Leverage Technology:
Move Your Business Forward™
July 19th, 2013
Adil Khan
Copyright ©. Fulcrum Information Technology, Inc.
Life After ERP Go-Live: Navigating to Nirvana
Learn how leading organizations are utilizing Advanced Controls to make systematic improvements in their ERP systems to achieve expected benefits of ERP systems
www.fulcrumway.com Page 2 Copyright © FulcrumWay
Agenda
Introduction
ERP Go-Live Opportunities and Risks
Advanced Controls Overview
Business Application Controls
Access Controls
Transaction Controls
Configuration Controls
Advanced Controls Examples
Q&A
Introduction
FulcrumWay: Intelligent, Integrated, Instant Risk Management™
FulcrumWay is the #1 End-to-End Provider of Enterprise Risk Management Expertise, Solutions and Software Services for Oracle EBS, PeopleSoft and JDE customers with over 200 Fortune-500 to Middle Market clients. Since 2003, we have successfully assisted companies across all major industry segments.
Expertise: Risk Advisory Services. Advanced Controls Design for Enterprise Business Applications. Best Practices for Risk Mitigation and Internal Controls Automation. Audit, Compliance, Financial, Enterprise and Operational Risk Assessments. Risk Remediation Services such as Segregation of Duties.
Packaged Solutions: FulcrumWay is the #1 choice of Oracle customers for Oracle GRC Manager, GRC Controls and GRC Intelligence/OBIEE software implementation. Oracle has certified us as the only partner with Accelerators for Oracle GRC. We also provide Managed Services and Hosting for Oracle GRC applications.
Software Services: Risk Management Tools: Enterprise Risk Manager, Financial Risk Manager, Risk Based Audit Manager, IT Risk Workbench, and Advanced Controls Catalog. Data Management Tools: Rules Repository, DataProbe and Data Hub for Intelligent, Integrated, and Instant Risk Management.
USA Presence: Privately held Delaware Corporation with US offices in New York City, Dallas and San Francisco.
International Presence: Chennai, Dubai, Kampala, London, Rome, Santiago, Singapore.
Our Experience: FulcrumWay Clients
Industries: Government, Oil and Gas, Healthcare, Communications, Financial Services, Industrial Equipment, Natural Resources, Manufacturing, Retail, High Tech, Media and Entertainment, Life Sciences
Our Experience: Thought Leadership
FulcrumWay™ Insight
Co-Authored GRC Book: First book on GRC for Oracle Applications
Executive Round Tables – GRC Solutions for Energy Industry, Houston, November 2012
OAUG GRC Solution Lab – April 7th – 11th, Denver: GRC Case Studies and Best Practices
IIA – Presentations – Top Five Reasons for Automating Application Controls
Collaborate 13 – GRC Client Appreciation Dinner, April 9th, 2013, Denver
Webcasts – GRC Best Practices, Trends and Expert Insight
Oracle Open World – Annual GRC Dinner on September 23rd, 2013, W Hotel San Francisco
LinkedIn – FulcrumWay Risk, Compliance and Audit Software Group
YouTube Podcasts – FulcrumWay Instant Insight in 10 min or less
Overview: FulcrumWay Enterprise Risk Management Services
[Diagram: Intelligent, Integrated, Instant. Labels as extracted:]
Business Rules Repository - Advanced Application Controls
Financial Controls: (GL, AP, AR, FA, CM)
Distribution Controls: (OM, INV, WMS, PO)
Supply Chain Controls: (ENG, QP, WIP, BOM)
HCM/HR Controls: (HR, PR)
Financial Close Management; Operations Management
Task Monitor; Variance Analytics; Reconciliation Analytics
Enterprise Risk Monitors
Risk Assessment; Enterprise Survey; Key Risk Indicators
Risk Based Audit Management
Enterprise Audit Manager; Audit Planner; Controls Verification; Compliance Certification
GRC Monitor – Enterprise Data Security
Access Monitor; Configuration Monitor; Incident Monitor; Database Vulnerabilities
Master Data Monitor; Control Analytics; Incident Monitor
FulcrumWay Core Technologies: DataProbe, DataHub, Monitors, Rules Repository, Rules Engine, Transmitters
ERP Go-Live: Opportunities vs. Risks
Source: The Conference Board Survey interviewed executives at 117 companies that attempted ERP implementations:
Source: APICS The Association for Operations Management, 2011
The ERP application was implemented successfully. Unfortunately, desired benefits are not being realized!
Inventory and expenses are increasing while customer service and productivity are dropping due to new bottlenecks.
Too many “work-arounds”. Users not fully trained and working outside the system.
Auditors’ findings on Segregation-of-Duties and Application Controls require a remediation plan. We don’t have the resources for it.
Need to build custom BI dashboard and reports to alert management of master data changes and transactions outside the tolerance levels.
Top management wants to see the ROI promised to the board.
ERP collects, manages and distributes information across functional boundaries and helps break down information “silos”—those barriers that stand in the way of full cooperation between production, materials, planning, engineering, finance and sales/marketing.
The resulting higher quality, reduced time-to-market, shortened lead times, higher productivity and lowered costs can help improve customer service and increase sales and market share as well as margins.
Reality of ERP Implementation:
Get it In
Get it Working
Get Alignment
Change the Game
ERP Go-Live: Mitigate and Control Risks
Control areas: SOD & Access, Application Configuration, Transaction Monitoring, Preventive
Enforce Policies in Context: What users can do; How is the process set up; How users execute processes
Monitor Control Effectiveness: What users have done; What’s changed in the process; What are the execution patterns
GRC components: GRC Manager, GRC Intelligence, GRC Controls
Preventive Controls: Embed Controls Natively in Enterprise Apps
• Produce audit trail of change and approval history
• Initiate appropriate approval workflow in response to proposed modifications
• Enforce preventive controls for specific users and events natively within enterprise application
Prevention (diagram labels): Define Preventive Controls; Prevent Read or Write Access; Initiate Approval Workflow; Enforce Field Validation; Review Audit Reports
Access Controls: Enforce Proper Segregation of Duties in Applications
• Accelerate deployment and time to value with pre-delivered controls library
• Mitigate risk of privileged user access to enterprise applications with approval workflow and audit trails
• Simplify segregation of duties enforcement with simulation and remediation
Detection and Prevention (diagram labels): Define Access Controls; Access Analysis; Remediation (Clean-up); Preventive Provisioning; Compensating Policies
Transaction Controls: Test integrity of transactions and controls across business processes
• Identify anomalies missed by traditional audit and controls
• Apply Advanced Forensic and Pattern Analysis
• Continuous Monitoring of Controls and Transactions
Detection and Prevention (diagram labels): Define Transaction Controls; Transaction Analytics; Investigate Incidents; Enforce Transaction Controls; Prevent Suspicious Transactions
Configuration Controls: Ensure Integrity of Critical Application Setups
• Tightly control change management to accelerate development and test time
• Track complete audit trails for changes to key configurations
• Achieve consistent application setup and operating standards across multiple instances
Detection and Prevention (diagram labels): Define Configuration Controls; Document or Compare Configurations; Monitor Configuration Changes; Enforce Change Control; Manage Data Integrity
Select ERP Controls
FW Controls Catalog with over 1,000 advanced controls
Select SOD, Master Data, Setup, and Transaction Controls
Risk Assessment
Detect control weaknesses across ERP system to identify business process optimization opportunities
Establish Test Environment
ERP Test environment consists of ERP configurations and data objects
Selected security, setup and data objects are included in the environment
ERP configurations such as 3-way match in payable options, and master data such as Users, Responsibilities, Customers, Invoices, Suppliers, Assets and Payments records, are analyzed for control failure risks
Advanced Controls
Example - Oracle Procure-to-Pay: Procure-to-Pay Controls are Required
[Diagram labels as extracted:]
Business Process Models; Service Oriented Architecture; Corporate Performance Management; Collaboration
Strategic Sourcing & Contract Mgmt; Supplier Collaboration
Spend Categories: Indirect & MRO; Direct Materials; Services
Process steps: Requisition; Purchase Goods / Services; Receive Goods / Services; Invoice; Issue Payments
Settlement; SWIFTNet; Payment Processors; Banks
Control Points
Example - Oracle Procure-to-Pay: Automated Controls for Strategic Sourcing & Contract Mgmt
Are your vendors compliant with trade regulations? Are the vendors blacklisted?
Do you have duplicate suppliers?
Are there inappropriate associations between a vendor and an employee?
Are there frequent changes to Supplier information?
Are you missing critical supplier information?
Is the information valid?
Building an Optimized Control Environment: Preventive Controls
Set of applications that run within Oracle EBS as a component of the GRC Application Suite
Prevent ‘Out of Policy’ activity from occurring, notify & alert key personnel with variances
• Form Rules: Modifies security, navigation, field and data properties
• Flow Rules: Defines & implements business processes
• Audit Rules: Tracks changes to the values of fields in database tables
• Change Control: Regulates changes to the values of fields in EBS forms
EBS Form Rule Capabilities
Capabilities: Set security attributes; Compile lists of values (LOV); Establish navigation paths; Set field attributes; Display messages; Run SQL statements; Define default values for fields; Execute Flow Rule process
• Defines what actions the element performs
• Empowers the user to make changes to EBS forms and processes
Audit Rules Highlights
Document changes to database field values
– Old vs. New Values
– Transaction Type (Insert, Update or Delete)
– User Responsible for Change
– Timestamp
– Audit Report
Change Control Highlights
Ensure Data Integrity
Regulate changes to fields in EBS forms
Set approval and reason code requirements for enforced management
Enable visual attributes to identify controlled fields
Build reason codes to clarify why a change occurred
Embedded Controls Prevent Incidents and Escalation
Prevent Fraud and Errors Before They Occur
• Real-time, automated controls and alerts prevent fraud and errors before they occur
• Controls installed directly into applications and without technical expertise
• Risk of fraudulent data and application changes reduced with approval workflow and audit trails
ERP Roles Manager Overview
Eliminate Root Cause of Access Control Violations in ERP:
• Improve Segregation of Duty controls within mission critical applications
• Reduce ERP implementation and upgrade costs with pre-configured roles
• Lower ERP Total Cost of Ownership by assigning pre-approved Roles
We enable ERP Administrators to:
• Select pre-configured ERP roles from a roles catalog
• Update, Review and Approve Role design changes
• Identify SOD conflicts before the Roles are assigned to Users
ERP Roles Manager Features
Role Manager is an ERP security design tool
Contains a pre-configured catalog of roles which comply with segregation of duty (SOD) policies.
Roles by ERP module and typical access requirements for those modules such as Manager, Supervisor, Clerk, Inquiry, Business Setup and IT Setup.
You can use this tool to view existing role templates and design new roles by easily selecting or deselecting ERP functions/transactions.
Once you complete the roles design, you can send it, using workflows, to pre-assigned reviewers and approvers to finalize the roles.
The role preparers, reviewers and approvers can also assess the SOD control risks before finalizing the roles.
Leverage FW DataProbe/Scripts to load current Roles
Secure Access from fulcrumway.com portal
Access to Roles Manager
Sign in at fulcrumway.com
Select the Access Monitor Icon. Then click on the Maintain Access Roles Tab
Use a “source” role to create a new “target” role. View existing SOD issues with the “source” role. Assign Reviewers and Approvers for the role
Business Case: Comprehensive Transaction Monitors
Detect patterns of heightened risk in business activity
Test against Material Thresholds: Journal Entry > $ threshold; Employee Checks (individual & sum) > $ threshold
Search for Anomalies: PO terms differ from vendor; Sales orders > acceptable $ range
Test Segregation of Duties at Transaction Level: Find invoices and POs entered by same user; Find Invoices entered & approved by same user
Sampling of Transactions: 4th quarter invoices; Days sales outstanding balances
Detect Fraudulent Behavior: PO changes after approval; Duplicate suppliers with same address
Stop Cash Leakage: Find duplicate payments; Payments against cancelled invoices
Embed Contextual / Automated Compensating Controls: Alert on customer transactions over $ threshold; Prevent journals from being entered and posted by same individual
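Several of the transaction monitors listed above (invoices entered and approved by the same user, duplicate payments, payments against cancelled invoices, duplicate suppliers with the same address, and a material threshold test) written as detective checks over constructed records. This is an added example, not FulcrumWay or Oracle code; the record layout, field names and the threshold value are assumptions.

```python
from collections import defaultdict

# Constructed sample records. Field names are assumptions, not an Oracle EBS schema.
SUPPLIERS = [
    {"id": "S1", "name": "Acme Supply", "address": "12 Main St, Dallas TX"},
    {"id": "S2", "name": "ACME Supply Inc", "address": "12 Main St., Dallas, TX"},
    {"id": "S3", "name": "Borealis Ltd", "address": "9 Pier Rd, London"},
]
INVOICES = [
    {"id": "INV-1", "supplier": "S1", "amount": 4200.00, "status": "APPROVED",
     "entered_by": "jdoe", "approved_by": "mlee"},
    {"id": "INV-2", "supplier": "S2", "amount": 980.50, "status": "APPROVED",
     "entered_by": "asmith", "approved_by": "asmith"},
    {"id": "INV-3", "supplier": "S3", "amount": 15000.00, "status": "CANCELLED",
     "entered_by": "jdoe", "approved_by": "mlee"},
]
PAYMENTS = [
    {"id": "PAY-1", "invoice": "INV-1", "amount": 4200.00},
    {"id": "PAY-2", "invoice": "INV-1", "amount": 4200.00},
    {"id": "PAY-3", "invoice": "INV-3", "amount": 15000.00},
    {"id": "PAY-4", "invoice": "INV-2", "amount": 980.50},
]

def normalize_address(addr):
    # Fold case and punctuation so trivially different spellings compare equal.
    return " ".join("".join(c if c.isalnum() else " " for c in addr.lower()).split())

def same_user_entry_and_approval(invoices):
    # Segregation of duties at transaction level: one user both entered and approved.
    return [i["id"] for i in invoices if i["entered_by"] == i["approved_by"]]

def duplicate_payments(payments):
    # More than one payment for the same invoice and the same amount.
    groups = defaultdict(list)
    for p in payments:
        groups[(p["invoice"], round(p["amount"], 2))].append(p["id"])
    return [ids for ids in groups.values() if len(ids) > 1]

def payments_against_cancelled(payments, invoices):
    cancelled = {i["id"] for i in invoices if i["status"] == "CANCELLED"}
    return [p["id"] for p in payments if p["invoice"] in cancelled]

def duplicate_suppliers_by_address(suppliers):
    groups = defaultdict(list)
    for s in suppliers:
        groups[normalize_address(s["address"])].append(s["id"])
    return [ids for ids in groups.values() if len(ids) > 1]

def over_threshold(records, threshold):
    return [r["id"] for r in records if r["amount"] > threshold]

def run_monitors(threshold=10000.00):
    return {
        "sod_same_user": same_user_entry_and_approval(INVOICES),
        "duplicate_payments": duplicate_payments(PAYMENTS),
        "paid_cancelled": payments_against_cancelled(PAYMENTS, INVOICES),
        "duplicate_suppliers": duplicate_suppliers_by_address(SUPPLIERS),
        "over_threshold": over_threshold(INVOICES, threshold),
    }
```

Each hit is a lead for review rather than proof of fraud: a duplicate payment group or a same-user approval still needs the supporting documents checked before it is treated as an incident.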
Business Rules, written in “Plain English”, by Business People – No Coding/Scripting
Configuration Controls
Functionality: What it does for us
Snapshots: Automate time-stamped documentation of key controls across all Oracle Applications modules.
Comparison: Difference Analysis: determine what’s different when problems occur, verify what’s changed after project activity. Monitor consistency of controls across Instances, Versions, Points in Time, Operating Units, and Sets of Books.
Change Tracking: Automate real-time monitoring of key controls in Oracle. Ensure visibility and integrity of controls over a period of time.
Snapshots: Retrieve Configuration Setup Data
Take Snapshots of Configuration Setups
Data is pulled from Oracle Application Tables
Specify constraints to focus on certain tables
Export Values into HTML, PDF, or Excel Formats
Comparison
Change Tracking
Query a change tracker to identify changes across multiple instances.
Select multiple applications to monitor
Query requires Change Tracking Transfer program to run before any data can be collected. (This program transfers change tracking data from the ERP instances to CCG.)
Next Steps: Assess ERP Risks with Analytics
DataProbe™
Summary and Q&A
Thank You! Join us on LinkedIn to view webinar and discussion