“We’re moving to ERP Cloud. Why should we review our current EBS security & controls now?”
A number of our clients are currently considering whether to stay on their reliable, stable, existing Oracle E-Business Suite (EBS) systems or move to Oracle ERP Cloud. We’ve previously shared our thoughts around planning security and controls into the ERP Cloud implementation, but a key recommendation we’d make is that you should review and tidy up your security and controls in your EBS system first. This is because:
1) If you don’t identify issues now, they’ll still exist in ERP Cloud. Our analysis shows that 8 of the 11 most common EBS Security and Control challenges will still cause you issues in ERP Cloud – poor segregation of duties, an excessive number of administrators, weak monitoring controls over changes to key master data – these are not going to be fixed just by ‘moving to ERP Cloud’. Nobody wants you to commit the time and energy to implementing a new ERP only to have auditors or reviewers come along and point out weaknesses in controls that could have been considered and fixed beforehand.
2) Fixing issues now will save you time as part of the ERP Cloud implementation. Identifying inconsistencies and addressing them now will mean you don’t need to spend that time later, when the implementer’s clock is ticking. For example, different parts of the organisation with different matching options in a purchase-to-pay process can be identified now, discussed now and a policy agreed before an implementer is on site. Equally, where segregation of duties issues result from operating model issues, it usually takes a while to agree what the access model should look like, and where it isn’t possible to segregate access, defining what counts as a legitimate mitigating control usually requires senior decision makers to agree a policy.
3) You can make better decisions around what you actually need. You may think you’ve got 500 Oracle Financials users on your EBS system so that’s how many subscriptions you need for Oracle Cloud Financials. However, a review of inactive users and of the privileges that current users are actually using may drop this down significantly, saving your organisation thousands of pounds a year in subscription fees. Additionally, if you know that maintaining segregation of duties is likely to remain an issue for your organisation, you may wish to implement additional modules such as ‘Oracle Fusion Advanced Access Controls’ and ‘Oracle Cloud Advanced Financial Controls’, which are both due in Oracle ERP Cloud Release 13 and will allow you to define and enforce segregation of duties rules, along with monitoring any exceptions where users have actually created a supplier and recorded an invoice against that same supplier.
4) It gives you power as part of the negotiations and during the implementation. ERP Cloud implementers will often talk about fixed cost/fixed timeline implementations. The only way this works is for them to use their standard templates to roll out your new system. Having your key business and systems risks documented, agreed and approved by senior management will save you time in identifying business requirements, but will also allow you to better review the implementers’ templates – and allow you to force the implementers to demonstrate how they’re controlling your risks. This is key for your organisation – you can then focus on reviewing whether what they’ve said meets your requirements actually does so in practice and, if there are any gaps in the solution, senior colleagues can sign off these gaps (or push the implementer to fill them) based on an awareness of the business risk they are agreeing to, along with any potentially mitigating controls.
At Systems Risk Services we recognise that the move from EBS to ERP Cloud can be a move to the unknown for Finance professionals and Internal Auditors. This is one reason why we created our bespoke, fast and high-quality Remote EBS Security and Controls Analytics service, which allows us to highlight both current issues in EBS and where these will cause a challenge in a future ERP Cloud system. Please click here for more information on this service or contact us if you wish to know more about our Oracle EBS and ERP Cloud security and controls services.