
Leveraging Oracle GRC Technology to Reduce Revenue Loss, Cost Leakage, and Fraud

Leveraging Oracle GRC Technology to Reduce Revenue Loss, Cost Leakage, and Fraud. September 23, 2013. Brian Cutlip, Senior Manager, Deloitte & Touche LLP Alex Vaz, Manager, Deloitte & Touche LLP 3:15pm–4:15pm. Speaker Introduction. Brian Cutlip Senior Manager, Deloitte & Touche LLP





Presentation Transcript


  1. Leveraging Oracle GRC Technology to Reduce Revenue Loss, Cost Leakage, and Fraud

    September 23, 2013 Brian Cutlip, Senior Manager, Deloitte & Touche LLP Alex Vaz, Manager, Deloitte & Touche LLP 3:15pm–4:15pm
  2. Speaker Introduction

    Brian Cutlip, Senior Manager, Deloitte & Touche LLP. Brian has more than 13 years of management consulting expertise in providing information technology and business process solutions to clients in various industry sectors. Brian has extensive project management and hands-on experience in enterprise risk management, application security, business process optimization, data protection and privacy, internal controls (operational, financial, and technological), identity and access management, and governance, risk, and compliance (GRC).

    Alex Vaz, Manager, Deloitte & Touche LLP. Alex has 9 years of experience implementing information systems and performing internal and external audits. He focuses on designing, configuring, testing and deploying application security and business process internal controls for the Oracle E-Business application. Alex has global Oracle project experience implementing Oracle E-Business Suite R12 (Financials, Procurement, GRC and Human Resource modules).
  3. Agenda

    - Today’s Enterprise Risk Challenges
    - Addressing the Risk
    - Decomposing the Business Process
    - Oracle GRC Advanced Controls Use Case Scenarios
      - Credit check and sales orders
      - Creation of suppliers and making payments
    - Q&A
  4. Objective

    - Understand some of today’s enterprise risk challenges
    - Articulate some typical IT and business challenges and ways an Oracle GRC Advanced Controls solution can address those challenges
    - Describe some examples of how GRC Advanced Controls can reduce the risk of revenue loss, cost leakage, and fraud
  5. Today’s Enterprise Risk Challenges
  6. Business Process Vulnerability

    Business processes are particularly vulnerable for five principal reasons:
    - Cross-functional dependencies
    - Exposure to “cost leakage”
    - Mismanagement of working capital
    - Lack of standardized global processing
    - Reliance on manual controls

    With heightened focus on governance, risk and compliance (GRC), minimizing exposure to fraud and errors associated with Enterprise Resource Planning (ERP) business processes still remains a top-of-mind concern for many organizations. Many organizations are looking to address these vulnerabilities by enabling automated controls to achieve consistent management of business processes, and to help minimize the risks of fraud and error.
  7. Requirement Complexity

    Companies have been expected to comply with regulatory and operational requirements for years now, but have struggled to meet standards for aging demands as additional requirements continue to grow… Why is it so difficult?

    [Diagram: integrated ERP business processes surrounded by the parties and requirements pulling on them: regulators, analysts, investors, stakeholders; BCP, privacy, Dodd-Frank, credit audits, legal, internal audit, risk management, compliance, external audit, privacy office, information security, anti-fraud, SOX, OSHA, Clean Air]
  8. Shift Toward Process Optimization

    Manual:
    - Manually-intensive business and IT controls
    - Redundant controls
    - Labor intensive testing (internal and external audit)
    - Large sample sizes
    - High reliance on subjective human analysis

    Automated:
    - Leverage automated, unique application-based business and IT controls that are set up one time in the system
    - Automate user access and Segregation of Duties (SoD) controls
    - Deploy controls that are performed in an efficient manner
    - Test controls using automated procedures
    - Reduce sample sizes

    Continuous Monitoring / Process Optimization:
    - Monitor controls on a continuous basis for accurate reporting
    - Implement a “proactive” approach to identifying and addressing control issues
    - Establish a sustainable compliance process
    - Demonstrate ROI/business value
    - Reduce testing
  9. Becoming Risk Intelligent

    [Diagram: stages of risk management capability maturity, from the initial stage through fragmented, top-down and integrated stages to risk intelligent, plotted against stakeholder value]

    Illustrative risk management practices, from least to most mature:
    - Ad hoc/chaotic
    - Depends primarily on individual heroics, capabilities, and verbal wisdom
    - Risk is defined differently at different levels of the organization
    - Risk is managed in silos and risk interactions are identified in a limited manner
    - Limited alignment of risk to strategies
    - Disparate monitoring and reporting functions
    - Common risk framework, program statement, policy
    - Enterprise-wide integrated risk assessments
    - Communication of top strategic risks to the Board
    - Executive/Steering Committee
    - Knowledge sharing across risk functions
    - Coordinated risk management activities across silos
    - Risk appetite is fully defined
    - Enterprise-wide risk monitoring, measuring, and reporting
    - Technology enabled processes
    - Contingency plans and escalation procedures
    - Risk discussion is embedded in strategic planning, capital allocation, product development, etc.
    - Early warning risk indicators used
    - Linkage to performance measures and incentives
    - Risk modeling/scenarios
  10. Addressing the Risk
  11. Establishing Guiding Principles

    - Promote early inclusion of control requirements as an integrated activity
    - Follow a top-down, risk-based approach
    - Focus on adding value through industry leading practices around control rationalization, automation and end-to-end risk management
    - Agree upon a uniform set of documentation standards
    - Place a greater reliance on technology
    - Properly scope and identify the higher risk areas and key controls

    Themes: Accountability, Transparency, Efficiency
  12. Enabling Controls Management Maturity

    An approach supported by Oracle GRC will provide a comprehensive solution that reduces the level of effort for controls management and testing while reducing the risk of material financial exposures.

    [Diagram: the Security, Controls, and GRC approach deliverables flow (SOD rules, role-based application security, Oracle GRC Advanced Controls, process controls, automated controls) mapped against controls management maturity levels: Level 0 Incomplete, Level 1 Performed, Level 2 Managed, Level 3 Defined, Level 4/5 Managed & Optimized]
  13. Enabling Advanced Controls

    The Oracle GRC suite helps organizations address various risks while contributing significantly to operational efficiency gains along the way.

    [Diagram: control domains (change management, enterprise user access security, continuous controls monitoring, preventive controls, configuration integrity) and risk categories (financial, compliance, operational) mapped to the Oracle GRC Advanced Controls that sit over the Oracle ERP application: Application Access Controls Governor (AACG), Configuration Controls Governor (CCG), Transactions Controls Governor (TCG), Preventive Controls Governor (PCG)]
  14. Decomposing the Business Process
  15. Example Processes with Financial Impact

    - Hire to Retire
    - Plan to Make
    - Order to Cash
    - Procure to Pay
    - Account to Close
  16. Example Processes with Financial Impact

    Order to Cash: Manage Customers → Process Orders → Ship Orders → Bill Customer → Manage Receivables
  17. Inherent Financial Risks (slides 17 to 20 build up this diagram one step at a time)

    Order to Cash, with the inherent financial risk at each step:
    - Manage Customers: Invalid Customer Credit Limits
    - Process Orders: Inaccurate Sales Order Details
    - Ship Orders: Fraudulent Shipping Details
    - Bill Customer: Missing Customer Invoices
    - Manage Receivables
  21. Advanced Control Optimization

    Order to Cash inherent risks: Invalid Customer Credit Limits, Inaccurate Sales Order Details, Fraudulent Shipping Details, Missing Customer Invoices, Invalid Cash Receipts

    Advanced controls:
    - Field-level validation on required data elements
    - User access set up to only appropriate individuals
    - Monitor, detect, and report on potential anomalies
    - Monitor and alert on users provisioned with inappropriate access
  22. Example Processes with Financial Impact

    Procure to Pay: Manage Suppliers → Requisition → Purchase Goods/Services → Process Payables/Invoice → Make Payments
  23. Inherent Financial Risks (slides 23 to 26 build up this diagram one step at a time)

    Procure to Pay, with the inherent financial risk at each step:
    - Manage Suppliers: Fictitious Supplier Details
    - Requisition: Invalid Requisition
    - Purchase Goods/Services: Fraudulent or Unauthorized Purchase Order
    - Process Payables/Invoice: Processing of Unmatched Invoices
    - Make Payments
  27. Advanced Control Optimization

    Procure to Pay inherent risks: Fictitious Supplier Details, Invalid Requisition, Fraudulent or Unauthorized Purchase Order, Processing of Unmatched Invoices, Fraudulent or Unauthorized Disbursement

    Advanced controls:
    - System enforcement of PO approval
    - System enforcement of 2- or 3-way matching
    - Report on POs in a date range for the same user and supplier
    - Systematically alert on unusual invoice activity
  28. Summary: Processes, Risks, and Controls (slides 28 to 30 recap Order to Cash, Procure to Pay, Hire to Retire, Account to Close, and Plan to Make)
  31. Key Benefits of Advanced Controls Optimization

    - Timely analysis and remediation of control deficiencies
    - Inherent risks prevalent to management override
    - Deeper analysis of risky scenarios and transactions
    - Time spent testing control effectiveness
    - Time and cost to system customization
    - Systematic prevention vs. manual detection
  32. Oracle GRC Advanced Controls Use Cases
  33. Scenario 1: Credit check and sales orders

  34. Scenario 1: Credit check and sales orders (1 of 7)

    Scenario risk: Manipulating credit information may lead to processing of sales orders with exceeded limits.

    How can it happen?
    - A sales order is created for the customer which exceeds his AR balance
    - An unauthorized change is made to the credit check setup

    Impact: The customer may not be able to pay, which may lead to loss of revenue for the organization.

    Risk mitigation:
    - Oracle EBS in-built functionality
    - Oracle GRC detective pattern analysis
    - Oracle GRC preventive change control rule
  35. Scenario 1: Credit check and sales orders (2 of 7)

    Risk exposure 1: A sales order is created for the customer which exceeds his AR balance.

    [Flow diagram: the customer is set up with credit limits up to $120,000; the sales clerk processes a sales order with an exceeded limit ($140,000); the organization invoices and awaits cash receipts; the customer could not pay the complete amount, resulting in loss of revenue]
  36. Scenario 1: Credit check and sales orders (3 of 7)

    Solution option 1, EBS preventive: the standard EBS functionality ‘credit check rules’ can be configured to put sales orders with exceeded limits on hold. The sales supervisor can then review and either approve or reject the sales order.

    [Flow diagram: the customer is set up with credit limits up to $120,000; the sales clerk processes a sales order with an exceeded limit ($140,000); the ‘credit check rules’ put the order on hold; the sales manager reviews the held order and either approves it or rejects it, blocking the order]
  37. Scenario 1: Credit check and sales orders (4 of 7)

    Solution option 2, GRC detective: continuous monitoring rules can be defined to report fraudulent transactions periodically to the sales manager for review and any corrective measures.

    [Flow diagram: the customer is set up with credit limits up to $120,000; the sales clerk processes a sales order with an exceeded limit ($140,000); a GRC detective rule (pattern analysis) finds all sales orders processed with exceeded limits; the credit manager reviews and takes corrective action]
  38. Scenario 1: Credit check and sales orders (5 of 7)

    Risk exposure 2: An unauthorized change is made to the credit check setup. Credit checking can be disabled in customer profile classes, payment terms or order type definitions.

    [Flow diagram: an unauthorized change is made to the credit check setup (profile classes, order type, payment term); the sales clerk processes a sales order with an exceeded limit ($200,000); the order is processed successfully because credit checking is bypassed by the unauthorized setup change; the organization invoices and awaits cash receipts; the customer could not pay the complete amount, resulting in loss of revenue]
  39. Scenario 1: Credit check and sales orders (6 of 7)

    Solution option 3, GRC detective: continuous monitoring rules can be defined to report fraudulent transactions periodically to the sales manager for review and any corrective measures.

    [Flow diagram: the sales clerk makes an unauthorized change to the credit check setup (profile classes, order type, payment term); a GRC detective rule (pattern analysis) finds all changes made to the credit check setup; the credit manager reviews and takes corrective action]
  40. Scenario 1: Credit check and sales orders (7 of 7)

    Solution option 4, GRC preventive: enabling a combination of rules can prevent the user from performing any unauthorized change.
    - Form rule to make the field ‘credit limits’ non-updateable by the sales clerk in the profile class definition
    - Form rule to make the field ‘credit check rule’ mandatory in the order type definition
    - Change control rule to route every change made to the field ‘credit check’ in the payment terms form to the credit manager for approval

    [Flow diagram: the sales clerk attempts an unauthorized change to the credit check setup (profile classes, order type, payment term); the GRC preventive solution places the changes on hold; the credit manager reviews the changes and rejects or corrects them; the sales clerk creates and processes the sales order within the limit; the organization invoices and receives cash from the customer with no loss of revenue]
  41. Scenario 1: Summary Multiple detective and preventive solution options are available to mitigate the business process risk exposures within the organization. Based on the business, control and regulatory requirements, one or more solutions can be implemented to address the risks 
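The three rule types this scenario walks through, written out as an added Python example (not code from the deck or from Oracle GRC): a detective rule over sales orders, a detective rule over the credit-check setup audit trail, and the preventive change control decision. The customers, orders and audit trail are constructed, and it is assumed that an order breaches credit when its amount plus the customer's open AR exceeds the limit and that only the credit manager may make or approve setup changes.

```python
"""Detective and preventive rule sketch for Scenario 1 (constructed data, not
Oracle GRC's rule engine). Assumptions: an order breaches credit when its
amount plus the customer's open AR balance exceeds the credit limit, and only
the credit manager may make or approve credit-check setup changes."""

CREDIT_MANAGER = "credit_manager"  # assumed role allowed to alter credit setup

# Constructed customer master: credit limit and current open AR balance.
CUSTOMERS = {
    "C100": {"credit_limit": 120_000, "ar_balance": 30_000},
    "C200": {"credit_limit": 50_000, "ar_balance": 0},
}

# Constructed sales orders: (order id, customer id, order amount).
ORDERS = [
    ("SO-1", "C100", 80_000),   # 30k open + 80k = 110k, within the 120k limit
    ("SO-2", "C100", 140_000),  # the slide's case: 140k order against a 120k limit
    ("SO-3", "C200", 50_000),   # exactly at the limit, not flagged
]

# Constructed audit trail of credit-check setup changes. Credit checking can be
# switched off in profile classes, order types or payment terms (slide 38).
SETUP_CHANGES = [
    {"id": 1, "object": "order_type", "field": "credit_check_rule",
     "old": "Standard", "new": None, "changed_by": "sales_clerk", "approved_by": None},
    {"id": 2, "object": "payment_term", "field": "credit_check",
     "old": "Y", "new": "N", "changed_by": CREDIT_MANAGER, "approved_by": CREDIT_MANAGER},
    {"id": 3, "object": "profile_class", "field": "credit_limit",
     "old": 120_000, "new": 500_000, "changed_by": "sales_clerk", "approved_by": CREDIT_MANAGER},
]


def orders_over_limit(customers=CUSTOMERS, orders=ORDERS):
    """Detective rule (slide 37): order ids whose amount plus open AR exceeds the limit."""
    flagged = []
    for order_id, cust_id, amount in orders:
        cust = customers[cust_id]
        if cust["ar_balance"] + amount > cust["credit_limit"]:
            flagged.append(order_id)
    return flagged


def unauthorized_setup_changes(changes=SETUP_CHANGES, approver=CREDIT_MANAGER):
    """Detective rule (slide 39): setup changes neither made nor approved by the credit manager."""
    return [c["id"] for c in changes
            if c["changed_by"] != approver and c["approved_by"] != approver]


def change_control_decision(change, approver=CREDIT_MANAGER):
    """Preventive change control rule (slide 40): the credit manager's own changes
    apply; anyone else's change stays on hold until the credit manager approves it."""
    if change["changed_by"] == approver or change["approved_by"] == approver:
        return "applied"
    return "on_hold"
```

Run against the constructed data, the order rule flags SO-2 only and the setup rule flags change 1 only; change 3 passes because the credit manager approved it, which is exactly the hold-and-approve path of the preventive rule.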
  42. Scenario 2: Creation of suppliers and making payments

  43. Scenario 2: Creation of suppliers and making payments (1 of 4)

    Scenario risk: The user can create a new supplier, create an invoice and make a fraudulent payment.

    How can it happen? The user can obtain access that grants the conflicting ability to create suppliers, enter invoices and make payments.

    Impact: The user can create a fictitious supplier and a fictitious invoice and make an unauthorized payment, leading to misappropriation of funds.

    Risk mitigation:
    - Oracle GRC preventive flow rule
    - Oracle GRC detective transaction monitoring rule
  44. Scenario 2: Creation of suppliers and making payments (2 of 4)

    Risk exposure: When access to the supplier master file, AP invoices, and payments is granted to the same user, he may create fictitious suppliers and cover up this misappropriation by making fictitious payments.

    [Diagram: SOD rule setup with no rule for segregation of duties, so the payables user is given Create/Update Supplier Master, Enter AP Invoice and Enter Payments access, which poses a potential risk. Transaction: the payables clerk creates a fictitious supplier, enters a fictitious payables invoice and makes the payment; funds are misappropriated through the payment made for the fictitious invoice]
  45. Scenario 2: Creation of suppliers and making payments (3 of 4)

    Solution option 1, GRC detective: deploying a ‘monitor’ control rule lets any conflicting access given to users be granted but routed to the manager for monitoring purposes. The GRC SOD monitor rule does not prevent or block any access given to the user; it notifies the manager about all the conflicting accesses.

    [Diagram: SOD rule setup with no rule for segregation of duties; the payables user is given Create/Update Supplier Master, Enter AP Invoice and Enter Payments access. Transaction: the user creates or updates a supplier record and enters a fictitious invoice against it; the payables manager is notified and performs review and remediation]
  46. Scenario 2: Creation of suppliers and making payments (4 of 4)

    Solution option 2, GRC preventive: deploying an approval-required control can enforce that any conflicting access given to users is routed through an approval workflow. The GRC SOD preventive rule checks for segregation of duties and provides the option to accept or reject the access given to a user.

    [Diagram: SOD rule setup with rules for segregation of duties; access requests for Enter AP Invoice, Enter Payments and Create/Update Supplier Master are approved or rejected. Transaction: payables user 1 enters the AP invoice, payables user 2 enters payments and payables user 3 creates/updates the supplier master; segregating the duties prevents a single user from performing fraudulent transactions]
  47. Scenario 2: Summary

    A detective and a preventive option are available to mitigate the business process risk exposures within the organization. Based on the business, control and regulatory requirements, either solution can be implemented to address the risks through GRC functionality.
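The SoD logic behind this scenario, as an added Python example that is not code from the deck or from Oracle GRC: an access rule that finds users holding conflicting functions, a provisioning rule that applies the ‘monitor’ (grant and notify) or ‘approval required’ (hold) handling from slides 45 and 46, and a transaction monitoring rule that finds payments where one user created the supplier, entered the invoice and paid it. The function names, user assignments and payment trail are constructed.

```python
"""SoD rule sketch for Scenario 2 (constructed data, not Oracle GRC's engine).
The conflicting functions are supplier master maintenance, AP invoice entry and
payment entry. An access rule finds users holding two or more of them, a
provisioning rule applies 'monitor' or 'approval required' handling, and a
transaction rule finds payments where one user performed all three steps."""
from itertools import combinations

CONFLICT_SET = {"create_update_supplier", "enter_ap_invoice", "enter_payments"}

# Constructed user-to-function assignments (responsibilities flattened to functions).
USER_ACCESS = {
    "payables_user":   {"create_update_supplier", "enter_ap_invoice", "enter_payments"},
    "payables_user_1": {"enter_ap_invoice"},
    "payables_user_2": {"enter_payments"},
    "payables_user_3": {"create_update_supplier"},
}

# Constructed transaction trail: who created the supplier, entered the invoice, paid it.
PAYMENTS = [
    {"payment": "P-1", "supplier_created_by": "payables_user",
     "invoice_entered_by": "payables_user", "paid_by": "payables_user"},
    {"payment": "P-2", "supplier_created_by": "payables_user_3",
     "invoice_entered_by": "payables_user_1", "paid_by": "payables_user_2"},
]


def access_conflicts(user_access=USER_ACCESS, conflict_set=CONFLICT_SET):
    """Access rule: map each user to the pairs of conflicting functions they hold."""
    conflicts = {}
    for user, functions in user_access.items():
        held = sorted(functions & conflict_set)
        pairs = list(combinations(held, 2))
        if pairs:
            conflicts[user] = pairs
    return conflicts


def evaluate_access_request(user, new_function, mode,
                            user_access=USER_ACCESS, conflict_set=CONFLICT_SET):
    """Provisioning rule. 'monitor' (slide 45): grant and notify the manager.
    'approval_required' (slide 46): hold the request until a manager decides."""
    already_held = user_access.get(user, set()) & conflict_set
    conflicting = already_held - {new_function}
    if new_function not in conflict_set or not conflicting:
        return "granted"
    if mode == "monitor":
        return "granted_with_notification"
    if mode == "approval_required":
        return "pending_approval"
    raise ValueError(f"unknown mode: {mode!r}")


def same_user_payments(payments=PAYMENTS):
    """Transaction rule: payments where one user created the supplier,
    entered the invoice and made the payment."""
    return [p["payment"] for p in payments
            if len({p["supplier_created_by"], p["invoice_entered_by"], p["paid_by"]}) == 1]
```

With the constructed data only the unsegregated payables_user shows access conflicts, and only payment P-1 trips the transaction rule; the three-user split from slide 46 passes both checks.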
  48. Summary
  49. Summary

    Conclusion:
    - Shift towards controls automation and reduction of manual controls and customizations
    - Controls management maturity
    - Balancing act between control and efficiency for your organization
    - Improve data integrity
  50. Q&A