OAUG / DOAG SIG Day, Vienna, Sept 27th 2010. Oracle Governance, Risk and Compliance: Automated Controls and Compliance in Oracle E-Business Suite. August 2010.
Focus: Show some hands-on examples of how technical solutions in Oracle's GRC Suite can help with compliance and controls challenges in Oracle E-Business Suite.
Content
The following areas frequently appear in our Controls & Compliance Audits and are sections in this presentation:
A) Restricted Access & Segregation of Duties (SOD)
A1) Frequent Findings
A2) Example for Oracle GRC Access Controls
A3) Lessons learned from GRC Implementations
B) Lack of Control over Transactions and Master Data
B1) Frequent Findings
B2) Example for Oracle GRC Transaction Controls
B3) Lessons learned from Implementations
Furthermore, we would like to show the business value in addition to the Compliance and Controls improvements:
C) Value proposition of Controls and Compliance automation
Overview of the Components of the Oracle GRC Suite
The GRC Suite is Oracle's answer to challenges arising from Compliance and Internal Control.
GRC Intelligence: Solution for effective and efficient reporting on compliance activities.
GRC Manager: Management of Risks, Control Gaps and Compliance Gaps; efficient documentation of controls.
GRC Controls (today's topic): Access Controls, Configuration Controls, Transaction Controls.
Business Process (the underlying layer in the diagram).
Automated Controls and Compliance in E-Business Suite, PricewaterhouseCoopers, August 2010, Slide 4
A1) Lack of Control over Access and Segregation of Duties
The System Administrator in a typical Oracle E-Business Suite vanilla implementation has rather limited means for evaluating the access rights granted:
- Check User to Responsibility/Role assignments via reports
- Check Menu to Function assignments via reports
- ...
By these means it is not possible to give a precise answer to the question of which users can execute a certain business function, such as posting an invoice. (This is due to the complex hierarchical Form/Menu structure of the Oracle EBS Function Security concept.) Not surprisingly this leads to findings and compliance issues within our audits.
A2) How GRC Controls can help to close the Controls and Compliance Gaps - Examples
In the past, 3rd-party tools (such as PwC Oracle GATE) were used to analyse the access structure in Oracle EBS. Now administrators can use a solution which is seamlessly integrated into EBS and features functions for preventive control: Access Controls within GRC Controls.
A2) Access Controls Demo from our test system
Segregation of Duties simulation: In the following example we want to check up front the effect a change to a responsibility would have on our defined business policy.
Control Area: Implementation. Access control during implementation, including segregation of duties.
Considerations: Company XYZ designs menus and responsibilities based on business activities. Segregation of duties and restricted access issues are often not considered at the time of implementation.
Potential Pitfall: Potentially sensitive access (critical functions such as close periods or create vendors) and transaction combinations with a risk are not identified for segregation of duty purposes. Excessive access is embedded in the roles and responsibilities designed. All users will automatically violate the segregation of duty rules.
Oracle GRC Improvement Options: Leverage the GRC SOD simulation feature during the responsibility design phase to generate reports on SOD and restricted access issues. Prevent and report on potential access and segregation of duty violations based on the risks identified.
A2) Access Controls Demo from our test system
The following demonstration will show how the simulation feature can be used to analyze the impact on SOD violations of a menu change:
- Remove the Payments function from selected Payables responsibilities.
- Analyze the overall impact on the SOD environment.
Select REMEDIATION >> SIMULATION. Navigation: Access Policies > Remediation > Simulation
Define simulation scenario details. Action: Create a new scenario by clicking Action > Add
Action: Define the scenario details
Select SIMULATE and choose the snapshot data to use. Action: Select Simulate
Review the impact of the simulation scenario. Action: Review the simulation result
You can drill down the impact from Policy > Responsibility > User
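To make the simulation walkthrough concrete, here is an added example (not from the slides or from Oracle's product) that models the hierarchical EBS function security the slides describe, user to responsibility to menu tree to function, and replays the scenario above: exclude the Payments function from one Payables responsibility and compare the SOD violations before and after, with the Policy > Responsibility > User drill-down. All menus, responsibilities, users and the policy are constructed sample data.

```python
# Added example, not from the slides or Oracle's product: a toy model of EBS function
# security (user -> responsibility -> menu tree -> function) and a GRC-style SOD simulation
# that excludes a function from selected responsibilities. All sample data is constructed.

MENUS = {  # menu -> functions attached directly, plus submenus (the hierarchy)
    "AP_NAVIGATOR": {"functions": ["Invoices"], "submenus": ["AP_PAYMENTS_MENU"]},
    "AP_PAYMENTS_MENU": {"functions": ["Payments"], "submenus": []},
    "AP_INQUIRY": {"functions": ["Invoice Inquiry"], "submenus": []},
}
RESPONSIBILITIES = {  # responsibility -> its top menu
    "Payables Manager": "AP_NAVIGATOR",
    "Payables Clerk": "AP_NAVIGATOR",
    "Payables Inquiry": "AP_INQUIRY",
}
USERS = {  # user -> assigned responsibilities
    "alice": ["Payables Manager"],
    "bob": ["Payables Clerk", "Payables Inquiry"],
    "carol": ["Payables Inquiry"],
}
SOD_POLICIES = {"Enter invoices vs. pay invoices": ("Invoices", "Payments")}

def menu_functions(menu, excluded=frozenset()):
    """Flatten the menu tree below `menu`, dropping functions excluded for a responsibility."""
    found = {f for f in MENUS[menu]["functions"] if f not in excluded}
    for sub in MENUS[menu]["submenus"]:
        found |= menu_functions(sub, excluded)
    return found

def sod_violations(exclusions=None):
    """{policy: {responsibility: [users]}} for users who hold both conflicting functions.
    `exclusions` maps responsibility -> functions removed in the simulation scenario."""
    exclusions = exclusions or {}
    report = {}
    for policy, conflict in SOD_POLICIES.items():
        drill = {}  # Policy > Responsibility > User drill-down
        for user, resps in USERS.items():
            per_resp = {r: menu_functions(RESPONSIBILITIES[r], frozenset(exclusions.get(r, ())))
                        for r in resps}
            if set(conflict) <= set().union(*per_resp.values()):  # user can do both
                for r, funcs in per_resp.items():
                    if funcs & set(conflict):  # responsibilities contributing to the conflict
                        drill.setdefault(r, []).append(user)
        if drill:
            report[policy] = drill
    return report

def simulate(exclusions):
    """Before/after picture for a scenario such as {"Payables Clerk": {"Payments"}}."""
    return sod_violations(), sod_violations(exclusions)
```

Removing Payments from Payables Clerk clears bob's violation, while alice, who holds the function through Payables Manager, still violates the policy, which is the kind of residual picture the simulation report shows.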
A2) Not impressed yet?
In addition it is possible to establish preventive control directly within Oracle EBS, to ensure that user administrators follow your business rules.
Control Area: Implementation. Access control after go-live, including SOD.
Considerations: Company XYZ assigns responsibilities to users after employment without considering restricted access and segregation of duties issues.
Potential Pitfall: Segregation of duties and restricted access rules are not enforced at the time of responsibility assignment. Even after an extensive clean-up effort, additional violations can be created without active enforcement.
Oracle GRC Improvement Options: Prevent and report on potential access and segregation of duty violations based on the risks identified.
Action: Remove the end date and hit Initiate Conflict Analysis
Action: Review the conflicts
A3) Lessons learned from Implementation Projects
It may happen that:
- Business claims that access is an IT problem.
- You get lost when managing 40,000 functions using standard reports.
- Guidelines from business on which functions are critical are missing.
You might consider:
- Focusing on core functions: less is more!
- Asking your business what they always wanted to know / restrict.
- Having a look at your last audit report.
B1) Lack of Control over Transactions and Master Data
Override chain: System Default -> Process Default (e.g. on organisation level or in transaction types) -> Value in Transaction.
The override of default values on transaction level is one of the characteristics of Oracle EBS. Ex-post changes / amendments to transactions are also possible. Examples:
- Tax code overrides in invoices
- Asset category default overrides
- Changes to the text of posted journals
- Amendments to posted invoices
Not surprisingly this leads to findings and compliance issues within our audits.
B2) How GRC Controls can help to close the Controls and Compliance Gaps - Transaction Controls
In the past, extensive forms customizations or manual controls were executed to ensure that defaults were not changed or that non-required fields of the EBS standard were filled consistently. Now you can apply check rules which are stored in a central repository.
B2) How GRC Controls can help to close the Controls and Compliance Gaps - Transaction Controls
The following demonstration will show how Form/Flow Rules can do the following:
- Apply an uppercase restriction on Vendor Name for data consistency
- Enforce the supplier Tax ID field, which is not a required field in Oracle
- Apply a format mask (999-99-9999) to the supplier Tax ID for data consistency
- Create a custom LOV for the field SIC Industry Code
Action: Create a new vendor. UPPERCASE is enforced; the field Taxpayer ID is highlighted as a required field.
Action: Try to enter an invalid Tax ID format. The save message "Field must be of format..." is triggered by Transaction Controls.
Action: Enter the required Tax ID. The form shows red lettering as the ID is entered.
Action: The Form Rule applies the formatting 999-99-9999.
Action: Set up a Form Rule to require the Tax ID field on the Vendor record, formatted correctly. UPPERCASE will be enforced on Vendor Name.
Action: Navigate to the Classification tab. View the custom LOV for SIC (Standard Industry Code).
Action: Select a custom SIC.
Setup: Create a custom LOV for the SIC code field.
B2) How GRC Controls can help to close the Controls and Compliance Gaps - Transaction Controls with Approval Workflow
Control Area: Inventory Items.
Considerations: Company XYZ reviews the creation/update of items.
Potential Pitfall with Oracle Implementation: New inventory items are not monitored. New inventory items are not approved. Required fields are not entered.
GRC Improvement Options: Detective control: notifications of new inventory items based on conditions. Preventive control: field entry can be enforced based on other conditions. Preventive control: approval process for the creation of new items.
B2) How GRC Controls can help to close the Controls and Compliance Gaps - Approval Workflow with Flow Rules
The following demonstration will show how Form/Flow Rules can notify the Purchasing department that:
- A new inventory item is created as a Buy item where the Buyer field is null
- The notification must be completed before further approval of the item
Action: Leave the Default Buyer field blank.
Action: An inventory item with Buyer null generates an email.
Action: The email is generated based on the Flow Rule process. Select the Completed button.
Action: Selecting the Completed button creates a Constraints Failed status. Notice that it cannot be cleared until the Buyer field is filled (not null).
Action: Enter the value "Stock, Ms. Pat" for Buyer.
Action: Reopen the Constraints Failed notice. Select Completed to finally clear the notice.
Setup: Create a Flow Rule to control the workflow and notifications when an item is created as a Buy item.
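The vendor Form Rules from the B2 demo (uppercase Vendor Name, required Tax ID with the 999-99-9999 mask, custom SIC LOV) and the Buy-item Flow Rule with its Constraints Failed notice, written out as plain Python so the rule logic can be read and tested. This is an added example, not the slides' or Oracle GRC's own code; the LOV entries, field names and sample records are constructed.

```python
import re

# Added example, not from the slides or Oracle's product: the four vendor Form Rules and the
# Buy-item Flow Rule from the demo as plain functions. LOV entries, field names and records
# are constructed stand-ins for the GRC rule definitions.
TAX_ID_MASK = re.compile(r"\d{3}-\d{2}-\d{4}")  # format mask 999-99-9999
SIC_LOV = {"2834": "Pharmaceutical preparations", "7372": "Prepackaged software"}  # constructed

def apply_vendor_form_rules(vendor):
    """Return (normalised record, list of rule messages) for a new vendor record."""
    record = dict(vendor)
    messages = []
    record["vendor_name"] = record.get("vendor_name", "").upper()  # uppercase restriction
    tax_id = record.get("tax_id")
    if not tax_id:
        messages.append("Taxpayer ID is required")  # enforced although not required in vanilla EBS
    elif not TAX_ID_MASK.fullmatch(tax_id):
        messages.append("Field must be of format 999-99-9999")  # save-time message from the demo
    sic = record.get("sic_code")
    if sic is not None and sic not in SIC_LOV:
        messages.append(f"SIC code {sic} is not in the custom LOV")  # custom list of values
    return record, messages

def flow_rule_on_item_create(item):
    """Flow Rule trigger: a Buy item created with Buyer null opens a notification."""
    if item.get("make_or_buy") == "Buy" and not item.get("buyer"):
        return {"item": item["item_number"], "status": "Open"}
    return None

def complete_notification(notice, item):
    """Selecting Completed only clears the notice once Buyer is filled; otherwise the
    status becomes Constraints Failed and the notice stays open."""
    cleared = bool(item.get("buyer"))
    return {**notice, "status": "Completed" if cleared else "Constraints Failed"}
```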
B3) What are the Advantages of Flow Rules compared to Forms Customizations?
Flow rules:
- No impact on the EBS standard process: fewer issues when you upgrade your release.
- All rules in one repository with speaking descriptions: you know what you did and why.
- You can have approval workflows for almost whatever you want without losing too much flexibility.
Forms Customization:
- Some customizations change the standard. Will you know which one in 5 years? "Oh! Something was done to that form, let me see..."
- You might print out, sign off, file, extract the population, hand it over to the auditor for sampling, receive the sample, search for signed printouts, have exceptions...
B3) Three good reasons to start with flow rules even if control is not your primary concern
Flow rules:
- No impact on the EBS standard process: fewer issues when you upgrade your release.
- All rules in one repository with speaking descriptions: you know what you did and why.
- You can have approval workflows for almost whatever you want without losing too much flexibility.
Solutions:
- Keep text fields from being updated once the journal is posted.
- Keep AR invoice distributions from being changed after being posted to GL.
- Restrict new lines / distributions to the GL date if one line was already posted to GL.
B3) Lessons learned from Implementation Projects
It might happen that:
- "Yes, now we can do it all!" is followed by "Which rule keeps me from working today?"
- "I like my paper and my auditor requires it!"
You might consider:
- Asking your business which manual fixes are required on a daily basis, and making quick wins.
- Focusing on core functions: less might be more.
- Having a look at your audit reports.
- Having an early and open discussion on legal requirements.
C) Overall Value Proposition
Area: PROCESS
- Oracle GRC capability: Automate more manual procedures; lower transaction processing time; improve transaction processing accuracy.
- Business value: Lower transaction cost (for each of the three).
Area: PEOPLE
- Oracle GRC capability: Refocus your people on higher-value tasks; business process ownership.
- Business value: Improved people experience; improved customer experience; restored business process ownership.
Area: TECHNOLOGY
- Oracle GRC capability: Tailor the system to your business needs without customizing the application; improve IT change management procedures.
- Business value: Low cost of development; lower cost and risk when applying Oracle patches; lower risk of IT changes.
Area: COMPLIANCE
- Oracle GRC capability: Automate more control procedures; dashboard reporting.
- Business value: Lower cost of control execution; lower cost of control testing; identify risks in a timely manner.
Your Contacts at PwC in Munich
Alexander Götz: alexander.goetz@de.pwc.com
Daniela Geretshuber: daniela.geretshuber@de.pwc.com
Thank you for your time!
(c) 2010 PricewaterhouseCoopers. All rights reserved. PricewaterhouseCoopers refers to the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.