Inspiring Your Next Success! Company Confidential - Copyright 2010 Hitachi Consulting
Introduction to the GRC Team
> Kevin Mims, Senior Manager at Hitachi Consulting
> Andy Pope, Manager at Hitachi Consulting
> Paul Steffen, Manager at Hitachi Consulting
> Ryan Henderson, GRC Specialist at Hitachi Consulting
Agenda
> Introductions
> Hitachi Consulting Oracle Practice Overview
> Why GRC? Business Challenges in the Client Space
> How the Oracle GRC Solution Can Help
> Focus on Oracle GRCC Suite
Oracle Application Access Controls Governor (AACG)
Oracle Transaction Controls Governor (TCG)
Oracle Preventive Controls Governor (PCG)
Oracle Configuration Controls Governor (CCG)
> Oracle ERP Implementation Overview: Where do GRC Applications fit in?
> Methodology and Planning
> Keys to Success
> Lessons Learned
> The Hitachi Consulting Solution
> Q&A
Hitachi Consulting Background
(Timeline figure: 2000 to 2010)
Deep Oracle Expertise
Oracle is Hitachi's #1 EA Practice (both revenue and headcount)
400+ Oracle Consultants (80% functional, 20% technical)
100+ completed or ongoing 11i implementations
15+ completed or ongoing R12 implementations
Abstract
> The Oracle Governance, Risk, and Compliance (GRC) Enterprise Solution is an
effective tool that businesses can use to improve IT security and help insure against
fraud, negligence, and other corporate vulnerabilities. Companies that implement a
GRC package will observe an enhancement of corporate governance, comprehensive
risk mitigation, and a significant reduction in audit and compliance costs.
> GRCC serves as the foundational core of Oracle's GRC Enterprise Solution and
works with two higher level components, the GRC Manager and GRC Intelligence.
> The foundation for Oracle's GRC Enterprise Solution is the GRC Controls Suite, an
embedded, linked set of modules that can be used to safeguard sensitive corporate
information. The modular components are organized around specific duties that can
be operated both independently and in conjunction with one another.
2010 Developments in the GRC Space
> 89% of risk professionals surveyed reported investments in GRC
technology will increase or stay the same in 2010 *
> 62% said the current financial crisis has increased the priority of
enterprise-wide risk management *
> AMR reports after a two-year period of decline, GRC spending
growth returns in 2010, by expanding to nearly $30B **
> In May 2008, Standard & Poor's announced a plan to include
enterprise risk management (ERM) assessments in the individual
corporate credit ratings of nonfinancial companies. These plans are
intended to be enacted in 2010 ***
* OpenPages 2009 Survey of over 50 strategic risk, governance and finance professionals. (marketwire.com)
** AMR November 2009 GRC in 2010: $29.8B in Spending Sparked by Risk, Visibility, and Efficiency
*** Standard & Poor's, RatingsDirect, Progress Report: Integrating Enterprise Risk Management Analysis Into Corporate Credit Ratings
Why GRC?
> What Types of Problems are we solving?
> Example 1: Clerk at NYSE-traded food sector corporation was able
to change bank account info without cross-check; $10MM
transferred before fraud was discovered. *
> Consequences: $10MM frozen pending litigation; public
confidence shaken due to notoriety.
> Example 2: NYSE-traded energy sector corporation applied a
production patch that reset vendor tolerances, and didn't notice the
change for nine months. *
> Consequences: Their internal audit team had to do extensive
work to prove there were no abuses, and their external auditors
performed substantial transaction examination.
* Research per Oracle. Numbers are derived from Oracle customer testimonials and 3rd party studies, like those cited in
Compliance Weekly or PwC.
Common GRC Challenges in the Client Space
No Standardized Policies and Procedures
No appropriate standard framework for audit and compliance activities
Inconsistent audit plans, work paper methodologies, etc.
Non-Standard Information
Multiple legacy systems with disparate uses and different architectures
No common platform for reporting and consolidation
* Per Oracle.
How GRC Simplifies Internal Controls
(Reconstructed from the slide diagram: the GRC stack, top to bottom)
> GRC Intelligence: Dashboards, Reports, Alerts, Key Risk Indicators
> GRC Manager: Controls, Processes, Risks, Assessments, Issues, Procedures, Remediation, Policies
> GRC Applications: Application Access Controls Governor, Transaction Controls Governor, Configuration Controls Governor, Preventive Controls Governor
> Applications: EBS Infrastructure
Characteristics called out beside the stack:
> Single Source: Multiple GRC activities working together
> Automation: Proactive response to mitigate risk
> Embedded Controls: Provide real time monitoring and management
> Seeded Content: Out of the box policies and templates
The GRCC Compliance Framework
GRCC (Platform)
> Shared Administrative Functions:
Connects modules to E-Business Suite
Takes snapshots of transactional data
Integrates with other GRC applications (PCG, GRCM, GRCI)
(Diagram: AACG 8.5 and TCG 8.5 running on the GRCC platform)
AACG Enforcement Process
Access Policies Ensuring Segregation of Duties
Finding Conflicts
Remediation
Heat Map
Graphic representation of a firm's operating structure
Heat maps built by tables in AACG help identify key risk indicators
Accessible Conflict Reporting
Users can remove a privilege path and find the remediation plan
Provides a what-if analysis, which automatically simulates a remediation plan
Builds a step-by-step remediation plan to follow
Preventive Enforcement - User Provisioning
> Automatically applies access policies to each user assigned responsibilities in the
EBS
> Activating responsibilities requires a Conflict Analysis to run to confirm that no
violations occur
(Screenshot callout: the new responsibility is automatically end-dated)
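The provisioning check described above, as an added example: this is illustrative Python written for this page, not AACG code or Oracle seeded content, and the responsibility names, function names, SoD policy ids and the AS_OF date are all constructed. A user's active responsibilities are expanded to the functions they grant, each policy is tested for intra-responsibility conflicts (one responsibility grants both functions) and inter-responsibility conflicts (two responsibilities together do), and a newly granted responsibility that introduces a violation is end-dated as of the analysis date so it never becomes usable.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample data, not Oracle seeded content:
# each EBS-style responsibility and the functions (menu entries) it grants.
RESPONSIBILITIES: Dict[str, Set[str]] = {
    "AP_CLERK": {"ENTER_AP_INVOICE", "VIEW_SUPPLIER"},
    "AP_SUPERUSER": {"ENTER_AP_INVOICE", "CREATE_SUPPLIER", "CHANGE_SUPPLIER_BANK"},
    "SUPPLIER_MAINT": {"CREATE_SUPPLIER", "CHANGE_SUPPLIER_BANK"},
    "GL_JOURNAL_ENTRY": {"ENTER_JOURNAL"},
    "GL_JOURNAL_POST": {"POST_JOURNAL"},
}

# Constructed SoD policies: (policy id, function A, function B) one user must not hold together.
SOD_POLICIES: List[Tuple[str, str, str]] = [
    ("SOD-01", "CREATE_SUPPLIER", "ENTER_AP_INVOICE"),
    ("SOD-02", "CHANGE_SUPPLIER_BANK", "ENTER_AP_INVOICE"),
    ("SOD-03", "ENTER_JOURNAL", "POST_JOURNAL"),
]

AS_OF = date(2010, 6, 1)  # constructed "today" for the analysis


@dataclass
class Assignment:
    """One responsibility assigned to a user; an end date on or before the analysis date makes it inactive."""
    responsibility: str
    end_date: Optional[date] = None

    def active(self, on: date) -> bool:
        return self.end_date is None or self.end_date > on


@dataclass(frozen=True)
class Conflict:
    policy: str
    kind: str                          # "intra": one responsibility grants both functions
    responsibilities: Tuple[str, ...]  # "inter": two different responsibilities do


def find_conflicts(assignments: List[Assignment], on: date) -> List[Conflict]:
    """Conflict analysis over a user's active responsibilities."""
    active = sorted({a.responsibility for a in assignments if a.active(on)})
    conflicts: List[Conflict] = []
    for policy_id, func_a, func_b in SOD_POLICIES:
        holders_a = [r for r in active if func_a in RESPONSIBILITIES[r]]
        holders_b = [r for r in active if func_b in RESPONSIBILITIES[r]]
        for r in holders_a:
            if r in holders_b:
                conflicts.append(Conflict(policy_id, "intra", (r,)))
        for ra in holders_a:
            for rb in holders_b:
                if ra != rb:
                    conflicts.append(Conflict(policy_id, "inter", (ra, rb)))
    return conflicts


def provision(assignments: List[Assignment], new_responsibility: str, on: date) -> List[Conflict]:
    """Preventive enforcement: add the responsibility, rerun conflict analysis,
    and end-date the new responsibility if it introduces any violation.
    Returns the conflicts it introduced (empty when the grant was clean)."""
    before = set(find_conflicts(assignments, on))
    grant = Assignment(new_responsibility)
    assignments.append(grant)
    introduced = [c for c in find_conflicts(assignments, on) if c not in before]
    if introduced:
        grant.end_date = on  # end-dated as of today: the grant never becomes usable
    return introduced


if __name__ == "__main__":
    user = [Assignment("AP_CLERK")]
    for c in provision(user, "SUPPLIER_MAINT", AS_OF):
        print(c.policy, c.kind, c.responsibilities)
    print("active after enforcement:", [a.responsibility for a in user if a.active(AS_OF)])
```

Reporting intra and inter conflicts separately matters for remediation: an inter conflict can be cleared by removing one of the two grants, while an intra conflict lives inside a single responsibility and can only be fixed by redesigning that responsibility's menu, which is why the responsibility design has to be in a fit state before the policies are loaded.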
Transaction Controls Governor
(Diagram: Filters & Patterns, Models)
Identify filter types and set thresholds
Model Workbench
Schedule synchronization jobs to ensure accuracy
Transaction Real World Examples
> Test against Material Thresholds
JE > $ threshold
Employee Checks (individual & sum) > $ threshold
> Search for Anomalies
PO terms differ from vendor
Sales orders > acceptable $ range
> Sampling of Transactions
4th quarter invoices
Days sales outstanding balances
> Detect Fraudulent Behavior
PO changes after approval
Duplicate suppliers with same address
> Embed Preventive / Automated Compensating Controls
Alert on customer transactions over $ threshold
Prevent journals from being entered and posted by same individual
* Per Oracle.
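Four of the tests listed above, implemented as an added example: this is illustrative Python for this page, not TCG models or Oracle content, and the journal, supplier and purchase-order records, the user names and the materiality threshold are constructed. It shows a material-threshold filter on journals, the enterer-equals-poster compensating control, duplicate suppliers grouped by a normalized address, and purchase-order line changes that occur after the approval event.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample records shaped like EBS journal, supplier and PO data (not real extracts).
JOURNALS = [
    {"je_id": "JE-1001", "amount": 4200.00, "created_by": "jsmith", "posted_by": "mlee"},
    {"je_id": "JE-1002", "amount": 125000.00, "created_by": "jsmith", "posted_by": "jsmith"},
    {"je_id": "JE-1003", "amount": 98000.00, "created_by": "rkhan", "posted_by": "mlee"},
]
SUPPLIERS = [
    {"vendor_id": 1, "name": "Acme Supply Co", "address": "12 Main St., Suite 4, Atlanta GA"},
    {"vendor_id": 2, "name": "ACME SUPPLY COMPANY", "address": "12 main st suite 4 atlanta ga"},
    {"vendor_id": 3, "name": "Beta Parts", "address": "9 Oak Ave, Dallas TX"},
]
PO_EVENTS = [  # audit trail; seq orders events within a PO
    {"po": "PO-77", "seq": 1, "event": "approved", "user": "mlee"},
    {"po": "PO-77", "seq": 2, "event": "line_changed", "user": "jsmith"},
    {"po": "PO-78", "seq": 1, "event": "line_changed", "user": "rkhan"},
    {"po": "PO-78", "seq": 2, "event": "approved", "user": "mlee"},
]

JE_THRESHOLD = 100_000.00  # constructed materiality threshold


def journals_over_threshold(journals, threshold: float = JE_THRESHOLD) -> List[str]:
    """Material-threshold test: journals whose amount exceeds the threshold."""
    return [j["je_id"] for j in journals if j["amount"] > threshold]


def journals_entered_and_posted_by_same_user(journals) -> List[str]:
    """Transaction-level SoD control: the user who entered a journal must not be its poster."""
    return [j["je_id"] for j in journals if j["created_by"] == j["posted_by"]]


def normalize_address(address: str) -> str:
    """Lower-case, drop punctuation and collapse whitespace so near-identical addresses match."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", address.lower()).split())


def duplicate_suppliers_by_address(suppliers) -> List[List[int]]:
    """Anomaly pattern: distinct vendor ids sharing one normalized address."""
    groups: Dict[str, List[int]] = defaultdict(list)
    for s in suppliers:
        groups[normalize_address(s["address"])].append(s["vendor_id"])
    return [ids for ids in groups.values() if len(ids) > 1]


def po_changed_after_approval(events) -> List[str]:
    """Pattern test: a line change recorded after the PO's approval event."""
    approved_at: Dict[str, int] = {}
    flagged: List[str] = []
    for e in sorted(events, key=lambda e: (e["po"], e["seq"])):
        if e["event"] == "approved":
            approved_at[e["po"]] = e["seq"]
        elif e["event"] == "line_changed" and e["seq"] > approved_at.get(e["po"], float("inf")):
            if e["po"] not in flagged:
                flagged.append(e["po"])
    return flagged


def run_suspect_report() -> Dict[str, list]:
    """One pass over all constructed data, keyed by the control it tests."""
    return {
        "je_over_threshold": journals_over_threshold(JOURNALS),
        "je_same_enterer_poster": journals_entered_and_posted_by_same_user(JOURNALS),
        "duplicate_supplier_addresses": duplicate_suppliers_by_address(SUPPLIERS),
        "po_changed_after_approval": po_changed_after_approval(PO_EVENTS),
    }


if __name__ == "__main__":
    for control, hits in run_suspect_report().items():
        print(f"{control}: {hits}")
```

The address normalization is the part worth getting right: without it the two Acme records look like different suppliers, which is exactly how a duplicate vendor slips past a naive equality check. The PO test also shows why event ordering matters; a change made before approval (PO-78) is routine and must not be flagged.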
Preventive Controls Governor
> Set of applications that run within Oracle EBS as a component of the
GRC Application Suite
> Four sets of rules: Form Rules, Flow Rules, Audit Rules, Change Control Rules
Form Rule Capabilities
Hidden Field
Modify Security Settings
Field Required
Create Messages
Edit Messages
Edit Background
Edit Field Properties
Edit Prompt
Hide Field Data
Audit Rules
Change Control
Enable visual attributes to identify controlled fields
Configuration Controls Governor (CCG)
> Monitor setup data in Oracle EBS
> Compare across multiple instances and different points in time
Identify differences between ERP instances
Maintain data consistency
Standardize and resolve any problems before a rollout
> Reports available in PDF, HTML, and Excel formats
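Configuration comparison of the kind described above, as an added example: this is illustrative Python for this page, not CCG's own logic or report format, and the setup objects, attribute names, instance labels and values are constructed. Each snapshot maps (application, setup object, attribute) to a value, one function diffs two snapshots into added, removed and changed entries, and a second compares every other snapshot, whether another instance or the same instance at another point in time, against a chosen reference. The PROD_2010_03 snapshot is constructed so that a tolerance was reset, echoing the production-patch scenario in Example 2 earlier in the deck.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A setup-data snapshot: (application, setup object, attribute) -> value, all kept as strings.
Key = Tuple[str, str, str]
Snapshot = Dict[Key, str]

# Constructed sample snapshots (not CCG output): PROD at two points in time, plus TEST.
PROD_2010_01: Snapshot = {
    ("Payables", "Payables Options", "Invoice Tolerance Pct"): "5",
    ("Payables", "Payables Options", "Pay Alone"): "No",
    ("General Ledger", "Ledger", "Functional Currency"): "USD",
    ("Purchasing", "Approval Limits", "Buyer Max Amount"): "50000",
}
PROD_2010_03: Snapshot = {
    ("Payables", "Payables Options", "Invoice Tolerance Pct"): "100",  # reset by a patch
    ("Payables", "Payables Options", "Pay Alone"): "No",
    ("General Ledger", "Ledger", "Functional Currency"): "USD",
    ("Purchasing", "Approval Limits", "Buyer Max Amount"): "50000",
}
TEST_2010_03: Snapshot = {
    ("Payables", "Payables Options", "Invoice Tolerance Pct"): "5",
    ("Payables", "Payables Options", "Pay Alone"): "No",
    ("General Ledger", "Ledger", "Functional Currency"): "USD",
    ("Purchasing", "Approval Limits", "Buyer Max Amount"): "50000",
    ("Purchasing", "Approval Limits", "Manager Max Amount"): "250000",  # only set up in TEST
}


@dataclass(frozen=True)
class Difference:
    key: Key
    baseline: Optional[str]  # None when the setting is absent from the baseline
    target: Optional[str]    # None when the setting is absent from the target

    @property
    def kind(self) -> str:
        if self.baseline is None:
            return "added"
        if self.target is None:
            return "removed"
        return "changed"


def snapshot_diff(baseline: Snapshot, target: Snapshot) -> List[Difference]:
    """Every setting whose value differs between the two snapshots, in a stable key order."""
    diffs: List[Difference] = []
    for key in sorted(set(baseline) | set(target)):
        b, t = baseline.get(key), target.get(key)
        if b != t:
            diffs.append(Difference(key, b, t))
    return diffs


def compare_against_reference(reference: str, snapshots: Dict[str, Snapshot]) -> Dict[str, List[Difference]]:
    """Diff every other snapshot (another instance or another point in time) against the reference."""
    base = snapshots[reference]
    return {name: snapshot_diff(base, snap) for name, snap in snapshots.items() if name != reference}


def format_report(diffs: List[Difference]) -> List[str]:
    """One line per difference: kind, dotted setup path, baseline -> target."""
    return [f"{d.kind:8} {'/'.join(d.key)}: {d.baseline!r} -> {d.target!r}" for d in diffs]


if __name__ == "__main__":
    all_snapshots = {
        "PROD_2010_01": PROD_2010_01,
        "PROD_2010_03": PROD_2010_03,
        "TEST_2010_03": TEST_2010_03,
    }
    for name, diffs in compare_against_reference("PROD_2010_01", all_snapshots).items():
        print(f"== {name} vs PROD_2010_01 ==")
        for line in format_report(diffs):
            print(line)
```

Comparing a point-in-time baseline of production against its current state is what would have surfaced the reset tolerance within days rather than nine months; comparing TEST against PROD before a rollout catches settings that exist only in one instance.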
CCG Content Libraries
> CCG comes with seeded content libraries for EBS R12
> Monitors 550+ setup configurations
> Organized around three Oracle EBS Applications:
Change Tracking Reports
Where?
Who?
What?
When?
GRC Application Controls
Existing Hitachi Consulting GRC Client
> $9M Oracle R12 Financials and Process and Manufacturing implementation
spanning 18 countries
> 60+ Legal Entities
> 40+ Consultants
> Modules Include:
Financials: General Ledger, SLAM, Accounts Payables, Accounts
Receivables, eBTax, Project Accounting, Cash Management, Treasury,
Fixed Assets, Advanced Collections
Manufacturing: Inventory, OPM Costing, Bill of Material, WIP, Quality
Procurement: Purchasing, Purchasing Contracts, AME
Order Management: Order Management, Advanced Pricing, Shipping,
Sales Contracts
Supply Chain Mgmt: ASCP
Governance, Risk and Compliance: AACG, TCG, PCG, CCG
Hitachi Consulting Client - GRC Pain Points
Stove Piping
Information Silos across different Legal Entities/Operating Units
No global remediation procedure
Lack of compliance reporting
GRC Methodology and Planning
Implementation Activities: segregation of duties (AACG)
User Provisioning Process Review
Review Oracle Seeded Content Load (Out-of-Box Policies)
SOD Detection and Remediation
Run User Conflict Reports and Heat Maps
Finalize ERP Responsibilities
Process flow: Segregation of Duties Policy Load -> User Provisioning -> Detection and remediation of SODs -> Conflict Reports -> Report on Intra and Inter Responsibility conflicts
Implementation Activities: preventive control rules (PCG)
Future State Business Processes
Review each Oracle module with Client SME and Audit Manager for key fields
Form Rules, i.e. limiting access to a field
Flow Rules, i.e. approval rule informational message on trigger
Audit Rules, i.e. track changes
Change Control Rules, i.e. reason code as to why a field is changed
Set subscribers
Control spreadsheet with seeded content (1500 Rules)
A Layered Defense
> Social Security Number field
AACG: Enforce Segregation of Duties to limit access to HR Responsibility
TCG: Automated Suspect Report identifying all HR violations
CCG: Track Changes to HR Configuration (Who, What, Where, When)
PCG: Hide SS # field and Alert Compliance Department to any changes
Lessons Learned
> Ensure Audit Director/Manager is empowered by the business to make the
important decisions
> A deep understanding of Oracle eBusiness Suite is vital to guarantee GRCC
success
> Promote a cooperative relationship between the Client Teams to encourage
the free flow of ideas
> Plan for dedicated DBA Time for GRC Installations
> Accurate Test Data and Accurate Responsibilities are required for AACG,
TCG, and PCG to be successful test events
> SQL skills are required for the comprehensive implementation of PCG
> Operating Units, Ledgers, Legal Entities, and Responsibilities have to be in
a fit state to make GRC design effective and accurate
Lessons Learned - GRC Architecture
Questions?
Andy Pope, Manager, Hitachi Consulting
www.hitachiconsulting.com
Mobile: 678.463.9622
apope@hitachiconsulting.com
Kevin Mims, Senior Manager, Hitachi Consulting
www.hitachiconsulting.com
Mobile: 404.664.8122
kmims@hitachiconsulting.com