con8154 controlling for multiple erp systems with oracle advanced controls


Upload: oracle

Post on 29-Nov-2014


Copyright © 2014, Oracle and/or its affiliates. All rights reserved. |

Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.


Controlling for Multiple ERP Systems with Oracle Advanced Controls CON8154

Eugene Hugh - InterContinental Exchange

Dane Roberts - Oracle GRC Strategy

Stephen D’Arcy - PWC

October 2, 2014

Presented with

@OracleAdvCntrls

Oracle GRC Advanced Controls


Agenda

What are Oracle GRC Advanced Controls?

Case Study:

•Background

•ICE Requirements

•Challenges

•Solutions

•Project Summary

•What’s Next?


Reality: Document/Email Approaches Challenge GRC

OCEG SURVEY • 2014 GRC Technology Strategy Survey • www.OCEG.org HOW ORGANIZATIONS APPROACH AND ADAPT THEIR TECHNOLOGY STRATEGY FOR GRC

70%: SPREADSHEETS, DOCUMENTS, EMAIL & IN-HOUSE SOLUTIONS

30%: 1 OR MORE COMMERCIAL GRC SOLUTIONS

The lack of modern technology makes achieving goals challenging

The impact on FTEs is particularly significant

One financial services organization stated that 80% of their GRC staff resources were nothing more than document reconciles for reporting. […] A mess they are aggressively trying to correct.

70% of GRC professionals reported that they use Spreadsheets, Emails, Custom Reports Apps.


When looking for new GRC technology, organizations indicate that the primary goals they aim to achieve are:

Drivers: for Adopting New GRC Technology

OCEG SURVEY • 2014 GRC Technology Strategy Survey • www.OCEG.org HOW ORGANIZATIONS APPROACH AND ADAPT THEIR TECHNOLOGY STRATEGY FOR GRC

#1 INCREASE ANALYTICS & RAPID VISIBILITY OF RISK: “Complex risk and regulatory environments demand advanced capabilities of risk data integration and analytics to provide full situational awareness of risk”

#2 IMPROVE CONSISTENCY OF INFORMATION: “Organizations are realizing that good GRC requires good information, there is increasing focus on the integrity and consistency of GRC information”

#3 MEET NEW REGULATORY REQUIREMENTS: “Regulatory change has more than doubled in several industries over the past five years (e.g., banking, insurance, healthcare) and drives the organization to GRC technologies that enable regulatory intelligence and agility”

#4 REDUCE COSTS & IMPROVE PERFORMANCE: “When deploying new GRC technologies the organization is driven to reduce costs while increasing the performance of business operations”


Comprehensive Risk & Controls Management

Close the LOOP: Assess Risk & Compliance; Detect and Fix Issues; Continuous Improvement and Monitoring

1. BUSINESS RISKS: Identification, Analysis, Evaluate

2. CONTROL OBJECTIVES: Document, Assessments, Reviews

3. CONTINUOUS MONITORS: Author, Execute, Investigate


Custom or Legacy Applications

Enterprise Risk and Controls Foundation: One Unified Platform

Flexible

• Graphical Authoring • Detect and Prevent • Access, Transactions, Setups

Data Driven

• 100% of Transactions • Manage by Exception • Pattern Analysis

Comprehensive

• Multiple GRC Projects • From Documentation to Test • Closed Loop Approach

Enterprise Risk & Controls Foundation

Dashboards, Reports and Alerts

Notifications Worklists Email Perspectives Search

Risk, Controls & Compliance Management

Reviews Documentation Assessments Remediation Surveys

Continuous Controls & Risk Monitoring

Setups Access Master Data Audit Tests Transactions

User Authored Controls Data Connectors Fraud & Error Patterns

Role Based Access Security

Web Services & APIs


Specialized Partners Increase your Return On Investment

• Get more from Advanced Controls: Specialists address more of your needs with Advanced Controls’ many capabilities

• Increase your organization’s effectiveness: Specialists help you embed Advanced Controls in your business processes

• Accelerate your implementation: Specialists guide and support you during planning, implementation and go-live


Intercontinental Exchange, Inc. (ICE)

Oracle Advanced Controls Implementation “One AC instance connected to two different ERP’s”

www.pwc.com

“Any trademarks included are trademarks of their respective owners and are not affiliated with, nor endorsed by, PricewaterhouseCoopers LLP.”


