Case Study: Casey’s General Stores
by Jeff Hare
Casey’s General Stores, Inc. (Casey’s) is a chain of convenience stores in the Midwestern United States. The company is headquartered in Ankeny, Iowa, a suburb of Des Moines. As of April 30, 2019, Casey’s had 2,146 stores in 16 states with a revenue of $9B and growing. They employ over 36,000 personnel.
Analysis in Brief
Company Profile
Founded in 1968 in Boone, Iowa, Casey’s has steadily grown from the heart of one community to the next. Today they serve communities across 16 states with more than 2400 store locations.
Business Situation
Casey’s went live with Oracle Cloud using the seeded job roles, as well as customizing some of the job roles. They understood the implications of utilizing all the seeded roles and the issues they would cause. They were unable to utilize only the custom roles, so they currently are using a hybrid method of both custom and seeded job roles.
Solution
Casey’s chose ERP Risk Advisors to help understand, using ERP Armor, which privileges in Oracle ERP Cloud were associated with each side of a SoD conflict.
Benefits
Casey’s is now able to prioritize over 100 segregation of duties/excessive access rules by risk, running the highest risk rules monthly. They are also able to process Role Reviews by user on a quarterly basis to ensure the job roles are provisioned correctly and the mitigations are processed as needed.
A Risk Management Cloud Case Study
Situation
Casey’s went live with Oracle Cloud using the seeded job roles, as well as customizing some of the job roles. They understood the implications of utilizing all the seeded roles and the issues they would cause. They were unable to utilize only the custom roles, so they currently are using a hybrid method of both custom and seeded job roles.
As a publicly traded company, Casey’s must adhere to the Sarbanes-Oxley (SOX) compliance requirements, under which both management and an external auditor must report on the adequacy of the company’s internal control over financial reporting. For many publicly traded companies, SOX imposes heavy regulatory and financial costs as well as compliance burdens. Documenting and testing financial controls, both manual and automated, requires significant effort and is often the most expensive part of SOX compliance. To help meet SOX requirements and reduce the internal compliance burden, Casey’s looked for an audit and compliance solution that would integrate well with Oracle ERP Cloud and provide them with detailed audit reporting, segregation of duties visibility, and sensitive access at a reasonable cost.
There is no easy process within Oracle Cloud to review job roles for segregation of duties conflicts within a role (intra-role) or across roles (inter-role). Reviewing a single job role for conflicts or excessive access takes many reports and hours of lookups. Casey’s needed a tool that would help them review and improve their controls environment and stay on top of the segregation of duties conflicts and access controls.
Solution
After some research, it was determined that Casey’s would utilize the Risk Management Cloud application that Oracle has integrated with the ERP Cloud. Since the application is already built into the system, there is no outside or legacy integration necessary. Oracle Cloud has done the integrations for you.
As with most Audit/SoD tools, Risk Management Cloud does not provide content needed to test access control risks. The content must be defined by the client or an external consulting firm, and the client must know the content that is required.
Understanding which privileges in Oracle ERP Cloud are associated with each side of a segregation of duties conflict can be extremely difficult and time consuming to research. Casey’s looked to ERP Risk Advisors for this requirement. ERP Risk Advisors provided Casey’s its ERP Armor solution. The heart of ERP Armor is the design of your ERP Risk solution that blends a proven ERP Risk Architecture and ERP Risk content developed over 20 years. ERP Armor is software agnostic and provides for a support model of quarterly and annual updates. This approach provides Casey’s continuous updates to the content to keep current with the risk introduced by Oracle on a quarterly basis.
Casey’s team and the ERP Risk Advisors’ team formed a great partnership while implementing the Advanced Access Controls (AAC) module and the Advanced Financial Controls (AFC) module. The AAC module was instrumental in helping Casey’s see the segregation of duties issues that needed remediation and helped to improve the controls environment. The AFC module helped them review and audit configuration changes that have been made within their system during a specific time frame.
Results
The greatest benefit of implementing the Risk Management application is Casey’s newfound confidence in the quality of data produced. With the content provided by ERP Armor, Casey’s was able to review and remediate their segregation of duties conflicts, as well as excessive access risks. They were able to create and run controls associated with the auditing of configurations to review and prevent fraud and help with their compliance requirements.
Casey’s is now able to prioritize over 100 segregation of duties/excessive access rules by risk, running the highest risk rules on a monthly basis. They are also able to process Role Reviews by user on a quarterly basis to ensure the job roles are provisioned correctly and the mitigations are processed as needed.
About Casey’s General Stores
Founded in 1968 in Boone, Iowa, Casey’s has steadily grown from the heart of one community to the next. Today they serve communities across 16 states with more than 2400 store locations. Their focus will never waver from being the friendly face who brews your first cup of coffee to greeting you with a smile on your last stop after work. While they continuously aim to create innovative services and offerings, they always stay true to making life better for their communities and guests every day.
About ERP Risk Advisors
ERP Risk Advisors is a risk content company for ERP systems and technology tools. Our content, ERP Armor, is used by organizations and external auditors to identify and manage risk. We also assist organizations in identifying and implementing GRC-related software from industry-leading companies.