Governance, Risk and Compliance in JD Edwards EnterpriseOne & JD Edwards World

Version 2.0

February 2008


Contents

1. Background
   1.1 Protect, Extend, Evolve
   1.2 This Paper
2. The GRC Market
   2.1 GRC Strategy
   2.2 Governance
   2.3 Risk
   2.4 Compliance
3. GRC Solutions
   3.1 The GRC Market
   3.2 COSO Positioning for JD Edwards
   3.3 Addressing Audit
   3.4 Closed Loop Compliance Management in JD Edwards
   3.5 Compliance Summary – JD Edwards EnterpriseOne 8.12
   3.6 Compliance Summary - JD Edwards World A9.1
4. Recommended by Oracle
5. Acknowledgements
6. About Q Software


1. Background

1.1 Protect, Extend, Evolve

Whether you are a division of a large corporation, a branch manufacturing plant, a food or beverage producer, a mid-market distributor or a homebuilder, JD Edwards ERP solutions provide you with a broad base of ERP, SCM and CRM functionality as well as industry-specific capabilities.

Oracle Corporation is a technology partner dedicated to supporting and protecting your enterprise software investment. In addition, the JD Edwards solutions are being extended to reward customers with new levels of capability - allowing you to take advantage of strategic opportunities when they make business sense.

Oracle’s goals are to increase the quality of customers’ total ownership experience, support the complexities of managing for business success, and reduce overall information technology costs.

Protect

Oracle will continue to help protect customers’ investments in JD Edwards software by continuing to enhance its capabilities and committing to supporting JD Edwards World and JD Edwards EnterpriseOne as per the recent Applications Unlimited announcement.

Extend

Oracle has recently released new versions of both JD Edwards World (release A9.1) and JD Edwards EnterpriseOne (release 8.12). Both these releases contain significant enhancements to assist with compliance initiatives. Oracle has signalled its ongoing commitment to further releases through its Applications Unlimited program.

Evolve

JD Edwards customers have more options than ever before to continuously evolve system capabilities, including planned direct conversions to Oracle’s future ultimate evolution, Fusion.

1.2 This Paper

This paper will review the evolving Governance, Risk and Compliance (GRC) market as a whole, then focus on the JD Edwards community in order to identify:

  • How Oracle's GRC strategy may address the needs of JD Edwards customers
  • The gaps in the Oracle GRC solutions for JD Edwards customers
  • How Q Software complements Oracle’s GRC strategy to plug the gaps

With the revitalisation of the JD Edwards market through new releases of JD Edwards World A9.1 and JD Edwards EnterpriseOne 8.12 many customers will review their security compliance and overall GRC strategy with the view to enhancing business performance and driving down costs.


2. The GRC Market

2.1 GRC Strategy

According to PriceWaterhouseCoopers:

“The compliance and risk landscape is continually changing. To remain competitive, companies must have in place a governance, risk management and compliance strategy that keeps pace with new laws, regulations and stakeholder expectations. An effective strategy can positively impact shareholder value and empower organizations to:

  • Improve strategic business decisions by clearly defining associated risks and opportunities
  • Minimize operational surprises with more proactive and effective monitoring
  • Protect and enhance reputation and brand by capitalizing on business opportunities while reducing the likelihood of negative events
  • Increase organizational efficiency
  • Avoid fines, penalties and damage to reputation”

In simple terms the three components of GRC comprise:

  • Governance: Set objectives and measure achievement.
  • Risk Management: Identify, measure, report and appropriately manage risks to achieve governance objectives.
  • Compliance: Execute governance objectives with integrity and confidence.

GRC is defined by Gartner as

“the use of content management, compliance reporting, workflow and controls automation … to be used in the support of audit, financial management, operational risk management (including compliance risks) and reporting processes”.

“GRC requirements are determined by regulations such as SOX in the US and related regulations in other countries, or by other non-regulatory compliance”

“by 2008, more than 75% of large and midsize companies will purchase new compliance management, monitoring and automation solutions”.

We will now look in more detail at the component elements of GRC.

2.2 Governance

GOVERNANCE is the system by which organizations are directed and controlled. The governance structure specifies the distribution of rights and responsibilities among different participants in the corporation, such as the board, managers, shareholders and other stakeholders, and spells out the rules and procedures (mandated and voluntary) for making decisions on corporate affairs. By doing this, it also provides the structure through which the company’s objectives are set, and the means of attaining those objectives and monitoring performance.

