What you need to know to achieve effective Segregation of Duties in Oracle ERP CloudCan't work out the net effect of Security

Oracle ERP Cloud is the Enterprise Resource Planning (ERP) solution in Oracle’s family of Cloud SAAS products, and the company is actively incentivizing Oracle E-Business Suite and JD Edwards users to move in that direction.  But in order to make a successful move you need to do a full and detailed functional analysis. Please do not take the word of a salesman that it will properly support all your business functions.

Part of that evaluation has to be around the security and control of access to the system. This is a key company asset. You need to make sure you are not opening your company up to fraud, and you will need to satisfy your auditors about key issues like Segregation of Duties (SoD). In addition, if you’re subject to SOX compliance or similar legislation, there are key considerations that you need to be aware of.

Oracle ERP Cloud is a suite of applications for finance, project management, procurement, risk management and other core day-to-day activities important to every business, regardless of size, industry or geography.  The functionality is constantly evolving; you can find up-to-date information about its capabilities here.

SaaS (Software as a Service) applications can deliver huge business benefits, such as rapid implementation of new functionality at a much lower cost, reduced maintenance costs, and scalability, as discussed in this blog on Oracle.com.

With these new applications and their associated benefits comes an interesting evolution in security management: out of box roles, or Seeded Roles, as Oracle calls them. Although the concept is not new, deploying standardized roles in an integrated cloud-based environment brings both advantages and disadvantages.

Using Seeded Roles in Oracle ERP Cloud: the pros and cons

Oracle’s security methodology can be summarized with the statement: “Who can do what with which set of data”.

As recommended by all security implementation experts, Oracle ERP Cloud uses role-based access control (RBAC). Access to functions and data is defined at the role level rather than at the user level, which is the most efficient way to manage security, especially in large organizations that require scalability.

Three roles types are available:

  • Job Roles – what users with a particular job can do; e.g. financial analysts
  • Abstract Roles – common functionality that is not job specific; e.g both managers and employees need access to functions such as time sheet submission and expense reporting
  • Data roles – define which set of data a user can access.

Within the Oracle Financials Cloud module, for example, there are several common job roles that come “out of the box.” These Seeded Roles can be used as delivered or modified to suit your business; or you can create new roles from scratch.

The advantages of using Seeded Roles are very much in line with the benefits that Oracle promotes for adopting ERP Cloud:

  • Faster time to value, with pre-defined roles that can be provisioned immediately after installation
  • Reduced operational security management costs from using standardized roles
  • Scalability; these standard Seeded Roles exist in all Oracle ERP Cloud products. So, from the security implementation standpoint, adopting a new module should be a breeze – potentially.

But when you dig deeper and consider SoD and SOX compliance, the disadvantages of using the Seeded Roles come to light.

Oracle recognizes the need to “separate activities such as approving, recording, processing, and reconciling results so you can more easily prevent or detect unintentional errors and willful fraud”, and has designed its Seeded Roles accordingly.

To those of us implementing security that must adhere to strict compliance requirements, this sounds almost too good to be true…. and it is!

Oracle states that the duty definitions in Seeded Roles have been defined using the “Oracle Cloud SoD Policies”, but with no sight of the SoD policies, and no easy means of reporting on SoD violations, users can be left in the dark about the suitability of their security.

Of course, Oracle have a solution to this problem, the Oracle Risk Cloud (ORC). This is a huge and extremely functionally rich product set, but if SoD is an issue to you, you need to look closely at the price before you start your move to the cloud. And make sure you are sitting down at the time.

Users who aren’t licensed to use ORC can be left with a false sense of security that these Seeded Roles are compliant when they may not be. Factors that affect compliance within a role include:

  • Changes to roles – as soon as a Seeded Role is copied and modified it may no longer be compliant if privileges are added or removed
  • System configuration – if controls such as approval by batch type are implemented within the system, this may no longer be considered an SoD violation. The rules should be updated to reflect this functionality.
  • Use of data roles, access types and risk tolerance levels – how these are used can affect whether access rights breach SoD policies or not.

In all these examples, it’s very difficult to ascertain the true compliance status, until an auditor tests it and tells you.  This makes it impossible to be confident in your SoD controls:

  • Without knowing the SoD rules or the policies the Seeded Roles were designed against, how do you truly know they are compliant?
  • Without ORC, how can you test that any changes to roles, system configuration or newly created roles maintain compliancy?
  • How do you know if Oracle Cloud SoD Policies are the right fit for the risks that are important in your business?

During Oracle sessions at Oracle OpenWorld last October, some Oracle ERP Cloud customers were saying that their internal auditors had found many unexpected SoD violations while using the Seeded Roles. Our audit runs show many similar risks that most businesses will find shocking if they try and use this time saving but misguided approach.

Getting the right balance: Standardization vs Risk and Compliance

Standardization brings many benefits, but, as always, there’s a downside; Oracle assumes that the Seeded Roles will fit your organization with little to no customization and that the pre-defined Oracle Cloud SoD policies used to design the Seeded Roles will adequately test the risks in your business.  As experienced security implementors, we know very well this is almost never the case.

To corroborate this point, this Deloitte document on creating a robust control environment on Oracle ERP Cloud notes that “financial controls, segregation of duty free roles and IT controls do not come configured out of the box and are often not considered by system implementors.”  It says that Oracle ERP Cloud provides a platform for robust controls, provided the functionality is “switched on.”  It also recommends that the standard Oracle ERP Cloud controls should be enhanced.

One means of enhancing the controls is to use ORC, but as well as incurring extra costs, the product is still under development, and the implementation time will be months not days.

If your company is required to produce audit reports on SoD compliancy there is another option.

Our QCloud Audit As A Service enables you to conduct a Segregation of Duties audit of your Oracle ERP Cloud system quickly and easily, whenever you need it, with no strain on in-house technical resources.

This audit can help you to:

  • Prepare for an external audit
  • Produce SOX compliance reports
  • Prevent fraud
  • Prioritize and cost-justify remediation work

And the setup time is half an hour if you use one of our rule sets, or half a day if you want to import your own.

No longer will you be left guessing as to whether changes to Seeded Roles have been made and if they are compliant. This cost-effective solution delivers everything you need to build a customized SoD rule set with policies that are specific to your business processes.

The cloud-based service is easy to use, delivers results within a few hours and can be used by anyone within your business.  Our solution and services will have you up and running within a week – a compliance solution that truly has a faster time to value, keeps up with the latest cloud innovations trends and offers scalability – all at the right price.

Find out more here or contact us if you’d like to arrange a demo.