OIC SOD Assessments - Oracle Independent Consultants (OIC) LLC
Download
Report
Transcript OIC SOD Assessments - Oracle Independent Consultants (OIC) LLC
4/13/2015
1
Business Considerations
Example Approach to an SOD Program
Client Preparation
Sample SOD Controls
Sample Output from SOD Assessment
Cost Estimate for SOD Assessment
4/13/2015
2
Business Considerations
4/13/2015
3
Segregation of Duties (SOD) is the separation of incompatible duties that
could allow one person to commit and conceal fraud that may result in
financial loss or misstatement to the company. Segregation of duties may be
within an application or within the infrastructure.
• Represents a key internal control that ensures no single person
has too much influence over any business transaction or
operation
• Serves to prevent unintentional errors or fraud and ensure timely
detection of errors that may occur
• Provides a method of improving organizational, business process
and IT control alignment
Segregation of duties has always been an important
component of a properly functioning internal control
environment
4/13/2015
4
Control deficiencies, typically, stemmed from changes or actions taken outside of the
formal process
Limited mechanisms to consistently enforce policies at an enterprise level
Lack of strong executive-level support and insufficient alignment between IT and the
business
Lack of user education & awareness regarding SOD
Management’s preference to rely on mitigating controls in place of implementing proper
SOD
Inadequate policies and procedures for effectively changing or removing access when
users change jobs or leave the company
Limited automated reporting capabilities for IT controls
No monitoring tools/capability to periodically review “access rights”
Typically, leads to access creep, fraud risk, and failed user
management processes
4/13/2015
5
Drivers causing companies to consider use of Segregation of Duties (SOD) in
the management of their business
Regulatory Compliance - Sarbanes-Oxley and other regulatory issues are
forcing companies to increase their awareness and accountability of their
employees actions within the company
Security and Data Management – Recent privacy laws and prosecution of
security violations is bringing a new awareness to monitoring and controlling
security and access to data within the organization
Access Management – Provisioning and management of users access to
applications have not been enforced, resulting in access creep
Rapid Implementation of ERPs – Application Security was often overlooked
or implemented incompletely (Segregation of Duties was not addressed)
4/13/2015
6
Sarbanes-Oxley is now providing a compelling case for the
implementation and maintenance of appropriate segregation of duties
at the organizational, manual process and system Level.
Not only should business functions be separated departmentally, and
at an even more granular level within departments, companies now
find that they need to provide system enforcement of traditional
segregation of duties models
External auditors are insisting on evidence that proper segregation of
duties exists
4/13/2015
7
Recent privacy laws and prosecution of security violations is bringing a
new awareness to monitoring and controlling security and access to
data within the organization.
Lack of application specific Segregation of Duties are resulting in
Access Creep, Fraud Risk, Failed User Management Processes
Disclosure of sensitive information can have a negative impact on
shareholder value
Increased use of web services (online auctions and banking) has
brought increased risk of identity theft and fraud
Privacy laws and disclosure of violations is increasing the need for
proactive segregation and control over access to data
4/13/2015
8
Recent privacy laws and prosecution of security violations is bringing a
new awareness to monitoring and controlling security and access to
data within the organization.
Lack of application specific Segregation of Duties are resulting in
Access Creep, Fraud Risk, Failed User Management Processes
Disclosure of sensitive information can have a negative impact on
shareholder value
Increased use of web services (online auctions and banking) has
brought increased risk of identity theft and fraud
Privacy laws and disclosure of violations is increasing the need for
proactive segregation and control over access to data
4/13/2015
9
Implementation of identity management and ERP tools provides an
avenue to leverage technologies to enforce and regulate enterprise
level segregation of duties.
Established authoritative sources of information through ERP systems
(HRMS)
Leverage user lifecycle through role based access control and system
integration
Automated provisioning to lower operational costs
Greater visibility by management to monitor user activity
Centralization of user ID management for multiple applications
through the single sign-on concept
4/13/2015
10
Client Preparation
4/13/2015
11
Take a copy of Production Instance to create Test Instance
Provide OIC with System Administrator Access to Test Instance
Identify Business Owner (BPO) for each Business Process Flow who can
make decisions regarding access privileges to grant to users
Identify System Administrator who will modify Oracle Menus and/or
Responsibilities to Remediate SOD incidents
Provide Copy of Change Controls Policies so that we can revise the
Production Instance in accordance with Client Policy
Review SOD Rules with External Auditors
Finalize SOD Design with BPO
4/13/2015
12
Example Approach to Segregation of
Duties Assessment
4/13/2015
13
Establishing a process for defining SOD rules and policies, aligning organization
and process, establishing enforcement, mitigating controls and monitoring are
essential components of an SOD solution that helps meet business objectives.
