leverage informationtechnology: turn risk into reward ™ copyright ©. fulcrum information...
TRANSCRIPT
Leverage Information Technology:
Turn Risk into Reward ™
Copyright ©. Fulcrum Information Technology, Inc.
Top Five Reasons for Automating Application
Controls
Application Controls Monitoring Best Practices
Adil Khan, Sr. Client DirectorFulcrum Information Technology, Inc.
www.fulcrumway.com
Top 5 Reasons for Automating Application Controls
IntroductionIT Governance Risk and Compliance NeedsFulcrum-IIA Controls SurveyIT Controls Framework Application Controls OverviewAuditing Challenges Automation ApproachAccess Controls Automation Example Case Studies Top Five Reasons
AGENDA
www.fulcrumway.com
About Fulcrum
We are a Leading provider of Governance, Risk and Compliance solutions for enterprise customers. Our solutions focus on:
Enterprise Application Controls Monitoring
GRC Process Management
GRC Intelligence
FulcrumWare GRC Tools include Content and On-line services to rapidly reduce risks such as Segregation of Duty violations in Enterprise Systems such as Oracle E-business Suite, PeopleSoft, JD Edwards, SAP and other Legacy Apps
FulcrumWay Professionals are leading experts with real world experience in Internal Audit, Enterprise Systems and GRC Process Management.
FulcrumPoint Insight provides the latest trends, best practices and thought leadership through regional and national conferences held by OAUG, IIA, ISACA
Privately Held Delaware corporation with US presence in:New York, Texas and California
International Presence in UK and India
www.fulcrumway.com
Fulcrum Credentials
Media and Entertainment
Financial Services
Healthcare
Natural Resources
Life Sciences
Industrial Manufacturing
Defense/ Aerospace
Retail
Construction
High Technology
Readers Digest
Retail
Food
www.fulcrumway.com
FulcrumPoint Insight
Thought Leadership - Events
Compliance Week Magazine - Healthcare Firm Aligns Compliance Efforts, Cuts Costs
Economist Magazine –Compliance Guide for Enterprise Systems
POD Cast – How Automating the Enterprise Risk Management Process helps organizations comply with regulations
OAUG - Impact of AS5 for Oracle Enterprise Customers
IIA – Top Five Reasons for Automating Application Controls
Oracle Open World – Annual GRC Dinner, GE and Birds Eye Case Study
Web casts – GRC Best Practices, Trends and Expert Insight.
www.fulcrumway.com
IT Governance, Risk and Compliance Needs
Common Compliance NeedsCommon Compliance Needs
MandateMandateProcesses and Processes and
Risk Risk ManagementManagement
Enterprise Enterprise Content Content
ManagementManagement
Security and Security and Identity Identity
ManagementManagement
Learning Learning ManagementManagement
Cross IndustryCross Industry
Sarbanes-Oxley ActSarbanes-Oxley Act XX XX XX XX
HIPAAHIPAA XX XX XX
California Senate Bill 1386California Senate Bill 1386 XX XX XX
International Accounting StandardsInternational Accounting Standards XX XX
EU Data Privacy DirectiveEU Data Privacy Directive XX XX XX
Federal Sentencing GuidelinesFederal Sentencing Guidelines XX
Industry-SpecificIndustry-Specific
Basel IIBasel II XX XX XX XX
Gramm-Leach BlileyGramm-Leach Bliley XX XX XX
Payment Card Industry Data SecurityPayment Card Industry Data Security XX XX XX XX
FDA 21 CFR Part 11FDA 21 CFR Part 11 XX XX XX
Freedom of Information ActFreedom of Information Act XX XX
USA PATRIOT ActUSA PATRIOT Act XX XX XX
Multiple Compliance Needs
www.fulcrumway.com
DemographicsFulcrum Survey
www.fulcrumway.com
Results – Financial Reporting Process
Fulcrum Survey
www.fulcrumway.com
Results – Internal ControlsFulcrum Survey
www.fulcrumway.com
IT Controls Framework
IT organizations should consider the nature and extent of theiroperations in determining which, if not all, of the following control objectives need to be included in internal control program:
PLAN AND ORGANIZE
ACQUIRE AND IMPLEMENT
DELIVER AND SUPPORT
MONITOR AND EVALUATE
IT Controls
www.fulcrumway.com
What are Application Controls?
