Oracle Whitepaper

8/11/2019 Oracle Whitepaper

1/12

Real-Life Examples: Oracle AdvancedControls (OAC) Benefits in Oracle EBS

R12 Upgrades/ImplementationsTIM MURPHY, Director Governance risk & Compliance

kpmg.com


2/12

2 / Real-Life Examples

IntroductionImplementing or upgrading an Oracle eBusiness Suite (EBS) environmentis a challenging undertaking, but when done well, can deliver businessprocess improvement and enhanced business controls. Implementingcustomizations, maintaining consistent configuration settings, designingand implementing appropriate security and controls are critical to thesuccess of an implementation. This white paper will discuss ways inwhich the Oracle Advanced Controls Suite of products has been used byorganizations to enhance their performance in these key areas of theirimplementation and upgrade projects.

0 10 20 30 40 50 60 70 80

Limited staff

Maintaining customizations

Testing

Overall downtime/disruption

End user adoption

Business processes damaged/ alteredExecutive sponsorship

Data being damaged/altered

Increase in processing costs

Rise in training costs

Dont know/unsure

Other

Missed product launches/ slower time to market

Increase in costs related toadditional hardware required

63%

62%

60%

41%

36%

27%

21%

19%

10%

5%

5%

5%

3%

8%

Source: New Functionality, New Opportunities: 2012 Quest International Users GroupSurvey on Enterprise Application/ERP Suite Upgrade Strategies. Unisphere Research.

Key Drivers for an

Implementation or UpgradeWhile implementations and upgrades may differ in termsof scope, technology, and implementation approach,implementations are typically undertaken based on the sameset of common drivers:

Business Requirements New functionality available in thelatest release of Oracle EBS may support the achievementof a business requirement that is currently either unmet oris being met through manual workarounds. The ability todeliver enhanced functionality to the business may serve asthe impetus for an ERP implementation or upgrade.

Market Demands In order to keep up with competitorsand continue to meet the demands of stakeholders such ascustomers and investors, it may be necessary to implementnew business software such as Oracle EBS. Improvedbusiness software can enable an organization to increaseoperational efficiency, decrease cost, increase profitability,and deliver enhanced customer service.

Compliance In an environment of increased regulatoryscrutiny and more active oversight from managementand boards of directors, it is increasingly important fororganizations to maintain technology environments thatsupport compliance and strong information security controls.

ERP packages such as Oracle EBS include security and controlfeatures that, if deployed correctly, can help a companysafeguard its assets and strengthen its internal controls.

Technology Through delivery of more modern technologythat can improve the end user experience, an organization canincrease end user satisfaction. Additionally, operating costsmay be lower than that of maintaining legacy applications.

In order to improve the likelihood of a successful outcomefor an implementation or upgrade project, it is critical that anorganization maintain awareness of these risks and design andexecute on strategies for addressing each of these risks. TheOracle Advanced Controls (OAC) suite of products can be aneffective component of an organizations strategy for mitigatingseveral of the major risks noted above.

Implementation and Upgrade

RisksIn addition to having similar drivers, ERP implementations andupgrades typically face a common set of risks that may threatenthe successful achievement of the intended benefits. The tablebelow summarizes the results of a recent Quest InternationalUser Group survey regarding ERP implementation risks:

Figure 1 Commonly Identified ERP Implementation Risks


3/12

Real-Life E xamples / 3

Introducing the Oracle Advanced

Controls SuiteThe Oracle Advanced Controls Suite consists of four modulesthat can support the deployment of improved controls bothduring the implementation lifecycle and following go-live. Themodules of the Oracle Advanced Controls Suite, along withthe key features of each, are defined as follows:

Figure 2 Oracle Advanced Controls (OAC) Suite Overview

There are many benefits the OAC suite of products can bringduring an implementation or upgrade in order to help anorganization mitigate the previously-discussed risks. Theseinclude:

Customization Reduction and Efficiencies

Instance Governance

Application Security & Controls

Customization Reduction and Ef ficiencies Nearly all implementations and upgrades set the objective

of going vanilla. There are many valid reasons for this.Customizing an ERP application significantly increases the costof implementation as it increases the need for developmentresources as well as the time required to design, develop,implement, and test the solution. Additionally, customizationscan increase support costs as they must be supportedby internal resources due to the lack of vendor support.Customizations are also one of the most challenging areas ofan upgrade or patch application. For each customization, it Isnecessary to determine whether it wil l be migrated to the newOracle EBS version or will be impacted by a patch as well aswhether it requires any changes in order to function correctly inthe new version. Extensive testing must also be performed to

confirm that the customization was migrated successfully.

Despite these challenges, most implementations do involvesome level of customization. Customizations are oftenintended to address unique ways of doing business that givethe organization a competitive advantage. In such cases, anorganization may determine that the benefits of pursuing thecustomization outweigh the costs and risks.

The OAC Preventive Controls Governor (PCG) moduleoffers functionality that can lower the risk associated withcustomizations, enhance the ease with which an inventory ofcustomizations can be maintained, and increase the ability tomigrate customizations between environments. In relation to othermethods of customization, PCG provides the following benefits:

GUI-driven, providing greater ease of use

Does not require significant development knowledge

Shorter development cycle

Greater ease of inventorying customizations

Migration utility to move across environments

Portable through patches and upgrades

ConfigurationControlsGovernor

Monitor/compare configurationsthrough snapshots, comparisons, andauditing.

PreventiveControlsGovernor

Enforce business rules throughmodification/extension of formbehavior and execution of complexflow rules.

TransactionControlsGovernor

Monitor transactions to identifyunusual or suspicious activities.

ApplicationAccessControlsGovernor

Monitor and enforce access controland segregation of duties.

CCG

PCG

TCG

AACG


4/12


PCG rules are typically very organization specific and mustbe tailored to serve a purpose within the broader populationof internal controls in place within an organizations businessprocesses. Selected examples of PCG rules uti lized at some ofour clients include:

Defining required fields (e.g., reason codes required whenentering scrap transactions)

Populating default values or lists of values (LOVs) basedon conditions (e.g., Order Type LOV restriction for certainresponsibilities)

Enforcing business policies in a preventive manner (e.g.,prevent direct entry of purchase orders and allow onlyAutoCreate from approved requisitions)

Enabling real-time validation of data prior to completion of atransaction (e.g., identify A /P invoices coded to a fixed assetaccount without the track as an asset flag checked.)

Example 1 Reason Code for Scrap Transactions

Based on standard functionalit y of Oracle EBS R12, the Reason Code field on theMiscellaneous Transaction form is an optional field.


5/12


Through the definition of a form rule, the field can be set to required:

Step 1: Form Rule defined and triggering event set

Step 2: Subscribers are set to define applicability of the rule (i.e., specific users, responsibilities,operating units, data attributes, etc.)


6/12


Step 3 Rule actions are defined (set Reason Code as required field). Generatenotification that reason code is required.

The Form Rule in operation: In short, Form Rules can allow for the implementation of simpleor complex logic to extend the base-level functionality of OracleEBS forms. Using import/export functionality provided with PCG,rules can be migrated between instances of Oracle EBS andForm Rules are generally portable across implementations andupgrades, though some testing is necessary to assess whetherthey will continue to function correctly in view of changes tobase form functionality. One limitation users should be aware ofis that Form Rules cannot be defined for pages developed usingOA Framework. In these cases, it may be possible to achievethe intended objective using OA Framework Personalization.In addition to Form Rule functionality, PCG offers Flow Rulefunctionality that enables the configuration of complex businessflows including approvals and notifications without developingcustom workflows using Oracle Worflow Builder.


7/12


Instance Governance Implementation team members often face very tight timelinesfor configuring ERP environments in advance of each stage ofan implementation (e.g., development, unit test, CRP 1, CRP2, User Acceptance Test, etc.). Additionally, configuring OracleEBS set-up options is often a very manually intensive task. Oneof the results is that configuration errors are very common.

Testing issues identified during each stage are often correctedthrough configuration changes. Failure to properly reflectconfiguration changes in subsequent environments can leadto unnecessary and costly additional regression testing cycles.Application of patches during and after the implementation orupgrade may also introduce the risk of unintended changes toconfigurations. At the time of go-live, unintended cofigurationdifferences between various operating

units, inventory organizations, and ledgers may result innon-standard business processes, transaction processingerrors, or weaknesses in internal control.

The OAC Configuration Controls Governor (CCG) module canenable an organization to take snapshots of key configurationsand perform comparisons between snapshots from differentOracle EBS instances or of the same instance from differentpoints in time. These snapshots and comparisons can enhancethe efficiency with which configurations can be reviewed andquickly identify unintended configuration differences betweenenvironments, operating units, inventory organizations, orledgers. This may considerably increase the timeliness withwhich the organization identifies configuration errors, reducetesting issues and the need for re-testing, and mitigate the riskof introducing erroneous configurations in production.

Example 2 Instance Governance Across Environments

Step 1: Snapshot definition created, including key Oracle Payables objects

Step 2 Payables set-up inadvertantly changed between CRP1 and CRP2


8/12


9/12


Example 3 Access to new Oracle R12 functionality

Step 1: Relevant R12 Subledger Accounting functionality is identif ied and an entitlement is defined

Step 2: Access Model Defined including the new entitlement


10/12


Step 3: Model Run and Users/Responsibilities with access identi fied.Output exported to Excel for review and follow-up action.

Once access issues and segregation of duties concerns havebeen resolved with the use of AACG, the application can alsobe configured to enforce rules preventively by either preventingsystem administrators from assigning inappropriate accessrights or requiring approval from a designated business ownerbefore such access can be granted. This can help ensure theorganization does not go-live with appropriately allocatedaccess rights only to subsequently introduce segregation ofduties conflicts through errors in the user provisioning process.

While it is sometimes necessary to allow users to have access toconflicting functionality that it would be preferable to segregate,the OAC Transaction Controls Governor (TCG) module can beconfigured to monitor business transactions and identify thosebearing certain attributes the organization considers suspect.Among other purposes, this module may be used to assesswhether a user has performed multiple conflicting activitiesrelated to the same transaction (e.g., creating a vendor andentering an invoice and a payment for the vendor).

SummaryAs discussed in the examples illustrated in this white paper,if properly configured and utilized, OAC can enhance anorganizations ability to manage key implementation andupgrade risks and go-live with stronger automated controlsand security. OAC can provide the organization with

greater capability to perform necessary customizations ina more supportable manner using the PCG module. TheCCG module can expand the organizations resources foridentifying and correcting configuration issues before theycause testing issues and the need for re-testing, or worse,erroneous configurations in the production environment.The AACG module can be used to assess whether securityis properly configured prior to go-live and maintain securityfollowing go-live. The benefits benefits provided by OAC cangreatly enhance the outcome of an ERP implementation orupgrade project.


11/12

Real-Life Examples / 11


12/12

COLLABORATE 14

2014 KPMG LLP, a Delaware limited liabilit y partnership and the U.S. member fir m of the KPMG network of independent membe rfirms affiliated with KPMG International Coo perative (KPMG International), a Swiss entity. All rights reserved.

KPMG services described herein are not permissible for KPMG audit clients and their affiliates.NDPP S 25893 9

Contact us

Tim MurphyDirector, KPMG [email protected]

kpmg.com

Oracle Whitepaper

Documents

Transcript of Oracle Whitepaper