
Application Risks and
Controls Management Survey
Findings
July 15th, 2008
The surveys were conducted independently by Jeffrey T. Hare, CPA, CISA, CIA of ERP Seminars and reviewed by the board of the Oracle Applications Internal Controls and Security SIG. Fulcrum is a co-sponsor of this survey.
Disclaimer: The survey results, observations and findings included in this Webinar are not scientific. Our goal is to provide you with information on how Oracle customers are dealing with key issues in application risk and controls management.
Leverage Information Technology:
Turn Corporate Governance into Business Performance™
Copyright ©. Fulcrum Information Technology, Inc.
AGENDA
Application Risks and Controls
Management
Introduction
Application Controls Survey Findings
Governance Risk and Compliance Trends
IT Controls Framework
Application Controls Overview
Auditing Challenges
Case Studies
www.fulcrumway.com
Page 2
To Join Webinar
Open the Webinar confirmation email and click the Join
Webinar link. Alternatively, you may be invited to a Webinar
that is already in session
If prompted, click Yes or Grant to accept the download.
No Webinar password is required
Download Presentation
Fulcrum Webinar Assistance Email: [email protected]
Page 3
Panel Members
Jeff Hare, CPA, CISA, CIA – Jeff's extensive background includes public accounting, industry, and Oracle applications implementation experience. His sole focus is on the development of internal controls and security best practices for companies running Oracle Applications. Jeff is a Certified Public Accountant (CPA), a Certified Information Systems Auditor (CISA), and a Certified Internal Auditor (CIA). He is the founder of ERP Seminars and the Oracle Users Best Practices Board and is widely published.
Lane Leskela – Vice President of Technology Programs at the nonprofit think tank the Open Compliance & Ethics Group (OCEG). Prior to his role at OCEG, Lane served as the Senior Product Marketing Director for GRC applications at Oracle Corporation. Prior to joining Oracle, Lane was a Research Vice President at the technology research firm Gartner, Inc. At Gartner, he managed software market research, analysis, reporting and client services for enterprise risk management, regulatory compliance management and financial control and reporting.
Adil Khan – Senior Director at Fulcrum with over 15 years of experience in enterprise business systems. Adil also serves on the board of the Oracle Applications Users Group Internal Controls and Security Interest Group (OAUG ICS SIG). At Fulcrum, Adil has successfully designed and implemented internal controls management systems for more than 50 global companies listed on the NYSE and NASDAQ. His expertise includes streamlining and automating Governance, Risk and Compliance processes based on industry standards such as ERM-COSO and COBIT. Prior to Fulcrum, Adil served as a board member and Chief Executive Officer of ALTM, a public company listed on the NASDAQ.
Page 4
About Fulcrum
We are a leading provider of Governance, Risk and Compliance solutions for enterprise customers. Our solutions focus on:
Enterprise Application Controls Monitoring
GRC Process Management
GRC Intelligence
FulcrumWare GRC Tools include content and on-line services to rapidly reduce risks such as Segregation of Duty violations in enterprise systems such as Oracle E-Business Suite, PeopleSoft, JD Edwards, SAP and other legacy applications.
FulcrumWay Professionals are leading experts with real world experience in Internal Audit, Enterprise Systems and GRC Process Management.
FulcrumPoint Insight provides the latest trends, best practices and thought leadership through regional and national conferences held by OAUG, IIA and ISACA.
Privately held Delaware corporation with US presence in New York, Texas and California, and international presence in the UK and India.
Page 5
Fulcrum Credentials (listed by industry): Retail, Media and Entertainment, Financial Services, Life Sciences, Natural Resources, Defense/Aerospace, High Technology, Industrial Manufacturing, Healthcare, Construction, Food (Reader's Digest among the names shown).
Page 6
FulcrumPoint Insight
Thought Leadership - Events
Compliance Week Magazine – Healthcare Firm Aligns Compliance Efforts, Cuts Costs
Economist Magazine – Compliance Guide for Enterprise Systems
Podcast – How Automating the Enterprise Risk Management Process helps organizations comply with regulations
OAUG – Impact of AS5 for Oracle Enterprise Customers
IIA – Top Five Reasons for Automating Application Controls
Oracle Open World – Annual GRC Dinner, GE and Birds Eye Case Study
Web casts – GRC Best Practices, Trends and Expert Insight.
Page 7
Recap of surveys
Two surveys conducted by ERP Seminars; Fulcrum is a co-sponsor of the survey.
Related to internal controls and security issues for Oracle's E-Business Suite.
Page 8
Recap of surveys: Demographics
Cross representation of industries
Representing various sales levels from under $100 million to over $5 billion
Generally over 250 users, ranging to many respondents with over 5000 users
Most common roles range from IT management, business analysts, and internal audit/corporate governance
Page 9
Recap of surveys
There were 20 scenarios presented and each scenario included two questions:
Identify the awareness of the deficiency:
My company was not aware of this risk
My company is aware of this risk, but has chosen not to address it yet
My company is aware of this risk and has chosen to accept the risk
My company is aware of this risk and has addressed it via a manual control
My company is aware of this risk and has implemented a customization / extension
I am not qualified to address this risk
My company does not use this functionality
Other
Determine likelihood of implementing if Oracle provided a solution:
Would likely not implement because we don't agree with the risks
Would likely not implement because we already addressed via a customization
Would likely not implement because we have chosen to accept the risks
Would likely implement it because we have not addressed the issue
Would likely implement it because we would rather replace our customization
I am not able to know what our company would do
Other
Page 10
Page 11
Overview of results
Lack of awareness of the risks – average 19% (varied from 6.3% to 39%).
Most of the deficiencies, if corrected by Oracle, would be widely adopted – average 78.4% answered "Would likely implement it because we have not addressed the issue" or "Would likely implement it because we would rather replace our customization" (varied from 55% to 89%).
Page 12
Specific results
Workflow history retention:
Page 13
Specific results
Workflow history retention:
Page 14
Specific results
Workflow history retention recommendations:
Remove purge program from all but one request group (DBA or business analyst?) – tightly control
Document process for retaining history
• Maintain history for 15 months, then purge after the 404 audit
• Develop archive and purge process for approvals separate from notifications
Page 15
Specific results
Inquiry forms for support personnel / auditors – if Oracle provided standard forms:
Question 7 on survey 1: Adjustment Approval Limits, Journal Authorization Limits, PO and Req Approval Limits, AME setups. 83% would implement.
Question 8 on survey 1: Foundational setups such as Payables Options, Purchasing Options, Receiving Options, and Value Set Values. 86% would implement.
Question 9 on survey 1: Menus, Functions, Request Groups, Responsibilities, and Users. 75% would implement.
Page 16
Specific results
Inquiry forms recommendations:
Take risk with access in Prod – not recommended
Grant selected access to super users – recommended if proper controls are in place to monitor their activity
Frequent cloning to non-prod instance
Third party solution for inquiry forms
Page 17
Specific results
Change management – lack of audit trails for security, setups, DDL, and development doesn't allow for a best practices audit
Adoption rate for trigger- or log-based auditing solutions is low
Companies generally not following change management best practice guidance (IIA)
Page 18
Specific results
Change management recommendations:
Use a risk-based approach to identify critical audits to implement
– SQL forms, development, security, high-risk setups and transactions
Look at choices in the log-based and trigger-based space – understand full scope before determining choice
Look for companies with pre-seeded audits
Page 19
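The two recommendations above (scope the audits by risk, then pick a trigger- or log-based mechanism) can be seen end to end in the following added example. It is not Fulcrum's or Oracle's code: it uses Python's standard sqlite3 module as a stand-in for the application database, and the table names (payables_options, approval_limits, ui_preferences), the risk ratings and the sample changes are all constructed for this illustration. It shows the trigger-based option: a database trigger records old value, new value, acting user and time for every change to a setup table that the risk-based scoping step selected, whether the change came through the application or through direct SQL. Oracle E-Business Suite's own setup tables and audit features are not modelled.

```python
"""Trigger-based audit trail for high-risk application setup tables.

Added illustration (not Fulcrum's or Oracle's code). An in-memory SQLite
database stands in for the application database; table names, risk
ratings and the sample changes are constructed for this example.
"""
import sqlite3
from typing import Dict, List, Tuple

# Constructed risk-based scoping: only tables rated "high" get an audit
# trigger, mirroring the "use a risk-based approach" recommendation.
SETUP_TABLE_RISK: Dict[str, str] = {
    "payables_options": "high",   # e.g. invoice matching level
    "approval_limits":  "high",   # e.g. journal / PO approval limits
    "ui_preferences":   "low",    # cosmetic settings, no financial impact
}

AUDIT_DDL = """
CREATE TABLE setup_audit (
    audit_id    INTEGER PRIMARY KEY AUTOINCREMENT,
    table_name  TEXT NOT NULL,
    row_key     TEXT NOT NULL,
    old_value   TEXT,
    new_value   TEXT,
    changed_by  TEXT NOT NULL,
    changed_at  TEXT NOT NULL DEFAULT (datetime('now'))
)
"""


def tables_to_audit(risk_map: Dict[str, str]) -> List[str]:
    """Risk-based scoping step: the tables whose rating is 'high'."""
    return sorted(t for t, risk in risk_map.items() if risk == "high")


def _check_table(table: str) -> None:
    # Table names are interpolated into SQL text below, so they must come
    # from the fixed allow-list above, never from user input.
    if table not in SETUP_TABLE_RISK:
        raise ValueError(f"unknown setup table: {table}")


def install_audit_trigger(conn: sqlite3.Connection, table: str) -> None:
    """AFTER UPDATE trigger writing one audit row per real change of `value`.

    OLD and NEW are the row images before and after the update. The WHEN
    clause skips updates that rewrite the same value, so the trail records
    changes rather than saves. The acting user is taken from the row.
    """
    _check_table(table)
    conn.execute(f"""
        CREATE TRIGGER aud_{table}_upd
        AFTER UPDATE OF value ON {table}
        WHEN OLD.value IS NOT NEW.value
        BEGIN
            INSERT INTO setup_audit (table_name, row_key, old_value,
                                     new_value, changed_by)
            VALUES ('{table}', NEW.setting, OLD.value, NEW.value,
                    NEW.last_updated_by);
        END
    """)


def build_audited_db() -> sqlite3.Connection:
    """Create the setup tables, the audit table and triggers for high-risk tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute(AUDIT_DDL)
    for table in SETUP_TABLE_RISK:
        conn.execute(f"CREATE TABLE {table} (setting TEXT PRIMARY KEY, "
                     f"value TEXT, last_updated_by TEXT NOT NULL)")
    for table in tables_to_audit(SETUP_TABLE_RISK):
        install_audit_trigger(conn, table)
    return conn


def seed_setting(conn, table, setting, value, user) -> None:
    """Initial load of a setup value (INSERT; not an audited change)."""
    _check_table(table)
    conn.execute(f"INSERT INTO {table} (setting, value, last_updated_by) VALUES (?, ?, ?)",
                 (setting, value, user))


def change_setting(conn, table, setting, new_value, user) -> None:
    """A setup change via the application or direct SQL (UPDATE)."""
    _check_table(table)
    conn.execute(f"UPDATE {table} SET value = ?, last_updated_by = ? WHERE setting = ?",
                 (new_value, user, setting))


def audit_trail(conn: sqlite3.Connection) -> List[Tuple[str, str, str, str, str]]:
    """Audit rows as (table, setting, old, new, user) in the order recorded."""
    return conn.execute("SELECT table_name, row_key, old_value, new_value, changed_by "
                        "FROM setup_audit ORDER BY audit_id").fetchall()


def demo() -> List[Tuple[str, str, str, str, str]]:
    """Constructed scenario: three setups seeded, then three 'changes' made."""
    conn = build_audited_db()
    seed_setting(conn, "payables_options", "INVOICE_MATCH_OPTION", "3-WAY", "SYSADMIN")
    seed_setting(conn, "approval_limits", "AP_MANAGER_LIMIT", "10000", "SYSADMIN")
    seed_setting(conn, "ui_preferences", "THEME", "blue", "SYSADMIN")
    change_setting(conn, "payables_options", "INVOICE_MATCH_OPTION", "2-WAY", "jdoe")  # audited
    change_setting(conn, "approval_limits", "AP_MANAGER_LIMIT", "10000", "jdoe")       # same value: no row
    change_setting(conn, "ui_preferences", "THEME", "green", "jdoe")                   # low risk: no trigger
    return audit_trail(conn)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Running the file yields a single audit row, for the matching-level change on payables_options; the no-op update and the change to the low-risk table leave no trace. Two points for a real deployment follow from the slide's list of gaps: row-level triggers see only DML, so the DDL and development changes the slide names need a DDL-level or log-based mechanism, and the audit table must be writable by the trigger alone and readable by auditors, otherwise the trail is only as trustworthy as the accounts that can edit it.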
Specific results
Manual controls to mitigate form/function deficiencies – examples:
Order entry versus order approval
AR Transaction entry versus approval
Lack of credit checking in AR
Override of matching level at PO level
Monitoring of multiple adjustments entered in AR
Page 20
Specific results
Form/function deficiencies recommendations:
Look at using custom forms, forms personalization, or custom.pll to automate controls
Analyze access control risks / Segregation of Duties issues as part of a risk-based approach
Page 21
Fraud: Revenue Recognition
The Deloitte Forensic Center reports large numbers of offenders with multiple fraud schemes:
• Seventy-four percent of the SEC enforcement releases described at least two fraud schemes
• Twenty-five percent described at least five schemes
• Seven percent described more than 10 alleged fraud schemes
• One percent alleged over 20 schemes
(c) Deloitte Consulting LLP, 2008
Page 22
Instead of This Mayhem…
Diagram (adapted from a Deloitte Consulting graphic; (c) OCEG): discrete regulations and standards (Regulation A, Regulation B, Standard C) each map to their own discrete requirements (A1–A3, B1–B3, C1–C3), which drive separate, duplicated sets of discrete controls and activities (C1/C2, C3/C4, C5/C6) across siloed functions and departments; Business and IT integration shows no linkage or only weak linkage.
Page 23
AS5 also Supports This…
Diagram ((c) OCEG): the same discrete regulations and standards (Regulation A, Regulation B, Standard C) and their requirements (A1–A3, B1–B3, C1–C3) are consolidated into common requirements (e.g. AB1) and common controls and activities (C1/C2, C3/C4, C5/C6) shared across integrated functions and departments; Business and IT integration shows full or stronger linkage.
Page 24
The Integration Imperative
Current State → Future State:
• Managed in silos → Enterprise approach
• Mostly reactionary → Integrated controls and processes
• More projects than programs → Program based approach
• Handled separately from mainstream processes and decision-making → Embedded within mainstream processes and decision-making
• People used as middleware → Effective use of information technology
• Limited and fragmented use of technology → Architected solutions
GRC Program Management
(c) OCEG, 2008
Page 25
The OCEG Capability Model
CONTEXT & CULTURE: C1 – External Context; C2 – Internal Context; C3 – Culture; C4 – Values & Objectives
ORGANIZE & OVERSEE: O1 – Purpose & Commitment; O2 – Roles & Responsibilities; O3 – Approach & Authorization
ASSESS & ALIGN: A1 – Risk Identification; A2 – Risk Analysis; A3 – Risk Evaluation; A4 – Risk Planning
PREVENT & PROMOTE: P1 – Codes of Conduct; P2 – Policies & Procedures; P3 – Awareness & Education; P4 – Human Capital Incentives; P5 – Human Capital Controls; P6 – Process Controls; P7 – Technology Controls; P8 – Physical Controls; P9 – Risk Sharing, Transfer, Financing
DETECT & DISCERN: D1 – Notification & Alerts; D2 – Inquiry & Survey; D3 – Detective Controls; D4 – Aggregation & Analysis
RESPOND & RESOLVE: R1 – Inquiry & Investigation; R2 – Third-Party Investigation; R3 – Crisis Response; R4 – Remediation
MONITOR & MEASURE: M1 – Risk Monitoring; M2 – Performance Monitoring; M3 – Systemic Improvement; M4 – Audit & Assurance
INFORM & INTEGRATE: I1 – Information Management; I2 – Information Flows & Triggers; I3 – Technology & Infrastructure
(c) OCEG, 2008
Page 26
The GRC Technology Model
Industry Specific Requirements (PR) and GRC Process Requirements (GR) – Internal and External Content Specialists (e.g., law firms, consultants, departmental staff, management)
Industry Process Applications (P) – Role and Context Applications (e.g., compliance processes, risk, quality, audit, legal, contracts)
GRC Core Applications (G)
Business Applications (B) – Organizational Functionality (e.g., ECM, BPM, BI, LMS, ERP)
Infrastructure (I) – IT infrastructure (e.g., identity management, databases, information security)
(c) OCEG, 2008
Page 27
Performance-Based Control
Outcomes and activities are measured on three dimensions ((c) OCEG, 2008):
EFFECTIVE
• Design Effectiveness – Is the system logically designed to meet all legal and other defined requirements?
• Operating Effectiveness – Does the system operate as designed for all users?
EFFICIENT
• Financial Efficiency – How much capital investment is required to maintain it?
• Human Capital Efficiency – What level of individual(s) is required to use it?
RESPONSIVE
• Cycle Time – How much time does it take to implement and upgrade?
• Flexibility / Adaptability – Can the system adapt to the changing environment, including new audit requirements and/or new business units?
Page 28
IT Controls
IT Controls Framework
IT organizations should consider the nature and extent of their operations in determining which, if not all, of the following control objectives need to be included in their internal control program:
PLAN AND ORGANIZE
ACQUIRE AND IMPLEMENT
DELIVER AND SUPPORT
MONITOR AND EVALUATE
Page 29
Application Controls Overview
What are Application Controls?
Application controls apply to the business processes they support. These controls are designed within the application to prevent or detect unauthorized transactions. When combined with manual controls, as necessary, application controls ensure completeness, accuracy, authorization and validity of processing transactions.
Control objectives can be supported with automated application controls. They are most effective in integrated ERP environments, such as SAP, PeopleSoft, Oracle, JD Edwards and others.
Examples:
Orders are processed only within approved customer credit limits.
Orders are approved by management as to prices and terms of sale.
Purchase orders are placed only for approved requisitions.
Purchase orders are accurately entered.
All purchase orders issued are input and processed.
All recorded production costs are consistent with actual direct and indirect expenses associated with production.
All direct and indirect expenses associated with production are recorded as production costs.
Page 30
Application Controls Overview
Risk Assessment
The IT organization has an entity- and activity-level risk assessment framework, which is used periodically to assess information risk to achieving business objectives.
Management's risk assessment framework focuses on the examination of the essential elements of risk and the cause and effect relationship among them.
A risk assessment framework exists and considers the risk assessment probability and likelihood of threats.
The IT organization's risk assessment framework measures the impact of risks according to qualitative and quantitative criteria.
The IT organization's risk assessment framework is designed to support cost-effective controls to mitigate exposure to risks on a continuing basis, including risk avoidance, mitigation or acceptance.
A comprehensive security assessment is performed for critical systems and locations based on their relative priority.
Page 31
Application Controls Overview
Control Monitoring
Changes to IT systems and applications are performed and designed to meet the expectations of users.
IT management monitors its delivery of services to identify shortfalls and responds with actionable plans to improve.
IT management monitors the effectiveness of internal controls in the normal course of operations through management and supervisory activities, comparisons and benchmarks.
Serious deviations in the operation of internal control, including major security, availability and processing integrity events, are reported to senior management.
Internal control assessments are performed periodically, using self-assessment or independent audit, to examine whether internal controls are operating satisfactorily.
Page 32
Application Controls Management Best Practices
Automation Approach (process diagram; steps in the order laid out on the slide):
Determine Scope by Application → Establish Rules Repository → Establish Test Environment → Setup Preventive Controls → Manage Exceptions → Detect Violations → Analyze Issues → Remediate Issues → Implement Changes → Monitor Application Environment
Inputs and participants: Extract ERP Data; Corporate Access Controls; Business Process Teams; IT Management; Application Control Teams
Page 33
Auditing Challenges
Achieving regulatory compliance requires more than IT policies and process documentation
Effective application audit planning requires mapping controls over application test environments, audit units and significant business processes based on risk likelihood and impact to thousands of functions and activities accessible through many roles, menus and functions.
Detecting users that have unauthorized access to one or more critical business functions such as purchase to pay requires business analytics based on application control rules.
Compensating controls are needed for certain users and transactions where business constraints require exceptions.
Remediation effort requires strong collaboration among Audit, IT and Business stakeholders to reconfigure security, reassign users, prevent configuration changes, and monitor transaction thresholds.
ERP Access Provisioning and Configurations must be approved in "real time" to keep up with business needs.
Page 34
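The detection and compensating-control challenges above map directly onto a Segregation of Duties rule evaluation, shown here as an added example that is not Fulcrum's product or Oracle code. It walks the access chain the slide describes (user → responsibility → function) over constructed sample data: RESPONSIBILITY_FUNCTIONS, USER_RESPONSIBILITIES, the SoD rules and the waiver entries are all invented for illustration, and the function names only loosely resemble Oracle E-Business Suite terminology. A rule names two functions one person should not hold together; a user who holds both is a violation unless an approved compensating control waives that specific user/rule pair, in which case the finding is kept but marked as waived.

```python
"""Rule-based Segregation of Duties (SoD) detection with compensating-control waivers.

Added illustration, not Fulcrum's or Oracle's code. Responsibilities,
functions, users, rules and waivers below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed: the functions each responsibility exposes (the slide's
# menus and functions collapse to one set per responsibility here).
RESPONSIBILITY_FUNCTIONS: Dict[str, Set[str]] = {
    "AP_CLERK":       {"ENTER_SUPPLIER_INVOICE", "VIEW_SUPPLIER"},
    "AP_MANAGER":     {"APPROVE_SUPPLIER_INVOICE", "VIEW_SUPPLIER"},
    "SUPPLIER_ADMIN": {"MAINTAIN_SUPPLIER", "VIEW_SUPPLIER"},
    "PAYMENTS":       {"RUN_PAYMENT_BATCH"},
    "AP_SUPERUSER":   {"ENTER_SUPPLIER_INVOICE", "APPROVE_SUPPLIER_INVOICE", "RUN_PAYMENT_BATCH"},
    "AR_CLERK":       {"ENTER_AR_TRANSACTION"},
    "AR_SUPERVISOR":  {"APPROVE_AR_TRANSACTION"},
}

# Constructed: user -> assigned responsibilities.
USER_RESPONSIBILITIES: Dict[str, Set[str]] = {
    "alice": {"AP_CLERK", "AP_MANAGER"},      # enters and approves invoices
    "bob":   {"SUPPLIER_ADMIN", "PAYMENTS"},  # creates suppliers and pays them
    "carol": {"AR_CLERK", "AR_SUPERVISOR"},   # enters and approves AR; waived below
    "dave":  {"AP_CLERK"},                    # no conflict
    "erin":  {"AP_SUPERUSER"},                # conflict inside a single responsibility
}


@dataclass(frozen=True)
class SodRule:
    rule_id: str
    function_a: str
    function_b: str
    risk: str  # constructed rating used to prioritise remediation


RULES: List[SodRule] = [
    SodRule("SOD-AP-01", "ENTER_SUPPLIER_INVOICE", "APPROVE_SUPPLIER_INVOICE", "high"),
    SodRule("SOD-AP-02", "MAINTAIN_SUPPLIER", "RUN_PAYMENT_BATCH", "high"),
    SodRule("SOD-AR-01", "ENTER_AR_TRANSACTION", "APPROVE_AR_TRANSACTION", "medium"),
]

# Constructed: approved exceptions keyed by (user, rule) with the
# compensating control that justifies each one.
WAIVERS: Dict[Tuple[str, str], str] = {
    ("carol", "SOD-AR-01"): "Monthly supervisory review of AR items entered and approved by the same user",
}


@dataclass
class Finding:
    user: str
    rule_id: str
    risk: str
    via_a: Set[str]   # responsibilities granting function_a
    via_b: Set[str]   # responsibilities granting function_b
    status: str       # "violation" or "waived"
    compensating_control: Optional[str] = None


def effective_functions(user: str, user_resps: Dict[str, Set[str]],
                        resp_funcs: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Map every function the user can reach to the responsibilities that grant it."""
    reach: Dict[str, Set[str]] = {}
    for resp in user_resps.get(user, set()):
        for fn in resp_funcs.get(resp, set()):
            reach.setdefault(fn, set()).add(resp)
    return reach


def evaluate(user_resps=USER_RESPONSIBILITIES, resp_funcs=RESPONSIBILITY_FUNCTIONS,
             rules=RULES, waivers=WAIVERS) -> List[Finding]:
    """Apply every SoD rule to every user; waived conflicts are reported, not hidden."""
    findings: List[Finding] = []
    for user in sorted(user_resps):
        reach = effective_functions(user, user_resps, resp_funcs)
        for rule in rules:
            if rule.function_a in reach and rule.function_b in reach:
                waiver = waivers.get((user, rule.rule_id))
                findings.append(Finding(user, rule.rule_id, rule.risk,
                                        reach[rule.function_a], reach[rule.function_b],
                                        "waived" if waiver else "violation", waiver))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Counts by status: the headline numbers a remediation team tracks."""
    counts = {"violation": 0, "waived": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


if __name__ == "__main__":
    results = evaluate()
    for f in results:
        note = f"  [{f.compensating_control}]" if f.compensating_control else ""
        print(f"{f.user:6} {f.rule_id} {f.risk:6} {f.status:9} "
              f"via {sorted(f.via_a)} / {sorted(f.via_b)}{note}")
    print(summarize(results))
```

The via_a/via_b sets carry the information the remediation step needs: when the two conflicting functions come from different responsibilities (alice, bob) the fix is to reassign the user, but when both come from the same responsibility (erin) the responsibility itself has to be redesigned, which no amount of user reassignment will cure. Waived findings stay in the output with their compensating control attached, so auditors see the exception and its justification rather than a silently suppressed result.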
A. Case Study – Improve User Provisioning
Company Overview
Wholly owned subsidiary of a Fortune 500 company focused on communication and information technologies for security, safety and lifestyle enhancements.
Operations in more than 30 countries
Oracle E-Business Suite
GRC Challenges/Opportunities
Comply with SOX
Needed to automate a manual and labor-intensive process to define and approve user access.
Segregation of Duties concerns
Oracle E-Business Environment
– 40 Modules
– 2500 Users, 100+ user responsibilities
GRC Solutions
Automate User Access Provisioning
Compliant with SOD Policies
Results
Implemented access provisioning solution to identify user violations and allow auditable override capability for authorized access.
Security provisioning time reduction
Management commitment to GRC
SOD Rules Content jump started the process
Detected over 5,000 violations
Reduced access provisioning time from 14 days to 4 hours
Trained Process Owners through online self-service portal
Page 35
B. Case Study – Remediate Access Control Deficiency
Company Overview
Leading manufacturer of electrical and mechanical motion control products
Growing rapidly through acquisitions
Manufacturing and service facilities are located worldwide
Multiple Enterprise Applications
GRC Challenges/Opportunities
Remediate Significant Deficiency identified by external auditor
Needed a central system to detect over 5000 user access violations and implement new roles across multiple systems within 90 days
Limited IT Audit Resources – one Full Time Equivalent (FTE)
GRC Solutions
Risk Analytics Service
Access Policies
Detection and Remediation Service
Results
Completed first test in 24 hours
No time or resources wasted on additional IT infrastructure with the On Demand Web Service
Setup compensating controls for waived users
Preventive Controls functions reduced the risk of security violations in real time.
Fully compatible with all Enterprise Systems
Access Controls Content helped management define risk likelihood and impact
Faster remediation through analytical reports and filters
What-if analysis improved Self-Service User Provisioning Process
Page 36
C. Case Study – Reduce Expense through Configurable Controls
Company Overview
World's pre-eminent gold producer, with a portfolio of 27 operating mines
Many advanced exploration and development projects located across five continents
The largest gold reserves in the industry
GRC Challenges/Opportunities
Need to reduce SOX compliance audit expense
Implement continuous controls monitoring
Baseline ERP Configurable Controls for AS5
GRC Solutions
Identify controls for full or partial automation.
Benchmark ERP Configurations
Setup audit logs on all configuration changes.
Results
Analyzed over 1,000 controls
Application Audit Portal provides audit trail on all configuration changes in ERP Systems
Track changes to key application setup data and code.
Approval workflows and notifications facilitate change management without negatively impacting core business operations.
Increase visibility into the actual operations of the controls environment
Reduced testing time by 30%
Page 37
Closing Comments
Download Full Survey Results at:
http://www.fulcrumway.com/documents/ERP_RisksControlsSurvey.pdf
Speaker Email Contacts:
Jane Jones
Jeffrey Hare
Lane Leskela
Adil Khan
Page 38