Are you prepared to deal with the exposures associated with an Oracle ERP related breach?

Transcription

1 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with Overview

2 Are you prepared to deal with the exposures associated with an Oracle ERP related breach? KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. 1

3 Is your current Oracle ERP security & controls solution impeding the performance of your organization? KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. 2

4 Does your legacy Oracle ERP security & controls solution support today s dynamic, global operational requirements? KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. 3

5 Does your Oracle ERP security & controls solution provide a cost effective platform to support regulatory compliance requirements? KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. 4

6 Oracle ERP Security & Controls Challenge How do you effectively and efficiently balance user enablement with transaction & data protection? Mobile Cloud Web Employees Client Server ERP Mainframe Key Business Drivers Increased Cyber Threats Burdensome Regulatory Requirements Operational Complexities Need to Empower Employees Unrelenting Technology Changes 5

7 Risk Compliance Controls Security Traditionally, Oracle ERP project teams are focused on core ERP functionality, prioritizing implementation activities to align with timeline limitations and budget constraints. This tactical approach commonly results in risk and control compromises not fully appreciated, until after go-live. Once the ERP solution is live and operational, organizations begin to realize the significance of their oversights and compromises and are forced to initiate post go-live remediation projects to make the necessary corrections. These projects are disruptive, exponentially more expensive and time consuming. The primary function of our Oracle Risk Consulting practice is to provide experienced resources to proactively assist ERP implementations through a focus on the Securing the ERP principles to help minimize the threat of costly rework after the ERP solution is operational. 6

8 Securing the ERP KPMG s Securing the ERP approach is a 360 degree view of ERP security and controls positioned to help industry leading organizations effectively balance the divergent tasks of empowering ERP business users while simultaneously protecting sensitive data and transactions. Oracle ERP Advanced Controls 7

9 Advanced Controls Oracle ERP Advanced Controls Key Business Drivers Revenue leakage ERP centric business processes complexities and inefficiencies Fraud and errors High ERP configuration costs Complex regulatory compliance requirements Greater transparency required for sensitive transactions Key Capabilities for Advanced Controls Business Process Controls Framework to organize manual controls, ERP application controls and automated controls Preventative Controls to mitigate process risks Detective Controls to monitor sensitive transactions and data changes Configuration Controls to track/monitor configuration changes and compare Oracle ERP instances Conversion & Interface Controls Fine grain Segregation of Duties Realized Value Automated controls Effective configuration management program Effective regulatory compliance program 8

10 Application Security Key Business Drivers Employees access to ERP applications Sensitive ERP transactions and data Fraud and error Complex regulatory compliance requirements Key Capabilities for Application Security Oracle ERP Authentication : Oracle ERP authentication/single sign-on Role Based Access Controls (RBAC) based on specific job functions Access Permissions Architecture based on specific requirements such as job role or geographic location Function Security restricts user access to individual menus of ERP functions, such as forms, HTML pages, or widgets Data Security to restrict the access to the individual data that is shown once a user has selected a menu or menu option. Operational Segregation of duties(sod) framework Realized Value Enabled ERP users aligned with job functions Reduced user administration costs Effective regulatory compliance program 9

11 Data and Infrastructure Key Business Drivers Data & Infrastructure Security External threats Internal threats Technology vulnerabilities Complex regulatory compliance requirements High availability Key Capabilities for Data & Infrastructure Oracle ERP Information protection to protect data at rest and data at motion, database security, data masking, vulnerability management Infrastructure Security harden operating system and hardware Cyber Security program to minimize the impact of cyber security attacks by proactively monitoring transactions & leveraging an incident response program Business and Technology Resilience to provide business continuity planning & management, disaster recovery, crisis management, high availability capabilities, performance monitoring Privilege user management program to manage administration and system to-system user accounts Realized Value Effective, risk-based information security program to protect ERP solution Effective regulatory compliance program 10

12 User Access Administration Key Business Drivers Ongoing user administration and control governance High user administration and Controls cost Complex regulatory compliance requirements Greater need to understand user activities and usage trends Oracle ERP Key Capabilities for User Access Administration ERP Security Operations and Controls Governance Organizational design & operational processes Policies and procedures Controls Governance & reporting ERP Controls enablement and remediation processes Segregation of Duties process User Access Administration Functions and Tools Registration / Approval Self Service Delegation User Provisioning : Add, Change, Inactive Password Management Certification User Analytics Realized Value Efficient ERP user administration program Reduced user administration cost Effective regulatory compliance program 11

