OAUG / DOAG SIG DAY Vienna Sept 27th 2010 Oracle Governance Risk and Compliance OAUG. August 2010

Transcription:

OAUG / DOAG SIG DAY Vienna, Sept 27th 2010
Oracle Governance Risk and Compliance
OAUG
Automated Controls and Compliance in Oracle E-Business Suite
August 2010

Focus
Show some hands-on examples of how technical solutions in Oracle's GRC Suite can help with compliance and controls challenges in Oracle E-Business Suite.

Content
The following areas frequently appear in our Controls & Compliance Audits and are sections in this presentation:
A) Restricted Access & Segregation Of Duties (SOD)
- A1) Frequent Findings
- A2) Example for Oracle GRC Access Controls
- A3) Lessons learned from GRC Implementations
B) Lack of Control over Transactions and Master Data
- B1) Frequent Findings
- B2) Example for Oracle GRC Transaction Controls
- B3) Lessons learned from Implementations
Furthermore, we would like to show business value beside Compliance and Controls improvements:
C) Value proposition of Controls and Compliance automation

Overview of the Components of the Oracle GRC Suite
The GRC Suite is Oracle's answer to challenges arising from Compliance and Internal Control.
- GRC Intelligence: Solution for effective and efficient reporting on compliance activities
- GRC Manager: Management of Risks, Control Gaps and Compliance Gaps. Efficient Documentation of Controls
- GRC Controls (today's topic): Access Controls, Configuration Controls, Transaction Controls
Business Process
Automated Controls and Compliance in E-Business Suite PricewaterhouseCoopers August 2010 Slide 4

A1) Lack of Control: Access and Segregation of Duties
The System Administrator in a typical Oracle E-Business Suite vanilla implementation has rather limited means for evaluating the access rights granted:
- Check User to Responsibility/Roles assignments via Reports
- Check Menu to Function Assignments via Reports
- ...
By these means it is not possible to provide a precise answer to the question of which users can execute a certain business function, such as posting an invoice. (This is due to the complex hierarchical Form / Menu Structure of the Oracle EBS Function Security Concept.)
Not surprisingly, this leads to findings and compliance issues within our audits.

A2) How GRC Controls can help to close the Controls and Compliance Gaps - Examples
In the past, 3rd-party tools (such as PwC Oracle GATE) were used to analyse the access structure in Oracle EBS. Now Administrators can use a solution which is seamlessly integrated into EBS and features functions for preventive control.
=> Access Controls within GRC Controls.

A2) Access Controls: Demo from our Test System
Segregation of Duties simulation: In the following example we want to check up front the effect a change to a responsibility would have on our defined business policy.
Control Area: Access control during implementation - Including segregation of duties
Considerations: Company XYZ designs menus and responsibilities based on business activities. Segregation of duties and restricted access issues are often not considered at the time of implementation.
Potential Pitfall with Oracle Implementation: Potentially sensitive access (critical functions such as close periods or create vendors) and transaction combinations with a risk are not identified for segregation of duty purposes. Excessive access is embedded in the roles and responsibilities designed. All users will automatically violate the segregation of duty rules.
GRC Improvement Options: Leverage GRC SOD simulation feature during responsibility design phase to generate reports on SOD and restricted access issues. Prevent and report on potential access and segregation of duty violations based on risks identified.

A2) Access Controls: Demo from our test system
The following demonstration will show how the simulation feature can be used to analyze the impact on SOD violations from a menu change:
- Remove Payments function from selected Payables responsibilities.
- Analyze the overall impact on SOD environment

Select REMEDIATION >> SIMULATION
Navigation: Access Policies > Remediation > Simulation

Define simulation scenario details
Action: Create a new scenario by clicking Action > Add

Action: Define the scenario details

Select SIMULATE and choose the snapshot data to use
Action: Select Simulate

Review the impact of the simulation scenario
Action: Review simulation result

Drill down into the impact
You can drill down from Policy > Responsibility > User
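The question raised in A1 (which users can reach a function through nested menus) and the A2 simulation (what happens to SOD violations when Payments is removed from a Payables responsibility) can be modelled in a few lines. This is an added example, not Oracle GRC code or part of the original slides; all menu, responsibility, user and policy names are constructed for illustration.

```python
# Added illustration with constructed data; names are hypothetical, not from EBS.
from copy import deepcopy
# menu -> entries; ("fn", x) grants a function, ("menu", x) nests a submenu
MENUS = {
    "AP_MAIN": [("menu", "AP_INVOICES"), ("menu", "AP_PAYMENTS"), ("menu", "AP_SUPPLIERS")],
    "AP_INVOICES": [("fn", "Enter Invoices")],
    "AP_PAYMENTS": [("fn", "Payments")],
    "AP_SUPPLIERS": [("fn", "Create Supplier")],
}
RESPS = {
    "Payables Manager": {"menu": "AP_MAIN", "excl_fn": set(), "excl_menu": set()},
    "Payables Clerk": {"menu": "AP_MAIN", "excl_fn": set(), "excl_menu": {"AP_SUPPLIERS"}},
    "Supplier Admin": {"menu": "AP_SUPPLIERS", "excl_fn": set(), "excl_menu": set()},
}
USERS = {"ALICE": ["Payables Manager"], "BOB": ["Payables Clerk", "Supplier Admin"], "CAROL": ["Payables Clerk"]}
POLICIES = {"Supplier vs Payment": ({"Create Supplier"}, {"Payments"})}

def resolve_functions(resp, menus=MENUS, resps=RESPS):
    """Walk the menu tree of one responsibility, honouring its exclusions."""
    r, found, seen = resps[resp], set(), set()
    stack = [r["menu"]]
    while stack:
        menu = stack.pop()
        if menu in seen or menu in r["excl_menu"]:
            continue  # cycle guard / excluded submenu
        seen.add(menu)
        for kind, name in menus.get(menu, []):
            if kind == "menu":
                stack.append(name)
            elif name not in r["excl_fn"]:
                found.add(name)
    return found

def who_can(function, users=USERS, resps=RESPS):
    """Users who reach `function`, with the responsibilities that grant it."""
    out = {}
    for user, assigned in users.items():
        via = [x for x in assigned if function in resolve_functions(x, resps=resps)]
        if via:
            out[user] = via
    return out

def violations(users=USERS, resps=RESPS, policies=POLICIES):
    """(policy, user) pairs where one user reaches both sides of a policy."""
    hits = set()
    for user, assigned in users.items():
        fns = set().union(*(resolve_functions(x, resps=resps) for x in assigned))
        for pol, (side_a, side_b) in policies.items():
            if fns & side_a and fns & side_b:
                hits.add((pol, user))
    return hits

def simulate_removal(function, from_resps):
    """Violations before/after excluding `function`; live data is untouched."""
    trial = deepcopy(RESPS)
    for resp in from_resps:
        trial[resp]["excl_fn"].add(function)
    return violations(), violations(resps=trial)
```

BOB's conflict only appears across two responsibilities, which per-responsibility reports miss; removing Payments from the clerk responsibility clears BOB but not ALICE.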

A2) Not impressed yet?
In addition, it is possible to establish preventive control directly within Oracle EBS, to ensure the User Administrators follow your business rules.
Control Area: Access control after go-live + SOD
Considerations: Company XYZ assigns responsibilities to users after employment without considering restricted access and segregation of duties issues.
Potential Pitfall with Oracle Implementation: Segregation Of Duties and restricted access rules are not enforced at the time of responsibility assignment. Even after extensive clean-up effort, additional violations can be created without active enforcement.
GRC Improvement Options: Prevent and report on potential access and segregation of duty violations based on risks identified.

Action: Remove the end date and hit Initiate Conflict Analysis

Action: Review the conflicts

A3) Lessons learned from Implementation Projects
It may happen that:
- Business claims that access is an IT Problem?
- You got lost when managing 40,000 Functions by using standard reports?
- Guidelines from business on what functions are critical are missing?
You might consider:
- Focusing on Core Functions. Less is more!
- Asking your business what they always wanted to know / restrict!
- Having a look at your last audit report.

B1) Lack of Control over Transactions and Master Data
System Default > Override > Process Default (e.g. on organisation level or in transaction types) > Override > Value in Transaction
Override of default values on transaction level is one of Oracle EBS's characteristics. Ex-post changes / amendments to transactions are also possible.
Examples:
- Tax Codes override in invoices
- Asset Category defaults overrides
- Changes to a posted journal's texts
- Amendment to posted invoices
Not surprisingly, this leads to findings and compliance issues within our audits.

B2) How GRC Controls can help to close the Controls and Compliance Gaps - Transaction Controls
In the past, extensive forms customizations or manual controls were executed to ensure that defaults were not changed or that non-required fields of the EBS standard were filled consistently. Now you can apply check rules which are stored in a central repository.

B2) How GRC Controls can help to close the Controls and Compliance Gaps - Transaction Controls
The following demonstration will show how Form/Flow Rules can do the following:
- Apply uppercase restriction on Vendor Name for data consistency
- Enforce supplier Tax ID field, which is not a required field in Oracle
- Apply format mask (999-99-9999) to supplier Tax ID for data consistency
- Create custom LOV for field SIC Industry Code

Action: Create new vendor. UPPERCASE is enforced. Field Taxpayer ID is highlighted for required field.

Action: Try to enter an invalid Tax ID format. Save: message "Field must be of format..." is triggered by Transaction Controls.

Action: Enter required Tax ID. Form creates red lettering as ID is entered.

Action: Form Rule applies formatting 999-99-9999.

Action: Setup Form Rule to require Tax ID field on Vendor record, formatted correctly. UPPERCASE will be enforced on Vendor Name.

Action: Navigate to Classification TAB. View Custom LOV for SIC (Standard Industry Code).

Action: Select a custom SIC.

Setups: Create custom LOV for SIC code field.

B2) How GRC Controls can help to close the Controls and Compliance Gaps - Transaction Controls with Approval Workflow
Control Area: Inventory Items
Considerations: Company XYZ reviews new Inventory Items.
Potential Pitfall with Oracle Implementation: Creation/update of items are not monitored. New inventory Items are not approved. Required fields are not entered.
GRC Improvement Options:
- Detective control: Notifications given of new inventory items based on conditions.
- Preventive control: Field entry can be enforced based on other conditions.
- Preventive control: Approval process for the creation of new items.

B2) How GRC controls can help to close the controls and compliance Gaps - Approval workflow with flow rules
The following demonstration will show how Form/Flow Rules can notify the Purchasing department that:
- A new inventory item is created as a Buy item, where the Buyer field is Null
- Notification must be completed before further approval of item

Action: Leave Default Buyer field blank.

Action: Inv Item with Buyer null generates an email.

Action: Email generated based on Flow rule process. Select Completed button.

Action: Selecting the Completed button creates a Constraints Failed status notice that cannot be cleared until the Buyer field is filled (not null).

Action: Enter value Stock, Ms. Pat for Buyer.

Action: Reopen Constraints Failed notice. Select Completed to finally clear the notice.

Setup: Create a Flow Rule to control Workflow and notifications when Items creation is for a Buy

B3) What are the Advantages of Flow Rules compared to Forms Customizations?

Flow rules: No impact on the EBS Standard process. Fewer issues when you upgrade your release.
Forms Customization: Some Customization changes the Standard. Will you know which one in 5 years?

Flow rules: All rules in one repository with speaking descriptions. You know what you did and why.
Forms Customization: Oh! Something was done to that form, let me see...

Flow rules: You can have approval workflows for almost whatever you want without losing too much flexibility.
Forms Customization: You might print out, sign off, file, extract population, hand over to auditor for sampling, receive sample, search for signed printouts, have exceptions...

B3) Three good reasons to start with flow rules even if control is not your primary concern
Flow rules:
- No impact on the EBS Standard process. Fewer issues when you upgrade your release.
- All rules in one repository with speaking descriptions. You know what you did and why.
- You can have approval workflows for almost whatever you want without losing too much flexibility.
Solutions:
- Keep text fields from update when Journal is posted.
- Keep AR invoices distributions from being changed after being posted to GL.
- Restrict new Lines / Distributions to the GL date if one line was already posted to GL.

B3) Lessons learned from Implementation Projects
It might happen that:
- "Yes, now we can do it all!" Followed by "Which Rule keeps me from working today?"
- "I like my paper and my auditor requires it!"
You might consider:
- Ask your business what manual fixes are required on a daily basis, make quick wins.
- Focus on core functions. Less might be more.
- Have a look at your audit reports.
- Have an early and open discussion on legal requirements.

C) Overall Value Proposition
AREA: PROCESS, PEOPLE, TECHNOLOGY, COMPLIANCE
ORACLE GRC CAPABILITY:
- Automate more manual procedures
- Lower transaction processing time
- Improve transaction processing accuracy
- Refocus your people to higher value tasks
- Business process ownership
- Tailor the system to your business needs without customizing the application
- Improve IT change management procedures
- Automate more control procedures
- Dashboard reporting
BUSINESS VALUE:
- Lower transaction cost
- Lower transaction cost
- Lower transaction cost
- Improved people experience
- Improved customer experience
- Restore business process ownership
- Low cost of development
- Lower cost and risk with applying Oracle patches
- Lower risk of IT changes
- Lower cost of control execution
- Lower cost of control testing
- Identify risks timely

Your Contacts at PwC in Munich
Alexander Götz: alexander.goetz@de.pwc.com
Daniela Geretshuber: daniela.geretshuber@de.pwc.com

Thank you for your time! 2010 PricewaterhouseCoopers. All rights reserved. PricewaterhouseCoopers refers to the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.