Case Study: GP Strategies
By Jeff Hare
Analysis in Brief
Company Profile
GP Strategies Corp. is a global performance improvement provider of sales and technical training, E-learning, management consulting and engineering services with headquarters in Columbia, Maryland. It is a $500M (USD) company with locations spanning 27 countries worldwide.
Business Situation
GP Strategies went live on Oracle ERP Cloud utilizing the seeded job roles provided by Oracle. Shortly thereafter, the problems inherent in the seeded job roles were discovered.
Solution
GP Strategies needed to customize its job roles at an affordable price, in a way that was easy to manage and gave clearer identification of conflicts. ERP Risk Advisors provided GP Strategies with its ERP Armor solution.
Benefits
GP Strategies is now able to prioritize over 150 SoD rules by risk, running the highest risk rules monthly. They are also able to process Role Reviews and Conflict Reviews by user on a quarterly basis to ensure the job roles are provisioned correctly and the mitigations are processed as needed.
A Controls Improvement Case Study
Situation
GP Strategies Corp. is a global performance improvement provider of sales and technical training, E-learning, management consulting and engineering services with headquarters in Columbia, Maryland. It is a $500M (USD) company with locations spanning 27 countries worldwide.
As with most companies implementing Oracle’s ERP Cloud solution, they were told by their system integrator that the seeded job roles would be the best to use as they worked fine and would give them the best ability to process their day-to-day business functions. So, following their system integrator’s advice, GP Strategies went live on Oracle ERP Cloud utilizing the seeded job roles provided by Oracle. Shortly thereafter, the problems inherent in the seeded job roles were discovered. Seeded job roles are fraught with segregation of duties conflicts, and they grant extensive sensitive access to individuals who do not require it. It was determined that customizing the job roles was the necessary solution.
As a publicly traded company, GP Strategies must adhere to the Sarbanes-Oxley (SOX) compliance requirements, under which both management and an external auditor must report on the adequacy of the company’s internal control over financial reporting. For many publicly traded companies, SOX imposes heavy regulatory and financial costs as well as compliance burdens on the organization. Documenting and testing financial controls, both manual and automated, requires significant effort and is often the most expensive part of SOX compliance. To help meet SOX requirements and reduce the internal compliance burden, GP Strategies looked for an audit and compliance solution that would integrate well with Oracle Cloud and provide detailed audit reporting, segregation of duties visibility, and sensitive access analysis without increasing overhead and support costs.
There is no easy process within Oracle ERP Cloud to review job roles for segregation of duties conflicts, either within a single role (intra-role) or across roles. Reviewing one job role for conflicts takes many reports and hours of lookups. GP Strategies needed a tool that would help them review the new custom roles quickly and easily.
Solution
After some initial research, GP Strategies observed that most products (including Oracle’s Risk Management module) were cost-prohibitive. Fastpath proved to be the only cost-effective solution that met their compliance requirements. Not only was it within budget and easy to manage from a functional perspective, but Fastpath also provided greater visibility into SoD conflicts and reduced the time to issue identification and remediation. It also offered additional functionality that other products did not have (Audit Trail, Identity Manager, Access Certifications).
As with most Audit/SoD tools, Fastpath does not provide the content needed to test access control risks. The content must be defined by the client or an external consulting firm, and the client must know the content that is required. Understanding which privileges in Oracle ERP Cloud are associated with each side of a segregation of duties conflict can be extremely difficult and time-consuming to research. GP Strategies looked to ERP Risk Advisors for this requirement. ERP Risk Advisors provided GP Strategies with its ERP Armor solution. The heart of ERP Armor is the design of your ERP Risk solution that blends a proven ERP Risk Architecture and ERP Risk content developed over 20 years. ERP Armor is software agnostic and provides a support model of quarterly and annual updates. This approach provides GP Strategies with continuous updates to the content to keep current with the risk introduced by Oracle on a quarterly basis.
GP Strategies also engaged Protiviti and their highly skilled team to perform a requirements analysis and provide the role customization process. Protiviti provided an in-depth evaluation of the roles required as well as the associated change management process. It was determined that 65+ custom roles would be required. An extensive analysis of segregation of duties conflicts would be required during the role design process. The partnership between Protiviti, ERP Risk Advisors, and GP Strategies was formed.
Results
Data Integrity and Simplified Reporting
The greatest benefit of implementing Fastpath is GP Strategies’ newfound confidence in the quality of data produced. With the content provided by ERP Armor, Protiviti was able to review each new custom job role for segregation of duties conflicts while the design was still in development. This enabled the design team to make updates quickly and the project to move along smoothly.
Once the custom job role design was completed and the pilot in place, Fastpath was able to provide cross-role conflict analysis for GP Strategies. This allowed for control mitigations to be put in place where needed, and for additional role design or remediation to be done. GP Strategies is now able to prioritize over 150 segregation of duties rules by risk, running the highest risk rules monthly. They are also able to process Role Reviews and Conflict Reviews by user on a quarterly basis to ensure the job roles are provisioned correctly and the mitigations are processed as needed.
About GP Strategies
GP Strategies Corp. is a global performance improvement provider of sales and technical training, E-learning, management consulting and engineering services with headquarters in Columbia, Maryland. It is a $500M (USD) company with locations spanning 27 countries worldwide.
About ERP Risk Advisors
ERP Risk Advisors is a risk content company for ERP systems and technology tools. Our content, ERP Armor, is used by organizations and external auditors to identify and manage risk. We also assist organizations in identifying and implementing GRC-related software from industry-leading companies.