Kishore Anjur
KPMG LLP
IT Advisory
August 21, 2009
Agenda
Segregation of Duties Overview
Understanding the Drivers
SoD Process
Mitigate the impact of a SoD risk
Requirement for Automated SoD Solution
Considerations of SoD
Oracle SoD Model
Overview of the tool
Oracle GRC solution
Key Success Factors
2009 KPMG LLP, a US member firm of the KPMG network of independent member firms affiliated with KPMG International,
a Swiss cooperative. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss cooperative.
SoD Objective
A fundamental concept of internal control is the segregation of certain key duties.
The basic idea underlying SoD is that no employee or group of employees should be in a position both to perpetrate and to conceal errors or fraud in the normal course of their duties.
The principal incompatible duties to be segregated are:
Initiate transaction
Approve transaction
Record transaction
Reconcile balances
Handle assets
Review reports
SoD Risks
Earnings management:
  Improper management override
  Improper expense capitalization
  Excessive management override
Procurement / T&E:
  Fictitious vendors
  Fictitious/inflated invoices
  Duplicative purchases (e.g., P-Card)
  Improper P-Card purchases
  Structured payments
  Unauthorized/unapproved purchases
  Conflicts of interest
  False/inflated reimbursement requests
  Purchases for personal use
  Duplicate purchasing and reimbursement schemes
  Unauthorized vendors
  Unauthorized expenditures
  Excessive spending
Payroll:
  Ghost employees
  Inflated salaries
  Inflated hours
  Improper supplemental payments
  Improper incentive compensation
  Excessive overtime
  Excessive supplemental payments, bonuses, incentive compensation
SoD Analyst: identify financially significant business processes.
SoD rules: design the SoD rules based on key responsibilities, in collaboration with the business process owner.
SoD conflict matrix: create a SoD conflict matrix by application and by function.
Source data and triggers: new project; change of locations, roles, etc.; forgotten password.
Reports: identify mitigating controls.
Remediation: by business process, by department, by manager. If a new user is in conflict, provide the hire date and the access-granted date.
Retest: rerun the analysis after effecting the remediation.
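An added example, not from this deck and not Oracle GRC code, that carries the process above through in Python together with the incompatible duties from the SoD Objective slide: the duty pairs become a conflict matrix, application roles are resolved to business functions, every user is checked against every rule, documented mitigating controls are attached, the remaining conflicts are reported by department and manager (with hire and access-granted dates for new joiners), and the analysis is rerun after remediation as the retest. The conflict matrix, the SOD-xx rule ids, the AP_*/GL_* role names, the users and the mitigating control are all constructed sample data.

```python
from dataclasses import dataclass, replace
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed conflict matrix built from the incompatible duties on the SoD
# Objective slide; SOD-xx ids are placeholders. A real matrix is agreed with
# the business process owner per application and per function.
CONFLICT_MATRIX: Dict[FrozenSet[str], str] = {
    frozenset({"initiate_transaction", "approve_transaction"}): "SOD-01 initiate vs approve",
    frozenset({"approve_transaction", "record_transaction"}): "SOD-02 approve vs record",
    frozenset({"record_transaction", "reconcile_balances"}): "SOD-03 record vs reconcile",
    frozenset({"handle_assets", "record_transaction"}): "SOD-04 custody vs record",
    frozenset({"handle_assets", "reconcile_balances"}): "SOD-05 custody vs reconcile",
}
# Constructed role-to-function mapping; AP_*/GL_* are placeholder role names.
ROLE_FUNCTIONS: Dict[str, Set[str]] = {
    "AP_CLERK": {"initiate_transaction", "record_transaction"},
    "AP_APPROVER": {"approve_transaction"},
    "GL_RECONCILER": {"reconcile_balances"},
    "TREASURY_PAYMENTS": {"handle_assets"},
    "REPORT_VIEWER": {"review_reports"},
}

@dataclass
class User:
    user_id: str
    department: str
    manager: str
    hire_date: date
    access_granted: date
    roles: Set[str]

@dataclass
class Conflict:
    user_id: str
    rule: str
    granting_roles: Dict[str, Set[str]]       # function -> roles that grant it
    mitigating_control: Optional[str] = None  # documented compensating control

def functions_held(user: User) -> Dict[str, Set[str]]:
    """Resolve a user's roles to the business functions they grant."""
    held: Dict[str, Set[str]] = {}
    for role in sorted(user.roles):
        for fn in ROLE_FUNCTIONS.get(role, set()):
            held.setdefault(fn, set()).add(role)
    return held

def find_conflicts(users: List[User],
                   mitigations: Dict[Tuple[str, str], str]) -> List[Conflict]:
    """Run every conflict-matrix rule against every user; attach any
    mitigating control documented for (user_id, rule)."""
    found: List[Conflict] = []
    for user in users:
        held = functions_held(user)
        for pair, rule in CONFLICT_MATRIX.items():
            if pair.issubset(held):
                found.append(Conflict(user.user_id, rule, {fn: held[fn] for fn in sorted(pair)},
                                      mitigations.get((user.user_id, rule))))
    return found

def remediation_report(conflicts: List[Conflict], users: List[User], as_of: date,
                       new_user_days: int = 90) -> Dict[str, Dict[str, List[str]]]:
    """Unmitigated conflicts by department, then manager; new joiners get dates."""
    by_id = {u.user_id: u for u in users}
    report: Dict[str, Dict[str, List[str]]] = {}
    for c in conflicts:
        if c.mitigating_control is not None:
            continue  # mitigated conflicts are accepted, not remediated
        u = by_id[c.user_id]
        roles = sorted({r for rs in c.granting_roles.values() for r in rs})
        line = f"{u.user_id}: {c.rule} via {', '.join(roles)}"
        if (as_of - u.access_granted).days <= new_user_days:
            line += f" [new user: hired {u.hire_date}, access granted {u.access_granted}]"
        report.setdefault(u.department, {}).setdefault(u.manager, []).append(line)
    return report

def remove_role(users: List[User], user_id: str, role: str) -> List[User]:
    """Apply one remediation decision without mutating the input (for retest)."""
    return [replace(u, roles=u.roles - {role}) if u.user_id == user_id else u for u in users]

# Constructed sample population as of the deck's date.
AS_OF = date(2009, 8, 21)
SAMPLE_USERS = [
    User("jdoe", "Finance", "mgr_finance", date(2005, 3, 1), date(2005, 3, 1),
         {"AP_CLERK", "AP_APPROVER"}),             # initiates, records and approves
    User("asmith", "Finance", "mgr_finance", date(2009, 7, 15), date(2009, 7, 20),
         {"AP_CLERK", "GL_RECONCILER"}),           # new joiner: records and reconciles
    User("bwong", "Treasury", "mgr_treasury", date(2001, 1, 8), date(2001, 1, 8),
         {"TREASURY_PAYMENTS", "REPORT_VIEWER"}),  # custody plus review only: clean
]
SAMPLE_MITIGATIONS = {("jdoe", "SOD-01 initiate vs approve"): "Monthly AP approval review by controller"}

if __name__ == "__main__":
    conflicts = find_conflicts(SAMPLE_USERS, SAMPLE_MITIGATIONS)
    for dept, managers in remediation_report(conflicts, SAMPLE_USERS, AS_OF).items():
        for manager, lines in managers.items():
            print(f"{dept} / {manager}")
            print("\n".join("  " + line for line in lines))
    # Retest: rerun the analysis after remediating the two open conflicts.
    remediated = remove_role(remove_role(SAMPLE_USERS, "jdoe", "AP_APPROVER"),
                             "asmith", "GL_RECONCILER")
    print("open after retest:", len(find_conflicts(remediated, SAMPLE_MITIGATIONS)))
```

The mitigated conflict for jdoe stays visible in the conflict list but drops out of the remediation report, which is the distinction the "identify mitigating controls" step draws: an accepted conflict with a documented compensating control is a different record from one awaiting role removal. Running the same functions over the remediated population is the retest.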
Application inventory (slide figure; the per-application Y / N / N/A column values are not legible):
TLS, LPS, Interest Rates, Death Claim System, Ingenium, CAPSIL, Life70 (Quincy), FASAT, Admin Server, AS/400 Homegrown, TAI, Pam-Mortgage, PAM-Security, Charles River, Triton, LifeMaster / Polysystems, ARCVal, Oracle/FDR, JD Edwards, MG ALFA
Legend: Y, N, N/A
What analytical functionality is required?
Where will data come from?
What exception handling is required?
How will analysis be performed?
What reporting do we need? Dashboards?
The Oracle GRC Solution is relatively new, developed over the past few years, and is based on the acquisitions of Stellent and LogicalApps. It comprises the following modules:
GRC Intelligence
GRC Manager (previously the Stellent solution)
GRC Controls Suite (previously the LogicalApps solution)
Technical architecture and technical requirements: application and database server for Stellent, Integra and the GRC suite.
Case studies
Oracle provides two case studies from their Governance, Risk and Compliance
Solution Space:
Unum Provident
Centro Properties Group
http://launch.oracle.com/?GRC5
GRC Intelligence:
  Prebuilt, role-based dashboards and KRIs
  Tailored GRC diagnostics for business processes and roles
  Heterogeneous data integration
  Leverage a single source of GRC information across organizations, departments and locations
  Library of OOTB reports spanning the overall GRC process
GRC Manager:
  Reduce cost and complexity by managing multiple global mandates with one system
  Rely on a tamper-proof chain of evidence for all financial compliance processes
  Align policies and processes with better-practice risk and control frameworks
  Perform control automation configuration and administration
  Manage control automation for business processes
  Use test plans and report control effectiveness
GRC Controls Suite: briefed in the next slides
GRCC Overview
Configuration Controls Governor (CCG) (Integra Apps)
Transaction Controls Governor (TCG)
SoD Analyst
AACG (Application Access Controls Governor):
  Design new SoD rules
  Upload SoD rules from Excel
  Enable GRC default SoD rules
  Define workflow rules
Process reports:
  Ad-hoc reports
  Schedule reports
Triggers: new project; retest; change of locations, roles, etc.; forgotten password
Define elements
Define attributes
Define workflow process access
GRC Intelligence:
  Ad-hoc reports
  Schedule reports
CCG: who, what, when
TCG
PCG (Preventive Controls Governor):
  Form rules
  Flow rules
  Audit rules
  Change control rules
Senior executive support
Technology tools and experienced resources
Established approach to GRC
Well-planned approach
Organizational alignment
Executive involvement at all stages of the project, including opportunity identification, selection, prioritization and sign-off
Clear GRC leadership roles to drive cultural change
Identification of control owners to report failures, escalate issues, etc.
Enterprise Application Strategy
Systems Implementation Review
Configurable Control Assessment
Access and SoD Assessment
Business Process/Systems Optimization Review
Master Data Management
Security:
  Security Strategy
  Information Governance and Privacy
  Identity and Access Management
  Security Vulnerability Management
  Enterprise Resiliency and Business Continuity
  Payment Card Industry (PCI)
Strategic:
  IT Project Management Office (PMO)
  IT Strategy, Governance, and Performance
  Sourcing (off/onshore) and Shared Services
  Post-Merger IT Integration
  Business Intelligence
  Vendor and Systems Selection
Attestation:
  Audits of third-party services providers (SAS 70)
  IT Internal Audit
  WebTrust/SysTrust
  FISAP (Financial Institutions Shared Assessments Program)
Q&A
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we
endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue
to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
2008 KPMG LLP, a U.S. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved.