Overview and Current Trends with Governance, Risk and Compliance. Chris Martin, Oracle GRC Specialist. January 19, 2010.

Presentation Transcript


  1. Overview and Current Trends with Governance, Risk and Compliance. Chris Martin, Oracle GRC Specialist. January 19, 2010

  2. Agenda • GRC Today • Key Business Challenges • GRC is Good Business • Strategies to Consider: Solutions Today • Wrap Up

  3. The Big Picture (© OCEG) • Objectives: strategic, operational, customer, compliance and reporting objectives cascaded throughout the organization • Business Model: strategy, people, process, technology and infrastructure in place to drive toward objectives • Obstacles: impede progress toward achieving objectives • Mandated Boundary: boundary established by external forces including laws, government regulation and other mandates • Voluntary Boundary: boundary defined by management including public commitments, organizational values, contractual obligations, and other voluntary policies

  4. Governance, Risk, and Compliance (GRC) At-a-Glance (source: Open Compliance and Ethics Group) • Governance: set and evaluate performance against objectives; authorize the business strategy and model to achieve objectives • Culture: establish an organizational climate and individual mindset that promotes trust, integrity, and accountability • Risk Management: identify, assess, and address potential obstacles to achieving objectives; identify and address violations of mandated and voluntary boundaries • Compliance: encourage or require compliance with established policies and boundaries; detect non-compliance and respond accordingly

  5. Governance, Risk, & Compliance Management is more than just SOX (SOX = Sections 302 and 404). Other risks: • Enterprise Risk Management • Operational Risk Management • IT Governance • Identity Management • Database Security • Industry Regulations • Environmental Regulations • Records & Retention Management • Document and File Protections • eMail Security • OSHA Compliance

  6. The Boundaries Constantly Changing • AMERICAS: HIPAA; FDA 21 CFR Part 11; OMB Circular A-123; SEC and DoD records retention; USA PATRIOT Act; Gramm-Leach-Bliley Act; Federal Sentencing Guidelines; Foreign Corrupt Practices Act; Market Instruments 52 (Canada) • EMEA: EU Privacy Directives; UK Companies Law; Restriction of Hazardous Substances (RoHS/WEEE) • APAC: J-SOX, C-SOX, K-SOX, C49, etc.; CLERP 9: Audit Reform and Corporate Disclosure Act (Australia); Stock Exchange of Thailand Code on Corporate Governance • GLOBAL: International Accounting Standards; Basel II (global banking); OECD Guidelines on Corporate Governance

  7. While Cost of Compliance Continues to Rise (chart: $29 billion in 2007, $32 billion in 2008). “Governance, risk management, and compliance (GRC) spending will exceed $32B for 2008, up 7.4% from 2007, as companies shift toward identifying, assessing, and managing risk across numerous business and IT areas.” The Governance, Risk Management, and Compliance Spending Report, 2008–2009, AMR Research

  8. Practical Lessons from Sarbanes-Oxley: most organizations progress through a maturity curve (chart: cost against number of controls over time). Year 1 & 2, Define: manual, redundant efforts. Year 3, Rationalize: remediation & standardization. Year 4+, Automate, Monitor & Verify: embedded GRC & operational excellence. New AS5 guidance (PCAOB Auditing Standard No. 5): • Top-down, risk-based approach • Tailor the audit to the specific company profile • External auditors can use the work of others as evidence

  9. Agenda • GRC Today • Key Business Challenges • GRC is Good Business • Strategies to Consider: Solutions Today • Wrap Up

  10. Pain Points Our Clients are Facing: Multiple Requirements, Fragmented Response • No real-time visibility and communication to/from data, results, and status • Duplication of efforts: silos of compliance/audit activity with limited collaboration across functional groups companywide • Non-standard information architecture for audit/compliance activities • Lack of a sustainable platform for growth and change in the business environment

  11. Pain Points Our Clients are Facing: Insufficient Resources, Manual Efforts • Cost of audit and compliance activities • Not leveraging synergies across the broad spectrum of audit and compliance activities • Cumbersome and manual processes: many man-hours chasing and compiling paper • Inconsistent audit plans, work paper methodologies, reporting, etc. • No clearly defined roles and responsibilities holding individuals accountable for audit and compliance activities

  12. Pain Points Our Clients are Facing: GRC as an Afterthought, Holding Up the Business • No automated (preventive or mitigating) controls embedded into business processes • Limited Enterprise Value Management: compliance activities not built into the DNA of business processes • Paradigm shift required for external auditors and other outside auditors to leverage technology

  13. Agenda • GRC Today • Key Business Challenges • GRC is Good Business • Strategies to Consider: Solutions Today • Wrap Up

  14. GRC Drives Value • Reduced control deployment time by 80% • Reduced time for a normal audit from 2 months to 2 days • Reduced controls testing by 67%; 55% time savings among internal teams and 42% reduction in external auditor time • Improved control pass rate by 27% in the first year (0% before) • Reduced consulting fees by $1,000,000 • Reduced transaction time from 3-4 days to minutes • Resolved 85% of SOD issues across ERP • Reduced compliance turnaround time by 28% • Reduced compliance costs by 30%

  15. Intuit Achieves Payback in Less Than Five Months

  16. ROI Impact. Internal Controls Advisory Office impact, access controls review by CAO (review time): FY05 350 hrs/month; FY06 350 hrs/month; FY07 90 hrs/month; FY08 50 hrs/month. Since 2006, the Controls Advisory Office only tests new or modified configuration controls. External audit impact, access & configuration controls testing (external audit level of effort): 2005 14 weeks testing time, 6 auditors; 2006 14 weeks, 6 auditors; 2007 8 weeks, 4 auditors; 2008 not yet known (?)

  17. Qualcomm: Customer Perspective. “By using the embedded controls and workflows, we have been able to streamline complex interactions across multiple operating units, eliminate bottlenecks and validate accuracy much faster.” Jeffrey Flecker, Snr VP & Corp Controller, Qualcomm. Company overview: • World's premier wireless communications company • Top 100 operational & strategic excellence (CIO magazine) • Revenue > $7.5 billion • 19 operating units. Challenges / opportunities: • Accelerate the financial close process • SOX compliance and SOD, and streamline complex interactions across business units • Eliminate bottlenecks • Validate reporting accuracy, faster. Solution: Oracle GRC Controls Suite. Results: • Eliminated SOD conflicts to meet SOX compliance and improve the financial close process • Time to close each month: 2 days • Time to file 10-Q: 25 days • Time to file 10-K: 37 days

  18. Customer Proof Points. “Oracle’s GRC technology… • reduced our issue & remediation tracking time by 30%” • reduced our reporting efforts by 20%” • reduced our control and document aggregation efforts by 25%” • reduced our year-over-year audit fees by 18%” • resulted in a payback period of just over 1 year”

  19. Agenda • GRC Today • Key Business Challenges • GRC is Good Business • Strategies to Consider: Oracle Solutions • Wrap Up

  20. Summary of Key Business Challenges • 1. Multiple Requirements, Fragmented Response • 2. Insufficient Resources, Manual Efforts • 3. GRC as an Afterthought, Holding Up the Business. Sources: adapted from Deloitte Consulting, Open Compliance and Ethics Group, and IDC

  21–24. Strategies to Manage Risk and Compliance: Actions You Can Take Immediately (Oracle GRC Applications: Oracle GRC Intelligence, Oracle GRC Manager, Oracle GRC Controls) • Consolidate: multiple GRC activities, and provide real-time visibility • Automate: critical GRC tasks • Embed: automated controls into business processes

  25. GRC Application Suite – A la Carte. GRC Intelligence (alerts, reports, dashboards, key risk & control indicators): 360º visibility • Single source of GRC information • Pre-built dashboards • Respond to KRIs and issues. GRC Manager (risks, issues, processes, assessments, policies, remediation, procedures): centralized GRC oversight • Common repository for GRC • Audit and assessment of controls • Integrated remediation management. GRC Controls (Application Access Controls Governor, Configuration Controls Governor, Transaction Controls Governor, Preventive Controls Governor, over applications and infrastructure across Suppliers, Finance, Sales, R&D, Legal, Manufacturing, Customers and HR): embedded controls • Detective, preventive, contextual • Automated controls testing • Pre-built controls library

  26. Governance, Risk & Compliance Controls: Enforce Compliance with Access, Configuration & Transactional Controls (process control) • Access Controls • Configuration & Change Management Controls • Transaction Controls • Preventive Controls

  27. Preventive versus Detective Controls • Detective controls are based on monitoring or scanning databases for predefined conditions; their value is in “finding violations faster”, but after the fact, and every violation still has to be remediated • Preventive controls come in two flavors: basic prevention affects the provisioning of user rights; contextual prevention affects user behavior in real time • Preventive controls eliminate remediation, and their value increases as you refine policies and processes • You need both detective and preventive controls to balance risk with business continuity and to verify that controls are consistently effective

  28. Access Controls: provide fine-grained access control and segregation of duties. Know who has access to do what and ensure that someone isn’t given inappropriate privileges. Detection path: • Define Access Controls: define SOD conflict & business rules and policies • Access Analysis: execute an access analysis engine that understands the application’s detailed access architecture • Remediation (Clean-up): remediation and analysis via pre-packaged reports & what-if simulation. Prevention path: • Preventive Provisioning: real-time enforcement of SOD controls during user provisioning • Compensating Policies: handle exceptions with compensating process & transaction analysis policies

  29. Best Practice Policy Library. Note: best practice policy libraries deliver content from years of hands-on customer implementations. Each policy is comprised of several sub-policies and controls, depending on its complexity; the sum total of these sub-policies and controls is over 3,000 per ERP.

  30. Entitlements = Groups of Access Points. Use entitlements to group access points that correspond to a common privilege (e.g. several different pages allow you to enter a journal entry, so they all belong to one “enter journal” entitlement).

  31. Manage False-positives with Exception Conditions: use global and policy-level conditions to exclude false-positives from analysis and reporting.

  32. Conflict Paths (screenshot: conflict paths reported against Policy Library entries, e.g. Lawson-1275)
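The following is an added example, not code from the presentation or from Oracle's product, that puts slides 27 through 32 together in one small segregation-of-duties engine: entitlements group access points, a policy pairs two conflicting entitlements, global and policy-level exception conditions suppress accepted false-positives, and the same rules drive both the detective scan of existing assignments (reporting the conflict paths, i.e. which access points produce the violation) and the preventive what-if check during provisioning. All entitlement, access point, policy and user names are hypothetical.

```python
"""Toy segregation-of-duties (SOD) engine: entitlements, policies, exception
conditions, detective analysis and preventive provisioning checks.
Constructed example with hypothetical names; not Oracle's engine."""
from dataclasses import dataclass, field
from itertools import product

# Entitlement = group of access points (pages, forms, batch programs) that all
# grant the same business privilege, e.g. several ways to enter a journal.
ENTITLEMENTS = {
    "ENTER_JOURNAL":   {"GL_JOURNAL_ENTRY_FORM", "GL_JOURNAL_IMPORT", "GL_WEB_ADI"},
    "POST_JOURNAL":    {"GL_POST_FORM", "GL_AUTOPOST"},
    "CREATE_SUPPLIER": {"AP_SUPPLIER_FORM"},
    "PAY_SUPPLIER":    {"AP_PAYMENT_FORM", "AP_PAYMENT_BATCH"},
}

@dataclass(frozen=True)
class Policy:
    name: str
    ent_a: str
    ent_b: str
    # Policy-level exception condition: users accepted as compensated exceptions.
    excluded_users: frozenset = field(default_factory=frozenset)

# Global exception condition applied to every policy (e.g. a break-glass account
# whose use is covered by a separate monitoring control).
GLOBAL_EXCLUDED_USERS = frozenset({"BREAKGLASS_ADMIN"})

POLICIES = [
    Policy("SOD-GL-01", "ENTER_JOURNAL", "POST_JOURNAL"),
    Policy("SOD-AP-01", "CREATE_SUPPLIER", "PAY_SUPPLIER",
           excluded_users=frozenset({"AP_MANAGER"})),
]

def conflict_paths(access_points, policy):
    """Every (access point, access point) pair through which the user holds
    both sides of the policy; an empty list means no conflict."""
    side_a = access_points & ENTITLEMENTS[policy.ent_a]
    side_b = access_points & ENTITLEMENTS[policy.ent_b]
    return sorted(product(sorted(side_a), sorted(side_b)))

def is_excluded(user, policy):
    return user in GLOBAL_EXCLUDED_USERS or user in policy.excluded_users

def analyze(assignments):
    """Detective mode: scan current user -> access point assignments and
    report (user, policy, conflict paths) for every unexcluded violation."""
    findings = []
    for user, points in sorted(assignments.items()):
        for policy in POLICIES:
            if is_excluded(user, policy):
                continue
            paths = conflict_paths(set(points), policy)
            if paths:
                findings.append((user, policy.name, paths))
    return findings

def check_provisioning(assignments, user, new_point):
    """Preventive mode (what-if simulation): the policies that granting
    new_point to user would violate, so the request can be blocked or routed
    for approval before the access exists."""
    proposed = set(assignments.get(user, ())) | {new_point}
    return [p.name for p in POLICIES
            if not is_excluded(user, p) and conflict_paths(proposed, p)]

# Constructed sample assignments (user -> access points actually granted).
ASSIGNMENTS = {
    "JSMITH":           {"GL_JOURNAL_ENTRY_FORM", "GL_POST_FORM"},  # true SOD conflict
    "AP_MANAGER":       {"AP_SUPPLIER_FORM", "AP_PAYMENT_FORM"},     # policy-level exception
    "BREAKGLASS_ADMIN": {"GL_JOURNAL_IMPORT", "GL_AUTOPOST"},        # global exception
    "MJONES":           {"AP_SUPPLIER_FORM"},                        # clean today
}

if __name__ == "__main__":
    for user, policy, paths in analyze(ASSIGNMENTS):
        print(f"{user}: violates {policy} via {paths}")
    print("MJONES + AP_PAYMENT_BATCH ->",
          check_provisioning(ASSIGNMENTS, "MJONES", "AP_PAYMENT_BATCH"))
```

The detective scan reports only JSMITH; AP_MANAGER and BREAKGLASS_ADMIN hold the same kind of conflict but are excluded by the policy-level and global conditions, which is exactly the false-positive suppression slide 31 describes. The preventive check turns MJONES's request for AP_PAYMENT_BATCH into an SOD-AP-01 hit before the grant happens, so there is nothing to remediate afterwards.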

  33. Application Configuration Controls: detect and prevent configuration control failure. Ensure that critical setups conform to best practices and follow robust change management procedures. Prevention and detection steps: • Define Configuration Controls: define best practice policies & operating rules • Document or Compare Configurations: monitor for setup inconsistencies across multiple instances • Monitor Configuration Changes: record changes to sensitive setup data; compare before and after values for changes • Enforce Change Control: require conditional approval cycles (e.g., when a threshold is exceeded) • Manage Data Integrity: validate that setups and data updates conform to valid values

  34. Example of Setups and Key Controls (Setups = Key Controls). Setup data: • Application security • Document approvals • Chart of accounts • Profile options • Users • Application setups • MRP rules. Operational data: • Customers • Suppliers • Employees • Buyers • Items • Chart of account values • Category codes. Key controls: • Vendor tolerances • 3-way matching of PO, invoice and receipt • Document spending limits (authorization of PO) • Security rules: access to sensitive transactions • Employee salaries • Chart of account values • Financial statement reports (FSGs) • Price lists • Inventory attributes • Action for late delivery of goods • Inventory stocking rules • Rules to create tax on sales orders • Depreciation methods

  35. Document Configurations (screenshot)

  36. Compare Configurations: Differences (screenshot)

  37. Monitor Configuration Changes: When? Who? Where? What? (screenshot)
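An added example, not part of the presentation and not Oracle's Configuration Controls Governor, that walks the steps of slides 33 through 37 over constructed setup snapshots: define valid-value rules for sensitive setups, compare two instances for inconsistencies, record who changed what, when and where with before and after values, and decide which changes must go through an approval cycle. The setup keys, values and user names are hypothetical.

```python
"""Toy configuration-controls monitor: valid-value rules, cross-instance
compare, change audit records (who/when/where/what, before/after) and
change-control approval decisions. Constructed example, hypothetical keys."""

# Define Configuration Controls: (setup key, validity predicate, description).
# Values are kept as strings, the way ERP profile options usually are stored.
RULES = [
    ("AP.INVOICE_MATCH_OPTION", lambda v: v == "3-WAY", "invoices must be 3-way matched"),
    ("PO.APPROVAL_LIMIT_DEFAULT", lambda v: float(v) <= 10000, "default PO approval limit <= 10,000"),
    ("GL.JOURNAL_APPROVAL_REQUIRED", lambda v: v == "Y", "journal approval must be enabled"),
    ("AP.VENDOR_TOLERANCE_PCT", lambda v: 0 <= float(v) <= 5, "vendor price tolerance within 0-5%"),
]
SENSITIVE = {key for key, _, _ in RULES}

def validate(config):
    """Manage Data Integrity: rules the snapshot violates, as (key, value, rule)."""
    return [(key, config.get(key), desc) for key, ok, desc in RULES
            if key not in config or not ok(config[key])]

def compare(config_a, config_b):
    """Document or Compare Configurations: (key, value in a, value in b) for
    every setup that differs between two instances; None means not set."""
    keys = set(config_a) | set(config_b)
    return sorted((k, config_a.get(k), config_b.get(k)) for k in keys
                  if config_a.get(k) != config_b.get(k))

def record_changes(before, after, who, when, where):
    """Monitor Configuration Changes: one audit record per changed setup with
    who/when/where/what and before/after values; sensitive keys are flagged."""
    return [
        {"when": when, "who": who, "where": where, "what": k,
         "before": before.get(k), "after": after.get(k), "sensitive": k in SENSITIVE}
        for k in sorted(set(before) | set(after))
        if before.get(k) != after.get(k)
    ]

def needs_approval(changes, numeric_threshold=1000):
    """Enforce Change Control: a change to a sensitive setup, or a numeric
    setup moved by more than numeric_threshold, must go through an approval
    cycle before it is allowed to stand."""
    def delta(change):
        try:
            return abs(float(change["after"]) - float(change["before"]))
        except (TypeError, ValueError):
            return 0.0
    return [c["what"] for c in changes if c["sensitive"] or delta(c) > numeric_threshold]

# Constructed snapshots: production, a test instance, and production after an
# unreviewed change made directly in the database.
PROD = {
    "AP.INVOICE_MATCH_OPTION": "3-WAY",
    "PO.APPROVAL_LIMIT_DEFAULT": "5000",
    "GL.JOURNAL_APPROVAL_REQUIRED": "Y",
    "AP.VENDOR_TOLERANCE_PCT": "2",
    "INV.DEFAULT_WAREHOUSE": "W01",
    "INV.REORDER_POINT_UNITS": "100",
}
TEST = dict(PROD, **{"PO.APPROVAL_LIMIT_DEFAULT": "50000", "INV.DEFAULT_WAREHOUSE": "W02"})
PROD_AFTER = dict(PROD, **{"AP.INVOICE_MATCH_OPTION": "2-WAY",
                           "INV.DEFAULT_WAREHOUSE": "W03",
                           "INV.REORDER_POINT_UNITS": "5000"})

if __name__ == "__main__":
    print("PROD violations:", validate(PROD))
    print("TEST violations:", validate(TEST))
    print("PROD vs TEST:", compare(PROD, TEST))
    changes = record_changes(PROD, PROD_AFTER, who="DBA_JDOE", when="2010-01-19T09:30", where="PROD")
    print("changes:", changes)
    print("need approval:", needs_approval(changes))
```

Note the two different failure modes the example separates: the TEST instance is internally valid by its own rules except for the inflated PO approval limit, which `validate` catches, while the production change to 2-way matching is caught twice, by `validate` on the new snapshot and by `record_changes` plus `needs_approval` on the audit trail, which is what lets you see who made it and when.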

  38. Transaction Controls: detect and prevent erroneous and fraudulent transactions. Monitor transactions to detect business policy violations or unacceptable levels of risk or inefficiency. Prevention and detection steps: • Define Transaction Controls • Perform Transaction Analysis: identify transactions violating policy (e.g. un-approved vendor); detect patterns representing aggregate risk (e.g. micro-payments) • Review and Address Suspects: initiate a review / approval cycle based on automated policies • Preventive Transaction Control: approvals based on transaction data thresholds

  39. Comprehensive Transaction Monitors: detect patterns of heightened risk in business activity • Test against material thresholds: journal entry > $ threshold; employee checks (individual & sum) > $ threshold • Search for anomalies: PO terms differ from vendor; sales orders > acceptable $ range • Sampling of transactions: 4th quarter invoices; days sales outstanding balances • Detect fraudulent behavior: PO changes after approval; duplicate suppliers with same address • Embed contextual / automated compensating controls: alert on customer transactions over $ threshold; prevent journals from being entered and posted by the same individual
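An added example, not from the presentation and not Oracle's Transaction Controls Governor, implementing several of the monitors slide 39 lists as plain functions over constructed ERP-style records: journal and employee-check thresholds (individual and per-employee sum, which is the aggregate-risk pattern slide 38 mentions), PO terms that differ from the supplier master, PO amounts changed after approval, duplicate suppliers behind trivially varied addresses, and the compensating check that one person did not both enter and post a journal. Field names, ids and amounts are hypothetical.

```python
"""Toy transaction monitors over constructed ERP-style records.
Constructed example with hypothetical field names."""
from collections import defaultdict

# Constructed sample data. Supplier master keyed by supplier id.
SUPPLIERS = {
    "S100": {"name": "Acme Widgets Inc", "address": "12 Main St, Springfield", "terms": "NET30"},
    "S200": {"name": "ACME WIDGETS", "address": "12 MAIN ST. SPRINGFIELD", "terms": "NET30"},
    "S300": {"name": "Bolt Supply Co", "address": "7 Industrial Way, Shelbyville", "terms": "NET45"},
}
PURCHASE_ORDERS = [
    {"id": "PO-1", "supplier_id": "S100", "terms": "NET30", "amount": 4000, "approved_amount": 4000, "approved_at": "2010-01-10"},
    {"id": "PO-2", "supplier_id": "S300", "terms": "NET60", "amount": 9000, "approved_amount": 9000, "approved_at": "2010-01-11"},
    {"id": "PO-3", "supplier_id": "S300", "terms": "NET45", "amount": 12500, "approved_amount": 9500, "approved_at": "2010-01-12"},
    {"id": "PO-4", "supplier_id": "S100", "terms": "NET30", "amount": 500, "approved_amount": None, "approved_at": None},
]
JOURNALS = [
    {"id": "JE-1", "amount": 250000, "entered_by": "ACLARK", "posted_by": "BDAVIS"},
    {"id": "JE-2", "amount": 1200, "entered_by": "ACLARK", "posted_by": "ACLARK"},
    {"id": "JE-3", "amount": 80000, "entered_by": "ELEE", "posted_by": None},
]
EMPLOYEE_CHECKS = [
    {"id": "CK-1", "employee": "E1", "amount": 900},
    {"id": "CK-2", "employee": "E1", "amount": 950},
    {"id": "CK-3", "employee": "E2", "amount": 3000},
]

def journals_over_threshold(journals, limit):
    """Material threshold: journal entry amount above the dollar limit."""
    return [j["id"] for j in journals if j["amount"] > limit]

def journals_entered_and_posted_by_same_user(journals):
    """Compensating SOD control at transaction level: same person entered and posted."""
    return [j["id"] for j in journals
            if j["posted_by"] is not None and j["entered_by"] == j["posted_by"]]

def employee_checks_over_threshold(checks, individual_limit, aggregate_limit):
    """Material threshold on each check and on the per-employee sum, so a run
    of small checks that together exceed the limit is still caught."""
    totals = defaultdict(int)
    for c in checks:
        totals[c["employee"]] += c["amount"]
    return {
        "individual": [c["id"] for c in checks if c["amount"] > individual_limit],
        "aggregate": sorted(e for e, t in totals.items() if t > aggregate_limit),
    }

def po_terms_differ_from_supplier(purchase_orders, suppliers):
    """Anomaly: PO payment terms do not match the supplier master record."""
    return [po["id"] for po in purchase_orders
            if po["terms"] != suppliers[po["supplier_id"]]["terms"]]

def po_changed_after_approval(purchase_orders):
    """Fraud indicator: approved PO whose amount no longer matches what was approved."""
    return [po["id"] for po in purchase_orders
            if po["approved_at"] is not None and po["amount"] != po["approved_amount"]]

def normalise_address(address):
    """Case- and punctuation-insensitive form so lightly varied duplicates collide."""
    return " ".join(address.lower().replace(",", " ").replace(".", " ").split())

def duplicate_suppliers_same_address(suppliers):
    """Fraud indicator: distinct supplier ids sharing one normalised address."""
    by_address = defaultdict(list)
    for sid, s in suppliers.items():
        by_address[normalise_address(s["address"])].append(sid)
    return sorted(sorted(ids) for ids in by_address.values() if len(ids) > 1)

def run_monitors(journal_limit=100000, check_limit=2500, check_sum_limit=1500):
    """Run every monitor over the sample data; findings keyed by monitor name."""
    return {
        "journal_over_threshold": journals_over_threshold(JOURNALS, journal_limit),
        "journal_same_preparer_and_poster": journals_entered_and_posted_by_same_user(JOURNALS),
        "employee_checks": employee_checks_over_threshold(EMPLOYEE_CHECKS, check_limit, check_sum_limit),
        "po_terms_differ_from_supplier": po_terms_differ_from_supplier(PURCHASE_ORDERS, SUPPLIERS),
        "po_changed_after_approval": po_changed_after_approval(PURCHASE_ORDERS),
        "duplicate_supplier_address": duplicate_suppliers_same_address(SUPPLIERS),
    }

if __name__ == "__main__":
    for monitor, hits in run_monitors().items():
        print(f"{monitor}: {hits}")
```

Two details worth keeping when this is done against real data: the post-approval check only fires for POs that have actually been approved (PO-4 is unapproved and is not a finding), and the duplicate-supplier check compares a normalised address rather than the raw string, since the two Acme records differ only in case and punctuation.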

  40. Efficient, Flexible Risk and Compliance Management (GRC Manager within the suite of GRC Intelligence, GRC Manager and GRC Controls) • Improved scoping / audit testing processes: efficiencies under AS5 • End-to-end certification management • Linking risks and controls to multiple regulations / processes • Integrated control management • Closed-loop issue remediation and reporting • Workflow reassignment

  41. GRC Orchestration unifies risk and compliance documentation with automated monitoring & notification • Enterprise GRC system of record for process / policy and compliance documentation management • Integrated control management • Integrated, centralized survey management • Closed-loop issue remediation & reporting • Supports all enterprise functional groups/users: Internal Audit, SOX, Corporate Compliance and Risk Management. Cycle: Document (COSO/COBIT frameworks; risk-control matrix; policies and procedures; evidence & records retention) → Assess (scope audits; test manual controls; monitor automated controls; perform risk assessment) → Analyze (review reports; receive alerts; investigate exceptions) → Respond (remediate; retest) → Optimize (certify; sign-off and publish)

  42. Content Management is the Cornerstone: Single System of Record for Compliance Information (central repository; all content types; secure enterprise search; single source of information; date-effective; chain of custody) • Link policies and procedures to laws, regulations, and standards as evidence of compliance • Link shared policies and controls across laws, regulations, and standards • Apply and track permission-based access to policy and procedure documents • Leverage an advanced search function with a familiar look and feel

  43. GRC Manager: provides a single repository for regulatory objectives, risks, and controls

  44. GRC Manager – Entity Level Controls: provides a library to share controls and reduce testing. A single control can be shared across the organization’s separate business units

  45. GRC Manager – User-defined Hierarchies: provides many-to-many linkage for objectives, risks, and controls. Multiple hierarchies exist to represent regulations, business units and financial structures.

  46. A full version history is maintained for all changes to all compliance elements in GRC Manager. You can always “go back in time” to view the state of your compliance environment as of “XX/YY/ZZ” date, by simply clicking on the history tab, and selecting the earlier version.

  47. No Surprises: GRC Intelligence (alerts, reports, dashboards and key risk & control indicators drawn from GRC Manager and GRC Controls across Suppliers, Finance, Sales, R&D, Legal, Manufacturing, Customers and HR) • Pre-built dashboards aggregate information from all sources • Combine GRC information from the entire stack • Role-tailored analytics • Produce attestations and disclosures • Briefing books: segmenting critical data for diverse groups • Email alerts

  48. No Surprises: Enterprise Visibility to GRC. Secured and targeted delivery of role-based dashboards (sample notification from Oracle GRC Manager: “This is to notify you of Regulatory alerts requiring your attention. The Executive Dashboard is awaiting your review. Please use the following link to access your reports: Go To ‘Executive Dashboard’”) • Easy to use • Transparency across ALL GRC initiatives • Summarized view of key information, highlighting potential trouble areas • Graphical, tabular, drill-down and integrated…

  49. See which process is failing and which regulations are impacted Identify which business units are having the most control issues. Open issue identification by business cycle and who originated it.

  50. Perform top-down risk based scoping by tying risks, control status, and issues to the consolidated financial picture.
