reduce sod access violations with effective roles management techniques

Post on 21-Jun-2015


Page 1: Reduce sod access violations with effective roles management techniques

Leverage Technology: Move Your Business Forward™

Enterprise Risk Management, Financial Close Monitor, Advanced Controls Catalog, Enterprise Audit, GRC Monitor

FulcrumWay: Leading Provider of Enterprise Risk Assessment, Mitigation and Remediation Solutions

Copyright © Fulcrum Information Technology, Inc.

"Give me a lever long enough and a fulcrum on which to place it, and I shall move the world." - Archimedes

Rapidly reduce Segregation of Duty Violations in Oracle EBS R12 Responsibilities with effective roles management techniques.

Page 2

www.fulcrumway.com Page 2 Copyright © FulcrumWay

Reduce SOD Access Violations with effective roles management techniques.

Agenda

• Introduction
• Top SOD Challenges in Oracle EBS
• SOD Controls Assessment Overview
• Role Design Techniques
• Case Study
• Q&A


Page 4

FulcrumWay: Intelligent, Integrated, Instant Risk Management™

FulcrumWay is the #1 End-to-End Provider of Enterprise Risk Management Expertise, Solutions and Software Services for Oracle EBS, PeopleSoft and JDE customers, with over 200 Fortune-500 to Middle Market clients. Since 2003, we have successfully assisted companies across all major industry segments.

Expertise: Risk Advisory Services. Advanced Controls Design for Enterprise Business Applications. Best Practices for Risk Mitigation and Internal Controls Automation. Audit, Compliance, Financial, Enterprise and Operational Risk Assessments. Risk Remediation Services such as Segregation of Duties.

Packaged Solutions: FulcrumWay is the #1 choice of Oracle customers for Oracle GRC Manager, GRC Controls and GRC Intelligence/OBIEE software implementation. Oracle has certified us as the only partner with Accelerators for Oracle GRC. We also provide Managed Services and Hosting for Oracle GRC applications.

Software Services: Risk Management Tools: Enterprise Risk Manager, Financial Close Risk Manager, Risk Based Audit Manager, IT Risk Workbench, and Advanced Controls Catalog. Data Management Tools: Rules Repository, DataProbe™ adaptors and Data Hub.

USA Presence: Privately held Delaware Corporation with US offices in New York City, Dallas and San Francisco.

International Presence: Chennai, Dubai, Kampala, London, Rome, Santiago, Singapore.

Introduction

Page 5

Our Experience: FulcrumWay Clients

• Government
• Oil and Gas
• Healthcare
• Communications
• Financial Services
• Industrial Equipment
• Natural Resources
• Manufacturing
• Retail
• High Tech
• Media and Entertainment
• Life Sciences

Page 6

FulcrumWay™ Insight: Thought Leadership (Our Experience)

• Co-Authored GRC Book: first book on GRC for Oracle Applications
• Executive Round Tables – GRC Solutions for Energy Industry, Houston, November 2012
• OAUG GRC Solution Lab – April 7th–11th, Denver: GRC Case Studies and Best Practices
• IIA Presentations – Top Five Reasons for Automating Application Controls
• Collaborate 13 – GRC Client Appreciation Dinner, April 9th, 2013, Denver
• Webcasts – GRC Best Practices, Trends and Expert Insight
• Oracle Open World – Annual GRC Dinner on September 23rd, 2013, W Hotel San Francisco
• LinkedIn – FulcrumWay Risk, Compliance and Audit Software Group
• YouTube Podcasts – FulcrumWay Instant Insight in 10 min or less


Page 8

Enforce Segregation of Duty Controls and Security Policies

We cannot use Oracle "seeded" Responsibilities because of inherent SOD conflicts. A GL Super User can Enter Journals, Post Journals, Change Approval Limits, Update GL Accounts and Change Calendar. Our R12 patches created even more SOD issues.

• Which SOD Policies will mitigate the risk in our Oracle Responsibility design?
• How do we ensure that the activities of users granted "super user" Responsibilities have an effective compensating control?
• Why do we have so many false positives, and how do we remove them from our analysis?
• What is an effective approach to design and test the Oracle security model before deployment?
• When will we be able to close all SOD incidents?

Top Challenges

Page 9

Complicated Security Model, High Risk of Segregation of Duties Issues

Oracle EBS access hierarchy: User → Responsibility → Menu → Function → Form

Evaluate User Access
• Test by User
• Test by Privilege

Manage Segregation of Duties
• Identify incompatible Privileges
• Predefined & Extensible SOD Rule Sets

Top Challenges

Page 10

Key Factors impacting SOD violations

• EBS release and the business cycles enabled by Oracle modules (Order to Cash, Procure to Pay, Record to Report, Hire to Retire, Design to Build, etc.):
  – An average R12 customer has over 35,000 functions and 12,500 menus
• Number and complexity of SOD Policies:
  – Range from 25 to 250
• Number of Business Units and variation in Responsibilities across the business
• Security Model – RBAC, Single Sign-On, OIM, etc.
• Number of Users and Responsibilities

Top Challenges

Page 11

Remediation in Oracle EBS is a permutation problem

User: John Doe
  Responsibility: Payables Manager, US
    Menu: AP_Navigate_GUI12
      Submenu: AP_Invoices_Entry
        Function: Invoice Batches

User: Mike Jones
  Responsibilities: Payables Supervisor; Payables User
    Menu: UK_AP_Navigate_GUI12
      SubMenu: AP_Invoices_Entry
    Menu: AX_Payables_User
      SubMenu: AP_Invoices_GUI12_G

Payables Users group: Payables Supervisor, Payables Manager US, Payables User (the same submenus appear under several Responsibilities)

What if we exclude 'Invoice Batches' from AP_Invoices_Entry?

Root Cause Analysis is required for remediation!

Top Challenges
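To make the permutation problem concrete, here is an added Python model of the User → Responsibility → Menu → Submenu → Function chain; it is illustration written for this transcript, not code from the slides or from FulcrumWay's products. It reuses the names shown above, while the AP_Payments_Entry submenu, the 'Payment Batches' function, the single SOD rule and the assignment of Mike Jones's menus to his two responsibilities are assumptions. It shows that dropping 'Invoice Batches' from the shared AP_Invoices_Entry submenu changes every Responsibility that includes that submenu, whereas a Responsibility-level exclusion removes the conflict for one user without touching the others.

```python
"""Toy model of the Oracle EBS access chain User -> Responsibility -> Menu ->
Submenu -> Function, showing why SOD remediation is a permutation problem.
Slide names are reused; AP_Payments_Entry, 'Payment Batches', the SOD rule and
the menu-to-responsibility wiring for Mike Jones are constructed assumptions."""
from copy import deepcopy

MENUS = {  # entries starting with "fn:" are functions, all others are submenus
    "AP_Navigate_GUI12":    ["AP_Invoices_Entry", "AP_Payments_Entry"],
    "UK_AP_Navigate_GUI12": ["AP_Invoices_Entry"],
    "AX_Payables_User":     ["AP_Invoices_GUI12_G"],
    "AP_Invoices_Entry":    ["fn:Invoice Batches", "fn:Invoices"],
    "AP_Invoices_GUI12_G":  ["fn:Invoice Batches"],
    "AP_Payments_Entry":    ["fn:Payment Batches"],  # constructed
}
# Responsibility -> (top menu, functions excluded at responsibility level)
RESPONSIBILITIES = {
    "Payables Manager, US": ("AP_Navigate_GUI12", set()),
    "Payables Supervisor":  ("UK_AP_Navigate_GUI12", set()),
    "Payables User":        ("AX_Payables_User", set()),
}
USERS = {"John Doe": ["Payables Manager, US"],
         "Mike Jones": ["Payables Supervisor", "Payables User"]}
# Constructed SOD policy: entering invoices conflicts with releasing payments.
SOD_RULES = [("Invoice Batches", "Payment Batches")]

def menu_functions(menu, menus):
    """Recursively collect every function reachable from a menu."""
    found = set()
    for entry in menus[menu]:
        if entry.startswith("fn:"):
            found.add(entry[3:])
        else:
            found |= menu_functions(entry, menus)
    return found

def resp_functions(resp, menus=MENUS, resps=RESPONSIBILITIES):
    """Effective functions of a responsibility: its menu tree minus exclusions."""
    top, excluded = resps[resp]
    return menu_functions(top, menus) - excluded

def user_functions(user, menus=MENUS, resps=RESPONSIBILITIES):
    """A user's privileges are the union over all assigned responsibilities."""
    return set().union(*(resp_functions(r, menus, resps) for r in USERS[user]))

def sod_violations(user, menus=MENUS, resps=RESPONSIBILITIES):
    """SOD rules for which the user holds both conflicting functions."""
    fns = user_functions(user, menus, resps)
    return [rule for rule in SOD_RULES if set(rule) <= fns]

def menu_edit_impact(menu, function, menus=MENUS, resps=RESPONSIBILITIES):
    """Responsibilities changed by dropping `function` from a shared menu definition."""
    edited = deepcopy(menus)
    edited[menu] = [e for e in edited[menu] if e != "fn:" + function]
    return sorted(r for r in resps if resp_functions(r, menus, resps) != resp_functions(r, edited, resps))

def resp_exclusion_impact(resp, function, resps=RESPONSIBILITIES):
    """Targeted fix: exclude `function` on one responsibility, then re-run the SOD check."""
    fixed = deepcopy(resps)
    fixed[resp] = (fixed[resp][0], fixed[resp][1] | {function})
    return {u: sod_violations(u, MENUS, fixed) for u in USERS}
```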


Page 13

FulcrumWay™ Application Risk Assessment Best Practices

Process steps:
• Select ERP Controls from FW Controls Catalogs
• Detect Control Violations
• Analyze Issues
• Confirm Findings
• Present Project Plan
• Implement ERP Advanced Controls
• Prepare Assessment Checklist
• Probe ERP Data
• Manage Exceptions
• Prepare Remediation Plan
• Establish Test Environment

Participants:
• FW Risk Advisor / Client Lead / Control Owners
• FW Risk Advisor / Client Lead
• Client Executive Sponsors
• FW / Client Project Team

Controls Assessment

Page 14

DataProbe™ extracts the security, setup and master data information

DataProbe™ is a desktop utility for the client DBA/manager to provide the data. On average it takes our clients less than an hour to install it and extract the ERP security, setup and master data for submission to FulcrumWay risk advisory services.

Controls Assessment

Page 15

FW Controls Catalog with over 1,000 advanced controls

Select SOD, Master Data, Setup, and Transaction Controls for the Risk Assessment. Detect control weaknesses across the ERP system to identify business process optimization opportunities.

Controls Assessment

Page 16

ERP Test environment consists of ERP configurations and data objects

Selected security, setup and data objects are included in the environment. ERP configuration such as 3-way match in Payables options, and master data such as Users, Responsibilities, Customers, Invoices, Suppliers, Assets and Payments records, are analyzed for control failure risks.

Controls Assessment

Page 17

Advanced Analytics to analyze ERP Risks

Pre-built Risk Analytics. Risk Reports available for client review. Risk Advisory identifies controls violations and has the capability to analyze issues and remove false positives to prepare the findings report.

Controls Monitoring

Page 18

Mitigate and Control Risks

Enforce Policies in Context
• SOD & Access: What users can do
• Application Configuration: How is the process set up
• Transaction Monitoring: How users execute processes

Monitor Control Effectiveness
• SOD & Access: What users have done
• Application Configuration: What's changed in the process
• Transaction Monitoring: What are the execution patterns

Oracle GRC product map: GRC Manager; GRC Controls (SOD & Access, Application Configuration, Transaction Monitoring; Preventive); GRC Intelligence

Controls Assessment

Page 19

Enforce Proper Segregation of Duties in Applications

Access control lifecycle (Detection and Prevention): Define Access Controls, Access Analysis, Remediation (Clean-up), Preventive Provisioning, Compensating Policies

• Accelerate deployment and time to value with pre-delivered controls library
• Mitigate risk of privileged user access to enterprise applications with approval workflow and audit trails
• Simplify segregation of duties enforcement with simulation and remediation

Oracle GRC product map: GRC Manager; GRC Controls (SOD & Access, Application Configuration, Transaction Monitoring; Preventive); GRC Intelligence

Controls Assessment

Page 20

Test integrity of transactions and controls across business processes

Transaction control lifecycle (Detection and Prevention): Define Transaction Controls, Transaction Analytics, Investigate Incidents, Enforce Transaction Controls, Prevent Suspicious Transactions

• Identify anomalies missed by traditional audit and controls
• Apply Advanced Forensic and Pattern Analysis
• Continuous Monitoring of Controls and Transactions

Oracle GRC product map: GRC Manager; GRC Controls (SOD & Access, Application Configuration, Transaction Monitoring; Preventive); GRC Intelligence

Controls Assessment


Page 22

FulcrumWay Roles Manager Overview

Eliminate the root cause of access control violations in ERP:
• Improve Segregation of Duty controls within mission critical applications
• Reduce ERP implementation and upgrade costs with pre-configured roles
• Lower ERP Total Cost of Ownership by assigning pre-approved Roles

We enable ERP Administrators to:
• Select pre-configured ERP roles from a roles catalog
• Update, Review and Approve Role design changes
• Identify SOD conflicts before the Roles are assigned to Users

Role Design

Page 23

FulcrumWay Roles Manager Features

Role Manager is an ERP security design tool. It contains a pre-configured catalog of roles which comply with segregation of duty (SOD) policies: roles by ERP module and the typical access requirements for those modules, such as Manager, Supervisor, Clerk, Inquiry, Business Setup and IT Setup.

You can use this tool to view existing role templates and design new roles by selecting or deselecting ERP functions/transactions. Once you complete the role design, you can send it, using workflows, to pre-assigned reviewers and approvers to finalize the roles. The role preparers, reviewers and approvers can also assess the SOD control risks before finalizing the roles.

• Leverage FW DataProbe/Scripts to load current Roles
• Secure access from the fulcrumway.com portal

Role Design

Page 24

Access to Roles Manager (Role Design)

Sign in to ERP Controls and navigate to Roles Manager at FulcrumWay.com. Roles Manager is a component of the FulcrumWay Risk Remediation software services and is available instantly over a secure internet connection.

Page 25

Select the Access Monitor icon, then click on the Maintain Access Roles tab.

Search and browse through the catalog of Roles for Oracle EBS R12. Roles Manager contains hundreds of Oracle EBS Responsibilities with SOD Controls designed into the configuration to give you a jump start.

Role Design

Page 26

Access to Roles Manager

Use a "source" role to create a new "target" role. View existing SOD issues with the "source" role. Assign Reviewers and Approvers for the role.

Embed SOD Controls into the Oracle Responsibilities design by eliminating conflicting business activities inherent in the EBS Responsibility configuration.

Role Design

Page 27

Access to Roles Manager (Role Design)

Select/Deselect business activities to update the Role configuration automatically. Reduce Role design time and effort by selecting business activities to drive the configuration of Oracle Responsibilities.

Page 28

Access to Roles Manager (Role Design)

Select/Deselect Request Sets to update the Role configuration automatically. Effective SOD Controls should include access to Concurrent Requests. Remember that in R12 you can open/close GL Periods by submitting a request.

Page 29

Access to Roles Manager (Role Design)

Review and approve Roles using email notifications. Reduce ERP implementation/upgrade costs and audit fees by enabling change controls over the Oracle Responsibilities. Reduce the risk of SOD control failure.

Page 30

Access to Roles Manager (Role Design)

Access the link to approve or reject the new Role.


Page 31

Access to Roles Manager (Role Design)

Assign Application Role Owner, Reviewer, Approver and Security Admin.



Page 33

Global car and equipment rental company improves employee productivity

Our Client
• Leader in the car and equipment rental businesses worldwide
• Providing quality car rental service for over 90 years
• Over 30,000 employees

Challenges
• Replace multiple legacy systems with one ERP solution
• Improve Segregation of Duty controls within mission critical applications
• Maintain consistent ERP system access roles across the subsidiaries, leveraging the shared services model
• Increase external auditors' reliance on ERP Access Controls Monitoring

Solutions
• GRC DataProbe
• ERP Controls Catalog
• ERP Roles Monitor

Results
• Reduced ERP Role design, build, testing and implementation time by 80%, resulting in over $200,000 cost savings during the ERP system implementation and global roll-out
• Created over 100 Segregation of Duty compliant Roles by business segment within two weeks from FulcrumWay Role Templates within the controls catalog
• Lowered ERP Total Cost of Ownership by reducing SoD remediation time and costs, by ensuring that all users are assigned only the pre-approved Roles
• Improved SoD and Access Controls testing time by providing auditors the access log reports showing all Update, Review and Approve Role design changes
• Accelerated ERP testing and deployment time by identifying SOD conflicts before the Roles are assigned to Users

Client case


Page 35

Summary and Q&A

Thank You! Join us on LinkedIn to view the webinar and discussion.