Fastpath Blog - Articles on Security, Audit and Compliance

Maintain continuous user security after sunsetting of Oracle GRC

Written by Fastpath | Aug 15, 2024 9:57:47 AM

As the deadline looms closer for Oracle to sunset all customer Oracle GRC support, now is the time to understand what it means for your company and your user security, and how to maintain continuous security after the May 2025 deadline. On July 23rd, Frank Vukovits and Pat Wadland, experts at Fastpath (now part of Delinea), discussed what is being affected, what your options are post sunsetting, typical internal controls challenges and how to maintain strong controls inside Oracle E-Business Suite (EBS) moving forward.

What is being affected after sustaining support?

Oracle’s sustaining support doesn’t go beyond programme essentials, including updates, fixes, security alerts and upgrade scripts. Fundamentally, if your question is not about program updates, fixes, security alerts, or upgrade scripts from the Premier and Extended Support periods, you are responsible for your own support.

Oracle may provide updates for products and technologies, including general maintenance, selected features, and documentation. However, they are not required to make any improvements or add new functionality. As Pat remarks, “good luck with software on Sustaining Support, customers!”

What are your options?

Now that we know what the challenge is, what are your current options to consider moving forward?

  1. Option One – Continue to use the Oracle GRC product

Whilst this is a viable selection for current customers, as outlined earlier, support options are extremely limited. The biggest consideration here, as Frank explains, is that you could be paying the same licence fee for a product that isn’t supported. In addition, any Oracle GRC licences could be linked to Oracle EBS, and as more licences get added to Oracle EBS, there is a scenario where you’re paying for a product that is out of support. It is wise to check your sales agreement to see exactly how your current Oracle GRC is licensed.

  2. Option Two – Manual Reports / Spreadsheet

A far less effective option would be to run reports manually, using offline tools such as spreadsheets. This approach is extremely time-consuming, prone to errors and will reduce overall effectiveness dramatically. Reports that are run automatically in Oracle GRC will need to be pulled by IT teams, and anomalies or control issues will need to be identified manually. This labor-intensive exercise is also one auditors tend to examine closely, due to the manual nature.

  3. Option Three – Third Party Solutions

There are options out there that allow you to stay with Oracle EBS, even without Oracle GRC. Frank explains, “Fastpath’s GRC module is a great option!” Fastpath has many Oracle EBS customers who have run Fastpath’s Access Control and Change Tracking modules for a long time, to complement Oracle EBS and provide a comprehensive GRC solution. There are strong solutions in the marketplace, including Fastpath, to help replace the functionality of Oracle GRC and work alongside Oracle EBS. Fastpath’s GRC module goes beyond traditional financial GRC, providing Separation of Duties (SoD) capabilities, user access reviews, tracking of changes to master data and monitoring of sensitive access along with elevated privileges.

Internal Control Challenges

Within Oracle business applications, such as Oracle EBS or Oracle Cloud Fusion specifically, strong controls are a must, if financials are to be trusted.

Control challenges specific to Oracle applications include:

  • Application Controls (P2P, O2C, R2R, etc.)
    • Duplicate Invoice Payments
    • Complexity of Configurations - Multiple configurations must be synchronized appropriately for many essential control activities to operate effectively. 
      • P2P = Invoice Matching
      • O2C = Customer Credit Checking
      • R2R = Journal Approval
  • IT General Controls (ITGC) – User Access
    • AZN Menus (EBS) – Backdoor access via Processes tab
    • Obtaining Reports of Active User-Job Role & User-Responsibility Assignments – Especially during EBS to Cloud migrations, these reports can help validate whether EBS user-responsibility assignments were mapped appropriately to Cloud user-job role assignments.
  • IT General Controls (ITGC) – Change Management
    • Diagnostics Menu (EBS) – Users can directly edit data, potentially bypassing controls
    • Oracle Cloud – Tracking key configuration changes not covered by Oracle’s native Audit Policies

Download the webinar slides to take a deeper dive into the specific Oracle Internal Control challenges. You can find out more about the importance of having a best-in-class Oracle GRC solution after sunsetting.

Internal Control Technology Buy-in best practices

When it comes to replacing Oracle GRC, this question always comes up at conferences or when talking to our peers in the industry – how can you convince stakeholders to invest in new technology, like a GRC tool? What benefits move the investment needle?

Moving to a GRC is not just an IT project or finance project. Using a tool to help with automation of internal controls can help your team and your organization with operational effectiveness. Some of the benefits that can help convince internal stakeholders include:

  • Cross-department commitment required, cannot just be a Finance project
  • Organizational Change Management (OCM) Linkage
  • Operational benefits
  • Redeploying resources
  • Doing more with less

To maximise the benefits of any GRC solution, Frank Vukovits always refers back to the compliance equation – people, process, technology. All three need to work harmoniously together to ensure you meet compliance needs. Again, download the webinar slides to see how Frank dives deeper into the equation and how to maximise any internal controls solution.

Conclusion

With time running out fast for the sunsetting of Oracle GRC support, it’s imperative to find a solution to keep your organisation compliant and to maintain strong internal controls. As Frank outlined, in most cases, Oracle GRC users have three options – stick with Oracle GRC, go offline and manual, or look for an alternative solution. Whilst there are positives and negatives for each, Fastpath’s GRC module works seamlessly with Oracle EBS, making for a stronger internal business case to stay on Oracle EBS and run an automated GRC solution.

Find out more about alternative GRC solutions available by visiting the Fastpath for Oracle EBS dedicated page.

Alternatively, if you want to learn more about Fastpath’s automated access certifications module, speak to one of our experts.