preparing a plan that considers all elements of your organization and its unique controls when moving to the Cloud will be time well spent. It will pay dividends in the form of greater adoption and acceptance rates of the change within your organization.
Role design in Oracle ERP Cloud
Many businesses have made the decision to move to Oracle ERP Cloud. However, what many don’t realize is the huge effort and know-how needed to not only design but deploy well-designed, effective roles. There is a misconception that seeded roles have been designed with security and compliance considered. Unfortunately, this is not the case.
Risk Management in Cloud Transformation
Cloud transformations come with obvious benefits. Instead of buying, downloading, and maintaining software on-premises, you can connect to a third-party's application through the internet. But the rewards of cloud transformation come with equal risk and require a methodical approach to reviewing processes and policies that will secure the new ERP cloud environment.
Secure Oracle ERP Cloud with effective access controls
Take a proactive approach to access controls, data security policies and in particular, segregation of duties to restrict privileged access in Oracle ERP Cloud.