13 Securing the ERP Roadmap 12

14 Roadmap Securing the ERP Works ho /8 Securing the ERP 'fiialj Journey Jumpstart Project Advanced Controls User Access Administration St rate gyt_ Assess 1fXesig'ti1= =~=- 1 il_@j Data Security cy \OJ\ ~t===-- Infrastructure Security ERP Project 13

15 Methodology Our KPMG Securing the ERP framework uses a risk-based phased approach to create more manageable and measurable engagements. Each phase logically leads to the next phase and leverages work performed in all prior phases, while managing the project closely with the client in each phase. Securing the ERP Securing the ERP Services Strategy, business requirements and business case development Facts to Value current state assessments Oracle ERP Security and Advanced Controls design and implementation Automated Controls implementation Preventative & Detective Application Security Advanced Controls Data & Infrastructure Security User Access Administration User Access Administration design and operational realization Data and Infrastructure security design an implementation Configuration controls implementation 14

16 Methodology Plan Design Build Implement Monitor Current State Assessment Advanced Controls Risk & Controls Matrix Review & Update Manual Controls Design EBS Controls Design Oracle Advanced Controls Design EBS Configuration OAC Install & Configuration Testing Cycles Validate Process Controls Blue Sky Strategy Workshop Application Security EBS Application Security Design RBAC Design Build & Validate EBS Roles & Responsibilities Testing Cycles ERP Application Security Convert & Validate Test Users Convert & Validate End Users Securing the ERP Strategy Securing the ERP Project Plan Data & Infrastructure Security User Access Administration SOD Design EBS Data Security Design EBS Infrastructure security Design Update User Administration Build Data Security Architecture Build Infrastructure Security Architecture KPMG International Cooperative ( KPMG International ), a Swiss entity. All Program rights reserved. SOD Review Permission SOD Review Users Testing Cycle Validate Data & Infrastructure Review User Administration Program Execute User Administration 15 Program

17 KPMG Security and Controls Practice 16

18 Practice Overview KPMG brings a depth and breadth of security and controls expertise to today s ERP security challenges. Our Oracle Security & Controls resources know the business advantages of a well-managed ERP system, and they know how to implement the right security & control solutions in a given context to not just foster a company s growth and efficiency, but help ensure that its assets and data are protected. KPMG s Oracle Security & Controls Practice Highlights 20 years of Oracle security and controls experience Global delivery team with 100+ Oracle security & controls resources Oracle Security & Controls implementations have included EBS, PeopleSoft, and integrations with Siebel, Hyperion, BRM, PIM, and OIM 100+ Securing the ERP engagements delivered by the team members Long standing relationships with Oracle Advanced Controls product development, and product support organization Thought Leadership Profit Magazine Securing the ERP Interview August 2014 Real-Life Examples: Oracle Advanced Controls (OAC) Benefits in Oracle EBSR12 Upgrades/Implementations March 2014 Record to Report (R2R) White Paper April

19 Tools and Accelerators Securing the ERP Methodology Risk & Controls Catalog Implementation Tools & Accelerators Role Designer Role Uploader Deliverable Process Analysis Templates Flowcharts Tools 18

20 Securing the ERP Maturity Model 19

21 Maturity Model Securing the ERP Maturity Model Security Individual Defined user RBAC UMX - User Identity User self service integration Permission Approach request and approval process Single Sign-on HR position based permissions Adaptive authentication Level Initial Repeatable Defined Managed Optimized Ad Hoc Reactive Automated Manual ERP Automated Detective Control driven Controls configurable SOD Controls Business Controls No SOD controls management Preventative Process Controls Optimization Controls matrix Configuration controls 20

22 Client Use Case Examples 21

23 Client Use Case Examples Oracle ERP Application Security Business Driver: The client was in the middle of an R12 Upgrade when leadership became aware of a significant user access issue. Specifically, the organization had a limited understanding of which employees had access to critical transactions. ERP Users: 6,500 Responsibilities: 4,873 Solution: KPMG leveraged our Securing the ERP Role Based Access controls design accelerators to standardize functional roles and help our client realign user access to better enable the business processes. ERP Users: 6,500 Responsibilities: < 500 Oracle ERP 22

