Be successful with Oracle ERP Cloud – risk-based approach - SafePaaS

Be successful with Oracle ERP Cloud – risk-based approach

Oracle ERP Cloud Security
Next generation risk management for EBS

How to be successful with Oracle ERP Cloud

Join industry veterans Rick Anthony, VP, Evosys and Adil Khan, CEO, SafePaaS as they share valuable insight and stories from the field and discover how to be successful with Oracle ERP Cloud by taking a risk-based approach to access. 

Learn what we are seeing in the market, what makes a project succeed (or fail), challenges organizations are facing, lessons learned and how fine-grained access management solutions can help you be successful both now and in the future. 

On-demand viewing

Join our Thought Leaders

Transcript

Trends in the Market

Rick: It's interesting over the last few years things have definitely changed and the market for Cloud applications has really accelerated. If you look, if you listen to anything that Larry Ellison says in his reports, it's going to continue to grow, and estimates are that it's going to grow from five billion to 20 billion in the marketplace over the next five years. That's a considerable amount of growth and you know, he’s been right most of the time. So, you know we have to prepare for that. But what I've seen is a lot of the on-premise customers, and this is if you looked at his last report and video, he really is putting his money on taking on premise customers. That's PeopleSoft JD Edwards, the business customers to cloud and we're seeing it too we've seen it with a number of customers especially during this period.

You know, when you had the pandemic, we had customers that were on a business that couldn't access, their systems from home, their VPN would not allow them to access. We've had one of the one of the largest travel retailers and manufacturers, they had just gone live with HCM and they said, if it wasn't for Oracle HCM we wouldn't be able to function, we'd have to shut our doors and they were on premise customers.

We're seeing that the E-Business customers JD Edwards customers are looking to move to cloud and they need to do that. There's been a few dates that are out there from Oracle where they needed to either upgrade or look at cloud. What I've seen is those customers that have decided to move are looking for system integrators that can help them move their current E-Business to what it looks like in cloud and understand what that transition is going to be. So, they need to know how much is it going to cost?

How many complications and complexity there will be to it. That's been an issue with a number of customers and I've talked to every business and JDE customers and none of them has said it's going to be an easy move. Every one of them has said. We've got so many customizations we can't move. So, you know, they're looking to understand how complex the move is going to be. I've got stories to tell about customers that we've taken to cloud, where we've been able take our accelerators to show them how they can move to cloud and how complex it is. Most of them have, I mean, when we work with them in doing this assessment, we do it for free. 50% of those customers decide to move to cloud because we clear the smoke. We're able to let them know how they can move to cloud, what their values are going to gain by moving to cloud. So, and I'm not saying this to promote, obviously, Evosys but find a partner. If you're an on-premise customer, find a partner that can show you these values, show you why you should move to cloud and not just that you've got a on premise solution and you've got to upgrade that you have to adhere to. But we're also seeing a lot of customers that are non-oracle customers that need to move to cloud. The reason a lot of them are doing that is, you know, Gartner will get out there in their magic quadrant and show how Oracle is best in class and best in breed, in those particular areas, whether it's ERP, EPM, or HCM. So, they're listening to that, but what they are also finding is it is an enterprise system that continues to grow with you. So, you will find in a lot of these situations, whether non-Oracle, they have never worked with Oracle as an application before, they've heard about it. They've had some experience through third parties, but when they actually see the system and the robustness of it they really see how they can move forward and there are a lot of systems out there. For instance, SAP is one of the few that offers that full scope of enterprise systems. So, it will cover supply chain, EPM, HCM, an ERP. A company like SAP they grew their portfolio through acquisition. So, you've got different data structures in all of those. So, if you needed to upgrade, I was talking to one customer that was on SAP, and, they had it across the board for various workflow processes. They had to do 19 upgrades just to manage ERP, HCM, supply chain, because they all have different data structures. Whereas, Oracle, know when they, when they have acquired systems and built their own, it's still under that same data structure. So, we do upgrade it, it's not going to be an upgrade that across multiple data streams, it's going be an upgrade that is on a quarterly basis that is continuous improvement and included in there. So, that's why we're seeing a lot of customers that aren't on Oracle move to Oracle when they're looking for that one source of truth.

