WORKSHOP 84 STREAMLINING COMPLIANCE THROUGH GRC INTEGRATING A-123 UPDATES AND MORE!

Transcription

1 WORKSHOP 84 STREAMLINING COMPLIANCE THROUGH GRC INTEGRATING A-123 UPDATES AND MORE!

2 BOB THORSON ACCENTURE Bob Thorson is a Senior Manager in Accenture Federal Service s Defense Practice, specializing in Governance, Risk, and Compliance (GRC) tools and human capital solutions. Bob currently oversees DLA s SAP GRC implementation, working to automate their internal controls testing and documentation, and the Department of the Navy s (DON) Managers Internal Control Program (MICP) contractor support, working to create the DON Statement of Assurance. In addition to being Accenture s financial GRC capability lead, Bob has an extensive background in organizational job design, training, and change management. 2

3 SIMONE REBA ACCENTURE Simone Reba is a senior financial manager with Accenture Federal Services, primarily focused on supporting the Department of Navy Financial Improvement Program (FIP). Prior to her move to Accenture, Reba served 30 years with the Defense Logistics Agency (DLA), culminating in her induction into the Senior Executive Service in May 2007 as the DLA s Deputy Chief Financial Officer (CFO). As Deputy CFO, she oversaw and provided guidance to all core financial functions budget, accounting, audit, and process management, served as the Agency budget officer, and the Agency s audit readiness program manager. As Agency s Audit Readiness Program Manager, she successfully led DLA s 27,000 DLA employees to a successful financial statement audit readiness assertion in FY 2015, making DLA the first Defense entity of its size and complexity to assert readiness (two years ahead of the 2017 Congressional Mandate 3

4 NAVIGATING A-123 UPDATES 4

5 OMB A-123 UPDATES WHAT S CHANGED? Takes an Enterprise Risk Management based approach for more effective internal controls, integrating risk management and internal controls Creates a holistic portfolio view of risk, providing agencies greater visibility into uncertainties, enabling better decision making Requires documentation of compliance with 17 GAO Green Book principles Requires creation of a Senior Management Council (or similar existing group) to provide oversight and governance in establishing risk profiles, overseeing operation of an effective system of internal control and implementing an ERM Enterprise Risk Management Establishes an ERM program integrating risk and internal controls throughout all management processes, including budget, strategy, accounting, and audits Internal Controls and System Assessments Increased documentation requirements will require a solid reporting structure for compliance, leveraging an SMC to manage towards an annual Statement of Assurance, that now includes a summary of an Agency s risk profile Deficiencies and Reporting To receive the most benefit from the A-123 revisions, agencies should promote comprehensive corrective action plan documentation and follow-up 5

6 INTEGRATION OF PERFORMANCE, RISK AND INTERNAL CONTROLS Why Reduce risk and cost of mitigation Revised GAO Green Book GAO Fraud Risk Management Framework Upcoming Fraud Reduction and Data Analytics Act OMB A-11 What Agencies Have to Do Develop ERM implementation plan Include findings from Risk Profile as a component of Strategic Review meetings Provide assurance (SOA) on the effectiveness and efficiency of IC over ALL processes & reporting Include risk profile in SOA Integrate ERM and IC Update Risk Profile: Annually by June 3rd Document evidence to substantiate Green Book compliance Leverage/create Senior Management Council (SMC) to: provide risk appetite, risk profile, IC and ERM governance Increases performance - streamlined processes that: o o o Value Reduces business operations cost Reduces mitigation, CAP & compliance cost Increases effectivenss Reduces risk Increases accountability Increases transparency

7 DLA S JOURNEY 7

8 DLA s Mission, Vision, and Values Mission America s Combat Logistics Support Agency, the Defense Logistics Agency (DLA) provides effective and efficient worldwide support to Warfighters and other customers Vision Warfighter-focused, globally responsive, and fiscally responsible supply chain leadership Values Warfighter s needs guide DLA Integrity defines DLA Diversity strengthens DLA Excellence inspires DLA 8

