Post on 19-Dec-2015
Case Study GRC Implementation - A User Perspective
Wendy K. Roberts, CPA, CIA
Adil Khan, GRC Client Director, FulcrumWay
Hari Radhakrishnan, IT Consultant, Control Solutions
January 21, 2009
Agenda
• Introduction
• GRC Objectives
• Selection Process – Research and Approach
• About FulcrumWay
• Controls Survey
• Controls Framework
• Application Controls Best Practices
• GRC Monitor Implementation
• Compliance Best Practices
• GRC Manager Implementation
About Our Company
• Harris Stratex Networks, Inc. is a leading provider in backhaul solutions for mobility and broadband networks. We serve all global markets, including mobile network operators, public safety agencies, private network operators, utility and transportation companies, government agencies and broadcasters. With customers in more than 135 countries, Harris Stratex Networks is recognized around the world for innovative, best-in-class wireless networking solutions and services.
Objective for a GRC Tool
• Obtain a versatile tool that could be used WW (worldwide)
–Move away from spreadsheets and Word documents to a more automated environment.
–A product that could grow with the company.
–Be used for SOX 302 and 404 certification.
–Support Control Self Assessment testing.
–Enhance the testing and reporting for Internal Audit.
–Provide a central database for compliance use such as Code of Conduct and policy management.
–Incorporate other compliance programs such as ISO and EH&S.
Research and Approach
• Gartner Report - Magic Quadrant for Finance Governance, Risk and Compliance Management Software, 2007. Published February 1, 2007.
–Research for the tool began in July 2007.
–Developed an analysis matrix with 32 criteria points.
–Use of the magic quadrant to select vendors based on criteria and objectives of the company.
–Six vendors chosen which met the most criteria points.
–Demos performed with executive management.
–Top two vendors were asked for RFPs.
Research and Approach
• Decision for purchase of tool
–Top two vendors were presented to a steering committee.
–Recommendation was made for Oracle GRC Manager as the tool of choice.
–Presented to the Board of Directors for approval.
–Approval obtained in January 2008.
Implementation of GRC Monitor
• Tool used to analyze Segregation of Duties (SOD) violations in Oracle
–On-demand service commenced in February 2008.
–Developed over 400 business rules which represented best practices in the industry.
–Design of a risk matrix using High-Medium-Low risks for Oracle modules GL, AP, AR, FA.
–Remediation of violations for high risks completed in June 2008 (FY08 Year End).
–Medium and low risks violations being completed for FY09 by the end of January 2009.
Implementation of GRC Manager
• Tool used to address policy management, 302 quarterly certifications and 404 SOX compliance
–Implementation began mid-October with completion estimated to be March 2009.
–Policy management and 302 quarterly certification using Stellant Content Manager in GRC.
–Use of GRC Manager for SOX 404 Certification and Control Self Assessment and Internal Audit testing.
–Developing on-line training using Oracle User Productivity Kit (UPK).
About FulcrumWay
FulcrumWay is the #1 provider of Governance, Risk and Compliance Expertise, Solutions and Software Services for Oracle enterprise customers.
Expertise: Risk Management, Compliance, IT Audit, Internal Controls, Financial Reporting and GRC Software implementation consulting services. Since 2003, we have successfully assisted over one hundred Fortune-500 to Middle Market companies across all major industry segments.
Solutions: Oracle certified Systems Integrator and ISV member of the Oracle Partner Network. FulcrumWay solutions are built on software technologies from Oracle Corporation. FulcrumWay GRC Solutions are the #1 choice of Oracle customers.
Software Services: We enable organizations to assess Financial, Operational and Information Technology risks, monitor internal controls and optimize business processes. Auditors, Risk Managers and Business Process Owners can access a wide range of web based services over a secure internet connection to FulcrumWay GRCMONITOR® (https://www.grcmonitor.com) Software as a Service (SaaS) platform.
Privately Held Delaware corporation with US presence in:
New York, Texas and California
International Presence in UK and India
www.fulcrumway.com
Fulcrum Credentials
Industry segments shown: Media and Entertainment; Financial Services; Healthcare; Natural Resources; Life Sciences; Industrial Manufacturing; Defense/Aerospace; Construction; High Technology; Retail; Food
Also shown: Readers Digest; FulcrumPoint Insight
Thought Leadership - Events
• Compliance Week Magazine - Healthcare Firm Aligns Compliance Efforts, Cuts Costs
• Economist Magazine –Compliance Guide for Enterprise Systems
• POD Cast – How Automating the Enterprise Risk Management Process helps organizations comply with regulations
• OAUG - Impact of AS5 for Oracle Enterprise Customers
• IIA – Top Five Reasons for Automating Application Controls
• Oracle Open World – Annual GRC Dinner, GE and Birds Eye Case Study
• Web casts – GRC Best Practices, Trends and Expert Insight.
IT Governance, Risk and Compliance Needs
Common Compliance Needs (the four columns of the slide): Processes and Risk Management; Enterprise Content Management; Security and Identity Management; Learning Management
Mandate, with the number of the four compliance needs marked for it:
Cross Industry
–Sarbanes-Oxley Act: 4
–HIPAA: 3
–California Senate Bill 1386: 3
–International Accounting Standards: 2
–EU Data Privacy Directive: 3
–Federal Sentencing Guidelines: 1
Industry-Specific
–Basel II: 4
–Gramm-Leach Bliley: 3
–Payment Card Industry Data Security: 4
–FDA 21 CFR Part 11: 3
–Freedom of Information Act: 2
–USA PATRIOT Act: 3
OAUG Survey Demographics
Application Survey Questions
There were 20 scenarios presented and each scenario included two questions:
• Identify the awareness of the deficiency:
–My company was not aware of this risk
–My company is aware of this risk, but has chosen not to address it yet
–My company is aware of this risk and has chosen to accept the risk
–My company is aware of this risk and has addressed it via a manual control
–My company is aware of this risk and has implemented a customization / extension
–I am not qualified to address this risk
–My company does not use this functionality
–Other
• Determine the likelihood of implementing a fix if Oracle provided a solution:
–Would likely not implement because we don't agree with the risks
–Would likely not implement because we already addressed it via a customization
–Would likely not implement because we have chosen to accept the risks
–Would likely implement it because we have not addressed the issue
–Would likely implement it because we would rather replace our customization
–I am not able to know what our company would do
–Other
Survey scenario areas: Customer Master; Order Forms: Transaction Entry vs. Approval; Workflows
Controls Framework
IT organizations should consider the nature and extent of their operations in determining which, if not all, of the following control objectives need to be included in their internal control program:
PLAN AND ORGANIZE
ACQUIRE AND IMPLEMENT
DELIVER AND SUPPORT
MONITOR AND EVALUATE
What are Application Controls?
• Application controls apply to the business processes they support. These controls are designed within the application to prevent or detect unauthorized transactions. When combined with manual controls, as necessary, application controls ensure completeness, accuracy, authorization and validity of processing transactions
• Control objectives can be supported with automated application controls. They are most effective in integrated ERP environments, such as SAP, PeopleSoft, Oracle, JD Edwards and others.
Orders are processed only within approved customer credit limits.
Orders are approved by management as to prices and terms of sale.
Purchase orders are placed only for approved requisitions.
Purchase orders are accurately entered.
All purchase orders issued are input and processed.
All recorded production costs are consistent with actual direct and indirect expenses associated with production.
All direct and indirect expenses associated with production are recorded as production costs.
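The control objectives listed above, as an added example that is not code from the original presentation or from any ERP or GRC product: a small Python model of automated, preventive application controls for sales-order and purchase-order entry (credit limit, management-approved pricing, approved requisitions, accurate entry), with an audit log of every outcome for detective review. The customers, price list, requisitions and transactions are all constructed.

```python
"""Automated application controls for sales-order and purchase-order entry.
Added example for this page, not code from any ERP or GRC product; the
customers, price list, requisitions and transactions are all constructed."""
from collections import namedtuple
from dataclasses import dataclass

# One control outcome: the objective as worded on the slide, pass/fail, and why.
ControlResult = namedtuple("ControlResult", "control passed detail")


@dataclass
class Customer:
    customer_id: str
    credit_limit: float
    open_balance: float  # unpaid invoices plus accepted open orders

@dataclass
class SalesOrder:
    order_id: str
    customer_id: str
    item: str
    quantity: int
    unit_price: float
    approval_ref: str = ""  # management approval reference for off-list pricing

@dataclass
class PurchaseOrder:
    po_id: str
    requisition_id: str
    supplier_id: str
    amount: float


class ApplicationControls:
    """Preventive checks run inside the application before a transaction posts;
    every outcome is also written to an audit log for detective review."""

    def __init__(self, customers, price_list, approved_requisitions, suppliers):
        self.customers = customers                          # id -> Customer
        self.price_list = price_list                        # item -> approved unit price
        self.approved_requisitions = approved_requisitions  # requisition id -> approved amount
        self.suppliers = suppliers                          # approved supplier ids
        self.audit_log = []                                 # (txn id, control, passed, detail)

    def _record(self, txn_id, results):
        for r in results:
            self.audit_log.append((txn_id, r.control, r.passed, r.detail))
        return all(r.passed for r in results)

    def submit_sales_order(self, order):
        """Accept the order only if every control passes; reserve credit when it does."""
        total = order.quantity * order.unit_price
        cust = self.customers.get(order.customer_id)
        exposure = (cust.open_balance if cust else 0.0) + total
        list_price = self.price_list.get(order.item)
        results = [
            ControlResult("Orders are processed only within approved customer credit limits",
                          cust is not None and exposure <= cust.credit_limit,
                          f"exposure {exposure:.2f} vs limit {cust.credit_limit if cust else 'n/a'}"),
            ControlResult("Orders are approved by management as to prices and terms of sale",
                          list_price is not None and (order.unit_price == list_price or bool(order.approval_ref)),
                          f"unit price {order.unit_price} vs list {list_price}, approval '{order.approval_ref}'"),
        ]
        accepted = self._record(order.order_id, results)
        if accepted:
            cust.open_balance += total  # credit is consumed only by accepted orders
        return accepted

    def submit_purchase_order(self, po):
        """Accept the PO only if an approved requisition covers it and it is accurately entered."""
        approved = self.approved_requisitions.get(po.requisition_id)
        results = [
            ControlResult("Purchase orders are placed only for approved requisitions",
                          approved is not None and po.amount <= approved,
                          f"amount {po.amount} vs approved {approved}"),
            ControlResult("Purchase orders are accurately entered",
                          po.amount > 0 and po.supplier_id in self.suppliers,
                          f"amount {po.amount}, supplier {po.supplier_id}"),
        ]
        return self._record(po.po_id, results)


def run_demo():
    """Run constructed transactions; returns ({txn id: accepted}, controls object)."""
    ctl = ApplicationControls(customers={"C100": Customer("C100", 10000.0, 6000.0)},
                              price_list={"ANT-7": 500.0},
                              approved_requisitions={"REQ-1": 2500.0}, suppliers={"S-20"})
    txns = [
        SalesOrder("SO-1", "C100", "ANT-7", 4, 500.0),                 # within limit, list price
        SalesOrder("SO-2", "C100", "ANT-7", 10, 500.0),                # would exceed the credit limit
        SalesOrder("SO-3", "C100", "ANT-7", 2, 450.0),                 # off-list price, no approval
        SalesOrder("SO-4", "C100", "ANT-7", 2, 450.0, "MGR-APPR-17"),  # off-list price, approved
        PurchaseOrder("PO-1", "REQ-1", "S-20", 2400.0),                # covered by the requisition
        PurchaseOrder("PO-2", "REQ-9", "S-20", 100.0),                 # no approved requisition
        PurchaseOrder("PO-3", "REQ-1", "S-99", 2600.0),                # over amount, unknown supplier
    ]
    outcome = {}
    for t in txns:
        if isinstance(t, SalesOrder):
            outcome[t.order_id] = ctl.submit_sales_order(t)
        else:
            outcome[t.po_id] = ctl.submit_purchase_order(t)
    return outcome, ctl
```

Each control is evaluated and logged even when an earlier one has already failed, so the audit log shows every objective a rejected transaction missed rather than only the first; credit exposure is updated only by accepted orders, which is what makes the credit-limit control preventive rather than merely detective.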
Risk Assessment
• The IT organization has an entity-level and activity-level risk assessment framework, which is used periodically to assess information risk to achieving business objectives.
• Management’s risk assessment framework focuses on the examination of the essential elements of risk and the cause and effect relationship among them.
• A risk assessment framework exists and considers the risk assessment probability and likelihood of threats.
• The IT organization’s risk assessment framework measures the impact of risks according to qualitative and quantitative criteria.
• The IT organization’s risk assessment framework is designed to support cost-effective controls to mitigate exposure to risks on a continuing basis, including risk avoidance, mitigation or acceptance.
• A comprehensive security assessment is performed for critical systems and locations based on their relative priority.
Control Activities
An organization has and does the following:
• A system development life cycle methodology that considers security, availability and processing integrity requirements of the organization. This ensures that information systems are designed to include application controls that support complete, accurate, authorized and valid transaction processing.
• An acquisition and planning process that aligns with its overall strategic direction.
• Acquires software in accordance with its acquisition and planning process.
• Procedures ensure that system software is installed and maintained in accordance with the organization’s requirements.
• Procedures ensure that system software changes are controlled in line with the organization’s change management procedures.
• Ensures that the implementation of system software does not jeopardize the security of the data.
Control Monitoring
• Changes to IT systems and applications are performed and designed to meet the expectations of users.
• IT management monitors its delivery of services to identify shortfalls and responds with actionable plans to improve.
• IT management monitors the effectiveness of internal controls in the normal course of operations through management and supervisory activities, comparisons and benchmarks.
• Serious deviations in the operation of internal control, including major security, availability and processing integrity events, are reported to senior management.
• Internal control assessments are performed periodically, using self-assessment or independent audit, to examine whether internal controls are operating satisfactorily.
Stages of Application Controls Implementation
• Define: Define Audit Units, Application Environments, and Controls in-scope for Audit Testing
• Detect: Analyze Control Violations based on risk, impact. Eliminate false-positives, exceptions
• Remediate: Resolve Control Violations
• Prevent: Automated Controls deny unauthorized access, transactions and system changes in real-time
• Monitor: Analytics to notify management of all control violations
Application controls lifecycle diagram, steps in the order shown: Establish Rules Repository; Detect Violations; Analyze Issues; Remediate Issues; Implement Changes; Monitor Application Environment; Determine Scope by Application; Extract ERP Data; Manage Exceptions; Setup Preventive Controls; Establish Test Environment
Teams shown on the diagram: Application Control Teams; Corporate Access Controls; Business Process Teams; IT Management
Application Controls Management Best Practices
Rules Library is the master repository that contains all SOD Rules stored in Access Control
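The GRC Monitor SOD analysis described earlier (a rules library, a High-Medium-Low risk matrix across the GL, AP, AR and FA modules, and remediation of violations by risk) and the Define/Detect/Remediate/Monitor stages above, as an added example that is not code from Oracle GRC Monitor, FulcrumWay or the original presentation: a Python model of a SOD rules library evaluated against user-to-role data extracted from the ERP, with accepted exceptions backed by a documented mitigating control, a per-module risk matrix, and a greedy remediation plan. Every rule, role, user and exception is constructed.

```python
"""SOD detection and remediation over constructed ERP role data.

Added example for this page, not code from Oracle GRC Monitor or FulcrumWay;
every rule, role, user and exception below is constructed."""
from collections import Counter, defaultdict, namedtuple

RISK_ORDER = {"High": 0, "Medium": 1, "Low": 2}  # ranking of the risk matrix

# A rule names two conflicting functions in one Oracle module (GL, AP, AR, FA).
SodRule = namedtuple("SodRule", "rule_id module function_a function_b risk description")
# A violation records which of the user's roles grant each side of the conflict.
Violation = namedtuple("Violation", "user rule roles_a roles_b")

# Constructed rules library (the deck describes a library of over 400 rules).
RULES_LIBRARY = [
    SodRule("AP-01", "AP", "Maintain Suppliers", "Enter AP Invoices", "High", "pay a fictitious supplier"),
    SodRule("AP-02", "AP", "Enter AP Invoices", "Approve Payments", "High", "approve own invoice"),
    SodRule("GL-01", "GL", "Enter Journals", "Post Journals", "Medium", "post an unreviewed journal"),
    SodRule("AR-01", "AR", "Maintain Customers", "Apply Receipts", "Medium", "misapply receipts"),
    SodRule("FA-01", "FA", "Add Assets", "Retire Assets", "Low", "retire an asset without review"),
]
# Constructed role -> functions map (roles stand in for Oracle responsibilities).
ROLE_FUNCTIONS = {
    "AP_CLERK": {"Enter AP Invoices"},
    "AP_MANAGER": {"Approve Payments", "Maintain Suppliers"},
    "GL_ACCOUNTANT": {"Enter Journals"},
    "GL_SUPERVISOR": {"Post Journals"},
    "AR_CLERK": {"Maintain Customers", "Apply Receipts"},
    "FA_ANALYST": {"Add Assets", "Retire Assets"},
}
# Constructed user -> roles assignments, as extracted from the ERP.
USER_ROLES = {
    "alice": {"AP_CLERK", "AP_MANAGER"},        # two High conflicts across roles
    "bob": {"GL_ACCOUNTANT", "GL_SUPERVISOR"},  # one Medium conflict across roles
    "carol": {"AR_CLERK"},                      # Medium conflict inside one role
    "dave": {"FA_ANALYST"},                     # Low conflict inside one role
    "erin": {"AP_CLERK"},                       # no conflict
}
# Constructed accepted exception: (user, rule_id) -> documented mitigating control.
EXCEPTIONS = {("dave", "FA-01"): "Low risk accepted; asset register reviewed quarterly"}


def detect_violations(user_roles, rules=RULES_LIBRARY, role_functions=ROLE_FUNCTIONS):
    """Detect stage: every user holding both functions of a rule, High risk first."""
    found = []
    for user, roles in user_roles.items():
        granted = defaultdict(set)  # function -> this user's roles granting it
        for role in roles:
            for func in role_functions.get(role, ()):
                granted[func].add(role)
        for rule in rules:
            if rule.function_a in granted and rule.function_b in granted:
                found.append(Violation(user, rule, frozenset(granted[rule.function_a]),
                                       frozenset(granted[rule.function_b])))
    found.sort(key=lambda v: (RISK_ORDER[v.rule.risk], v.rule.module, v.user))
    return found


def apply_exceptions(violations, exceptions):
    """Split violations into open ones and ones covered by an accepted exception."""
    open_, accepted = [], []
    for v in violations:
        (accepted if (v.user, v.rule.rule_id) in exceptions else open_).append(v)
    return open_, accepted


def risk_matrix(violations):
    """Count violations per module and risk level: {module: {risk: n}}."""
    matrix = defaultdict(Counter)
    for v in violations:
        matrix[v.rule.module][v.rule.risk] += 1
    return {m: dict(c) for m, c in matrix.items()}


def remediation_plan(user_roles, rules=RULES_LIBRARY, role_functions=ROLE_FUNCTIONS,
                     exceptions=EXCEPTIONS):
    """Remediate stage: per user, drop the role involved in the most open conflicts
    until none remain. A role granting both sides of a conflict is flagged for
    redesign instead, since dropping it would strip the user's whole job."""
    plan = {}
    for user, roles in user_roles.items():
        remaining, removed, redesign = set(roles), [], set()
        while True:
            open_, _ = apply_exceptions(
                detect_violations({user: remaining}, rules, role_functions), exceptions)
            counts = Counter()
            for v in open_:
                shared = v.roles_a & v.roles_b
                if shared:
                    redesign |= shared
                else:
                    counts.update(v.roles_a | v.roles_b)
            if not counts:
                break
            role = min(counts, key=lambda r: (-counts[r], r))  # name breaks ties
            remaining.discard(role)
            removed.append(role)
        if removed or redesign:
            plan[user] = {"remove": removed, "redesign": sorted(redesign)}
    return plan
```

Run `detect_violations(USER_ROLES)` to get the ranked list, `apply_exceptions` to separate accepted risks from open findings, `risk_matrix` for the per-module High/Medium/Low counts, and `remediation_plan` for the role changes to make. The plan distinguishes conflicts that span two roles (fixable by removing a role) from conflicts built into a single role (the role itself must be redesigned); re-running detection on the post-plan assignments confirms which findings remain and is the Monitor step in miniature.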
GRC Management Process
Diagram steps in the order shown: Assess Risk Top Down; Conduct Assessments; Scope Audit Projects; Test Internal Controls; Certify Business Processes; Certify Financial Statements; Gather GRC Data; Establish Risk & Controls Library; Document Findings; Implement Changes; Establish Enterprise Structure
Roles shown on the diagram: Management; Business Process Owner; Signing Officer; Compliance Manager
RCM Hierarchy in GRC Manager
Create Business Process
Controls Interface
Business Process Lifecycle
Questions?