Life After ERP Go-Live: Navigating to Nirvana
Learn how leading organizations are utilizing Advanced Controls to make systematic improvements in their ERP systems to achieve expected benefits of ERP systems
July 19th, 2013
Adil Khan
Leverage Technology: Move Your Business Forward
Copyright. Fulcrum Information Technology, Inc.
Page 2 Agenda
Life After ERP Go-Live: Navigating to Nirvana
Introduction
ERP Go-Live Opportunities and Risks
Advanced Controls Overview
Business Application Controls
Access Controls
Transaction Controls
Configuration Controls
Advanced Controls Examples
Q&A
Page 4 Introduction
FulcrumWay: Intelligent, Integrated, Instant Risk Management
FulcrumWay is the #1 End-to-End Provider of Enterprise Risk Management Expertise, Solutions and Software Services for Oracle EBS, PeopleSoft and JDE customers with over 200 Fortune-500 to Middle Market clients. Since 2003, we have successfully assisted companies across all major industry segments.
Expertise: Risk Advisory Services. Advanced Controls Design for Enterprise Business Applications. Best Practices for Risk Mitigation and Internal Controls Automation. Audit, Compliance, Financial, Enterprise and Operational Risk Assessments. Risk Remediation Services such as Segregation of Duties.
Packaged Solutions: FulcrumWay is the #1 choice of Oracle customers for Oracle GRC Manager, GRC Controls and GRC Intelligence/OBIEE software implementation. Oracle has certified us as the only partner with Accelerators for Oracle GRC. We also provide Managed Services and Hosting for Oracle GRC applications.
Software Services: Risk Management Tools: Enterprise Risk Manager, Financial Risk Manager, Risk Based Audit Manager, IT Risk Workbench, and Advanced Controls Catalog. Data Management Tools: Rules Repository, DataProbe and Data Hub for Intelligent, Integrated, and Instant Risk Management.
USA Presence: Privately held Delaware Corporation with US offices in New York City, Dallas and San Francisco.
International Presence: in Chennai, Dubai, Kampala, London, Rome, Santiago, Singapore.
Page 5 Our Experience: FulcrumWay Clients
Government, Oil and Gas, Financial Services, Retail, Communications, Manufacturing, Industrial Equipment, Natural Resources, Media and Entertainment, Healthcare, High Tech, Life Sciences
Page 6 Our Experience: FulcrumWay Insight
Thought Leadership
Co-Authored GRC Book: First book on GRC for Oracle Applications
Executive Round Tables: GRC Solutions for Energy Industry, Houston, November 2012
OAUG GRC Solution Lab - April 7th - 11th, Denver: GRC Case Studies and Best Practices
IIA - Presentations - Top Five Reasons for Automating Application Controls
Collaborate 13 GRC Client Appreciation Dinner, April 9th, 2013, Denver
Webcasts: GRC Best Practices, Trends and Expert Insight
Oracle Open World Annual GRC Dinner on September 23rd, 2013, W Hotel San Francisco
LinkedIn: FulcrumWay Risk, Compliance and Audit Software Group
YouTube Podcasts: FulcrumWay Instant Insight in 10 min or less
Page 7 Overview: FulcrumWay Enterprise Risk Management Services
Intelligent Integrated Instant
Enterprise Risk Monitors Risk Assessment Key Risk Indicators Enterprise Survey Compliance Certification Incident Monitor Financial Close Management Risk Based Operations Audit Management Task Monitor Enterprise Audit Manager Audit Planner Variance Analytics Reconciliation Analytics Controls Verification Control Analytics
Financial Controls: (GL,AP,AR,FA,CM)
Business Rules Repository - Advanced Application Controls
HCM/HR Controls: (HR,PR)
Distribution Controls: (OM,INV,WMS,PO)
Supply Chain Controls: (ENG,QP,WIP,BOM)
Access Monitor Configuration Monitor GRC Monitor Enterprise Data Security Incident Monitor Master Data Monitor Database Vulnerabilities
FulcrumWay Core Technologies: DataProbe DataHub Rules Repository Rules Engine Monitors Transmitters
Page 9 ERP Go-Live Opportunities vs. Risks Source: The Conference Board Survey interviewed executives at 117 companies that attempted ERP implementations:
Page 10 ERP Go-Live Opportunities vs. Risks
Opportunities: ERP collects, manages and distributes information across functional boundaries and helps break down information silos, those barriers that stand in the way of full cooperation between production, materials, planning, engineering, finance and sales/marketing. The resulting higher quality, reduced time-to-market, shortened lead times, higher productivity and lowered costs can help improve customer service and increase sales and market share as well as margins.
Risks: The ERP application was implemented successfully. Unfortunately, desired benefits are not being realized!
Inventory and expenses are increasing while customer service and productivity are dropping due to new bottlenecks.
Too many work-arounds. Users not fully trained and working outside the system.
Auditors' Findings on Segregation-of-Duties and Application Controls require a remediation plan. We don't have the resources for it.
Need to build custom BI dashboard and reports to alert management of master data changes and transactions outside the tolerance levels.
Top management wants to see the ROI promised to the board.
Source: APICS The Association for Operations Management, 2011
Page 11 ERP Go-Live Opportunities vs. Risks
Reality of ERP Implementation: Get it In; Get it Working; Get Alignment; Change the Game
Page 13 ERP Go-Live: Mitigate and Control Risks
GRC Intelligence GRC Manager GRC Controls
Preventive SOD & Access Application Configuration Transaction Monitoring
Monitor Control Effectiveness
What users can do; How is the process set up; How users execute processes
Preventive SOD & Access Application Configuration Transaction Monitoring
What users have done; What's changed in the process; What are the execution patterns
Enforce Policies in Context
Page 15 Preventive Controls: Embed Controls Natively in Enterprise Apps
GRC Intelligence GRC Manager GRC Controls Preventive SOD & Access Application Configuration Transaction Monitoring
Enforce preventive controls for specific users and events natively within enterprise application
Initiate appropriate approval workflow in response to proposed modifications
Produce audit trail of change and approval history
Prevention
Define Preventive Controls; Prevent Read or Write Access; Initiate Approval Workflow; Enforce Field Validation; Review Audit Reports
Page 17 Access Controls: Enforce Proper Segregation of Duties in Applications
GRC Intelligence GRC Manager GRC Controls Preventive SOD & Access Application Configuration Transaction Monitoring
Simplify segregation of duties enforcement with simulation and remediation
Mitigate risk of privileged user access to enterprise applications with approval workflow and audit trails
Accelerate deployment and time to value with pre-delivered controls library
Detection / Prevention
Define Access Controls; Access Analysis; Remediation (Clean-up); Preventive Provisioning; Compensating Policies
Page 19 Transaction Controls: Test integrity of transactions and controls across business processes
GRC Intelligence GRC Manager GRC Controls Preventive SOD & Access Application Configuration Transaction Monitoring
Continuous Monitoring of Controls and Transactions
Apply Advanced Forensic and Pattern Analysis
Identify anomalies missed by traditional audit and controls
Detection / Prevention
Define Transaction Controls; Transaction Analytics; Investigate Incidents; Enforce Transaction Controls; Prevent Suspicious Transactions
Page 21 Configuration Controls: Ensure Integrity of Critical Application Setups
GRC Intelligence GRC Manager GRC Controls Preventive SOD & Access Application Configuration Transaction Monitoring
Achieve consistent application setup and operating standards across multiple instances
Track complete audit trails for changes to key configurations
Tightly control change management to accelerate development and test time
Detection / Prevention
Define Configuration Controls; Document or Compare Configurations; Monitor Configuration Changes; Enforce Change Control; Manage Data Integrity
Page 23 Select ERP Controls
FW Controls Catalog with over 1,000 advanced controls
Select SOD, Master Data, Setup, and Transaction Controls
Risk Assessment: Detect control weaknesses across ERP system to identify business process optimization opportunities
Page 24 Establish Test Environment
ERP Test environment consists of ERP configurations and data objects
Selected security, setup and data objects are included in the environment
ERP Configuration such as 3-way match in payable options, master data such as Users, Responsibilities, Customers, Invoices, Suppliers, Assets and Payments records are analyzed for control failure risks
Page 25 Advanced Controls Example - Oracle Procure-to-Pay: Procure-to-Pay Controls are Required
Diagram labels: Spend Categories (Indirect & MRO, Direct Materials, Services); Strategic Sourcing & Contract Mgmt; Requisition; Purchase Goods / Services; Receive Goods / Services; Invoice; Issue Payments; Settlement (Banks, Payment Processors, SWIFTNet); Collaboration; Supplier Collaboration; Corporate Performance Management; Control Points; Business Process Models; Service Oriented Architecture
Page 26 Advanced Controls Example - Oracle Procure-to-Pay: Automated Controls for Strategic Sourcing & Contract Mgmt
CONTROLS
Are there inappropriate associations between a vendor and an employee?
Are there frequent changes to Supplier information?
Do you have duplicate suppliers?
Are your vendors compliant with trade regulations?
Are the vendors blacklisted?
Are you missing critical supplier information? Is the information valid?
Page 27 Advanced Controls: Building an Optimized Control Environment
Preventive Controls
Set of applications that run within Oracle EBS as a component of the GRC Application Suite
Prevent Out of Policy activity from occurring, notify & alert key personnel with variances
Form Rules: Modifies security, navigation, field and data properties
Flow Rules: Defines & implements business processes
Audit Rules: Tracks changes to the values of fields in database tables
Change Control: Regulates changes to the values of fields in EBS forms.
Page 28 Advanced Controls: EBS Form Rule Capabilities
Defines what actions the element performs
Empowers the user to make changes to EBS forms and processes
Set security attributes
Establish navigation paths
Display messages
Define default values for fields
Compile lists of values (LOV)
Set field attributes
Run SQL statements
Execute Flow Rule process
Page 30 Advanced Controls: Audit Rules Highlights
Document changes to database field values
Old vs. New Values
Transaction Type (Insert, Update or Delete)
User Responsible for Change
Timestamp
Audit Report
Page 31 Advanced Controls: Change Control Highlights
Ensure Data Integrity
Regulate changes to fields in EBS forms
Set approval and reason code requirements for enforced management
Enable visual attributes to identify controlled fields
Build reason codes to clarify why a change occurred
Page 32 Advanced Controls: Embedded Controls Prevent Incidents and Escalation
Prevent Fraud and Errors Before They Occur
Real-time, automated controls and alerts prevent fraud and errors before they occur
Controls installed directly into applications and without technical expertise
Risk of fraudulent data and application changes reduced with approval workflow and audit trails
Page 34 ERP Roles Manager Overview
Eliminate Root Cause of Access Control Violations in ERP:
Improve Segregation of Duty controls within mission critical applications
Reduce ERP implementation and upgrade costs with pre-configured roles
Lower ERP Total Cost of Ownership by assigning pre-approved Roles
We enable ERP Administrators:
Select pre-configured ERP roles from a roles catalog
Update, Review and Approve Role design changes.
Identify SOD conflicts before the Roles are assigned to Users.
Page 35 ERP Roles Manager Features
Role Manager is an ERP security design tool
Contains a pre-configured catalog of roles which comply with segregation of duty (SOD) policies.
Roles by ERP module and typical access requirements for those modules such as Manager, Supervisor, Clerk, Inquiry, Business Setup and IT Setup.
You can use this tool to view existing role templates and design new roles by easily selecting or deselecting ERP functions/transactions.
Once you complete the roles design, you can send it, using workflows, to pre-assigned reviewers and approvers to finalize the roles.
The role preparers, reviewers and approvers can also assess the SOD control risks before finalizing the roles.
Leverage FW DataProbe/Scripts to load current Roles
Secure Access from fulcrumway.com portal
Page 36 Roles Manager Access to Roles Manager Sign in at fulcrumway.com
Page 37 Roles Manager Access to Roles Manager Select the Access Monitor Icon. Then click on the Maintain Access Roles Tab
Page 38 Roles Manager Access to Roles Manager Use a source role to create a new target role. View existing SOD issues with the source role. Assign Reviewers and Approvers for the role
Page 39 Business Case: Comprehensive Transaction Monitors
Detect patterns of heightened risk in business activity
Test against Material Thresholds: Journal Entry > $ threshold; Employee Checks (individual & sum) > $ threshold
Search for Anomalies: PO terms differ from vendor; Sales orders > acceptable $ range
Test Segregation of Duties at Transaction Level: Find invoices and POs entered by same user; Find invoices entered & approved by same user
Sampling of Transactions: 4th quarter invoices; Days sales outstanding balances
Detect Fraudulent Behavior: PO changes after approval; Duplicate suppliers with same address
Stop Cash Leakage: Find duplicate payments; Payments against cancelled invoices
Embed Contextual / Automated Compensating Controls: Alert on customer transactions over $ threshold; Prevent journals from being entered and posted by same individual
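An added example (not part of the original slides, and not FulcrumWay or Oracle GRC code): four of the transaction monitors listed above, written as SQL queries and run with Python's sqlite3 over constructed records. The table names, column names and sample rows are assumptions made for illustration, not Oracle EBS schema objects.

```python
import sqlite3

# Constructed sample data. Table and column names are hypothetical,
# not Oracle EBS schema objects.
SCHEMA = """
CREATE TABLE suppliers (supplier_id INTEGER PRIMARY KEY, name TEXT, address TEXT);
CREATE TABLE invoices (invoice_id INTEGER PRIMARY KEY, supplier_id INTEGER,
                       amount REAL, status TEXT, entered_by TEXT, approved_by TEXT);
CREATE TABLE payments (payment_id INTEGER PRIMARY KEY, invoice_id INTEGER, amount REAL);
"""
SUPPLIERS = [
    (1, "Acme Tools", "12 Mill Road, Dallas"),
    (2, "ACME Tools Inc", " 12 mill road, dallas"),  # same address, different spelling
    (3, "Borealis Ltd", "4 Quay Street, London"),
]
INVOICES = [
    (100, 1, 1200.0, "APPROVED", "jdoe", "mlee"),
    (101, 2, 9800.0, "APPROVED", "jdoe", "jdoe"),    # entered and approved by one user
    (102, 3, 450.0, "CANCELLED", "asmith", "mlee"),
    (103, 3, 300.0, "APPROVED", "asmith", "mlee"),
]
PAYMENTS = [
    (500, 100, 1200.0),
    (501, 100, 1200.0),  # second payment of the same invoice and amount
    (502, 102, 450.0),   # payment against a cancelled invoice
    (503, 103, 300.0),
]
# One query per monitor; each returns the key of the flagged record in column 0.
MONITORS = {
    "invoice_entered_and_approved_by_same_user":
        "SELECT invoice_id FROM invoices WHERE entered_by = approved_by",
    "duplicate_payment":
        "SELECT invoice_id FROM payments GROUP BY invoice_id, amount HAVING COUNT(*) > 1",
    "payment_against_cancelled_invoice":
        "SELECT p.payment_id FROM payments p JOIN invoices i ON i.invoice_id = p.invoice_id "
        "WHERE i.status = 'CANCELLED'",
    "duplicate_supplier_same_address":
        "SELECT LOWER(TRIM(address)) FROM suppliers GROUP BY LOWER(TRIM(address)) "
        "HAVING COUNT(*) > 1",
}

def run_monitors():
    """Load the sample data and return {monitor name: sorted list of flagged keys}."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO suppliers VALUES (?,?,?)", SUPPLIERS)
    db.executemany("INSERT INTO invoices VALUES (?,?,?,?,?,?)", INVOICES)
    db.executemany("INSERT INTO payments VALUES (?,?,?)", PAYMENTS)
    findings = {name: sorted(row[0] for row in db.execute(sql))
                for name, sql in MONITORS.items()}
    db.close()
    return findings

if __name__ == "__main__":
    for name, keys in run_monitors().items():
        print(f"{name}: {keys}")
```

The address comparison normalizes case and surrounding whitespace only; a production rule would also need to handle abbreviations and punctuation differences.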
Page 40 Business Rules, written in Plain English, by Business People No Coding/Scripting
Page 41 Advanced Controls: Configuration Controls
Functionality and what it does for us:
Snapshots: Automate time-stamped documentation of key controls across all Oracle Applications modules.
Comparison: Difference Analysis: determine what's different when problems occur, verify what's changed after project activity. Monitor consistency of controls across Instances, Versions, Points in Time, Operating Units, and Sets of Books.
Change Tracking: Automate real-time monitoring of key controls in Oracle. Ensure visibility and integrity of controls over a period of time.
Page 42 Advanced Controls: Snapshots
Take Snapshots of Configuration Setups
Data is pulled from Oracle Application Tables
Retrieve Configuration Setup Data
Specify constraints to focus on certain tables
Export Values into HTML, PDF, or Excel Formats
Advanced Controls Page 43 Comparison
Page 44 Advanced Controls Change Tracking Query a change tracker to identify changes across multiple instances. Select multiple applications to monitor Query requires Change Tracking Transfer program to run before any data can be collected. (This program transfers change tracking data from the ERP instances to CCG.)
Page 46 Next Steps: Assess ERP Risks with Analytics
DataProbe
Page 47 Summary and Q&A Thank You! Join us on LinkedIn to view webinar and discussion