Governance Risk and Compliance: Oracle GRC Advanced Controls (slide transcript)


Page 1: Governance Risk and Compliance

Page 2

REMINDER

Check in on the COLLABORATE mobile app

Governance Risk and Compliance Special Interest Group

Prepared by: Adil Khan, Oracle GRC Advanced Controls Consultant, FulcrumWay

Agenda:

• What's New with Oracle GRC Advanced Controls?

• Advanced Transaction Analytics for ERP: Case Study

• Want to Learn More?

April 7, 2014

Page 3

GRC Advanced Controls Update


Page 4

Application Controls Monitoring & Enforcement: Oracle GRC Advanced Controls

GRC Manager and GRC Intelligence sit above the three GRC Controls modules (SOD & Access, Application Configuration, Transaction Monitoring); Preventive Controls underpin all three. Each module answers one preventive question (enforce policies in context) and one detective question (monitor control effectiveness):

| | SOD & Access | Application Configuration | Transaction Monitoring |
| Enforce policies in context (Preventive) | What users can do | How the process is set up | How users execute processes |
| Monitor control effectiveness | What users have done | What's changed in the process | What are the execution patterns |

Page 5

Access Controls Governor (SOD & Access): Enforce Proper Segregation of Duties in Applications

Capabilities, from detection to prevention: Define Access Controls, Access Analysis, Remediation (Clean-up), Compensating Policies, Preventive Provisioning

• Accelerate deployment and time to value with a pre-delivered controls library

• Mitigate the risk of privileged user access to enterprise applications with approval workflow and audit trails

• Simplify segregation of duties enforcement with simulation and remediation

Page 6

Configuration Controls Governor (Application Configuration): Ensure Integrity of Critical Application Setups

Capabilities, from detection to prevention: Define Configuration Controls, Document or Compare Configurations, Monitor Configuration Changes, Enforce Change Control, Manage Data Integrity

• Tightly control change management to accelerate development and test time

• Track complete audit trails for changes to key configurations

• Achieve consistent application setup and operating standards across multiple instances

Page 7

Transaction Controls Governor (Transaction Monitoring): Test the integrity of transactions and controls across business processes

Capabilities, from detection to prevention: Define Transaction Controls, Transaction Analysis, Investigate Incidents, Enforce Transaction Controls, Prevent Suspicious Transactions

• Identify anomalies missed by traditional audit and controls

• Apply advanced forensic and pattern analysis

• Continuous monitoring of controls and transactions

Page 8

Preventive Controls Governor (Preventive Controls): Embed Controls Natively in Enterprise Apps

Capabilities (prevention): Define Preventive Controls, Prevent Read or Write Access, Initiate Approval Workflow, Enforce Field Validation, Review Audit Reports

• Produce an audit trail of change and approval history

• Initiate the appropriate approval workflow in response to proposed modifications

• Enforce preventive controls for specific users and events natively within the enterprise application

Pages 9 to 13: What's New in 8.6.5? (screenshot slides; no text content)

Page 14

Example: Oracle Procure-to-Pay. Procure-to-Pay Controls are Required

Process steps (control points): Requisition → Purchase Goods / Services → Receive Goods / Services → Invoice → Issue Payments

Surrounding systems in the process model: Strategic Sourcing & Contract Mgmt; Supplier Collaboration; Spend Categories (Indirect & MRO, Direct Materials, Services); Settlement (SWIFTNet, Payment Processors, Banks); layered on Business Process Models, Service Oriented Architecture, Corporate Performance Management and Collaboration. Advanced Controls sit at the control points between the steps.

Presenter notes: In between and throughout each process and sub-process, controls are required to ensure the integrity, compliance, and policy requirements of the organization. In the procure-to-pay process this is especially highlighted because of the occurrence and movement of money into and out of the organization.
Page 15

Example: Oracle Procure-to-Pay. Automated Controls for Strategic Sourcing & Contract Mgmt

(Same process model as page 14; the Strategic Sourcing & Contract Mgmt stage is highlighted.)

CONTROLS: the questions Advanced Controls answer at this stage

• Are your vendors compliant with trade regulations? Are the vendors blacklisted?

• Do you have duplicate suppliers?

• Are there inappropriate associations between a vendor and an employee?

• Are there frequent changes to supplier information?

• Are you missing critical supplier information? Is the information valid?

Page 16

Example: Oracle Procure-to-Pay. Automated Controls for Requisitions and Purchases

(Same process model as page 14; the Requisition and Purchase Goods / Services steps are highlighted.)

CONTROLS: the questions Advanced Controls answer at this stage

• Do you have duplicate purchase orders?

• Are there purchases with non-preferred vendors?

• Are there split POs?

• Are POs created on the same day as the goods arrive?

Page 17

Example: Oracle Procure-to-Pay. Automated Controls for Receiving, Invoices, and Payments

(Same process model as page 14; the Receive Goods / Services, Invoice and Issue Payments steps are highlighted.)

CONTROLS: the questions Advanced Controls answer at this stage

• Are you making accurate and timely payments?

• Did the person making the payment create or modify the vendor?

• Are there discrepancies in freight charges?

• Are payment term changes reviewed before payment?

• Are there duplicate invoice amounts being processed?
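The questions on the three procure-to-pay slides above are what a transaction control actually tests. The block below is an added example, not code from the presentation or from Oracle's Transaction Controls Governor: it expresses four of those tests as plain Python over a constructed voucher feed: duplicate payments (with the invoice reference normalized so re-keyed duplicates still match), split payments against an assumed $5,000 single-approver threshold, payments to blacklisted vendors, and the segregation-of-duties question "did the person making the payment create or modify the vendor?". The vendor and voucher records, user names and threshold are all assumptions.

```python
import re
from collections import defaultdict
from datetime import date

# Assumed single-approver limit (hypothetical policy value): a run of invoices each
# just under it, to one vendor on one day, is the classic split-payment pattern.
APPROVAL_THRESHOLD = 5000.00

# Constructed sample data, not from the presentation. Vendor master with who
# created / last modified each record, plus the blacklist flag.
VENDORS = {
    "V100": {"name": "Acme Supply", "created_by": "jlee", "modified_by": "jlee", "blacklisted": False},
    "V200": {"name": "Northwind", "created_by": "mpatel", "modified_by": "mpatel", "blacklisted": False},
    "V300": {"name": "Shell Co", "created_by": "mpatel", "modified_by": "jlee", "blacklisted": True},
}

# Constructed vouchers staged for payment: one duplicate, one split run, one
# payment to a blacklisted vendor, one payer who also maintains the vendor.
VOUCHERS = [
    {"id": "1", "vendor": "V100", "invoice": "INV-1001", "amount": 4800.00, "date": date(2014, 3, 3), "payer": "rgarcia"},
    {"id": "2", "vendor": "V100", "invoice": "inv 1001", "amount": 4800.00, "date": date(2014, 3, 10), "payer": "rgarcia"},
    {"id": "3", "vendor": "V200", "invoice": "INV-77", "amount": 4900.00, "date": date(2014, 3, 5), "payer": "mpatel"},
    {"id": "4", "vendor": "V200", "invoice": "INV-78", "amount": 4950.00, "date": date(2014, 3, 5), "payer": "rgarcia"},
    {"id": "5", "vendor": "V200", "invoice": "INV-79", "amount": 4990.00, "date": date(2014, 3, 5), "payer": "rgarcia"},
    {"id": "6", "vendor": "V300", "invoice": "INV-5", "amount": 120.00, "date": date(2014, 3, 6), "payer": "rgarcia"},
]


def normalize_invoice(ref):
    """Fold 'INV-1001', 'inv 1001' and 'INV1001' onto one key: re-keyed duplicates
    are exactly the ones an exact-match check misses."""
    return re.sub(r"[^A-Z0-9]", "", ref.upper())


def duplicate_payments(vouchers):
    """Same vendor, same normalized invoice reference, same amount, more than once."""
    groups = defaultdict(list)
    for v in vouchers:
        groups[(v["vendor"], normalize_invoice(v["invoice"]), round(v["amount"], 2))].append(v["id"])
    return [{"control": "Duplicate Payments", "vouchers": ids} for ids in groups.values() if len(ids) > 1]


def split_payments(vouchers, threshold=APPROVAL_THRESHOLD):
    """Several sub-threshold vouchers to one vendor on one day whose total crosses the threshold."""
    groups = defaultdict(list)
    for v in vouchers:
        if v["amount"] < threshold:
            groups[(v["vendor"], v["date"])].append(v)
    incidents = []
    for vs in groups.values():
        total = round(sum(v["amount"] for v in vs), 2)
        if len(vs) >= 2 and total >= threshold:
            incidents.append({"control": "Split Payments", "vouchers": [v["id"] for v in vs], "total": total})
    return incidents


def prohibited_vendors(vouchers, vendors):
    """Any payment whose vendor is on the blacklist."""
    return [{"control": "Payment to Prohibited Vendors", "vouchers": [v["id"]]}
            for v in vouchers if vendors[v["vendor"]]["blacklisted"]]


def payer_touched_vendor(vouchers, vendors):
    """Did the person making the payment create or modify the vendor? (segregation of duties)"""
    incidents = []
    for v in vouchers:
        rec = vendors[v["vendor"]]
        if v["payer"] in (rec["created_by"], rec["modified_by"]):
            incidents.append({"control": "Segregation of Duties", "vouchers": [v["id"]], "user": v["payer"]})
    return incidents


def run_controls(vouchers, vendors):
    """Run every control over the staged vouchers; the result is what an auditor workbench would queue."""
    return (duplicate_payments(vouchers) + split_payments(vouchers)
            + prohibited_vendors(vouchers, vendors) + payer_touched_vendor(vouchers, vendors))


if __name__ == "__main__":
    for incident in run_controls(VOUCHERS, VENDORS):
        print(incident)
```

Each incident carries the control name and the voucher ids, which is the shape the case study later in the deck routes to auditors by control type. Amount matching here is exact to the cent; a production duplicate check usually adds tolerance matching on amount and date, which is left out to keep the pattern visible.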

Page 18

Case Study


Page 19

Fiscal watchdog ensures tens of billions of dollars in payments are lawful and correct (client case)

Our Client: A state government agency responsible for safeguarding financial assets, more than $120 billion of public funds. It helps local governments and nonprofits invest their money with flexibility, security, and confidence.

Challenges:

• Replace the fragmented legacy system of the recovery audit department with a single incident management system

• Replace manual control checklists with an audit analytics system that identifies suspicious vouchers submitted for payment by 28+ agencies across the state

• Assign suspect transactions to auditors for final review and approval using a pattern matching system

Solution: Oracle GRC Advanced Controls

Results:

• Reduce erroneous payment processing by 5% on millions of payments processed each day by consolidating all vouchers across 28 agencies into a single data hub

• Improve the incident investigation process by establishing business rules that assign incidents based on risk level, investigation type and priority, matched to auditor skills and job role

• Provide management visibility and independent oversight to monitor approved and rejected payments

• Eliminate inconsistent and contradictory actions by auditors by providing a structured investigation process based on approved investigation checklists for each type of suspicious transaction

• Optimize the recovery audit business process with integration to the ERP system for vendor management and payment processing

Page 20

Legacy Audit Approach - Sampling (diagram: Audit Sampling Criteria, Workflow)

Page 21

Legacy Audit Approach - Checklist

Page 22

Required access to agency systems, e.g. SAP

Presenter notes: the most used screens within SAP (standard SAP transaction names in parentheses):

1. FB03 (Display Document): displays the payment detail for an SAP payment

2. ME23N (Display Purchase Order): displays purchase order information

3. FMZ3 (Display Funds Commitment): displays funds commitment information (note: only state contracts are viewable)

4. FBL1N (Vendor Line Item Display): displays a history of vendor payments (approved / in transit / held) by vendor number

5. FCHN (Check Register): lists all in-scope advancement accounts by department

6. KB16N (Display Manual Cost Allocation): displays transfer information

7. PR05 (Travel Expense Manager): displays history and individual travel disbursements by employee
Page 23

SAP Payment: FB03 Screen (screenshot with numbered callouts 1 to 7)

Presenter notes: Brief explanation inside of the FB03 screen:
Page 24

Manual Bill Review

Presenter notes: The vendor invoice number is displayed as the vendor reference on FB03 and on our View Funds screen. Current charges are applied; do not pay past-due amounts. The "make check payable to" payee and address must match FRAS (as mentioned on the previous FB03 screen when selecting the proper vendor number).
Page 25

Control Requirements (client case)

• Duplicate Payments
• Split Payments
• Payment to Prohibited Vendors
• Invoice Sequence Anomalies
• Invoice Amount Exceeding Limit
• Purchase Orders
• Duplicate Vendors
• Not in Accordance with Policies and Procedures
• Missing Support
• Address Incorrect
• Payee Incorrect
• TIN Incorrect
• Department Incorrect
• Request Not in Accordance with Contract
• No Contract in Place
• Services prior to effective date of contract
• Not with intent of appropriation
• No Waiver in place for appropriation
• Not properly Authorized
• Not in accordance with legislation
• Insufficient Cash
• Amount Incorrect
• Credit Not Taken
• Potential Fraud
• Improper Bank Account
• Federal 1099 Reporting Requirement
• Discount Not Taken
• Inefficient Process
• Physical Custody
• Overall Reasonableness of Payment
• Payroll
• Segregation of Duties

Page 26

Fiscal Review – Pre-Audit Process Client case

Page 27

Architecture: PeopleSoft + TCG (client case)

1. Payment Request: All 28 state agencies send payment requests to the treasury department.

2. ERP Vouchers: PeopleSoft MS-SQL interface tables stage payment requests from many sources, including SAP and legacy systems. Requests are converted to vouchers.

3. Oracle TCG: An ETL process is initiated daily to receive voucher data into the OAC Oracle DB. Incidents are generated in the TCG Berkeley DB (big data). Incident data is transferred to the OBIEE star schema.

4. Auditor Workbench: Incidents in the DA schema are transferred to the Audit Workbench for auditor review before payment.

Page 28

Application Design Client case

Page 29

Case Study


Page 30

Corporate Overview

• Large mining, chemical, energy & oil company headquartered in West Palm Beach, FL

• 1,200 employees worldwide and $4B annual revenue

• Runs Oracle E-Business Suite R12 and several non-Oracle systems

Overall Challenges and the Need for GRC

• Heterogeneous business application environment

• Inability to track unusual activity on sensitive financial data

• Lack of proper internal controls in various processes

• Insufficient documentation on access, configuration and transaction controls

Page 31

Advanced Controls Methodology

Preventive Controls:

• Form Rules, i.e. limiting access to a field

• Flow Rules, i.e. an approval rule or an informational message on a trigger

• Audit Rules, i.e. tracking changes

• Change Control Rules, i.e. a reason code for why a field was changed

Configuration Controls:

• Snapshots, i.e. capturing specific setup/configuration information

• Comparisons, i.e. comparing snapshots between ledgers, operating units and instances

• Change Tracking, i.e. monitoring any change to configuration

Access Controls:

• Segregation of Duties: policy load and user provisioning, i.e. detection and remediation of SOD conflicts

• Conflict Reports, i.e. reporting on intra- and inter-responsibility conflicts

Transaction Controls:

• Business Objects, i.e. tables and fields within EBS

• Parameters, i.e. filters, patterns and functions

• TCG Models, i.e. a string of business objects that generates suspects
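Intra- versus inter-responsibility conflicts, listed under Access Controls above, are worth seeing side by side. The block below is an added example, not code from the presentation or from Oracle's Access Controls Governor: it uses a constructed set of EBS-style responsibilities, user assignments and an assumed SOD policy of forbidden function pairs (none of these names come from the product's control library). It reports conflicts designed into a single responsibility, conflicts that arise only from a user's combination of responsibilities, and a what-if simulation of the kind the earlier "simulation and remediation" bullet refers to.

```python
# Constructed sample, not from the presentation and not the product's control library.
# In EBS a function is the unit of access, a responsibility bundles functions, and a
# user is assigned one or more responsibilities.
RESPONSIBILITIES = {
    "AP Clerk": {"Enter Invoice", "View Supplier"},
    "AP Manager": {"Approve Invoice", "Issue Payment", "View Supplier"},
    "Supplier Maintenance": {"Create Supplier", "Update Supplier Bank Account"},
    "Payables Super User": {"Enter Invoice", "Approve Invoice", "Issue Payment",
                            "Create Supplier", "Update Supplier Bank Account"},
}
USERS = {
    "jlee": ["AP Clerk"],
    "mpatel": ["AP Clerk", "Supplier Maintenance"],
    "rgarcia": ["Payables Super User"],
}
# Assumed SOD policy: pairs of functions one person must not hold together.
POLICIES = [
    ("Create Supplier", "Issue Payment"),
    ("Create Supplier", "Enter Invoice"),
    ("Update Supplier Bank Account", "Issue Payment"),
    ("Enter Invoice", "Approve Invoice"),
]


def conflicts_in(functions, policies=POLICIES):
    """Policy pairs fully contained in a set of functions."""
    return [pair for pair in policies if pair[0] in functions and pair[1] in functions]


def intra_responsibility_conflicts(resps=RESPONSIBILITIES, policies=POLICIES):
    """Conflicts built into a single responsibility: anyone granted it violates the policy,
    so the fix is role design, not user provisioning."""
    return {name: conflicts_in(funcs, policies)
            for name, funcs in resps.items() if conflicts_in(funcs, policies)}


def user_conflict_report(users=USERS, resps=RESPONSIBILITIES, policies=POLICIES):
    """Per-user conflicts over the union of everything the user holds, classified as
    'intra' (one responsibility contains both functions) or 'inter' (only the combination does)."""
    report = {}
    for user, held in users.items():
        union = set().union(*(resps[r] for r in held))
        for f1, f2 in conflicts_in(union, policies):
            within = [r for r in held if {f1, f2} <= resps[r]]
            sources = within or [r for r in held if f1 in resps[r] or f2 in resps[r]]
            report.setdefault(user, []).append(
                {"pair": (f1, f2), "kind": "intra" if within else "inter", "responsibilities": sources})
    return report


def simulate(user, drop=None, add=None, users=USERS, resps=RESPONSIBILITIES, policies=POLICIES):
    """What-if for remediation or provisioning: conflict count before and after removing
    or adding one responsibility, without touching the live assignment."""
    before = len(user_conflict_report({user: users[user]}, resps, policies).get(user, []))
    proposed = [r for r in users[user] if r != drop] + ([add] if add else [])
    after = len(user_conflict_report({user: proposed}, resps, policies).get(user, []))
    return before, after


if __name__ == "__main__":
    print("intra-responsibility:", intra_responsibility_conflicts())
    for user, rows in user_conflict_report().items():
        for row in rows:
            print(user, row)
    print("mpatel minus Supplier Maintenance:", simulate("mpatel", drop="Supplier Maintenance"))
    print("jlee plus AP Manager:", simulate("jlee", add="AP Manager"))
```

The distinction drives the remediation path: an intra conflict (here, the super-user responsibility) can only be fixed by redesigning or restricting the responsibility, while an inter conflict can be fixed by revoking one assignment or by a compensating control, which the simulation lets you test before provisioning changes.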

Page 32

Governance Risk Compliance Project Implementation: Configuration Controls

Functionality and what it does for us:

• Snapshots: automate time-stamped documentation of key controls across all Oracle Applications modules.

• Comparison: difference analysis, to determine what's different when problems occur and verify what's changed after project activity. Monitor consistency of controls across instances, versions, points in time, operating units, and sets of books.

• Change Tracking: automate real-time monitoring of key controls in Oracle. Ensure visibility and integrity of controls over a period of time.

Page 33

Snapshots: Retrieve Configuration Setup Data

• Take snapshots of configuration setups

• Data is pulled from Oracle Application tables

• Specify constraints to focus on certain tables

• Export values into HTML, PDF, or Excel formats

Page 34

Comparison

Page 35

Change Tracking

• Query a change tracker to identify changes across multiple instances.

• Select multiple applications to monitor.

• The query requires the Change Tracking Transfer program to run before any data can be collected. (This program transfers change tracking data from the ERP instances to CCG.)

Page 36

Change Tracking, continued

• Monitor configuration changes

• Users and administrators can monitor before-and-after values, the responsible user, and the time stamp
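Snapshots, comparison and change tracking combine into one check a practitioner wants from these slides: a setup change that shows up between two snapshots but has no change-tracker event behind it, which is what a direct database update or an untracked interface looks like. The block below is an added example, not code from the presentation or from Oracle's Configuration Controls Governor. The two snapshots of AP Payment Terms, the change-tracker rows and the user names are constructed; the row key (the term name), the attribute names and the ISO-8601 timestamps are assumptions.

```python
# Constructed snapshots, not from the presentation. Each snapshot is one setup object
# (here AP Payment Terms) captured from one instance at one time; rows are keyed by the
# setup's natural key (the term name). Timestamps are ISO-8601 strings, which compare
# correctly as plain strings.
SNAPSHOT_T1 = {
    "object": "AP Payment Terms", "instance": "PROD", "taken": "2014-04-01T02:00:00",
    "rows": {
        "NET30": {"due_days": 30, "discount_pct": 0.0, "enabled": "Y"},
        "NET45": {"due_days": 45, "discount_pct": 0.0, "enabled": "Y"},
        "2/10NET30": {"due_days": 30, "discount_pct": 2.0, "enabled": "Y"},
    },
}
SNAPSHOT_T2 = {
    "object": "AP Payment Terms", "instance": "PROD", "taken": "2014-04-03T02:00:00",
    "rows": {
        "NET30": {"due_days": 30, "discount_pct": 0.0, "enabled": "Y"},
        "NET45": {"due_days": 60, "discount_pct": 0.0, "enabled": "Y"},
        "2/10NET30": {"due_days": 30, "discount_pct": 2.0, "enabled": "N"},
        "IMMEDIATE": {"due_days": 0, "discount_pct": 0.0, "enabled": "Y"},
    },
}
# Constructed change-tracker rows for the same window: before/after value, responsible
# user, timestamp. Only the NET45 change went through a tracked form.
CHANGE_EVENTS = [
    {"object": "AP Payment Terms", "row": "NET45", "attr": "due_days", "old": 45, "new": 60,
     "user": "mpatel", "at": "2014-04-02T14:05:00"},
]


def compare(base, other):
    """Difference analysis between two snapshots of the same object (two instances, or one
    instance at two points in time): rows present on one side only, and attribute-level
    (old, new) pairs for rows present on both."""
    b, o = base["rows"], other["rows"]
    changed = {}
    for key in sorted(set(b) & set(o)):
        attrs = sorted(set(b[key]) | set(o[key]))
        diff = {a: (b[key].get(a), o[key].get(a)) for a in attrs if b[key].get(a) != o[key].get(a)}
        if diff:
            changed[key] = diff
    return {"only_in_base": sorted(set(b) - set(o)),
            "only_in_other": sorted(set(o) - set(b)),
            "changed": changed}


def unexplained_changes(base, other, events):
    """Snapshot deltas with no change-tracker event inside the window: setup changes that
    bypassed the tracked forms and need an auditor's attention."""
    assert base["object"] == other["object"] and base["taken"] <= other["taken"]
    tracked = {(e["row"], e["attr"], e["new"]) for e in events
               if e["object"] == base["object"] and base["taken"] <= e["at"] <= other["taken"]}
    touched_rows = {e["row"] for e in events if e["object"] == base["object"]}
    diff = compare(base, other)
    report = []
    for row, attrs in diff["changed"].items():
        for attr, (old, new) in attrs.items():
            if (row, attr, new) not in tracked:
                report.append((row, attr, old, new))
    for row in diff["only_in_other"]:
        if row not in touched_rows:
            report.append((row, "<row added>", None, other["rows"][row]))
    for row in diff["only_in_base"]:
        if row not in touched_rows:
            report.append((row, "<row deleted>", base["rows"][row], None))
    return report


if __name__ == "__main__":
    print(compare(SNAPSHOT_T1, SNAPSHOT_T2))
    for finding in unexplained_changes(SNAPSHOT_T1, SNAPSHOT_T2, CHANGE_EVENTS):
        print("UNEXPLAINED:", finding)
```

On the constructed data the NET45 change is explained by the tracker, while the disabled discount term and the new IMMEDIATE term are not. The reconciliation only works if the Change Tracking Transfer program has actually run for the window, as the previous slide notes; an empty tracker makes every delta look unexplained.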

Page 37

Configuration Control Objects: AP - Oracle Payables

Legend: S = Snapshot, C = Change Tracker; comparison frequency columns Daily / Weekly / Monthly. Every object listed is a Snapshot (S) object with an X in one frequency column; the column alignment did not survive extraction, so the frequency of each row is not recoverable here.

• AP Payment Terms
• Account Derivation Rules
• Accounting Calendar
• Accounting Event Class Options
• Acctng Attribute Assignments
• Application Acctg Defs History
• Application Acctng Definitions
• Bank Branches
• Banks
• Descriptive Flexfield Segments
• Descriptive Flexfields
• Financials Options
• Income Tax Regions
• Invoice Tolerances
• Key Flexfield Segments
• Key Flexfields
• Open Acct Balances Listing Def
• Open and Close Periods
• Payables Options
• Payables System Setup
• Supplier Banking Details - Bank
• Supplier Banking Dtls - Branch
• Supplier Contacts
• Supplier Sites
• Suppliers
• Suppliers (Sites) Attachments
• Tax Codes

Page 38

Building an Optimized Control Environment: Preventive Controls (Advanced Controls)

• A set of applications that run within Oracle EBS as a component of the GRC Application Suite

• Prevent 'out of policy' activity from occurring; notify and alert key personnel of variances

Rule types:

• Form Rules: modify security, navigation, field and data properties

• Flow Rules: define and implement business processes

• Audit Rules: track changes to the values of fields in database tables

• Change Control: regulates changes to the values of fields in EBS forms

Page 39

EBS Form Rule Capabilities (Advanced Controls)

• Set security attributes

• Compile lists of values (LOV)

• Establish navigation paths

• Set field attributes

• Display messages

• Run SQL statements

• Define default values for fields

• Execute a Flow Rule process

A form rule defines what actions the element performs and empowers the user to make changes to EBS forms and processes. Because a form rule can run SQL statements, the rule definitions are themselves privileged configuration: restrict who may author them and track changes to them as you would any other critical setup.

Page 40

Audit Rules Highlights (Advanced Controls)

• Document changes to database field values:

– Old vs. new values

– Transaction type (Insert, Update or Delete)

– User responsible for the change

– Timestamp

– Audit report

Page 41

Change Control Highlights (Advanced Controls)

• Ensure data integrity

• Regulate changes to fields in EBS forms

• Set approval and reason code requirements for enforced management

• Enable visual attributes to identify controlled fields

• Build reason codes to clarify why a change occurred

Page 42

Embedded Controls Prevent Incidents and Escalation: Prevent Fraud and Errors Before They Occur (Advanced Controls)

• Real-time, automated controls and alerts prevent fraud and errors before they occur

• Controls are installed directly into applications, without requiring technical expertise

• The risk of fraudulent data and application changes is reduced with approval workflow and audit trails

Presenter notes: Real-time automated controls and alerts prevent fraud and errors before they occur or escalate. Oracle embeds preventive and fine-grained control automation directly into applications without requiring technical expertise or expensive customization work, and enforces controls for users in a seamless way. Capabilities from the Preventive Controls Governor module help clients prevent unauthorized access to sensitive information, mask data, change workflow, or enforce the way data is entered into the system. For instance, you can limit the data fields users can change or see, or define the types of data users can input into fields. In essence, this is a powerful solution for embedding controls directly into the way you run daily operations. In the screenshot example, a user tries to input an invoice amount that is out of policy. The system automatically triggers an approval workflow and an alert, with audit trails. This functionality enables business users to quickly require third-party approval of account changes or credit limits, or to hide controlled data. In processes like order-to-cash, these controls can prevent orders and shipments to unlicensed customers, or prevent shipments of parts that might be manufactured at unlicensed factories. Outside financial processes, GRC can also prevent fraud and errors in the hire-to-retire process, for example by masking an employee's social security number.
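The four rule types on the preceding slides (form, flow, audit and change control rules) are easiest to see as one enforcement path on a single form, ending in the out-of-policy invoice amount the notes describe. The block below is an added example, not code from the presentation or from Oracle's Preventive Controls Governor, and it does not use the product's rule syntax: the rule tables, field names, responsibilities and the $10,000 approval threshold are assumptions. It masks a hidden field, blocks a read-only field, demands a reason code on a change-controlled field, parks an out-of-policy amount for approval by a different responsibility (and a different person), and writes the audit row with old and new value, user and timestamp.

```python
from datetime import datetime, timezone

# Constructed rule definitions, not the product's rule syntax. A responsibility's form
# rule sets field attributes; change control marks fields that need a reason code; a flow
# rule diverts out-of-policy values into an approval step. All values are assumptions.
FORM_RULES = {
    "AP Clerk": {"read_only": {"bank_account"}, "hidden": {"tax_id"}},
    "AP Manager": {"read_only": set(), "hidden": set()},
}
CHANGE_CONTROL = {"payment_terms": {"reason_required": True}}
FLOW_RULES = {"amount": {"approval_above": 10000.0, "approver": "AP Manager"}}


class ControlError(Exception):
    """Raised when a rule blocks the action outright."""


class ControlledRecord:
    """A record on a controlled EBS form, with its own audit trail and approval queue."""

    def __init__(self, values):
        self.values = dict(values)
        self.audit = []      # audit rule: old/new value, operation, user, timestamp, reason
        self.pending = []    # flow rule: changes parked until an approver acts

    def view(self, responsibility):
        """Form rule: hidden fields are masked before the form is rendered."""
        hidden = FORM_RULES[responsibility]["hidden"]
        return {k: ("***" if k in hidden else v) for k, v in self.values.items()}

    def _record(self, fld, old, new, user, reason):
        self.audit.append({"field": fld, "op": "UPDATE", "old": old, "new": new, "user": user,
                           "reason": reason, "at": datetime.now(timezone.utc).isoformat()})

    def update(self, responsibility, user, fld, new, reason=None):
        """Apply the rules in order: form rule, change control, flow rule, then audit rule."""
        rule = FORM_RULES[responsibility]
        if fld in rule["hidden"] or fld in rule["read_only"]:
            raise ControlError(f"{fld} is not editable by {responsibility}")
        if CHANGE_CONTROL.get(fld, {}).get("reason_required") and not reason:
            raise ControlError(f"a reason code is required to change {fld}")
        old = self.values.get(fld)
        flow = FLOW_RULES.get(fld)
        if flow and new > flow["approval_above"]:
            self.pending.append({"field": fld, "old": old, "new": new, "user": user,
                                 "reason": reason, "approver": flow["approver"]})
            return "pending_approval"
        self.values[fld] = new
        self._record(fld, old, new, user, reason)
        return "applied"

    def approve(self, responsibility, approver):
        """Release queued changes; only the approver responsibility named by the flow rule may,
        and never the person who requested the change."""
        released = 0
        for change in list(self.pending):
            if responsibility != change["approver"]:
                raise ControlError(f"{responsibility} may not approve changes to {change['field']}")
            if approver == change["user"]:
                raise ControlError("requester may not approve their own change")
            self.values[change["field"]] = change["new"]
            self._record(change["field"], change["old"], change["new"], change["user"],
                         f"{change['reason'] or ''} approved by {approver}".strip())
            self.pending.remove(change)
            released += 1
        return released


def rejected(action, *args, **kwargs):
    """True if a control blocked the action; used to demonstrate the blocking rules."""
    try:
        action(*args, **kwargs)
        return False
    except ControlError:
        return True


if __name__ == "__main__":
    inv = ControlledRecord({"supplier": "Acme Supply", "tax_id": "12-3456789",
                            "bank_account": "0001", "payment_terms": "NET30", "amount": 0.0})
    print(inv.view("AP Clerk"))
    print(inv.update("AP Clerk", "jlee", "amount", 15000.0), inv.pending)
    print(inv.approve("AP Manager", "rgarcia"), inv.audit)
```

The ordering matters: the form rule and change control run before the value is even considered, the flow rule decides whether it is applied now or parked, and the audit row is written only for changes that actually took effect, so the trail records what the data became and who caused it, including the approver.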
Page 43

Want to Learn More ?


Page 44

Page 45


Rapidly Reduce Segregation of Duty Violations in Oracle EBS R12 Responsibilities

Prepared by: Adil Khan, Oracle GRC Advanced Controls Consultant, FulcrumWay

Responsibility templates from a catalog of pre-configured ERP roles. Workflow to update, review and approve role design changes. Role management techniques to improve role design.

Session ID#: 15042

Page 46: Governance Risk and Compliance - · PDF fileGRC Manager . SOD & Access Application Configuration Transaction Monitoring . GRC Intelligence GRC Controls . Preventive Controls . Monitor