Risk and Controls for Oracle ERP Cloud
Risk Management and Controls for Oracle ERP Cloud
As organizations embark on Oracle ERP Cloud transformation journeys, more frequently than not risk management and controls are left behind. In this session, you will learn how to make risk management the driving force behind any transformation project, and how risk management can help you achieve your real business objectives.
Join EY’s Nick Stanoszek, Kara Smith, and SafePaaS’ Adil Khan and Navinder Kaplish as they discuss why businesses should integrate risk management into people, processes, and technology and how it can become a strategic component of a cloud transformation project.
They discuss some of the major considerations for designing, deploying, and operating controls to propel your business forward.
Emma - Good morning, afternoon, wherever you may be in the world today, and welcome to today's session, Risk Management: the Essential Ingredient for Cloud Transformation. My name is Emma, for those of you who don't know me, and I'm on the marketing team here at SafePaaS. I'm delighted to be joined today by Nick Stanoszek, Senior Manager at EY; Kara Smith, Manager, Technology Consulting at EY; and then Navinder Kaplish and Adil Khan, CEO here at SafePaaS.
Just a few housekeeping items before we do get started. The session will be recorded and you will receive a recording of the session afterwards. If you do have any questions, we would love you to participate in the session, so please feel free to pop those in the control panel, and we'll hopefully have time for some Q&A at the end of the session.
This is the agenda we'll be following:
We'll start off with some brief introductions, talk about some considerations for a move to the Cloud, cloud versus on-premise complexities, and then go on to talk about solutions that can help you overcome those challenges. So, Nick, over to you.
Nick - Sorry, I was on mute! Nick Stanoszek, Senior Manager with Ernst and Young, I've been working specifically in our Oracle GRC technology group.
Our focus is any of the Oracle products, NetSuite, as well as Workday, which doesn't fall under the Oracle name. But we also have peers that are over on the SAP side as well, but as a whole, in Oracle GRC technology, our goal here is to build a trusted application, a system that has controls in place, a system that has application security, to be confident in all of these types of things. So that way, when you go live or your providers go live, everything is trusted, and everything is controlled. So, we have five pillars in our ERP trusted solutions. So we have risk and internal controls, which are your business process controls, IT controls, application controls, all of those different types of setups within the application itself. We have application and data security. So, application roles, for example, in Oracle Cloud. We have segregation of duties, so SoD frameworks. We also have sensitive access in there as well, authentication and data privacy. We have user and identity governance. So, role-based access: how are we maintaining roles within the business? Not just roles within the application but roles across the enterprise. How does that all tie together? Enterprise roles, things like that. So maybe you have a specific role that's going to span several systems, that's automatically going to provision a user access to those systems, and how's that managed, and UARs across on a quarterly basis. Evolving risk management. So how are we managing all of our controls? How are we managing our control environment? So whether it's application and release management for Oracle Cloud, or any of the other cloud systems, any of these releases that are going to come out, how are we managing that? How are we managing our process controls on a regular basis? How are we managing change management overall?
How are we getting all that detail? Then, lastly, implementation risk management, which is, I think, a big oversight in a lot of transformations: how do we know we're ready for go live? How do we know we're going to have a successful go live? And a lot of these bullet points here are going to help us address those specific points during our transformations. So maybe you have touch points during the transformation, and ensure that we have controls in place. We have security in place, so that way we can rely on those controls. And we have done our due diligence in terms of conversions, or interfaces, all these types of touch points, to make sure that, when the system goes live, everything is confident, everything is trusted. So, that is EY GRC technology as a whole. Again, touching on those five pillars there, and then making sure that all of our clients and all of their systems are ready to go live successfully.
Our GRC technology group: I touched a little bit on our trusted solutions. Some of these areas now are the areas that we specifically can provide services on, and we do provide services. I like to think of us as the intermediary between an SI and our internal controls, internal audit, or risk transformation, if you will. So we are the ones in between there that are going to develop controls, develop ways to make sure that we have a trusted solution. So, some of the areas, these four areas, are ways that we help clients today. And again, here on the left side, you'll see that we have several different systems that we work in, specifically myself and Kara; however, we do have peers who work in other applications as well, such as SAP and so on. So this is just going to be a high level on us, but we do have others that do the other applications as well. Some of the areas that we help with: security control implementation. So everything from designing application security controls, and that includes business process controls, and it also includes IT controls, designing those, building them in the application, and testing them, and obviously going live with those at go live. Building SoD frameworks from the ground up, as well as testing that, testing the application controls and our application roles as well against that framework. And you'll see as we come down here to number three, I'll touch on this: testing those SoD controls is where SafePaaS a lot of times is going to come into play. So, a way that we can actually automate the testing process for validating whether or not we have intra-role conflicts, internal conflicts, and that's a great tool. Obviously, we will touch a lot on what they do, but it's a great tool to automate that process.
