RISK MANAGEMENT FROM ON PREMISE TO THE CLOUD – A FOCUS ON CONTROLS 03/01/2017

Alliance session 4373 risk management from on premise to the cloud – a focus on controls


PRESENTERS

Lewis Hopkins

Snr Applications Consultant

Smart ERP Solutions


Security and Risk Management since 2003.

Board member – OAUG GRC Customer Group.


AGENDA

• About Smart ERP Solutions, Inc.

• Review of Risks

• Technologies

• Q&A


ABOUT SMART ERP SOLUTIONS, INC

Innovative solutions and services to automate, streamline and simplify ERP applications.

Achieve Best-In-Class Performance

Our mission is to provide innovative, configurable, flexible, cost-effective solutions to common business challenges, enabling our clients to save time, increase productivity, minimize costs, and maximize their return on investment.

Solutions: Business applications that offer organizations an end-to-end solution providing the right design and implementation from start to finish.

Services: A 24/7 seasoned and experienced staff of experts to help you implement your business solutions efficiently and effectively at a cost-effective rate.

Cloud: Cloud applications provide solutions built on proven enterprise class architecture that enable high configurability and ease of monitoring.


SMARTERP & ORACLE Embracing Partnerships with Oracle / PeopleSoft and Our Clients


CURRENT RISKS Finance Student Finance HR


THE IMPACT OF TIME

$75k loss at <7 months; $150k at 19 months; $965k at 61 months +

[Chart: Loss over Time. X-axis: Time, 7 to 61 months. Y-axis: Loss in $.]


PROACTIVE VS REACTIVE MEASURES

“PROACTIVE MEASURES catch fraud sooner and minimize losses. Frauds that are caught by reactive measures last longer and cause more harm.”

• Surveillance / Monitoring, IT Controls: $59k

• Tip or Confession: $184k

• Notification by Law Enforcement: $1.25m


GRAMM-LEACH-BLILEY ACT & THE DEPARTMENT FOR HIGHER EDUCATION

GLBA requires institutions to, among other things:

• Develop, implement, and maintain a written information security program.

• Designate the employee(s) responsible for coordinating the program.

• Identify and assess risks to student information.

• Design and implement an information safeguards program.

• Select appropriate service providers that are capable of maintaining appropriate safeguards.

• Periodically evaluate and update the security program.

ED plans to incorporate the GLBA security controls into the Annual Audit Guide and will look at GLBA compliance as part of institutions' annual student aid compliance audits.


MANAGING CONTROLS AND RISKS IN ERP

1. No Segregation of Duties out of the box

2. Difficult to answer who has access to what

3. Reports in ERP technically orientated

4. No way to document Risks and Controls ‘inside ERP’


MANAGING CONTROLS AND RISKS OUTSIDE OF ERP

Today we use spreadsheets, but with spreadsheets…

• No workflow

• No audit trail

• Difficult to create attachments

• Purely acts as a data store, cannot take actions within spreadsheets

• No segregation of duties or data

• Too much effort to manage users and get them to carry out their tasks

• If someone did something they were not supposed to do, we have to manually track and fix it

• Difficult to track progress of actions

• Too much effort to provide executive snapshot

Financial Controller, Vision Corp


TECHNOLOGIES Cloud


FINANCIAL RISK CLOUD

Risk Management Cloud service that:

• Streamlines internal control assessments

• Automates labor-intensive tasks required to complete external certifications for SOX/NIST or similar legislation


BENEFITS

• Replace Spreadsheets

• Does not depend on the ERP Platform, no integration

• Detail Risks and their impact

• Provide workflow approval for process owners


• Sample Risks:

• “Potential fraud may occur in payroll due to inappropriate access and transactions”

• “Changes to master data information that is not authorized or incorrectly entered which causes errors to sales, credit, or payment related transactions.”


• Sample Controls:

• “Ensure SoD within payroll functions”

• “Review changes to master data information, including change owner”


Assessments distribute tasks to process owners along with the Test Plan.

Instructions included:


Issues are raised

Status of Issue recorded


Risk Reports help identify Controls that have issues or failures to help assess the Organization’s overall Risk Management position.


TECHNOLOGIES On Premises


SMART SEGREGATION OF DUTIES

Embedded within PeopleSoft

• Detective and Proactive SoD scanning

• Interactive Reports and Dashboards

• Mitigations/Exceptions

• Rules stored in PeopleSoft

• Read Only


ABILITIES

• Abilities contain the Security required to perform a task or duty


RULES

Ability 1 – Create Vendor

Component 1 OR Component 2 OR Component 3 OR Component 4 OR

AND

Ability 2 – Approve Vendor

Component 1 OR Component 2 OR Component 3 OR Component 4 OR

Rule: Create Vendor & Approve Vendor


STRUCTURED REPORTING


Ability 1 – Create Vendor

Component 1 OR Component 2 OR Component 3 OR Component 4 OR

A: “Should we have 200 Users who can Create a Vendor?”

B: “There should only be 5 people who can do this!”
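The ability and rule structure from the RULES and STRUCTURED REPORTING slides, as an added example (not Smart ERP's code and not part of the original deck): an ability is held when a user has any one of its components, a rule fires when a user holds all of its abilities, and the per-ability report answers the "how many users can Create a Vendor" question. Component names, users and the mitigation entry are constructed for illustration.

```python
# Constructed sample data: component, user and mitigation entries are hypothetical.
ABILITIES = {  # ability -> components; holding ANY one grants the ability (OR)
    "Create Vendor": {"CREATE_COMP_1", "CREATE_COMP_2", "CREATE_COMP_3", "CREATE_COMP_4"},
    "Approve Vendor": {"APPROVE_COMP_1", "APPROVE_COMP_2", "APPROVE_COMP_3", "APPROVE_COMP_4"},
}
RULES = {  # rule -> abilities; holding ALL of them is an SoD conflict (AND)
    "Create Vendor & Approve Vendor": ["Create Vendor", "Approve Vendor"],
}
USER_ACCESS = {  # user -> components reachable through their roles
    "alice": {"CREATE_COMP_2"},
    "bob": {"CREATE_COMP_1", "APPROVE_COMP_3"},
    "carol": {"APPROVE_COMP_1", "CREATE_COMP_4", "CREATE_COMP_1"},
    "dave": {"REPORT_COMP_9"},
}
MITIGATIONS = {("carol", "Create Vendor & Approve Vendor")}  # documented exceptions


def held_abilities(components):
    """Map each ability the user holds to the components that grant it."""
    return {name: sorted(comps & components)
            for name, comps in ABILITIES.items() if comps & components}


def scan(user_access, mitigations=frozenset()):
    """Return one finding per user and rule where every ability in the rule is held."""
    findings = []
    for user, components in sorted(user_access.items()):
        held = held_abilities(components)
        for rule, needed in RULES.items():
            if all(a in held for a in needed):
                findings.append({
                    "user": user, "rule": rule,
                    "evidence": {a: held[a] for a in needed},
                    "status": "mitigated" if (user, rule) in mitigations else "open",
                })
    return findings


def ability_report(user_access):
    """Structured report: which users hold each ability, conflict or not."""
    report = {name: [] for name in ABILITIES}
    for user, components in sorted(user_access.items()):
        for name in held_abilities(components):
            report[name].append(user)
    return report


if __name__ == "__main__":
    for f in scan(USER_ACCESS, MITIGATIONS):
        print(f["status"], f["user"], f["rule"], f["evidence"])
    print(ability_report(USER_ACCESS))
```

The evidence field records which components produced each ability, which is what a reviewer needs to decide whether to remove access or document a mitigation.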


SUMMARY

Risk Management Cloud


THANK YOU!