Upload File

embedding controls to reduce risk

6
Minimising risks by designing and implementing an effective control environment www.pwc.com Embedding controls to reduce risk Effective Oracle security and controls design and implementation

Upload: others

Post on 21-Jan-2022

7 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Embedding controls to reduce risk

Minimising risks by designing and implementing an effective control environment

www.pwc.com

Embedding controls to reduce riskEffective Oracle security and controls design and implementation

Page 2: Embedding controls to reduce risk

An organisation with controls embedded within its processes and operations is not only compliant with regulations; it can react to new opportunities and challenges more effectively. It is not possible to anticipate every risk that arises, however it is possible to position the organisation on a solid foundation from which to manage the business in an effective and efficient way.

This paper will explore the challenges clients face with regards to designing controls in their Oracle application and the services PwC can provide to support this.

Reducing cost, improving reporting and minimising the potential for fraud.

Page 3: Embedding controls to reduce risk

Why do organisations have difficulties implementing effective Oracle controls?A mature controls environment is sometimes the last thought on management’s mind when operating the business day-to-day, however controls can significantly reduce operating costs, improve reporting and minimise the potential for fraud. Every organisation has risks affecting them based on their size, industry, systems, regulatory environment, etc. The issue for management is identifying these risks and the most effective controls to help mitigate them.

Some recurring challenges we see at our clients include:

• As part of the design phase of an implementation, all risks are not identified or when identified, are not in line with the business strategy and objectives;

• A risk assessment is not performed to prioritise the significance and prevalence of the risks to the organisation;

• During implementation, the focus of the systems integrator is on implementing an Oracle system that works with little regard to the controls that will be operated across each process post go-live;

• Risk and control activities are not driving process improvement and value to the business;

• The controls identified during implementation are not correctly mapped to specific risks affecting the organisation, or risks are present without coverage from controls;

• Management does not know which controls are in place and/or if they are operating effectively;

• Configurable controls are not part of the project documentation such as process design documents or application setup documents;

• Automated controls are not optimised in order to minimise costly manual controls;

• The organisation has a good knowledge of risks, but do not have the functional Oracle knowledge to identify the required and most effective controls within the system; and

• Individuals within the organisation do not have the sufficient understanding of Oracle to embed automated controls during implementation.

The diagram below illustrates how an organisation will have a number of control objectives, which are based on different criteria that are important to the business. These objectives will be linked to key risks that are identified by the organisation, which are then mapped to specific controls to mitigate those risks. One risk can have multiple controls, just as one control can mitigate multiple risks.

How can these challenges impact an organisation?• Potential fraudulent activity might occur causing damage to the organisation’s reputation or result in a

financial loss;• Business processes are not operating as management intended, due to lack of mature controls, leading to

transaction processing errors;• Under usage of the automated activities and controls available in Oracle, relying on manual processes/controls.

This can cause errors due to manual processing and can lead to wasted time and money; and• Control deficiencies lead to low controls reliance during an audit; resulting in increased audit fees.

Compliance

Operations

Financial reporting

Control objectives Risks ControlsFinancial statement

asertions

Information processing objectives

Quality

Customer requirement

Data protection actOracle security

IT general controls

Manual/procedural controls

Oracle application controlsFinancial reporting

Operational

Fraud

Compliance

Compliance

Page 4: Embedding controls to reduce risk

As part of an implementation, organisations need to design appropriate controls to mitigate risks in their Oracle environment. PwC has extensive experience of helping organisations meet this challenge and can perform the following activities:

• Understand the business objectives and overall strategy of the organisation, to ensure alignment in business processes and controls;

• Understand the impact of planned changes to process design on risk assessments and controls requirements or design, this can be performed through workshops with business process owners;

• Work with management to assess the risks impacting the organisation for specific business processes, the relevant control objectives and work to create a detailed risk register;

• Agree restricted access controls, including segregation of duties conflicts according to company policy and good practice;

• Utilise PwC’s extensive Oracle risk and controls library to identify target controls to mitigate the identified risks, populate a risk and controls matrix and ensure the identified controls are embedded into project documentation such as the process design documents or the application setup documents; and

• Utilise PwC’s automated tools to confirm that automated/configurable controls and user security/segregation of duties are setup within the Oracle system as per the design.