Pre and post-go live assessments, we've touched on that: are our clients ready for go live? Have they done the due diligence to make sure they're ready for go live, and to have a successful and trusted application at go live? So, SDLC controls, business process controls, application security, data conversion, IT controls, all these aspects of the business. When we go from an on-premise application to a cloud application, there are going to be a lot of differences, a lot of nuances between the two. And so we need to make sure that our clients have coverage in these areas prior to go live. So that way, when they come to go live, there isn't a step in their work where they don't have confident controls, where there are maybe inadequate controls at go live, where maybe you have to do procedures, etc. So, that's a very important step, especially as we go to the cloud, as there are a lot of nuances with the cloud.
Technology, enablement, SafePaaS, for example, where we can actually enable technology during given transformations and for post go live. So, they can manage and monitor application security controls on an ongoing basis. So, helping with that making sure that the right tools are there, and the right processes are in place.
Then, lastly, segregation of duties. Pretty simple and straightforward, but assessing roles and responsibilities on a regular basis, or on an ad-hoc basis. This includes validating and baselining a framework, if the framework exists. This also includes creating a framework if one doesn't exist. So, ensuring that we have some type of control on the application security prior to go live is great! Obviously, we do the design as well, but again, you also think about post go live, making sure that the roles and responsibilities are managed and maintained correctly against that framework. So, assessing those on a regular basis.
So why are our clients going to the cloud? What are the top considerations and objectives for going to the cloud? Obviously, one of the biggest pieces here is the lower cost of ownership. There are no servers to maintain on a regular basis. For the Oracle Cloud example, we're moving away from those DBAs where we have databases to maintain and all these types of things. So overall, lower cost of ownership, a lot more uptime to be able to rely on the application.
It's a lot more scalable and a lot more flexible, easier deployment. You have a complete solution. They are a lot more innovative. It's a lot of newer technologies. There are some competitive advantages in there, there are a lot more ties to outside applications.
And then obviously, you have some data analytics. So moving to the cloud, there are a lot of reasons to move. I think to me, the biggest one is the lower cost of ownership, ease of deployment. If we think about the on-premise solutions in the past, getting an application up and running is a task in and of itself; with the cloud, everything is up and running. You kind of deliver the solution, and all you have to do then is consider the solution. So it's a little bit quicker to go live.
Aside from that, we look at, on an ongoing basis, patches, and releases, and all of these different things that are going to impact the application regularly. This is more of a consistency across. So, there are gonna be patches that are released on a quarterly basis or monthly basis. Whatever it is, everybody's gonna be on the same application, so we're gonna benefit from other issues, other bugs, other improvements that maybe other clients have come up with, and you're gonna benefit from those on a regular basis.
So, overall, keeping it innovative, staying up with patches, all of these things are going to be more consistent and more flexible, more scalable on a regular, ongoing basis. So, I think there's some massive considerations here, and you'll start to see this more and more as we kind of proceed into the next couple years.
Kara, I'm going to hand this over to you to kind of talk a little bit about the cloud versus on-premise. Obviously, there are complexities here, and there are a lot of differences between the two. And some risk considerations across that. So, I'll hand that over to you.
Kara - Thanks, Nick. Hello, all. I'm Kara Smith with EY, and one of the things that we know as we move into a cloud environment is that the changes that you will see from an on-premise solution to the cloud do necessitate some changes within your organization and how you think about your solution going forward, to make it robust, scalable, and sustainable over the longer term.
Some of the big, fundamental changes that you should consider as you're moving into this new environment: hosting is substantially different. It used to be that on-premise, you had DBAs and IT teams who were managing the application in house; you had complete control over when things were migrated, when you put in patches, when you updated your environment, when you made configuration changes. All of those things were part and parcel of what you would do with an on-premise system.