Comply with the regulatory requirements, example Sarbanes- Oxley legislation
Improve company-wide internal control structure
Mitigate the risk of intentional fraud or unintentional error to the organization
Align functions organizationally with common best practices
Gain a level of comfort that the financial statements are free from misstatement
Improve financial data, thereby improving management reporting
Satisfy increasing customer and investor demands for sound internal controls
4/13/2015
14
Component
Tasks
Comments
Rules and Policies
•
•
•
•
•
•
Confirm SOD requirements (including regulatory compliance
requirements)
Develop segregation of duties rules
Develop restricted access rules
Eliminate false positives from rule set
Define manual segregation of duties components
We have several hundred SOD Rules developed
by Oracle and the Big 4 Accounting Firms that
we use to evaluate SOD Controls.
Organizational and
Process Alignment
•
•
•
•
•
These are best practices that every
organization should implement
•
•
Perform risk assessments to identify requirements and strategies
Identify key stakeholders and establish a communication plan
Understand and adapt standards (including policies and procedures)
Build and maintain support within initiative and within organization
Align processes to effect the proper balance between control value
and operational efficiency (cost vs. benefit analysis)
Identify appropriate segregation points within relevant processes
Obtain buy-in to SOD solution from process owners
•
•
•
•
•
•
•
Assist in selecting the appropriate technology solution
Pilot the implementation to validate the solution
Implement the solution; deliver in phases (highest value first)
Test performance and functionality
Assist in selecting the appropriate technology solution
Pilot the implementation to validate the solution
Implement the solution;
We recommend that you use Oracle
Application Access Controls Governor (AACG)
to facilitate enforcement of SOD Controls. You
can establish preventive enforcement by
integrating Oracle AACG with Oracle
Preventive Controls Governor (PCG)
Establish Enforcement
4/13/2015
15
Component
Tasks
Comments
Remediating Controls
•
•
Revise security model to eliminate SOD control violations
Eliminate false positives from rule set
We review the GRC reports with your Business
Process Owners (BPO) and System
Administrators to help you revise your Oracle
Application Security Model to resolve SOD
Control violations.
Mitigating Controls
•
Develop compensating controls to address functions, which cannot be
adequately segregated.
We help you define, document and implement
(if necessary) compensating controls for
functions that cannot be adequately
segregated.
Monitoring and
Governance
•
•
Adhere to business policies and procedures after initial deployment
Perform periodic SOD assessments to validate adherence to policies
and rules
Adapt solution as the business changes (e.g. M&A, reorganizations,
upgrades, implement new Oracle applications, etc.)
This process would be very difficult to complete
without installing and deploying the Oracle
GRC Controls, which includes Oracle
Application Access Controls (AACG) for
Restricted Access and SOD, and Oracle
Transaction Controls.
•
The OIC offers periodic SOD Assessment
Services.
4/13/2015
16
The ability to fine-tune user access—and to track that access—is key to complying with
regulatory requirements and ensuring corporate security. Oracle Application Access
Controls Governor provides real-time monitoring and proactive enforcement of crucial
access policies, such as those that support segregation of duties (SOD). The system
anticipates potential SOD conflicts before they arise, and even prevents any assignment
of roles or responsibilities within an application that would compromise proper
segregation of duties. Application Access Controls Governor also extends key access
controls to "super-users" and temporary or contract workers.
Real-time monitoring and enforcement of SOD controls, including prevention
of access provisioning that would jeopardize SOD
Graphical simulation to look into access points, detect SOD conflicts, and
evaluate treatment options
Comprehensive library of best practice SOD controls
4/13/2015
17
4/13/2015
18
Task #
In
Scope
1
Yes
Extract Data from Client EBS Test or Production
instance
Client
We recommend that you take a copy of your
Production to perform this step. We provide you
with a script that extracts the information that we
need to complete an analysis of your SOD Controls
2
Yes
Create a Database for Client Data
OIC
We create a Database on the server that hosts our
instance of Oracle Application Access Controls
Governor (AACG). We will use this Database to
import the data that we extract from your EBS
Instance.
