Copyright © 2014, Oracle and/or its affiliates. All rights reserved. |
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
2
Copyright © 2014, Oracle and/or its affiliates. All rights reserved. |
Controlling for Multiple ERP Systems with Oracle Advanced Controls CON8154
Eugene Hugh - InterContinental Exchange Dane Roberts – Oracle GRC Strategy Stephen D’Arcy - PWC October 2, 2014
Presented with
@OracleAdvCntrls
Oracle GRC Advanced Controls
Copyright © 2014, Oracle and/or its affiliates. All rights reserved. |
Agenda What are Oracle GRC Advanced Controls?
Case Study:
•Background
•ICE Requirements
•Challenges
•Solutions
•Project Summary
•What’s Next?
Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | 5
Reality: Document/Email Approaches Challenge GRC
OCEG SURVEY • 2014 GRC Technology Strategy Survey • www.OCEG.org HOW ORGANIZATIONS APPROACH AND ADAPT THEIR TECHNOLOGY STRATEGY FOR GRC
70%
SPREADSHEETS, DOCUMENTS, EMAIL & IN-HOUSE SOLUTIONS
30%
1 OR MORE COMMERCIAL GRC SOLUTIONS
The lack in modern technology makes achieving goals challenging
The impact on FTE’s is particularly significant
One financial services
organization stated that 80%
of their GRC staff resources
were nothing more than
document reconciles for
reporting. […] A mess they are
aggressively trying to correct.
of GRC professionals reported that they use Spreadsheets, Emails, Custom Reports Apps.
70%
Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | 6
When looking for new GRC technology, organizations indicate that the primary goals they aim to achieve are:
Drivers: for Adopting New GRC Technology
OCEG SURVEY • 2014 GRC Technology Strategy Survey • www.OCEG.org HOW ORGANIZATIONS APPROACH AND ADAPT THEIR TECHNOLOGY STRATEGY FOR GRC
INCREASE ANALYTICS & RAPID VISIBILITY OF RISK Complex risk and regulatory environments demand advanced capabilities of risk data integration and analytics to provide full situational awareness of risk”
#1 IMPROVE CONSISTENCY OF INFORMATION Organizations are realizing that good GRC requires good information, there is increasing focus on the integrity and consistency of GRC information”
#2 MEET NEW REGULATORY REQUIREMENTS Regulatory change has more than doubled in several industries over the past five years (e.g., banking, insurance, healthcare) and drives the organization to GRC technologies that enable regulatory intelligence and agility”
#3 REDUCE COSTS & IMPROVE PERFORMANCE When deploying new GRC technologies the organization is driven to reduce costs while increasing the performance of business operations”
#4
Copyright © 2014, Oracle and/or its affiliates. All rights reserved. |
Comprehensive Risk & Controls Management
Detect and Fix Issues
Continuous Improvement and Monitoring
Assess Risk & Compliance
Close the
LOOP
Identification
Analysis
Evaluate
1. BUSINESS RISKS
Document
Assessments
Reviews
2. CONTROL OBJECTIVES
Author
Execute
Investigate
3. CONTINUOUS MONITORS
Copyright © 2014, Oracle and/or its affiliates. All rights reserved. |
Custom or Legacy Applications
Enterprise Risk and Controls Foundation One Unified Platform
Flexible
• Graphical Authoring • Detect and Prevent • Access, Transactions, Setups
Data Driven
• 100% of Transactions • Manage by Exception • Pattern Analysis
Comprehensive
• Multiple GRC Projects • From Documentation to Test • Closed Loop Approach
Enterprise Risk & Controls Foundation
Dashboards, Reports and Alerts
Notifications Worklists Email Perspectives Search
Risk, Controls & Compliance Management
Reviews Documentation Assessments Remediation Surveys
Continuous Controls & Risk Monitoring
Setups Access Master Data Audit Tests Transactions
User Authored Controls Data Connectors Fraud & Error Patterns
Ro
le B
ased
Acc
ess
Secu
rity
Web
Se
rvic
es
& A
PIs
Copyright © 2014, Oracle and/or its affiliates. All rights reserved. |
Specialized Partners Increase your Return On Investment
• Get more from Advanced Controls Specialists address more of your needs with Advanced Controls’ many capabilities
• Increase your organization’s effectiveness Specialists help you embed Advanced Controls in your business processes
• Accelerate your implementation Specialists guide and support you during planning, implementation and go-live
Oracle Confidential – Internal/Restricted/Highly Restricted 10
Intercontinental Exchange, Inc. (ICE)
Oracle Advanced Controls Implementation “One AC instance connected to two different ERP’s”
www.pwc.com
“Any trademarks included are trademarks of their respective owners and are not affiliated with, nor endorsed by, PricewaterhouseCoopers LLP.”