Application controls apply to the business processes they support. These controls are designed within the application to prevent or detect unauthorized transactions. When combined with manual controls, as necessary, application controls ensure completeness, accuracy, authorization and validity of processing transactions
Control objectives can be supported with automated application controls. They are most effective in integrated ERP environments, such as SAP, PeopleSoft, Oracle, JD Edwards and others.
Examples:Orders are processed only within approved customer credit limits.Orders are approved by management as to prices and terms of sale.Purchase orders are placed only for approved requisitions. Purchase orders are accurately entered. All purchase orders issued are input and processed. All recorded production costs are consistent with actual direct and indirect expenses associated with production.All direct and indirect expenses associated with production are recorded as production costs.
Application Controls Overview
www.fulcrumway.com
Risk Assessment
The IT organization has an entity- and activity-level risk assessment framework, which is used periodically to assess information risk to achieving business objectives.Management’s risk assessment framework focuses on the examination of the essential elements of risk and the cause and effect relationship among them.A risk assessment framework exists and considers the risk assessment probability and likelihood of threats.The IT organization’s risk assessment framework measures the impact of risks according to qualitative and quantitative criteria.The IT organization’s risk assessment framework is designed to support cost-effective controls to mitigate exposure to risks on a continuing basis, including risk avoidance, mitigation or acceptance.A comprehensive security assessment is performed for critical systems and locations based on their relative priority.
Application Controls Overview
www.fulcrumway.com
Control Activities
An organization has and does the following : A system development life cycle methodology that considers security, availability and processing integrity requirements of the organization. This ensures that information systems are designed to include application controls that support complete, accurate, authorized and valid transaction processing.An acquisition and planning process that aligns with its overall strategic direction.Acquires software in accordance with its acquisition and planning process.Procedures ensure that system software is installed and maintained in accordance with the organization’s requirements.Procedures ensure that system software changes are controlled in line with the organization’s change management procedures.Ensures that the implementation of system software do not jeopardize the security of the data.
Application Controls Overview
www.fulcrumway.com
Control Monitoring
Changes to IT systems and applications are performed and designed to meet the expectations of users.IT management monitors its delivery of services to identify shortfalls and responds with actionable plans to improve.IT management monitors the effectiveness of internal controls Monitoring in the normal course of operations through management and supervisory activities, comparisons and benchmarks.Serious deviations in the operation of internal control, Monitoring including major security, availability and processing integrity events, are reported to senior management.Internal control assessments are performed periodically, using Monitoring self-assessment or independent audit, to examine whether internal controls are operating satisfactorily.
Application Controls Overview
www.fulcrumway.com
Stages of Application Controls Implementation
Automation Approach
Define: Define Audit Units, Application Environments, and Controls in-scope for Audit Testing
Detect: Analyze Control Violations based on risk, impact. Eliminate false-positives, exceptions
Remediate: Resolve Control Violations
Prevent: Automated Controls deny unauthorized access, transactions and system changes in real-time
Monitor: Analytics to notify management of all control violations
www.fulcrumway.com
Establish Rules
RepositoryDetect
ViolationsAnalyzeIssues
RemediateIssues
ImplementChanges
MonitorApplication
Environment
DetermineScope
by Application
Extract ERP Data
ManageExceptions
SetupPreventiveControls
Application Control TeamsCorporate Access
Controls
Business Process Teams
IT Management
Establish Test
Environment
Application Controls Management Best Practices
Automation Approach
www.fulcrumway.com
Achieving regulatory compliance requires more than IT policies and process documentation
Effective application audit planning requires mapping controls over application test environments, audit units and significant business processes based on risk likelihood and impact to thousands of functions and activities accessible through many roles, menus and functions. Detecting users that have unauthorized access to one or more critical business functions such as purchase to pay requires business analytics based on application control rules.Compensating controls are needed for certain users and transactions where business constraints require exceptions. Remediation effort requires strong collaboration among Audit, IT and Business stakeholders to reconfigure security, reassign users, prevent configuration changes, monitor transaction thresholds. ERP Access Provisioning and Configurations must be approved in “real time” to keep up with business needs.
