
Upload: lytu

Post on 30-Dec-2016


Driving automation and continuous monitoring across process controls in Oracle Applications

Turning risks into results


Optimize controls mix

What we are seeing in the market

• Increasingly the market is focused on automating controls to reduce the cost of compliance, improve the control environment, and realize efficiencies.

• Leading companies are focused on making their internal controls frameworks as efficient and effective as possible by:

  • Rationalizing, optimizing and redesigning process controls to eliminate redundancy, reduce the volume of controls and effectively mitigate business risk

  • Identifying opportunities to automate process controls to enhance their mix of controls (e.g., manual, IT-dependent, automated) and improve transaction processing

  • Leveraging GRC technology to implement preventive controls through automation and continuous controls monitoring

• The benefits of controls automation and optimization include:

  • Lower costs due to a reduction in the number of controls, enhanced standardization, reduction in compliance costs (e.g., internal costs, external audit fees)

  • More-appropriate risk coverage with a keen focus on the risks that really matter

  • Process efficiencies due to reduction in transaction processing cycle time

  • A more scalable and sustainable compliance framework

  • Improved alignment between IT, business and compliance functions

Ernst & Young benchmarks show that leading companies automate 70% of their process controls.

[Figure: two controls-mix charts. First chart: Manual 50%, IT dependent 35%, Automated 15%. Second chart: Manual 10%, IT dependent 25%, Automated 65%.]

What are the opportunities at your company?

Illustrative process controls improvement case study

The client suffered from a substantially manual and labor-intensive control environment that hampered transaction processing and drove up internal compliance costs. Ernst & Young was engaged to examine the client’s procure-to-pay process to identify opportunities to automate and reduce the number of controls while minimizing risk exposure.

Value realized

• Improved transaction processing cycle time and increased business process efficiencies

• Reduced documentation and testing effort resulting from rationalized process controls

• Decreased external audit fees due to increased reliance on management’s risks and controls portfolio

• Sustainable and enhanced internal controls framework


Using GRC technology to optimize controls and processes

Access Controls Governor

• Prevent the assignment of responsibilities that compromise proper SoD policies

• Real-time monitoring and enforcement of SoD rules

• Standardized and risk-prioritized segregation of duties and critical access rule sets

Configuration Controls Governor

• Baseline application controls and ensure consistent setup of target operating units

• Verify application setup is being consistently applied across organizations

• Detect changes to critical module setups to maintain the integrity of business transactions

Preventive Controls Governor

• Extend inherent Oracle security model to secure and protect sensitive data

• Create business rules to enforce data integrity

• Create detailed audit trails of field-level changes

Transaction Controls Governor

• Create business rules to prevent transactions from occurring if business rules are violated

• Detect transaction anomalies to identify future process or control improvements

• Create transaction monitors

[Figure: Value to the business (Risk, Cost, Value), spanning enterprise vision and strategy and business process controls]

• Improved control mix that addresses key business risks while driving process efficiencies

• A sustainable risk and controls framework that enables process improvement and proactive risk mitigation

• Increased integration and coordination among IT, the business and compliance

• Improved alignment to the objectives and strategy of the business

• Reduced level of effort associated with performing and testing controls

• Reduction in compliance and audit costs, including external audit fees

• Increased control and process efficiencies enabled through automation and continuous monitoring

• Improved return on IT investments due to reliance on application controls rather than manual controls

• Better-aligned risk coverage, including the identification of stronger, more pervasive controls

• Improved visibility of risks that matter most to the organization, enabling resources to proactively focus on the most significant risks

• Improved and sustainable internal controls framework

Illustrative benefits (Direction, Process, Technology)


GRC enables various stakeholders to realize process efficiencies and reduce risk by optimizing and automating process controls.

• Industry-specific knowledge and extensive experience in working with many other organizations within specific sectors

• An integrated, well-balanced viewpoint regarding Oracle, risk and controls and business processes to enable a holistic approach toward managing compliance

• A global approach and integrated team with a breadth of experience in governance, risk and compliance

• Proven accelerators integrated within our methodology to assist you in efficiently designing and optimizing your Oracle process controls

Purpose (Oracle GRC applications: Oracle EBS, AACG, CCG, TCG, PCG, eGRCM/I)

Business

• Centralize and automate approach to managing SoD across sectors

• Increase transparency into access, change control and transaction anomalies

• Improve visibility of operational and financial transactions and increase integrity over master and configuration data

• Strengthen overall control environment and increase reliability of controls by implementing more automated controls

Compliance

• Reduce level of effort associated with SoD and access control testing both internally and with external auditors; increase integrity of business transactions through a standard approach to monitoring SoD and sensitive access

• Enable continuous controls monitoring across multiple Oracle instances, ledgers (sets of books) and operating units; increase reliance on application controls and reduce compliance testing efforts

• Redirect internal audit activities to other risk areas by reducing effort needed to review and test key application controls

• Enable exception-based reporting on critical and high-risk transactions

IT

• Reduce level of effort associated with generation of data for business and internal audit (e.g., creation and running of queries to generate access rights information, reduce audit trail maintenance and setup effort)

• Increase visibility into changes (intentional or unintentional) caused by applying patches or through IT personnel having elevated access to Oracle modules

Contact us

Keith Young, [email protected], +1 617 585 0305

Michael [email protected], +1 919 981 2868

Ernst & Young

Assurance | Tax | Transactions | Advisory

About Ernst & Young

Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 152,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.

Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com.

Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US.

© 2012 Ernst & Young LLP. All Rights Reserved. 1203-1345623. SCORE no. BT0206. ED None

This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither Ernst & Young LLP nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.

Why Ernst & Young?