Thousands of Hours Saved and Risk Reduced for EBS Upgrades & Implementations
DESCRIPTION
Hear how a major engineering company and a healthcare provider have used Oracle GRC Advanced Controls to save thousands of hours in security access provisioning, configuration change control, testing, project management, and internal and external audit.
TRANSCRIPT
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal 1
The following is intended to outline our general product
direction. It is intended for information purposes only,
and may not be incorporated into any contract.
It is not a commitment to deliver any material, code, or
functionality, and should not be relied upon in making
purchasing decisions. The development, release, and
timing of any features or functionality described for
Oracle’s products remains at the sole discretion of
Oracle.
Reducing Risk for Oracle EBS Upgrades & Implementations (CON8830)
Dane Roberts & Steve Dalton, Oracle
Stephen D’Arcy, PwC
Chuck Scheller, Harvard Pilgrim Health Care,
Dir Business Systems
@OracleAdvCntrls
Oracle GRC Advanced Controls
Join Our Linkedin Group
Follow us on Twitter
Program Agenda
Oracle Advanced Controls (OAC)
Upgrade Challenges
Case Study 1: CH2M
Case Study 2: Harvard Pilgrim Health Care
Realizing Value from OAC after Upgrade
Q&A
GRC Advanced Controls One Enterprise Foundation
Enterprise Risk & Controls Foundation
Dashboards, Reports and Alerts
Notifications Worklists Email Perspectives Search
Risk, Controls & Compliance Management
Reviews Documentation Assessments Remediation Surveys
Continuous Controls & Risk Monitoring
Setups Access Master Data Audit Tests Transactions
User Authored Controls Data Connectors Fraud & Error Patterns
Role Based Access Security
Web Services & APIs
Custom or Legacy Applications
Comprehensive Enterprise Risk Management
Financial Governance
Continuous Controls Monitoring
Flexible
• Graphical Authoring
• Detect and Prevent
• Access, Transactions, Setups
Data Driven (Big Data)
100% of Transactions
Manage by Exception
Optimize Processes
Technical Innovation Robust Types of Automated Controls
Preventive
What users can do
How is the process set up
How users execute processes
What users have done
What’s changed in the process
What are the execution patterns
Monitor Control Effectiveness
Enforce Policies in Context
Segregation of Duties
Application Configuration
Transaction Monitoring
Standard + Advanced Controls
User Roles
3-Way Match
Approval Hierarchies
Sentiment Analysis
Split Purchase Orders
Hide Displays of Sensitive Data
Duplicate Payments
Transaction Threshold Amounts
Duplicate Vendors
Fine-grained User Access
Configuration Snapshots & Audit Trail
Transaction Pattern Analysis
Fuzzy Logic, ‘similar values’
Advanced Controls
Standard Controls
Social Media Policy
E-learning
Ethics Policy
Advanced Controls Enables you to:
Improve Bottom-Line
Reduce Operational Risk
Increase Process Effectiveness
…by Continuously Monitoring Your ERP Applications
Advanced Controls
Make Processes More Effective, Efficient
Reduce Operational Risk
Improve Bottom Line
Detect unwanted transactions
Detect settings that cause loss
Detect problematic exceptions
Automate policy management
ERP Project Concerns: Implementation and Upgrades
Takes longer than expected
Undetected errors
Costs exceed budget
Unforeseen changes
Processes negatively impacted
Improve using advanced control solutions
What Issues Were Encountered During Your Upgrade?
