
Oracle GRC value proposition on Segregation of Duties challenges

ADVISORY

Kishore Anjur
KPMG LLP
IT Advisory
August 21, 2009

Agenda
Segregation of Duties Overview
Understanding the Drivers
SoD Process
Mitigate the impact of a SoD risk
Requirement for Automated SoD Solution
Considerations of SoD
Oracle SoD Model
Overview of the tool
Oracle GRC solution
Key Success Factors
2009 KPMG LLP, a US member firm of the KPMG network of independent member firms affiliated with KPMG International,
a Swiss cooperative. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss cooperative.

Topic: Oracle GRC value proposition on Segregation of Duties challenges

Segregation of Duties (SoD) has become an increasingly important
risk-management requirement for today's CEOs and CFOs.
Separating financial functions across individuals has always been good
business practice for reducing the risk of fraud and checking the
accuracy of financial transactions. However, as an enterprise's user
base grows, its financial systems become more complex and the
enterprise is forced to create an increasing number of manual controls;
maintaining effective SoD efficiently and at a reasonable cost is
becoming significantly more challenging.


What is Segregation of Duties?


The prevention of occupational fraud in the form of asset
misappropriation and intentional financial misstatement.


SoD Objective
A fundamental concept of internal control is the segregation of certain
key duties.
The basic idea underlying SoD is that no employee or group of
employees should be in a position both to perpetrate and to conceal
errors or fraud in the normal course of their duties.
The principal incompatible duties to be segregated are:
Initiate transaction
Approve transaction
Record transaction
Reconcile balances
Handle assets
Review reports


Understanding Drivers - Common SoD Risks

Management SoD risks
Earnings management
Improper management override
Improper expense capitalization
Excessive management override

Procurement
Fictitious vendors
Fictitious/inflated invoices
Duplicative purchases (e.g., P-Card)
Improper P-Card purchases
Structured payments
Unauthorized / unapproved purchases
Conflicts of interest

T&E
False/inflated reimbursement requests
Purchases for personal use
Duplicate purchasing and reimbursement schemes
Unauthorized vendors
Unauthorized expenditures
Excessive spending

Payroll
Ghost employees
Inflated salaries
Inflated hours
Improper supplemental payments
Improper incentive compensation
Excessive overtime
Excessive supplemental payments, bonuses, incentive compensation


Source for SoD conflicts

Potential sources for SoD conflicts
Production support team excessive access
Generic user names
No defined segregation of duties policies
No preventative or detective controls to enforce SoD principles
No standard reports to identify SoD conflicts
System Administrator accounts with seeded passwords
Relying on custom reports to address SoD issues
Audit capture feature turned off due to concern about database size
No defined exception reports for security exceptions or incidents


Source for ERP SoD conflicts

Oracle
Excessive access through seeded responsibilities
Workflow approvals not enforced
Manual 3-way match by the same user
PeopleSoft
Operator Preferences used as an extension of security features
Access allowing Correction mode
JDE
User-level permissions override group-level permissions
Users who enter journal entries can also approve them


SoD Analysis Process

SoD Analysis Lifecycle

Start: Identify financially significant business processes (SoD Analyst).

SoD rules: Design the SoD rules based on key responsibilities in
collaboration with the business process owner.

SoD conflict matrix: Create a SoD conflict matrix by application and by
function.

Source data: Obtain source data with users and their security information.

Reports: Establish a process to analyze the users and security data
against the SoD rules (Oracle GRCC suite or custom SoD tool). Submit SoD
reports to the process owner.

Reduce the risk: Identify compensating controls. Identify mitigating
controls.

Remediation: Scale down excessive access.

Retest: Rerun the analysis after effecting the remediation.

Stabilize the process: Establish policies and procedures to continually
monitor to detect segregation of duties conflicts and continue to perform
SoD analysis.

Monitor new user access:
By business process
By department
By manager
If a new user is in conflict, provide the hire date and the date access
was granted.

Other inputs shown on the diagram: New project; Change locations, roles,
etc.; Forget password.


In-Scope Applications Cross Application considerations

Example of SoD conflict matrix for cross applications

SoD Conflict Matrix (the in-scope applications appear on both axes):
TLS
LPS
Interest Rates
Individual Claims System (ICS)
Annuity Payout System (APS)
Death Claim System
Ceridian - HRIS and Payroll
Ingenium
CAPSIL
Vantage One (Quincy)
Life70 (Quincy)
Life 70 (ISA and AML)
Life 70 (Des Moines)
FASAT
Admin Server
AS/400 Homegrown
TAI
Pam-Mortgage
PAM-Security
Charles River
Triton
LifeMaster / Polysystems
ARCVal
Oracle/FDR
JD Edwards
MG ALFA

[Matrix cells: one Y / N / N/A value per application pair; only scattered cell values survive in this extraction, so the per-pair values are not reproduced here.]

Legend
Y: Valid cross application
N: Not a valid cross application combination
N/A: Cross application conflict is not possible
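Worked example, added here and not part of the KPMG deck or of Oracle GRC: the analysis step from the SoD Analysis Process slide (users and their security information evaluated against SoD rules, with mitigating controls identified and new user access monitored by grant date) combined with the cross-application matrix and its Y / N / N/A legend from this slide. Application names are taken from the deck; the responsibilities, duty mapping, rules, matrix values, control ids, users and dates are all constructed for the example.

```python
"""SoD analysis of users' security data against SoD rules, including a
cross-application validity matrix, mitigating controls and new-access
monitoring. All identifiers and data here are constructed for illustration;
they are not Oracle GRC data structures."""
from collections import defaultdict
from datetime import date

# Constructed mapping: which incompatible duty each responsibility grants,
# keyed by (application, responsibility). Applications named as in the deck.
RESPONSIBILITY_DUTIES = {
    ("JD Edwards", "AP Invoice Entry"): "Record transaction",
    ("JD Edwards", "AP Payment Approval"): "Approve transaction",
    ("Oracle/FDR", "Vendor Maintenance"): "Initiate transaction",
    ("Oracle/FDR", "Bank Reconciliation"): "Reconcile balances",
    ("TLS", "Cash Handling"): "Handle assets",
}

# Constructed SoD rules: (rule id, duty A, duty B, risk rating). Each rule
# names two of the deck's incompatible duties.
SOD_RULES = [
    ("R01", "Initiate transaction", "Approve transaction", "High"),
    ("R02", "Record transaction", "Approve transaction", "High"),
    ("R03", "Handle assets", "Reconcile balances", "High"),
    ("R04", "Record transaction", "Reconcile balances", "Medium"),
]

# Constructed cross-application matrix using the deck's legend:
# "Y" = valid cross-application combination, "N" = not a valid combination,
# "N/A" = a cross-application conflict is not possible. Pairs within one
# application are always evaluated; unlisted pairs default to "N".
CROSS_APP_MATRIX = {
    frozenset({"JD Edwards", "Oracle/FDR"}): "Y",
    frozenset({"JD Edwards", "TLS"}): "N",
    frozenset({"Oracle/FDR", "TLS"}): "N/A",
}

# Constructed mitigating controls already mapped to a (user, rule) pair.
MITIGATING_CONTROLS = {
    ("jdoe", "R02"): "MC-07 suspense account review by controller",
}

# Constructed extract of users and their security information:
# (user, application, responsibility, date access was granted).
ACCESS_EXTRACT = [
    ("jdoe", "JD Edwards", "AP Invoice Entry", date(2008, 3, 1)),
    ("jdoe", "JD Edwards", "AP Payment Approval", date(2009, 8, 3)),
    ("asmith", "Oracle/FDR", "Vendor Maintenance", date(2007, 1, 15)),
    ("asmith", "JD Edwards", "AP Payment Approval", date(2009, 7, 20)),
    ("bkim", "TLS", "Cash Handling", date(2009, 6, 1)),
    ("bkim", "Oracle/FDR", "Bank Reconciliation", date(2009, 6, 1)),
]
REVIEW_CUTOFF = date(2009, 8, 1)  # access granted on/after this counts as new


def cross_app_applicable(app_a, app_b):
    """True if duties held in these two applications can form a conflict."""
    if app_a == app_b:
        return True
    return CROSS_APP_MATRIX.get(frozenset({app_a, app_b}), "N") == "Y"


def find_conflicts(access_records):
    """Evaluate every user's grants against every rule.

    Returns one record per (user, rule, grant pair) conflict, with the
    mitigating control attached where one is mapped."""
    grants_by_user = defaultdict(list)
    for user, app, resp, granted in access_records:
        duty = RESPONSIBILITY_DUTIES.get((app, resp))
        if duty:  # responsibilities with no mapped duty are out of scope
            grants_by_user[user].append((app, resp, duty, granted))

    conflicts = []
    for user, grants in grants_by_user.items():
        for rule_id, duty_a, duty_b, risk in SOD_RULES:
            for app_a, resp_a, d_a, g_a in grants:
                for app_b, resp_b, d_b, g_b in grants:
                    if (d_a, d_b) != (duty_a, duty_b):
                        continue
                    if not cross_app_applicable(app_a, app_b):
                        continue
                    conflicts.append({
                        "user": user, "rule": rule_id, "risk": risk,
                        "grants": ((app_a, resp_a, g_a), (app_b, resp_b, g_b)),
                        "latest_grant": max(g_a, g_b),
                        "mitigating_control": MITIGATING_CONTROLS.get((user, rule_id)),
                    })
    return conflicts


def unmitigated(conflicts):
    """Conflicts with no mitigating control mapped: remediate or add a control."""
    return [c for c in conflicts if c["mitigating_control"] is None]


def new_access_conflicts(conflicts, since):
    """Conflicts created by access granted on or after `since` (new-user monitoring)."""
    return [c for c in conflicts if c["latest_grant"] >= since]


if __name__ == "__main__":
    found = find_conflicts(ACCESS_EXTRACT)
    for c in found:
        status = c["mitigating_control"] or "UNMITIGATED"
        print(f'{c["user"]:8} {c["rule"]} {c["risk"]:6} {c["grants"]} -> {status}')
    print("new-access conflicts:",
          [c["user"] for c in new_access_conflicts(found, REVIEW_CUTOFF)])
```

On the constructed data the JD Edwards-only user is in conflict under R02 but has a mitigating control mapped, the user holding vendor maintenance in Oracle/FDR and payment approval in JD Edwards is an unmitigated cross-application conflict because the matrix marks that pair "Y", and the TLS / Oracle/FDR pair produces nothing because the matrix marks it "N/A". The grant-date filter is what the "monitor new user access" step needs to report conflicts introduced since the last review.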


Reduce Residual SoD Risk

Compensating controls - Operate at the same level as the key control
and eliminate the complete risk.
Ex: On a daily basis the A/P Manager compares all payment
requests to ensure an appropriate cost center manager has
approved the invoice and that the approver is within his/her
established limits.

Mitigating controls - Reduce the impact of the risk partially.
Ex: Suspense account balances are analyzed and reviewed by
appropriate personnel for large, old, or unusual items.

Scale down excessive access
Create common profiles by considering SoD conflicts


Requirement for Automated SoD (GRC) Solutions

In the current complex business environment, there is an
increased focus on adopting innovative ways of assessing and
managing Segregation of Duties (SoD) risk while enhancing
performance
Advances in technology have paved the way for increased use of
GRC on organizational processes, transactions, systems and
controls
Organizations are leveraging technologies to change how they
evaluate the effectiveness of controls and monitor performance
Integrated GRC approach
Real-time transaction analysis
Continuous control monitoring
Fraud detection


Considerations for SoD

What are the objectives?
What are the focus areas?
What analytical functionality is required?
Where will data come from?
What exception handling is required?
What are our infrastructure requirements?
How will analysis be performed?
What reporting do we need? Dashboards?
How are end users impacted?


Oracle SoD (GRC) Overview


Overview of the Oracle SoD tool

Tool background
The Oracle GRC Solution is relatively new and developed in the past few
years. It is based upon the acquisitions of Stellent and LogicalApps. It
comprises the following modules:
GRC Intelligence
GRC Manager (previous Stellent solution)
GRC Controls Suite (previous LogicalApps solution)

Technical architecture
Oracle GRC is designed to work on an integrated basis within the Oracle
stable of products. It operates from an application server attached to the
target ERP system, monitoring data at source. Reporting is through email
alerts or dashboards. It is designed to integrate with Oracle Applications (EBS,
PeopleSoft, JDE, Siebel) as well as other non-Oracle ERP applications
(such as SAP, Lawson, etc.).

Technical requirements
Application and database server for Stellent, Integra and GRC suite


Overview of the Oracle SoD tool

Recommended use
Environments where the target ERP is Oracle E-Business Suite or PeopleSoft
Real-time, preventative controls for segregation of duties (SoD), data change
management and configuration management
Continuous monitoring and continuous audit rather than point-in-time
snapshots; monitoring occurs in real time, not using data extracts
Where removing data from the client site causes security problems
Larger companies

Case studies
Oracle provides two case studies from their Governance, Risk and Compliance
Solution Space:
Unum Provident
Centro Properties Group
http://launch.oracle.com/?GRC5


Functionality of the Oracle SoD tool components

GRC Intelligence:
Prebuilt, role-based dashboards and KRIs
Tailored GRC diagnostics for business processes and roles
Heterogeneous data integration
Leverage single source of GRC information across organizations,
departments and locations
Library of OOTB reports spanning the overall GRC process

GRC Manager:
Reduce cost and complexity by managing multiple global mandates with one
system
Rely on tamper-proof chain of evidence for all financial compliance processes
Align policies and processes with better practice risk and control frameworks
Perform control automation configuration and administration
Manage control automation for business processes
Use test plans and report control effectiveness

GRC Controls Suite: briefed in the next slides


GRCC Overview

GRC Controls Suite

GRC Platform
Application Access Controls Governor (AACG)
Configuration Controls Governor (CCG) (Integra Apps)
Transaction Controls Governor (TCG)
Preventive Controls Governor (PCG)
Oracle E-Business Suite


Oracle GRC Controls (GRCC) components

GRCC Platform - GRC Controls Management Features
Reduce risk of fraud with continuous monitoring of automated controls
Enforce effective preventive and detective controls across all systems
Control user access and enforce segregation of duties with business-driven
rules

AACG - Application Access Controls Governor: SoD solution
TCG - Transaction Controls Governor: suspect tracing on key transactions
CCG - Configuration Controls Governor: setup changes tracing
PCG - Preventive Controls Governor: compensating control for AACG


How to Enable the GRCC SoD process

SoD Analysis Lifecycle

Start - Create GRC users:
SoD Analyst
Admin - SoD super user
View only - Auditor
Approver - SoD approver

AACG:
Design new SoD rules
Upload SoD rules from Excel
Enable GRC default SoD rules
Define workflow rules
Process reports (ad-hoc reports, scheduled reports)

Identify SoD focus area:
Define elements
Define attributes
Define workflow process
Finalize conflict rules

CCG:
Configure Control Library
Who / What / When

TCG:
Define transaction controls (SQL)
Define task approval
Define suspects

PCG:
Form rules
Flow rules
Audit rules
Change control rules

GRC Intelligence:
Ad-hoc reports
Schedule reports
Analyze the reports

Remediation:
Scale down excessive access
Monitor new user access

Retest: Rerun the analysis by effecting the remediation and continue to
perform SoD analysis.

Other inputs shown on the diagram: New project; Change locations, roles,
etc.; Forget password.
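Added example, not the deck's or Oracle's code: the TCG step "Define transaction controls (SQL)" shown as two detective controls written in SQL and run over a constructed accounts-payable data set in an in-memory sqlite3 database. The first control flags a vendor creator who also entered or approved that vendor's invoices; the second automates the compensating control from the Reduce Residual SoD Risk slide (each approver within his/her established limit) and flags approvers with no limit on file. The table names, columns, users and amounts are constructed for the example, and the "suspects" function stands in for the "Define suspects" step.

```python
"""Transaction-level detective controls expressed as SQL, in the style of a
transaction monitoring step: each control is a query over the ERP tables
that returns exception rows, and the users named in those rows become the
suspects. Schema, data and control names are constructed for this example
(sqlite3 in memory); they are not Oracle GRC objects."""
import sqlite3

SCHEMA = """
CREATE TABLE vendors (
    vendor_id INTEGER PRIMARY KEY, name TEXT, created_by TEXT);
CREATE TABLE invoices (
    invoice_id INTEGER PRIMARY KEY, vendor_id INTEGER, amount REAL,
    entered_by TEXT, approved_by TEXT);
CREATE TABLE approval_limits (user_id TEXT PRIMARY KEY, max_amount REAL);
"""

# Constructed sample data.
VENDORS = [(1, "Acme Supplies", "asmith"), (2, "Globex", "jdoe")]
INVOICES = [
    (100, 1, 4200.00, "asmith", "mlee"),   # vendor creator entered the invoice
    (101, 1, 900.00, "bkim", "mlee"),      # clean
    (102, 2, 15000.00, "bkim", "jdoe"),    # vendor creator approved it, over limit
    (103, 2, 2500.00, "bkim", "rpatel"),   # approver has no established limit
]
LIMITS = [("mlee", 5000.00), ("jdoe", 10000.00)]

# Control 1: the user who created a vendor also entered or approved an
# invoice for that vendor (initiate plus record/approve in one pair of hands).
VENDOR_SELF_DEALING_SQL = """
SELECT i.invoice_id, v.name, v.created_by,
       CASE WHEN i.entered_by = v.created_by THEN 'entered' ELSE 'approved' END
FROM invoices i
JOIN vendors v ON v.vendor_id = i.vendor_id
WHERE v.created_by IN (i.entered_by, i.approved_by)
ORDER BY i.invoice_id
"""

# Control 2: automated form of the compensating control on the residual-risk
# slide: the approver must be within his/her established limit. An approver
# with no limit on file is flagged rather than silently passed.
OVER_LIMIT_SQL = """
SELECT i.invoice_id, i.approved_by, i.amount, l.max_amount
FROM invoices i
LEFT JOIN approval_limits l ON l.user_id = i.approved_by
WHERE l.max_amount IS NULL OR i.amount > l.max_amount
ORDER BY i.invoice_id
"""


def build_db():
    """Create the in-memory database and load the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO vendors VALUES (?, ?, ?)", VENDORS)
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?, ?, ?)", INVOICES)
    conn.executemany("INSERT INTO approval_limits VALUES (?, ?)", LIMITS)
    return conn


def run_control(conn, sql):
    """Run one transaction control and return its exception rows."""
    return conn.execute(sql).fetchall()


def suspects(conn):
    """Users named by any control's exceptions (the 'Define suspects' step)."""
    users = {row[2] for row in run_control(conn, VENDOR_SELF_DEALING_SQL)}
    users |= {row[1] for row in run_control(conn, OVER_LIMIT_SQL)}
    return users


if __name__ == "__main__":
    db = build_db()
    for name, sql in (("vendor self-dealing", VENDOR_SELF_DEALING_SQL),
                      ("approval over limit", OVER_LIMIT_SQL)):
        print(name)
        for row in run_control(db, sql):
            print("  ", row)
    print("suspects:", sorted(suspects(db)))
```

The LEFT JOIN in the second control is the deliberate part: an approver who is missing from the limits table is a control gap, not a clean result, so the query treats a NULL limit as an exception. In a scheduled run the exception rows would go to the process owner with the report, as the SoD Analysis Process slide describes.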


GRC Intelligence Interactive Dashboard


(Sample output)


GRC Intelligence Controls Summary


(Sample output)


GRC Intelligence Risk Mitigation


(Sample output)


GRC Intelligence SoD Analysis


(Sample output)


Oracle GRC Potential benefits

Incorporated within the Oracle E-Business Suite/PeopleSoft/JD Edwards/Siebel
stable of products
Leverages a single source of GRC information across departments, locations,
and business units
Improves risk responsiveness with timely control and performance diagnostics
Tailor GRC dashboards to specific needs of a role or organization
Designed to prevent, rather than detect
Reduce cost and complexity by managing multiple regulatory mandates with
one system
Rely on tamper-proof chain of evidence for all compliance processes
Control user access and enforce segregation of duties with business-driven
rules
Reduce risk of fraud with continuous monitoring of automated controls
Provides deeper insight into SoD areas of risk and opportunity, while
strengthening governance structures


Key Success Factors of GRC project

Success factors:
Senior executive support
Technology tools and experienced resources
Established approach to GRC
Well planned approach
Organizational alignment

Fact-based approach to identification, quantification and prioritization of GRC opportunities
Selection of appropriate GRC tools to contain costs and speed up communication
Experienced staff who can commence fieldwork immediately
Global continuous monitoring framework and approach
Identification of key control check points
Methodology emphasizes SoD risk and continuous improvement
Detailed project initiation and work plan documents
Knowledge of linkage to enterprise risk exposures
Organization's risk profile is fundamental to the assessment and design of the GRC solution
Executive involvement at all stages of the project including opportunity identification, selection,
prioritization and sign-off
Clear GRC leadership roles to drive cultural change
Identification of control owners to report failures, escalate issues, etc.
Incorporation of key line management within the GRC project
Partnering with team members to help enable knowledge transfer
Senior industry and functional practitioners


KPMG IT Advisory Service Overview

Business Systems
Enterprise Application Strategy
Systems Implementation Review
Configurable Control Assessment
Access and SoD Assessment
Business Process/Systems Optimization Review
Master Data Management

Security
Security Strategy
Information Governance and Privacy
Identity and Access Management
Security Vulnerability Management
Enterprise Resiliency and Business Continuity
Payment Card Industry (PCI)

Strategic
IT Project Management Office (PMO)
IT Strategy, Governance, and Performance
Sourcing (off/onshore) and Shared Services
Post-Merger IT Integration
Business Intelligence
Vendor and Systems Selection

Attestation
Audits of third-party services providers (SAS 70)
IT Internal Audit
WebTrust / SysTrust
FISAP (Financial Institutions Shared Assessments Program)


Q&A

Presenter contact details

Kishore Anjur
KPMG LLP
(847) 749-5234
kanjur@kpmg.com
www.kpmg.com
Additional contributions: Chris Hambach and Tim Gavin

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we
endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue
to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

2008 KPMG LLP, a U.S. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved.
