Thorson, Reba, Brown

Workshop 79: Automated Controls through GRC: The Next Frontier

Transcript of Thorson, Reba, Brown

Introduction

Simone Reba, Defense Logistics Agency, Deputy Director, DLA Finance

Bob Thorson, Accenture Federal Services, Manager, Management Consulting and GRC Solutions

Steve Brown, US Army/PEO EIS, Director, GFEBS Sustainment

Copyright © 2015 Accenture All rights reserved.

Governance, Risk, and Compliance

Oversight: Globally manage the GRC program and ensure synchronization between information and activities.

Governance: Ensure that critical management information is sufficiently complete, accurate, and timely to enable appropriate management decision making, and provide the control mechanisms and policies to ensure that strategies and directions from management are carried out systematically and effectively.

Risk: Manage risks to the business by assessing, evaluating and responding appropriately to risks that might adversely affect realization of the organization's business objectives.

Compliance: Identify applicable requirements (laws, regulations, strategies and policies), assess the state of compliance and potential costs of non-compliance against the projected expenses to achieve compliance, and hence prioritize, fund, and initiate any corrective actions deemed necessary.

GRC Technology and Enablement Tools: Implement GRC tools to automate GRC reporting and reduce labor required for compliance.

UNCLASSIFIED

Army’s GFEBS GRC Journey

June 2016


Agenda

■ GFEBS

■ Why GRC Was Chosen

■ GFEBS Journey to GRC Controls

■ Segregation of Duties Lessons Learned

■ Privileged Account Management (Firefighter)

■ Policies

■ In the Middle Came FISCAM

■ GRC in support of audit


Why a General Fund Enterprise Business System?

■ Congressional directives including:

– Federal Managers Financial Integrity Act of 1982

– Chief Financial Officers (CFO) Act of 1990

– Federal Financial Management Improvement Act (FFMIA) of 1996

– Other statutes

■ US Army leadership needs:

– Leaders and managers need to make well-informed decisions

– Most decisions impact across many functions and organizations

– Well-informed decisions require analysis based on relevant, accurate, integrated and timely data from many functional areas

• US Congress requires auditable financial documents

• Army leaders and managers require high-quality decision support information


Army’s General Fund Enterprise Business System

~150B obligated per year

53 appropriations (Army and DOD)

5,500 regulatory requirements, standards, attributes and rules

51 partner systems and 151 unique interfaces

33,000 active users

8,400 unique user roles

200,000 transactions/day and ~66 million transactions in FY14

215,000 civilian employees -- payroll processed biweekly

Includes –

– 29 Army commands + 1 non-Army Command with full functionality (DHA/NCR MD)

– 200+ locations in 71 countries

■ Funds Management – Distribution of General Funds

– Budget management and execution

■ Spending Chain – Initiate purchase requisition, approve funds, record obligation, manage receipts and process disbursements

– Includes Def. Medical Logistics Standard Support (DMLSS) interface

■ Reimbursables – Execute full order to cash life cycle

– Process accounts receivable

■ Property, Plant and Equipment – Real Property, Plant Maintenance, Equipment and Assets, and Project Systems

■ Cost Management – Full cost capability and civilian payroll

■ Financials – General Ledger accounting (USSGL)

– Financial statement reporting to departmental level

– Month end / Year end closing process

Enter & Distribute Funds → Execute & Record Transactions → Consolidate & Report


Why was GRC selected?

■ Initially, GFEBS was using a manual provisioning process

– User role assignment process was ‘manual’ using MS Excel spreadsheets

– Provisioning authorization approvals were managed via email for: i.) Role eligibility, ii.) Security Manager verification, and iii.) Training completion

– Segregation of Duty (SOD) conflict analysis was performed at the role level

– Updates to user role assignment were processed through Helpdesk tickets

■ GFEBS PMO realized the manual process was not sustainable

– Initial release to ~250 users was complex with management by spreadsheets

– Complexity was reinforced with the second deployment to 1,200 users

• Only 20% of users were provisioned before go-live

– Implemented GRC to facilitate deployment activities

• Automated the DD 2875 process through workflow approvals

• Automated an interface to the Army’s Learning Management System (ALMS) to confirm training completion and auto-provision the user roles

Deployment Challenge: Manual provisioning was time intensive and required extensive document management for auditability

Over 50,000 users have been processed through GRC

Other GRC Benefits

■ Manages routing to designated approvers and maintains all approvals including user ID, date/time stamps, and action performed within an audit log

■ Verifies Credentials: Integration with AKO LDAP to confirm user credentials

■ Auto-approval of Training Coordinator requests in which training is complete in Army Learning Management System (ALMS)

■ Upon workflow completion, role assignment changes, including additions and deletions, are automatically performed in SAP

■ GRC Requests are analyzed for SOD conflicts – only requests with an approved ‘waiver’ are recorded

GFEBS Journey to GRC Controls

Initial GFEBS Program Deployment – Challenge Identified: Documentation & Large Volume

• Manual collection of 1,000s of users and roles

• Collection and storage of email-based approvals

• Large volume of manual interaction

Full GFEBS Deployment – Solution Identified: Implement Automated GRC Access Control

• Workflow based solution to manage access controls

• Central repository of approvals for user access to automate DD 2875

Additional System Controls – Solution Expanded: Leverage Additional GRC Controls

• Implement solutions for Segregation of Duties (SODs)

• Manage critical access through restricted roles and critical transaction monitoring

Operations & Maintenance – Solution Maintained: End User Self-Service

• Enable role assignment changes

• Perform user account reaffirmation

• Utilize privileged management monitoring

Provisioning workflow roles (swimlanes): GRC Supervisor, GRC Role Approver, GRC SOD Approver, GRC Security Manager, GRC Training Coordinator, SAP Security, System Administrator

Provisioning workflow steps: Identify GFEBS Users → Assign GFEBS Roles to Users → Resolve SoD Conflicts → Approve GFEBS Roles → Verify Background Investigation for GFEBS Users → Validate Training Completions → Provision User


Segregation of Duty (SOD): Lessons Learned and Process

Implementation Schedule

• Implemented system automation after approximately 15,000 GFEBS Users

• Analyze standard SOD ruleset and customize for Army business operations

• Implement multiple GRC Risks at once to prevent Site / Command re-work

• Iteratively for ~2 years on GFEBS

• Use tools to accelerate remediation (e.g., Role Conflict Matrix)

Process flow: Define & Implement SOD Rule Conflicts → Flag User with SOD Conflict (Report or Workflow) → Site / Command decides whether to Request SOD Waiver. Yes: Apply Mitigating Control → Army Approval → Monitor Mitigating Controls (Weekly Monitoring; GRC Request Workflow). No: Remove Role → Confirm Role Removal → Confirm Conflict Removed. If a System Change is identified: Update GRC Risk Ruleset and Update SAP Role Design. Remediation is monitored (30-day Notice).

Risk Approval & Mitigation

• Review role design to determine if there is risk to the business process

• Work closely with business process stakeholders to confirm impact to business operations

• Enforce strict process for approval and management of SOD waivers

• Requires Deputy Assistant Secretary of the Army for Financial Operations (DASA-FO) approval


Privileged Account Management (Firefighter)

GRC toolsets enable management of critical access defined by the Army organization and monitoring for unauthorized activity

Firefighter Account Management

• Used for the execution of business activity and system maintenance activity by GFEBS Support Staff

• Logs activity performed during execution of SAP T-Codes

• High risk transactions are managed in Firefighter accounts and assigned with GFEBS Project Manager approval

• Activity logs are pulled by the Service Management team and sent to leadership for review

• Note: Automated email logs are recommended from an audit perspective

• GFEBS team members are assigned one Firefighter ID (not typical practice)

Critical Access Review & Monitoring

• Define “Least Privilege” by creating separate GRC risk rulesets for critical transactions based on organizations

  • System Administration

  • Army Functional Owner

  • Army Cost & Economics

• Review is identified as a detective control for the GFEBS system, not preventative like SODs

• Tailor risks based on SAP Transactions and Authorizations

  • Process Payment Certification (F110) with ‘execute’ as opposed to ‘view’

• Execute analysis at a User and Role level


Policies

Deploying a GRC framework requires more than “just a tool”

Policies & procedures must be deployed in parallel to provide instruction and responsibilities to the user community.

Policies & Procedures

• Policy documents for internal program management and end users

• All GFEBS application provisioning is performed through the GRC tool

• Army Sites / Commands are instructed to use the GRC tool to manage all access changes, including responsibility for terminations and transfers

• Extensive procedure documents were created

• Training was provided on the use of the GRC tool and responsibilities of the user community


Policy Related Controls

Restricted Role Approval

• Alternative workflow path identifies the Role Owner and injects additional oversight into the end-to-end provisioning process for critical access

• Example roles include

  • Payment Certifier (F110): DFAS

  • General Ledger Data Master Maintainer: DASA-FO

  • Funds Execution Controller: Army Budget Office (ABO)

  • Control Accounts: DASA-CE

  • Other roles as needed (PII, sensitive data, etc.)

  • System Admin Roles: GFEBS PMO

• Clean-up was required because we didn’t implement at the beginning

Annual Role Re-Affirmation

• Requires Site / Commands to reapprove user role assignments on an annual basis

• Required per FISCAM Guidelines

• Procedures may elect to expire role assignments if not reapproved


And in the Middle Came “Federal Information System Control Audit Manual (FISCAM)”

■ Established by the Government Accountability Office (GAO) as a methodology for performing information systems control audits of federal & other governmental entities in accordance with generally accepted governmental auditing standards

■ Every system with a financial component will be subject to FISCAM

■ Categorized into General and Application level controls

General Controls: Control activities that are applied across all IT systems that the organization relies upon.

– Security Management: Policies / Procedures; Risk Assessment

– Access Controls: ID/Authentication; Physical Security; Incident Handling

– Configuration Management: Change Management; System Testing

– Segregation of Duties (SODs): User Access Provisioning

– Contingency Planning: Disaster Recovery; Business Continuity; Backups

Application Controls: Control activities that ensure the completeness, accuracy and validity of transaction data within a system.

– Application Security: User Authorization; Audit Logging / Monitoring

– Business Process: Master Data Setup/Maintenance; Transaction Data

– System Interfaces: Data Exchanges; Exception Reporting / Handling

– Data Management: Storage; Cryptography; Data Reporting / Extraction

Legend: Example FISCAM Control Activity addressed with GRC tool


GRC in Support of the Audit

■ GFEBS worked closely with the Audit component (DASA-FOA) within ASA(FM&C) for conducting pre-audit examinations

– Realized the value of GRC with regard to audit compliance, especially in the area of provisioning

– Identified gaps with Segregation of Duties and Critical Access which the program worked to resolve

■ Pre-audit examinations identified additional actions to be performed using the GRC tool

– Implementation of SODs and Critical Access required refinement and documentation

• Authorizations were found in roles which were not expected

• SODs were identified through the unintended coupling of authorizations across roles

• Months were spent reducing access within individual roles to better align with least privilege

– Use of Firefighter module enabled the program to track critical activities performed by support staff

• Implemented “points system” for undocumented / unallowed use of privileged accounts

• Procedures outline the documentation requirements for use of elevated access

■ To this day, GFEBS continues to perform ‘clean-up’ activities to further strengthen the security posture of GFEBS

– Redesigning Firefighter access based on 2 years of usage history

– Continuing to refine the restrictions for System Administration access to remove ‘unnecessary’ access

– Further separate roles between teams and remove transaction codes that are rarely used or not part of controlled business process

DEFENSE LOGISTICS AGENCY: AMERICA’S COMBAT LOGISTICS SUPPORT AGENCY

WARFIGHTER SUPPORT ENHANCEMENT | STEWARDSHIP EXCELLENCE | WORKFORCE DEVELOPMENT

DLA’s Mission, Vision, and Values

Mission: America’s Combat Logistics Support Agency, the Defense Logistics Agency (DLA) provides effective and efficient worldwide support to Warfighters and other customers

Vision: Warfighter-focused, globally responsive, and fiscally responsible supply chain leadership

Values

– Warfighter’s needs guide DLA

– Integrity defines DLA

– Diversity strengthens DLA

– Excellence inspires DLA

What is DLA?

DLA is the largest agency within the DoD

Provides technical and logistics services to military services and several agencies

Supplies almost every consumable item military services need to operate, from food to fuel

FY15 DLA Statistics

Military and civilian personnel (48 states and 28 countries): ~25,500

Items managed in 9 supply chains: ~6M

Requisitions per day: ~98,000

Contract actions per day (new awards and mods): >9,000

Annual Revenue: $38B

Weapon systems supported: ~2,400

Distribution centers managed worldwide: 25

Support items annually for 110 nations: $2B

Enterprise Business System (EBS)

EBS is DLA’s enterprise approach, utilizing necessary leading edge technology, to allow DLA to focus on its core business

• Re-engineered and transformed how DLA does business

• Enables DLA to consistently deliver new capabilities, minimizes transition risk to DLA and the warfighter

• Integrates all enterprise system capabilities

• Financial system of record

• Single face to customers, suppliers, and external stakeholders

EBS landscape, as labeled on the slide diagram:

– EBS Enclave: SAP ECC, SAP HANA Sidecar, SAP BW, SAP CRM, SAP SRM, SAP SCM, Greenlight/Laserfocus, JDA Manu

– Enterprise Portal (Internal): SAP Enterprise Portal, Role, Navigation

– Web/Application Services/SOA: Netweaver/WAS, SAP PI WS, BEA Web Logic, Tomcat

– Terminal Services: Citrix (SAPGUI, BEX)

– Smart Forms: Adobe

– External Portal Direct

– Web Services: Microsoft IIS

– GRC: Access Controls, Process Controls, Risk Management

GRC Audit Readiness Goals

• Eliminate or mitigate Segregation of Duties violations within the System Access Profiles (Job Role)

• Establish enterprise process to prevent recurrence of violations with future access profile maintenance or creation

• Guard against employee fraud, abuse, mistakes, and mistake cover-ups

• Implement a tool to manage risk, reduce costs, and minimize complexity to support day-to-day management efforts across DLA

• Pass FISCAM and Internal Controls A-123 audit

GRC Implementation Timeline

June 2013: Established enterprise access control processes & procedures

March 2014: SAP GRC Access Controls identifies and monitors risks for enterprise systems based on enterprise SoD ruleset

June 2014: Implemented Emergency Access Management (EAM) for IT Production Support users

June 2015: Redesigned end user system access to remove or mitigate SoD violations

July 2015: Established ongoing monitoring of critical roles with SoD violations using Access Violation Management (AVM)

In Process: Implement SAP GRC Process Controls and Risk Management

SoD Rule Set and Violations Analysis

DLA’s Segregation of Duties (SoD) Enterprise Rule Set

• 268 Business function risks defined in the rule set (approximately 65,000 transaction level risks)

• Identified 237 Critical transactions. These transactions, by themselves, provide a user with extraordinary or high-risk access

SoD Violations Analysis (User JDs)

Business area       High Risks  Med. Risks  Low Risks  Total Risks  Critical Transactions
Order Fulfillment        2,825       1,033          0        3,858                    261
Procurement              2,973       3,436         16        6,425                    198
Tech Quality               510       1,543         42        2,095                    190
Planning                   376         444          0          820                     17
Real Property               15          57          0           72                     66
Finance                  4,633       8,060         31       12,724                    794
CRM                          2          50          0           52                     29
Total – User JDs        11,334      14,623         89       26,046                  1,555

Share of total risks by business area (pie chart): Finance 49%, Procurement 25%, Order Fulfillment 15%, Tech Quality 8%, Planning 3%, Real Property 0%, CRM 0%

SoD Violations Analysis (Sustainment)

Business area       High Risks  Med. Risks  Low Risks  Total Risks  Critical Transactions
Sustainment             24,736      33,098         21       57,849                    772
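The rule-set mechanics above (business-function risks expanding to transaction-level risks, critical transactions, and the user- and role-level analysis from the Critical Access Review slide) as an added example; this is illustration code, not DLA's or SAP GRC's. The functions, risks, roles, users and transaction codes other than F110 are constructed stand-ins.

```python
from itertools import product

# Constructed business functions and the transaction codes that realise them.
# F110 (Payment Certification) is named on the slides; the other codes are
# hypothetical stand-ins used only for this illustration.
FUNCTIONS = {
    "CREATE_VENDOR": {"XK01", "FK01"},
    "POST_INVOICE": {"MIRO", "FB60"},
    "PAY_VENDOR": {"F110"},
    "CREATE_PO": {"ME21N"},
    "GOODS_RECEIPT": {"MIGO"},
}
# Business-function risks: two functions one user must not hold together.
# Each pair expands to every cross pair of transaction codes, which is how
# a few hundred function risks become tens of thousands of transaction risks.
FUNCTION_RISKS = {
    "F001": ("CREATE_VENDOR", "PAY_VENDOR", "High"),
    "F002": ("CREATE_PO", "GOODS_RECEIPT", "Med"),
    "F003": ("POST_INVOICE", "PAY_VENDOR", "High"),
}
CRITICAL = {"F110", "SU01"}  # high-risk on their own, no pairing needed
# Constructed roles and user-to-role assignments.
ROLES = {
    "AP_CLERK": {"MIRO", "FB60"},
    "PAY_CERT": {"F110"},
    "VENDOR_MAINT": {"XK01"},
    "BUYER": {"ME21N"},
    "BUYER_RECEIVER": {"ME21N", "MIGO"},  # conflict built into one role
}
USERS = {
    "alice": ["AP_CLERK", "PAY_CERT"],  # clean roles that conflict together
    "bob": ["BUYER_RECEIVER"],
    "carol": ["VENDOR_MAINT", "BUYER"],
}


def transaction_level_risks(risk_id):
    """Expand one function risk into its (tcode_a, tcode_b) pairs."""
    f1, f2, _level = FUNCTION_RISKS[risk_id]
    return list(product(sorted(FUNCTIONS[f1]), sorted(FUNCTIONS[f2])))


def analyze(tcodes):
    """Evaluate a set of transaction codes against the rule set.
    Returns ({risk_id: [matching pairs]}, sorted critical tcodes held)."""
    hits = {}
    for risk_id in sorted(FUNCTION_RISKS):
        pairs = [(a, b) for a, b in transaction_level_risks(risk_id)
                 if a in tcodes and b in tcodes]
        if pairs:
            hits[risk_id] = pairs
    return hits, sorted(set(tcodes) & CRITICAL)


def user_tcodes(user):
    """Every transaction code a user holds across all assigned roles."""
    return set().union(*(ROLES[r] for r in USERS[user]))


def analyze_user(user):
    """User-level result. 'cross_role' lists risks that no single assigned
    role contains: they exist only because of the combination of roles."""
    hits, critical = analyze(user_tcodes(user))
    role_level = set()
    for role in USERS[user]:
        role_level |= set(analyze(ROLES[role])[0])
    return {
        "risks": {rid: FUNCTION_RISKS[rid][2] for rid in hits},
        "pairs": hits,
        "cross_role": sorted(set(hits) - role_level),
        "critical": critical,
    }


def summarize(users):
    """Totals in the shape of the violations table: distinct function risks
    per user by level, plus critical transactions held."""
    totals = {"High": 0, "Med": 0, "Low": 0, "Critical": 0}
    for user in users:
        result = analyze_user(user)
        for level in result["risks"].values():
            totals[level] += 1
        totals["Critical"] += len(result["critical"])
    return totals
```

Running `analyze_user("alice")` shows the case the GFEBS audit slide describes: each role passes on its own, yet the combination yields a High risk (F003) and a critical transaction (F110), which only user-level analysis catches.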

Decision Tree for End User SoD Conflict Cleanup/Mitigation

Access conflict identified

1) Can the conflict be eliminated by removing access to one of the conflicting transactions?

– Yes, one transaction not needed to perform role → Remove transaction from Role

– No, both conflicting transactions are needed to perform role → continue to 2)

2) Can the Job/Role be broken up into multiple Roles to eliminate the conflict?

– Yes, multiple roles can be created to separate conflicting transactions among users → Break up Job/Role into multiple Job/Roles

– No, same user needs to be able to perform these conflicting transactions → continue to 3)

3) If BPA, can access to the conflicting transaction be removed from the Job/Role and accessed via a designated Firefighter on an emergency/infrequent basis?

– Yes, access to one of the conflicting transactions is infrequent (<5/month) → Have access to the transaction via Firefighter

– * No, not BPA or user will access both of the conflicting transactions frequently (>5/month) → Create LaserFocus monitoring report to monitor user access or other mitigation action

Jobs, Training, Communications updates
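The decision tree above, carried out as an added example over a constructed usage log so that the "<5/month" test is computed rather than assumed; this is illustration code, not DLA's. The conflict records, user names, role names, the usage log and the transaction codes are constructed, and the "BPA" flag is carried through as given on the slide without expansion.

```python
from dataclasses import dataclass

INFREQUENT_PER_MONTH = 5  # the tree's "<5/month" threshold; exactly 5 counts as frequent


@dataclass
class Conflict:
    user: str
    role: str
    tcodes: tuple        # the two conflicting transaction codes
    needed: frozenset    # which of the two the role genuinely needs
    splittable: bool     # can the role be split so different users hold each side?
    bpa: bool            # the slide's "If BPA" qualifier on the third question


# Constructed usage log: one (user, tcode, 'YYYY-MM') tuple per execution.
MONTHS = 3
_PERIOD = ("2016-01", "2016-02", "2016-03")
USAGE_LOG = (
    [("dave", "ME21N", m) for m in _PERIOD for _ in range(6)]      # 6/month
    + [("dave", "MIGO", "2016-02"), ("dave", "MIGO", "2016-03")]   # 2 in 3 months
    + [("erin", t, m) for m in _PERIOD for t in ("ME21N", "MIGO") for _ in range(6)]
)


def monthly_usage(log, user, tcode, months):
    """Average executions per month for one user and transaction."""
    return sum(1 for u, t, _ in log if u == user and t == tcode) / months


def route(conflict, log, months=MONTHS):
    """Walk the decision tree; returns (action, affected tcode or None)."""
    # 1) Is one of the transactions simply not needed for the role?
    unneeded = [t for t in conflict.tcodes if t not in conflict.needed]
    if unneeded:
        return ("Remove transaction from Role", unneeded[0])
    # 2) Can the job/role be split so different users hold each side?
    if conflict.splittable:
        return ("Break up Job/Role into multiple Job/Roles", None)
    # 3) If BPA: is one side used rarely enough to move behind Firefighter?
    if conflict.bpa:
        rate = {t: monthly_usage(log, conflict.user, t, months) for t in conflict.tcodes}
        least = min(conflict.tcodes, key=rate.get)
        if rate[least] < INFREQUENT_PER_MONTH:
            return ("Have access to the transaction via Firefighter", least)
    # Otherwise a detective control: monitoring report or other mitigation.
    return ("Create LaserFocus monitoring report or other mitigation action", None)


def triage(conflicts, log=USAGE_LOG, months=MONTHS):
    """Route a batch of conflicts; returns {user: (action, tcode)}."""
    return {c.user: route(c, log, months) for c in conflicts}


# Constructed conflicts, one per branch of the tree.
BOTH = frozenset({"ME21N", "MIGO"})
CONFLICTS = [
    Conflict("gina", "BUYER", ("ME21N", "MIGO"), frozenset({"ME21N"}), False, True),
    Conflict("hal", "BUYER_RECEIVER", ("ME21N", "MIGO"), BOTH, True, True),
    Conflict("dave", "SITE_BUYER", ("ME21N", "MIGO"), BOTH, False, True),
    Conflict("erin", "SITE_BUYER", ("ME21N", "MIGO"), BOTH, False, True),
    Conflict("frank", "SITE_BUYER", ("ME21N", "MIGO"), BOTH, False, False),
]
```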

SoD Role Redesign

EBS Production Support Role Redesign

• Production Support redesign created a 70% reduction in primary roles

• SAP’s Emergency Access Management (aka Firefighter) was implemented to manage and monitor emergency access needed to perform extraordinary system maintenance and/or data updates in the EBS Production environment

• 38 Firefighter roles set up by business function to reduce SoD violations and limit access to sensitive data (SSNs, for example)

EBS End User Role Redesign

• Over 200 End User job roles for Finance, Procurement, and Order Fulfillment were redesigned

• All SoD violations were removed or had a mitigation strategy designed

DLA Audit Sustainment Operational Concept (AS-IS)

Diagram; components as labeled on the slide:

– ECRT (Front Door): Insert Audit Readiness Role(s); Insert Audit Readiness User Role(s)

– Posting Logic Library: GLACs, Controls; Business Rules, Functions, System Exchanges, Tables, Controls, GLACs

– ARIS/ERwin Model Mart (EA Tool Suite): 1) Enterprise Architecture Repository, 2) Process Models; Functions, Interfaces, Systems, System Exchanges, Organizations, Activities, Capabilities; Controls, Processes, Activities, Data; Capabilities, Systems, Mission Area

– ACLR

– Evidential Matter Repository: DACS-RM

– ProSight: Portfolio Management Registry; tracks progress of SCRs, Deficiencies and CAPs

– Visualization (does not exist): Visual Analysis and Discovery

– CAPS/SCR Database: (Manual) CAPS/SCR Data; Evidential Matter

– Controls Database: Manage Controls and Testing; Controls, Processes; Controls, PCMs

– PCM Content Database: Relates Controls, PCMs and Systems; Control Data, Deficiencies, PCMs

– EBS: Official Repository of Evidential Matter; Roles and Responsibilities (SOD); Cost Centers, Fund Centers, Controls, EA Metadata*

*EA Metadata includes a variety of “all” architecture objects

LEGEND: Potential, not consistent / Relationship Identified, Process Established (automated, manual or combination)

Process Controls and Risk Management

• The objective is to implement a tool to manage risk, reduce costs, and minimize complexity in its management and compliance functions by collecting, aggregating, analyzing, and reporting a wide variety of management information

• The objective is risk management and internal control reporting supported by use of day-to-day management efforts across DLA through an enterprise-wide automated solution that provides:

• A strategic capability to improve and enhance risk management, internal controls assessment, management review, and assurance reporting activities

• A decision support tool to enable more informed leadership decision making via use of integrated information

• A means to reduce the cost & effort of compliance activities and increase the confidence in internal controls

• A mechanism to facilitate collaboration across functional silos

Here’s How We Identify Risk

Enterprise Risk Profile Heat Map: Impact (vertical axis) against Likelihood (horizontal axis), each scaled 1 to 9, with the numbered enterprise risks below plotted on the grid. Slide banner: Hire, develop, and retain a high-performing, valued, resilient, and accountable workforce that delivers sustained mission – Goal 2

Enterprise Risks

1 Inability to adapt to constantly and evolving mission threat environment

2 Industrial Base Degradation

3 Degraded Network Availability

4 Improper handling or release of controlled materials

5 Scarcity of Raw Materials

6 Disruption of capabilities due to contract/contractor transition

7 Loss of Auditability

8 Loss of positive cash flow

9 Sub optimization of Resources

10 Inability to recruit, retain, develop “the right” workforce to support DLA mission

11 Focus Change MGT and Culture

12 Inability to adapt to constantly and evolving personnel and physical infrastructure threat environment

13 Natural Disasters

14 Customers do not see DLA as the first choice

End-to-End Compliance Process Management

Process phases: Document → Test → Monitor → Certify

– Activities: Perform Self-Assessments; Test Automated Controls; Test Manual Controls; Review Exceptions; Remediate Issues; Certify and Sign-off (A-123, Designs, …)

– Scope: Process-Control-Objective-Risk; IT Infrastructure; Business Processes

Integrated Compliance

One system for end-to-end financial compliance process

Flexible, configurable set-up with complete audit trails

Enterprise-wide visibility into risks and controls

DLA Audit Sustainment Operational Concept (with GRC)

Diagram; components as labeled on the slide:

– ECRT (Front Door)

– GRC: Manage Risks, PCMs, Controls, Testing and Evidential Matter; Track progress of SCRs, Deficiencies and CAPs; Controls, Risk Management Data; Processes, Controls, Organizations, Relationships, Functions, Activities, Models

– EA Tool Suite: 1) Enterprise Architecture Repository, 2) Process Models, 2) Portfolio Management Registry, 3) Visual Analysis; Functions, Interfaces, Systems, System Exchanges, Organizations, Activities, Capabilities; Controls, Processes, Activities, Data

– Posting Logic Library: GLACs, Controls; Business Rules, Functions, System Exchanges, Tables, Controls, GLACs

– Evidential Matter Repository: DACS-RM

– EBS: Official Repository of Evidential Matter; Roles and Responsibilities (SOD); Cost Centers, Fund Centers, Controls, EA Metadata*

*EA Metadata includes a variety of “all” architecture objects

LEGEND: Potential, not consistent / Relationship Identified, Process Established (automated, manual or combination)

GRC-Process Controls/Risk Management - Organization View

Diagram; elements as labeled on the slide:

Organizational View (Certification): DLA Director → J5/J8 → J Code/PLFA → Dir/Comm → Assessable Unit/EBCO → MICA Sub Assessable Unit

Account Hierarchy: Significant Account; Account Groups

Process / Risk / Control Hierarchy: Process; Sub-process; Risk/Control Objectives; Controls; Test Plans (ToD/ToE); Assessments; Deficiency (Issue); CAP (Remediation)

Business Process end-to-end view: A-123 Attestation (Sign-off)

Enterprise view: The DLA Organization GRC-PC/RM

Continuous Controls Monitoring (CCM)

Continuous Controls Monitoring allows automated testing of system based controls

- Exceptions reported automatically and continuously

- Reduces labor required for audit compliance

- Provides transaction, master data, SoD, and configuration monitoring

Questions?

What issues did GRC uncover within your business?

■ Excessive Access within Roles

– Required roles to be ‘split’ in order to pass Segregation of Duties

– Required the GFEBS Operations & Support Team to limit access

– Roles had authorizations which were excessive or unused for the intended activities of the role

■ Management of Roles within Production Landscape

– Review and clean-up of roles migrated to production was required

– Confirm that development roles did not exist within Production

■ Developed Reaffirmation requirement

– Policy is for annual review of roles

6/21/2016

What are some of the biggest challenges implementing Access Control?

■ Initial deployment of the system roles had minimum SOD controls in place

– Developed plan to bring in SOD controls over time

– As SODs were identified, we created an approach to eliminate the SODs for the deployed users

• Two year process - 10k users at a time to remediate new role changes

• Allowed 90 days for existing users to eliminate SODs once new SODs were implemented in the system

• Implemented SODs prior to the next roll out for the next wave

■ Segregating out the firefighter access and internal roles

– Change in approach for operations for break fix and emergency fixes

• Separated roles into teams to eliminate SODs

• Created check out roles and review processes by use

– Critical roles have time limits for use and greater oversight

How did you combat pushback from the business?

■ Really translates into running the business

■ Initially – OP ORD from the Chief of Staff of the Army

– ASA(FM&C) support

• SOD approvals by DASA-FO - Strictly enforced

– Functional forums

– Newsletters

– Management Briefings at the two star level

■ On-going – Joint Review Program

– Tier II direct support – moved after deployment to ASA(FM&C)

• Included audit needs

• Included GRC role approvals

– ASA(FM&C) policies on IDOC error resolution and turnaround time

– Putting in recycle programs to reduce site manual efforts

– Secretary of the Army is making audit one of his top priorities

What do you most look forward to in the solution?

■ GFEBS is currently working closely with another PEO/EIS Program, AESIP, to develop a joint use GRC 10.1 upgrade

– One instance for these ERP systems

– Could enable verification across Army ERPs for SODs

■ GRC 10.1

– Has out of the box solutions for reporting and remediation

– ABAP code allows for more flexibility

– Will enable a better user experience – easier to maneuver through the system

– More auditable for GRC 10.1 itself