3
Yes
Import Data into Database
4
Yes
Define Client’s Database as a Datasource in AACG
4/13/2015
Task
Responsibility
Comments
Import Data that we extracted from your EBS
instance into the Database that we created to store
that data.
OIC
Our DBA will create a Datasource in Oracle AACG so
we can generate Access Synchronization to
synchronize the Oracle GRC Schema data in AACG
with the same data that we imported into the
Database that we created for you.
19
Task #
In
Scope
5
Yes
Create SOD Controls for Client
OIC
We use the Oracle predefined SOD Models to create
the SOD Controls that we use to assess your SOD
Controls. We provide you with a report that lists
these DOD Controls and we recommend that you
review them with your internal
and external auditors to finalize the list of controls.
6
Yes
Define Global Access Conditions
Client
We define Global Access Conditions for your
organization to eliminate false positives including
Oracle Responsibilities that have been end-dated,
Oracle Responsibilities assigned to Users that have
been end-dated and other instances where a true
SOD incident does not exist.
7
Yes
Create a Database for Client Data
OIC
We create a Database on the server that hosts our
instance of Oracle Application Access Controls
Governor (AACG). We will use this Database to
import the data that we extract from your EBS
Instance.
8
Yes
Generate Access Synchronization
4/13/2015
Task
Responsibility
Comments
We generate Access Synchronization for the
Datasource we created for your organization. This
process updates the GRC Schema tables in Oracle
AACG with the most current data contained in the
Database that we defined to import the data that we
extracted from your EBS Instance
20
Task #
In
Scope
9
Yes
General SOD Control Analysis
OIC
We generate SOD Control Analysis to record the
SOD Incidents (i.e. Conflicts) associated with your
EBS instance.
10
Yes
Generate and Review Incident Reports
OIC
Upon completion of the SOD Control Analysis, we
generate several SOD Incident Reports for Intra-Role
and Inter-Role SOD Conflicts. We review these
reports with you and make high level recommends to
remediate or mitigate these SOD Incidents.
11
Remediate SOD Incidents
Client
We work with your Business Process Owners (BPO)
and System Administrator to Remediate (i.e.
Resolve) any SOD incidents that you have not
Mitigated. This includes identifying the
responsibilities, menus or functions that we need to
remove from a user. Similarly, we work with your
System Administrator to make the necessary
revisions in your EBS instance.
12
Mitigate SOD Incidents
Client
At times, organizations simply do not have sufficient
resources to strictly enforcement one or more SOD
Controls. In these instances, we work with you to
help you document the compensating controls you
have in place to mitigate the risk associated with
these SOD Incidents.
4/13/2015
Task
Responsibility
Comments
21
Task #
In
Scope
Task
Responsibility
Comments
13
Repeat steps 1 through 12 for the EBS Test Instance
until you have remediated or mitigated the SOD
Incidents you wish to resolve.
OIC and Client
14
In EBS Production Instance, replicate the revisions
you made in the EBS Test instance to remediate SOD
Incidents
Client
Using your change control procedures, your System
Administrator will revise your security model to
reflect the revisions he or she made to your EBS Test
instance to resolve your SOD incidents.
15
Repeat steps 1 through 12 for the EBS Production
Instance until you have remediated or mitigated the
SOD Incidents you wish to resolve.
OIC and Client
We generate SOD Control Analysis to record the
SOD Incidents (i.e. Conflicts) associated with your
EBS instance.
4/13/2015
22
Sample SOD Controls
4/13/2015
23
Working with the Big 4 accounting firms, Oracle has predefined
approximately 150 SOD Controls. We imported these controls into our
instance of Oracle AACG. We have supplemented these SOD Controls with
additional SOD controls as well as Access Controls that we defined in
conjunction with E&Y and our customers.
