The Trade Desk
Case Study / Technology Company

Streamlining Separation of Duties for SOX Compliance in Oracle ERP Cloud

The Challenge

The Trade Desk is a technology company that offers a self-service, cloud-based media-buying platform where ad buyers can create, manage, and optimize digital advertising campaigns across ad formats and devices. But there’s more to the story. The Trade Desk built its platform with the goal of transforming media by helping brands deliver a more relevant, accurate ad experience—and it accomplishes this goal by maintaining a pure, buy-side focus, maintaining objectivity, independence, and transparency. This business approach has clearly resonated.
Launched in 2009, The Trade Desk has quickly become the fastest-growing demand-side platform in the industry, going public in 2016 with triple-digit revenue growth and profitability in an industry ruled by Google and Facebook. This success brought with it the need for Sarbanes–Oxley (SOX) compliance, as well as the need to put other checks and balances in place to ensure smooth operations and audits. At the time of the IPO, The Trade Desk was using Intacct as its ERP system but by 2018 had outgrown it and chose Oracle’s Cloud ERP.

“As we were doing the implementation, our concern was that when we were in the Intacct environment, system limitations required a lot of extra SoD conflict rule sets to monitor and a lot of extra manual controls. With Oracle, there’s a lot more system functionality that prevents that, but we were still concerned about going into the new system and missing something. But Fastpath provides an off-the-shelf standard ruleset for Oracle, which has proven to meet all of our needs. What you’re hoping for with this kind of software is that there’s nothing left to chance, and that is exactly what we have experienced with Fastpath.”

Michael Higgins, Sr. Manager, SOX Compliance, The Trade Desk

The solution

After evaluating their separation of duty (SoD) and other requirements, the company determined that the user access and security product closely associated with Oracle did not measure up to Fastpath’s comprehensive, interactive tool that enables companies to identify security conflicts within their ERP application, better understand their overall security, and provide the necessary documentation to both internal and external audit teams. The Trade Desk was already using Fastpath with Intacct, so they expanded their use to include SoD with their new Oracle implementation, since SoD was a requirement of the SDLC (software development life cycle) controls. Both systems were up and running fully in July 2019.

The results

“It’s been very positive,” said Michael Higgins, Senior Manager, SOX Compliance for The Trade Desk. “We have over 1,200 global users and more than 100 people in accounting and finance roles across three geographies. All are up and running on Fastpath. The revenue team is super happy to be able to generate critical change reports using the audit trail module.” 

On his end, Michael says the processes around Fastpath reporting monthly on conflicts, which he and the associate assistant controller address, have been working consistently, along with the twice-yearly SoD analysis. He also likes the fact that Fastpath put him in touch with a consultant who provides him with best practices, evaluating the company’s setup to ensure they are using Fastpath to its fullest. Incidentally, the answer to that question of using Fastpath to its fullest was a resounding “Yes”. The Trade Desk is indeed maximizing Fastpath reports and the Controls Library as well as the mitigation features.

The SOX team was also given the responsibility to manage user access reviews and role reviews to ensure there were no role conflicts and no SoD conflicts within the roles. “As we were doing the implementation, our concern was that when we were in the Intacct environment, system limitations required a lot of extra SoD conflict rule sets to monitor and a lot of extra manual controls,” said Michael. “With Oracle, there’s a lot more system functionality that prevents that, but we were still concerned about going into the new system and missing something. But Fastpath provides an off-the-shelf standard ruleset for Oracle, which has proven to meet all of our needs.”

But that’s not the end of the story. Around the time the Oracle implementation was completed, Fastpath rolled out the audit trail module. This was fortuitous because Michael’s team discovered that there were required reports that Oracle was not equipped to provide. After implementing the audit trail module, the revenue team was very happy that Fastpath allowed for reporting of changes and custom fields in customer master data. Michael and his team are happy, and the revenue team is happy, but perhaps more importantly, the company’s auditors are very happy.

After two years of comparing Fastpath with their internal tool, they are pleased with what they are seeing from Fastpath. Michael also points out that Fastpath has the flexibility to deal with something of a moving target; as regulations change, it is able to provide information and answers to questions the auditors haven’t asked in the past, and if a new requirement pops up, Michael can easily reach out to Fastpath to discuss possible enhancements to the product to accommodate it. Michael’s final statement says it all: “What you’re hoping for with this kind of software is that there’s nothing left to chance, and that is exactly what we have experienced with Fastpath.”