Real-Life Examples: Oracle Advanced Controls (OAC) Benefits in Oracle EBS R12 Upgrades/Implementations

Tim Murphy, Director, Governance, Risk & Compliance
kpmg.com

Introduction

Implementing or upgrading an Oracle E-Business Suite (EBS) environment is a challenging undertaking, but when done well, it can deliver business process improvement and enhanced business controls. Implementing customizations, maintaining consistent configuration settings, and designing and implementing appropriate security and controls are critical to the success of an implementation. This white paper will discuss ways in which the Oracle Advanced Controls Suite of products has been used by organizations to enhance their performance in these key areas of their implementation and upgrade projects.

Key Drivers for an Implementation or Upgrade

While implementations and upgrades may differ in terms of scope, technology, and implementation approach, implementations are typically undertaken based on the same set of common drivers:

- Business Requirements: New functionality available in the latest release of Oracle EBS may support the achievement of a business requirement that is currently either unmet or is being met through manual workarounds. The ability to deliver enhanced functionality to the business may serve as the impetus for an ERP implementation or upgrade.
- Market Demands: In order to keep up with competitors and continue to meet the demands of stakeholders such as customers and investors, it may be necessary to implement new business software such as Oracle EBS. Improved business software can enable an organization to increase operational efficiency, decrease cost, increase profitability, and deliver enhanced customer service.
- Compliance: In an environment of increased regulatory scrutiny and more active oversight from management and boards of directors, it is increasingly important for organizations to maintain technology environments that support compliance and strong information security controls. ERP packages such as Oracle EBS include security and control features that, if deployed correctly, can help a company safeguard its assets and strengthen its internal controls.
- Technology: Through delivery of more modern technology that can improve the end user experience, an organization can increase end user satisfaction. Additionally, operating costs may be lower than those of maintaining legacy applications.

Implementation and Upgrade Risks

In addition to having similar drivers, ERP implementations and upgrades typically face a common set of risks that may threaten the successful achievement of the intended benefits. The table below summarizes the results of a recent Quest International User Group survey regarding ERP implementation risks:

Figure 1: Commonly Identified ERP Implementation Risks

Limited staff: 63%
Maintaining customizations: 62%
Testing: 60%
Overall downtime/disruption: 41%
End user adoption: 36%
Business processes damaged/altered: 27%
Executive sponsorship: 21%
Increase in costs related to additional hardware required: 19%
Data being damaged/altered: 10%
Increase in processing costs: 5%
Missed product launches/slower time to market: 5%
Rise in training costs: 5%
Don't know/unsure: 3%
Other: 8%

Source: New Functionality, New Opportunities: 2012 Quest International Users Group Survey on Enterprise Application/ERP Suite Upgrade Strategies. Unisphere Research.

In order to improve the likelihood of a successful outcome for an implementation or upgrade project, it is critical that an organization maintain awareness of these risks and design and execute on strategies for addressing each of these risks. The Oracle Advanced Controls (OAC) suite of products can be an effective component of an organization's strategy for mitigating several of the major risks noted above.

Introducing the Oracle Advanced Controls Suite

The Oracle Advanced Controls Suite consists of four modules that can support the deployment of improved controls both during the implementation lifecycle and following go-live. The modules of the Oracle Advanced Controls Suite, along with the key features of each, are defined as follows:

Figure 2: Oracle Advanced Controls (OAC) Suite Overview

CCG (Configuration Controls Governor): Monitor/compare configurations through snapshots, comparisons, and auditing.
PCG (Preventive Controls Governor): Enforce business rules through modification/extension of form behavior and execution of complex flow rules.
TCG (Transaction Controls Governor): Monitor transactions to identify unusual or suspicious activities.
AACG (Application Access Controls Governor): Monitor and enforce access control and segregation of duties.

There are many benefits the OAC suite of products can bring during an implementation or upgrade in order to help an organization mitigate the previously discussed risks. These include:

- Customization Reduction and Efficiencies
- Instance Governance
- Application Security & Controls

Customization Reduction and Efficiencies

Nearly all implementations and upgrades set the objective of "going vanilla." There are many valid reasons for this. Customizing an ERP application significantly increases the cost of implementation as it increases the need for development resources as well as the time required to design, develop, implement, and test the solution. Additionally, customizations can increase support costs as they must be supported by internal resources due to the lack of vendor support. Customizations are also one of the most challenging areas of an upgrade or patch application. For each customization, it is necessary to determine whether it will be migrated to the new Oracle EBS version or will be impacted by a patch, as well as whether it requires any changes in order to function correctly in the new version. Extensive testing must also be performed to confirm that the customization was migrated successfully.

Despite these challenges, most implementations do involve some level of customization. Customizations are often intended to address unique ways of doing business that give the organization a competitive advantage. In such cases, an organization may determine that the benefits of pursuing the customization outweigh the costs and risks.

The OAC Preventive Controls Governor (PCG) module offers functionality that can lower the risk associated with customizations, enhance the ease with which an inventory of customizations can be maintained, and increase the ability to migrate customizations between environments. In relation to other methods of customization, PCG provides the following benefits:

- GUI-driven, providing greater ease of use
- Does not require significant development knowledge
- Shorter development cycle
- Greater ease of inventorying customizations
- Migration utility to move across environments
- Portable through patches and upgrades

PCG rules are typically very organization specific and must be tailored to serve a purpose within the broader population of internal controls in place within an organization's business processes. Selected examples of PCG rules utilized at some of our clients include:

- Defining required fields (e.g., reason codes required when entering scrap transactions)
- Populating default values or lists of values (LOVs) based on conditions (e.g., Order Type LOV restriction for certain responsibilities)
- Enforcing business policies in a preventive manner (e.g., prevent direct entry of purchase orders and allow only AutoCreate from approved requisitions)
- Enabling real-time validation of data prior to completion of a transaction (e.g., identify A/P invoices coded to a fixed asset account without the "track as an asset" flag checked)

Example 1: Reason Code for Scrap Transactions

Based on standard functionality of Oracle EBS R12, the Reason Code field on the Miscellaneous Transaction form is an optional field.

Through the definition of a form rule, the field can be set to required:

Step 1: Form Rule defined and triggering event set.

Step 2: Subscribers are set to define applicability of the rule (i.e., specific users, responsibilities, operating units, data attributes, etc.).

Step 3: Rule actions are defined (set Reason Code as required field). Generate notification that reason code is required.

[Screenshot: the Form Rule in operation]

In short, Form Rules can allow for the implementation of simple or complex logic to extend the base-level functionality of Oracle EBS forms. Using import/export functionality provided with PCG, rules can be migrated between instances of Oracle EBS. Form Rules are generally portable across implementations and upgrades, though some testing is necessary to assess whether they will continue to function correctly in view of changes to base form functionality.

One limitation users should be aware of is that Form Rules cannot be defined for pages developed using OA Framework. In these cases, it may be possible to achieve the intended objective using OA Framework Personalization.

In addition to Form Rule functionality, PCG offers Flow Rule functionality that enables the configuration of complex business flows including approvals and notifications without developing custom workflows using Oracle Workflow Builder.

Instance Governance

Implementation team members often face very tight timelines for configuring ERP environments in advance of each stage of an implementation (e.g., development, unit test, CRP 1, CRP 2, User Acceptance Test, etc.). Additionally, configuring Oracle EBS set-up options is often a very manually intensive task. One of the results is that configuration errors are very common. Testing issues identified during each stage are often corrected through configuration changes. Failure to properly reflect configuration changes in subsequent environments can lead to unnecessary and costly additional regression testing cycles. Application of patches during and after the implementation or upgrade may also introduce the risk of unintended changes to configurations. At the time of go-live, unintended configuration differences between various operating units, inventory organizations, and ledgers may result in non-standard business processes, transaction processing errors, or weaknesses in internal control.

The OAC Configuration Controls Governor (CCG) module can enable an organization to take snapshots of key configurations and perform comparisons between snapshots from different Oracle EBS instances or of the same instance from different points in time. These snapshots and comparisons can enhance the efficiency with which configurations can be reviewed and quickly identify unintended configuration differences between environments, operating units, inventory organizations, or ledgers. This may considerably increase the timeliness with which the organization identifies configuration errors, reduce testing issues and the need for re-testing, and mitigate the risk of introducing erroneous configurations in production.

Example 2: Instance Governance Across Environments

Step 1: Snapshot definition created, including key Oracle Payables objects.

Step 2: Payables set-up inadvertently changed between CRP1 and CRP2.

Step 3: Comparison of snapshots before and after the change displays the difference, supporting troubleshooting.

Once the configuration differences have been identified through review of comparison reports as depicted above, these differences can be corrected efficiently before scarce implementation team resources begin spending their time conducting testing activities. Snapshots and comparisons can also be conducted before and after applying patches or between different operating units, inventory organizations, and ledgers within the same environment in order to identify configuration errors.

An additional feature of CCG that may be of benefit in managing the configuration of an EBS environment is change tracking, which maintains before and after values for any configuration that has been changed along with the user who performed the change and the date on which the change occurred. It is also possible to require a reason code for a change or to require approval from a configuration owner prior to allowing the change to take effect.

Application Security & Controls

For organizations facing regulatory scrutiny and compliance requirements such as Sarbanes-Oxley, Basel III, and others, it is critical to ensure that an adequate system of internal controls has been designed and placed into operation. For organizations with modern ERP systems, automated controls and security typically form an important part of the overall internal control environment. Implementing proper automated controls and security prior to go-live is considerably more cost effective than retro-fitting these controls into an existing process after go-live. Additionally, designing and implementing controls prior to go-live may greatly reduce the likelihood of errors and malicious activity within the production environment. Implementation and monitoring of internal controls can be made considerably more efficient and effective through the use of the Oracle Advanced Controls Suite.
The OAC Application Access Controls Governor (AACG) module can be used to define the organization's application security and segregation of duties policies. The organization can then monitor an Oracle EBS environment to identify users and responsibilities with access to sensitive functionality (such as vendor master file access) and access to combinations of functions that pose segregation of duties conflicts (such as the combination of vendor master file and payment access). Some of the common uses during an implementation or upgrade may include:

- Confirming the appropriateness of responsibility and user access set-up
- Identifying users with access to new and sensitive functionality introduced as part of an upgrade (e.g., EBS R12 Subledger Accounting Functionality)
- Confirming that implementation team member access is appropriately restricted prior to go-live in order to prevent excessive access or segregation of duties conflicts
- Confirming that access to one-time-use functionality (e.g., data conversion programs) is removed from all responsibilities prior to go-live
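The kind of analysis described above can be sketched in a few lines. This is an added example, not AACG's own logic or code from the white paper; the users, responsibilities, function labels and entitlement names are constructed sample data, and the end-date handling is an assumption about how inactive assignments should be treated.

```python
from datetime import date

# Constructed sample data (not actual EBS function or responsibility names).
# Responsibility -> functions it grants.
RESP_FUNCTIONS = {
    "Payables Manager": {"Enter Invoices", "Create Payments", "Maintain Suppliers"},
    "Supplier Admin": {"Maintain Suppliers"},
    "Payments Processor": {"Create Payments"},
    "Data Conversion": {"Run Supplier Conversion"},
}
# User -> (responsibility, end date or None for an open-ended assignment).
USER_RESPS = {
    "ALEE": [("Payables Manager", None)],
    "BKIM": [("Supplier Admin", None), ("Payments Processor", None)],
    "CDIAZ": [("Payments Processor", None), ("Supplier Admin", date(2014, 1, 31))],
    "IMPL01": [("Data Conversion", None)],
}
# Entitlement = named set of functions; the policy refers to entitlements.
ENTITLEMENTS = {
    "Vendor Master": {"Maintain Suppliers"},
    "Payments": {"Create Payments"},
    "Conversion Programs": {"Run Supplier Conversion"},
}
SOD_CONFLICTS = [("Vendor Master", "Payments")]
SENSITIVE = ["Conversion Programs"]  # one-time-use access to remove before go-live


def active_entitlements(user, as_of):
    """Return {entitlement: set of responsibilities granting it} as of a date."""
    granted = {}
    for resp, end_date in USER_RESPS.get(user, []):
        if end_date is not None and end_date < as_of:
            continue  # an end-dated assignment no longer grants access
        for ent, functions in ENTITLEMENTS.items():
            if RESP_FUNCTIONS.get(resp, set()) & functions:
                granted.setdefault(ent, set()).add(resp)
    return granted


def run_access_model(as_of):
    """List (user, finding type, entitlement(s), where the access comes from)."""
    findings = []
    for user in sorted(USER_RESPS):
        granted = active_entitlements(user, as_of)
        for left, right in SOD_CONFLICTS:
            if left in granted and right in granted:
                shared = granted[left] & granted[right]
                if shared:
                    # The responsibility itself is conflicted and needs redesign.
                    detail = "single responsibility: " + ", ".join(sorted(shared))
                else:
                    # Each responsibility is clean; the combination is not.
                    both = sorted(granted[left] | granted[right])
                    detail = "across responsibilities: " + ", ".join(both)
                findings.append((user, "SOD", f"{left} + {right}", detail))
        for ent in SENSITIVE:
            for resp in sorted(granted.get(ent, ())):
                findings.append((user, "SENSITIVE", ent, resp))
    return findings


if __name__ == "__main__":
    for finding in run_access_model(date(2014, 4, 1)):
        print(finding)
```

Distinguishing a conflict inside one responsibility from a conflict created by combining responsibilities matters for remediation: the first calls for redesigning the responsibility, the second for changing the user's assignments.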

Example 3: Access to New Oracle R12 Functionality

Step 1: Relevant R12 Subledger Accounting functionality is identified and an entitlement is defined.

Step 2: Access Model defined, including the new entitlement.

Step 3: Model run and Users/Responsibilities with access identified. Output exported to Excel for review and follow-up action.

Once access issues and segregation of duties concerns have been resolved with the use of AACG, the application can also be configured to enforce rules preventively by either preventing system administrators from assigning inappropriate access rights or requiring approval from a designated business owner before such access can be granted. This can help ensure the organization does not go live with appropriately allocated access rights only to subsequently introduce segregation of duties conflicts through errors in the user provisioning process.

While it is sometimes necessary to allow users to have access to conflicting functionality that it would be preferable to segregate, the OAC Transaction Controls Governor (TCG) module can be configured to monitor business transactions and identify those bearing certain attributes the organization considers suspect. Among other purposes, this module may be used to assess whether a user has performed multiple conflicting activities related to the same transaction (e.g., creating a vendor and entering an invoice and a payment for the vendor).

Summary

As discussed in the examples illustrated in this white paper, if properly configured and utilized, OAC can enhance an organization's ability to manage key implementation and upgrade risks and go live with stronger automated controls and security. OAC can provide the organization with greater capability to perform necessary customizations in a more supportable manner using the PCG module. The CCG module can expand the organization's resources for identifying and correcting configuration issues before they cause testing issues and the need for re-testing, or worse, erroneous configurations in the production environment. The AACG module can be used to assess whether security is properly configured prior to go-live and maintain security following go-live. The benefits provided by OAC can greatly enhance the outcome of an ERP implementation or upgrade project.
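The transaction-level check described for the TCG module (one user performing several conflicting activities for the same vendor) can be illustrated as follows. This is an added example, not TCG's own logic or code from the white paper; the audit records, activity names and the HIGH/REVIEW labels are constructed assumptions.

```python
from collections import defaultdict

# Activities considered conflicting when one user performs them for one vendor.
CONFLICTING = ("CREATE_VENDOR", "ENTER_INVOICE", "CREATE_PAYMENT")

# Constructed audit records (not from a real system).
EVENTS = [
    {"user": "BKIM", "activity": "CREATE_VENDOR", "vendor": "V100", "doc": "V100"},
    {"user": "BKIM", "activity": "ENTER_INVOICE", "vendor": "V100", "doc": "INV-1"},
    {"user": "BKIM", "activity": "CREATE_PAYMENT", "vendor": "V100", "doc": "PAY-1"},
    {"user": "ALEE", "activity": "CREATE_VENDOR", "vendor": "V200", "doc": "V200"},
    {"user": "CDIAZ", "activity": "ENTER_INVOICE", "vendor": "V200", "doc": "INV-2"},
    {"user": "ALEE", "activity": "CREATE_PAYMENT", "vendor": "V200", "doc": "PAY-2"},
    # Same user as above, but a different vendor and a non-conflicting update:
    {"user": "ALEE", "activity": "ENTER_INVOICE", "vendor": "V300", "doc": "INV-3"},
    {"user": "ALEE", "activity": "UPDATE_VENDOR", "vendor": "V300", "doc": "V300"},
]


def find_conflicting_activity(events, min_activities=2):
    """Flag (user, vendor) pairs where one user performed several conflicting
    activities, with the supporting documents for follow-up."""
    done = defaultdict(lambda: defaultdict(list))  # (user, vendor) -> activity -> docs
    for event in events:
        if event["activity"] in CONFLICTING:
            key = (event["user"], event["vendor"])
            done[key][event["activity"]].append(event["doc"])

    findings = []
    for (user, vendor), acts in sorted(done.items()):
        if len(acts) < min_activities:
            continue  # access may conflict, but it was not exercised together
        performed = [a for a in CONFLICTING if a in acts]
        findings.append({
            "user": user,
            "vendor": vendor,
            "activities": performed,
            "docs": sorted(d for a in performed for d in acts[a]),
            # Full chain by one person is the strongest signal.
            "severity": "HIGH" if len(performed) == len(CONFLICTING) else "REVIEW",
        })
    return findings


if __name__ == "__main__":
    for finding in find_conflicting_activity(EVENTS):
        print(finding)
```

Grouping by user and vendor is what separates this from an access review: ALEE holds conflicting access but is flagged only for V200, where two of the conflicting activities were actually performed by the same person.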


Contact us

Tim Murphy
Director, KPMG LLP
617-988-5775
tlmurphy@kpmg.com
kpmg.com

COLLABORATE 14

© 2014 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. KPMG services described herein are not permissible for KPMG audit clients and their affiliates. NDPPS 258939