Periodic Access Review Oracle ERP Cloud and HCM

Periodic Access Review Oracle ERP Cloud

Periodic access review of users' privileges is a key control for publicly listed businesses that must comply with Sarbanes Oxley section 404. However, this process creates a tremendous burden to collect user access data, then send out error-prone spreadsheets waiting for replies from control managers and process owners.

Auditors are increasingly demanding complete, accurate, and timely user access certification, a key control for financial risk and compliance management. It’s critical to have complete confidence that the access granted to users is limited to job roles and that privileges granted to the business applications are approved and periodically certified by authorized management.

Where your organization is using Oracle Fusion Cloud to support its ERP or HCM processes, you likely have many different reviewers for Roles owned by local finance and HR teams, for shared service centers, for IT users and for service accounts.

Automating the process not only replaces a manual time-consuming task, but ensures timely, complete, and accurate results ensuring compliance.

Join industry experts, Matt Luscombe (CEO, Systems Risk Services) and Adil Khan (CEO, SafePaaS) in the first of their series of sessions discussing the challenges in effectively controlling Oracle Cloud, along with best practices in how to simplify the access certification process and how technology can help.


Emma - Hello and welcome to today's session, "Take the Pain Out of Oracle ERP Cloud and HCM Periodic Access Reviews." Just a few housekeeping items before we get started: the session will be recorded for on-demand viewing. All attendees are on mute, and if you do have any questions for our speakers today, feel free to pop those in the control panel and we'll get to those at the end of the session. My name is Emma, for those of you who don't know me. I'm delighted to be joined by Matt Luscombe, CEO of Systems Risk Services, and Adil Khan, CEO of SafePaaS. Matt and Adil will be sharing some great tips and recommendations on how to streamline the access certification process in Oracle ERP Cloud and HCM with some real examples and case studies.

So, this is the agenda we'll be following today. We'll be diving into business drivers, why it is a challenge in Oracle ERP Cloud and HCM, essential capabilities you should look for in a solution, a case study, and then Q&A at the end.

So according to ISACA, User Access Review is a control to periodically verify that only legitimate users have access to applications or infrastructure, and Access Certification is part of the broader initiative of access governance.

Would you like to briefly introduce yourselves before we get started, and then we can dive into this session?

Adil - Sure. Matt, go ahead, please.

Matt - Hi, I'm Matt Luscombe and I work for Systems Risk Services. I've been spending the last 25 years, as of later this year, working around Oracle security and controls, both as an implementer and an auditor. I have an idea of some of the pain that can exist in clients that use Oracle E-Business Suite and, more recently, Oracle Cloud ERP and HCM, but also how it can be implemented in the least painful way.

Adil - Thanks, Matt. Adil Khan. I'm the CEO here, SafePaaS founder, and our mission is to help companies reduce compliance and audit risks using technology, reliable technology that we build on our platform. And it's great to have folks like Matt to work with us, to help our customers become successful. And so I've also been in this industry for a long time. I was on the board of the Oracle GRC SIG for many years. I've written a book called Oracle Governance, Risk and Compliance Handbook that was published back in 2012 with a colleague of mine from Oracle, named Nigel King, who was the Vice President of security and did a lot of the design for Oracle Cloud security, so you can blame him if you don't like the security. I've helped about 200 some companies around the world on five continents improve their internal controls using Oracle. I'm here to help you, share some of our stories, and hopefully these will help you improve controls in your business.

Emma - Absolutely. So let's dive into the session and talk about some of the business drivers for periodic access review. Adil?

Adil - Yeah. So as I said, you know, I work with quite a few customers around the globe, the majority of them in the US, though, so my perception is primarily in the US. But I think what I hear from our customers is what I'm going to share with you here, and these have been condensed into bullet points, and you can read the bullet points. I'll just give you a little story behind each of those. So, growing scrutiny from auditors. We have seen PCAOB put out some guidelines. That is the oversight organization that was established as a result of Sarbanes-Oxley back in 2002, by President Bush signing SOX into law here in the US. So we've seen a number of directives come from PCAOB through the SEC. And last year, for example, we saw more emphasis on completeness and accuracy around testing. And so we'll get into that a little bit later. But that's one of the drivers we're seeing from our customers that are probably doing something. You know, they're using spreadsheets or whatever. They're looking at a more robust, auditable solution. So, that's a great reason for you to consider moving to a solution. Or if you're even doing it manually, looking at putting some structure around it, and, Matt, we'll get into it.

