Oracle GRC General Session OpenWorld 2014

Copyright © 2014, Oracle and/or its affiliates. All rights reserved.

Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Follow Us & join the conversation.
Oracle GRC Advanced Controls Group
OracleAdvControls
@OracleAdvCntrls

GRC Applications Strategy Update & Case Studies (GEN8193)
Sid Sinha, Oracle Application Development
John Budraitis, Pennsylvania Treasury
Patrick Ocana, Oracle Managed Cloud Services

PRESENTER:
John Budraitis
Assistant Director, Bureau of Fiscal Review
Pennsylvania Treasury
• Over 20 years with Treasury Department
• Define Audit Analytics, Controls and Procedures
• Lead Business Sponsor for GRC Requirements
• BS Accounting, Pennsylvania State University

PRESENTER:
Patrick Ocana
Senior Principal Security Architect
Oracle Managed Cloud Services
Over the last 5 years Patrick has led various efforts to successfully deploy Oracle GRC products across multiple lines-of-business and continues down the path of further leveraging GRC to help solve risk and compliance challenges for the Oracle Managed Cloud business. Patrick has over 20 years' experience in security function and compliance leadership for large global corporations and direct leadership experience in the deployment of large complex information security systems and countermeasures. He also has in-depth experience in helping Federal Agencies and Department of Defense organizations comply with information security and audit requirements. He has specific knowledge in the areas of information security, control reviews, enterprise systems development, NIST Standards and Federal information security and privacy regulations. He is a Certified Information Security Manager (CISM) and holds a B.S. in Information Systems from Colorado Technical University.

Program Agenda
1 GRC Strategy Update
2 CASE STUDY: Pennsylvania Treasury Department
3 CASE STUDY: Oracle Managed Cloud Services
4 Wrap-up

MANAGE RISK
REDUCE COSTS
IMPROVE CONTROLS

Strategic Priorities: Finance Executives
263 SURVEYED
Survey question: Where does the procurement function need to get stronger?
[Bar chart: five ranked responses (#1 to #5) on a 0% to 50% axis. Categories shown: Audit/Control of Procurement; Risk Analysis; Cash Flow; Payable Exposure; Compliance.]
Reaching New Heights: The Dividends of Collaboration between Finance and Procurement is published by CFO Publishing LLC, May 2012

Reality: Lack of Technology
OCEG SURVEY • 2014 GRC Technology Strategy Survey • www.OCEG.org
HOW ORGANIZATIONS APPROACH AND ADAPT THEIR TECHNOLOGY STRATEGY FOR GRC
70%: SPREADSHEETS, DOCUMENTS, EMAIL & IN-HOUSE SOLUTIONS
30%: 1 OR MORE COMMERCIAL GRC SOLUTIONS
The lack in modern technology makes achieving goals challenging
The impact on FTE’s is particularly significant
One financial services organization stated that 80% of their GRC staff resources were nothing more than document reconciles for reporting. […] A mess they are aggressively trying to correct.
70% of GRC professionals reported that they use Spreadsheets, Emails, Custom Reports Apps.

Drivers for Adopting New GRC Technology
OCEG SURVEY • 2014 GRC Technology Strategy Survey • www.OCEG.org
HOW ORGANIZATIONS APPROACH AND ADAPT THEIR TECHNOLOGY STRATEGY FOR GRC
When looking for new GRC technology, organizations indicate that the primary goals they aim to achieve are:
#1 INCREASE ANALYTICS & RAPID VISIBILITY OF RISK
“Complex risk and regulatory environments demand advanced capabilities of risk data integration and analytics to provide full situational awareness of risk”
#2 IMPROVE CONSISTENCY OF INFORMATION
“Organizations are realizing that good GRC requires good information, there is increasing focus on the integrity and consistency of GRC information”
#3 MEET NEW REGULATORY REQUIREMENTS
“Regulatory change has more than doubled in several industries over the past five years (e.g., banking, insurance, healthcare) and drives the organization to GRC technologies that enable regulatory intelligence and agility”
#4 REDUCE COSTS & IMPROVE PERFORMANCE
“When deploying new GRC technologies the organization is driven to reduce costs while increasing the performance of business operations”