Because they're not having to deal with Excel spreadsheets anymore. They're not having to deal with different data structures. So, when you do that, you have to have a little bit more complex analytic systems that go with that. The other thing I'm seeing a lot of is, you know, we when, as I said, I've been implementing Oracle applications for 25 years and, you know, I always talk about, one of my customers, that, when I was in Europe, it was a five-year project to implement EBS for Expedia Division of Expedia and when the project was defined, they had their ROI. How are they going to get the return from their investment? What is it going to look like? This was a five-year project so they really found it difficult to rationalize what the value was going to be over that five-year period, but they still had to put it in there because they had to put the value realization to upper management, define value realization, and how that was going to be measured.

But about halfway through the project, they lost vision to their ROI and the return on investment, was just getting their lives back. Five years into it, you know, you've got a five-year project, 2.5 into it, they just wanted their lives back.

Because people were doing their day job, as well as implementing. So, you know, all that was thrown out the window. Well, we now have cloud, you can go live in six months, nine months, complex projects, 24 months, OK, for large, global enterprises. So, now, customers are really looking for a measurable return on their investment. What is good going to look like? How do I quantify it, and I think more and more, as this goes forward and people realize you can attain that, I think you're going to see that trend, continue and grow? Oracle has actually responded to that because they have this new product called FAW, which is Fusion Analytics Warehouse, which is specifically for ERP, HCM, and supply chain. And it produces those analytics across those various areas, those pillars, so that you can have a lot of those analytics. And you can build in your own return on investment into that application. I think you're going to see the adoption of FAW quite a bit more.

The other big trend is it's never really gone away, but it seems to be more focused, is the industry specificity. More and more companies, when they are looking at cloud and as SaaS products, you have to follow best practices. You have to understand how those best practices work. A company that is in professional services and a company that is industrial manufacturing, they may not have that same workflow processes. So, they want to find applications that are specific to their industry and work for their industry.

So, we're finding that, we're, it's a lot about change management and understanding that your on-premise solution that you were using previous, is not going to be the same but you're going to adopt best practices. Once you figure out what those best practices are, there may be a few business processes that are specific to your industry, that you may have to write what is called an Extension. An Extension is a customizable business process that's put into a PaaS. That allows the customer to have that industry specificity, if it's needed. What, I tell customers, and I tell people, today who are listening, is fine.

If you're going down that path, and you do have specific industry, specificities, you need, in the products, find an SI, that knows how to understand your business, but also that can write that extension for it. It's not going to be the world of E-Business Suite, where you write 2400 extensions. You don't need to do that anymore. I'm working with customers, and there's maybe 15 or 20 that you have to write and maintain, but they're a lot easier to do than it was previously. So that's what I see as the trends there.

Emma: What about you Adil?

Adil: Yeah, I think Rick covered in detail, so all I can do is echo that. Some of these trends. I will just echo, just verify that where we see the customer is from a control perspective and risk management perspective. They're concerned about when they're talking about their ROI discussion resonates with me coming from a finance experience is that they are asking those tough questions, and they're also there's stakeholders in the organization that we talk to, so, there's the traditional IT stakeholders, they need to understand their role in the Cloud and what controls they need to own in the Cloud. So, even though you're putting everything in the cloud, from an IT general controls perspective as Rick said, your change management controls around those patching.

We work with Evosys and we have some common customers together where change management, you may have Evosys performing your change management on certain things as part of their managed service offering, then there's controls around it that SafePaaS can provide. There's obviously just the security design itself in cloud, with all the cyber threats, the war going on right now. We’re hearing that we should be protecting our businesses better against cyber threats, and so forth. So, those are some of the concerns that come up during the selection process from our customers.

Where we can assist our partners, like Evosys and other customers, is basically, make sure those things are tied down. So, when the decision to go to cloud is presented to management it not only includes this great transformation of your business to essentially get prepared for the modern way of doing business, which is what Rick’s covered really well, but also from a control perspective - you don't lose any controls because you know that's what CFOs lose their sleep over, so we cover that side of it and that's what we specialize in.