Matt - I think just to add to that, even for those that are not Sarbanes-Oxley. I mean, I'm still seeing others, my clients, where they're getting a little bit more of a poke from their auditors now around access. So, things that they might have got away with a few years ago. Even public sector and local government organizations, where they didn't have a Sarbanes-Oxley requirement, et cetera. But they're still being asked, OK, show me that you have reviewed all of your access and it's still appropriate for those people.

Adil - Yeah, very good point. And I hear the same from our customers all the way in South Africa. You, being in the UK, are quite familiar with international customers as well. And what I hear from the audit firms, too, that I talk to, is that good audit standards, whether it's SOX or not, are being applied across the markets to customers, just because all of us want to do a good job. And if there are some new ways of improving the quality of your audit, you all want to adopt them. That's a great point there, Matt.

The other thing that I think has just changed over the last few years, since COVID I guess, is this hybrid work. I have an office at home that I work from often. I'm there today. I can see many of the people attending this might be working remotely, and so there's just that need to have a little more confidence around people having multiple devices. Many more applications as part of the hybrid work, also. I've heard the term "bring your own device," but also "bring your own app." So, people are using more apps, and in the context of today's session you may have some different ways of interfacing into Cloud ERP, which can post journal entries or ultimately have financial risk. So, the privileges that are granted are getting more complex. Matt and I have talked a lot about the quarterly patch process. And, Matt, maybe you want to say something specific to Oracle as well, because that's a burden that people didn't have to deal with in the on-premise world, right?

Matt - I agree. And whilst it shouldn't have hopefully very much impact on periodic access review, it may. It definitely needs to be thought about.

Adil - Right. The last 2 or 3 points, just to kind of wrap up this slide: control access to meet audit standards, established and expected. Having good controls, good hygiene.

Effective controls to make sure your provisioning, your de-provisioning, essentially that identity life cycle, is under good control and good management. And it's different when you do it in cloud, because I grew up in the on-premise world like many people who have been in this industry for a long time, and moving to the cloud, we've learned a lot of new things. To make cloud more efficient, more, I guess, agile, many companies are using the cloud to become more agile. There are quite a few things you can do which create, unfortunately, some risk. That's another area where customers are saying, OK, we want to meet our standards and improve the controls for certification, compared to what we had. And, in many cases, the hybrid environment, going back to that point, is not just the hybrid work, but also the hybrid technology.

Because you may have things that are still on-premise, and you have to take them into account.

The last couple of points are really pretty standard, around anybody that's doing things manually. The pain points. We don't have to drill into it, but spreadsheets tend to be more complex to manage. Even with the best of us knowing Excel, pivot tables and all that, it still gets hard at some point when the underlying data changes.

Then, the last point. Matt can comment more than I can on data privacy. The need for that, especially GDPR in Europe, has been a big concern. So it's also just kind of keeping those keys to the kingdom away from the people that don't need them. So from what I know about GDPR, least privilege, there's kind of a philosophy around it.

Matt - Yeah, that's right. I mean, one of the requirements around GDPR is to make sure that only appropriate people have access to data. Well, OK, that's part of it. If you're talking about GDPR, you're talking about personally identifiable information. That could include HR records, clearly, and payroll. That will also include things like suppliers and customers where you've got individuals as either suppliers or customers. You need to make sure, on a periodic basis, that that access is still appropriate.

Adil - Makes sense. And so, hopefully, you can use these points and correlate them to your organization, and see if these resonate with the folks in your teams to create a business case for access certification.

Emma - So, why is it such a challenge in Oracle ERP Cloud and HCM, Matt?

Matt - Oracle gives you a couple of starting points. So, one of those is the User Role Membership Report. This shows a list of roles that are assigned to users, which is great. You'll see on the little screen print that I've tried to include, depending on how big your screen is, that any one user role assignment might be split over multiple lines. So, in this particular example, there's a user that ends in 881 for the sample client AP Manager. All six of those rows are one single role assignment. So, at that point, you're going to end up having to not only download it, but manipulate it by deleting the Policy Stripe, which is column G, and then removing duplicate records. If you have to do it with Excel, that's still fine, but you then need to document your process to provide assurance over completeness and accuracy.

How do you prove to people that you've not accidentally or intentionally removed lines from your spreadsheet, so that somebody else can go back and re-perform this if they want to?

So for those organizations that have just a single ledger or a single business unit, that might be fine. But what we find is that quite often, global organizations have multiple business units or multiple ledgers. Unlike in E-Business Suite where, before the days of multi-org access control, you probably would have created a different responsibility for each country around the world and then linked them off to the organizations or ledgers, in Oracle Cloud ERP in particular you'll typically have a single role. That will cover everybody around the world, and you'll use the data access security to link it to those.

Now, that creates a challenge for access certifications because, certainly, some of the clients that Adil and I work on together have global reviewers. They don't have a single reviewer that's going to know everybody around the world. So, if you've got people in the US and UK and other parts of the world, do they really know whether or not that role is appropriate? Which is really what the whole point of access certification is: verifying the appropriateness of any one role assignment.

Now, once again, Oracle gives you another report. So, you can export the data access, and then you can link it with the User Role Membership Report and combine them. There are a few challenges around that. If I revoke a role within Oracle Cloud itself, it does not revoke the data access from that user role assignment. So, you end up with orphaned lines. Equally, not all data access assignments are high risk, particularly for reporting. Quite often, our clients use secondary ledgers just for reporting, where they'll have a primary ledger whose functional currency might be GBP. But, if they're part of a group that has to report in USD, for example, they might have a secondary ledger for translating the balances into USD.

That in itself, the secondary ledger, is not necessarily going to be high risk. I might have access to it to be able to view the information, but I'm not going to put an AP invoice directly into my secondary ledger, for example. So, I wouldn't necessarily worry about having to sign off all of those data access assignments. Equally, there are other challenges. I might have roles that are used by service accounts, where they might have access to every single ledger around the world, every single business unit around the world. Do I really want to review every single one of those role assignments, every single data access for that particular user role assignment? Not really, because that could end up with hundreds of lines, even for the areas where I think the high risks are: the primary ledgers, the business units, etc. There needs to be a more sensible solution that doesn't involve looking at every single line. And really, the way that Oracle Cloud is set up is also slightly inconsistent with HCM. HCM uses data security, but not data access security. I know that's semantics for many people, but it's a completely different security approach. And that impacts access reviews as well if you've got a combined ERP and HCM system.

Adil - Yeah. I mean, I'll pick up here. So, I know that's a common concern that you and I are dealing with for Cloud ERP customers together, and you've helped us come up with some better ways of doing that. I guess people might be wondering how you would go about putting together a solution where you can make it more risk-based, Matt. Like, you know, certain things like the secondary ledger, for example, may not be required. So, I mean, do you have some guidance for people that are listening in to help them sort through this?

Matt - Yeah. I think, to me, the first step is to identify what the security contexts are, what data access is actually in use. There are about 10 or 15 security contexts seeded by Oracle. You can't change them. And then, on top of that, you'll define your own security context values. For each of those, you then go through and say: is this high risk? And if we put it in scope, how many extra lines might we end up having to review? But also, do I have an approach that allows me to take a plan B for the ones that are out-of-the-box roles used by service accounts, but that I know have loads of mitigating controls? Not ideal, but most clients, unfortunately, do have that approach there. It needs to be risk-based, so that I'm not necessarily reviewing every single line.

Adil - Compliance is not just about creating more work, it's also about reducing some work, and that's a great example. Talk to Matt and he'll show you an approach that fits your specific organization.

Matt - So, for example, employee roles and line manager roles are usually auto-provisioned to all employees and line managers based on something called HCM provisioning rules. Well, if it's automatically provisioned based on my HR record, why would I want to review that as part of an access review? Because it's not manually assigned, it's being assigned directly by Oracle itself. So for many organizations, there will be plenty of people that are employees, and that's it, particularly if they use HCM.