Enterprise-wide Risk & Controls
WORKFORCE RISK: Health & Safety, Corporate Policy, Talent Retention
OPERATIONAL RISK: Supply Chain Risk, Competitive Risk, Sourcing Risk, Material & Hazard Risk, Environmental Risk, Product Quality
LEGAL RISK: Legal & Regulatory, Litigation, IP & Copyright, Discovery Risk, Contract Risk
IT RISK: Information Privacy, IT Asset Risk, Service Provider Risk, Disaster Recovery, Compliance Risk, Service Level
FINANCIAL RISK: Financial Reporting, Compensation Risk, Fraud, Transaction Errors
CIO
CFO
CEO & Board of Directors

Comprehensive Risk & Controls Mgmt.
Close the LOOP
Assess Risk & Compliance
Detect & Fix Issues
Continuous Improvement & Monitoring
1. BUSINESS RISKS: Identification, Analysis, Evaluate
2. CONTROL OBJECTIVES: Document, Assessments, Reviews
3. CONTINUOUS MONITORS: Author, Execute, Investigate

A Unified Platform: Enterprise Risk and Controls Foundation
Flexible
• Graphical Authoring
• Detect and Prevent
• Access, Transactions, Setups
Data Driven
• 100% of Transactions
• Manage by Exception
• Pattern Analysis
Comprehensive
• Multiple GRC Projects
• From Documentation to Test
• Closed Loop Approach
Enterprise Risk & Controls Foundation
Dashboards, Reports and Alerts: Notifications, Worklists, Email, Perspectives, Search
Risk, Controls & Compliance Management: Reviews, Documentation, Assessments, Remediation, Surveys
Continuous Controls & Risk Monitoring: Setups, Access, Master Data, Audit Tests, Transactions
User Authored Controls, Data Connectors, Fraud & Error Patterns
Role Based Access Security
Web Services & APIs
Custom or Legacy Applications

Meeting Mission Critical Goals with GRC
1 PLATFORM: UNIFIED GRC Foundation
2 DATA DRIVEN: ADVANCED CONTROLS with Big Data Analytics
3 EMBEDDED: ENFORCE POLICIES with Web Services

Enterprise Data Graph
ALL USERS
ALL SYSTEMS
ALL TRANSACTIONS
SECURITY | SETUP | MASTERDATA | TRANSACTIONS
BILLIONS OF NODES & RELATIONSHIPS

Big Data Analytics
CONNECTING THE DOTS

GRC Platform APIs
GRC Platform Web Services
• Duplicate Invoice → Stop Payment
• Split Purchase Order → Put PO on hold
• Expense Report Violation → Notify T&E Auditor
• Vendor & Employee Collusion → Alert Procurement Manager
• Vendor Master Duplicates → Inactivate Record
APPLICATIONS: CRM, ERP, HCM, SCM
INSTANCES: PRIVATE CLOUD, PUBLIC CLOUD, GLOBAL DATA CENTER, LOCAL DATA CENTER
PROCESS: HIRE TO RETIRE, ORDER TO CASH, PROCURE TO PAY, RECORD TO REPORT

Manager APIs
RISK SERVICES: Create Risk, Update Risk, Copy Risk, Risk List Query, Risk Query, Add Risk Analysis, Add Risk Evaluation, Risk By Perspective Name Query
ISSUE WEBSERVICES: Create Issue, Update Issue, Issue Query, Issue List Query
PROCESS WEBSERVICES: Create Process, Update Process, Copy Process, Process Query, Process List Query
PERSPECTIVE WEBSERVICES: Perspective List Query, Perspective Query
USER-DEFINED ATTRIBUTE WEBSERVICES: User Defined Attribute Query
MANAGER CONTROL WEBSERVICES: Create Manager Control, Update Manager Control, Copy Manager Control, Manager Control Query, Manager Control List Query
ASSESSMENT WEBSERVICES: Assessment Result Query, Update Assessment Result
IMPORT / EXPORT WEBSERVICES: EGRCM Import, EGRCM Export

