
IT ADVISORY SERVICES

Oracle Governance, Risk and Compliance (GRC) Overview


June 2008
KPMG LLP

Presenter Background: Philip McGivney

Philip McGivney
Senior Manager, Pittsburgh, PA
12+ years experience
Representative clients: Campbell Soup, HJ Heinz, Estee Lauder, SC Johnson, Shell Chemical, Duquesne Light, Regeneron, Independence Blue Cross

2008 KPMG LLP, a U.S. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. Printed in the U.S.A. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss cooperative. 19045PHL

Presenter Background: Jason Lindsley

Jason Lindsley, CPA, CISA
Manager, Philadelphia, PA
Pennsylvania Oracle Product Champion
National Oracle GRC PMO Lead
4+ years with KPMG's Advisory Services
Representative clients: ARAMARK Corporation, CROWN Holdings, Inc., IKON Office Solutions, Subaru of America, NRG Energy, Inc., Regeneron Pharmaceuticals, Catalent Pharmaceuticals


Oracle GRC POV Discussion Outline

KPMG Overview
What is Governance, Risk and Compliance (GRC)?
- Broad Definition and Supporting Technology
- Oracle GRC Application Suite
Why is Governance, Risk and Compliance (GRC) important?
Oracle GRC and Approach


KPMGs Market Offering

What we do: the global services we offer

- Audit: Financial Statement Audit, Statutory Audit, Audit Related Services
- Tax: International Corporate Tax, Business Tax, Indirect Taxes, Personal Tax
- Advisory: Controls Integration and Optimization, Project Execution Assistance, IS Governance, Change Management, Sourcing Advice, Security & Privacy, Attestation Support, Process Design, Business Case Development, Business and Risk Assessments, Finance Transformation, Business Integration, Investigations (Fraud), Transaction Services

Our Global Lines of Business:


Financial Services; Information, Communications & Entertainment; Industrial Markets; Consumer Markets; Infrastructure, Government & Healthcare; Private Equity

Who are our clients?


Global, National and Middle Market entities

Advisory Services Framework

Advisory Service Lines


Internal Audit, Regulatory & Compliance (IARCS); Financial Risk Management (FRM); Business Performance Services (BPS); Transaction Services (TS); Information Technology Advisory (ITA); Forensic Services

Skills & Competencies

Client Solutions: Skill Bundling


Skill layers (diagram):
- Advisory Foundation Methods (One : Many)
- Service Line Fundamentals (One : Many)
- Technical Skill Specific (Many : Many)

KPMGs Global Reach

Map legend: Americas, ASPAC, EMA, No Member Firm

Americas: Argentina, Brazil, Canada, Central America (KCA), Chile, Colombia, Ecuador, Israel, Mexico, Netherlands Antilles, Peru, US, Uruguay, Venezuela
- Central America sub region: Costa Rica, Dominican Republic, Guatemala, Honduras, Nicaragua, Panama

ASPAC: Australia, Cambodia, Hong Kong / China SAR, Indonesia, Japan, Korea, Laos, Malaysia, New Zealand, Philippines, Singapore, Taiwan, Thailand, Vietnam

EMA: Africa, Austria, Belgium, Cyprus, Denmark, Finland, France, Germany, Greece, Iceland, Ireland, Italy, Luxembourg, Morocco, Netherlands, Norway, Portugal, Spain, Sweden, Switzerland, Tunisia, Turkey, UK
- Africa sub region: Angola & Mozambique, Botswana, Ghana, Kenya, Tanzania & Uganda, Malawi, Mauritius, Namibia, Nigeria, Sierra Leone, South Africa, Swaziland, Zambia, Zimbabwe
- CIS sub region: Armenia, Kazakhstan, Russia, Ukraine
- CEE sub region: Albania, Bulgaria, Croatia & Bosnia, Czech Republic, Estonia, Hungary, Latvia, Lithuania, Macedonia, Poland, Romania & Moldova, Serbia and Montenegro, Slovakia, Slovenia
- MESA sub region: Afghanistan, Bahrain, Egypt, India, Iran, Iraq, Kuwait, Lebanon, Oman, Pakistan, Qatar, Saudi Arabia, Sri Lanka, Syria, UAE, Yemen
- TOG sub region: Anguilla, Bahamas, Bermuda, Caricom, Cayman Islands & BVIs, Channel Islands, Isle of Man, Malta, Turks and Caicos Islands


Oracle GRC POV Discussion Outline

KPMG Overview
What is Governance, Risk and Compliance (GRC)?
- Broad Definition and Supporting Technology
- Oracle GRC Application Suite
Why is Governance, Risk and Compliance (GRC) important?
Oracle GRC and Approach


Governance, Risk and Compliance (GRC)

- Governance is the management of strategic directives.
- Risk is the effect of uncertainty on business objectives; risk management is the mechanism to improve performance while minimizing financial losses.
- Compliance transcends a focus on laws and regulations to encompass all facets that affect integrity, reputation and brand.
- IT enabler: Oracle GRC fully deployed for maximum impact.
- Other enablers include change management, performance and value measurement and management, and monitoring mechanisms.
- GRC implementation is not about a single role in the organization that is responsible for everything related to governance, risk, and compliance.
- GRC works best when multiple roles (e.g., corporate secretary, corporate compliance, enterprise risk, audit, IT, line-of-business, investigations, legal) work together in a common framework, collaboration, and architecture to bring an enterprise view across governance, risk, and compliance activities throughout the organization.

KPMG Governance, Risk and Compliance Framework

Framework layers (diagram):
- Enterprise (Board, Operating Committee): Governance; Strategy & Policy; Information
- Functional (IT, Finance, Sales, etc.) and Managerial (Line Management): Risk Management, covering Risk Assessment, Risk Measurement, Risk Strategy and Risk Monitoring; Company Level Controls (Environmental, Entity, Managerial)
- Business Activity: Compliance and Controls; Process Embedded Controls (manual, automated) across Financial, Operational and Regulatory domains


Oracle GRC Application Solution provides the infrastructure to automate end-to-end GRC processes, including corporate governance and oversight, risk management, and compliance management and reporting
Industry and domain layer: Retail & Consumer Goods, Financial Services, Utilities & Energy, Communications, Life Sciences; Risk Management, IT Governance, Environmental Health, Corporate Responsibility, Financial Compliance

Oracle GRC Intelligence (CxO Dashboards)
- Indicators, Attestations, Alerts
- Visibility to enterprise GRC status; role-tailored analysis; flexible ad hoc reporting; data repository

Oracle GRC Manager
- Event & Loss Management; Audit Management; Assessment; Issues & Remediation; Risk and Control Frameworks
- GRC system of record; end-to-end GRC process management; continuous monitoring of access, policies and controls

Oracle GRC Controls
- Access Controls, Configuration Controls, Transaction Controls
- Preventive and detective controls; controls risk monitoring; information security

GRC Technology Enablers (IT Manager)
- Identity Management, Information Security, Records & Digital Rights, Configuration Management
- Enterprise access provisioning; IT configuration management

Source: Oracle Corporation



Oracle GRC POV Discussion Outline

KPMG Overview
What is Governance, Risk and Compliance (GRC)?
- Broad Definition and Supporting Technology
- Oracle GRC Application Suite
Why is Governance, Risk and Compliance (GRC) important?
Oracle GRC and Approach


Sarbanes-Oxley changes the scope and magnitude of the Oracle Implementation Process

Sarbanes-Oxley (SOX) Compliance

- SOX makes appropriate controls and security a business imperative.
- SOX 404 mandates that controls be designed and operating effectively in the year in which system and process changes occur. If not, significant deficiencies or perhaps an adverse audit opinion may result.
- SOX created a greater focus on tax and new tax reporting requirements, e.g. FIN 48.
- Companies are no longer willing to accept the risk.

Before Sarbanes-Oxley, GRC integration would be postponed or ignored, as many companies chose to accept the risk on an interim basis.


Controls Transformation

Objectives
- Drive both a bottom-up and a top-down approach to analyze, evaluate, and design controls at the process level.
- Transformation across the enterprise, eliminating redundant processes, controls and data environments.
- Seamless integration with a challenging organization.

Targeted Benefits
- Centered on migration from a mostly manual, detective control-based paradigm to one of a more automated and preventive nature.
- Tax also adds value in this type of project by identifying complementary tax planning opportunities that may add additional value to the client.

Parallel path project goal: Controls Transformation. Approach, techniques and process lead to sustained value and confidence.

Quadrant (diagram): horizontal axis Manual to Automated, vertical axis Detective to Preventive. Typical company controls sit in the lower left (manual, detective); improved company controls sit in the upper right (automated, preventive).

Many companies still rely primarily on manual controls, which are generally detective in nature (i.e. applied after the transaction). Transformed companies maximize the use of automated controls, substantially reducing the cost of control. Automated controls are frequently preventive controls (i.e. applied during the transaction), which yield better control assurance. The objective is to move from the lower left quadrant to the upper right quadrant.

Pain Points addressed by GRC: Additional critical aspects supporting the need to integrate stronger controls in an ERP Implementation

1. Eliminate Redundancy and Reduce Cost
Process-driven ERP systems require controls to be applied throughout business processes. Poorly designed controls or misplaced controls result in redundancy and higher costs.

2. Manual Controls are Expensive and Inefficient
Existing key controls have deteriorated and are too manual. Organizations are experiencing a high cost of controls and are looking to eliminate manual and redundant controls to reduce costs and improve process efficiency.

3. Retrofitting Controls is Cost Prohibitive
The cost of rework for poor controls is exorbitant and can lead to a complete reimplementation of an ERP system that lacks controls. Improving financial controls in an ERP system requires controls designed and integrated throughout the organization. Given system configuration and employee training redundancies, redesigning controls at the end of an ERP implementation is inefficient, expensive and could result in reportable material weaknesses or deficiencies.


Pain Points addressed by GRC: Additional Benefits of GRC Integration

4. Automated and Preventive Controls
Automation is driving ERP technology integration initiatives and helping to optimize controls within key processes, resulting in improved process efficiency, cost reductions and effective compliance management.

5. Complete and Accurate Financial Information
Organizations have long recognized the value of an efficient control structure and its role in driving complete and accurate financial information. When a new ERP system is implemented, along with the customary process changes, controls (including security) must be revised to support the new business and system functions.

We believe GRC integration is critical and should be addressed and integrated into an ERP implementation.


Key Lessons Learned and Leading Practices

- GRC integration is an area that is often poorly performed by project teams. Appoint a Security and Controls Lead on the project to create and maintain visibility of controls and security requirements throughout the duration of the project.
- Plan for the need to continuously educate the project team and stress the importance of the security and controls aspects of the system throughout the project lifecycle.
- Start early with Security and Controls; it is a lot of work. Involve your security and controls team in the early design stage of the project, and maintain their involvement through the entire project lifecycle.
- Security and Controls is a collaborative process that requires all parties to be engaged early, including Business Process Owners (BPOs), IT and security teams, Internal Audit and your External Auditors.
- A key area that is often overlooked during an ERP implementation is tax. Incorporating the tax perspective into the project can help avoid costly rework and degradation in tax reporting.
- Determining the balance between preventive and detective controls can be challenging. Security, SOD and configuration controls are mostly preventive in nature. Manual controls can be more costly to operate and are generally less reliable than automated controls.
- If correctly configured and managed, your new ERP system will provide numerous opportunities for a highly automated control environment.

Oracle GRC POV Discussion Outline

KPMG Overview
What is Governance, Risk and Compliance (GRC)?
- Broad Definition and Supporting Technology
- Oracle GRC Application Suite
Why is Governance, Risk and Compliance (GRC) important?
Oracle GRC and Approach


Oracle GRC Suite

(Component diagram repeated from the "Oracle GRC Application Solution" slide above: Oracle GRC Intelligence, Oracle GRC Manager, Oracle GRC Controls and the GRC Technology Enablers, with the same bullet content. Source: Oracle Corporation.)



Oracle GRC Controls Access Controls

Control type: Access Controls (Oracle GRC Controls module)

Detective
- Analyze user roles and responsibilities for SOD violations
- Identify and remediate SOD violations
- Monitor activities of users granted access to sensitive areas

Preventive
- Provide compliant user provisioning
- Enforce compensating controls
- What-if SOD risk simulation


Oracle GRC Controls Access Controls

- N access point definitions
- Simple operand combinations: X to Y
- Complex operand combinations: X to Y to Z to N
- Inter-operand hierarchy
- Seeded entitlement-based policies for Oracle (11.5.10 and R12) and PeopleSoft (8.8/9)
- Entitlement: a grouping of access points (similar to Entity Groups)
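The following is an added example, not Oracle GRC Controls code, showing how the access-control concepts on these two slides fit together: access points grouped into entitlements, simple "X to Y" and complex "X to Y to Z" rules defined over those entitlements, a detective baseline run over existing grants, and a preventive what-if simulation before a responsibility is provisioned. The responsibility names, access point names, users and rule set are constructed for the example and are not Oracle seed data.

```python
"""Segregation-of-duties (SOD) analysis over ERP access grants.

Added example, not Oracle GRC Controls code. It models the concepts on the
slide: access points, entitlements (groupings of access points), simple
"X to Y" and complex "X to Y to Z" rules, detective analysis of existing
grants, and preventive what-if simulation before a responsibility is
provisioned. Responsibility names, access point names and the rule set
are constructed for the example and are not Oracle seed data.
"""

# Entitlement -> access points (e.g. form functions) that confer it.  Constructed.
ENTITLEMENTS = {
    "Create Supplier": {"AP_SUPPLIER_ENTRY", "AP_SUPPLIER_SITES"},
    "Enter Invoice":   {"AP_INVOICE_ENTRY", "AP_INVOICE_BATCH"},
    "Pay Invoice":     {"AP_PAYMENT_ENTRY", "AP_PAYMENT_BATCH"},
    "Maintain Bank":   {"CE_BANK_ACCOUNTS"},
}

# A rule lists entitlements that one user must not hold together.
# Two entries = simple "X to Y"; three or more = complex "X to Y to Z to N".
SOD_RULES = {
    "SOD-AP-01": ("Create Supplier", "Pay Invoice"),
    "SOD-AP-02": ("Enter Invoice", "Pay Invoice"),
    "SOD-AP-03": ("Create Supplier", "Enter Invoice", "Pay Invoice"),
    "SOD-CE-01": ("Maintain Bank", "Pay Invoice"),
}

# Responsibility (role) -> access points it grants.  Constructed.
RESPONSIBILITIES = {
    "AP Supplier Maint": {"AP_SUPPLIER_ENTRY", "AP_SUPPLIER_SITES"},
    "AP Invoice Entry":  {"AP_INVOICE_ENTRY"},
    "AP Payments":       {"AP_PAYMENT_ENTRY"},
    "AP Inquiry":        {"AP_INVOICE_INQUIRY"},
    "Cash Mgmt":         {"CE_BANK_ACCOUNTS"},
}


def granting_responsibilities(responsibilities, entitlement):
    """Responsibilities in the set that grant any access point of the entitlement."""
    wanted = ENTITLEMENTS[entitlement]
    return sorted(r for r in responsibilities
                  if RESPONSIBILITIES.get(r, set()) & wanted)


def violations(responsibilities):
    """Detective check: every rule whose entitlements are all reachable.

    Returns {rule_id: {entitlement: [responsibilities granting it]}} so the
    report explains which grants create each conflict, not just that one exists.
    """
    found = {}
    for rule_id, entitlements in SOD_RULES.items():
        paths = {e: granting_responsibilities(responsibilities, e) for e in entitlements}
        if all(paths.values()):
            found[rule_id] = paths
    return found


def analyze_users(user_grants):
    """Baseline analysis over all users: {user: violations} for users with conflicts."""
    report = {}
    for user, responsibilities in user_grants.items():
        hits = violations(responsibilities)
        if hits:
            report[user] = hits
    return report


def simulate_grant(current, new_responsibility):
    """Preventive what-if: rule IDs that adding one responsibility would newly break.

    An empty list means the provisioning request is compliant; otherwise the
    request should be blocked or routed for a compensating control.
    """
    before = set(violations(current))
    after = set(violations(set(current) | {new_responsibility}))
    return sorted(after - before)


# Constructed user population for a baseline run.
USERS = {
    "jdoe":   {"AP Supplier Maint", "AP Payments"},
    "asmith": {"AP Invoice Entry", "AP Inquiry"},
    "bjones": {"AP Supplier Maint", "AP Invoice Entry", "AP Payments"},
}

if __name__ == "__main__":
    for user, hits in analyze_users(USERS).items():
        for rule_id, paths in hits.items():
            print(f"{user}: {rule_id} via {paths}")
    print("what-if asmith + AP Payments:", simulate_grant(USERS["asmith"], "AP Payments"))
```

The entitlement layer is what keeps the rule set small: a rule is written once against "Pay Invoice" rather than against every payment form, and a new payment function is covered by adding it to the entitlement. The what-if check reports only rules that a request would newly break, so a user who already carries an accepted, compensated conflict is not re-flagged for it on every later request.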


Oracle GRC Controls Transactional Controls

Control type: Transaction Controls (Oracle GRC Controls module)

Detective
- Identify transactions violating policy (e.g. un-approved vendor)
- Detect patterns representing aggregate risk (e.g. micro-payments)
- Detect correlation risk (e.g. same user creates and pays vendor)

Preventive
- Validation of transaction data (e.g. valid product code)
- Approvals based on transaction data thresholds


Oracle GRC Controls Transactional Controls

Bad-debt posting flow (diagram; source: Oracle Corporation):
- Financial Clerk enters the bad-debt account. Preventive access control: the clerk is unable to modify account numbers.
- Financial Supervisor posts the bad-debt approval. Preventive policy control: updates above the threshold require manager approval. If the entry is > $25K, it routes to the General Manager (P&L) for approval before posting; otherwise it posts directly. A preventive SOD control keeps entry and posting with different roles.
- Control monitors watch the Bad Debt Ledger and raise exception reports (e.g. "Excessive Debt"), which are escalated to the Controller as a reportable event risk for exception remediation.
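The following is an added example, not Oracle GRC Controls code, serving both the transaction-controls slide and the bad-debt flow above. It runs the detective checks the slide names over a constructed accounts-payable extract (payments to an unapproved vendor, micro-payment splitting, the same user creating and paying a vendor) and the preventive threshold rule from the flow diagram (entries above a limit must carry a manager approval). The records, user names and vendor master are constructed; the $25K threshold comes from the diagram, while the $5K split limit, the 7-day window and the minimum run length are assumptions.

```python
"""Transaction-control monitoring over an accounts-payable ledger extract.

Added example, not Oracle GRC Controls code. It implements the detective
checks named on the slide (payments to an unapproved vendor, micro-payment
splitting, the same user creating and paying a vendor) and the preventive
threshold rule from the bad-debt flow (entries above a limit must carry a
manager approval). The records, user names and vendor master are
constructed; the $25K threshold comes from the flow diagram, while the
$5K split limit and the 7-day window are assumptions.
"""
from collections import defaultdict
from datetime import date, timedelta

APPROVED_VENDORS = {"V100", "V200", "V300"}   # constructed vendor master
APPROVAL_THRESHOLD = 25_000.00               # > $25K needs GM approval (slide)
SPLIT_LIMIT = 5_000.00                       # assumed per-payment approval limit
SPLIT_WINDOW = timedelta(days=7)             # assumed look-back for split detection
SPLIT_MIN_COUNT = 3                          # assumed: 3+ sub-limit payments

# Constructed sample: (txn_id, type, user, vendor, amount, posted, approved_by)
TXNS = [
    ("T1", "VENDOR_CREATE", "jdoe",   "V300",      0.00, date(2008, 6, 2), None),
    ("T2", "PAYMENT",       "jdoe",   "V300",  4_900.00, date(2008, 6, 3), None),
    ("T3", "PAYMENT",       "jdoe",   "V300",  4_950.00, date(2008, 6, 4), None),
    ("T4", "PAYMENT",       "jdoe",   "V300",  4_800.00, date(2008, 6, 5), None),
    ("T5", "PAYMENT",       "asmith", "V100", 12_000.00, date(2008, 6, 5), None),
    ("T6", "BAD_DEBT",      "clerk1", None,   30_000.00, date(2008, 6, 6), None),
    ("T7", "BAD_DEBT",      "clerk1", None,   30_500.00, date(2008, 6, 6), "gm1"),
    ("T8", "PAYMENT",       "asmith", "V999",  1_000.00, date(2008, 6, 7), None),
]


def unapproved_vendor_payments(txns):
    """Policy violation: payments to a vendor not on the approved master."""
    return [t[0] for t in txns if t[1] == "PAYMENT" and t[3] not in APPROVED_VENDORS]


def split_payments(txns):
    """Aggregate-risk pattern: runs of small payments that together exceed the limit.

    Groups sub-limit payments by (user, vendor), orders them by date and looks
    for SPLIT_MIN_COUNT or more inside SPLIT_WINDOW whose total crosses SPLIT_LIMIT.
    Returns [(user, vendor, [txn_ids])], at most one hit per group.
    """
    groups = defaultdict(list)
    for tid, kind, user, vendor, amount, posted, _ in txns:
        if kind == "PAYMENT" and amount < SPLIT_LIMIT:
            groups[(user, vendor)].append((posted, tid, amount))
    hits = []
    for (user, vendor), payments in groups.items():
        payments.sort()
        for i in range(len(payments)):
            run = [p for p in payments[i:] if p[0] - payments[i][0] <= SPLIT_WINDOW]
            if len(run) >= SPLIT_MIN_COUNT and sum(p[2] for p in run) >= SPLIT_LIMIT:
                hits.append((user, vendor, [p[1] for p in run]))
                break
    return hits


def create_and_pay(txns):
    """Correlation risk: the same user both created a vendor and paid it."""
    creators = {(t[2], t[3]) for t in txns if t[1] == "VENDOR_CREATE"}
    paid = defaultdict(list)
    for t in txns:
        if t[1] == "PAYMENT" and (t[2], t[3]) in creators:
            paid[(t[2], t[3])].append(t[0])
    return [(u, v, ids) for (u, v), ids in sorted(paid.items())]


def missing_threshold_approval(txns):
    """Preventive rule from the bad-debt flow: amount > threshold needs an approver."""
    return [t[0] for t in txns if t[4] > APPROVAL_THRESHOLD and t[6] is None]


if __name__ == "__main__":
    print("unapproved vendor:", unapproved_vendor_payments(TXNS))
    print("split payments:", split_payments(TXNS))
    print("create-and-pay:", create_and_pay(TXNS))
    print("missing approval:", missing_threshold_approval(TXNS))
```

Note that the three jdoe payments each pass a single-transaction threshold check; only the aggregate view over the window catches them, and the create-and-pay correlation is what turns a split-payment pattern from an efficiency question into a fraud indicator. In a real deployment the vendor master and approval records would be read from the ERP tables rather than embedded constants.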


Oracle GRC Controls Configurable Controls

Control type: Configuration Controls (Oracle GRC Controls module)

Detective
- Detect and record changes to sensitive setup data
- Compare before and after values for changes
- Monitor for setup inconsistencies across multiple instances

Preventive
- Validate that setups and data updates conform to valid values
- Require conditional approval cycles (e.g., when a threshold is exceeded)
- Enforce data consistency (e.g. force data to upper case)
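The following is an added example, not Oracle GRC Controls code, showing the configuration-control checks above over constructed profile-option snapshots: a before/after diff that records changes to sensitive setups, a cross-instance comparison that flags drift between production and test, and a preventive gate that validates a proposed value, requires an approver when a sensitive option changes, and normalizes a code to upper case. The option names, allowed values and snapshots are assumptions built for the example.

```python
"""Configuration-control checks over ERP setup data.

Added example, not Oracle GRC Controls code. It shows the detective checks
on the slide over constructed profile-option snapshots (record changes to
sensitive setups with before/after values, flag setup inconsistencies
across instances) and the preventive ones (validate a proposed change
against allowed values, require approval when a sensitive option changes,
normalize data such as forcing a code to upper case). The option names,
allowed values and instance snapshots are assumptions built for the example.
"""

# Options whose change must be recorded and must carry an approver.  Assumed.
SENSITIVE = {"Signon Password Length", "AP: Allow Payment Void", "GL: Allow Posting"}

# Validation rules per option; an option with no rule accepts any value.  Assumed.
VALIDATORS = {
    "Signon Password Length": lambda v: v.isdigit() and int(v) >= 8,
    "AP: Allow Payment Void": lambda v: v in {"Yes", "No"},
    "GL: Allow Posting":      lambda v: v in {"Yes", "No"},
    "Default Country Code":   lambda v: len(v) == 2 and v.isalpha(),
}

# Options whose value is normalized before storage (data consistency).
UPPERCASE = {"Default Country Code"}


def normalize(option, value):
    """Preventive consistency rule: force selected values to upper case."""
    return value.upper() if option in UPPERCASE else value


def validate_change(option, old, new, approved_by=None):
    """Preventive gate: returns (accepted, normalized_value, reason)."""
    new = normalize(option, new)
    check = VALIDATORS.get(option)
    if check is not None and not check(new):
        return False, new, f"{option}: value {new!r} is not a valid setting"
    if option in SENSITIVE and new != old and approved_by is None:
        return False, new, f"{option}: change from {old!r} to {new!r} requires approval"
    return True, new, "ok"


def diff_snapshots(before, after):
    """Detective record of every changed, added or removed option with both values."""
    changes = []
    for option in sorted(set(before) | set(after)):
        old, new = before.get(option), after.get(option)
        if old != new:
            changes.append({"option": option, "before": old, "after": new,
                            "sensitive": option in SENSITIVE})
    return changes


def cross_instance_drift(instances):
    """Detective check: options whose value is not identical on every instance."""
    options = set().union(*instances.values())
    drift = {}
    for option in sorted(options):
        values = {name: snap.get(option) for name, snap in instances.items()}
        if len(set(values.values())) > 1:
            drift[option] = values
    return drift


# Constructed snapshots: production before and after a change window, and test.
PROD_BEFORE = {"Signon Password Length": "8", "AP: Allow Payment Void": "No",
               "GL: Allow Posting": "Yes", "Default Country Code": "US"}
PROD_AFTER = {"Signon Password Length": "6", "AP: Allow Payment Void": "No",
              "GL: Allow Posting": "Yes", "Default Country Code": "US",
              "AP: Invoice Match Option": "Receipt"}
TEST = {"Signon Password Length": "8", "AP: Allow Payment Void": "Yes",
        "GL: Allow Posting": "Yes", "Default Country Code": "US"}

if __name__ == "__main__":
    for change in diff_snapshots(PROD_BEFORE, PROD_AFTER):
        print(change)
    print(cross_instance_drift({"PROD": PROD_AFTER, "TEST": TEST}))
    print(validate_change("Signon Password Length", "8", "6"))
```

The diff is the detective record: it would have caught the password-length drop from 8 to 6 after the fact, while the preventive gate rejects that same change up front because it fails validation regardless of who approves it. The cross-instance check is the one that catches a change made in production but never migrated through test, which is the usual symptom of an uncontrolled setup change.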


Oracle GRC Manager

- Single system of record
- End-to-end GRC process management
- Platform independent
- Integrated control management
- Closed-loop issue remediation

Process cycle (diagram): Document, Assess, Analyze, Respond, Certify


Oracle GRC Intelligence

- Pre-built dashboards aggregate information from all sources
- Combine performance and GRC information
- Respond to KRIs and issues
- Produce attestations and disclosures
- Configure to meet your specific needs


Below is a list of typical key activities reflected in a Risk and Controls Framework

Phases: Evaluation; Preparation and Analysis; Design; Build; Test; Sustain

Key activities (table; phase columns not preserved in extraction):
- Project Initiation; Initial Project Planning and Risk Assessment; Risk Strategy Portfolio Analysis; Qualitative Analysis
- Project Kickoff; Project Planning Activities; Project Management Planning Activities and Procedures; Communication Plan
- Establish Project Organizational Structure, Support, Documentation Standards and Stakeholders
- Organizational Alignment; Design Definition Standards; Business Process Flow Standards; Business Process Element Documentation; Configuration Documentation; Data Quality Standards and Documentation
- Security Approach and Standards; Security Role Design; Security Integration
- SOX Compliance
- Project Monitoring; Controls Cutover Strategy; Controls Portfolio monitoring and accountability for activities and responsibilities; Support
- Quality Check with Stakeholders at each phase; Evaluation Checkpoint with Stakeholders


Oracle GRC Accelerators

Oracle GRC Implementation Tools


KPMG's proven risk-oriented tools and controls integration methodologies identify, design, and standardize controls as part of the implementation process.

ERP Control Catalogs
Enable the detailed design of automated controls for financial applications so that less efficient manual controls can be eliminated. Catalogs include testing guidance and procedures to support SOX 404 preparation and compliance.

Controls Portfolio Analysis Model (CPAM)
Helps organizations view and evaluate their controls portfolio. The model assists companies in identifying opportunities to decrease costs, improve process efficiency and evaluate the organization's controls portfolio holistically.

Opportunity Analysis Model (OAM)
Enables organizations to qualitatively assess process improvement opportunities, based on a prioritization framework and a series of questions.

Security / Segregation of Duties (SOD) tools
KPMG uses Oracle GRC for Oracle security development and monitoring, and leverages KPMG's proprietary Segregation of Duties Catalogs and Templates.

System Integration Controls Methods
Primary business systems controls methodology, guidance and supporting tools and templates used by our joint teams in the execution of controls integration.

Advisory Delivery Tool (ADT)
Methodology and documentation tool that facilitates KPMG Advisory services execution, documentation and deliverables on an automated basis.

Tax User Requirements Library
Tax User Requirements Library for each area of tax, in support of KPMG GRC GTS.

Tax Data Elements Library
Tax Data Elements Library for each area of tax.

Accelerators for Tax Provision
Accelerators for Tax Provision process redesign.

Non-proprietary tools
KPMG can also utilize other automated security software and tools to support Oracle GRC implementations.


Presenters' contact details
Philip McGivney, KPMG LLP, (412) 576-7298, pmcgivney@kpmg.com
Jason Lindsley, KPMG LLP, (856) 373-0853, jlindsley@kpmg.com


Appendices


KPMG Advisory Services System Design and Implementation

Phases: Scope and Plan; Detect; Remediate; Mitigate; Continuous Compliance

- Scope and Plan: Perform detailed scoping and planning of the project to identify activities, deliverables, project plan, milestones, and desired outcome(s).
- Detect: Assist in the validation of the compliance tool installation, review of segregation of duties controls, develop a customized set of prevention/detection rules (SOD rules, critical transactions, etc.) in your compliance tool and develop operational compliance and security provisioning processes.
- Remediate: Assist in the review and design of the current security and automated control environment to develop and help execute a strategy to remediate SOD conflicts and other control deficiencies.
- Mitigate: Assist in the design and identification of mitigating controls for SOD conflicts and other control weaknesses deemed necessary, develop and execute a strategy to configure mitigating controls in the compliance tool and recommend a monitoring process.
- Continuous Compliance: Implement governance, control, and reporting processes to maintain continuous compliance.


Scope and Plan Phase

Purpose: This phase covers conducting detailed scoping and planning of the project against the signed LOE and its key deliverables, milestones, and desired outcome(s). It also includes securing and educating team resources (client + KPMG), outlining roles and responsibilities, and formally starting the project.

Key Activities
- Secure project resources and contacts
- Finalize and develop project plan
- Develop project responsibility matrix
- Deliver initial business system security and GRC education
- Hold steering committee project kick-off

Key Deliverables
- Project plan
- Responsibility matrix
- Business application system security and GRC presentation

Key Technology Enablers
- Not applicable for this phase


Detect Phase

Purpose: This phase covers 1) finalizing the rule set to be used for Segregation of Duties (SOD) analysis and performing the baseline analysis, 2) modifying the SOD analysis system configuration settings, and 3) redesigning the access administration and compliance processes.

Key Activities
- Determine to-be roles/responsibilities and processes and procedures for managing SOD conflicts
- Design and build company-specific SOD and Process Control rule sets
- Test SOD and Process Control rule sets for completeness and accuracy
- Transport tested SOD and Process Control rule sets to the production system
- Analyze SOD conflict baseline metrics, if applicable
- Conduct training for end users

Key Deliverables
- Identification of rule set customizations
- Design specification document
- Customized GRC rule files
- Rule set maintenance procedure
- Final custom rule sets
- Updated business processes and procedures
- User guide and training documents
- Management reports and preliminary assessment of the security environment

Key Technology Enablers
- 3rd party controls software for segregation of duties
- 3rd party controls software: process controls functionality


Remediate Phase

Purpose: This phase covers remediating the SOD conflicts via security access and authorization changes in the Business Application system.

Key Activities:
- Identify users in scope and their reporting relationships
- Determine security design approach to remediate SOD conflicts
- Gather user access requirements
- Convert requirements to security design specifications
- Remediate SOD conflicts through building to-be user access
- QA test to-be user access
- Cutover to production system with to-be user access
- Train end-users
- Hold go-live and support users

Key Deliverables:
- Management and team phase kick-off presentations
- User access requirements
- Remediation and security design approach
- Security design specifications
- QA test scripts and test results
- End-user training presentation
- Cutover SOD conflict report
- List of users with SOD conflicts requiring mitigation
- Incident tickets and tracking lists

Key Technology Enablers:
- 3rd Party controls software for Segregation of Duties
- 3rd Party controls software; Process controls functionality
- Business Application System security features


Mitigate Phase

Purpose: This phase covers mitigating the remaining operational risks posed by remaining SOD conflicts. Determining and mapping the proper controls to mitigate these risks, as well as configuring and maintaining the mitigating control records, are performed in this phase.

Key Activities:
- Determine to-be roles/responsibilities and processes and procedures for managing mitigating controls (MC)
- Document remaining SOD conflicts and users requiring mitigation
- Determine if underlying controls are sufficient and operate effectively
- Design and build Mitigating Controls and map to users and SOD conflicts
- Test Mitigating Control records and their associations
- Cutover to production system
- Train end-users
- Deliver final SOD report

Key Deliverables:
- Management and team phase kick-off presentations
- List of users and SOD conflicts targeted for Mitigating Control
- Mitigating Control record mapping to users and SOD conflicts
- List of Mitigating Control monitors and approvers
- New business processes and procedures for managing MCs
- QA test scripts
- End-user training presentation
- Cutover SOD conflict report showing users and risks marked by mitigating controls
- Incident tickets and tracking lists

Key Technology Enablers:
- 3rd Party Controls Software for Segregation of Duties
- 3rd Party Controls Software; Process Controls functionality
- Business Application System Security features


Continuous Compliance Phase

Purpose: This phase covers execution and monitoring of operational processes and policies to help ensure continuous compliance. Knowledge transfer is also performed in this phase between the project team and identified customer stakeholders.

Key Activities:
- Perform additional knowledge transfer as necessary
- Refine and maintain policies and procedures
- Perform periodic review of security and compliance processes and user access
- Update Rule Set as necessary
- Periodically review mitigating control effectiveness
- Update mitigating controls content and markings in SOD tool as required
- Remediate or mitigate SOD conflicts

Key Deliverables:
- Knowledge Transfer Checklist
- Security and Compliance Policies and Procedures signed-off
- Periodic review results appropriately

Key Technology Enablers:
- 3rd Party Controls Software
- Business Application System Security Features
- Business Application System embedded controls
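The Detect, Mitigate and Continuous Compliance phases above all turn on one mechanism: a rule set of conflicting functions evaluated against each user's effective access, with any conflict left after remediation marked by a mitigating control record. The following is an added Python example, not KPMG's methodology or Oracle's GRC code; the rule set, responsibility-to-function model, user assignments and mitigating control records are all constructed and hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SodRule:
    rule_id: str
    functions: frozenset  # a user holding every function in this set is in conflict
    risk: str


# Constructed rule set (hypothetical; not an Oracle or KPMG rule file).
RULE_SET = (
    SodRule("R01", frozenset({"CREATE_VENDOR", "ENTER_AP_INVOICE"}), "Fictitious vendor payment"),
    SodRule("R02", frozenset({"ENTER_AP_INVOICE", "APPROVE_PAYMENT"}), "Unauthorized disbursement"),
    SodRule("R03", frozenset({"MAINTAIN_USERS", "POST_JOURNAL"}), "Self-granted posting access"),
)

# Constructed application security model: responsibility -> functions, user -> responsibilities.
RESP_FUNCTIONS = {
    "AP_CLERK": {"ENTER_AP_INVOICE"},
    "AP_MANAGER": {"APPROVE_PAYMENT"},
    "VENDOR_MAINT": {"CREATE_VENDOR"},
    "SYSADMIN": {"MAINTAIN_USERS"},
    "GL_ACCOUNTANT": {"POST_JOURNAL"},
}
USER_RESPS = {
    "alice": {"AP_CLERK", "VENDOR_MAINT"},  # conflicts on R01
    "bob": {"AP_CLERK", "AP_MANAGER"},      # conflicts on R02
    "carol": {"SYSADMIN"},                  # no conflict
}
# Constructed mitigating control records mapped to (user, rule) pairs (Mitigate phase output).
MITIGATING_CONTROLS = {("alice", "R01"): "MC-07 monthly vendor master review"}


def user_functions(user):
    """Resolve a user's effective functions through every assigned responsibility."""
    return set().union(*(RESP_FUNCTIONS[r] for r in USER_RESPS[user]))


def detect_conflicts():
    """Detect phase: a rule fires for a user when the user's effective functions
    cover all of the functions the rule names. Returns sorted (user, rule_id) pairs."""
    return sorted((u, r.rule_id) for u in USER_RESPS for r in RULE_SET
                  if r.functions <= user_functions(u))


def sod_report(conflicts, controls):
    """Cutover SOD conflict report: each conflict is marked mitigated (with its
    control id) or open; open rows are what the next periodic review must act on."""
    return [{"user": u, "rule": rid,
             "status": "mitigated" if (u, rid) in controls else "open",
             "control": controls.get((u, rid))} for u, rid in conflicts]


def open_conflicts(report):
    """Rows still needing remediation or a mitigating control."""
    return [row for row in report if row["status"] == "open"]
```

Re-running detect_conflicts() after each access change or rule set update is the periodic review the Continuous Compliance phase describes.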
