SAN FRANCISCO -- Henry Lyles is passionate about security. So as soon as he got the chance, the director of E-Business Suite functional support at McDonald’s got in front of senior executives to see if security was a priority for them.
It was. Executive support behind him Lyles then began a 12-week process of interviewing employees to determine their business roles, cleaning up separation of duties (SOD) conflicts, and training his employees on how to monitor and prevent them in the future.
“The security of the systems are always top-of-mind for executives,” he said. “For us we wanted to make sure we had a lot of controls around it and making sure we were proactive.”
The company has about 10 different modules within its Oracle E-Business Suite 12.1.2 application, and it wanted to make sure that employees weren’t taking on multiple duties that could create possible financial conflicts. The first part was business process mapping. Interviewing business users and finding out what they did gave Lyles and his team an idea of what people in different departments – accounts payable, general ledger, inventory, etc. – were doing.
As Lyles put it, there are many functions and user menus within E-Business Suite. Sometimes you might think you’re putting the right menus and functions together, but when you start looking across the various modules, you could easily run into some SOD conflicts. To that end, Lyles and others built a spreadsheet they could refer to later and which could serve as a guide when future business units came aboard.
“I didn’t want to do a one-time cleanup and that’s it,” he said. “I wanted something that my team could continue to run and detect if there were problems later.”
Bringing McDonald’s internal audit team in from the start so they could see what Lyles and his team were doing was an important part of the process. That way there was a common message when reporting back to upper management, who were keyed in on making sure the company had adequate security controls.
The project helped McDonald’s later when it brought in a new business unit. The company was able to be proactive, making sure that when it created a new business role it would not create an unapproved conflict.
“You want to make sure you have standards around the setups of responsibilities,” Lyles said. “It’s very helpful.”
All of this work was done with the help of Infosys. Now McDonald’s is considering buying Oracle Governance, Risk and Compliance applications to monitor not only the SOD issues but everything else around GRC. Lyles said there is no specific timeline for McDonald’s implementing Oracle GRC, as there are other, different Oracle projects within the company that are still underway.