Controls APIs
CONTROL DEFINITIONS: Control List Query Request, Control Query Request, Entitlement List Query Request, Entitlement Query Request
AUTHENTICATION: Digest Access Authentication, Basic Authentication
SYSTEM SOURCE DATA: Data Source List Request, User List Query Request, User Query Request
GRC ANALYSIS SERVICES: Conflict Analysis Request, Analysis Summary Query, Conflict List Query Request, Model Analysis Request, Model Suspect Query, Control Incident Query, Update Control Incident, User Provision Request, Provisioning Approvals Query, Provisioning Approval Confirmation, Issue Override Update, Data Analytics Schema Request, Initialise ETL Request

ORACLE GRC Innovation Award: Winner 2014
Pennsylvania Treasury Highlights
• Preventive - Expected Savings of $100 million
• Comprehensive - Largest Payment Graph
• Integrated – Seamless within ERP

Program Agenda
1 GRC Strategy Update
2 Case Study 1: Pennsylvania Treasury Department
3 Case Study 2: Oracle Managed Cloud Services
4 Wrap-up

PENNSYLVANIA TREASURY: Treasury Transformation with GRC Advanced Controls
John Budraitis, CPA
Assistant Director, Bureau of Fiscal Review

PENNSYLVANIA TREASURY: Organization Overview
Rob McCord, State Treasurer
30M: Payments worth more than $75Bn last fiscal year.
$15B: In State Assets Managed by IT Systems
Unclaimed Property: Collected $265 million and returned over $116 million, generating nearly $148 million for the General Fund in FY 13-14
New Records: PA 529 College Savings Program reaches nearly $3 billion in assets, serving 186,000 accounts as of June 30, 2014
$100M: Average annual savings by preventing erroneous payments

FISCAL REVIEW Background
50 Employees
60 Commonwealth Agencies
25 Source Systems
Many TIME SENSITIVE payments with less than 10 days to review & process.

over  

Section 1501 of the fiscal code requires all agencies to submit payment request to State Treasury.
Section 1502 of the fiscal code requires payment requests to be audited in accordance with GAAS, and if they appear lawful and correct, Treasury will issue warrant for payment.

FISCAL REVIEW Objectives
• All payments by the Commonwealth of PA reviewed by Fiscal Review
• Detect duplicate and incorrect payments
• 30 Million Transactions, $75 Billion in spending per year
• Maintain audit checklists
• Accumulate audit error & savings information

STRATEGIC PRIORITIES For Fiscal Review Team
① Replace Aging Legacy System
② Modernize Technology Platform For Continuous Improvements
③ Implement Additional Audit Controls
④ Increase Savings For PA Taxpayers
⑤ Prevent Error, Waste & Fraud

BEFORE Treasury Transformation Project
Various Submission Formats
• Electronic with payment details (i.e., vendor number, invoice number etc.)
• Electronic with only payee information
• Paper – Manually entered by Treasury to create payments
Audit Methodology
• Randomly selected based on dollar thresholds
• Review of external reports to manually select
• Manual review of paper documentation

BEFORE Treasury Transformation Project
[Diagram labels: 60 AGENCIES; 25 SYSTEMS; Agencies; Payment Requests; Fiscal Review Team; Payment System; LEGACY PAYMENT SYSTEM]
• Sampling
• Threshold Base Audit

TREASURY TRANSFORMATION Objectives
① Provide 100% audit coverage
② Target high-risk areas
③ Quickly analyze large volume of data
④ Greater audit selection capability as audit issues arise

DEPLOYMENT CHALLENGES
• Multiple SOURCE SYSTEMS
• DIFFERENT DATA TYPES provided by each source system
• Few sources are ERP SYSTEMS
• VARIED REQUIREMENTS as to when payments must be made