That's basically my controls perspective on how customers are selecting. We have a number of customers that were EBS and moved to cloud. Then they had some challenges of the cloud. (And we'll talk about that in a minute) and they had reverted back to EBS while those controls and challenges were addressed. So, obviously, you can learn from experts like Rick today, and not have those challenges, and I'll let him talk more about that. But, that's where we can help, you know, if you are running into challenges, like designing your security and roles, making sure your IT and your audit,

IT controllers, and audit and finance people are comfortable with the statements that are coming out of your Cloud application to make sure there's controls across change management, like configuration changes, master data changes, as well as access and security to design correctly. That's where we're assisting cloud customers with partnerships with folks like Rick.

So, Rick, if you want to take this to the next level.

Rick: Just a comment on that Adil. We find customers who want to look at risks and controls after. We try to push them in the beginning. Start that we're building a global design. When you're building designed to have those considerations in place. And I know sometimes this obviously impacts the commercials but it has to be looked at, it really should be because that is best practices. Because after the fact, like you said, Adil you've bought into it and you realize there are certain limitations on the control and maybe you have to revert back, and that's not the right way to do things. So, I really do push our customers to look at that risk controls in the very beginning.

On the subject of what makes transformation successful. So, you know, I used to give global talks on how implementations fail and why and I gave those talks and it wasn't to disparage Oracle or the application. It is really to focus on best practices, how you make them successful. And I've listed a few here on why transformations should be made, but how you make them successful. So, the first I always look at is the business case building the business case. Because what's going to transpire is you're going to be trying to fix something that isn't broken. So, you've got a E- Business system, you've got a JD Edwards. Sometimes they are broken. They need to be fixed because of growth, but oftentimes the user experience, they don't see that. So, you need to build a business case of why do you really need to do it?

When I engage with my customers, I try and talk them out of an implementation, so that they can understand what it is that is really going to happen during this whole process. What I find in doing so, they then justify internally why they need to change. So, building that business case. Is it functionality you're going get? Is it a faster, close process? Is it better alignment to the industry? How do you track your inventory? All those areas are building, that business case, so that you've got that one source of the truth. That's where you come back to, that ROI discussion. You'll hear me say that again a couple of times during this, because that's where you start building the ROI. Why should you do this? Because when you look at some customers, they just may want parity from their E Business to cloud. When they shouldn't look at it that way, they should look at what additional functionality are they going to get.

One of the things that we do when we look at those customers, we have a process in which we look their current state, measured against what the future state is going to be. And then show the added functionality and business processes they're going to gain by moving the cloud.

So, we help customers to build that business case and we go through that process and then identify KPIs that will allow them to measure that success.

So that's where I go to the second point. How are you going to measure the successes? You’re a manufacturing company and you want to be able to make sure your POs, your purchase orders and your procurement is following adherence to guidelines. I was talking to a company in Canada. It was a three-billion-dollar company that did all their procurement through PDFs, filling out a PDF form and turning that in. Looking at moving to cloud they were by consolidation on a global basis. That alone paid for it.

That alone paid for their, the savings they would earn from just having an integrated procurement process. I mean, that's a simple example.

How your industry and what sort of things that you need to do that you're in that your current application, you need best of breed practices. I've done this, and I'll talk about it a little bit more. Research it. Don't just look at what I said parity before but look at all those other best of breed applications you have and you're currently using and look at what your new software is going to be. I mean, I had one company keep talking through this because I didn't have a lot of experience in these areas. They were spending two million a year in software licenses across the board that included Microsoft, that included best of breed, various licenses across the board, including HCM in supply chain. When they moved to Oracle Cloud, they were able to consolidate all those applications into one enterprise system and the actual annual spend for them for those same applications was $350,000. Significant savings for them. To make it successful, don't look at parity. Look at what you have as a whole and consolidate those applications, and I'm doing that more and more with our customers now.

I asked for an architectural diagram and I start picking things out that Oracle can do, they didn't think about, they didn't know, and all of a sudden, we’re building that business case again.