Many of our clients have been up and running with their Oracle application for a number of years and have controls already embedded within their business processes. It is however important to periodically confirm that these controls are still in place and operating effectively.

PwC can perform the following activities as part of a controls confirmation review:

• Perform a review of the business processes, risk registers, and controls matrices to confirm they are aligned to the overall strategy of the organisation;

• Evaluate the controls currently in place to confirm design effectiveness and operating effectiveness using the following techniques:

• Risk and controls review, supported by PwC’s proprietary toolkit, Oracle Optics;

• Compare the control environment to PwC’s Oracle Risk and Controls library to confirm the best available controls are being used and have been configured correctly in the Oracle system; and

• Test controls against management’s controls register.

• In addition to the testing of the configurable Oracle controls, using Oracle Optics, PwC can provide comfort over restricted access and segregation of duties; and

• Identify any issues and provide recommendations on processes and controls improvements, while developing a strategy to remediate control weaknesses and work with management to create more robust controls.

Controls confirmation

PwC’s Oracle team specialise in helping organisations design controls to mitigate identified risks. With a dedicated team of Oracle Security and Controls professionals based throughout the UK, we have a range of proven methodologies and market leading tools to help design and deliver effective Oracle controls.

Attention to the design, documentation and operation of controls is critical to ensuring the accuracy and timeliness of information used for financial reporting and management decision-making.

Controls design

Page 5: Embedding controls to reduce risk

Oracle Optics

PwC performs risk and controls reviews, supported by PwC’s proprietary toolkit, Oracle Optics. PwC’s Oracle Optics tool provides an in depth analysis across the Oracle system’s configuration, security and user access.

Oracle Risk CloudOracle Risk Management Cloud consists of Advanced Access Controls, Advanced Financial Controls, Financial Reporting Compliance and a Library of Best Practice Controls. These allow an organisation to efficiently embed automated controls in and around Oracle.

Oracle Advanced Access Controls enables organisations to define and monitor access controls by identifying and remediating segregation of duty (SOD) violations.

The Advanced Financial Controls module can be configured to implement transaction level controls which monitor transactions on almost a real time basis and can send out a notification to the control owner when an exception is detected and needs to be addressed, minimising the time of exposure.

Finally, Financial Reporting Compliance can be used as a repository of all your risks and controls and link in to the automated controls in Access Controls and Financial Controls allowing real time monitoring of risks and issues.

Optics is utilised to provide assessments over the:

• Development of system security;

• Design of user responsibilities or roles; and

• Automated/Configurable controls within the Oracle modules.

Optics can be used to perform detailed reviews throughout an Oracle implementation or upgrade project, pre and post go-live. The Optics tool accelerates the analysis and appreciation of risks during the configuration phase of a project, and helps to quickly identify the controls required to manage and mitigate them. Parameter set-up reports help pin-point control weaknesses in how a module has been configured. Detailed Segregation of Duties reports provide comprehensive information about users and their access.

Assess automated business process and security controls

A risk and controls review, supported by PwC’s proprietary toolkit, Optics, extracting configurable control settings and security controls for each module on review. These settings will be analysed to establish if any do not meet generally accepted good

practices or expose the client to operational or financial risks.

Access permissions and segregation of duties

Analysis is performed on the design of the user roles and responsibilities and assignment of those to users, using Oracle Optics. This will establish if any potential weaknesses exist around inappropriate levels of access or segregation of duties.

Recommend improvements/Continuous improvement

Page 6: Embedding controls to reduce risk

www.pwc.comPwC UK helps organisations and individuals create the value they’re looking for. We’re a member of the PwC network of firms in 158 countries with more than 180,000 people committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com/uk.