Now, with the cloud, system configurations are centralized in the application, and they're usually managed by third-party providers. There are some configurations that you are in charge of and have complete access to; however, if you need a new function or you need additional development, that's something that you'll have to coordinate with your service provider on in terms of timing. Other things to consider are around application security. Again, with on-prem, you'll have a lot of control over those application security roles, responsibilities and privileges, making changes, and updating them, all of which continues to be the case in cloud. However, the underlying configuration is substantially changed in the cloud. There's an increased amount of complexity here. What you were used to doing in a previous environment has changed quite dramatically. As an example, many of our clients, especially global clients, or people who have multiple business units, as you may have, what they're finding is that in their on-prem systems they were developing responsibilities that were really fine-tuned for those business units. Now, managing those roles is quite different, in that you may have one global role, and you're managing access and privileges through data security. So, conceptually, it's quite different. It does change your framework a bit, and it certainly requires you taking a look at things like your sensitive access or privileged access rules to ensure that they're aligned as you move forward.
We talked about roles and responsibilities a little bit. I can't overstate the complexity of the architecture. Architecture in this space is very complex. There are a lot of changes and a lot of nuances, and the way that roles interact with each other is no longer a straightforward analysis. So things like GRC enablement tools are going to help you identify potential inherent conflicts or excessive or pervasive access. Without those tools, the level of analysis and detail that you will need in order to really understand how these roles are configured and what accesses they grant, especially as they're combined with others, may change substantially and require a great deal of effort. So something to consider as you move forward.
Can we go to the next slide?
OK, system configuration and change management also is quite different. So again, in the past, in on-prem systems, you as a business owner and a stakeholder really could dictate when you had patches introduced into your system. If you had bug fixes, if you had other things that you wanted to introduce into your application, you had much more control over the timing of those changes. Now, with cloud being a hosted environment, you'll be more subject to Oracle's timing in terms of quarterly patch releases and what they're going to be releasing into your system. So, having a proactive view of those changes, and making sure that you have integrated change testing that is very proactive, to make sure you understand the impact of those changes to your environment, is going to be very important for you as you operate.
Change monitoring. Oracle Cloud does offer audit functionality in which you can turn on audit rules for selected configurations. You can configure different audit rules to assist you in audit and ensure that you have a clear line of sight and traceability on some of the key changes that may happen in your environment. This is quite different from the on-premise approach, where it used to be that you could just run SQL queries against your database. And you could pull reports that tell you, oh, hey, these are the changes, this is what happened, here's who did it. Now, you have less of that access, in fact none at all, depending on your solution. So you do have to rely more on some of this audit reporting to manage and understand the changes taking place in your environment.
Last but not least, business and IT General Controls. I can't stress enough that taking a look at these early and often during your implementation life cycle is going to be very important. It's not safe to assume that your business controls and your IT general controls will remain the same. There will be updates and changes that are required in order to keep you compliant and ensure that you're addressing the right risks in your environment. So, things to consider as you do that. One of the things that we've seen that is most successful in the implementations that we work on from an EY team is that you have early integration of your internal audit or internal compliance teams to ensure that you have a good line of sight on some of the changes that may be required in this space. So things to consider as you move forward. Don't assume that your current risk and controls matrices are going to address the risks that you may see in the cloud environment as you move forward. So with that, I'm going to pass it back. I think we're going to Navinder?
Navinder - Yes, yeah. Thank you, Kara. Hopefully, everybody can hear me OK?
Adil - Yes.
Navinder - OK, I'm going to build on what Kara and Nick said, and start with a customer story. So, this is an actual case study from a customer, but we have this capability to integrate with other systems for customers generally. Specifically, in this case, the customer going live with Oracle Cloud was a legacy EBS customer.
Also, they had a fairly complex application environment. The IDM system in place is SailPoint, quite popular with large enterprise customers; the IT Service Management system is ServiceNow, also very popular. And this particular use case that we're talking about is specifically for user access reviews, or access recertification. And what we did there, in this case, is we basically integrated with SailPoint, ServiceNow and Oracle Cloud. And we're basically using source data from Oracle Cloud and other applications that we've done this with. We are extracting various security model-related information from the IDM, which is SailPoint. We built an integration via APIs. And once the periodic user certification happens in the SafePaaS system, which is basically the periodic user access survey, based on accesses that are terminated, automatically, we've integrated with ServiceNow whereby tickets are generated in ServiceNow for end-dating that access, and assigned to the correct teams in that business, for removing that access.
