Think. Evaluate. Transform. Oracle EBS Post Implementation . - Deloitte

Transcription

Think. Evaluate. Transform.
Oracle EBS Post Implementation Review
September 2018
Private and confidential

Introduction
Oracle EBS post implementation review offerings
Our approach
Scope of work and deliverables
Our work experience
Appendix 1 – Sample analytics dashboards

Oracle EBS post implementation review offerings

- Oracle EBS Business Blueprint review: Review of Oracle EBS Blueprint document with the current Oracle EBS system functions.
- Authorisation and SOD review: Review of sensitive authorisations and SOD conflicts in Oracle EBS.
- Application controls review: Validate configuration settings and system controls in Oracle EBS system.
- General IT Controls review: Validation of GITC control areas viz. Access security, Computer Operations & Change Management.
- Data Migration review: Validating the procedures performed for conversion of data from legacy system to Oracle EBS system including master data review.
- Data Analytics: Interface Integrity, Master data analysis, Procure to Pay, Order to Cash, Hire to Retire, Fixed Assets.

Our approach

Application integrity framework

As part of our approach Oracle EBS and the supporting infrastructure will be covered as part of the review.

[Diagram: application integrity framework. Labels: Network/Hardware; Relevance Testing; In-built controls; Data migration; Application Integrity; Security & control design; Application management; Authorisation and SOD; Applications; Interface Integrity; Operating System; Database; Oracle EBS; Master Data analysis; Completeness of data; Outliers in the data; Business Processes]

- General IT Controls review: Access security, Computer operations, Change management
- Business blue print and Application review: Blue Print review, Business risk, Control objectives, Control requirements

Scope of work and deliverables

Oracle EBS business blue print review and understanding

Process: Business blueprint review

Scope of Work:
- Review Oracle EBS business blueprints, Technical specification documents, Functional specification documents, Business requirement documents – identify control requirements
- Examine high level policies, procedures, and guidelines and understand the control environment / requirements
- Review of Implementation results of Oracle EBS.
- Review usage/adherence to business processes implemented in Oracle EBS.
- Review results of integration testing.

Client involvement: Availability of process owners such as Manager, Role Owners and IT teams for discussions

Deliverables: Document as-is current process and recommendation for changes towards Oracle EBS Optimisation

Oracle EBS application controls review

Process: Application controls review

Scope of Work:
- Review Oracle EBS Implementation blueprint to understand control environment / requirements
- Review of Business and technical parameters setups and configurations in Oracle EBS on all modules
- Review control framework
- Review Industry policies, procedures and best practices for managing critical configurations in Oracle EBS
- Review of Automated Business controls incorporated in Oracle EBS for below modules:
  - Oracle Financials
  - Oracle Human Resource and Payroll
  - Oracle Order Management and Discrete Manufacturing (for Inventory)
  - Oracle Purchasing / Procurement and eProcurement
  - Oracle Projects
- Assess the gaps in the existing configuration controls areas with leading industry practices and document them
- Discuss the gaps and industry leading practices and provide the recommendation to streamline the process

Client involvement: Availability of process owners such as Manager, Role Owners and IT teams for discussions

Deliverables: Document as-is current process and recommendation for changes towards Oracle EBS Optimisation

Oracle EBS data migration review

Process: Data migration review

Scope of Work:
- Review Oracle EBS Implementation blueprint to understand control environment / requirements
- Review the data conversion results (i.e. management approvals, accuracy and completeness of the data used, actions taken on errors or reconciliation differences if any)
- Re-perform the data conversion reconciliations
- Integrity checks on Oracle EBS Master data (Masters pertaining to Vendors, Customers, Material, Price, Asset, General Ledger) for accuracy, duplicity and to show trends
- Assess the gaps in the data migration process, reconciliation difference and master data
- Provide recommendation on data migration process and optimise master data

Client involvement: Availability of process owners such as Manager, Role Owners and IT teams for discussions

Deliverables: Assessment report consisting of gaps, findings & recommendations. Analytical Dashboards detailing the results of master data review

Oracle EBS authorisation and SOD review

Process: Authorisation and SOD review

Scope of Work:
- Review access to sensitive and critical Oracle EBS menus and functions
- Workshop with process owners to understand SOD monitoring frequency
- Approval process for SOD rulebook update and the procedure for updating the rulebook
- Approval process for Mitigation Control update and the frequency of update
- Remediation process for identified conflicts
- Assess the gaps in critical authorisations, existing SOD monitoring, remediation and mitigation process with leading industry practices and document them
- Discuss the gaps and industry leading practices and provide the recommendation to streamline the process

Client involvement: Availability of process owners such as Manager, Risk Owners, Mitigation Control Approver, Mitigation Control Monitor and IT teams for discussions

Deliverables: Assessment report consisting of gaps, findings & recommendations

Oracle EBS general IT controls review

Process: General IT controls review

Scope of Work:
- Review security design documents, role administration processes and user administration processes
- Review information security and change management policies, procedures, and guidelines as applicable to the Oracle environment
- Review IT General Controls of Oracle EBS along with its underlying infrastructure i.e. Operating system, database and Networks for Access security, Computer Operations & Change Management domains
- Review client IT controls framework against industry leading practices and provide recommendations
- Assess the gaps in the existing process with leading industry practices and document them
- Discuss the gaps and industry leading practices and provide recommendations to the process

Client involvement: Availability of process owners such as Manager, Role Owners and IT teams for discussions

Deliverables: Document as-is current process and recommendation for changes towards Access security, Change Management and Computer operation process. Assessment report consisting of gaps, findings & recommendations

Oracle EBS application controls review

Client involvement: Process owners

Deloitte team will have regular discussions with process owners to understand the process in detail. Owners, referred to, are the people responsible to approve and reject the requests raised for various processes being reviewed.