This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.

© 2018 PricewaterhouseCoopers LLP. All rights reserved. PwC refers to the UK member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.

180411-165531-JL-OS


Controls Can Be Strengthened to Reduce the Risk of … · Controls Can Be Strengthened to Reduce the Risk of ... Vermont farms suspected of having BSE. ... elk, and deer

Embedding eBook

Directorate of Defense Trade Controls: Licensing · PDF fileDirectorate of Defense Trade Controls: Licensing Update ... –Reduce current incentives for companies in non-embargoed

Project Controls Expo, 18th Nov 2014 - "Embedding Best Practice Processes and Automation within Your Project Teams" By Gero Renker

ImprovingDialogSystemsusingKnowledgeGraph Embeddings · response generation is word embedding, a dimensionality reduction technique com-monly used to reduce the size of the input

Pre Embedding

Keysight Technologies De-Embedding and Embedding …literature.cdn.keysight.com/litweb/pdf/5980-2784EN.pdf · Keysight Technologies De-Embedding and Embedding S ... Advanced Design

The Importance of Proper Controls. 5 Network Controls Developing a secure network means developing mechanisms that reduce or eliminate the threats

Using Modbus Controls For EC Fans to Reduce …...Using Modbus Controls For EC Fans to Reduce HVAC Energy Consumption By Vincenzo Nuzzi, Engineer, Rosenberg GmbH Controlling energy

Supervisory Controls Strategy to Reduce Utility Factor

Embedding SQL

Embedding SQL Server Express into Custom Applications - Web viewFilename: #1266 Embedding Express Cust_Apps3. Embedding SQL Server Express into Custom Applications3. Embedding SQL

PRE-PROPOSAL CONFERENCE FOR PROJECT CONTROLS …Project Controls Division 7 •Cost effective project delivery •Robust cost estimating •Design to budget •Reduce cost overruns.…

Agilent De-embedding and Embedding S-Parameter …anlage.umd.edu/Microwave Measurements for Personal Web Site/5980...De-embedding and Embedding S-Parameter Networks Using a ... ial

Preventing Fraud - Reduce Risk and Save Money with a Few Key Controls

Why Passive Fire Protection of Critical Controls? · Why Passive Fire Protection of Critical Controls? Passive Fire Protection is risk minimization. It is designed to reduce overall

Embedding Technology

Embedding BI

Celloidin Embedding

 · Engineering Controls Engineering controls reduce exposures to employees by removing the hazard from the process or placing a barrier between the hazard and the employee. Engineering

Embedding ea

Embedding sustainability

Embedding JGit

Controlling health and safety hazards Hierarchy of ... · PDF fileEngineering/elimination controls Engineering controls eliminate or reduce ... Controlling health and safety hazards

Module 5: Control Measures to Reduce Exposures. Control Measures Control Measures Engineering Controls Engineering controls are those that mitigate the

On-tool controls to reduce exposure to respirable dusts in ... · PDF fileHealth and Safety Executive On-tool controls to reduce exposure to respirable dusts in the construction industry

INTERNAL CONTROLS: How to Reduce Risk AND Increase Efficiency

Oracle Security & Controls - Embedding Controls to Reduce Risk - Single

Embedding Research

Embedding Design

Virtual embedding

Agilent De-embedding and Embedding S-Parameter …web.doe.carleton.ca/~nagui/labequip/loadpull/papers/sparams/Agile... · De-embedding and Embedding S-Parameter Networks Using a

Trane Thermostats and Advanced Controls · Reduce energy consumption up to 15% and lower your carbon ... and air conditioning systems, indoor air quality solutions, advanced controls,

OPTIMIZER: Manages, controls and helps to ... - Total S.A.ressources.total.com/websites/total_co_za/Optimizer-brochure-a.pdf · OPTIMIZER: Manages, controls and helps to reduce your

App embedding