TREASURY TRANSFORMATION With GRC + PeopleSoft
[Architecture diagram labels: AGENCY PAYMENT REQUESTS; 60 AGENCIES; 25 SOURCE SYSTEMS; LEGACY; PEOPLESOFT FINANCIALS (New Payment System); Auto Payments; HOLD; RELEASE; ← GRC CONNECTOR → for PeopleSoft; DAILY Graph Update; FISCAL REVIEW TEAM]
GRC Advanced Controls
• Graph-updates
• Map Reduce Enabled – 4+ dedicated machines
• Control Analysis
• Linux
• Oracle DB

KEY CONTROLS: Examples
• Duplicate Invoice
• Similar Invoice Numbers, Same Vendor
• Invoices Ending In An Alpha Character
• First Time Payments For Contract / Purchase Order
• Resubmission Of Previously Rejected Payments

First Time Payment: Contract or Purchase Order

FUTURE EXPANSION PLANS
① Split Payments
② Payment Requests Already Paid Via pCard
③ Payments To Debarred Vendors
④ A/P Payments To Commonwealth Employees
⑤ Payments To Prisons / High-risk Addresses
⑥ Payments To Vendors, No Procurement In Place
⑦ Unallowable Expenses (Gifts, Donations, Etc.)

SUMMARY
• GRC Advanced Controls is ‘Mission Critical’ for Treasury
• $75 billion spend & 30 million transactions mandated to be reviewed
• Enable continuous improvements for upstream agency processes
We are a fiscal watchdog that ensures tens of billions of dollars in payments are lawful and correct.
Rob McCord, State Treasurer

Program Agenda
1 GRC Strategy Update
2 Case Study 1: Pennsylvania Treasury Department
3 Case Study 2: Oracle Managed Cloud Services
4 Wrap-up

Oracle Managed Cloud Services Case Study

Agenda
① ABOUT MANAGED CLOUD SERVICES
② AUDIT AND COMPLIANCE [Project 1]
③ DELIVERY ASSURANCE [Project 2]

About Oracle Managed Cloud Services
Subscription-based, enterprise-grade Cloud Services
• 550+ global customers
• 5.34 billion database transactions per hour
• 41+ petabytes of managed storage
Oracle personnel manage the environment including execution of key IT controls in collaboration with the customer

IT Risk Priorities
• STANDARDIZE the management of internal assessments of Oracle’s Managed Cloud Services using a centralized system to facilitate consistent process and work flow.
• REPOSITORY for all controls, risks and frameworks to facilitate reporting and identification of common controls and leverage points.
  Example Frameworks: SOX, HIPAA, ISO 27001, ISO 27002, SOC 1, SOC 2, PCI, etc.
• MAINTAIN a history of information and changes throughout the life of the assessments
• Provide control owners with a consistent interface and list of open items that need action
• Provide business users a streamlined approach for managing issues and their remediation through completion.
• REDUCE overall auditing COST

Control Management Flow
CONTROLS LOADED: SOX, HIPAA, ISO 27001, ISO 27002, SOC 1, SOC 2, PCI, etc.
[Flow diagram labels:]
• Audit Field Work
• Record Audit Results (Audit Test Assessment)
• Manage Control
• Owner Verifies Control (Certify Assessment)
• Request Evidence (Operational Assessment)
• Resolve Issues
• Initiate Audit Cycle

CONTROL MANAGEMENT
– The Audit and Compliance GRC is built around the control object.
– Use Navigator → Manage Control to view or edit existing controls

CONTROL MANAGEMENT / Managing Revisions
Complete History of Changes: Change Authors Identified | Timestamp | Details About The Changes
Version Review & Comparison: Select “Compare from Versions” to view differences in documents

PERSPECTIVES
Key Perspectives:
- Compliance Framework
- Owner
Control Relationships Established in a Hierarchy
* It is important that they are assigned correctly as it is the main driver for security

PERSPECTIVES
Framework Perspectives
– HIPAA
– ISO
– SOC 1
– SOC 2

Assessment Flow
[Flow diagram labels:]
• Audit Field Work
• Record Audit Results (Audit Test Assessment)
• Manage Control
• Owner Verifies Control (Certify Assessment)
• Request Evidence (Operational Assessment)
• Resolve Issues
• Initiate Audit Cycle

