Secure Your ERP Environment with Automated Controls Naomi Iseri,Sr. GRC Solution Consultant


1 Secure Your ERP Environment with Automated Controls Naomi Iseri,Sr. GRC Solution Consultant

2 Agenda
- Introductions & Objectives
- Why Automate Controls
- What Types of Automated Controls Do I Need
- When to Implement Automated Controls

4 Why Tighten Security & Controls Now?
- "It won't happen to me..."
- "We don't have a problem..."
- "We trust our people..."

5
- "85% of internal controls at an average firm are manual." - Financial Executives Research Foundation
- "Through 2010, companies that select individual solutions for each regulatory challenge they face will spend 10 times more than companies that take a proactive and more integrated approach." - Gartner
- "More than half (55 percent) of Certified Fraud Examiners say the number of frauds increased during the past year when compared to the level of fraud they've investigated or observed in years prior. In addition, 49 percent observed an increase in the dollar amount lost to fraud during the same period." - Compliance Week, April 2009
- "Some 68 percent of staff admit to bypassing their employer's information security controls in order to do their jobs." - Financial Times, May

6 Agenda
- Introductions & Objectives
- Why Automate Controls
- What Types of Automated Controls Do I Need
- When to Implement Automated Controls

7 ERP Systems Do NOT Address Segregation of Duties
- The security model is complex and flexible, allowing you to design access to meet the business, BUT designing in appropriate SOD becomes VERY difficult.
- No automated, continuous way to detect, remediate and prevent SOD violations.
- No auditable reports to support the controls environment.
- Not sustainable: point-in-time audits are expensive and not reliable.
- Can't prevent SOD violations at the point of access.
- Time consuming and costly to implement customizations to detect, mitigate and prevent SOD violations.
- Managing false positives is difficult.

8 ERP Systems Don't Address Configuration Change Management
- You don't have the desired level of visibility into the management of the critical set-ups that drive the Oracle EBS environment.
- You don't have an automated way to detect or record changes to sensitive set-up data across instances, locations, or points in time.
- Difficult to prevent changes to critical set-ups from occurring repeatedly.
- Need a better way to enforce change control, ensure data integrity and identify fraud.
- Difficult and time consuming to generate reports that provide the auditable evidentiary support for your critical set-ups that auditors demand.
- Data privacy and protection of sensitive data requires extensive application customization.

9 Automated Controls Monitor Control Effectiveness
Detective Controls (what has already happened):
- SOD & Access: what users have done
- Application Configuration: what's changed in the process
- Transaction Monitoring: what the execution patterns are
Preventive Controls (enforce policies in context):
- SOD & Access: what users can do
- Application Configuration: what can change in the process
- Transaction Monitoring: what execution patterns are allowed

10 Automated Controls Enforce SOD & Access Rules
Analyze and remediate conflicts of interest or improper access for a given user or role.
- Access Control Policies: enforce policies on who can access application functionality
  - Access Simulation: perform what-if analysis on proposed changes to access rights or application structure
  - Sensitive Access Control: enforce preventative access restrictions based on fine-grained user entitlement policies
- Transaction Controls Policies: enforce policies on business transactions
  - Policy-based Detection: identify and remediate historic transactions that represent risk or violate business policies
  - Pattern-based Detection: assist policy definition and detection of fraud based on patterns or complex algorithmic rules
  - Change Control: enforce business policies for at-risk transactions by applying fine-grained, conditional controls at execution time
- Master Data Control Policies: enforce policies on configuration & master data
- Configuration Controls Policies: enforce policies on business process setups
  - Change Tracking: continuously monitor changes to business process setups in enterprise applications
  - Setup Analysis: analyze critical configurations or business process setups in enterprise applications

11 Customer Scenario
- Trusted long-time employee who has multiple user access
- Creates invoices to pay suppliers that were not approved ($6M over three years)
- Company's financial controls were in place but never detected it
- Money is not recoverable

12 Customer Scenario
- Created fictitious firms to pay
- Paid/stole $10k-$30k at a time
One way it could have been done:
- Purchase Order #1, To: Supplier A
- Remit-To Override: Supplier A -> Supplier B
- Invoice Re: Purch. Order #1, From: Supplier B
Could this have been detected?

13 With Automated Controls: Would Have Flagged User's Overly-broad Access

15 With Automated Controls Would Have Flagged Inappropriate Setup Changes

16 With Automated Controls Would Have Flagged Suspicious Transactions

17 With Automated Controls
Warning: Employee is creating both Suppliers and Invoices.
Action: Employee, along with other users, has unintentional permission to create both Suppliers and Invoices. Review responsibility assignments and, if necessary, redefine responsibilities.

18 With Automated Controls
Warning: Employee is creating invoices from parties who don't match the POs' suppliers.
Action: Employee X is defeating, then re-enabling, the control so that the Employee can evade it. Prevent the defeat of the internal control by requiring real-time third-party approval of any changes.
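The three findings on slides 12, 17 and 18 (conflicting supplier/invoice access, invoices whose party or remit-to differs from the PO supplier, and invoices entered by the same user who set up the supplier) can be expressed as simple detective checks. The following is an added example over constructed sample data, not code from the presentation or from any GRC product; the user, supplier and document names are hypothetical.

```python
from collections import defaultdict

# Constructed sample data (hypothetical users, suppliers and documents).
GRANTS = [  # (user, function granted through a responsibility)
    ("emp_x", "CREATE_SUPPLIER"), ("emp_x", "CREATE_INVOICE"),
    ("emp_y", "CREATE_INVOICE"), ("emp_z", "APPROVE_INVOICE"),
]
SOD_CONFLICTS = [("CREATE_SUPPLIER", "CREATE_INVOICE")]
SUPPLIERS = {"Supplier A": "emp_z", "Supplier B": "emp_x"}  # supplier -> created_by
PURCHASE_ORDERS = {"PO-1": "Supplier A"}                  # po_id -> supplier on the PO
INVOICES = [  # (invoice_id, po_id, invoicing_party, remit_to, created_by)
    ("INV-1", "PO-1", "Supplier A", "Supplier A", "emp_y"),
    ("INV-2", "PO-1", "Supplier B", "Supplier B", "emp_x"),
    ("INV-3", "PO-1", "Supplier A", "Supplier B", "emp_y"),
]


def sod_violations(grants, conflicts):
    """Access check (slide 17): users holding both functions of a conflicting pair."""
    by_user = defaultdict(set)
    for user, func in grants:
        by_user[user].add(func)
    return sorted((user, a, b) for user, funcs in by_user.items()
                  for a, b in conflicts if a in funcs and b in funcs)


def po_supplier_mismatches(invoices, purchase_orders):
    """Transaction check (slide 18): invoicing party or remit-to differs from the PO supplier."""
    hits = []
    for inv_id, po_id, party, remit_to, user in invoices:
        po_supplier = purchase_orders.get(po_id)
        if po_supplier is None or party != po_supplier or remit_to != po_supplier:
            hits.append((inv_id, po_id, po_supplier, party, remit_to, user))
    return hits


def self_created_supplier_invoices(invoices, suppliers):
    """Pattern check (slide 12): invoice entered by the same user who set up the supplier."""
    return [(inv_id, party, user) for inv_id, _po, party, _remit, user in invoices
            if suppliers.get(party) == user]


if __name__ == "__main__":
    print("SOD:", sod_violations(GRANTS, SOD_CONFLICTS))
    print("PO mismatch:", po_supplier_mismatches(INVOICES, PURCHASE_ORDERS))
    print("Self-created supplier:", self_created_supplier_invoices(INVOICES, SUPPLIERS))
```

Each check is a detective control; the preventive counterpart on slide 18 is to route any remit-to override through a third-party approval before the invoice can be paid.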

19 Agenda
- Introductions & Objectives
- Why Automate Controls
- What Types of Automated Controls Do I Need
- When to Implement Automated Controls

20 GRC Maturity Progression (maturity increases over time)
- Informal: compliant but at a high cost to the business; manual controls; ad hoc approach; no best practices
- Reactive: risks are documented; manual risk assessment and reporting; tactical approach; after-the-fact reporting
- Proactive: policies are enforced; automated processes; unified, standardized & strategic approach; prevent policy violations
- Optimized: analyze and trend; automated risk mitigation / predictive risk assessments; GRC objectives embedded throughout the organization

21 When to Start: Cost and Effectiveness Implications
Retrofit Approach:
- Less impact to project timeline
- Less up-front cost
- Higher long-term costs
- Higher control risks with delayed identification
Design-In Approach:
- Most effective control baseline
- Minimal rework
- Lower long-term costs
- Lower control risks with continuous control improvements

22 Implementation Best Practices