Management Boards, individual directors and senior executives are experiencing unprecedented pressure and visibility as to how they perform their oversight roles. Executives have to keep management boards informed about matters related to performance, compliance and risk. Directors want and need to know more about the company’s situation with respect to operations, employees, customers, vendors, strategic partners, government and regulatory agencies, analysts, investors and the general public. In other words, both boards and management need better information. Information Governance can and should lead to establishing new projects and priorities for IT.

PriceWaterhouseCoopers talk about “Integrity-Driven Performance”, for which organizations need to get the four fundamental enablers right:

  • Address and effectively manage the change to a culture of business integrity and ethical values.
  • Embed an integrated GRC approach into core business processes.
  • Deploy the capability to measure performance and calculate value through the right metrics and dashboards.
  • Leverage technology to enable effectiveness and efficiency.

In essence, Governance activities include setting business strategy and objectives, determining risk appetite, establishing culture and values, developing internal policies and monitoring performance.

2.3 Risk

The Gartner report of November 2006 focuses on Finance and Audit GRC, but there are other areas, such as IT, and Enterprise Risk Management.

RISK MANAGEMENT covers all the processes involved in identifying, assessing and judging risks, assigning ownership, taking actions to mitigate or anticipate them through systematic application of policies, practices, and monitoring/reviewing progress. Risk and cost/benefit analysis are used to support development of risk reduction options, program objectives, and prioritization of issues and resources. A critical role of the risk manager is to identify activities involving significant risk and to assist in establishing acceptable levels of risk. Good risk management helps reduce costs or hazards, and builds confidence to innovate.

RISK is the combination of the likelihood and the consequence of a specified hazard being realized. It is a measure of potential or actual harm or loss associated with an activity.

For many people, effective governance is all about Risk Management. The leading audit practices offer various services aimed at Enterprise Risk Management. Deloitte encourages organisations to become more “risk aware” and sets out a series of questions senior management should ask themselves, such as:

  1. How much could we lose if we don’t manage this risk intelligently?
  2. What is the likelihood of the risk occurring?
  3. Is the risk correlated with other risk exposures?
  4. What is our vulnerability to this risk?
  5. Does this risk represent a concentration of risk that may cause problems in risk management or mitigation?
  6. If I hedge / mitigate this risk, how does this change the likelihood and impact?
  7. Does our risk management / mitigation strategy introduce other risks?
  8. How much can we gain if we accept this risk, provided we managed it properly?
  9. How can we get assured our confidence is justified?
  10. How much is it (will it) cost to manage this risk?
  11. What is the reputational impact from this risk?
  12. Who is responsible for managing this risk, end-to-end?

Questions 1 and 2 are pretty obvious questions to ask, but are too often overlooked or even ignored. With the per incident cost of unauthorised access to data often running to hundreds of thousands of dollars, organisations ignore putting a valuation on risk at their peril. Question 11 is another question often ignored on the basis of “it couldn’t happen to us”. Unfortunately it does! This is supported by KPMG when it talks about managing risks by controls. Regulatory compliance is only one of several areas where risk prevention controls are applicable.

[Figure: Managing Risk by Controls]

In the diagram above, KPMG draws our attention to three other key areas of risk that need to be addressed:

  • Financial: Managing and protecting the business finances and cash.
  • Operational: Mapping your ERP controls to fit the business needs and processes.
  • Reputational: if your customers lose confidence in your product for whatever reason, this could have a far greater impact on your business than any legislative governance requirement.

It is important to protect against these risks by implementing:

  • Preventive controls – to stop the risk from occurring.
  • Detective controls – to identify risks before they impact the business.

Any residual risk that is neither preventable nor detectable is regarded as “acceptable” to the management and stakeholders. Risks that are not deemed “acceptable” need to be prevented from happening or harming the business through the imposition of appropriate controls. Q Software’s SEC-Qure™ preventive solutions are your first line of defence.


2.4 Compliance

COMPLIANCE MANAGEMENT is the definition and implementation of processes designed to control any type of risk and meet voluntary or mandated expectations of performance to ensure adherence with laws and regulations, internal policies and procedures, and stakeholder commitments.

COMPLIANCE is whether the processes in place to control risk are in fact being followed and to what extent they are being performed at one point in time or over a period of time.