Also, once the access is removed and the ticket is closed, we get a notification back into SafePaaS via another interface. So you have clear, complete details for this particular control. You've got the end-to-end survey, which is completely automated: approvers, approvals, and rejections of access. We have all the details of which accesses were supposed to be removed, and their ticket is raised. You also have details of which tickets were actioned. So, it's a one-stop shop as an audit platform. And that's what we're seeing more and more demand for. We've got customers going from on-premise to the cloud, and some of the things that Nick talked about in terms of challenges, we see those challenges. We've also got other integrated systems that also need to be involved in the key controls. We work closely with internal audit and internal compliance and control teams in this example to perform these integrations.
So Adil, I don't know if there's anything else you want to add from an architectural perspective? I think I covered the big picture customer story.
Adil - Yeah, that's a good example of one of many access governance components. So the SafePaaS platform, I think Nick mentioned earlier about the segregation of duties, and Kara talked a little bit about the need to have those change controls in place, because the way the cloud architecture is different and the need for having those audit changes. So these are all examples of how access has different ways of materializing risk in the cloud versus on-premise. And SafePaaS provides the full coverage from roles design simulation, as there's a question I saw pop up.
You mentioned, Nav, around the certification and recertification of access on an ongoing basis in the cloud. One of the challenges when you use ServiceNow, from an architectural standpoint, that I can maybe add to what you said, Nav, is that if you're using ServiceNow or some other provisioning system, they're based on catalogs. So, you have created a catalog for Cloud ERP as part of your go live. That catalog is typically at the abstract role level, which means that you may have someone called Finance Manager. Finance Manager may consist of four different roles in Oracle Cloud ERP, which includes, let's say, payables inquiry, AR inquiry and GL. And then there are data groups that contextualize access by business units. So, what we used to call profile options are now constraints around data groups, and they construct the context, and so, to build all that, we have the ability in SafePaaS to model the data that's in ServiceNow, through our standard out-of-the-box APIs for ServiceNow, and model the data that's straight out of the box from Cloud ERP. So, we take those security models. We can even mark them and cross-link them in SafePaaS. So when the user receives an action, or issue for violation, whether it's SoD or a provisioning request for someone to be approved or certification, as we're talking here, they can see the full picture: how it was requested, approved, certified, and how it is being granted in Cloud ERP. So that takes away one of the major audit findings that we're seeing in the cloud customers, which is IT provisioning systems that have gone online, as I think Nick said earlier, and you've got your ERPs online. So now you've got all this online in the cloud information, but they don't reconcile.
So you may run into issues of people requesting access directly in cloud, people requesting via e-mails as well as through your provisioning system, your ITSM system that is supposedly doing the fulfilment, but it's not testing your fulfilment request for SoD, so you can end up with segregation of duty issues. And also, it's not providing the full picture. So you have to manually maintain these catalogs. So we're finding that our customers and their auditors are raising that as a concern. So to solve that problem, we built this architecture that looks complex with these eight different integrations. But what it does is take away months and months, if not years, of effort and cost from your projects. So, if you're thinking about going from on-premise to cloud, this is one component of risk in your project that you can eliminate by adding automated capabilities within SafePaaS. Or if you're already live and you're operating the business on cloud, you can, again, reduce the risk of findings and remediation if you can ensure that your provisioning system is sending fulfilment requests that are SoD tested, as well as completed with that consistency between what's provisioned and what was the provisioning request, because those gaps create chaos, especially in the cloud, because you have limited access to go run SQL queries. Or, as Kara said, no access, really.
So, yeah, that's where some of this architecture, I can get a lot deeper into it, but given limited time, that's all I'll say.
But, if you need any specific details on this architecture, please reach out through Emma and I would be glad to talk you through it specific to your needs, because what I said about ServiceNow also applies to Remedy and Jira, whatever service ticketing system you use, and whether you use SailPoint or Saviynt, Okta or any of those IDM, IGA solutions, all of that as well.
Next slide.