Adil - Yeah, that's because every employee has an ID. And it's not like they're posting journal entries all day long.

Matt - No, I don't really want to have to sign off thousands of lines just because they are employees.

Adil - That's right. Yeah, we'll talk about a case study later on in the presentation. So stay tuned for more information on how we deal with these situations. But you can see that it's pretty daunting to do this in a spreadsheet and get it right.

Emma - So what are the essential capabilities that they should look for in a solution?

Adil - So yeah, let's take a look at it. I mean, this is where we spend a lot of time at SafePaaS thinking about how to build good, reliable software that's self-service. Our customers want less overhead on compliance and audit; they want to get their audit right. They want good visibility. And these are some of the key capabilities: if you're out in the market, whether you're talking to SafePaaS or anybody else, this is what our clients are asking for. And so this is a cheat sheet for you to help build your own requirements, essentially, learning from what we have seen in the market and what we heard from our customers.

So, what customers tell us they want is an intuitive way through this whole process. Look, we can do this in a spreadsheet, but as I mentioned, it's complicated, and it gets really difficult to control the errors in a spreadsheet. So, to keep it accurate and complete, you want to have simple dashboards where you can track the status of where you are.

What a lot of customers complain to us about is the amount of chasing it takes to get things done, especially if you're spread across multiple locations or you have a hybrid work environment. For most of our customers, you don't have everybody sitting in the same office, so you can't just walk up to the desk. So, intuitive review and certification dashboards are really important: reminders, escalations, all of those workflow capabilities that you expect as an enterprise customer of Oracle. You want to see the same kind of capabilities in your certification tool, whether it's SafePaaS or whatever you select. So, that's kind of number one. You want to have good control over the whole overall process of certification.

The other point, as I move from left to right along the top row there. The second item is consolidated controls and the management and administration of those controls. So, you may have multiple applications. Oracle may be just one of them. And if it's only Oracle, great, your problem is solved. But if you have multiple applications that are in scope for your audit, then you want to be able to see them all in one dashboard, in one place, and you want a solution that can show you all the controls in one place, because that's what your auditors will also test for. And being able to manage it all from the same central location helps. So that's the other key, important point that comes up.

The third point is that closed-loop approach. What I often hear from our customers is: yeah, we sent them e-mails, and I think they did something. But the question is, well, how do you know it actually occurred? So, let's say you went through a spreadsheet, or whatever approach you have, and you went through role and user assignments. And let's say you've done all those hygiene points that we discussed previously. So you've done your security contexts right. You've looked at the roles and eliminated all the employees, as Matt said, and you only have these key, high-risk roles assigned to users that you're reviewing. Well, the problem that still remains is that at the end of that review, what's the deliverable? Is it just another spreadsheet or a report? Is it a report from a system that shows you what should be removed?

Or is it actually ensuring that the risk is remediated timely by actually providing the evidence that that access was taken away?

So, let's say we found that Emma had access to the general ledger in Spain. But she works in marketing, she shouldn't have that access, and I, as her manager, put a request in to take that out. That remediation has to be evidenced independently, by an independent auditor, that it occurred. Otherwise, it's just a waste of everybody's time. So, that's what I mean by closed-loop.

And that's really important to our customers and our auditors.

The last item, obviously, is to integrate, which sort of feeds into my previous point. If you have an IT service management system, you have information in there. So now you're going to have to duplicate that. You're going to put the request in our system, or whatever system you have, a spreadsheet, and then you're going to have to go create a ticket and then monitor that ticket.

If you're using a provisioning system, let's say an identity governance system or IAM system, it has a lot of useful information in there, even your Active Directory. Like, who's the manager of that employee? When were they first granted access? What's the current department they work in? And who approved the last access?

So I think, for your more mature organizations: we have this maturity model for access governance that you should look at. Level three is where most customers are today, but the goal is to move to level four or level five, which are optimized and repeatable, using the CMM terminology.

