Driving automation and continuous monitoring across process controls in Oracle Applications
Turning risks into results
Optimize controls mix
What we are seeing in the market
• Increasingly the market is focused on automating controls to reduce the cost of compliance, improve the control environment, and realize efficiencies.
• Leading companies are focused on making their internal controls frameworks as efficient and effective as possible by:
  • Rationalizing, optimizing and redesigning process controls to eliminate redundancy, reduce the volume of controls and effectively mitigate business risk
  • Identifying opportunities to automate process controls to enhance their mix of controls (e.g., manual, IT-dependent, automated) and improve transaction processing
  • Leveraging GRC technology to implement preventive controls through automation and continuous controls monitoring
• The benefits of controls automation and optimization include:
  • Lower costs due to a reduction in the number of controls, enhanced standardization, reduction in compliance costs (e.g., internal costs, external audit fees)
  • More-appropriate risk coverage with a keen focus on the risks that really matter
  • Process efficiencies due to reduction in transaction processing cycle time
  • A more scalable and sustainable compliance framework
  • Improved alignment between IT, business and compliance functions
Ernst & Young benchmarks show that leading companies automate 70% of their process controls.
[Figure: two control-mix charts. First chart: Manual 50%, IT dependent 35%, Automated 15%. Second chart: Manual 10%, IT dependent 25%, Automated 65%.]
What are the opportunities at your company?
Illustrative process controls improvement case study
The client suffered from a substantially manual and labor-intensive control environment that hampered transaction processing and drove up internal compliance costs. Ernst & Young was engaged to examine the client’s procure-to-pay process to identify opportunities to automate and reduce the number of controls while minimizing risk exposure.
Value realized
• Improved transaction processing cycle time and increased business process efficiencies
• Reduced documentation and testing effort resulting from rationalized process controls
• Decreased external audit fees due to increased reliance on management’s risks and controls portfolio
• Sustainable and enhanced internal controls framework
Using GRC technology to optimize controls and processes
Access Controls Governor
Prevent the assignment of responsibilities that compromise proper SoD policies
Real-time monitoring and enforcement of SoD rules
Standardized and risk-prioritized segregation of duties and critical access rule sets
Configuration Controls Governor
Baseline application controls and ensure consistent setup of target operating units
Verify application setup is being consistently applied across organizations
Detect changes to critical module setups to maintain the integrity of business transactions
Preventive Controls Governor
Extend inherent Oracle security model to secure and protect sensitive data
Create business rules to enforce data integrity
Create detailed audit trails of field-level changes
Transaction Controls Governor
Create business rules to prevent transactions from occurring if business rules are violated
Detect transaction anomalies to identify future process or control improvements
Create transaction monitors
Value to the business
[Figure: Risk / Cost / Value indicators; labels: Enterprise vision and strategy, Business process controls]
• Improved control mix that addresses key business risks while driving process efficiencies
• A sustainable risk and controls framework that enables process improvement and proactive risk mitigation
• Increased integration and coordination among IT, the business and compliance
• Improved alignment to the objectives and strategy of the business
• Reduced level of effort associated with performing and testing controls
• Reduction in compliance and audit costs, including external audit fees
• Increased control and process efficiencies enabled through automation and continuous monitoring
• Improved return on IT investments due to reliance on application controls rather than manual controls
• Better-aligned risk coverage, including the identification of stronger, more pervasive controls
• Improved visibility of risks that matter most to the organization, enabling resources to proactively focus on the most significant risks
• Improved and sustainable internal controls framework
Direction, Process, Technology
Illustrative benefits
GRC enables various stakeholders to realize process efficiencies and reduce risk by optimizing and automating process controls.
• Industry-specific knowledge and extensive experience in working with many other organizations within specific sectors
• An integrated, well-balanced viewpoint regarding Oracle, risk and controls and business processes to enable a holistic approach toward managing compliance
• A global approach and integrated team with a breadth of experience in governance, risk and compliance
• Proven accelerators integrated within our methodology to assist you in efficiently designing and optimizing your Oracle process controls
Purpose; Oracle GRC applications: Oracle EBS, AACG, CCG, TCG, PCG, eGRCM/I
Business
Centralize and automate approach to managing SoD across sectors
Increase transparency into access, change control and transaction anomalies
Improve visibility of operational and financial transactions and increase integrity over master and configuration data
Strengthen overall control environment and increase reliability of controls by implementing more automated controls
Compliance
Reduce level of effort associated with SoD and access control testing both internally and with external auditors; increase integrity of business transactions through a standard approach to monitoring SoD and sensitive access
Enable continuous controls monitoring across multiple Oracle instances, ledgers (sets of books) and operating units; increase reliance on application controls and reduce compliance testing efforts
Redirect internal audit activities to other risk areas by reducing effort needed to review and test key application controls
Enable exception-based reporting on critical and high-risk transactions
IT
Reduce level of effort associated with generation of data for business and internal audit (e.g., creation and running of queries to generate access rights information, reduce audit trail maintenance and setup effort)
Increase visibility into changes (intentional or unintentional) caused by applying patches or through IT personnel having elevated access to Oracle modules
Contact us
Keith Young [email protected] +1 617 585 0305
Michael [email protected] +1 919 981 2868
Ernst & Young
Assurance | Tax | Transactions | Advisory
About Ernst & Young
Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 152,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.
Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com.
Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US.
© 2012 Ernst & Young LLP. 1203-1345623 All Rights Reserved. SCORE no. BT0206 ED None
This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither Ernst & Young LLP nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.
Why Ernst & Young?