So, yeah, this, I wanted to talk a little bit about a customer that both Nav and I work with, Nav being the PMO. And again, I'll cover the architecture side, but Nav, if you can just kind of talk about how we monitor configurations. And I know you're working on a number of projects right now where we're helping address those concerns, both on-premise and cloud. That'd be great.
Navinder - Yeah. So this is a specialized area in terms of controls, configuration monitoring, or, in some risk and control matrices, how do you track privileged activity in the system? So, for this particular example, we've got another customer story. What we did is basically work with the client to draw up a list of key configuration controls that they wanted to enable audit tracking on, and with the SafePaaS solution MonitorPaaS we basically implemented object-level tracking, whereby you could see who's made a change to that particular form in Oracle, when the change was made, with the old value and what the new value is. And we can do this not just for EBS, which is on-premise, the older version, but we're also doing a project now where we are doing this for ERP Cloud. So, in terms of the benefits, it is easily demonstrable to the auditors that you're actually tracking key configurations. And it's especially valuable if you've got a managed services partner or if you've got an external team which is supporting and managing your configurations, and you want confidence around that, that whatever was agreed is actually what's being implemented and nothing else. So, yeah, that's basically what we did in a nutshell.
Adil - Yeah, so you might be wondering why would we build a second mousetrap if Oracle has auditing, as Kara said? So the auditing that's available in Oracle has some gaps, but it's a great start to get started. But it has some gaps; for example, it doesn't provide full coverage, it's only available when Oracle makes it available on certain objects. So where it's available, we leverage it. But where it's not available, we have built out this capability within SafePaaS where we can leverage the APIs that Oracle exposed to us to essentially enable auditing. And then, using the OTBI reporting capabilities, be able to launch frequent snapshots and treat them, because we can't build triggers. And we can track changes. We're able to take frequent snapshots and then, internally within the SafePaaS architecture, be able to compare them. So, a couple of burdens on audit and compliance folks, not to mention the business users, is that when that change occurs you're now obligated to compare that with the previous results, as well as take an action if the change was inaccurate. So, somebody changed the payment terms of a supplier bank account that you want to not approve and prevent that from happening.
So, we're able to, with our architecture, able to not only notify that through a workflow to that control owner or the auditor as an FYI required, we can also notify that that change was unauthorized. So our customers are using this in many different ways.
So customers are, again, using an ITSM system like ServiceNow, we've talked about, it's popular right now, where they will log a ticket for change. So somebody says, OK, I want to introduce a new payment term, so that is logged as a ticket into your service system. That ticket actually means that you give somebody the access to go to setups, and now you're creating a high privilege for that user to go in, and we call it Firefighter at SafePaaS. But that user goes in and makes a change. But you want to make sure that's the only change they made, they didn't go change the supplier bank account. So now you need a control around that process. So SafePaaS takes that to the next level. As I said, we can grab the audit tables through APIs where available, but where they're not available, we can also launch our API services that will track that activity. And so what that means to you is that you're going to have complete coverage, which is what auditors are looking for and what your management needs.
That there is complete coverage on a process flow. So, if you think about, let's say, your source-to-pay process, there are many of these opportunities for defects in the control, and to prevent those defects and make sure the control is continuously operating correctly, you'll want to make sure that your partner like EY, when they design the control and they tell you about these controls, that you can then monitor them using a combination of approaches that best suits your business, and optimize that for performance.
As I said, we have incident tracking, too. So, if there's an incident, it's tracked in a closed-loop manner, including the ability to track the incident number from your ServiceNow account. So, when it comes down to a quarter-end reconciliation between what was requested and what was changed in the system after you've gone live, you have a complete trail on that. So, that's for customers that are already live on cloud.
By the way, this technology works for other non-Oracle systems, too. But since we're focusing on Cloud ERP, I'll stick with that.
So, the second piece is, what if you're starting a project? So now you have a different use case before you get to that steady state. So you're designing these controls, and you're working with your partner EY, let's say, and they're giving you this great input on where to enable the standard controls within Cloud ERP, because that's your first line of defense, really. And you're enabling three-way matching, approval hierarchy, workflows, maybe you're building custom workflows and reports to do a special reconciliation based on your business model. So now you have all this activity going on and you've got a cloud-based environment, as Kara said. You're moving across your SDLC environments. So you're starting with a lower environment like dev and eventually getting to test, QA, UAT and prod, pre-prod, whatever example that you want to use. And so now you've got a change management problem during the project.
