Page 1: Why Oracle GRC with every E-Business Suite Upgrade – nv.communities.oaug.org/multisites/nv/media/.../GRCPDF1275072313.pdf · Why Oracle GRC with every E-Business Suite Upgrade, Kate Coughlin

Why Oracle GRC with every E-Business Suite Upgrade

Kate Coughlin Principal Solution Consultant

Page 2:

Why Preventive….

Oracle Confidential - Do Not Distribute

Page 3:

Why GRC for Every EBS Upgrade?

• Be compliant on Day 1
• Sustainability – Continuous Compliance
• Reduce the risk and maximize the ERP ROI – Reduce the cost of Compliance associated with the ERP Implementation
• Modify the behavior of Oracle EBS quickly & with fewer customizations
• Accelerate the design of segregation of duties around role design
• Remove the wildcard of segregation of duties as a potential for material weakness and a bottleneck of go-live
• Embedded real time enforcement and prevention allows limited staff to meet security compliance requirements – “do more with less”
• Automate and Error-proof the set-up of: Items, Customers, Suppliers
• Ensure that critical setups conform to best practices and follow robust change management procedures

Page 4:

Automate Internal Controls – Oracle GRC Controls Suite

Detective Controls – Monitor Control Effectiveness:
• ACCESS Controls – what users have done
• CONFIGURATION Controls – what’s changed in the process
• TRANSACTION Controls – what are the execution patterns

Preventive Controls – Enforce Policies in Context:
• ACCESS Controls – what users can do
• CONFIGURATION Controls – how is the process set up
• TRANSACTION Controls – how users execute processes

Page 5:

EBS Doesn’t Address Segregation of Duties

• No automated, continuous way to detect, remediate and prevent SOD violations.
• No auditable evidentiary reports to support the controls environment.
• Not sustainable – point-in-time audits are expensive and not reliable.
• Can’t prevent SOD violations at the point of access.
• Time consuming and costly to implement form customizations to detect, mitigate and prevent SOD violations.
• Managing false positives is difficult because proprietary detection engines don’t pick up preventative forms customization controls.

Page 6:

Oracle Application Access Controls Governor – Enforce proper segregation of duties

• Simplify segregation of duties enforcement with simulation and remediation
• Mitigate risk of privileged user access to enterprise applications with approval workflow and audit trails
• Accelerate deployment and time to value with pre-delivered controls library
• Policy Library • Conflict Paths

Detection: Access Analysis, Compensating Policies, Define Access Controls, Remediation (Clean-up)
Prevention: Preventive Provisioning

Page 7:

Manual SOD

Page 8:

E-Business Suite Access & SOD Challenges

Access hierarchy: User → Responsibility → Menu → Sub-Menu → Function → Form

Evaluate User Access
• Test by Responsibility and User
• Test by Function

Segregation of Duties
• Identify incompatible Privileges (i.e. Function)

Page 9:

Oracle GRC is a true cross-platform solution allowing cross platform or instance SOD analysis. It provides a single point of reference for all SOD policies and controls throughout the organization.

ERP SOD Control Library
• Oracle 11.5.10 – 216 policies*
• Oracle R12 – 232 policies*

*Note: Each policy is comprised of several sub-policies and controls based on its complexity; the sum total of these sub-policies and controls is over 3,000 per ERP.

Page 10:

Online Conflict Analysis

Use visualization feature to view conflict paths in a graphical format and easily identify inter- and intra-role conflicts.
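A worked illustration of the evaluation that the access-hierarchy and conflict-analysis slides above describe, added here as an example and not code from the deck or from Oracle’s product: a constructed User → Responsibility → Menu → Sub-Menu → Function tree is walked against a small policy library of incompatible functions, and each hit is reported with its full path and classified as intra-role (both functions inside one responsibility) or inter-role (across the user’s responsibilities). All menu, responsibility, user and policy names are hypothetical.

```python
from collections import defaultdict

# Constructed access hierarchy in the shape the slides describe (User ->
# Responsibility -> Menu -> Sub-Menu -> Function); all names are hypothetical.
MENU_ENTRIES = {                      # menu -> sub-menus or form functions
    "AP_SUPER_MENU": ["AP_SUPPLIERS_MENU", "AP_INVOICES_MENU"],
    "AP_SUPPLIERS_MENU": ["AP_MAINTAIN_SUPPLIER"],
    "AP_INVOICES_MENU": ["AP_ENTER_INVOICE", "AP_PAY_INVOICE"],
    "GL_CLERK_MENU": ["GL_ENTER_JOURNAL"],
    "GL_SUPV_MENU": ["GL_POST_JOURNAL"],
}
RESP_MENU = {"AP_SUPERUSER": "AP_SUPER_MENU", "GL_CLERK": "GL_CLERK_MENU",
             "GL_SUPERVISOR": "GL_SUPV_MENU"}
USER_RESPS = {"JSMITH": ["AP_SUPERUSER"], "ALEE": ["GL_CLERK"],
              "BKIM": ["GL_CLERK", "GL_SUPERVISOR"]}
# Policy library: function pairs one person must not hold together (constructed).
SOD_POLICIES = {"AP-01": ("AP_MAINTAIN_SUPPLIER", "AP_PAY_INVOICE"),
                "GL-01": ("GL_ENTER_JOURNAL", "GL_POST_JOURNAL")}

def function_paths(resp):
    """Walk a responsibility's menu tree; return {function: full path to it}."""
    paths = {}
    def walk(node, path):
        if node in MENU_ENTRIES:           # menu or sub-menu: descend
            for child in MENU_ENTRIES[node]:
                walk(child, path + [child])
        else:                              # leaf: a form function
            paths[node] = path
    walk(RESP_MENU[resp], [resp, RESP_MENU[resp]])
    return paths

def responsibility_conflicts(resp):
    """'Test by Responsibility': policies violated inside one responsibility."""
    fns = function_paths(resp)
    return [pid for pid, (a, b) in SOD_POLICIES.items() if a in fns and b in fns]

def user_conflicts(user):
    """'Test by User': evaluate every policy over all functions the user can
    reach through any responsibility; report each hit with both full paths."""
    reach = defaultdict(list)              # function -> [path, ...]
    for resp in USER_RESPS[user]:
        for fn, path in function_paths(resp).items():
            reach[fn].append(path)
    hits = []
    for pid, (a, b) in SOD_POLICIES.items():
        for pa in reach.get(a, []):
            for pb in reach.get(b, []):
                kind = "intra-role" if pa[0] == pb[0] else "inter-role"
                hits.append({"policy": pid, "type": kind, "paths": [pa, pb]})
    return hits
```

The full paths in each hit are what a reviewer needs to decide whether to remove a menu entry from the responsibility (intra-role) or split the two responsibilities between people (inter-role).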

Page 11:

Contextual reporting with full-path conflict details.

Page 12:

Multi-Platform and Cross-Platform Support

(Diagram: User1, User2 and User3 holding access in FIN and in a 3rd Party App)

Multi-Platform Support
• User access within different, multiple platforms

Cross-Platform Support
• User access across different instances, platforms, applications, etc.

Page 13:

EBS does NOT Address Configuration Change Management

• Don’t have the desired level of visibility into the management of the critical set-ups that drive the Oracle EBS environment.
• Don’t have an automated way to detect or record changes to sensitive set-up data across instances, locations, or points in time.
• Difficult to prevent changes to critical set-ups from occurring repeatedly.
• Need a better way to enforce change control, ensure data integrity, identify fraud.
• No automated way to document and compare setups in business terms.
• Difficult and time consuming to generate reports that provide the auditable evidentiary support of your controls environment for your critical set-ups that auditors demand.
• Data privacy and protection of sensitive data requires extensive application customization.

Page 14:

Stronger Application Controls – Ensure integrity of critical application setups

• Achieve consistent application setup and operating standards across multiple instances
• Track complete audit trails for changes to key configurations
• Tightly control change management to accelerate development and test time

Detection: Document or Compare Configurations, Manage Data Integrity, Define Configuration Controls, Monitor Configuration Changes
Prevention: Enforce Change Control

Page 15:

Example of Setups and Key Controls (Setups = Key Controls)

• Key Controls
  – 3-way matching of PO, Invoice and Receipt
  – Document spending limits (authorization of PO)
  – Security rules – access to sensitive transactions
    o Employee salaries
    o Chart of account values
  – Action for late delivery of goods
  – Inventory stocking rules
  – Rules to create tax on sales orders
  – Depreciation methods

• Setup Data
  – Application Security
  – Document Approvals
  – Chart of Accounts
  – Profile Options
  – Users
  – Application Setups
  – MRP rules

• Operational Data
  – Financial statement reports (FSGs)
  – Price lists
  – Inventory attributes
  – Customers
  – Suppliers
  – Employees
  – Buyers
  – Items
  – Chart of Account Values
  – Category Codes

Page 16:

Monitor Configuration Changes

Who? When? What? Where?

Page 17:

Oracle Configuration Controls Governor – Enforce integrity of critical application setups

Standard Oracle:
• Who last updated and when
• No defendable audit trail
• No preventive change controls

With Preventive Controls:
• Who/what/when/why/who authorized
• Preventive AND Detective Change Controls
• Reports w/ Reason Codes and Approvals
• Seeded Content for at-risk setups

Page 18:

Oracle Transaction Controls Governor – Identify inaccurate or fraudulent transactions

Continuously monitor accuracy of transactions and mitigate exposure to fraud.

Pre-delivered Transaction Controls
• Test against thresholds
• Search for anomalies
• Perform transaction sampling

Output: Suspect Transactions

Detection: Perform Transaction Analysis, Define Transaction Controls, Review and Address Suspects
Prevention: Preventive Transaction Controls

Page 19:

Transaction Monitoring Controls: Split PO Example

Native Oracle Controls:
• Project Manager (REQ Limit $200K) submits Requisitions: Jan 1 – $180K, submitted; Jan 8 – $195K, submitted
• Buyer raises Purchase Orders; Financial Controller (PO Limit $2M) approves them: Jan 2 – $180K, approved; Jan 9 – $195K, approved
• Order To Supplier: $180K; Order To Supplier: $375K (cumulative)

Transaction Monitoring:
• Multiple REQ over $200K limit to same vendor in 15 days !!
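The split-requisition pattern above as detection logic, added here as an example and not code from the deck or from Oracle’s product: the native control tests each document alone against the approver’s limit and passes both, while the monitoring control sums a requester’s requisitions to the same vendor over a sliding 15-day window, which is the general form of the slide’s two-requisition case. The requisition records, their field names and the dates are constructed.

```python
from datetime import date, timedelta
from itertools import groupby

REQ_LIMIT = 200_000     # requisition approval limit from the slide ($200K)
WINDOW_DAYS = 15        # look-back window from the slide

# Constructed requisition records; field names are hypothetical, not EBS columns.
REQUISITIONS = [
    {"req": "R-1001", "requester": "PM1", "vendor": "ACME", "date": date(2010, 1, 1), "amount": 180_000},
    {"req": "R-1002", "requester": "PM1", "vendor": "ACME", "date": date(2010, 1, 8), "amount": 195_000},
    {"req": "R-1003", "requester": "PM2", "vendor": "ACME", "date": date(2010, 1, 3), "amount": 50_000},
    {"req": "R-1004", "requester": "PM1", "vendor": "ACME", "date": date(2010, 2, 20), "amount": 190_000},
]

def single_document_check(reqs, limit=REQ_LIMIT):
    """Native control: each requisition is tested on its own against the limit."""
    return [r["req"] for r in reqs if r["amount"] > limit]

def split_requisition_suspects(reqs, limit=REQ_LIMIT, window=WINDOW_DAYS):
    """Monitoring control: per (requester, vendor), slide a window of `window`
    days over the dated requisitions and flag any run of two or more whose sum
    exceeds the limit, even though every document passed on its own."""
    key = lambda r: (r["requester"], r["vendor"])
    suspects = []
    for (requester, vendor), grp in groupby(sorted(reqs, key=lambda r: (key(r), r["date"])), key=key):
        rows = list(grp)
        start = 0
        for end in range(len(rows)):
            # shrink the window from the left until it spans at most `window` days
            while rows[end]["date"] - rows[start]["date"] > timedelta(days=window):
                start += 1
            total = sum(r["amount"] for r in rows[start:end + 1])
            if end > start and total > limit:
                suspects.append({"requester": requester, "vendor": vendor,
                                 "reqs": [r["req"] for r in rows[start:end + 1]],
                                 "total": total})
    return suspects
```

R-1004 falls outside the window of the earlier two and is not flagged, which is the false-positive boundary such a control needs to get right.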

Page 20:

Transaction Real World Examples:

• Test against Material Thresholds
  – JE > $ threshold
  – Employee Checks (individual & sum) > $ threshold
• Search for Anomalies
  – PO terms differ from vendor
  – Sales orders > acceptable $ range
• Detect Fraudulent Behavior
  – PO changes after approval
  – Duplicate suppliers with same address
• Embed Preventive / Automated Compensating Controls
  – Alert on customer transactions over $ threshold
  – Prevent journals from being entered and posted by same individual