OAUG / DOAG SIG Day, Vienna, Sept 27th 2010
Oracle Governance Risk and Compliance
OAUG
Automated Controls and Compliance in Oracle E-Business Suite
August 2010
Focus
Show some hands-on examples of how technical solutions in Oracle's GRC Suite can help with compliance and controls challenges in Oracle E-Business Suite.
Content
The following areas frequently appear in our Controls & Compliance Audits and are sections in this presentation:
A) Restricted Access & Segregation Of Duties (SOD)
A1) Frequent Findings
A2) Example for Oracle GRC “Access Controls”
A3) Lessons learned from GRC Implementations
B) Lack of Control over Transactions and Master Data
B1) Frequent Findings
B2) Example for Oracle GRC “Transaction Controls”
B3) Lessons learned from Implementations
Furthermore, we would like to show the business value beyond the Compliance and Controls improvements:
C) Value proposition of Controls and Compliance automation
Overview of the Components of the Oracle GRC Suite
The GRC Suite is Oracle’s answer to challenges arising from Compliance and Internal Control.
GRC Intelligence
• Solution for effective and efficient reporting on compliance activities
GRC Manager
• Management of Risks, Control Gaps and Compliance Gaps
• Efficient Documentation of Controls
GRC Controls
• Access Controls
• Configuration Controls
• Transaction Controls
Today's topic: Transaction Controls
Business Process
PricewaterhouseCoopersAugust 2010
Slide 4Automated Controls and Compliance in E-Business Suite
A1) Lack of Control over Access and Segregation of Duties
The System Administrator in a typical Oracle E-Business Suite vanilla implementation has rather limited means for evaluating the access rights granted:
- Check User to Responsibility/Roles assignments via Reports
- Check Menu to Function Assignments via Reports
- ...
By these means it is not possible to provide a precise answer to the question which users can execute a certain business function, such as posting an invoice.
(This is due to the complex hierarchical Form / Menu Structure of the Oracle EBS Function Security Concept.)
Not surprisingly this leads to findings and compliance issues within our audits.
A2) How GRC Controls can help to close the Controls and Compliance Gaps - Examples
In the past 3rd party tools (such as PwC Oracle GATE) were used to analyse the access structure in Oracle EBS.
Now Administrators can use a solution which is seamlessly integrated into EBS and features functions for preventive control:
=> “Access Controls” within GRC Controls.
A2) Access Controls Demo from our Test System
Segregation of Duties simulation:
In the following example we want to check up front the effect a change to a responsibility would have on our defined business policy.
Control Area: Access control during implementation, including segregation of duties
Considerations:
• Company XYZ designs menus and responsibilities based on business activities.
• Segregation of duties and restricted access issues are often not considered at the time of implementation.
Potential Pitfall with Oracle Implementation:
• Potentially sensitive access (critical functions such as close periods or create vendors) and transaction combinations with a risk are not identified for segregation of duty purposes.
• Excessive access is embedded in the roles and responsibilities designed. All users will automatically violate the segregation of duty rules.
GRC Improvement Options:
• Leverage the GRC SOD simulation feature during the responsibility design phase to generate reports on SOD and restricted access issues.
• Prevent and report on potential access and segregation of duty violations based on the risks identified.
A2) Access Controls Demo from our test system
The following demonstration will show
• How the simulation feature can be used to analyze the impact on SOD violations from a menu change
− Remove the “Payments” function from selected Payables responsibilities.
− Analyze the overall impact on the SOD environment.
Select REMEDIATION >> SIMULATION
Navigation: Access Policies > Remediation > Simulation
Define simulation scenario details
Action: Create a new scenario by clicking Action > Add
Action: Define the scenario details
Select SIMULATE and choose the snapshot data to use
Action: Select Simulate
Review the impact of the simulation scenario
Action: Review the simulation result
You can drill down the impact from Policy > Responsibility > User
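As an added illustration (not part of the deck and not Oracle GRC code), the simulation walked through above can be modelled on a small constructed snapshot: flatten the user > responsibility > function hierarchy, evaluate SOD policies, then re-run the evaluation on a what-if copy with “Payments” removed from a Payables responsibility and diff the two results. Users, responsibilities, functions and policies are all constructed for the example.

```python
# Constructed sample snapshot (not from the deck): user -> responsibilities,
# responsibility -> functions reachable through its menus, and SOD policies.
USER_RESPS = {
    "jsmith": {"Payables Manager", "Purchasing Buyer"},
    "mlee": {"Payables Manager"},
    "akhan": {"Payables Clerk", "Purchasing Buyer"},
}
RESP_FUNCTIONS = {
    "Payables Manager": {"Invoices", "Payments", "Suppliers"},
    "Payables Clerk": {"Invoices", "Payments"},
    "Purchasing Buyer": {"Purchase Orders", "Suppliers"},
}
# Each policy names two functions that one person must not hold together.
POLICIES = {
    "Enter invoice vs. pay invoice": ("Invoices", "Payments"),
    "Create supplier vs. pay invoice": ("Suppliers", "Payments"),
}

def violations(resp_functions, user_resps=USER_RESPS, policies=POLICIES):
    """Policy -> responsibility -> users in violation (the demo's drill-down)."""
    result = {}
    for user, resps in user_resps.items():
        # Flatten the menu hierarchy: every function this user can reach.
        reachable = {f for r in resps for f in resp_functions.get(r, ())}
        for policy, (a, b) in policies.items():
            if a in reachable and b in reachable:
                # Attribute the conflict to each responsibility contributing a side.
                for r in resps:
                    if resp_functions.get(r, set()) & {a, b}:
                        result.setdefault(policy, {}).setdefault(r, set()).add(user)
    return result

def simulate_remove(resp, function, resp_functions=RESP_FUNCTIONS):
    """What-if: drop a function from one responsibility on a copy of the snapshot."""
    scenario = {r: set(fs) for r, fs in resp_functions.items()}
    scenario[resp].discard(function)
    return violations(scenario)

def impact(before, after):
    """Per policy: users cleared by the change and users still in violation."""
    def users(v):
        return {p: set().union(*r.values()) for p, r in v.items()}
    b, a = users(before), users(after)
    return {p: {"cleared": b[p] - a.get(p, set()), "remaining": a.get(p, set())}
            for p in b}
```

The live snapshot is never modified; the scenario copy is what gets evaluated, which is the point of simulating before touching the responsibility.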
A2) Not impressed yet?
In addition it is possible to establish preventive control directly within Oracle EBS, to ensure the User Administrators follow your business rules.
Control Area: Access control after go-live + SOD
Considerations:
• Company XYZ assigns responsibilities to users after employment without considering restricted access and segregation of duties issues.
Potential Pitfall with Oracle Implementation:
• Segregation Of Duties and restricted access rules are not enforced at the time of responsibility assignment.
• Even after extensive clean-up effort, additional violations can be created without active enforcement.
GRC Improvement Options:
• Prevent and report on potential access and segregation of duty violations based on the risks identified.
Action: Remove the end date and hit Initiate Conflict Analysis
Action: Review the conflicts
A3) Lessons learned from Implementation Projects
It may happen that:
• Business claims that access is an IT problem?
• You got lost when managing 40,000 functions by using standard reports?
• Guidelines from business on what functions are “critical” are missing?
You might consider:
• Focusing on Core Functions – Less is more!
• Asking your business what they always wanted to know / restrict!
• Having a look at your last audit report.
B1) Lack of Control over Transactions and Master Data
Override of default values on transaction level is one of the Oracle EBS characteristics. Also ex-post changes / amendments to transactions are possible.
Diagram: System Default → Process Default (e.g. on organisation level or in transaction types) → Override → Value in Transaction
Examples:
• Override: Tax Codes override in invoices; Asset Category defaults overrides
• Transaction Changes: Changes to posted journal texts; Amendments to posted invoices
Not surprisingly this leads to findings and compliance issues within our audits.
B2) How GRC Controls can help to close the Controls and Compliance Gaps - Transaction Controls
In the past, extensive forms customizations or manual controls were used to ensure that defaults were not changed or that non-required fields of the EBS standard were filled consistently.
Now you can apply check rules which are stored in a central repository.
B2) How GRC Controls can help to close the Controls and Compliance Gaps - Transaction Controls
The following demonstration will show
How Form / Flow Rules can do the following:
− Apply uppercase restriction on Vendor Name for data consistency
− Enforce supplier Tax ID field which is not a required field in Oracle
− Apply format mask (999-99-9999) to supplier Tax ID for data consistency
− Create custom LOV for field SIC Industry Code
Action: Create new vendor
UPPERCASE is enforced
Field “Taxpayer ID” is highlighted as a required field
Action: Try to enter an invalid Tax ID format
Save message “Field must be of format ...” is triggered by “Transaction Controls”
Action: Enter required Tax ID
Form creates red lettering as ID is entered
Action: Form Rule applies formatting 999-99-9999
Action: Setup Form Rule to require Tax ID field on Vendor record, formatted correctly
UPPERCASE will be enforced on Vendor Name
Action: Navigate to Classification tab
View Custom LOV for SIC (Standard Industry Code)
Action: Select a custom SIC
Setups: Create custom LOV for SIC code field
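As an added example (not the deck's or Oracle's code), the four Form Rules demonstrated above expressed as a save-time validator over a supplier record: uppercase Vendor Name, Taxpayer ID made mandatory, the 999-99-9999 format mask, and a custom LOV for the SIC code. The SIC values and the reformatting of a bare nine-digit Tax ID are assumptions made for the example.

```python
import re

# Constructed custom LOV for the SIC classification field (values are not the deck's).
SIC_LOV = {"7371": "Computer programming services", "8742": "Management consulting"}
TAX_ID_MASK = re.compile(r"^\d{3}-\d{2}-\d{4}$")  # the 999-99-9999 format mask


def apply_form_rules(vendor):
    """Evaluate the demo's Form Rules against a supplier record (a dict).

    Returns (normalised_record, errors). An empty error list means the save
    would go through; otherwise each entry is a message that blocks the save.
    """
    record = dict(vendor)
    errors = []
    # Rule 1: uppercase restriction on Vendor Name (normalised, not rejected).
    name = (record.get("vendor_name") or "").strip()
    if not name:
        errors.append("Vendor Name is required")
    record["vendor_name"] = name.upper()
    # Rule 2: Taxpayer ID is optional in standard EBS; the rule makes it mandatory.
    tax_id = (record.get("taxpayer_id") or "").strip()
    if not tax_id:
        errors.append("Taxpayer ID is required")
    elif TAX_ID_MASK.match(tax_id):
        record["taxpayer_id"] = tax_id
    elif tax_id.isdigit() and len(tax_id) == 9:
        # Rule 3 (assumption): a bare nine-digit entry is reformatted to the mask.
        record["taxpayer_id"] = f"{tax_id[:3]}-{tax_id[3:5]}-{tax_id[5:]}"
    else:
        # Rule 3: anything else fails the mask and blocks the save.
        errors.append("Field must be of format 999-99-9999")
    # Rule 4: SIC code, if entered, must come from the custom list of values.
    sic = record.get("sic_code")
    if sic is not None and sic not in SIC_LOV:
        errors.append(f"SIC code {sic!r} is not in the custom list of values")
    return record, errors
```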
B2) How GRC Controls can help to close the Controls and Compliance Gaps - Transaction Controls with Approval Workflow
Control Area: Inventory Items
Considerations:
• Company XYZ reviews new Inventory Items.
Potential Pitfall with Oracle Implementation:
• Creation / update of new Inventory Items are not monitored.
• New inventory Items are not approved.
• Required fields are not entered.
GRC Improvement Options:
• Detective control: Notifications given of new inventory items based on conditions.
• Preventive control: Field entry can be enforced based on other conditions.
• Preventive control: Approval process for the creation of new items.
B2) How GRC Controls can help to close the Controls and Compliance Gaps - Approval workflow with flow rules
The following demonstration will show
• How Form / Flow Rules can notify the Purchasing department that:
− A new inventory item is created as a “Buy” item, where the Buyer field is null
− The notification must be completed before further approval of the item
Action: Leave Default Buyer field blank
Action: Inventory Item with Buyer null generates an email
Action: Email generated based on Flow rule process; select the “Completed” button
Action: Selecting the “Completed” button creates a Constraints Failed status Notice that cannot be cleared until the Buyer field is filled (not null)
Action: Enter value “Stock, Ms. Pat” for Buyer
Action: Reopen Constraints Failed notice; select Completed to finally clear the notice
Setup: Create a Flow Rule to control Workflow and notifications when an Item is created as a “Buy” item
B3) What are the Advantages of Flow Rules compared to Forms Customizations?
Flow rules:
• No impact on the EBS Standard process. Fewer issues when you upgrade your release.
• All rules in one repository with speaking descriptions. You know what you did and why.
• You can have approval workflows for almost whatever you want without losing too much flexibility.
Forms Customization:
• Some Customization changes the Standard – Will you know which one in 5 years?
• Oh! – Something was done to that form, let me see...
• You might print out, sign off, file, extract population, hand over to auditor for sampling, receive sample, search for signed printouts, have exceptions....
B3) Three good reasons to start with flow rules even if control is not your primary concern
Flow rules:
• No impact on the EBS Standard process. Fewer issues when you upgrade your release.
• All rules in one repository with speaking descriptions. You know what you did and why.
• You can have approval workflows for almost whatever you want without losing too much flexibility.
Solutions:
• Keep text fields from update when the Journal is posted.
• Keep AR invoice distributions from being changed after being posted to GL.
• Restrict new Lines / Distributions to the GL date if one line was already posted to GL.
B3) Lessons learned from Implementation Projects
It might happen that:
• “Yes, now we can do it all!”
• Followed by “Which Rule keeps me from working today?”
• “I like my paper and my auditor requires it!”
You might consider:
• Ask your business what manual fixes are required on a daily basis – make quick wins.
• Focus on core functions – Less might be more.
• Have a look at your audit reports.
• Have an early and open discussion on legal requirements.
C) Overall Value Proposition
AREA / ORACLE GRC CAPABILITY / BUSINESS VALUE
PROCESS
• Automate more manual procedures → Lower transaction cost
• Lower transaction processing time → Lower transaction cost
• Improve transaction processing accuracy → Lower transaction cost
PEOPLE
• Refocus your people to higher value tasks → Improved people experience; Improved customer experience
• Business process ownership → Restore business process ownership
TECHNOLOGY
• Tailor the system to your business needs without customizing the application → Low cost of development; Lower cost and risk with applying Oracle patches
• Improve IT change management procedures → Lower risk of IT changes
COMPLIANCE
• Automate more control procedures → Lower cost of control execution; Lower cost of control testing
• Dashboard reporting → Identify risks timely
Your Contacts at PwC in Munich
Alexander Götz: [email protected]
Daniela Geretshuber: [email protected]
Thank you for your time !
© 2010 PricewaterhouseCoopers. All rights reserved. “PricewaterhouseCoopers” refers to the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.