cisco oracle grc advanced controls case study con7988 update# 6

Copyright © 2015, Oracle and/or its affiliates. All rights reserved.

Oracle Risk Management Top 10 T&E Reporting Controls for EBS CON7988

Glen Walton Oracle Application Development Oct 28, 2015

Presented with

___________ Source-to-Settle


Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.


Today’s Panelists

• Sangeeta Roy, Senior IT Manager, Finance and Employee Services IT, Cisco Systems
• Jeramie Taylor, Manager Internal Controls, Noble Energy
• Joel Ninemire, Enterprise Applications Advisor, Noble Energy
• Gena Alexander, Snr Director Operations and Strategy, Oracle’s Source to Settle
• Chris Doxey, Chris Doxey Inc.


Sangeeta Roy

Expense Management

October 28, 2015

Oracle Open World 2015

Cisco – GRC Implementation


About Sangeeta Roy

Senior IT Manager, Finance and Employee Services IT

Cisco Systems Inc

IT Service Owner for Payable & Expenses, Procurement Services and Fixed Asset Management Services

IT Service Owner - Oracle Financials platform

Have been part of multiple transformational efforts at Cisco involving Oracle Upgrades to R12 and Large Scale Service Implementations in the past 18 years

Current Focus - Simplification of Services, Transformation of End-to-End Experience, Deeper Insights with Data


Cisco At A Glance

Revenue: $49.16B, Market Cap: 143.71B

Nearly 170,000 volunteer hours

$6.3 R&D

More than 71,000 employees

More than 70,000 channel partners

470 global sites doing business in 165+ countries

More than 18,000 patents

26,000+ Cisco Certified Engineers

#1 or #2 in most market segments we serve

More than 170 acquisitions

11,000+ Service professionals

FY15 Stats

Other Stats


Business Opportunity in an Evolving World

The Internet of Everything

Deeper Insights for Greater Decision Making

Empower People/ Increase Efficiency

Create and Expand New Markets and Services

Create Better Experiences to Build Better Relationships


Need of Compliance Monitoring

Increased Quantity and Complexity of:

Compliance requirement from internal/external audits

Global country regulations

Acquisitions and new Cisco entities

Automation is required for:

Solution compliance validation

Capability to monitor 100% of data

Scalability for Oracle and non-Oracle integration

Policy

Utilize a Policy Maturity Model to measure how effectively a policy:

• Identifies policy owner
• Dictates requirements
• Determines violations
• States remediation
• Is able to control

Process

Current process for policy violation detection and remediation:

• Manual audit/sampling
• Manual process design/implementation
• Manual communication

System

Majority of systems/tools requiring compliance enforcement are not integrated, and require:

• Invasive tool development
• Scripts to extract data
• Manual validation across multiple tools/systems
• Leveraging current capabilities


Compliance Monitoring with TCG

Policy: Evaluate policy for requirements and remediation; increase “policy maturity” when required

Control Rules: Translate policy requirements into data level logic to identify violations

Data Integration: Environment to consolidate transactions, and apply logic rules to identify violations

Remediation & Tracking: Track violations, execute and track remediation

Diagram (labels only): Policy CCM; Create compliance rules in TCG; Publish reports for operations; Track and manage history Compliance rules in TCG; Compliance Tx; Reports from TCG; Transactions; Compliance assessment through Incident and Remediation management; Process


Financials Landscape And Complexity

Diagram (labels only): Oracle R12.1.3; Core Financials; Employee Self-Service; Purchasing; iProcurement; iExpenses; General Ledger; Fixed Assets; Accounts Payable; Travel

Legend:

Platform Size: 9TB
# of Entities: 119
# of Expense Reports/year: 800K+
# of lines of Credit Card Transactions/year: 2M+
$ Purchase Reqs processed/year: $4B+


Expense Management Controls

Accounts Payable

iExpense

• File attachment on Expense Reports (ER): Identify ERs with supporting documents in unacceptable formats (editable attachments such as .txt)
• Amex/Cash surfing: Verify if same expense has been claimed both as Amex and cash
• Expense splitting **: Identify expenses that were split to avoid policy violation
• Forensic repeat offenders **: Identify expenses claimed in iExpense instead of booking through approved channels
• Collusion – analysis of attendees **: Analysis of attendees to highlight the pattern of interrelationship with co-workers related to suspicious ER activity

** Currently not Active
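
The two active iExpense controls above (editable attachments and Amex/cash surfing), written as data-level rules over constructed expense lines. This is an added example, not Cisco's or Oracle's TCG logic; the field names, the editable-extension list beyond .txt, and the matching rule (same employee, merchant and amount within three days) are assumptions.

```python
from collections import defaultdict
from datetime import date
from pathlib import PurePosixPath

# Assumption: extensions treated as editable; the slide names only .txt.
EDITABLE_EXTENSIONS = {".txt", ".doc", ".docx", ".xls", ".xlsx", ".rtf"}
# Assumption: card posting date and receipt date may differ by a few days.
DATE_TOLERANCE_DAYS = 3

def line(er, emp, pay, merchant, cents, day, attachment):
    """Build one expense line; field names are hypothetical, not EBS columns."""
    return {"er": er, "emp": emp, "pay": pay, "merchant": merchant,
            "cents": cents, "date": day, "attachment": attachment}

# Constructed sample data, not taken from any real system.
LINES = [
    line("ER1001", "E17", "AMEX", "Hotel Alpha", 41250, date(2015, 3, 2), "folio.pdf"),
    line("ER1004", "E17", "CASH", "hotel alpha ", 41250, date(2015, 3, 4), "receipt.TXT"),
    line("ER1002", "E22", "AMEX", "Taxi Co", 3800, date(2015, 3, 5), "taxi.jpg"),
    line("ER1003", "E22", "CASH", "Taxi Co", 3800, date(2015, 4, 20), "taxi2.jpg"),
    line("ER1005", "E31", "CASH", "Cafe Beta", 1500, date(2015, 3, 6), "notes.docx"),
]

def editable_attachments(lines):
    """ER numbers whose supporting document is in an editable format."""
    return sorted({l["er"] for l in lines
                   if PurePosixPath(l["attachment"]).suffix.lower() in EDITABLE_EXTENSIONS})

def amex_cash_surfing(lines):
    """Amex/cash pairs from one employee that look like the same expense."""
    groups = defaultdict(lambda: {"AMEX": [], "CASH": []})
    for l in lines:
        if l["pay"] in ("AMEX", "CASH"):
            key = (l["emp"], l["merchant"].strip().lower(), l["cents"])
            groups[key][l["pay"]].append(l)
    hits = []
    for (emp, _merchant, cents), g in groups.items():
        for a in g["AMEX"]:
            for c in g["CASH"]:
                # Same employee, merchant and amount, close in time: raise an incident.
                if abs((a["date"] - c["date"]).days) <= DATE_TOLERANCE_DAYS:
                    hits.append((emp, a["er"], c["er"], cents))
    return sorted(hits)

if __name__ == "__main__":
    print("Editable attachments:", editable_attachments(LINES))
    print("Amex/cash surfing:", amex_cash_surfing(LINES))
```

Widening the date tolerance or loosening the merchant match raises recall at the cost of more false positives, which is the tuning loop the deck's lessons learned refer to.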


KPIs and Incident Metrics

Control KPIs

• Cost Savings
• Compliance
• Incident Volume
• Restitution Rate
• Policy violators identified

Incident Metrics

• Total Incidents generated: 200-300 per day
• Incidents Resolved: 150-180 per day
• 15 active users


Benefits Summary

Benefit: Description

Cost Savings
• $800K-1.2M /year on Duplicate Entries/Payment Invoice Report

Compliance
• Improved compliance with Amex Cash surfing logic identifying more than 1400 policy violators in past year.
• Vendor duplicates identified and/or resolved in a year – 4000+. This has helped with better aligned Expense reporting.

CCM AP Experience
• Increase in CCM AP satisfaction by eliminating policy management via Excel files
• Awareness through increased visibility


Technology Stack and Implementation Facts

Graph Initial Build
• One (1) Year Data Analyzed
• 103 Million records processed

Graph Incremental Build
• 800 Thousand records processed

No. of Custom BOs
• Six (6) Custom Business Objects

No. of Controls
• Six in Accounts Payables
• Five in iExpense

Sync and Control Analysis Schedule
• Synch: Daily
• Controls: AP - Daily; iExpense – Weekly

GRC Version
• GRC-all-8.6.5.1645

Database
• Oracle DB 11.2.0.3.10

Browser
• Firefox 24
• Internet Explorer 9x, 8x

Application Server and Middleware
• Oracle WebLogic Server 12.1.2 with Oracle JDK 1.7.0_51
• Application Development Runtime 12.1.2 and RCU 12.1.2


Lessons Learned

Business
• First establish the benchmark metrics to help in deriving business value
• Plan for the resources needed for remediation
• Understand that TCG is not a reporting tool
• Understand the importance of Incident Status and State Code and how it affects the remediation process
• Iterative process (fine-tuning to avoid false positives)

Oracle Support
• Early engagement with Oracle
• Tight collaboration and partnership with Oracle

Hardware Configuration
• TCG analyzes millions of transactions so it needs enough resources (disk space and memory)
• Follow Oracle recommended h/w and s/w and make adjustments based on the volume of transactions

Model & Control Analysis Assessment
• Optimize the design of models
• Avoid nested UDO
• Validate the model results first before running the controls
• Verify the availability of business objects for the use cases
• Replicate read-only schema instead of using apps schema of EBS

ETL Performance Assessment
• Perform and document multiple iterations of graph build and Control Analysis. Monitor system resources
• Plan to get weekly or daily refresh of datasource data with production data
• Analyze transaction volume of each business object used in models
• Understand the ETL design and Data Extraction criterion


Agenda

1 Panelist Introductions
2 Travel and Expense Reporting Controls - Panel Discussion
3 More Resources


Oracle GRC Wins Ventana Technology Innovation Award!

“Oracle’s GRC solution provides a unique approach to the problem of risk management by automating risk controls which are embedded into critical business processes; applying leading edge technologies to solve complex risk challenges.”

- Mark Smith, CEO of Ventana Research


Pennsylvania Treasury GRC Project Wins Multiple Awards

Elite panel of judges (NASA CIO, FCC CIO, Army CIO and others) have selected PA Treasury IT project as one of the top 10 public sector projects of the nation


Case Studies and Speakers at OpenWorld 2015


Follow Us & join the conversation.

Oracle GRC Advanced Controls Group

OracleAdvControls @OracleAdvCntrls