We have predefined SOD Rules for the following Business Process Flows:
Procure to Pay
Order to Cash
Accounting to Reporting
Hire to Terminate
Acquire to Retire
4/13/2015
24
Procure to Pay
Order to Cash
Accounting to Reporting
Hire to Terminate
Approve & Create Invoices
Control Budgets & Create Sales
Order
Asset Workbench & Asset
Depreciation
Modify Employee Information &
Define Payroll Information
Approve Invoices & Create
Payments
Control Budgets & Enter Customer
Receipts
Asset Workbench & Mass
Transactions
Modify Employee Position & Define
Payroll Information
Approve Invoices & Print Checks
Control Budgets & Release Sales
Order
Asset Workbench & Physical
Inventory
Modify Employee Salary & Define
Payroll Information
Approve Invoices & Void Payments
Control Budgets & Remittances
Enter Journal Entry & Assets
Depreciation
Modify Employee Information &
Define Payroll Information
Approve Purchase Orders &
Approval Authorization Controls
Control Budgets & Ship Customer
Goods
Enter Journal Entry & Assets
Workbench
Approve Purchase Orders &
Approve Invoices
Create Customer & Create Sales
Order
Enter Journal Entry & Capitalizing
Assets
Approve Purchase Orders & Create
Invoices
Create Customer & Customer
Credit Information
Enter Journal Entry & Mass
Transactions
Approve Purchase Orders & Create
Purchase Orders
Create Customer & Enter Accounts
Receivable Invoice
Entry Journal Entry & Physical
Inventory
Approve Purchase Orders &
Received Goods and Services
Create Customer & Enter Customer
Receipts
Enter Journal Entry & Post Journal
Entry
4/13/2015
25
Procure to Pay
Order to Cash
Accounting to Reporting
Control Budgets & Approve
Invoices
Create Customer & Release Sales
Order
Enter Journal Entry & Setup
General Ledger
Control Budgets & Approve
Purchase Orders
Create Customer & Remittances
Mass Allocate Journal Entries &
Enter Journal Entries
Control Budgets & Create Invoices
Create Customer & Ship Customer
Goods
Perform Cash Reconciliation &
Bank Account Reconciliation
Control Budgets & Create
Payments
Create Items & Cycle Counting
Physical Inventory & Receive
Goods & Services
Control Budgets & Create Purchase
Orders
Create Items & Inventory
Transactions
Post Journal Entry & Assets
Depreciation
Create Invoices & Create Payments
Create Sales Order & Inventory
Transactions
Post Journal Entry & Assets
Workbench
Create Invoices & Print Checks
Post Journal Entry & Capitalizing
Assets
Create Invoices & Void Payments
Post Journal Entry & Mass
Transactions
Create Purchase Orders & Approval
Authorization Controls
Post Journal Entry & Physical
Inventory
4/13/2015
Hire to Terminate
26
Procure to Pay
Create Purchase Orders and
Approve Invoices
Order to Cash
Accounting to Reporting
Hire to Terminate
Post Journal Entry & Setup GL
Create Purchase Orders & Create
Invoices
Create Purchase Orders & Receive
Goods and Services
Create Requisition & Approve
Purchase Order
Create Requisition & Create
Invoices
Create Requisition & Create Items
Create Requisition & Create
Payments
Create Requisition & Create
Purchase Order
Create Requisition & Create
Suppliers
4/13/2015
27
Procure to Pay
Order to Cash
Accounting to Reporting
Hire to Terminate
Create Requisition & Setup Auto
Create Purchase Orders
Create Suppliers & Approve
Invoices
Create Suppliers & Approve
Purchase Orders
Create Suppliers and Create
Invoices
Create Suppliers & Create
Payments
Create Requisition & Create Items
Create Requisition & Create
Payments
Create Requisition & Create
Purchase Order
Create Requisition & Create
Suppliers
4/13/2015
28
Oracle AACG enables you to maintain Restricted Access Controls , which enable you to maintain access to
privileged functions such as those listed in the following table. Each of these functions should be “restricted”
and assigned to very few users who need access to perform their job tasks.
Restricted Access Controls
Restricted Access Controls
Restricted Access Controls
AP Invoice
Item Master
Transaction Batches
Approve Payroll
Maintain Assets
Vendor Master
AR Open/Close Accounting Periods
Maintain Employee
Vendor Payments
Customer Master
Maintain Periods
Edit Pay Element
OTC Configuration
FA Configuration
Post Journals
GL Configuration
Price List
INV Configuration
P2P Configuration
AR Billing
4/13/2015
29
Sample Output from SOD Controls Assessment
4/13/2015
30
Control Detail Extract Report
Incident Summary Extract Report
Incident by Control Summary Extract Report
Access Incident Details Extract Report
Access Point Report
Access Violations by User Report
Access Violations Within a Single Role Report
Intra-Role Violations by Control Report
Users with Access Violations by Control Report
Conditions Report
Global Users Report
4/13/2015
31
A Control Detail Extract Report provides information about controls configured in EGRCC. For each control, the data includes
name, description and comments, type (Access or Transaction), priority, the users who created and most recently updated the
control, the dates on which they did so, and status (Active or Inactive), as well as the number of pending incidents it has
generated. The report also lists tag values assigned to the control, its participants, and related controls. Finally, it displays the
processing logic of the control and, for an access control, any conditions defined for it and entitlements that belong to it.