Companies need to understand their approach to minimizing the risks they have identified, having agreed their risk profile. This will then lead to the next step, which is choosing a relevant GRC solution, which meets their needs, and is relevant to the technical architecture of the ERP system. The next section looks at the relevance of the available GRC solutions.


3. GRC Solutions

3.1 The GRC Market

Looking at the broader picture, the Gartner report breaks down this segment of the market, bearing in mind that no one vendor addresses all these areas. We can simply position what the major vendors (i.e. SAP and Oracle) cover, and where the emerging niche players have filled in the gaps:

GRC Market

| No. | GRC Niche | Business View | Software Vendors |
|-----|-----------|---------------|------------------|
| 1 | Finance Management | Management, workflow, documentation and reporting associated with financial controls | IBM, Oracle/Stellent, SAP, Paisley (and several others) |
| 2 | Business Rule Management | Monitoring transactional data in accordance with business rules established as controls | 170 systems, Infogix, webMethods |
| 3 | Audit Management | Internal audit documentation | Paisley, Q Software |
| 4 | Audit data extraction and Analysis | Tools for extracting data from business applications and running ad-hoc analysis or standard queries | ACL, IDEA, Q Software |
| 5 | Segregation of Duties (SoD) Reporting | Ensuring that personnel do not have access to data in a way that creates the potential for fraud | Approva, Virsa/SAP, Q Software |

According to Oracle: “To keep costs down, you need a comprehensive, integrated approach to governance, risk and compliance.”

This is supported by Deloitte, who see a move away from disjointed and fragmented compliance projects and towards an integrated and cohesive strategy to gain maximum returns from these projects, whilst reducing costs. KPMG adds to this by stating that in order to reduce compliance costs, organisations should:

  • Align controls to the ERP process
  • Implement effective Segregation of Duties controls
  • Keep processes simple
  • Apply process control monitoring

The first two fall into the area of “preventive controls”, whilst the latter two fall into the “detective controls” area.


3.2 COSO positioning for JD Edwards

Oracle, like many organisations providing GRC solutions, recommends working with “best practice control framework such as COBIT and COSO.” Oracle provides a selection of highly relevant tools, and is acquiring new technologies to fill in the gaps. The most relevant parts of the Oracle family are:

  • Internal Controls Enforcer (ICE) – developed by PeopleSoft, ICE provides tools that give business units, internal audit and external audit real-time visibility into the internal controls using desktop dashboards. ICE is largely unproven in the JD Edwards community.

  • Stellent – The Stellent GRC framework manages risk and compliance across the organization, creating a centralized hub of risk and compliance documentation, assessments, analysis and loss information from all related parts of the business. Again, this tool is yet to be proven in the JD Edwards community.

  • LogicalApps – embeds user access controls within the Oracle E-Business Suite, providing real-time monitoring and proactive enforcement of crucial access policies, such as those which support SOD (segregation of duties). ACTIVE Access Governor anticipates potential SOD conflicts before they arise, and even prevents any assignment of responsibilities within an application which would compromise the proper segregation of duties. However, at the time of writing, LogicalApps has no GRC offering for the JD Edwards market.

From here we need to understand how these technologies address user GRC needs, and how Q Software, in particular, can address the gap that is left in Application Security.

[Figure: How Oracle and Q Software address the COSO Framework for JD Edwards products.]

At first sight there would appear to be an overlap of capability between the Q Software SEC-Qure™ family of security compliance solutions and that provided by a combination of the Oracle Internal Controls Enforcer (ICE) and the Stellent solutions acquired by Oracle. There are, however, serious gaps in the current Oracle offering for the JD Edwards market. The ICE and Stellent solutions do not address the following questions:

  • Who can access which critical programs?
  • Which programs can an individual user access?
  • How can a user access a program?
  • Which users have the potential to breach Segregation of Duties rules?
  • Which roles contain a breach of Segregation of Duties rules?
  • Which multiple roles, when assigned to the same user, constitute a breach of Segregation of Duties rules?
  • What security will apply when a user is assigned multiple roles?

Furthermore, the ICE / Stellent combination does not:

  • Provide a simple and effective methodology for user based access control.
  • Provide a simple and effective methodology for multi-role based access control.
  • Enable the integration and enforcement of Segregation of Duties rules for users.
  • Enable the integration and enforcement of Segregation of Duties rules across multiple roles assigned to a user.
  • Report on role assignments and take up.