24 Client Use Case Example Oracle ERP Application Security Employee HR Position Role Responsibilities Job Position Role Role Role 23

25 Use Case Example User Access Administration Business Driver: The client s user management processes were inadequately supporting the user community. Client leadership was concerned with their auditor feedback related to user administration, certification and segregation of duties. Solution: Leveraged Oracle Identity Management products to streamline user management and automate the certification processes. In addition, the solution integrated Oracle Identity Management products with Oracle Advanced Controls AACG to address SOD challenges. Oracle ERP 24

26 Client Use Case Example User Access Administration Certification 25

27 Client Use Case Example Order to Cash Scrap Controls Business Driver: To support a business process improvement initiative the client s leadership wanted greater transparency of their order to cash processes. Specifically, leadership wanted to make the reason code mandatory when scrap transactions where processed by the business. Solution: Leverage Oracle Advanced Controls Preventative Controls Governor to make the reason code mandatory. Standard Oracle EBS functionality does not require this. Oracle ERP Advanced Controls 26

28 Client Use Case Example Order to Cash Scrap Controls Standard functionality of Miscellaneous Transactions form: Reason field optional. 27

29 Client Use Case Example Order to Cash Scrap Controls Leveraged Oracle Advanced Controls Preventative Controls Governor to make this field required. 28

30 Facts to Value 29

31 Facts 2 Value KPMG: Facts 2 Value A data analytics solution that is positioned to help our clients to identify irregularities and opportunities for improving efficiency and effectiveness in ERP operational and financial processes.. Risk & Control Focus Process Improvement Cost Savings Improving audits Full volume testing vs. sampling Using transactional data for testing application controls Central testing of automated controls Improving risk management Identify problem areas in processes Focus on issues instead of generic risks Improving internal control Determine customized control settings Verify master data reliability Scan authorizations including actual usage Identify key areas for control improvement Process effectiveness Full insight into actual flows (buckets) including number of documents and value Process efficiency Insight into document processing time Number and value of parked and blocked documents Benchmarking Internal between e.g. Organizations External with anonymous industry data Project reviews Pre-go-live scans Post-implementation reviews Working capital Days sales outstanding Evaluation of rebate agreements Days payables outstanding Evaluation of payment terms Stock analyses (dead, safety, etc.) Interest earnings Asset analyses Tax improvements Used tax determination scenarios Inaccurate use of tax code derivations Possible tax savings (reduce possible fines, apply lower tax schemes) 30

32 Facts 2 Value Business Process Controls Area of Focus Purchase to Pay Possible duplicate vendor invoices Display actual usage of 3-way match invoices Detect parked or held incoming logistic invoices Display use of invoice verification tolerance limits Display all changes to vendor master data Display outstanding parked invoices Detect goods receipt without a purchase order Display actual usage of 2-way and 3-way match invoices Detect incomplete foreign trade data for vendors Display incomplete vendor master data Order to Cash Detect blocked sales orders Detect invoices in Sales but not processed in Finance Sales orders delivered but not yet invoiced Display customers with exceeded credit limits Detect incomplete foreign trade data for customers Detect customers without credit limit Detect deliveries without goods issue Display all changes to customer bank account data Overview of created credit notes Detect incomplete customer master data Order to Cash Days Sales Outstanding DSO per customer DSO per country Early/late payments Used payment terms Frequency of invoicing Credit memo / invoice ratio Customer consignment orders Orders per user Invoices per user Frequency of dunning Used payment methods Contract compliance Order cancellations 31

33 Facts 2 Value Business Process Controls Area of Focus Purchase to Pay Days Payable Outstanding DPO per vendor DPO per country Early/late payments Used payment terms TAX reclaim analysis Contract compliance Orders per user Invoices per user Vendor return orders One-time vendor payments Vendor consignment orders Early payment rebates Frequency of invoicing Finance to Report Detect GL accounts allowed for manual postings Changes to GL account settings Display all changes to asset master data Display all open posting periods Display all open items per GL account Detect all FI postings not processed Detect unposted assets Manual customer payments Manual vendor payments Reconciliation Finance-Manufacturing Inventory Management Days Inventory Outstanding DIO per plant DIO per customer Material movement analysis raw materials Material movement analysis finished products Safety stock analysis minimum stock levels Safety stock analysis delivery reliability Vendor delivery quantity reliability Vendor delivery time reliability Quality lead time analysis raw materials Quality lead time analysis finished products Dead stock analysis 32