That's what our level four customers are, and they're moving to level five, where they can automatically leverage the tools they have in place to generate the tickets, make sure that the remediation action is performed, and then provide verification through audit analytics that it has happened. So, now you are at a more mature level, where your processes around access management are more streamlined, versus having to go across these different islands of technology.

So, those are kind of the top four things on the top. The bottom four: obviously, everybody wants to reduce the burden around audit, audit fatigue. Having good insight into your current state. What's very stressful is when your deadline is approaching and you still have 50% of your work outstanding.

And then what do you do if you're spread out? So it is important to have good risk intelligence, looking at where you are in the process, drilling down into it, and maybe escalating items to management when you're not getting the responses.

It may sound like a simple day-to-day operating procedure, but it's difficult to do because of all those elements that we just talked about that make up the certification. Having that burden lifted is important.

You can prevent ITGC (IT general control) failures by taking a fine-grained look at it. A number of our customers have been doing that. They've moved from spreadsheets into some sort of a tool, but the tool has this concept of reviewing the roles in the business context. So they may be using, let's say, ServiceNow, where they have created these abstract roles. So, Finance Manager gets a number of, let's say, GL and AP roles within Cloud ERP. But what people are certifying today is that Finance Manager, and auditors are coming in and saying, well, what does that mean when you say Finance Manager has access, what have you understood? So being able to go fine-grained matters, and it's up to you what level you want to go to. You can also go too far, so you have to dial it up or down. And folks like Matt can help you, based on your organization's size, risk, and so forth, on what the right level is for you.

Matt - The only thing I was going to say on that one is that it might be supposed to be provisioned via ServiceNow or another tool, but there's still always going to be the backdoor. And that's the challenge. If you just do it at a ServiceNow level, you're not going to pick up that somebody has assigned a role directly within Oracle Cloud, via the Security Console, via HCM Data Loader, via REST APIs. All of the backdoors that Oracle has allowed for doing provisioning.

Adil - Very good point. This is a key source of findings that's very useful to know. Just to wrap up the slide and try to stay on track for the time. Rapid deployment. That's something customers demand today in the cloud for anything: to be able to get the solution up and running fast.

And I think if you've been there, done that, it's easier to rinse and repeat. Now, each customer's requirements are different. Your risk profile is different, so it's not one size fits all. But I think having dealt with lots of situations and scenarios, like Matt and I have over the 25 years or so, helps you contextualize that and make sure that you're making good decisions to incorporate this process or enhance the process you already have.

Then the last point on the bottom row of that slide is global roles and entitlement management.

It's becoming more and more important where companies are introducing multiple applications as best-of-breed. So we had this trend in the nineties to move everything to a centralized, monolithic ERP system. But we learned a decade ago that for customer management we need a dedicated CRM system, and for procurement we need a dedicated procurement system. ERPs are great for centralizing and housing the information, but as we are building these additional point solutions, or best-of-breed solutions, around the organization, I think global roles and entitlements become important, because you may be doing procurement in Ariba or Coupa or something like that, depending on what you have. You may be doing your customer management activities in something like Salesforce, let's say, and your HR might be in Workday.

So, we're seeing that combination for those customers that have best-of-breed applications around the ERP, Cloud ERP and Oracle ERP, and that's something to consider as well. You work a lot with roles, Matt. Can you help customers with advice on how to build good roles?

What do you think would be helpful here?

Matt - I think there's a bit around making sure you have the appropriate set of roles for your business, but not too many, and really knowing what's in them. I mean, all of the out-of-the-box roles come with a whole heap of pain. It doesn't necessarily impact access certification as much, but it will absolutely cause an unbelievable amount of pain for segregation of duties, which we'll talk about in a couple of months' time in the next webinar. You definitely want to try and get rid of the out-of-the-box roles, and replace them with a cut-down version that is clean and segregated. But then it comes down to the operating model; it comes down to making sure that your teams actually support the requirements around segregation of duties, that you've documented your mitigating controls, and that they are operating effectively. I think around access certification itself there are a couple of things I'd probably add to that. This is around whatever you're using: even if it's a spreadsheet, you need to make sure there are access controls around the responses. You need to be absolutely certain that if somebody has signed something off, either positively or negatively, it then doesn't get edited by someone else, and you need to be able to prove that. But also, you might need more than one person to review any one role assignment. So there might be somebody that sits as a local team member, but actually there might be somebody else that needs to sit above them as the line manager to say, well, wait a minute, OK, you might need that for that reason, but actually I don't think you need that for a different reason. And that becomes difficult to manage through things like spreadsheets.

