Manage the Risk of Inefficiency and Occupational Fraud in Day-to-Day Business Processes
July 12, 2011, 2:00 – 3:00 pm ET
Stephanie Maziol, Product Marketing Director, GRC Applications, Oracle
Agenda
• Welcome & Introductions
• Under-the-Radar Process Inefficiency and Vulnerability
• Inefficiency and Internal Fraud Reduction with Oracle Fusion GRC Applications
• Automated Controls Applied to Process Risks
Copyright 2011 Oracle Corporation. All rights reserved.
Under-the-Radar Process Inefficiency and Vulnerability
Increasing Opportunity for Fraud, Waste and Errors
GLOBAL CORPORATE FRAUD REACHING ALL TIME HIGHS
Organizations Suffering from Fraud Worldwide
• Latin America 90%
• Middle East/Africa 87%
• Europe 83%
• North America 87%
• Asia 92%
UNINTENTIONAL ERRORS AND LEAKAGE
Global, Fortune 500 Firm, High-Tech
Over 4 audit cycles, consultants found $17.5M in payment errors
Source: Kroll Global Fraud Report, Annual Edition 2010/2011 and Quarterly Corporate Fraud Index Network, Q1 2011
Multiple Financial Systems and Business Process Complexity Increase Risk of Errors
“Even ‘world-class’ firms average 27 different financial systems per $1B of revenue…”
- The Hackett Group
Multiple and Heterogeneous ERP, Legacy, Custom Systems
End-to-End Business Process
Cost of Errors is Underestimated
No Executive Concern
…Only 30% of companies consider error management to be a major business problem
Dealt as One-Offs by LOB
Handling errors is seen as the responsibility of the line of business
Labor Intensive
Cost implications of managing exceptions are therefore hefty, but ignored
Polling Question 1
Greatest Improvement Gains in Operational Processes
• Operational inefficiency and risk, often the least scrutinized and optimized
– Financial Processes
  • Ledger/Period Close
  • Payables/Receivables
  • Orders/Sales
  • Payroll/T&E
– HR Processes
  • Health & Safety
  • Hire-to-Retire
– Production Processes
  • Concept-to-Product
– Sales Processes
  • Market-to-Prospect
• Opportunity for transparency, automation and improvement gains are the greatest
Mitigating Inefficiency and Risk
• Processes become too complex and unruly
• Controls are implemented reactively to comply with regulations and mandates
• Stakeholders too busy, not involved
• Manual control too cumbersome
• Haven’t found the right automation
• Controls are defined
• Automation enforces controls
• Controls support performance goals
• Process must complete in n hours
• Errors must occur in <n% of transactions
• Personnel must spend <n% of time performing redundant activities
• Financial loss due to error/waste/fraud/theft must be < n% of revenue
What Can Be Done?
1. Show Stakeholders What They Have To Gain: Increase Profit, Reduce Damage
2. Define Better Controls: Start with Low Effort, High Yield Controls
3. Enforce These Controls: Automate Where Pragmatic
Polling Question 2
Inefficiency and Internal Fraud Reduction with Oracle Fusion GRC Applications
Detect More and Faster with Continuous Monitoring and Advanced Pattern Analysis
Apply Advanced Forensic and Pattern Analysis
Continuous Monitoring of Controls and Transactions
Duplicate POs
Accounts Payables
Duplicate/Overpayment Invoice
Suppliers
Test integrity of transactions and controls across business processes
Identify anomalies missed by traditional audit and controls
Visually identify suspect transactions using Benford Pattern analysis
Monitor 100% of transactions and controls in real time
Business Users Easily Build Controls and Reports
Self-Service Dashboard Reports
Business users can create interactive dashboards and personalized reporting on the fly.
Quickly Build and Adapt Controls
Business rules and a drag-and-drop workbench make even the most complex rules easy to build.
Remediate High Impact Violations with Integrated Risk Prioritization and Incident Management
Incident Management
Integrated workflow efficiently resolves identified incidents and tracks status.
Risk Prioritization
Consolidated controls management and dashboard reporting automatically maps higher impact risks.