ASSESSMENTS: Types
Batch:
- Used for selecting all or some of the controls in a framework
- Assessment plans used to define specific controls for the assessment
- Controls can be excluded manually prior to initiation if needed
Ad-hoc:
- Initiated from within the control
- Good to handle retest of single request such as new evidence request from auditors

ASSESSMENTS: Activities
PREDEFINED TO GRC:
Audit Test: Record 3rd Party Audit Results
Certify: Control owner verifies control is correct and operating
Operational Assessment:
- Tasks for evidence and population request assigned and completed by control owner
- Test plans used as method to record specific evidence requirements

ASSESSMENTS:
Sample screen of what Control Owner sees when logging into GRC
Showing that there is a Certify assessment that needs completion

Issue Management Flow
[Flow diagram labels:]
• Audit field work
• Record audit results (Audit test assessment)
• Manage control
• Owner Verifies Control (Certify Assessment)
• Request Evidence (Operational assessment)
• Resolve issues
• Initiate Audit Cycle

ISSUE MANAGEMENT:
An issue can be raised from various places in the application
In this case, it is being raised from an assessment.

ISSUE MANAGEMENT:
Issue will appear under the control in the issue tab as shown here.
All issues are also available through Issue Management and will show in the control owner worklist upon creation.

ISSUE MANAGEMENT:
Upon closure, an issue requires a reason, and a comment may also be entered to show what was done.

DELIVERY ASSURANCE - Business Objectives
HEALTHCHECKS
• Assess individual engagements to identify unmitigated risk
• Recommend actions to mitigate these risks
• Report these findings & recommendations to OMCS senior management
• Track recommended actions to completion
CONTINUOUS IMPROVEMENTS
• Identify systemic issues impacting profitability or customer satisfaction
• Develop & shepherd initiatives to address these systemic issues
• Track progress of initiatives to completion
MAINTAIN & LEVERAGE DATA
• Maintain repository of Healthcheck & Continuous Improvement Initiative activities
• Leverage repository to:
  • Identify systemic issues
  • Improve oversight of remediation activities
  • Enhance management view of OMCS risks

DELIVERY ASSURANCE - GRC Implementation
APPROACH: Bottom-Up Vs. Top-Down
• Risks & Mitigations accumulated at engagement level
• Consolidate detailed data & analyze to identify systemic Issues / Risks
CONFIGURE GRC: to meet our needs
• Customer = Process Object
• Healthcheck Results = Ad Hoc Assessment
• Healthcheck Findings = Issue Object
• Healthcheck Recommendations = Remediation Object
IMPLEMENTATION: Phased
• Repository for CSDA / GRM Healthcheck data
• Reporting capabilities
• Action Item tracking
• Continuous Improvement Initiatives

Page 57: Oracle GRC General Session OpenWorld 2014

Copyright  ©  2014,  Oracle  and/or  its  affiliates.  All  rights  reserved.    |   57  

Customer  Object    

Page 58: Oracle GRC General Session OpenWorld 2014

Copyright  ©  2014,  Oracle  and/or  its  affiliates.  All  rights  reserved.    |   58  

Healthcheck  Results  –  Ad  Hoc  Assessment    

Page 59: Oracle GRC General Session OpenWorld 2014

Copyright  ©  2014,  Oracle  and/or  its  affiliates.  All  rights  reserved.    |   59  

Healthcheck  Findings  –  Issue  Object    

Page 60: Oracle GRC General Session OpenWorld 2014

Copyright  ©  2014,  Oracle  and/or  its  affiliates.  All  rights  reserved.    |   60  

Healthcheck  RecommendaGons  –  RemediaGon    

Page 61: Oracle GRC General Session OpenWorld 2014


GRC is Mission Critical for ORACLE Cloud

Key Differentiator for Oracle Cloud

Maintains High levels of security and reliability

Meets multiple compliance mandates

Results used and relied on by hundreds of customers

 

