FulcrumWay - Ed. Webinar - Identify and Eliminate False Positives from your Segregation of Duty Audit Report

Aug 07, 2015

FulcrumWay
Page 1: FulcrumWay - Ed. Webinar - Identify and Eliminate False Positives from your Segregation of Duty Audit Report

Leverage Technology: Move Your Business Forward™

Risk and Compliance Financial Reporting Internal Audit Controls Catalog Application Security Advanced Analytics

A Leader in Risk Based Enterprise Controls Management Solutions

Copyright ©. Fulcrum Information Technology, Inc. Give me a lever long enough and a fulcrum on which to place it, and I shall move the world - Archimedes

Learn to Identify and Eliminate False Positives from your Segregation of Duty Audit Report

Monthly Educational Webinar Series

Adil Khan, Managing Director

May 28th, 2015

Page 2

Eliminate False Positives from your Segregation of Duty Audit Report

Agenda

•  Introductions
•  Inherent False Positives in Oracle EBS
•  Checklist of Global False Positives
•  Systematic Approach for Identifying False Positives
•  SOD Analytics for Remediation Analysis
•  Case Study
•  Q&A

Page 3: Agenda (repeat of page 2)

Page 4

A Leader in Risk Based Controls Management™

FulcrumWay: is the #1 End-to-End Provider of Risk Based Enterprise Controls Management Solutions for Oracle EBS, PeopleSoft and JDE customers with over 200 Fortune-500 to Middle Market clients. Since 2003, we have successfully assisted companies across all major industry segments.

Expertise: Risk Advisory Services. Advanced Controls Design for Enterprise Applications. Best Practices for Risk Mitigation and Internal Controls Automation. Audit, Compliance, Financial, Enterprise and Operational Risk Assessments. Risk Remediation Services.

Packaged Solutions: FulcrumWay is the #1 choice of Oracle customers for Oracle GRC Advanced Controls, GRC Manager, and GRC Intelligence/OBIEE software implementation. Oracle has certified us as the only partner with Accelerators for Oracle GRC. We also provide Managed Services.

Software Services: Risk Assessment for ERP systems, Control Design and Management Tools, Controls Catalog, Enterprise Risk Manager, Financial Reporting Manager, Audit Manager

USA Presence: Privately held Delaware Corporation with US offices in New York City, Dallas and San Francisco

International Presence: in Auckland, Chennai, Dubai, Johannesburg, London, Mexico City

FulcrumWay

Page 5

FulcrumWay Clients: Successful Track Record

Industries served: Government, Oil and Gas, Healthcare, Communications, Financial Services, Transportation, Natural Resources, Manufacturing, Retail, High Tech, Media/Entertainment, Life Sciences

Page 6

FulcrumWay™ Insight Thought Leadership

•  Co-Authored GRC Book: first book on GRC for Oracle Applications
•  SROAUG GRC Solution Lab – February 27th – Los Angeles: GRC Case Studies and Best Practices
•  Innovate 15 – March 19th – Iselin, NJ: GRC Case Studies and Best Practices
•  Collaborate 15 – GRC Client Appreciation Dinner, April 13th, 2015, Las Vegas
•  IIA/ISACA GRC Conference – August 17th–19th, 2015 – Presentations: GRC Case Studies and Best Practices
•  Educational Webcasts – every 3rd Thursday of the month – GRC Best Practices, Trends and Expert Insight
•  Oracle Open World – Annual GRC Dinner on October 26th, 2015 – San Francisco, CA
•  LinkedIn – FulcrumWay Risk, Compliance and Audit Software Group
•  YouTube Podcasts – FulcrumWay Instant Insight in 10 min or less

Proven Expertise

Page 7: Agenda (repeat of page 2)

Page 8

Is your Segregation of Duties Audit Accurate? (Inherent False+, i.e. inherent false positives)

Page 9

[Diagram: Oracle EBS security objects: User, Responsibility, Menu, Function, Form]

Complicated Security Model: contains many overriding security attributes

Evaluate User Access
•  Test by User
•  Test by Privilege

Manage Segregation of Duties
•  Identify incompatible Privileges
•  Predefined & Extensible SOD Rule Sets

Inherent False+

Page 10

What Are False Positives? Users and Responsibilities

•  Inactive Users
•  Expired Users
•  Terminated Employees still active in EBS
•  End-Dated Users
•  End-Dated Responsibility Assignments
•  Menus without Prompts

Inherent False+

Page 11

Without the Grant Flag, a user cannot access the Sub-Menu or Function.

A menu entry without a prompt prevents the user from seeing it and navigating to it.

A menu is a hierarchical arrangement of application functions (forms). In the definition of a responsibility, the specified menu defines what is displayed in the navigator. The specified menu does not necessarily define the functions that can be accessed by the responsibility; those are the functions that are granted.

What Are False Positives? Oracle Menus (Inherent False+)

Page 12

If you specify the parameter QUERY_ONLY=YES, the form opens in query-only mode.

What Are False Positives? Oracle Functions (Inherent False+)
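Pages 10 to 12 list the conditions that turn an SOD hit into an inherent false positive: inactive, end-dated or terminated users, end-dated responsibility assignments, menu entries without a grant flag or without a prompt, and functions opened with QUERY_ONLY=YES. The Python below is an added example, not code from FulcrumWay or Oracle. It models those objects in memory with constructed user, responsibility, menu and function names and one hypothetical SOD rule; in a real review the same rows would be extracted from FND_USER, FND_USER_RESP_GROUPS, FND_RESPONSIBILITY, FND_MENU_ENTRIES and FND_FORM_FUNCTIONS. It computes the naive report (every assignment and every menu entry counted), the filtered report, and the reason each hit dropped out.

```python
"""Added example (not FulcrumWay's or Oracle's code). The rows below are in-memory
stand-ins for the EBS security tables the slides describe (FND_USER, FND_USER_RESP_GROUPS,
FND_RESPONSIBILITY, FND_MENU_ENTRIES, FND_FORM_FUNCTIONS); every name is constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

@dataclass
class MenuEntry:                   # one FND_MENU_ENTRIES row
    menu: str
    sub_menu: str | None = None
    function: str | None = None
    grant_flag: str = "Y"          # 'N': listed on the menu but not granted
    prompt: str | None = None      # None: hidden from the navigator

AS_OF = date(2015, 5, 28)
# (user_name, FND_USER.END_DATE, terminated in HR but still active in EBS)
USERS = [("JSMITH", None, False), ("AJONES", date(2014, 12, 31), False),
         ("BLEE", None, True), ("CWU", None, False), ("DKIM", None, False)]
# (user_name, responsibility, assignment END_DATE) as FND_USER_RESP_GROUPS rows
ASSIGNMENTS = [("JSMITH", "AP_CLERK", None), ("JSMITH", "PO_BUYER", date(2015, 1, 15)),
               ("AJONES", "AP_SUPER", None), ("BLEE", "AP_SUPER", None), ("DKIM", "AP_SUPER", None),
               ("CWU", "AP_INQUIRY", None), ("CWU", "PO_BUYER", None)]
RESP_MENU = {"AP_CLERK": "AP_MAIN", "AP_SUPER": "AP_SUPER_MENU",   # responsibility -> top menu
             "PO_BUYER": "PO_MAIN", "AP_INQUIRY": "AP_INQ"}
MENU_ENTRIES = [
    MenuEntry("AP_MAIN", function="AP_INVOICES", prompt="Invoices"),
    MenuEntry("AP_MAIN", sub_menu="AP_SETUP", grant_flag="N", prompt="Setup"),  # not granted
    MenuEntry("AP_MAIN", function="AP_PAYMENTS"),                               # granted, no prompt
    MenuEntry("AP_SETUP", function="AP_SUPPLIERS", prompt="Suppliers"),
    MenuEntry("AP_SUPER_MENU", function="AP_INVOICES", prompt="Invoices"),
    MenuEntry("AP_SUPER_MENU", function="AP_SUPPLIERS", prompt="Suppliers"),
    MenuEntry("PO_MAIN", function="PO_SUPPLIERS", prompt="Suppliers"),
    MenuEntry("AP_INQ", function="AP_INVOICES_VIEW", prompt="Invoices")]
FUNCTION_PARAMS = {"AP_INVOICES_VIEW": "QUERY_ONLY=YES"}   # FND_FORM_FUNCTIONS.PARAMETERS
SOD_RULES = {"Maintain Suppliers vs Enter Invoices":       # hypothetical rule: (left, right)
             ({"AP_SUPPLIERS", "PO_SUPPLIERS"}, {"AP_INVOICES", "AP_INVOICES_VIEW"})}

def user_active(name: str, as_of: date) -> bool:
    end, terminated = next((e, t) for n, e, t in USERS if n == name)
    return not terminated and (end is None or end >= as_of)

def reachable_functions(menu: str, honour_grant: bool, navigable: bool = True) -> dict[str, bool]:
    """function -> navigable (a prompt on the whole path). With honour_grant, entries whose
    GRANT_FLAG is not 'Y' are skipped, as EBS function security does. Menus assumed acyclic."""
    found: dict[str, bool] = {}
    for e in MENU_ENTRIES:
        if e.menu != menu or (honour_grant and e.grant_flag != "Y"):
            continue
        nav = navigable and e.prompt is not None
        below = {e.function: nav} if e.function else reachable_functions(e.sub_menu, honour_grant, nav)
        for fn, n in below.items():
            found[fn] = found.get(fn, False) or n
    return found

def user_functions(user: str, as_of: date, filtered: bool) -> dict[str, str]:
    """function -> 'update' | 'query-only' | 'hidden'. filtered=False is the naive report view
    (end dates, grant flags and QUERY_ONLY ignored); filtered=True applies those conditions."""
    modes: dict[str, str] = {}
    for name, resp, end in ASSIGNMENTS:
        if name != user or (filtered and end and end < as_of):
            continue                   # end-dated responsibility assignment
        for fn, nav in reachable_functions(RESP_MENU[resp], filtered).items():
            query_only = "QUERY_ONLY=YES" in FUNCTION_PARAMS.get(fn, "").upper()
            mode = ("update" if not filtered else "query-only" if query_only   # read-only form
                    else "hidden" if not nav else "update")                    # no prompt: review
            if modes.get(fn) != "update":   # keep the most permissive mode across paths
                modes[fn] = mode
    return modes

def sod_violations(as_of: date, filtered: bool) -> dict[str, list[str]]:
    """user -> rules where the user holds an update-capable function on both sides."""
    hits: dict[str, list[str]] = {}
    for name, _, _ in USERS:
        if filtered and not user_active(name, as_of):
            continue                   # inactive, end-dated or terminated users drop out
        usable = {fn for fn, m in user_functions(name, as_of, filtered).items()
                  if not filtered or m == "update"}
        for rule, (left, right) in SOD_RULES.items():
            if usable & left and usable & right:
                hits.setdefault(name, []).append(rule)
    return hits

def false_positives(as_of: date = AS_OF) -> dict[str, str]:
    """Raw hits that vanish once the conditions are applied, with the reason for each."""
    real, out = sod_violations(as_of, True), {}
    for name in sod_violations(as_of, False):
        if name in real:
            continue
        if not user_active(name, as_of):
            terminated = next(t for n, _, t in USERS if n == name)
            out[name] = "terminated employee still active in EBS" if terminated else "end-dated user"
        else:
            after = user_functions(name, as_of, True)
            out[name] = "; ".join(f"{fn}: {after.get(fn, 'not granted or assignment end-dated')}"
                                  for fn in user_functions(name, as_of, False)
                                  if after.get(fn) != "update")
    return out
```

With the sample data the naive report flags all five users; after the conditions are applied only DKIM remains, and `false_positives()` explains the other four (end-dated user, terminated employee, ungranted sub-menu plus end-dated assignment, query-only form). Two design choices matter for a defender: a terminated employee who is still active in EBS is reported as a deprovisioning issue rather than silently dropped, and a granted function whose menu path has no prompt is returned as `hidden` rather than excluded, because function security still allows it to be invoked even though it is not navigable, so it belongs in a review queue. The `as_of` date is a parameter so the same data can be re-evaluated for an earlier audit period.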

Page 13

The Form Personalization feature allows you to declaratively alter the behavior of Forms-based screens, including changing properties, executing built-ins, displaying messages, and adding menu entries.

What Are False Positives? Oracle Form Personalization (Inherent False+)

Page 14

A profile is a set of changeable options that affect the way your application looks and behaves. You can set user profile options at different levels: site, application, responsibility, user, server, and organization, depending on how the profile options are defined.

What Are False Positives? Oracle Profile Options (Inherent False+)

Page 15: Agenda (repeat of page 2)

Page 16

Application Access Controls Governor False+ Checklist

Filter False+
•  Form Extensions
•  Table Audit
•  Conditional Function Access
•  Data Access
•  Function Access
•  Read-Only Access
•  Function Limits

Filter False+
•  Menu Access
•  Menu / Sub-Menu / Grants / Prompts
•  Data / Function Access
•  Disabled Oracle Responsibility Access
•  Enabled Oracle Responsibility Access
•  Read-Only RBAC Access
•  RBAC (Role Based Access Control)

Filter False+
•  Function Limits
•  Ledger Data Access
•  Custom Forms/Pages
•  Ledger Set Access
•  Multi-Org Access
•  IT Support Access
•  Menu Grant Flag

Page 17

Application Access Controls Governor False+ Checklist (continued)

Filter False+
•  User Access to Sub-Menu
•  Inactive Users
•  Privileged User (Interface, etc.)
•  User Responsibility Access Inactive
•  User Responsibility Access Active
•  User Access enabled
•  Form Customization

Filter False+
•  Data Access Group (Shared Services)
•  GL Access Limit
•  Operating Unit Access
•  Oracle Security Profile

Page 18: Agenda (repeat of page 2)

Page 19

Risk Based Access Management: Approach

[Diagram: lifecycle stages: Scope; Establish Test Environment; Sample ERP Data; Identify Risk; Assess Risk; Design Controls; Application Controls; Implement Controls; Detect/Analyze Findings; Manage Exceptions; Implement Corrective Actions; Monitor Controls]

[Diagram roles: Advanced Controls Experts/ERP Managers; Risk Advisors/ERP Managers/Control Owners; Risk Advisors/Control Owners; Control Owners/ERP Managers]

[Diagram labels: Inherent False Positives; Residual False Positives]

Page 20

Application Access Controls Governor

Use Global Conditions to filter "inherent" False Positives such as:
•  Inactive Users
•  Inactive Responsibilities
•  Read-only Access

Approach

Page 21

Application Access Controls Governor

Filter Conditions can be set up to exclude SOD violations from results.

Approach

Page 22

Application Access Controls Governor

Local "Path" Conditions can be used to manage special cases such as privileged/IT users.

Approach

Page 23

System Filters: False+ Filters (Approach)

[Diagram labels: Data Security; Read-Only; Custom; INV; User; OU; Form; Profile; Role]

Filters          Type     Conditions       Results Excluded
Inactive User    Global   End-Date         Users
Inactive Role    Global   End-Date         Roles
Business Unit    Global   Org Name         Organization
View Only        Local    Function Path    Functions
Data Security    Local    Data Group       Groups
Personalization  Local    Form/Page        Forms
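The table on this page separates Global filters, which remove a whole result by user end-date, role end-date or organization name, from Local filters, which remove one access path by function, data group or form/page. The Python below is an added example, not FulcrumWay's or Oracle AACG code; it implements that table as a small filter engine over constructed SOD result rows, with hypothetical user, role, organization, form and data-group names, so that every excluded row carries the filter, its scope and the item that triggered it for the audit trail.

```python
"""Added example (not FulcrumWay's or Oracle AACG code): the System Filters table as a small
filter engine over SOD result rows. Global filters drop a whole row by user, role or
organization; local filters neutralise one access path by function, data group or form.
All rows, reference lists and names are constructed sample data."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Path:                 # one access path on one side of a conflict
    role: str
    function: str
    form: str
    data_group: str

@dataclass(frozen=True)
class Violation:            # one row of the raw SOD result set
    user: str
    org: str
    rule: str
    left: Path
    right: Path

@dataclass(frozen=True)
class Filter:               # one row of the System Filters table
    name: str
    scope: str              # "Global" drops the row; "Local" neutralises one path
    condition: str
    excludes: str

FILTERS = [Filter("Inactive User", "Global", "End-Date", "Users"),
           Filter("Inactive Role", "Global", "End-Date", "Roles"),
           Filter("Business Unit", "Global", "Org Name", "Organization"),
           Filter("View Only", "Local", "Function Path", "Functions"),
           Filter("Data Security", "Local", "Data Group", "Groups"),
           Filter("Personalization", "Local", "Form/Page", "Forms")]

AS_OF = date(2015, 5, 28)
# Reference data each condition consults (constructed).
USER_END_DATE = {"AJONES": date(2014, 12, 31)}
ROLE_END_DATE = {"PO_BUYER_OLD": date(2015, 1, 15)}
EXCLUDED_ORGS = {"TEST_OU"}                         # e.g. a test or conversion operating unit
QUERY_ONLY_FUNCTIONS = {"AP_INVOICES_VIEW"}         # form opened with QUERY_ONLY=YES
READ_ONLY_DATA_GROUPS = {"AP_READ_DG"}
PERSONALIZED_FORMS = {("INVOICE_FORM", "AP_CLERK")}  # (form, responsibility) with update action disabled

def global_match(f: Filter, v: Violation, as_of: date) -> str | None:
    """Item a Global filter excludes for this row, or None when it does not apply."""
    if f.name == "Inactive User":
        end = USER_END_DATE.get(v.user)
        return v.user if end and end < as_of else None
    if f.name == "Inactive Role":
        for p in (v.left, v.right):
            end = ROLE_END_DATE.get(p.role)
            if end and end < as_of:
                return p.role
    if f.name == "Business Unit" and v.org in EXCLUDED_ORGS:
        return v.org
    return None

def local_match(f: Filter, p: Path) -> str | None:
    """Item a Local filter excludes on this path, or None."""
    if f.name == "View Only" and p.function in QUERY_ONLY_FUNCTIONS:
        return p.function
    if f.name == "Data Security" and p.data_group in READ_ONLY_DATA_GROUPS:
        return p.data_group
    if f.name == "Personalization" and (p.form, p.role) in PERSONALIZED_FORMS:
        return p.form
    return None

def apply_filters(rows: list[Violation], as_of: date):
    """Return (kept, excluded); excluded entries are (row, filter, item) for the audit trail."""
    kept, excluded = [], []
    for v in rows:
        hit = None
        for f in FILTERS:               # Global filters are listed first, so they win
            if f.scope == "Global":
                item = global_match(f, v, as_of)
            else:                       # a conflict needs both sides live: one dead path is enough
                item = local_match(f, v.left) or local_match(f, v.right)
            if item:
                hit = (v, f, item)
                break
        (excluded if hit else kept).append(hit or v)
    return kept, excluded

RULE = "Maintain Suppliers vs Enter Invoices"   # hypothetical SOD rule
def _row(user, org, lrole, lfn, rrole, rfn, rdg="AP_DG"):
    return Violation(user, org, RULE, Path(lrole, lfn, "SUPPLIER_FORM", "AP_DG"),
                     Path(rrole, rfn, "INVOICE_FORM", rdg))
RAW_RESULTS = [
    _row("DKIM", "US_OU", "AP_SUPER", "AP_SUPPLIERS", "AP_SUPER", "AP_INVOICES"),        # true positive
    _row("AJONES", "US_OU", "AP_SUPER", "AP_SUPPLIERS", "AP_SUPER", "AP_INVOICES"),      # user end-dated
    _row("JSMITH", "US_OU", "PO_BUYER_OLD", "PO_SUPPLIERS", "AP_ENTRY", "AP_INVOICES"),  # role end-dated
    _row("CWU", "US_OU", "PO_BUYER", "PO_SUPPLIERS", "AP_INQUIRY", "AP_INVOICES_VIEW"),  # query-only side
    _row("EPAT", "TEST_OU", "AP_SUPER", "AP_SUPPLIERS", "AP_SUPER", "AP_INVOICES"),      # excluded org
    _row("FRAY", "US_OU", "AP_CLERK", "AP_SUPPLIERS", "AP_CLERK", "AP_INVOICES"),        # personalized form
    _row("GNOR", "US_OU", "PO_BUYER", "PO_SUPPLIERS", "AP_READER", "AP_INVOICES", "AP_READ_DG")]  # read-only data group
```

Calling `apply_filters(RAW_RESULTS, AS_OF)` keeps only DKIM's row and returns the other six with the filter that removed each, which is the evidence an auditor wants to see next to every excluded violation. Global filters are evaluated before local ones, so a row whose user or role is end-dated is excluded on that ground even if a local condition would also apply, and a local filter only needs to neutralise one side because a conflict requires both sides to be live. The Personalization filter is keyed on form and responsibility because form personalizations can be scoped that narrowly; a site-wide rule would be modelled by matching on the form alone.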

Page 24: Agenda (repeat of page 2)

Page 25

Advanced Analytics to Identify False+

Pre-built Risk Analytics. Risk Reports are available for client review.

Risk Advisors identify control violations and have the capability to analyze issues and remove false positives in order to prepare the findings report.

SOD Analytics

Page 26

Advanced Analytics to Identify False+ SOD Analytics

Page 27

Advanced Analytics to Identify False+ SOD Analytics

Page 28: Agenda (repeat of page 2)

Page 29

Fortune 500 Global Manufacturer Improves Segregation of Duty Controls across multiple ERP instances

Our Client
•  Fortune 500 company; manufactures and distributes coatings, specialty materials, and glass products
•  Business runs on multiple Oracle EBS and SAP systems
•  Over 40,000 employees world-wide

Challenges
•  Replace multiple legacy systems with one ERP solution
•  Improve Segregation of Duty controls within mission critical applications
•  Maintain consistent ERP system access roles across the subsidiaries, leveraging the shared services model
•  Increase external auditor's reliance on ERP Access Controls Monitoring

Solutions
•  Oracle Access Controls Governor
•  FulcrumWay Advanced Access Analytics

Results
•  Reduced ERP SOD remediation time by identifying and eliminating 80% false positives, resulting in over $50,000 annual cost savings in audit and remediation costs
•  Created over 100 Segregation of Duty compliant Roles by business segment within two weeks from FulcrumWay Role Templates within the controls catalog
•  Lowered ERP Total Cost of Ownership by reducing SoD remediation time and costs by ensuring that all users are assigned only the pre-approved Roles
•  Improved SoD and Access Controls testing time by providing auditors the access log reports showing all Update, Review and Approve Role design changes
•  Accelerated ERP Access Approval time by identifying valid SOD conflicts before the Roles are assigned to Users

Case Study

Page 30

Enterprise Controls Platform

[Diagram: Detection and Prevention: Access Analysis; Remediation (Clean-up); Preventive Provisioning; Compensating Policies; Define Access Controls; GRC Manager; Advanced Controls: SOD & Access, Application Configuration, Transaction Monitoring; GRC Intelligence]

•  Accelerate deployment and time to value with ready-made controls library
•  Mitigate risk of inappropriate user access with approval workflow and audit trails
•  Simplify segregation of duties enforcement with simulation and remediation

Application Access Controls: Embed Controls Natively in Enterprise Apps

Case Study

Page 31

Leader in Risk Based Management Controls Q & A

Visit Resources to get started with Security Assessment and Role Design