Why Oracle GRC with every E-Business Suite Upgrade
Kate Coughlin Principal Solution Consultant
Why Preventive….
Oracle Confidential - Do Not Distribute
Why GRC for Every EBS Upgrade?
• Be compliant on Day 1
• Sustainability – continuous compliance
• Reduce the risk and maximize the ERP ROI – reduce the cost of compliance associated with the ERP implementation
• Modify the behavior of Oracle EBS quickly and with fewer customizations
• Accelerate the design of segregation of duties around role design
• Remove the wildcard of segregation of duties as a potential material weakness and a bottleneck to go-live
• Embedded real-time enforcement and prevention allows limited staff to meet security compliance requirements – "do more with less"
• Automate and error-proof the set-up of items, customers and suppliers
• Ensure that critical setups conform to best practices and follow robust change management procedures
Automate Internal Controls – Oracle GRC Controls Suite
The suite pairs detective controls (monitor control effectiveness) with preventive controls (enforce policies in context) across three control types:
• Access Controls – detective: what users have done; preventive: what users can do
• Configuration Controls – detective: what has changed in the process; preventive: how the process is set up
• Transaction Controls – detective: what the execution patterns are; preventive: how users execute processes
EBS Doesn't Address Segregation of Duties
• No automated, continuous way to detect, remediate and prevent SOD violations.
• No auditable evidentiary reports to support the controls environment.
• Not sustainable – point-in-time audits are expensive and not reliable.
• Can't prevent SOD violations at the point of access.
• Time consuming and costly to implement form customizations to detect, mitigate and prevent SOD violations.
• Managing false positives is difficult because proprietary detection engines don't pick up preventative forms customization controls.
Oracle Application Access Controls Governor – Enforce proper segregation of duties
• Simplify segregation of duties enforcement with simulation and remediation
• Mitigate risk of privileged user access to enterprise applications with approval workflow and audit trails
• Accelerate deployment and time to value with a pre-delivered controls library
• Policy Library • Conflict Paths
Control lifecycle (slide diagram):
• Detection – Define Access Controls → Access Analysis → Remediation (Clean-up) → Compensating Policies
• Prevention – Preventive Provisioning
• Manual SOD
E-Business Suite Access & SOD Challenges
Evaluate user access:
• Test by Responsibility and User
• Test by Function
EBS access hierarchy: User → Responsibility → Menu → Sub-Menu → Function (form function)
Segregation of duties: identify incompatible privileges (i.e. functions)
Oracle GRC is a true cross-platform solution allowing cross-platform or cross-instance SOD analysis. It provides a single point of reference for all SOD policies and controls throughout the organization.
ERP SOD Control Library:
• Oracle 11.5.10 – 216 policies*
• Oracle R12 – 232 policies*
*Note: Each policy is comprised of several sub-policies and controls based on its complexity; the sum total of these sub-policies and controls is over 3,000 per ERP.
Online Conflict Analysis
• Use the visualization feature to view conflict paths in a graphical format and easily identify inter- and intra-role conflicts.
• Contextual reporting with full-path conflict details.
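The access hierarchy (User → Responsibility → Menu → Sub-Menu → Function) and the conflict-path analysis above describe a graph walk: each SOD policy names two incompatible functions, and a conflict exists when one user can reach both, either inside one responsibility (intra-role) or only through a combination of responsibilities (inter-role). The following is an added example written for this page, not Oracle's product code; the menus, responsibilities, users and policy names are constructed for illustration, and the preventive check in `simulate_grant` stands in for the "simulation" step of preventive provisioning.

```python
"""Segregation-of-duties conflict analysis over an EBS-style access hierarchy.

Added illustration, not Oracle's product code. The menus, responsibilities,
users and policy names below are constructed for the example.
"""
from collections import defaultdict

# Menu tree: each entry is either a sub-menu (a key of MENUS) or a leaf function.
MENUS = {
    "AP_MAIN": ["AP_INVOICES", "AP_PAYMENTS_SUB"],
    "AP_PAYMENTS_SUB": ["AP_PAYMENTS"],
    "AP_INQUIRY_MENU": ["AP_INVOICE_INQUIRY"],
    "PO_MAIN": ["PO_SUPPLIERS", "PO_BUYER_SUB"],
    "PO_BUYER_SUB": ["PO_CREATE_PO", "PO_APPROVE"],
    "GL_MAIN": ["GL_ENTER_JOURNAL", "GL_POST_JOURNAL"],
}
FUNCTIONS = {
    "AP_INVOICES", "AP_PAYMENTS", "AP_INVOICE_INQUIRY", "PO_SUPPLIERS",
    "PO_CREATE_PO", "PO_APPROVE", "GL_ENTER_JOURNAL", "GL_POST_JOURNAL",
}
# Responsibility -> root menu.
RESPONSIBILITIES = {
    "Payables Manager": "AP_MAIN",
    "Payables Inquiry": "AP_INQUIRY_MENU",
    "Purchasing Super User": "PO_MAIN",
    "GL User": "GL_MAIN",
}
USER_RESPS = {
    "alice": ["Payables Manager", "Purchasing Super User"],
    "bob": ["GL User"],
    "carol": ["Payables Inquiry"],
}
# SOD policies: pairs of functions one person must not hold together.
POLICIES = {
    "Enter and pay invoices": ("AP_INVOICES", "AP_PAYMENTS"),
    "Maintain suppliers and pay invoices": ("PO_SUPPLIERS", "AP_PAYMENTS"),
    "Enter and post journals": ("GL_ENTER_JOURNAL", "GL_POST_JOURNAL"),
}


def menu_function_paths(menu, prefix):
    """Yield (path, function) for every function reachable under `menu`."""
    for entry in MENUS.get(menu, []):
        path = prefix + (entry,)
        if entry in MENUS:
            yield from menu_function_paths(entry, path)
        elif entry in FUNCTIONS:
            yield path, entry


def user_function_paths(resps):
    """Map function -> list of full paths (responsibility, menu, ..., function)."""
    paths = defaultdict(list)
    for resp in resps:
        root = RESPONSIBILITIES[resp]
        for path, fn in menu_function_paths(root, (resp, root)):
            paths[fn].append(path)
    return paths


def find_conflicts(resps):
    """Return every policy violation for one user's responsibilities, with
    full-path detail and whether it is intra-role (both functions reachable
    from one responsibility) or inter-role (only in combination)."""
    paths = user_function_paths(resps)
    conflicts = []
    for policy, (fa, fb) in POLICIES.items():
        for pa in paths.get(fa, []):
            for pb in paths.get(fb, []):
                kind = "intra-role" if pa[0] == pb[0] else "inter-role"
                conflicts.append({"policy": policy, "kind": kind,
                                  "path_a": pa, "path_b": pb})
    return conflicts


def analyse_all(user_resps):
    """Detective pass: conflicts per user for the whole population."""
    return {user: find_conflicts(resps) for user, resps in user_resps.items()}


def simulate_grant(user, new_resp, user_resps=USER_RESPS):
    """Preventive provisioning: conflicts that granting `new_resp` would add.
    An empty list means the grant can proceed without compensating controls."""
    current = user_resps.get(user, [])
    before = find_conflicts(current)
    after = find_conflicts(current + [new_resp])
    return [c for c in after if c not in before]


if __name__ == "__main__":
    for user, conflicts in analyse_all(USER_RESPS).items():
        for c in conflicts:
            print(f"{user}: {c['policy']} [{c['kind']}]")
            print("   ", " > ".join(c["path_a"]))
            print("   ", " > ".join(c["path_b"]))
    print("grant check:", simulate_grant("carol", "Payables Manager"))
```

Running it reports alice twice (an intra-role conflict inside Payables Manager and an inter-role one that only appears because she also holds Purchasing Super User), bob once, and carol not at all; the grant check shows that giving carol Payables Manager would introduce a conflict before the responsibility is assigned, which is the point at which a preventive control has to act. Testing by function rather than by responsibility name is what makes the intra-role case visible at all: a responsibility review alone would pass Payables Manager as a single role.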
Multi-Platform and Cross-Platform Support
• Multi-Platform Support – user access within different, multiple platforms
• Cross-Platform Support – user access across different instances, platforms, applications, etc.
EBS does NOT Address Configuration Change Management
• Don't have the desired level of visibility into the management of the critical set-ups that drive the Oracle EBS environment.
• Don't have an automated way to detect or record changes to sensitive set-up data across instances, locations, or points in time.
• Difficult to prevent changes to critical set-ups from occurring repeatedly.
• Need a better way to enforce change control, ensure data integrity and identify fraud.
• No automated way to document and compare setups in business terms.
• Difficult and time consuming to generate the reports that provide the auditable evidentiary support of your controls environment for your critical set-ups that auditors demand.
• Data privacy and protection of sensitive data requires extensive application customization.
Stronger Application Controls – Ensure integrity of critical application setups
• Achieve consistent application setup and operating standards across multiple instances
• Track complete audit trails for changes to key configurations
• Tightly control change management to accelerate development and test time
Control lifecycle (slide diagram):
• Detection – Define Configuration Controls → Document or Compare Configurations → Monitor Configuration Changes → Manage Data Integrity
• Prevention – Enforce Change Control
Example of Setups and Key Controls (Setups = Key Controls)
Setup Data:
• Application Security
• Document Approvals
• Chart of Accounts
• Profile Options
• Users
• Application Setups
• MRP rules
Operational Data:
• Customers
• Suppliers
• Employees
• Buyers
• Items
• Chart of Account Values
• Category Codes
Key Controls:
• 3-way matching of PO, Invoice and Receipt
• Document spending limits (authorization of PO)
• Security rules – access to sensitive transactions
  o Employee salaries
  o Chart of account values
  o Financial statement reports (FSGs)
  o Price lists
  o Inventory attributes
• Action for late delivery of goods
• Inventory stocking rules
• Rules to create tax on sales orders
• Depreciation methods
Monitor Configuration Changes: Who? What? When? Where?
Oracle Configuration Controls Governor – Enforce integrity of critical application setups
Standard Oracle:
• Who last updated and when
• No defendable audit trail
• No preventive change controls
With Preventive Controls:
• Who / what / when / why / who authorized
• Preventive AND detective change controls
• Reports with reason codes and approvals
• Seeded content for at-risk setups
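The contrast above comes down to two mechanisms: a detective one that documents a setup at one point in time and compares it with another (another instance, or the same instance later) so that an unrecorded change to a key control stands out, and a preventive one that refuses a change to a key-control setup unless it carries a reason code and an authorizer other than the person making it, writing who/what/when/why/who-authorized to an audit trail. The following is an added example for this page, not Oracle's product code; the setup tables and keys, the "2-Way"/"3-Way" values, the change-request codes and the user names are constructed, and which setups count as key controls is an assumption taken from the slide's own list (3-way matching, document spending limits, security rules).

```python
"""Detective and preventive change control over EBS-style setup data.

Added illustration, not Oracle's product code. The setup tables, values,
reason codes and approvers below are constructed for the example.
"""
from datetime import datetime, timezone

# Setups the page calls key controls: a change here must be authorized.
KEY_CONTROL_SETUPS = {
    ("PO_SYSTEM_PARAMETERS", "MATCH_APPROVAL_LEVEL"),  # 3-way matching
    ("PO_APPROVAL_LIMITS", "PROJECT_MANAGER"),         # document spending limit
    ("GL_SECURITY_RULES", "COA_VALUES_ACCESS"),        # access to sensitive data
}


def snapshot_diff(before, after):
    """Compare two setup snapshots ({(table, key): value}) taken at different
    points in time or from different instances; return every difference."""
    changes = []
    for setup in sorted(set(before) | set(after)):
        old, new = before.get(setup), after.get(setup)
        if setup not in before:
            changes.append({"setup": setup, "change": "added", "old": None, "new": new})
        elif setup not in after:
            changes.append({"setup": setup, "change": "removed", "old": old, "new": None})
        elif old != new:
            changes.append({"setup": setup, "change": "changed", "old": old, "new": new})
    return changes


def unauthorized_key_changes(changes, audit_trail):
    """Detective control: key-control changes with no approved audit record
    that accounts for the new value."""
    approved = {(rec["setup"], rec["new"]) for rec in audit_trail if rec["approved_by"]}
    return [c for c in changes
            if c["setup"] in KEY_CONTROL_SETUPS and (c["setup"], c["new"]) not in approved]


class ChangeRejected(Exception):
    """Raised when a preventive control blocks a setup change."""


def apply_change(config, audit_trail, setup, new_value, who,
                 reason_code=None, approved_by=None, when=None):
    """Preventive control: a key-control setup may only change with a reason
    code and an approver other than the person making the change. Every
    accepted change is written to the audit trail (who/what/when/why/authorizer)."""
    if setup in KEY_CONTROL_SETUPS:
        if not reason_code:
            raise ChangeRejected(f"{setup}: reason code required")
        if not approved_by or approved_by == who:
            raise ChangeRejected(f"{setup}: independent approval required")
    audit_trail.append({
        "setup": setup, "old": config.get(setup), "new": new_value, "who": who,
        "when": (when or datetime.now(timezone.utc)).isoformat(),
        "why": reason_code, "approved_by": approved_by,
    })
    config[setup] = new_value
    return audit_trail[-1]


# Constructed snapshots: production as documented at go-live and as found later.
BASELINE = {
    ("PO_SYSTEM_PARAMETERS", "MATCH_APPROVAL_LEVEL"): "3-Way",
    ("PO_APPROVAL_LIMITS", "PROJECT_MANAGER"): 200_000,
    ("GL_SECURITY_RULES", "COA_VALUES_ACCESS"): "RESTRICTED",
    ("PROFILE_OPTIONS", "ICX_LANGUAGE"): "American English",
}
CURRENT = dict(BASELINE)
CURRENT[("PO_SYSTEM_PARAMETERS", "MATCH_APPROVAL_LEVEL")] = "2-Way"  # silently weakened
CURRENT[("PO_APPROVAL_LIMITS", "PROJECT_MANAGER")] = 250_000           # approved below
CURRENT[("PROFILE_OPTIONS", "ICX_LANGUAGE")] = "British English"       # not a key control

# Constructed audit trail: only the limit increase went through change control.
AUDIT_TRAIL = [{
    "setup": ("PO_APPROVAL_LIMITS", "PROJECT_MANAGER"), "old": 200_000, "new": 250_000,
    "who": "appsdba", "when": "2010-01-04T09:00:00+00:00", "why": "CR-118",
    "approved_by": "controller",
}]


def review_snapshots(before=BASELINE, after=CURRENT, audit_trail=AUDIT_TRAIL):
    """Diff two snapshots and return the key-control changes nobody approved."""
    return unauthorized_key_changes(snapshot_diff(before, after), audit_trail)


if __name__ == "__main__":
    for finding in review_snapshots():
        print("UNAUTHORIZED:", finding)
```

The diff finds three differences, but only the matching-level change is reported: the limit increase is covered by an approved record and the language profile option is not a key control, which is how the "document in business terms" step keeps the review focused on the setups auditors care about. The preventive path closes the gap the slide describes for standard Oracle ("who last updated and when" only): a record with a reason code and an independent approver exists before the value changes, so the same comparison run later finds nothing to report.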
Oracle Transaction Controls Governor – Identify inaccurate or fraudulent transactions
Continuously monitor accuracy of transactions and mitigate exposure to fraud.
Pre-delivered Transaction Controls:
• Test against thresholds
• Search for anomalies
• Perform transaction sampling
→ Suspect Transactions
Control lifecycle (slide diagram):
• Detection – Define Transaction Controls → Perform Transaction Analysis → Review and Address Suspects
• Prevention – Preventive Transaction Controls
Transaction Monitoring Controls: Split PO Example
A Project Manager with a $200K requisition limit submits two requisitions to the same vendor: $180K on Jan 1 and $195K on Jan 8. A Buyer / Financial Controller with a $2M PO limit approves the matching purchase orders on Jan 2 ($180K) and Jan 9 ($195K), and $375K in orders goes to the supplier.
• Native Oracle controls: each requisition and each PO is within its approver's limit, so every document is submitted and approved.
• Transaction monitoring: flags multiple requisitions over the $200K limit to the same vendor in 15 days.
Transaction Real World Examples:
• Test against material thresholds
  – JE > $ threshold
  – Employee checks (individual & sum) > $ threshold
• Search for anomalies
  – PO terms differ from vendor
  – Sales orders > acceptable $ range
• Detect fraudulent behavior
  – PO changes after approval
  – Duplicate suppliers with same address
• Embed preventive / automated compensating controls
  – Alert on customer transactions over $ threshold
  – Prevent journals from being entered and posted by the same individual
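The split-PO slide and the list above describe three kinds of control: an aggregate threshold test (several requisitions that each pass a per-document limit but together exceed it), an anomaly search (two supplier records behind one address), and a preventive compensating control (the person who entered a journal cannot post it). The following is an added example written for this page, not Oracle's product code; the requisition amounts reproduce the slide's scenario, while the requester and vendor names, supplier addresses, journal records, the 15-day window and the address normalization rules are constructed for illustration.

```python
"""Transaction monitoring controls over constructed purchasing, supplier and
journal data. Added illustration, not Oracle's product code; the amounts follow
the slide's split-PO scenario, and every record below is constructed."""
import re
from collections import defaultdict
from datetime import date

# Requisitions: the Jan 1 / Jan 8 pair reproduces the slide ($200K limit).
REQUISITIONS = [
    {"req": "R1", "requester": "pm_jones", "vendor": "ACME Supply", "date": date(2010, 1, 1), "amount": 180_000},
    {"req": "R2", "requester": "pm_jones", "vendor": "ACME Supply", "date": date(2010, 1, 8), "amount": 195_000},
    {"req": "R3", "requester": "pm_jones", "vendor": "Other Co", "date": date(2010, 1, 9), "amount": 150_000},
    {"req": "R4", "requester": "pm_smith", "vendor": "ACME Supply", "date": date(2010, 1, 20), "amount": 120_000},
    {"req": "R5", "requester": "pm_smith", "vendor": "ACME Supply", "date": date(2010, 3, 1), "amount": 120_000},
]
APPROVAL_LIMITS = {"pm_jones": 200_000, "pm_smith": 200_000}

SUPPLIERS = [
    {"id": 101, "name": "ACME Supply", "address": "12 Main St., Suite 4, Springfield"},
    {"id": 205, "name": "Acme Supply Inc", "address": "12 MAIN STREET SUITE 4 SPRINGFIELD"},
    {"id": 310, "name": "Other Co", "address": "9 Elm Road, Shelbyville"},
]


def split_purchases(reqs=REQUISITIONS, limits=APPROVAL_LIMITS, window_days=15):
    """Flag requisitions by one requester to one vendor whose total inside a
    window exceeds the requester's limit although each one is under it. Native
    per-document limit checks pass every row; only the aggregate reveals the split."""
    by_pair = defaultdict(list)
    for r in reqs:
        by_pair[(r["requester"], r["vendor"])].append(r)
    findings = []
    for (requester, vendor), rows in by_pair.items():
        rows.sort(key=lambda r: r["date"])
        limit = limits[requester]
        for i, first in enumerate(rows):
            window = [r for r in rows[i:] if (r["date"] - first["date"]).days <= window_days]
            total = sum(r["amount"] for r in window)
            if len(window) > 1 and total > limit and all(r["amount"] <= limit for r in window):
                findings.append({"requester": requester, "vendor": vendor,
                                 "reqs": [r["req"] for r in window], "total": total, "limit": limit})
                break  # one finding per requester/vendor pair is enough for review
    return findings


def normalize_address(addr):
    """Canonical form for matching: case, punctuation and common abbreviations."""
    addr = re.sub(r"[^\w\s]", " ", addr.upper())
    for word, abbr in (("STREET", "ST"), ("ROAD", "RD"), ("AVENUE", "AVE")):
        addr = re.sub(rf"\b{word}\b", abbr, addr)
    return " ".join(addr.split())


def duplicate_suppliers(suppliers=SUPPLIERS):
    """Anomaly search: supplier records sharing one normalized address."""
    groups = defaultdict(list)
    for s in suppliers:
        groups[normalize_address(s["address"])].append(s["id"])
    return [ids for ids in groups.values() if len(ids) > 1]


def post_journal(journal, poster):
    """Preventive compensating control: the person who entered a journal
    cannot also post it."""
    if journal["entered_by"] == poster:
        raise PermissionError(f"{poster} entered journal {journal['id']} and may not post it")
    return {**journal, "posted_by": poster}


if __name__ == "__main__":
    for f in split_purchases():
        print(f"SPLIT PURCHASE: {f['requester']} -> {f['vendor']} {f['reqs']} "
              f"total {f['total']:,} > limit {f['limit']:,}")
    print("duplicate supplier ids:", duplicate_suppliers())
    print(post_journal({"id": "J1", "entered_by": "bob", "amount": 5_000}, "alice"))
```

Only the Jan 1 / Jan 8 pair is flagged: the $150K requisition to a different vendor and the two $120K requisitions forty days apart pass, which is the behaviour a reviewer wants when the control is tuned to the slide's "same vendor in 15 days" pattern rather than to any two requisitions. The duplicate-supplier check would miss the pair without normalization, since the two records differ in case, punctuation and "St." versus "STREET"; and the journal check is the preventive form of the control, rejecting the posting before it happens instead of reporting it afterwards.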