GRC Applications Overview
Jeff Breitkreitz, Applications Technology, Public Sector Canada
Agenda
• GRC Solution Overview
• GRC Intelligence
• GRC Manager
• GRC Demonstration Flow
• GRC Solution Overview continued…
• GRC Controls
Oracle GRC Applications Suite (architecture diagram)
• GRC Controls: Access Controls, Configuration Controls, Transaction Controls
• GRC Manager: Risks, Assessments, Issues, Processes, Policies, Procedures, Remediation
• GRC Intelligence: Reports, Dashboards, Alerts, Key Risk & Control Indicators
• Environment: Applications, Infrastructure, Customers, Suppliers
• Business functions: Sales, Legal, R&D, Mfg, HR, Finance
• GRC initiatives: Financial Compliance, IT Governance, Regulatory Policy Mgmt, Information Privacy, Environmental, Product Quality & Safety, Global Trade Mgmt
• Industries: Life Sciences, Financial Services, Retail, High Tech, Public Sector
Pre-integrated with Oracle applications and technology, supports heterogeneous environments
Purpose-built business solutions for key industries and GRC initiatives
Best-in-class GRC core solutions to support all mandates and regulations
GRC Intelligence
• Pre-built dashboards aggregate information from all sources
• Combine performance & GRC information
• Respond to KRIs and issues
• Produce attestations and disclosures
• Configure to meet your specific needs
Intuitive, graphical risk and control analytics. View by location, regulation, due date, etc.
Easy drill down to detailed information
Consolidated view of financial balances from Hyperion Financial Management and risk rating from GRC Manager
GRC Intelligence Review
FINANCE & AUDIT
• Challenge: Unable to measure the effectiveness of compliance and risk management programs
• Challenge: Difficult to obtain a consolidated view into the status of compliance activities
• Solution: GRC Intelligence consolidates data from different source systems and presents information via role-based dashboards for enterprise-wide GRC visibility
• Solution: Flexible display options and guided drill paths facilitate rapid analysis for timely response
GRC Manager
• GRC System of Record
• End-to-End GRC Process Management
• Platform Independent
• Integrated Control Management
• Closed-loop Issue Remediation
Manage Regulations, Policies and Procedures
• Align regulations to policies to best-practice frameworks
• Frameworks align corporate policies and associated controls to standards
• Link shared policies and controls in master libraries for easy maintenance
Manage Multiple Regulations/Standards
Master Libraries of Policies & Controls
Embedded Frameworks (COSO, COBIT)
GRC Manager Review
FINANCE
• Challenge: Compliance information scattered in fragmented systems, hard-copy binders, and spreadsheets
• Solution: One system of record for multiple compliance requirements, based on leading content management technology, to unify documentation and evidence
• Challenge: Labor- and time-intensive manual processes to document, test, and certify controls
• Solution: Automated process management and workflow to streamline manual activities
AUDIT
• Challenge: Need to demonstrate a sound control environment to external auditors and limit the scope of the audit
• Solution: Demonstrable alignment with best-practice control frameworks. Testing can be limited to only those controls that have changed since the last audit.
• Challenge: Need to shift accountability for controls testing and documentation to business process owners
• Solution: Automated process management and testing plans guide business process owners through the testing process, allowing internal audit to take an oversight role
Agenda
• GRC Solution Overview
• GRC Intelligence
• GRC Manager
• GRC Demonstration Flow
• GRC Solution Overview continued…
• GRC Controls
Demo Scenario 1: Notify and Analyze
Before: the user can access the Invoice screen and there are no controls to prevent them from creating an invoice and approving it.
After: the user can still create the invoice, but can no longer self-approve invoices. The Action button is disabled and a prompt informs the user of the control rule.
Before: the user can access the Supplier screen and there are no controls to prevent them from changing the address.
After: the user can still modify the supplier address, but that field is now a controlled field that requires approval from a manager before saving.
Agenda
• GRC Solution Overview
• GRC Intelligence
• GRC Manager
• GRC Demonstration Flow
• GRC Solution Overview continued…
• GRC Controls
GRC Controls
• Preventive and detective controls
• What-if risk simulation
• Automated controls testing
Monitor Policy Effectiveness (GRC Controls)

                       Access                  Configuration                 Transaction
Preventive Controls    What users can do       How processes are set up      How users execute processes
Detective Controls     What users have done    What processes have changed   What the execution patterns are
Access Controls: provide fine-grained access control and segregation of duties
Companies need to know who has access to do what and ensure that someone isn't given inappropriate privileges; this is fundamental.
Preventive
• Provide compliant user provisioning
• Enforce compensating controls
• What-if SOD risk simulation
• Hide sensitive information
• Disable inappropriate privileges
Detective
• Analyze user roles and responsibilities for SOD violations
• Identify/remediate SOD conflicts
• Audit activities of users granted sensitive access
• Validate users and user privileges
Access Control Lifecycle (detection feeding prevention)
1. Define Access Controls: define SOD conflict and restricted-access business rules. Ex. Enter Supplier vs. Payment
2. Conflict Analysis: execute an access analysis engine that understands the application's detailed access architecture. Ex. Oracle's function level, exclusions, false positives
3. Remediation (Clean-up): faster, easier remediation and analysis via pre-packaged reports and what-if simulation. Ex. Conflict impact of removing a function from a menu
4. Compensating Policies: flexibility to handle exceptions through compensating process and transaction analysis policies. Ex. Reason codes, Access Monitoring, Fine-grained Access Controls
5. Prevention (Provisioning): real-time enforcement of SOD controls during user provisioning. Ex. Prevent, Allow with Approval or Allow with Rules
Manage SOD Policies: pre-built best-practice controls library
Manage SOD Policies: add new rules or customize existing ones
Conflict Analysis: generate real-time SOD & user access reports
Conflict Analysis: view detailed conflict reports by various dimensions (e.g. by Application)
Remediation (automatic & simulations): run a what-if simulation to test the proposed access change before remediating in the ERP application
Preventive Provisioning: responsibility is granted
Compensating Controls: Payment tab is removed
Access Control Review
IT / SYSTEM ANALYSTS
• Challenge: Unsatisfied with the current state of application data access and security
• Solution: Automate the SOD/access lifecycle: detection, analysis, remediation, and deployment of preventive and compensating controls to accommodate dynamic business requirements
• Challenge: High percentage of IT budget devoted to compliance, and away from innovation
• Solution: Preventive controls and audit reports free up IT resources
AUDIT / FINANCE / PROCESS OWNER
• Challenge: Audit data and reports are difficult to generate and require significant IT and LOB support
• Solution: Audit reports are available for every control, by various dimensions, with no dependence on IT support
• Challenge: Need to decrease reliance on manual controls
• Solution: Automate the entire SOD/access lifecycle: detection, analysis, remediation, and deployment of preventive and compensating controls to accommodate dynamic business requirements
Configuration Controls: enforce best-practice setups and reduce configuration drift
Ensure that critical setups conform to best practices and follow robust change management procedures.
Preventive
• Validate that setups and data updates conform to valid values
• Require conditional approval cycles (e.g., exceed threshold)
• Enforce data consistency (e.g., force data to upper case)
Detective
• Detect and record changes to sensitive setup data
• Compare before and after values for changes
• Monitor for setup inconsistencies across multiple instances
Configuration Controls Lifecycle (detection feeding prevention)
1. Define Configuration Controls: define configurations that impact key controls, business processes, and/or financial reporting. Ex. Profile Options, Matching Tolerances, Document Approvals, etc.
2. Document/Compare Configurations: baseline documentation for configuration key controls and comparisons against best practices. Ex. Across SOBs, OUs, Journals, Points in Time, Instances, etc.
3. Monitor Configuration Changes: continuously monitor configurations for changes. Ex. Track changes to key configuration controls, generate reports & dashboards
4. Manage Data Integrity: apply data integrity and privacy controls to granular configuration and transaction controls. Ex. Data validation, hide fields, enforce processes, etc.
5. Enforce Change Control: require approvals and reason codes when key configurations change. Ex. Approval workflows, automated reason codes
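The configuration lifecycle above (a best-practice baseline, comparison across instances, and change control that demands a reason code and an independent approver before a key-control setup changes, with before/after values logged for the detective side) as an added Python example. It is not Oracle GRC code: the setup names, values, instances and users are constructed, and no real EBS profile option or API is modelled.

```python
"""Configuration controls: baseline comparison, cross-instance drift, and
change tracking behind an approval/reason-code gate.

Added example, not Oracle GRC code: setup names, values, instances and users
are constructed; real EBS profile options are not modelled."""
from dataclasses import dataclass
from typing import Optional

# Setups that impact key controls; changing one needs a reason code and an
# approver other than the person making the change (constructed list).
KEY_CONTROL_SETUPS = {"AP: Invoice Match Option", "PO: Approval Required",
                      "AP: Payment Approval Limit"}

# Best-practice baseline the instances are compared against (constructed).
BASELINE = {
    "AP: Invoice Match Option": "3-Way",
    "PO: Approval Required": "Y",
    "AP: Payment Approval Limit": "10000",
    "GL: Journal Approval": "Y",
}

# Snapshots of two instances (constructed). TEST has drifted from the baseline.
INSTANCES = {
    "PROD": dict(BASELINE),
    "TEST": {
        "AP: Invoice Match Option": "2-Way",
        "PO: Approval Required": "N",
        "AP: Payment Approval Limit": "50000",
    },
}


def compare(baseline, snapshot):
    """Drift as {setup: (expected, actual)}. A setup missing from the snapshot is
    reported with actual=None rather than silently treated as compliant."""
    return {name: (expected, snapshot.get(name))
            for name, expected in baseline.items()
            if snapshot.get(name) != expected}


def drift_report(instances=INSTANCES, baseline=BASELINE):
    """Per-instance drift, listing only instances that differ from the baseline."""
    report = {}
    for inst, snap in instances.items():
        diff = compare(baseline, snap)
        if diff:
            report[inst] = diff
    return report


@dataclass(frozen=True)
class ChangeEvent:
    """Who changed what, when, where, from/to which value, on whose approval."""
    setup: str
    old: object
    new: object
    who: str
    when: str
    where: str
    reason: Optional[str]
    approver: Optional[str]


def apply_change(instance, setup, new_value, who, when, reason=None, approver=None,
                 log=None, instances=INSTANCES, key_setups=KEY_CONTROL_SETUPS):
    """Enforce change control: a key-control setup changes only with a reason code
    and an approver different from the requester (no self-approval). Every
    accepted change is appended to `log`. Returns (accepted, message)."""
    if setup in key_setups:
        if not reason:
            return False, f"{setup}: reason code required"
        if not approver or approver == who:
            return False, f"{setup}: independent approval required"
    snapshot = instances[instance]
    old = snapshot.get(setup)
    if old == new_value:
        return False, f"{setup}: no change"
    snapshot[setup] = new_value
    if log is not None:
        log.append(ChangeEvent(setup, old, new_value, who, when, instance, reason, approver))
    return True, f"{setup}: {old!r} -> {new_value!r} on {instance}"


def changes_to_key_controls(log, key_setups=KEY_CONTROL_SETUPS):
    """Detective view: before/after values for changes to key-control setups."""
    return [(e.where, e.setup, e.old, e.new, e.who, e.approver)
            for e in log if e.setup in key_setups]


if __name__ == "__main__":
    print(drift_report())
    changes = []
    print(apply_change("PROD", "AP: Invoice Match Option", "2-Way", "jdoe",
                       "2024-01-15T09:30", reason="CR-1", approver="mgr", log=changes))
    print(changes_to_key_controls(changes))
```

A rejected change leaves the snapshot untouched, so the same `compare` call that documents drift against the baseline also shows an approved change the moment it lands; non-key setups still go through `apply_change` and are logged, they just skip the approval gate.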
Configuration and Code Management
• Configurations: 3000+ setups, baseline configs; instances, sets of books, operating units, versions; monitoring, reporting, alerting; auto-propagate setups; automated documentation; comparisons; change tracking; migration
• Code: Oracle binaries (forms, reports, libraries, menus); environments, Oracle versions, code versions; versioning, reporting, alerting; code promotion
Example of Setups and Key Controls (setups = key controls)
Key Controls
• 3-way matching of PO, Invoice and Receipt
• Document spending limits (authorization of PO)
• Security rules – access to sensitive transactions: employee salaries, chart of account values, financial statement reports (FSGs), price lists, inventory attributes
• Action for late delivery of goods
• Inventory stocking rules
• Rules to create tax on sales orders
• Depreciation methods
Setup Data: Application Security, Document Approvals, Chart of Accounts, Profile Options, Users, Application Setups, MRP rules
Operational Data: Customers, Suppliers, Employees, Buyers, Items, Chart of Account Values, Category Codes
Document Configurations
Compare Configurations: differences
Monitor Configuration Changes: who, what, when, where
Monitor Configuration Changes On-line
Setup Migration: What is it?
An automated solution for a manual activity that all Oracle Apps customers are doing: setups entered in the DEV, TEST, QA and CRP databases are entered again by hand in the PROD database (duplicated effort). Setup migration enters them once and automatically migrates them.
Benefits:
• Save time
• Reduce manual effort
• Avoid errors
Data Migration: Extract & Load with FNDLOAD
Source database -> extract with FNDLOAD -> edit data file (optional) -> load with FNDLOAD -> target database
• Uses Oracle Generic Loader
• Automatically extracts/loads setups
• Optionally edit/modify data
• Select one row or many
Setup Migration
Data Configuration Management. Scenario: changing a field value
Data Privacy and Data Integrity: mask sensitive data, disable buttons, validate data input
• Granular user interface restrictions
• Restrict access to data or actions
• Embedded control enforcement
(Screenshot: Employee Update form with Name, Address, Salary, SIN and Supervisor fields; the SIN is displayed as XXX-XXX-XXX)
• Conceal the SIN if the user is NOT from the HR dept
• Employees can only view the Salary field (can't update)
• Disable the Invoice action button for invoices created by the same user
Configuration Controls Review
IT / SYSTEM ANALYSTS
• Challenge: Unable to enforce best practices for configuration and change management
• Solution: Field-level value changes are managed according to a best-practice protocol and documented for audit purposes
• Challenge: Data privacy and protection of sensitive data requires extensive application customization
• Solution: Policy-based access to any field within the application can be restricted without application downtime
AUDIT / FINANCE / PROCESS OWNER
• Challenge: Critical application setups are changed without proper authorization
• Solution: Embedded testing of application controls and validation through approval workflow ensures policy adherence and proactive issue identification
• Challenge: Ineffective controls for system integrity and security
• Solution: Application configuration controls are available on field value changes, action buttons and sensitive data, based on company policy and risk appetite
Transaction Controls: detect and prevent erroneous and fraudulent transactions
Monitor transactions to detect activities that violate business policies or represent unacceptable risks or inefficiency.
Preventive
• Validation of transaction data (e.g., valid product code)
• Approvals based on transaction data thresholds
• Initiate review/approval cycle based on automated policies
Detective
• Identify transactions that violate policy (e.g., unapproved vendor)
• Show patterns representing aggregate risk (e.g., micro-payments)
• Detect correlation risk (e.g., same user creates and pays vendor)
• Detect erroneous transactions (duplicate payments)
Transaction Controls Lifecycle (detection feeding prevention)
1. Define Transaction Controls: determine the relevant risk areas where transaction analysis is needed. Ex. Risks, materiality, timing, data source, etc.
2. Perform Transaction Analysis: generate automated transaction monitors to test for exceptions. Ex. Identify exceptions, transaction sampling, anomaly testing, search for fraudulent behavior
3. Review and Address Suspects: facilitate transaction exception review, testing, and sign-off. Ex. Workflow routing of transaction exceptions for review
4. Preventive Transaction Control: apply preventive transaction controls to sensitive, material, or high-risk areas with embedded process controls. Ex. Embedded business logic in the transaction process, remove transaction privileges under specific conditions, etc.
Transaction Control Monitoring
(Diagram: AP Clerk 1 and AP Clerk 2 enter invoices and the Financial Controller approves them; a user who both enters and approves an invoice is flagged)
Invoice Entry control: the same user should not enter and approve invoices
Exceptions are automatically routed for review
The automated control identifies a list of suspects (exceptions)
Review transaction exceptions periodically, get notified of exceptions through workflow, or…
Transaction Control Enforcement: deploy a preventive embedded transaction control
Deploy preventive control: disable the Actions button for invoices created by the same user
Transaction Real World Examples
• Test against material thresholds: JE > $ threshold; employee checks (individual & sum) > $ threshold
• Search for anomalies: PO terms differ from vendor; sales orders > acceptable $ range
• Sampling of transactions: 4th quarter invoices; days sales outstanding balances
• Detect fraudulent behavior: PO changes after approval; duplicate suppliers with same address
• Embed preventive / automated compensating controls: alert on customer transactions over $ threshold; prevent journals from being entered and posted by the same individual
Transaction Controls Review
IT / SYSTEM ANALYSTS
• Challenge: IT is asked repeatedly to create new reports/queries for the business to perform transaction analysis
• Solution: An easy-to-use interface lets business administrators manage threshold values and generate parameterized reports as required
• Challenge: IT is asked to design compensating or programmatic controls
• Solution: The transaction control library provides readily available audit reports of suspicious activities in the system and distributes them to key personnel for necessary action
AUDIT / FINANCE / PROCESS OWNER
• Challenge: Continuously monitor controls to prevent error and fraud from happening
• Solution: Automated transaction controls validate application and system control effectiveness, identify suspect transactions, and route them to process owners for visibility before material issues arise
• Challenge: Presence of unauthorized user access makes the system vulnerable and warrants additional testing and scrutiny by external auditors
• Solution: Automatic transaction validation and testing can compensate for areas where duties cannot be segregated or forensic analysis is warranted
Q&A
More Information
• Promotes use of Oracle GRC in auditing practice
• Will be holding a workshop in Calgary in October
• Oracle Governance, Risk, and Compliance Controls Suite webcast: http://www.oracle-webinar.com/grc.html?msgid=6976569
• http://www.oracle.com/solutions/corporate_governance/index.html
High-level Architecture
Users connect to the GRC Controls Suite on an application server, which in turn connects to the DEV (10.7), TEST (11.5.10), PROD 1 (11.0.3) and PROD 2 (11.5.9) instances.