This article highlights some of the key considerations when working with Cloud ERP systems for Sarbanes-Oxley (SOX) requirements.
Pick your favorite cloud infrastructure; what do they all have in common? If the word scalability comes to mind, you aren’t alone; many organizations are opting to switch out their on-premise systems for scalable tools like Oracle’s Fusion Enterprise Resource Planning (ERP) Cloud and Oracle Enterprise Performance Management (EPM) Cloud. One of many benefits of using a cloud ERP system is the ability to scale and to centralize an organization’s many applications into one system, all while the vendor is responsible for managing the behind the scenes infrastructure. This sounds like a dream come true, but don’t get your hopes up too high, because your organization still has many key responsibilities. Organization’s must understand that with implementing a cloud ERP system, they are still responsible for how the application is configured, how to use them securely, and how to implement robust controls across the entire platform. Oracle’s Fusion ERP Cloud is a popular cloud ERP system that organizations may choose when opting for a scalable cloud ERP system. Oracle’s Fusion ERP Cloud has become a one-stop-shop; from providing modules for inventory, fixed assets, payables, receivables, general ledger, to creating custom reports to help with month-end close, everything is contained within one platform – and that just naming a few of the modules they offer.
In addition to this, Oracle also offers Oracle EPM Cloud, which offers organizations modules for account reconciliation (ARCS), financial consolidation and close (FCCS), data management (EDM), and planning and budgeting (EPBCS), which can tie directly into the Fusion ERP Cloud to provide a seamless integration that is invaluable to an organization. Implementing a cloud ERP or EDM system can quickly change an organization’s IT systems from legacy to legendary; but what are the key responsibilities as mentioned above? From a 1000-foot view, organizations are still responsible for their overall control environment. They must implement formal controls to ensure the control effectiveness of change management, user access management, and monitoring and support.
Oracle Cloud change management can be grouped in the following categories: 1) vendor upgrades, 2) custom report changes, 3) configuration changes. Oracle Fusion ERP Cloud system upgrades are released quarterly, and Oracle EPM Cloud system upgrades are released monthly. Organizations should create defined procedures to test any and all upgrades. In addition, key business stakeholders should be involved when functionality is changes to any module and formal approval should be given. All key controls should be tested for efficacy to ensure the upgrade does not affect functionality. Further, end-users should be notified of system outages.
Change management is not limited to system upgrades. Organizations have control over the development of custom reports and also configurations of different key settings within the various modules. Managing changes to custom reports and configurations, including who can perform changes and how they are tracked, is fundamental to ensuring proper change management procedures. Development activities such as these should be limited to appropriate individuals and tracked. Organizations new to the Oracle Fusion ERP Cloud and Oracle EPM Cloud must understand that changes to custom reports and configuration settings are not logged out of the box. Without the proper logging of changes, organization will not be able to maintain a complete and accurate audit trail of these changes. This audit trail is required to comply with Sarbanes-Oxley (SOX) compliance in order to provide auditors with a complete and accurate population to ensure that all changes were approved and followed necessary procedures as defined by the organization. For custom reports, logging is not systematically available to capture the changes to key reports throughout the year; the organization must develop alternative procedures to track all changes throughout the year. For configuration changes, logging must be turned on for each individual configuration setting. Audit policies must be turned on for the area in which the configuration setting lives for each key automated control. The process is time consuming and manual. When defining requirements for the implementation of the cloud system, organizations should budget the necessary hours to ensure completion during the overall implementation effort. A good starting point is to identify key Oracle automated controls.
User Access Management
Understanding the Oracle security structure can be cumbersome. Inappropriate user access can have catastrophic affects if not restricted appropriately. Oracle’s Fusion ERP Cloud and EPM Cloud come jam-packed with out-of-the-box roles that can be used to implement role-based access. Organizations, however, should use caution when relying exclusively on out-of-the-box roles; separation of duties (SOD) analysis should be performed, and custom roles should be developed if SOD issues exist. Each role is comprised of many entitlements, also known as privileges. A user is typically assigned one or more roles. Using only out-of-the-box roles may violate the principle of least-privilege as users may be inadvertently be given inherited entitlements that are not needed to perform their job function. To assist with analyzing roles and entitlements, organizations should consider implementing the Advanced Access Controls (AAC) Cloud, which “…enables continuous monitoring of all access policies in Oracle ERP, potential violations, insider threats and fraud”. Oracle’s AAC service allows organizations to evaluate access to sensitive areas within the system, as defined by the organization.
Oracle’s Fusion ERP Cloud and EPM Cloud are completely separate, and therefore user security is different. Oracle Fusion ERP Cloud’s most powerful roles include the Application Implementation Consultant (AIC) role, which has administrator level access, and IT Security Manager, which is used to manage users and their assigned roles. Oracle EPM Cloud has separate user security for each module implemented (i.e. ARCS, FCCS, EDM, EPBCS, etc) in addition to having completely separate user security than Oracle Fusion ERP Cloud. Although user security must be configured separately, the most privileged role stays the same: Service Administrator. Organizations must place heavy emphasis on restricting access to these roles and implementing least privilege to ensure users do not inadvertently modify system configurations that are critical to the organization. Unauthorized changes may affect system functionality, and from a SOX perspective, be the cause for a control exception.
In addition to the highly privileged roles mentioned above, organizations should identify all roles that have access to modify key control configurations. To do this, an organization must identify where the configuration item lives, and then parse through the entitlements for every role to determine the roles that have that access. For example, a key configuration might live in the “Manage Journal Sources” area within Oracle Fusion ERP Cloud; any control that has a key configuration within this area may be affected by any role with the “Management Journal Sources” entitlement.
Monitoring and Support
So you’ve completely implemented Oracle Fusion ERP Cloud or Oracle EPM – what’s next? Your organization needs to be able to provide continuing support for your user base, and chances are, the current IT department doesn’t have the knowledge or size to support it to the level that is needed. Until those resources are gathered and information is learned, a third-party provider may be brought in to support user tickets or to troubleshoot items. Emphasis should be placed on the roles and/or entitlements given to these users; although they may be an extension of your company, privileged roles such as AIC, IT Security Manager, or Service Administrator should be heavily restricted.
From a completeness and accuracy perspective, your organization should also implement controls to ensure data transfers and reconciliations between cloud systems are correct and timely. Tollgates should be placed in the process to require review and approval prior to final signoff after any data transfer.
From a due diligence perspective, procedures should be performed on any vendor or third-party that is providing a service. Oracle’s SOC 1/2 Type II reports for Oracle Fusion ERP Cloud and Oracle EPM should be reviewed in depth on an annual basis, and management may also decide to perform a walkthrough of the data center that is housing their infrastructure. Further, any third-party with access to your systems, if applicable, should be reviewed on an annual basis, and reliance should only be placed on a SOC 1/2 Type II report, which shows the operating effectiveness of the controls in place at that organization.
Schneider Downs’ dedicated IT, financial, and operational audit professionals have Sarbanes-Oxley experience working with a wide variety of industries of all sizes, both domestic and international. We have proven experience with the all the commonly used processes, applications, platforms, and databases, including Oracle Fusion ERP Cloud and Oracle EPM Cloud.
You’ve heard our thoughts… We’d like to hear yours
The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].
Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.