Transcript

IT ADVISORY SERVICES

KPMG LLP

Oracle Governance, Risk and Compliance (GRC) Overview

June 2008


© 2008 KPMG LLP, a U.S. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. Printed in the U.S.A. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss cooperative. 19045PHL

Presenter Background – Philip McGivney

Philip McGivney

• Senior Manager – Pittsburgh, PA
• 12+ years experience
• Representative Clients: Campbell Soup, HJ Heinz, Estee Lauder, SC Johnson, Shell Chemical, Duquesne Light, Regeneron, Independence Blue Cross


Presenter Background – Jason Lindsley

Jason Lindsley, CPA, CISA

• Manager – Philadelphia, PA
• Pennsylvania Oracle Product Champion
• National Oracle GRC PMO Lead
• 4+ years with KPMG’s Advisory Services
• Representative Clients: ARAMARK Corporation, CROWN Holdings, Inc., IKON Office Solutions, Subaru of America, NRG Energy, Inc., Regeneron Pharmaceuticals, Catalent Pharmaceuticals


Oracle GRC POV Discussion Outline

KPMG Overview

• What is Governance, Risk and Compliance (GRC)?
• Broad Definition and Supporting Technology
• Oracle GRC Application Suite

• Why is Governance, Risk and Compliance (GRC) important?

• Oracle GRC and Approach


KPMG’s Market Offering

What we do:

Our Global Lines of Business:
• Financial Services
• Infrastructure, Government & Healthcare
• Information, Communications & Entertainment
• Consumer Markets
• Industrial Markets
• Private Equity

The Global Services we offer:
• Financial Statement Audit, Statutory Audit, Audit Related Services
• International Corporate Tax, Business Tax, Indirect Taxes, Personal Tax
• Controls Integration and Optimization, Project Execution Assistance, IS Governance, Change Management, Sourcing Advice, Security & Privacy, Attestation Support, Process Design
• Business Case Development, Business and Risk Assessments, Finance Transformation, Business Integration, Investigations (Fraud), Transaction Services

Who are our clients? Global, National and Middle Market entities


Advisory Services Framework

(Figure: the framework is drawn as stacked layers.)

• Skills & Competencies – Technical Skill Specific
• Client Solutions – Skill Bundling (One : Many)
• Advisory Foundation Methods (Many : Many)
• Service Line Fundamentals

Advisory Service Lines:
• Internal Audit, Regulatory & Compliance (IARCS)
• Financial Risk Management (FRM)
• Business Performance Services (BPS)
• Transaction Services (TS)
• Information Technology Advisory (ITA)
• Forensic Services


KPMG’s Global Reach

(Figure: world map of KPMG member firms, colour-coded Americas / ASPAC / EMA / No Member Firm.)

EMA: Africa, Austria, Belgium, Cyprus, Denmark, Finland, France, Germany, Greece, Iceland, Ireland, Italy, Luxembourg, Morocco, Netherlands, Norway, Portugal, Spain, Sweden, Switzerland, Tunisia, Turkey, UK

Africa sub region: Angola & Mozambique, Botswana, Ghana, Kenya, Tanzania & Uganda, Malawi, Mauritius, Namibia, Nigeria, Sierra Leone, South Africa, Swaziland, Zambia, Zimbabwe

CEE sub region: Albania, Bulgaria, Croatia & Bosnia, Czech Republic, Estonia, Hungary, Latvia, Lithuania, Macedonia, Poland, Romania & Moldova, Serbia and Montenegro, Slovakia, Slovenia

CIS sub region: Armenia, Kazakhstan, Russia, Ukraine

MESA sub region: Afghanistan, Bahrain, Egypt, India, Iran, Iraq, Kuwait, Lebanon, Oman, Pakistan, Qatar, Saudi Arabia, Sri Lanka, Syria, UAE, Yemen

TOG sub region: Anguilla, Bahamas, Bermuda, Caricom, Cayman Islands & BVIs, Channel Islands, Isle of Man, Malta, Turks and Caicos Islands

Americas: Argentina, Brazil, Canada, Central America (KCA), Chile, Colombia, Ecuador, Israel, Mexico, Netherlands Antilles, Peru, US, Uruguay, Venezuela

Central America sub region: Costa Rica, Dominican Republic, Guatemala, Honduras, Nicaragua, Panama

ASPAC: Australia, Cambodia, Hong Kong / China SAR, Indonesia, Japan, Korea, Laos, Malaysia, New Zealand, Philippines, Singapore, Taiwan, Thailand, Vietnam



Governance, Risk and Compliance (GRC)

• “Governance” is the management of strategic directives

• “Risk” is the effect of uncertainty on business objectives and risk management is the mechanism to improve performance while minimizing financial losses

• “Compliance” transcends focus on laws and regulations to encompass all facets that affect integrity, reputation and brand

• IT enabler - Oracle GRC fully deployed for maximum impact

• Other enablers include change management, performance and value measurement and management, and monitoring mechanisms

• GRC implementation is not about a single role in the organization that is responsible for everything related to governance, risk, and compliance

• GRC works best when multiple roles (e.g., corporate secretary, corporate compliance, enterprise risk, audit, IT, line-of-business, investigations, legal) work together in a common framework, collaboration, and architecture to bring an enterprise view across governance, risk, and compliance activities throughout the organization


KPMG Governance, Risk and Compliance Framework

(Figure: the framework is drawn as a grid with Information running across every layer.)

Organizational levels: Enterprise (Board, Operating Committee); Functional (IT, Finance, Sales, etc.); Managerial (Line Management)

Governance: Strategy & Policy

Risk Management: Risk Assessment, Risk Measurement, Risk Strategy, Risk Monitoring

Compliance and Controls:
• Company Level Controls – Entity, Environmental, Managerial
• Process Embedded Controls (manual, auto) – Financial, Operational, Regulatory
• Business Activity


(Figure: the Oracle GRC application stack, drawn as layers from CxO-level intelligence down to the IT enablers, with industry and solution bands along the side.)

Oracle GRC Intelligence – CxO visibility to enterprise GRC status; role-tailored analysis; flexible ad hoc reporting. Components: Indicators, Attestations, Alerts, Dashboards.

Oracle GRC Manager – data repository / GRC system of record; end-to-end GRC process management. Components: Audit Management, Assessment, Issues & Remediation, Event & Loss Management, Risk and Control Frameworks.

Oracle GRC Controls – continuous monitoring of access, policies and controls; preventive and detective controls; controls risk monitoring. Components: Access Controls, Configuration Controls, Transaction Controls.

IT Manager – information security; enterprise access provisioning; IT configuration management.

GRC Technology Enablers – Information Security, Records & Digital Rights, Configuration Management, Identity Management.

Side bands: Financial Compliance, IT Governance, Environmental Health, Risk Management, Utilities & Energy, Communications, Retail & Consumer Goods, Corporate Responsibility, Life Sciences, Financial Services.

Source: Oracle Corporation

Oracle GRC Application Solution provides the infrastructure to automate end-to-end GRC processes, including corporate governance and oversight, risk management, and compliance management and reporting



Sarbanes Oxley changes the scope and magnitude of the Oracle Implementation Process

Sarbanes Oxley (SOX)

• SOX makes appropriate controls and security a business imperative

• SOX 404 mandates that controls be designed and operating effectively the year in which system and process changes occur. If not, significant deficiencies or perhaps an adverse audit opinion may result

• SOX created a greater focus on tax and new tax reporting requirements, i.e. FIN 48

• Companies are no longer willing to accept the risk.

Before Sarbanes Oxley, GRC integration would be postponed or ignored, as many companies chose to “accept the risk” on an interim basis.


Controls Transformation

Targeted Benefits

• Centered on migration from a mostly manual, detective control-based paradigm to one of a more automated and preventive nature

• Tax also adds value in this type of project by identifying complementary tax planning opportunities that may add additional value to the client

Objectives

• Drive both a “bottom-up” and a “top-down” approach to analyze, evaluate and design controls at the process level, transform across the enterprise, and eliminate redundant processes, controls and data environments

• Seamless integration with a challenging organization

“Parallel path” project goal : Controls Transformation

Many companies still rely primarily on manual controls, which are generally detective in nature (i.e. after the transaction). Transformed companies maximize the use of automated controls, substantially reducing the cost of control. Automated controls are frequently preventive controls (i.e. during the transaction), which yield better control assurance. The objective is to move from the lower left quadrant to the upper right quadrant.

Approach, Techniques and Process – Sustained Value and Confidence

(Figure: a two-by-two quadrant with Manual → Automated on the vertical axis and Detective → Preventative on the horizontal axis. “Typical company controls” sit in the lower left (manual, detective) quadrant; “Improved company controls” sit in the upper right (automated, preventative) quadrant.)


Pain Points addressed by GRC: Additional critical aspects supporting the need to integrate stronger controls in an ERP Implementation

1. Eliminate Redundancy and Reduce Cost – Process-driven ERP systems require controls to be applied throughout business processes. Poorly designed controls or misplaced controls result in redundancy and higher costs.

2. Manual Controls are Expensive and Inefficient – Existing key controls have deteriorated and are too manual. Organizations are experiencing high cost of controls and are looking to eliminate manual and redundant controls to reduce costs and improve process efficiency.

3. Retrofitting Controls is Cost Prohibitive – The cost of rework for poor controls is exorbitant and can lead to a complete reimplementation of an ERP system that lacks controls. Improving financial controls in an ERP system requires controls to be designed and integrated throughout the organization. Given system configuration and employee training redundancies, redesigning controls at the end of an ERP implementation is inefficient, expensive and could result in reportable material weaknesses or deficiencies.


Pain Points addressed by GRC: Additional Benefits of GRC Integration

4. Automated and Preventive Controls – Automation is driving ERP technology integration initiatives and helping to optimize controls within key processes, resulting in improved process efficiency, cost reductions and effective compliance management.

5. Complete and Accurate Financial Information – Organizations have long recognized the value of an efficient control structure and its role in driving complete and accurate financial information. When a new ERP system is implemented, along with the customary process changes, controls (including security) must be revised to support the new business and system functions.

We believe GRC integration is critical and should be addressed and integrated into an ERP implementation.


Key Lessons Learned and Leading Practices

• GRC integration is an area that is often poorly performed by project teams. Appoint a Security and Controls Lead on the project to create and maintain visibility of controls and security requirements throughout the duration of the project. Plan for the need to continuously educate the project team and stress the importance of the security and controls aspects of the system throughout the project lifecycle.

• Start early with Security and Controls…it is a lot of work. Involve your security and controls team in the early design stage of the project, and maintain their involvement through the entire project lifecycle.

• Security and Controls is a collaborative process that requires all parties to be engaged early including Business Process Owners (BPOs), IT and security teams, Internal Audit and your External Auditors.

• A key area that is often overlooked during an ERP implementation is tax. Incorporating the tax perspective into the project can help avoid costly rework and degradation in tax reporting needs.

• Determining the balance between preventive and detective controls can be challenging. Security, SOD and configuration controls are mostly preventive in nature. Manual controls can be more costly to operate/perform and are generally less reliable than automated controls. If correctly configured and managed, your new ERP system will provide numerous opportunities for organizations to have a highly automated control environment.



Oracle GRC Suite

(Figure: the same Oracle GRC application stack shown on the Oracle GRC Application Solution slide, repeated here: Oracle GRC Intelligence, Oracle GRC Manager, Oracle GRC Controls (Access, Configuration and Transaction Controls), IT Manager and the GRC Technology Enablers. Source: Oracle Corporation.)


Oracle GRC Controls – Access Controls

Oracle GRC Controls Module: Access Controls, by Control Type

Preventive:
• Provide compliant user provisioning
• Enforce compensating controls
• What-if SOD risk simulation

Detective:
• Analyze user roles and responsibilities for SOD violations
• Identify and remediate SOD violations
• Monitor activities of users granted access to sensitive areas


Oracle GRC Controls – Access Controls

• ‘N’ access point definitions
• Simple Operand Combinations – ‘X’ to ‘Y’
• Complex Operand Combinations – ‘X’ to ‘Y’ to ‘Z’ to ‘N’
• Inter-Operand hierarchy
• Seeded Entitlement-based policies for Oracle (11.5.10 and R12) and PeopleSoft (8.8/9)
• Entitlement – Grouping of access points (similar to Entity Groups)
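The rule structure above (access points grouped into entitlements, simple X-to-Y and complex X-to-Y-to-Z operand combinations evaluated against a user's responsibilities) plus the what-if SOD simulation listed on the previous slide, as an added example written for this page. It is not Oracle's or KPMG's code; every entitlement, responsibility, access point and rule name is constructed for illustration.

```python
"""Added example (not Oracle's or KPMG's code): a small segregation-of-duties
rule engine in the shape the slide describes. Access points are grouped into
entitlements; a rule is a simple (X to Y) or complex (X to Y to Z ...) combination
of entitlements; a user violates a rule when the access points reachable through
their responsibilities satisfy every operand of the rule.
All names and data below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

Entitlements = Dict[str, FrozenSet[str]]


@dataclass(frozen=True)
class SodRule:
    name: str
    operands: Tuple[str, ...]   # entitlement names: 2 = simple, 3+ = complex
    risk: str = "High"


@dataclass
class User:
    name: str
    responsibilities: Set[str]


# Entitlement = grouping of access points (constructed, not Oracle's seeded content).
ENTITLEMENTS: Entitlements = {
    "Maintain Suppliers": frozenset({"AP_SUPPLIER_ENTRY", "AP_SUPPLIER_SITES"}),
    "Enter Invoices": frozenset({"AP_INVOICE_ENTRY", "AP_INVOICE_BATCH"}),
    "Pay Invoices": frozenset({"AP_PAYMENT_ENTRY", "AP_PAYMENT_BATCH"}),
    "Maintain Bank Accounts": frozenset({"CE_BANK_ACCOUNT_ENTRY"}),
}

# Simple (two-operand) and complex (three-operand) combinations.
RULES = [
    SodRule("Create supplier and pay supplier", ("Maintain Suppliers", "Pay Invoices")),
    SodRule("Enter invoice and pay invoice", ("Enter Invoices", "Pay Invoices")),
    SodRule("Supplier, invoice and payment (full AP cycle)",
            ("Maintain Suppliers", "Enter Invoices", "Pay Invoices"), risk="Critical"),
]

# Responsibility -> access points it grants (the operand hierarchy flattened here).
RESPONSIBILITIES: Dict[str, Set[str]] = {
    "AP Clerk": {"AP_INVOICE_ENTRY", "AP_INVOICE_BATCH"},
    "AP Supervisor": {"AP_INVOICE_ENTRY", "AP_PAYMENT_ENTRY", "AP_PAYMENT_BATCH"},
    "Supplier Maintenance": {"AP_SUPPLIER_ENTRY", "AP_SUPPLIER_SITES"},
    "Cash Management": {"CE_BANK_ACCOUNT_ENTRY"},
}


def effective_access(user: User) -> Set[str]:
    """All access points reachable through the user's responsibilities."""
    points: Set[str] = set()
    for resp in user.responsibilities:
        points |= RESPONSIBILITIES.get(resp, set())
    return points


def evaluate(user: User, rules=RULES) -> List[Tuple[str, str, List[Tuple[str, List[str]]]]]:
    """Detective check: (rule name, risk, matched access points per operand)
    for every rule whose operands are all satisfied by the user's access."""
    access = effective_access(user)
    violations = []
    for rule in rules:
        hits = []
        for ent in rule.operands:
            matched = access & ENTITLEMENTS[ent]
            if not matched:          # one unsatisfied operand clears the rule
                break
            hits.append((ent, sorted(matched)))
        else:                        # every operand matched -> violation
            violations.append((rule.name, rule.risk, hits))
    return violations


def simulate_grant(user: User, new_responsibility: str) -> List[str]:
    """What-if simulation: rules that would be newly violated by granting
    new_responsibility, without touching the user's real access."""
    before = {v[0] for v in evaluate(user)}
    trial = User(user.name, user.responsibilities | {new_responsibility})
    return sorted({v[0] for v in evaluate(trial)} - before)


if __name__ == "__main__":
    bob = User("bob", {"AP Supervisor"})
    for name, risk, hits in evaluate(bob):
        print(f"{bob.name}: {risk} - {name}: {hits}")
    print("granting Supplier Maintenance would add:", simulate_grant(bob, "Supplier Maintenance"))
```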


Oracle GRC Controls – Transactional Controls

Oracle GRC Controls Module: Transaction Controls, by Control Type

Preventive:
• Validation of transaction data (e.g. valid product code)
• Approvals based on transaction data thresholds

Detective:
• Identify transactions violating policy (e.g. un-approved vendor)
• Detect patterns representing aggregate risk (e.g. micro-payments)
• Detect correlation risk (e.g. same user creates and pays vendor)


Oracle GRC Controls – Transactional Controls

(Figure: a bad-debt write-off flow with Oracle GRC controls overlaid. A Financial Clerk ENTERs the bad-debt account entry; a Financial Supervisor POSTs the bad-debt approval to the Bad Debt Ledger; the General Manager (P&L) approves. Controls shown: Preventive Policy Control – updates above the threshold (> $25K) require manager approval (Yes / No / Approved branch); Preventive Access Control – unable to modify account numbers; Preventive SOD – entry and post are split between the clerk and the supervisor; Control Monitors – a reportable event risk (Excessive Debt) feeds Exception Reporting and Exception Remediation by the Controller.)

Source: Oracle Corporation
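The detective transaction controls from the previous slide (un-approved vendor, micro-payment patterns, same user creates and pays a vendor) and the > $25K approval threshold from the figure above, as an added example written for this page; it is not Oracle's or KPMG's code. The record layout, vendor ids, user names and the micro-payment parameters are assumptions.

```python
"""Added example (not Oracle's or KPMG's code): detective transaction controls
of the kinds the slides list, run over a constructed batch of accounts-payable
transactions. Only the $25K threshold comes from the figure; everything else is
assumed for illustration.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple


class Txn(NamedTuple):
    txn_id: str
    user: str
    kind: str                     # "CREATE_VENDOR", "INVOICE" or "PAYMENT"
    vendor: str
    amount: float
    approved_by: Optional[str] = None


APPROVED_VENDORS = {"V100", "V200"}   # constructed approved-vendor master
APPROVAL_THRESHOLD = 25_000.0         # figure: updates > $25K require manager approval
MICRO_AMOUNT = 500.0                  # constructed: payments under this are "micro"
MICRO_COUNT = 3                       # constructed: this many to one vendor by one user flags

# Constructed transaction batch (not real data).
TXNS = [
    Txn("T1", "dana", "CREATE_VENDOR", "V300", 0.0),
    Txn("T2", "dana", "PAYMENT", "V300", 4_800.0),               # creator pays own vendor
    Txn("T3", "erik", "PAYMENT", "V100", 30_000.0, "gm_frank"),  # over threshold, approved
    Txn("T4", "erik", "PAYMENT", "V200", 26_500.0),              # over threshold, no approval
    Txn("T5", "gina", "PAYMENT", "V200", 450.0),
    Txn("T6", "gina", "PAYMENT", "V200", 480.0),
    Txn("T7", "gina", "PAYMENT", "V200", 490.0),                 # third micro-payment
    Txn("T8", "gina", "PAYMENT", "V100", 9_000.0),
]


def unapproved_vendor_payments(txns: List[Txn]) -> List[str]:
    """Policy violation: payment to a vendor not on the approved list."""
    return [t.txn_id for t in txns
            if t.kind == "PAYMENT" and t.vendor not in APPROVED_VENDORS]


def payments_missing_approval(txns: List[Txn]) -> List[str]:
    """Threshold control: payments above APPROVAL_THRESHOLD with no approver."""
    return [t.txn_id for t in txns
            if t.kind == "PAYMENT" and t.amount > APPROVAL_THRESHOLD and not t.approved_by]


def micro_payment_patterns(txns: List[Txn]) -> Dict[Tuple[str, str], float]:
    """Aggregate risk: (user, vendor) pairs with MICRO_COUNT or more payments
    each below MICRO_AMOUNT; value is the aggregate amount of those payments."""
    buckets: Dict[Tuple[str, str], List[float]] = defaultdict(list)
    for t in txns:
        if t.kind == "PAYMENT" and t.amount < MICRO_AMOUNT:
            buckets[(t.user, t.vendor)].append(t.amount)
    return {key: sum(amts) for key, amts in buckets.items() if len(amts) >= MICRO_COUNT}


def create_and_pay_correlation(txns: List[Txn]) -> List[Tuple[str, str, str]]:
    """Correlation risk: the user who created a vendor also pays that vendor."""
    creators = {t.vendor: t.user for t in txns if t.kind == "CREATE_VENDOR"}
    return [(t.txn_id, t.user, t.vendor) for t in txns
            if t.kind == "PAYMENT" and creators.get(t.vendor) == t.user]


def run_controls(txns: List[Txn]) -> Dict[str, object]:
    """Run every detective control and return the exceptions for reporting."""
    return {
        "unapproved_vendor": unapproved_vendor_payments(txns),
        "missing_threshold_approval": payments_missing_approval(txns),
        "micro_payment_pattern": micro_payment_patterns(txns),
        "create_and_pay": create_and_pay_correlation(txns),
    }


if __name__ == "__main__":
    for control, exceptions in run_controls(TXNS).items():
        print(f"{control}: {exceptions}")
```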


Oracle GRC Controls – Configurable Controls

Oracle GRC Controls Module: Configuration Controls, by Control Type

Preventive:
• Validate that setups and data updates conform to valid values
• Require conditional approval cycles (e.g., exceed threshold)
• Enforce data consistency (e.g. force data to upper case)

Detective:
• Detect and record changes to sensitive setup data
• Compare before and after values for changes
• Monitor for setup inconsistencies across multiple instances
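The valid-value check and the three detective configuration controls above (record changes to sensitive setup data with before and after values, and find setup inconsistencies across instances), as an added example written for this page; it is not Oracle's or KPMG's code. The setup option names, the valid-value rules and the instance names are assumptions.

```python
"""Added example (not Oracle's or KPMG's code): configuration controls of the
kinds the slide lists, over constructed setup snapshots. A snapshot is a flat
dict "AREA.OPTION" -> value; sensitive keys, valid-value rules and instance
names are all assumptions for illustration.
"""
from typing import Callable, Dict, Iterable, List, NamedTuple, Optional

Setup = Dict[str, str]

# Constructed: setup options whose changes must be recorded with before/after values.
SENSITIVE_KEYS = {
    "AP.ALLOW_SUPPLIER_BANK_CHANGE",
    "GL.ALLOW_POSTING_TO_CLOSED_PERIOD",
    "SIGNON.PASSWORD_LENGTH",
}

# Constructed valid-value checks (the "conform to valid values" control).
VALID_VALUES: Dict[str, Callable[[str], bool]] = {
    "SIGNON.PASSWORD_LENGTH": lambda v: v.isdigit() and int(v) >= 8,
    "GL.ALLOW_POSTING_TO_CLOSED_PERIOD": lambda v: v in {"Y", "N"},
    "AP.ALLOW_SUPPLIER_BANK_CHANGE": lambda v: v in {"Y", "N"},
}


class Change(NamedTuple):
    key: str
    before: Optional[str]   # None = option did not exist before
    after: Optional[str]    # None = option was removed
    sensitive: bool
    valid: bool             # after-value passes its valid-value rule (True when no rule)


def diff_setup(before: Setup, after: Setup) -> List[Change]:
    """Record every changed option with its before and after value."""
    changes = []
    for key in sorted(before.keys() | after.keys()):
        old, new = before.get(key), after.get(key)
        if old == new:
            continue
        rule = VALID_VALUES.get(key)
        valid = True if new is None or rule is None else rule(new)
        changes.append(Change(key, old, new, key in SENSITIVE_KEYS, valid))
    return changes


def sensitive_changes(changes: List[Change]) -> List[Change]:
    return [c for c in changes if c.sensitive]


def invalid_changes(changes: List[Change]) -> List[Change]:
    return [c for c in changes if not c.valid]


def drift(instances: Dict[str, Setup],
          keys: Optional[Iterable[str]] = None) -> Dict[str, Dict[str, Optional[str]]]:
    """Setup options whose value differs across instances (e.g. PROD vs DR).
    Restrict to `keys` to monitor only the sensitive options."""
    wanted = set(keys) if keys is not None else set().union(*instances.values())
    out: Dict[str, Dict[str, Optional[str]]] = {}
    for key in sorted(wanted):
        values = {name: setup.get(key) for name, setup in instances.items()}
        if len(set(values.values())) > 1:
            out[key] = values
    return out


# Constructed snapshots: PROD before and after a change window, plus a DR instance.
PROD_BEFORE: Setup = {
    "AP.ALLOW_SUPPLIER_BANK_CHANGE": "N",
    "GL.ALLOW_POSTING_TO_CLOSED_PERIOD": "N",
    "SIGNON.PASSWORD_LENGTH": "10",
    "AP.DEFAULT_CURRENCY": "USD",
}
PROD_AFTER: Setup = {
    "AP.ALLOW_SUPPLIER_BANK_CHANGE": "Y",   # sensitive flip
    "GL.ALLOW_POSTING_TO_CLOSED_PERIOD": "N",
    "SIGNON.PASSWORD_LENGTH": "6",          # sensitive and below the valid minimum
    "AP.DEFAULT_CURRENCY": "USD",
    "AP.INVOICE_MATCH_OPTION": "2-Way",     # new, non-sensitive option
}
DR_INSTANCE: Setup = dict(PROD_BEFORE)      # DR was not updated with PROD

if __name__ == "__main__":
    changes = diff_setup(PROD_BEFORE, PROD_AFTER)
    for c in sensitive_changes(changes):
        print(f"SENSITIVE {c.key}: {c.before!r} -> {c.after!r} valid={c.valid}")
    print("drift on sensitive keys:", drift({"PROD": PROD_AFTER, "DR": DR_INSTANCE}, SENSITIVE_KEYS))
```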


Oracle GRC Manager

• Single system of record
• End-to-end GRC process management
• Platform independent
• Integrated control management
• Closed-loop issue remediation

(Figure: the GRC Manager cycle – Document, Assess, Analyze, Respond, Certify.)


Oracle GRC Intelligence

• Pre-built dashboards aggregate information from all sources
• Combine performance and GRC information
• Respond to KRI and issues
• Produce attestations and disclosures
• Configure to meet your specific needs


Risk and Controls Framework

(Figure: a timeline across the phases Preparation and Analysis, Design, Build, Test, Sustain and Evaluation, with the key activities below listed under each phase.)

Below is a list of typical key activities reflected in a Risk and Controls Framework:

Key Activities – Project Management Planning Activities
• Security and Controls Cutover Strategy
• SOX compliance accountability and Controls Portfolio
• Compliance monitoring and accountability for activities and responsibilities
• Security Role Design
• Quality Check with Stakeholders

Key Activities – Project Management Planning Activities
• Business Process Procedures
• Configuration Element Documentation
• Data Quality Documentation
• Security Integration Documentation
• Quality Check with Stakeholders

Key Activities – Project Planning Activities
• Establish Organizational Alignment Design
• Business Process Definition Standards
• Business Process Flow Standards
• Data Quality Standards
• Security Approach and Standards
• Quality Check with Stakeholders

Key Activities – Initial Project Planning and Project Organizational Structure
• Project Documentation Standards
• Project Kickoff
• Quality Check with Stakeholders

Key Activities – Planning and Project Initiation
• Risk Strategy and Risk Assessment
• Portfolio Analysis
• Qualitative Analysis
• Project Communication Plan
• Project Evaluation Checkpoint with Stakeholders

Key Activities – Project Monitoring Support
• Project Organizational Structure Support
• Project Documentation Standards
• Quality Check with Stakeholders


Oracle GRC Accelerators

KPMG's proven risk-oriented tools and controls integration methodologies identify, design, and standardize controls as part of the implementation process.

Oracle GRC Implementation Tools

• ERP Control Catalogs – Enable the detail design of automated controls for financial applications so that less efficient manual controls can be eliminated. Catalogs include testing guidance & procedures to support SOX 404 preparation & compliance.

• Controls Portfolio Analysis Model (CPAM) – Helps organizations to view and evaluate their controls portfolio. The model assists companies in identifying opportunities to decrease costs, improve process efficiency and evaluate the organization’s controls portfolio holistically.

• Opportunity Analysis Model (OAM) – Enables organizations to qualitatively assess process improvement opportunities, based on a prioritization framework and a series of questions.

• Security / Segregation of Duties (SOD) tools – KPMG uses Oracle GRC or Oracle security development and monitoring, and leverages KPMG’s proprietary Segregation of Duties Catalogs and Templates.

• System Integration Controls Methods – Primary business systems controls methodology, guidance and supporting tools and templates used by our joint teams in the execution of controls integration.

• Advisory Delivery Tool (ADT) – Methodology and Documentation Tool; facilitates KPMG Advisory services execution, documentation and deliverables on an automated basis.

• Tax User Requirements Library – Tax User Requirements Library for each area of tax in support of KPMG GRC GTS.

• Tax Data Elements Library – Tax Data Elements Library for each area of tax.

• Accelerators for Tax Provision – Accelerators for Tax Provision process redesign.

• Non-proprietary tools – KPMG can also utilize other automated security software and tools to support Oracle GRC implementations.


Presenter’s contact details

Philip McGivney, KPMG LLP
(412) 576-7298
pmcgivney@kpmg.com

Jason Lindsley, KPMG LLP
(856) 373-0853
jlindsley@kpmg.com


Appendices


KPMG Advisory Services – System Design and Implementation

Scope and Plan – Perform detailed scoping and planning of the project to identify activities, deliverables, project plan, milestones, and desired outcome(s).

Detect – Assist in the validation of the compliance tool installation, review of segregation of duties controls, develop a customized set of prevention/detection rules (SOD rules, critical transactions, etc.) in your compliance tool and develop operational compliance and security provisioning processes.

Remediate – Assist in the review and design of the current security and automated control environment to develop and help execute a strategy to remediate SOD conflicts and other control deficiencies.

Mitigate – Assist in the design and identification of mitigating controls for SOD conflicts and other control weaknesses deemed necessary, develop and execute a strategy to configure mitigating controls in the compliance tool and recommend a monitoring process.

Continuous Compliance – Implement governance, control, and reporting processes to maintain continuous compliance.


Scope and Plan Phase

Purpose: This phase covers conducting detailed scoping and planning of the project against the signed LOE and its key deliverables, milestones, and desired outcome(s). It also includes securing and educating team resources (client + KPMG), outlining roles and responsibilities, and formally starting the project.

Key Deliverables

• Project Plan
• Responsibility Matrix
• Business Application System Security and GRC presentation

Key Technology Enablers

• Not applicable for this phase

Key Activities

• Secure project resources and contacts
• Finalize and develop Project Plan
• Develop Project Responsibility Matrix
• Deliver initial business system security and GRC education
• Hold steering committee project kick-off


Detect Phase

Purpose: This phase covers 1) finalizing the rule set to be used for Segregation of Duties (SOD) analysis and performing the baseline analysis, 2) modifying the SOD analysis system configuration settings, and 3) redesigning the access administration and compliance processes.

Key Deliverables

• Identification of Rule Set customizations
• Design specification document
• Customized GRC Rule Files
• Rule set maintenance procedure
• Final custom Rule Sets
• Updated business processes and procedures
• User guide and training documents
• Management reports and preliminary assessment of security environment

Key Technology Enablers

• 3rd Party controls software for segregation of duties
• 3rd Party controls software; Process Controls functionality

Key Activities

• Determine to-be roles/responsibilities and processes and procedures for managing SOD conflicts
• Design and build company-specific SOD and Process Control Rule Sets
• Test SOD and Process Control Rule Sets for completeness and accuracy
• Transport tested SOD and Process Control Rule Sets to production system
• Analyze SOD conflict baseline metrics, if applicable
• Conduct training for end users


Remediate Phase

Purpose: This phase covers remediating the SOD conflicts via security access and authorization changes in the Business Application system.

Key Deliverables

• Management and team phase kick-off presentations
• User access requirements
• Remediation and security design approach
• Security design specifications
• QA test scripts and test results
• End-user training presentation
• Cutover SOD conflict report
• List of users with SOD conflicts requiring mitigation
• Incident tickets and tracking lists

Key Technology Enablers

• 3rd Party controls software for Segregation of Duties
• 3rd Party controls software; Process Controls functionality
• Business Application System security features

Key Activities

• Identify users in scope and their reporting relationships
• Determine security design approach to remediate SOD conflicts
• Gather user access requirements
• Convert requirements to security design specifications
• Remediate SOD conflicts through building to-be user access
• QA test to-be user access
• Cutover to production system with to-be user access
• Train end-users
• Hold go-live and support users


Mitigate Phase

Purpose: This phase covers mitigating the operational risks posed by remaining SOD conflicts. Determining and mapping the proper controls to mitigate these risks, as well as configuring and maintaining the mitigating control records, are performed in this phase.

Key Deliverables

• Management and team phase kick-off presentations
• List of users and SOD conflicts targeted for Mitigating Controls
• Mitigating Control record mapping to users and SOD conflicts
• List of Mitigating Control monitors and approvers
• New business processes and procedures for managing MCs
• QA test scripts
• End-user training presentation
• Cutover SOD conflict report showing users and risks marked by mitigating controls
• Incident tickets and tracking lists

Key Technology Enablers

• 3rd Party Controls Software for Segregation of Duties
• 3rd Party Controls Software; Process Controls functionality
• Business Application System Security features

Key Activities

• Determine to-be roles/responsibilities and processes and procedures for managing mitigating controls (MC)
• Document remaining SOD conflicts and users requiring mitigation
• Determine if underlying controls are sufficient and operate effectively
• Design and build Mitigating Controls and map them to users and SOD conflicts
• Test Mitigating Control records and their associations
• Cutover to production system
• Train end-users
• Deliver final SOD report
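The Detect and Mitigate phases above describe building and testing an SOD rule set, baselining conflicts, and mapping mitigating control records to users and conflicts so the cutover report shows what is still open. The Python below is an added example (not KPMG's or Oracle's code, and independent of any particular compliance tool) that performs those three steps on constructed sample data; every rule id, function, role, user and control id is an assumption.

```python
# Added example (not KPMG's or Oracle's code): SOD rule-set validation, baseline
# conflict analysis and mitigating-control markings on constructed sample data.
# rule id -> (risk description, pair of conflicting functions)
RULE_SET = {
    "P001": ("Create vendor and pay vendor", ("MAINTAIN_VENDOR", "PROCESS_PAYMENT")),
    "P002": ("Enter and approve purchase order", ("ENTER_PO", "APPROVE_PO")),
    "S001": ("Maintain users and assign responsibilities", ("MAINTAIN_USER", "ASSIGN_RESP")),
}
# as-is role design and user assignments being baselined (constructed)
ROLE_FUNCTIONS = {
    "AP_CLERK": {"MAINTAIN_VENDOR", "ENTER_PO"},
    "AP_MANAGER": {"PROCESS_PAYMENT", "APPROVE_PO"},
    "SYSADMIN": {"MAINTAIN_USER", "ASSIGN_RESP"},
}
USER_ROLES = {"alice": {"AP_CLERK"}, "bob": {"AP_CLERK", "AP_MANAGER"}, "carol": {"SYSADMIN"}}
# mitigating control records mapped to (user, rule), as built in the Mitigate phase
MITIGATING_CONTROLS = {("bob", "P002"): "MC-07"}  # e.g. monthly independent PO review

def validate_rule_set(rules=RULE_SET, roles=ROLE_FUNCTIONS):
    """Completeness/accuracy check before transport to production: a rule must pair
    two distinct functions, each granted by some role (otherwise it can never fire)."""
    granted = set().union(*roles.values())
    issues = []
    for rule_id, (_, (f1, f2)) in rules.items():
        if f1 == f2:
            issues.append(f"{rule_id}: pairs {f1} with itself")
        issues += [f"{rule_id}: {f} not granted by any role" for f in (f1, f2) if f not in granted]
    return issues

def user_functions(user):
    """Functions a user can execute through all assigned roles."""
    return set().union(*(ROLE_FUNCTIONS[r] for r in USER_ROLES.get(user, set())))

def analyze():
    """Baseline conflict report: (user, rule, 'OPEN' or 'MITIGATED:<control id>')."""
    report = []
    for user in sorted(USER_ROLES):
        funcs = user_functions(user)
        for rule_id, (_, (f1, f2)) in RULE_SET.items():
            if f1 in funcs and f2 in funcs:
                mc = MITIGATING_CONTROLS.get((user, rule_id))
                report.append((user, rule_id, f"MITIGATED:{mc}" if mc else "OPEN"))
    return report

def baseline_metrics(report):
    """Metrics for the cutover/final SOD report: what is still open vs. mitigated."""
    open_count = sum(1 for _, _, status in report if status == "OPEN")
    return {"conflicts": len(report), "open": open_count, "mitigated": len(report) - open_count,
            "users_with_conflicts": len({u for u, _, _ in report})}
```

Conflicts left OPEN after mitigation are the ones the Remediate phase has to resolve through access changes; a real tool would read roles and assignments from the application's security tables rather than inline dictionaries.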


Continuous Compliance Phase

Purpose: This phase covers execution and monitoring of operational processes and policies to help ensure continuous compliance. Knowledge transfer is also performed in this phase between the project team and identified customer stakeholders.

Key Deliverables

• Knowledge Transfer Checklist
• Security and Compliance Policies and Procedures
• Periodic review results, appropriately signed off

Key Technology Enablers

• 3rd Party Controls Software
• Business Application System Security Features
• Business Application System embedded controls

Key Activities

• Perform additional knowledge transfer as necessary
• Refine and maintain policies and procedures
• Perform periodic review of security and compliance processes and user access
• Update Rule Set as necessary
• Periodically review mitigating control effectiveness
• Update mitigating controls content and markings in SOD tool
• Remediate or mitigate SOD conflicts as required