Auditing Challenges
www.fulcrumway.com
Rules Library is the master repository that contains all SOD Rules stored in Access Control
www.fulcrumway.com
User can create multiple access control tests to detect SOD violations. Violation Results are stored in the database for analysis and change management
www.fulcrumway.com
Security Managers can assign remediation requests and monitor progress to ensure “Closed-Loop” detection to remediation cycle
www.fulcrumway.com
Access provision requests is key financial systems can be process quickly while complying with SOD Policies
www.fulcrumway.com
Analytics to monitor SOD violations and notify management
www.fulcrumway.com
A. Case Study – Improve User Provisioning
Company OverviewWholly owned subsidiary of Fortune 500 focused on communication and information technologies for security, safety and lifestyle enhancements.Operations in more than 30 countriesOracle E Business Suite
GRC Challenges/OpportunitiesComply with SOX Needed to automate a manual and labor-intensive process to define and approve user access.Segregation of Duties ConcernsOracle E-Business Environment
– 40 Modules – 2500 Users, 100 + user
responsibilities
GRC Solutions Automate User Access Provisioning Compliant with SOD Policies
Results
Implemented access provisioning solution to identify users violations and allow auditable override capability for authorized access.
Security provisioning time reduction
Management Commitment to GRC
SOD Rules Content jump started the process
Detected over 5,000 violations
Reduced access provisioning time from 14 days to 4 hours
Trained Process Owners through online self-service portal
www.fulcrumway.com
B. Case Study – Remediate Access Control Deficiency
Company OverviewLeading manufacturer of electrical and mechanical motion control productsGrowing Rapidly through acquisitions Manufacturing and service facilities are located worldwideMultiple Enterprise Applications
GRC Challenges/OpportunitiesRemediate Significant Deficiency identified by external AuditorNeeded a central system to detect over 5000 user access violations and implement new roles across multiple systems within 90 daysLimited IT Audit Resources – One Full Time Equivalent (FTE)
GRC Solutions Risk Analytics Service Access PoliciesDetection and Remediation Service
Results
Completed First Test in 24 hours
No time or resources wasted on additional IT Infrastructure with the On Demand Web Service
Setup Compensating Controls for Waived Users
Preventive Controls Functions reduced the risk of security violations in real time.
Fully Compatible with all Enterprise Systems
Access Controls Content helped management define risk likelihood and impact
Faster Remediation through Analytical Reports and Filters
What-if Analysis Improved Self-Service User Provisioning Process
www.fulcrumway.com
C. Case Study – Reduce Expense through Configurable Controls
Company Overview
World’s pre-eminent gold producer, with a portfolio of 27 operating minesMany advanced exploration and development projects located across five continentsThe largest gold reserves in the industry
GRC Challenges/OpportunitiesNeed to reduce SOX Compliance Audit expenseImplement continuous controls monitoringBaseline ERP Configurable Controls for AS5
GRC Solutions Identify Controls for full or partial automation. Benchmark ERP ConfigurationsSetup audit logs on all configuration changes.
Results
Analyzed over 1,000 controls
Application Audit Portal provides audit trail on all configuration changes in ERP Systems
Track changes to key application setup data and code.
Approval workflows and notifications facilitate change management without negatively impacting core business operations.
Increase visibility into the actual operations of the controls environment
Reduced Testing Time by 30%
www.fulcrumway.com
Scope application control rules based on IT/Business Risk Likelihood and Impact.
Create application test environment based on a central Master Control Content Library.
Maintains Change Controls over Test Plans to manage changes in application environments.
Top 5 Reasons to Automate Controls
Reason #5: Build Effective Test Plan
www.fulcrumway.com
Top 5 Reasons to Automate Controls
Remove false-positives e.g. view-only, hidden or excluded functions.
Exclude control violations where business constraints require “waivers”. Track exception justifications and test compensating controls.
Analyze direct violations within user/role and indirect violations across multiple roles assigned to user.
Reason #4: Detect Control Violations Accurately
www.fulcrumway.com
Top 5 Reason to Automate Controls
Document and assign remediation tasks to Application and Process Owners.
Perform “what-if” analysis to identify business impact of control operation.
Promote successfully tested application controls to production application environment without error prone
manual entries .
Reason #3: Faster Remediation Time Reduces Business Risk
www.fulcrumway.com
Top 5 Reason to Automate Controls
Identify Control Violations based on pre-defined IT Policies to prevent Segregation of Duties Violations, Unapproved Configuration Changes and Erroneous Transactions.
Improve Application Change Management Process through electronic approval workflow.
Restrict Access to Sensitive Data.
Reason #2: Achieve Sustainable Compliance with Preventive Monitoring
www.fulcrumway.com
Reduce Internal and External Application Testing effort by auditing changes to Application Baseline.
Improve Detection to Remediation Cycle through electronic workflow management of control violations.
Reduce Cost of Compliance by replacing manual detection, remediation and prevention activities with streamlined and automated processes.
Reason #1: reduce Auditing Time and Expense
Top 5 Reasons to Automate Controls