OAUG / DOAG SIG DAY Vienna, Sept 27th 2010: Oracle Governance Risk and Compliance

OAUG: Automated Controls and Compliance in Oracle E-Business Suite, August 2010


Page 1

Page 2

Focus

Show some hands-on examples of how technical solutions in Oracle’s GRC Suite can help with compliance and controls challenges in Oracle E-Business Suite.

Page 3

Content

The following areas frequently appear in our Controls & Compliance Audits and are sections in this presentation:

A) Restricted Access & Segregation Of Duties (SOD)
A1) Frequent Findings
A2) Example for Oracle GRC “Access Controls”
A3) Lessons learned from GRC Implementations

B) Lack of Control over Transactions and Master Data
B1) Frequent Findings
B2) Example for Oracle GRC “Transaction Controls”
B3) Lessons learned from Implementations

Furthermore, we would like to show business value beside Compliance and Controls improvements:

C) Value proposition of Controls and Compliance automation

Page 4

Overview of the Components of the Oracle GRC Suite

The GRC Suite is Oracle’s answer to challenges arising from Compliance and Internal Control.

GRC Intelligence
• Solution for effective and efficient reporting on compliance activities

GRC Manager
• Management of Risks, Control Gaps and Compliance Gaps
• Efficient Documentation of Controls

GRC Controls
• Access Controls
• Configuration Controls
• Transaction Controls

Today’s topic: Transaction Controls

Business Process

PricewaterhouseCoopers, August 2010. Slide 4: Automated Controls and Compliance in E-Business Suite

Page 5

A1) Lack of Control Access and Segregation of Duties

The System Administrator in a typical Oracle E-Business Suite vanilla implementation has rather limited means for evaluating the access rights granted:

- Check User to Responsibility/Roles assignments via Reports
- Check Menu to Function Assignments via Reports
- ...

By these means it is not possible to provide a precise answer to the question which users can execute a certain business function, such as posting an invoice.

(This is due to the complex hierarchical Form / Menu Structure of the Oracle EBS Function Security Concept.)

Not surprisingly this leads to findings and compliance issues within our audits.


Page 6

A2) How GRC Controls can help to close the Controls and Compliance Gaps - Examples

In the past 3rd party tools (such as PwC Oracle GATE) were used to analyse the access structure in Oracle EBS.

Now Administrators can use a solution which is seamlessly integrated into EBS and features functions for preventive control:

=> “Access Controls” within GRC Controls.


Page 7

A2) Access Controls Demo from our Test

Segregation of Duties simulation:

In the following example we want to check up front the effect a change to a responsibility would have on our defined business policy.

Control Area: Access control during implementation, including segregation of duties

Considerations:
• Company XYZ designs menus and responsibilities based on business activities.
• Segregation of duties and restricted access issues are often not considered at the time of implementation.

Potential Pitfall with Oracle Implementation:
• Potentially sensitive access (critical functions such as close periods or create vendors) and transaction combinations with a risk are not identified for segregation of duty purposes.
• Excessive access is embedded in the roles and responsibilities designed. All users will automatically violate the segregation of duty rules.

GRC Improvement Options:
• Leverage the GRC SOD simulation feature during the responsibility design phase to generate reports on SOD and restricted access issues.
• Prevent and report on potential access and segregation of duty violations based on risks identified.


Page 8

A2) Access Controls Demo from our test system

The following demonstration will show:

• How the simulation feature can be used to analyze the impact on SOD violations from a menu change
− Remove “Payments” function from selected Payables responsibilities.
− Analyze the overall impact on the SOD environment
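The two points above (slide 5: standard reports cannot tell you which users can execute a given function because functions are reached through nested menus; slide 8: simulate removing “Payments” from selected Payables responsibilities and measure the SOD impact) as an added Python example. It is not part of the original presentation and not Oracle GRC or PwC code: the users, responsibilities, menu tree, function names and SOD policies are constructed sample data, and the resolution logic is a toy model of the EBS user -> responsibility -> menu -> function hierarchy.

```python
"""Toy model of the Oracle EBS function security hierarchy (constructed data).

user -> responsibilities -> top menu -> (sub-menus ...) -> form functions

Not Oracle or PwC code; every name below is invented for the example.
"""

# Menu tree: a menu lists sub-menus (keys of MENUS) or leaf form functions.
MENUS = {
    "AP_TOP": ["AP_INVOICES_SUB", "AP_PAYMENTS_SUB"],
    "AP_INVOICES_SUB": ["ENTER_INVOICE", "APPROVE_INVOICE"],
    "AP_PAYMENTS_SUB": ["PAYMENTS"],
    "AP_INQUIRY_TOP": ["AP_INVOICES_SUB"],   # the same sub-menu reused elsewhere
    "PO_TOP": ["CREATE_VENDOR", "ENTER_PO"],
}
# Responsibility -> its top-level menu.
RESPONSIBILITIES = {
    "PAYABLES_MANAGER": "AP_TOP",
    "PAYABLES_CLERK": "AP_TOP",
    "PAYABLES_INQUIRY": "AP_INQUIRY_TOP",
    "PURCHASING": "PO_TOP",
}
# User -> assigned responsibilities.
USERS = {
    "alice": ["PAYABLES_MANAGER"],
    "bob": ["PAYABLES_CLERK", "PURCHASING"],
    "carol": ["PAYABLES_INQUIRY"],
}
# SOD policy -> pair of functions one person must not hold together.
SOD_POLICIES = {
    "AP-01 enter invoice vs. pay invoice": ("ENTER_INVOICE", "PAYMENTS"),
    "AP-02 create vendor vs. pay invoice": ("CREATE_VENDOR", "PAYMENTS"),
}


def menu_functions(menu, excluded=frozenset()):
    """Flatten a menu tree into the leaf functions it grants.

    `excluded` holds menu entries (sub-menus or functions) to skip; this is
    how a simulated removal or a menu exclusion is modelled.
    """
    granted = set()
    for entry in MENUS.get(menu, []):
        if entry in excluded:
            continue
        if entry in MENUS:                 # sub-menu: recurse
            granted |= menu_functions(entry, excluded)
        else:                              # leaf: form function
            granted.add(entry)
    return granted


def user_functions(user, removals=None):
    """All functions a user reaches through any of their responsibilities.

    `removals` maps responsibility -> entries removed from that
    responsibility's menu tree (only that responsibility is affected).
    """
    removals = removals or {}
    granted = set()
    for resp in USERS[user]:
        top_menu = RESPONSIBILITIES[resp]
        granted |= menu_functions(top_menu, frozenset(removals.get(resp, ())))
    return granted


def who_can_execute(function, removals=None):
    """The question the slide says standard reports cannot answer directly."""
    return sorted(u for u in USERS if function in user_functions(u, removals))


def sod_violations(removals=None):
    """Policy -> users who hold both conflicting functions."""
    hits = {}
    for policy, (f1, f2) in SOD_POLICIES.items():
        users = [u for u in USERS if {f1, f2} <= user_functions(u, removals)]
        if users:
            hits[policy] = users
    return hits


def simulate_removal(responsibility, entry):
    """Before/after SOD picture for removing one menu entry from one
    responsibility (the deck's 'remove Payments from selected Payables
    responsibilities' scenario). Returns (before, after, resolved)."""
    before = sod_violations()
    after = sod_violations({responsibility: {entry}})
    resolved = {}
    for policy, users in before.items():
        gone = sorted(set(users) - set(after.get(policy, [])))
        if gone:
            resolved[policy] = gone
    return before, after, resolved


if __name__ == "__main__":
    print("can run PAYMENTS:", who_can_execute("PAYMENTS"))
    before, after, resolved = simulate_removal("PAYABLES_CLERK", "AP_PAYMENTS_SUB")
    print("violations before:", before)
    print("violations after: ", after)
    print("resolved by change:", resolved)
```

Removing the payments sub-menu from PAYABLES_CLERK alone clears bob’s two conflicts but leaves alice’s untouched, because she reaches the same menu through a different responsibility; that per-responsibility effect is exactly what the simulation on the following slides is meant to surface before the change is made.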


Page 9

Select REMEDIATION >> SIMULATION

Navigation: Access Policies > Remediation > Simulation

Page 10

Define simulation scenario details

Action: Create a new scenario by clicking Action > Add

Page 11

Action: Define the scenario details

Page 12

Select SIMULATE and choose the snapshot data to use

Action: Select Simulate

Page 13

Review the impact of the simulation scenario

Action: Review simulation result

Page 14

Can drill down impact Policy > Responsibility > User

You can drill down from Policy > Responsibility > User

Page 15

A2) Not impressed yet?

In addition it is possible to establish preventive control directly within Oracle EBS, to ensure the User Administrators follow your business rules.

Control Area: Access control after go-live + SOD

Considerations:
• Company XYZ assigns responsibilities to users after employment without considering restricted access and segregation of duties issues.

Potential Pitfall with Oracle Implementation:
• Segregation Of Duties and restricted access rules are not enforced at the time of responsibility assignment.
• Even after extensive clean-up effort, additional violations can be created without active enforcement.

GRC Improvement Options:
• Prevent and report on potential access and segregation of duty violations based on risks identified.


Page 16

Action: Remove the end date and hit Initiate Conflict Analysis

Page 17

Action: Review the conflicts

Page 18

A3) Lessons learned from Implementation Projects

It may happen that:
• Business claims that access is an IT Problem?
• You got lost when managing 40,000 Functions by using standard reports?
• Guidelines from business on what functions are “critical” are missing?

You might consider:
• Focusing on Core Functions – Less is more!
• Asking your business what they always wanted to know / restrict!
• Having a look at your last audit report.


Page 19

B1) Lack of Control over Transactions and Master Data

System Default -> Process Default (e.g. on organisation level or in transaction types) -> Override -> Value in Transaction

Override of default values on transaction level is one of Oracle EBS characteristics. Also ex-post changes / amendments to transactions are possible.

Examples:
• Override: Tax Codes override in invoices; Asset Category defaults overrides.
• Transaction changes: Changes to a posted journal’s texts; Amendment to posted invoices.


Not surprisingly this leads to findings and compliance issues within our audits.

Page 20

B2) How GRC Controls can help to close the Controls and Compliance Gaps - Transaction Controls

In the past, extensive forms customizations or manual controls were executed to ensure that defaults were not changed or that non-required fields of the EBS standard were filled consistently.

Now you can apply check rules which are stored in a central repository.


Page 21

B2) How GRC Controls can help to close the Controls and Compliance Gaps - Transaction Controls

The following demonstration will show how Form / Flow Rules can do the following:

− Apply uppercase restriction on Vendor Name for data consistency
− Enforce supplier Tax ID field which is not a required field in Oracle
− Apply format mask (999-99-9999) to supplier Tax ID for data consistency
− Create custom LOV for field SIC Industry Code
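The four form rules listed above, as an added Python example that is not part of the original presentation and not Oracle GRC code: a pre-save validation pass over a vendor record that uppercases the Vendor Name, makes the Taxpayer ID required, applies the 999-99-9999 format mask, and restricts the SIC code to a custom list of values. The field names (`vendor_name`, `taxpayer_id`, `sic_code`), the SIC entries and the sample records are constructed for the example, not taken from EBS.

```python
"""Form rules from the vendor demo as a pre-save validation pass.

Not Oracle GRC code: field names, the SIC list and the records are constructed.
"""
import re

# Rule 3: format mask 999-99-9999 on the Taxpayer ID.
TAX_ID_MASK = re.compile(r"^\d{3}-\d{2}-\d{4}$")

# Rule 4: custom list of values for the SIC (Standard Industry Code) field.
# Constructed sample entries; a real LOV would be maintained by the business.
SIC_LOV = {
    "2834": "Pharmaceutical preparations",
    "3571": "Electronic computers",
    "7372": "Prepackaged software",
}


def sic_lov_search(term):
    """What the LOV popup offers: codes whose code or description match."""
    term = term.lower()
    return sorted(code for code, desc in SIC_LOV.items()
                  if term in code or term in desc.lower())


def apply_form_rules(vendor):
    """Return (normalised record, list of error messages).

    Rule 1: uppercase restriction on Vendor Name.
    Rule 2: Taxpayer ID is required although EBS does not require it.
    Rule 3: Taxpayer ID must match the 999-99-9999 mask.
    Rule 4: SIC code, if given, must come from the custom LOV.
    """
    record = dict(vendor)
    errors = []

    name = (record.get("vendor_name") or "").strip()
    if not name:
        errors.append("Vendor Name is required")
    else:
        record["vendor_name"] = name.upper()                        # rule 1

    tax_id = (record.get("taxpayer_id") or "").strip()
    if not tax_id:
        errors.append("Taxpayer ID is a required field")             # rule 2
    elif not TAX_ID_MASK.fullmatch(tax_id):
        errors.append("Taxpayer ID must be of format 999-99-9999")   # rule 3
    else:
        record["taxpayer_id"] = tax_id

    sic = record.get("sic_code")
    if sic is not None and sic not in SIC_LOV:
        errors.append(f"SIC code {sic!r} is not in the custom list of values")  # rule 4

    return record, errors


def save_vendor(vendor):
    """The rules fire on save: block the save unless every rule passes."""
    record, errors = apply_form_rules(vendor)
    if errors:
        raise ValueError("; ".join(errors))
    return record


if __name__ == "__main__":
    # Constructed sample: wrong-case name, malformed Tax ID, valid SIC.
    print(apply_form_rules({"vendor_name": "Acme Tools",
                            "taxpayer_id": "12345", "sic_code": "2834"}))
    print(save_vendor({"vendor_name": "acme", "taxpayer_id": "123-45-6789",
                       "sic_code": "2834"}))
```

The save is refused as a whole when any rule fails, which is the behaviour the following screenshots show for the “Field must be of format ...” message; normalising the name to uppercase rather than rejecting it mirrors the demo, where the form itself enforces the case.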


Page 22

Action: Create new vendor. UPPERCASE is enforced. Field “Taxpayer ID” is highlighted as a required field.

Page 23

Action: Try to enter an invalid Tax ID format. The save message “Field must be of format ...” is triggered by “Transaction Controls”.

Page 24

Action: Enter the required Tax ID. The form shows red lettering as the ID is entered.

Page 25

Action: Form Rule applies formatting 999-99-9999.

Page 26

Action: Setup Form Rule to require the Tax ID field on the Vendor record, formatted correctly. UPPERCASE will be enforced on Vendor Name.

Page 27

Page 28

Page 29

Action: Navigate to the Classification tab. View the custom LOV for SIC (Standard Industry Code).

Page 30

Action: Select a custom SIC.

Page 31

Setups: Create custom LOV for the SIC code field.

Page 32

Page 33

Page 34

B2) How GRC Controls can help to close the Controls and Compliance Gaps - Transaction Controls with Approval Workflow

Control Area: Inventory Items

Considerations:
• Company XYZ reviews new Inventory Items.

Potential Pitfall with Oracle Implementation:
• Creation / update of new Inventory Items are not monitored.
• New Inventory Items are not approved.
• Required fields are not entered.

GRC Improvement Options:
• Detective control: Notifications given of new Inventory Items based on conditions.
• Preventive control: Field entry can be enforced based on other conditions.
• Preventive control: Approval process for the creation of new items.


Page 35

B2) How GRC Controls can help to close the Controls and Compliance Gaps - Approval workflow with flow rules

The following demonstration will show:

• How Form / Flow Rules can notify the Purchasing department that:
− A new inventory item is created as a “Buy” item, where the Buyer field is Null
− The notification must be completed before further approval of the item


Page 36

Page 37

Action: Leave the Default Buyer field blank.

Page 38

Action: An Inventory Item with Buyer null generates an email.

Page 39

Action: Email generated based on the Flow Rule process. Select the “Completed” button.

Page 40

Action: Selecting the “Completed” button creates a Constraints Failed status notice that cannot be cleared until the Buyer field is filled (not null).

Page 41

Action: Enter the value “Stock, Ms. Pat” for Buyer.

Page 42

Action: Reopen the Constraints Failed notice. Select Completed to finally clear the notice.

Page 43

Setup: Create a Flow Rule to control Workflow and notifications when Item creation is for a “Buy”.

Page 44

Page 45

Page 46

Page 47

Page 48

Page 49

B3) What are the Advantages of Flow Rules compared to Forms Customizations?

Flow rules:
• No impact on the EBS Standard process. Fewer issues when you upgrade your release.
• All rules in one repository with speaking descriptions. You know what you did and why.
• You can have approval workflows for almost whatever you want without losing too much flexibility.

Forms Customization:
• Some Customization changes the Standard – Will you know which one in 5 years?
• “Oh! – Something was done to that form, let me see...”
• You might print out, sign off, file, extract population, hand over to auditor for sampling, receive sample, search for signed printouts, have exceptions....


Page 50

B3) Three good reasons to start with flow rules even if control is not your primary concern.

Flow rules:
• No impact on the EBS Standard process. Fewer issues when you upgrade your release.
• All rules in one repository with speaking descriptions. You know what you did and why.
• You can have approval workflows for almost whatever you want without losing too much flexibility.

Solutions:
• Keep text fields from update when the Journal is posted.
• Keep AR invoice distributions from being changed after being posted to GL.
• Restrict new Lines / Distributions to the GL date if one line was already posted to GL.
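The flow-rule demo of slide 35 (a “Buy” item with an empty Buyer raises a notification to Purchasing that stays in Constraints Failed until the Buyer field is filled) and two of the update locks listed above (posted journal text fields, AR distributions after GL posting), as one added Python example. It is not part of the original presentation and not Oracle GRC code: the rule engine is a toy, and the event names (`item.create`, `journal.update`, `ar_invoice.update`), field names and records are constructed for the example; only the Buyer value “Stock, Ms. Pat” comes from the deck.

```python
"""Toy flow-rule engine for the two demos (constructed data, not Oracle GRC code).

Record events are matched against rules; a rule either blocks the change or
raises a notification, and a notification can only be completed once its
constraint on the record holds.
"""


class RuleViolation(Exception):
    """Raised when a blocking rule rejects a change."""


class ConstraintFailed(Exception):
    """Raised when a notification is completed while its constraint still fails."""


class Notification:
    def __init__(self, rule, record_id, recipient, constraint):
        self.rule, self.record_id, self.recipient = rule, record_id, recipient
        self._constraint = constraint      # callable(record) -> bool
        self.status = "OPEN"

    def complete(self, record):
        """The 'Completed' button: clears the notice only if the constraint holds."""
        if not self._constraint(record):
            self.status = "CONSTRAINTS FAILED"
            raise ConstraintFailed(f"{self.rule}: {self.record_id}")
        self.status = "COMPLETED"


class FlowRuleEngine:
    def __init__(self):
        self.rules, self.notifications = [], []

    def add_rule(self, name, event, condition, action, recipient=None, constraint=None):
        """condition(new, old) -> bool; action is 'block' or 'notify'."""
        self.rules.append(dict(name=name, event=event, condition=condition,
                               action=action, recipient=recipient, constraint=constraint))

    def fire(self, event, new, old=None):
        """Evaluate every rule for this event; return the notifications raised."""
        raised = []
        for r in self.rules:
            if r["event"] != event or not r["condition"](new, old):
                continue
            if r["action"] == "block":
                raise RuleViolation(f"{r['name']}: change rejected")
            n = Notification(r["name"], new["id"], r["recipient"], r["constraint"])
            self.notifications.append(n)
            raised.append(n)
        return raised


def build_engine():
    eng = FlowRuleEngine()
    # Slide 35: "Buy" item created with an empty Buyer -> notify Purchasing;
    # the notice cannot be completed until Buyer is filled.
    eng.add_rule("Buy item without Buyer", "item.create",
                 lambda new, old: new.get("make_or_buy") == "BUY" and not new.get("buyer"),
                 "notify", recipient="purchasing",
                 constraint=lambda rec: bool(rec.get("buyer")))
    # Slide 50: keep text fields of a posted journal from update.
    eng.add_rule("Posted journal text locked", "journal.update",
                 lambda new, old: old["status"] == "POSTED"
                 and new["description"] != old["description"], "block")
    # Slide 50: keep AR invoice distributions from change once posted to GL.
    eng.add_rule("AR distributions locked after GL posting", "ar_invoice.update",
                 lambda new, old: old["posted_to_gl"]
                 and new["distributions"] != old["distributions"], "block")
    return eng


def buy_item_walkthrough():
    """Replays slides 37-42; returns the notification status after each step."""
    eng = build_engine()
    item = {"id": "ITEM-100", "make_or_buy": "BUY", "buyer": None}  # constructed
    (notice,) = eng.fire("item.create", item)            # email to Purchasing
    history = [notice.status]                             # OPEN
    try:
        notice.complete(item)                             # Buyer still null
    except ConstraintFailed:
        pass
    history.append(notice.status)                         # CONSTRAINTS FAILED
    item["buyer"] = "Stock, Ms. Pat"                      # fill the Buyer field
    notice.complete(item)                                 # reopen and complete
    history.append(notice.status)                         # COMPLETED
    return history


def journal_update_allowed(old, new):
    """True if the posted-journal rule lets the change through."""
    try:
        build_engine().fire("journal.update", new, old)
        return True
    except RuleViolation:
        return False


if __name__ == "__main__":
    print(buy_item_walkthrough())
    posted = {"id": "J1", "status": "POSTED", "description": "Accrual"}
    print(journal_update_allowed(posted, dict(posted, description="Accrual (edited)")))
```

The engine keeps every rule in one list with a speaking name, which is the repository argument of the slide; a form customization that achieved the same locks would leave nothing comparable to read five years later.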


Page 51

B3) Lessons learned from Implementation Projects

It might happen that:
• Yes, now we can do it all!
• Followed by “Which Rule keeps me from working today?”
• I like my paper and my auditor requires it!

You might consider:
• Ask your business what manual fixes are required on a daily basis – make quick wins.
• Focus on core functions – Less might be more.
• Have a look at your audit reports.
• Have an early and open discussion on legal requirements.


Page 52

C) Overall Value Proposition

AREA / ORACLE GRC CAPABILITY -> BUSINESS VALUE

PROCESS
• Automate more manual procedures -> Lower transaction cost
• Lower transaction processing time -> Lower transaction cost
• Improve transaction processing accuracy -> Lower transaction cost

PEOPLE
• Refocus your people to higher value tasks -> Improved people experience; Improved customer experience
• Business process ownership -> Restore business process ownership

TECHNOLOGY
• Tailor the system to your business needs without customizing the application -> Low cost of development; Lower cost and risk with applying Oracle patches
• Improve IT change management procedures -> Lower risk of IT changes

COMPLIANCE
• Automate more control procedures -> Lower cost of control execution; Lower cost of control testing
• Dashboard reporting -> Identify risks timely


Page 53

Your Contacts at PwC in Munich

Alexander Götz
Daniela Geretshuber: daniela.geretshuber@de.pwc.com


Page 54

Thank you for your time!

© 2010 PricewaterhouseCoopers. All rights reserved. “PricewaterhouseCoopers” refers to the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.