Source: OAUG Research Line, “Moving to New ERP Environments: 2011 OAUG Governance, Risk, and Compliance Best Practices Survey”
48% Unexpected changes to application set ups
28% Disruption to business transactions or workflow
26% Other applications breaking/unable to interoperate
26% Rise in end-user training costs
21% Outdated controls
19% Data damaged/altered
12% Surge in segregation of duties conflicts
9% Data exposed
7% Missed product launches/slower time to market
11% Other
Advanced Access Controls Value for ERP Projects
>Comply with access policies from day one
>Design compliant roles
>Automate the creation of BR-100s
>Ensure instances are synchronized (ex: Test vs. Prod)
>Avoid customizations with configurations and the creation of controls
> Automate compliant user access provisioning
>Reduce testing/debug time - identify changes
>Reduce risk, time and cost of identifying, and correcting errant transactions that violate control policies
>Define and manage complex multi-instance global access policies
>Reduce and eliminate vulnerabilities due to undocumented/unknown configuration settings
>Reduce internal and external costs where key control changes are necessary due to changed functionality
Leveraging Oracle Advanced Controls to accelerate your R12 project
“A story of two different Oracle Advanced Controls implementation strategies for Oracle R12 projects”
The CH2M HILL Story
“Implementing Oracle Advanced Controls during a global R12 re-implementation”
PwC
Overview
1. Project Background & Scope
2. Implementation Approach - Stakeholders
3. Improving the bottom line for CH2M HILL
4. Examples of the Advanced Controls Solutions implemented
5. Keys to success
6. Benefits of implementing Oracle Advanced Controls during the R12 project
Project Background & Scope
Applications Tools
Financials
Security
Procurement
GRC
Human Capital Mgmt.
Plans & Methodologies
Training
Oracle Unified Method
Industry Best Practices
Oracle Applications Experience
Projects
Business Intelligence
Standard Process
98+ Prim ledgers, 10 Sec Ledgers, 170 OU’s, 50+ countries, 30,000 + end users
Implementation Approach - Stakeholders
Oracle Advanced Controls
Process Design
Workshops
CEMLI/ RICEFW
Internal Audit
Government Compliance Dept
Security Officers
Business Process Owners
Improving the bottom line for CH2M HILL
• Replaced approximately 15% of the client's 400+ customizations
– Saved approximately 2000 developer hours
– On average it took 15-20 hours to build a PCG solution
– On average it was taking the EBS implementation partner 60-70 hours
• Facilitating the Shared Services model for a global organization
– Centralized assessment of security and segregation of duties violations: estimated savings of approximately 500 hrs per year, 130 SOD rules built in
– More detailed visibility into which users can perform critical functions within Oracle, especially in foreign locations
• Transaction Controls implemented, saving time and benefiting the bottom line
– Already identified a number of duplicate payments for investigation and future recovery
– Monitoring for compliance exceptions (Enter vs Post Journals)
• Over 100+ critical setups and configurations now being monitored
– Reduced time spent testing patches, troubleshooting EBS and validating automated controls
• Over 130 security & segregation of duties rules built
– Accelerated security re-design evaluation and identified conflicts prior to go-live
– Will reduce Internal & External Audit testing time significantly going forward
• Accelerating multiple Federal Compliance requirements and building many of the solutions into the EBS environment rather than relying on more time-consuming manual effort outside of a system
Examples of the Advanced Controls Solutions built
Duplicate Payments
Journals posted by the same user
Prevent re-opening of projects assigned to inactive Organizations
Notification on chart of accounts changes
Alert when super-user responsibilities are used
Preventing changes to own pay elements
Identification of federal-related invoices where a variance exists between the invoice amount and the cash amount applied.
Identification of employees in the federal entities who have a salary outside of their defined salary range for their job grade.
Keys to Success
• Business-led implementation of Oracle Advanced Controls
– What do you need?
– Why do you need it?
– What value will it bring you?
– Compared to other business requirements, what is the priority?
– Are you prepared to own and operate the output post implementation?
• CEMLI Assessment
– Worked with IT and the business to identify customization candidates that could be replaced with Oracle Advanced Controls
– Determined those CEMLIs where it would be truly more efficient
• Looking at things from a Shared Services perspective
– Leveraged to monitor activity across the global EBS footprint
– Duplicate payments, entering and posting journals, security/SOD, etc.
Benefits of implementing as part of the R12 project
• Oracle Advanced Controls viewed as an additional tool or accelerator by the project team
• Ability to use PCG to address unique business requirements real time
• Embed controls into the to-be processes as opposed to a more expensive retro-fit post go-live
• Project ran in parallel with the overall EBS R12 re-implementation (did not impact or slow-down the critical path)
• Tools were available to monitor activity during the project (e.g. configuration changes)
• Helped the security re-design team understand where the potential conflicts sat prior to go-live as opposed to expensive re-design post go-live.