So if you're, let's say, a Systems Integrator like Accenture or EY or whoever that is, your partner, you also have to make sure that you are controlling that change during the project to ensure project governance and reduce the project risk itself. So we provide you the ability to do comparisons. This is the same technology we had in the E-Business on-premise world; we have obviously adapted the same capability for the cloud. So you can do comparisons across different instances to make sure that those changes that are approved and accepted are being propagated into the higher environments, so your setups are not getting changed, and you can use that as documentation to ensure that your controls are in place. So by the end, EY has all of this controls knowledge. In some cases, we also work with EY where we're working with an existing SI that doesn't have that knowledge, so that's a deficiency in their offerings, and that's where we partner up with EY to come in and say, OK guys, while the customer is flipping the switch and enabling the process, as SafePaaS and EY we can help you ensure that during the project all those governance controls that you should have, that would eventually be tested as part of your SDLC life cycle, are all in place. So, that's another way to utilize SafePaaS and EY together, to be able to ensure that when your project gets into UAT during the deployment stages, user acceptance testing, that's not the time that you bring in the audit folks or the advisory folks, because that's too late. You have a big burn rate. You're basically trying to go live and your external auditors are holding you up because your controls are not fully effective. And they don't have good evidence that what was signed off in the design has made it to prod. So traceability matrix, that's a term I hear a lot from our customers, is accurate. So many ways to use that configuration.
This customer used it in one way, but we have many other examples. So, key, again, is to talk to us, and we'll help you identify those risks.
And that's just basically talks about how we enable that. So I sort of covered that on the previous slide. I was thinking about this one, but basically how, so one of the things that Nick said earlier was, Well, how does GRC Technology enable this? And that's what we're going to talk about next. So these are enabling technologies that I'll get into for those of you that are thinking about considering SafePaaS or something similar for deployment, I'll get into a little more of the details on how to enable this and SafePaaS
So, as I mentioned a minute ago, number one talks about creating that collaboration, and it's not just about customers that are deployed, but in the project it's even more chaotic because we're all working in a hybrid environment, many are remote across the globe, and most of our customers are global, so the project teams are global.
And so the collaboration aspect of how we get good requirements, design the solution, and configure and deploy is happening now in SafePaaS using dashboards and roles, for example, being able to simulate role design and tracking that. So that's all enabled in SafePaaS, and what happens when you go live is that not only are you going live with your ERP, but you're also taking on all of these controls you've developed during the project, and flipping the switch to make sure that you continuously monitor the controls that you're relying on for financial statement risk management, and so forth.
The second point is early detection of potential issues. So this is where you've gone live and now you have issues with, let's say, you loaded data through a third-party tool, or you had some manually entered, you brought in some contractors who put data in. Now you have issues where that's duplicate master data or even transactions. So invoices got paid twice. You want to prevent that. So with the fuzzy logic in SafePaaS, you can do transaction monitoring. You can also use it for what we call look-back analysis, which is what the auditors call it. Look-back analysis is to say that you can see what risk has materialized. In other words, SoD is a good example: it tells you what people can do, and the materialized risk analysis, the look-back analysis through advanced analytics in SafePaaS, will tell you what they did. So if they have the ability to create suppliers and pay suppliers, too bad, we didn't catch that, or we didn't remediate that in time.
But now you've got to explain to your audit committee, why did that not get caught?
And what you can do to figure out if that actually resulted in materialized risks. So being able to do that analysis, that look-back analysis, really helps you pinpoint if that "can do" turned into "did do". So you want to avoid that.
The third point is rapid deployment. So these configurations and controls, obviously, because we are a SaaS platform, we have over six million users using our platform, being monitored every day - a highly scalable platform. So we have collected over the years, and we've been doing this for a long time, for the Cloud for the last 5 years, a lot of this controls logic. So that's part of the SafePaaS repository.
And our partners, like EY, have a ton more. So by working with the two teams here, you can pick and choose, with the guidance and advisory coming from EY on which controls are relevant, but it's a jumpstart. So you're not starting from scratch. EY is great at using the templates and content you already have and building on that. I mean, three-way match testing is pretty much the same whether you're a company that does distribution or retail. So when you take your PO process, that's pretty much the same.
