Overview and Current Trends with Governance, Risk and Compliance (slide transcript)
Posted 21-Dec-2015, category: Documents
1
Overview and Current Trends with Governance, Risk and Compliance
Chris Martin, Oracle GRC Specialist, January 19, 2010
2
Agenda
• GRC Today
• Key Business Challenges
• GRC is Good Business
• Strategies to Consider: Solutions Today
• Wrap Up
3
© OCEG
The Big Picture
Objectives: strategic, operational, customer, compliance and reporting objectives cascaded throughout the organization
Business Model: strategy, people, process, technology and infrastructure in place to drive toward objectives
Obstacles: obstacles impede progress toward achieving objectives
Mandated Boundary: boundary established by external forces including laws, government regulation and other mandates
Voluntary Boundary: boundary defined by management including public commitments, organizational values, contractual obligations, and other voluntary policies
4
Governance, Risk, and Compliance (GRC) At-a-Glance
Governance
• Set and evaluate performance against objectives
• Authorize business strategy & model to achieve objectives
Risk Management
• Identify, assess, and address potential obstacles to achieving objectives
• Identify / address violation of mandated and voluntary boundaries
Culture
• Establish an organizational climate and individual mindset that promotes trust, integrity, and accountability
Compliance
• Encourage / require compliance with established policies and boundaries
• Detect non-compliance and respond accordingly
Source: Open Compliance and Ethics Group
5
Governance, Risk, & Compliance Mgmt is more than just SOX
SOX = Sections 404, 302
• Enterprise Risk Management
• Operational Risk Management
• IT Governance
• Identity Mgmt
• Database Security
• Industry Regulations
• Environmental Regulations
• Records & Retention Mgmt
• Document and File Protections
• eMail Security
• OSHA Compliance Risks
6
The Boundaries Constantly Changing
AMERICAS
• HIPAA
• FDA CFR 21 Part 11
• OMB Circular A-123
• SEC and DoD Records Retention
• USA PATRIOT Act
• Gramm-Leach-Bliley Act
• Federal Sentencing Guidelines
• Foreign Corrupt Practices Act
• Market Instruments 52 (Canada)
EMEA
• EU Privacy Directives
• UK Companies Law
• Restriction of Hazardous Substances (RoHS/WEEE)
APAC
• J-SOX, C-SOX, K-SOX, C49, etc.
• CLERP 9: Audit Reform and Corporate Disclosure Act (Australia)
• Stock Exchange of Thailand Code on Corporate Governance
GLOBAL
• International Accounting Standards
• Basel II (Global Banking)
• OECD Guidelines on Corporate Governance
7
While Cost of Compliance Continues to Rise
“Governance, risk management, and compliance (GRC) spending will exceed $32B for 2008, up 7.4% from 2007, as companies shift toward identifying, assessing, and managing risk across numerous business and IT areas.”
The Governance, Risk Management, and Compliance Spending Report, 2008–2009, AMR Research
(Chart: $29 billion in 2007, $32 billion in 2008)
8
Practical Lessons from Sarbanes-Oxley: Most organizations progress through a maturity curve
(Chart of number of controls and cost over time:)
• Year 1 & 2, DEFINE: manual, redundant efforts
• Year 3, RATIONALIZE: remediation & standardization
• Year 4+, AUTOMATE, MONITOR & VERIFY: embedded GRC & operational excellence
New AS5 Guidance:
• Top-down risk-based approach
• Tailor audit to specific company profile
• External auditors can use work of others as evidence
9
Agenda
• GRC Today
• Key Business Challenges
• GRC is Good Business
• Strategies to Consider: Solutions Today
• Wrap Up
10
Pain Points Our Clients are Facing
• No real-time visibility and communication to/from data, results, and status
• Duplication of efforts – silos of compliance/audit activity with limited collaboration across functional groups companywide
• Non-standard information architecture for audit/compliance activities
• Lack a sustainable platform for growth and change in business environment
Multiple Requirements, Fragmented Response
(Figure: a grid of controls C1a … C11c, with each requirement keeping its own copy of the same controls)
11
Pain Points Our Clients are Facing
• Cost of audit and compliance activities
• Not leveraging synergies of the broad spectrum of audit and compliance activities
• Cumbersome and manual processes – many man hours chasing and compiling paper
• Inconsistent audit plans, work paper methodologies, reporting, etc.
• No clearly defined roles and responsibilities holding individuals accountable for audit and compliance activities
Insufficient Resources, Manual Efforts
12
Pain Points Our Clients are Facing
• No automated (preventive or mitigating) controls embedded into business processes
• Limited Enterprise Value Management – compliance activities not built into the DNA of business process
• Paradigm shift for external auditors and other outside auditors to leverage technology
GRC as an Afterthought, Holding Up the Business
(Figure: GRC activities sitting beside the business processes instead of inside them)
13
Agenda
• GRC Today
• Key Business Challenges
• GRC is Good Business
• Strategies to Consider: Solutions Today
• Wrap Up
14
GRC Drives Value
Reduced control deployment time by 80%
Reduced time for normal audit from 2 months to 2 days
Reduced controls testing by 67%, with 55% time savings among internal teams and a 42% reduction in external auditor time
Improved control pass rate by 27% in first year (0% before)
Reduced consulting fees by $1,000,000
Reduced transaction time from 3-4 days to minutes
Resolved 85% of SOD issues across ERP
Reduced compliance turnaround time by 28%
Reduced compliance costs by 30%
15
Intuit Achieves Payback in Less Than Five Months
COMPANY OVERVIEW
• Industry-leading software & financial services company with popular products like TurboTax and QuickBooks
• Employees: 7,500
• Annual Revenue: $2.4 Billion
CUSTOMER PERSPECTIVE
“We’ve been able to realize significant returns on our investment in the Oracle GRC Controls Suite to date. The 8.0 release of Oracle Application Access Controls Governor should help us continue our efforts to deliver well-controlled and efficient business processes, not only across the E-Business Suite, but also in our PeopleSoft and Siebel applications.”
- Rob Singleton, Manager, Controls Advisory Office
CHALLENGES / OPPORTUNITIES
• Inappropriate responsibilities granted to employees without review and approval
• Oracle application configurations being modified without notification to SOX Compliance Team
• Inefficient manual controls associated with SOX Compliance
RESULTS
• Saved 55% time for internal departments
• Reduced controls testing by 65%
• Cut external auditor engagement by 42%
• Payback in less than 5 months
SOLUTIONS
• Oracle GRC Controls Suite
16
ROI Impact
External Audit Impact (access & configuration controls testing, external audit level of effort)
External Audit Testing Requirements by year:
• Access Controls: 2005 100% of controls; 2006 100% of controls; 2007 33% of controls; 2008 ?% of controls
• Configuration Controls: 2005 100% of controls; 2006 100% of controls; 2007 65% of controls; 2008 ?% of controls
• Testing Time: 2005 14 weeks; 2006 14 weeks; 2007 8 weeks; 2008 ?
• # of Auditors: 2005 6 auditors; 2006 6 auditors; 2007 4 auditors; 2008 ?
Internal Controls Advisory Office Impact (access controls review time by CAO):
• FY05 350 hrs / month; FY06 350 hrs / month; FY07 90 hrs / month; FY08 50 hrs / month
Since 2006, the Controls Advisory Office only tests new or modified configuration controls.
17
Qualcomm
COMPANY OVERVIEW
• World's premier wireless communications company
• Top 100 operational & strategic excellence (CIO magazine)
• Revenue > $7.5 Billion
• 19 Operating Units
CHALLENGES / OPPORTUNITIES
• Accelerate financial close process
• SOX compliance and SOD; streamline complex interactions across business units
• Eliminate bottlenecks
• Validate reporting accuracy, fast
SOLUTIONS
• Oracle GRC Controls Suite
RESULTS
• Eliminated SOD conflicts to meet SOX compliance and improve financial close process
• Time to close each month: 2 days
• Time to file 10-Q: 25 days
• Time to file 10-K: 37 days
CUSTOMER PERSPECTIVE
“By using the embedded controls and workflows, we have been able to streamline complex interactions across multiple operating units, eliminate bottlenecks and validate accuracy much faster.”
- Jeffrey Flecker, Senior VP & Corporate Controller, Qualcomm
18
Customer Proof Points
“Oracle’s GRC technology…
• … reduced our issue & remediation tracking time by 30%”
• … reduced our reporting efforts by 20%”
• … reduced our control and document aggregation efforts by 25%”
• … reduced our year-over-year audit fees by 18%”
• … resulted in a payback period of just over 1 year”
19
Agenda
• GRC Today
• Key Business Challenges
• GRC is Good Business
• Strategies to Consider: Oracle Solutions
• Wrap Up
20
Summary of Key Business Challenges
1. Multiple Requirements, Fragmented Response
2. Insufficient Resources, Manual Efforts
3. GRC as an Afterthought, Holding Up the Business
Sources: Adapted from Deloitte Consulting, Open Compliance and Ethics Group, and IDC
(Figures: the controls grid C1a … C11c and the business-processes diagram from the preceding pain-point slides)
21
Strategies to Manage Risk and Compliance: Actions You Can Take Immediately
Oracle GRC Applications: Oracle GRC Controls, Oracle GRC Manager, Oracle GRC Intelligence
• Consolidate: multiple GRC activities, and provide real-time visibility
• Automate: critical GRC tasks
• Embed: automated controls into business processes
25
GRC Application Suite – A la Carte
Embedded Controls
• Detective, Preventive, Contextual
• Automated controls testing
• Pre-built controls library
Centralized GRC Oversight
• Common Repository for GRC
• Audit and Assessment of Controls
• Integrated remediation management
360º Visibility
• Single source of GRC Information
• Pre-built dashboards
• Respond to KRI and issues
(Diagram: GRC Controls: Configuration Controls Governor, Transaction Controls Governor, Application Access Controls Governor, Preventive Controls Governor. GRC Manager: Risks, Assessments, Issues, Processes, Policies, Procedures, Remediation. GRC Intelligence: Reports, Dashboards, Alerts, Key Risk & Control Indicators. All layered over Applications and Infrastructure serving Customers, Suppliers, Sales, Legal, R&D, Mfg, HR, Finance.)
26
Governance, Risk & Compliance Controls: Enforce Compliance with Access, Configuration & Transactional Controls
(Diagram: Process Control built from Transaction Controls, Configuration & Change Management Controls, Access Controls and Preventive Controls)
27
Preventive versus Detective Controls
• Detective controls are based on monitoring or scanning databases for predefined conditions.
  • Value is in “finding violations faster”… after the fact.
  • Still have to remediate every violation.
• Preventive controls come in two flavors:
  • Basic prevention affects provisioning of user rights.
  • Contextual prevention affects user behavior in real time.
• Preventive controls eliminate remediation.
  • Value increases as you refine policies and processes.
• Need both detective and preventive controls to:
  • Balance risk with business continuity
  • Verify that controls are consistently effective
28
Access Controls Provide Fine Grained Access Control and Segregation of Duties
Know who has access to do what and ensure that someone isn’t given inappropriate privileges.
(Diagram: Define Access Controls → Access Analysis → Remediation (Clean-up) → Preventive Provisioning → Compensating Policies, spanning Detection and Prevention)
• Define SOD conflict & business rules and policies
• Execute access analysis engine that understands the application’s detailed access architecture
• Remediation and analysis via pre-packaged reports & what-if simulation
• Real-time enforcement of SOD controls during user provisioning
• Handle exceptions with compensating process & transaction analysis policies
29
ERP SOD Control Library: Best Practice Policy Library
• Oracle 11.5.10: 216 policies*
• Oracle R12: 232 policies*
• PeopleSoft: 266 policies*
*Note: Best practice policy libraries deliver content from years of hands-on customer implementations. Each policy is comprised of several sub-policies and controls based on its complexity; the sum total of these sub-policies and controls is over 3,000 per ERP.
30
Entitlements = Groups of Access Points
Use Entitlements to group access points that correspond to a common privilege (e.g. several different pages allow you to enter a journal entry…).
31
Manage False-positives with Exception Conditions
Use Global and Policy-level conditions to exclude false-positives from analysis and reporting.
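The preceding slides describe the access-control cycle in words: access points grouped into entitlements, SOD policies defined over entitlements, a detective analysis engine, global and policy-level exception conditions to suppress false positives, and a preventive check at provisioning time. The following is an added example written for this transcript, not Oracle GRC code; every access point name, policy, role and sample user in it is constructed, and the exception-condition model (a global excluded-access-point set and per-policy exempt roles) is an assumption chosen to illustrate the two condition levels the slide mentions.

```python
"""Segregation-of-duties (SOD) analysis over entitlements, with global and
policy-level exception conditions and a preventive provisioning check.

Added illustration, not Oracle GRC code: the data model follows the slides'
vocabulary (access points, entitlements, SOD policies, exception conditions),
but every identifier, policy and sample user below is constructed.
"""
from dataclasses import dataclass, field

# Entitlements group several access points that grant the same privilege,
# e.g. every form or program through which a journal can be entered.
ENTITLEMENTS = {
    "ENTER_JOURNAL": {"GL_JOURNAL_ENTRY_FORM", "GL_JOURNAL_IMPORT", "GL_WEB_ADI_JOURNAL"},
    "POST_JOURNAL": {"GL_POST_JOURNALS_FORM", "GL_AUTOPOST_PROGRAM"},
    "CREATE_SUPPLIER": {"AP_SUPPLIER_FORM"},
    "PAY_SUPPLIER": {"AP_PAYMENT_FORM", "AP_PAYMENT_BATCH"},
}

# Global condition: access points that never count toward a conflict
# (constructed example: a read-only inquiry form).
GLOBAL_EXCLUDED_ACCESS_POINTS = {"GL_JOURNAL_INQUIRY"}


@dataclass(frozen=True)
class Policy:
    name: str
    first: str                              # entitlement A
    second: str                             # entitlement B, conflicting with A
    exempt_roles: frozenset = frozenset()   # policy-level condition


POLICIES = [
    Policy("Journal entry vs. posting", "ENTER_JOURNAL", "POST_JOURNAL"),
    Policy("Supplier creation vs. payment", "CREATE_SUPPLIER", "PAY_SUPPLIER",
           exempt_roles=frozenset({"AP_AUTOMATION"})),
]


@dataclass
class User:
    name: str
    access_points: set
    roles: set = field(default_factory=set)


def entitlements_for(access_points):
    """Map raw access points to the entitlements they imply, after applying
    the global exclusion."""
    effective = set(access_points) - GLOBAL_EXCLUDED_ACCESS_POINTS
    return {name for name, points in ENTITLEMENTS.items() if effective & points}


def analyze_user(user):
    """Detective pass: one (policy name, conflict path) per violated policy.
    The conflict path lists the concrete access points on each side, which is
    what a reviewer needs in order to remediate."""
    held = entitlements_for(user.access_points)
    findings = []
    for policy in POLICIES:
        if user.roles & policy.exempt_roles:      # policy-level exception
            continue
        if policy.first in held and policy.second in held:
            path = (sorted(ENTITLEMENTS[policy.first] & user.access_points),
                    sorted(ENTITLEMENTS[policy.second] & user.access_points))
            findings.append((policy.name, path))
    return findings


def analyze_all(users):
    """Scan every user; return only those with findings."""
    report = {u.name: analyze_user(u) for u in users}
    return {name: f for name, f in report.items() if f}


def provisioning_allowed(user, new_access_point):
    """Preventive check at provisioning time: grant only if adding the access
    point introduces no new SOD conflict."""
    candidate = User(user.name, user.access_points | {new_access_point}, user.roles)
    return len(analyze_user(candidate)) == len(analyze_user(user))


# Constructed sample users.
SAMPLE_USERS = {
    "alice": User("alice", {"GL_JOURNAL_ENTRY_FORM", "GL_POST_JOURNALS_FORM"}),
    "bob": User("bob", {"GL_JOURNAL_INQUIRY", "GL_POST_JOURNALS_FORM"}),
    "carol": User("carol", {"AP_SUPPLIER_FORM", "AP_PAYMENT_FORM"}, {"AP_AUTOMATION"}),
    "dave": User("dave", {"GL_JOURNAL_IMPORT"}),
}

if __name__ == "__main__":
    for name, findings in analyze_all(SAMPLE_USERS.values()).items():
        print(name, findings)
    print("dave + GL_AUTOPOST_PROGRAM allowed:",
          provisioning_allowed(SAMPLE_USERS["dave"], "GL_AUTOPOST_PROGRAM"))
```

Running it reports alice (she can both enter and post journals), clears bob (his only journal-entry access point is the globally excluded inquiry form) and carol (her role is exempt from the supplier policy), and refuses to provision the autopost program to dave while allowing the inquiry form. The detective scan and the preventive check share one policy evaluation, which is the property the slide on preventive versus detective controls is after: a violation the scan would find is the same condition the provisioning check refuses up front.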
32
(Screenshot: Lawson policy Lawson-1275 in the Policy Library, with its Conflict Paths)
33
Application Configuration Controls: Detect and prevent configuration control failure
Ensure that critical setups conform to best practices and follow robust change management procedures.
(Diagram: Define Configuration Controls → Document or Compare Configurations → Monitor Configuration Changes → Enforce Change Control → Manage Data Integrity, spanning Detection and Prevention)
• Define best practice policies & operating rules
• Record changes to sensitive setup data; compare before and after values for changes
• Monitor for setup inconsistencies across multiple instances
• Require conditional approval cycles (e.g., exceed threshold)
• Validate that setups and data updates conform to valid values
34
Example of Setups and Key Controls
Setups = Key Controls
• Key Controls
  • Vendor tolerances
  • 3-way matching of PO, Invoice and Receipt
  • Document spending limits (authorization of PO)
  • Security rules – access to sensitive transactions
    o Employee salaries
    o Chart of account values
    o Financial statement reports (FSGs)
    o Price lists
    o Inventory attributes
  • Action for late delivery of goods
  • Inventory stocking rules
  • Rules to create tax on sales orders
  • Depreciation methods
• Setup Data
  • Application Security
  • Document Approvals
  • Chart of Accounts
  • Profile Options
  • Users
  • Application Setups
  • MRP rules
• Operational Data
  • Customers
  • Suppliers
  • Employees
  • Buyers
  • Items
  • Chart of Account Values
  • Category Codes
35
Document Configurations
36
Compare Configurations (differences)
37
Monitor Configuration Changes: who? what? when? where?
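The configuration-control cycle of the preceding slides (document a baseline, compare snapshots, monitor changes by who/what/when/where, require approval above a threshold, validate setups against valid values, and check consistency across instances) is shown below as an added example written for this transcript; it is not Oracle GRC code. The setup keys, the policy rules, the approval list and both snapshots are constructed, using the key controls the slide names (vendor tolerances, 3-way matching, PO authorization limits) as the examples.

```python
"""Configuration (setup) controls: document a baseline, compare snapshots,
record who/what/when/where for each change, validate values against policy,
flag changes that need an approval cycle, and find drift between instances.

Added illustration, not Oracle GRC code. Setup keys, policy rules and the
snapshots are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ChangeRecord:
    key: str
    old: object
    new: object
    who: str        # user who made the change
    when: str       # ISO timestamp
    where: str      # instance / environment


# Constructed baseline: a documented snapshot of sensitive setup data.
BASELINE = {
    "AP.vendor_tolerance_pct": 5,
    "PO.three_way_match": True,
    "PO.authorization_limit_usd": 10_000,
    "GL.allow_suspense_posting": False,
}

# Policy: the valid values or ranges each setup must conform to.
CONFIG_POLICY = {
    "AP.vendor_tolerance_pct": lambda v: isinstance(v, (int, float)) and 0 <= v <= 5,
    "PO.three_way_match": lambda v: v is True,
    "PO.authorization_limit_usd": lambda v: isinstance(v, (int, float)) and 0 < v <= 25_000,
    "GL.allow_suspense_posting": lambda v: v is False,
}

# Changes to these setups always require a conditional approval cycle.
APPROVAL_REQUIRED = {"PO.three_way_match", "PO.authorization_limit_usd"}


def compare_configurations(before, after):
    """Return {key: (old, new)} for every setup that differs; a key present
    on only one side shows None on the missing side."""
    diffs = {}
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key), after.get(key)
        if old != new:
            diffs[key] = (old, new)
    return diffs


def validate_configuration(config):
    """Data-integrity check: keys whose value violates policy, plus keys the
    policy requires but the snapshot lacks."""
    return [key for key, rule in CONFIG_POLICY.items()
            if key not in config or not rule(config[key])]


def record_changes(before, after, who, when, where):
    """Monitor step: one audit record per differing setup."""
    return [ChangeRecord(k, old, new, who, when, where)
            for k, (old, new) in compare_configurations(before, after).items()]


def needs_approval(changes):
    """Enforce change control: a change to a protected setup, or one that
    leaves a setup outside its valid values, must go through approval."""
    flagged = []
    for c in changes:
        protected = c.key in APPROVAL_REQUIRED
        invalid = c.key in CONFIG_POLICY and not CONFIG_POLICY[c.key](c.new)
        if protected or invalid:
            flagged.append(c.key)
    return flagged


def inconsistent_across_instances(instances):
    """Keys whose value is not identical in every instance snapshot."""
    keys = set().union(*instances.values())
    return sorted(k for k in keys
                  if len({repr(cfg.get(k)) for cfg in instances.values()}) > 1)


# Constructed "after" snapshot of the same instance, and a second instance.
CHANGED = {**BASELINE, "AP.vendor_tolerance_pct": 10, "PO.three_way_match": False}
INSTANCES = {"PROD": BASELINE, "TEST": {**BASELINE, "GL.allow_suspense_posting": True}}

if __name__ == "__main__":
    changes = record_changes(BASELINE, CHANGED, who="jsmith",
                             when="2010-01-19T09:30:00", where="PROD")
    for c in changes:
        print(c)
    print("policy failures:", validate_configuration(CHANGED))
    print("approval needed for:", needs_approval(changes))
    print("inconsistent across instances:", inconsistent_across_instances(INSTANCES))
```

The before/after comparison is the detective half (it shows that the vendor tolerance was loosened and 3-way matching switched off, and by whom and when); `needs_approval` is the preventive half, since the same records can be evaluated before the change is committed and routed to an approver. The cross-instance check is what the slide's "monitor for setup inconsistencies across multiple instances" bullet amounts to in code.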
38
Transaction Controls: Detect and prevent erroneous and fraudulent transactions
Monitor transactions to detect business policy violations or unacceptable levels of risk or inefficiency.
(Diagram: Define Transaction Controls → Perform Transaction Analysis → Review and Address Suspects → Preventive Transaction Control, spanning Detection and Prevention)
• Identify transactions violating policy (e.g. un-approved vendor)
• Detect patterns representing aggregate risk (e.g. micro-payments)
• Initiate review / approval cycle based on automated policies
• Approvals based on transaction data thresholds
39
Comprehensive Transaction Monitors: Detect patterns of heightened risk in business activity
• Test against Material Thresholds
  • Journal Entry > $ threshold
  • Employee Checks (individual & sum) > $ threshold
• Search for Anomalies
  • PO terms differ from vendor
  • Sales orders > acceptable $ range
• Sampling of Transactions
  • 4th quarter invoices
  • Days sales outstanding balances
• Detect Fraudulent Behavior
  • PO changes after approval
  • Duplicate suppliers with same address
• Embed Contextual / Automated Compensating Controls
  • Alert on customer transactions over $ threshold
  • Prevent journals from being entered and posted by same individual
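Four of the monitors listed above (a material threshold on journal entries, the aggregate micro-payment pattern from the previous slide, duplicate suppliers at one address, and the contextual control that stops one person entering and posting the same journal) are worked through below as an added example for this transcript; it is not Oracle GRC code. The thresholds, record layouts, supplier list and all sample transactions are constructed.

```python
"""Transaction monitors over constructed AP/GL records: material thresholds,
aggregate micro-payment patterns, duplicate suppliers at one address, and a
contextual preventive control on journal entry versus posting.

Added illustration, not Oracle GRC code; thresholds, record layouts and the
sample data are constructed.
"""
from collections import defaultdict

JOURNAL_THRESHOLD_USD = 100_000     # journal entries above this are material
MICRO_PAYMENT_MAX_USD = 1_000       # individually "small" payments...
AGGREGATE_THRESHOLD_USD = 5_000     # ...whose total crosses this are suspect

# Constructed sample data.
JOURNALS = [
    {"id": "J1", "amount": 250_000, "entered_by": "alice", "posted_by": None},
    {"id": "J2", "amount": 4_500, "entered_by": "bob", "posted_by": "carol"},
    {"id": "J3", "amount": 100_000, "entered_by": "dave", "posted_by": None},
]
PAYMENTS = [
    {"id": "P1", "supplier": "S-100", "amount": 900},
    {"id": "P2", "supplier": "S-100", "amount": 950},
    {"id": "P3", "supplier": "S-100", "amount": 880},
    {"id": "P4", "supplier": "S-100", "amount": 990},
    {"id": "P5", "supplier": "S-100", "amount": 920},
    {"id": "P6", "supplier": "S-100", "amount": 760},
    {"id": "P7", "supplier": "S-300", "amount": 4_000},   # one large payment, not a pattern
    {"id": "P8", "supplier": "S-400", "amount": 200},
    {"id": "P9", "supplier": "S-400", "amount": 300},     # small, but total stays under threshold
]
SUPPLIERS = [
    {"id": "S-100", "name": "Acme Supply", "address": "12 Main St, Springfield"},
    {"id": "S-207", "name": "ACME Supply Co.", "address": "12 main st., springfield"},
    {"id": "S-300", "name": "Northwind", "address": "7 Harbour Rd"},
    {"id": "S-400", "name": "Contoso", "address": "99 Elm Ave"},
]


def journals_over_threshold(journals, threshold=JOURNAL_THRESHOLD_USD):
    """Material-threshold test: ids of journal entries strictly above threshold."""
    return [j["id"] for j in journals if j["amount"] > threshold]


def micro_payment_patterns(payments):
    """Aggregate-risk test: suppliers paid only in small amounts whose total
    nevertheless crosses the aggregate threshold. Returns {supplier: total}."""
    by_supplier = defaultdict(list)
    for p in payments:
        by_supplier[p["supplier"]].append(p["amount"])
    flagged = {}
    for supplier, amounts in by_supplier.items():
        all_small = all(a < MICRO_PAYMENT_MAX_USD for a in amounts)
        if all_small and len(amounts) > 1 and sum(amounts) >= AGGREGATE_THRESHOLD_USD:
            flagged[supplier] = sum(amounts)
    return flagged


def _normalize_address(address):
    """Case, punctuation and whitespace differences must not hide a duplicate."""
    return "".join(ch for ch in address.lower() if ch.isalnum())


def duplicate_suppliers(suppliers):
    """Fraud indicator: groups of supplier ids sharing one normalized address."""
    groups = defaultdict(list)
    for s in suppliers:
        groups[_normalize_address(s["address"])].append(s["id"])
    return [sorted(ids) for ids in groups.values() if len(ids) > 1]


def can_post_journal(journal, posting_user):
    """Contextual preventive control: the user who entered a journal may not
    post it. Evaluated at posting time, before the transaction is committed."""
    return posting_user != journal["entered_by"]


def run_monitors(journals=JOURNALS, payments=PAYMENTS, suppliers=SUPPLIERS):
    """Detective sweep over a batch of records; returns one result per monitor."""
    return {
        "journals_over_threshold": journals_over_threshold(journals),
        "micro_payment_patterns": micro_payment_patterns(payments),
        "duplicate_suppliers": duplicate_suppliers(suppliers),
    }


if __name__ == "__main__":
    for name, result in run_monitors().items():
        print(f"{name}: {result}")
    print("alice may post J1:", can_post_journal(JOURNALS[0], "alice"))
```

The three monitors in `run_monitors` are detective: they run over records that already exist and produce suspects for review. `can_post_journal` is the contextual flavour of prevention from the earlier slide: it is evaluated inside the posting step with the actual user in hand, so the violation never reaches the ledger and there is nothing to remediate afterwards. Address normalization is deliberately crude (lower-case alphanumerics only); a production duplicate-supplier check would also compare tax ids and bank accounts, which the slide does not cover.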
40
Efficient, Flexible Risk and Compliance Mgmt
(Diagram: the GRC application suite, GRC Controls, GRC Manager and GRC Intelligence layered over applications and infrastructure, as on the à la carte slide)
• Improved Scoping / Audit Testing Processes – efficiencies in AS5
• End-to-end Certification Mgmt
• Linking risks and controls to multiple regulations / processes
• Integrated control management
• Closed-loop issue remediation and reporting
• Workflow reassignment
41
GRC Orchestration: Unifies risk and compliance documentation with automated monitoring & notification
• Enterprise GRC System of Record for Process / Policy and Compliance Documentation Mgmt
• Integrated Control Management
• Integrated, Centralized Survey Management
• Closed-loop Issue Remediation & Reporting
• Supports all Enterprise functional groups/users: Internal Audit, SOX, Corp Compliance and Risk Mgmt
(Diagram of the orchestration cycle:)
• Document: COSO/COBIT Frameworks; Risk-Control Matrix; Policies and Procedures; Evidence & Records Retention
• Assess: Perform Risk Assessment; Test Manual Controls; Scope Audits; Monitor Automated Controls
• Analyze: Receive Alerts; Review Reports; Investigate Exceptions
• Respond: Remediate; Retest; Optimize
• Certify: Sign-off and Publish
42
Content Management is the Cornerstone: Single System of Record for Compliance Information
(Diagram: Central Repository with Secure Enterprise Search, Date Effective, Chain of Custody, All Content Types, Search, Single Source of Information)
• Link policies and procedures to laws, regulations, and standards as evidence of compliance
• Link shared policies and controls across laws, regulations, and standards
• Apply and track permission-based access to policy and procedure documents
• Leverage advanced search function with familiar look and feel
43
GRC Manager Provides single repository for Regulatory Objectives, Risks, Controls
44
GRC Manager – Entity Level Controls: Provides library to share controls and reduce testing
A single control can be shared across the organization’s separate business units.
45
GRC Manager – User Defined Hierarchies: Provides many-to-many linkage for Objectives, Risks, Controls
Multiple hierarchies exist to represent regulations, business units and financial structures.
46
A full version history is maintained for all changes to all compliance elements in GRC Manager. You can always “go back in time” to view the state of your compliance environment as of a given date (“XX/YY/ZZ”) by simply clicking on the history tab and selecting the earlier version.
47
No Surprises
(Diagram: the GRC application suite, GRC Controls, GRC Manager and GRC Intelligence layered over applications and infrastructure, as on the à la carte slide)
• Pre-built dashboards aggregate information from all sources
• Combine GRC information from the entire stack
• Role-tailored Analytics
• Produce attestations and disclosures
• Briefing Books – segmenting critical data to diverse groups
• Email alerts
48
No Surprises: Enterprise Visibility to GRC. Secured and targeted delivery of role-based dashboards
(Sample notification e-mail from Oracle GRC Manager:)
This is to notify you of Regulatory alerts requiring your attention. The Executive Dashboard is awaiting your review.
Please use the following link to access your reports
Go To “Executive Dashboard”
• Easy to use
• Transparency across ALL GRC initiatives
• Summarized view of key information, highlighting potential trouble areas
• Graphical, Tabular, Drill down and integrated…
49
Open issue identification by business cycle and who originated it.
Identify which business units are having the most control issues.
See which process is failing and which regulations are impacted.
50
Perform top-down risk-based scoping by tying risks, control status, and issues to the consolidated financial picture.
51
Why GRC?
(Diagram: Safeguard Reputation, Best Business Practice, Compliance)
• GRC has become best business practice for efficiency
• Control user access and reduce risk of fraud
• Automation reduces cost of compliance
• Inappropriate use of Finances
• Purchasing Policy Violations
• Data Security Leaks
• Accounting Standards, SAS-112, Privacy Laws, Other Federal and State regulations
• BOARD MEMBERS – from industry – now expect Sarbanes-Oxley type controls and reports
52