The Harvard Pilgrim Story
“Implementing Oracle Advanced Controls prior to a R12 implementation”
Agenda
1. Project Background
2. Project Approach
3. Key Benefits for Harvard Pilgrim
4. ROI Framework
Project Background – Oracle GRC Manager (2010)
• Harvard Pilgrim engaged with PwC in late 2010 to implement the Oracle Governance, Risk and Compliance Manager solution for Model Audit Rule (MAR) and SAS70 compliance activities and reporting
• As a part of this initiative, PwC team members worked closely with HPHC’s Financial Controls Manager to design and implement a data repository for compliance content and to automate periodic assessment activities and reporting for MAR and SAS70
Project Background – Oracle Insight (2012)
In 2012, PwC and the Oracle Insight team conducted a week-long discovery session to identify opportunities for Harvard Pilgrim to leverage the Oracle GRC Controls solution in advance of the Oracle R12 upgrade. The team identified and recommended a three-phase iterative implementation project to build incremental value for Harvard Pilgrim:
Phase 1 – Quick Wins (Current Scope)
• Review, prioritize and identify key corporate-wide and division-specific controls for potential automation using Oracle GRC Controls
• Maintain focus on acquiring value and decreasing manual effort by the audit teams in executing Segregation of Duties (SOD) testing, access reviews, and configuration change management
• Implement SOD access controls (AACG) and configurations monitoring (CCG)
Phase 2 – Facilitate R12 Upgrade and Implement Transaction Controls
• Maximize usage of AACG and CCG to facilitate R12 upgrade efforts
• Conduct workshops with business process owners to identify high risk transactional controls
• Evaluate opportunity to implement transaction controls (TCG) to address key transactional level risk exposures in Oracle EBS
Phase 3 – GRC Optimization Assessment
• Evaluate opportunity to implement preventive/approval based SOD controls
• Evaluate opportunity to implement approval based change control for key EBS configurations
• Evaluate integration between GRC Control and GRC Manager to automate Model Audit Rules testing
• Assess and provide scope for OHI integration to GRC Controls
Key Benefits for Harvard Pilgrim
• Reduce manual efforts to compile reporting packages for periodic access reviews and configuration change controls
• Maintain integrity of system configurations and provide the ability to track unintended changes from periodic maintenance and patching activities
• Establish Segregation of Duties policies to reduce the cost of R12 upgrade and prevent remediation of access violations post go-live
• Reduce the level of effort to document and manage system configuration changes during R12 upgrade
• Automate the continuous monitoring of key financial controls to reduce the risk of fraudulent transactions
• Expected reduction in external audit scope and fees through the use of an automated tool
HPHC ROI
Tangible Cost Savings (Total ROI 6 years)
• Access Management – Leverage AACG to reduce the level of effort to provision, monitor, and remediate access risk exposures
– Estimated reduction of 2,298 hours across IT, Internal and External Audit
• Controls Management – Leverage CCG to reduce the level of effort to manage and test Oracle configuration change controls
– Estimated reduction of 5,815 hours across IT, HPHC Business, Internal and External Audit
• R12 Upgrade – Leverage AACG and CCG to facilitate R12 upgrade activities such as instance comparison and new responsibility design
– Estimated reduction of 2,278 hours during R12 upgrade and subsequent periods
Risk Reduction
• Reduce risk of Fraud, Waste and Abuse by leveraging continuous auditing of access and configuration change control
• Reduce access risk exposure by defining and reviewing SOD and Restricted Access controls at the user and function level
• Reduce risk of inappropriate changes to Oracle configuration by enhanced ability to test configuration change controls by producing system record of changes and audit trail evidence
• Pushes controls testing responsibility & compliance ownership to business area owners. Frees internal audit hours to pursue other IA initiatives versus access and configuration controls testing