Another key area is, is buy in from the top. I can say handover heart, one of the top five reasons why implementations fail. I give these talks, but over the last three years Evosys has been brought into over 60 rescue projects, 60 rescue projects, and in more than half reasons why they initially failed were executive buy in. They thought this was just an IT implementation. It was just IT, we had to level set when we engaged on those customers to say with the CFO, the COO and the CTO is you. It starts at the top: You need to buy into this whole process, otherwise it won't be successful because, again, your people that are actually going to be doing the hands-on work on their side - your resources have a day job. So, you're going to be asking them to work, not just eight hours a day anymore. You're asking them to work in certain periods during the implementation, 12 hours, a day, or more. So, if they see leadership is bought in, and that they're listening, then you're going to get that buy in as well that feeds into the rank and file. But also, the buy in has to be on that on those measurements of successes from the executive team, as well. Because every implementation is going to have a rough patch or two.  But if you have a ROI and a KPI that you know that's going to improve your business, instead of throwing in the towel, you continue on. And as long as they have that focus, they know that they're in good hands. I tell customers in the very beginning, in the kickoff, we will have a few bumps in the road guarantee that but we stay course.

 I've just had a recent go live, where in the beginning it was bumpy. At the end, they're now a happy referenceable customer for Oracle and Evosys.

Recognizing key requirements. Again, going back to those KPIs, what's going to be important to your understanding. Can the product achieve those key requirements? Whether it be industry, or whether it be just best practices? Understanding what the limitations are, because the way you did think, because in the past are going to be different from any new system, you go to, unless you rewrite it yourself, and nobody's going to do that because it's too expensive, and too costly to maintain.

So, understanding of those key requirements and understanding change management, and, Adil will talk a bit more about that change management understanding in achieving those key requirements.

The last point is go live. Post, go live, sorry. When you purchase a SaaS system, and especially Oracle, you've purchased a product that continues to develop and innovate. So, what you knew of your product two years ago for supply chain or three years ago, is not the same product today. On an on premise, you will get here upgrades and enhancements every five years, every six years. And it was significant effort of work to upgrade and get those enhancements. With Oracle it develops and it's kicked out every quarter, these new enhancements. So, having a system where you feel it's successful in the go live, that's just the halfway point of having a system that you're going to grow with, because there are going to be enhancements that come out and that's why our managed services is called Application Enhancement Services, because we help you through that whole process post, go live. So, all these new enhancements that are coming out, because with Oracle you can hold back on a couple of these enhancements on these quarterly releases for two periods, that's two quarters, but then they push it out. They force it out. So, you need to have a plan for post go live, and that managed service. Otherwise. one, you're not going to take advantage of the cloud that you bought and the additional functionality that they're pushing out during these quarterly releases. But you're going to have screens change on you, and the users are not going to be understanding what those changes to those screens are. I mean that's where you can have the choice of saying, you know what? We don't accept that and you change the configuration. But it's that it's that forward thinking on post go live.

So those are my points for a cloud transformation, how to make it successful. I don't know if you have any additional input Adil.

Adil: That's a very valuable experience being in the trenches and doing this for many customers. It's impressive to hear there's 60 plus companies that you've even done rescue projects not to mention, the number you've done across the board, across the globe on other areas.

So, from a SafePaaS perspective, is usually we get a platform burning call. Somebody is in UAT and their auditors have failed their controls in cloud implementation and now there burning some amount of money depending who they're using. So, now there are basically clocks running and they have to get these controls right. That's unfortunate, because when those calls come in, we certainly do all of those things and help the customers. But, when partners like Rick involved on their proactive and there, because we said they already design this controls track into their workshops, the world is a much better place, and that's what success looks like to us when we work with partners and customers that really think about controls, and frankly, the top management does want controls in place because their top management job depends on signing financial statements. So, clearly buy in is not our challenge from a control perspective. In fact, it helps the IT projects become more successful if you talk about controls with senior management because that's one of the key reasons why, the key drivers for them to select a new platform.

I'll give you just a few examples of what makes that successful, so when we do start project on the right foot with a partner, like Evosys what we find is that, during those workshops that are being discussed to make the business more agile, more successful in the cloud world, the transformation discussions that are happening, during work streams. In fact, those discussions are also creating this knowledge for us to build out the controls.

