Case Study GRC Implementation - A User Perspective

Presentation transcript:

Case Study GRC Implementation - A User Perspective
Wendy K. Roberts, CPA, CIA
Adil Khan, GRC Client Director, FulcrumWay
Hari Radhakrishnan, IT Consultant, Control Solutions
January 21, 2009

Agenda
Introduction
GRC Objectives
Selection Process – Research and Approach
About FulcrumWay
Controls Survey
Controls Framework
Application Controls Best Practices
GRC Monitor Implementation
Compliance Best Practices
GRC Manager Implementation

Speaker notes: In this presentation, "Top Five Reasons for Automating Application Controls", my goal is to provide some practical advice that you can apply in your business to help improve your GRC process. I would like to start by learning about you through a show of hands: how many of you have a Financial/Accounting background, an IT/DBS/SysAdmin background, or are external auditors? Oracle enterprise applications: EBS, Hyperion, PS, JDE.

About Our Company
Harris Stratex Networks, Inc. is a leading provider of backhaul solutions for mobility and broadband networks. We serve all global markets, including mobile network operators, public safety agencies, private network operators, utility and transportation companies, government agencies and broadcasters. With customers in more than 135 countries, Harris Stratex Networks is recognized around the world for innovative, best-in-class wireless networking solutions and services.

Objective for a GRC Tool
Obtain a versatile tool that could be used worldwide (WW).
Move away from spreadsheets and Word documents to a more automated environment.
A product that could grow with the company.
Be used for SOX 302 and 404 certification.
Support Control Self Assessment testing.
Be used to enhance the testing and reporting for Internal Audit.
Provide a central database for compliance use, such as Code of Conduct and policy management.
Incorporate other compliance programs such as ISO and EH&S.

Research and Approach
Gartner Report: Magic Quadrant for Finance Governance, Risk and Compliance Management Software, 2007 (published February 1, 2007).
Research for the tool began in July 2007.
Developed an analysis matrix with 32 criteria points.
Used the Magic Quadrant to select vendors based on the criteria and the objectives of the company.
Six vendors were chosen which met the most criteria points.
Demos were performed with executive management.
The top two vendors were asked for RFPs.

Research and Approach – Decision for Purchase of Tool
The top two vendors were presented to a steering committee.
A recommendation was made for Oracle GRC Manager as the tool of choice.
Presented to the Board of Directors for approval.
Approval obtained in January 2008.

Implementation of GRC Monitor
Tool used to analyze Segregation of Duties (SOD) violations in Oracle.
On-demand service commenced in February 2008.
Developed over 400 business rules representing best practices in the industry.
Designed a risk matrix using High-Medium-Low risks for the Oracle modules GL, AP, AR and FA.
Remediation of high-risk violations completed in June 2008 (FY08 year end).
Medium- and low-risk violations being completed for FY09 by the end of January 2009.

Implementation of GRC Manager
Tool used to address policy management, 302 quarterly certifications and 404 SOX compliance.
Implementation began mid-October, with completion estimated for March 2009.
Policy management and 302 quarterly certification use Stellent Content Manager in GRC.
GRC Manager is used for SOX 404 certification, Control Self Assessment and Internal Audit testing.
Developing on-line training using Oracle User Productivity Kit (UPK).

About FulcrumWay (www.fulcrumway.com)
FulcrumWay is the #1 provider of Governance, Risk and Compliance expertise, solutions and software services for Oracle enterprise customers.
Expertise: Risk Management, Compliance, IT Audit, Internal Controls, Financial Reporting and GRC software implementation consulting services. Since 2003, we have successfully assisted over one hundred Fortune-500 to middle-market companies across all major industry segments.
Solutions: Oracle certified Systems Integrator and ISV member of the Oracle Partner Network. FulcrumWay solutions are built on software technologies from Oracle Corporation. FulcrumWay GRC Solutions are the #1 choice of Oracle customers.
Software Services: We enable organizations to assess financial, operational and information technology risks, monitor internal controls and optimize business processes. Auditors, risk managers and business process owners can access a wide range of web-based services over a secure internet connection to the FulcrumWay GRCMONITOR® (https://www.grcmonitor.com) Software as a Service (SaaS) platform.
Privately held Delaware corporation with US presence in New York, Texas and California, and international presence in the UK and India.

Fulcrum Credentials
Industries served: Healthcare, Financial Services, Media and Entertainment, Life Sciences, Retail, Industrial Manufacturing, Natural Resources, High Technology, Defense/Aerospace, Construction, Food.
Client named on the slide: Readers Digest.

FulcrumPoint Insight – Thought Leadership and Events
Compliance Week Magazine – Healthcare Firm Aligns Compliance Efforts, Cuts Costs
Economist Magazine – Compliance Guide for Enterprise Systems
Podcast – How Automating the Enterprise Risk Management Process Helps Organizations Comply with Regulations
OAUG – Impact of AS5 for Oracle Enterprise Customers
IIA – Top Five Reasons for Automating Application Controls
Oracle Open World – Annual GRC Dinner, GE and Birds Eye Case Study
Webcasts – GRC Best Practices, Trends and Expert Insight

IT Governance, Risk and Compliance Needs
Common compliance needs (the columns of the slide's matrix): Mandate; Processes and Risk Management; Enterprise Content Management; Security and Identity Management; Learning Management.
Cross-industry mandates: Sarbanes-Oxley Act; HIPAA; California Senate Bill 1386; International Accounting Standards; EU Data Privacy Directive; Federal Sentencing Guidelines.
Industry-specific mandates: Basel II; Gramm-Leach-Bliley; Payment Card Industry Data Security; FDA 21 CFR Part 11; Freedom of Information Act; USA PATRIOT Act.

Speaker notes: Today corporate boards and management are facing growing governance responsibilities as companies around the globe continue to face emerging business risks and challenging economic conditions, as well as increasing pressure from government regulators and investors for timely and accurate financial disclosure. Staying focused on the critical matters of risk management and compliance, without losing sight of the big strategic picture, is a constant challenge in the increasingly global corporate environment. Many companies are facing multiple governmental and industry-specific regulations. How many here work for companies that are complying with one or more of these compliance frameworks?

OAUG Survey Demographics

Application Survey Questions
There were 20 scenarios presented, and each scenario included two questions.

1. Identify the awareness of the deficiency:
My company was not aware of this risk
My company is aware of this risk, but has chosen not to address it yet
My company is aware of this risk and has chosen to accept the risk
My company is aware of this risk and has addressed it via a manual control
My company is aware of this risk and has implemented a customization / extension
I am not qualified to address this risk
My company does not use this functionality
Other

2. Determine the likelihood of implementation if Oracle provided a solution:
Would likely not implement because we don't agree with the risks
Would likely not implement because we already addressed it via a customization
Would likely not implement because we have chosen to accept the risks
Would likely implement it because we have not addressed the issue
Would likely implement it because we would rather replace our customization
I am not able to know what our company would do
Other

Customer Master

Order Forms: Transaction Entry vs. Approval

Workflows

Controls Framework
IT organizations should consider the nature and extent of their operations in determining which, if not all, of the following control objectives need to be included in the internal control program:
PLAN AND ORGANIZE
ACQUIRE AND IMPLEMENT
DELIVER AND SUPPORT
MONITOR AND EVALUATE

Speaker notes: The most widely used compliance frameworks are COSO for financial controls and COBIT for IT controls. Many companies have implemented internal controls programs for enterprise applications such as Oracle EBS based on such a framework, which includes:
Plan – new implementations / upgrades should have project controls over cost, budget and scope.
Acquire / Implement – license compliance, experienced staff, deliverables.
Deliver and Support – "super user" access, configurable controls.
Monitor and Evaluate – user provisioning; transactions (TRX) are approved and authorized.
De – RDA uses the COSO framework.

What are Application Controls?
Orders are processed only within approved customer credit limits.
Orders are approved by management as to prices and terms of sale.
Purchase orders are placed only for approved requisitions.
Purchase orders are accurately entered.
All purchase orders issued are input and processed.
All recorded production costs are consistent with actual direct and indirect expenses associated with production.
All direct and indirect expenses associated with production are recorded as production costs.

Application controls apply to the business processes they support. These controls are designed within the application to prevent or detect unauthorized transactions. When combined with manual controls, as necessary, application controls ensure completeness, accuracy, authorization and validity of transaction processing. Control objectives can be supported with automated application controls. They are most effective in integrated ERP environments, such as SAP, PeopleSoft, Oracle, JD Edwards and others.

Speaker notes: Let's take a look at some examples of application controls. The PCAOB, under the AS5 guideline, states that a company should make effective use of application controls in ERP systems such as Oracle to reduce reliance on manual controls. The examples here are for the Revenue, Expense and Financial Reporting cycles. What are some key processes in scope for RDA? De: example of a process – Procure to Pay, etc. Next I will share best practices in risk assessment, control activities and monitoring for Oracle Applications.

Risk Assessment
The IT organization has an entity-level and activity-level risk assessment framework, which is used periodically to assess information risk to achieving business objectives.
Management's risk assessment framework focuses on the examination of the essential elements of risk and the cause-and-effect relationship among them.
A risk assessment framework exists and considers the probability and likelihood of threats.
The IT organization's risk assessment framework measures the impact of risks according to qualitative and quantitative criteria.
The IT organization's risk assessment framework is designed to support cost-effective controls to mitigate exposure to risks on a continuing basis, including risk avoidance, mitigation or acceptance.
A comprehensive security assessment is performed for critical systems and locations based on their relative priority.

Speaker notes: Application risks can include IT infrastructure as well as application-specific risks such as access, configuration and transactional risks. This is generally done once a year, qualitatively and quantitatively, and includes a review of the Application Risk-Control Matrix, which contains likelihood and impact. Interview process owners about the impact on business process risk; for example, the risk of entering and posting a journal entry without approval, or a sub-inventory transfer. Fulcrum content includes over 600 risks. We can generally provide results in 24 hours. De, RDA uses a top-down risk assessment process.

Control Activities
An organization has and does the following:
A system development life cycle methodology that considers the security, availability and processing integrity requirements of the organization. This ensures that information systems are designed to include application controls that support complete, accurate, authorized and valid transaction processing.
An acquisition and planning process that aligns with its overall strategic direction.
Acquires software in accordance with its acquisition and planning process.
Procedures ensure that system software is installed and maintained in accordance with the organization's requirements.
Procedures ensure that system software changes are controlled in line with the organization's change management procedures.
Ensures that the implementation of system software does not jeopardize the security of the data.

Speaker notes: Common application control activities include an audit of a company's SDLC methodology. For example, for a new module implementation, seeded responsibilities or roles are disabled and custom responsibilities are clean. Transaction controls are in place: approval of journal entries, customer and supplier setups. Applications are installed and maintained by qualified staff, and configurable parameters are locked down. De: examples of access controls, SOD controls and change control. A "clone of production" can jeopardize data security.

Control Monitoring
Changes to IT systems and applications are performed and designed to meet the expectations of users.
IT management monitors its delivery of services to identify shortfalls and responds with actionable plans to improve.
IT management monitors the effectiveness of internal controls in the normal course of operations through management and supervisory activities, comparisons and benchmarks.
Serious deviations in the operation of internal control, including major security, availability and processing integrity events, are reported to senior management.
Internal control assessments are performed periodically, using self-assessment or independent audit, to examine whether internal controls are operating satisfactorily.

Speaker notes: Controls monitoring makes the application controls management process sustainable and cost effective, and reduces unpleasant financial, operational and IT surprises. De, examples of controls monitoring: quarterly SOD report.

Stages of Application Controls Implementation
Define: Define audit units, application environments and controls in scope for audit testing.
Detect: Analyze control violations based on risk and impact; eliminate false positives and exceptions.
Remediate: Resolve control violations.
Prevent: Automated controls deny unauthorized access, transactions and system changes in real time.
Monitor: Analytics notify management of all control violations.

Speaker notes: Here is an approach based on our real-world experience in helping companies automate and streamline controls. The application controls (AC) maturity model shows the stages to optimization.

Application Controls Management Best Practices
Process flow on the slide:
Determine Scope by Application
Establish Rules Repository
Establish Test Environment
Extract ERP Data
Detect Violations
Analyze Issues
Exceptions
Remediate Issues
Implement Changes
Setup Preventive Controls
Monitor Application Environment

Participants (swim lanes on the slide): Business Process Teams, IT Management, Application Control Teams, Corporate Access Controls.

Rules Library: the master repository that contains all SOD rules stored in Access Control.
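The SOD analysis described in the GRC Monitor implementation (business rules, High/Medium/Low risk ratings, remediation of the high-risk violations first) and in the rules repository, Detect and Remediate stages above, as an added example in Python. This is not code from FulcrumWay, Oracle GRC or the presentation; the rule IDs, function names, responsibilities, users and the one documented exception are all constructed for illustration, and the "via" analysis (which responsibilities grant the conflicting functions) goes slightly beyond the slide to show why some violations cannot be fixed by revoking a responsibility.

```python
"""
Added example, not FulcrumWay/Oracle GRC code: a minimal segregation-of-duties
(SOD) detector in the spirit of a rules library plus Detect and Remediate stages.
All rules, responsibilities, users and exceptions below are constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Sort order for the High-Medium-Low risk matrix (high risk is remediated first).
RISK_ORDER = {"High": 0, "Medium": 1, "Low": 2}


@dataclass(frozen=True)
class SodRule:
    rule_id: str
    function_a: str
    function_b: str
    risk: str            # "High", "Medium" or "Low"
    description: str     # what a person holding both functions could do


# Constructed rules repository (a production library holds hundreds of rules).
RULES: List[SodRule] = [
    SodRule("AP-01", "Enter Supplier", "Enter AP Invoice", "High",
            "Create a fictitious supplier and invoice it"),
    SodRule("AP-02", "Enter AP Invoice", "Approve Payment", "High",
            "Approve payment of one's own invoices"),
    SodRule("GL-01", "Enter Journal", "Post Journal", "Medium",
            "Post unreviewed journal entries"),
    SodRule("AR-01", "Enter Customer", "Apply Receipts", "Low",
            "Manipulate receipts on self-created customer accounts"),
]

# Constructed responsibility -> function grants, as extracted from the ERP.
RESPONSIBILITY_FUNCTIONS: Dict[str, Set[str]] = {
    "AP_CLERK": {"Enter Supplier", "Enter AP Invoice"},
    "AP_MANAGER": {"Approve Payment"},
    "GL_ACCOUNTANT": {"Enter Journal"},
    "GL_SUPERVISOR": {"Post Journal"},
    "AR_CLERK": {"Enter Customer", "Apply Receipts"},
}

# Constructed user -> responsibility assignments.
USER_RESPONSIBILITIES: Dict[str, Set[str]] = {
    "alice": {"AP_CLERK", "AP_MANAGER"},
    "bob": {"GL_ACCOUNTANT", "GL_SUPERVISOR"},
    "carol": {"AR_CLERK"},
    "dave": {"GL_ACCOUNTANT"},
}

# Documented exceptions accepted by management: (user, rule_id) -> reason.
EXCEPTIONS: Dict[Tuple[str, str], str] = {
    ("carol", "AR-01"): "Mitigated by monthly receipts review (constructed)",
}


@dataclass
class Violation:
    user: str
    rule: SodRule
    via: Tuple[str, ...]   # responsibilities granting the conflicting functions
    excepted: bool
    reason: str


def effective_functions(user: str, assignments: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Map each function the user can perform to the responsibilities granting it."""
    funcs: Dict[str, Set[str]] = {}
    for resp in assignments.get(user, set()):
        for fn in RESPONSIBILITY_FUNCTIONS.get(resp, set()):
            funcs.setdefault(fn, set()).add(resp)
    return funcs


def detect_violations(assignments: Optional[Dict[str, Set[str]]] = None) -> List[Violation]:
    """Detect stage: evaluate every rule against every user's effective access,
    flag documented exceptions, and order the result by risk for remediation."""
    assignments = USER_RESPONSIBILITIES if assignments is None else assignments
    found: List[Violation] = []
    for user in sorted(assignments):
        funcs = effective_functions(user, assignments)
        for rule in RULES:
            if rule.function_a in funcs and rule.function_b in funcs:
                via = tuple(sorted(funcs[rule.function_a] | funcs[rule.function_b]))
                reason = EXCEPTIONS.get((user, rule.rule_id), "")
                found.append(Violation(user, rule, via, bool(reason), reason))
    found.sort(key=lambda v: (RISK_ORDER[v.rule.risk], v.user, v.rule.rule_id))
    return found


def open_violations_by_risk(violations: List[Violation]) -> Dict[str, int]:
    """Count violations that still need remediation (exceptions are excluded)."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for v in violations:
        if not v.excepted:
            counts[v.rule.risk] += 1
    return counts


def remediate(assignments: Dict[str, Set[str]], user: str, responsibility: str) -> Dict[str, Set[str]]:
    """Remediate stage (simulated): return a copy of the assignments with one
    responsibility revoked, so the detector can be re-run before the change is made."""
    updated = {u: set(r) for u, r in assignments.items()}
    updated.get(user, set()).discard(responsibility)
    return updated


if __name__ == "__main__":
    for v in detect_violations():
        status = "EXCEPTION" if v.excepted else "OPEN"
        print(f"{v.rule.risk:6} {v.rule.rule_id} {v.user:6} via {', '.join(v.via)} [{status}]")
    print(open_violations_by_risk(detect_violations()))
```

Re-running the detector after revoking AP_MANAGER from alice clears AP-02 but leaves AP-01 open with a single responsibility in its "via" column: both conflicting functions sit inside AP_CLERK itself, so that violation is fixed by redesigning the responsibility, not by user provisioning. That distinction is what the Analyze Issues step in the best-practices flow is for.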

GRC Management Process
Process flow on the slide:
Establish Enterprise Structure
Establish Risk & Controls Library
Assess Risk Top Down
Scope Audit Projects
Conduct Assessments
Gather GRC Data
Test Internal Controls
Document Findings
Implement Changes
Certify Business Processes
Certify Financial Statements

Roles (swim lanes on the slide): Management, Compliance Manager, Business Process Owner, Signing Officer.

RCM Hierarchy in GRC Manager

Create Business Process

Controls Interface

Business Process Lifecycle – Importing Processes Using Oracle Tutor
During the import of processes written in Oracle Tutor, only "first level" sub-processes or tasks in the Tutor document are uploaded to OICM. To upload the next level of sub-processes/sub-tasks under the prior level, you must select the appropriate parent process/task before executing the next import. This can be a disadvantage if you have several organizations with multiple levels of sub-processes/sub-tasks under a parent process or task. In a large and complex environment, it is conceivable that a large number of imports will be necessary to fully import your organization's processes.

Questions?