
Oracle GRC Application Controls: A Layered Defense

How the Oracle GRC Suite Can Reduce Business Costs and Improve IT Security

Atlanta Oracle Applications Users Group Meeting


January 29, 2010

Inspiring Your Next Success! Company Confidential - Copyright 2010 Hitachi Consulting
Introduction to the GRC Team
> Kevin Mims, Senior Manager at Hitachi Consulting
> Andy Pope, Manager at Hitachi Consulting
> Paul Steffen, Manager at Hitachi Consulting
> Ryan Henderson, GRC Specialist at Hitachi Consulting

Agenda
> Introductions
> Hitachi Consulting Oracle Practice Overview
> Why GRC? Business Challenges in the Client Space
> How the Oracle GRC Solution Can Help
> Focus on Oracle GRCC Suite
Oracle Application Access Controls Governor (AACG)
Oracle Transaction Controls Governor (TCG)
Oracle Preventive Controls Governor (PCG)
Oracle Configuration Controls Governor (CCG)

> Oracle ERP Implementation Overview: Where do GRC Applications fit in?
> Methodology and Planning
> Keys to Success
> Lessons Learned
> The Hitachi Consulting Solution
> Q&A
Hitachi Consulting Background

(Chart: Hitachi Consulting revenue by industry: Industrial Products & Manufacturing; High Tech Manufacturing & Software Providers; Communications, Media & Entertainment; Healthcare & Biotech; Financial Services; Food & Beverage, Consumer Goods & Retail; Engineering & Construction; Energy & Utilities; Other)
> Hitachi Consulting is the U.S.-based business and IT consulting division of Hitachi Ltd., and a globally recognized leader delivering value-based business strategies and technology solutions
Revenues of approximately $450M globally
1200 employees in the US with offices also in Europe and Asia, 2500 employees globally
> With more than 25 years of business process, vertical industry, and leading-edge technology experience, our consultants are seasoned in a multitude of disciplines and work with clients to transfer their knowledge and experience every step of the way
Hitachi Consulting founded November 2000
> Hitachi made a strategic decision to enter the IT and business consulting services
market in the United States, as the outcome of a study by McKinsey
> With the acquisition of Grant Thornton's consulting business in November 2000,
Hitachi Consulting was born
> The Company was re-branded to Hitachi Consulting in May 2003, as the business
and IT consulting unit of Hitachi
> Hitachi Consulting has grown organically and through a series of strategic acquisitions

(Timeline, 2000 to 2010: Strategy Foundation; Integration & Profitability; Globalization, Growth & Value)

Deep Oracle Expertise
> Oracle is Hitachi's #1 EA Practice (both revenue and headcount)
> 400+ Oracle Consultants (80% functional, 20% technical)
> 100+ completed or ongoing 11i implementations
> 15+ completed or ongoing R12 implementations
> Oracle Titan Award Winner
2006 EBS System Integrator
2007 & 2008 Integration and SOA
2008 Edge Applications
> Hitachi Consulting ranked 6th overall in Oracle's NA Partner Performance metrics
> Global Certified Advantage Partner
> Certified OnDemand Partner
> Oracle Partner of the Year, 5 of last 8 years
> Ranked #3 Partner for Oracle Commercial
> Internal Apps and Tech Labs support Biz Flow Accelerators
> Member Oracle Field Advisory Board
Flow Manufacturing
Advanced Planning & Scheduling
Warehouse Management
Process Manufacturing
Enterprise Asset Management
> Member Oracle Industry Advisory Board
Process Manufacturing
Industrial Manufacturing
High Tech Manufacturing
Hitachi Consulting's Oracle Practice
> Global Reach with Local Focus
Hitachi Ltd. is one of the top 15 Business and IT consultancies in the world
Hitachi Consulting was formed from the Grant Thornton and Arthur Andersen Business Consulting Practices.
Full service consultancy inclusive of IT infrastructure, Supply Chain, Change Management, and Enterprise Application Deployment.

> Oracle Practice
Our national Oracle practice grew at 60% last year while our Southeast Oracle practice grew by over 170%.
Experience working with Oracle Development by being first implementers of 11i Process Manufacturing (with Order Management, iStore and Purchasing), Flow Manufacturing and WMS.
Member of Oracle's Field Advisory Board for Flow Manufacturing, Advanced Planning and Scheduling, Warehouse Management, and Process Manufacturing.
Full service Oracle 11i solution offering from audit through reimplementation.

> Tool Sets
Significant investment in Oracle-centric implementation tools and methods including the development of our AIM Plus methodology.
Collaborative approach working with customers, Oracle Sales and Oracle Development.

> Track Record
Current and completed Oracle implementations in the Southeast:
Ames True Temper
World Fuel Services
Angelica Textile Services
Manheim
Fidelity National Financial
Fidelity Information Services
Lender Processing Services
EMS Technologies
Equifax
Internet Security System (ISS)
Internap
Tekelec
Welding Services

Abstract

> The Oracle Governance, Risk, and Compliance (GRC) Enterprise Solution is an effective tool that businesses can use to improve IT security and help insure against fraud, negligence, and other corporate vulnerabilities. Companies that implement a GRC package will observe an enhancement of corporate governance, comprehensive risk mitigation, and a significant reduction in audit and compliance costs.
> GRCC serves as the foundational core of Oracle's GRC Enterprise Solution and works with two higher-level components, the GRC Manager and GRC Intelligence.
> The foundation for Oracle's GRC Enterprise Solution is the GRC Controls Suite, an embedded, linked set of modules that can be used to safeguard sensitive corporate information. The modular components are organized around specific duties that can be operated both independently and in conjunction with one another.

2010 Developments in the GRC Space
> 89% of risk professionals surveyed reported investments in GRC
technology will increase or stay the same in 2010 *
> 62% said the current financial crisis has increased the priority of
enterprise-wide risk management *
> AMR reports after a two-year period of decline, GRC spending
growth returns in 2010, by expanding to nearly $30B **
> In May 2008, Standard and Poor's announced a plan to include
enterprise risk management (ERM) assessments into individual
corporate credit ratings of nonfinancial companies. These plans are
intended to be enacted in 2010 ***

* OpenPages 2009 Survey of over 50 strategic risk, governance and finance professionals. (marketwire.com)
** AMR November 2009 GRC in 2010: $29.8B in Spending Sparked by Risk, Visibility, and Efficiency
*** Standard & Poor's, RatingsDirect, Progress Report: Integrating Enterprise Risk Management Analysis Into Corporate Credit Ratings

Why GRC?
> What Types of Problems are we solving?
> Example 1: Clerk at NYSE-traded food sector corporation was able
to change bank account info without cross-check; $10MM
transferred before fraud was discovered. *
> Consequences: $10MM frozen pending litigation; public
confidence shaken due to notoriety.
> Example 2: NYSE-traded energy sector corporation applied a
production patch that reset vendor tolerances, and didn't notice the
change for nine months. *
> Consequences: Their internal audit team had to do extensive
work to prove there were no abuses, and their external auditors
performed substantial transaction examination.

* Research per Oracle. Numbers are derived from Oracle customer testimonials and 3rd party studies, like those cited in
Compliance Weekly or PwC.

Common GRC Challenges in the Client Space
> No Standardized Policies and Procedures
No appropriate standard framework for audit and compliance activities
Inconsistent audit plans, work paper methodologies, etc.
> No Real Time Visibility and Communication w/Data
Transactions occurring daily within the business
Fields or configurations that are changed by Users
> Non-Standard Information
Multiple legacy systems with disparate uses and different architectures
No common platform for reporting and consolidation
> Cost of Compliance Activities
Cumbersome and manual process to audit
Many man hours chasing paper
> No Clearly Defined Roles and Responsibilities
Roles within the business are unclear
Responsibility for audit and accountability for system functions are blurred

* Per Oracle.

How GRC Simplifies Internal Controls

> Single Source: Multiple GRC activities working together
GRC Intelligence: Dashboards, Reports, Alerts, Key Risk Indicators
> Automation: Proactive response to mitigate risk
GRC Manager: Controls, Processes, Risks, Assessments, Issues, Procedures, Remediation, Policies
> Embedded Controls: Provide real time monitoring and management
GRC Applications: Application Access Controls Governor, Transaction Controls Governor, Configuration Controls Governor, Preventive Controls Governor
> Seeded Content: Out of the box policies and templates
Applications and EBS Infrastructure
The GRCC Compliance Framework

> Builds a values-driven culture that improves worker productivity and resource management
> Minimizes corporate risk by controlling access to sensitive areas of business
> Simplified and flexible responses to conflicts of interest and other HR concerns
> Establishes a company's reputation as a compliance leader and empowers it to fulfill its strategic vision

GRCC (Platform)

> Composed of two GRC Application Controls modules:
Application Access Controls Governor (AACG): Regulates access to duties assigned in Oracle E-Business Suite
Transaction Controls Governor (TCG): Detects and prevents erroneous and fraudulent transactions

> Shared Administrative Functions (AACG 8.5, TCG 8.5):
Connects modules to E-Business Suite
Takes snapshots of transactional data
Integrates with other GRC applications (PCG, GRCM, GRCI)

AACG Enforcement Process

> Define: Define Access Policies, Access Points, and Entitlements
Ex. Enter supplier vs. payment
> Detect: Use Conflict Analysis Tools to Identify Policy Violations
Ex. SOD violations and undesired user access
> Remediate: Resolve Conflicts by Cleaning up the EBS
Ex. Removing a responsibility from a user in the EBS
> Prevent: Preventive Enforcement through User Provisioning Tool
Ex. Synchronization with PCG Form Rules

Access Policies Insuring Segregation of Duties

> Access policies identify responsibilities and duties that conflict
> Policies are composed of:
Access points: Object that allows a user to do something (ex: roles, responsibilities, etc.)
Entitlements: Groupings of access points
(Diagram: an Access Policy is built from Access Points grouped into Entitlements)

SOD Control Library
ERP             Policies        Effective Date
Oracle 11.5.1   216 Policies
Oracle R12      232 Policies

* Each policy is comprised of several sub-policies and controls based on complexity; the sum total is over 3,000 per ERP

Finding Conflicts

> Evaluate security protocols
> Identify policy violations
> Use the Visualization to analyze conflict paths
The visualization tool provides a graphic representation of the conflict spreadsheet
> See how users, menus, and responsibilities all connect
> Identify Conflicting Roles, Responsibilities, & Users

Remediation

> Accessible Conflict Reporting: graphic representation of a firm's operating structure
> Users can remove a privilege path and find the remediation plan
> Provides a "what if" analysis, which automatically simulates a remediation plan
> Heat Map tables built by AACG help identify key risk indicators
> Builds a step-by-step remediation plan to follow
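As an added illustration of the Define, Detect and Remediate steps on the preceding slides (example code written for this page, not Oracle AACG code or Hitachi material), the following Python models access points, entitlements and two-sided SOD policies, lists each user's conflict paths (intra-responsibility paths included) and runs a "what if" check on removing one responsibility. Every responsibility, user and policy name is constructed.

```python
"""Segregation-of-duties conflict analysis in the style of AACG.
Example code for this page; all data below is constructed."""
from itertools import product

# Constructed: each responsibility grants a set of access points (forms/functions).
RESPONSIBILITIES = {
    "AP_SUPPLIER_ENTRY": {"Enter Supplier", "Update Supplier"},
    "AP_PAYMENTS": {"Enter Payment", "Approve Payment"},
    "AP_INQUIRY": {"View Supplier", "View Payment"},
    "GL_JOURNALS": {"Enter Journal", "Post Journal"},
}

# Entitlements group access points so that policies stay short.
ENTITLEMENTS = {
    "Maintain Suppliers": {"Enter Supplier", "Update Supplier"},
    "Make Payments": {"Enter Payment", "Approve Payment"},
    "Enter Journals": {"Enter Journal"},
    "Post Journals": {"Post Journal"},
}

# A policy names two entitlements that one user must not hold together.
POLICIES = {
    "SOD-01 Supplier vs Payment": ("Maintain Suppliers", "Make Payments"),
    "SOD-02 Enter vs Post Journal": ("Enter Journals", "Post Journals"),
}

# Constructed users with their assigned responsibilities.
USERS = {
    "jdoe": {"AP_SUPPLIER_ENTRY", "AP_PAYMENTS"},   # inter-responsibility conflict
    "asmith": {"AP_SUPPLIER_ENTRY", "AP_INQUIRY"},  # clean: inquiry only on the other side
    "bkim": {"GL_JOURNALS"},                        # intra-responsibility conflict
}


def access_paths(user_resps):
    """Map each access point to the responsibilities that grant it to this user."""
    paths = {}
    for resp in user_resps:
        for point in RESPONSIBILITIES.get(resp, ()):
            paths.setdefault(point, set()).add(resp)
    return paths


def find_conflicts(user_resps):
    """Return {policy: [(resp_a, point_a, resp_b, point_b), ...]}.
    A conflict path pairs a responsibility granting a point on side A of a
    policy with one granting a point on side B (the same responsibility may
    appear on both sides: an intra-responsibility conflict)."""
    paths = access_paths(user_resps)
    conflicts = {}
    for policy, (ent_a, ent_b) in POLICIES.items():
        side_a = [(r, p) for p in ENTITLEMENTS[ent_a] for r in paths.get(p, ())]
        side_b = [(r, p) for p in ENTITLEMENTS[ent_b] for r in paths.get(p, ())]
        found = [(ra, pa, rb, pb) for (ra, pa), (rb, pb) in product(side_a, side_b)]
        if found:
            conflicts[policy] = found
    return conflicts


def analyze_all(users=USERS):
    """Conflict analysis over every user; users with no violation are omitted."""
    results = {user: find_conflicts(resps) for user, resps in users.items()}
    return {user: c for user, c in results.items() if c}


def what_if_remove(user, resp, users=USERS):
    """Simulate removing one responsibility (the 'what if' remediation) and
    return the policies that would still be violated afterwards."""
    return sorted(find_conflicts(users[user] - {resp}))


if __name__ == "__main__":
    for user, conflicts in analyze_all().items():
        for policy, paths in conflicts.items():
            print(user, policy, paths)
    print("jdoe after removing AP_PAYMENTS:", what_if_remove("jdoe", "AP_PAYMENTS"))
```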

Preventive Enforcement - User Provisioning

> Automatically applies access policies to each user assigned responsibilities in the
EBS
> Activating responsibilities requires a Conflict Analysis to run to confirm that no
violations occur

New responsibility is
automatically end-dated

Transaction Controls Governor

> Models classify transactional risk
Key on specific tables that need to be monitored
Filters, patterns, and functions specify parameters
Drag and drop business objects to create models
Identify filter types and set thresholds
(Diagram: Business Objects and Filters & Patterns combine into Models)

Model Workbench

> Reports identify Who, What, When and Where a violation occurred
> Manage multiple models from the Model Workbench
> Schedule synchronization jobs to ensure accuracy

Transaction Real World Examples
> Test against Material Thresholds
JE > $ threshold
Employee Checks (individual & sum) > $ threshold
> Search for Anomalies
PO terms differ from vendor
Sales orders > acceptable $ range
> Sampling of Transactions
4th quarter invoices
Days sales outstanding balances
> Detect Fraudulent Behavior
PO changes after approval
Duplicate suppliers with same address
> Embed Preventive / Automated Compensating Controls
Alert on customer transactions over $ threshold
Prevent journals from being entered and posted by same individual

* Per Oracle.
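The model types listed above, as an added example written for this page (not Oracle TCG code): each function is one filter or pattern over constructed rows that stand in for journal, supplier and purchase-order tables, and run_models() gathers the suspects the way a suspect report would list them. Table shapes, names and amounts are invented.

```python
"""Transaction-monitoring models of the kind TCG builds from business
objects, filters and thresholds. Example code for this page; the rows
below are constructed and only loosely modelled on EBS tables."""
from collections import defaultdict

JOURNALS = [  # (je_id, amount, created_by, posted_by)
    ("JE-100", 250000.0, "ckent", "lhill"),
    ("JE-101", 1200000.0, "bwayne", "bwayne"),  # entered and posted by one user
    ("JE-102", 9000.0, "ckent", "ckent"),
]
SUPPLIERS = [  # (vendor_id, name, address)
    ("V1", "Acme Supply Co", "12 Main St, Atlanta GA"),
    ("V2", "ACME SUPPLY CO.", "12 main st, atlanta ga"),
    ("V3", "Globex", "9 Elm Ave, Austin TX"),
]
PO_CHANGES = [  # (po_number, field, old, new, changed_at, approved_at)
    ("PO-7", "amount", 5000, 5900, "2010-01-20", "2010-01-15"),  # after approval
    ("PO-8", "amount", 100, 120, "2010-01-10", "2010-01-15"),    # before approval
]


def normalize(text):
    """Collapse case, punctuation and whitespace so near-duplicate addresses match."""
    kept = "".join(c for c in text.lower() if c.isalnum() or c == " ")
    return " ".join(kept.split())


def journals_over_threshold(journals=JOURNALS, threshold=1_000_000.0):
    """Material-threshold filter: JE amount > $ threshold."""
    return [je for je, amount, _, _ in journals if amount > threshold]


def journals_entered_and_posted_by_same_user(journals=JOURNALS):
    """Compensating control for an SOD gap: creator and poster are one person."""
    return [je for je, _, creator, poster in journals if creator == poster]


def duplicate_suppliers_same_address(suppliers=SUPPLIERS):
    """Group vendors by normalized address; any group of two or more is a suspect."""
    by_address = defaultdict(list)
    for vendor_id, _, address in suppliers:
        by_address[normalize(address)].append(vendor_id)
    return [sorted(ids) for ids in by_address.values() if len(ids) > 1]


def po_changes_after_approval(changes=PO_CHANGES):
    """Pattern: a change timestamped after the PO's approval date
    (ISO-8601 date strings compare correctly as text)."""
    return [po for po, _, _, _, changed_at, approved_at in changes
            if changed_at > approved_at]


def run_models():
    """Run every model and return its suspects keyed by model name."""
    return {
        "JE > $1M": journals_over_threshold(),
        "JE entered and posted by same user": journals_entered_and_posted_by_same_user(),
        "Duplicate suppliers, same address": duplicate_suppliers_same_address(),
        "PO changed after approval": po_changes_after_approval(),
    }


if __name__ == "__main__":
    for model, suspects in run_models().items():
        print(f"{model}: {suspects}")
```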
Preventive Controls Governor
> Set of applications that run within Oracle EBS as a component of the GRC Application Suite
> Four sets of rules:
Form Rules: Modifies security, navigation, field and data properties
Flow Rules: Defines & implements business processes
Audit Rules: Tracks changes to the values of fields in database tables
Change Control: Regulates changes to the values of fields in EBS forms.

Form Rule Capabilities

Hidden Field
Modify Security Settings
Field Required
Create Messages
Edit Messages
Edit Background
Edit Field Properties
Edit Prompt
Hide Field Data

Audit Rules

> Document changes to database field values


Old vs. New Values
Transaction Type (Insert, Update or Delete)
User Responsible for Change
Timestamp

Change Control

> Ensure Data Integrity
> Regulate changes to fields in EBS forms
> Set approval and reason code requirements for enforced management
Enable visual attributes to identify controlled fields
Build reason codes to clarify why a change occurred

Configuration Controls Governor (CCG)

> Monitor setup data in Oracle EBS
Compare across multiple instances and different points in time
Identify differences between ERP instances.
Maintain Data Consistency
Standardize and resolve any problems before a rollout
Reports available in PDF, HTML, & Excel formats

CCG Content Libraries

> CCG comes with seeded content libraries for EBS R12
> Monitors over 550+ setup configurations
> Organized around three Oracle EBS Applications:
BASE ENGINE: Common Modules, Alert, Application Object Library, System Administration
FINANCIALS: Payables, Receivables, General Ledger, Subledger Accounting, Legal Entity Configurator, E-Business Tax
PROCUREMENT: iProcurement, Purchasing

Change Tracking Reports

> Change Tracking Reports are presented in an easily accessible format
> Users and administrators can monitor before-and-after values, responsible user, and time stamps (Where? Who? What? When?)

GRC Application Controls

> Who's accessing your apps?
Application Access Controls Governor
> What have they changed?
Preventive Controls Governor
Configuration Controls Governor
> Am I financially safe?
Transaction Controls Governor

* Per Oracle.

Existing Hitachi Consulting GRC Client
> $9M Oracle R12 Financials and Process and Manufacturing implementation
spanning 18 countries
> 60+ Legal Entities
> 40+ Consultants
> Modules Include:
Financials: General Ledger, SLAM, Accounts Payables, Accounts
Receivables, eBTax, Project Accounting, Cash Management, Treasury,
Fixed Assets, Advanced Collections
Manufacturing: Inventory, OPM Costing, Bill of Material, WIP, Quality
Procurement: Purchasing, Purchasing Contracts, AME
Order Management: Order Management, Advanced Pricing, Shipping,
Sales Contracts
Supply Chain Mgmt: ASCP
Governance, Risk and Compliance: AACG, TCG, PCG, CCG
Hitachi Consulting Client - GRC Pain Points

GRC Pain Points | Hitachi GRC Solution

1 Lack of Compliance Framework
Tone at the Top epitomized a lack of focus toward compliance
No formal, consistent, across-the-board set of policies
No structured Audit Committee

2 Poor Tech Integration
Disparate Legacy Systems
Inadequate monitoring and testing of technology systems
No controls automation

3 Weak Internal Controls
Lack of formal roles and responsibilities
No Segregation of Duties
Lax IT security

4 Stove Piping
Information Silos across different Legal Entities/Operating Units
No global remediation procedure
Lack of compliance reporting

5 Inability to Audit Daily Transactions
No continuous controls monitoring
No Audit Trail
No view of configuration changes

GRC Methodology and Planning

GRC Methodology and Planning

AACG
Segregation of Duties Policy Load
User Provisioning
Detection and remediation of SODs
Conflict Reports: Report on Intra and Inter Responsibility conflicts
Implementation Activities:
User Provisioning Process Review
Review Oracle Seeded Content Load (Out-of-Box Policies)
SOD Detection and Remediation
Run User Conflict Reports and Heat Maps
Finalize ERP Responsibilities

PCG
Form Rules i.e. limiting access to a field
Flow Rules i.e. approval rule, informational message on trigger
Audit Rules i.e. track changes
Change Control Rules i.e. reason code as to why a field is changed
Implementation Activities:
Review Future State Business Processes
Review each Oracle module with Client SME and Audit Manager for key fields

CCG
Set subscribers
Control spreadsheet with seeded content (1500 Rules)
Snapshots i.e. capturing specific setup/configuration info
Comparisons i.e. comparing snapshots between ledgers, operating units, instances
Change Tracking i.e. monitor any change to configuration
Implementation Activities:
Review all EBS configurations
Decide what key configuration setups to snapshot
EBS seeded content libraries
Define comparisons
Track changes
Schedule all CCG activities (daily, weekly, monthly)

TCG
Business Objects i.e. Tables and fields within EBS Suite
Parameters i.e. Filters, Patterns and Functions
TCG Models i.e. string of business objects that generate suspects
Implementation Activities:
Review Future State Business Processes
Define Models Using Business Objects
Identify Potential Suspects
Reporting reviewed by Audit Team

A Layered Defense
> Social Security Number field
AACG Enforce Segregation of Duties to limit access to HR Responsibility
TCG Automated Suspect Report identifying all HR violations
CCG Track Changes to HR Configuration (Who, What, Where, When)
PCG Hide SS # field and Alert Compliance Department to any changes


Lessons Learned
> Ensure Audit Director/Manager is empowered by the business to make the
important decisions
> A deep understanding of Oracle eBusiness Suite is vital to guarantee GRCC
success
> Promote a cooperative relationship between the Client Teams to encourage
the free flow of ideas
> Plan for dedicated DBA Time for GRC Installations
> Accurate Test Data and Accurate Responsibilities are required for AACG,
TCG, and PCG to be successful test events
> SQL skills are required for the comprehensive implementation of PCG
> Operating Units, Ledgers, Legal Entities, and Responsibilities have to be in
a fit state to make GRC design effective and accurate

Lessons Learned - GRC Architecture

Questions?

Andy Pope
Manager
Hitachi Consulting
www.hitachiconsulting.com
Mobile: 678.463.9622
apope@hitachiconsulting.com

Kevin Mims
Senior Manager
Hitachi Consulting
www.hitachiconsulting.com
Mobile: 404.664.8122
kmims@hitachiconsulting.com

Ryan Henderson
GRC Specialist
Hitachi Consulting
www.hitachiconsulting.com
Mobile: 512.771.3361
rchenderson@hitachiconsulting.com

Paul Steffen
Manager
Hitachi Consulting
www.hitachiconsulting.com
Mobile: 678.665.3389
Office: 678.627.4940
psteffen@hitachiconsulting.com
