Governance, Risk and Compliance Application Suite. Klaus Niemann, Principal Sales Consultant NOG & CH Financials & Projects


Mar 28, 2018

Transcript
Page 1: Governance, Risk and Compliance Application Suite (PDF). Agenda: Challenges; Positioning of the GRC Application Suite; Oracle GRC Application Suite; Summary

Governance, Risk and Compliance Application Suite

Klaus Niemann, Principal Sales Consultant NOG & CH Financials & Projects

Page 2: Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

Page 3: AGENDA

• Challenges
• Positioning of the GRC Application Suite
• Oracle GRC Application Suite
• Summary

Page 4: The BURDEN of "Compliance"

Erosion of public trust, call for greater transparency
Chart: public trust in 2006 and public trust in 2002 (the peak of corporate scandal), shown as 36% and 28% (Source: McKinsey, 2007)

Increasing number & complexity of regulations
• Sarbanes-Oxley Act
• Fair Credit Reporting Act
• Family Education Rights
• Privacy Protection Act
• Federal Rules of Civil Procedure
• Title 21 CFR Part 11
• Computer Fraud & Abuse Act
• Health Insurance Portability & Accountability Act
• Children's Online Privacy Protection Act
• Gramm-Leach-Bliley Act
• Patriot Act
• Domestic Security Enhancement Act
• ... and many more

Unabated spending on compliance (Source: AMR Research, Feb 2007)
Technology $9.8B; Services $7.3B; Headcount $12.6B

High stakes for brand and reputation (Source: BusinessWeek, 2007)
= Brand value $15B

Page 5: The IMPACT of "Compliance"

Diagram: Regulation A, Risk B and Standard C are each mapped separately onto the same risks (R1 R2 R3) but onto their own control sets (C1a, C2a, C3a, C5a, C6a, C7a, C9a, C10a, C11a; the same again with suffix b and suffix c), i.e. one duplicated control set per requirement.

Challenge: Multiple requirements, fragmented response
Challenge: Manual processes and controls
Challenge: GRC as an afterthought, holding up the business (business processes first, GRC bolted on afterwards)

Sources: Adapted from Deloitte Consulting, Open Compliance and Ethics Group, and IDC

Page 6: OPTIMIZATION through GRC solutions

Solution: Consolidate
Diagram: Regulation A, Risk B and Standard C are mapped onto one shared set of risks (R1 R2 R3) and controls (C1 C2 C3, C5 C6 C7, C9 C10 C11), governed by Policy and Risk.

Solution: Automate
Diagram: GRC lifecycle of Process, Policy, Assessment, Detective Control, Preventive Control, Issues, Remediation, Reporting & Diagnostics.

Solution: Embed
Diagram: GRC embedded within the business process rather than running beside it.

Sources: Adapted from Deloitte Consulting, Open Compliance and Ethics Group, and IDC

Page 7: Components of corporate oversight

• COSO and internal controls
  • Ensuring the effectiveness and efficiency of business operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations
• Risk management and monitoring
• Integration of controlling
• Early risk detection system

Page 8: AGENDA

• Challenges
• Positioning of the GRC Application Suite
• Oracle GRC Application Suite
• Summary

Page 9: Oracle solutions for GRC requirements

GRC Reporting & Analytics: Reporting, KRI & Alerts, Dashboards
GRC Process Management: Audit Management, Assessment, Issue & Remediation, Event & Loss Mgmt
GRC Application Controls: Transaction Monitoring, SOD & Access, Application Configuration, Custom or Legacy Applications
GRC Infrastructure Controls: Change Mgmt, Digital Rights, Data Security, Identity Mgmt, Records Mgmt

Purpose-built business solutions for key industries and GRC initiatives
Best-in-class GRC core solutions to support all mandates and regulations
Pre-integrated with Oracle applications and technology, supports heterogeneous environments

Page 10: Oracle solutions for GRC requirements (the architecture overview of page 9, repeated with the GRC Manager layer highlighted: "GRC Manager solutions to support all mandates and regulations")

Page 11: Example: COSO Internal Control Framework in GRC Manager

Diagram: Policy, Process and Event, together with Organization, Account and Cycle, are linked to master libraries (Objectives, Risks, Controls, Tests, Docs); transactions feed the control tests; Objectives, Risks, Controls, Control Tests and Issues are related to one another.

Page 12: Organizational element and assigned processes / subprocesses (screenshot)

Page 13: Subprocesses: Cash Disbursement (screenshot)

Page 14: Risks (screenshot)

Page 15: Controls (screenshot)

Page 16: Example: Processes and assignment (screenshot)

Page 17: Example: Mixed approach in the SSC (screenshot)

Page 18: Oracle solutions for GRC requirements (the architecture overview of page 9, repeated with the GRC Manager layer highlighted: "GRC Manager solutions to support all mandates and regulations")

Page 19: Reporting / Intelligence

• Reporting (Standard)
  • Predefined "out-of-the-box" reports
  • Grouped by: Project, Audit, Exception, Scheduling, Matrix, Library
  • Reports can be provided in MS Excel, GRC Intelligence and 3rd-party applications
• Analytics / Dashboards / Answers
  • Predefined Dashboards, KPI / KRI, Reports, Analytics
  • Answers (create reports by drag and drop)

Page 20: Intelligence > Control Issue > Details > Drill down into GRC Manager (screenshot)

Page 21: Oracle solutions for GRC requirements (the architecture overview of page 9, repeated with the GRC Manager layer highlighted: "GRC Manager solutions to support all mandates and regulations")

Page 22: GRC Application Controls Management: Detect and prevent control failure (ACCESS controls highlighted)

                Preventive Controls                 Detective Controls
                (enforce policies in context)       (monitor control effectiveness)
ACCESS          What users can do                   What users have done
CONFIGURATION   How is the process set up           What's changed in the process
TRANSACTION     How users execute processes         What are the execution patterns

Page 23: Access Controls: Provide fine-grained access control and segregation of duties

Know who has access to do what, and ensure that nobody is given inappropriate privileges.

Cycle: Define Access Controls → Access Analysis → Remediation (Clean-up) → Preventive Provisioning → Compensating Policies (detection first, then prevention)

• Define SOD conflict & business rules and policies
• Execute an access analysis engine that understands the application's detailed access architecture
• Remediation and analysis via pre-packaged reports & what-if simulation
• Real-time enforcement of SOD controls during user provisioning
• Handle exceptions with compensating process & transaction analysis policies
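The access analysis cycle on this slide, as an added example in Python (not Oracle GRC code): the roles, access points, the two SOD rules, the user assignments and the function names are constructed for illustration and are not E-Business Suite objects. It shows the detective pass (resolve roles to access points, find users holding both sides of a conflict, subtract exceptions that are covered by a compensating control) and the preventive pass (a what-if simulation run before a role is granted, which is what real-time SOD enforcement at provisioning time amounts to).

```python
"""Segregation-of-duties (SOD) analysis over user entitlements.

Added example, not Oracle GRC code. Roles, access points, SOD rules and
users below are constructed sample data.
"""
from dataclasses import dataclass

# Access points are the atomic privileges an application exposes; a role is
# a bundle of them (constructed; real applications have thousands).
ROLE_ACCESS_POINTS = {
    "AP_INVOICE_ENTRY": {"ap.invoice.create", "ap.invoice.update"},
    "AP_PAYMENT_RUN": {"ap.payment.create", "ap.payment.release"},
    "VENDOR_MAINTENANCE": {"po.vendor.create", "po.vendor.update"},
    "AP_INQUIRY": {"ap.invoice.view"},
}


@dataclass(frozen=True)
class SodRule:
    """A user who holds an access point from BOTH sides is in conflict."""
    name: str
    left: frozenset
    right: frozenset


SOD_RULES = [
    SodRule("Create vendor + pay vendor",
            frozenset({"po.vendor.create", "po.vendor.update"}),
            frozenset({"ap.payment.create", "ap.payment.release"})),
    SodRule("Enter invoice + release payment",
            frozenset({"ap.invoice.create"}),
            frozenset({"ap.payment.release"})),
]


def effective_access(roles):
    """Resolve roles to the flat set of access points (the 'detailed access architecture')."""
    points = set()
    for role in roles:
        points |= ROLE_ACCESS_POINTS[role]
    return points


def find_conflicts(points, rules=SOD_RULES):
    """Return (rule name, offending left points, offending right points) per violated rule."""
    hits = []
    for rule in rules:
        left_hits, right_hits = points & rule.left, points & rule.right
        if left_hits and right_hits:
            hits.append((rule.name, sorted(left_hits), sorted(right_hits)))
    return hits


def analyse(users, exceptions=frozenset()):
    """Detective pass: conflicts per user, minus documented exceptions.

    `exceptions` holds (user, rule name) pairs that are accepted because a
    compensating control (e.g. transaction monitoring) covers them."""
    report = {}
    for user, roles in users.items():
        conflicts = [c for c in find_conflicts(effective_access(roles))
                     if (user, c[0]) not in exceptions]
        if conflicts:
            report[user] = conflicts
    return report


def simulate_provisioning(current_roles, new_role, rules=SOD_RULES):
    """Preventive pass: what-if check run before a role is granted.

    Returns (allowed, new_conflicts). Only conflicts the new role introduces
    block the request; pre-existing ones are already reported by analyse()."""
    before = {c[0] for c in find_conflicts(effective_access(current_roles), rules)}
    after = find_conflicts(effective_access(list(current_roles) + [new_role]), rules)
    new = [c for c in after if c[0] not in before]
    return (len(new) == 0, new)


if __name__ == "__main__":
    users = {  # constructed sample assignments
        "alice": ["AP_INVOICE_ENTRY", "AP_INQUIRY"],
        "bob": ["VENDOR_MAINTENANCE", "AP_PAYMENT_RUN"],
    }
    for user, conflicts in analyse(users).items():
        print(user, conflicts)
    print(simulate_provisioning(users["alice"], "AP_PAYMENT_RUN"))
```

The what-if check deliberately reports only conflicts the requested role adds; an engine that blocked every request from an already-conflicted user would stall provisioning and push administrators toward granting access outside the workflow, which is the failure the control is meant to prevent.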

Page 24: DRAG & DROP: cross-platform policy definition

Policies can be created by drag and drop, using access points from various business platforms, applications and data sources.

Page 25: SETUP Migration Support

Diagram: today, setups are entered by hand in the PROD database and entered again in the DEV, TEST, QA and CRP databases (duplicated effort); with setup migration support they are migrated automatically between the PROD instance and the DEV, TEST, QA and CRP instances.

An automated solution for a manual activity that all Oracle Apps customers are doing.

Benefits:
• Save time
• Reduce manual effort
• Avoid error

Page 26: GRC Application Controls Management: Detect and prevent control failure (the preventive/detective matrix of page 22, repeated with CONFIGURATION controls highlighted)

Page 27: Configuration Controls: Detect and prevent configuration control failure

Ensure that critical setups conform to best practices and follow robust change management procedures.

Cycle: Define Configuration Controls → Document or Compare Configurations → Monitor Configuration Changes → Enforce Change Control → Manage Data Integrity (detection first, then prevention)

• Define best-practice policies & operating rules
• Record changes to sensitive setup data; compare before and after values for each change
• Monitor for setup inconsistencies across multiple instances
• Require conditional approval cycles (e.g., when a threshold is exceeded)
• Validate that setups and data updates conform to valid values
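The configuration control cycle on this slide and the cross-instance setup comparison of the setup migration slide (page 25), as one added example in Python (not Oracle GRC or EBS code): the setup keys, the policy table, the instance names and the approval predicate are constructed assumptions, not E-Business Suite profile options. It records before/after values for each change, diffs two snapshots, reports drift between instances, rejects values outside the valid set and demands an approval flag when a change crosses the policy's threshold condition.

```python
"""Configuration (setup) controls: record, compare, validate and gate changes.

Added example, not Oracle GRC code. Setup keys, policy and instances are
constructed for illustration.
"""
from datetime import datetime, timezone

# Best-practice policy for sensitive setups (constructed):
#   allowed:     the set of valid values, or None for free-form values
#   approval_if: predicate on (old, new); True means the change needs approval
POLICY = {
    "ap.invoice_approval_required": {"allowed": {"Y"}, "approval_if": None},
    "ap.payment_approval_threshold": {
        "allowed": None,
        "approval_if": lambda old, new: float(new) > float(old),  # raising it needs sign-off
    },
    "gl.allow_posting_to_closed_period": {"allowed": {"N"}, "approval_if": None},
}


def validate(setup):
    """Detective: settings that are missing or outside the policy's valid values."""
    findings = []
    for key, rule in POLICY.items():
        value = setup.get(key)
        if value is None:
            findings.append((key, "missing"))
        elif rule["allowed"] is not None and value not in rule["allowed"]:
            findings.append((key, f"invalid value {value!r}"))
    return findings


def diff_setups(before, after):
    """Document/compare: {key: (old, new)} for every setup that changed."""
    keys = set(before) | set(after)
    return {k: (before.get(k), after.get(k)) for k in keys if before.get(k) != after.get(k)}


def drift(instances):
    """Compare the same setups across instances (e.g. PROD vs TEST).

    Returns {key: {instance: value}} for keys whose values disagree."""
    names = list(instances)
    keys = set().union(*(instances[n].keys() for n in names))
    out = {}
    for key in keys:
        values = {n: instances[n].get(key) for n in names}
        if len(set(values.values())) > 1:
            out[key] = values
    return out


def apply_change(setup, key, new_value, user, approved=False, log=None):
    """Preventive: enforce change control on one setup update.

    Rejects invalid values outright, requires `approved` when the policy's
    approval_if predicate fires, and appends a before/after record to `log`."""
    rule = POLICY.get(key)
    old = setup.get(key)
    if rule and rule["allowed"] is not None and new_value not in rule["allowed"]:
        return False, "invalid value"
    needs_approval = (rule and rule["approval_if"] and old is not None
                      and rule["approval_if"](old, new_value))
    if needs_approval and not approved:
        return False, "approval required"
    setup[key] = new_value
    if log is not None:
        log.append({"ts": datetime.now(timezone.utc).isoformat(), "user": user,
                    "key": key, "before": old, "after": new_value})
    return True, "applied"


if __name__ == "__main__":
    prod = {"ap.invoice_approval_required": "Y", "ap.payment_approval_threshold": "10000",
            "gl.allow_posting_to_closed_period": "N"}
    test = dict(prod, **{"gl.allow_posting_to_closed_period": "Y"})  # drifted copy
    print(validate(test))
    print(drift({"PROD": prod, "TEST": test}))
    log = []
    print(apply_change(prod, "ap.payment_approval_threshold", "50000", "bob", log=log))
    print(apply_change(prod, "ap.payment_approval_threshold", "50000", "bob", approved=True, log=log))
    print(log)
```

The change log is what makes the "before and after" comparison on the slide possible after the fact; in a real deployment it would be written to an append-only store that the users who change setups cannot edit.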

Page 28: "Data Privacy" and "Data Integrity": Mask sensitive data, restrict access to actions

Embedded preventive controls restrict access to sensitive data and critical actions proactively, using native EBS interface and workflow technology.

Screen mock-up "Employee Update":
Name: John Doe
Address: 123 Main St, Center City, NY 12345
Salary: $ 53,000.00
SSN: XXX-XX-XXXX
Supervisor: Mary Smith
[OK] [Cancel]

• Conceal the SSN if the user is NOT from the HR department
• Employees can only view the salary field (can't update it)
• Disable invoice approval for invoices created by the same user
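The three rules on this slide, as an added example in Python (not Oracle EBS code): a policy decision function over an in-memory employee record and invoice. The department names, field names, the SSN value and the mask format are constructed assumptions. The point a practitioner should take from it is that masking happens on the copy handed to the caller, so the raw value never leaves the function for a non-HR user, and that the maker/checker rule is evaluated against the record's own audit fields, not against anything the approver supplies.

```python
"""Embedded preventive controls: mask a sensitive field, restrict critical actions.

Added example, not Oracle EBS code. Departments, fields and values are
constructed sample data.
"""
import re


def mask_ssn(ssn):
    """Replace every digit with X; separators stay so the field is still recognisable."""
    return re.sub(r"\d", "X", ssn)


def view_employee(record, requester):
    """Rule 1: conceal the SSN unless the requester is from HR.

    Returns a copy; the caller never receives the raw SSN for non-HR users."""
    shown = dict(record)
    if requester["dept"] != "HR":
        shown["ssn"] = mask_ssn(record["ssn"])
    return shown


def update_employee(record, requester, field, value):
    """Rule 2: employees can only view the salary field, not update it.

    Only HR may change salary. Returns (allowed, reason); the change is applied
    in place only when allowed."""
    if field == "salary" and requester["dept"] != "HR":
        return False, "salary is read-only for this user"
    record[field] = value
    return True, "updated"


def approve_invoice(invoice, approver):
    """Rule 3: disable invoice approval for invoices created by the same user.

    The check uses the invoice's own created_by audit field (maker/checker)."""
    if invoice["created_by"] == approver["user"]:
        return False, "creator cannot approve own invoice"
    invoice["approved_by"] = approver["user"]
    return True, "approved"


if __name__ == "__main__":
    # Constructed sample data; the SSN is a placeholder, not a real number.
    emp = {"name": "John Doe", "address": "123 Main St, Center City, NY 12345",
           "salary": 53000.00, "ssn": "123-45-6789", "supervisor": "Mary Smith"}
    payroll_clerk = {"user": "pclerk", "dept": "Payroll"}
    hr_partner = {"user": "hrp", "dept": "HR"}
    print(view_employee(emp, payroll_clerk)["ssn"])
    print(update_employee(emp, payroll_clerk, "salary", 60000.00))
    invoice = {"id": "INV-1", "created_by": "pclerk", "approved_by": None}
    print(approve_invoice(invoice, payroll_clerk))
    print(approve_invoice(invoice, hr_partner))
```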

Page 29: MONITORING: Who? When? What? Where?

Page 30: GRC Application Controls Management: Detect and prevent control failure (the preventive/detective matrix of page 22, repeated with TRANSACTION controls highlighted)

Page 31: Transaction Controls: Detect and prevent erroneous and fraudulent transactions

Monitor transactions to detect business policy violations or unacceptable levels of risk or inefficiency.

Cycle: Define Transaction Controls → Perform Transaction Analysis → Review and Address Suspects → Preventive Transaction Control (detection first, then prevention)

• Identify transactions violating policy (e.g., un-approved vendor)
• Detect patterns representing aggregate risk (e.g., micro-payments)
• Initiate review / approval cycle based on automated policies
• Approvals based on transaction data thresholds

Page 32: Transaction Controls: Wide range of predefined controls that notify when violations occur

Flow: POLICY (library of transaction monitors) → Business Process → Control Monitor (MONITORING: data in, violation detected) → Control Violation → Case Manager to investigate & approve (DECISION-MAKING)

• An integrated library of transaction monitors provides characterization and procedures for handling suspects
• Continuous monitoring identifies suspects
• A seamless approval workflow facilitates decision-making

Page 33: Comprehensive transaction "monitoring": Detect patterns of heightened risk in business activity

Categorized into three functional groups:
• Operational controls (basic transactions)
• Risk management controls (cash, credit, asset)
• Reportable event controls (anything material that impacts financial health)

Controls can be categorized from a business & financial view:
• Purchasing controls: PO over a given threshold
• Inventory controls: PPV rises above a given threshold
• Revenue recognition controls: invoice or sales amount is over a given threshold
• Accounts receivable controls: fluctuation of the DSO
• General computer controls
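The transaction monitors of pages 31 to 33, as one added example in Python (not Oracle GRC code): three monitors over constructed AP invoice records, covering the un-approved vendor case, the over-threshold case and the micro-payment pattern where several sub-threshold payments to one vendor inside a short window add up past the approval threshold (invoice splitting). The approved-vendor list, threshold, window, minimum cluster size, sample invoices and function names are assumptions for illustration, not product defaults.

```python
"""Transaction monitors: policy violations, aggregate-risk patterns, thresholds.

Added example, not Oracle GRC code. Vendor master, thresholds and invoices
are constructed sample data.
"""
from collections import defaultdict
from datetime import date, timedelta

APPROVED_VENDORS = {"V100", "V200"}   # constructed approved-vendor master
PO_THRESHOLD = 10_000.00              # single-transaction approval threshold
SPLIT_WINDOW = timedelta(days=7)      # micro-payment aggregation window
SPLIT_MIN_COUNT = 3                   # how many small payments count as a pattern


def monitor_unapproved_vendor(txns):
    """Operational control: invoices against vendors missing from the approved master."""
    return [t["id"] for t in txns if t["vendor"] not in APPROVED_VENDORS]


def monitor_over_threshold(txns, threshold=PO_THRESHOLD):
    """Threshold control: single transactions that need an approval cycle."""
    return [t["id"] for t in txns if t["amount"] > threshold]


def monitor_micro_payments(txns, threshold=PO_THRESHOLD, window=SPLIT_WINDOW,
                           min_count=SPLIT_MIN_COUNT):
    """Pattern control: several sub-threshold payments to one vendor inside a
    window whose SUM crosses the threshold (splitting to dodge approval).

    A sliding window over each vendor's date-sorted payments finds the first
    suspect cluster per vendor; returns {vendor: [transaction ids]}."""
    by_vendor = defaultdict(list)
    for t in txns:
        if t["amount"] <= threshold:          # over-threshold ones are caught elsewhere
            by_vendor[t["vendor"]].append(t)
    suspects = {}
    for vendor, items in by_vendor.items():
        items.sort(key=lambda t: t["date"])
        for i, first in enumerate(items):
            cluster = [t for t in items[i:] if t["date"] - first["date"] <= window]
            if len(cluster) >= min_count and sum(t["amount"] for t in cluster) > threshold:
                suspects[vendor] = [t["id"] for t in cluster]
                break
    return suspects


def run_monitors(txns):
    """Run every monitor and return one suspect list for the case manager to work."""
    cases = [("unapproved_vendor", i) for i in monitor_unapproved_vendor(txns)]
    cases += [("over_threshold", i) for i in monitor_over_threshold(txns)]
    for vendor, ids in monitor_micro_payments(txns).items():
        cases.append(("micro_payments", f"{vendor}:{'+'.join(ids)}"))
    return cases


SAMPLE = [  # constructed AP invoices: a split pattern for V100, a stray vendor, one big PO
    {"id": "I1", "vendor": "V100", "amount": 4000.0, "date": date(2018, 3, 1)},
    {"id": "I2", "vendor": "V100", "amount": 4500.0, "date": date(2018, 3, 3)},
    {"id": "I3", "vendor": "V100", "amount": 3000.0, "date": date(2018, 3, 5)},
    {"id": "I4", "vendor": "V999", "amount": 800.0, "date": date(2018, 3, 5)},
    {"id": "I5", "vendor": "V200", "amount": 12500.0, "date": date(2018, 3, 6)},
    {"id": "I6", "vendor": "V200", "amount": 2000.0, "date": date(2018, 3, 20)},
]

if __name__ == "__main__":
    for case in run_monitors(SAMPLE):
        print(case)
```

The micro-payment monitor is the one worth studying: each transaction passes the single-transaction threshold control on its own, so only a monitor that aggregates per vendor over time sees the pattern, which is what the slide means by "aggregate risk".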

Page 34: AGENDA

• Challenges
• Positioning of the GRC Application Suite
• Oracle GRC Application Suite
• Summary

Page 35: COMPLIANCE implementation with Oracle

Maturity model (maturity over time): Informal → Reactive → Proactive → Optimized

Informal:
• Ad hoc approach
• Compliant, but at a high cost to the business
• Manual control
• No best practices

Reactive:
• Tactical approach
• Risks are documented
• Manual risk assessment and reporting
• After-the-fact reporting

Proactive:
• Unified, standardized & strategic approach
• Policies are enforced
• Automated process
• Prevent policy violation

Optimized:
• GRC objectives embedded throughout the organization
• Analyze and trend
• Automated risk mitigation / predictive risk assessments

Oracle GRC provides solutions for each of these stages based on your objectives and helps you mature to the next: GRC Application Controls, GRC Manager, GRC Intelligence, GRC Infrastructure Controls.

Page 36: For More Information

http://www.oracle.com/grc
