Copyright © 2015, Oracle and/or its affiliates. All rights reserved.

Oracle Risk Management (GRC) Product Strategy Update GEN7982
Sid Sinha, Oracle Application Development, Oct 27, 2015
Presented with
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Introductions
• Chuck Scheller – Director of Business Systems, Harvard Pilgrim HealthCare. Chuck manages the application lifecycle of HPHC’s Oracle eBusiness Suite. This work includes: solutions knowledge, planning and feasibility, projects and execution, maintenance and support, and infrastructure and training. Chuck has been with HPHC since 1984 and was Program Director responsible for selecting and implementing Oracle as HPHC’s financial application solution in 2001.

Agenda
1. Oracle GRC Product Strategy Update
2. Case Study: Skechers
3. Case Study: Harvard Pilgrim HealthCare
4. KPMG Best Practice Update
5. Wrap-up

Leveraging Oracle GRC Advanced Controls
Agenda
1. Background
2. Project Approach
3. Key Benefits for Harvard Pilgrim
4. ROI Framework
5. AIM to AACG Integration
6. Questions

Background
About Harvard Pilgrim Health Care
Harvard Pilgrim Health Care is a not-for-profit health services company serving more than one million members in New England. Founded in 1969, the health plan has built its reputation on pragmatic innovation with a goal of lowering costs, improving care and enhancing the overall member experience. Harvard Pilgrim is known for its excellent clinical programs, customer service, health improvement strategies and innovative tools that offer consumers greater transparency and empower them to make better decisions about their health care.

Background (continued)
As Director of Business Systems, my role is to manage the application lifecycle of HPHC’s Oracle eBusiness Suite. This work includes: solutions knowledge, planning and feasibility, projects and execution, maintenance and support, and infrastructure and training. I’ve been with HPHC since 1984 and was Program Director responsible for selecting and implementing Oracle as HPHC’s financial application solution in 2001.

HPHC runs over 30 V12.2.4 eBS apps on 11G Db as a single instance in a Linux RAC environment.

Project Approach – Oracle GRC Manager (2010)
Harvard Pilgrim engaged with PwC in late 2010 to implement the Oracle Governance Risk and Compliance Manager solution for Model Audit Rule (MAR) and SSAE16 compliance activities and reporting.

As a part of this initiative, PwC team members worked closely with HPHC’s Financial Controls Manager to design and implement a data repository for compliance content and to automate periodic assessment activities and reporting for MAR and SSAE16.

Project Approach – Oracle GRC Manager (2010)
Highlights of HPHC’s GRC Manager Program
– Which part of the HPHC business owns the Financial Audit process (Internal Audit, Controller, Compliance office)? Finance, via the Controller, owns this process.
– Are external auditors involved in the process? Yes, we have an external audit of our financial statements annually as well as an SSAE 16 audit annually. Model Audit Rule work is done only via internal audit.
– Was there a single driver for adopting GRC Manager? We wanted to have one place to document all of our controls that could be easily updated and accessed for audit support.
– What was the method used before GRC Manager (spreadsheets, emails)? Mainly spreadsheets.

Project Approach – Oracle GRC Manager (2010)
Highlights of HPHC’s GRC Manager Program (continued)
– How many controls are documented? Approximately 150.
– How often are assessments done? For Model Audit Rule we do an annual and a mid-year assessment update of controls, just to see if anything material is new.
– How are results reported? Results are reported to senior management and the Audit Committee annually, but more often with an internal group that is responsible for Model Audit Rule; that is done at least twice a year.
– How are issues handled? Issues are discussed with the control owners and reported from internal audit to the group in finance which is responsible for the Model Audit Rule program.

Project Approach – Oracle GRC Manager (2010)
Highlights of HPHC’s GRC Manager Program (continued)
– Is it important to link documented financial controls (GRC Manager) with automated controls testing results (Access Controls, Transaction Controls) in the long run? Yes, and hopefully in the long run, when the automated controls are documented and assessed, it would be easier to reduce reliance on non-automated controls.

Project Approach – Oracle GRC Manager (2010)
“Harvard Pilgrim selected Oracle Fusion Advanced Controls to help improve controls through automation, improve efficiencies in the audit and testing process and to ultimately help the Company reduce costs while still maintaining a robust system of internal controls,” said Michelle Clayman, corporate controller at Harvard Pilgrim Health Care.

Project Approach – Oracle Insight (2012)
In 2012, PwC and the Oracle Insight team conducted a week-long discovery session to identify opportunities for Harvard Pilgrim to leverage the Oracle GRC Controls solution in advance of the Oracle R12 upgrade. The team identified and recommended a three-phase iterative implementation project to build incremental value for Harvard Pilgrim:

Phase 1 – Quick Wins
– Review, prioritize and identify key corporate-wide and division-specific controls for potential automation using Oracle GRC Controls
– Maintain focus on acquiring value and decreasing manual effort by the audit teams in executing Segregation of Duties (SOD) testing, access reviews, and configuration change management
– Implement SOD access controls (AACG) and configuration monitoring (CCG)

Phase 2 – Facilitate R12 Upgrade and Implement Transaction Controls (current stage)
– Maximize usage of AACG and CCG to facilitate R12 upgrade efforts
– Conduct workshops with business process owners to identify high-risk transactional controls
– Evaluate the opportunity to implement transaction controls (TCG) to address key transaction-level risk exposures in Oracle EBS

Phase 3 – GRC Optimization Assessment
– Evaluate the opportunity to implement preventive/approval-based SOD controls
– Evaluate the opportunity to implement approval-based change control for key EBS configurations
– Evaluate integration between GRC Controls and GRC Manager to automate Model Audit Rule testing
– Assess and provide scope for Oracle Health Insurance integration to GRC Controls

Key Benefits for Harvard Pilgrim
– Reduce manual effort to compile reporting packages for periodic access reviews and configuration change controls
– Maintain the integrity of system configurations and provide the ability to track unintended changes from periodic maintenance and patching activities
– Establish Segregation of Duties policies to reduce the cost of the R12 upgrade and avoid remediation of access violations post go-live
– Reduce the level of effort to document and manage system configuration changes during the R12 upgrade
– Automate the continuous monitoring of key financial controls to reduce the risk of fraudulent transactions
– Expected reduction in external audit scope and fees through the use of an automated tool

HPHC ROI
Tangible Cost Savings (Total ROI 6 years)
– Access Management – Leverage AACG to reduce the level of effort to provision, monitor, and remediate access risk exposures across IT, Internal and External Audit
– Controls Management – Leverage CCG to reduce the level of effort to manage and test Oracle configuration change controls across IT, HPHC Business, Internal and External Audit
– R12 Upgrade – Leverage AACG and CCG to facilitate R12 upgrade activities such as instance comparison and new responsibility design during the R12 upgrade and subsequent periods

HPHC ROI (continued)
Risk Reduction
– Reduce risk of Fraud, Waste and Abuse by leveraging continuous auditing of access and configuration change control
  - Reduce access risk exposure by defining and reviewing SOD and Restricted Access controls at the user and function level
  - Reduce risk of inappropriate changes to Oracle configuration through an enhanced ability to test configuration change controls by producing a system record of changes and audit trail evidence
– Pushes controls testing responsibility and compliance ownership to business area owners. Frees internal audit hours to pursue other IA initiatives versus access and configuration controls testing
– Preventive User Access Administration (automated SOD Policies via AIM)
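The following Python is an added example, not Oracle's AACG or AIM code: with constructed responsibility, policy and user data, it evaluates SOD and restricted-access policies at the user and function level for a periodic access review, and runs the same policies as a provisioning-time check of the kind the slide attributes to the AIM integration (a request is allowed only if it adds no new violation).

```python
"""Added example (not Oracle's AACG or AIM code): a minimal model of the
access controls named on the slide. All data below are constructed samples."""

# Responsibility -> set of EBS functions it grants (constructed sample data).
RESPONSIBILITIES = {
    "AP_CLERK": {"AP_SUPPLIER_ENTRY", "AP_INVOICE_ENTRY"},
    "AP_MANAGER": {"AP_INVOICE_APPROVE", "AP_PAYMENT_RUN"},
    "GL_USER": {"GL_JOURNAL_ENTRY"},
    "SYSADMIN": {"SYS_USER_DEFINE", "SYS_RESP_ASSIGN"},
}

# SOD policies: two functions a single user must not hold together.
SOD_POLICIES = {
    "SOD-01": ("AP_SUPPLIER_ENTRY", "AP_PAYMENT_RUN"),     # create a supplier and pay it
    "SOD-02": ("AP_INVOICE_ENTRY", "AP_INVOICE_APPROVE"),  # enter and approve an invoice
}

# Restricted-access policies: a sensitive function limited to named users.
RESTRICTED_ACCESS = {"RA-01": ("SYS_USER_DEFINE", {"sec_admin"})}

# Current user -> responsibility assignments (constructed sample population).
ASSIGNMENTS = {
    "alice": {"AP_CLERK", "AP_MANAGER"},
    "bob": {"SYSADMIN"},
    "sec_admin": {"SYSADMIN"},
    "carol": {"AP_CLERK"},
}

def functions_for(resps):
    """Flatten a user's responsibilities to the functions they grant."""
    return set().union(*(RESPONSIBILITIES[r] for r in resps))

def evaluate(user, resps):
    """Detective check: sorted ids of every policy this user violates."""
    funcs = functions_for(resps)
    hits = [pid for pid, (a, b) in SOD_POLICIES.items() if a in funcs and b in funcs]
    hits += [pid for pid, (f, allowed) in RESTRICTED_ACCESS.items()
             if f in funcs and user not in allowed]
    return sorted(hits)

def review_population(assignments=ASSIGNMENTS):
    """Periodic access review: only users with at least one violation."""
    return {u: v for u, r in assignments.items() if (v := evaluate(u, r))}

def preventive_check(user, current, requested):
    """Provisioning-time check: (allowed, new violations) if `requested` were added."""
    before = set(evaluate(user, current))
    new = [p for p in evaluate(user, current | {requested}) if p not in before]
    return (not new, new)
```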
AIM to AACG Interface

Proposed Agenda
1. GRC Product Update
2. Case Study: Harvard Pilgrim HealthCare
3. Case Study: Skechers
4. KPMG Best Practice Update
5. Wrap-up

Update Documentation: Import Spreadsheets; Update Process, Control & Risks; Test Plans, Review, Approvals
Automate Assessments: Select Controls based on Risk; Conduct Surveys; Design, Operating & Audit
Resolve Issues: Set Priority and Due Dates; Remediation Plans; Notifications
Manage Incidents: Assign Owners, Attach Evidence
Remembers decisions for next control run (self-learning)
Graphical Authoring; User Defined Controls
Eliminate False Positives; Uncover Data Patterns
Detect Suspicious Transactions; Pre-built Library of Controls
1350 Data Elements; P2P & Expense Controls

Case Studies and Speakers at OpenWorld 2015
Source-to-Settle

Follow Us & join the conversation.
Oracle GRC Advanced Controls Group
OracleAdvControls @OracleAdvCntrls

Risk Management Cloud Resources
cloud.oracle.com
Release 10 Readiness
Documentation
Customer Connect

Keep Learning with Oracle University
education.oracle.com
Classroom Training
Learning Subscription
Live Virtual Class
Training On Demand
Cloud
Technology
Applications
Industries

Safe Harbor Statement
The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.