• Preventive User Access Administration (automated SOD Policies via AIM)
Learn More
PwC GRC Whitepaper
“Leveraging advanced controls with E-Business suite implementation and upgrade projects”
http://www.oracle.com/us/products/applications/ebusiness/optimizing-erp-projects-1855138.pdf
Optimize your ERP Projects leveraging Oracle Advanced Controls
The Opportunity
Any Time: Transform your business processes
ERP Implementation: Provide optimal control solutions from day 1
ERP Upgrade: Add advanced controls to monitor and enhance ERP controls
Utilize Project Solutions Post-Production
Prevent inappropriate activities with security rules
Improve data integrity by monitoring setup changes
Uncover unauthorized changes with embedded rules
Change in Internal Control Requirements
[Chart: y-axis Requirements (0 to 250), x-axis Year 1 to Year 4; labels: Functional Compliance Levels, GAP]
• Manual Processes
• Customizations
• Change Control
• More Audits
Challenges:
• Multiple ERPs
• New Regulations
• More Legal Entities
• New Contracts
Social Media Monitoring
New Markets & Regions
Processes Outsourced
Acquisitions
Optimize Processes with Advanced Controls
policies are followed
for high-risk events
cash leakage
Fix Cash Leakage
On Every:
Protiviti 2010 - Procurement Assessment and AP Recovery Solutions
Amount of Cash Leakage:
Policies Evolve Over Time
Prevent viewing of sensitive data
Control extended customer terms
Restrict large sales discounts
Revise account rec’s risk ratings
Stop split purchase orders
Scrutinize PO price variances
Check unapproved vendors
Limit entertainment expenses
Tighten user access
Require approval of large credit memos
Review manual journal entries
Monitor POs entered on receiving day
Result is Challenges to Ensure
Ensure Policies are Followed
Controls
Purchase orders not split?
User access appropriate?
Extended customer terms result in no write-offs?
Continuously Monitor for High-Risk Events
Customers (Sample)
Public Sector
Technology/Services
Retail
Energy
Communication
Industrial
Logistics
Healthcare/Life Sciences
Mining/Exploration
Oracle Advanced Controls OOW2013 Sessions & Demo Pod Slides
Specialized Advanced Controls Partners
New Benefit for Advanced Controls owners
Specialized Partners:
– Trained by Oracle: designing and delivering OAC solutions
– Demonstrated ability to deliver reliable OAC solutions
Coming soon
Demo Workstation: Moscone West, 1st Floor, #W-013
Demo ID 3532, Workstation #: W-013
Monday: 9:45 – 6:00
Tuesday: 9:45 – 6:00
Wednesday: 9:45 – 4:00
General Session: Empowering Modern Governance, Risk, and Compliance
12:15PM Moscone West – 2006/2008
GEN8812
Automate Robust User Access and Security Controls for PeopleSoft
10:45AM Moscone West - 2009
CON8820
Panel Discussion: Intelligent Controls for Key Business Processes & Upgrades in PeopleSoft
3:15PM Moscone West - 3020
CON8822
Deloitte: Leveraging Oracle GRC Technology to Reduce Revenue Loss, Cost Leakage & Fraud
3:15PM Moscone West - 2000
CON8822
Learn More About Oracle Advanced Controls: Monday
Top 10 Advanced Controls for Procure-to-Pay to Improve the Bottom Line
10:30AM Moscone West – 2003
CON8814
Center for Medicare & Medicaid Services Automates Internal Controls with Oracle GRC
3:45PM St Francis – Elizabethan C/D
CON9346
Enforce Segregation of Duties with Identity Management and Oracle Advanced Controls
5:15PM Moscone West – 3018
CON8827
Learn More About Oracle Advanced Controls: Tuesday
Optimizing Order-to-Cash with Oracle Advanced Controls for Oracle E-Business Suite
10:15AM Moscone West – 3018
CON8816
Reducing Risk for Oracle E-Business Suite Upgrades and Implementations
1:15PM Moscone West – 3018
CON8830
Panel Discussion: Intelligent Controls for Key Business Processes and Upgrades
3:30PM Moscone West – 2002 / 2004
CON8832
Learn More About Oracle Advanced Controls: Wednesday
Advanced Access and User Security for Oracle E-Business Suite and Fusion Applications
2:00PM Moscone West – 3018
CON8824
Meet the Governance, Risk, and Compliance Experts
12:30PM Moscone West 2001A
MTE9412
Learn More About Oracle Advanced Controls: Thursday