Embedded Controls Prevent Incidents and Escalation
• Real-time, automated controls and alerts prevent fraud and errors before they occur
• Controls installed directly into applications and without technical expertise
• Risk of fraudulent data and application changes reduced with approval workflow and audit trails
Prevent Fraud and Errors Before They Occur
Oracle’s Governance, Risk, & Compliance Solutions
GRC Intelligence: Executive Dashboards, KRIs and KPIs, Ad-Hoc Analysis
GRC Manager: Enterprise Risk Management, Compliance Management, Remediation Management
GRC Controls: SOD & Access, Application Configuration, Transaction Monitoring, Preventive Controls
Custom or Legacy Applications
360º Visibility
• Single source of GRC Information
• Pre-built dashboards
• Respond to KRI and issues
Centralized GRC Oversight
• Common Repository for GRC
• Audit and Assessment of Controls
• Integrated remediation management
Embedded Controls
• Detective, Preventive, Contextual
• Automated controls testing
• Pre-built controls library
Automated Controls Applied to Process Risks
Polling Question 3
Key Processes Vulnerable to Abuse & Inadvertent Error
Source: “2011 OAUG Governance, Risk & Compliance Best Practices Survey”, Unisphere Research, Feb 2011
Cut Procure to Pay Inefficiency & Risk
• Determine if supplier master data has changed
• Find & remediate users with privileges to enter & modify supplier master data
• Add data entry rules approving certain changes to supplier data
• Identify cash disbursements not processed but completed
• Validate supplier invoice aging, thresholds, lost discounts
Parexel
Leading global bio/pharmaceutical services organization with revenues of $1.3 B and 9,700 employees, S&P 600 with 71 locations around 52 countries
Requirements
• Needed solutions to expose inter-role conflicts and enforce access security
• SOD monitoring done manually through documentation & checklists
• Ensure OFAC compliance and validate suppliers against watchlist
• Monitor P2P transactions more effectively than looking at cash payment comparisons
Results
• Identified riskiest policies and conflicts. 25-40 controls and SOD rules were implemented.
• Automated OFAC compliance by tracking transactions against SDN listing
• Eliminated cash payment comparisons
• Improved P2P process health and confidence
Cut Order to Cash Inefficiency & Risk
• Determine if product master data is accurate
• Find & remediate users with privileges to enter & modify master data
• Add data entry rules to validate sales order ship-to destination against localized product configuration
• Find sales order transaction exceptions
• Find revenue and COGS mismatches
• Validate customer invoice aging, thresholds
A.M. Castle
A.M. Castle, metal distributor with 55 offices in US, Europe and Asia, revenues of $1.5 B and 1,500 employees. Growth through acquisition and global expansion.
Requirements
• Inefficient, error-prone quote & order entry process causing service issues
• Extensive exception reporting to correct order entry exceptions
• Numerous manual and custom audits were required to catch errors
• Many fields required additional keystrokes and navigation
Results
• Reduced order entry time by 20%
• Automated audits/reports of order entry issues
• Automated exception e-mails to notify Sales of order issue
• Removed errors causing invoice/shipping issues
• Improved the overall order system health & end user confidence
Cut Financial Close Inefficiency & Risk
• Control access to ledger, ERP, consolidation, disclosure applications
• Prevent journal entries for which debit does not equal credit
• Validate that transactions are recorded according to GAAP/IFRS
• Identify changes to master data with significant impact to financial accounting or reporting implications
• Prompt users to add notes after work item is completed
FedEx
FedEx, the world's #1 express transportation provider with 200,000 employees and $37 billion in revenues, offers access to the global marketplace through a network of supply chain, transportation, business and related information services.
Requirements
• 6 ledgers currently close in 6-7 hrs but are moving to 92 ledgers
• Going from 175 to 400 users
• Are expanding from US-centric close to one involving Canada and other regions
• Need to maintain an auditable yet efficient close
Results
• Close 92 legal entities, centrally, in less than a day
• All existing controls are maintained or strengthened
• Allow for status monitoring from a single workbench
• Build better notifications and alerts
What Can Be Done?
1. Show Stakeholders What They Have To Gain: Increase Profit, Reduce Damage
2. Define Better Controls: Start with Low Effort, High Yield Controls
3. Enforce These Controls: Automate Where Pragmatic
Oracle Fusion GRC Applications Suite
• Proactively prevent transaction & processing errors
• Improve cash management & reduce AP violations
• Identify exceptions missed by traditional controls and audit
• Detect frauds faster to minimize duration & impact
• Deter fraudsters with continuous monitoring & audit trails
• Identify and remediate key control deficiencies across systems and business processes
• Analyze 100% of transactions for improved confidence and reporting
• Maximize ROI of continuous monitoring by eliminating false positives and risk prioritization
• Reduce post audit recovery and collections costs
Improve Audit Efficiency
Minimize Fraud and Abuse
Reduce Errors and Leakage
Additional Resources
Virtual Briefing Center: www.oracle.com/goto/vbc
Oracle GRC Applications: www.oracle.com/grc