Oracle GRC General Session OpenWorld 2014
Copyright © 2014, Oracle and/or its affiliates. All rights reserved. |
Safe Harbor Statement: The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
Follow Us & join the conversation.
Oracle GRC Advanced Controls Group _______________________________________________________________
OracleAdvControls @OracleAdvCntrls
GRC Applications Strategy Update & Case Studies (GEN8193)
Sid Sinha, Oracle Application Development
John Budraitis, Pennsylvania Treasury
Patrick Ocana, Oracle Managed Cloud Services
PRESENTER: John Budraitis, Assistant Director, Bureau of Fiscal Review, Pennsylvania Treasury
• Over 20 years with Treasury Department
• Defines audit analytics, controls and procedures
• Lead business sponsor for GRC requirements
• BS Accounting, Pennsylvania State University
PRESENTER: Patrick Ocana, Senior Principal Security Architect, Oracle Managed Cloud Services
Over the last 5 years Patrick has led various efforts to successfully deploy Oracle GRC products across multiple lines of business and continues down the path of further leveraging GRC to help solve risk and compliance challenges for the Oracle Managed Cloud business. Patrick has over 20 years' experience in security function and compliance leadership for large global corporations and direct leadership experience in the deployment of large, complex information security systems and countermeasures. He also has in-depth experience in helping Federal Agencies and Department of Defense organizations comply with information security and audit requirements, with specific knowledge in the areas of information security, control reviews, enterprise systems development, NIST Standards and Federal information security and privacy regulations. He is a Certified Information Security Manager (CISM) and holds a B.S. in Information Systems from Colorado Technical University.
Program Agenda
1. GRC Strategy Update
2. CASE STUDY: Pennsylvania Treasury Department
3. CASE STUDY: Oracle Managed Cloud Services
4. Wrap-up
MANAGE RISK | REDUCE COSTS | IMPROVE CONTROLS
Strategic Priorities: Finance Executives (263 surveyed)
Survey question: Where does the procurement function need to get stronger?
[Bar chart, 0% to 50% axis, of the top five responses (#1 to #5): Audit/Control of Procurement, Risk Analysis, Cash Flow, Payable Exposure, Compliance]
Source: "Reaching New Heights: The Dividends of Collaboration between Finance and Procurement", published by CFO Publishing LLC, May 2012
Reality: Lack of Technology
OCEG SURVEY • 2014 GRC Technology Strategy Survey • www.OCEG.org: "How Organizations Approach and Adapt Their Technology Strategy for GRC"
• 70%: spreadsheets, documents, email & in-house solutions
• 30%: one or more commercial GRC solutions
70% of GRC professionals reported that they use spreadsheets, emails and custom report apps.
The lack of modern technology makes achieving goals challenging; the impact on FTEs is particularly significant.
"One financial services organization stated that 80% of their GRC staff resources were nothing more than document reconciles for reporting. [...] A mess they are aggressively trying to correct."
Drivers for Adopting New GRC Technology
OCEG SURVEY • 2014 GRC Technology Strategy Survey • www.OCEG.org: "How Organizations Approach and Adapt Their Technology Strategy for GRC"
When looking for new GRC technology, organizations indicate that the primary goals they aim to achieve are:
#1 INCREASE ANALYTICS & RAPID VISIBILITY OF RISK: "Complex risk and regulatory environments demand advanced capabilities of risk data integration and analytics to provide full situational awareness of risk"
#2 IMPROVE CONSISTENCY OF INFORMATION: "Organizations are realizing that good GRC requires good information; there is increasing focus on the integrity and consistency of GRC information"
#3 MEET NEW REGULATORY REQUIREMENTS: "Regulatory change has more than doubled in several industries over the past five years (e.g., banking, insurance, healthcare) and drives the organization to GRC technologies that enable regulatory intelligence and agility"
#4 REDUCE COSTS & IMPROVE PERFORMANCE: "When deploying new GRC technologies the organization is driven to reduce costs while increasing the performance of business operations"
Enterprise-wide Risk & Controls (CEO & Board of Directors, CFO, CIO)
• WORKFORCE RISK: Health & Safety, Corporate Policy, Talent Retention
• OPERATIONAL RISK: Supply Chain Risk, Competitive Risk, Sourcing Risk, Material & Hazard Risk, Environmental Risk, Product Quality
• LEGAL RISK: Legal & Regulatory, Litigation, IP & Copyright, Discovery Risk, Contract Risk
• IT RISK: Information Privacy, IT Asset Risk, Service Provider Risk, Disaster Recovery, Compliance Risk, Service Level
• FINANCIAL RISK: Financial Reporting, Compensation Risk, Fraud, Transaction Errors
Comprehensive Risk & Controls Mgmt.: Close the LOOP
1. BUSINESS RISKS (Assess Risk & Compliance): Identification, Analysis, Evaluate
2. CONTROL OBJECTIVES (Continuous Improvement & Monitoring): Document, Assessments, Reviews
3. CONTINUOUS MONITORS (Detect & Fix Issues): Author, Execute, Investigate
A Unified Platform: Enterprise Risk and Controls Foundation
Flexible
• Graphical Authoring
• Detect and Prevent
• Access, Transactions, Setups
Data Driven
• 100% of Transactions
• Manage by Exception
• Pattern Analysis
Comprehensive
• Multiple GRC Projects
• From Documentation to Test
• Closed Loop Approach
Platform layers (applies to custom or legacy applications as well):
• Dashboards, Reports and Alerts: Notifications, Worklists, Email, Perspectives, Search
• Risk, Controls & Compliance Management: Reviews, Documentation, Assessments, Remediation, Surveys
• Continuous Controls & Risk Monitoring: Setups, Access, Master Data, Audit Tests, Transactions
• User Authored Controls, Data Connectors, Fraud & Error Patterns
• Role Based Access Security; Web Services & APIs
Meeting Mission Critical Goals with GRC
1. PLATFORM: UNIFIED GRC Foundation
2. DATA DRIVEN: ADVANCED CONTROLS with Big Data Analytics
3. EMBEDDED: ENFORCE POLICIES with Web Services
Enterprise Data Graph: ALL USERS, ALL SYSTEMS, ALL TRANSACTIONS
SECURITY | SETUP | MASTER DATA | TRANSACTIONS
BILLIONS OF NODES & RELATIONSHIPS
Big Data Analytics: CONNECTING THE DOTS
GRC Platform APIs
GRC Platform Web Services (detection → action):
• Duplicate Invoice → Stop Payment
• Split Purchase Order → Put PO on hold
• Expense Report Violation → Notify T&E Auditor
• Vendor & Employee Collusion → Alert Procurement Manager
• Vendor Master Duplicates → Inactivate Record
APPLICATIONS: CRM | ERP | HCM | SCM
INSTANCES: PRIVATE CLOUD | PUBLIC CLOUD | GLOBAL DATA CENTER | LOCAL DATA CENTER
PROCESS: HIRE TO RETIRE | ORDER TO CASH | PROCURE TO PAY | RECORD TO REPORT
Manager APIs
• RISK SERVICES: Create Risk, Update Risk, Copy Risk, Risk List Query, Risk Query, Add Risk Analysis, Add Risk Evaluation, Risk By Perspective Name Query
• ISSUE WEBSERVICES: Create Issue, Update Issue, Issue Query, Issue List Query
• PROCESS WEBSERVICES: Create Process, Update Process, Copy Process, Process Query, Process List Query
• PERSPECTIVE WEBSERVICES: Perspective List Query, Perspective Query
• USER-DEFINED ATTRIBUTE WEBSERVICES: User Defined Attribute Query
• MANAGER CONTROL WEBSERVICES: Create Manager Control, Update Manager Control, Copy Manager Control, Manager Control Query, Manager Control List Query
• ASSESSMENT WEBSERVICES: Assessment Result Query, Update Assessment Result
• IMPORT / EXPORT WEBSERVICES: EGRCM Import, EGRCM Export
Controls APIs
• CONTROL DEFINITIONS: Control List Query Request, Control Query Request, Entitlement List Query Request, Entitlement Query Request
• AUTHENTICATION: Digest Access Authentication, Basic Authentication
• SYSTEM SOURCE DATA: Data Source List Request, User List Query Request, User Query Request
• GRC ANALYSIS SERVICES: Conflict Analysis Request, Analysis Summary Query, Conflict List Query Request, Model Analysis Request, Model Suspect Query, Control Incident Query, Update Control Incident, User Provision Request, Provisioning Approvals Query, Provisioning Approval Confirmation, Issue Override Update, Data Analytics Schema Request, Initialise ETL Request
ORACLE GRC Innovation Award: Winner 2014, Pennsylvania Treasury
Highlights:
• Preventive: expected savings of $100 million
• Comprehensive: largest payment graph
• Integrated: seamless within ERP
PENNSYLVANIA TREASURY: Treasury Transformation with GRC Advanced Controls
John Budraitis, CPA, Assistant Director, Bureau of Fiscal Review
PENNSYLVANIA TREASURY: Organization Overview
Rob McCord, State Treasurer
• 30M payments worth more than $75Bn last fiscal year
• $15B in State assets managed by IT systems
• Unclaimed Property: collected $265 million and returned over $116 million, generating nearly $148 million for the General Fund in FY 13-14
• New records: PA 529 College Savings Program reaches nearly $3 billion in assets, serving 186,000 accounts as of June 30, 2014
• $100M average annual savings by preventing erroneous payments
FISCAL REVIEW: Background
• 50 employees
• 60 Commonwealth agencies
• 25 source systems
• Many TIME SENSITIVE payments with less than 10 days to review & process
Section 1501 of the fiscal code requires all agencies to submit payment requests to State Treasury.
Section 1502 of the fiscal code requires payment requests to be audited in accordance with GAAS, and if they appear lawful and correct, Treasury will issue a warrant for payment.
FISCAL REVIEW: Objectives
• All payments by the Commonwealth of PA reviewed by Fiscal Review
• Detect duplicate and incorrect payments
• 30 million transactions, $75 billion in spending per year
• Maintain audit checklists
• Accumulate audit error & savings information
STRATEGIC PRIORITIES For Fiscal Review Team
① Replace Aging Legacy System
② Modernize Technology Platform For Continuous Improvements
③ Implement Additional Audit Controls
④ Increase Savings For PA Taxpayers
⑤ Prevent Error, Waste & Fraud
BEFORE Treasury Transformation Project
Various Submission Formats
• Electronic with payment details (i.e., vendor number, invoice number etc.)
• Electronic with only payee information
• Paper – manually entered by Treasury to create payments
Audit Methodology
• Randomly selected based on dollar thresholds
• Review of external reports to manually select
• Manual review of paper documentation
BEFORE Treasury Transformation Project
Flow: Agencies (60 agencies, 25 systems, legacy) → Payment Requests → Fiscal Review Team → Payment Requests → LEGACY PAYMENT SYSTEM
Fiscal Review Team audit approach:
• Sampling
• Threshold-based audit
TREASURY TRANSFORMATION: Objectives
① Provide 100% audit coverage
② Target high-risk areas
③ Quickly analyze large volume of data
④ Greater audit selection capability as audit issues arise
DEPLOYMENT CHALLENGES
• DIFFERENT DATA TYPES provided by each source system
• Multiple SOURCE SYSTEMS: few sources are ERP systems
• VARIED REQUIREMENTS as to when payments must be made
TREASURY TRANSFORMATION With GRC + PeopleSoft
GRC Advanced Controls (used by the FISCAL REVIEW TEAM):
• Graph updates
• Map Reduce enabled – 4+ dedicated machines
• Control analysis
• Linux
• Oracle DB
← GRC CONNECTOR for PeopleSoft →
PEOPLESOFT FINANCIALS (New Payment System): GRC places a HOLD on auto payments; PeopleSoft RELEASE; DAILY graph update
AGENCY PAYMENT REQUESTS: 60 agencies, 25 source systems (legacy)
KEY CONTROLS: Examples
• Duplicate Invoice
• Similar Invoice Numbers, Same Vendor
• Invoices Ending In An Alpha Character
• First Time Payments For Contract / Purchase Order
• Resubmission Of Previously Rejected Payments
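The five controls listed above are detective checks that a fiscal reviewer runs against a payment request before it is released. The following is an added illustration in Python, not code from the presentation, from Oracle, or from the Pennsylvania Treasury: it models a payment request as a small record (the field names, the invoice-number normalization rule, the one-edit "similar" threshold and the sample data are all assumptions made for the example), runs each control against paid and rejected history plus the rest of the current batch, and returns which requests would be placed on hold and why.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PaymentRequest:
    """One agency payment request (constructed schema; field names are assumptions)."""
    request_id: str
    vendor_id: str
    invoice_number: str
    amount: float
    po_number: Optional[str] = None   # contract / purchase-order reference, if any
    status: str = "pending"           # "pending", "paid" or "rejected"


def normalize_invoice(inv: str) -> str:
    """Canonical invoice key (assumed rule): uppercase, separators removed and
    leading zeros of each digit run dropped, so 'inv 0001', 'INV-001' and 'INV1'
    all map to 'INV1'."""
    core = re.sub(r"[^A-Z0-9]", "", inv.upper())
    return re.sub(r"(?<![0-9])0+(?=[0-9])", "", core)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; drives the 'similar invoice number' control."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def review_payments(history: List[PaymentRequest],
                    batch: List[PaymentRequest]) -> Dict[str, List[str]]:
    """Run the five detective controls over a batch of pending requests.
    Returns {request_id: [control names]} for every request that should be
    held for a fiscal reviewer instead of auto-released."""
    pool = [h for h in history if h.status == "paid"]          # already paid
    rejected = [h for h in history if h.status == "rejected"]  # previously refused
    seen_pos = {h.po_number for h in pool if h.po_number}      # POs paid before
    flags: Dict[str, List[str]] = {}
    for r in batch:
        hits: List[str] = []
        key = normalize_invoice(r.invoice_number)
        same_vendor = [normalize_invoice(p.invoice_number)
                       for p in pool if p.vendor_id == r.vendor_id]
        # 1. exact duplicate of a paid invoice for the same vendor
        if key in same_vendor:
            hits.append("duplicate_invoice")
        # 2. one edit away from a paid invoice number of the same vendor
        elif any(edit_distance(key, k) == 1 for k in same_vendor):
            hits.append("similar_invoice_same_vendor")
        # 3. invoice number ends in a letter (often a re-keyed or altered number)
        if r.invoice_number and r.invoice_number[-1].isalpha():
            hits.append("invoice_ends_in_alpha")
        # 4. first payment ever made against this contract / purchase order
        if r.po_number and r.po_number not in seen_pos:
            hits.append("first_payment_on_po")
        # 5. same vendor + invoice was rejected earlier and is being resubmitted
        if any(x.vendor_id == r.vendor_id and
               normalize_invoice(x.invoice_number) == key for x in rejected):
            hits.append("resubmission_of_rejected")
        if hits:
            flags[r.request_id] = hits
        # later requests in this batch are compared against this one as well
        pool.append(r)
        if r.po_number:
            seen_pos.add(r.po_number)
    return flags


# Constructed sample data (not real Treasury records).
HISTORY = [
    PaymentRequest("H1", "V100", "INV-001", 1200.00, "PO-77", "paid"),
    PaymentRequest("H2", "V100", "INV-002", 500.00, None, "paid"),
    PaymentRequest("H3", "V200", "A551", 75.00, None, "rejected"),
]
BATCH = [
    PaymentRequest("R1", "V100", "inv 0001", 1200.00, "PO-77"),  # duplicate of H1
    PaymentRequest("R2", "V100", "INV-003", 500.00),             # one edit from INV-001/002
    PaymentRequest("R3", "V300", "9981A", 2500.00, "PO-90"),     # alpha suffix, new PO
    PaymentRequest("R4", "V200", "A-551", 75.00),                # rejected earlier
    PaymentRequest("R5", "V400", "77", 10.00),                   # clean
]

if __name__ == "__main__":
    for rid, reasons in review_payments(HISTORY, BATCH).items():
        print(f"HOLD {rid}: {', '.join(reasons)}")
```

Requests with no hits flow through to auto-release; anything with a hit is held, which is the hold-and-release split between GRC and the payment system shown in the architecture slide. Normalization is deliberately aggressive so that re-keyed invoice numbers collide; the one-edit threshold is a tuning choice and will need a false-positive review on real volumes.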
First Time Payment: Contract or Purchase Order (screenshot of the control)
FUTURE EXPANSION PLANS
① Split Payments
② Payment Requests Already Paid Via pCard
③ Payments To Debarred Vendors
④ A/P Payments To Commonwealth Employees
⑤ Payments To Prisons / High-risk Addresses
⑥ Payments To Vendors, No Procurement In Place
⑦ Unallowable Expenses (Gifts, Donations, Etc.)
SUMMARY
§ GRC Advanced Controls is 'Mission Critical' for Treasury
§ $75 billion spend & 30 million transactions mandated to be reviewed
§ Enable continuous improvements for upstream agency processes
"We are a fiscal watchdog that ensures tens of billions of dollars in payments are lawful and correct." – Rob McCord, State Treasurer
Oracle Managed Cloud Services Case Study
Agenda
① ABOUT MANAGED CLOUD SERVICES
② AUDIT AND COMPLIANCE [Project 1]
③ DELIVERY ASSURANCE [Project 2]
About Oracle Managed Cloud Services
Subscription-based, enterprise-grade Cloud Services
• 550+ global customers
• 5.34 billion database transactions per hour
• 41+ petabytes of managed storage
Oracle personnel manage the environment, including execution of key IT controls in collaboration with the customer.
IT Risk Priorities
§ STANDARDIZE the management of internal assessments of Oracle's Managed Cloud Services using a centralized system to facilitate consistent process and workflow.
§ REPOSITORY for all controls, risks and frameworks to facilitate reporting and identification of common controls and leverage points. Example frameworks: SOX, HIPAA, ISO 27001, ISO 27002, SOC 1, SOC 2, PCI, etc.
§ MAINTAIN a history of information and changes throughout the life of the assessments.
§ Provide control owners with a consistent interface and list of open items that need action.
§ Provide business users a streamlined approach for managing issues and their remediation through completion.
§ REDUCE overall auditing COST.
Control Management Flow
CONTROLS LOADED: SOX, HIPAA, ISO 27001, ISO 27002, SOC 1, SOC 2, PCI, etc.
Audit cycle: Initiate Audit Cycle → Audit Field Work → Record Audit Results (Audit Test Assessment) → Manage Control / Owner Verifies Control (Certify Assessment) → Request Evidence (Operational Assessment) → Resolve Issues
CONTROL MANAGEMENT
– The Audit and Compliance GRC is built around the control object.
– Use Navigator → Manage Control to view or edit existing controls.
CONTROL MANAGEMENT / Managing Revisions
• Complete history of changes: change authors identified | timestamp | details about the changes
• Version review & comparison: select "Compare from Versions" to view differences in documents
PERSPECTIVES
Key Perspectives:
- Compliance Framework
- Owner
Control relationships are established in a hierarchy. It is important that they are assigned correctly, as the hierarchy is the main driver for security.
PERSPECTIVES: Framework Perspectives – HIPAA – ISO – SOC 1 – SOC 2
Assessment Flow (same audit cycle: Initiate Audit Cycle → Audit Field Work → Record Audit Results (Audit Test Assessment) → Manage Control / Owner Verifies Control (Certify Assessment) → Request Evidence (Operational Assessment) → Resolve Issues)
ASSESSMENTS: Types
Batch:
- Used for selecting all or some of the controls in a framework
- Assessment plans used to define specific controls for the assessment
- Controls can be excluded manually prior to initiation if needed
Ad-hoc:
- Initiated from within the control
- Good for handling a retest of a single request, such as a new evidence request from auditors
ASSESSMENTS: Activities PREDEFINED IN GRC
• Audit Test: record 3rd-party audit results
• Certify: control owner verifies the control is correct and operating
• Operational Assessment:
- Tasks for evidence and population requests assigned to and completed by the control owner
- Test plans used as the method to record specific evidence requirements
ASSESSMENTS: Sample screen of what a Control Owner sees when logging into GRC, showing that there is a Certify assessment that needs completion
Issue Management Flow (same audit cycle: Initiate Audit Cycle → Audit Field Work → Record Audit Results (Audit Test Assessment) → Manage Control / Owner Verifies Control (Certify Assessment) → Request Evidence (Operational Assessment) → Resolve Issues)
ISSUE MANAGEMENT: An issue can be raised from various places in the application. In this case, it is being raised from an assessment.
ISSUE MANAGEMENT: The issue will appear under the control in the Issue tab, as shown here. All issues are also available through Issue Management and will show in the control owner's worklist upon creation.
ISSUE MANAGEMENT: Upon closure, the issue requires a reason, and a comment may also be entered to show what was done.
DELIVERY ASSURANCE - Business Objectives
HEALTHCHECKS
• Assess individual engagements to identify unmitigated risk
• Recommend actions to mitigate these risks
• Report these findings & recommendations to OMCS senior management
• Track recommended actions to completion
CONTINUOUS IMPROVEMENTS
• Identify systemic issues impacting profitability or customer satisfaction
• Develop & shepherd initiatives to address these systemic issues
• Track progress of initiatives to completion
MAINTAIN & LEVERAGE DATA
• Maintain repository of Healthcheck & Continuous Improvement Initiative activities
• Leverage repository to: identify systemic issues; improve oversight of remediation activities; enhance management view of OMCS risks
DELIVERY ASSURANCE - GRC Implementation
APPROACH: Bottom-Up vs. Top-Down
• Risks & mitigations accumulated at engagement level
• Consolidate detailed data & analyze to identify systemic issues / risks
CONFIGURE GRC to meet our needs (mapping of Healthcheck concepts onto GRC objects):
• Customer = Process Object
• Healthcheck Results = Ad Hoc Assessment
• Healthcheck Findings = Issue Object
• Healthcheck Recommendations = Remediation Object
IMPLEMENTATION: Phased
• Repository for CSDA / GRM Healthcheck data
• Reporting capabilities
• Action item tracking
• Continuous Improvement Initiatives
Customer Object
Healthcheck Results – Ad Hoc Assessment
Healthcheck Findings – Issue Object
Healthcheck Recommendations – Remediation Object
GRC is Mission Critical for ORACLE Cloud
• Key differentiator for Oracle Cloud
• Maintains high levels of security and reliability
• Meets multiple compliance mandates
• Results relied on by hundreds of customers
Wrap-up
Meeting Mission Critical Goals with GRC: 1. PLATFORM: UNIFIED GRC Foundation; 2. DATA DRIVEN: ADVANCED CONTROLS with Big Data Analytics; 3. EMBEDDED: ENFORCE POLICIES with Web Services
GROWING Customer Base Across All Sectors: HEALTHCARE, SERVICES, COMMUNICATIONS, ENERGY, MINING / EXPLORATION, RETAIL, LOGISTICS, GOVERNMENT / EDUCATION, INDUSTRIAL, TECHNOLOGY SERVICES
TUESDAY: Oracle GRC Advanced Controls
SESSIONS:
• 11:30 am, ID # 8203: Stop the Financial Leakage and Cure the Drought in Profits – Olympic Room, Westin
• 4:45 pm, ID # 8210: Doing Your ERP Implementation / Upgrade Right with Oracle Advanced Controls Solutions – Olympic Room, Westin
IOFM Workshop (LOCATION: Hotel Palomar, 4th & Market):
• 9:45 am: The Top Twenty Internal Controls for Accounts Payable. Presenter: Chris Doxey, CAPP, CCSA, CICA, CPC. Length: 90 minutes. CPE credits: 1.5. Zeum Room, 8th floor, Palomar
SPEAKERS: Chris Doxey, CAPP, CCSA, CICA, CPC – Executive Director, IOFM; author and leading industry expert
Contact: Dane Roberts [email protected]
WEDNESDAY: Oracle GRC Advanced Controls
SESSIONS:
• 10:00 am, ID # 8207: Stop the Fraudster! Set the Tone at the Top and Prevent Fraud with Oracle Advanced Controls – Olympic Room, Westin
• 2:45 pm, ID # 8200: Do You Really Know What Your Users Can Do—or Maybe Have Done? – Franciscan I Room, Westin
IOFM Workshop (LOCATION: Hotel Palomar, 4th & Market):
• 10:45 am: How Your Vendor Master File is Critical to GRC and Compliance. Presenter: Jon Casher. Length: 90 minutes. CPE credits: 1.5. Zeum Room, 8th floor, Palomar
SPEAKERS: Jon Casher, Ph.D. – President, Casher Associates; leading industry expert & consultant
Contact: Dane Roberts [email protected]
THURSDAY: Oracle GRC Advanced Controls
SESSIONS (LOCATION: Westin, 3rd & Market):
• 10:15 am, ID # 8208: Achieve a Quicker and Compliant Financial Close with Oracle Governance, Risk, Compliance – Olympic Room, Westin
• 12:45 pm, ID # 8154: Controlling for Multiple ERP Systems with Oracle Advanced Controls – Olympic Room, Westin
• 2:45 pm, ID # 8213: How Your Vendor Master File is Critical to Governance, Risk Management and Compliance – Olympic Room, Westin
MEET EXPERTS & DEMO GROUNDS: Oracle GRC
• 5:00 pm WEDNESDAY, ID # MTE 8487: Meet the Governance, Risk, and Compliance Experts – Metropolitan III Room (LOCATION: Westin, 3rd & Market)
• ID # 4250 Demo Station: Oracle Fusion Governance, Risk, and Compliance Advanced Controls – MONDAY 9:45–6:00, TUESDAY 9:45–6:00, WEDNESDAY 9:30–3:45 (LOCATION: Moscone West)
IOFM Workshop - The Top Twenty Controls for Accounts Payable: The Foundation for GRC
Speaker: Chris Doxey, CAPP, CCSA, CICA, CPC
Description: The integrity of AP results is directly influenced by the functions of securing and qualifying sources of supply; initiating requests for materials, equipment, merchandise, supplies, or services; obtaining information as to availability and pricing from approved suppliers; placing orders for goods or services; receiving and inspecting or otherwise accepting the material or merchandise; accounting for the proper amounts due to suppliers; and processing payments in a controlled and efficient manner. This workshop will provide the Top Twenty Controls that can be implemented to protect the integrity of your AP process.
Agenda:
• Your Internal Controls and Fraud Prevention Primer
• Internal Controls and Risk Models
• Everything You Need to Know About Fraud
• Three Critical Corporate Controls
• Identifying the Flags that Indicate Accounts Payable Risk
• The Top Twenty Internal Controls for Your Accounts Payable Process
• Standards of Internal Control
• When Internal Controls Are Not Enough
• Trends in Internal Control Processes
• What To Do If You Suspect A Fraud
• Case Study
• Q&A
Chris has held senior finance and controller positions at Digital Equipment Corporation, Compaq Computer Corporation, Hewlett Packard, MCI, APEX Analytix, and BSI Healthcare. She has a bachelor's degree in English, a bachelor's in accounting, a master's in business administration, and a graduate certificate in project management. Chris is currently a management consultant in the areas of compliance, auditing, internal controls, and fraud prevention. Chris also serves as the Executive Director of the IOFM Controller Certification Program.
Chris is a Certified Accounts Payable Professional (CAPP), holds a Certification in Controls Self Assessment (CSA), and is a Certified Internal Controls Auditor (CICA). She has also written a controller's best practices guide, numerous articles, and several whitepapers. Chris has published two handbooks: AP Leadership Skills and Implementing a Controls Self Assessment Program for Accounts Payable. She presents at several conferences and provides a multitude of webinars each year. Chris is a member of the Institute of Internal Auditors (IIA), the Institute of Internal Controls (The IIC), and the Institute of Financial Operations (IFO). She is a member of the advisory board for The IIC and is president of the Washington DC area chapter for The IIC.
When: Tuesday, September 30 from 9:45 to 11:15 AM. Location: Zeum Room, Hotel Palomar, 4th & Market St. CPE credits: 1.5.
Sponsored by Oracle GRC: contact [email protected] for invitation
IOFM Workshop - How Your Vendor Master File is Critical to GRC
Speaker: Jon Casher, PhD
Description: Your vendor master file is a strategic resource. Managing it is key to many governance, risk management, policy and regulatory compliance issues. The need for complete and accurate vendor information is usually understood. However, the requirements, costs and benefits are often not well known. When done properly, collecting and maintaining accurate vendor information saves money, reduces fraud and helps leverage vendor relationships.
Agenda:
• Key ownership issues
• Appropriate restrictions and controls
• Federal, state and international laws and regulations that need to be addressed
• The costs of bad or incomplete data
• Standards and guidelines you should use
• How to verify and authenticate vendors and vendor information
• How to set up new vendors and manage changes
• Review, triggers and controls to enhance regulatory compliance and minimize fraud
• Specific resources that you should draw on
• Metrics that you should implement as part of your vendor management process
• Q&A
Jon Casher is a serial entrepreneur. He founded Casher Associates in 1976 to design and develop custom financial systems and back office automation. He co-founded CM Associates, provider of financial industry software products, in 1985. Jon then co-founded RECAP, an A/P audit firm, in 1988. He was a director of a NASDAQ company from 2000-2006 and head of its audit committee from 2002-2006.
Jon's current focus is to provide consulting and subject matter expertise to the following clients:
• Finance, AP, AR and Procure-to-Pay (P2P) organizations
• Providers of AP, AR and P2P automation products and services
Jon works with his clients to deliver educational content, webinars, workshops, and whitepapers focused on financial transaction automation and best practices.
When: Wednesday, October 1 from 10:45 to 12:15. Location: Zeum Room, Hotel Palomar, 4th & Market St. CPE credits: 1.5.
Sponsored by Oracle GRC: contact [email protected] for invitation
Follow Us & join the conversation.
Oracle GRC Advanced Controls Group _______________________________________________________________
OracleAdvControls @OracleAdvCntrls
SOLUTION SHOWCASE: GRC Integration with IDM & MDM
Customers now have the ability to link their GRC strategy and processes with their MDM process and security requirements in one integrated approach. OneGlobe is the first global Oracle partner to develop an integrated solution and extensible platform that links Oracle Advanced Controls (OAC) to both Oracle's Identity Management (IDM) and Master Data Management (MDM) solutions for the Oracle EBS environment.

During this one-hour session OneGlobe will discuss the underlying solution architecture and demonstrate three use cases which highlight the value that can be achieved through the solution. Use Case 1 will highlight the direct linkage of IDM to OAC, providing value through the reduction of manual effort required to determine appropriate user access rights through IDM. Use Case 2 will demonstrate process automation of customer master data: sales, credit and finance functions usually require a lot of manual intervention in setting up and maintaining a customer, and we will show how this can be automated, decreasing labor and errors in the process. Use Case 3 will show how companies can also institute granular access and authorization controls on the customer creation process through our solution.

About OneGlobe: OneGlobe is one of six global certified OAC partners and the first to develop an OAC-to-IDM as well as an OAC-to-MDM solution. As time permits we will also discuss how some of our clients are achieving increased value from their OAC implementation.
Oracle Open World 2014 Tuesday, September 30, 2014 | 2:30 p.m.–3:30 p.m. Hotel Palomar Zeum Room
Reducing Retail Shrink Through the Use of Advanced Controls

Featured Speakers
Ivor O'Neill, Director, KPMG LLP
Brad Straw, Director, KPMG LLP
Join two of KPMG's industry leaders to learn more about how leading organizations are leveraging Advanced Controls to address the operational and financial challenges associated with retail shrink.

Inventory shrinkage (or shrink) is the loss of products between the point of manufacture or purchase from a supplier and the point of sale. Shrink is an ongoing issue for retailers, costing them billions of dollars each year. Even a small year-over-year decrease in the percentage of shrink has a substantial impact on a retailer's bottom line.

With the onset of advanced data analytics capabilities, the ability to more accurately detect, predict and minimize shrink is greatly improved. On an upcoming Oracle webcast, KPMG LLP will review ways to use data analytics platforms, such as Oracle Advanced Controls Suite, to identify and quantify shrink risks in your organization.

Oracle Advanced Controls Suite can be leveraged to:

• track manual changes to inventory levels

• identify transactions where ERP inventory controls are overridden

• tag duplicate, potentially fraudulent master data irregularities for additional review

• identify irregularities with dummy SKUs

• monitor interstore transfers

• require additional approvals for accounting changes impacting shrink
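The detection rules listed above, as an added example that is not Oracle Advanced Controls or KPMG code: a small Python script that runs equivalent checks over constructed inventory-adjustment, interstore-transfer and item-master records. The record layout, the 25-unit independent-approval threshold, the "DUMMY"/"MISC" description heuristic and all sample rows are assumptions made for the illustration; a real deployment would read these from the ERP's adjustment, transfer and item tables.

```python
"""Toy continuous-controls-monitoring rules for retail shrink.

Added example; not Oracle's or KPMG's code. Record layout, thresholds
and sample rows are constructed assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Adjustment:
    adj_id: str
    sku: str
    store: str
    qty: int            # signed change to on-hand quantity
    source: str         # "POS", "RECEIVING", "CYCLE_COUNT" or "MANUAL"
    entered_by: str
    approved_by: str    # "" when no approval was recorded
    override: bool      # True when an ERP edit check was bypassed


@dataclass(frozen=True)
class Transfer:
    xfer_id: str
    sku: str
    from_store: str
    to_store: str
    qty_shipped: int
    qty_received: int


# Constructed sample data (assumption): one clean row per source plus the
# failure modes the rules are meant to catch.
ADJUSTMENTS = [
    Adjustment("A1", "SKU-100", "S01", -5, "POS", "clerk1", "", False),
    Adjustment("A2", "SKU-100", "S01", -40, "MANUAL", "mgr1", "mgr1", False),    # self-approved
    Adjustment("A3", "SKU-200", "S02", -120, "MANUAL", "clerk2", "", True),      # override, no approval
    Adjustment("A4", "SKU-300", "S02", 10, "CYCLE_COUNT", "clerk2", "sup1", False),
    Adjustment("A5", "SKU-999", "S01", -15, "MANUAL", "clerk1", "sup1", False),  # dummy SKU
]
TRANSFERS = [
    Transfer("T1", "SKU-100", "S01", "S02", 50, 50),
    Transfer("T2", "SKU-200", "S01", "S03", 30, 18),  # 12 units missing in transit
]
SKU_MASTER = {
    "SKU-100": "Widget 10mm",
    "SKU-101": "WIDGET 10MM",   # same item re-keyed under a second SKU
    "SKU-200": "Bracket",
    "SKU-300": "Cable",
    "SKU-999": "MISC / DUMMY",
}

# Assumed policy: manual adjustments larger than this need an independent approver.
MANUAL_QTY_THRESHOLD = 25


def flag_adjustments(adjs):
    """Manual changes, overridden ERP controls and segregation-of-duties breaks."""
    findings = []
    for a in adjs:
        if a.override:
            findings.append((a.adj_id, "ERP_CONTROL_OVERRIDDEN"))
        if a.source == "MANUAL":
            if abs(a.qty) > MANUAL_QTY_THRESHOLD and not a.approved_by:
                findings.append((a.adj_id, "MANUAL_ADJ_UNAPPROVED"))
            if a.approved_by and a.approved_by == a.entered_by:
                findings.append((a.adj_id, "SELF_APPROVED"))
    return findings


def flag_dummy_skus(adjs, master):
    """SKUs that are unknown to the item master or look like placeholder items."""
    bad = set()
    for a in adjs:
        desc = master.get(a.sku, "").upper()
        if a.sku not in master or "DUMMY" in desc or "MISC" in desc:
            bad.add(a.sku)
    return sorted(bad)


def duplicate_descriptions(master):
    """Group SKUs whose descriptions collide after normalising case and whitespace."""
    groups = defaultdict(list)
    for sku, desc in master.items():
        groups[" ".join(desc.upper().split())].append(sku)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def transfer_variances(xfers):
    """Interstore transfers where shipped and received quantities disagree."""
    return [(t.xfer_id, t.qty_shipped - t.qty_received)
            for t in xfers if t.qty_shipped != t.qty_received]


def manual_change_by_user(adjs):
    """Net manual quantity change per user, a triage view for the review queue."""
    totals = Counter()
    for a in adjs:
        if a.source == "MANUAL":
            totals[a.entered_by] += a.qty
    return dict(totals)


if __name__ == "__main__":
    print(flag_adjustments(ADJUSTMENTS))
    print(flag_dummy_skus(ADJUSTMENTS, SKU_MASTER))
    print(duplicate_descriptions(SKU_MASTER))
    print(transfer_variances(TRANSFERS))
    print(manual_change_by_user(ADJUSTMENTS))
```

Each function returns findings rather than printing them so the rules can be fed into a case-management queue; the self-approval check is the same segregation-of-duties test that an access-controls engine would express as a conflicting-entitlements rule.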
Oracle Open World 2014 Tuesday, September 30, 2014 | 12:30 p.m.–2:00 p.m.
DEMOgrounds: Moscone West, Station ID WCL-003
Specialized Partners

Increase your Return On Investment

• Get more from Advanced Controls: Specialists address more of your needs with Advanced Controls' many capabilities

• Increase your organization's effectiveness: Specialists help you embed Advanced Controls in your business processes

• Accelerate your implementation: Specialists guide and support you during planning, implementation and go-live
Safe Harbor Statement
The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.