GRC Solution Overview Template


Oracle GRC Application Controls: A Layered Defense
How the Oracle GRC Suite Can Reduce Business Costs and Improve IT Security
Atlanta Oracle Applications Users Group Meeting – January 29, 2010
Inspiring Your Next Success!®
Company Confidential - Copyright 2010 Hitachi Consulting
Introduction to the GRC Team
> Kevin Mims, Senior Manager at Hitachi Consulting
> Andy Pope, Manager at Hitachi Consulting
> Paul Steffen, Manager at Hitachi Consulting
> Ryan Henderson, GRC Specialist at Hitachi Consulting
Agenda
> Introductions
> Hitachi Consulting Oracle Practice Overview
> Why GRC? Business Challenges in the Client Space
> How the Oracle GRC Solution Can Help
> Focus on Oracle GRCC Suite
» Oracle Application Access Controls Governor (AACG)
» Oracle Transaction Controls Governor (TCG)
» Oracle Preventive Controls Governor (PCG)
» Oracle Configuration Controls Governor (CCG)
> Oracle ERP Implementation Overview – Where do GRC Applications fit in?
> Methodology and Planning
> Keys to Success
> Lessons Learned
> The Hitachi Consulting Solution
> Q&A
Hitachi Consulting Background
[Pie chart: Hitachi Consulting business by industry. Segments: Industrial Products 25%; High Tech Manufacturing & Software Providers 23%; Financial Services; Communications, Media & Entertainment; Healthcare & Biotech; Food & Beverage, Consumer Goods Mfg. & Retail; Engineering & Construction; Energy & Utilities; Other. Remaining shares shown: 16%, 13%, 7%, 5%, 5%, 4%, 2%.]
> Hitachi Consulting is the U.S.-based business and IT consulting division of Hitachi Ltd., and a globally recognized leader delivering value-based business strategies and technology solutions
» Revenues of approximately $450M globally
» 1200 employees in the US with offices also in Europe and Asia, 2500 employees globally
> With more than 25 years of business process, vertical industry, and leading-edge technology experience, our consultants are seasoned in a multitude of disciplines and work with clients to transfer their knowledge and experience every step of the way
Hitachi Consulting founded November 2000
> Hitachi made a strategic decision to enter the IT and business consulting services market in the United States, as the outcome of a study by McKinsey
> With the acquisition of Grant Thornton’s consulting business in November 2000, “Hitachi Consulting” was born
> The Company was re-branded to Hitachi Consulting in May 2003, as the “business and IT consulting unit of Hitachi”
> Hitachi Consulting has grown organically and through a series of strategic acquisitions
[Timeline 2000 to 2010: Foundation, Strategy, Integration & Globalization, Profitability, Growth & Value]
Deep Oracle Expertise
Oracle is Hitachi’s #1 EA Practice (both revenue and headcount)
400+ Oracle Consultants (80% functional, 20% technical)
100+ completed or ongoing 11i implementations
15+ completed or ongoing R12 implementations
Oracle Titan Award Winner: 2006 – EBS System Integrator; 2007 & 2008 – Integration and SOA; 2008 – Edge Applications
Global Certified Advantage Partner
Certified OnDemand Partner
Oracle Partner of the Year, 5 of last 8 years
Ranked #3 Partner for Oracle Commercial
Hitachi Consulting ranked 6th overall in Oracle’s NA Partner Performance metrics
Internal Apps and Tech Labs support Biz Flow Accelerators
Member Oracle Field Advisory Board: Flow Manufacturing, Advanced Planning & Scheduling, Warehouse Management, Process Manufacturing, Enterprise Asset Management
Member Oracle Industry Advisory Board: Process Manufacturing, Industrial Manufacturing, High Tech Manufacturing
Hitachi Consulting’s Oracle Practice
> Global Reach with Local Focus
» Hitachi Ltd. – one of the top 15 Business and IT consultancies in the world
» Hitachi Consulting was formed from the Grant Thornton and Arthur Andersen Business Consulting Practices.
» Full service consultancy inclusive of IT infrastructure, Supply Chain, Change Management, and Enterprise Application Deployment.
> Oracle Practice
» Our national Oracle practice grew at 60% last year while our Southeast Oracle practice grew by over 170%.
» Experience working with Oracle Development by being first implementers of 11i Process Manufacturing (with Order Management, iStore and Purchasing), Flow Manufacturing and WMS.
» Member of Oracle’s Field Advisory Board for Flow Manufacturing, Advanced Planning and Scheduling, Warehouse Management, and Process Manufacturing.
» Full service Oracle 11i solution offering from audit through reimplementation.
> Tool Sets
» Significant investment in Oracle-centric implementation tools and methods including the development of our AIM Plus methodology.
» Collaborative approach – working with customers, Oracle Sales and Oracle Development.
> Track Record
» Current and completed Oracle implementations in the Southeast:
• Ames True Temper
• Angelica Textile Services
• World Fuel Services
• Manheim
• Fidelity National Financial
• Fidelity Information Services
• Lender Processing Services
• EMS Technologies
• Equifax
• Internet Security System (ISS)
• Internap
• Tekelec
• Welding Services
Abstract
> The Oracle Governance, Risk, and Compliance (GRC) Enterprise Solution is an effective tool that business can use to improve IT security and help insure against fraud, negligence, and other corporate vulnerabilities. Companies that implement a GRC package will observe an enhancement of corporate governance, comprehensive risk mitigation, and a significant reduction in audit and compliance costs.
> GRCC serves as the foundational core of Oracle’s GRC Enterprise Solution and works with two higher level components, the GRC Manager and GRC Intelligence.
> The foundation for Oracle’s GRC Enterprise Solution is the GRC Controls Suite, an embedded, linked set of modules that can be used to safeguard sensitive corporate information. The modular components are organized around specific duties that can be operated both independently and in conjunction with one another.
2010 Developments in the GRC Space
> 89% of risk professionals surveyed reported investments in GRC technology will increase or stay the same in 2010 *
> 62% said the current financial crisis has increased the priority of enterprise-wide risk management *
> AMR reports after a two-year period of decline, GRC spending growth returns in 2010, by expanding to nearly $30B **
> In May 2008, Standard and Poor’s announced a plan to include enterprise risk management (ERM) assessments into individual corporate credit ratings of nonfinancial companies. These plans are intended to be enacted in 2010 ***
* OpenPages 2009 Survey of over 50 strategic risk, governance and finance professionals. (marketwire.com)
** AMR November 2009 “GRC in 2010: $29.8B in Spending Sparked by Risk, Visibility, and Efficiency”
*** Standard & Poor’s, RatingsDirect, “Progress Report: Integrating Enterprise Risk Management Analysis Into Corporate Credit Ratings”
Why GRC?
> What Types of Problems are we solving?
> Example 1: Clerk at NYSE-traded food sector corporation was able to change bank account info without cross-check; $10MM transferred before fraud was discovered. *
> Consequences: $10MM frozen pending litigation; public confidence shaken due to notoriety.
> Example 2: NYSE-traded energy sector corporation applied a production patch that reset vendor tolerances, and didn’t notice the change for nine months. *
> Consequences: Their internal audit team had to do extensive work to prove there were no abuses, and their external auditors performed substantial transaction examination.
* Research per Oracle. Numbers are derived from Oracle customer testimonials and 3rd party studies, like those cited in Compliance Weekly or PwC.
Common GRC Challenges in the Client Space
No Standardized Policies and Procedures
• No appropriate standard framework for audit and compliance activities
• Inconsistent audit plans, work paper methodologies, etc.
No Real Time Visibility and Communication w/Data
• Transactions occurring daily within the business
• Fields or configurations that are changed by Users
Non-Standard Information
• Multiple legacy systems with disparate uses and different architectures
• No common platform for reporting and consolidation
Cost of Compliance Activities
• Cumbersome and manual process to audit
• Many man hours ‘chasing paper’
No Clearly Defined Roles and Responsibilities
• Roles within the business are unclear
• Responsibility for audit and accountability for system functions are blurred
* Per Oracle.
How GRC Simplifies Internal Controls
[Diagram, top to bottom: GRC Intelligence (Single Source: multiple GRC activities working together; Dashboards, Reports, Alerts, Key Risk Indicators). GRC Manager (Controls Automation: Processes, Risks, Assessments, Issues, Procedures, Remediation, Policies; proactive response to mitigate risk). GRC Applications (Embedded Controls: real time monitoring and management; Application Access Controls Governor, Transaction Controls Governor, Configuration Controls Governor, Preventive Controls Governor). Applications (Seeded Content: out of the box policies and templates). EBS Infrastructure.]
The GRCC Compliance Framework
> Builds a values-driven culture that improves worker productivity and resource management
> Minimizes corporate risk by controlling access to sensitive areas of business
> Provides simplified and flexible responses to conflicts of interest and other HR concerns
> Establishes a company’s reputation as a compliance leader and empowers it to fulfill its strategic vision
GRCC (Platform)
> Composed of two GRC Application Controls modules:
» Application Access Controls Governor (AACG)
• Regulates access to duties assigned in Oracle E-Business Suite
» Transaction Controls Governor (TCG)
• Detects and prevents erroneous and fraudulent transactions
[Diagram: GRCC (Platform) hosting AACG 8.5 and TCG 8.5]
> Shared Administrative Functions:
» Connects modules to E-Business Suite
» Takes “snapshots” of transactional data
» Integrates with other GRC applications (PCG, GRCM, GRCI)
AACG Enforcement Process
> Define: Define Access Policies, Access Points, and Entitlements (ex. Enter supplier vs. payment)
> Detect: Use Conflict Analysis Tools to Identify Policy Violations (ex. SOD violations and undesired user access)
> Remediate: Resolve Conflicts by Cleaning up the EBS (ex. Removing a responsibility from a user in the EBS)
> Prevent: Preventive Enforcement through User Provisioning Tool (ex. Synchronization with PCG Form Rules)
Access Policies – Ensuring Segregation of Duties
> Access policies identify responsibilities and duties that conflict
> Policies are composed of:
» Access points: Object that allows a user to do something (ex: roles, responsibilities, etc.)
» Entitlements: Groupings of access points
[Diagram: Access Points are grouped into Entitlements; an Access Policy relates the Entitlements that conflict]
SOD Control Library
» Oracle 11.5.1: 216 Policies
» Oracle R12: 232 Policies
*Each policy is comprised of several sub-policies and controls based on complexity; the sum total is over 3,000 per ERP
Finding Conflicts
> Evaluate security protocols
> Identify policy violations
> Use the Visualization to analyze conflict paths
> See how users, menus, and responsibilities all connect
[Screenshot: the visualization tool provides a graphic representation of the conflict spreadsheet; identify conflicting roles, responsibilities, and users]
Remediation
> Graphic representation of a firm’s operating structure
> Accessible Conflict Reporting
> Provides a “what if analysis”, which simulates a remediation plan
> Users can remove a privilege path and find the remediation plan
> Heat Map automatically built by tables; AACG helps identify key risk indicators
> Builds a step-by-step remediation plan to follow
Preventive Enforcement - User Provisioning
> Automatically applies access policies to each user assigned responsibilities in the EBS
> Activating responsibilities requires a Conflict Analysis to run to confirm that no violations occur
[Screenshot: new responsibility is automatically end-dated]
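The Define, Detect and Prevent steps of the AACG process above, as an added Python example (not Oracle's or Hitachi Consulting's code): access points are grouped into entitlements, a policy pairs two entitlements that must not be held together, conflict analysis reports each violation with the responsibilities that form its path, and the provisioning check end-dates a requested responsibility that would create a new violation. All responsibility, function and policy names are constructed for the demo.

```python
"""SOD access-policy evaluation in the AACG style (constructed demo data)."""
from datetime import date

# Access points: objects that let a user do something. A responsibility
# grants a set of functions; both the responsibility and the function count.
RESPONSIBILITIES = {
    "AP_SUPPLIER_MAINT": {"ENTER_SUPPLIER", "UPDATE_SUPPLIER_BANK"},
    "AP_PAYMENTS": {"CREATE_PAYMENT", "APPROVE_PAYMENT"},
    "GL_SUPERUSER": {"ENTER_JOURNAL", "POST_JOURNAL"},
    "GL_INQUIRY": {"VIEW_JOURNAL"},
}

# Entitlements: groupings of access points.
ENTITLEMENTS = {
    "Maintain Suppliers": {"ENTER_SUPPLIER", "UPDATE_SUPPLIER_BANK"},
    "Make Payments": {"CREATE_PAYMENT", "APPROVE_PAYMENT"},
    "Enter Journals": {"ENTER_JOURNAL"},
    "Post Journals": {"POST_JOURNAL"},
}

# Access policies: pairs of entitlements that conflict (constructed names).
POLICIES = {
    "SOD-001 Enter supplier vs. payment": ("Maintain Suppliers", "Make Payments"),
    "SOD-002 Enter vs. post journal": ("Enter Journals", "Post Journals"),
}


def functions_of(responsibilities):
    """Flatten a user's active responsibilities into the functions they reach."""
    return {f for r in responsibilities for f in RESPONSIBILITIES.get(r, ())}


def conflict_paths(user, responsibilities):
    """Detect: one finding per violated policy, with the conflict path
    (which responsibilities grant each side of the policy)."""
    reach = functions_of(responsibilities)
    findings = []
    for name, (left, right) in POLICIES.items():
        if ENTITLEMENTS[left] & reach and ENTITLEMENTS[right] & reach:
            path = {side: sorted(r for r in responsibilities
                                 if RESPONSIBILITIES[r] & ENTITLEMENTS[side])
                    for side in (left, right)}
            findings.append({"user": user, "policy": name, "path": path})
    return findings


def provision(user, current, requested, today=date(2010, 1, 29)):
    """Prevent: run conflict analysis before activation. A requested
    responsibility that introduces a new violation is end-dated at once."""
    before = {f["policy"] for f in conflict_paths(user, current)}
    after = conflict_paths(user, current | {requested})
    new = [f for f in after if f["policy"] not in before]
    if new:
        return {"responsibility": requested, "active": False,
                "end_date": today.isoformat(), "violations": new}
    return {"responsibility": requested, "active": True,
            "end_date": None, "violations": []}


if __name__ == "__main__":
    # Constructed user: maintains suppliers and now requests payment access.
    held = {"AP_SUPPLIER_MAINT", "GL_INQUIRY"}
    print(conflict_paths("jdoe", held))
    print(provision("jdoe", held, "AP_PAYMENTS"))
```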
Transaction Controls Governor
> “Models” classify transactional risk
» Key on specific tables that need to be monitored
» Filters, patterns, and functions specify parameters
» Drag and drop business objects to create models
[Diagram: Business Objects → Filters & Patterns (identify filter types and set thresholds) → Models]
Model Workbench
> Reports identify Who, What, When and Where a violation occurred
> Manage multiple models from the Model Workbench
> Schedule synchronization jobs to ensure accuracy
Transaction Real World Examples
> Test against Material Thresholds
» JE > $ threshold
» Employee Checks (individual & sum) > $ threshold
> Search for Anomalies
» PO terms differ from vendor
» Sales orders > acceptable $ range
> Sampling of Transactions
» 4th quarter invoices
» Days sales outstanding balances
> Detect Fraudulent Behavior
» PO changes after approval
» Duplicate suppliers with same address
> Embed Preventive / Automated Compensating Controls
» Alert on customer transactions over $ threshold
» Prevent journals from being entered and posted by same individual
* Per Oracle.
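Several of the tests listed above (JE and employee-check thresholds, PO changes after approval, duplicate suppliers with the same address, journals entered and posted by the same person), as an added Python example (not Oracle's or Hitachi Consulting's code): each model keys on a small constructed record set that stands in for an EBS table and returns the suspects a Model Workbench report would list. The table names, thresholds and rows are all constructed.

```python
"""TCG-style transaction control models over constructed business objects."""
from collections import defaultdict

# Constructed rows standing in for EBS tables a model would key on.
SUPPLIERS = [
    {"id": 101, "name": "Acme Supply Co", "address": "12 Main St, Atlanta GA"},
    {"id": 102, "name": "ACME Supply Company", "address": "12 Main St., Atlanta, GA"},
    {"id": 103, "name": "Peach Logistics", "address": "9 Peachtree Rd, Atlanta GA"},
]
PO_HEADERS = [  # ISO dates compare correctly as strings
    {"po": "PO-5001", "approved_on": "2010-01-05", "last_update": "2010-01-04", "updated_by": "buyer1"},
    {"po": "PO-5002", "approved_on": "2010-01-06", "last_update": "2010-01-12", "updated_by": "buyer2"},
]
JOURNALS = [
    {"je": "JE-77", "amount": 250_000, "created_by": "acct1", "posted_by": "acct2"},
    {"je": "JE-78", "amount": 1_200_000, "created_by": "acct3", "posted_by": "acct3"},
]
EMPLOYEE_CHECKS = [
    {"check": "CHK-1", "employee": "E100", "amount": 4_000},
    {"check": "CHK-2", "employee": "E100", "amount": 7_500},
    {"check": "CHK-3", "employee": "E200", "amount": 900},
]


def normalize_address(addr):
    """Pattern: compare addresses after dropping case, punctuation and spacing,
    so near-identical duplicates are not hidden by formatting differences."""
    return "".join(ch for ch in addr.lower() if ch.isalnum())


def duplicate_suppliers(rows=SUPPLIERS):
    """Fraud model: groups of supplier ids sharing one normalized address."""
    by_addr = defaultdict(list)
    for r in rows:
        by_addr[normalize_address(r["address"])].append(r["id"])
    return [ids for ids in by_addr.values() if len(ids) > 1]


def po_changed_after_approval(rows=PO_HEADERS):
    """Fraud model: POs whose last update postdates their approval."""
    return [(r["po"], r["updated_by"], r["last_update"])
            for r in rows if r["last_update"] > r["approved_on"]]


def journals_over(rows=JOURNALS, threshold=1_000_000):
    """Material threshold: journal entries above the $ threshold."""
    return [r["je"] for r in rows if r["amount"] > threshold]


def same_enter_and_post(rows=JOURNALS):
    """Compensating control: entering and posting the same journal is flagged."""
    return [(r["je"], r["created_by"]) for r in rows if r["created_by"] == r["posted_by"]]


def employee_checks_over(rows=EMPLOYEE_CHECKS, threshold=10_000):
    """Material threshold tested both per check and as a per-employee sum."""
    totals = defaultdict(int)
    for r in rows:
        totals[r["employee"]] += r["amount"]
    return {"individual": [r["check"] for r in rows if r["amount"] > threshold],
            "sum": [e for e, t in totals.items() if t > threshold]}


def run_models():
    """Suspect report: one entry per model, as a Model Workbench run would list."""
    return {"duplicate_suppliers": duplicate_suppliers(),
            "po_changed_after_approval": po_changed_after_approval(),
            "je_over_threshold": journals_over(),
            "same_enter_and_post": same_enter_and_post(),
            "employee_checks_over": employee_checks_over()}


if __name__ == "__main__":
    for model, suspects in run_models().items():
        print(model, suspects)
```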
Preventive Controls Governor
> Set of applications that run within Oracle EBS as a component of the GRC Application Suite
> Four sets of rules:
» Form Rules: Modifies security, navigation, field and data properties
» Flow Rules: Defines & implements business processes
» Audit Rules: Tracks changes to the values of fields in database tables
» Change Control: Regulates changes to the values of fields in EBS forms
Form Rule Capabilities
[Screenshot callouts: Hidden Field, Modify Security Settings, Create Messages, Field Required, Edit Messages, Edit Background, Edit Field Properties, Hide Field Data, Edit Prompt]
Audit Rules
> Document changes to database field values
» Old vs. New Values
» Transaction Type (Insert, Update or Delete)
» User Responsible for Change
» Timestamp
Change Control
> Ensure Data Integrity
> Regulate changes to fields in EBS forms
> Set approval and reason code requirements for enforced management
> Enable visual attributes to identify controlled fields
> Build reason codes to clarify why a change occurred
Configuration Controls Governor (CCG)
> Monitor setup data in Oracle EBS
» Identify differences between ERP instances: compare across multiple instances and different points in time
» Maintain Data Consistency
» Standardize and resolve any problems before a rollout
> Reports available in PDF, HTML, & Excel formats
CCG Content Libraries
> CCG comes with seeded content libraries for EBS R12
> Monitors 550+ setup configurations
> Organized around three Oracle EBS Applications:
» BASE ENGINE: Common Modules, Alert, Application Object Library, System Administration
» FINANCIALS: Payables, Receivables, General Ledger, Subledger Accounting, Legal Entity Configurator, E-Business Tax
» PROCUREMENT: iProcurement, Purchasing
Change Tracking Reports
> Change Tracking Reports are presented in an easily accessible format
> Users and administrators can monitor before-and-after values, responsible user, and time stamps
[Screenshot callouts: Where? Who? What? When?]
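The snapshot-and-compare approach of the CCG slides and the before-and-after change tracking described here, as an added Python example (not Oracle's or Hitachi Consulting's code): two constructed snapshots of setup rows are compared, and every difference is reported with its Where (instance, table, key), What (field, old and new value), Who and When. Instance names, table names and the row-level "last updated by/date" columns are constructed. Because Who and When are read from the changed row itself, a deleted row carries neither; that is the gap the PCG Audit Rules, which record user and timestamp for each Insert, Update or Delete, are there to close.

```python
"""Configuration snapshot comparison producing change-tracking records."""


def make_snapshot(instance, taken_at, rows):
    """A snapshot: setup rows keyed by (table, primary key), taken on one
    instance at one point in time. Rows carry constructed audit columns."""
    return {"instance": instance, "taken_at": taken_at,
            "rows": {(r["table"], r["key"]): r for r in rows}}


# Constructed snapshots of one production instance a month apart. The
# tolerance change mirrors the "patch reset vendor tolerances" story above.
PROD_JAN = make_snapshot("PROD", "2010-01-01T02:00", [
    {"table": "AP_TOLERANCES", "key": "OU=US",
     "values": {"invoice_tolerance_pct": 5, "hold_unmatched": "Y"},
     "last_updated_by": "SYSADMIN", "last_update_date": "2009-06-15"},
    {"table": "GL_LEDGER_SETUP", "key": "US_PRIMARY",
     "values": {"currency": "USD", "period_set": "Monthly"},
     "last_updated_by": "SYSADMIN", "last_update_date": "2009-01-10"},
])
PROD_FEB = make_snapshot("PROD", "2010-02-01T02:00", [
    {"table": "AP_TOLERANCES", "key": "OU=US",
     "values": {"invoice_tolerance_pct": 50, "hold_unmatched": "Y"},
     "last_updated_by": "PATCHUSER", "last_update_date": "2010-01-18"},
    {"table": "GL_LEDGER_SETUP", "key": "US_PRIMARY",
     "values": {"currency": "USD", "period_set": "Monthly"},
     "last_updated_by": "SYSADMIN", "last_update_date": "2009-01-10"},
    {"table": "GL_LEDGER_SETUP", "key": "US_SECONDARY",
     "values": {"currency": "USD", "period_set": "Monthly"},
     "last_updated_by": "GLADMIN", "last_update_date": "2010-01-25"},
])


def compare_snapshots(base, target):
    """Change-tracking records for everything that differs between base and
    target. Works across time (same instance) or across instances (PROD vs TEST)."""
    changes = []
    for k, new in target["rows"].items():
        where = {"instance": target["instance"], "table": k[0], "key": k[1]}
        old = base["rows"].get(k)
        if old is None:  # row exists only in the target snapshot
            changes.append({**where, "type": "Insert", "field": None, "old": None,
                            "new": new["values"], "who": new["last_updated_by"],
                            "when": new["last_update_date"]})
            continue
        for field in sorted(set(old["values"]) | set(new["values"])):
            if old["values"].get(field) != new["values"].get(field):
                changes.append({**where, "type": "Update", "field": field,
                                "old": old["values"].get(field), "new": new["values"].get(field),
                                "who": new["last_updated_by"], "when": new["last_update_date"]})
    for k, old in base["rows"].items():
        if k not in target["rows"]:  # row vanished: no surviving audit columns
            changes.append({"instance": target["instance"], "table": k[0], "key": k[1],
                            "type": "Delete", "field": None, "old": old["values"],
                            "new": None, "who": None, "when": None})
    return changes


if __name__ == "__main__":
    for c in compare_snapshots(PROD_JAN, PROD_FEB):
        print(c)
```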
GRC Application Controls
> Who’s accessing your apps?
» Application Access Controls Governor
> What have they changed?
» Preventive Controls Governor
» Configuration Controls Governor
> Am I financially safe?
» Transaction Controls Governor
* Per Oracle.
Existing Hitachi Consulting GRC Client
> $9M Oracle R12 Financials and Process and Manufacturing implementation spanning 18 countries
> 60+ Legal Entities
> 40+ Consultants
> Modules Include:
» Financials: General Ledger, SLAM, Accounts Payables, Accounts Receivables, eBTax, Project Accounting, Cash Management, Treasury, Fixed Assets, Advanced Collections
» Manufacturing: Inventory, OPM Costing, Bill of Material, WIP, Quality
» Procurement: Purchasing, Purchasing Contracts, AME
» Order Management: Order Management, Advanced Pricing, Shipping, Sales Contracts
» Supply Chain Mgmt: ASCP
» Governance, Risk and Compliance: AACG, TCG, PCG, CCG
Hitachi Consulting Client - GRC Pain Points
GRC Pain Points
1. Lack of Compliance Framework
• ‘Tone at the Top’ epitomized a ‘lack of focus’ toward compliance
• No formal consistent ‘across the board’ set of policies
• No structured Audit Committee
2. Poor Tech Integration
• Disparate Legacy Systems
• Inadequate monitoring and testing of technology systems
• No controls automation
3. Weak Internal Controls
• Lack of formal roles and responsibilities
• No Segregation of Duties
• Lax IT security
4. Stove Piping
• Information Silos across different Legal Entities/Operating Units
• No global remediation procedure
• Lack of compliance reporting
5. Inability to Audit Daily Transactions
• No continuous controls monitoring
• No Audit Trail
• No view of configuration changes
Hitachi GRC Solution
GRC Methodology and Planning
GRC Methodology and Planning
AACG
> Implementation Activities
» User Provisioning Process
» Review Oracle Seeded Content Load (Out-of-Box Policies)
» SOD Detection and Remediation
» Run User Conflict Reports and Heat Maps
» Finalize ERP Responsibilities
> Key Terms
» Segregation of Duties, i.e. Policy Load
» User Provisioning, i.e. Detection and remediation of SODs
» Conflict Reports, i.e. Report on Intra and Inter Responsibility conflicts
TCG
> Implementation Activities
» Review Future State Business Processes
» Define Models Using Business Objects
» Identify Potential Suspects
» Reporting reviewed by Audit Team
> Key Terms
» Business Objects, i.e. Tables and fields within EBS Suite
» Parameters, i.e. Filters, Patterns and Functions
» TCG Models, i.e. string of business objects that generate suspects
PCG
> Implementation Activities
» Review Future State Business Processes
» Review each Oracle module with Client SME and Audit Manager for key fields
» Set subscribers
» Control spreadsheet with seeded content (1500 Rules)
> Key Terms
» Form Rules, i.e. limiting access to a field
» Flow Rules, i.e. approval rule, informational message on trigger
» Audit Rules, i.e. track changes
» Change Control Rules, i.e. reason code as to why a field is changed
CCG
> Implementation Activities
» Review all EBS configurations
» Decide what key configuration setups to snapshot
» EBS seeded content libraries
» Define comparisons
» Track changes
» Schedule all CCG activities (daily, weekly, monthly)
> Key Terms
» Snapshots, i.e. capturing specific setup/configuration info
» Comparisons, i.e. comparing snapshots between ledgers, operating units, instances
» Change Tracking, i.e. monitor any change to configuration
A Layered Defense
> Social Security Number field
» AACG – Enforce Segregation of Duties to limit access to HR Responsibility
» TCG – Automated Suspect Report identifying all HR violations
» CCG – Track Changes to HR Configuration (Who, What, Where, When)
» PCG – Hide SS # field and Alert Compliance Department to any changes
Lessons Learned
> Ensure Audit Director/Manager is empowered by the business to make the important decisions
> A deep understanding of Oracle eBusiness Suite is vital to guarantee GRCC success
> Promote a cooperative relationship between the Client Teams to encourage the free flow of ideas
> Plan for dedicated DBA Time for GRC Installations
> Accurate Test Data and Accurate Responsibilities are required for AACG, TCG, and PCG to be successful test events
> SQL skills are required for the comprehensive implementation of PCG
> Operating Units, Ledgers, Legal Entities, and Responsibilities have to be in a fit state to make GRC design effective and accurate
Lessons Learned - GRC Architecture
Questions?
Andy Pope, Manager, Hitachi Consulting
www.hitachiconsulting.com
Mobile: 678.463.9622
[email protected]

Kevin Mims, Senior Manager, Hitachi Consulting
www.hitachiconsulting.com
Mobile: 404.664.8122
[email protected]

Ryan Henderson, GRC Specialist, Hitachi Consulting
www.hitachiconsulting.com
Mobile: 512.771.3361
[email protected]

Paul Steffen, Manager, Hitachi Consulting
www.hitachiconsulting.com
Mobile: 678.665.3389
Office: 678.627.4940
[email protected]