Oracle GRC Application Controls: A Layered Defense (transcript, posted Dec 19, 2015)

Transcript

Page 1

Inspiring Your Next Success!® Company Confidential - Copyright 2010 Hitachi Consulting

Oracle GRC Application Controls: A Layered Defense

Atlanta Oracle Applications Users Group Meeting – January 29, 2010

How the Oracle GRC Suite Can Reduce Business Costs and Improve IT Security

Page 2

Introduction to the GRC Team

> Kevin Mims, Senior Manager at Hitachi Consulting

> Andy Pope, Manager at Hitachi Consulting

> Paul Steffen, Manager at Hitachi Consulting

> Ryan Henderson, GRC Specialist at Hitachi Consulting

Page 3

Agenda

> Introductions

> Hitachi Consulting Oracle Practice Overview

> Why GRC? Business Challenges in the Client Space

> How the Oracle GRC Solution Can Help

> Focus on Oracle GRCC Suite

» Oracle Application Access Controls Governor (AACG)

» Oracle Transaction Controls Governor (TCG)

» Oracle Preventive Controls Governor (PCG)

» Oracle Configuration Controls Governor (CCG)

> Oracle ERP Implementation Overview – Where do GRC Applications fit in?

> Methodology and Planning

> Keys to Success

> Lessons Learned

> The Hitachi Consulting Solution

> Q&A

Page 4

Hitachi Consulting Background

> Hitachi Consulting is the U.S.-based business and IT consulting division of Hitachi Ltd., and a globally recognized leader delivering value-based business strategies and technology solutions

» Revenues of approximately $450M globally

» 1200 employees in the US with offices also in Europe and Asia, 2500 employees globally

> With more than 25 years business process, vertical industry, and leading-edge technology experience, our consultants are seasoned in a multitude of disciplines and work with clients to transfer their knowledge and experience every step of the way

Industry mix (figure, recovered values):

» Industrial Products: 25%

» High Tech Manufacturing & Software Providers: 23%

» Communications, Media & Entertainment: 16%

» Food & Beverage, Consumer Goods Mfg. & Retail: 13%

» Healthcare & Biotech: 7%

» Engineering & Construction: 5%

» Other: 5%

» Financial Services: 4%

» Energy & Utilities: 2%

Page 5

Hitachi Consulting founded November 2000

> Hitachi made a strategic decision to enter the IT and business consulting services market in the United States, as the outcome of a study by McKinsey

> With the acquisition of Grant Thornton’s consulting business in November 2000, “Hitachi Consulting” was born

> The Company was re-branded to Hitachi Consulting in May 2003, as the “business and IT consulting unit of Hitachi”

> Hitachi Consulting has grown organically and through a series of strategic acquisitions

Timeline 2000–2010 (figure): Strategy Foundation; Integration & Profitability; Globalization, Growth & Value

Page 6

Deep Oracle Expertise

Hitachi Consulting ranked 6th overall in Oracle’s NA Partner Performance metrics

> Oracle is Hitachi’s #1 EA Practice (both revenue and headcount)

» 400+ Oracle Consultants (80% functional, 20% technical)

» 100+ completed or ongoing 11i implementations

» 15+ completed or ongoing R12 implementations

> Oracle Titan Award Winner

» 2006 – EBS System Integrator

» 2007 & 2008 – Integration and SOA

» 2008 – Edge Applications

> Global Certified Advantage Partner

> Certified OnDemand Partner

> Oracle Partner of the Year, 5 of last 8 years

> Ranked #3 Partner for Oracle Commercial

> Internal Apps and Tech Labs support Biz Flow Accelerators

> Member Oracle Field Advisory Board

» Flow Manufacturing

» Advanced Planning & Scheduling

» Warehouse Management

» Process Manufacturing

» Enterprise Asset Management

> Member Oracle Industry Advisory Board

» Process Manufacturing

» Industrial Manufacturing

» High Tech Manufacturing

Page 7

Hitachi Consulting’s Oracle Practice

> Global Reach with Local Focus

» Hitachi Ltd. – one of the top 15 Business and IT consultancies in the world

» Hitachi Consulting was formed from the Grant Thornton and Arthur Andersen Business Consulting Practices.

» Full service consultancy inclusive of IT infrastructure, Supply Chain, Change Management, and Enterprise Application Deployment.

> Oracle Practice

» Our national Oracle practice grew at 60% last year while our Southeast Oracle practice grew by over 170%.

» Experience working with Oracle Development by being first implementers of 11i Process Manufacturing (with Order Management, iStore and Purchasing), Flow Manufacturing and WMS.

» Member of Oracle’s Field Advisory Board for Flow Manufacturing, Advanced Planning and Scheduling, Warehouse Management, and Process Manufacturing.

» Full service Oracle 11i solution offering from audit through reimplementation.

> Tool Sets

» Significant investment in Oracle-centric implementation tools and methods including the development of our AIM Plus methodology.

» Collaborative approach – working with customers, Oracle Sales and Oracle Development.

> Track Record

» Current and completed Oracle implementations in the Southeast:

• Ames True Temper

• Angelica Textile Services

• Fidelity National Financial

• Fidelity Information Services

• Lender Processing Services

• EMS Technologies

• Equifax

• Internet Security System (ISS)

• Internap

• Tekelec

• Welding Services

• World Fuel Services

• Manheim

Page 8

Abstract

> The Oracle Governance, Risk, and Compliance (GRC) Enterprise Solution is an effective tool that business can use to improve IT security and help insure against fraud, negligence, and other corporate vulnerabilities. Companies that implement a GRC package will observe an enhancement of corporate governance, comprehensive risk mitigation, and a significant reduction in audit and compliance costs.

> GRCC serves as the foundational core of Oracle’s GRC Enterprise Solution and works with two higher level components, the GRC Manager and GRC Intelligence.

> The foundation for Oracle’s GRC Enterprise Solution is the GRC Controls Suite, an embedded, linked set of modules that can be used to safeguard sensitive corporate information. The modular components are organized around specific duties that can be operated both independently and in conjunction with one another.

Page 9

2010 Developments in the GRC Space

> 89% of risk professionals surveyed reported investments in GRC technology will increase or stay the same in 2010 *

> 62% said the current financial crisis has increased the priority of enterprise-wide risk management *

> AMR reports after a two-year period of decline, GRC spending growth returns in 2010, by expanding to nearly $30B **

> In May 2008, Standard and Poor’s announced a plan to include enterprise risk management (ERM) assessments into individual corporate credit ratings of nonfinancial companies. These plans are intended to be enacted in 2010 ***

* OpenPages 2009 Survey of over 50 strategic risk, governance and finance professionals. (marketwire.com)

** AMR November 2009 “GRC in 2010: $29.8B in Spending Sparked by Risk, Visibility, and Efficiency”

*** Standard & Poors, RatingsDirect, “Progress Report: Integrating Enterprise Risk Management Analysis Into Corporate Credit Ratings”

Page 10

Why GRC?

> What Types of Problems are we solving?

> Example 1: Clerk at NYSE-traded food sector corporation was able to change bank account info without cross-check; $10MM transferred before fraud was discovered. *

> Consequences: $10MM frozen pending litigation; public confidence shaken due to notoriety.

> Example 2: NYSE-traded energy sector corporation applied a production patch that reset vendor tolerances, and didn’t notice the change for nine months. *

> Consequences: Their internal audit team had to do extensive work to prove there were no abuses, and their external auditors performed substantial transaction examination.

* Research per Oracle. Numbers are derived from Oracle customer testimonials and 3rd party studies, like those cited in Compliance Weekly or PwC.

Page 11

Common GRC Challenges in the Client Space

> No Standardized Policies and Procedures

• No appropriate standard framework for audit and compliance activities

• Inconsistent audit plans, work paper methodologies, etc.

> No Real Time Visibility and Communication w/Data

• Transactions occurring daily within the business

• Fields or configurations that are changed by Users

> Non-Standard Information

• Multiple legacy systems with disparate uses and different architectures

• No common platform for reporting and consolidation

> Cost of Compliance Activities

• Cumbersome and manual process to audit

• Many man hours ‘chasing paper’

> No Clearly Defined Roles and Responsibilities

• Roles within the business are unclear

• Responsibility for audit and accountability for system functions are blurred

* Per Oracle.

Page 12

How GRC Simplifies Internal Controls

> Single Source: Multiple GRC activities working together

> Controls Automation: Proactive response to mitigate risk

> Embedded Controls: Provide real time monitoring and management

> Seeded Content: Out of the box policies and templates

Layered architecture (figure):

» GRC Intelligence: Dashboards, Reports, Alerts, Key Risk Indicators

» GRC Manager: Processes, Risks, Assessments, Issues, Procedures, Remediation, Policies

» GRC Applications: Application Access Controls Governor, Transaction Controls Governor, Configuration Controls Governor, Preventive Controls Governor

» Applications: EBS Infrastructure

Page 13

The GRCC Compliance Framework

> Builds a values-driven culture that improves worker productivity and resource management

> Minimizes corporate risk by controlling access to sensitive areas of business

> Simplified and flexible responses to conflicts of interest and other HR concerns

> Establishes a company’s reputation as a compliance leader and empowers it to fulfill its strategic vision

Page 14

GRCC (Platform)

> Composed of two GRC Application Controls modules:

» Application Access Controls Governor (AACG)

• Regulates access to duties assigned in Oracle E-Business Suite

» Transaction Controls Governor (TCG)

• Detects and prevents erroneous and fraudulent transactions

GRCC (Platform): AACG 8.5, TCG 8.5 (figure)

> Shared Administrative Functions:

» Connects modules to E-Business Suite

» Takes “snapshots” of transactional data

» Integrates with other GRC applications (PCG, GRCM, GRCI)

Page 15

AACG Enforcement Process

> Define: Define Access Policies, Access Points, and Entitlements (Ex. Enter supplier vs. payment)

> Detect: Use Conflict Analysis Tools to Identify Policy Violations (Ex. SOD violations and undesired user access)

> Remediate: Resolve Conflicts by Cleaning up the EBS (Ex. Removing a responsibility from a user in the EBS)

> Prevent: Preventive Enforcement through User Provisioning Tool (Ex. Synchronization with PCG Form Rules)

Page 16

Access Policies – Insuring Segregation of Duties

> Access policies identify responsibilities and duties that conflict

> Policies are composed of:

» Access points: Object that allows a user to do something (ex: roles, responsibilities, etc.)

» Entitlements: Groupings of access points

Access Points → Entitlements → Access Policy (figure)

ERP SOD Control Library:

» Oracle 11.5.1: 216 Policies

» Oracle R12: 232 Policies

* Each policy is comprised of several sub-policies and controls based on complexity; the sum total is over 3,000 per ERP

Policy attributes shown in the screenshot: Entitlements, Policies, Effective Date

Page 17

Finding Conflicts

> Evaluate security protocols

> Identify policy violations

> Use the Visualization to analyze conflict paths

> See how users, menus, and responsibilities all connect

Identify Conflicting Roles, Responsibilities, & Users (screenshot)

The visualization tool provides a graphic representation of the conflict spreadsheet

Page 18

Remediation

> Graphic representation of a firm’s operating structure

> Builds a step-by-step remediation plan to follow

> Accessible Conflict Reporting

> Heat Map tables help identify key risk indicators

> Users can remove a privilege path and find the remediation plan automatically built by AACG

> Provides a “what if analysis”, which simulates a remediation plan

Page 19

Preventive Enforcement - User Provisioning

> Automatically applies access policies to each user assigned responsibilities in the EBS

> Activating responsibilities requires a Conflict Analysis to run to confirm that no violations occur

New responsibility is automatically end-dated (screenshot)
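The access point, entitlement and access policy model of page 16, run through the Define, Detect, Remediate and Prevent steps of page 15 and the provisioning check of page 19, as an added Python example. This is not Oracle's or Hitachi Consulting's code: the data model follows the slides, but every responsibility name, function, policy id and user below is constructed for illustration.

```python
"""SOD conflict analysis modelled on the AACG Define / Detect / Remediate / Prevent
steps. Added example, not Oracle's or Hitachi Consulting's code; the data model
(access points grouped into entitlements, policies pairing two entitlements)
follows the slides, while every responsibility, function, policy id and user
below is constructed for illustration.
"""
from typing import Dict, List, Set, Tuple

# Access points: objects that let a user do something. Here each (constructed)
# EBS responsibility grants a set of functions.
RESPONSIBILITY_FUNCTIONS: Dict[str, Set[str]] = {
    "AP_SUPPLIER_MAINT": {"AP_SUPPLIER_ENTRY"},
    "AP_PAYMENTS": {"AP_PAYMENT_ENTRY", "AP_PAYMENT_APPROVE"},
    "AP_INQUIRY": {"AP_INVOICE_VIEW"},
    "GL_JOURNAL_ENTRY": {"GL_JE_ENTER"},
    "GL_JOURNAL_POST": {"GL_JE_POST"},
}

# Entitlements: named groupings of access points.
ENTITLEMENTS: Dict[str, Set[str]] = {
    "Enter Supplier": {"AP_SUPPLIER_ENTRY"},
    "Pay Supplier": {"AP_PAYMENT_ENTRY", "AP_PAYMENT_APPROVE"},
    "Enter Journal": {"GL_JE_ENTER"},
    "Post Journal": {"GL_JE_POST"},
}

# Access policies (Define step): two entitlements one user must not hold together.
POLICIES: List[Tuple[str, str, str]] = [
    ("SOD-001", "Enter Supplier", "Pay Supplier"),  # the slide's "enter supplier vs. payment"
    ("SOD-002", "Enter Journal", "Post Journal"),   # enter and post the same journal
]


def held_entitlements(responsibilities: Set[str]) -> Set[str]:
    """Expand responsibilities to functions, then to the entitlements they touch."""
    functions: Set[str] = set()
    for resp in responsibilities:
        functions |= RESPONSIBILITY_FUNCTIONS.get(resp, set())
    return {name for name, points in ENTITLEMENTS.items() if points & functions}


def detect_conflicts(users: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Detect step: map each user to the policy ids they violate (clean users are omitted)."""
    violations: Dict[str, List[str]] = {}
    for user, resps in users.items():
        held = held_entitlements(resps)
        hits = [pid for pid, left, right in POLICIES if left in held and right in held]
        if hits:
            violations[user] = hits
    return violations


def remediation_options(responsibilities: Set[str]) -> List[str]:
    """Remediate step: responsibilities whose removal alone clears every conflict for this user."""
    return sorted(
        resp for resp in responsibilities
        if not detect_conflicts({"candidate": responsibilities - {resp}})
    )


def provisioning_check(existing: Set[str], new_resp: str) -> Tuple[bool, List[str]]:
    """Prevent step: run conflict analysis before activating a responsibility.
    Returns (allowed, newly violated policy ids); a disallowed grant is what the
    slide describes as the new responsibility being end-dated automatically."""
    before = detect_conflicts({"u": existing}).get("u", [])
    after = detect_conflicts({"u": existing | {new_resp}}).get("u", [])
    new_hits = [pid for pid in after if pid not in before]
    return (not new_hits, new_hits)


# Constructed sample users and their EBS responsibilities.
SAMPLE_USERS: Dict[str, Set[str]] = {
    "jdoe": {"AP_SUPPLIER_MAINT", "AP_PAYMENTS"},
    "asmith": {"AP_INQUIRY", "GL_JOURNAL_ENTRY"},
    "bwong": {"GL_JOURNAL_ENTRY", "GL_JOURNAL_POST", "AP_INQUIRY"},
}

if __name__ == "__main__":
    for user, hits in detect_conflicts(SAMPLE_USERS).items():
        print(user, "violates", hits, "- fix options:", remediation_options(SAMPLE_USERS[user]))
    print("grant GL_JOURNAL_POST to asmith:", provisioning_check(SAMPLE_USERS["asmith"], "GL_JOURNAL_POST"))
```

Conflicts are computed at the function level rather than by responsibility name, which is what makes the analysis survive the intra- and inter-responsibility cases the page 34 conflict reports distinguish: a single responsibility that bundles both sides of a policy is caught exactly like two separate ones.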

Page 20

Transaction Controls Governor

> “Models” classify transactional risk

» Key on specific tables that need to be monitored

» Filters, patterns, and functions specify parameters

» Drag and drop business objects to create models

Business Objects → Filters & Patterns → Models (figure): Identify filter types and set thresholds

Page 21

Model Workbench

> Manage multiple models from the Model Workbench

> Schedule synchronization jobs to insure accuracy

> Reports identify Who, What, When and Where a violation occurred

Page 22

Transaction Real World Examples

> Test against Material Thresholds

» JE > $ threshold

» Employee Checks (individual & sum) > $ threshold

> Search for Anomalies

» PO terms differ from vendor

» Sales orders > acceptable $ range

> Sampling of Transactions

» 4th quarter invoices

» Days sales outstanding balances

> Detect Fraudulent Behavior

» PO changes after approval

» Duplicate suppliers with same address

> Embed Preventive / Automated Compensating Controls

» Alert on customer transactions over $ threshold

» Prevent journals from being entered and posted by same individual

* Per Oracle.
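Four of the models listed above (JE over a material threshold, journal entered and posted by the same individual, duplicate suppliers with the same address, PO changed after approval), expressed as business objects, parameters and suspects in the way page 20 describes TCG models, as an added Python example. It is not Oracle's code and the three tables it scans are constructed sample rows, not EBS data.

```python
"""TCG-style transaction models: business objects (tables), filters/patterns
(parameters) and the suspects they generate. Added example, not Oracle's code;
the three tables below are constructed, and the four models implement items from
the slide (JE over threshold, same user enters and posts, duplicate suppliers
with the same address, PO changed after approval).
"""
import re
from collections import defaultdict
from typing import Dict, List

# Business objects: constructed rows standing in for EBS tables.
JOURNALS: List[Dict] = [
    {"je_id": 101, "amount": 4_000.0, "entered_by": "asmith", "posted_by": "bwong"},
    {"je_id": 102, "amount": 75_000.0, "entered_by": "bwong", "posted_by": "bwong"},
    {"je_id": 103, "amount": 12_500.0, "entered_by": "jdoe", "posted_by": "asmith"},
]
SUPPLIERS: List[Dict] = [
    {"vendor_id": 1, "name": "Acme Supplies", "address": "12 Main St, Atlanta GA"},
    {"vendor_id": 2, "name": "ACME Supply Co", "address": "12 MAIN ST., ATLANTA, GA"},
    {"vendor_id": 3, "name": "Beta Metals", "address": "9 Foundry Rd, Macon GA"},
]
PO_CHANGES: List[Dict] = [  # PO header change history with ISO-8601 timestamps
    {"po": "PO-500", "field": "amount", "old": 9_000, "new": 9_500,
     "changed_at": "2010-01-10T09:00", "approved_at": "2010-01-05T12:00"},
    {"po": "PO-501", "field": "amount", "old": 2_000, "new": 2_100,
     "changed_at": "2010-01-03T09:00", "approved_at": "2010-01-05T12:00"},
]


def normalize_address(address: str) -> str:
    """Pattern: fold case, punctuation and spacing so near-duplicate addresses compare equal."""
    return re.sub(r"[^a-z0-9]", "", address.lower())


def model_je_over_threshold(journals: List[Dict], threshold: float) -> List[int]:
    """Filter: journal amount above a material threshold (the parameter)."""
    return [j["je_id"] for j in journals if j["amount"] > threshold]


def model_same_enter_and_post(journals: List[Dict]) -> List[int]:
    """Filter: journal entered and posted by the same individual."""
    return [j["je_id"] for j in journals if j["entered_by"] == j["posted_by"]]


def model_duplicate_supplier_address(suppliers: List[Dict]) -> List[List[int]]:
    """Pattern: groups of vendor ids that share one normalized address."""
    groups: Dict[str, List[int]] = defaultdict(list)
    for s in suppliers:
        groups[normalize_address(s["address"])].append(s["vendor_id"])
    return [sorted(ids) for ids in groups.values() if len(ids) > 1]


def model_po_change_after_approval(changes: List[Dict]) -> List[str]:
    """Filter: a PO header changed after its approval (ISO strings sort chronologically)."""
    return [c["po"] for c in changes if c["changed_at"] > c["approved_at"]]


def run_models(je_threshold: float = 50_000.0) -> Dict[str, list]:
    """Run every model and return the suspects per model, as a workbench report would."""
    return {
        "JE > $ threshold": model_je_over_threshold(JOURNALS, je_threshold),
        "Journal entered and posted by same individual": model_same_enter_and_post(JOURNALS),
        "Duplicate suppliers with same address": model_duplicate_supplier_address(SUPPLIERS),
        "PO changes after approval": model_po_change_after_approval(PO_CHANGES),
    }


if __name__ == "__main__":
    for model, suspects in run_models().items():
        print(f"{model}: {suspects}")
```

The duplicate-supplier model is the one worth copying: a plain equality on the address column would miss vendors 1 and 2, so the pattern normalizes before grouping. The threshold is a parameter of the model rather than a constant so the same model can be scheduled with different materiality levels per ledger.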

Page 23

Preventive Controls Governor

> Set of applications that run within Oracle EBS as a component of the GRC Application Suite

> Four sets of rules:

» Form Rules: Modifies security, navigation, field and data properties

» Flow Rules: Defines & implements business processes

» Audit Rules: Tracks changes to the values of fields in database tables

» Change Control: Regulates changes to the values of fields in EBS forms

Page 24

Form Rule Capabilities

Form rule capabilities (figure): Modify Security Settings, Create Messages, Edit Field Properties, Hidden Field, Field Required, Edit Background, Edit Prompt, Hide Field Data, Edit Messages

Page 25

Audit Rules

> Document changes to database field values

» Old vs. New Values

» Transaction Type (Insert, Update or Delete)

» User Responsible for Change

» Timestamp

Page 26

Change Control

> Ensure Data Integrity

> Regulate changes to fields in EBS forms

> Set approval and reason code requirements for enforced management

Enable visual attributes to identify controlled fields (screenshot)

Build reason codes to clarify why a change occurred (screenshot)
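The audit rule of page 25 (old and new value, transaction type, responsible user, timestamp) combined with the change control of page 26 (reason code and approval requirements on controlled fields), as an added Python example that is not Oracle's or Hitachi Consulting's code. The table and column names, the reason codes and the sample rows are constructed; the scenario it replays is the bank-account change without a cross-check from page 10.

```python
"""Audit rules and change control in the style of PCG: every field change is
logged with old and new values, transaction type, responsible user and
timestamp, and controlled fields refuse changes that lack a valid reason code
or the required second-person approval. Added example, not Oracle's code;
table names, column names, reason codes and sample rows are constructed.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Any, Callable, Dict, List, Optional


@dataclass
class AuditEntry:
    table: str
    record_id: str
    column: str
    old_value: Any
    new_value: Any
    txn_type: str   # INSERT, UPDATE or DELETE
    user: str
    timestamp: str


class ChangeControlError(Exception):
    """Raised when a change to a controlled field does not satisfy its rule."""


# Change control rules (constructed): valid reason codes per field and whether a
# second individual must approve the change.
CONTROLLED_FIELDS: Dict[tuple, Dict] = {
    ("AP_SUPPLIER_SITES", "BANK_ACCOUNT_NUM"): {
        "reason_codes": {"VENDOR_REQUEST", "ERROR_CORRECTION"}, "approval_required": True},
    ("PO_VENDORS", "TOLERANCE_PCT"): {
        "reason_codes": {"POLICY_CHANGE"}, "approval_required": False},
}


class AuditedTable:
    def __init__(self, name: str, rows: List[Dict], clock: Optional[Callable[[], str]] = None):
        self.name = name
        self.rows: Dict[str, Dict] = {r["id"]: dict(r) for r in rows}
        self.audit_log: List[AuditEntry] = []
        # Injectable clock so tests get deterministic timestamps.
        self.clock = clock or (lambda: datetime.now(timezone.utc).isoformat())

    def _log(self, record_id, column, old, new, txn_type, user) -> AuditEntry:
        entry = AuditEntry(self.name, record_id, column, old, new, txn_type, user, self.clock())
        self.audit_log.append(entry)
        return entry

    def update(self, record_id: str, column: str, new_value: Any, user: str,
               reason_code: Optional[str] = None, approver: Optional[str] = None) -> AuditEntry:
        rule = CONTROLLED_FIELDS.get((self.name, column))
        if rule:  # change control is enforced before the write, audit after it
            if reason_code not in rule["reason_codes"]:
                raise ChangeControlError(f"{self.name}.{column}: valid reason code required")
            if rule["approval_required"] and (approver is None or approver == user):
                raise ChangeControlError(f"{self.name}.{column}: approval by a second individual required")
        row = self.rows[record_id]
        old = row.get(column)
        row[column] = new_value
        return self._log(record_id, column, old, new_value, "UPDATE", user)

    def insert(self, row: Dict, user: str) -> List[AuditEntry]:
        self.rows[row["id"]] = dict(row)
        return [self._log(row["id"], col, None, val, "INSERT", user) for col, val in row.items() if col != "id"]

    def delete(self, record_id: str, user: str) -> List[AuditEntry]:
        row = self.rows.pop(record_id)
        return [self._log(record_id, col, val, None, "DELETE", user) for col, val in row.items() if col != "id"]

    def report(self) -> List[Dict]:
        """Who / what / when rows as plain dicts, the way an audit report lists them."""
        return [asdict(e) for e in self.audit_log]


def demo() -> Dict[str, Any]:
    """Replay the page 10 scenario: a bank account change without a cross-check is refused."""
    ticks = iter(f"2010-01-29T10:00:{i:02d}" for i in range(10))
    sites = AuditedTable("AP_SUPPLIER_SITES",
                         [{"id": "SITE-1", "BANK_ACCOUNT_NUM": "111222333"}], clock=lambda: next(ticks))
    outcome: Dict[str, Any] = {}
    try:
        sites.update("SITE-1", "BANK_ACCOUNT_NUM", "999888777", user="clerk1")
    except ChangeControlError as exc:
        outcome["unreasoned_change"] = str(exc)
    try:
        sites.update("SITE-1", "BANK_ACCOUNT_NUM", "999888777", user="clerk1",
                     reason_code="VENDOR_REQUEST", approver="clerk1")
    except ChangeControlError as exc:
        outcome["self_approved_change"] = str(exc)
    entry = sites.update("SITE-1", "BANK_ACCOUNT_NUM", "999888777", user="clerk1",
                         reason_code="VENDOR_REQUEST", approver="ap_manager")
    outcome["logged"] = asdict(entry)
    outcome["current_value"] = sites.rows["SITE-1"]["BANK_ACCOUNT_NUM"]
    return outcome


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The approver check rejects `approver == user` on purpose: a reason code alone documents a change, but only a second individual turns it into the cross-check whose absence page 10 blames for the $10MM transfer. Refused attempts are not written to the audit log here because nothing changed; a production rule set would normally log them separately as alerts.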

Page 27

Configuration Controls Governor (CCG)

> Monitor setup data in Oracle EBS

» Identify differences between ERP instances.

» Maintain Data Consistency

» Standardize and resolve any problems before a rollout

Reports available in PDF, HTML, & Excel formats

Compare across multiple instances and different points in time

Page 28

CCG Content Libraries

> CCG comes with seeded content libraries for EBS R12

> Monitors over 550+ setup configurations

> Organized around three Oracle EBS Applications:

» Base Engine: Common Modules, Alert, Application Object Library, System Administration

» Financials: Payables, Receivables, General Ledger, Subledger Accounting, Legal Entity Configurator, E-Business Tax

» Procurement: iProcurement, Purchasing

Page 29

Change Tracking Reports

> Change Tracking Reports are presented in an easily accessible format

> Users and administrators can monitor before-and-after values, responsible user, and time stamps

Who? What? Where? When? (figure)
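The snapshot, cross-instance comparison and change tracking functions described on page 27 and reported on page 29, as an added Python example that is not Oracle's code. Instance names, setup keys, values and user names are constructed; the PROD change it tracks mirrors the page 10 case of a patch silently resetting vendor tolerances.

```python
"""Configuration snapshots, cross-instance comparison and change tracking in the
style of CCG. Added example, not Oracle's code; the instance names, setup keys,
values and users below are constructed. The PROD change mirrors the page 10
scenario of a patch silently altering vendor tolerances.
"""
from typing import Dict, List, Optional, Tuple

SetupKey = Tuple[str, str]               # (setup area, parameter)
Setup = Dict[SetupKey, Tuple[str, str]]  # key -> (value, last updated by)

# Constructed snapshots: two of PROD at different points in time, one of TEST.
SNAPSHOTS: List[Dict] = [
    {"instance": "PROD", "taken_at": "2010-01-01T02:00", "setup": {
        ("AP", "INVOICE_TOLERANCE_PCT"): ("5", "SYSADMIN"),
        ("AP", "ALLOW_DUPLICATE_INVOICE"): ("N", "SYSADMIN"),
        ("GL", "JOURNAL_APPROVAL_REQUIRED"): ("Y", "SYSADMIN"),
    }},
    {"instance": "PROD", "taken_at": "2010-01-15T02:00", "setup": {
        ("AP", "INVOICE_TOLERANCE_PCT"): ("15", "PATCH_USER"),   # silently changed by a patch
        ("AP", "ALLOW_DUPLICATE_INVOICE"): ("N", "SYSADMIN"),
        ("GL", "JOURNAL_APPROVAL_REQUIRED"): ("Y", "SYSADMIN"),
    }},
    {"instance": "TEST", "taken_at": "2010-01-15T02:00", "setup": {
        ("AP", "INVOICE_TOLERANCE_PCT"): ("5", "SYSADMIN"),
        ("AP", "ALLOW_DUPLICATE_INVOICE"): ("Y", "CONSULT1"),
        ("GL", "JOURNAL_APPROVAL_REQUIRED"): ("Y", "SYSADMIN"),
    }},
]


def find_snapshot(instance: str, taken_at: str, snapshots: List[Dict] = SNAPSHOTS) -> Optional[Dict]:
    """Locate one snapshot by instance and capture time."""
    for s in snapshots:
        if s["instance"] == instance and s["taken_at"] == taken_at:
            return s
    return None


def compare(left: Dict, right: Dict) -> List[Dict]:
    """Comparison report: every setup key whose value differs, or exists on one side only.
    Works across instances (PROD vs TEST) and across time (PROD now vs PROD before)."""
    keys = sorted(set(left["setup"]) | set(right["setup"]))
    diffs = []
    for area, param in keys:
        lv = left["setup"].get((area, param), (None, None))[0]
        rv = right["setup"].get((area, param), (None, None))[0]
        if lv != rv:
            diffs.append({"area": area, "parameter": param, "left": lv, "right": rv})
    return diffs


def change_tracking(instance: str, snapshots: List[Dict] = SNAPSHOTS) -> List[Dict]:
    """Who / what / where / when report built from consecutive snapshots of one instance."""
    history = sorted((s for s in snapshots if s["instance"] == instance), key=lambda s: s["taken_at"])
    changes = []
    for before, after in zip(history, history[1:]):
        for area, param in sorted(set(before["setup"]) | set(after["setup"])):
            old = before["setup"].get((area, param), (None, None))
            new = after["setup"].get((area, param), (None, None))
            if old[0] != new[0]:
                changes.append({"who": new[1], "what": param, "where": f"{instance}/{area}",
                                "when": after["taken_at"], "old": old[0], "new": new[0]})
    return changes


if __name__ == "__main__":
    prod = find_snapshot("PROD", "2010-01-15T02:00")
    test = find_snapshot("TEST", "2010-01-15T02:00")
    print("PROD vs TEST:", compare(prod, test))
    print("PROD changes:", change_tracking("PROD"))
```

The "who" in the report comes from the last-updated-by attribute captured with each value, so the second PROD snapshot attributes the tolerance change to the patch account rather than to whoever ran the snapshot job; the nine months of page 10 shrink to the interval between two scheduled snapshots.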

Page 30

GRC Application Controls

> Who’s accessing your apps?

» Application Access Controls Governor

> What have they changed?

» Preventive Controls Governor

» Configuration Controls Governor

> Am I financially safe?

» Transaction Controls Governor

* Per Oracle.

Page 31

Existing Hitachi Consulting GRC Client

> $9M Oracle R12 Financials and Process and Manufacturing implementation spanning 18 countries

> 60+ Legal Entities

> 40+ Consultants

> Modules Include:

» Financials: General Ledger, SLAM, Accounts Payables, Accounts Receivables, eBTax, Project Accounting, Cash Management, Treasury, Fixed Assets, Advanced Collections

» Manufacturing: Inventory, OPM Costing, Bill of Material, WIP, Quality

» Procurement: Purchasing, Purchasing Contracts, AME

» Order Management: Order Management, Advanced Pricing, Shipping, Sales Contracts

» Supply Chain Mgmt: ASCP

» Governance, Risk and Compliance: AACG, TCG, PCG, CCG

Page 32

Hitachi Consulting Client - GRC Pain Points

GRC Pain Points / Hitachi GRC Solution

1. Lack of Compliance Framework

• ‘Tone at the Top’ epitomized a ‘lack of focus’ toward compliance

• No formal consistent ‘across the board’ set of policies

• No structured Audit Committee

2. Poor Tech Integration

• Disparate Legacy Systems

• Inadequate monitoring and testing of technology systems

• No controls automation

3. Weak Internal Controls

• Lack of formal roles and responsibilities

• No Segregation of Duties

• Lax IT security

4. Stove Piping

• Information Silos across different Legal Entities/Operating Units

• No global remediation procedure

• Lack of compliance reporting

5. Inability to Audit Daily Transactions

• No continuous controls monitoring

• No Audit Trail

• No view of configuration changes

Page 33

GRC Methodology and Planning

Page 34

GRC Methodology and Planning

PCG

> Rule types:

» Form Rules i.e. limiting access to a field

» Flow Rules i.e. approval rule informational message on trigger

» Audit Rules i.e. track changes

» Change Control Rules i.e. reason code as to why a field is changed

> Implementation Activities:

» Review Future State Business Processes

» Review each Oracle module with Client SME and Audit Manager for key fields

» Set subscribers

» Control spreadsheet with seeded content (1500 Rules)

CCG

> Activities:

» Snapshots i.e. capturing specific setup/configuration info

» Comparisons i.e. comparing snapshots between ledgers, operating units, instances

» Change Tracking i.e. monitor any change to configuration

> Implementation Activities:

» Review all EBS configurations

» Decide what key configuration setups to snapshot

» EBS seeded content libraries

» Define comparisons

» Track changes

» Schedule all CCG activities (daily, weekly, monthly)

AACG

> Activities:

» Segregation of Duties i.e. Policy Load

» User Provisioning i.e. Detection and remediation of SODs

» Conflict Reports i.e. Report on Intra and Inter Responsibility conflicts

> Implementation Activities:

» User Provisioning Process Review

» Oracle Seeded Content Load (Out-of-Box Policies)

» SOD Detection and Remediation

» Run User Conflict Reports and Heat Maps

» Finalize ERP Responsibilities

TCG

> Components:

» Business Objects i.e. Tables and fields within EBS Suite

» Parameters i.e. Filters, Patterns and Functions

» Models i.e. string of business objects that generate suspects

> Implementation Activities:

» Review Future State Business Processes

» Define Models Using Business Objects

» Identify Potential Suspects

» Reporting reviewed by Audit Team

Page 35

A Layered Defense

> Social Security Number field

» AACG – Enforce Segregation of Duties to limit access to HR Responsibility

» TCG – Automated Suspect Report identifying all HR violations

» CCG – Track Changes to HR Configuration (Who, What, Where, When)

» PCG – Hide SS # field and Alert Compliance Department to any changes

Page 36

Lessons Learned

> Ensure Audit Director/Manager is empowered by the business to make the important decisions

> A deep understanding of Oracle eBusiness Suite is vital to guarantee GRCC success

> Promote a cooperative relationship between the Client Teams to encourage the free flow of ideas

> Plan for dedicated DBA Time for GRC Installations

> Accurate Test Data and Accurate Responsibilities are required for AACG, TCG, and PCG to be successful test events

> SQL skills are required for the comprehensive implementation of PCG

> Operating Units, Ledgers, Legal Entities, and Responsibilities have to be in a fit state to make GRC design effective and accurate

Page 37

Lessons Learned - GRC Architecture

Page 38

Questions?

Andy Pope, Manager, Hitachi Consulting, www.hitachiconsulting.com, Mobile: [email protected]

Ryan Henderson, GRC Specialist, Hitachi Consulting, www.hitachiconsulting.com, Mobile: [email protected]

Kevin Mims, Senior Manager, Hitachi Consulting, www.hitachiconsulting.com, Mobile: [email protected]

Paul Steffen, Manager, Hitachi Consulting, www.hitachiconsulting.com, Mobile: 678.665.3389, Office: [email protected]