9 What is DLA? DLA is the largest agency within the DoD Provides technical and logistics services to military services and several agencies Supplies almost every consumable item military services need to operate, from food to fuel DLA Statistics Military and civilian personnel (48 states and 28 countries) Over 25,000 Items managed in 9 supply chains ~6M Requisitions per day Over 100,000 Contract actions per day (new awards and mods) 9,000+ Annual Revenue $34B Weapon systems supported ~2,400 Distribution centers managed worldwide 25 Support items annually for 112 nations $2.1B 9

10 EBS Enclave Enterprise Business System (EBS) EBS is DLA s enterprise approach utilizing necessary leading edge technology, to allow DLA to focus on its core business Re-engineered and transformed how DLA does business Enables DLA to consistently deliver new capabilities, minimizes transition risk to DLA and the warfighter Integrates all enterprise system capabilities Financial system of record Single face to customers, suppliers, and external stakeholders External Portal Web/Application Services/SOA Netweaver/WAS, SAP PI WS, BEA Web Logic,Tomcat Enterprise Portal (Internal) - SAP Enterprise Portal, Role, Navigation Smart Forms Terminal Services Adobe Citrix (SAPGUI, BEX) Direct Web Services Microsoft IIS SAP SCM SAP HANA Sidecar SAP BW SAP CRM SAP SRM SAP ECC JDA Manu GRC Access Controls Process Controls Risk Management Greenlight/ Laserfocus 10

11 GRC Audit Readiness Goals Eliminate or mitigate Segregation of Duties violations within the System Access Profiles (Job Role) Establish enterprise process to prevent recurrence of violations with future access profile maintenance or creation Guard against employee fraud, abuse, mistakes, and mistake cover-ups Implement a tool to manage risk, reduce costs, and minimize complexity to support day-to-day management efforts across DLA Pass FISCAM and Internal Controls A-123 audit 11

12 Existing Control Environment Manual Control testing conducted through extensive coordination, meetings and collaboration to determine: Program or process to be tested Testers, reviewers, approvers Site locations Controls to test TOD/TOE Monitoring: data collection, storage, remediation Reporting Enterprise Risk E2E Program/Process Control Test Inability to adapt to a constant and evolving environment P2S Law Enforcement Support Office (LESO) Annual Physical Inventory Inspection Improper Handling of controlled material P2S Safeguarding of control substances Verification of storage vault, vault log, personnel clearances, alarm monitoring, and quarterly inventories 12

13 GRC Implementation Timeline June 2013: Established enterprise access control processes & procedures March 2014: SAP GRC Access Controls identifies and monitors risks for enterprise systems based on enterprise SoD ruleset June 2014: Implemented Emergency Access Management (EAM) for IT Production Support users June 2015: Redesigned end user system access to remove or mitigate SoD violations and implemented ongoing monitoring of SoD violations using Access Violation Management September 2016: Implemented SAP GRC Process Controls and Risk Management for internal control documentation and testing June 2017: Implementing automated monitoring and policy management through SAP GRC 13

14 AUTOMATING COMPLIANCE 14

15 SAP GRC PROCESS CONTROL CONVERGENCE OF COMPLIANCE PROCESS MANAGEMENT AND CONTINUOUS CONTROLS MONITORING Certify and Sign-off (302, Designs, ) One system for end-to-end enterprise control management Deploys controls using riskbased approach Document Test Monitor Certify Review Exceptions Test Automated Controls Business Processes IT Infrastructure Test Manual Controls Remediate Issues Perform Self- Assessments Automatically monitors controls in multiple enterprise applications Detects global risks and prioritizes corrective action Process-Control-Objective-Risk

16 CONTINUOUS CONTROL MONITORING (CCM) AUTOMATING COMPLIANCE CCM enables GRC users to continuously monitor and report on master data, business transactions, and configuration changes, enabling: Improved oversight of key business controls Rapid response to identified deficiencies Significant reduction in compliance cost and effort Source: SAP 16

17 CONTINUOUS CONTROL MONITORING (CCM) AUTOMATING COMPLIANCE Automates running reports or monitoring tables in other systems Results are returned to GRC tool and sent to identified users for review Integrates easily with many different systems Enables automation of compliance testing Examples of automated controls include: Monitoring of high dollar transactions Timely resolution of key interface failures Monitoring compliance of cyber security standards Reliability and Consistency of Testing Cost of Compliance 17

18 QUESTIONS? 18