Adil - Great points, thank you. Let's move on.

Emma - OK, next we have the case study. Adil, do you want to walk us through the case study?

Adil - With every customer we engage with, our goal is to build a lessons-learned slide that we can share with other customers and ourselves internally, to get better at what works and what success looks like. What's the outcome we should be driving towards? And so, this is a simplified version of it. I'll spend a little bit of time talking at a high level. And, again, these are the kinds of things you want to really have one-on-one discussions about with folks like Matt and myself, and our teams, to really drill into it, because, obviously, it's confidential, and we can't publicly disclose a lot of the return-on-investment type details here. But we'll be glad to share those with you in more detail.

We picked an example of a recent customer with whom Matt and I have collaborated, our teams have collaborated. And we picked a global household brand that is well-recognized across the globe. I'm not overstating that, I don't think; they are in a hundred different countries. You probably have seen their logos as you drive or walk or bike. They had a mandate to move to cloud and they chose Oracle ERP Cloud to be that solution. There are hundreds of applications, by the way. It's just that Cloud ERP is the main one they're moving to. So, you know, they're moving ultimately from Oracle E-Business Suite, although cloud has many more, I guess, use cases for them.

They also are a big user of ServiceNow and SailPoint. I'm just giving you the very brief version of the footprint. There's a lot more; it's a complex organization with lots of things happening at once. So, when they came to us, the challenges were around lack of visibility around this periodic access review process, as you may call it, or the certification process. The problems were that they were doing it in spreadsheets, and the external auditor had raised some concerns around the quality of evidence that was coming out of spreadsheets at a high level. They had had some issues with the spreadsheets. What was making the problem worse is that they couldn't re-perform the control. That's very important for independent auditors, to be able to go in and re-perform a control. Even though you have a compliance layer of defense, you have an internal audit line of defense, ultimately external auditors want to be able to do that. And that was a challenge for them. And obviously, since they were doing a lot of things offline, they were doing some things online in one of their tools, too. But that online tool itself had even made the problem worse, because, as I mentioned before, they were doing it at an abstract role level, which, by itself, wasn't quite sitting perfectly with their roles. And so, as they were moving to this new platform, transforming to cloud, they felt like this would be an area to make improvements. That's where we engaged with them. So, you can see there are lots of different technologies, and as a result they have elevated risk. When they went with Oracle Cloud, they also recognized the importance of service accounts, which are great technology innovations for us to be able to integrate companies, accounts, and all that information we need to have at our fingertips. By the same token, it introduces a tremendous amount of risk, and I want Matt to talk a little bit about the risk in service accounts, because that's an area that, Matt, I know you spend a lot of time guiding us on how to avoid, especially in Oracle Cloud. Do you want to say a few words?

Matt - Yeah, so I mean, typically the way that people get handed it is via their systems integrators or implementers. Without being mean to some of my friends at integrators, they get handed it by the easiest route, the quickest route possible to implement, which is: they're going to give you a whole heap of out-of-the-box accounts, because they know they work, and it's a bit difficult to work out what they genuinely need as the minimum required privileges. Quite a lot of the work that I've ended up doing in the past couple of years is starting to unpick some of that, literally down to which processes they need to be able to run. What are the integrations that they are running? What privileges do I therefore need to run those?

And at this particular organization, we chopped that out: we created a couple of custom roles for service accounts. Every single service account has got its own custom role, apart from one, which is the main integration. So, for that one, we put in a whole heap of mitigating controls that stop anybody from actually logging in and using it instead. Therefore, we are reducing the risk of fraud for every other service account and mitigating the risk of fraud for the one main one. But other organizations have successfully killed everything, in terms of security and access problems, not in terms of integrations, I should point out. So we managed to cut one particular account down: it was triggering about 3,000 Segregation of Duties violations before, and now it triggers zero. It still works in exactly the way it needs to; it just doesn't have all of the extra privileges, because we've done the extra work to work out what the minimum is.