So many of the things can be scaled, and others are industry specific, which is where EY brings that domain knowledge that you can rely on, but the things that are supplier changes, customer credits and all that are fairly standard. So prebuilt content is a good way to jumpstart your controls if, let's say, you just missed that and it wasn't part of your initial talk about the project or part of the plan; it's not too late, we can help you jump start.
So that's the point we wanted to make about how you can proactively manage risks with SafePaaS and EY together.
Emma - Thanks for that, Adil. In the interest of time, I'm going to skip over the flows and best practices for the moment and go on to a customer case study, and then if we have time, we'll go back to the flows, but the slides will be available to all attendees anyway, with a summary of the session. So Navinder, if you can just walk us through this case study.
Navinder - So, a very famous company, one of our clients. Some of the challenges: number one, SoD controls, and Adil covered it in some detail earlier, but for this client, they had a lot of manual spreadsheets, and SoD was managed manually.
And they really wanted a platform that can enable them to periodically review and correct SoD. They also had some issues with user provisioning. They had different sources of information in that regard, and sometimes access via e-mail approvals, sometimes with ServiceNow, sometimes by SailPoint, so there was no common control, no one central location where everything was managed from a control perspective. User provisioning was also a big issue, not just for Oracle, but for many of the global financial systems in scope of SOX. These are the challenges they had, and what we implemented there, we've basically done three things.
Number one, we implemented our products for segregation of duties, enterprise access monitor or policy monitor, depending on the system. So now they've got fine-grained SoD, which really helps them with their audit and control, which wasn't the case earlier.
We've also implemented an end-to-end access recertification system there, which is completely automated; it saves them a lot of time and a lot of effort because, like I said, it's a single central audit platform, and they don't need to get data and run surveys for recertification of access. And we're also implementing MonitorPaaS™, which is basically for tracking changes to key configurations. The automation aspect has been really appreciated, because sometimes our main sponsors are from IT, the IT controls, or the internal audit teams, and sometimes they're from pure IT. And what happens with greater automation is that folks who are more IT oriented also see an improvement from an operational expenditure (OpEx) perspective. So the money they're spending here, the investment that's being made, which is primarily for improving their control and helping them with audit challenges, also ends up helping them from an operational expenditure perspective, as it's less manual work. I think, Emma, in a nutshell, I've covered all the other key points. I don't know if Adil has anything else to add, but I think that's, yeah, worthwhile, I think.
Adil - I think you covered it. I just want to kind of put a bow on here by saying, yeah, so when you're thinking about taking on this major transformative project, I think people that know what they're doing, experts who've done it before, and technology can really help enable that process and take some of that risk, and ultimately cost, out of this massive endeavour.
Emma - I am going to go on to the questions, because we have had some questions come in, so feel free to jump in and provide answers here. So, a question here: "As an implementation consultant solution architect, I know that a custom role from an application perspective may conflict with the need for this role from the business-as-usual perspective. So, if we customize a seeded role to accommodate this, it may cause issues in terms of complexity and maintenance. What are your thoughts here?"
Kara - I can jump in here. My top-line thought on this is that it is a much better proposition to build customized roles from a least-privileged-access perspective, due to a number of factors. One, if you think about risk and controls, you really do want to make sure that you're giving your users what they need and no more than what they need. It minimizes questions and minimizes concerns later. It minimizes rework in later terms. The other thing to consider is that, with delivered roles in Oracle Cloud, what we have observed at EY is that the majority of those roles have inherent SoD conflicts. They provide excessive access and they also introduce segregation of duties conflicts for your users in an environment where you're trying to reduce those types of conflicts. So we steer away from the use of the delivered roles for the majority of end users. There are exceptions, of course. There are always exceptions, but we would suggest strongly that you consider the use of customized roles that are fit to purpose for your organization. Does that answer the question?
Adil - That's exactly what we would help our customers do. From a tools perspective, though, we have this thing called Roles Manager. I don't know if you want to go back to that slide real quick, since we have a little bit of time, just for me to talk through that. So what we do is basically help you simulate that role. And so for that role, once we create the security model that we were talking about earlier, we're able to then work with partners like EY and basically choose what permissions, let's say, your custom role has. You can, simply by clicking, remove those privileges that are causing the excessive access, as Kara said, paraphrasing, and then also from an SoD perspective. So you can take a standard role from Oracle and minimize it to what the user actually needs, and also run a simulation within SafePaaS. So from an SDLC perspective, it saves you quite a bit of time and effort on a project. We had a customer that was able to generate, I think, 200 roles in 10 or 20% of the time it would have taken them to build it from scratch. And all we did was really automate that simulation step, because what they were finding is that even though they had good people designing the role, the time it took for the role to move from Dev to test to QA all the way to pre-prod for UAT was really causing a lot of delay, and there were changes coming in; like in all projects, you don't always get perfect requirements. So what a simulator does is basically address both the functional requirements that the business consultants have, as well as the controls requirement that ultimately management cares about.