Page 62: Oracle GRC General Session OpenWorld 2014


Program Agenda

1 GRC Strategy Update

2 CASE STUDY: Pennsylvania Treasury Department

3 CASE STUDY: Oracle Managed Cloud Services

4 Wrap-up

Page 63: Oracle GRC General Session OpenWorld 2014


Meeting Mission Critical Goals with GRC

1 PLATFORM: UNIFIED GRC Foundation

2 DATA DRIVEN: ADVANCED CONTROLS with Big Data Analytics

3 EMBEDDED: ENFORCE POLICIES with Web Services


Page 64: Oracle GRC General Session OpenWorld 2014


GROWING Customer Base Across All Sectors

HEALTHCARE SERVICES COMMUNICATIONS ENERGY MINING / EXPLORATION

RETAIL

LOGISTICS

GOVERNMENT / EDUCATION INDUSTRIAL TECHNOLOGY

SERVICES

Page 65: Oracle GRC General Session OpenWorld 2014


TUESDAY: Oracle GRC Advanced Controls

SPEAKERS:

CHRIS DOXEY – IOFM Seminar
CAPP, CCSA, CICA, CPC
Executive Director, IOFM
Author and Leading Industry Expert

9:45 am IOFM Workshop: The Top Twenty Internal Controls for Accounts Payable
Presenter: Chris Doxey, CAPP, CCSA, CICA, CPC
Length: 90 Minutes
CPE Credits: 1.5
ZEUM ROOM 8th FLOOR, Palomar

LOCATION: Hotel Palomar 4th & Market

Contact: Dane Roberts [email protected]

SESSIONS:

11:30 am ID # 8203 Stop the Financial Leakage and Cure the Drought in Profits
OLYMPIC ROOM, Westin

4:45 pm ID # 8210 Doing Your ERP Implementation / Upgrade Right with Oracle Advanced Controls Solutions
OLYMPIC ROOM, Westin

   

Page 66: Oracle GRC General Session OpenWorld 2014


WEDNESDAY: Oracle GRC Advanced Controls

SPEAKERS:

JON CASHER Ph.D.
IOFM Workshop
President, Casher Associates
Leading Industry Expert & Consultant

10:45 am IOFM Workshop: How Your Vendor Master File is Critical to GRC and Compliance
Presenter: Jon Casher
Length: 90 Minutes
CPE Credits: 1.5
ZEUM ROOM 8th FLOOR, Palomar

LOCATION: Hotel Palomar 4th & Market

Contact: Dane Roberts [email protected]

SESSIONS:

10:00 am ID # 8207 Stop the Fraudster! Set the Tone at the Top and Prevent Fraud with Oracle Advanced Controls
OLYMPIC ROOM, Westin

2:45 pm WEDNESDAY ID # 8200 Do You Really Know What Your Users Can Do—or Maybe Have Done?
FRANCISCAN I ROOM, Westin

Page 67: Oracle GRC General Session OpenWorld 2014


THURSDAY: Oracle GRC Advanced Controls

SESSIONS:

10:15 am ID # 8208 Achieve a Quicker and Compliant Financial Close with Oracle Governance, Risk, Compliance
OLYMPIC ROOM, Westin

12:45 pm ID # 8154 Controlling for Multiple ERP Systems with Oracle Advanced Controls
OLYMPIC ROOM, Westin

2:45 pm ID # 8213 How Your Vendor Master File is Critical to Governance, Risk Management and Compliance
OLYMPIC ROOM, Westin

LOCATION: Westin 3rd & Market

Page 68: Oracle GRC General Session OpenWorld 2014


MEET EXPERTS & DEMO GROUNDS: Oracle GRC

SESSIONS:

5:00 pm WEDNESDAY ID # MTE 8487 Meet the Governance, Risk, and Compliance Experts
METROPOLITAN III ROOM

LOCATION: Westin 3rd & Market

SESSIONS:

ID # 4250 Demo Station: Oracle Fusion Governance, Risk, and Compliance Advanced Controls
MONDAY 9:45 – 6:00
TUESDAY 9:45 – 6:00
WEDNESDAY 9:30 – 3:45

