The GRC panel “Doing Your ERP Implementation/Upgrade Right with Oracle Advanced Controls Solutions” Session ID: CON8210. Find out how they accelerated and improved their EBS and PeopleSoft implementations, upgrades, module rollouts and patching using Advanced Controls. This is a great opportunity to learn from some of the most experienced Advanced Controls owners around!
Doing Your ERP Implementation/Upgrade Right…with Oracle Advanced Controls Solutions (Panel Discussion, CON8203)
William Compton Chief Information Officer, Integra LifeSciences
Patrick Gilroy Director - Financial System, Comcast
Travis Strong Lead Analyst - IS Risk Management, Smucker’s
Gloria Warrens Vice President - Financial Systems, LPL Financial
Moderator: Barry Greenhut, Director, Oracle GRC Product Development
Copyright © 2014, Oracle and/or its affiliates. All rights reserved. |
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Agenda
• Introduction
• Panel Discussion
There are many kinds of ERP projects
• Adopt ERP for first time
• Expand ERP scope (examples: new module, process, business unit, ledger, account, etc.)
• Upgrade ERP
• Patch ERP
ERP Project Issues Encountered
Source: OAUG Research Line, “Moving to New ERP Environments: 2011 OAUG Governance, Risk, and Compliance Best Practices Survey”
% | Issue encountered
48% | Unexpected changes to application set ups
28% | Disruption to business transactions or workflow
26% | Other applications breaking/unable to interoperate
26% | Rise in end-user training costs
21% | Outdated controls
19% | Data damaged/altered
12% | Surge in segregation of duties conflicts
9% | Data exposed
7% | Missed product launches/slower time to market
11% | Other
Agenda
• Introduction
• Panel Discussion
Panelists:
• William Compton, Chief Information Officer, Integra LifeSciences
• Patrick Gilroy, Director - Financial System, Comcast
• Travis Strong, Lead Analyst - IS Risk Management, Smucker’s
• Gloria Warrens, Vice President - Financial Systems, LPL Financial
• Moderator: Barry Greenhut, Director, Oracle GRC Product Development
ASK QUESTIONS ANYTIME!
WEDNESDAY: Oracle GRC Advanced Controls sessions
• 10:00 am, ID # 8207: Stop the Fraudster! Set the Tone at the Top and Prevent Fraud with Oracle Advanced Controls (OLYMPIC ROOM, Westin)
• 10:45 am, IOFM Workshop: How Your Vendor Master File is Critical to GRC and Compliance (ZEUM ROOM 8th FLOOR, Palomar). Presenter: Jon Casher, Ph.D., President, Casher Associates, leading industry expert & consultant. Length: 90 minutes. CPE credits: 1.5. Location: Hotel Palomar, 4th & Market. Contact: Dane Roberts [email protected]
• 2:45 pm, ID # 8200: Do You Really Know What Your Users Can Do—or Maybe Have Done? (FRANCISCAN I ROOM, Westin)

THURSDAY: Oracle GRC Advanced Controls sessions
• 10:15 am, ID # 8208: Achieve a Quicker and Compliant Financial Close with Oracle Governance, Risk, Compliance (OLYMPIC ROOM, Westin)
• 12:45 pm, ID # 8154: Controlling for Multiple ERP Systems with Oracle Advanced Controls (OLYMPIC ROOM, Westin)
• 2:45 pm, ID # 8213: How Your Vendor Master File is Critical to Governance, Risk Management and Compliance (OLYMPIC ROOM, Westin)
Location: Westin, 3rd & Market

MEET EXPERTS & DEMO GROUNDS: Oracle GRC
• WEDNESDAY 5:00 pm, ID # MTE 8487: Meet the Governance, Risk, and Compliance Experts (METROPOLITAN III ROOM; Westin, 3rd & Market)
• ID # 4250, Demo Station: Oracle Fusion Governance, Risk, and Compliance Advanced Controls (Moscone West). MONDAY 9:45 – 6:00, TUESDAY 9:45 – 6:00, WEDNESDAY 9:30 – 3:45
• DEMOgrounds: Moscone West, Station ID WCL-003
Follow us & join the conversation: Oracle GRC Advanced Controls Group, @OracleAdvCntrls
Background and Supplemental Information
Background and Supplemental Information: Smucker’s
Agenda
• Introduction
• Historical Perspective
• Smucker R12 Upgrade
• Continuous Improvement
Introduction: The J.M. Smucker Company
• Headquartered in Orrville, Ohio
– $5.6 billion in net sales
– 4,800 employees
– SJM: publicly traded on the NYSE; S&P 500 company
Introduction: Travis Strong
• BS degree in Accounting – The University of Akron
• Internal Audit, IT Audit, Accounting and IS Risk
• Audit background: key business processes, IT general controls, mobile devices, data privacy, application security, application upgrades, and others
• Managed Smucker's implementation of Oracle's Governance, Risk and Compliance (GRC) suite of applications in 2012 and to this day leads the operation of the tool set
• Certified Information Systems Auditor (CISA)
Historical Perspective: Oracle Internal Controls Manager (ICM)
• Used 2005-2012
• Implemented primarily for SOX purposes
• Monitor users with sensitive access (31 controls)
• Annual detective review of access
• Provided part of the picture – not the whole
• Reports were ugly
• Became an unsupported application
• Decision to move forward with the GRC suite
• Vision
– Foundational project
– Critical component of the Smucker Enterprise Risk & Security Program
– Turning point in IT controls governance
• Shift from Internal Audit-driven to business-led control
• Shift from manual to automated controls
• Shift from point-in-time to continuous controls
Historical Perspective: Oracle GRC Implementation
• Implemented as R12 upgrade was in planning
• Scope
– Implementation of various controls for R12
• Access controls
• Configuration controls
• Transactions controls
– Replaced 11i ICM with an R12-aligned tool
– Provided new capability for configuration and transaction monitoring
– Strategically scoped to use software to test, validate and remediate Oracle R12 as needed prior to go-live
Historical Perspective: Oracle GRC Implementation
Shift in control environment (from → to):
Manual, error-prone → Automated, reliable
Delayed, detective → Real-time, preventive
Annual, point-in-time → Near continuous
Transactional sampling → Near 100% evaluation
Heavy remediation efforts → Cleaner data, pointed exception handling
Unpredictable results → Streamlined, predictable operations
Financial reporting focused → More beneficial, wider focus
Audit focused → Business-centric
GRC and R12
• Responsibility over R12 security build
– Ensuring teams properly build security; prevent security issues at go-live
– Validate consistency between R12 development environments and production
• Implement sensitive access controls
– Monitor environments for sensitive access violations
– Address security issues pre-production
• Monitoring at go-live
– Elevated access privileges at go-live
– Combination of transaction and configuration monitoring
What did we learn?
• Get involved early
• Have a general knowledge of Oracle EBS security
• Know the upgrade timeline
• Know what’s important
• Monitor, detect, remediate: before go-live!
What’s next?
• Drive business involvement and ownership
• Research and implement PCG
– Advanced controls within business processes
– User access certifications
• Integration with Oracle Identity Manager
• Continue to enhance and mature the process and overall security posture
Thank You!
Background and Supplemental Information: Comcast
Pat Gilroy
• Director, Financial System at Comcast, responsible for the E-Business Suite
• Bachelor of Science degree in Business Administration from Villanova University
• Career experience within Oracle Applications since Release 8 – General Ledger
• Managed numerous Upgrades as an employee and Consultant
• Technical lead for the implementation of Oracle's Governance, Risk and Compliance (GRC) suite of applications at Comcast
• The R12 Re-Implementation Project went live in July, 2014
R12 Re-Implementation Project
• Oracle R12 Re-Implementation Project
• Chart of Accounts re-design
• Security re-design
• Process re-design
• New modules implemented
• Incorporated GRC as part of the R12 project
• New reporting solutions
• Expansion of OBIEE footprint with Analytics
• 350 RICEFW Elements
Comcast – Advanced Controls Story
• Multiple enhancements to tailor the Oracle experience
• Transaction Analytics to monitor process efficiencies
• Snapshots allowing comparison of setups across environments
• Change Trackers monitoring critical configurations
• 100+ Rules to manage security and segregation of duties
• Multiple rules to monitor and control GL Activity
Example rules:
– GL Period Status Restriction: remove Permanently Closed status
– Who can enter or post journals?
– Monitor Journal Source changes
– Detect duplicate suppliers
– Identify dormant users
– Prevent user approving their own cycle count
– Notify if approval workflow is changed
– Notify if period is closed with Unposted journals
Background and Supplemental Information: LPL Financial
LPL Financial Member FINRA/SIPC
LPL Financial
Offices in Boston, San Diego and Charlotte
– Approximately $4 billion in revenue
– 3,300 employees
– Publicly traded on the NASDAQ – LPLA
– http://lplfinancial.lpl.com/about_lpl.htm
Hosted by Oracle Managed Cloud Services (OMCS) since 2010
– Oracle EBS R12.1.3 (GL, AP, AR, FA, PA, CE)
– Advanced Controls v 8.6.4 (ACG, CCG, PCG, TCG)
Gloria Warrens, Vice President Finance Systems
– Manages hosted / support relationship with OMCS
– Team provides level 1 support to LPL business users
– LPL lead on Advanced Control upgrade
Project Timeline
Oct-13 – project kick off, application overview, detailed requirements created
Nov-13 – prioritization for in scope rules, development of rules
Dec-13 to Jan-14 – 1st round of testing of rules for PCG & TCG, ACG/TCG upgrade test and production instances
Jan-14 to Feb-14 – 2nd round of PCG & TCG testing, review of access incidents identified from models in ACG
Mar-14 – Go live. ACG, TCG, PCG, CCG training
Remainder of 2014 - continued work on new rules, coordination with Internal Audit
LPL Financial by Module – ACG & CCG
ACG
– Utilized since 2011 for application access approval in Oracle R12
– Used to define, maintain and manage specific SOD policies
– Used to quickly detect and remediate access policy violations
CCG
– Originally utilized for access change tracking reporting. Expanded utilization as a result of this project.
– Monitor key setups for any change, track Who, What, Where and When
– Receive email notification for specific field level changes that matter
LPL Financial by Module – TCG
Continuous monitoring of transactional activity
− Monitor 100% of transactional activity instead of samples of data
− Notification to process owner of at risk transaction activity based on policy
− Transaction reviews and remediation activity is captured and tracked in the application
− Transaction monitors run near real time, covering a more complete set of transactions as compared to sampling methodologies that occur only during the audit review period
Out of the box rules implemented:
− Dormant users
− User last login
− New account set up
− Duplicate AP vendors
− Duplicate payments
− Invoices over $ amt.
− Duplicate AR customers
− New / updated AR customers
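As an added illustration, not LPL's or Oracle's TCG rule logic, the dormant-user and duplicate-AP-vendor monitors named here (and in the Comcast rule list above), written in Python over constructed user and supplier records; the 90-day threshold, the legal-suffix list and the record layouts are assumptions:

```python
"""Dormant-user and duplicate-AP-vendor monitors over constructed records.

Added example, not Oracle TCG rule code. User and supplier rows, the 90-day
threshold and the legal-suffix list are assumptions for illustration.
"""
import re
from datetime import date, timedelta

# Constructed user records: (user_name, last_login, end_date); None = never / not set.
USERS = [
    ("AHALL",  date(2014, 9, 20), None),
    ("BLEE",   date(2014, 3, 1),  None),
    ("CKIM",   None,              None),                # created, never logged in
    ("DPATEL", date(2014, 1, 5),  date(2014, 2, 1)),    # already end-dated
]
AS_OF = date(2014, 10, 1)  # constructed evaluation date


def dormant_users(users, as_of, days=90):
    """Active accounts unused for `days` days; never-used accounts count as dormant."""
    cutoff = as_of - timedelta(days=days)
    dormant = []
    for name, last_login, end_date in users:
        if end_date is not None and end_date <= as_of:
            continue  # already disabled, nothing to flag
        if last_login is None or last_login < cutoff:
            dormant.append(name)
    return dormant


# Constructed supplier master rows: (vendor_id, vendor_name, tax_id).
SUPPLIERS = [
    (1001, "Acme Supply Co.",     "12-3456789"),
    (1002, "ACME SUPPLY COMPANY", "123456789"),
    (1003, "Globex Ltd",          "98-7654321"),
    (1004, "Globex, Ltd.",        None),
    (1005, "Initech",             "55-5555555"),
]

_LEGAL_SUFFIXES = {"co", "company", "corp", "corporation", "inc", "ltd", "limited", "llc"}


def normalize_name(name):
    """Lower-case, strip punctuation and legal suffixes so near-identical names match."""
    words = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(w for w in words if w not in _LEGAL_SUFFIXES)


def normalize_tax_id(tax_id):
    """Digits only, so '12-3456789' and '123456789' compare equal."""
    return re.sub(r"\D", "", tax_id) if tax_id else None


def duplicate_suppliers(suppliers):
    """Groups of vendor ids sharing a normalized tax id or a normalized name."""
    groups = {}
    for vid, name, tax_id in suppliers:
        keys = {("name", normalize_name(name))}
        digits = normalize_tax_id(tax_id)
        if digits:
            keys.add(("tax", digits))
        for key in keys:
            groups.setdefault(key, set()).add(vid)
    # The same pair can be caught by both name and tax id; report each group once.
    return sorted({tuple(sorted(g)) for g in groups.values() if len(g) > 1})


if __name__ == "__main__":
    print("dormant:", dormant_users(USERS, AS_OF))
    print("duplicates:", duplicate_suppliers(SUPPLIERS))
```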
LPL Financial by Module – PCG
Create systems based controls for existing manual controls
Rules can be a notification or require approval before process can continue
Issues addressed
– Offshore monitoring
– Manual Control
– Replace a detective control
– Remediate a deficiency
LPL Financial by Module – PCG Implemented
Module | Rule Name | Issue Addressed
AR | Invoice Approval | Offshore monitoring & manual control
AR | Cash Receipt Approval | Offshore monitoring & manual control
AR | Adjustment Notification | Manual control
AP | Vendor Set Up/Change | Offshore monitoring & manual control
AP | Invoice Coding Approval | Replaces detective GL control
FA | Asset Addition / Update | Remediate deficiency (placed in service date)
PA | Task & Phase Exceptions | Replaces detective control in high risk area
PA | PA Calendar Loader | Replaces detective control in high risk area
PA | PA Calendar Validation | Replaces detective control in high risk area
Background and Supplemental Information: Integra LifeSciences
Background - Integra LifeSciences
• World leader in medical technology
• Founded in 1989, headquartered in Plainsboro, New Jersey
• In the US, Integra is a leading provider of surgical instruments to hospitals, surgery centers & alternate care sites
• Over 3,300 employees worldwide
• Orthopedic solutions for extremity, spine, reconstructive surgery, neurosurgery, reconstructive & general surgery
Oracle EBS R12 Implementation - Overview
• Global Oracle E-Business Suite (EBS) Release 12 Implementation/upgrade - started in 2011
• Live in 7 locations, planning to complete rollouts by Summer of 2015
• The project was nicknamed “Project Delphi” with a unique organization of team members under 7 different tracks, including: Product Lifecycle Management, Market to Customer, Order to Cash, Plan to Manufacture, Procure to Pay, Hire to Retire, Record to Report
Project Delphi – Control and Compliance Directives
Strategic Management Direction
1. Global standardization of compliance
2. Endorsement from SOX, Controllers, Compliance & Internal Audit
3. Compliance requirements for sensitive restricted data (HIPAA, GxP, Safe Harbor, SOX)
Required Efficiencies
1. Automation of periodic assessments (External / Internal Auditors)
2. Implement automated management of potential security issues (volume)
3. Extend standardization of controls to future roll-outs, locations, business units & countries
4. Extend native application controls with minimal customization
Project Delphi - Control Design and Optimization Goals
• 70 – 80% Common Global Design: Enterprise Structures, Business Processes, Data Access and Reports
• 20 – 30% Bus Unit / Geo Specific: Legal requirements, local RICEF, unique local processes
• Rapid Integration of new business units: current and future into this single Common Global Design
• Standardize Security: Optimize design and role assignment
Controls and Security Optimization Roadmap: How to Embed Proper Security and Controls in Our New System?
1. Establish a Baseline
– Security: Define SOD Policies and Framework
– Controls: Maximize Native Application (automated) Configurable Controls in EBS
2. Improve / Optimize
– Security: Design Conflict-free Roles, and Conflict-free User-to-Role assignment
– Controls: Implement Defined Native Application Controls
3. Automate Compliance
– Security: Implement Oracle Application Access Control Governor (AACG)
– Controls: Implement Oracle Preventive Controls Governor (PCG)
Security Optimization - Roadmap: Application Access Control Governor (AACG)
1. Establish Security Baseline
– Define SoD and Access Policies
– Match Policies to Business Practices
– Analyze and Mitigate SoD Conflicts
2. Improve Security Design
– Design Conflict-Free Roles
– Create Roles in Oracle R12
– Assign Users to Roles
3. Automate Security Compliance - AACG
– Enable Automated User Provisioning
– On-Going Monitoring of SoD in R12
– Implement processes for SoD Rule Set check
Control Optimization - Roadmap: Preventive Controls Governor (PCG)
1. Establish Control Baseline
– Define Universe of Native Application Configurable Controls
– Define Global / Local Controls
– Determine additional PCG Business Case (Form / Flow Rules)
2. Improve Control Design
– Proof of Concept
– Implement updated EBS configuration parameters
– Test and deploy Controls in subsequent rollouts
3. Automate Control Compliance
– Enable Audit Trails (MDM and Application Controls)
– Define Audit Trails to setup in PCG
– Track progress and Expand
Optimization Business Benefits (Security and Controls)
Quick Wins
• Optimized/customized SoD risk framework
• Detailed SoD and Sensitive Access risk reporting
• Reduced testing time on SoD and access controls
• Managed controls (both manual and automated)
• Greater reliance on testing (automated controls typically have a higher ‘pass’ rate)
Mid-Term benefits
• Change Management for Users and/or Roles
• Better controls around Super User Access
• Automated Access Review
• Notification / validation around modification of configuration settings
• Improved reporting
Expected Long Term Benefits
• Streamlined access management
• Automated Provision / de-provision process
• Greater reliance on security certification metrics
• Mitigate Risks with automated controls
• Continuous controls monitoring
Control and Security Optimization - Lessons Learned
One Module at a Time
• Work on quick wins and build on successes to expand
Proper AACG / PCG Configuration
• Delivered rule sets are not one size fits all
• Results are highly dependent on the quality of your rule-sets
Address ‘Root Causes’ around Security Issues
• Address SoD - Role and User Level
• Do not underestimate efforts for remediation
Sponsorship and “buy-in”
• Business Process Owners involvement is essential
• Internal Audit, Controller & Compliance demo
Involvement from GRC end-users
• User testing is critical to ensure requirements have been met
Background and Supplemental Information: Oracle
Oracle GRC Advanced Controls Can Accelerate ERP Projects and Reduce Risk
• Do your ERP projects require design, review or testing of:
– ERP security?
– ERP configuration and behavior?
• If “yes” to either, then Advanced Controls can:
– Accelerate these tasks
– Reduce risks of costly errors
• Advanced Controls also offer:
– Pre- and post-project benefits that surpass the in-project benefits
– Demonstrable ROI
Advanced Controls Solutions
• ERP security and configuration/behavior design/review/test
• Business rules and policies
• Design quality and change management
During ERP Project: Streamline Security Design/Review/Test
Workflow: Define Access Policies → Conflict Analysis → Remediation (Clean-up) → Deploy
• Collaborate with process owners
• Evaluate access to identify conflicts
• Run what-if simulations
• Establish go-live security, compensating policies
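The conflict analysis and what-if simulation described here, together with the conflict-free role and user-to-role assignment checks from the Integra AACG roadmap, as an added Python example that is not Oracle's AACG code; the roles, functions, policy ids and user assignments are constructed sample data:

```python
"""Segregation-of-duties (SoD) conflict analysis with what-if simulation.

Added example, not Oracle AACG code. The roles, functions, policies and
users below are constructed sample data.
"""

# Constructed sample: functions (privileges) granted by each EBS-style role.
ROLE_FUNCTIONS = {
    "AP_INVOICE_ENTRY":  {"enter_invoice"},
    "AP_PAYMENTS":       {"create_payment"},
    "AP_SUPPLIER_MAINT": {"maintain_supplier"},
    "GL_JOURNAL_ENTRY":  {"enter_journal"},
    "GL_JOURNAL_POST":   {"post_journal"},
    # A broad role that is not conflict-free by itself.
    "AP_SUPERUSER":      {"enter_invoice", "create_payment", "maintain_supplier"},
}

# Constructed SoD policies: two functions one person must not hold together.
SOD_POLICIES = {
    "P01_INVOICE_VS_PAYMENT":    ("enter_invoice", "create_payment"),
    "P02_SUPPLIER_VS_PAYMENT":   ("maintain_supplier", "create_payment"),
    "P03_ENTER_VS_POST_JOURNAL": ("enter_journal", "post_journal"),
}

# Constructed user-to-role assignments proposed for go-live.
SAMPLE_USERS = {
    "alice": {"AP_INVOICE_ENTRY"},
    "bob":   {"GL_JOURNAL_ENTRY", "GL_JOURNAL_POST"},
    "carol": {"AP_SUPERUSER"},
}


def functions_for(roles):
    """Union of the functions granted by a set of roles (unknown roles grant nothing)."""
    granted = set()
    for role in roles:
        granted |= ROLE_FUNCTIONS.get(role, set())
    return granted


def conflicts(functions):
    """Sorted ids of the policies violated by one person holding `functions`."""
    return sorted(pid for pid, (a, b) in SOD_POLICIES.items()
                  if a in functions and b in functions)


def role_level_conflicts():
    """Roles that violate a policy on their own; these can never be assigned conflict-free."""
    return {role: conflicts(funcs) for role, funcs in ROLE_FUNCTIONS.items()
            if conflicts(funcs)}


def user_level_conflicts(user_roles):
    """Policies violated by each user's combined role assignment (clean users omitted)."""
    found = {}
    for user, roles in user_roles.items():
        hits = conflicts(functions_for(roles))
        if hits:
            found[user] = hits
    return found


def what_if_add_role(user_roles, user, new_role):
    """Simulate granting `new_role` to `user`; return only the policies newly violated."""
    current = user_roles.get(user, set())
    before = set(conflicts(functions_for(current)))
    after = set(conflicts(functions_for(current | {new_role})))
    return sorted(after - before)


if __name__ == "__main__":
    print("role-level:", role_level_conflicts())
    print("user-level:", user_level_conflicts(SAMPLE_USERS))
    print("what-if alice + AP_PAYMENTS:", what_if_add_role(SAMPLE_USERS, "alice", "AP_PAYMENTS"))
```

Role-level findings point at role design (the "conflict-free roles" step), user-level findings at the assignment step, and the what-if result is what a provisioning request would be checked against before it is approved.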
After ERP Go-Live: Immediate Feedback on Security Issues
During ERP Project: Improve Change Management during Project
Example: the same setup compared across environments
CRP1: Payment Terms 30 days
CRP2: Payment Terms 30 days
UAT: Payment Terms 30 days
PROD: Payment Terms 45 days
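Added example, not Oracle's snapshot or Change Tracker code: a comparison of setup snapshots across environments that surfaces the Payment Terms drift shown here, plus a who/what/when check of critical-setup changes against an approval list; the setup keys, change-log rows and approval records are constructed:

```python
"""Setup snapshots compared across environments, plus a change tracker.

Added example, not Oracle CCG/Change Tracker code. All snapshots, change-log
rows and approval records below are constructed sample data.
"""
from datetime import datetime

# Constructed snapshots: environment -> {setup key: value}. Only PROD differs.
SNAPSHOTS = {
    "CRP1": {"AP.PaymentTerms.Default": "30 days", "AP.InvoiceTolerance.Qty": "5%"},
    "CRP2": {"AP.PaymentTerms.Default": "30 days", "AP.InvoiceTolerance.Qty": "5%"},
    "UAT":  {"AP.PaymentTerms.Default": "30 days", "AP.InvoiceTolerance.Qty": "5%"},
    "PROD": {"AP.PaymentTerms.Default": "45 days", "AP.InvoiceTolerance.Qty": "5%"},
}


def compare_to_baseline(snapshots, baseline):
    """For each setup key, report environments whose value differs from `baseline`.

    Returns {key: {env: (baseline_value, env_value)}}; a key missing on one
    side shows up as None so that dropped or added setups are not masked.
    """
    base = snapshots[baseline]
    drift = {}
    for env, setup in snapshots.items():
        if env == baseline:
            continue
        for key in sorted(set(base) | set(setup)):
            if base.get(key) != setup.get(key):
                drift.setdefault(key, {})[env] = (base.get(key), setup.get(key))
    return drift


# Constructed change-log rows captured in PROD: (timestamp, user, key, old, new).
CHANGE_LOG = [
    ("2014-07-02T09:10:00", "jsmith", "AP.PaymentTerms.Default", "30 days", "45 days"),
    ("2014-07-03T14:00:00", "batch",  "AP.InvoiceTolerance.Qty", "5%", "5%"),   # re-saved, no change
    ("2014-07-04T08:30:00", "mlopez", "AP.InvoiceTolerance.Qty", "5%", "6%"),   # not a critical key
]

# Setups whose changes require a recorded approval (assumption for the example).
CRITICAL_KEYS = {"AP.PaymentTerms.Default"}


def unauthorized_changes(log, critical_keys, approved):
    """Who/what/when for critical-setup changes that lack an approval record.

    `approved` holds (user, key) pairs for which a change request exists.
    Rows where old == new are ignored: re-saving a form is not a change.
    """
    hits = []
    for ts, user, key, old, new in log:
        if key in critical_keys and old != new and (user, key) not in approved:
            hits.append({"when": datetime.fromisoformat(ts), "who": user,
                         "what": key, "old": old, "new": new})
    return hits


if __name__ == "__main__":
    print(compare_to_baseline(SNAPSHOTS, "UAT"))
    print(unauthorized_changes(CHANGE_LOG, CRITICAL_KEYS, approved=set()))
```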
After ERP Go-Live: Ensure Authorized Setup Changes Made
During ERP Project: Embed Automated Rules
INCREASE AUTOMATION AND EMBEDDED RULES
REDUCE MANUAL CONTROLS AND CUSTOMIZATIONS
After ERP Go-Live: Embedded Rules Reduce Operational Risk
Case Study: Information Services, $3.9B annual revenue
• Upgraded to EBS R12.1, adopted Advanced Controls
• Used Advanced Controls to detect existing and potential SOD violations, addressed them during process of provisioning user responsibilities
• Advanced Controls replaced manual SOD process which could no longer keep pace with expanding ERP environment and complexity
• Potential unauthorized and unnecessary access now flagged by Advanced Controls
• Cut internal/external audit costs by detecting & remediating violations with Advanced Controls
“Due to the sensitive nature of the financial information we work with, [we take] data security very seriously. Oracle’s GRC solutions play an important role through the careful management of segregation of duties controls.” – Senior Software Manager
Savings Observed at Our Customers Include…
Annual Time Reductions
• 20% reduction in time spent designing/testing role security
• 75% reduction in time spent testing approval authorizations
• 55% reduction in time spent on SOD testing
Annual Cost Reductions
• 28% reduction in Help Desk, IT resources to provision security/resets
• 40% reduction in internal, external audit costs related to security, SOD
• 80% reduction in configuration change mgmt EBS, PSFT, others
• 60% reduction in consultant fees for customization works EBS