Case Study: Clayton Homes Realizes That Not All Rulesets are Created Equal
by Jeff Hare
Analysis in Brief
Founded in 1956 by Jim Clayton to refurbish and resell mobile homes, Clayton Homes was acquired by Berkshire Hathaway in 2003 and is now the largest builder of manufactured housing and modular homes in the United States.
When Clayton Homes moved from a legacy ERP solution to Oracle ERP Cloud, Matthew Rekers, in his role as Internal Auditor, saw the advantage of properly addressing Segregation of Duties (SoD) controls in their new ERP software before implementing it.
Clayton Homes chose ERP Risk Advisors to help identify SoD risks and define roles.
Clayton Homes successfully migrated to Oracle Cloud and Oracle SCM Cloud with minimal impact on user roles of SoD risks, passing their audit reviews with flying colors.
The largest manufactured home provider in the US achieved its new ERP implementation goals with help from ERP Risk Advisors… one of few companies gaining the benefits of a “Proactive” Approach
Most case studies are about success stories: the before and after, the cost and the benefits. So, what is the difference between this case study and others? Well, this is how one of Berkshire Hathaway’s Subs decided to, against all odds, balance functionality and security/controls artfully on the front-end of their massive ERP implementation to Oracle Cloud. It perfectly illustrates the tangible and intangible benefits of being “proactive” when it comes to user access risk management and setting up security and controls correctly from the start.
Headquartered in Maryville, Tennessee, Clayton Homes was founded in 1956 by Jim Clayton to refurbish and resell mobile homes. By 2002, Clayton Homes had a revenue of $1.2 billion and was acquired by Berkshire Hathaway in 2003. Clayton Homes is now the largest builder of manufactured housing and modular homes in the United States. Subsidiaries include Clayton Home Building Group, Clayton Properties Group, Vanderbilt Mortgage, 21st Mortgage, and the HomeFirst Insurance Agency.
When Matthew Rekers began his career at Clayton Homes over five years ago, he started in Internal Auditing. Soon after, Clayton Homes had outgrown their legacy ERP system and needed to move to a new cloud-based system. Clayton Homes chose Oracle Cloud to suit their company’s needs. Matthew’s experience in public accounting and his position in an internal audit role gave him a clear view of the opportunity to set up the new ERP system with proper Segregation of Duties (SoD) from the start. In a proactive move, he started an advisory project to make sure the SoD concerns and security were properly addressed before the company moved to Oracle Cloud and SCM Cloud.
Matthew contacted other Berkshire Subs and realized the task of reviewing and managing SoD controls for Oracle Cloud was extremely complex. He was advised on the need for an SoD software tool and a contextualized SoD conflict ruleset that could run against the new ERP system in order to help with the design and building of conflict-free roles. In doing his due diligence on the SoD tool, he came across what he terms “a boutique risk advisory firm” called ERP Risk Advisors.
To his surprise, Matthew discovered many companies were struggling with their SoD and security risk conflicts as well. Additionally, he had heard of the cost and headache of managing the fixes within the business process. Instead of making changes to the process beforehand, companies would go live without adjusting and then train their employees to make gradual improvements over the years to account for this. Making these changes after going live on the software was extremely time-consuming and costly. He was told by other companies that they could never go back and do it right and had to accept things as they were.
According to Matthew, “It turns out that many of the seeded roles within Oracle Cloud come with inherent SoD conflicts. I could never find anyone who dealt with SoD issues on the front-end, no matter what software was implemented, so I thought it would be a worthwhile goal to try with Clayton. We quickly gained the spotlight from Berkshire and were able to get post-implementation big-four audit review prior to go-live.”
Matthew gained buy-in from the C-suite to pursue this quest for proper balance of functionality/control and joined the ERP Team. His SoD team also considered other SoD solutions, but in their view, those were less robust, more expensive, and more challenging to use than ERP Risk Advisors’. “Plus,” Matthew explained, “I knew I would be able to work with high-level ERP Team members throughout the project. ERP Risk Advisors’ rulesets are desired by big-four, and they have the only ongoing maintenance option with ERP Armor for staying up to date. They are ahead of others in this space since they can dedicate 100% to risk content and advisory where the other big firms had divided their time.”
ERP Risk Advisors allowed Clayton Homes to focus on what they needed for the design of custom user roles. It also allowed them to save significant amounts of money on the build of those custom roles by bringing this function in-house. “We also felt that ERP Risk Advisors would be the most responsive to any concerns we had through the process, and they exceeded this expectation,” Matthew concluded.
