oci - oracle grc advanced controls case study con7987 update #10


Upload: oracle-risk-management-cloud

Post on 19-Jan-2017


Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |

Using Oracle GRC Advanced Controls to Achieve Your Procure-to-Pay Process Objectives CON7987

Hal Kazi Oracle GRC Product Development Oct 27, 2015

Presented with


Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.


OCI Enterprises (“OCI”) Company Profile

• OCI Enterprises is the North American subsidiary of OCI Company Ltd based in Seoul, South Korea.

• Headquartered in Atlanta, Georgia, OCI Enterprises consists of two divisions: Chemical and Energy.

• The Chemical Division primarily consists of a trona mining and soda ash production business that is also a general partner in a master limited partnership (MLP) named “OCI Resources” with shares publicly traded on the New York Stock Exchange.

• Trona is one of the world’s most abundant resources and is refined into soda ash, which is used in glass making, detergents, chemicals and other consumer and industrial products.

• The Energy Division primarily consists of solar power development and solar panel manufacturing.

Note: On October 23, 2015 Ciner Group, a Turkish company, purchased OCI Chemical from OCI Enterprises. OCI Resources will become Ciner Resources.


OCI Business Case

• Due to public company reporting requirements of OCI Resources, LP, OCI sought to strengthen the control environment

• Pain points included:

– Challenges analyzing and monitoring the user environment

– Lack of visibility to additions/changes to vendor master file

– Limited control of additions to the vendor master file

– Challenges monitoring key configurations and/or changes

• Company also desired a way to monitor transactions; ad hoc and future continuous monitoring by both the business and Internal Audit

• OCI was well positioned to utilize Oracle Advanced Controls applications

• Partnered with PWC for implementation over a 5-month period


Project Approach

• Configuration Controls Governor

• Transaction Controls Governor

• Preventive Controls Governor

• Access Control Governor

User Access Analysis & Monitoring

Vendor Masterfile Workflow & Monitoring

Purchasing & AP Configuration and Set-up Monitoring

Continuous Monitoring: Policy & Anti-Fraud


ACG: User Role Entitlements

• Selected key entitlements and built ACG controls to analyze existing roles and discover potential conflicts:

Process Area | Entitlements
Add/Modify Vendor Masterfile | AP Supplier Master
Purchase Order Processing | Requisition Entry; PO Entry
Receiving | Receiving Transactions
Invoice Processing | Invoice Entry; Invoice Matching; Recurring Invoice; Release Holds; Approve Invoices
Payment Processing | AP Payments; Printing Checks; Voids
AP Configurations | AP Setups; Create Accounting; Update Accounting; Payment & Tax Info; Open/Close Periods
PO Configurations | PO Setups; Define Approval Supplier List; Define Approval Group; Define Buyers; PO Receiving Transactions


ACG: AP Model List Screen Shot Example


ACG: AP Create Accounting Model Results Example


ACG: Conflicts Analysis Example

Process Area: AP Configurations

Entitlement: AP Create Accounting

MSE Payables Superuser-Payables > Create Accounting

MSE Receivables Superuser-Receivables > Create Accounting

OCI OPM Financials Superuser-Process Manufacturing Financials > Create Accounting

SAT Payables Superuser-Payables > Create Accounting

SAT Receivables Super User-Receivables > Create Accounting

OCI Receivables Superuser-Receivables > Create Accounting

OCI Payables Superuser-Payables > Create Accounting

OCI Payables Manager-Payables > Create Accounting

OCI Payables User-Payables > Create Accounting

OCI Receivables Manager-Receivables > Create Accounting

OCI Receivables User-Receivables > Create Accounting

OCI OPM Financials Manager-Process Manufacturing Financials > Create Accounting

• Identified Superuser roles to eliminate

• Manager & User could create accounting; created new “set-up” role for all set-up/config entitlements

• Discovered roles outside AP could create AP accounting; eliminated AP create accounting for those roles


ACG/PCG: User Access Review Workflow Control

• Implemented a user access review process to eliminate manual review of spreadsheets and allow role end dating by reviewers.


PCG: Vendor Master File Workflow & Monitoring

• Prior to the project, any user responsibility with the Supplier Master entitlement could add and modify the vendor master file, and visibility into changes was limited.

• The solution had two parts, both utilizing PCG:

1) Developed a one-level approval workflow that tightly controlled who could create and approve new vendors.

2) Developed a vendor master file Audit Report that showed all additions and changes to the vendor master, as well as users who made the changes, a time stamp and respective approvals.


PCG: Vendor Master File Change Report Example

Change in Terms

Addition of new vendor, time stamp of who entered and time stamp of approval

Change in Tax ID and Zip


CCG: Purchasing & AP Configuration Monitoring

 | Purchasing | Accounts Payable
Change Trackers | 11 | 10
Snapshots | 34 | 31

CCG allowed OCI to better understand configuration for Purchasing & AP by utilizing the following:

• OCI is now analyzing if settings are appropriate and/or fully utilized, for example:

– There are over 90 types of holds; Are all necessary and have they been reviewed recently?

– “Use Invoice Approval Workflow” is not utilized, representing an opportunity for future process enhancement by eliminating a manual approval process and leveraging existing Oracle ERM capability.

• Another benefit is enhanced monitoring and audit capability by department managers, Internal Audit and External Audit.


CCG: Change Tracker Example

List of Change Trackers: PO selected

List of PO Trackers with Results; Buyer results on next slide


CCG: Change Tracker Results Example, Buyers Object

• In the first record a new buyer was added; in the second record a buyer was end dated.


TCG: Created Models Example

• Upon evaluation of OAC, OCI wanted to leverage TCG to enhance its ability to monitor sensitive transactions as well as develop a continuous monitoring program.

• Below are examples of models created:


TCG: Duplicate Invoice Model - Invoice # & Invoice $

1. Pick Objects

2. Set Logic & Filters

3. Choose how to view results
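
The three steps above, sketched as an added Python example that is not part of the original presentation and is not Oracle TCG code: invoices are the object, the logic is a match on both invoice number and invoice amount, and the results are grouped per suspected duplicate. The field names, status values, the number normalisation and the sample invoices are assumptions constructed for illustration.

```python
from collections import defaultdict
from decimal import Decimal

# Step 1, pick objects: constructed sample AP invoices (not data from the slides).
INVOICES = [
    {"id": 1001, "supplier": "ACME SUPPLY", "number": "INV-4471", "amount": "12500.00", "status": "VALIDATED"},
    {"id": 1002, "supplier": "ACME SUPPLY", "number": "inv-4471 ", "amount": "12500.0", "status": "VALIDATED"},
    {"id": 1003, "supplier": "ACME SUPPLY", "number": "INV-4471", "amount": "12500.00", "status": "CANCELLED"},
    {"id": 1004, "supplier": "NORTH RAIL", "number": "INV-4471", "amount": "980.00", "status": "VALIDATED"},
    {"id": 1005, "supplier": "NORTH RAIL", "number": "77120", "amount": "310.45", "status": "VALIDATED"},
    {"id": 1006, "supplier": "NORTHRAIL LLC", "number": "77120", "amount": "310.45", "status": "PAID"},
]


def match_key(inv):
    """Step 2, logic: invoice number and invoice amount must both match."""
    number = inv["number"].strip().upper()  # assumption: ignore case and stray spaces
    amount = Decimal(inv["amount"]).quantize(Decimal("0.01"))  # exact cents, no floats
    return number, amount


def find_duplicates(invoices, excluded_statuses=("CANCELLED",)):
    """Return {(number, amount): [invoice ids]} for every key seen more than once."""
    groups = defaultdict(list)
    for inv in invoices:
        # Step 2, filter (assumed): a cancelled invoice cannot be paid twice.
        if inv["status"] in excluded_statuses:
            continue
        groups[match_key(inv)].append(inv["id"])
    return {key: sorted(ids) for key, ids in groups.items() if len(ids) > 1}


def report(invoices):
    """Step 3, results view: one line per suspected duplicate group."""
    found = find_duplicates(invoices)
    return [f"{num} {amt}: invoices {ids}" for (num, amt), ids in sorted(found.items())]


if __name__ == "__main__":
    print("\n".join(report(INVOICES)))
```

Invoice 1004 shares a number with the first group but not the amount, so it is not flagged; invoices 1005 and 1006 are flagged even though the supplier names differ, which is the case a reviewer would want to check against the vendor master.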


Implementation Approach For Purchasing & AP

Internal Audit PMO & Facilitator

PWC Implementation Partner

IT Steering Committee

Controller

Director of Procurement

Accounts Payable Process

Oracle AP Module

Purchasing Process

Oracle Purchasing Module

Project Management & Implementation

Business & Control Owners

Oracle Module Ownership

Governance Level

Other Owner

Other Oracle Module


Challenges and Opportunities with OAC

• Challenges:

– Due to a smaller organization, encountered challenges with:

• General Administration

• Business adoption due to bandwidth

• Volume of data

• Opportunities

– However, due to a smaller organization, opportunities:

• Greater insight for those who do use the tool

• Key people become more familiar with Oracle and their respective modules

• Cost savings with leveraging power of the tool vs. customization

• Etc.


Next Steps

• ACG: Initiate role enhancement project; includes evaluation of role design and assignment of roles to respective users.

• ACG/PCG: PO and AP “module” owners will now review PO/AP users for appropriate access, ensuring a controlled user population.

• CCG: Formally leverage CCG results to enhance policy, further optimize controls with any underutilized set-ups and actively monitor key configurations/set-ups.

• TCG: Build out continuous monitoring program by leveraging existing “models”, adding models over time as expertise is gained.


Risk Management Cloud Resources


cloud.oracle.com

Release 10 Readiness

Documentation

Customer Connect