4/13/2015
32
Use this report to identify conflicting functions defined for a single Oracle Responsibility. In our example, the responsibility is
OIC General Ledger Super User. The Control is “Enter Journal Entry & Post Journal Entry”. Only one user,
HAROLD_SCHMITT is currently assigned this responsibility, which enables Harold to enter and post journal entries. The
Grouping identifies the path that provide access to each Conflicting Access Point. Harold should be able to Post Journals and
AutoPost Criteria or Enter Encumbrances and Enter Journals; however it should not be able to Enter an Encumbrance or Enter
Journals AND Post Journals or AutoPost Criteria.
4/13/2015
33
Use this report to list the controls with SOD Incidents and the Roles (i.e. Oracle Responsibilities) that provide access to the
incompatible functions identified in the SOD Control. In our example, the first control is “Create Customer & Create Sales
Order”, which is used to identify Roles that enable a user to perform both of theses tasks. As you can see, the Roles Order
Management Super User and Order Management User enable a user to create a customer and create a sales order.
4/13/2015
34
Incident by Control Summary Extract Report
Intra-Role Violations by Control Report
Access Violations within a Single Role Report
Users with Access Violations by Control
Report
4/13/2015
35
Estimated Cost of SOD Assessment with
Remediation and Mitigation of SOD Control
Violations
4/13/2015
36
Task
Comments
Responsibility
Complete SOD
Assessment in Test
Instance
Complete Assessment of SOD Controls in Test Instance and
Generate SOD Incident Reports. Includes Tasks 1 through 10
for SOD Assessment Tasks.
OIC
Fixed Fee per
Assessment
Test GRC Incident Reports
Perform random tests to ensure that GRC incident reports are
accurate.
OIC
4
$125
$ 500
Remediate / Mitigate SOD
Conflicts Test Instance
Resolve Conflicts in Test Instance and Document Mitigating
Controls. Also, train System Administrator to remediate SOD
incidents
OIC/Client
40
$125
$5,000
Perform SOD Controls
Assessment Again in Test
Instance
Complete Assessment of SOD Controls in Test Instance again
and Generate SOD Incident Reports to ensure that outstanding
SOD incidents have been remediated or mitigated. Includes
Tasks 1 through 10 for SOD Assessment Tasks.
OIC
Revise Security Model in
Production to Remediate /
Mitigate SOD Conflicts in
Production Instance
Replicate Revisions made to Responsibilities in the Test
Instance in accordance with Client’s Change Controls Policies
Client
Complete SOD Controls
Assessment in EBS
Production Instance
Complete Assessment of SOD Controls in Production Instance
and Generate SOD Incident Reports. . Includes Tasks 1 through
10 for SOD Assessment Tasks..
OIC
Estimated Cost
4/13/2015
Note: This is an iterative process and we may have to
generate the SOD Assessment more than once to
remediate/mitigate SOD Incidents. Cost is $2,500 per
Assessment.
Estimate
Hours
Fixed Fee per
Assessment
40 (non
billable)
Fixed Fee per
Assessment
Rate
Cost
$2,500
$2,500
$
0
$2,500
$13,000
37
Oracle Independent Consultants LLC (OIC) is a leading provider of Risk Advisory
and Oracle Fusion Governance, Risk, and Compliance (GRC)-based solutions. OIC
GRC Express is an approved Oracle Accelerate program for Oracle GRC Controls
and provides fixed scope methodologies for the rapid deployment of Oracle GRC
Controls. The solutions are designed to make Oracle GRC Controls applications
more affordable for midsize organizations. OIC’s Oracle Accelerate solution
significantly reduces implementation costs and timeframes and lowers the total
cost of ownership of Oracle GRC Controls.
Contact Us to Learn More.
4/13/2015
38