oci - oracle grc advanced controls case study con7987 update #10
TRANSCRIPT
Copyright © 2015, Oracle and/or its affiliates. All rights reserved.
Using Oracle GRC Advanced Controls to Achieve Your Procure-to-Pay Process Objectives CON7987
Hal Kazi Oracle GRC Product Development Oct 27, 2015
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
OCI Enterprises (“OCI”) Company Profile
• OCI Enterprises is the North American subsidiary of OCI Company Ltd based in Seoul, South Korea.
• Headquartered in Atlanta, Georgia, OCI Enterprises consists of two divisions: Chemical and Energy.
• The Chemical Division primarily consists of a trona mining and soda ash production business that is also a general partner in a master limited partnership (MLP) named “OCI Resources” with shares publicly traded on the New York Stock Exchange.
• Trona is one of the world’s most abundant resources and is refined into soda ash, which is used in glass making, detergents, chemicals and other consumer and industrial products.
• The Energy Division primarily consists of solar power development and solar panel manufacturing.
Note: On October 23, 2015 Ciner Group, a Turkish company, purchased OCI Chemical from OCI Enterprises. OCI Resources will become Ciner Resources.
OCI Business Case
• Due to public company reporting requirements of OCI Resources, LP, OCI sought to strengthen the control environment
• Pain points included:
– Challenges analyzing and monitoring the user environment
– Lack of visibility into additions/changes to the vendor master file
– Limited control of additions to the vendor master file
– Challenges monitoring key configurations and/or changes
• Company also desired a way to monitor transactions: ad hoc monitoring and future continuous monitoring by both the business and Internal Audit
• OCI was well positioned to utilize Oracle Advanced Controls applications
• Partnered with PWC for implementation over a 5-month period
Project Approach
• Configuration Controls Governor
• Transaction Controls Governor
• Preventive Controls Governor
• Access Control Governor
• User Access Analysis & Monitoring
• Vendor Masterfile Workflow & Monitoring
• Purchasing & AP Configuration and Set-up Monitoring
• Continuous Monitoring: Policy & Anti-Fraud
ACG: User Role Entitlements
• Selected key entitlements and built ACG controls to analyze existing
roles and discover potential conflicts:
Process Area: Entitlements
• Add/Modify Vendor Masterfile: AP Supplier Master
• Purchase Order Processing: Requisition Entry, PO Entry
• Receiving: Receiving Transactions
• Invoice Processing: Invoice Entry, Invoice Matching, Recurring Invoice, Release Holds, Approve Invoices
• Payment Processing: AP Payments, Printing Checks, Voids
• AP Configurations: AP Setups, Create Accounting, Update Accounting, Payment & Tax Info, Open/Close Periods
• PO Configurations: PO Setups, Define Approval Supplier List, Define Approval Group, Define Buyers, PO Receiving Transactions
ACG: AP Model List Screen Shot Example
ACG: AP Create Accounting Model Results Example
ACG: Conflicts Analysis Example
Process Area: AP Configurations
Entitlement: AP Create Accounting
MSE Payables Superuser-Payables > Create Accounting
MSE Receivables Superuser-Receivables > Create Accounting
OCI OPM Financials Superuser-Process Manufacturing Financials > Create Accounting
SAT Payables Superuser-Payables > Create Accounting
SAT Receivables Super User-Receivables > Create Accounting
OCI Receivables Superuser-Receivables > Create Accounting
OCI Payables Superuser-Payables > Create Accounting
OCI Payables Manager-Payables > Create Accounting
OCI Payables User-Payables > Create Accounting
OCI Receivables Manager-Receivables > Create Accounting
OCI Receivables User-Receivables > Create Accounting
OCI OPM Financials Manager-Process Manufacturing Financials > Create Accounting
• Identified Superuser roles to eliminate
• Manager & User could create accounting; created new “set-up” role for all set-up/config entitlements
• Discovered roles outside AP could create AP accounting; eliminated AP create accounting for those roles
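The conflicts analysis on this slide can be reproduced as a small script. This is an added example, not Oracle ACG output or code from the presentation: the role and menu paths are transcribed from the slide, while the three bucket names and the rule order (Superuser first, then module, then the set-up role) are assumptions that mirror the slide's findings.

```python
# Role/menu paths transcribed from the slide; the bucketing rules are assumptions.
ENTITLEMENT_FUNCTION = "Create Accounting"
OWNING_MODULE = "Payables"  # the module that should own AP Create Accounting

ACCESS_PATHS = """\
MSE Payables Superuser-Payables > Create Accounting
MSE Receivables Superuser-Receivables > Create Accounting
OCI OPM Financials Superuser-Process Manufacturing Financials > Create Accounting
SAT Payables Superuser-Payables > Create Accounting
SAT Receivables Super User-Receivables > Create Accounting
OCI Receivables Superuser-Receivables > Create Accounting
OCI Payables Superuser-Payables > Create Accounting
OCI Payables Manager-Payables > Create Accounting
OCI Payables User-Payables > Create Accounting
OCI Receivables Manager-Receivables > Create Accounting
OCI Receivables User-Receivables > Create Accounting
OCI OPM Financials Manager-Process Manufacturing Financials > Create Accounting
""".splitlines()

def parse_path(line):
    """Split '<role>-<module> > <function>' into its three parts."""
    left, function = (part.strip() for part in line.split(" > ", 1))
    role, module = (part.strip() for part in left.rsplit("-", 1))
    return role, module, function

def classify(role, module):
    """Return the remediation bucket for one role that reaches the entitlement."""
    # 'Super User' and 'Superuser' both appear on the slide, so ignore spacing.
    if "superuser" in role.lower().replace(" ", ""):
        return "eliminate superuser role"
    if module != OWNING_MODULE:
        return "remove entitlement (role outside AP)"
    return "move entitlement to set-up role"

def analyze(paths):
    """Group every role that can reach the entitlement by remediation bucket."""
    findings = {}
    for line in paths:
        role, module, function = parse_path(line)
        if function == ENTITLEMENT_FUNCTION:
            findings.setdefault(classify(role, module), []).append(role)
    return findings

if __name__ == "__main__":
    for bucket, roles in analyze(ACCESS_PATHS).items():
        print(f"{bucket}: {len(roles)} role(s)")
        for role in roles:
            print(f"  {role}")
```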
ACG/PCG: User Access Review Workflow Control
• Implemented a user access review process to eliminate manual review of spreadsheets and allow role end dating by reviewers.
PCG: Vendor Master File Workflow & Monitoring
• Prior to the project, any user responsibility with the Supplier Master entitlement could add and modify the vendor master file, and visibility into changes was limited.
• The solution had two parts, both utilizing PCG:
1) Developed a one-level approval workflow that tightly controlled who could create and approve new vendors.
2) Developed a vendor master file Audit Report that showed all additions and changes to the vendor master, as well as the users who made the changes, a time stamp and the respective approvals.
PCG: Vendor Master File Change Report Example
Change in Terms
Addition of new vendor, time stamp of who entered and time stamp of approval
Change in Tax ID and Zip
CCG: Purchasing & AP Configuration Monitoring
CCG allowed OCI to better understand configuration for Purchasing & AP by utilizing the following:
                   Purchasing    Accounts Payable
Change Trackers    11            10
Snapshots          34            31
• OCI is now analyzing if settings are appropriate and/or fully utilized, for example:
– There are over 90 types of holds; are all necessary and have they been reviewed recently?
– “Use Invoice Approval Workflow” is not utilized, representing an opportunity for future process enhancement by eliminating a manual approval process and leveraging existing Oracle ERM capability.
• Another benefit is enhanced monitoring and audit capability by department managers, Internal Audit and External Audit.
CCG: Change Tracker Example
List of Change Trackers: PO selected
List of PO Trackers with Results; Buyer results on next slide
CCG: Change Tracker Results Example, Buyers Object
• In the first record a new buyer was added; in the second record a buyer was end dated.
TCG: Created Models Example
• Upon evaluation of OAC, OCI wanted to leverage TCG to enhance its ability to monitor sensitive transactions as well as develop a continuous monitoring program.
• Below are examples of models created:
TCG: Duplicate Invoice Model- Invoice # & Invoice $
1. Pick Objects
2. Set Logic & Filters
3. Choose how to view results
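The three steps of the duplicate invoice model can be sketched outside the tool as follows. This is an added example, not TCG's implementation or code from the presentation: the invoice records are constructed, and the invoice-number normalization and the cancelled-invoice filter are assumptions about what the "Logic & Filters" step might contain.

```python
from collections import defaultdict
from decimal import Decimal
import re

# Step 1 (pick objects): constructed sample invoices, not data from the presentation.
INVOICES = [
    {"id": 1, "supplier": "Acme Supply", "number": "INV-1001", "amount": "1250.00", "cancelled": False},
    {"id": 2, "supplier": "Acme Supply Inc", "number": "inv 1001", "amount": "1250.0", "cancelled": False},
    {"id": 3, "supplier": "Bolt Freight", "number": "7734", "amount": "310.55", "cancelled": False},
    {"id": 4, "supplier": "Bolt Freight", "number": "007734", "amount": "310.55", "cancelled": True},
    {"id": 5, "supplier": "Core Labs", "number": "INV-1001", "amount": "1250.01", "cancelled": False},
    {"id": 6, "supplier": "Delta Tools", "number": "A-55", "amount": "99.00", "cancelled": False},
]

def normalize_number(raw):
    """Fold case, drop separators and leading zeros so 'inv 1001' matches 'INV-1001'."""
    cleaned = re.sub(r"[^A-Z0-9]", "", raw.upper())
    return cleaned.lstrip("0") or "0"

def find_duplicates(invoices, include_cancelled=False):
    """Step 2 (logic and filters): group on invoice # and invoice $."""
    groups = defaultdict(list)
    for inv in invoices:
        if inv["cancelled"] and not include_cancelled:
            continue  # assumed filter: cancelled invoices are out of scope
        # Decimal keeps 1250.00 and 1250.0 equal without float rounding.
        key = (normalize_number(inv["number"]), Decimal(inv["amount"]))
        groups[key].append(inv)
    return {k: v for k, v in groups.items() if len(v) > 1}

def report(duplicates):
    """Step 3 (view results): one row per duplicate group, largest exposure first."""
    rows = []
    for (number, amount), invs in duplicates.items():
        exposure = amount * (len(invs) - 1)  # amount at risk of being paid again
        rows.append((exposure, number, [i["id"] for i in invs],
                     sorted({i["supplier"] for i in invs})))
    return sorted(rows, key=lambda r: r[0], reverse=True)

if __name__ == "__main__":
    for exposure, number, ids, suppliers in report(find_duplicates(INVOICES)):
        print(f"{number}: invoices {ids}, suppliers {suppliers}, exposure {exposure}")
```

Because the key is invoice number and amount only, the same invoice entered under two spellings of a supplier name still lands in one group.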
Implementation Approach For Purchasing & AP
[Diagram. Levels: Governance Level; Project Management & Implementation; Business & Control Owners; Oracle Module Ownership. Boxes:]
• IT Steering Committee
• Internal Audit: PMO & Facilitator
• PWC: Implementation Partner
• Controller
• Director of Procurement
• Other Owner
• Accounts Payable Process: Oracle AP Module
• Purchasing Process: Oracle Purchasing Module
• Other Oracle Module
Challenges and Opportunities with OAC
• Challenges:
– Due to a smaller organization, encountered challenges with:
• General Administration
• Business adoption due to bandwidth
• Volume of data
• Opportunities
– However, due to a smaller organization, opportunities:
• Greater insight for those who do use the tool
• Key people become more familiar with Oracle and their respective modules
• Cost savings with leveraging power of the tool vs. customization
• Etc.
Next Steps
• ACG: Initiate role enhancement project; includes evaluation of role design and assignment of roles to respective users.
• ACG/PCG: PO and AP “module” owners will now review PO/AP users for appropriate access, ensuring a controlled user population.
• CCG: Formally leverage CCG results to enhance policy, further optimize controls with any underutilized set-ups and actively monitor key configurations/set-ups.
• TCG: Build out continuous monitoring program by leveraging existing “models”, adding models over time as expertise is gained.