Case Study GRC Implementation - A User Perspective

Presentation on theme: "Case Study GRC Implementation - A User Perspective"— Presentation transcript:

1 Case Study GRC Implementation - A User Perspective
Wendy K. Roberts, CPA, CIA Adil Khan, GRC Client Director, FulcrumWay Hari Radhakrishnan, IT Consultant, Control Solutions January 21, 2009

2 Agenda
Introduction
GRC Objectives
Selection Process – Research and Approach
About FulcrumWay
Controls Survey
Controls Framework
Application Controls Best Practices
GRC Monitor Implementation
Compliance Best Practices
GRC Manager Implementation

In this presentation, “Top Five Reasons for Automating Application Controls”, my goal is to provide some practical advice that you can apply in your business to help improve your GRC process. I would like to start by learning about you through a show of hands. How many of you have a Financial/Accounting background? An IT/DBS/SysAdmin background? Any external auditors? Oracle enterprise applications: EBS, Hyperion, PS, JDE.

3 About Our Company
Harris Stratex Networks, Inc. is a leading provider of backhaul solutions for mobility and broadband networks. We serve all global markets, including mobile network operators, public safety agencies, private network operators, utility and transportation companies, government agencies and broadcasters. With customers in more than 135 countries, Harris Stratex Networks is recognized around the world for innovative, best-in-class wireless networking solutions and services.

4 Objective for a GRC Tool
Obtain a versatile tool that could be used worldwide (WW).
Move away from spreadsheets and Word documents to a more automated environment.
A product that could grow with the company.
Be used for SOX 302 and 404 certification.
Support Control Self Assessment testing.
Be used to enhance the testing and reporting for Internal Audit.
Provide a central database for compliance use, such as Code of Conduct and policy management.
Incorporate other compliance programs such as ISO and EH&S.

5 Research and Approach
Gartner Report – Magic Quadrant for Finance Governance, Risk and Compliance Management Software, published February 1, 2007.
Research for the tool began in July 2007.
Developed an analysis matrix with 32 criteria points.
Used the Magic Quadrant to select vendors based on the criteria and objectives of the company.
Six vendors were chosen which met the most criteria points.
Demos were performed with executive management.
The top two vendors were asked for RFPs.

6 Research and Approach – Decision for Purchase of Tool
The top two vendors were presented to a steering committee.
A recommendation was made for Oracle GRC Manager as the tool of choice.
Presented to the Board of Directors for approval.
Approval obtained in January 2008.

7 Implementation of GRC Monitor
Tool used to analyze Segregation of Duties (SOD) violations in Oracle.
On-demand service commenced in February 2008.
Developed over 400 business rules which represented best practices in the industry.
Designed a risk matrix using High-Medium-Low risk ratings for the Oracle modules GL, AP, AR and FA.
Remediation of violations for high risks completed in June 2008 (FY08 year end).
Medium and low risk violations are being completed for FY09 by the end of January 2009.

8 Implementation of GRC Manager
Tool used to address policy management, 302 quarterly certifications and 404 SOX compliance.
Implementation began mid-October, with completion estimated to be March 2009.
Policy management and 302 quarterly certification using Stellent Content Manager in GRC.
Use of GRC Manager for SOX 404 certification, Control Self Assessment and Internal Audit testing.
Developing on-line training using Oracle User Productivity Kit (UPK).

9 About FulcrumWay www.fulcrumway.com
FulcrumWay is the #1 provider of Governance, Risk and Compliance expertise, solutions and software services for Oracle enterprise customers.

Expertise: Risk Management, Compliance, IT Audit, Internal Controls, Financial Reporting and GRC software implementation consulting services. Since 2003, we have successfully assisted over one hundred Fortune-500 to middle-market companies across all major industry segments.

Solutions: Oracle certified Systems Integrator and ISV member of the Oracle Partner Network. FulcrumWay solutions are built on software technologies from Oracle Corporation. FulcrumWay GRC Solutions are the #1 choice of Oracle customers.

Software Services: We enable organizations to assess Financial, Operational and Information Technology risks, monitor internal controls and optimize business processes. Auditors, Risk Managers and Business Process Owners can access a wide range of web based services over a secure internet connection to the FulcrumWay GRCMONITOR® Software as a Service (SaaS) platform.

Privately held Delaware corporation with US presence in New York, Texas and California; international presence in the UK and India.

10 Fulcrum Credentials
Industries served: Media and Entertainment, Financial Services, Life Sciences, Retail, Industrial Manufacturing, Natural Resources, High Technology, Defense/Aerospace, Healthcare, Construction, Food.
Customer logos shown include Readers Digest.

11 FulcrumPoint Insight – Thought Leadership and Events
Compliance Week Magazine – Healthcare Firm Aligns Compliance Efforts, Cuts Costs
Economist Magazine – Compliance Guide for Enterprise Systems
Podcast – How Automating the Enterprise Risk Management Process helps organizations comply with regulations
OAUG – Impact of AS5 for Oracle Enterprise Customers
IIA – Top Five Reasons for Automating Application Controls
Oracle Open World – Annual GRC Dinner, GE and Birds Eye Case Study
Webcasts – GRC Best Practices, Trends and Expert Insight

12 IT Governance, Risk and Compliance Needs
Common Compliance Needs matrix – columns: Mandate; Processes and Risk Management; Enterprise Content Management; Security and Identity Management; Learning Management.
Cross Industry mandates: Sarbanes-Oxley Act, HIPAA, California Senate Bill 1386, International Accounting Standards, EU Data Privacy Directive, Federal Sentencing Guidelines.
Industry-Specific mandates: Basel II, Gramm-Leach-Bliley, Payment Card Industry Data Security, FDA 21 CFR Part 11, Freedom of Information Act, USA PATRIOT Act.

Today corporate boards and management are facing growing governance responsibilities as companies around the globe continue to face emerging business risks, challenging economic conditions, as well as increasing pressure from government regulators and investors for timely and accurate financial disclosure. Staying focused on the critical matters of risk management and compliance, without losing sight of the big strategic picture, is a constant challenge in the increasingly global corporate environment. Many companies are facing multiple governmental and industry-specific regulations. How many here work for companies that are complying with one or more of these compliance frameworks?

13 OAUG Survey Demographics

14 OAUG Survey Demographics

15 Application Survey Questions
There were 20 scenarios presented and each scenario included two questions.

Identify the awareness of the deficiency:
My company was not aware of this risk
My company is aware of this risk, but has chosen not to address it yet
My company is aware of this risk and has chosen to accept the risk
My company is aware of this risk and has addressed it via a manual control
My company is aware of this risk and has implemented a customization / extension
I am not qualified to address this risk
My company does not use this functionality
Other

Determine likelihood of implementation if Oracle provided a solution:
Would likely not implement because we don't agree with the risks
Would likely not implement because we already addressed it via a customization
Would likely not implement because we have chosen to accept the risks
Would likely implement it because we have not addressed the issue
Would likely implement it because we would rather replace our customization
I am not able to know what our company would do
Other

16 Customer Master

17 Order Forms: Transaction Entry vs. Approval

18 Workflows

19 Controls Framework
IT organizations should consider the nature and extent of their operations in determining which, if not all, of the following control objectives need to be included in an internal control program:
PLAN AND ORGANIZE
ACQUIRE AND IMPLEMENT
DELIVER AND SUPPORT
MONITOR AND EVALUATE

The most widely used compliance frameworks are COSO for financial controls and CoBIT for IT controls. Many companies have implemented Internal Controls Programs for enterprise applications such as Oracle EBS, …based on such a framework, which includes:
Plan – new implementations / upgrades should have project controls over cost, budget and scope
Acquire / Implement – license compliance, experienced staff, deliverables
Deliver and Support – “Super User” access, configurable controls
Monitor & Evaluate – user provisioning, transactions are approved and authorized
De – RDA uses COSO framework

20 What are Application Controls?
Orders are processed only within approved customer credit limits.
Orders are approved by management as to prices and terms of sale.
Purchase orders are placed only for approved requisitions.
Purchase orders are accurately entered.
All purchase orders issued are input and processed.
All recorded production costs are consistent with actual direct and indirect expenses associated with production.
All direct and indirect expenses associated with production are recorded as production costs.

Application controls apply to the business processes they support. These controls are designed within the application to prevent or detect unauthorized transactions. When combined with manual controls, as necessary, application controls ensure completeness, accuracy, authorization and validity of processing transactions. Control objectives can be supported with automated application controls. They are most effective in integrated ERP environments, such as SAP, PeopleSoft, Oracle, JD Edwards and others.

Let's take a look at some examples of application controls. The PCAOB, under the AS5 guideline, states that a company should make effective use of application controls in ERP systems such as Oracle to reduce reliance on manual controls. The examples here are for the Revenue, Expense and Financial Reporting cycles. What are some key processes in scope for RDA? De: example of a process – Procure to Pay, etc…. Next I will share best practices in Risk Assessment, Control Activities and Monitoring for Oracle Applications.

21 Risk Assessment
The IT organization has an entity-level and activity-level risk assessment framework, which is used periodically to assess information risk to achieving business objectives.
Management’s risk assessment framework focuses on the examination of the essential elements of risk and the cause and effect relationship among them.
A risk assessment framework exists and considers the probability and likelihood of threats.
The IT organization’s risk assessment framework measures the impact of risks according to qualitative and quantitative criteria.
The IT organization’s risk assessment framework is designed to support cost-effective controls to mitigate exposure to risks on a continuing basis, including risk avoidance, mitigation or acceptance.
A comprehensive security assessment is performed for critical systems and locations based on their relative priority.

Application risks can include IT infrastructure risks as well as application-specific risks such as access, configuration and transactional risks. This is generally done once a year, qualitatively and quantitatively, and includes a review of the Application Risk-Control Matrix, which contains likelihood and impact. Interview process owners on the impact on business process risk. For example, the risk of entering and posting a journal entry without approval, or a sub-inventory transfer. Fulcrum content includes over 600 risks. We can generally provide results in 24 hours. De, RDA uses a top down risk assessment process.

22 Control Activities
An organization has and does the following:
A system development life cycle methodology that considers the security, availability and processing integrity requirements of the organization. This ensures that information systems are designed to include application controls that support complete, accurate, authorized and valid transaction processing.
An acquisition and planning process that aligns with its overall strategic direction.
Acquires software in accordance with its acquisition and planning process.
Procedures ensure that system software is installed and maintained in accordance with the organization’s requirements.
Procedures ensure that system software changes are controlled in line with the organization’s change management procedures.
Ensures that the implementation of system software does not jeopardize the security of the data.

Common application control activities include an audit of a company's SDLC methodology. For example, on a new module implementation, seeded responsibilities or roles are disabled and custom responsibilities are clean. Transaction controls are in place: approval of journal entries, customer and supplier setups. Applications are installed and maintained by qualified staff; configurable parameters are locked down. De: examples of access controls, SOD controls, change control. A “clone of production” can jeopardize data security.

23 Control Monitoring
Changes to IT systems and applications are performed and designed to meet the expectations of users.
IT management monitors its delivery of services to identify shortfalls and responds with actionable plans to improve.
IT management monitors the effectiveness of internal controls in the normal course of operations through management and supervisory activities, comparisons and benchmarks.
Serious deviations in the operation of internal control, including major security, availability and processing integrity events, are reported to senior management.
Internal control assessments are performed periodically, using self-assessment or independent audit, to examine whether internal controls are operating satisfactorily.

Controls monitoring makes the application controls management process sustainable and cost effective, and reduces unpleasant financial, operational and IT surprises. De, examples of controls monitoring – quarterly SOD report.

24 Stages of Application Controls Implementation
Define: Define audit units, application environments, and controls in scope for audit testing.
Detect: Analyze control violations based on risk and impact. Eliminate false positives and exceptions.
Remediate: Resolve control violations.
Prevent: Automated controls deny unauthorized access, transactions and system changes in real time.
Monitor: Analytics notify management of all control violations.

Here is an approach based on our real-world experience in helping companies automate and streamline controls. The AC maturity model shows the stages to optimization.

25 Application Controls Management Best Practices
Process steps as labelled on the diagram: Exceptions; Setup Preventive Controls; Determine Scope by Application; Establish Rules Repository; Establish Test Environment; Detect Violations; Analyze Issues; Remediate Issues; Implement Changes; Monitor Application Environment; Extract ERP Data.
Roles (swimlanes): Business Process Teams; IT Management; Application Control Teams; Corporate Access Controls.

26 Rules Library is the master repository that contains all SOD Rules stored in Access Control
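The SOD analysis that slides 7, 24 and 26 describe (a rules library with High/Medium/Low ratings, violations detected per user against the responsibilities they hold, documented exceptions filtered out, and a preventive check before new access is granted) can be shown as a small rule engine. The Python below is an added example written for this page; it is not FulcrumWay's or Oracle GRC Monitor's code, and every rule id, function name, responsibility, user and exception in it is constructed for illustration.

```python
from dataclasses import dataclass
from itertools import product

# Ordering used to report High risks first, as in the slide's H/M/L matrix
RISK_ORDER = {"High": 0, "Medium": 1, "Low": 2}


@dataclass(frozen=True)
class SodRule:
    rule_id: str
    function_a: str
    function_b: str
    risk: str          # "High", "Medium" or "Low"
    description: str


@dataclass(frozen=True)
class Violation:
    user: str
    rule_id: str
    risk: str
    path_a: str        # responsibility that grants function_a
    path_b: str        # responsibility that grants function_b


# Constructed rules library (hypothetical ids and functions, not vendor content)
RULES = [
    SodRule("SOD-AP-01", "Create Supplier", "Enter AP Invoice", "High", "Fictitious vendor paid"),
    SodRule("SOD-GL-01", "Enter Journal", "Post Journal", "High", "Unapproved journal posted"),
    SodRule("SOD-AR-01", "Create Customer", "Apply Receipts", "Medium", "Receipt misapplication"),
    SodRule("SOD-FA-01", "Add Asset", "Retire Asset", "Low", "Asset record manipulation"),
]

# Constructed responsibility -> functions map (EBS-style names, hypothetical)
RESPONSIBILITIES = {
    "AP_CLERK": {"Enter AP Invoice", "AP Inquiry"},
    "SUPPLIER_ADMIN": {"Create Supplier"},
    "GL_USER": {"Enter Journal", "GL Inquiry"},
    "GL_MANAGER": {"Enter Journal", "Post Journal"},
    "AR_CLERK": {"Apply Receipts"},
    "CUSTOMER_ADMIN": {"Create Customer"},
    "FA_ACCOUNTANT": {"Add Asset", "Retire Asset"},
}

# Constructed user -> responsibilities assignments
USERS = {
    "jdoe": ["AP_CLERK", "SUPPLIER_ADMIN"],      # conflict across two responsibilities
    "asmith": ["GL_MANAGER"],                    # conflict inside one responsibility
    "bwong": ["AR_CLERK", "CUSTOMER_ADMIN"],     # conflict covered by a documented exception
    "clee": ["FA_ACCOUNTANT"],                   # low-risk conflict
    "dpatel": ["AP_CLERK", "GL_USER"],           # no conflict
}

# Approved exceptions: (user, rule_id) -> compensating control that mitigates the risk
EXCEPTIONS = {
    ("bwong", "SOD-AR-01"): "Monthly receipts-application review by AR manager",
}


def user_function_paths(user, users=USERS, responsibilities=RESPONSIBILITIES):
    """Map every function the user can perform to the responsibilities granting it."""
    paths = {}
    for resp in users.get(user, []):
        for func in responsibilities.get(resp, set()):
            paths.setdefault(func, []).append(resp)
    return paths


def detect_violations(user, rules=RULES, exceptions=EXCEPTIONS, **kw):
    """Detect stage: every rule whose two functions the user can both perform,
    skipping pairs that have an approved exception on file."""
    paths = user_function_paths(user, **kw)
    found = []
    for rule in rules:
        if rule.function_a in paths and rule.function_b in paths:
            if (user, rule.rule_id) in exceptions:
                continue
            # One finding per pair of granting responsibilities, so remediation
            # can see which assignment to remove.
            for ra, rb in product(paths[rule.function_a], paths[rule.function_b]):
                found.append(Violation(user, rule.rule_id, rule.risk, ra, rb))
    return found


def sod_report(users=USERS, rules=RULES, exceptions=EXCEPTIONS, responsibilities=RESPONSIBILITIES):
    """Monitor stage: all open violations, highest risk first, plus counts per rating."""
    violations = []
    for user in users:
        violations.extend(detect_violations(user, rules, exceptions,
                                            users=users, responsibilities=responsibilities))
    violations.sort(key=lambda v: (RISK_ORDER[v.risk], v.user, v.rule_id))
    summary = {"High": 0, "Medium": 0, "Low": 0}
    for v in violations:
        summary[v.risk] += 1
    return violations, summary


def would_violate(user, new_resp, users=USERS, **kw):
    """Prevent stage: rule ids that granting new_resp would newly trigger for user."""
    before = {v.rule_id for v in detect_violations(user, users=users, **kw)}
    trial = dict(users)
    trial[user] = list(users.get(user, [])) + [new_resp]
    after = {v.rule_id for v in detect_violations(user, users=trial, **kw)}
    return sorted(after - before)


if __name__ == "__main__":
    open_violations, counts = sod_report()
    for v in open_violations:
        print(f"{v.risk:6} {v.user:8} {v.rule_id} via {v.path_a} + {v.path_b}")
    print("Summary:", counts)
    print("Granting SUPPLIER_ADMIN to dpatel would trigger:", would_violate("dpatel", "SUPPLIER_ADMIN"))
```

The report lists the High findings first so remediation can follow the same priority the case study used (high risks closed at year end, medium and low afterwards), and `would_violate` is the check a provisioning workflow would run before approving a new responsibility request.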

27 GRC Management Process
Process steps as labelled on the diagram: Document Findings; Gather GRC Data; Assess Risk Top Down; Establish Enterprise Structure; Conduct Assessments; Scope Audit Projects; Test Internal Controls; Certify Business Processes; Certify Financial Statements; Establish Risk & Controls Library; Implement Changes.
Roles (swimlanes): Management; Compliance Manager; Business Process Owner; Signing Officer.

28 RCM Hierarchy in GRC Manager

29 Create Business Process

30 Controls Interface

31 Business Process Lifecycle
Importing Processes Using Oracle Tutor During the import of processes written in Oracle Tutor, only "First Level" sub processes or tasks in the Tutor document are uploaded to OICM. You need to upload a subsequent level of sub-processes/sub-tasks under the prior level by selecting the appropriate parent process/task before executing the next import. This can be a disadvantage if you have several organizations with multiple levels of sub-processes/sub-tasks under a parent process or task. In a large and complex environment, it is conceivable that a large number of imports will be necessary to fully import your organization's processes.

32 Questions?