About ICE


Background


Client Background

• ICE (runs PeopleSoft) located in Atlanta

• PeopleSoft is hosted off-premise by a Hosting Provider

• ICE recently acquired NYSE (runs Oracle EBS)

• EBS is hosted on-premise in New York

Oracle Advanced Controls

• Needed a solution to address operational and compliance needs

• Goal to implement by summer 2014

• Needed a partner to navigate their complex IT environment and implement a right-sized, sustainable, scalable solution

• Decided to implement an on-premise Advanced Controls environment

Requirements


EBS Visibility

Having recently acquired NYSE, ICE wanted to gain visibility into the risks, controls and transactions within their EBS environment.

PeopleSoft Visibility

Access, configurations and transactions were difficult to manage with standard PeopleSoft functionality alone.

Operational Efficiency

The business needed to analyze certain risky transactions on a periodic basis, and was stuck with ad-hoc queries written by IT and manual investigation in the ERP systems.

Controls Automation

ICE was looking to drive automated control over access and configurations to improve the efficiency of their internal and external audits.

Scalability

Given the extent of integration and expansion that is and will be going on at ICE over the next several years, the solution had to be scalable to accommodate future change.

Audit Support

Build a sustainable automated solution that could evaluate security, segregation of duties, automated controls and transactional activity to support Internal and External Audits.


Solutions


The Right Collaboration

PwC worked with ICE to help create a tailored, right-sized solution to their operational and compliance needs.

Business, internal audit, and IT stakeholder involvement was a key success factor from requirements gathering through implementation.

Transactions

Led by the business, the stakeholders identified 22 ways they could use TCG to improve exception-based transaction reporting.

This was narrowed down to 18 key requirements for Phase I across 5 business and IT processes.

Security & Segregation of Duties

The stakeholders identified 98 ways they could use AACG to address existing operational and compliance concerns.

This was narrowed down to 61 key requirements for Phase I across 8 business and IT processes.

Configuration Mgmt.

In a discussion driven by IT, the stakeholders identified 141 opportunities for continuous configuration monitoring using CCG.

This was narrowed down to 130 key requirements for Phase I across 7 business and IT processes.


Systems Diagram

AACG & TCG CCG


Project Scope/Summary/Benefits


Delivered Scope

• Approximately 90-120 Security and SOD controls in AACG

• Approximately 90-120 Configuration Change Trackers in CCG

• Approximately 15-25 Transaction Analytic controls in TCG

• PCG considered for NYSE but not included

Timeline

• Phase I: February – August 2014

• Initial go-live for NYSE AACG and CCG given audit requirements (June 2014)

• Final go-live for NYSE TCG and ICE AACG, CCG and TCG (Aug 2014)

Stakeholder Groups

• ICE business process control owners for key processes

• ICE and NYSE system administrators

• ICE internal audit team

Benefits

• Increased automation in the quarterly access review process

• Increased visibility into risks in the EBS and PeopleSoft environments

• Resulting changes made to improve security, configurations & processes

• Automation of various audit activities


Advanced Controls Examples

• GL Entries not posted at month end

• AR Entries without GL entries

• Duplicate Employees

• Duplicate Invoice Payments

• Refunds over specific threshold

• Unusual Journals – Debit Rev, Credit Expenses

• Inactive users

Business Solutions beyond Compliance and Internal Audit


Advanced Controls Examples (cont’d)

• Custom Content/Objects for PeopleSoft

• Change trackers to monitor changes to automated controls

• Impact assessment during patch application

• Ability to compare setup changes during integration of NYSE (EBS) on to ICE PeopleSoft environment


Main Project Challenges

01 Stakeholder Availability

02 Standardizing processes during acquisition

03 Educating Stakeholders

04 Technology Delays


What’s Next?


Controls Operation

Business process control owners have already begun operating their monthly and quarterly access and transaction controls, and system administrators are continuing to investigate configuration changes as they occur.

RMB Integration

PwC is implementing Oracle Revenue Management and Billing as ICE’s optimized billing solution, and will build custom connectors to allow RMB to interface with billing rules that will be implemented into Advanced Controls.

EBS Migration

In 2015, ICE will begin to migrate NYSE from EBS into ICE’s PeopleSoft environment. This will require consideration of the impact to Advanced Controls and may require changes to existing rules.

Future Expansion

As ICE becomes more comfortable with Advanced Controls capabilities and their existing solution, there will be opportunities to expand their use of the applications and increase the value they derive from them.


Questions?

Copyright:

© 2014 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved.

Definition:

PwC refers to the US member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.


Contact Information: Stephen D'Arcy - Director (PwC) [email protected] Ph: 856.577.0022


Safe Harbor Statement

The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
