Encana Corp., based in Calgary, Alberta, Canada, is a leading North American energy producer focused on growing its natural gas, oil, and natural gas liquids business. The company has operations in Canada and the US.
Encana uses JD Edwards EnterpriseOne for HR, supply management, and financial transactions. Enterprise resource planning (ERP) operations are always complex for big energy firms, but complexity increased for Encana when it, like other large publicly traded companies, had to comply with federal corporate accountability regulations as part of the Sarbanes-Oxley Act.
Greg Whitehead, manager, E1 Security and Controls, at Encana, focuses on ERP security and financial processes. He observes that when Encana originally implemented JD Edwards EnterpriseOne, it used an open security model. This gave everyone security access to everything, with access reduced on an as-required basis.
“Sarbanes-Oxley forced us to adopt a closed security model where specific roles are defined and people are only given access to the applications and processes they require for their particular job roles.”
Going All-In with ALL Out
Recently, Encana decided to upgrade to JD Edwards EnterpriseOne 9.1 and to evaluate risk and compliance solutions to move to a closed security model. The tools would need to keep personal data secure and establish controls to reduce the risk of fraud. Fortunately, Whitehead and his E1 Security team found a solution that met—and exceeded—their requirements: ALL Out Security’s toolset for risk, security, audit/compliance, and segregation of duties (SoD) management.
For Encana, two of the most useful ALL Out tools are the Project+ and Risk Reporting modules. Tools in Project+ automate the process for granting access to the security roles required for the Deny All security model. Project+ also includes applications for defining roles, users, and role assignments. Once roles are set up and input into the system, Risk Reporting makes it easy to run SoD reports and generate immediate alerts if any SoD risks are flagged.
For example, the SoD tool helps mitigate risks and eliminate A/P fraud—no small matter in a company that processes tens of thousands of A/P transactions a month. If a user has a role to manage A/P invoice processing, SoD rules set up within ALL Out ensure that people who make changes to invoices cannot also make changes to address book records. The system automatically reports any users who have both kinds of access so that the conflicting access can be eliminated. As a result, users can’t go into address book records and change information to send invoice payments to themselves while making it look like the payments are going to others.
“In our business, we require the ability to run reports to tell automatically if there are risks or broken controls,” says Whitehead. “In the past, we had to run different reports and do manual analysis to detect risk issues. Our processes are more streamlined now.”
Each week, the E1 Security team uses the ALL Out solution for security architecture and maintenance, and they also do weekly and quarterly security reviews. The team highly rates the reporting ALL Out delivers, which has negated the need to create customized reporting—especially useful when completing yearly compliance reviews.
This advertorial was originally published in the August 2015 JD Edwards special edition of Profit.