1 Overview and Current Trends with Governance, Risk and Compliance Chris Martin Oracle GRC Specialist January 19, 2010


Page 1

Overview and Current Trends with Governance, Risk and Compliance

Chris Martin, Oracle GRC Specialist, January 19, 2010

Page 2

Agenda

• GRC Today
• Key Business Challenges
• GRC is Good Business
• Strategies to Consider - Solutions Today
• Wrap Up

Page 3

The Big Picture
© OCEG

Objectives: Strategic, operational, customer, compliance and reporting objectives cascaded throughout the organization

Business Model: Strategy, people, process, technology and infrastructure in place to drive toward objectives

Obstacles: Impede progress toward achieving objectives

Mandated Boundary: Boundary established by external forces including laws, government regulation and other mandates.

Voluntary Boundary: Boundary defined by management including public commitments, organizational values, contractual obligations, and other voluntary policies

Page 4

Governance, Risk, and Compliance (GRC) At-a-Glance

(Diagram: Culture, Governance, Risk and Compliance as interlocking elements)

Governance
• Set and evaluate performance against objectives
• Authorize business strategy & model to achieve objectives

Risk Management
• Identify, assess, and address potential obstacles to achieving objectives
• Identify / address violation of mandated and voluntary boundaries

Culture
• Establish an organizational climate and individual mindset that promotes trust, integrity, and accountability

Compliance
• Encourage / require compliance with established policies and boundaries
• Detect non-compliance and respond accordingly

Source: Open Compliance and Ethics Group

Page 5

Governance, Risk, & Compliance Mgmt is more than just SOX

SOX = Section 404, 302

• Enterprise Risk Management
• Operational Risk Management
• IT Governance
• Identity Mgmt
• Database Security
• Industry Regulations
• Environmental Regulations
• Records & Retention Mgmt
• Document and File Protections
• eMail Security
• OSHA Compliance Risks

Page 6

The Boundaries Constantly Changing

AMERICAS
• HIPAA
• FDA CFR 21 Part 11
• OMB Circular A-123
• SEC and DoD Records Retention
• USA PATRIOT Act
• Gramm-Leach-Bliley Act
• Federal Sentencing Guidelines
• Foreign Corrupt Practices Act
• Market Instruments 52 (Canada)

EMEA
• EU Privacy Directives
• UK Companies Law
• Restriction of Hazardous Substances (RoHS/WEEE)

APAC
• J-SOX, C-SOX, K-SOX, C49, etc.
• CLERP 9: Audit Reform and Corporate Disclosure Act (Australia)
• Stock Exchange of Thailand Code on Corporate Governance

GLOBAL
• International Accounting Standards
• Basel II (Global Banking)
• OECD Guidelines on Corporate Governance

Page 7

While Cost of Compliance Continues to Rise

“Governance, risk management, and compliance (GRC) spending will exceed $32B for 2008, up 7.4% from 2007, as companies shift toward identifying, assessing, and managing risk across numerous business and IT areas.”

AMR Research, The Governance, Risk Management, and Compliance Spending Report, 2008–2009

(Chart: $29 Billion, $32 Billion)

Page 8

Practical Lessons from Sarbanes-Oxley: Most organizations progress through maturity curve

(Chart of number of controls and cost over time: Year 1 & 2 – DEFINE, manual, redundant efforts; Year 3 – RATIONALIZE, remediation & standardization; Year 4+ – AUTOMATE, MONITOR & VERIFY, embedded GRC & operational excellence)

New AS5 Guidance:
• Top-down risk-based approach
• Tailor audit to specific company profile
• External auditors can use work of others as evidence

Page 9

Agenda

• GRC Today
• Key Business Challenges
• GRC is Good Business
• Strategies to Consider - Solutions Today
• Wrap Up

Page 10

Pain Points Our Clients are Facing

• No real-time visibility and communication to/from data, results, and status
• Duplication of efforts – silos of compliance/audit activity with limited collaboration across functional groups companywide
• Non-standard information architecture for audit/compliance activities
• Lack of a sustainable platform for growth and change in business environment

Multiple Requirements, Fragmented Response

(Diagram: grid of disconnected controls C1a through C11c)

Page 11

Pain Points Our Clients are Facing

• Cost of audit and compliance activities
• Not leveraging synergies of the broad spectrum of audit and compliance activities
• Cumbersome and manual processes – many man hours chasing and compiling paper
• Inconsistent audit plans, work paper methodologies, reporting, etc.
• No clearly defined roles and responsibilities holding individuals accountable for audit and compliance activities

Insufficient Resources, Manual Efforts

Page 12

Pain Points Our Clients are Facing

• No automated (preventive or mitigating) controls embedded into business processes
• Limited Enterprise Value Management – compliance activities not built into the DNA of business process
• Paradigm shift for external auditors and other outside auditors to leverage technology

GRC as an Afterthought, Holding Up the Business

(Diagram: Business Processes with separate GRC boxes)

Page 13

Agenda

• GRC Today
• Key Business Challenges
• GRC is Good Business
• Strategies to Consider - Solutions Today
• Wrap Up

Page 14

GRC Drives Value

• Reduced control deployment time by 80%
• Reduced time for normal audit from 2 months to 2 days
• Reduced controls testing by 67%, 55% time savings among internal teams & 42% reduction in external auditor time
• Improved control pass rate by 27% in first year (0% before)
• Reduced consulting fees by $1,000,000
• Reduced transaction time from 3-4 days to minutes
• Resolved 85% of SOD issues across ERP
• Reduced compliance turnaround time by 28%
• Reduced compliance costs by 30%

Page 15

Intuit Achieves Payback in Less Than Five Months

COMPANY OVERVIEW
• Industry leading software & financial services company with popular products like TurboTax and QuickBooks
• Employees: 7,500
• Annual Revenue: $2.4 Billion

CHALLENGES / OPPORTUNITIES
• Inappropriate responsibilities granted to employees without review and approval
• Oracle application configurations being modified without notification to SOX Compliance Team
• Inefficient manual controls associated with SOX Compliance

SOLUTIONS
• Oracle GRC Controls Suite

RESULTS
• Saved 55% time for internal departments
• Reduced 65% in controls testing
• Cut 42% in external auditor engagement
• Payback in less than 5 months

CUSTOMER PERSPECTIVE
“We’ve been able to realize significant returns on our investment in the Oracle GRC Controls Suite to date. The 8.0 release of Oracle Application Access Controls Governor should help us continue our efforts to deliver well-controlled and efficient business processes, not only across the E-Business Suite, but also in our PeopleSoft and Siebel applications.”
- Rob Singleton, Manager, Controls Advisory Office

Page 16

ROI Impact

External Audit Impact (External Audit Testing Requirements and Level of Effort)

                          2005               2006               2007              2008
Access Controls           100% of controls   100% of controls   33% of controls   ?% of controls
Configuration Controls    100% of controls   100% of controls   65% of controls   ?% of controls
# of Auditors             6 auditors         6 auditors         4 auditors        ?
Testing Time              14 weeks           14 weeks           8 weeks           ?

Internal Controls Advisory Office Impact (Access & Configuration Controls Review by CAO)

                          FY05               FY06               FY07              FY08
Review Time               350 hrs / month    350 hrs / month    90 hrs / month    50 hrs / month

Since 2006, the Controls Advisory Office only tests new or modified configuration controls.

Page 17

Qualcomm

COMPANY OVERVIEW
• World's premier wireless communications company
• Top 100 operational & strategic excellence – CIO magazine
• Revenue > $7.5 Billion
• 19 Operating Units

CHALLENGES / OPPORTUNITIES
• Accelerate financial close process
• SOX compliance and SOD, and streamline complex interactions across business units
• Eliminate bottlenecks
• Validate reporting accuracy faster

SOLUTIONS
• Oracle GRC Controls Suite

RESULTS
• Eliminated SOD conflicts to meet SOX compliance and improve financial close process
• Time to close each month – 2 days
• Time to file 10Q – 25 days
• Time to file 10K – 37 days

CUSTOMER PERSPECTIVE
“By using the embedded controls and workflows, we have been able to streamline complex interactions across multiple operating units, eliminate bottlenecks and validate accuracy much faster.”
- Jeffrey Flecker, Snr VP & Corp Controller, Qualcomm

Page 18

Customer Proof Points

“Oracle’s GRC technology…
• reduced our issue & remediation tracking time by 30%”
• reduced our reporting efforts by 20%”
• reduced our control and document aggregation efforts by 25%”
• reduced our year-over-year audit fees by 18%”
• resulted in a payback period of just over 1 year”

Page 19

Agenda

• GRC Today
• Key Business Challenges
• GRC is Good Business
• Strategies to Consider - Oracle Solutions
• Wrap Up

Page 20

Summary of Key Business Challenges

1. Multiple Requirements, Fragmented Response
2. Insufficient Resources, Manual Efforts
3. GRC as an Afterthought, Holding Up the Business

Sources: Adapted from Deloitte Consulting, Open Compliance and Ethics Group, and IDC

(Diagrams: grid of disconnected controls C1a through C11c; Business Processes with separate GRC boxes)

Page 21

Strategies to Manage Risk and Compliance: Actions You Can Take Immediately

Oracle GRC Applications: Oracle GRC Controls, Oracle GRC Manager, Oracle GRC Intelligence

• Consolidate: Multiple GRC Activities and Provide Real-time Visibility
• Automate: Critical GRC Tasks
• Embed: Automated Controls into Business Processes


Page 25

GRC Application Suite – A la Carte

Embedded Controls
• Detective, Preventive, Contextual
• Automated controls testing
• Pre-built controls library

Centralized GRC Oversight
• Common Repository for GRC
• Audit and Assessment of Controls
• Integrated remediation management

360º Visibility
• Single source of GRC Information
• Pre-built dashboards
• Respond to KRI and issues

(Diagram of the suite: GRC Intelligence – Reports, Dashboards, Alerts, Key Risk & Control Indicators; GRC Manager – Risks, Assessments, Issues, Processes, Policies, Procedures, Remediation; GRC Controls – Configuration Controls Governor, Transaction Controls Governor, Application Access Controls Governor, Preventive Controls Governor; Applications and Infrastructure – Customers, Suppliers, Sales, Legal, R&D, Mfg, HR, Finance)

Page 26

Governance, Risk & Compliance Controls: Enforce Compliance with Access, Configuration & Transactional Controls

(Diagram: Process Control – Transaction Controls, Configuration & Change Management Controls, Access Controls, Preventive Controls)

Page 27

Preventive versus Detective Controls

• Detective controls are based on monitoring or scanning databases for predefined conditions.
  • Value is in “finding violations faster”… after the fact.
  • Still have to remediate every violation.
• Preventive controls come in two flavors:
  • Basic prevention affects provisioning of user rights.
  • Contextual prevention affects user behavior in real-time.
• Preventive controls eliminate remediation.
  • Value increases as you refine policies and processes.
• Need both detective and preventive controls to:
  • Balance risk with business continuity
  • Verify that controls are consistently effective

Page 28

Access Controls Provide Fine Grained Access Control and Segregation of Duties

Know who has access to do what and ensure that someone isn’t given inappropriate privileges

• Define Access Controls – Define SOD conflict & business rules and policies
• Access Analysis – Execute access analysis engine that understands application’s detailed access architecture
• Remediation (Clean-up) – Remediation and analysis via pre-packaged reports & what-if simulation
• Preventive Provisioning – Real-time enforcement of SOD controls during user provisioning
• Compensating Policies – Handle exceptions with compensating process & transaction analysis policies

(Diagram spans Detection and Prevention)

Page 29

ERP SOD Control Library: Best Practice Policy Library

Oracle 11.5.10   216 policies*
Oracle R12       232 policies*
PeopleSoft       266 policies*

*Note: Best practice policy libraries deliver content from years of hands-on customer implementations. Each policy is comprised of several sub-policies and controls based on its complexity; the sum total of these sub-policies and controls is over 3,000 per ERP.

Page 30

Entitlements = Groups of Access Points

Use Entitlements to group access points that correspond to a common privilege (e.g. several different pages allow you to enter a journal entry…)

Page 31

Manage False-positives with Exception Conditions

Use Global and Policy-level conditions to exclude false-positives from analysis and reporting.
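As an added illustration (not code from the deck or from Oracle's products) of how the access-control ideas on the preceding slides fit together: entitlements group access points, SOD policies pair conflicting entitlements, a detective scan reports each conflict with its conflict path, a preventive check simulates a grant before provisioning, and global and policy-level exception conditions suppress false positives. Every responsibility, access point, policy name and user below is constructed sample data.

```python
"""Added SOD example: entitlements, conflict policies, detective scan, preventive
provisioning check and exception conditions. All names and data are constructed."""
from dataclasses import dataclass

# Entitlements = groups of access points conferring one privilege (e.g. several
# pages that all allow a journal entry). Constructed names.
ENTITLEMENTS = {
    "ENTER_JOURNAL": {"GL_JOURNAL_ENTRY_FORM", "GL_JOURNAL_IMPORT", "GL_WEBADI_JOURNAL"},
    "POST_JOURNAL": {"GL_POST_JOURNALS"},
    "MAINTAIN_SUPPLIER": {"AP_SUPPLIER_FORM", "AP_SUPPLIER_SITES"},
    "ENTER_INVOICE": {"AP_INVOICE_WORKBENCH"},
    "PAY_INVOICE": {"AP_PAYMENT_WORKBENCH"},
}
# Access architecture: responsibilities grant access points, users hold responsibilities.
RESPONSIBILITIES = {
    "GL_CLERK": {"GL_JOURNAL_ENTRY_FORM", "GL_WEBADI_JOURNAL"},
    "GL_SUPERVISOR": {"GL_POST_JOURNALS", "GL_JOURNAL_IMPORT"},
    "AP_CLERK": {"AP_INVOICE_WORKBENCH"},
    "AP_MANAGER": {"AP_PAYMENT_WORKBENCH", "AP_SUPPLIER_FORM"},
    "INQUIRY": {"GL_INQUIRY"},
}
USERS = {
    "alice": {"GL_CLERK", "GL_SUPERVISOR"},  # can both enter and post journals
    "bob": {"AP_CLERK"},
    "carol": {"AP_CLERK", "AP_MANAGER"},     # enters invoices, pays them, maintains suppliers
    "dave": {"GL_CLERK", "INQUIRY"},
    "erin": {"GL_CLERK", "GL_SUPERVISOR"},   # end-dated account: global exception
    "frank": {"GL_CLERK", "GL_SUPERVISOR"},  # documented compensating control: policy exception
}

@dataclass(frozen=True)
class Policy:
    name: str
    left: str   # one entitlement of the conflicting pair
    right: str  # the other entitlement of the pair

POLICIES = [
    Policy("SOD-GL-01", "ENTER_JOURNAL", "POST_JOURNAL"),
    Policy("SOD-AP-01", "ENTER_INVOICE", "PAY_INVOICE"),
    Policy("SOD-AP-02", "MAINTAIN_SUPPLIER", "PAY_INVOICE"),
]

# Exception conditions return True to drop a (user, policy) pair as a false positive.
# Global conditions apply to every policy; policy-level conditions to one policy.
INACTIVE_USERS = {"erin"}
COMPENSATED = {"SOD-GL-01": {"frank"}}
GLOBAL_CONDITIONS = [lambda user, policy: user in INACTIVE_USERS]
POLICY_CONDITIONS = {"SOD-GL-01": [lambda user, policy: user in COMPENSATED["SOD-GL-01"]]}

def entitlement_paths(responsibilities):
    """Map each entitlement the responsibilities confer to one (responsibility,
    access_point) pair: the conflict path a reviewer needs to see."""
    granted = {}
    for resp in responsibilities:
        for access_point in RESPONSIBILITIES.get(resp, ()):
            granted.setdefault(access_point, resp)
    paths = {}
    for entitlement, access_points in ENTITLEMENTS.items():
        hit = sorted(access_points & set(granted))
        if hit:
            paths[entitlement] = (granted[hit[0]], hit[0])
    return paths

def excluded(user, policy):
    conditions = GLOBAL_CONDITIONS + POLICY_CONDITIONS.get(policy.name, [])
    return any(cond(user, policy) for cond in conditions)

def violations(user, responsibilities):
    """SOD conflicts for one user as (policy_name, left_path, right_path) tuples."""
    paths = entitlement_paths(responsibilities)
    return [(p.name, paths[p.left], paths[p.right]) for p in POLICIES
            if p.left in paths and p.right in paths and not excluded(user, p)]

def analyze(users):
    """Detective control: scan every current assignment and report the conflicts."""
    report = {user: violations(user, resps) for user, resps in users.items()}
    return {user: found for user, found in report.items() if found}

def can_provision(users, user, new_responsibility):
    """Preventive control: what-if simulation of a grant during provisioning.
    Returns (allowed, new_conflicts); the grant is refused if it would add a
    violation the user does not already have."""
    current = users.get(user, set())
    before = {v[0] for v in violations(user, current)}
    new = [v for v in violations(user, current | {new_responsibility}) if v[0] not in before]
    return (not new, new)

if __name__ == "__main__":
    print(analyze(USERS))
    print(can_provision(USERS, "dave", "GL_SUPERVISOR"))
```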

Page 32

Lawson

(Screenshot: Lawson-1275)

• Policy Library
• Conflict Paths

Page 33

Application Configuration Controls: Detect and prevent configuration control failure

Ensure that critical setups conform to best practices and follow robust change management procedures

Steps (Detection through Prevention): Define Configuration Controls, Document or Compare Configurations, Monitor Configuration Changes, Enforce Change Control, Manage Data Integrity

• Define best practice policies & operating rules
• Record changes to sensitive setup data. Compare before and after values for changes
• Monitor for setup inconsistencies across multiple instances
• Require conditional approval cycles (e.g., exceed threshold)
• Validate that setups and data updates conform to valid values

Page 34

Example of Setups and Key Controls

Setups = Key Controls

• Setup Data
  • Application Security
  • Document Approvals
  • Chart of Accounts
  • Profile Options
  • Users
  • Application Setups
  • MRP rules

• Operational Data
  • Customers
  • Suppliers
  • Employees
  • Buyers
  • Items
  • Chart of Account Values
  • Category Codes

• Key Controls
  • Vendor tolerances
  • 3-way matching of PO, Invoice and Receipt
  • Document spending limits (authorization of PO)
  • Security rules – access to sensitive transactions
    o Employee salaries
    o Chart of account values
    o Financial statement reports (FSGs)
    o Price lists
    o Inventory attributes
  • Action for late delivery of goods
  • Inventory stocking rules
  • Rules to create tax on sales orders
  • Depreciation methods

Page 35

Document Configurations

(Screenshot)

Page 36

Compare Configurations

(Screenshot showing Differences)

Page 37

Monitor Configuration Changes

(Screenshot: Who? What? When? Where?)

Page 38

Transaction Controls: Detect and prevent erroneous and fraudulent transactions

Monitor transactions to detect business policy violations or unacceptable levels of risk or inefficiency

Steps (Detection through Prevention): Define Transaction Controls, Perform Transaction Analysis, Review and Address Suspects, Preventive Transaction Control

• Identify transactions violating policy (e.g. un-approved vendor)
• Detect patterns representing aggregate risk (e.g. micro-payments)
• Initiate review / approval cycle based on automated policies
• Approvals based on transaction data thresholds

Page 39

Comprehensive Transaction Monitors: Detect patterns of heightened risk in business activity

• Test against Material Thresholds
  • Journal Entry > $ threshold
  • Employee Checks (individual & sum) > $ threshold
• Search for Anomalies
  • PO terms differ from vendor
  • Sales orders > acceptable $ range
• Sampling of Transactions
  • 4th quarter invoices
  • Days sales outstanding balances
• Detect Fraudulent Behavior
  • PO changes after approval
  • Duplicate suppliers with same address
• Embed Contextual / Automated Compensating Controls
  • Alert on customer transactions over $ threshold
  • Prevent journals from being entered and posted by same individual
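The following added Python example (not from the deck or from Oracle's products) implements four of the transaction monitors listed on the two preceding slides over constructed sample records: a material journal threshold, journals entered and posted by the same individual, duplicate suppliers sharing a normalized address, and the micro-payment pattern whose aggregate crosses an approval threshold. All thresholds, record layouts and field names are assumptions made for illustration.

```python
"""Added transaction-monitor example over constructed sample records (not deck code)."""
from collections import defaultdict
from datetime import date
import re

# Constructed sample data; field names are assumptions, not an ERP schema.
JOURNALS = [
    {"id": "J1", "amount": 250000.0, "entered_by": "alice", "posted_by": "alice"},
    {"id": "J2", "amount": 4200.0, "entered_by": "bob", "posted_by": "carol"},
    {"id": "J3", "amount": 99000.0, "entered_by": "dave", "posted_by": "dave"},
]
SUPPLIERS = [
    {"id": "S1", "name": "Acme Supplies Inc", "address": "12 Main St., Springfield"},
    {"id": "S2", "name": "ACME SUPPLIES", "address": "12 main street springfield"},
    {"id": "S3", "name": "Globex", "address": "9 Elm Ave, Shelbyville"},
]
PAYMENTS = [
    {"id": "P1", "supplier": "S3", "amount": 4900.0, "date": "2010-01-04"},
    {"id": "P2", "supplier": "S3", "amount": 4950.0, "date": "2010-01-05"},
    {"id": "P3", "supplier": "S3", "amount": 4800.0, "date": "2010-01-06"},
    {"id": "P4", "supplier": "S1", "amount": 12000.0, "date": "2010-01-06"},
]
JOURNAL_THRESHOLD = 100000.0   # assumed materiality threshold for one journal entry
APPROVAL_THRESHOLD = 5000.0    # assumed amount at which a payment needs manager approval

def material_journals(journals, threshold):
    """Material threshold test: journal entries above the $ threshold."""
    return [j["id"] for j in journals if j["amount"] > threshold]

def same_person_journals(journals):
    """Compensating control: journals entered and posted by the same individual.
    Run here as a detective scan; applying the same test at posting time is the
    preventive form."""
    return [j["id"] for j in journals if j["entered_by"] == j["posted_by"]]

ABBREVIATIONS = {"st": "street", "ave": "avenue", "rd": "road"}

def normalize_address(address):
    """Fold case, punctuation and common abbreviations so cosmetic differences
    between two supplier records do not hide a duplicate."""
    tokens = re.sub(r"[^\w\s]", " ", address.lower()).split()
    return " ".join(ABBREVIATIONS.get(t, t) for t in tokens)

def duplicate_suppliers(suppliers):
    """Fraud indicator: distinct supplier records sharing one normalized address."""
    groups = defaultdict(list)
    for s in suppliers:
        groups[normalize_address(s["address"])].append(s["id"])
    return [ids for ids in groups.values() if len(ids) > 1]

def micro_payment_patterns(payments, threshold, window_days=7, min_count=3):
    """Aggregate-risk pattern: several payments to one supplier that each stay
    under the approval threshold but together exceed it inside a short window."""
    by_supplier = defaultdict(list)
    for p in payments:
        if p["amount"] < threshold:
            by_supplier[p["supplier"]].append((date.fromisoformat(p["date"]), p["amount"], p["id"]))
    flagged = []
    for supplier, items in by_supplier.items():
        items.sort()
        for i, (start, _, _) in enumerate(items):
            window = [x for x in items[i:] if (x[0] - start).days <= window_days]
            total = sum(x[1] for x in window)
            if len(window) >= min_count and total >= threshold:
                flagged.append((supplier, [x[2] for x in window], total))
                break  # one finding per supplier is enough to open a review
    return flagged

if __name__ == "__main__":
    print("material journals:", material_journals(JOURNALS, JOURNAL_THRESHOLD))
    print("entered and posted by same person:", same_person_journals(JOURNALS))
    print("duplicate supplier groups:", duplicate_suppliers(SUPPLIERS))
    print("micro-payment patterns:", micro_payment_patterns(PAYMENTS, APPROVAL_THRESHOLD))
```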

Page 40

Efficient, Flexible Risk and Compliance Mgmt

(Diagram: GRC Application Suite architecture, as on Page 25)

• Improved Scoping / Audit Testing Processes – efficiencies in AS5
• End-to-end Certification Mgmt
• Linking risks and controls to multiple regulations / processes
• Integrated control management
• Closed-loop issue remediation and reporting
• Workflow reassignment

Page 41

GRC Orchestration: Unifies risk and compliance documentation with automated monitoring & notification

• Enterprise GRC System of Record for Process / Policy and Compliance Documentation Mgmt
• Integrated Control Management
• Integrated, Centralized Survey Management
• Closed-loop Issue Remediation & Reporting
• Supports all Enterprise functional groups/users: Internal Audit, SOX, Corp Compliance and Risk Mgmt

Document: COSO/COBIT Frameworks, Risk-Control Matrix, Policies and Procedures, Evidence & Records Retention
Assess: Perform Risk Assessment, Test Manual Controls, Scope Audits, Monitor Automated Controls
Analyze: Receive Alerts, Review Reports, Investigate Exceptions
Respond: Remediate, Retest, Optimize
Certify: Sign-off and Publish

Page 42

Content Management is the Cornerstone: Single System of Record for Compliance Information

Central Repository – Secure Enterprise Search – Date Effective – Chain of Custody

• Link policies and procedures to laws, regulations, and standards as evidence of compliance
• Link shared policies and controls across laws, regulations, and standards
• Apply and track permission-based access to policy and procedure documents
• Leverage advanced search function with familiar look and feel

(Diagram: All Content Types, Search, Single Source of Information)

Page 43

GRC Manager: Provides single repository for Regulatory Objectives, Risks, Controls

(Screenshot)

Page 44

GRC Manager - Entity Level Controls: Provides library to share controls and reduce testing

A single control can be shared across the organization’s separate business units.

Page 45

GRC Manager – User Defined Hierarchies: Provides many-to-many linkage for Objectives, Risks, Controls

Multiple hierarchies exist to represent regulations, business units and financial structures.

Page 46

A full version history is maintained for all changes to all compliance elements in GRC Manager. You can always “go back in time” to view the state of your compliance environment as of “XX/YY/ZZ” date, by simply clicking on the history tab and selecting the earlier version.

Page 47

No Surprises

(Diagram: GRC Application Suite architecture, as on Page 25)

• Pre-built dashboards aggregate information from all sources
• Combine GRC information from the entire stack
• Role tailored Analytics
• Produce attestations and disclosures
• Briefing Books – segmenting critical data to diverse groups
• Email alerts

Page 48

No Surprises: Enterprise Visibility to GRC. Secured and targeted delivery of role-based dashboards

(Sample notification from Oracle GRC Manager)
This is to notify you of Regulatory alerts requiring your attention. The Executive Dashboard is awaiting your review.
Please use the following link to access your reports
Go To “Executive Dashboard”

• Easy to use
• Transparency across ALL GRC initiatives
• Summarized view of key information, highlighting potential trouble areas
• Graphical, Tabular, Drill down and integrated…

Page 49

(Dashboard screenshots)

• Open issue identification by business cycle and who originated it.
• Identify which business units are having the most control issues.
• See which process is failing and which regulations are impacted.

Page 50

Perform top-down risk based scoping by tying risks, control status, and issues to the consolidated financial picture.

Page 51

Why GRC?

(Diagram: Safeguard Reputation, Best Business Practice, Compliance)

• GRC has become best business practice for efficiency
• Control user access and reduce risk of fraud
• Automation reduces cost of compliance
• Inappropriate use of Finances
• Purchasing Policy Violations
• Data Security Leaks
• Accounting Standards, SAS-112, Privacy Laws, Other Federal and State regulations
• BOARD MEMBERS – from industry – now expect Sarbanes-Oxley type controls and reports

Page 52