ORACLE® FINANCIAL AUDIT SCOPING TOOL BLUEPRINT FOR ORACLE GRC APPLICATIONS

USER & INSTALL GUIDE

Last Updated: Monday, June 28, 2010

Version: 1.0

Copyright © 2010 Oracle Corporation All Rights Reserved


Oracle Financial Audit Scoping Tool Blueprint for Oracle GRC Applications User & Install Guide

Copyright © 2010, Oracle and/or its affiliates. All rights reserved.

Primary Author: Denise Fairbanks Simpson

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

This documentation is protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish or display any part, in any form, or by any means.

The software provided with this documentation is provided "as-is"; Oracle disclaims all express and implied warranties, including, the implied warranties of merchantability or fitness for a particular use. Oracle shall not be liable for any damages, including, direct, indirect, incidental, special or consequential damages for loss of profits, revenue, data or data use, incurred by you or any third party in connection with the use of these materials.

This software and documentation may provide access to or information on content, products and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third party content, products and services. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third party content, products or services.


Table of Contents

1. Oracle Financial Audit Scoping Tool Overview
    1.1. Oracle Financial Audit Scoping Tool Blueprint Overview
    1.2. Blueprints for Oracle GRC Applications Overview
    1.3. Oracle Enterprise Governance, Risk and Compliance Manager Overview
    1.4. Oracle Hyperion Financial Manager, Fusion Edition Overview
        1.4.1. HFM Extended Analytics

2. Getting Started
    2.1. Basic Procedure
    2.2. Associations in EGRCM

3. Managing Sources
    3.1. Overview
    3.2. Defining a Financial Source
    3.3. Defining a Source Point of View
    3.4. Key Definitions

4. Scoping Workbench
    4.1. Overview
    4.2. Scoping Procedure
    4.3. Filtering by Perspectives
    4.4. Filtering by Financial Profile
    4.5. Filtering by Risks
    4.6. Account Results
        4.6.1. Account Results Table Columns
    4.7. Scope Tab
        4.7.1. In-Scope Controls Cart Columns
    4.8. Insights Tab

5. Installing the Financial Audit Scoping Tool
    5.1. Prerequisites
    5.2. File List
    5.3. Installation Procedure

6. Manual Integration with HFM
    6.1. Overview
    6.2. Configure an HFM-EA Data Source
    6.3. Configure a Hyperion User with Access to HFM-EA
    6.4. Use HFM-EA to Extract Financial Dimensions and Values

7. Glossary


1. Oracle Financial Audit Scoping Tool Overview

1.1. Oracle Financial Audit Scoping Tool Blueprint Overview

The Financial Audit Scoping Tool (FAST) Blueprint helps mitigate financial reporting risk by facilitating both a top-down, risk-based approach and a bottom-up, controls-coverage approach to audit scoping.

The blueprint integrates Oracle Enterprise GRC Manager (EGRCM) with Hyperion Financial Management (HFM) to allow auditors and managers to evaluate business process risks based on their impact on financial balances. This capability helps organizations to better plan for focused audits that deliver improved assurance without increasing the resources needed to perform the audit.

EGRCM enables customers to manage GRC-related business processes across the enterprise and HFM enables customers to centralize financial reporting and enterprise consolidations. FAST enables Auditors to scope controls for assessment and testing by bringing together Financial Management accounts, entities and balances along with associated risks and mitigating controls from EGRCM into a single workbench view to design the controls assessment using both advanced filtering and ad-hoc selections.

The blueprint delivers:

• A unified workbench that brings HFM and EGRCM data together into a single workspace

• Consolidated significant accounts in HFM that are mapped to controls in EGRCM are readily identified, as well as associated risks

• Controls that are identified as in-scope are easily assigned to testers in an assessment plan

• Executive dashboards with the financial coverage of the assessment plan, as well as the type and nature of the controls that are in scope

1.2. Blueprints for Oracle GRC Applications Overview

Oracle Blueprints for Oracle GRC Applications solve pressing business problems by extending Oracle GRC applications with ready-to-use best practice content, and by integrating Oracle GRC applications with other Oracle and non-Oracle products. Each blueprint helps customers and partners accelerate implementation timelines, extend the value of existing investments in Oracle GRC applications, and enable the Oracle GRC ecosystem to share thousands of hours of collective experience.

All blueprints for Oracle GRC applications are available for download from the Oracle Technology Network at oracle.com/technology/grc and can include pre-defined content, pre-packaged integrations, sample code, source code, and application configurations. Oracle authored blueprints are available for deployment at no cost and are distributed as-is in an open-source format. Oracle Blueprints for Oracle GRC Applications are not covered under Oracle licensing and lifetime support obligations.

1.3. Oracle Enterprise Governance, Risk and Compliance Manager Overview

Worldwide, legislators, regulators and investors are placing increasing mandates on businesses to improve transparency and controls over financial and compliance reporting. Laws such as the U.S. Sarbanes Oxley Act, Canadian Bill 198, OMB Circular 123A, and Japanese SOX (J-SOX), are forcing organizations to adopt rigorous approaches to documenting and testing internal processes and controls. Oracle's Enterprise Governance, Risk and Compliance Manager provides the solution to these requirements.

Enterprise Governance, Risk and Compliance Manager (EGRCM) helps reduce the cost and complexity of compliance and helps leverage compliance efforts to create new process efficiencies. A set of self-contained, loosely coupled functional modules called Application Modules collectively provide an integrated system of components necessary to manage Governance, Risk, and Compliance objectives. Application modules in EGRCM include a GRC Framework Application Module and a Financial Governance Module.

1.4. Oracle Hyperion Financial Manager, Fusion Edition Overview

Oracle Hyperion Financial Management, Fusion Edition (HFM) is a comprehensive, Web-based application that delivers global collection, financial consolidation, reporting, and analysis in one highly scalable solution.

Financial Management includes the following features:

• One unified view of enterprise financial information consolidates key performance and operating metrics from global sources in a scalable, Web-based application.

• "Virtual close" features trim days and weeks off your close cycle using Web-based intercompany reconciliations and a consistent set of data and business measures.

• Powerful multidimensional analysis identifies and reports new sources of profitability and cash flow at corporate, cost center, product, brand, customer, and channel levels.

• Flexible "what if" scenario management feature dynamically consolidates and reports all financial budgets, forecasts and plans, producing new statements as assumptions and facts change.

• High-volume, pre-formatted reports deliver timely, accurate financial information for internal management and external regulatory and government bodies from the same application.

• Prepackaged features are deployed out-of-the-box, quickly and cost-effectively, including features such as world-class allocations, multi-currency translations, and robust data integration with legacy applications, ERP, and CRM systems.

• Customizable and extensible application solves your issues quickly and cost-effectively, using industry standard tools.

1.4.1. HFM Extended Analytics

The HFM Extended Analytics module is the means by which this blueprint solution calls, extracts and stores certain HFM metadata and consolidated financial amounts. HFM Extended Analytics supports multiple output formats, but this blueprint solution uses the Standard Relational Star Schema format. The Extended Analytics module enables you to create multiple star schemas per application.

Note: To use Extended Analytics, you must be assigned the security role of Administrator or Extended Analytics.

Refer to the Oracle HFM, Fusion Edition Administrators Guide for more information on the HFM Extended Analytics Module.


2. Getting Started

2.1. Basic Procedure

To begin using the Financial Audit Scoping Tool:

1. Navigate to the Financial Audit Scoping Tool using the URL provided to you by your system administrator.

2. From the Navigation menu, choose Manage Sources.

a. Set up a connection to source data.

b. Create a Source Point of View: This is a slice of data that uses multidimensional selection criteria from the HFM data source. The slice can consist of, for example, accounts, time periods and an organization.

c. Run the synchronization process to populate and update dimension and fact data values between the data source and AS5 Scoping Module.

3. From the Navigation menu, choose Scoping Workbench. The Scoping Workbench is used by Internal Auditors to define the scope of Controls Assessments.

2.2. Associations in EGRCM

After you have run the Scoping Tool, Hyperion dimensions are created as perspectives in EGRCM. You can create the following associations with these perspectives:

• Controls can be associated with the Organization and Accounts perspectives at any level

• Processes can be associated with the Account perspective. Risks can be associated to Processes. Controls can be associated to risks.


3. Managing Sources

3.1. Overview

To manage sources, you must:

• Define a Financial Source. This is the HFM instance. You can either select a source that has already been defined, or create a new one.

• Create a Source Point of View: This is a saved slice of data that was created using multidimensional selection criteria from the HFM data source. The slice can consist of, for example, accounts, time periods and an organization. The point of view provides dimension mapping between the source data and the target Scoping Module.

3.2. Defining a Financial Source

You must either choose an existing Financial Source or enter values in the following fields to establish a connection between EGRCM and the source data:

• Source Name: Enter a user-defined name for the connection.

• Source Type: Enter Hyperion, Oracle or PeopleSoft.

• Entity Mapping

• Account Mapping

• Connection Interface: Choose either Manual or Extended Analytics.

  o When you set the connection interface to Manual, FAST uses the existing star-schema. Both types of connection interfaces create the EGRCM perspectives and UDA values from the data source.

  o If you choose Extended Analytics, a standard star-schema of HFM dimension and fact data is generated and FAST calls HFM via Extended Analytics and creates the data source. If you choose Extended Analytics, you must also enter the following details:

      HFM User Name

      HFM Password

      Hyperion Application: Enter the Hyperion Application that the connection will connect to. This field only appears when you select Hyperion as the type.

      HFM URL: Enter the URL that is used to invoke the Hyperion Web Services wrapper to extract the Extended Analytics data. This field is enabled only for the Hyperion type.

• DB Username: Enter the username for the database connection.

• DB Password: Enter the password for the database connection.

• Schema Prefix

• DB URL

Once you have entered the information, click the Test Connection button to validate that the connection is established with the source data.


Upon successfully testing the connection, click Save to keep the connection information.

3.3. Defining a Source Point of View

Create a Source Point of View to specify the slice of data (the "point of view") that you want to analyze and scope. To create a source point of view:

1. Select a value for each of the following HFM dimensions:

a. Name

b. View

c. Value

d. Period

e. Year

f. Scenario

g. ICP

The HFM dimensions are mapped to an EGRCM UDA string value. HFM Accounts are mapped to the EGRCM Account perspective, and HFM Entities are mapped to the EGRCM Organization perspective.

2. Click the Synchronize button to generate a new standard star-schema database file that is read into the EGRCM Scoping Module.

This data includes:

• The EGRCM perspectives and perspective items


• Associated UDAs for Organization and Accounts including financial values

• A Scoping Perspective that is used only in the AS5 Scoping Module and is exposed in the Workbench. This is explained in the Scoping Workbench section of this guide.

Note: The process is run on demand. Allow sufficient time for the process to complete before proceeding to the Scoping Workbench. The time to complete this process varies depending on the amount of data processed. The pop-up closes when the synchronization process is complete and the perspectives are created. If you close the browser before the synchronization is complete, you can verify that the process completed by checking if the Organization and Account perspectives are created in EGRCM.

3.4. Key Definitions

The following are key definitions for HFM and EGRCM used in the Scoping Module. Refer to the HFM Users Guide and EGRCM Users Guide for additional information.

• HFM Dimensions: Dimensions describe an organization's data and usually contain groups of related members. Examples of dimensions are Account, Entity, and Period. Financial Management supplies eight system-defined dimensions and enables you to populate up to four custom dimensions that you can apply to accounts.

• HFM Accounts: The Account dimension represents a hierarchy of natural accounts. Accounts store financial data for entities and scenarios in an application.

• HFM Entities: The Entity dimension represents the organizational structure of the company, such as the management and legal reporting structures. Entities can represent divisions, subsidiaries, plants, regions, countries, legal entities, business units, departments, or any organizational unit. You can define any number of entities. The Entity dimension is the consolidation dimension of the system.

• EGRCM Perspectives: Perspectives provide hierarchical shape, structure and organization for core business components such as risks, controls and GRC components. They also support key user activities such as analytics and reporting. Perspective management provides a centralized interface for users to define different views into the GRC data.

• EGRCM Accounts: Financial Governance Accounts is a delivered hierarchy, but it does not contain any pre-seeded perspective items (i.e., detailed accounts). You can add accounts to fit your business needs.

• EGRCM Organizations: Organization is a delivered perspective type that has additional features that are not available to other perspective types. The relationship to the organization perspective item is propagated down to the other related business components. The business component within the information model that will be the focal point for the organization propagation is defined in the module configuration. For example, in the Financial Governance module, business process objects must have an associated Organization perspective.

• EGRCM User Defined Attributes: User customizations that provide additional classification or other clarifying information to an object (i.e., Account Perspectives).


4. Scoping Workbench

4.1. Overview

The Scoping Workbench is where you (as the Auditor) determine the scope of the Controls Assessment. The workbench is organized into several sections that facilitate an iterative scoping process by utilizing embedded analysis, key indicators, tables and graphs. Not all sections of the workbench are required.

The Scope tab accumulates the various controls that have been selected into a shopping cart. The cart and the controls contained within it are programmatically set up as a formal Controls Assessment Plan that is managed in EGRCM.

4.2. Scoping Procedure

The general procedure for scoping is:

1. Choose a Financial Source, then click the Connect icon. This is the HFM data source that was created using Manage Sources.

2. In the Perspective Profile region, click the Add icon to add the EGRCM perspectives for HFM Accounts and HFM organizations.

3. The Financial Profile region refines the criteria based on financial amounts using methods such as threshold amount or percentage threshold or organization and accounts. The amounts shown are pulled from HFM and read into the FAST workbench from the star-schema data source.

4. The Risk Profile region integrates with EGRCM and enables selecting controls by their related risk characteristics. Controls can include controls that are related directly to risks or controls that are indirectly related to risks and controls via EGRCM perspective mappings and component associations (that is, the relationships are derived from the EGRCM information model setup). You can filter by tolerance, which is based on risk context. You can also extend the risk criteria by selecting a risk class, risk likelihood level, impact level, or control stratification value.

5. Click the Search button to find Accounts and Organizations that meet the selection criteria and all other related data (see the Account Detail table).


6. Click the Refresh button to see your search results. In this example, the Balance Threshold is set to 1000000:

7. Select appropriate organizations and accounts from the search results.

8. Click the Scope Mapped Controls button to see the mapped control details for your selected accounts and organizations.

9. Click the Save and Continue button.

10. Click the Add Selected to Scope button to add the controls to the list of In-Scope Controls for Assessment.

11. In the Scope panel, click the Refresh icon to refresh the list of in-scope controls.


12. Select a control from the list to view the In-Scope Control Details such as control type, method, related risks and associated perspectives.

13. Click the Insights tab to graphically display details of the In-Scope Controls.


14. On the Scope tab, choose Create Assessment from the Actions menu to create a new assessment plan for the in-scope controls. The assessment will be managed in EGRCM. In addition to creating the assessment, you can also choose to initiate the assessment.

15. To view the assessment in EGRCM:

a. Log in to EGRCM.

b. Choose GRC Tools from the Navigator.

c. Choose Manage Assessments from the Tasks list.

d. The Assessment plan that was created for the In-Scope Controls that you identified and selected in the Scoping Workbench is displayed for each Assessment Activity.

4.3. Filtering by Perspectives

The HFM dimensions that were mapped and synchronized on the Manage Sources page are displayed in the Scoping Workbench as Perspectives that include the Perspective Items. You can use one or more Perspectives and associated Perspective Items to begin scoping the Controls Assessment at a high level, typically by a combination of Organization and Financial Account. In addition to the Organization and Account perspectives, the AS5 Scoping Module generates an AS5 Scoping Perspective that facilitates the selection and analysis of significant organization and account combinations that include HFM financial values by Scenario, Year, Period and View. In the examples in this chapter, the AS5 Scoping Perspective is used as an example of the selection made in the AS5 Scoping Workbench.

You can select from one or more Perspectives using selection criteria. Selections can be made at the detail or the node level. Perspectives can be added or deleted from the selection table using the Add or Delete icons in the table menu bar.

4.4. Filtering by Financial Profile

Financial Profile filters can be used to further specify the selections made on the Perspective. Methods for filtering returned results based on the Financial Values are:

• Threshold (Threshold Amounts): For example, accounts of $200,000 (or greater).

• Balance Percentage: You can filter financial balances as a percentage of Organization and Account at either node or detail levels.


You can also select an Organization and Account for the profile.

4.5. Filtering by Risks

Risk Filters:

• Leverage the information in the EGRCM Risk Management Component

• Enable you to create refined rules that target Controls that are of significant Risk for AS5 Audit or other top-down risk-based scoping process.

• Are optional

• Will not apply if the EGRCM Risk Management Component has not been implemented

EGRCM enables you to relate controls directly to one or more risks and to map Controls to Accounts and Organizations. You can select a Risk Class so that the risk levels are measured using the same model and methodology, including qualitative, quantitative and semi-quantitative model types. Similarly, the Risk Rating can have a different Significance Model for each risk. Select the Risk Context to ensure the consistent filtering of Risk Ratings.

Controls Stratification refers to the assignment of a Control to a particular risk. Because controls are frequently shared to mitigate multiple risks, the value of the control stratification can vary depending on the risk to which it is related. Values for Control Stratifications are: Key, Compensating, Monitoring and Redundant.

4.6. Account Results

The Accounts results table displays rows of Organization and Account combinations based on previous selection and filtering criteria. You can configure the columns from the View menu. The Table can be detached and expanded as necessary. All columns can be sorted in ascending or descending order.

Selecting rows in the account table populates the Scoped Mapped Controls Table with the Controls that are mapped to the Accounts and meet the Risk and Control Stratification criteria. If you make any changes to your selection criteria, click the Search button and then the Refresh button to update the information shown in the Accounts table.

4.6.1. Account Results Table Columns

The Account table is comprised of the following columns:

• Organization: Displays the organization perspective with the top, intermediate nodes and detail items that are concatenated into a string.

• Account: Displays the detail account level.

• Balance: Displays the financial values extracted from HFM and processed during the Synchronization Process. If Balance account filters were applied, the amounts column displays those rows that meet the account filtering methods.

• Control Cost: Displays the control cost field from EGRCM control management component. Cost can be expressed in any unit of measure including US dollars, hours or other units of work.

• Perspective Items: This is an aggregate value of the number of perspective items mapped to the control. It excludes the account and organization perspective items which are displayed in their own columns.


• Mapped Controls: Displays the number of controls that are mapped to a particular organization-account combination. The control count varies depending on the applied risk filters in the selection step. For example, if the Control Stratification filter is set to show only Key Controls, the control count shows only Key Controls, instead of all controls.

• Related Risks: Displays a count of risks. There is a configuration option in FAST where you can specify if direct risks or both direct and indirect risks are counted. Indirect risks are determined by the EGRCM setup and perspective mapping.

4.7. Scope Tab

The In-Scope Controls Cart is used as a staging area for creating a controls assessment plan. The data in the table provides information for you to determine which specific controls should be included in any particular assessment plan. Graphs with key indicators for coverage and controls information assist you in finalizing the set of controls to be included in the control assessment plan.

4.7.1. In-Scope Controls Cart Columns

You can view the following In-Scope Controls Cart columns:

• Control: A short name that describes the nature of the control.

• Frequency: A property of the control that indicates how often the control should be run.

• Cost: The control cost field from EGRCM control management component. Cost can be expressed in any unit of measure including US dollars, hours or other units of work.

• Control Type: The type of control. Types of controls are Preventive, Corrective, and Detective.

• Control Method: The control method, which can be Manual or Automatic.

• Related Risks: Displays a count of risks. There is a configuration option in FAST where you can specify if direct risks or both direct and indirect risks are counted. Indirect risks are determined by the EGRCM setup and perspective mapping.

• Associated Perspective: The perspective is shown with the top, intermediate nodes and detail items concatenated into a string.

From the Actions menu, you can choose:

• Remove Selected: Removes the selected control(s) from the cart and sets the Scope Setting to not In-Scope.

• Clear Scope: Removes all items from the current cart.

• Save Scope: Saves the current cart for either re-use (for example, when creating a new cart for a similar controls assessment plan) or to save the work in progress and return to it for additional changes before finalizing and creating an assessment plan.

• Load Scope: Replaces the current contents of the cart with the content of a previously saved cart. The loaded cart can be modified and saved as either a new or existing name.


• Create Assessment: Once the In-Scope Controls Cart is complete, select the create assessment button to generate the control assessment plan and template in EGRCM. Once created in EGRCM, you can manage the assessment plan using the EGRCM functionality. Refer to the EGRCM Users Guide for information on Managing Assessments.

• Generate Scope Spreadsheet: Generates a spreadsheet that shows all accounts for a given Point of View and specifies whether or not they are in scope.

4.8. Insights Tab

Use the Coverage Charts for coverage and controls information to assist in finalizing the set of controls to be included in the control assessment plan. The charts are rendered based on the controls that are currently in the In Scope Control Cart. There are two categories of charts:

• Coverage

o Financial Coverage: Displays the total financial value of the accounts and organizations brought into EGRCM AS5 Scoping Module during the synchronization setup process. Accounts and Organizations that are mapped to Controls display the relative financial values that have at least one control flagged as in scope, compared to the financial values that currently do not have any in-scope controls (including financial accounts and organizations that may not have any controls set up).

o Count of Controls, Accounts, Risks, Standards: Displays the total number of active controls, accounts, risks and mapped standards in EGRCM compared to what is currently in the In Scope Control Cart.

• In-Scope

o In-Scope: Controls by Stratification: Displays the categorization of controls by their risk-related controls stratification value. Because a control can be shared across more than one risk it may also have multiple stratification values for each related risk. Each occurrence of a control's stratification value is included in the chart total (thus, shared control counts may be duplicated).

o In-Scope: Controls by Scope Type: Displays the categorization of controls by their scope type such as Audit Testing, Assessment, Design, Operating, and Certify.

o In-Scope: Controls by Type: Displays the categorization of controls by type such as Detective, Preventive, or Corrective.

o In-Scope: Controls by Method: Displays the categorization of controls by their methods such as Manual and Automatic.

5. Installing the Financial Audit Scoping Tool

5.1. Prerequisites

The following must be installed before you can install the Financial Audit Scoping Tool:

• Oracle 11g database

• WebLogic 11g with ADF runtime libraries

• Oracle's Enterprise Governance Risk and Compliance Manager Release 8.0.1. For additional information, refer to the Enterprise Governance Risk and Compliance Manager Implementation Guide.

• Oracle's Hyperion Financial Management Release 11.1.1. For additional information, refer to the Hyperion Financial Management Implementation Guide.

This integration uses the EGRCM JNDI data source for database interaction.

5.2. File List

Ensure that the delivered Zip file contains the following files:

• The Application EAR file – EgrcmHfmIntg_application1.ear

• SQL Scripts:

o HfmApplDatabaseScript.sql

o Demo_data.sql

o eGRCMHfmIntSeed_AssTempPlan.sql

o eGRCMHfmIntSeed_TreeUpdate.sql

o eGRCMHfmIntSeed_UDTUDA.sql

o eGRCMHfmIntSeed_OrgAccTree.sql

o eGRCMHfmOptionSeed.sql

o install_fast.sql

o create_fast_synonyms_proc.sql

o create_fast_synonyms_tbl.sql

o create_fast_synonyms_seq.sql

5.3. Installation Procedure

Follow these steps to install the Financial Audit Scoping Tool. Note that these are the basic steps. Refer to the README file that is packaged with the install script for additional details.

1. Create the FAST Schema, assigning the following privileges to it:

• Create public synonym

• Drop Public Synonym

• Resource

• Connect

For example:

create user fast identified by fast;
grant resource, connect, create public synonym, drop public synonym to fast;

2. If you are using the Manual Interface (that is, if you are not using the HFM Extended Analytics Interface), ensure that the star schema is imported into the FAST schema.

3. Unzip the file into a separate directory (for example, scoping_tool) on the same machine where the WLS is installed.

4. Deploy the EAR file manually using the WLS Console as follows:

i. Log in to the WLS Console and navigate to the Deployments screen.

ii. Click the Install button and select the EAR file from the scoping_tool directory.

iii. Click Next until finished.

5. Run the Install_fast.sql SQL script from the SQL prompt. You will need access to the FAST and GRC schemas.

6. Install Demo Data (optional). If you need the delivered Process, Risks and Controls, then you must run this SQL script. To run this script:

i. Log in to sqlplus as the GRC user.

ii. At the SQL prompt, run @demo_data

7. To verify the installation, navigate to the home page of the Scoping Tool application. For example:

http://<server_name>:<port_no>/EgrcmHfmIntg-EgrcmHfmIntgUI-context-root/faces/oracle/apps/grc/framework/egrcmhfmintg/page/ScopingWorkBenchPG.jspx

Replace the server_name and port_no with appropriate values.
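A privilege check for the schema created in step 1, as an added example that is not part of the Oracle guide: it lists what the FAST schema actually holds and reports any of the four required grants that are missing. It assumes the schema is named FAST, as in the guide's own example, and that you run it from a session that can read the DBA_* dictionary views.

```sql
-- Added example, not part of the Oracle guide. Run as a DBA after step 1.
-- Assumes the schema is named FAST, as in the guide's own example.

-- 1. Every role and system privilege granted directly to FAST.
--    Anything outside the four grants from step 1, or anything held
--    WITH ADMIN OPTION, is marked REVIEW.
--    On Oracle 11g, granting RESOURCE also adds the UNLIMITED TABLESPACE
--    system privilege, so expect that row to appear as REVIEW.
SELECT 'ROLE' AS grant_type,
       granted_role AS granted,
       admin_option,
       CASE
         WHEN granted_role IN ('CONNECT', 'RESOURCE') AND admin_option = 'NO'
         THEN 'expected'
         ELSE 'REVIEW'
       END AS status
FROM   dba_role_privs
WHERE  grantee = 'FAST'
UNION ALL
SELECT 'SYSTEM PRIVILEGE',
       privilege,
       admin_option,
       CASE
         WHEN privilege IN ('CREATE PUBLIC SYNONYM', 'DROP PUBLIC SYNONYM')
              AND admin_option = 'NO'
         THEN 'expected'
         ELSE 'REVIEW'
       END
FROM   dba_sys_privs
WHERE  grantee = 'FAST'
ORDER  BY 1, 2;

-- 2. Grants that step 1 requires but FAST does not hold.
--    No rows returned means step 1 is complete.
SELECT r.required AS missing_grant
FROM  (SELECT 'CONNECT' AS required FROM dual
       UNION ALL SELECT 'RESOURCE' FROM dual
       UNION ALL SELECT 'CREATE PUBLIC SYNONYM' FROM dual
       UNION ALL SELECT 'DROP PUBLIC SYNONYM' FROM dual) r
WHERE  r.required NOT IN
       (SELECT granted_role FROM dba_role_privs WHERE grantee = 'FAST'
        UNION ALL
        SELECT privilege FROM dba_sys_privs WHERE grantee = 'FAST');
```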

6. Manual Integration with HFM

6.1. Overview

The standard, out-of-the-box HFM Extended Analytics (HFM-EA) feature is used for creating an external star schema of the HFM financial management dimensions and values. The star schema is then used by the Oracle GRC applications for scoping and tracking financial audits.

This chapter describes the manual method of using HFM-EA. The basic steps are:

1. Configure an HFM-EA data source.

2. Configure a Hyperion user with access to HFM-EA.

3. Use HFM-EA to extract financial dimensions and values.

6.2. Configure an HFM-EA Data Source

This section describes how to create an HFM-EA data source that resolves to the Oracle Enterprise GRC Manager (EGRCM) database schema. To use the HFM-EA module, you must set up an OLAP data source name (DSN) for the database that will store the star schema, and then configure the DSN with the Hyperion Financial Management configuration utility.

Note: Do not use the relational database and UDL file for Extended Analytics that you use for your Financial Management applications. Create a database for the exported star schema data, and a UDL file that points to the database.

The data source and UDL file must point to the Oracle EGRCM database because it will be used to store the extract produced by the HFM-EA engine.

The target schema on the EGRCM database must have CONNECT and RESOURCE grants, can be an empty/new schema, and can be named as desired (for example, grc_audit_scoping).

For detailed configuration instructions, refer to the Oracle Hyperion Enterprise Performance Management System Installation and Configuration Guide, including the Configure Financial Management Data Source for Extended Analytics section.

You must install OLE DB Provider. If it is not installed by default, you must also install the Oracle ODBC driver on the HFM system because the destination database that will be used for HFM-EA is an Oracle database.

To create a new connection:

1. Run EPM System Configurator and select Foundation Services -> Create Connection:

2. Enter the connection details for the Oracle EGRCM database:

3. Create a new UDL file for the data source inside the HFM products directory:

If required, the UDL file can be encrypted to protect the destination schema password. Refer to “Encrypting UDL File” in the Oracle Hyperion Enterprise Performance Management System Installation and Configuration Guide for details.

4. Rerun EPM System Configurator. Select “Configure Financial Management for Extended Analytics,” and specify the new DSN and the UDL file created in the previous step.

6.3. Configure a Hyperion User with Access to HFM-EA

If security classes are being used with HFM for fine-grained user access to one of the twelve HFM dimensions, you must:

1. Verify that your HFM-EA user account has the role Extended Analytics associated with it. This role is required in order to access the Extended Analytics administrative function.

2. Verify that your HFM-EA user account is a member of each security class in HFM that is required to access the data you want to extract. You can only extract data that you have access to via the HFM Security Classes.

Security classes are used for data striping in a typical HFM deployment. For example, if you want User A to only see financial data in business unit B, you would define an HFM security class called "Business Unit B", and assign User A to that class.

The default Hyperion Administrator account includes the Extended Analytics permission.

6.4. Use HFM-EA to Extract Financial Dimensions and Values

Follow this procedure to configure an HFM-EA template that generates an HFM data extract for use by Oracle GRC applications.

1. Log in as an HFM user with the Extended Analytics permission.

2. Navigate to the Extended Analytics module using the HFM Administration toolbar within EPM Workspace for the relevant HFM Application.

3. Define the point of view (POV) for the template.

The data combinations in the star schema are created based on the dimension members that you select to export. The more dimension members you select, the more data combinations must be created in the star schema, and the more time the export process needs to complete. You can calculate the number of data combinations by multiplying the number of members selected for each dimension.

Caution! Do not select to export all members from every dimension; select segments of data to export. Depending on the application size, the number of data combinations and the amount of time needed to complete the export could be excessive.

For example, you can export this data:

• Scenario – Actual

• Year – 2009

• Period – July

• View – Periodic

• Entity – Regional, United States, Florida, Connecticut

• Value – USD

• Account – Gross Margin, Sales, Total Costs

• ICP – [None]

• C1 – Balls, Tennis Balls, Golf Balls

• C2 – All Customers, Customer2, Customer3, Customer4, Customer5

• C3 – [None]

• C4 – [None]

4. Select the data source and save the template.

5. Follow these steps to create an HFM-EA template, which enables you to name and save POVs so that you can use them again. To save the template, complete these steps:

a. From Destination Database (DSN), select the database to which you are exporting the star schema. This should be the DSN you created in step “Configure an HFM-EA data source.”

b. For Relational Table Prefix, you must enter “IFRS” or the Oracle GRC Audit Scoping tool will not recognize the extract.

c. Confirm that Extract Format is set to Standard.

d. Confirm that Exclude Dynamic Accounts is checked.

e. Click Save.

f. Enter a template name.

g. Optional: To overwrite a template, select Overwrite.

h. Click Save.

i. Click OK.

6. Verify that the application data is consolidated.

7. Perform the Create Schema action and track the progress as follows:

a. Click on the Create Star Schema action

b. Monitor the schema creation progress

8. The extract will create the following tables in the destination database:

• HFM_EA_EXTRACT

• HFM_LOCK_ACCESS

• IFRS_ACCOUNT

• IFRS_CUSTOM1

• IFRS_CUSTOM2

• IFRS_CUSTOM3

• IFRS_CUSTOM4

• IFRS_ENTITY

• IFRS_FACT

• IFRS_ICP

• IFRS_PARENT

• IFRS_PERIOD

• IFRS_SCENARIO

• IFRS_VALUE

• IFRS_VIEW

• IFRS_YEAR
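A post-extract check for step 8, as an added example that is not part of the Oracle guide: it reports which of the tables listed above are missing from the destination schema and finds star schemas exported under a prefix other than IFRS, which step 5b says the scoping tool will not recognize. The schema name GRC_AUDIT_SCOPING is an assumption taken from the guide's example name; substitute your own destination schema.

```sql
-- Added example, not part of the Oracle guide.
-- Assumes the HFM-EA destination schema is GRC_AUDIT_SCOPING (the guide's
-- example name) and that the session can see that schema's tables.

-- 1. Tables from step 8 that do not exist in the destination schema.
--    No rows returned means the extract created the full set.
SELECT e.column_value AS missing_table
FROM   TABLE(sys.odcivarchar2list(
         'HFM_EA_EXTRACT', 'HFM_LOCK_ACCESS',
         'IFRS_ACCOUNT', 'IFRS_CUSTOM1', 'IFRS_CUSTOM2', 'IFRS_CUSTOM3',
         'IFRS_CUSTOM4', 'IFRS_ENTITY', 'IFRS_FACT', 'IFRS_ICP',
         'IFRS_PARENT', 'IFRS_PERIOD', 'IFRS_SCENARIO', 'IFRS_VALUE',
         'IFRS_VIEW', 'IFRS_YEAR')) e
WHERE  NOT EXISTS (SELECT 1
                   FROM   all_tables t
                   WHERE  t.owner = 'GRC_AUDIT_SCOPING'
                   AND    t.table_name = e.column_value)
ORDER  BY 1;

-- 2. Fact tables exported under a different Relational Table Prefix.
--    Any row here points to a template saved without the IFRS prefix.
SELECT table_name AS unexpected_fact_table
FROM   all_tables
WHERE  owner = 'GRC_AUDIT_SCOPING'
AND    table_name LIKE '%\_FACT' ESCAPE '\'
AND    table_name <> 'IFRS_FACT';

-- 3. Confirm the extract actually loaded data.
SELECT COUNT(*) AS fact_rows
FROM   grc_audit_scoping.ifrs_fact;
```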

7. Glossary

• Assessment: A business process and its risks and controls require periodic review of how they are defined and implemented to ensure that the appropriate level of documentation and control is in place. An assessment is used to evaluate the validity and effectiveness of controls, risks, and the business process to find out if any element is missing, out of place, or has changed. You can perform assessments on a single or multiple risks, controls and a combination of risk and controls.

• Control: A control is an existing process, policy, device, practice or other action that acts to minimize negative risk or enhance positive opportunities.

• Risk: A risk is defined as the chance of an event occurring that will have a positive or negative impact on the objectives of the organization or a division.

• Risk Analysis: Understanding the nature of and deducing the level of the risk.

• Risk Assessment: Appraising the risk definition and evaluating the systems and business processes they support. Assessment types include certification and audit.

• Risk Context: The risk context defines the general parameters for how risks must be managed and the scope for the enterprise risk management process. The Risk Context should include the organization's external and internal environment and the purpose of the risk management activities. For example, when an organization is defining their Risk Context, they should establish their overall strategies, objectives, goals, scope, and the understanding of the parameters for the risk activities.

• Risk Evaluation: Comparing the level of the risk against risk criteria. The risk criteria are the terms of reference by which the significance of risk is assessed. Risk criteria can include associated cost and benefits, legal and statutory requirements, socioeconomic and environmental aspects, the concerns of stakeholders, priorities and other inputs to the assessment. The risk context is used when evaluating the risk.

• Risk Identification: Determining risk classification and associations.

• Risk Treatment: Selecting and implementing a method of addressing the risk with a goal of minimizing the risk's negative consequences.