Real-Life Examples: Oracle Advanced Controls (OAC) Benefits in Oracle EBS R12 Upgrades/Implementations

TIM MURPHY, Director – Governance Risk & Compliance

kpmg.com


Introduction

Implementing or upgrading an Oracle eBusiness Suite (EBS) environment is a challenging undertaking, but when done well, can deliver business process improvement and enhanced business controls. Implementing customizations, maintaining consistent configuration settings, designing and implementing appropriate security and controls are critical to the success of an implementation. This white paper will discuss ways in which the Oracle Advanced Controls Suite of products has been used by organizations to enhance their performance in these key areas of their implementation and upgrade projects.

Key Drivers for an Implementation or Upgrade

While implementations and upgrades may differ in terms of scope, technology, and implementation approach, implementations are typically undertaken based on the same set of common drivers:

• Business Requirements – New functionality available in the latest release of Oracle EBS may support the achievement of a business requirement that is currently either unmet or is being met through manual workarounds. The ability to deliver enhanced functionality to the business may serve as the impetus for an ERP implementation or upgrade.

• Market Demands – In order to keep up with competitors and continue to meet the demands of stakeholders such as customers and investors, it may be necessary to implement new business software such as Oracle EBS. Improved business software can enable an organization to increase operational efficiency, decrease cost, increase profitability, and deliver enhanced customer service.

• Compliance – In an environment of increased regulatory scrutiny and more active oversight from management and boards of directors, it is increasingly important for organizations to maintain technology environments that support compliance and strong information security controls. ERP packages such as Oracle EBS include security and control features that, if deployed correctly, can help a company safeguard its assets and strengthen its internal controls.

• Technology – Through delivery of more modern technology that can improve the end user experience, an organization can increase end user satisfaction. Additionally, operating costs may be lower than that of maintaining legacy applications.

Implementation and Upgrade Risks

In addition to having similar drivers, ERP implementations and upgrades typically face a common set of risks that may threaten the successful achievement of the intended benefits. The table below summarizes the results of a recent Quest International User Group survey regarding ERP implementation risks:

Figure 1 – Commonly Identified ERP Implementation Risks

[Bar chart, scale 0 to 80 percent. Risk categories shown: Limited staff; Maintaining customizations; Testing; Overall downtime/disruption; End user adoption; Business processes damaged/altered; Executive sponsorship; Data being damaged/altered; Increase in processing costs; Rise in training costs; Missed product launches/slower time to market; Increase in costs related to additional hardware required; Other; Don’t know/unsure.]

Source: New Functionality, New Opportunities: 2012 Quest International Users Group Survey on Enterprise Application/ERP Suite Upgrade Strategies. Unisphere Research.

In order to improve the likelihood of a successful outcome for an implementation or upgrade project, it is critical that an organization maintain awareness of these risks and design and execute on strategies for addressing each of these risks. The Oracle Advanced Controls (OAC) suite of products can be an effective component of an organization’s strategy for mitigating several of the major risks noted above.


Introducing the Oracle Advanced Controls Suite

The Oracle Advanced Controls Suite consists of four modules that can support the deployment of improved controls both during the implementation lifecycle and following go-live. The modules of the Oracle Advanced Controls Suite, along with the key features of each, are defined as follows:

• Configuration Controls Governor (CCG) – Monitor/compare configurations through snapshots, comparisons, and auditing.

• Preventive Controls Governor (PCG) – Enforce business rules through modification/extension of form behavior and execution of complex flow rules.

• Transaction Controls Governor (TCG) – Monitor transactions to identify unusual or suspicious activities.

• Application Access Controls Governor (AACG) – Monitor and enforce access control and segregation of duties.

Figure 2 – Oracle Advanced Controls (OAC) Suite Overview

There are many benefits the OAC suite of products can bring during an implementation or upgrade in order to help an organization mitigate the previously-discussed risks. These include:

• Customization Reduction and Efficiencies

• Instance Governance

• Application Security & Controls

Customization Reduction and Efficiencies

Nearly all implementations and upgrades set the objective of “going vanilla”. There are many valid reasons for this. Customizing an ERP application significantly increases the cost of implementation as it increases the need for development resources as well as the time required to design, develop, implement, and test the solution. Additionally, customizations can increase support costs as they must be supported by internal resources due to the lack of vendor support. Customizations are also one of the most challenging areas of an upgrade or patch application. For each customization, it is necessary to determine whether it will be migrated to the new Oracle EBS version or will be impacted by a patch as well as whether it requires any changes in order to function correctly in the new version. Extensive testing must also be performed to confirm that the customization was migrated successfully.

Despite these challenges, most implementations do involve some level of customization. Customizations are often intended to address unique ways of doing business that give the organization a competitive advantage. In such cases, an organization may determine that the benefits of pursuing the customization outweigh the costs and risks.

The OAC Preventive Controls Governor (PCG) module offers functionality that can lower the risk associated with customizations, enhance the ease with which an inventory of customizations can be maintained, and increase the ability to migrate customizations between environments. In relation to other methods of customization, PCG provides the following benefits:

• GUI-driven, providing greater ease of use

• Does not require significant development knowledge

• Shorter development cycle

• Greater ease of inventorying customizations

• Migration utility to move across environments

• Portable through patches and upgrades


PCG rules are typically very organization specific and must be tailored to serve a purpose within the broader population of internal controls in place within an organization’s business processes. Selected examples of PCG rules utilized at some of our clients include:

• Defining required fields (e.g., reason codes required when entering scrap transactions)

• Populating default values or lists of values (LOVs) based on conditions (e.g., Order Type LOV restriction for certain responsibilities)

• Enforcing business policies in a preventive manner (e.g., prevent direct entry of purchase orders and allow only AutoCreate from approved requisitions)

• Enabling real-time validation of data prior to completion of a transaction (e.g., identify A/P invoices coded to a fixed asset account without the “track as an asset” flag checked.)

Example 1 – Reason Code for Scrap Transactions

Based on standard functionality of Oracle EBS R12, the Reason Code field on the Miscellaneous Transaction form is an optional field.


Through the definition of a form rule, the field can be set to required:

Step 1: Form Rule defined and triggering event set

Step 2: Subscribers are set to define applicability of the rule (i.e., specific users, responsibilities, operating units, data attributes, etc.)


Step 3: Rule actions are defined (set Reason Code as required field). Generate notification that reason code is required.

The Form Rule in operation:

In short, Form Rules can allow for the implementation of simple or complex logic to extend the base-level functionality of Oracle EBS forms. Using import/export functionality provided with PCG, rules can be migrated between instances of Oracle EBS, and Form Rules are generally portable across implementations and upgrades, though some testing is necessary to assess whether they will continue to function correctly in view of changes to base form functionality.

One limitation users should be aware of is that Form Rules cannot be defined for pages developed using OA Framework. In these cases, it may be possible to achieve the intended objective using OA Framework Personalization.

In addition to Form Rule functionality, PCG offers Flow Rule functionality that enables the configuration of complex business flows including approvals and notifications without developing custom workflows using Oracle Workflow Builder.


Instance Governance

Implementation team members often face very tight timelines for configuring ERP environments in advance of each stage of an implementation (e.g., development, unit test, CRP 1, CRP 2, User Acceptance Test, etc.). Additionally, configuring Oracle EBS set-up options is often a very manually intensive task. One of the results is that configuration errors are very common. Testing issues identified during each stage are often corrected through configuration changes. Failure to properly reflect configuration changes in subsequent environments can lead to unnecessary and costly additional regression testing cycles. Application of patches during and after the implementation or upgrade may also introduce the risk of unintended changes to configurations. At the time of go-live, unintended configuration differences between various operating units, inventory organizations, and ledgers may result in non-standard business processes, transaction processing errors, or weaknesses in internal control.

The OAC Configuration Controls Governor (CCG) module can enable an organization to take snapshots of key configurations and perform comparisons between snapshots from different Oracle EBS instances or of the same instance from different points in time. These snapshots and comparisons can enhance the efficiency with which configurations can be reviewed and quickly identify unintended configuration differences between environments, operating units, inventory organizations, or ledgers. This may considerably increase the timeliness with which the organization identifies configuration errors, reduce testing issues and the need for re-testing, and mitigate the risk of introducing erroneous configurations in production.

Example 2 – Instance Governance Across Environments

Step 1: Snapshot definition created, including key Oracle Payables objects

Step 2: Payables set-up inadvertently changed between CRP1 and CRP2


Step 3: Comparison of snapshots before and after the change displays the difference, supporting troubleshooting.

Once the configuration differences have been identified through review of comparison reports as depicted above, these differences can be corrected efficiently before scarce implementation team resources begin spending their time conducting testing activities. Snapshots and comparisons can also be conducted before and after applying patches or between different operating units, inventory organizations, and ledgers within the same environment in order to identify configuration errors. An additional feature of CCG that may be of benefit in managing the configuration of an EBS environment is change tracking, which maintains before and after values for any configuration that has been changed along with the user who performed the change and the date on which the change occurred. It is also possible to require a reason code for a change or to require approval from a configuration “owner” prior to allowing the change to take effect.

Application Security & Controls

For organizations facing regulatory scrutiny and compliance requirements such as Sarbanes-Oxley, Basel III, and others, it is critical to ensure that an adequate system of internal controls has been designed and placed into operation. For organizations with modern ERP systems, automated controls and security typically form an important part of the overall internal control environment. Implementing proper automated controls and security prior to go-live is considerably more cost effective than retro-fitting these controls into an existing process after go-live. Additionally, designing and implementing controls prior to go live may greatly reduce the likelihood of errors and malicious activity within the production environment. Implementation and monitoring of internal controls can be made considerably more efficient and effective through the use of the Oracle Advanced Controls Suite.

The OAC Application Access Controls Governor (AACG) module can be used to define the organization’s application security and segregation of duties policies. The organization can then monitor an Oracle EBS environment to identify users and responsibilities with access to sensitive functionality (such as vendor master file access) and access to combinations of functions that pose segregation of duties conflicts (such as the combination of vendor master file and payment access). Some of the common uses during an implementation or upgrade may include:

• Confirming the appropriateness of responsibility and user access set-up

• Identifying users with access to new and sensitive functionality introduced as part of an upgrade (e.g., EBS R12 Subledger Accounting Functionality)

• Confirming that implementation team member access is appropriately restricted prior to go-live in order to prevent excessive access or segregation of duties conflicts

• Confirming that access to one-time-use functionality (e.g., data conversion programs) is removed from all responsibilities prior to go-live


Example 3 – Access to new Oracle R12 functionality

Step 1: Relevant R12 Subledger Accounting functionality is identified and an entitlement is defined

Step 2: Access Model Defined including the new entitlement


Step 3: Model Run and Users/Responsibilities with access identified. Output exported to Excel for review and follow-up action.

Once access issues and segregation of duties concerns have been resolved with the use of AACG, the application can also be configured to enforce rules preventively by either preventing system administrators from assigning inappropriate access rights or requiring approval from a designated business owner before such access can be granted. This can help ensure the organization does not go-live with appropriately allocated access rights only to subsequently introduce segregation of duties conflicts through errors in the user provisioning process.

While it is sometimes necessary to allow users to have access to conflicting functionality that it would be preferable to segregate, the OAC Transaction Controls Governor (TCG) module can be configured to monitor business transactions and identify those bearing certain attributes the organization considers “suspect”. Among other purposes, this module may be used to assess whether a user has performed multiple conflicting activities related to the same transaction (e.g., creating a vendor and entering an invoice and a payment for the vendor).
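The two kinds of check described above, access analysis (who could perform conflicting functions) and transaction monitoring (who actually did, for the same vendor), shown side by side as an added Python example. It is not code from the white paper or from Oracle; the responsibility, function and user names, the policy and the transaction log are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: hypothetical names, not Oracle EBS identifiers.
RESPONSIBILITY_FUNCTIONS = {
    "AP Supervisor": {"maintain_vendor", "enter_invoice", "create_payment"},
    "AP Clerk": {"enter_invoice"},
    "Vendor Admin": {"maintain_vendor"},
    "Treasury": {"create_payment"},
}
USER_RESPONSIBILITIES = {
    "alice": {"AP Supervisor"},
    "bob": {"AP Clerk", "Vendor Admin"},
    "carol": {"Treasury"},
}
# Policy: pairs of functions one person should not hold together.
SOD_POLICY = [
    ("maintain_vendor", "create_payment"),
    ("maintain_vendor", "enter_invoice"),
]
# Constructed transaction log: (user, activity, vendor).
TRANSACTIONS = [
    ("alice", "maintain_vendor", "V100"),
    ("alice", "enter_invoice", "V200"),
    ("bob", "maintain_vendor", "V300"),
    ("bob", "enter_invoice", "V300"),
    ("carol", "create_payment", "V300"),
]

def access_conflicts(user_resps, resp_funcs, policy):
    """Access view: users whose combined responsibilities grant both
    functions of a conflicting pair, with the responsibilities involved."""
    findings = []
    for user, resps in sorted(user_resps.items()):
        granted_by = defaultdict(set)  # function -> responsibilities granting it
        for resp in resps:
            for func in resp_funcs.get(resp, ()):
                granted_by[func].add(resp)
        for a, b in policy:
            if a in granted_by and b in granted_by:
                findings.append((user, a, b, sorted(granted_by[a] | granted_by[b])))
    return findings

def exercised_conflicts(transactions, policy):
    """Transaction view: users who performed both activities of a
    conflicting pair against the same vendor."""
    done = defaultdict(set)  # (user, vendor) -> activities performed
    for user, activity, vendor in transactions:
        done[(user, vendor)].add(activity)
    hits = []
    for (user, vendor), acts in sorted(done.items()):
        for a, b in policy:
            if a in acts and b in acts:
                hits.append((user, vendor, a, b))
    return hits

if __name__ == "__main__":
    for row in access_conflicts(USER_RESPONSIBILITIES, RESPONSIBILITY_FUNCTIONS, SOD_POLICY):
        print("could:", row)
    for row in exercised_conflicts(TRANSACTIONS, SOD_POLICY):
        print("did:  ", row)
```

In the sample data, alice holds both conflicting pairs through a single responsibility but has not used them on the same vendor, while bob's conflict arises only from the combination of two responsibilities and is the one that shows up in the transaction view.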

Summary

As discussed in the examples illustrated in this white paper, if properly configured and utilized, OAC can enhance an organization’s ability to manage key implementation and upgrade risks and go-live with stronger automated controls and security. OAC can provide the organization with greater capability to perform necessary customizations in a more supportable manner using the PCG module. The CCG module can expand the organization’s resources for identifying and correcting configuration issues before they cause testing issues and the need for re-testing, or worse, erroneous configurations in the production environment. The AACG module can be used to assess whether security is properly configured prior to go-live and maintain security following go-live. The benefits provided by OAC can greatly enhance the outcome of an ERP implementation or upgrade project.


COLLABORATE 14

© 2014 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

KPMG services described herein are not permissible for KPMG audit clients and their affiliates.

NDPPS 258939

Contact us

Tim Murphy
Director, KPMG LLP
617-988-5775

kpmg.com