That's just a quick way of automating. This flowchart describes how you can set that up in SafePaaS quickly and get started to get clean roles. There are also partners and folks out there that provide pre-developed content that you can start with, and then customize it. So lots of different ways of doing this.
Emma - That's great. I had a question come in through LinkedIn earlier.
Buy-in for risk and controls often gets pushback, so how can we prove that risk can be an actual driver rather than an obstacle in a project like this?
Navinder - So, I mean, a couple of quick comments. Firstly, it depends on the geography and the regulation. I mean, if you're in the US and listed on either the New York Stock Exchange or the NASDAQ, it's kind of mandatory that you're SOX compliant, and the risk is, you need to manage risk; even if you don't use the expertise that we've talked about on this call, you've got to find some other solution, because there is no way out. Some of these controls are quite critical from an IT general controls perspective. So you have to do it.
If you're not in the US, or if you're not listed on the US exchanges, then I think, globally, there is a movement towards better compliance and better controls. In the UK, I know, for example, we've had government-level conversations, and there have been reviews for having a UK SOX-like type model, because there have been a number of companies recently which have had very significant issues with audit, managing audit, and various things that happened in the company that really caused them to fail completely. In the UK we've had quite a few prominent examples, and also in Germany recently. So I think that the direction of it is that. If you strictly look at it from an internal investment perspective, if you don't take care of risks and the critical controls attached to those risks at the start of a project like this, it's likely to come back, and in some really complicated systems they're not something that you can fix in a day, even if you're not SOX compliant. For example, in ERP Cloud, with the standard roles there are many layers of roles underneath, with parent-child relationships and inherited roles.
If you have SoD and you've been using standard roles, as you know, that's going to be a huge remediation effort, and that's significant expenditure that's coming your way at some point, if you haven't done that. Other controls are similar: once you implement a process for assigning access, once you implement reconfiguration controls, change management, all of these areas that we've talked about today, prevention is better than cure. Basically, because your cure is going to be a lot more painful, and a lot more bitter, from my experience. So I think the case builds itself, if you can sell that to your management, and if you can't, I mean, this is really something that should have buy-in from the topmost levels of finance and IT management. But if you think about the three lines of defense, the second line of defense, really, especially your internal control team, should step up and help with this. I mean, I've seen these play a huge role in preventing some of these issues from getting out of hand. So I would really encourage conversations across teams, because eventually it affects everybody if something goes wrong.
Hopefully, that helps them.
Kara - If I could just add one other thing. I think I alluded to this earlier, and Navinder has touched on it as well: early integration of your compliance and internal audit teams is going to help support this implementation, and make sure that you are proactively looking at how this change affects your organization from an enterprise risk perspective, as well as just an ongoing operations perspective. One of the things that I've seen be most successful is having early and often communication from your project leadership and your organizational leadership, encouraging a partnership with those types of teams internally to work through what it's going to mean to me as an organization. So that everybody's kind of at the table at the right time, helping to think about some of the risks that you may be looking at, some of the changes that you may be looking at in your organization. So, early and often, lots of leadership support tends to lead to the most successful changes and implementations that I've seen.
Emma - Absolutely. So, does anybody have any closing comments, any top pieces of advice that they'd like to give our audience today on how to make a move to the cloud successful?
Navinder - If you already live on the Cloud, or if you're moving to the Cloud and it's new to you, just make sure you track the quarterly patches and updates. This is quite a significant shift from on-premise release 12 to the cloud. Basically, Oracle every quarter comes out with a lot of updates for literally every single application, and some of them create new permissions, new functions, some of them are completely new functionality, some functionality is changed. It is quite a significant thing. It's not like the olden days, I guess, one way. So I would highly recommend focusing attention on that, and don't underestimate that.