For example, Rick mentioned the purchase order example, which is an area very close to me, because we see our customers, one of our customers in Chicago has 70 some procure to pay controls. We did a ton of controls, you think about it, because most companies, our marketing industry surveys have shown a total of 200 controls for the enterprise, even very complex enterprises. This organization has over 120 business units around the world. Anyways, they have 70 some controls in place. So, any kind of change to that environment would need to make sure that those controls are actively working when they move the procure to pay cycle. So, think about a cloud implementation of your procure to pay cycle.  You're implementing - your management expects the same controls to be in place. So, let's pick a few examples here of a control that says that you don't pay duplicate invoices. Very obvious, you'll want to make sure that the people that approve the purchase orders have the right authority in the system. They have the right custom roles assigned to them, and they cannot for example, create their own invoices and pay those invoices. We call that segregation of duties. There are restrictions around access, and if you're working in certain markets, so you do business in certain markets, maybe there's no data provision that applies to you and your regulatory guideline, CCPA, GDPR in Europe. Data protection is becoming really the good way of doing business, so, least amount of data need to know. So, your master data, like customer credit, employee, national IDs, your customer, your supplier’s bank accounts. If they require additional data security, cloud offers that capability, but being able to design that upfront saves you a significant amount of time, and not have to do that burning platform call to SafePaaS at the 11th hour, when your management is spending through a lot of money, trying to go live, and now, you miss your go live date.

To avoid those risks, we recommend that as you're going through these work streams, and the customers that are successful with cloud, from an audit perspective, and ultimately from a controls streamlining perspective. Because, remember, controls are good business controls, is basically reducing the risk that can keep you from achieving your objectives. When you think about ROI, controls are the key part of that ROI because they are the evidence that you will achieve those ROI. It's a, pretty simple for me to say that. But, sometimes, it gets muddled up in the IT discussions. The reason controls are so important is because if you've put together an ROI platform, and you're saying that, this is our procure to pay process and we want to achieve this as Rick mentioned a significant saving in our procure to pay process by streamlining that process, going from those PDF purchase orders to a workflow enabled online digital system, which is modern. We will save a ton of money, but during that process, you also want to make sure those a three-way match controls still works, whether it's on paper and PDF, or in system. The reason you need that control is because if that control fails, you are bleeding money to the bottom line. You're wasting company's resources.

Your financial forecast will be off and will you report the market incorrect numbers that would result in an impact on your stock price, let's say, or maybe heads will roll at the top because you missed your estimates. So, it can be very painful for companies to deal with control failures.

And controls have to be embedded in the beginning, and it's really easy and low cost, because you're already producing the information that a control’s partner like ourselves, will need to then embed those controls like the three-way match, the control around data access, around segregation of duty policies, around fraud risks. Whatever those risks you have today your auditors are testing those.  But if they're not part of that conversation, they show up 24 months late, and then they say, well, where are my controls? Because I can't run this business, and I can't report financial results to the market, that's when challenges start to come up and it gets very costly because now, you're doing things manually to control everything, and you're providing evidence of what controls are effective. An auditor calls this substansive testing and that's usually a 20 X cost, an audit increase.  20-fold increase in costs, because now they have to bring an army of auditors to tell basically, they don't trust your system. So, that after trying to have to take every transaction and record it into a spreadsheet and compare and reconcile that with the financial statement, and if you want to avoid that, the best thing is to get those controls. And if there's any lesson that I can leave you with, is to include your control design as part of your design workshops. Analyze your current controls and make sure you can reconcile them with future controls. That's the best way to get success in your cloud transformation. And that's how the ROI will be attained because your controls will drive to that ROI.

Emma: We've touched on the challenges a little bit. You want to dive into them in a bit more detail, Rick?

Rick: Yeah, I think I've talked through some of these, talked to the IT driven project, versus a business transformation. We talked about that, and that's where I've seen a number of challenges. I had to go live with a well-named skin treatment company, where they, it was an IT driven project, and, upon go live, the business had considerable issues, because there were a lot of considerations that weren't made. It's all fixable. It's all being done, but it would have been a lot easier transition moving them from one system to the next if the business was included through the whole process.

So, I always, because this is ERP and HCM, and supply chain, you definitely need the business involved. It doesn't matter if it's a small project, or a big project.

Understanding the impact of the business. Again, you have to understand, this is going to be a disruption to the business. You've got to continue to hit your quarterly goals as a business and your sales, and continue to drive forward. So, understanding that one is, this isn't going to be invasive and through the whole process, there's going to be demands on the teams. But they have to make themselves available when during those critical areas like design phase, like the testing - those are areas where we need the user engagement and the business leaders involved. So, they need to understand during that implementation there's going to be a requirement. What happens if you don't do that is the project gets lengthened. Your go live starts to stretch, because we can't get sign offs on design and such. So, and that has a commercial impact. That, obviously has a commercial impact. While it's a challenge, it doesn't mean it's going to fail, but it is a challenge, and that people need to be aware of that.

