Inspiring Your Next Success!® Company Confidential - Copyright 2010 Hitachi Consulting
Oracle GRC Application Controls: A Layered Defense
Atlanta Oracle Applications Users Group Meeting – January 29, 2010
How the Oracle GRC Suite Can Reduce Business Costs and Improve IT Security
Introduction to the GRC Team
> Kevin Mims, Senior Manager at Hitachi Consulting
> Andy Pope, Manager at Hitachi Consulting
> Paul Steffen, Manager at Hitachi Consulting
> Ryan Henderson, GRC Specialist at Hitachi Consulting
Agenda
> Introductions
> Hitachi Consulting Oracle Practice Overview
> Why GRC? Business Challenges in the Client Space
> How the Oracle GRC Solution Can Help
> Focus on Oracle GRCC Suite
» Oracle Application Access Controls Governor (AACG)
» Oracle Transaction Controls Governor (TCG)
» Oracle Preventive Controls Governor (PCG)
» Oracle Configuration Controls Governor (CCG)
> Oracle ERP Implementation Overview – Where do GRC Applications fit in?
> Methodology and Planning
> Keys to Success
> Lessons Learned
> The Hitachi Consulting Solution
> Q&A
Hitachi Consulting Background
> Hitachi Consulting is the U.S.-based business and IT consulting division of Hitachi Ltd., and a globally recognized leader delivering value-based business strategies and technology solutions
» Revenues of approximately $450M globally
» 1200 employees in the US with offices also in Europe and Asia, 2500 employees globally
> With more than 25 years business process, vertical industry, and leading-edge technology experience, our consultants are seasoned in a multitude of disciplines and work with clients to transfer their knowledge and experience every step of the way
Client industry mix (chart): Industrial Products 25%; High Tech Manufacturing & Software Providers 23%; Communications, Media & Entertainment 16%; Food & Beverage, Consumer Goods Mfg. & Retail 13%; Healthcare & Biotech 7%; Engineering & Construction 5%; Other 5%; Financial Services 4%; Energy & Utilities 2%
Hitachi Consulting founded November 2000
> Hitachi made a strategic decision to enter the IT and business consulting services market in the United States, as the outcome of a study by McKinsey
> With the acquisition of Grant Thornton’s consulting business in November 2000, “Hitachi Consulting” was born
> The Company was re-branded to Hitachi Consulting in May 2003, as the “business and IT consulting unit of Hitachi”
> Hitachi Consulting has grown organically and through a series of strategic acquisitions
Company timeline, 2000 to 2010 (chart): Strategy Foundation; Integration & Profitability; Globalization, Growth & Value
Deep Oracle Expertise
> Hitachi Consulting ranked 6th overall in Oracle’s NA Partner Performance metrics
> Oracle is Hitachi’s #1 EA Practice (both revenue and headcount)
» 400+ Oracle Consultants (80% functional, 20% technical)
» 100+ completed or ongoing 11i implementations
» 15+ completed or ongoing R12 implementations
> Oracle Titan Award Winner
» 2006 – EBS System Integrator
» 2007 & 2008 – Integration and SOA
» 2008 – Edge Applications
> Global Certified Advantage Partner
> Certified OnDemand Partner
> Oracle Partner of the Year, 5 of last 8 years
> Ranked #3 Partner for Oracle Commercial
> Internal Apps and Tech Labs support Biz Flow Accelerators
> Member, Oracle Field Advisory Board: Flow Manufacturing, Advanced Planning & Scheduling, Warehouse Management, Process Manufacturing, Enterprise Asset Management
> Member, Oracle Industry Advisory Board: Process Manufacturing, Industrial Manufacturing, High Tech Manufacturing
Hitachi Consulting’s Oracle Practice
> Global Reach with Local Focus
» Hitachi Ltd. – one of the top 15 Business and IT consultancies in the world
» Hitachi Consulting was formed from the Grant Thornton and Arthur Andersen Business Consulting Practices.
» Full service consultancy inclusive of IT infrastructure, Supply Chain, Change Management, and Enterprise Application Deployment.
> Oracle Practice
» Our national Oracle practice grew at 60% last year while our Southeast Oracle practice grew by over 170%.
» Experience working with Oracle Development by being first implementers of 11i Process Manufacturing (with Order Management, iStore and Purchasing), Flow Manufacturing and WMS.
» Member of Oracle’s Field Advisory Board for Flow Manufacturing, Advanced Planning and Scheduling, Warehouse Management, and Process Manufacturing.
» Full service Oracle 11i solution offering from audit through reimplementation.
> Tool Sets
» Significant investment in Oracle-centric implementation tools and methods including the development of our AIM Plus methodology.
» Collaborative approach – working with customers, Oracle Sales and Oracle Development.
> Track Record
» Current and completed Oracle implementations in the Southeast:
• Ames True Temper
• Angelica Textile Services
• Fidelity National Financial
• Fidelity Information Services
• Lender Processing Services
• EMS Technologies
• Equifax
• Internet Security System (ISS)
• Internap
• Tekelec
• Welding Services
• World Fuel Services
• Manheim
Abstract
> The Oracle Governance, Risk, and Compliance (GRC) Enterprise Solution is an effective tool that businesses can use to improve IT security and help insure against fraud, negligence, and other corporate vulnerabilities. Companies that implement a GRC package will observe an enhancement of corporate governance, comprehensive risk mitigation, and a significant reduction in audit and compliance costs.
> GRCC serves as the foundational core of Oracle’s GRC Enterprise Solution and works with two higher level components, the GRC Manager and GRC Intelligence.
> The foundation for Oracle’s GRC Enterprise Solution is the GRC Controls Suite, an embedded, linked set of modules that can be used to safeguard sensitive corporate information. The modular components are organized around specific duties that can be operated both independently and in conjunction with one another.
2010 Developments in the GRC Space
> 89% of risk professionals surveyed reported investments in GRC technology will increase or stay the same in 2010 *
> 62% said the current financial crisis has increased the priority of enterprise-wide risk management *
> AMR reports after a two-year period of decline, GRC spending growth returns in 2010, by expanding to nearly $30B **
> In May 2008, Standard and Poor’s announced a plan to include enterprise risk management (ERM) assessments into individual corporate credit ratings of nonfinancial companies. These plans are intended to be enacted in 2010 ***
* OpenPages 2009 Survey of over 50 strategic risk, governance and finance professionals. (marketwire.com)
** AMR, November 2009, “GRC in 2010: $29.8B in Spending Sparked by Risk, Visibility, and Efficiency”
*** Standard & Poor’s, RatingsDirect, “Progress Report: Integrating Enterprise Risk Management Analysis Into Corporate Credit Ratings”
Why GRC?
> What types of problems are we solving?
> Example 1: Clerk at NYSE-traded food sector corporation was able to change bank account info without cross-check; $10MM transferred before fraud was discovered. *
> Consequences: $10MM frozen pending litigation; public confidence shaken due to notoriety.
> Example 2: NYSE-traded energy sector corporation applied a production patch that reset vendor tolerances, and didn’t notice the change for nine months. *
> Consequences: Their internal audit team had to do extensive work to prove there were no abuses, and their external auditors performed substantial transaction examination.
* Research per Oracle. Numbers are derived from Oracle customer testimonials and 3rd party studies, like those cited in Compliance Weekly or PwC.
Common GRC Challenges in the Client Space
> No Standardized Policies and Procedures
• No appropriate standard framework for audit and compliance activities
• Inconsistent audit plans, work paper methodologies, etc.
> No Real Time Visibility and Communication with Data
• Transactions occurring daily within the business
• Fields or configurations that are changed by Users
> Non-Standard Information
• Multiple legacy systems with disparate uses and different architectures
• No common platform for reporting and consolidation
> Cost of Compliance Activities
• Cumbersome and manual process to audit
• Many man hours ‘chasing paper’
> No Clearly Defined Roles and Responsibilities
• Roles within the business are unclear
• Responsibility for audit and accountability for system functions are blurred
* Per Oracle.
How GRC Simplifies Internal Controls
> Single Source: Multiple GRC activities working together
> Controls Automation: Proactive response to mitigate risk
> Embedded Controls: Provide real time monitoring and management
> Seeded Content: Out of the box policies and templates
Solution stack (diagram), top to bottom:
» GRC Intelligence: Dashboards, Reports, Alerts, Key Risk Indicators
» GRC Manager: Processes, Risks, Assessments, Issues, Procedures, Remediation, Policies
» GRC Applications: Application Access Controls Governor, Transaction Controls Governor, Configuration Controls Governor, Preventive Controls Governor
» Applications: EBS Infrastructure
The GRCC Compliance Framework
> Builds a values-driven culture that improves worker productivity and resource management
> Minimizes corporate risk by controlling access to sensitive areas of business
> Simplified and flexible responses to conflicts of interest and other HR concerns
> Establishes a company’s reputation as a compliance leader and empowers it to fulfill its strategic vision
GRCC (Platform)
> Composed of two GRC Application Controls modules (diagram: GRCC Platform with AACG 8.5 and TCG 8.5):
» Application Access Controls Governor (AACG)
• Regulates access to duties assigned in Oracle E-Business Suite
» Transaction Controls Governor (TCG)
• Detects and prevents erroneous and fraudulent transactions
> Shared Administrative Functions:
» Connects modules to E-Business Suite
» Takes “snapshots” of transactional data
» Integrates with other GRC applications (PCG, GRCM, GRCI)
AACG Enforcement Process
> Define: Define Access Policies, Access Points, and Entitlements (ex. enter supplier vs. payment)
> Detect: Use Conflict Analysis Tools to identify policy violations (ex. SOD violations and undesired user access)
> Remediate: Resolve conflicts by cleaning up the EBS (ex. removing a responsibility from a user in the EBS)
> Prevent: Preventive enforcement through the User Provisioning tool (ex. synchronization with PCG Form Rules)
Access Policies – Ensuring Segregation of Duties
> Access policies identify responsibilities and duties that conflict
> Policies are composed of:
» Access points: Object that allows a user to do something (ex: roles, responsibilities, etc.)
» Entitlements: Groupings of access points
(Diagram: Access Points are grouped into Entitlements, which an Access Policy relates, with an effective date)
ERP SOD Control Library:
» Oracle 11.5.1: 216 Policies
» Oracle R12: 232 Policies
* Each policy is comprised of several sub-policies and controls based on complexity; the sum total is over 3,000 per ERP.
Finding Conflicts
> Evaluate security protocols
> Identify policy violations
> Use the Visualization to analyze conflict paths
> See how users, menus, and responsibilities all connect
(Screenshots: Identify conflicting roles, responsibilities, and users; the visualization tool provides a graphic representation of the conflict spreadsheet)
Remediation
> Graphic representation of a firm’s operating structure
> Builds a step-by-step remediation plan to follow
> Accessible conflict reporting
> Heat Map tables help identify key risk indicators
> Users can remove a privilege path and find the remediation plan automatically built by AACG
> Provides a “what if” analysis, which simulates a remediation plan
Preventive Enforcement - User Provisioning
> Automatically applies access policies to each user assigned responsibilities in the EBS
> Activating responsibilities requires a Conflict Analysis to run to confirm that no violations occur
(Screenshot: New responsibility is automatically end-dated)
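The AACG building blocks of the last four slides (access points grouped into entitlements, a policy relating two entitlements, conflict analysis with intra- and inter-responsibility paths, a "what if" removal, and the provisioning check that end-dates a conflicting responsibility), as an added Python model that is not Oracle's or Hitachi Consulting's code. The entitlement names, responsibilities and users are constructed sample data, and the second policy is an assumption modelled on the "journals entered and posted by the same individual" example later in the deck.

```python
from dataclasses import dataclass

# Entitlement -> access points (EBS responsibilities). Constructed sample data.
ENTITLEMENTS = {
    "Enter Supplier": {"AP Supplier Entry", "Purchasing Super User"},
    "Pay Supplier":   {"AP Payments", "Purchasing Super User"},
    "Enter Journal":  {"GL Journal Entry"},
    "Post Journal":   {"GL Journal Posting", "GL Super User"},
}

# Access policy = (name, entitlement A, entitlement B) that one user must not
# hold together. The first is the deck's "enter supplier vs. payment" example.
POLICIES = [
    ("Enter supplier vs. payment", "Enter Supplier", "Pay Supplier"),
    ("Enter vs. post journal",     "Enter Journal",  "Post Journal"),
]

@dataclass(frozen=True)
class Violation:
    user: str
    policy: str
    path: tuple   # (responsibility on side A, responsibility on side B)
    kind: str     # "intra": one responsibility grants both sides; "inter": two

def analyze(user, responsibilities):
    """Conflict analysis: every policy violation for one user's responsibilities,
    one record per conflict path so a report can show how the user reached it."""
    found = []
    for name, ent_a, ent_b in POLICIES:
        side_a = responsibilities & ENTITLEMENTS[ent_a]
        side_b = responsibilities & ENTITLEMENTS[ent_b]
        for ra in sorted(side_a):
            for rb in sorted(side_b):
                found.append(Violation(user, name, (ra, rb),
                                       "intra" if ra == rb else "inter"))
    return found

def provision(user, current, new_resp):
    """Preventive enforcement: run conflict analysis on the proposed assignment
    and end-date (refuse) the new responsibility if it introduces a violation."""
    already = {v.policy for v in analyze(user, current)}
    introduced = sorted({v.policy for v in analyze(user, current | {new_resp})}
                        - already)
    return {"granted": not introduced, "end_dated": bool(introduced),
            "reasons": introduced}

def what_if_remove(user, current, resp):
    """Remediation 'what if': violations left after removing one privilege path."""
    return len(analyze(user, current - {resp}))

if __name__ == "__main__":
    for v in analyze("alice", {"AP Supplier Entry", "AP Payments"}):
        print(v)
    print(provision("carol", {"GL Journal Entry"}, "GL Super User"))
```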
Transaction Controls Governor
> “Models” classify transactional risk
» Key on specific tables that need to be monitored
» Filters, patterns, and functions specify parameters
» Drag and drop business objects to create models
(Screenshot: Business Objects, Filters & Patterns, and Models; identify filter types and set thresholds)
Model Workbench
> Manage multiple models from the Model Workbench
> Schedule synchronization jobs to ensure accuracy
> Reports identify Who, What, When and Where a violation occurred
Transaction Real World Examples
> Test against Material Thresholds
» JE > $ threshold
» Employee Checks (individual & sum) > $ threshold
> Search for Anomalies
» PO terms differ from vendor
» Sales orders > acceptable $ range
> Sampling of Transactions
» 4th quarter invoices
» Days sales outstanding balances
> Detect Fraudulent Behavior
» PO changes after approval
» Duplicate suppliers with same address
> Embed Preventive / Automated Compensating Controls
» Alert on customer transactions over $ threshold
» Prevent journals from being entered and posted by same individual
* Per Oracle.
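Four of the models listed above (JE over a threshold, journal entered and posted by the same individual, duplicate suppliers at one address, PO changed after approval) written as filters, a pattern and a function over business objects, with each hit reported as a Who/What/When/Where suspect line as the Model Workbench slide describes. This is an added example, not TCG's own code; the rows and the table labels in `where` are constructed.

```python
from collections import defaultdict
from datetime import datetime

FMT = "%Y-%m-%dT%H:%M"

# Constructed rows standing in for EBS business objects (tables).
JOURNALS = [
    {"id": "JE-1", "amount": 250000, "entered_by": "pat", "posted_by": "pat",
     "posted_at": "2010-01-20T09:00"},
    {"id": "JE-2", "amount": 1200, "entered_by": "sam", "posted_by": "lee",
     "posted_at": "2010-01-21T10:30"},
]
SUPPLIERS = [
    {"id": "S-10", "name": "Acme Ltd", "address": "1 Main St",
     "created_by": "pat", "created_at": "2009-12-01T08:00"},
    {"id": "S-11", "name": "ACME Limited", "address": "1  MAIN ST",
     "created_by": "pat", "created_at": "2010-01-19T17:45"},
    {"id": "S-12", "name": "Globex", "address": "9 Side Rd",
     "created_by": "kim", "created_at": "2009-11-03T11:00"},
]
PURCHASE_ORDERS = [
    {"id": "PO-7", "approved_at": "2010-01-05T12:00",
     "changed_at": "2010-01-06T08:00", "changed_by": "sam"},
    {"id": "PO-8", "approved_at": "2010-01-05T12:00",
     "changed_at": "2010-01-04T08:00", "changed_by": "kim"},
]

def suspect(model, row, who, when, where):
    """One report line: which model fired plus who, what, when and where."""
    return {"model": model, "what": row["id"], "who": who, "when": when, "where": where}

def je_over_threshold(rows, threshold=100000):
    """Filter: journal amount above a material $ threshold."""
    return [suspect("JE > threshold", r, r["entered_by"], r["posted_at"], "journals")
            for r in rows if r["amount"] > threshold]

def je_same_enterer_poster(rows):
    """Filter: journal entered and posted by the same individual."""
    return [suspect("JE entered and posted by same user", r, r["posted_by"],
                    r["posted_at"], "journals")
            for r in rows if r["entered_by"] == r["posted_by"]]

def duplicate_supplier_address(rows):
    """Pattern: two or more suppliers sharing one normalised address."""
    groups = defaultdict(list)
    for r in rows:
        groups[" ".join(r["address"].upper().split())].append(r)
    return [suspect("Duplicate supplier address", r, r["created_by"],
                    r["created_at"], "suppliers")
            for members in groups.values() if len(members) > 1 for r in members]

def po_changed_after_approval(rows):
    """Function: purchase order modified after its approval time."""
    return [suspect("PO change after approval", r, r["changed_by"],
                    r["changed_at"], "purchase_orders")
            for r in rows
            if datetime.strptime(r["changed_at"], FMT) > datetime.strptime(r["approved_at"], FMT)]

# Each model is keyed to the business object it monitors.
MODELS = [(je_over_threshold, JOURNALS), (je_same_enterer_poster, JOURNALS),
          (duplicate_supplier_address, SUPPLIERS), (po_changed_after_approval, PURCHASE_ORDERS)]

def run_models(models=MODELS):
    """Run every model against its business object and gather the suspects."""
    return [s for model, rows in models for s in model(rows)]
```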
Preventive Controls Governor
> Set of applications that run within Oracle EBS as a component of the GRC Application Suite
> Four sets of rules:
» Form Rules: Modifies security, navigation, field and data properties
» Flow Rules: Defines & implements business processes
» Audit Rules: Tracks changes to the values of fields in database tables
» Change Control: Regulates changes to the values of fields in EBS forms
Form Rule Capabilities
» Modify Security Settings
» Create Messages
» Edit Field Properties
» Hidden Field
» Field Required
» Edit Background
» Edit Prompt
» Hide Field Data
» Edit Messages
Audit Rules
> Document changes to database field values
» Old vs. New Values
» Transaction Type (Insert, Update or Delete)
» User Responsible for Change
» Timestamp
Change Control
> Ensure Data Integrity
> Regulate changes to fields in EBS forms
> Set approval and reason code requirements for enforced management
(Screenshots: Enable visual attributes to identify controlled fields; build reason codes to clarify why a change occurred)
Configuration Controls Governor (CCG)
> Monitor setup data in Oracle EBS
» Identify differences between ERP instances
» Maintain Data Consistency
» Standardize and resolve any problems before a rollout
> Reports available in PDF, HTML, & Excel formats
> Compare across multiple instances and different points in time
CCG Content Libraries
> CCG comes with seeded content libraries for EBS R12
> Monitors 550+ setup configurations
> Organized around three Oracle EBS Applications:
» BASE ENGINE: Common Modules, Alert, Application Object Library, System Administration
» FINANCIALS: Payables, Receivables, General Ledger, Subledger Accounting, Legal Entity Configurator, E-Business Tax
» PROCUREMENT: iProcurement, Purchasing
Change Tracking Reports
> Change Tracking Reports are presented in an easily accessible format
> Users and administrators can monitor before-and-after values, responsible user, and time stamps
(Screenshot: report columns answer Who? What? Where? When?)
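The snapshot comparison and change tracking that the CCG slides describe, and the Insert/Update/Delete record with old vs. new value, responsible user and timestamp that the Audit Rules slide lists, as one added Python example that is not Oracle's or Hitachi Consulting's code. It assumes each setup row carries the EBS WHO columns (last_updated_by, last_update_date); the instances, setup names and values are constructed, modelled on the "patch reset vendor tolerances" case from the Why GRC slide.

```python
# A setup row: its value plus the EBS "WHO" columns, which is what lets a
# change-tracking report say who changed the value and when.
def row(value, updated_by, updated_at):
    return {"value": value, "last_updated_by": updated_by, "last_update_date": updated_at}

def take_snapshot(instance, taken_at, setup):
    """A snapshot: the setup rows of one instance at one point in time."""
    return {"instance": instance, "taken_at": taken_at, "setup": dict(setup)}

def diff_snapshots(before, after):
    """Change records between two snapshots: Insert/Update/Delete with the
    before-and-after values and the who/where/when of the change."""
    changes = []
    for key in sorted(before["setup"].keys() | after["setup"].keys()):
        old, new = before["setup"].get(key), after["setup"].get(key)
        if old == new:
            continue
        kind = "Insert" if old is None else "Delete" if new is None else "Update"
        src = new or old   # WHO columns come from the surviving (or last known) row
        changes.append({"type": kind, "what": key,
                        "old": old["value"] if old else None,
                        "new": new["value"] if new else None,
                        "who": src["last_updated_by"], "when": src["last_update_date"],
                        "where": after["instance"]})
    return changes

def compare_instances(snapshots, reference):
    """Differences of every other instance from a reference instance,
    e.g. TEST vs. PROD before a rollout."""
    ref = next(s for s in snapshots if s["instance"] == reference)
    return {s["instance"]: diff_snapshots(ref, s) for s in snapshots if s is not ref}

def change_tracking(snapshots):
    """Change tracking for one instance across successive snapshots."""
    ordered = sorted(snapshots, key=lambda s: s["taken_at"])
    return [c for prev, cur in zip(ordered, ordered[1:]) for c in diff_snapshots(prev, cur)]

# Constructed data: PROD before and after a patch that reset a tolerance,
# and a TEST instance that is missing one setup row.
PROD_JAN01 = take_snapshot("PROD", "2010-01-01", {
    "AP: Invoice price tolerance %": row(5, "SYSADMIN", "2009-06-01"),
    "AP: Quantity tolerance %": row(2, "SYSADMIN", "2009-06-01"),
})
PROD_JAN15 = take_snapshot("PROD", "2010-01-15", {
    "AP: Invoice price tolerance %": row(100, "PATCHUSR", "2010-01-10"),
    "AP: Quantity tolerance %": row(2, "SYSADMIN", "2009-06-01"),
})
TEST_JAN01 = take_snapshot("TEST", "2010-01-01", {
    "AP: Invoice price tolerance %": row(5, "SYSADMIN", "2009-06-01"),
})

if __name__ == "__main__":
    for c in change_tracking([PROD_JAN15, PROD_JAN01]):
        print(c)
    print(compare_instances([PROD_JAN01, TEST_JAN01], "PROD"))
```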
GRC Application Controls
> Who’s accessing your apps?
» Application Access Controls Governor
> What have they changed?
» Preventive Controls Governor
» Configuration Controls Governor
> Am I financially safe?
» Transaction Controls Governor
* Per Oracle.
Existing Hitachi Consulting GRC Client
> $9M Oracle R12 Financials and Process and Manufacturing implementation spanning 18 countries
> 60+ Legal Entities
> 40+ Consultants
> Modules Include:
» Financials: General Ledger, SLAM, Accounts Payables, Accounts Receivables, eBTax, Project Accounting, Cash Management, Treasury, Fixed Assets, Advanced Collections
» Manufacturing: Inventory, OPM Costing, Bill of Material, WIP, Quality
» Procurement: Purchasing, Purchasing Contracts, AME
» Order Management: Order Management, Advanced Pricing, Shipping, Sales Contracts
» Supply Chain Mgmt: ASCP
» Governance, Risk and Compliance: AACG, TCG, PCG, CCG
Hitachi Consulting Client - GRC Pain Points
(Table columns: GRC Pain Points | Hitachi GRC Solution)
1. Lack of Compliance Framework
• ‘Tone at the Top’ epitomized a ‘lack of focus’ toward compliance
• No formal consistent ‘across the board’ set of policies
• No structured Audit Committee
2. Poor Tech Integration
• Disparate Legacy Systems
• Inadequate monitoring and testing of technology systems
• No controls automation
3. Weak Internal Controls
• Lack of formal roles and responsibilities
• No Segregation of Duties
• Lax IT security
4. Stove Piping
• Information Silos across different Legal Entities/Operating Units
• No global remediation procedure
• Lack of compliance reporting
5. Inability to Audit Daily Transactions
• No continuous controls monitoring
• No Audit Trail
• No view of configuration changes
GRC Methodology and Planning
> PCG
» Components: Form Rules (i.e. limiting access to a field); Flow Rules (i.e. approval rule, informational message on trigger); Audit Rules (i.e. track changes); Change Control Rules (i.e. reason code as to why a field is changed)
» Implementation Activities: Review Future State Business Processes; Review each Oracle module with Client SME and Audit Manager for key fields; Set subscribers; Control spreadsheet with seeded content (1500 Rules)
> CCG
» Components: Snapshots (i.e. capturing specific setup/configuration info); Comparisons (i.e. comparing snapshots between ledgers, operating units, instances); Change Tracking (i.e. monitor any change to configuration)
» Implementation Activities: Review all EBS configurations; Decide what key configuration setups to snapshot; EBS seeded content libraries; Define comparisons; Track changes; Schedule all CCG activities (daily, weekly, monthly)
> AACG
» Components: Segregation of Duties (i.e. Policy Load); User Provisioning (i.e. detection and remediation of SODs); Conflict Reports (i.e. report on intra- and inter-responsibility conflicts)
» Implementation Activities: User Provisioning Process Review; Oracle Seeded Content Load (Out-of-Box Policies); SOD Detection and Remediation; Run User Conflict Reports and Heat Maps; Finalize ERP Responsibilities
> TCG
» Components: Business Objects (i.e. tables and fields within EBS Suite); Parameters (i.e. Filters, Patterns and Functions); Models (i.e. string of business objects that generate suspects)
» Implementation Activities: Review Future State Business Processes; Define Models Using Business Objects; Identify Potential Suspects; Reporting reviewed by Audit Team
A Layered Defense
> Social Security Number field
» AACG – Enforce Segregation of Duties to limit access to HR Responsibility
» TCG – Automated Suspect Report identifying all HR violations
» CCG – Track Changes to HR Configuration (Who, What, Where, When)
» PCG – Hide SS # field and Alert Compliance Department to any changes
Lessons Learned
> Ensure Audit Director/Manager is empowered by the business to make the important decisions
> A deep understanding of Oracle eBusiness Suite is vital to guarantee GRCC success
> Promote a cooperative relationship between the Client Teams to encourage the free flow of ideas
> Plan for dedicated DBA Time for GRC Installations
> Accurate Test Data and Accurate Responsibilities are required for AACG, TCG, and PCG to be successful test events
> SQL skills are required for the comprehensive implementation of PCG
> Operating Units, Ledgers, Legal Entities, and Responsibilities have to be in a fit state to make GRC design effective and accurate
Lessons Learned - GRC Architecture
Questions?
Andy Pope, Manager, Hitachi Consulting, www.hitachiconsulting.com, [email protected]
Ryan Henderson, GRC Specialist, Hitachi Consulting, www.hitachiconsulting.com, [email protected]
Kevin Mims, Senior Manager, Hitachi Consulting, www.hitachiconsulting.com, [email protected]
Paul Steffen, Manager, Hitachi Consulting, www.hitachiconsulting.com, Mobile: 678.665.3389, [email protected]