“It is important to address security and controls, which includes segregation of duties, on the front-end and bake it into the already huge changes the company is about to embark on with an ERP implementation. Having the right rule stick/eyeglasses to review is crucial to success and that is why we chose ERP Risk Advisors.” – Matthew Rekers, ERP Specialist III and Risk Advisory Lead, Clayton Homes
Matthew’s team used ERP Risk Advisors to design user roles for both the Oracle Cloud financial and supply chain products prior to go-live. This allowed them to pass their Big Four auditor reviews with flying colors.
Leveraging ERP Risk Advisors from the start of their Oracle Cloud implementation made it much easier for Matthew’s team to monitor and maintain the security and roles within Oracle. ERP Risk Advisors lets his team review weekly automated SoD reports, monthly Sensitive Access (SA) reviews, and quarterly user access reviews with the business, and “has made ITGC and SOX compliance less of a concern,” he said. “And if anything is a problem, I learn about it through our monitoring reviews. We sleep better at night knowing we set up preventative controls on the front end. And if anything else gets through, it will be caught by our detective corrective reviews.”
The ERP Risk Advisor team can make updates to the custom roles internally and maintain sustainability without having to reach out to consulting firms and pay additional fees for updates. With their ERP Armor, they are always a phone call away to help with any questions as it relates to monitoring sensitive access issues and in keeping up with any changes with Oracle’s quarterly patches.
“We have been so pleased with ERP Risk Advisors! We have used them on additional projects such as the HR and Payroll systems update to Workday and the additional rollout of Oracle Transportation Management (OTM),” Matthew explained.
Lessons Learned … Before the Fact
When sharing his feedback about Clayton’s experience with ERP Risk Advisors, Matthew was compelled to stress that the CFO would like to use them when any new opportunities arose.
A key to the success of Clayton Homes implementing ERP Risk Advisors was to plan for and address SoD roles, controls, and rulesets on the front end, before the implementation began. “Many companies wait until the implementation is over and the roles have been baked in,” said Matthew. “Changing the roles at that point requires a complete overhaul of the business processes within the organization. This affects not only change management, but also the business practices after the users become used to how the new systems work.
“Setting up the security, SoD, controls, and roles with the proper functionality during the implementation makes it much easier for users because they are already changing their work routines with the new software and will not notice the difference.”
So, if this problem is so prevalent, why do so many companies fall into this trap? Matthew thinks he knows at least some of the reasons:
“It’s the nature of SaaS systems and the complexities of going to the cloud, along with the SIs not scoping in the security and controls into their bids because of fear of losing the contracts.
“The CFO is ultimately responsible for the control environment, but with the pace and growth of technology, you also need someone who understands the financial controls as well as the systems. That really is the challenge – having the right people on the team that can keep up with the technology.”
Another piece of the puzzle involves the systems integrator (SI):
“Most companies don’t know that implementing system functionality and configuring the system security and controls are two distinct parts of the job. Nobody audits on the front-end and tells them there are these gaps for exposure. And there are so many changes the system integrator is making when moving to a new system that it can easily get lost. Also, management seems to feel like this is already included with the SI, since they will throw the term security loosely in their proposals. The company is then forced to make the user and role changes after go-live, which can be very costly and disruptive on the business. Besides, no one is thinking that there might be inherent deficiencies in the seeded roles from large companies like Oracle. The SIs are often not even aware there is a problem with the seeded roles.”
According to Matthew, the CFO is ultimately responsible and needs someone to rely upon to make sure the security and IT teams get the necessary controls in place before going live. Functionality is usually “king” when it comes to implementations, and security and control can take the back seat very easily and be bypassed. Getting it right from the start will have an enormous impact on the employees using the systems, provide tremendous cost savings, and prevent the business from being blindsided on the backend when they get audited. “The front end,” he concludes, “is the best place to help companies begin a new implementation project and seamlessly move forward. ERP Risk Advisors has been the most effective and cost-effective solution in doing that.”
About Clayton Homes
Founded in 1956, Clayton is committed to opening doors to a better life and building happiness® through homeownership. As a diverse builder committed to quality and durability, Clayton offers traditional site-built homes and off-site built housing – including modular homes, manufactured homes, CrossMod™ homes, tiny homes, college dormitories, military barracks, and apartments. All Clayton Built® homes are proudly designed, engineered, and assembled in America. In 2021, Clayton built 60,701 homes across the country. Clayton is a Berkshire Hathaway company. For more information, visit claytonhomes.com.
About ERP Risk Advisors
ERP Risk Advisors is a risk content company for ERP systems and technology tools. Our content, ERP Armor, is used by organizations and external auditors to identify and manage risk. We also assist organizations in identifying and implementing GRC-related software from industry-leading companies.