We talked a little bit about parity, we've talked about where that parity needs to be. It's not just the parity from your current system – it’s looking at your complete design, your application footprint, and seeing where you can actually gain some benefit by having one enterprise.

One thing I really didn't talk about is global design. When we take on a customer, a global customer, we handle it very differently. We have a global design phase, which is really important to understand all the localization. I can tell you stories of a of a multi-billion-dollar company that was based out of Europe and they rolled out to the US. They didn't have an understanding of the localizations. We were brought in to fix that, because they didn't have a good understanding of all those localizations globally and how their business processes are done in those specific countries. So, it's really, make sure, it's really important that you have that global design phase, and make sure that your SI is aware of that.

I talked about the enhancements that we have for, on a quarterly basis that are happening out there, and you have to be able to commit to those enhancements, and talk through what is today and then, what, how are you going to manage the business in the future with these additional enhancements. They come out, they give you, Oracle gives you a preview of those enhancements. At least a couple of quarters in advance, so you can have that understanding, and you can take advantage of it. But I always say, make sure you have a partner, or it's not just strictly support, where you just have a bundle of hours that you pulled out. Those are the old days of on premise. You really need to have a partner like Evosys that understands that these quarterly releases, they may break some of these integrations or some of these extensions, and you'll be able to work on that. As well as all these other enhancements and features you'll be receiving.

Solutions

Adil: From a control’s perspective one of the first questions that comes up is how do we design our roles, so that they comply with our existing policies, or maybe revised and new policies. So, when you think about, I'll get a little tactical now, so we've covered all the big picture stuff. So, when you think about your roles that you need to run your business, there are 2 or 3 approaches we're seeing from our customers. One is to throw away everything you've done, and we're going to start from scratch, we’re going to do new workshops and really think about job roles in this new world.  The world has changed the last two years, and supply chain has changed, and we're going to find a new way. Those customers are typically designing roles in conjunction with workshops with their partners, and their functional users, and partners like us, to, let's say, what does a finance user need? They need the ability to post journal entries, do inquiry on payments that have come from a sub leger accounts payable. They want to be able to look at fixed assets to see how the depreciation would work. So, let's say that's a role, and then they want to be able to do that in Germany, or France, or US. So, that's the data segmentation within that group. So, those are the kind of questions we get. What SafePaaS provides you is the ability to design that role within SafePaaS. We call it Enterprise Roles Manager. But that, that's kind of a very basic question that comes up. It's incredible, how much time customers are spending doing this all manually. You can do it all manually. The challenge doing it is that, number one, it's not easily replicated. So, as you have your SDLC process, where you go from a lower instance, to a higher instance into UAT., you want to ensure that all those privileges that make up the role, all those data security groups, all those duty roles for example, they all transform and you don't miss a single privilege or a permission. Because, if that happens, then, basically, again, you've lost all that investment you've made and it's a very manual process. So SafePaaS came to the market, with role design capabilities where you can simulate that, you can extract that and even for some customers, you can upload that, depending on your version of cloud you're on, and so forth. So, that's a big advantage. It's also an accelerator for partners, Sometimes, two months or more is spent on just role design, that's a significant chunk of the project time. So, you want to be able to move at a faster pace that cloud dictates. Being able to do that in two weeks or in some cases, less than that to an automated solution. So that's one category of customers that are starting.

The other category of customers that we're seeing is customers that are basically lifting and shifting. Even though the cloud is transformation, they’re saying, we already have these responsibilities in E-Business Suite, for example, already blessed. We, and you guys are already testing that for us through SafePaaS, we just want to take this GL manager responsibility and turn that into a GL Manager role. Obviously, it's apples to oranges because security models are different but in fact, the permissions or privileges are similar to functions or menus in in E-Business Suite. So, we also can provide some assistance to our customers through a network of our partners and our own service team, where we can help you do that lift and shift from responsibilities to roles.

