Why Oracle GRC with Every E-Business Suite Upgrade
Kate Coughlin, Principal Solution Consultant

Why Preventive
Oracle Confidential - Do Not Distribute
Why GRC for Every EBS Upgrade?
Be compliant on Day 1. Sustainability: continuous compliance.
- Reduce the risk and maximize the ERP ROI
- Reduce the cost of compliance associated with the ERP implementation
- Modify the behavior of Oracle EBS quickly and with fewer customizations
- Accelerate the design of segregation of duties around role design
- Remove the wildcard of segregation of duties as a potential material weakness and a bottleneck to go-live
- Embedded real-time enforcement and prevention allows limited staff to meet security compliance requirements: do more with less
- Automate and error-proof the set-up of items, customers and suppliers
- Ensure that critical setups conform to best practices and follow robust change management procedures
Automate Internal Controls: Oracle GRC Controls Suite
Detective controls monitor control effectiveness: what users have done, what has changed in the process, and what the execution patterns are.
Preventive controls enforce policies in context: what users can do, how the process is set up, and how users execute processes.
Three control areas: Access Controls, Configuration Controls, Transaction Controls.
EBS Doesn't Address Segregation of Duties
- No automated, continuous way to detect, remediate and prevent SOD violations.
- No auditable evidentiary reports to support the controls environment.
- Not sustainable: point-in-time audits are expensive and not reliable.
- Can't prevent SOD violations at the point of access.
- Time-consuming and costly to implement form customizations to detect, mitigate and prevent SOD violations.
- Managing false positives is difficult because proprietary detection engines don't pick up preventive forms customization controls.
Oracle Application Access Controls Governor: Enforce proper segregation of duties
- Simplify segregation of duties enforcement with simulation and remediation
- Mitigate risk of privileged user access to enterprise applications with approval workflow and audit trails
- Accelerate deployment and time to value with a pre-delivered controls library (policy library, conflict paths)
Detection: Define Access Controls, Access Analysis, Remediation (Clean-up). Prevention: Preventive Provisioning, Compensating Policies.
Manual SOD
E-Business Suite Access & SOD Challenges
Access hierarchy: User -> Responsibility -> Menu -> Sub-Menu -> Function -> Form.
- Evaluate user access: test by responsibility and user; test by function
- Manage segregation of duties: identify incompatible privileges (i.e. functions)
Oracle GRC is a true cross-platform solution allowing cross-platform or cross-instance SOD analysis. The SOD Control Library provides a single point of reference for all SOD policies and controls throughout the organization.
Policy counts per ERP: Oracle 11.5.10: 216 policies*; Oracle R12: 232 policies*.
*Note: Each policy is comprised of several sub-policies and controls based on its complexity; the sum total of these sub-policies and controls is over 3,000 per ERP.
Online Conflict Analysis: Use the visualization feature to view conflict paths in a graphical format and easily identify inter- and intra-role conflicts.
Contextual reporting with full-path conflict details.
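The full-path conflict analysis described above (user -> responsibility -> menu -> sub-menu -> function, classified as inter- or intra-role) can be illustrated with a small walk over constructed data. This is an added example, not Oracle's code or any part of the product; the users, responsibilities, menus, function names and the single policy are assumptions made up for the demonstration.

```python
# Added example (not Oracle's code): walk an EBS-style access hierarchy
# user -> responsibility -> menu -> sub-menu -> function and report every
# full path by which a user can reach two functions that an SOD policy
# declares incompatible. All names and data below are constructed.
from collections import defaultdict
from itertools import product

# Constructed sample: user -> assigned responsibilities
USER_RESPS = {
    "jsmith": ["AP_CLERK", "PAYMENTS"],   # two responsibilities that combine badly
    "mlee": ["AP_CLERK"],                 # clean
    "admin": ["AP_SUPER"],                # one responsibility that conflicts with itself
}
# responsibility -> its top-level menu
RESP_MENU = {"AP_CLERK": "AP_MAIN", "PAYMENTS": "PAY_MAIN", "AP_SUPER": "AP_SUPER_MAIN"}
# menu -> entries; each entry is ("menu", sub-menu name) or ("function", function name)
MENU_ENTRIES = {
    "AP_MAIN": [("menu", "AP_INVOICES"), ("function", "SUPPLIER_INQUIRY")],
    "AP_INVOICES": [("function", "ENTER_INVOICE")],
    "PAY_MAIN": [("function", "CREATE_PAYMENT")],
    "AP_SUPER_MAIN": [("menu", "AP_INVOICES"), ("function", "CREATE_PAYMENT")],
}
# Constructed SOD policy library: policy name -> pair of incompatible functions
POLICIES = {
    "AP-01 Enter invoice vs. create payment": ("ENTER_INVOICE", "CREATE_PAYMENT"),
}


def functions_under(menu, path=()):
    """Yield (function, path) for every function reachable from `menu`,
    descending into sub-menus; `path` records the menus traversed."""
    path = path + (menu,)
    for kind, name in MENU_ENTRIES.get(menu, []):
        if kind == "function":
            yield name, path + (name,)
        else:
            yield from functions_under(name, path)


def user_function_paths(user):
    """Map each function the user can reach to its full access paths,
    each path being (responsibility, menu, ..., function)."""
    paths = defaultdict(list)
    for resp in USER_RESPS.get(user, []):
        for func, menu_path in functions_under(RESP_MENU[resp]):
            paths[func].append((resp,) + menu_path)
    return paths


def sod_conflicts(user):
    """Return (policy, kind, path_a, path_b) for every pair of paths through
    which the user reaches both functions of a policy. kind is 'intra-role'
    when both paths run through the same responsibility, else 'inter-role'."""
    paths = user_function_paths(user)
    hits = []
    for policy, (func_a, func_b) in POLICIES.items():
        for path_a, path_b in product(paths.get(func_a, []), paths.get(func_b, [])):
            kind = "intra-role" if path_a[0] == path_b[0] else "inter-role"
            hits.append((policy, kind, path_a, path_b))
    return hits


if __name__ == "__main__":
    for user in USER_RESPS:
        for policy, kind, a, b in sod_conflicts(user):
            print(f"{user}: {policy} [{kind}]")
            print("   ", " > ".join(a))
            print("   ", " > ".join(b))
```

Reporting the whole path rather than just the user and the two functions is what makes remediation actionable: an inter-role hit points at a responsibility to remove from the user, while an intra-role hit points at a menu that needs redesign.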
Multi-Platform and Cross-Platform Support
- Multi-platform support: user access within different, multiple platforms (diagram: User1, User2, User3 each on their own platform).
- Cross-platform support: user access across different instances, platforms, applications, etc. (diagram: User1 and User2 holding access in both FIN and a 3rd-party app).
EBS Does NOT Address Configuration Change Management
- Don't have the desired level of visibility into the management of the critical set-ups that drive the Oracle EBS environment.
- Don't have an automated way to detect or record changes to sensitive set-up data across instances, locations, or points in time.
- Difficult to prevent changes to critical set-ups from occurring repeatedly.
- Need a better way to enforce change control, ensure data integrity and identify fraud.
- No automated way to document and compare setups in business terms.
- Difficult and time-consuming to generate the reports that provide the auditable evidentiary support for your critical set-ups that auditors demand.
- Data privacy and protection of sensitive data requires extensive application customization.
Stronger Application Controls
- Ensure integrity of critical application setups
- Achieve consistent application setup and operating standards across multiple instances
- Track complete audit trails for changes to key configurations
- Tightly control change management to accelerate development and test time
Detection: Define Configuration Controls, Document or Compare Configurations, Monitor Configuration Changes. Prevention: Enforce Change Control, Manage Data Integrity.
Example of Setups and Key Controls (Setups = Key Controls)
Setup Data:
- Application security: users
- Document approvals
- Chart of accounts
- Profile options
- Application setups: MRP rules
- Operational data: customers, suppliers, employees, buyers, items, chart of account values, category codes
Key Controls:
- 3-way matching of PO, invoice and receipt
- Document spending limits (authorization of PO)
- Security rules: access to sensitive transactions
  o Employee salaries
  o Chart of account values
  o Financial statement reports (FSGs)
  o Price lists
  o Inventory attributes
- Action for late delivery of goods
- Inventory stocking rules
- Rules to create tax on sales orders
- Depreciation methods
Monitor Configuration Changes: When? Who? Where? What?
Oracle Configuration Controls Governor: Enforce integrity of critical application setups
Standard Oracle: who last updated and when; no defendable audit trail; no preventive change controls.
With Preventive Controls: who / what / when / why / who authorized; preventive AND detective change controls; reports with reason codes and approvals; seeded content for at-risk setups.
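The "document or compare configurations" and "monitor configuration changes" steps above amount to keeping a baseline of key setups, diffing it against each instance, and checking every deviation against a who/what/when/why audit record. The block below is an added illustration of that logic, not Oracle's code or the governor's own implementation; the instance names, setup keys, values, audit entries and change reference are all constructed assumptions.

```python
# Added example (not Oracle's code): document a baseline of key setups, compare
# it against the current values on each instance, and flag every change that
# is not backed by an audit record carrying an approved change reference.
# Instance names, setup keys, values and audit entries are constructed.

# Constructed baseline: setup key -> expected value (the documented standard)
BASELINE = {
    "PROFILE:DIAGNOSTICS_ENABLED": "N",
    "PROFILE:INVOICE_MATCH_OPTION": "3-WAY",
    "DOC_LIMIT:PROJECT_MANAGER:REQ": 200_000,
}

# Constructed current snapshots, one per instance
INSTANCES = {
    "PROD": {
        "PROFILE:DIAGNOSTICS_ENABLED": "N",
        "PROFILE:INVOICE_MATCH_OPTION": "3-WAY",
        "DOC_LIMIT:PROJECT_MANAGER:REQ": 200_000,
    },
    "PROD-EMEA": {
        "PROFILE:DIAGNOSTICS_ENABLED": "Y",        # changed, with an approved ticket
        "PROFILE:INVOICE_MATCH_OPTION": "3-WAY",
        "DOC_LIMIT:PROJECT_MANAGER:REQ": 500_000,  # changed, nobody recorded why
    },
}

# Constructed audit trail captured at change time: who / what / when / why
AUDIT = [
    {"instance": "PROD-EMEA", "key": "PROFILE:DIAGNOSTICS_ENABLED",
     "who": "dba1", "when": "2024-02-03", "reason": "CHG-101"},
]
APPROVED_CHANGES = {"CHG-101"}   # change references that went through approval


def compare(baseline, current):
    """Return {key: (baseline_value, current_value)} for every key whose value
    differs, including keys present on only one side (shown as None)."""
    diffs = {}
    for key in sorted(set(baseline) | set(current)):
        if baseline.get(key) != current.get(key):
            diffs[key] = (baseline.get(key), current.get(key))
    return diffs


def audit_record(instance, key):
    """Return the latest audit entry for a setup on an instance, or None."""
    matches = [a for a in AUDIT if a["instance"] == instance and a["key"] == key]
    return max(matches, key=lambda a: a["when"]) if matches else None


def unauthorized_changes(baseline=BASELINE, instances=INSTANCES):
    """Return (instance, key, old, new, finding) for each deviation from the
    baseline that has no audit record or whose reason is not an approved change."""
    findings = []
    for instance, current in instances.items():
        for key, (old, new) in compare(baseline, current).items():
            rec = audit_record(instance, key)
            if rec is None:
                findings.append((instance, key, old, new, "no audit record"))
            elif rec["reason"] not in APPROVED_CHANGES:
                findings.append((instance, key, old, new, f"unapproved reason {rec['reason']}"))
    return findings


if __name__ == "__main__":
    for finding in unauthorized_changes():
        print(*finding, sep=" | ")
```

The useful output is not the diff itself but the diff minus the explained changes: a raised requisition limit with no who/when/why behind it is exactly the kind of setup drift the slide says a "who last updated" stamp alone cannot defend to an auditor.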
Oracle Transaction Controls Governor: Identify inaccurate or fraudulent transactions
- Continuously monitor accuracy of transactions and mitigate exposure to fraud: test against thresholds, search for anomalies, perform transaction sampling
- Pre-delivered transaction controls surface suspect transactions
Detection: Define Transaction Controls, Perform Transaction Analysis, Review and Address Suspects. Prevention: Preventive Transaction Controls.
Transaction Monitoring Controls: Split PO Example
Native Oracle controls: a Project Manager with a $200K REQ limit submits two requisitions to the same vendor, $180K on Jan 1 and $195K on Jan 8; each is under the limit, so both are submitted. Purchase orders of $180K (Jan 2) and $195K (Jan 9) are approved by the Buyer (Financial Controller PO limit $2M), and $375K in orders goes to the supplier.
Transaction monitoring flags: multiple REQs over the $200K limit to the same vendor in 15 days!
Transaction Real-World Examples
- Test against material thresholds: JE > $ threshold; employee checks (individual & sum) > $ threshold
- Search for anomalies: PO terms differ from vendor; sales orders > acceptable $ range
- Detect fraudulent behavior: PO changes after approval; duplicate suppliers with same address
- Embed preventive / automated compensating controls: alert on customer transactions over $ threshold; prevent journals from being entered and posted by the same individual
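Two of the tests from the split-PO slide and the list above, the windowed same-requester/same-vendor sum check and the duplicate-supplier-by-address check, are shown below over constructed data. This is an added example, not Oracle's code or the governor's own rules; the requisitions, limits, supplier names and addresses are made up, and the 15-day window is the one the slide quotes.

```python
# Added example (not Oracle's code): two of the transaction tests listed on the
# slide, run over constructed sample data. Requisitions, vendor names and
# addresses are all made up for illustration.
import re
from collections import defaultdict
from datetime import date

# Constructed requisitions: (req_id, requester, vendor, amount, date).
# REQ-1 and REQ-2 mirror the split-PO slide: two under-limit requests to
# the same vendor a week apart that together exceed the requester's authority.
REQUISITIONS = [
    ("REQ-1", "pm1", "ACME", 180_000, date(2024, 1, 1)),
    ("REQ-2", "pm1", "ACME", 195_000, date(2024, 1, 8)),
    ("REQ-3", "pm1", "BETA", 150_000, date(2024, 1, 9)),   # different vendor: not a split
    ("REQ-4", "pm2", "ACME", 190_000, date(2024, 3, 1)),   # same vendor, but alone
    ("REQ-5", "pm2", "ACME", 190_000, date(2024, 4, 1)),   # 31 days later: outside window
]
REQ_LIMIT = 200_000   # requester's single-document approval limit


def split_po_suspects(reqs, limit=REQ_LIMIT, window_days=15):
    """Group requisitions by (requester, vendor); within each group flag the
    first run of documents that fall within `window_days` of each other,
    each under `limit` on its own, whose total exceeds `limit`."""
    groups = defaultdict(list)
    for req_id, requester, vendor, amount, when in reqs:
        if amount <= limit:   # over-limit documents are stopped by native approval
            groups[(requester, vendor)].append((when, req_id, amount))
    suspects = []
    for key, items in groups.items():
        items.sort()
        for i, (start, _, _) in enumerate(items):
            window = [it for it in items[i:] if (it[0] - start).days <= window_days]
            total = sum(amount for _, _, amount in window)
            if len(window) > 1 and total > limit:
                suspects.append((key, [req_id for _, req_id, _ in window], total))
                break   # report each requester/vendor pair once
    return suspects


# Constructed supplier master: (supplier_id, name, address)
SUPPLIERS = [
    ("S1", "Acme Corp", "12 Main St., Springfield"),
    ("S2", "ACME Corporation", "12 MAIN STREET Springfield"),
    ("S3", "Beta Ltd", "9 Oak Ave, Springfield"),
]
ABBREVIATIONS = {"street": "st", "avenue": "ave", "road": "rd"}


def normalize_address(address):
    """Lower-case, strip punctuation and collapse common abbreviations so
    cosmetically different spellings of one address compare equal."""
    tokens = re.sub(r"[^\w\s]", " ", address.lower()).split()
    return " ".join(ABBREVIATIONS.get(t, t) for t in tokens)


def duplicate_suppliers(suppliers):
    """Return lists of supplier ids that share a normalized address."""
    by_address = defaultdict(list)
    for supplier_id, _, address in suppliers:
        by_address[normalize_address(address)].append(supplier_id)
    return [ids for ids in by_address.values() if len(ids) > 1]


if __name__ == "__main__":
    for (requester, vendor), req_ids, total in split_po_suspects(REQUISITIONS):
        print(f"{requester} -> {vendor}: {req_ids} total {total:,} exceeds {REQ_LIMIT:,}")
    print("duplicate suppliers:", duplicate_suppliers(SUPPLIERS))
```

The split-PO check only looks at documents that passed the native per-document limit, because those are the ones the approval hierarchy never sees together; the window and limit are parameters so the same rule can be re-tuned per document type without rewriting it.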