Case Study/ GP Strategies
GP Strategies Tames Access Controls, SoD Risks, and Compliance Demands with Fastpath
GP Strategies Corporation is a global performance improvement provider of sales and technical training, e-learning, management consulting, and engineering services. It is a $500M (USD) company with locations in 27 countries.
As with many companies implementing Oracle’s ERP Cloud solution, GP Strategies received a recommendation from their system integrator to use the Oracle seeded job roles. The integrator told them the seeded roles “worked fine” and provided the best ability to manage day-to-day business operations.
Following this advice, GP Strategies went live on Oracle ERP Cloud utilizing the seeded job roles provided by Oracle. Shortly thereafter, however, the problems that often accompany seeded job roles became apparent.
Seeded job roles are fraught with separation of duties (SoD) conflict challenges. Additionally, the seeded job roles allow extensive sensitive access to individuals who do not require it. This also increases risk, so
As a publicly traded company, GP Strategies must adhere to the Sarbanes-Oxley (SOX) compliance requirements. This means both management and an external auditor report on the adequacy of the company’s internal control over financial reporting.
For many publicly traded companies, SOX imposes heavy regulatory and financial costs as well as compliance burdens. Documenting and testing financial controls, both manual and automated, take significant effort and often are the most expensive piece of SOX compliance.
To help meet SOX requirements and reduce the internal compliance burden, GP Strategies looked for an audit and compliance solution that would integrate well with Oracle Cloud. The path forward also needed to provide detailed audit reporting, SoD visibility, and sensitive access analysis without increasing overhead and support costs.
Since there is no easy process within Oracle ERP Cloud to review job roles for SoD intra-role conflicts or across-role conflicts (this currently requires many reports and hours of research to review one job role) GP Strategies also needed a tool that would help review the new custom roles quickly and easily.
After some initial research, GP Strategies observed that most products were cost prohibitive. Fastpath proved to be the only cost-effective solution that met their strict compliance requirements. Not only was it within their budget and easy to manage from a functional perspective, but Fastpath also provided greater visibility into SoD conflicts and reduced time-to-issue identification and remediation. Further, it allowed for additional functionality other products did not offer (Change Tracking, Identity, Certifications).
As with most Audit/SoD tools, Fastpath does not provide content needed to test access control risks. The content must be defined by the client or an external consulting firm, and the client must know the content that is required. To understand which privileges in Oracle ERP Cloud are associated to each side of a separation of duties conflict can be extremely difficult and time consuming to research. GP Strategies looked to ERP Risk Advisors for this requirement.
ERP Risk Advisors provided GP Strategies its ERP Armor solution. The heart of ERP Armor is the design of your ERP Risk solution that blends a proven ERP Risk Architecture and ERP Risk content developed over 20 years. ERP Armor is software agnostic and provides a support model of quarterly and annual updates. This approach provides GP Strategies with continuous updates to the content to keep current with the risk. GP Strategies also engaged ERP Risk Advisors to perform a requirements analysis and supervise the role customization process. ERP Risk Advisors provided an in-depth evaluation of the roles required as well as the change management process associated with customizing roles. It was determined that 65+ custom roles would be required. An extensive analysis of SoD conflicts would be required during the role design process.
The greatest benefit of implementing Fastpath is GP Strategies’ new-found confidence in the quality of data produced. With the content provided by ERP Armor, they were able to review each new custom job role for SoD conflicts as the design development was in process. This enabled the design team to make updates quickly and the project to move along smoothly.
Once the custom job role design was completed and the pilot was in place, Fastpath was able to provide across-role conflict analysis. This allowed for control mitigations to be put in place where needed and for additional role design or remediation to be done. GP Strategies is now able to prioritize more than 150 SoD rules by risk, running the highest risk rules on a monthly basis. They are also able to process Role Reviews and Conflict Reviews by user on a quarterly basis to ensure job roles are provisioned correctly, and the mitigations are processed as needed.
Related case studies
A family-owned manufacturer needed help to review their risk management.
SBA Communications Improves SOX Compliance Processes and Reliability with Fastpath
National Manager of Assisted Living Communities
Start Up Real Estate Management Company Builds SOX Compliant and Scalable D365FO Security Framework in Expedited Timeframe