About ICE
Background
13
Client Background
• ICE (runs PeopleSoft) located in Atlanta
• PeopleSoft is hosted off-premise by a Hosting Provider
• ICE recently acquired NYSE, (run Oracle EBS)
• EBS is hosted on premise in New York
Oracle Advanced Controls
• Needed a solution to address operational and compliance needs
• Goal to implement by summer 2014
• Needed a partner to navigate their complex IT environment and implement a right-sized, sustainable, scalable solution
• Decided to implement an on premise Advanced Controls Environment
Requirements
14
EBS Visibility
Having recently acquired NYSE, ICE wanted to gain visibility into the risks, controls and transactions within their EBS environment.
PeopleSoft Visibility
Access, configurations and transactions were difficult to manage with standard PeopleSoft functionality alone.
Operational Efficiency
The business needed to analyze certain risky transactions on a periodic basis, and was stuck with ad-hoc queries written by IT and manual investigation in the ERP systems.
Controls Automation
ICE was looking to drive automated control over access and configurations to improve the efficiency of their internal and external audits.
Scalability
Given the extent of integration and expansion that is and will be going on at ICE over the next several years, the solution had to be scalable to accommodate future change.
Audit Support
Build a sustainable automated solution that could evaluate security, segregation of duties, automated controls and transactional activity to support Internal and External Audits.
Solutions
15
The right Collaboration PwC worked with ICE to help create a tailored, right-sized solution to their operational and compliance needs.
Business, internal audit, and IT stakeholder involvement was a key success factor from requirements gathering through implementation.
Transactions Led by the business, the stakeholders identified 22 ways they could use TCG to improve exception-based transaction reporting.
This was narrowed down to 18 key requirements for Phase I across 5 business and IT processes.
Security & Segregation of Duties The stakeholders identified 98 ways they could use AACG to address existing operational and compliance concerns.
This was narrowed down to 61 key requirements for Phase I across 8 business and IT processes.
Configuration Mgmt. In a discussion driven by IT, the stakeholders identified 141 opportunities for continuous configuration monitoring using CCG.
This was narrowed down to 130 key requirements for Phase I across 7 business and IT processes.
Systems Diagram
AACG & TCG CCG
Project Scope/Summary/Benefits
17
Delivered Scope
Approximately 90-120 Security and SOD controls in AACG Approximately 90-120 Configuration Change Trackers in CCG Approximately 15-25 Transaction Analytic controls in TCG PCG considered for NYSE but not included
Timeline
Phase I: February – August 2014 Initial go-live for NYSE AACG and CCG given audit requirements (June 2014) Final go-live for NYSE TCG and ICE AACG, CCG and TCG (Aug 2014)
ICE business process control owners for key processes ICE and NYSE system administrators ICE internal audit team
Increased automation in the quarterly access review process Increased visibility into risks in the EBS and PeopleSoft environments Resulting changes made to improve security, configurations & processes. Automation of various audit activities
Stakeholder Groups
Benefits
Advanced Controls Examples
• GL Entries not posted at month end
• AR Entries without GL entries
• Duplicate Employees
• Duplicate Invoice Payments
• Refunds over specific threshold
• Unusual Journals – Debit Rev, Credit Expenses
• Inactive users
Business Solutions beyond Compliance and Internal Audit
Advanced Controls Examples (cont’d)
• Custom Content/Objects for PeopleSoft
• Change trackers to monitor changes to automated controls
• Impact assessment during patch application
• Ability to compare setup changes during integration of NYSE (EBS) on to ICE PeopleSoft environment
Main Project Challenges
20
Stakeholder Availability 01
Stakeholder Availability
02
Standardizing processes during
acquisition
03
Educating Stakeholders
04
Technology Delays
What’s Next?
21
Controls Operation
RMB Integration
EBS Migration
Future Expansion
Business process control owners have already began operating their monthly and quarterly access and transaction controls, and system administrators are continuing to investigate configuration changes as they occur.
PwC is implementing Oracle Revenue Management and billing as ICE’s optimized billing solution, and will build custom connectors to allow RMB to interface with billing rules that will be implemented into Advanced Controls.
In 2015, ICE will begin to migrate NYSE from EBS into ICE’s PeopleSoft environment. This will require consideration of the impact to Advanced Controls and may require changes to existing rules.
As ICE becomes more comfortable with Advanced Controls capabilities and their existing solution, there will be opportunities to expand their use of the applications and increase the value they derive from it.
Questions?
Copyright:
© 2014 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights
reserved.
Definition:
PwC refers to the US member firm, and may sometimes refer to the PwC network. Each
member firm is a separate legal entity. Please see www.pwc.com/structure for further details.
Contact Information: Stephen D'Arcy - Director (PwC) [email protected] Ph: 856.577.0022
Copyright:
© 2014 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights
reserved.
Definition:
PwC refers to the US member firm, and may sometimes refer to the PwC network. Each
member firm is a separate legal entity. Please see www.pwc.com/structure for further details.
Follow Us & join the conversation .
Oracle GRC Advanced
Controls Group
@OracleAdvCntrls
Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | 25
Copyright © 2014, Oracle and/or its affiliates. All rights reserved. |
Safe Harbor Statement
The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
26