- Manager: Supervisor of the user, responsible for user verification
- Role Owner: Responsible for role certification & Approver for role assignments to users
- Emergency Access Owner: Approver of emergency/sensitive access
- Emergency Access Reviewer: Reviewer of activities performed by the emergency access provided to user
- Risk Owners: Responsible for approving updates to risks within a business process in the SOD rulebook
- Mitigation Control Approver: Approver for mitigating the risks
- Mitigation Control Monitor: Responsible for monitoring user actions for the mitigated risks

Process: General IT controls review

Scope of Work:
- Review security design documents, role administration processes and user administration processes
- Review information security and change management policies, procedures, and guidelines as applicable to the Oracle environment
- Review IT General Controls of Oracle EBS along with its underlying infrastructure i.e. Operating system, database and Networks for Access security, Computer Operations & Change Management domains
- Review client IT controls framework against industry leading practices and provide recommendations
- Assess the gaps in the existing process with leading industry practices and document them
- Discuss the gaps and industry leading practices and provide recommendations to the process

Client involvement: Availability of process owners such as Manager, Role Owners and IT teams for discussions

Deliverables: Document as-is current process and recommendation for changes towards Access security, Change Management and Computer operation process. Assessment report consisting of gaps, findings & recommendations

Our work experience

Oracle EBS application controls review

Largest jewelry manufacturing and retail company
- Review of application controls / processes vis-à-vis blueprint documents
- Business cycle controls assessment
- Authorisation reviews and Master data analysis
- Security health checks
- SoD conflict analysis and remediation controls evaluation

Non banking financial industry
- Application review involving testing of configurations and automated controls
- Review of integration testing
- Review of General IT controls

One of India’s largest integrated solar player
- Review IT General Controls of Oracle EBS along with its underlying infrastructure for Access security, Computer Operations & Change Management domains
- Review of automated controls and reports present in Oracle EBS
- Gap reporting and process improvements

A leading global provider of new generation IT solutions
- Logical security review of super users
- Segregation of duty analysis using Automated controls testing tool (ACTT)
- Testing of interfaces present between Oracle and other legacy systems
- Review of general IT controls over computer operations

Appendix 1 - Sample analytics dashboards

Sample analytical dashboards for vendor master

Snapshot of Analytics 1: Vendor Master

Continuous monitoring and management of Vendor Master by identifying vendor duplicates, changes to vendor master and missing/invalid fields in Vendor Master.

Dashboard annotations:
- Tabular view of data for further analysis
- Filters to restrict all the views to show data specific to selection
- MOM vendor duplication trends basis details for: Bank, PAN, Vendor Names, Address
- Duplicate vendor activity basis duplicate groups
- User wise vendor details changed through the period
- MoM trend depiction for number of changes made to vendor details
- Vendor wise PO counts and INV amount

Snapshot of Analytics 4: Fixed Assets

Objective: Analysing exceptions and trends in the fixed assets process

Dashboard annotations:
- Visual representation of yearly and monthly trend of Assets based on their value and count. A spike in the year 2016 can be observed.
- Spread of Life Years of Assets belonging to the same asset Category. Assets belonging to the same category having a huge deviation in useful years would be potential outliers.
- Co-Relation between Asset Quantity and its value. Helps in identifying cases where assets are of High Value – Low Quantity.

Key Contacts

Johar Batterywala
Partner
jobatterywala@deloitte.com

Deepa Seshadri
Partner
deseshadri@deloitte.com

Deloitte refers to one or more of Deloitte Touché Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms.

This material is prepared by Deloitte Touché Tohmatsu India LLP (DTTILLP). This material (including any information contained in it) is intended to provide general information on a particular subject(s) and is not an exhaustive treatment of such subject(s) or a substitute to obtaining professional services or advice. This material may contain information sourced from publicly available information or other third party sources. DTTILLP does not independently verify any such sources and is not responsible for any loss whatsoever caused due to reliance placed on information sourced from such sources. None of DTTILLP, Deloitte Touché Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte Network”) is, by means of this material, rendering any kind of investment, legal or other professional advice or services. You should seek specific advice of the relevant professional(s) for these kind of services. This material or information is not intended to be relied upon as the sole basis for any decision which may affect you or your business. Before making any decision or taking any action that might affect your personal finances or business, you should consult a qualified professional adviser.

No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person or entity by reason of access to, use of or reliance on, this material. By using this material or any information contained in it, the user accepts this entire notice and terms of use.

2018 Deloitte Touché Tohmatsu India LLP. Member of Deloitte Touché Tohmatsu Limited
