
Streamline SoX Compliance & Segregation of Duties (SoD) using Oracle ERP Cloud [CAS 5818]

Didier Chabrerie, Orange
John O’Connell, Hudson Bay Corporation
Rick Hargarten, Oracle
Aman Desouza, Oracle
October 22, 2018

Copyright © 2018, Oracle and/or its affiliates. All rights reserved. | Confidential – Oracle Internal/Restricted/Highly Restricted 1
Safe Harbor Statement
The preceding is intended to outline our general product direction. It is intended for
information purposes only, and may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality, and should not be relied upon
in making purchasing decisions. The development, release, and timing of any features or
functionality described for Oracle’s products remains at the sole discretion of Oracle.

Introductions
Get to know your panelists

Didier Chabrerie, Chief Compliance Officer for Finance, Orange
John O’Connell, Vice President, Finance Transformation & Systems, HBC
Rick Hargarten, Sr. Director, Financial Governance & Compliance, Oracle
Program Agenda

1 Introduction
2 Oracle: Case Study
3 Orange: Case Study
4 Hudson Bay Company: Case Study
5 Q&A + Wrap-Up

Built-in Risk Management for ERP & HCM Cloud

Financials • Procurement • Risk Management • Human Capital Management • Project Portfolio Management
Continuous security, transaction & configuration analysis • Audit & compliance workflows
Common User Experience & Interface
Common User Security, Data Model, Application Administration, Updates & Patches
Common Extensibility Tools – Page Composer & Flex Fields


Risk Management Solutions

Accelerate ERP & HCM deployments
• Get started in hours
• Eliminate manual analysis tasks
• Activate library of 100+ packaged rules
• Certify users with sensitive access

Continuous security & compliance monitoring
• SOD, Security, Privacy and User Access Controls
• Fraud Detection – AP, expenses & payroll Controls
• Configuration Change Tracking – suppliers, bank# etc.
• SOX certifications & GDPR Compliance Management

Components: Secure Role Design • Deep SOD Analysis • Certify Before Go-live (Advanced Access Controls) • Dashboards & Alerts • Compliance Workflows • User Access Certifications • Advanced Transaction Controls • Advanced Configuration Controls
Built-In Risk Management Solutions

Who can get into your systems? What can they really do?
Secure Role Design • Deep SOD Analysis • Sensitive Access Certification
Access & SOD Challenges: Getting to the Details

Application user access points: USER – JOB ROLE – DATA ROLE
Other important attributes:
• Abstract Role
• Data Dimensions: Business Unit, Data Access Set, ERP/HCM Data Role
• Duty Role
• Functional Privileges
Built-In Risk Management Solutions

1. Before Go-Live: Accelerate deployments
Who can get into your systems? What can they really do? – Secure Role Design, Deep SOD Analysis, Sensitive Access Certification
• Get started in hours
• Eliminate manual analysis tasks
• Activate library of 100+ rules
• Certify users with sensitive access

2. ASAP: Continuous security & compliance monitoring
What do people actually do? Is it appropriate or unusual? – Advanced Configuration Controls, Advanced Transaction Controls
Streamline compliance [SoX, GDPR etc]; engage executives with the risk dashboard – Compliance Workflow (SOX, GDPR etc)
• SOD, Security, Privacy & Access Controls
• Fraud Detection – AP, expenses & payroll
• Configuration Change Tracking – suppliers, bank# etc.
• SOX certifications & GDPR Compliance
Program Agenda – 2 Oracle: Case Study


Rick Hargarten
Senior Director, Financial Governance & Compliance, Oracle
• Rick Hargarten heads Financial Governance and Compliance at Oracle. He leads a global team that
assesses financial reporting risks, partners with business units to develop control processes, continuously
evaluates the scope and effectiveness of compliance programs, monitors strategies to remedy control
deficiencies, and reports status to the Board and executive management. He provides leadership and
technical guidance for Oracle's compliance with PCAOB, Sarbanes-Oxley (SOX), and other country
financial control requirements.
• Prior to joining Oracle, Rick gained diverse experience in a number of financial and risk management
roles in industry, including financial system implementation, financial planning and analysis, technical
accounting and financial reporting, business assessment and audit, as well as assurance services with
Ernst and Young.
• Rick is a Certified Public Accountant and holds Master in Professional Accounting and Bachelor of
Business Administration degrees from the University of Texas at Austin.



Oracle Corporation: Business Background

Public / Global / Multinational
Over 430,000 customers in 175 countries
FY18 annual revenue of $40 billion
Financial Governance and Compliance team collaborates with over 350 Global Process Owners supporting 37 global processes
[Figure: Financial Reporting (SOX) Compliance – Good Corporate Governance – Transparent Financial Reporting]

Internal control enhances the reliability of financial reporting and helps to ensure that financial statements are free from major misstatements. This is important because stakeholders such as business owners, investors and lenders all rely on financial reports to make decisions.
Oracle Financial Governance and Compliance Strategy
A Holistic Risk Management Solution

Deploy Risk Management Cloud concurrently with Financials Cloud
• Financial Reporting Compliance: define perspectives, risks, controls, assessments
• Advanced Access Controls: automate user access / segregation of duties analysis
• Advanced Financial Controls: automate transaction analysis
Risk Management Cloud is part of the Oracle ERP Cloud
Drivers for Change
Greater Efficiency, Better Information, More Influence

• Single data repository replaces dozens of Excel workbooks maintained by multiple governance teams in disparate folders
• Standardized approach supports global assessment of common controls, specific country controls, and acquired company controls
• Consistent platform facilitates collaboration and information sharing among control owners and governance teams, supporting centralized risk management
• Unlike cumbersome, manual compliance processes, an automated solution is scalable for new lines of business, data analytics, and user access and segregation of duties analysis
Next Step
Streamlining Segregation of Duties Analysis

• Integrated with user access privileges granted in ERP Cloud – no external interface needed to access user entitlements
• Selectable pre-built segregation of duties controls and visualization of access conflicts
• Automated solution provides greater efficiency, effectiveness, and scalability over manual processes to identify conflicting duties
• Integrated analysis to identify potentially improper transactions from users with conflicting duties
Program Agenda – 3 Orange: Case Study


Didier Chabrerie
Director of Internal Accounting Control, Orange
Advanced experience in accounting, notably management of people, implementation of organization, processes and systems. Highly focused on delivery of results and change management. Close to operations. International context, as well as requirements of a listed company and M&A projects. Also in charge of finance for the holding, with operational support. Anticipation of the future accounting job-line environment: organization (SSC, BPO...), methods (automation...), system (ERP such as Oracle ERP cloud) and performance oriented. Design of internal control framework, both ITGC and accounting area, in a Sarbanes-Oxley environment. Pioneer for SaaS solutions such as Oracle's Financial Reporting Compliance Cloud Service (FRC).
CAS5818 – Streamline SOX compliance and segregation of duties using Oracle ERP cloud
Oracle Open World 2018
Didier Chabrerie
Orange, an international telecommunication company for B2C and B2B

Our Essentials2020 strategy: offer customers an unmatched experience
Our fixed and mobile networks: 450,000 km of submarine cables; 3.3 million Fibre to the Home customers; 4G in 18 countries
Orange Money: 29 million customers in 14 countries
Orange operates in 29 countries and provides end-to-end connectivity services to 220 countries through Orange Business Services
Our people: 155,000 employees (including 96,000 in France)
Our brand: the world’s 51st most valuable
Our innovation: 6,844 patents held
Our customers: 263 million
Streamline SOX compliance and segregation of duties using Oracle ERP cloud: why?

Monitoring of risk and compliance through a better exploitation of data
Moving from detection to prevention:
– Governance
– Control
– Alert
Show the evidence that risks are under control (GRC must embed analytics)
[Figure: Risks – Data – Events]
Streamline SOX compliance and segregation of duties using Oracle ERP cloud: where are we now?

H2 2017 – FRC implementation for AP and FA processes in French SSC – done
H2 2018 – Use cases on Advanced for AP process (test only, 18c in November) – on-going
Q4 2018 – FRC implementation for GL process in French SSC – on-going
2019 – Sarbanes-Oxley certification in FRC environment for French SSC
2019 – Automation of controls using Advanced Financial Controls
Streamline SOX compliance and segregation of duties using Oracle ERP cloud: experience and lessons learnt

• On premise vs cloud
• Forget the past
• Question the way you are working
• Change vs success
• Field commitment
• Show results

• Quick vs slow
• Step by step
• End-to-end approach

Next step: real time framework – how the machine will help, learning from data?

Thank you
Program Agenda – 4 Hudson Bay Company: Case Study


John O’Connell
Vice President, Finance Transformation & Systems, HBC
• John O’Connell leads the Finance transformation strategy and the execution of organization, process and
systems renewal across Hudson’s Bay Company. Initiatives under the Finance strategy span all areas of
Finance and range from the tactical to the strategic.
• In the context of today’s session, John’s responsibilities around GRC are twofold:
1. GRC design & implementation - as the Finance executive responsible for the roll-out of Fusion ERP
across HBC’s businesses, John leads the enterprise design of all modules, including GRC, and ensures
realization of business objectives (e.g. strategic alignment, compliance and cost reduction); and
2. Business owner for GRC – John leads the team that has operational responsibility for Fusion,
including access; roles/SOD; reporting and quarterly Audit attestations.
• Prior to joining HBC, John gained diverse experience in a number of industries and financial roles,
including shared services, outsourcing, financial system implementation, analytics & reporting, etc.
HBC’s Fusion Cloud Journey
• HBC is moving from 4 legacy ERP ‘eco-systems’ to a single Cloud ERP
 – GL (incl. new common Chart of Accounts); Cash Management; AR; and AP/Portal (incl. new common vendor master, new vendor portal);
 – GRC implementation in tandem with the other Finance modules;
 – We are halfway through (went live with our Canadian businesses in September).
• GRC is a key component of our design & North American implementation
 – Advanced Access Controls
 – Advanced Financial Controls
 – Financial Reporting Compliance
• Our design and focus on GRC also encompasses two upcoming streams:
 – HCM & Payroll (Payroll is a Finance function in HBC); and
 – Fixed Assets and Capital Projects


Segregation of Duties Approach
• Leverage the process flows & narratives, incl. key controls, by process area;
• Early review with functional owners of their organization models / teams – understand current SoD & identify opportunities to drive change;
• Building block approach – work from the ground up (functional & data):
 – Privileges + Aggregate Privileges
 – Duty Roles
 – Job Roles / Data Roles
• Test & Re-Test – do they work as designed / any unintended consequences?
• GRC Reporting – dashboards, reports, audit testing (ongoing Compliance);
• Evolve – new quarterly releases are key to improving SoD (data/reporting)


Segregation of Duties – the Journey
• Our rolling approach to go-lives is enabling us to build on the basics
• Includes not only the next ERP wave, but HCM-Payroll and Capital as well;
• Over the course of the next 6 months we will continue to expand on AFC and AAC to enhance SoD and compliance monitoring/management:
 – Expand data access controls as more business objects are available (e.g. GL);
 – Leverage new seeded AP roles (18C) to reduce customization;
 – Expand visual dashboards, reports and use of Access Model playground
• Have a governance process with the Business – engage early in potential Org redesigns / process improvements to include SoD/roles review/build;
• Drive is proactive monitoring and engagement, not reactive to Audit.


Program Agenda – 5 Q&A + Wrap-Up


Oracle Risk Management Customers [customer logos]
Oracle Risk Management User Forums
Conference presentations, product updates, training materials, Q&A etc.
cloudcustomerconnect.oracle.com

Oracle Risk Management – Learn More
Get started, documentation, release notes, training.
Guided Tours • Path to Success • Training • Personal Guidance • User Documentation • Release Readiness • Forum

Secure Role Design
• Run analysis as you configure custom roles
• Speed up ERP implementations
• Start using analysis in hours
• Choose from 100+ pre-built security rules
• Build Job Roles without inherent risk
• Minimize intra-role SOD risk
• Poorly designed roles are the #1 reason for audit findings after go-live


Deep SOD Analysis
• Meet SoD and SOX testing requirements for AP, AR, GL, Payroll, Compensation, etc.
• Minimize ability to commit fraud
• Monitor access to sensitive or private data
• Choose from 100+ pre-built security rules
• Configure custom rules quickly
• Deep privilege-level analysis
• Simulate the impact of possible fixes
• Manage exceptions to closure
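The privilege-level analysis this slide describes, applied to the building-block role model from HBC's SoD approach (privileges carried by duty roles, duty roles inherited by job roles, job roles held by users), as an added example that is not Oracle's code. The role names, privilege names, users and the two SoD rules are constructed for illustration; the intra-role flag is the "intra-role SOD risk" of the Secure Role Design slide, and simulate_removal is the what-if for a proposed fix.

```python
# Privilege-level SoD analysis over a role hierarchy. The roles, privileges and
# rules below are constructed for illustration, not Oracle's seeded roles or rules.
from collections import defaultdict

DUTY_ROLES = {  # duty role -> functional privileges
    "Supplier Maintenance": {"CREATE_SUPPLIER", "UPDATE_SUPPLIER_BANK_ACCOUNT"},
    "Invoice Entry": {"CREATE_PAYABLES_INVOICE"},
    "Invoice Inquiry": {"VIEW_PAYABLES_INVOICE"},
    "Payment Processing": {"CREATE_PAYMENT"},
}
JOB_ROLES = {  # job role -> inherited duty roles
    "AP Specialist": {"Invoice Entry", "Invoice Inquiry"},
    "Supplier Admin": {"Supplier Maintenance"},
    "AP Manager": {"Invoice Entry", "Payment Processing"},  # conflict inside one role
}
USERS = {"alice": {"AP Specialist", "Supplier Admin"}, "bob": {"AP Manager"}, "carol": {"AP Specialist"}}
# A rule fires when a user holds any privilege from side A and any from side B.
SOD_RULES = [
    ("Maintain supplier vs enter invoice",
     {"CREATE_SUPPLIER", "UPDATE_SUPPLIER_BANK_ACCOUNT"}, {"CREATE_PAYABLES_INVOICE"}),
    ("Enter invoice vs create payment", {"CREATE_PAYABLES_INVOICE"}, {"CREATE_PAYMENT"}),
]

def effective_privileges(job_roles):
    """Map each reachable privilege to the (job role, duty role) paths that grant it."""
    grants = defaultdict(set)
    for job in job_roles:
        for duty in JOB_ROLES.get(job, ()):
            for priv in DUTY_ROLES.get(duty, ()):
                grants[priv].add((job, duty))
    return grants

def analyze_user(user, job_roles, rules=SOD_RULES):
    """One finding per violated rule; intra_role marks both sides granted by one job role."""
    grants = effective_privileges(job_roles)
    findings = []
    for name, side_a, side_b in rules:
        hit_a = {p: grants[p] for p in side_a if p in grants}
        hit_b = {p: grants[p] for p in side_b if p in grants}
        if hit_a and hit_b:
            jobs_a = {job for paths in hit_a.values() for job, _ in paths}
            jobs_b = {job for paths in hit_b.values() for job, _ in paths}
            findings.append({"user": user, "rule": name, "side_a": hit_a, "side_b": hit_b,
                             "intra_role": bool(jobs_a & jobs_b)})
    return findings

def analyze(users=USERS):
    """Run every rule over every user; the result is the SoD work queue."""
    return [f for user, roles in users.items() for f in analyze_user(user, roles)]

def simulate_removal(user, job_role, users=USERS):
    """What-if for a proposed fix: re-run the analysis with `job_role` revoked."""
    return analyze_user(user, users[user] - {job_role})
```

Bob's finding is intra-role, so revoking a role is the only fix short of redesigning "AP Manager"; Alice's is inter-role and clears when either of her two job roles is removed.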



Sensitive Access Certification
• Meet SOX certification requirement
• Simple workflow to certify users that have access to sensitive functions
• Replace spreadsheet- and email-based compliance tasks
• Scope sensitive ERP roles and users for approval by process owners
• Approve, remove or investigate users with high-risk access



Advanced Configuration Controls
• Continuously monitor ERP configurations
• Track ERP master data changes
• Automate risk-based change-tracking
– Multiple changes to a Bank Account in 24 hours
– Multiple changes to a sensitive role in a single day
– Changes to GL intercompany rules
• Filter based on thresholds like frequency and amount
• Configure 200+ setups across AP, AR, GL etc.
• Manage exceptions using simple workflows
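The first two change-tracking patterns on this slide, frequency thresholds over a change log, as an added example that is not Oracle's product logic. The audit-trail layout, the object types and the sample log lines are constructed for illustration (the first three lines show a bank account changed, reverted and changed again within a day); both controls are implemented as a sliding window.

```python
# Risk-based change tracking over an ERP configuration/master-data audit trail.
# The log lines and field layout are constructed for illustration, not Oracle's schema:
# timestamp,user,object_type,object_id,attribute,old_value,new_value
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2018-10-01T09:12:00,alice,SUPPLIER_BANK_ACCOUNT,SUP-1001,ACCOUNT_NUMBER,****1234,****9876
2018-10-01T17:40:00,alice,SUPPLIER_BANK_ACCOUNT,SUP-1001,ACCOUNT_NUMBER,****9876,****1234
2018-10-02T08:05:00,bob,SUPPLIER_BANK_ACCOUNT,SUP-1001,ACCOUNT_NUMBER,****1234,****5555
2018-10-03T10:00:00,carol,SUPPLIER_BANK_ACCOUNT,SUP-2002,ACCOUNT_NUMBER,****0001,****0002
2018-10-05T11:00:00,dave,ROLE,AP Manager,DUTY_ADDED,,Payment Processing
2018-10-05T11:02:00,dave,ROLE,AP Manager,DUTY_REMOVED,Payment Processing,
2018-10-05T23:59:00,dave,ROLE,AP Manager,DUTY_ADDED,,Payment Processing
"""

def parse_log(text):
    rows = []
    for line in text.strip().splitlines():
        ts, who, obj_type, obj_id, attr, old, new = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "user": who, "type": obj_type,
                     "id": obj_id, "attr": attr, "old": old, "new": new})
    return rows

def burst_changes(rows, obj_type, min_changes, window):
    """Flag each object of obj_type that received >= min_changes within a sliding window."""
    by_obj = defaultdict(list)
    for r in rows:
        if r["type"] == obj_type:
            by_obj[r["id"]].append(r)
    alerts = []
    for obj_id, changes in by_obj.items():
        changes.sort(key=lambda r: r["ts"])
        for i, first in enumerate(changes):
            inside = [c for c in changes[i:] if c["ts"] - first["ts"] <= window]
            if len(inside) >= min_changes:
                alerts.append({"id": obj_id, "type": obj_type, "count": len(inside),
                               "users": sorted({c["user"] for c in inside}),
                               "start": first["ts"], "end": inside[-1]["ts"]})
                break  # one alert per object; the reviewer sees all changes in it
    return alerts

def run_controls(rows):
    """The two frequency-based controls named on the slide, with constructed thresholds."""
    # Multiple (here: 2+) changes to the same bank account within 24 hours
    bank = burst_changes(rows, "SUPPLIER_BANK_ACCOUNT", 2, timedelta(hours=24))
    # Multiple (here: 3+) changes to a sensitive role within one day
    roles = burst_changes(rows, "ROLE", 3, timedelta(days=1))
    return bank + roles
```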



Advanced Transaction Controls
• Continuously monitor ERP transactions
• Audit 100% of transactions
– POs, Invoices, Expense Line Items, Compensation, Payroll etc.
• Detect high-risk scenarios like Duplicate Invoices, ghost employees etc.
• Compose new algorithms using a visual workbench
• Use statistical techniques like clustering, anomaly detection and Benford’s law to uncover risk
• Manage exceptions using simple workflows
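The duplicate-invoice scenario named on this slide, as an added example that is not Oracle's control logic. The invoice records, their field layout and the 7-day window are constructed for illustration; the point is that a re-keyed invoice number ("A-00123" vs "a00123") must be normalized before exact matching, and that a second, fuzzier test (same supplier and amount close in time) catches duplicates entered under a different number.

```python
# Duplicate-invoice detection over payables data. The invoices and field layout
# are constructed for illustration; they are not Oracle's payables schema or rules.
import re
from collections import defaultdict
from datetime import date, timedelta

INVOICES = [  # (invoice_id, supplier, invoice_number, amount, invoice_date)
    ("INV-1", "SUP-1001", "A-00123", 1250.00, date(2018, 9, 3)),
    ("INV-2", "SUP-1001", "a00123", 1250.00, date(2018, 9, 28)),  # same number, re-keyed
    ("INV-3", "SUP-1001", "A-00124", 1250.00, date(2018, 9, 5)),  # same amount, 2 days apart
    ("INV-4", "SUP-2002", "7781", 980.50, date(2018, 9, 10)),
    ("INV-5", "SUP-2002", "7782", 980.50, date(2018, 10, 20)),    # same amount, 40 days apart
    ("INV-6", "SUP-3003", "X-1", 42.00, date(2018, 9, 1)),
]

def normalize_number(raw):
    """Collapse the variants a re-keyed invoice number takes: case, punctuation, leading zeros."""
    return re.sub(r"[^A-Z0-9]", "", raw.upper()).lstrip("0")

def find_duplicates(invoices, window=timedelta(days=7)):
    """Return (invoice_a, invoice_b, reason) pairs from two tests:
    1. same supplier and same normalized invoice number;
    2. same supplier and amount, invoice dates no more than `window` apart."""
    by_number, by_amount = defaultdict(list), defaultdict(list)
    for inv in invoices:
        _, supplier, number, amount, _ = inv
        by_number[(supplier, normalize_number(number))].append(inv)
        by_amount[(supplier, round(amount, 2))].append(inv)
    findings = []
    for group in by_number.values():
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                findings.append((a[0], b[0], "same supplier and invoice number"))
    flagged = {frozenset((a, b)) for a, b, _ in findings}
    for group in by_amount.values():
        group.sort(key=lambda inv: inv[4])  # oldest first so date gaps are non-negative
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if b[4] - a[4] <= window and frozenset((a[0], b[0])) not in flagged:
                    findings.append((a[0], b[0], f"same supplier and amount within {window.days} days"))
    return findings
```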



SOX Certifications
• Document controls & test steps
• Scope assessments based on risk
• Automate periodic or ad-hoc control assessments
• Capture test results, evidence & comments
• Send automatic email notification to issue owners and approvers