It is somewhat manual, but because we have these tools, you can take the responsibility information from an ERP system like E-Business Suite and match that to the closely we're using our Roles Manager for EBS and point it to Roles Manager for cloud ERP and do that comparison. You'll still have to go through some variance analysis. I'm not saying it's kind of point and click, but it's a significant saving again. But the benefits are now that your roles are in the Cloud, and the permissions match up with the functions and capabilities, or activities that we call it in SafePaaS - your activities haven't changed. So, if you could perform the ability to post a Journal entry and only view an invoice because that was a segregation issue, now, you still have that same activity. So, because we have the concept of activities some people call it entitlement in the IDM world or ID Governance world. So, entitlement or activity remains the same. It's just that the composite of that activity is now based on privileges, permissions, and duties versus Functions, Menus, and Profile options let's say.

So, once you've got the solution design done, the one thing that I can't see here is around the configurations, because one of the things that Rick said that's very valuable is that, you know, they've got a service that not only helps you go live and be successful, but because, through these enhancements and other things that are coming in, you want to make that sustainable. You want to remain current with the latest trends and innovation that makes your business more productive and agile. So, to do that, you need to have configurations that are possibly changed from time to time, quarter to quarter. So, you have these additional controls that are emerging, that are becoming really important for our customers that are on a quarterly basis there, as part of their financial close they also look at the configurations that are really the controls inside the process. So, I mentioned three-way match as the most obvious example, this, the credit limits for customers. It's the vendor setup process suppliers. Third parties in general are under big scrutiny right now, supply chain issues, so those types of controls are what your management is relying on to make sure that the financial statements that ultimately come out of the cloud, and the reports that the Chief Operating Officer needs to operate the business are all accurate, timely, a single source of truth to use a term that Rick used earlier.

For those cases, you also want to be able to monitor the changes within the process, whether it's the configuration, or the master data, or transaction. So, the flip side of this is not only do you have good design in your controls, which we talked about as an example, your role design, but also that good design is operating effectively in terms of your processes. So, there are no duplicate payments being made, we’re preventing those. Configuration on approval hierarchies aren't being changed. A three-way match control is sacred and safe. AP terms are accurate and timely. Your supplier bank accounts are correct and not changed by people that shouldn't change them. They don't look like your employee bank accounts. For example, those are some examples of controls that I call process controls. So, there's the access control, then there's a process control. Those process controls can also be embedded into your cloud. Most likely are, but the monitoring of those controls become a burden on the customers. Obviously if you’re doing that by bunch of people, watching screen shots, and doing that manually, it can become very costly. So, what we offer is the same solution you have had for many years for, our on-premise customers, basically, monitoring those configuration, and transaction, and basically everything that impacts that process, the output of a process, to monitor all that so you can sleep better at night, your CFO can sign off the financial statements, without any risk, because they know that the controls haven't shifted, the configuration haven't changed. Wrong people don't have access to too much information to say, do the wrong things in the system. That's the continuous monitoring aspect of SafePaaS, that our customers are adopting very quickly in the Cloud, because of the nature of the reason they're transforming their business and making that sustainable, So, that's the second side of that story.

Rick: I think again, customers really need to look at that in the beginning, during that design phase, because sometimes it's when the auditors, as Adil said when the auditors are in halfway through. Then there’s panic and things become costlier because the project is paused while they look for the solution. So absolutely, as part of that whole design phase.

Q&A

Emma: How do you deal with customers who from a finance process perspective would like to move to the cloud but from an IT perspective have customized their legacy and ERP applications so much that they have an unhealthy dependency on developers contractors and Oracle support which is not only time consuming, but very costly?

Rick: I've dealt with that as I've got a case study. The IT, the Global Head of Applications said, “we have got way too many applications. I've got a team of 50. We can't do it,” but the CIO said, “You know what, there's too much dependency. Should that person that's running that director, and God forbid a bus hits him, there was no documentation, there was no allotment of information. So, he understood the risk involved, and we're talking about risk today. I think what you'd have to do with the finance department is bring in Evosys. We do it for free. We'll have that assessment, will understand what their systems currently are. It’s non-invasive. We'll show them what it will look like in cloud, how long it will take, the complexity of it, but also a ballpark figure on cost.

We can do this and it's really easy to do. That's why, actually, businesses are the people that often drive it.