34 Facts 2 Value Business Process Controls Area of Focus - HR Personnel Master Data Employment & Absence Time Reporting Benefits & Salary Non-registered staff using actions Duplicate employee data Employees with no addresses Incomplete personnel members Duplicate personnel members Employees with multiple Oracle ERP account names Active employees without an Oracle-user Manual change of the contract without changes in leave Temporary employments Overtime for specific functions Untimely sickness reporting Untimely or incorrect registration of leave More than 8 hours a day More than 40 hours a week Total hours per week Timeliness of timesheet entering Timeliness of timesheet approval Hours not yet approved Hours booked per week Hours transferred to other project or WBS element Additional payments (wages) inconveniences Requested move expenses without address change Work at home costs without changed commuting compensation Ratio variable and fixed income Changes in salaries Changed own salary Manual changes of leave without a contract change Personnel with a contract but not in the organization chart Hours entered and approved Approve own hours 33

35 Facts 2 Value Business Process Controls Purchase to Pay Visualization Purchase order Processed Orders with receipt $ 554m 163,882 orders Receipt Processed Receipts $ 559m 669,532 receipts Invoice (inc. VAT) Processed Invoices 3-way match invoices $ 499m (48%) 331,426 invoices (34%) Matched $ 187m (37%) 196,417 invoices Manual release $ 312m (63%) 135,009 invoices Payment (AP) (inc. VAT) Processed AP Items Regular AP payments (payment run) $ 772m 58,111 items without receipt $ 283m 475,710 orders Processed Receipts Receipts without orders $ 0 0 receipts 2-way match invoices $ 248m (24%) 450,440 invoices (46%) Matched Manual release $ 208m (84%) $ 40m (16%) 373,559 invoices 76,881 invoices Direct invoices (without PO) $ 296m (28%) 189,699 invoices (20%) Auto. release $ 231m (78%) 142,594 invoices Manual release $ 65m (22%) 47,105 invoices Manual AP payments $ 3m 267 items Other AP postings Not analyzed Open AP Items Legend System controlled process Processed Credit Memos Credit memos $ 98m (9%) 14,576 credit memos $ 185m (193,636 items) Due for payment: 0 60 days: $ 183m (192,066) days: $ 590k (620) >120 days: $ 1.8m (950) Manually controlled process Open / parked documents Open orders (> 3 months) Not analyzed Invoices not processed in AP $ 1m 695 invoices Possible duplicate invoices $ 0 0 invoices 34

36 Securing the ERP Workshop 35

37 Securing the ERP Workshop Goal Review KPMG s Securing the ERP areas of focus and understand how this program can be used to strategically align Oracle ERP Security & Controls related spend and operational priorities 9:00 to 11am Review Securing the ERP Areas of Focus - Controls Enabled Business Process Optimization and Performance Analytics - ERP Advanced Controls (Automated, Detective, User, Configuration) - ERP Application Security (Users, Permissions, Role Based Access Controls, SOD) - User Access Administration (User Operations, Business Processes & Analytics) - Data & Infrastructure Security ( Data in Motion/Data at Rest, Cyber Risk, ) Agenda 11:00 to 12 noon Lunch and Real-Life Example / Use Case Discussion Strategy & Planning Deep Dive - Strategic Planning Considerations 1:00 to 3pm - Prioritization & Budgeting - Current State White Board Assessment - Strategic Roadmap Deep Dive 24 Month Output - Current State White Board Assessment - Prioritized Strategic Roadmap KPMG LLP, a Delaware limited liability p artnershi p and the U.S. member firm of the KPMG network of indep endent member firms affiliated with

38 Securing the ERP Workshop Chief Information Officer Director of Internal Audit Controls Leader Finance ERP Project Leader Chief Risk Officer Human Resources Chief Information Security Officer 37

39 Laeeq Ahmed (818) Brian Jensen (817) KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. The KPMG name, logo and cutting through complexity are registered trademarks or trademarks of KPMG International.