oracle corp source to settle - grc advanced controls case study con7988 update# 7

GRC Controls at Oracle Travel and Expense Reporting

Gena Alexander
Sr. Director, S2S Strategy and Operations
Oracle, Source-to-Settle
October 26, 2015

Copyright © 2015 Oracle and/or its affiliates. All rights reserved.

Oracle Confidential – Internal/Restricted/Highly Restricted

Upload: oracle-risk-management-cloud

Post on 19-Jan-2017


Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.


Introduction

• Gena started her career at Oracle as a Purchasing Buyer in June 1998 and evolved within the company as the Procurement Global Process Owner and Source-to-Settle Strategy Owner for 12 years.

• Gena is now a Senior Director leading both the Strategy and Operations teams supporting all Source-to-Pay and Expense-to-Pay functions at Oracle Corporation globally.


Oracle Corporation

Scale

• $38.2B in revenue in FY15*

• 400,000 customers in 145 countries

• $60B on more than 100 acquisitions

• 25,000+ partners

• 18,000 customer support specialists, speaking 29 languages

• 17,000 implementation consultants

• 120,000+ employees

• 1.5M expense reports annually

• 548K POs issued annually

• 941K invoices processed annually

Innovation

• #1 in 50 product and industry categories

• #2 software company in the world

• #2 cloud company in the world

• 17,000+ patents worldwide

• 36,000 developers and engineers

• 15 million developers in Oracle online communities

• 900 independent Oracle user groups with 500,000 members

* GAAP revenue reported in USD as of May 31, 2015


Oracle E-Business Suite – Release 12.3

[Diagram: Source-to-Settle application footprint. Areas: Supplier Enablement, Employee Self-Service, Supplier Management, Procure-to-Pay, Strategic Sourcing, Contract Management, Spend & Performance Analytics. Modules: iSupplier Portal, Supplier Network*, Purchasing, Accounts Payable, Fixed Assets, iProcurement, iExpenses, Supplier Lifecycle Mgmt, Supplier Hub, Sourcing, OSOD, Sourcing Optimization, Procurement Contracts, Spend Classification, Procurement & Spend Analytics, Employee Expenses.]


Problem Summary

• Misuse and policy violations detected in one-off situations by manual analysis.

• Expanding post-payment analysis in line with the organization's goal.

• Difficult to identify misuse over time across multiple expense reports.

• Only limited analysis performed, using multiple reporting tools followed by manual manipulation/review in Excel (an inefficient and time-consuming process).

• Need an internal tool to perform data mining and analysis on expense reports to support investigations and identify potentially high-risk and fraudulent activities.


Implementation Goal

Strengthen Internal Expense Compliance

– Move audit approach from upfront audit to backend analysis.

• Policy- and pattern-based detection.

• Forensic audit on suspicious transactions.

• Identify repeat offenders.

• Targeted communication driven by audit findings.


GRC Footprint

Current Status

GRC Transaction Controls Governor was implemented in 2013

GRC is used as a post-payment expense audit tool to identify misuse and non-compliance with our policies

Increased targeted audits on suspicious transactions and added capabilities to audit across multiple transactions/employees

Future Plans

Complete the upgrade of GRC to 8.6.5.8027 to improve performance and add functionality

Create additional, more complex expense controls and aim to reduce individual transaction audits

Enable GRC for Accounts Payable and Purchasing data in order to implement additional controls across the Source-to-Settle area and increase policy compliance

Key Stats

10 controls that have identified > 10k transactions that required investigation

Educated non-compliant employees to increase future policy compliance


Lessons Learned

• GRC Control vs. Model or Report

– During the initial stages of the project, clearly identify which criteria make something suitable to be a GRC control versus what can be achieved through reporting

– Ensure the number of incidents reported is manageable for the end users

• Promote Modules to Production

– Exporting and importing models and controls between test and production systems is time-effective and guarantees identical setups on production

• Standard seeded models need adjustments to a specific company's needs and available data points


Lessons Learned Continued

• Include data vs. exclude data

– Use of ‘include’ filtering is a more effective way to identify incidents precisely. ‘Exclude’ filtering can result in a lot of false positives

• Credit Card Information and Usage

– Detailed credit card information allows for more detailed and accurate controls

• Enforce use of credit cards

• Use credit card integration

• Enable 3rd level data import


What Makes a Good Control?

Definition of a Good Control

• Focus on identifying non-compliance that cannot be identified through the traditional audit process of individual transactions. Look for patterns or duplications across multiple expense reports and/or employees

• Are the incidents identified individually actionable?

• Do you need to track the actions taken on all reported incidents?

Examples

• Good controls:

- Meal expense and Per Diem claimed for the same day by the same employee?

- Mileage and car rental expense claimed for the same day by the same employee?

- Meal with same attendees claimed for the same amount and day?

• Unsuitable controls:

- A list of top X expense submitters

- A list of all top expense types by $ value
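
The three "good control" examples above, written as cross-report checks in Python. This is an added illustration, not Oracle GRC configuration or code from the presentation; the record layout, expense-type codes and sample lines are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed expense lines (not real data). Layout and type codes are
# assumptions for this sketch: (report, employee, day, type, cents, attendees).
LINES = [
    ("ER-1001", "E01", date(2015, 3, 2), "MEAL", 4200, ()),
    ("ER-1007", "E01", date(2015, 3, 2), "PER_DIEM", 6000, ()),   # other report, same day
    ("ER-1002", "E02", date(2015, 3, 5), "MILEAGE", 3100, ()),
    ("ER-1002", "E02", date(2015, 3, 5), "CAR_RENTAL", 8900, ()),
    ("ER-1003", "E03", date(2015, 3, 9), "MEAL", 18000, ("E03", "E04")),
    ("ER-1004", "E04", date(2015, 3, 9), "MEAL", 18000, ("E04", "E03")),
    ("ER-1005", "E05", date(2015, 3, 10), "MEAL", 2500, ()),
    ("ER-1005", "E05", date(2015, 3, 11), "PER_DIEM", 6000, ()),  # different day: fine
]

CONFLICTS = {  # 'include' filtering: each control names exactly the types it inspects
    "meal_and_per_diem": ({"MEAL"}, {"PER_DIEM"}),
    "mileage_and_car_rental": ({"MILEAGE"}, {"CAR_RENTAL"}),
}

def conflicting_types(lines, left, right):
    """Employee/day pairs claiming a type from both sets, across all reports."""
    groups = defaultdict(list)
    for report, emp, day, etype, _cents, _attendees in lines:
        if etype in left | right:
            groups[(emp, day)].append((report, etype))
    hits = []
    for emp, day in sorted(groups):
        reports, types = zip(*groups[(emp, day)])
        if left & set(types) and right & set(types):
            hits.append({"employee": emp, "day": day, "reports": sorted(set(reports))})
    return hits

def duplicate_meals(lines):
    """Meals with the same attendee set, amount and day claimed more than once."""
    groups = defaultdict(list)
    for report, emp, day, etype, cents, attendees in lines:
        if etype == "MEAL" and attendees:
            groups[(frozenset(attendees), cents, day)].append((report, emp))
    return [{"day": day, "cents": cents, "reports": sorted(r for r, _ in claims),
             "claimants": sorted({e for _, e in claims})}
            for (_att, cents, day), claims in groups.items() if len(claims) > 1]

def run_controls(lines):
    incidents = {name: conflicting_types(lines, left, right)
                 for name, (left, right) in CONFLICTS.items()}
    incidents["duplicate_meal"] = duplicate_meals(lines)
    return incidents
```

Each returned incident names the employee(s), day and reports involved, so it can be assigned and tracked on its own, which is the property the slide uses to separate a control from a report.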


Agenda

1. Panelist Introductions

2. Travel and Expense Reporting Controls - Panel Discussion

3. More Resources


Oracle GRC Wins Ventana Technology Innovation Award!

“Oracle’s GRC solution provides a unique approach to the problem of risk management by automating risk controls which are embedded into critical business processes; applying leading edge technologies to solve complex risk challenges.”

- Mark Smith, CEO of Ventana Research


Pennsylvania Treasury GRC Project Wins Multiple Awards

An elite panel of judges (NASA CIO, FCC CIO, Army CIO and others) selected the PA Treasury IT project as one of the top 10 public sector projects of the nation


Case Studies and Speakers at OpenWorld 2015


Source-to-Settle


Follow us and join the conversation.

Oracle GRC Advanced Controls Group

OracleAdvControls @OracleAdvCntrls

Keep Learning with Oracle University

Classroom Training

Learning Subscription

Live Virtual Class

Training On Demand

Cloud

Technology

Applications

Industries

education.oracle.com