LOCATION: Moscone West

Page 69: Oracle GRC General Session OpenWorld 2014


IOFM Workshop - The Top Twenty Controls for Accounts Payable: The Foundation for GRC

Speaker: Chris Doxey, CAPP, CCSA, CICA, CPC

When: Tuesday, September 30 from 9:45 to 11:15 AM

Location: Zeum Room, Hotel Palomar, 4th & Market St

Sponsored by Oracle GRC: contact [email protected] for invitation

CPE CREDITS: 1.5

Description: The integrity of AP results is directly influenced by the functions of securing and qualifying sources of supply; initiating requests for materials, equipment, merchandise, supplies, or services; obtaining information as to availability and pricing from approved suppliers; placing orders for goods or services; receiving and inspecting or otherwise accepting the material or merchandise; accounting for the proper amounts due to suppliers; and processing payments in a controlled and efficient manner. This workshop will provide the Top Twenty Controls that can be implemented to protect the integrity of your AP process.

Agenda:

• Your Internal Controls and Fraud Prevention Primer
• Internal Controls and Risk Models
• Everything You Need to Know About Fraud
• Three Critical Corporate Controls
• Identifying the Flags that Indicate Accounts Payable Risk
• The Top Twenty Internal Controls for Your Accounts Payable Process
• Standards of Internal Control
• When Internal Controls Are Not Enough
• Trends in Internal Control Processes
• What To Do If You Suspect A Fraud
• Case Study
• Q&A

Chris has held senior finance and controller positions at Digital Equipment Corporation, Compaq Computer Corporation, Hewlett Packard, MCI, APEX Analytix, and BSI Healthcare. She has a bachelor's degree in English, a bachelor's in accounting, a master's in business administration, and a graduate certificate in project management. Chris is currently a management consultant in the areas of compliance, auditing, internal controls, and fraud prevention. Chris also serves as the Executive Director of the IOFM Controller Certification Program.

Chris is a Certified Accounts Payable Professional (CAPP), holds a Certification in Controls Self Assessment (CSA), and is a Certified Internal Controls Auditor (CICA). She has also written a controller’s best practices guide, numerous articles, and several whitepapers. Chris has published two handbooks: AP Leadership Skills and Implementing a Controls Self Assessment Program for Accounts Payable. She presents at several conferences and provides a multitude of webinars each year. Chris is a member of the Institute of Internal Auditors (IIA), the Institute of Internal Controls (The IIC), and the Institute of Financial Operations (IFO). She is a member of the advisory board for The IIC and is president of the Washington DC area chapter for The IIC.

Page 70: Oracle GRC General Session OpenWorld 2014


IOFM Workshop - How Your Vendor Master File is Critical to GRC

Speaker: Jon Casher, PhD

When: Wednesday, October 1 from 10:45 to 12:15

Location: Zeum Room, Hotel Palomar, 4th & Market St

Sponsored by Oracle GRC: contact [email protected] for invitation

CPE CREDITS: 1.5

Description: Your vendor master file is a strategic resource. Managing it is key to many governance, risk management, policy and regulatory compliance issues. The need for complete and accurate vendor information is usually understood. However, the requirements, costs and benefits are often not well known. When done properly, collecting and maintaining accurate vendor information saves money, reduces fraud and helps leverage vendor relationships.

Agenda:

• Key ownership issues
• Appropriate restrictions and controls
• Federal, state and international laws and regulations that need to be addressed
• The costs of bad or incomplete data
• Standards and guidelines you should use
• How to verify and authenticate vendors and vendor information
• How to set up new vendors and manage changes
• Review, triggers and controls to enhance regulatory compliance and minimize fraud
• Specific resources that you should draw on
• Metrics that you should implement as part of your vendor management process
• Q&A

Jon Casher is a serial entrepreneur. He founded Casher Associates in 1976 to design and develop custom financial systems and back office automation. He co-founded CM Associates, provider of financial industry software products, in 1985. Jon then co-founded RECAP, an A/P Audit firm, in 1988. He was director of a NASDAQ company from 2000-2006 and head of the audit committee from 2002-2006.

