Rapidly Reduce Segregation of Duty Violations in Oracle EBS R12 Responsibilities Session ID#: 15042


1 Rapidly Reduce Segregation of Duty Violations in Oracle EBS R12 Responsibilities
Session ID#: 15042
Responsibility templates from a catalog of pre-configured ERP roles.
Workflow to update, review and approve role design changes.
Roles management techniques to improve design.
Prepared by: Adil Khan, Oracle GRC Advanced Controls Consultant, FulcrumWay
REMINDER: Check in on the COLLABORATE mobile app

2 Agenda
Introduction
Top SOD Challenges in Oracle EBS
SOD Controls Assessment Overview
Role Design Techniques
Case Study
Q&A

3 Introduction

4 FulcrumWay: Adil Khan
Managing Director and GRC Consultant
Over 20 years of experience in enterprise business systems
Currently serves on the board of the Oracle Applications Users Group Governance, Risk and Compliance Group (OAUG-GRCSIG)
Successfully designed and implemented internal controls management systems for more than 15 global companies listed on NYSE and NASDAQ
Previously served as a board member and Chief Executive Officer of ALTM, a public company listed on NASDAQ
Expertise: streamlining and automating Governance, Risk and Compliance processes based on industry standards such as COSO ERM and COBIT
Co-authored GRC book: the first book on GRC for Oracle Applications
Presented at Oracle OpenWorld, OAUG and others; will be presenting at IIA/ISACA GRC 2014
Provides webcasts on GRC best practices, trends and expert insight
Created an organization which serves over 200 Oracle companies

5 FulcrumWay: A leader in Risk Based Enterprise Controls Management
FulcrumWay is the #1 end-to-end provider of Enterprise Risk Management expertise, solutions and software services for Oracle EBS, PeopleSoft and JDE customers, with over 200 Fortune-500 to middle-market clients. Since 2003, we have successfully assisted companies across all major industry segments.
Expertise: Risk advisory services. Advanced controls design for enterprise business applications. Best practices for risk mitigation and internal controls automation. Audit, compliance, financial, enterprise and operational risk assessments. Risk remediation services such as Segregation of Duties.
Packaged Solutions: FulcrumWay is the #1 choice of Oracle customers for Oracle GRC Manager, GRC Controls and GRC Intelligence/OBIEE software implementation. Oracle has certified us as the only partner with Accelerators for Oracle GRC. We also provide managed services and hosting for Oracle GRC applications.
Software Services: Risk management tools: Enterprise Risk Manager, Financial Close Risk Manager, Risk Based Audit Manager, IT Risk Workbench, and Advanced Controls Catalog. Data management tools: Rules Repository, DataProbe adaptors and Data Hub.
USA Presence: Privately held Delaware corporation with US offices in New York City, Dallas and San Francisco
International Presence: Chennai, Dubai, Kampala, London, Rome, Santiago, Singapore

6 Top Segregation of Duties Challenges on Oracle E-Business Suite R12

7 What have we learned from Oracle EBS customers
We cannot use Oracle seeded Responsibilities because of inherent SOD conflicts: a GL Super User can enter journals, post journals, change approval limits, update GL accounts and change the calendar.
Our R12 patches created even more SOD issues.
Which SOD policies will mitigate the risk in our Oracle Responsibility design?
How do we ensure that the activities of users granted super user Responsibilities have an effective compensating control?
Why do we have so many false positives, and how do we remove them from our analysis?
What is an effective approach to design and test the Oracle security model before deployment?
When will we be able to close all SOD incidents?

8 Access Management Challenges
ERP roles need significant changes to meet requirements
Access to sensitive data is not protected
No audit trail on ERP configuration controls
User provisioning does not prevent control violations
Segregation of Duty controls are deficient
Cannot prevent unauthorized master data changes
Super user activity is not monitored
Periodic user certification is not reliable
Terminated employees still have access to the ERP

9 Complicated Security Model: High Risk of Segregation of Duties Issues
[Diagram: the EBS access hierarchy User -> Responsibility -> Menu -> Function -> Form]
Evaluate user access: test by user, test by privilege
Manage Segregation of Duties: identify incompatible privileges with predefined and extensible SOD rule sets

10 Key Factors impacting SOD violations
EBS release and the business cycles enabled by Oracle modules (Order to Cash, Procure to Pay, Record to Report, Hire to Retire, Design to Build, etc.): an average R12 customer has over 35,000 functions and 12,500 menus
Number and complexity of SOD policies: ranges from 25 to 250
Number of business units and variation in Responsibilities across the business
Security model: RBAC, Single Sign-On, OIM, etc.
Number of users and Responsibilities

11 Remediation in Oracle EBS is a permutation problem
Complete visibility into the remediation impact!
What if we exclude Invoice Batches from AP_Invoices_Entry?
[Diagram: one shared submenu, AP_Invoices_Entry, reached from three responsibilities]
User: John Doe -> Responsibility: Payables Manager, US -> Menu: AP_Navigate_GUI12 -> Submenu: AP_Invoices_Entry -> Function: Invoice Batches
Responsibility: Payables Supervisor -> Menu: UK_AP_Navigate_GUI12 -> Submenu: AP_Invoices_Entry
User: Mike Jones -> Responsibility: Payables User -> Menu: AX_Payables_User -> Submenu: AP_Invoices_GUI12_G -> Submenu: AP_Invoices_Entry
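The what-if question on slide 11 can be answered mechanically once the hierarchy from slides 9 and 11 is modelled. The Python below is an added example, not FulcrumWay or Oracle code: the menu and responsibility names are taken from slide 11, the user-to-responsibility assignments and the extra "Payments" and "Invoice Inquiry" functions are assumed, and the three dictionaries stand in for the FND_MENU_ENTRIES, FND_RESPONSIBILITY and FND_USER_RESP_GROUPS_DIRECT tables. It compares the two ways of removing a function: editing the shared submenu, which propagates to every responsibility whose menu tree reaches it, versus a responsibility-level exclusion of the kind EBS stores in FND_RESP_FUNCTIONS, which touches one responsibility only, so a user who holds a second responsibility granting the same function keeps it.

```python
"""Added example: model the Oracle EBS R12 access hierarchy from slides 9 and
11 and compare two remediation options for one function. Sample data is
constructed; menu and responsibility names come from slide 11, the user-to-
responsibility assignments are assumed. Not FulcrumWay or Oracle code."""

# Menu tree: each menu lists its entries as ("menu", submenu) or
# ("function", function). In EBS this is FND_MENU_ENTRIES.
MENU_ENTRIES = {
    "AP_Navigate_GUI12":    [("menu", "AP_Invoices_Entry"), ("function", "Payments")],
    "UK_AP_Navigate_GUI12": [("menu", "AP_Invoices_Entry")],
    "AX_Payables_User":     [("menu", "AP_Invoices_GUI12_G")],
    "AP_Invoices_GUI12_G":  [("menu", "AP_Invoices_Entry"), ("function", "Invoice Inquiry")],
    "AP_Invoices_Entry":    [("function", "Invoice Batches"), ("function", "Invoices")],
}
# Responsibility -> top-level menu (FND_RESPONSIBILITY.MENU_ID).
RESP_MENU = {
    "Payables Manager, US": "AP_Navigate_GUI12",
    "Payables Supervisor":  "UK_AP_Navigate_GUI12",
    "Payables User":        "AX_Payables_User",
}
# User -> responsibilities (FND_USER_RESP_GROUPS_DIRECT). Assumed assignments:
# Mike Jones holding two responsibilities is what makes option B interesting.
USER_RESPS = {
    "John Doe":   ["Payables Manager, US"],
    "Mike Jones": ["Payables User", "Payables Supervisor"],
}


def menu_functions(menu, entries, seen=None):
    """Every function reachable from a menu, walking submenus recursively."""
    seen = set() if seen is None else seen
    if menu in seen:            # a submenu referenced twice is walked once
        return set()
    seen.add(menu)
    funcs = set()
    for kind, name in entries.get(menu, ()):
        if kind == "function":
            funcs.add(name)
        else:
            funcs |= menu_functions(name, entries, seen)
    return funcs


def resp_functions(resp, entries=MENU_ENTRIES, exclusions=None):
    """Effective functions of a responsibility: its menu tree minus any
    responsibility-level exclusions (EBS keeps those in FND_RESP_FUNCTIONS)."""
    excluded = (exclusions or {}).get(resp, set())
    return menu_functions(RESP_MENU[resp], entries) - excluded


def user_functions(user, entries=MENU_ENTRIES, exclusions=None):
    """Function -> set of responsibilities granting it, across all the user's
    responsibilities. A function with two grantors survives a single exclusion."""
    grants = {}
    for resp in USER_RESPS[user]:
        for func in resp_functions(resp, entries, exclusions):
            grants.setdefault(func, set()).add(resp)
    return grants


def what_if_menu_edit(menu, function):
    """Option A: delete the function from the shared submenu itself.
    Returns (responsibilities, users) that lose the function. Because the
    submenu is shared, the edit propagates to every responsibility reaching it."""
    edited = {m: [e for e in es if not (m == menu and e == ("function", function))]
              for m, es in MENU_ENTRIES.items()}
    lost_resps = sorted(r for r in RESP_MENU
                        if function in resp_functions(r)
                        and function not in resp_functions(r, edited))
    lost_users = sorted(u for u, rs in USER_RESPS.items()
                        if any(r in lost_resps for r in rs))
    return lost_resps, lost_users


def what_if_exclusion(resp, function):
    """Option B: exclude the function on one responsibility only.
    Returns (users who lose it, users who still have it through another
    responsibility), which is the permutation the slide warns about."""
    exclusions = {resp: {function}}
    still = sorted(u for u in USER_RESPS
                   if function in user_functions(u, exclusions=exclusions))
    lost = sorted(u for u, rs in USER_RESPS.items()
                  if resp in rs and u not in still)
    return lost, still


if __name__ == "__main__":
    print("A:", what_if_menu_edit("AP_Invoices_Entry", "Invoice Batches"))
    print("B:", what_if_exclusion("Payables Supervisor", "Invoice Batches"))
    print("B:", what_if_exclusion("Payables Manager, US", "Invoice Batches"))
```

Run against this fixture, option A removes Invoice Batches from all three responsibilities and both users at once, while excluding it on Payables Supervisor alone removes it from nobody, because Mike Jones still reaches it through Payables User. Against a real instance the three dictionaries would be loaded from the FND tables (or a DataProbe extract) and the same two functions answer the question for any menu/function pair.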

12 SOD Controls Assessment Overview

13 FulcrumWay Application Controls Management Best Practices
[Process diagram; steps in reading order]
Prepare Assessment Checklist
Manage Exceptions
Prepare Remediation Plan
Select ERP Controls from FW Controls Catalogs
Establish Test Environment
Detect Control Violations
Analyze Issues
Confirm Findings
Present Project Plan
Implement ERP Advanced Controls
Probe ERP Data
Owners: FW Risk Advisor/Client Lead; FW Risk Advisor/Client Lead/Control Owners; Client Executive Sponsors; FW/Client Project Team

14 DataProbe extracts the security, setup and master data information

16 ERP Test environment consists of ERP configurations and data objects

17 Advanced Analytics to analyze ERP Risks

18 Mitigate and Control Risks

19 Controls Assessment: GRC Controls
[Diagram: Oracle GRC suite, with GRC Intelligence, GRC Manager and GRC Controls (Preventive SOD & Access, Application Configuration, Transaction Monitoring)]
Enforce proper Segregation of Duties in applications
Simplify segregation of duties enforcement with simulation and remediation
Mitigate the risk of privileged user access to enterprise applications with approval workflow and audit trails
Accelerate deployment and time to value with a pre-delivered controls library
Detection: define access controls, access analysis, remediation (clean-up)
Prevention: preventive provisioning, compensating policies

20 Controls Assessment: GRC Controls
[Diagram: Oracle GRC suite, with GRC Intelligence, GRC Manager and GRC Controls (Preventive SOD & Access, Application Configuration, Transaction Monitoring)]
Test the integrity of transactions and controls across business processes
Continuous monitoring of controls and transactions
Apply advanced forensic and pattern analysis
Identify anomalies missed by traditional audit and controls
Detection: define transaction controls, transaction analysis, investigate incidents
Prevention: enforce transaction controls, prevent suspicious transactions

21 Role Design Techniques

22 FulcrumWay Roles Manager Overview
Eliminate the root cause of access control violations in ERP:
Improve Segregation of Duty controls within mission critical applications
Reduce ERP implementation and upgrade costs with pre-configured roles
Lower ERP Total Cost of Ownership by assigning pre-approved roles
We enable ERP administrators to:
Select pre-configured ERP roles from a roles catalog
Update, review and approve role design changes
Identify SOD conflicts before the roles are assigned to users

23 FulcrumWay Roles Manager Features
Roles Manager is an ERP security design tool.
It contains a pre-configured catalog of roles which comply with segregation of duty (SOD) policies: roles by ERP module and by the typical access requirements for those modules, such as Manager, Supervisor, Clerk, Inquiry, Business Setup and IT Setup.
You can use this tool to view existing role templates and design new roles by selecting or deselecting ERP functions/transactions.
Once you complete the role design, you can send it, using workflows, to pre-assigned reviewers and approvers to finalize the roles. The role preparers, reviewers and approvers can also assess the SOD control risks before finalizing the roles.
Leverage FW DataProbe/scripts to load current roles.
Secure access from the fulcrumway.com portal.
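The two checks slides 22 and 23 describe, assessing a role template on its own before it is approved and checking a proposed assignment against what the user already holds, can be expressed over a flat role catalog once the roles are resolved to function sets. The Python below is an added example and not Roles Manager code; the role catalog, the four SOD rules and the rule identifiers are constructed for illustration, in the Manager/Supervisor/Clerk/Inquiry pattern the slide mentions.

```python
"""Added example: design-time and provisioning-time segregation-of-duties
checks over a role catalog. Roles are already resolved to their function
sets; rules are pairs of incompatible functions. Catalog, rules and rule ids
are constructed for illustration. Not FulcrumWay Roles Manager code."""

# Constructed role catalog: role name -> functions it grants.
ROLE_CATALOG = {
    "AP Invoice Clerk": {"Enter Invoices", "Invoice Batches"},
    "AP Payment Clerk": {"Create Payments", "Payment Batches"},
    "AP Inquiry":       {"Invoice Inquiry", "Payment Inquiry"},
    "AP Supervisor":    {"Enter Invoices", "Approve Invoices", "Invoice Inquiry"},
    "AP Setup":         {"Define Suppliers"},
}

# Constructed SOD rule set: (rule id, function A, function B, risk rating).
SOD_RULES = [
    ("AP-01", "Enter Invoices",   "Create Payments",  "High"),
    ("AP-02", "Enter Invoices",   "Approve Invoices", "High"),
    ("AP-03", "Define Suppliers", "Create Payments",  "High"),
    ("AP-04", "Define Suppliers", "Enter Invoices",   "Medium"),
]


def conflicts(functions, rules=SOD_RULES):
    """Rule ids violated by one set of functions (both sides present)."""
    return [rid for rid, a, b, _ in rules if a in functions and b in functions]


def design_check(role, catalog=ROLE_CATALOG, rules=SOD_RULES):
    """Design-time: a template that violates a rule by itself should not
    enter the catalog. This is the seeded-super-user problem from slide 7,
    caught at review/approval time instead of after assignment."""
    return conflicts(catalog[role], rules)


def provisioning_check(current_roles, new_role, catalog=ROLE_CATALOG, rules=SOD_RULES):
    """Provisioning-time: would granting new_role create a cross-role conflict
    with roles the user already holds? Returns (rule id, existing role) pairs
    so the approver can see which existing grant makes the new one unsafe."""
    new_funcs = catalog[new_role]
    found = []
    for held in current_roles:
        held_funcs = catalog[held]
        for rid, a, b, _ in rules:
            if (a in new_funcs and b in held_funcs) or (b in new_funcs and a in held_funcs):
                found.append((rid, held))
    return found


def certify(user_roles, catalog=ROLE_CATALOG, rules=SOD_RULES, mitigated=frozenset()):
    """Periodic certification: every rule violated by the user's combined
    access, minus rules an approved compensating control already covers."""
    funcs = set().union(*(catalog[r] for r in user_roles))
    return [rid for rid in conflicts(funcs, rules) if rid not in mitigated]


if __name__ == "__main__":
    print("design AP Supervisor:", design_check("AP Supervisor"))
    print("grant AP Payment Clerk to an AP Invoice Clerk:",
          provisioning_check(["AP Invoice Clerk"], "AP Payment Clerk"))
    print("certify, AP-01 mitigated:",
          certify(["AP Invoice Clerk", "AP Payment Clerk"], mitigated={"AP-01"}))
```

The three functions separate the three moments at which an SOD violation can be stopped: the template itself (AP Supervisor carries an intra-role AP-02 conflict and should be split or redesigned before approval), the grant (adding AP Payment Clerk to an existing AP Invoice Clerk trips AP-01 and the approver sees which held role causes it), and the periodic review, where rules covered by an approved compensating control are excluded so that only unmitigated incidents remain open.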

24 Access to Roles Manager

25 Search and Browse through catalog of Roles for Oracle EBS R12

32 Case Study: Reduce SOD Access Violations with effective roles management techniques

33 FulcrumWay Roles Manager Overview: Our Client
Leader in the car and equipment rental businesses worldwide, providing quality car rental service for over 90 years, with over 30,000 employees.
Challenges
Replace multiple legacy systems with one ERP solution
Improve Segregation of Duty controls within mission critical applications
Maintain consistent ERP system access roles across the subsidiaries, leveraging the shared services model
Increase external auditor's reliance on ERP access controls monitoring
Solutions: GRC DataProbe, ERP Controls Catalog, ERP Roles Monitor
Results
Reduced ERP role design, build, testing and implementation time by 80%, resulting in over $200,000 in cost savings during ERP system implementation and global roll-out.
Created over 100 Segregation of Duty compliant roles by business segment within two weeks from FulcrumWay role templates in the controls catalog.
Lowered ERP Total Cost of Ownership by reducing SoD remediation time and costs, ensuring that all users are assigned only the pre-approved roles.
Improved SoD and access controls testing time by providing auditors with access log reports showing all update, review and approve role design changes.
Accelerated ERP testing and deployment time by identifying SOD conflicts before the roles are assigned to users.

34 Q & A

35 Summary and Q&A

36 Please complete the session evaluation
We appreciate your feedback and insight.
You may complete the session evaluation either on paper or online via the mobile app.