REMINDER
Check in on the COLLABORATE mobile app
GRC Advanced Controls Update
Governance Risk and Compliance Special Interest Group
April 7, 2014
Prepared by: Adil Khan, Oracle GRC Advanced Controls Consultant, FulcrumWay

Agenda
• What’s New with Oracle GRC Advanced Controls?
• Advanced Transaction Analytics for ERP – Case Study
• Want to Learn More?
Oracle GRC Advanced Controls – Application Controls Monitoring & Enforcement

Suite components: GRC Manager, SOD & Access, Application Configuration, Transaction Monitoring, GRC Intelligence, GRC Controls, Preventive Controls.

Each of the three control domains is covered from two sides, a preventive one (Enforce Policies in Context) and a detective one (Monitor Control Effectiveness):

Domain                    | Enforce Policies in Context (Preventive) | Monitor Control Effectiveness
SOD & Access              | What users can do                        | What users have done
Application Configuration | How is the process set up                | What’s changed in the process
Transaction Monitoring    | How users execute processes              | What are the execution patterns
Access Controls Governor – Enforce Proper Segregation of Duties in Applications

Control lifecycle, from detection to prevention: Define Access Controls → Access Analysis → Remediation (Clean-up) → Preventive Provisioning → Compensating Policies

• Accelerate deployment and time to value with a pre-delivered controls library
• Mitigate the risk of privileged user access to enterprise applications with approval workflow and audit trails
• Simplify segregation of duties enforcement with simulation and remediation
Configuration Controls Governor – Ensure Integrity of Critical Application Setups

Control lifecycle, from detection to prevention: Define Configuration Controls → Document or Compare Configurations → Monitor Configuration Changes → Enforce Change Control → Manage Data Integrity

• Tightly control change management to accelerate development and test time
• Track complete audit trails for changes to key configurations
• Achieve consistent application setup and operating standards across multiple instances
Transaction Controls Governor – Test integrity of transactions and controls across business processes

Control lifecycle, from detection to prevention: Define Transaction Controls → Transaction Analysis → Investigate Incidents → Enforce Transaction Controls → Prevent Suspicious Transactions

• Identify anomalies missed by traditional audit and controls
• Apply advanced forensic and pattern analysis
• Continuous monitoring of controls and transactions
Preventive Controls Governor – Embed Controls Natively in Enterprise Apps

Control lifecycle (prevention): Define Preventive Controls → Review Audit Reports → Enforce Field Validation → Initiate Approval Workflow → Prevent Read or Write Access

• Produce an audit trail of change and approval history
• Initiate the appropriate approval workflow in response to proposed modifications
• Enforce preventive controls for specific users and events natively within the enterprise application
What’s New in 8.6.5?
Example – Oracle Procure-to-Pay: Procure-to-Pay Controls are Required

Process flow, with control points for Advanced Controls at each step: Strategic Sourcing & Contract Mgmt → Requisition → Purchase Goods / Services → Receive Goods / Services → Invoice → Issue Payments → Settlement (Banks, Payment Processors, SWIFTNet)

Surrounding layers shown in the diagram: Business Process Models, Service Oriented Architecture, Corporate Performance Management, Collaboration, Supplier Collaboration, Spend Categories (Indirect & MRO, Direct Materials, Services)
Automated Controls for Strategic Sourcing & Contract Mgmt (Procure-to-Pay example, continued)

Control questions for the Strategic Sourcing & Contract Mgmt step:
• Are your vendors compliant with trade regulations? Are the vendors blacklisted?
• Do you have duplicate suppliers?
• Are there inappropriate associations between a vendor and an employee?
• Are there frequent changes to supplier information?
• Are you missing critical supplier information? Is the information valid?
Automated Controls for Requisitions and Purchases (Procure-to-Pay example, continued)

Control questions for the Requisition and Purchase Goods / Services steps:
• Do you have duplicate Purchase Orders?
• Are there purchases with non-preferred vendors?
• Are there split POs?
• Are POs created on the same day as goods arrive?
Automated Controls for Receiving, Invoices, and Payments (Procure-to-Pay example, continued)

Control questions for the Receive Goods / Services, Invoice and Issue Payments steps:
• Are you making accurate and timely payments?
• Did the person making the payment create or modify the vendor?
• Are there discrepancies in freight charges?
• Are payment term changes reviewed before payment?
• Are there duplicate invoice amounts being processed?
Case Study
Fiscal watchdog ensures tens of billions of dollars in payments are lawful and correct

Our Client
A state government agency responsible for safeguarding financial assets – more than $120 billion of public funds. It helps local governments and nonprofits invest their money with flexibility, security, and confidence.

Challenges
• Replace the fragmented legacy system of the recovery audit department with a single incident management system
• Replace manual control checklists with an audit analytics system that identifies suspicious vouchers submitted for payment by 28+ agencies across the state
• Assign suspicious transactions to auditors for final review and approval using a pattern matching system

Solutions
Oracle GRC Advanced Controls

Results
• Reduce erroneous payment processing by 5% on millions of payments processed each day by consolidating all vouchers across 28 agencies into a single data hub
• Improve the incident investigation process by establishing business rules that assign incidents based on risk level, investigation type and priority, matched to auditor skills and job role
• Provide management visibility and independent oversight to monitor approved and rejected payments
• Eliminate inconsistent and contradictory actions by auditors by providing a structured investigation process based on approved investigation checklists for each type of suspicious transaction
• Optimize the recovery audit business process with integration to the ERP system for vendor management and payment processing
Legacy Audit Approach (Client case)

Legacy Audit Approach – Sampling: figure showing Audit Sampling Criteria feeding a Workflow.

Legacy Audit Approach – Checklist: required access to agency systems, e.g. SAP. Figure: SAP Payment FB03 screen with Manual Bill Review checklist callouts 1 through 7.
Control Requirements (Client case)

• Duplicate Payments
• Split Payments
• Payment to Prohibited Vendors
• Invoice Sequence Anomalies
• Invoice Amount Exceeding Limit
• Purchase Orders
• Duplicate Vendors
• Not in Accordance with Policies and Procedures
• Missing Support
• Incorrect Address
• Incorrect Payee
• Incorrect TIN
• Incorrect Department
• Request Not in Accordance with Contract
• No Contract in Place
• Services prior to effective date of contract
• Not with intent of appropriation
• No Waiver in place for appropriation
• Not properly Authorized
• Not in accordance with legislation
• Insufficient Cash
• Incorrect Amount
• Credit Not Taken
• Potential Fraud
• Improper Bank Account
• Federal 1099 Reporting Requirement
• Discount Not Taken
• Inefficient Process
• Physical Custody
• Overall Reasonableness of Payment
• Payroll
• Segregation of Duties
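The procure-to-pay control questions above (duplicate invoices, split payments, payer who created the vendor, prohibited vendors) and the first entries of this control requirements list are all rules that can be evaluated mechanically over voucher data. The following is an added example written for this page; it is not code from the presentation or from Oracle Transaction Controls Governor. Every vendor, voucher, user name and the approval limit in it is constructed, and the rule thresholds are illustrative assumptions.

```python
"""Added example (not from the presentation or from Oracle TCG): a handful of
procure-to-pay detection rules of the kind the control questions describe,
run over a small constructed voucher and vendor data set. All vendors,
vouchers, user names and the approval limit are constructed."""
from collections import defaultdict
from datetime import date

# Constructed vendor master. created_by / modified_by mimic the audit
# columns a real supplier table carries.
VENDORS = {
    "V100": {"name": "Acme Supply", "created_by": "jsmith", "modified_by": "jsmith", "prohibited": False},
    "V200": {"name": "Globex Parts", "created_by": "clerk2", "modified_by": "clerk2", "prohibited": False},
    "V300": {"name": "Blocked Corp", "created_by": "clerk3", "modified_by": "clerk3", "prohibited": True},
}

# Constructed payment vouchers (one row per payment issued).
VOUCHERS = [
    {"id": "P1", "vendor": "V100", "invoice": "INV-1", "amount": 4800.00, "paid_by": "jsmith", "date": date(2014, 3, 3)},
    {"id": "P2", "vendor": "V100", "invoice": "INV-1", "amount": 4800.00, "paid_by": "clerk2", "date": date(2014, 3, 4)},
    {"id": "P3", "vendor": "V200", "invoice": "INV-7", "amount": 9900.00, "paid_by": "clerk4", "date": date(2014, 3, 5)},
    {"id": "P4", "vendor": "V200", "invoice": "INV-8", "amount": 9900.00, "paid_by": "clerk4", "date": date(2014, 3, 5)},
    {"id": "P5", "vendor": "V300", "invoice": "INV-2", "amount": 150.00, "paid_by": "clerk4", "date": date(2014, 3, 6)},
]

APPROVAL_LIMIT = 10000.00  # constructed: payments at or above this need a second approver


def duplicate_payments(vouchers):
    """Same vendor and invoice number paid more than once."""
    seen = defaultdict(list)
    for v in vouchers:
        seen[(v["vendor"], v["invoice"])].append(v["id"])
    return [ids for ids in seen.values() if len(ids) > 1]


def split_payments(vouchers, limit):
    """Several same-day payments to one vendor, each under the approval limit
    but at or over it in total, so the approval threshold was never hit."""
    groups = defaultdict(list)
    for v in vouchers:
        groups[(v["vendor"], v["date"])].append(v)
    hits = []
    for group in groups.values():
        under_limit = all(v["amount"] < limit for v in group)
        if len(group) > 1 and under_limit and sum(v["amount"] for v in group) >= limit:
            hits.append([v["id"] for v in group])
    return hits


def payer_touched_vendor(vouchers, vendors):
    """SOD check: the user issuing the payment also created or modified the vendor record."""
    return [v["id"] for v in vouchers
            if v["paid_by"] in (vendors[v["vendor"]]["created_by"], vendors[v["vendor"]]["modified_by"])]


def prohibited_vendor_payments(vouchers, vendors):
    """Payments to vendors flagged as prohibited / blacklisted."""
    return [v["id"] for v in vouchers if vendors[v["vendor"]]["prohibited"]]


def run_controls(vouchers=VOUCHERS, vendors=VENDORS, limit=APPROVAL_LIMIT):
    """Run every rule and return incidents as (control name, voucher ids).
    Each incident is the unit an auditor workbench would route for review."""
    incidents = []
    incidents += [("duplicate_payment", ids) for ids in duplicate_payments(vouchers)]
    incidents += [("split_payment", ids) for ids in split_payments(vouchers, limit)]
    incidents += [("payer_touched_vendor", [vid]) for vid in payer_touched_vendor(vouchers, vendors)]
    incidents += [("prohibited_vendor", [vid]) for vid in prohibited_vendor_payments(vouchers, vendors)]
    return incidents


if __name__ == "__main__":
    for control, ids in run_controls():
        print(f"{control:22s} {', '.join(ids)}")
```

Each rule is deliberately a small, explainable predicate: an auditor who receives the incident can see exactly which condition fired, which is what makes a structured investigation checklist per incident type workable. Note that the split-payment rule groups by vendor and date only; a production model would also widen the window and consider near-identical amounts, which is where pattern analysis rather than exact matching earns its keep.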
Fiscal Review – Pre-Audit Process (Client case)

Architecture – PeopleSoft + TCG (Client case)
1. Payment Request: All 28 state agencies send payment requests to the treasury department.
2. ERP Vouchers: PeopleSoft MS-SQL interface tables stage payment requests from many sources, including SAP, legacy systems, etc. Requests are converted to vouchers.
3. Oracle TCG: An ETL process is initiated daily to receive voucher data into the OAC Oracle DB. Incidents are generated in the TCG Berkeley DB (Big Data). Incident data is transferred to the OBIEE star schema.
4. Auditor Workbench: Incidents in the DA schema are transferred to the Audit Workbench for auditor review before payment.

Application Design (Client case)
Case Study
Corporate Overview
• Large Mining, Chemical, Energy & Oil company headquartered in West Palm Beach, FL
• 1,200 Employees worldwide and $4B annual revenue
• Own Oracle E Business Suite R12 and several Non-Oracle Systems
Overall Challenges and the Need for GRC
• Heterogeneous business application environment
• Inability to track unusual activity on sensitive financial data
• Lack of proper internal controls in various processes
• Insufficient documentation on access, configurations and transaction controls
Advanced Controls Methodology

Preventive Controls
• Form Rules, i.e. limiting access to a field
• Flow Rules, i.e. an approval rule or informational message on a trigger
• Audit Rules, i.e. tracking changes
• Change Control Rules, i.e. a reason code as to why a field is changed

Configuration Controls
• Snapshots, i.e. capturing specific setup/configuration info
• Comparisons, i.e. comparing snapshots between ledgers, operating units, instances
• Change Tracking, i.e. monitoring any change to configuration

Access Controls
• Segregation of Duties: Policy Load, User Provisioning, i.e. detection and remediation of SODs
• Conflict Reports, i.e. reports on intra- and inter-responsibility conflicts

Transaction Controls
• Business Objects, i.e. tables and fields within the EBS Suite
• Parameters, i.e. filters, patterns and functions
• TCG Models, i.e. a string of business objects that generate suspects
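The Access Controls items above (SOD policy load, conflict reports split into intra- and inter-responsibility conflicts, and the simulation and remediation the Access Controls Governor slide promises) come down to evaluating a list of function pairs against role definitions and user assignments. What follows is an added example written for this page, not code from the presentation or from Access Controls Governor. The SOD policy, the responsibilities and the user assignments are all constructed; the function names are illustrative and do not correspond to specific EBS functions.

```python
"""Added example (not from the presentation or from Access Controls
Governor): SOD policy evaluation over constructed responsibilities and user
assignments, producing the two report types the methodology names
(intra- and inter-responsibility conflicts) plus what-if remediation and
preventive provisioning checks. All names are constructed."""

# Constructed SOD policy: no single person may hold both functions of a pair.
SOD_POLICIES = [
    ("Create Supplier", "Enter Invoice"),
    ("Enter Invoice", "Create Payment"),
    ("Create Supplier", "Create Payment"),
]

# Constructed responsibilities (roles) and the functions each grants.
RESPONSIBILITIES = {
    "AP Clerk": {"Enter Invoice", "Match PO"},
    "AP Super User": {"Create Supplier", "Enter Invoice", "Create Payment"},
    "Payables Manager": {"Create Payment", "Approve Invoice"},
    "Purchasing Inquiry": {"View PO"},
}

# Constructed user-to-responsibility assignments.
USERS = {
    "jsmith": ["AP Clerk", "Payables Manager"],
    "clerk2": ["AP Clerk", "Purchasing Inquiry"],
    "admin": ["AP Super User"],
}


def intra_responsibility_conflicts(resps=RESPONSIBILITIES, policies=SOD_POLICIES):
    """Conflicts built into a single responsibility: everyone granted it violates
    the policy, so the fix is role design rather than user provisioning.
    Returns (responsibility, function, function) tuples."""
    hits = []
    for name in sorted(resps):
        funcs = resps[name]
        for a, b in policies:
            if a in funcs and b in funcs:
                hits.append((name, a, b))
    return hits


def inter_responsibility_conflicts(users=USERS, resps=RESPONSIBILITIES, policies=SOD_POLICIES):
    """Conflicts that exist only because of the combination of responsibilities
    a user holds. Returns (user, function, responsibility, function, responsibility)."""
    hits = []
    for user in sorted(users):
        assigned = users[user]
        for a, b in policies:
            for ra in assigned:
                for rb in assigned:
                    if ra != rb and a in resps[ra] and b in resps[rb]:
                        hits.append((user, a, ra, b, rb))
    return hits


def simulate_remediation(user, drop, users=USERS, resps=RESPONSIBILITIES, policies=SOD_POLICIES):
    """What-if: remove one responsibility from a user and recompute that user's
    inter-responsibility conflicts before touching the ERP."""
    trial = {user: [r for r in users[user] if r != drop]}
    return inter_responsibility_conflicts(trial, resps, policies)


def provisioning_check(user, new_resp, users=USERS, resps=RESPONSIBILITIES, policies=SOD_POLICIES):
    """Preventive provisioning: the conflicts that granting new_resp would add.
    An empty list means the grant can proceed without an approval exception."""
    current = users.get(user, [])
    before = set(inter_responsibility_conflicts({user: current}, resps, policies))
    after = inter_responsibility_conflicts({user: current + [new_resp]}, resps, policies)
    return [c for c in after if c not in before]


if __name__ == "__main__":
    print("intra:", intra_responsibility_conflicts())
    print("inter:", inter_responsibility_conflicts())
    print("drop Payables Manager from jsmith:", simulate_remediation("jsmith", "Payables Manager"))
    print("grant Payables Manager to clerk2:", provisioning_check("clerk2", "Payables Manager"))
```

A complete per-user report is the union of the inter-responsibility conflicts with the intra-responsibility conflicts of every responsibility the user holds; the two are kept separate here because they are remediated differently (role redesign versus reassignment or a compensating control). Real deployments evaluate at the function or menu level rather than on responsibility names, which is what makes the pre-delivered policy library on the Access Controls Governor slide useful.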
Governance Risk Compliance Project Implementation

Configuration Controls

Functionality   | What it does for us
Snapshots       | Automate time-stamped documentation of key controls across all Oracle Applications modules.
Comparison      | Difference analysis: determine what’s different when problems occur, verify what’s changed after project activity. Monitor consistency of controls across instances, versions, points in time, operating units, and sets of books.
Change Tracking | Automate real-time monitoring of key controls in Oracle. Ensure visibility and integrity of controls over a period of time.
Snapshots – Retrieve Configuration Setup Data
• Take snapshots of configuration setups
• Data is pulled from Oracle Application tables
• Specify constraints to focus on certain tables
• Export values into HTML, PDF, or Excel formats

Comparison

Change Tracking
• Query a change tracker to identify changes across multiple instances
• Select multiple applications to monitor
• The query requires the Change Tracking Transfer program to run before any data can be collected (this program transfers change tracking data from the ERP instances to CCG)
• Monitor configuration changes
• Users and administrators can monitor before-and-after values, the responsible user, and the time stamp

Configuration Control Objects
Configuration control objects for AP – Oracle Payables. Type: S = Snapshot, C = Change Tracker. Each object carries an X in one of the three comparison frequency columns (Daily, Weekly, Monthly); the column assignment did not survive extraction, so only the mark is shown.

Object                         | Type | Comparison frequency (Daily / Weekly / Monthly)
AP Payment Terms               | S    | X
Account Derivation Rules       | S    | X
Accounting Calendar            | S    | X
Accounting Event Class Options | S    | X
Acctng Attribute Assignments   | S    | X
Application Acctg Defs History | S    | X
Application Acctng Definitions | S    | X
Bank Branches                  | S    | X
Banks                          | S    | X
Descriptive Flexfield Segments | S    | X
Descriptive Flexfields         | S    | X
Financials Options             | S    | X
Income Tax Regions             | S    | X
Invoice Tolerances             | S    | X
Key Flexfield Segments         | S    | X
Key Flexfields                 | S    | X
Open Acct Balances Listing Def | S    | x
Open and Close Periods         | S    | x
Payables Options               | S    | X
Payables System Setup          | S    | X
Supplier Banking Details- Bank | S    | X
Supplier Banking Dtls- Branch  | S    | X
Supplier Contacts              | S    | X
Supplier Sites                 | S    | X
Suppliers                      | S    | X
Suppliers (Sites) Attachments  | S    | X
Tax Codes                      | S    | X
Building an Optimized Control Environment – Preventive Controls
• A set of applications that run within Oracle EBS as a component of the GRC Application Suite
• Prevent ‘out of policy’ activity from occurring; notify and alert key personnel of variances

Rule types:
• Form Rules – modify security, navigation, field and data properties
• Flow Rules – define and implement business processes
• Audit Rules – track changes to the values of fields in database tables
• Change Control – regulates changes to the values of fields in EBS forms
EBS Form Rule Capabilities
• Set security attributes
• Compile lists of values (LOV)
• Establish navigation paths
• Set field attributes
• Display messages
• Run SQL statements
• Define default values for fields
• Execute Flow Rule process

• Defines what actions the element performs
• Empowers the user to make changes to EBS forms and processes
Audit Rules Highlights
• Document changes to database field values:
  – Old vs. new values
  – Transaction type (Insert, Update or Delete)
  – User responsible for change
  – Timestamp
  – Audit report
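The Configuration Controls section (snapshots, comparison across instances or points in time, change tracking with before-and-after values, user and time stamp) and the audit rule record just listed describe the same underlying mechanism: diff two captured states and annotate each difference. The following is an added example written for this page, not code from the presentation or from Configuration Controls Governor or its Change Tracking Transfer program. The object names echo the Payables objects on the page, but every value, instance name, user, timestamp and watch-list entry is constructed.

```python
"""Added example (not from the presentation, not CCG code): snapshot,
comparison and change-tracking logic over constructed Payables configuration
values. Change records carry the fields the audit-rule slide lists: old value,
new value, transaction type, responsible user, timestamp. Everything below is
constructed for illustration."""

# Constructed configuration rows: (object, key, value).
PROD_DAY1 = [
    ("Payables Options", "Allow Adjustments to Paid Invoices", "N"),
    ("Payables Options", "Invoice Currency", "USD"),
    ("AP Payment Terms", "Net 30", "30 days"),
    ("Invoice Tolerances", "Price Tolerance %", "5"),
]
PROD_DAY2 = [
    ("Payables Options", "Allow Adjustments to Paid Invoices", "Y"),
    ("Payables Options", "Invoice Currency", "USD"),
    ("AP Payment Terms", "Net 30", "30 days"),
    ("AP Payment Terms", "Immediate", "0 days"),
]
TEST_DAY2 = list(PROD_DAY1)  # constructed: the TEST instance was never changed

# Constructed watch list: setups whose change should raise an alert immediately.
CRITICAL_SETUPS = {("Payables Options", "Allow Adjustments to Paid Invoices")}


def take_snapshot(rows, instance, taken_at):
    """Time-stamped snapshot of configuration values for one instance.
    taken_at is an ISO-8601 string so records stay plain data."""
    return {"instance": instance, "taken_at": taken_at,
            "values": {(obj, key): val for obj, key, val in rows}}


def compare(before, after):
    """Difference analysis: one INSERT / UPDATE / DELETE record per differing key.
    Works across time (same instance) and across instances (same time)."""
    a, b = before["values"], after["values"]
    diffs = []
    for k in sorted(set(a) | set(b)):
        if k not in a:
            diffs.append({"object": k[0], "key": k[1], "type": "INSERT", "old": None, "new": b[k]})
        elif k not in b:
            diffs.append({"object": k[0], "key": k[1], "type": "DELETE", "old": a[k], "new": None})
        elif a[k] != b[k]:
            diffs.append({"object": k[0], "key": k[1], "type": "UPDATE", "old": a[k], "new": b[k]})
    return diffs


def track_changes(before, after, changed_by):
    """Change tracking: attach the responsible user and timestamp to each diff.
    In a real deployment the user comes from the ERP's own audit columns
    (what the transfer program ships to CCG); here it is a plain parameter."""
    return [dict(d, user=changed_by, timestamp=after["taken_at"], instance=after["instance"])
            for d in compare(before, after)]


def critical_changes(changes, watch=CRITICAL_SETUPS):
    """Filter change records down to the setups on the watch list."""
    return [c for c in changes if (c["object"], c["key"]) in watch]


def daily_change_report():
    """PROD yesterday vs PROD today: what changed and who is on record for it."""
    day1 = take_snapshot(PROD_DAY1, "PROD", "2014-04-01T02:00")
    day2 = take_snapshot(PROD_DAY2, "PROD", "2014-04-02T02:00")
    return track_changes(day1, day2, "sysadmin")


def cross_instance_report():
    """PROD vs TEST at the same point in time: consistency check between instances."""
    prod = take_snapshot(PROD_DAY2, "PROD", "2014-04-02T02:00")
    test = take_snapshot(TEST_DAY2, "TEST", "2014-04-02T02:00")
    return compare(prod, test)


if __name__ == "__main__":
    for c in daily_change_report():
        flag = " <-- critical" if critical_changes([c]) else ""
        print(f"{c['type']:6s} {c['object']} / {c['key']}: {c['old']!r} -> {c['new']!r} by {c['user']} at {c['timestamp']}{flag}")
    for c in cross_instance_report():
        print("PROD vs TEST:", c["type"], c["object"], "/", c["key"], c["old"], "->", c["new"])
```

The same `compare` function serves both reports, which is the point of the Comparison row in the functionality table: a difference between yesterday and today is an audit event, a difference between PROD and TEST is a consistency finding, and only the two inputs change. The watch-list filter is where "real-time monitoring of key controls" turns into an alert rather than a nightly report line.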
Change Control Highlights
• Ensure data integrity
• Regulate changes to fields in EBS forms
• Set approval and reason code requirements for enforced management
• Enable visual attributes to identify controlled fields
• Build reason codes to clarify why a change occurred

Embedded Controls Prevent Incidents and Escalation – Prevent Fraud and Errors Before They Occur
• Real-time, automated controls and alerts prevent fraud and errors before they occur
• Controls are installed directly into applications, without technical expertise
• The risk of fraudulent data and application changes is reduced with approval workflow and audit trails
Want to Learn More?
Related session: Rapidly Reduce Segregation of Duty Violations in Oracle EBS R12 Responsibilities (Session ID#: 15042)
Prepared by: Adil Khan, Oracle GRC Advanced Controls Consultant, FulcrumWay
Topics: responsibility templates from a catalog of pre-configured ERP roles; workflow to update, review and approve role design changes; role management techniques to improve design.