Adil: You're making into your customers and why your customers are successful, because, you know, I know for a fact that other companies that do cloud don't offer that for free. So, I think that certainly shows your commitment to the customer. That's admirable.

Does SafePaaS provide risk governance and SOX audit, and how does it work?

Adil: SafePaaS is an audit platform. In fact, when customers our customers that have implemented SafePaaS, refer to it, as well as their audit platform, which is music to our ears. So, yes, it absolutely has audit standards.  Audit firms use SafePaaS to perform audits as part of their engagement with the customer, or even in some cases, directly with SafePaaS to perform audits. It's built around the audit principles, that's where our founders including myself, we come from that background. So yeah, it is an audit system. Basically, just give you an example, so we talked about roles quite a bit and that's one of the first things that we see as a symptom of the bigger audit issue.

So, role design, we talked about that. So, one of the things your auditors will ask you for is a segregation of duty report on all your roles, even before the assignments are made.

You'll be able to pull out a report in SafePaaS that shows you all the customizations you have done to the rules, privileges even inherited privileges. That's something we do very uniquely, qualified to do. That I understand that not everybody can offer you that.

So, inherited role may have privileges that are inherited that basically expose the process to the user, to more process capabilities than the policy dictates. So, you'll be able to see all those policies and report them and hopefully remediate them within SafePaaS using a simulation capability and auditors will simply look for the evidence of that as opposed to auditing everything from themselves which can run into weeks, if not months, and tens of thousands of dollars of time, just on that one specific audit. So that's a popup report. I have a customer Chicago working with right now. That's exactly what the external auditors have asked. They were able to get that report within a week.

We set up 50 some rules in their policies, SoD policies, sensitive access policies.

We connected to the cloud ERP, which we have APIs for. Oracle provides those, we extract the snapshot. We run the analysis and review the results with them, all that integration, analysis, output is all done through basically a hyper automated application platform we have built for audit. We can easily do that very quickly. Whenever we get the rescue project, that's what we do to understand what's happening.

One of our key challenges is around Managing Research Finance, which is not currently part of Oracle Cloud and also, we have a very highly customized on prem EBS system. So how best do you manage the move away from customizations and get the business to align with more standard processes?

Rick: Go to Evosys.com and look up Glide Program. One of our customers had 2100 customizations. And again, the person that managed that application, said, “We can't move to cloud.” We did an examination, and said, “OK, of your 2100 customizations, you haven't used over half in the last five years. So now we're down to about 1100.

Then we did a further examination through that assessment process, and said, “OK, what we've realized is you use best practices in about 70% of these customizations. So that is now inherent in the Oracle Cloud product. So now we're down to about 300 customizations. Then we worked with change management. Then we saw that these additional 120 or so, actually, no more than that, came out and now there's only 80 customizations. Out of those 2100, there's 80 customizations that have to be developed for them. Then a bulk of those were for one specific business process that we develop an extension for that addressed more than 50% of those customizations. So now, we're really down to a very manageable chunk of customizations. So that's addressing how that happens, and we go through that process with you. Now, your point about ‘Research’ is very valid. Now, we've done this with a number of other companies that had certain processes that an application addressed that Oracle didn't have. I'll give a perfect example. I've got two actually, one for subcontractor management within the construction industry. Oracle does not do that. We wrote an application, it's basically an extension to address just that. E-business has a property management module cloud does not. We wrote, we actually wrote the mir of that in an extension application in Oracle PaaS and it's been deployed at about 15, 20 customers. So, if your application, the research application is not too complex, let's take a look at it, let’s see what it is, but we take those challenges on, and because we're an Oracle only company, we've got probably some of the best developers out there in developing these extensions and business processes.

Our Speakers

rick anthony

VP Evosys

Rick Anthony is VP at Evosys, with over 24 years of experience in implementing Oracle applications globally. Rick has built, trained, and managed successful sales and marketing teams for global System Integrators for 15 years. 

Adil Khan

adil khan

CEO SafePaaS

CEO at SafePaaS with over 25 years of experience in enterprise business systems. Adil serves on the board of the Oracle Applications Users Group (OATUG) GRC SIG. He has delivered over 75 presentations on access management trends, best practices, and case studies at many industry conferences.