Adil - That's where, I think, we really value your background in audit too, Matt. Because this is where, you know, if we don't do these kinds of things, it ends up, in the worst case, at an audit committee at the board level.

Matt - Well, people make changes via the service account. They're not monitored, because they assume that it's an integration, and I can get away with changing bank accounts. I can get away with doing transactions.

Adil - You can actually end up with materialized fraud as well.

Matt - Because all of the integrations, they are all update versions, just read only the way Oracle provides it.

Adil - So, watch out. I mean, you've got a very powerful Formula One car, but you can wreck it very fast. Thanks for that insight. Given the regulatory environment we're in, these kinds of innovation and technology need to be judged against whether, well, everybody's talking about AI and ChatGPT and how to regulate that, but even the basics. ERP's been around forever, but you can see that even ERP needs those controls that Matt has just outlined on service accounts, and there are many aspects. So, this was a big challenge in moving to this Cloud ERP for the customer, with these new capabilities, this new power. This new capability needed to be controlled and regulated.

And the last piece is the challenges around the transformation itself. There's something here that I want you guys to hear from Matt as well, because when you move to the cloud and your security model is different from what you had, you have new considerations.

I know we talked about security context in the past, but, I mean, how you grant roles to people in Australia versus the UK versus the US is different, right, Matt? I mean, compared to how you did this in an EBS world.

Matt - In EBS you hoped that you had a global solution and a global team that were controlling access. But, I mean, there are many more ways I can get roles assigned to me in Oracle Cloud. It could be that they are auto-provisioned. It could be that somebody is manually assigning them. It could be that an integration is doing it for me. It could be that I'm using HCM Data Loader to bulk upload, particularly for cutovers and new go-lives, etc.

I think there's also a challenge around the controls, because typically the control itself will still have to operate over a period of time. So, you suddenly need to think about when you are going to implement a new approach to access review and still meet your control requirements, which are going to be on a periodic basis, typically six-monthly, maybe quarterly, depending on the roles being reviewed.

Adil - Let's talk about the solution. I think you're getting into that, Matt, as well. So the solution, obviously, was for them to look at the products they have purchased from us at SafePaaS and see how they can implement and deploy them to meet these challenges.

And, one of the things, as I go into the product side a little bit now for those of you that are potentially looking at automation: many products are out there that can basically automate the high-level workflow. As I mentioned previously, the challenge when you're selecting a solution is, does it really get me the outcome I want? This means, do I have less risk after I've run through this product? And this customer wanted us to make sure we solved the problem of these multiple methods of provisioning that happen. I think, Matt, you talked a little bit about that. You can have it coming from SailPoint. You can have it coming through ServiceNow. You can have it coming direct, even an e-mail from the CFO: hey, I need this access for my new advisor. So, you have many different sources from which access is coming into your Cloud ERP.

The challenge, and then the solution we provided the customer, was integration into AD, into Azure, all these sources where there are pieces of information that are critical in the certification process. The mandate from the customer was: OK, I want a solution that's self-service. I don't want to have to babysit it, and just moving the spreadsheets over to a tool that I then have to babysit is no good. I really want this tool to be streamlined and self-supporting, and also to lower the cost of management. The customer has outsourced a lot of these functions to third-party providers, so there are hard dollars going out, and there's definitely an ROI of automation here. So there's the business case for you.

So by integrating for them, we're able to provide a solution where, when the ticket is generated, when a termination request is sent to us in SafePaaS, we actually create a ticket through SafePaaS into ServiceNow. That's a POST function that we support, a special format that all gets posted there. It also provides some hints and routing that the customer has in place, so it's configurable.

So, if they're going with Cloud ERP versus a different product that they want to use this for, it routes to the right data specialists who can de-provision, control or change that access. That's an important piece of the solution that is often overlooked, but that's not all. There's also the confirmation that the ticket was actually performed by the data specialists. So, we're going deep into this process and providing our customer the total solution, where they can evidence the fact that some data specialist in ServiceNow performed that duty and closed the ticket, and then we can see that the request for removing a role from a user has been completed.