The SEC-Qure™ family of security compliance solutions from Q Software addresses all these issues and much more. It plugs the gaps in Oracle’s GRC strategy for JD Edwards and is complementary to ICE and Stellent. The ICE / Stellent combination falls into the KPMG category of Detective Controls, whilst the Q Software SEC-Qure™ solutions address the preventive controls requirement and also provide extensive security compliance audit reporting.

3.3 Addressing Audit

It is clear that the majority of the current spend in this market falls into the first 2 categories above, i.e. Finance and Business Rule Management. These are the areas which companies have focused on to build their compliance models, to assess risk, and to build mitigating controls.

However, there is a smaller but critically important role in the provision of functionality for audit, covering the niches from 3 to 5 in the GRC Market table above (audit management, audit data extraction & analysis, and Segregation of Duties). These areas are, in some ways, more difficult to address, since they require more direct intrusion into the ERP application suite at the heart of the enterprise. But this is the area where the ERP vendor needs to take care, and needs to offer an integrated solution in order for the compliance to be in a “tight loop”. We can simply draw out this user requirement as follows:

But this representation is over-simplistic, since to make the controls work effectively, we need to take two further issues into consideration. To create a “closed loop” control system, there needs to be a feedback method from audit to the ERP system, and, in addition, we need to consider the needs of the external auditor. This last element is very important if the user is going to ensure he can reduce compliance costs, by providing easy extract and reporting for the external auditor, and can prove the existence of tight closed loop Segregation of Duties and compliance control, thus:

3.4 Closed Loop Compliance Management in JD Edwards

To implement a closed loop compliance management infrastructure, organizations should map organizational structure, job functions, risks, controls, policies/procedures, training and a variety of other types of information important to a healthy GRC program. Then map or relate these various components of the GRC ecosystem and create a functioning operational process that can stand up to scrutiny by various parties. This will help identify sequential tasks or duties in a process that should be separated and hence help identify a Segregation of Duties (SoD) model appropriate for that organization.


Q Software uniquely provides a closed loop compliance solution for both the JD Edwards EnterpriseOne and JD Edwards World ERP systems to address all aspects of the compliance lifecycle as shown in the diagram below.

[Figure: Security Compliance Life-Cycle]

The table below summarizes which Q Software SEC-Qure™ solutions address each element of the lifecycle.

| LifeCycle Element | JD Edwards World | JD Edwards EnterpriseOne |
|-------------------|------------------|--------------------------|
| Analysis | WorldAnalyser | E1Config |
| Security Management (Multiple Roles Based Access Control) | WorldConfig | E1Config |
| SoD Reporting | WorldSoD | E1SoD |
| SoD Management | WorldConfig | E1Config |
| Compliance Reporting (on and off box) | WorldAnalyser + ComplianceManager | E1SoD + ComplianceManager |
| Auditing (on and off box) | WorldAnalyser + ComplianceManager | E1SoD + ComplianceManager |

The products WorldAnalyser, WorldConfig, WorldSoD, E1Config, and ComplianceManager all belong to Q Software’s SEC-Qure™ family of security compliance solutions. Oracle has introduced many new features in its recent releases of JD Edwards World A9.1 and JD Edwards EnterpriseOne 8.12 that go some way to address GRC requirements. These predominantly address GRC at the ERP application level.


Q Software has enhanced its security compliance solutions to complement the JD Edwards solutions to provide comprehensive and effective compliance capabilities. These are summarised at overview level below.

3.5 Compliance Summary – JD Edwards EnterpriseOne 8.12

JD Edwards EnterpriseOne 8.12

  • Systems-based internal controls
  • Automated Processes
      o Process Modeler
      o Workflow
      o Foundation Calendar
      o Data Change Tracker
  • GL Enhancements
  • Additional Internal Controls
  • Compliance Console *

Q Software SEC-Qure™ E1 (E1Config & E1SoD)

  • Security Compliance Life-cycle
  • Multiple Roles Management
      o Removes Sequence Manager issues
  • Re-usable Components
      o From Q Software library
      o Create from existing security
      o Build from Solution Explorer
  • Segregation of Duties Reporting
      o At program / object level
      o At Duties level
      o At Roles level
  • Segregation of Duties Management
      o Across multiple roles
  • Powerful audit reporting
      o Both on and off the box.