Jon’s current focus is to provide consulting and subject matter expertise to the following clients:

• Finance, AP, AR and Procure-to-Pay (P2P) organizations
• Providers of AP, AR and P2P automation products and services

Jon works with his clients to deliver educational content, webinars, workshops, and whitepapers focused on financial transaction automation and best practices.

Page 71: Oracle GRC General Session OpenWorld 2014


Follow Us & join the conversation.

Oracle GRC Advanced Controls Group

OracleAdvControls @OracleAdvCntrls

Page 72: Oracle GRC General Session OpenWorld 2014


SOLUTION SHOWCASE: GRC Integration with IDM & MDM

Customers now have the ability to link their GRC strategy & processes with their MDM process and security requirements in one integrated approach. OneGlobe is the first global Oracle partner to develop an integrated solution/extensible platform to link Oracle Advanced Controls (OAC) to both Oracle’s Identity Management (IDM) and Master Data Management (MDM) solutions for the Oracle EBS environment.

During this one hour session OneGlobe will discuss the underlying solution architecture and demonstrate three Use Cases which highlight the value that can be achieved through the solution. Use Case 1 will highlight the direct linkage of IDM to OAC, providing value through the reduction of manual effort required to determine the appropriate user access rights through IDM. Use Case 2 will demonstrate process automation of customer master data. Sales, credit and finance functions usually require a lot of manual intervention in setting up and maintaining a customer. We will show how this can be automated, thus decreasing labor and errors in the process. Use Case 3 will show how companies can also institute granular access and authorization controls on the customer creation process through our solution.

About OneGlobe: OneGlobe is one of six global certified OAC partners and the first to develop an OAC to IDM as well as MDM solution. As time permits we will also discuss how some of our clients are achieving increased value from their OAC implementation.

Oracle Open World 2014
Tuesday, September 30, 2014 | 2:30 p.m.–3:30 p.m.
Hotel Palomar Zeum Room

Page 73: Oracle GRC General Session OpenWorld 2014


Reducing Retail Shrink Through the Use of Advanced Controls

Featured Speakers

Ivor O’Neill, Director, KPMG LLP

Brad Straw, Director, KPMG LLP

Join two of KPMG’s industry leaders to learn more about how leading organizations are leveraging Advanced Controls to address the operational and financial challenges associated with Retail Shrink.

Inventory Shrinkage (or shrink) is the loss of products between point of manufacture or purchase from supplier and point of sale. Shrink is an ongoing issue for retailers, costing them billions of dollars each year. Minimally decreasing the percentage of shrink year over year will have a substantial impact on a retailer’s bottom line.

With the onset of advanced data analytics capabilities, the ability to more accurately detect, predict and minimize shrink is greatly improved. On an upcoming Oracle webcast, KPMG LLP will review ways to use data analytics platforms, such as Oracle Advanced Controls Suite, to identify and quantify shrink risks in your organization.

Oracle Advanced Controls Suite can be leveraged to:

• track manual changes to inventory levels

• identify transactions where ERP inventory controls are overridden

• tag duplicate, potentially fraudulent master data irregularities for additional review

• identify irregularities with dummy SKUs

• monitor interstore transfer

• require additional approvals for accounting changes impacting shrink

Oracle Open World 2014
Tuesday, September 30, 2014 | 12:30 p.m.–2:00 p.m.

Page 74: Oracle GRC General Session OpenWorld 2014


DEMOgrounds: Moscone West Station ID WCL-003

Page 75: Oracle GRC General Session OpenWorld 2014


Specialized Partners

Increase your Return On Investment

• Get more from Advanced Controls
Specialists address more of your needs with Advanced Controls’ many capabilities

• Increase your organization’s effectiveness
Specialists help you embed Advanced Controls in your business processes

• Accelerate your implementation
Specialists guide and support you during planning, implementation and go-live

Page 76: Oracle GRC General Session OpenWorld 2014


Page 77: Oracle GRC General Session OpenWorld 2014


Safe Harbor Statement

The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Page 78: Oracle GRC General Session OpenWorld 2014