But the auditors wanted further confidence: OK, how do I know from the Cloud ERP that that role has actually been removed from that user, without doing another certification? You don't want to tie down your organization with certifications all year long. So, we also provided them this audit analytics capability, access audit analytics, where they can see what's in my ServiceNow ticket status, what's in SafePaaS, and what's in the Cloud ERP itself. So if, for some reason, the ticket was closed incorrectly, in other words the role was not actually removed for whatever reason, because these systems aren't integrated with each other. SafePaaS is integrated, so it brings all that information into an audit hub where the auditors, the internal auditors, can perform their testing and verify that that access has actually been removed from that user. Anything you'd like to add to that?

Matt - I just think that saves many hours for some poor person having to raise all of the tickets to remove access in the first place and make sure that they're all consistent. And then it saves many more hours reconciling to prove that what should have been taken away has actually been taken away.

Adil - Absolutely. We always consider ROI as part of our solution offering to our customers. So, as you're thinking about where the savings will be, this is a key area that Matt talked about just a minute ago.

So automated access certification by application is another important point. While we're talking today about the cloud, the customer has on-premise applications, too. That may not be relevant to you today, but you might have some other applications that are running with Oracle Cloud Infrastructure, and they may be in scope for your certification. In this case, they were. So, we also provided the same capability and solution with slightly different workflows, obviously, because there are different people doing those types of things. So, that's also possible. I'm seeing many of our customers who are buying Oracle Cloud are also buying Oracle Cloud Infrastructure for moving some of those customizations or other interfaces and so forth onto OCI. So definitely, if it's in scope, we can support that, going beyond a point solution for Oracle Cloud to an enterprise solution, which is what we're trying to offer to the market here: one that scales with your business as it grows and changes.

Integrated corrective actions, I think I've emphasized that enough. So, that's a big part of that automation. That's kind of the solution footprint. There are also other solutions that the customer has adopted, but we wanted to stay focused on access certification today. The success and the benefits that you can take away from this case study are around lowering the audit burden by streamlining your access certification process, making it more self-service, and making it more visible for the folks who are involved in this process.

So let's talk about who's involved in the process. Certainly, we've talked a lot about the auditors and the compliance folks. But it's the people in different departments that are responsible for certain roles. You can call them role managers. So if I'm working in Australia in a finance department, I might be responsible for the finance roles that are in my market, and I'm responsible for reviewing them quarterly, semi-annually, whatever your frequency is. And so, make it easy on them, so they can see not only what am I certifying, but also, what is that role made up of? And the history of the role: when was it granted? Because often, when you go live with a new system like Oracle Cloud ERP, you may have business reasons to give people more privileges that they don't really need on an ongoing, business-as-usual basis.

So, you may find that the level of detail you need to be able to make those decisions requires you to know what you provisioned. Where did that provisioning request come from? And so, that was a big benefit to the customer, having that visibility to be able to see what resources are still available to the users and whether they really need them. If there are any excessive privileges that were granted early on in the project, or for a special need, they can be quickly remediated, and they have that confidence through the closed-loop consolidation and closed-loop approach, where they can see what they've certified.

So, one interesting problem, which I felt was a big benefit for this customer: they used a lot of third-party contractors for managing their Oracle Cloud ERP environment, and so for them it was really important, because some of the people certifying in the company don't know all the contractors that are working. That's often a problem I hear from enterprise customers that outsource service management pieces. So they're able to route those requests, download them, or route them to folks in these contractor organizations, the managed service organizations that are supporting the customer. So, the closed loop can become a little more complex, and for this customer that was a big win, to be able to meet that requirement.

Anything else you'd like to add, Matt, that you think is a good success here?

Matt - I mean, I think it's having it all in one place. All the results are in one place. You can easily certify that everything was received, and there's a SOC 1 Type 2 report that covers the process that it goes through. There's confidence that the information has not been tampered with.

Adil - So hopefully this helped you see how you can take this information to your organization, identify similar challenges, look at solutions and the benefits you might receive, and help you create a business case.