* The Compliance Console in JD Edwards EnterpriseOne will provide information on relevant financial data such as cash flow, unposted transactions, accounts payable and accounts receivable. It will also provide for alerts for such things as segregation of duties violations. However, it should be noted that this does not allow for action code settings, so high volumes of false violations are likely to be reported on. For more comprehensive and more effective segregation of duties management we recommend the use of the Q Software E1SoD tool.

For more detailed information on how JD Edwards EnterpriseOne enables effective compliance when used in conjunction with Q Software’s SEC-Qure™ E1 family of security compliance solutions, please refer to the white paper below, which is available from Q Software.

Achieving Compliance with JD Edwards EnterpriseOne (A white paper written by Oracle in conjunction with Q Software.)


3.6 Compliance Summary - JD Edwards World A9.1

JD Edwards World A9.1

  • Approvals
  • Address Book Enhancements
  • Advanced Lot Control
  • Audit Reporting
      o Segregation of Duties
      o Diversity
      o Review User Security
      o Database Audit Manager
  • Country-specific

Q Software SEC-Qure™ World

  • Security Compliance Life-cycle
  • User Based Access Control
      o Analysis of Exposures
      o Back-door access
      o “Find & Fix”
  • Multiple Roles Based Access Control
      o Map security to the business process
  • User Security Workbench
      o Security Management from a single screen.
  • Segregation of Duties Reporting
      o Including potential violations via back-door access
  • Segregation of Duties Enforcement
      o Across multiple roles

For more detailed information on how JD Edwards World enables effective compliance when used in conjunction with Q Software’s SEC-Qure™ World family of security compliance solutions, please refer to the white papers below, which are available from Q Software.

Achieving Effective Compliance in JD Edwards World A9.1

(A white paper written by Q Software in conjunction with Oracle.)

Aligning World Security to the Business

(Explains how you can apply multiple Roles Based Access Control within JD Edwards World for the maximum security with minimum effort)


4. Recommended by Oracle

Q Software is Oracle's only Certified Partner providing security compliance solutions for JD Edwards World and JD Edwards EnterpriseOne. Q Software's SEC-Qure™ family of products has evolved over more than ten years. Each product can be implemented independently or in any combination.

“We evaluated the Q Software security solutions and believe they can help JD Edwards EnterpriseOne customers address security and compliance initiatives.”
Gary Grieshaber, Senior Director Tools & Technology Product Strategy, JD Edwards EnterpriseOne

Please ask Q Software for the Oracle white paper: Achieving Compliance with JD Edwards EnterpriseOne.

"Q Software is a long-term JD Edwards World business partner and they have been providing security solutions for our customers for over 10 years. They thoroughly understand World security and continue to offer comprehensive security solutions which methodically complement ours."
John Schiff, VP & GM, JD Edwards World

Please ask Q Software for the Oracle white paper: Achieving Effective Compliance in JD Edwards World A9.1.

5. Acknowledgements

  • PriceWaterhouseCoopers – How to Execute an Integrated, Sustainable Governance, Risk Management and Compliance Strategy
  • Gartner Inc: Research Reports - Finance and Audit GRC Software Market is Expanding; Magic Quadrant for Finance Governance, Risk and Compliance Management Software, 2007
  • Deloitte: The Risk Intelligent Enterprise
  • KPMG: Reducing the Cost of Controls
  • Oracle: Solutions for Governance, Risk, and Compliance
  • Stellent: Governance, Risk and Compliance
  • Axentis: Governance, Risk and Compliance


6. About Q Software

Q Software is the only Oracle Certified Partner providing security and compliance solutions for JD Edwards customers. Q Software is also a member of the Oracle Security and GRC Initiative. Oracle and leading audit firms recommend Q Software’s solutions, which are trusted by well over 200 customers worldwide.

Q Software provides a holistic view of security and Segregation of Duties, eases the maintenance effort, and reduces the cost and time of compliance by up to 80%. Q Software supports Cost Centre / Company security and a decentralised security model.

If any of this is of interest to you, please contact Q Software to find out more about our products and how they can benefit you.

Q Software Global Limited
Ranmore Manor, Ranmore Common
Dorking, Surrey RH5 6SX
United Kingdom

Tel: + 44 (0) 1483 280 400
Fax: + 44 (0) 1483 280 401
Email: [email protected]
Web: www.qsoftware.com