kishore anjur - grc value proposition

Upload: salah-toubib

Post on 08-Jan-2016


DESCRIPTION

Kishore Anjur - GRC Value Proposition

TRANSCRIPT

  • Oracle GRC value proposition on Segregation of Duties challenges

    Kishore Anjur, KPMG LLP, IT Advisory

    ADVISORY

    August 21, 2009

  • Agenda

    Segregation of Duties Overview

    Understanding the Drivers

    SoD Process

    Mitigate the impact of a SoD risk

    Requirement for Automated SoD Solution

    Considerations of SoD

    Oracle SoD Model

    Overview of the tool

    Oracle GRC solution

    Key Success Factors

    2009 KPMG LLP, a US member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss cooperative.

  • Topic: Oracle GRC value proposition on Segregation of Duties challenges

    Segregation of Duties (SoD) has become an increasingly important risk-management requirement for today's CEOs and CFOs. Separating financial functions across individuals has always been good business practice for reducing the risk of fraud and checking the accuracy of financial transactions. However, as an enterprise's user base grows, its financial systems become more complex and the enterprise is forced to create an increasing number of manual controls; maintaining effective SoD efficiently and at a reasonable cost is becoming significantly more challenging.

  • What is Segregation of Duties?

    The prevention of occupational fraud in the form of asset misappropriation and intentional financial misstatement.

  • SoD Objective

    A fundamental concept of internal control is the segregation of certain key duties. The basic idea underlying SoD is that no employee or group of employees should be in a position both to perpetrate and to conceal errors or fraud in the normal course of their duties. The principal incompatible duties to be segregated are:

    Initiate transaction

    Approve transaction

    Record transaction

    Reconcile balances

    Handle assets

    Review reports

  • Understanding Drivers - Common SoD Risks

    SoD risk areas: Management, Procurement, T&E, Payroll

    Earnings management

    Improper management override

    Improper expense capitalization

    Excessive management override

    Fictitious vendors

    Fictitious/inflated invoices

    Duplicative purchases (e.g., P-Card)

    Improper P-Card purchases

    Structured payments

    Unauthorized/unapproved purchases

    Conflicts of interest and reimbursement schemes

    Unauthorized vendors

    Unauthorized expenditures

    Excessive spending

    False/inflated reimbursement requests

    Purchases for personal use

    Duplicate purchasing and reimbursement

    Ghost employees

    Inflated salaries

    Inflated hours

    Improper supplemental payments

    Improper incentive compensation

    Excessive overtime

    Excessive supplemental payments, bonuses, incentive compensation

  • Source for SoD conflicts

    Potential sources for SoD conflicts:

    Production support team excessive access

    Generic user names

    No defined segregation of duties policies

    Preventative or detective controls to enforce SoD principles

    No standard reports to identify SoD conflicts

    System Administrator accounts with seeded passwords

    Relying on custom reports to address SoD issues

    Turn off Auditing capture feature due to concern on database size

    No defined exception reports for security exceptions or incidents

  • Source for ERP SoD conflicts

    Oracle: Excessive access through seeded responsibilities; Workflow approvals not enforced; Manual 3-way match by same user

    PeopleSoft: Operator Preferences as extension of security features; Access allowing Correction mode

    JDE: User level permissions override group level permissions; Users who enter Journal entry can also approve
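Two of the ERP conflict sources above (a manual 3-way match completed by one user, and a journal entry approved by the user who entered it) can be checked with detective queries over the ERP's transaction tables. The following is an added example, not code from the slide deck, Oracle GRC or KPMG; the table layout, column names and rows are constructed for the demo and the queries run against an in-memory SQLite copy.

```python
"""Detective SoD queries for two ERP conflict sources: a purchase-to-pay
three-way match (PO entry, receipt, invoice match) completed by a single user,
and journal entries approved by the user who entered them. Added example,
not Oracle GRC or KPMG code; tables, columns and rows are constructed."""
import sqlite3

# Constructed purchase-to-pay events; each leg of the 3-way match records who did it.
PURCHASE_ORDERS = [("PO-1001", "alice"), ("PO-1002", "bob"), ("PO-1003", "carol")]
RECEIPTS = [("PO-1001", "alice"), ("PO-1002", "dave"), ("PO-1003", "carol")]
INVOICES = [  # (invoice_id, po_number, matched_by)
    ("INV-501", "PO-1001", "alice"),  # all three legs by alice: full SoD conflict
    ("INV-502", "PO-1002", "bob"),    # bob entered the PO and matched the invoice
    ("INV-503", "PO-1003", "erin"),   # carol entered the PO and received; erin matched
]
JOURNALS = [  # (journal_id, entered_by, approved_by)
    ("JE-1", "frank", "frank"),          # self-approved
    ("JE-2", "frank", "grace"),          # approved by someone else
    ("JE-3", "SYSADMIN", "SYSADMIN"),    # generic account approving its own entry
]

# Counts how many of the three legs (PO entry, receipt, invoice match) share a
# user: 3 means one person did the whole match, 1 means two legs overlap,
# 0 means three different people. The parameter selects which class to return.
P2P_SAME_USER_LEGS = """
SELECT invoice_id, po_number, user_name, shared_legs FROM (
  SELECT i.invoice_id, po.po_number,
         CASE WHEN po.entered_by IN (r.received_by, i.matched_by) THEN po.entered_by
              ELSE r.received_by END AS user_name,
         (po.entered_by = r.received_by) + (po.entered_by = i.matched_by)
           + (r.received_by = i.matched_by) AS shared_legs
  FROM invoices i
  JOIN purchase_orders po ON po.po_number = i.po_number
  JOIN receipts r ON r.po_number = i.po_number
)
WHERE shared_legs = ?
ORDER BY invoice_id
"""

# Journal entry approved by the same user who entered it.
JOURNAL_SELF_APPROVAL = """
SELECT journal_id, entered_by
FROM journals
WHERE entered_by = approved_by
ORDER BY journal_id
"""


def load_demo_db():
    """Build the in-memory demo tables and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE purchase_orders (po_number TEXT PRIMARY KEY, entered_by TEXT NOT NULL);
        CREATE TABLE receipts (po_number TEXT NOT NULL, received_by TEXT NOT NULL);
        CREATE TABLE invoices (invoice_id TEXT PRIMARY KEY, po_number TEXT NOT NULL,
                               matched_by TEXT NOT NULL);
        CREATE TABLE journals (journal_id TEXT PRIMARY KEY, entered_by TEXT NOT NULL,
                               approved_by TEXT NOT NULL);
    """)
    conn.executemany("INSERT INTO purchase_orders VALUES (?, ?)", PURCHASE_ORDERS)
    conn.executemany("INSERT INTO receipts VALUES (?, ?)", RECEIPTS)
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)", INVOICES)
    conn.executemany("INSERT INTO journals VALUES (?, ?, ?)", JOURNALS)
    return conn


def find_three_way_match_conflicts(conn):
    """Invoices where PO entry, receipt and invoice match were all done by one user."""
    return conn.execute(P2P_SAME_USER_LEGS, (3,)).fetchall()


def find_partial_overlaps(conn):
    """Invoices where two of the three legs share a user (review candidates)."""
    return conn.execute(P2P_SAME_USER_LEGS, (1,)).fetchall()


def find_journal_self_approvals(conn):
    """Journals entered and approved by the same account."""
    return conn.execute(JOURNAL_SELF_APPROVAL).fetchall()


if __name__ == "__main__":
    db = load_demo_db()
    print("3-way match by same user:", find_three_way_match_conflicts(db))
    print("two legs by same user:", find_partial_overlaps(db))
    print("journal entered and approved by same user:", find_journal_self_approvals(db))
```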

  • SoD Analysis Process

    Role: SoD Analyst

    Start: Identify financially significant business processes.

    Source Data: Obtain source data with users and their security information.

    SoD Rules: Design the SoD rules based on key responsibilities in collaboration with the business process owner.

    SoD conflict matrix: Create a SoD conflict matrix by application and by function.

    Reports: Establish a process to analyze the users and security data against the SoD rules (Oracle GRCC suite or custom SoD tool). Submit SoD reports to the process owner: by business process, by department, by manager; if a new user is in conflict, provide the hire date/access granted date.

    Reduce the risk: Identify compensating controls; identify mitigating controls.

    Remediation: Scale down excessive access; monitor new user access.

    Retest: Rerun the analysis by effecting the remediation.

    Stabilize the process: Establish policies and procedures to continually monitor to detect segregation of duties conflicts and continue to perform SoD analysis.

    SoD Analysis Lifecycle triggers: New project; change (locations, roles, etc.); forgotten password.
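The analysis steps above (rules, source data, conflict detection, reports by department and manager, new-user flagging, and netting out conflicts covered by a compensating or mitigating control) as an added worked example; this is not KPMG or Oracle GRC code, and the rule ids, responsibilities, users, dates and the control register are constructed for the demo.

```python
"""SoD analysis of user/security source data, following the process on the
slide: rules of incompatible duties, responsibilities mapped to duties, users
checked against the rules, reports grouped by department and manager, new
users flagged with their access-granted date, and residual risk after
documented mitigating controls. Added example, not KPMG or Oracle GRC code;
rule ids, responsibilities, users and dates are constructed."""
from collections import defaultdict
from datetime import date

AS_OF = date(2009, 8, 21)  # analysis date (constructed)

# Incompatible duty pairs built from the six principal duties on the
# SoD Objective slide; the rule ids are constructed.
SOD_RULES = {
    "R01": ("Initiate transaction", "Approve transaction"),
    "R02": ("Initiate transaction", "Record transaction"),
    "R03": ("Record transaction", "Reconcile balances"),
    "R04": ("Handle assets", "Record transaction"),
    "R05": ("Handle assets", "Reconcile balances"),
}

# Constructed security model: which duties each responsibility grants.
# SYSTEM_ADMINISTRATOR stands in for a seeded responsibility with excessive access.
RESPONSIBILITY_DUTIES = {
    "AP_INVOICE_ENTRY": {"Initiate transaction"},
    "AP_INVOICE_APPROVAL": {"Approve transaction"},
    "GL_JOURNAL_ENTRY": {"Record transaction"},
    "GL_RECONCILIATION": {"Reconcile balances"},
    "CASH_DISBURSEMENT": {"Handle assets"},
    "FIN_REPORT_VIEWER": {"Review reports"},
    "SYSTEM_ADMINISTRATOR": {"Initiate transaction", "Approve transaction",
                             "Record transaction", "Reconcile balances",
                             "Handle assets", "Review reports"},
}

# Constructed source-data extract: users with their security information.
USERS = [
    {"user": "alice", "department": "Accounts Payable", "manager": "mike",
     "responsibilities": ["AP_INVOICE_ENTRY", "AP_INVOICE_APPROVAL"],
     "access_granted": date(2009, 3, 2)},
    {"user": "bob", "department": "Accounts Payable", "manager": "mike",
     "responsibilities": ["AP_INVOICE_ENTRY", "FIN_REPORT_VIEWER"],
     "access_granted": date(2008, 11, 17)},
    {"user": "carol", "department": "General Ledger", "manager": "nina",
     "responsibilities": ["GL_JOURNAL_ENTRY", "GL_RECONCILIATION"],
     "access_granted": date(2009, 8, 10)},
    {"user": "PRODSUPPORT", "department": "IT", "manager": "omar",  # generic account
     "responsibilities": ["SYSTEM_ADMINISTRATOR"],
     "access_granted": date(2007, 1, 15)},
]

# Documented controls keyed by (user, rule). The daily A/P manager review of
# payment approvals against approver limits is the compensating control from the deck.
MITIGATING_CONTROLS = {
    ("alice", "R01"): "Daily A/P manager review of payment approvals and approver limits",
}


def duties_of(responsibilities):
    """Map each duty the user holds to the responsibilities that grant it."""
    sources = defaultdict(set)
    for resp in responsibilities:
        for duty in RESPONSIBILITY_DUTIES.get(resp, ()):
            sources[duty].add(resp)
    return sources


def analyze(users, as_of=AS_OF, new_user_days=90, controls=MITIGATING_CONTROLS):
    """Run every user against every rule; one finding per (user, rule) hit."""
    findings = []
    for u in users:
        sources = duties_of(u["responsibilities"])
        for rule_id, (duty_a, duty_b) in sorted(SOD_RULES.items()):
            if duty_a in sources and duty_b in sources:
                findings.append({
                    "user": u["user"], "department": u["department"],
                    "manager": u["manager"], "rule": rule_id,
                    "duties": (duty_a, duty_b),
                    "via": (sorted(sources[duty_a]), sorted(sources[duty_b])),
                    "access_granted": u["access_granted"].isoformat(),
                    "new_user": (as_of - u["access_granted"]).days <= new_user_days,
                    "mitigated_by": controls.get((u["user"], rule_id)),
                })
    return findings


def count_by(findings, key):
    """Report view: number of conflicts per department, manager, rule, ..."""
    counts = defaultdict(int)
    for f in findings:
        counts[f[key]] += 1
    return dict(counts)


def residual_risk(findings):
    """Conflicts with no documented compensating or mitigating control."""
    return [f for f in findings if f["mitigated_by"] is None]


if __name__ == "__main__":
    found = analyze(USERS)
    print("by department:", count_by(found, "department"))
    print("by manager:", count_by(found, "manager"))
    for f in residual_risk(found):
        flag = f" (NEW USER, access granted {f['access_granted']})" if f["new_user"] else ""
        print(f"{f['user']}: {f['rule']} {f['duties']} via {f['via']}{flag}")
```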

  • SoD Conflict Matrix

    Example of SoD conflict matrix for cross applications

    In-Scope Applications / Cross Application considerations

    Applications in the matrix (row and column headers): JD Edwards, Oracle/FDR, MG, ALFA, ARC Val, LifeMaster / Polysystems, Triton, Charles River, PAM-Security, Pam-Mortgage, TAI, AS/400 Homegrown, Admin Server, FASAT, Life 70 (ISA and AML), Life 70 (Quincy), Vantage One (Quincy), CAPSIL, Ingenium, Death Claim System, Ceridian - HRIS and Payroll, Annuity Payout System (APS), Individual Claims System (ICS), Interest Rates, LPS, TLS

    Matrix rows as extracted (each row's cells listed left to right):

    Pam-Mortgage: Y

    AS/400 Homegrown: Y

    Admin Server: N N

    FASAT: Y N N

    Life 70 (Des Moines): Y N N N

    Life70 (Quincy): N N N N N/A

    Vantage One (Quincy): N N N N N N/A

    CAPSIL: Y n/a N N N N N

    Ingenium: Y n/a N N N N N N

    Death Claim System: Y N N N N N N N N

    Ceridian - HRIS and Payroll: Y N N N N N N N N N

    Annuity Payout System (APS): N Y N N N N N N N N N/A

    Individual Claims System (ICS): N Y N N N N N N N N N N

    Interest Rates: N N N N N N N N N N N N N

    LPS: Y N N N N N N N N N N N N N

    TLS: Y N N N N N N N N N N N N N N

    Legend: Y = Valid cross application; N = Not a valid cross application combination; N/A = Cross application conflict is not possible

  • Reduce Residual SoD Risk

    Compensating controls: operate at the same level as the key control and eliminate the complete risk.

    Ex: On a daily basis the A/P Manager compares all payment requests to ensure an appropriate cost center manager has approved the invoice and that the approver is within his/her established limits.

    Mitigating controls: reduce the impact of the risk partially.

    Ex: Suspense account balances are analyzed and reviewed by appropriate personnel for large, old, or unusual items.

    Scale down excessive access

    Create common profiles by considering SoD conflicts

  • Requirement for Automated SoD (GRC) Solutions

    In the current complex business environment, there is an increased focus on adopting innovative ways of assessing and managing Segregation of Duties (SoD) risk while enhancing performance.

    Advances in technology have paved the way for increased use of GRC on organizational processes, transactions, systems and controls.

    Organizations are leveraging technologies to change how they evaluate the effectiveness of controls and monitor performance.

    Integrated GRC approach

    Real-time transaction analysis

    Continuous control monitoring

    Fraud detection

  • Considerations for SoD

    What are the Objectives?

    What analytical functionality is required?

    Where will data come from?

    What are the Focus Areas?

    How will analysis be performed?

    What exception handling is required?

    What reporting do we need? Dashboards?

    What are our infrastructure requirements?

    How are end-users impacted?

  • Oracle SoD (GRC) Overview

  • Overview of the Oracle SoD tool

    Tool background

    The Oracle GRC Solution is relatively new and developed in the past few years. It is based upon the acquisitions of Stellent and LogicalApps. It is comprised of the following modules:

    GRC Intelligence

    GRC Manager (previous Stellent solution)

    GRC Controls Suite (previous LogicalApps solution)

    Technical architecture

    Oracle GRC is designed to work on an integrated basis within the Oracle stable of products. It operates from an application server attached to the target ERP system, monitoring data at source. Reporting is through email alerts or dashboards. It is designed to integrate with Oracle Applications (EBS, PeopleSoft, JDE, Siebel) as well as other non-Oracle ERP applications (such as SAP, Lawson, etc.).

    Technical requirements

    Application and database server for Stellent, Integra and GRC suite

  • Overview of the Oracle SoD tool

    Recommended use

    Environments where the target ERP is Oracle E-Business Suite or PeopleSoft

    Real time, preventative controls for segregation of duties (SoD), data change management and configuration management

    Continuous monitoring and continuous audit rather than point in time snapshots; monitoring occurs in real time, not using data extracts

    Where removing data from the client site causes security problems

    Larger companies

    Case studies: Oracle provides two case studies from their Governance, Risk and Compliance Solution Space:

    Unum Provident

    Centro Properties Group

    http://launch.oracle.com/?GRC5

  • Functionality of the Oracle SoD tool components

    GRC Intelligence: Prebuilt, role-based dashboards and KRIs; Tailored GRC diagnostics for business processes and roles; Heterogeneous data integration; Leverage a single source of GRC information across organizations, departments and locations; Library of OOTB reports spanning the overall GRC process

    GRC Manager: Reduce cost and complexity by managing multiple global mandates with one system; Rely on tamper-proof chain of evidence for all financial compliance processes; Align policies and processes with better practice risk and control frameworks; Perform control automation configuration and administration; Manage control automation for business processes; Use test plans and report control effectiveness

    GRC Controls Suite: Briefed in the next slides

  • GRCC Overview

    GRC Controls Suite:

    Application Access Controls Governor (AACG)

    Configuration Controls Governor (CCG) (Integra Apps)

    Transaction Controls Governor (TCG) (Integra Apps)

    Preventive Controls Governor (PCG)

    GRC Platform

    Oracle E-Business Suite

  • Oracle GRC Controls (GRCC) components

    GRCC Platform - GRC Controls Management Features: Reduce risk of fraud with continuous monitoring of automated controls; Enforce effective preventive and detective controls across all systems; Control user access and enforce segregation of duties with business driven rules

    AACG, Application Access Control Governor: SoD solution

    TCG, Transactional Control Governor: Suspect tracing on key transactions

    CCG, Configuration Control Governor: Setup changes tracing

    PCG, Preventive Control Governor: Compensating control for AACG

  • How to Enable the GRCC SoD process

    Role: SoD Analyst

    Start: Create GRC users: Admin (SoD super user); View only (Auditor); Approver (SoD approver)

    Configure Control Library: Define elements; Define attributes; Define workflow process

    AACG: Design new SoD rules; Upload SoD rules from Excel; Enable GRC default SoD rules; Define workflow rules

    Identify SoD focus area; Analyze the reports; Finalize conflict rules

    Process Reports: Ad-hoc reports; Schedule reports

    TCG: Define transaction controls (SQL); Define task approval; Define suspects

    PCG: Form rules; Flow rules; Audit rules; Change control rules

    CCG: Who, What, When

    GRC Intelligence: Ad-hoc reports; Schedule reports

    Remediation: Scale down excessive access; Monitor new user access

    Retest: Rerun the analysis by effecting the remediation and continue to perform SoD analysis

    SoD Analysis Lifecycle triggers: New project; change (locations, roles, etc.); forgotten password

  • GRC Intelligence Interactive Dashboard (Sample output)

  • GRC Intelligence Controls Summary (Sample output)

  • GRC Intelligence Risk Mitigation (Sample output)

  • GRC Intelligence SoD Analysis (Sample output)

  • Oracle GRC Potential benefits

    Incorporated within the Oracle E-Business Suite/PeopleSoft/JD Edwards/Siebel stable of products

    Leverages a single source of GRC information across departments, locations, and business units

    Improves risk responsiveness with timely control and performance diagnostics

    Tailor GRC dashboards to specific needs of a role or organization

    Designed to prevent, rather than detect

    Reduce cost and complexity by managing multiple regulatory mandates with one system

    Rely on tamper-proof chain of evidence for all compliance processes

    Control user access and enforce segregation of duties with business-driven rules

    Reduce risk of fraud with continuous monitoring of automated controls

    Provides deeper insight into SoD areas of risk and opportunity, while strengthening governance structures

  • Key Success Factors of GRC project

    Senior executive support: Executive involvement at all stages of the project including opportunity identification, selection, prioritization and sign-off; Clear GRC leadership roles to drive cultural change; Identification of control owners to report failures, escalate issues, etc.

    Technology tools and experienced resources: Fact-based approach to identification, quantification and prioritization of GRC opportunities; Selection of appropriate GRC tools to contain costs and speed up communication; Experienced staff who can commence fieldwork immediately

    Established approach to GRC: Global continuous monitoring framework and approach; Identification of key control check points; Methodology emphasizes SoD risk and continuous improvement

    Well planned approach: Detailed project initiation and work plan documents; Knowledge of linkage to enterprise risk exposures; Organization's risk profile is fundamental to the assessment and design of the GRC solution

    Organizational alignment: Incorporation of key line management within the GRC project; Partnering with team members to help enable knowledge transfer; Senior industry and functional practitioners

  • KPMG IT Advisory Service Overview

    Service areas: Business Systems; Security; Strategic; Attestation; Enterprise

    Application Strategy

    Systems Implementation Review

    Configurable Control Assessment

    Access and SoD assessment

    Business Process/Systems Optimization Review

    Master Data Management

    Security Strategy

    Information Governance and Privacy

    Identity and Access Management

    Security Vulnerability Management

    Enterprise Resiliency and Business Continuity

    Payment Card Industry (PCI)

    IT Project Management Office (PMO)

    IT Strategy, Governance, and Performance

    Sourcing (off/onshore) and Shared Services

    Post-Merger IT Integration

    Business Intelligence

    Vendor and systems selection

    Audits of third-party services providers (SAS 70)

    IT internal audit

    WebTrust/SysTrust

    FISAP (Financial Institutions Shared Assessments Program)

  • Q&A

  • Presenter contact details

    Kishore Anjur

    KPMG LLP, (847) 749-5234

    [email protected]

    www.kpmg.com

    Additional Contributions: Chris Hambach and Tim Gavin

    The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

    2008 KPMG LLP, a U.S. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved.