
Oracle Applications: Governance, Risk and Compliance

Oracle Applications: Governance, Risk and Compliance. Windge Chen, Senior Manager, Applications Center of Excellence, Windge.Chen@Oracle.com. Agenda: Introduction to GRC Advanced Controls; Typical Solutions for GRC Advanced Controls; GRC Application Suite; Success Stories.


Presentation Transcript


  1. Oracle Applications: Governance, Risk and Compliance. Windge Chen, Senior Manager, Applications Center of Excellence, Windge.Chen@Oracle.com

  2. Agenda • Introduction to GRC Advanced Controls • Typical Solutions for GRC Advanced Controls • GRC Application Suite • Success Stories

  3. Gartner Research Paper (November 2012) Transaction Controls Monitoring Can Improve Productivity and Financial Governance “ERP and financial applications have built-in internal controls with simple gated logic. However, the existence of these built-in automated controls does not ensure that they are turned on, that they are configured appropriately, and that they are not regularly overridden or bypassed— thus establishing the need for a solution that can monitor these controls.”

  4. Market Drivers: Global Expansion, Increased Regulations, M&A Activity, New Technology

  5. Functional Compliance Levels • Challenges: Multiple ERPs; New Regulations; More Legal Entities; Supplier Agreements • Advanced Controls: Controlled, Managed Upgrades; New Automated Controls; Expanded Existing Scope; Advanced PTP & OTC Controls • Other labels on the slide: Manual Processes, Customizations, Change Control, More Audits, Gap Controls, Integrating Acquisitions, New Markets, New Regions, Renegotiate Supplier Agreements

  6. Functional Compliance Levels • Advanced Controls: Controlled, Managed Upgrades; New Automated Controls; Expanded Existing Scope; Advanced PTP & OTC Controls • Other labels on the slide: Controls, Integrating Acquisitions, New Markets, New Regions, Renegotiate Supplier Agreements

  7. Result is High Operational Risk: Data Errors, Fraudulent Activity, Disparate Systems, Lack of Visibility, Manual Processes, Revenue Recognition Errors, Non-Compliance with Policies, Inappropriate User Access, Decentralized Operations, Inefficient Processes, Financial Misstatements, Reactive Policies, M&A Activity, Inconsistent Data, Duplicate Payments

  8. Financial Opportunity: amount of financial leakage is $1,000,000 on every $1B in spend (Protiviti 2010, Procurement Assessment and AP Recovery Solutions)

  9. Challenges to Bottom Line Results • 51% make payments early, discounts not taken • 64% make payments late, discounts lost • 55% unable to collect cash receipts timely (* Accounts Payable Network Benchmark: AP Controls, May 2011, 425 companies; ** Made to Measure: CFOs on Finance and Procurement Process Improvement, CFO Research, May 2012)

  10. Strategic Priorities (survey of 263 finance executives): Better Controls and Efficiencies • Business Risk Analysis • Audit and Control of Procurement • Understanding Payables Exposure • Compliance (Reaching New Heights: The Dividends of Collaboration between Finance and Procurement, published by CFO Publishing LLC, May 2012)

  11. Advanced Controls enables you to increase process effectiveness, improve the bottom line and reduce operational risk by continuously monitoring your ERP applications

  12. Advanced Controls • Detect unwanted transactions • Detect settings that cause loss • Detect problematic exceptions • Automate policy management • Outcomes: Improve Bottom Line; Make Processes More Effective, Efficient; Reduce Operational Risk

  13. Agenda • Introduction to GRC Advanced Controls • Typical Solutions for GRC Advanced Controls • GRC Application Suite • Success Stories

  14. Oracle Advanced Controls Solutions • 1 Advanced Controls for Procure to Pay (Payments) • 2 Advanced Controls for Access & SOD (Access) • 3 Advanced Controls for Order to Cash (Orders)

  15. Processes Requiring Strong Controls Source: “2011 OAUG Governance, Risk & Compliance Best Practices Survey”, Unisphere Research, Feb 2011

  16. Control Challenges (survey of 425 companies) • Lack of Staff • False Positives • Access to Data • Visibility to Issues • Mergers & Acquisition • Decentralized Operations • Outsourcing (Drivers; * Accounts Payable Network Benchmark: AP Controls, May 2011)

  17. Example: Duplicate Invoice (process diagram) • Swimlanes: AP Clerk, Supplier, Audit • Steps: Approve AP Invoices for Payment; Reject; Approve


  19. Example: Duplicate Invoice (process diagram) • Swimlanes: AP Clerk, Supplier, Audit • Steps: Approve AP Invoices for Payment; Potential Incident (!); Reject; Approve


  21. Example: Duplicate Invoice • Application Access Controls Governor: ensure proper SOD is in place; no users can create payments and invoices for the same supplier • Enterprise Transaction Controls Governor: monitor duplicate invoices; check for similar amounts, dates within 14 days of each other and to the same supplier • Preventive Controls Governor: put duplicate invoices on hold in EBS to prevent overpayment from happening
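The two detective checks slide 21 describes (the 14-day, same-supplier, similar-amount duplicate-invoice rule and the create-invoice/create-payment SOD rule) can be modelled in a few lines. This is an added Python example, not code from the Oracle products or the deck; the record layout, the 1% amount tolerance and the sample invoices and payments are constructed assumptions.

```python
# Added example (not from the Oracle deck). Record shapes, the 1% amount
# tolerance and the sample data are constructed assumptions; the 14-day
# window and the SOD rule come from slide 21.
from dataclasses import dataclass
from datetime import date
from itertools import combinations

@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    supplier: str
    amount: float
    invoice_date: date
    created_by: str

@dataclass(frozen=True)
class Payment:
    payment_id: str
    supplier: str
    created_by: str

def similar_amount(a: float, b: float, tolerance: float = 0.01) -> bool:
    """Relative tolerance: exact-match only would miss re-keyed or rounded invoices."""
    return abs(a - b) <= tolerance * max(abs(a), abs(b), 1.0)

def duplicate_invoice_suspects(invoices, window_days: int = 14):
    """Pairs of invoices to the same supplier, similar amount, dated within the window."""
    suspects = []
    by_date = sorted(invoices, key=lambda i: i.invoice_date)
    for earlier, later in combinations(by_date, 2):
        if earlier.supplier != later.supplier:
            continue
        if (later.invoice_date - earlier.invoice_date).days > window_days:
            continue
        if similar_amount(earlier.amount, later.amount):
            suspects.append((earlier.invoice_id, later.invoice_id))
    return suspects

def sod_violations(invoices, payments):
    """(user, supplier) pairs where one user created both an invoice and a payment."""
    invoice_users = {(i.created_by, i.supplier) for i in invoices}
    payment_users = {(p.created_by, p.supplier) for p in payments}
    return sorted(invoice_users & payment_users)

SAMPLE_INVOICES = [  # constructed data
    Invoice("INV-1001", "ACME", 5000.00, date(2013, 3, 1), "jsmith"),
    Invoice("INV-1002", "ACME", 5000.00, date(2013, 3, 10), "mlee"),   # same amount, 9 days later
    Invoice("INV-1003", "ACME", 4990.00, date(2013, 3, 12), "jsmith"), # within 1% of the others
    Invoice("INV-1004", "GLOBEX", 5000.00, date(2013, 3, 2), "mlee"),  # different supplier
    Invoice("INV-1005", "ACME", 5000.00, date(2013, 4, 20), "mlee"),   # outside the 14-day window
]
SAMPLE_PAYMENTS = [Payment("PAY-501", "ACME", "jsmith"), Payment("PAY-502", "GLOBEX", "jsmith")]
```

Running `duplicate_invoice_suspects(SAMPLE_INVOICES)` flags the three ACME pairs among INV-1001, INV-1002 and INV-1003, and `sod_violations` reports jsmith for ACME, the case the slide says the Access Controls Governor should prevent.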

  22. Oracle Procure-to-Pay: Procure-to-Pay Controls are Required Control Points • Process steps: Requisition, Purchase Goods/Services, Receive Goods/Services, Invoice, Issue Payments • Spend Categories: Indirect & MRO, Direct Materials • Also shown: Banks, Payment Processors, Supplier Collaboration Services, SWIFTNet, Corporate Performance Management, Collaboration, Settlement, Strategic Sourcing & Contract Mgmt, Business Process Models, Service Oriented Architecture

  23. Oracle Procure-to-Pay Continuous Controls: Automated Controls for Strategic Sourcing & Contract Mgmt • Control questions: Are there frequent changes to supplier information? Are there inappropriate associations between a vendor and an employee? Do you have duplicate suppliers? Are you missing critical supplier information? Is the information valid? Are your vendors compliant with trade regulations? Are the vendors blacklisted? • Diagram labels: Requisition, Purchase Goods/Services, Receive Goods/Services, Invoice, Issue Payments; Spend Categories: Indirect & MRO, Direct Materials; Banks, Payment Processors, Supplier Collaboration Services, SWIFTNet, Corporate Performance Management, Collaboration, Settlement, Business Process Models, Service Oriented Architecture

  24. Oracle Procure-to-Pay Continuous Controls: Automated Controls for Requisitions and Purchases • Control questions: Do you have duplicate Purchase Orders? Are POs created on the same day as goods arrive? Are there split POs? Are there purchases with non-preferred vendors? • Diagram labels: Requisition, Purchase Goods/Services, Receive Goods/Services, Invoice, Issue Payments; Spend Categories: Indirect & MRO, Direct Materials; Banks, Payment Processors, Supplier Collaboration Services, SWIFTNet, Corporate Performance Management, Collaboration, Settlement, Strategic Sourcing & Contract Mgmt, Business Process Models, Service Oriented Architecture

  25. Oracle Procure-to-Pay Continuous Controls: Automated Controls for Receiving, Invoices, and Payments • Control questions: Are you making accurate and timely payments? Are payment term changes reviewed before payment? Are there duplicate invoice amounts being processed? Did the person making the payment create or modify the vendor? Are there discrepancies in freight charges? • Diagram labels: Requisition, Purchase Goods/Services, Receive Goods/Services, Invoice, Issue Payments; Spend Categories: Indirect & MRO, Direct Materials; Banks, Payment Processors, Supplier Collaboration Services, SWIFTNet, Corporate Performance Management, Collaboration, Settlement, Strategic Sourcing & Contract Mgmt, Business Process Models, Service Oriented Architecture

  26. Advanced Controls Example • Process steps: Requisition, Purchase Goods/Services, Receive Goods/Services, Invoice, Issue Payments • Examples: Prevent “vendor” payments to an employee account; Find frequently returned goods or expedited deliveries; Restrict users’ access to create & approve requisitions (e.g. non-catalog items); Detect multiple transactions that in reality comprise a single PO (i.e. “split-PO”) • Standard ERP Controls: Only assign certain users ability to approve requisitions; Always require approval for POs over $5,000; Perform 3-way match; Do not assign same user ability to create vendors and approve payments • Advanced Controls: Apply the tenet of “least privilege”, limiting users’ access to essential menus, functions, pages; Identify attempts to circumvent standard controls; Evaluate vendor performance to standards; Early detection of potential payments to illegal vendors

  27. Any Time: Transform your business processes with Advanced Controls for ERP Projects • ERP Implementation: provide optimal control solutions from day 1 • ERP Upgrade: add advanced controls to monitor and enhance ERP controls

  28. Agenda • Introduction to GRC Advanced Controls • Typical Solutions for GRC Advanced Controls • GRC Application Suite • Success Stories

  29. Adoption of GRC Advanced Controls Top Trends • Shift from manual compliance activity to automated controls • Focus on Performance (in addition to Compliance) • Single, Enterprise-wide Approach (not silos) • Expect Business to enforce Policy (not just Finance Ops or Audit) • Shift from data sampling to analyzing the entire data set • Shift from detection to prevention

  30. Performance Driven Controls • 1 Enterprise Perspective • 2 Process Goals: Human Capital Optimization, Order Mgmt., Compliance, Accounting, Working Capital, Procurement, Leakage • 3

  31. Integrated Risk and Controls Management Steps • 1 Assess Risk and Compliance • 2 Detect and Fix Issues • 3 Execute Continuous Improvement & Monitoring • Activities shown: Identification, Analysis, Evaluate, Document, Assessments, Reviews, Author, Investigate

  32. Fusion GRC Product Strategy: One Enterprise Foundation • 1 Enterprise Risk & Controls Foundation (Dashboards, Reports and Alerts; Risk, Controls & Compliance Management) • 2 Continuous Controls Monitoring • 3 Custom or Legacy Applications

  33. Fusion GRC Product Strategy A complete platform in a single application • All Users • All Processes • All Organizations • All Application Instances • All Application Data • User Security • Setup & Configuration • Master Data • Transactions • Advanced Detection Patterns • Intelligent Exception Management • Independent Assurance Enterprise Risk & Controls Foundation Dashboards, Reports and Alerts Risk, Controls & Compliance Management Continuous Controls Monitoring

  34. Fusion GRC Product Strategy: One Enterprise Foundation • Document Risk & Controls • Assess and Certify • Automate Control Testing • Detect Policy Violations • 100% Assurance • Enterprise Risk & Controls Foundation: Setup and Administration; Dashboards, Reports & Alerts; Role Based Access Security; Worklists; Notifications; Perspectives; Email; Search • Risk, Controls & Compliance Management: Documentation, Reviews, Assessments, Remediation, Surveys • Continuous Controls & Risk Monitoring: User Access, Financial Reporting, Procure to Procurement, Order to Cash; Access, Setups, Master Data, Audit Tests, Transactions; User Authored Controls, Data Connectors, Fraud & Error Patterns • Custom or Legacy Applications

  35. Advanced Controls Products • Monitor Control Effectiveness: What users can do; How users execute processes; How is the process set up • Enforce Policies in Context: What’s changed in the process; What users have done; What are the execution patterns • Products: Preventive Controls Governor (PCG), Access Controls Governor (ACG), Configuration Controls Governor (CCG), Transaction Controls Governor (TCG)

  36. Application Access Controls Governor (ACG): Advanced SOD and Security Controls • Document, assess and certify Application Security/SOD policies • Library of pre-built automated SOD controls for EBS, PSFT & Fusion • Author new controls, extend to any business application • Detection to Prevention: Define Access Controls; Access Analysis; Remediation (Clean-up); Preventive Provisioning; Compensating Policies

  37. Configuration Controls Governor (CCG): Advanced Configuration Controls • Achieve consistent application setup and operating standards across multiple instances • Track audit trails for changes to key configurations • Tightly control change management to accelerate development and test time • Detection to Prevention: Define Configuration Controls; Compare Configuration Deployed; Monitor Configuration Changes; Enforce Change Control; Manage Data Integrity

  38. Enterprise Transaction Controls Governor (TCG): Advanced Transaction Controls • Continuously monitor accuracy of transactions and mitigate exposure to fraud • Test against thresholds • Search for anomalies • Perform transaction sampling • Detection to Prevention: Define Transaction Controls; Perform Transaction Analysis; Identify & Review Suspects; Review and Address Suspects; Preventive Transaction Controls

  39. Preventive Controls Governor (PCG): Oracle E-Business Suite In-line Controls • Configure advanced controls in Oracle EBS • Replace Forms customizations for easier support and upgrades • Change-track critical fields for auditing • Require approval for changes to critical data • Mask sensitive data • Detection to Prevention: Review and Address Suspects; Logged Changes to Critical Data; Notification of Changes; Required Approvals; Blocked Access to Sensitive Data

  40. GRC Advanced Controls Solutions

  41. Agenda • Introduction to GRC Advanced Controls • Typical Solutions for GRC Advanced Controls • GRC Application Suite • Success Stories

  42. Oxbow: Customer Perspective • Situation: Oxbow Carbon, focused on growth, has gone through numerous acquisitions in recent years. • Challenge (Before): The company was running 13 distinct enterprise resource planning (ERP) systems, which limited visibility of critical business information and created IT governance challenges. • Solution: Automate continuous monitoring of ERP controls during EBS implementation; Detect and prevent inappropriate user access. • Results (After): Increased visibility into controls environment across multiple ERP systems. Instilled a preventive approach regarding inappropriate user access. • “We selected Oracle Governance, Risk, and Compliance Controls Suite because it goes hand-in-hand with the Oracle E-Business Suite Release 12 implementation process that we’re executing. Together, they are the most flexible and robust out-of-the-box solution available and are instrumental in helping to create and modify various rules and controls to suit our business needs.” Manager of Internal Audit

  43. Parexel Case Study • Before: No visibility into inter-role conflicts and no way to enforce access security policies; Manual SOD monitoring done through documentation and check lists; Unable to ensure OFAC compliance; Inability to validate suppliers against the OFAC watchlist and monitor transactions in the P2P process • After: Identified riskiest policies and conflicts; Implemented 25-40 different controls and SOD rules; Automated OFAC compliance by tracking transactions against the SDN listing; New process step in supplier setup makes a supplier inactive until the supplier check on the OFAC watchlist is completed; Improved health and confidence in the P2P process

  44. Customer Success
