Philip McGivney
Senior Manager, Pittsburgh, PA; 12+ years experience
Representative Clients: Campbell Soup, HJ Heinz, Estee Lauder, SC Johnson, Shell Chemical, Duquesne Light, Regeneron, Independence Blue Cross
2008 KPMG LLP, a U.S. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. Printed in the U.S.A. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss cooperative. 19045PHL
KPMG Overview
What is Governance, Risk and Compliance (GRC)? Broad Definition and Supporting Technology
Oracle GRC Application Suite
Why is Governance, Risk and Compliance (GRC) important?
Oracle GRC and Approach
KPMG member firms by region:
Americas: Argentina, Brazil, Canada, Central America (KCA), Chile, Colombia, Ecuador, Israel, Mexico, Netherlands Antilles, Peru, US, Uruguay, Venezuela
Central America sub region: Costa Rica, Dominican Republic, Guatemala, Honduras, Nicaragua, Panama
ASPAC: Australia, Cambodia, Hong Kong / China SAR, Indonesia, Japan, Korea, Laos, Malaysia, New Zealand, Philippines, Singapore, Taiwan, Thailand, Vietnam
EMA: Africa, Austria, Belgium, Cyprus, Denmark, Finland, France, Germany, Greece, Iceland, Ireland, Italy, Luxembourg, Morocco, Netherlands, Norway, Portugal, Spain, Sweden, Switzerland, Tunisia, Turkey, UK
CIS sub region: Armenia, Kazakhstan, Russia, Ukraine
Africa sub region: Angola & Mozambique, Botswana, Ghana, Kenya, Tanzania & Uganda, Malawi, Mauritius, Namibia, Nigeria, Sierra Leone, South Africa, Swaziland, Zambia, Zimbabwe
MESA sub region: Afghanistan, Bahrain, Egypt, India, Iran, Iraq, Kuwait, Lebanon, Oman, Pakistan, Qatar, Saudi Arabia, Sri Lanka, Syria, UAE, Yemen
TOG sub region: Anguilla, Bahamas, Bermuda, Caricom, Cayman Islands & BVIs, Channel Islands, Isle of Man, Malta, Turks and Caicos Islands
CEE sub region: Albania, Bulgaria, Croatia & Bosnia, Czech Republic, Estonia, Hungary, Latvia, Lithuania, Macedonia, Poland, Romania & Moldova, Serbia and Montenegro, Slovakia, Slovenia
Governance is the management of strategic directives.
Risk is the effect of uncertainty on business objectives, and risk management is the mechanism to improve performance while minimizing financial losses.
Compliance transcends a focus on laws and regulations to encompass all facets that affect integrity, reputation and brand.
IT enabler: Oracle GRC fully deployed for maximum impact.
Other enablers include change management, performance and value measurement and management, and monitoring mechanisms.
GRC implementation is not about a single role in the organization that is responsible for everything related to governance, risk, and compliance.
GRC works best when multiple roles (e.g., corporate secretary, corporate compliance, enterprise risk, audit, IT, line-of-business, investigations, legal) work together in a common framework, collaboration, and architecture to bring an enterprise view across governance, risk, and compliance activities throughout the organization.
[Figure: GRC framework diagram. Layers: Governance; Risk Assessment across Functional (IT, Finance, Sales, etc.) and Managerial (Line Management) levels; Risk Management (Risk Measurement, Risk Strategy, Risk Monitoring); Company Level Controls (Environmental, Entity, Managerial); Information; Business Activity.]
Oracle GRC Application Solution provides the infrastructure to automate end-to-end GRC processes, including corporate governance and oversight, risk management, and compliance management and reporting.
[Figure: Oracle GRC Application Suite overview. Industry solutions: Retail & Consumer Goods, Financial Services, Utilities & Energy, Communications, Life Sciences. GRC domains: Risk Management, IT Governance, Environmental Health, Corporate Responsibility, Financial Compliance, Event & Loss Management. CxO Dashboards: visibility to enterprise GRC status, role-tailored analysis, flexible ad hoc reporting, data repository. Platform: GRC system of record, end-to-end GRC process management, continuous monitoring of access, policies and controls.]
Sarbanes Oxley changes the scope and magnitude of the Oracle Implementation Process
Compliance:
SOX makes appropriate controls and security a business imperative.
SOX 404 mandates that controls be designed and operating effectively in the year in which system and process changes occur. If not, significant deficiencies or perhaps an adverse audit opinion may result.
SOX created a greater focus on tax and new tax reporting requirements, i.e. FIN 48.
Companies are no longer willing to accept the risk.
Before Sarbanes Oxley, GRC integration would be postponed or ignored, as many companies chose to accept the risk on an interim basis.
Controls Transformation
Objectives:
Drive both a bottom-up and top-down approach to analyze, evaluate, and design controls at the process level.
Drive transformation across the enterprise and eliminate redundant processes, controls and data environments.
Seamless integration with a challenging organization.
Targeted Benefits:
Centered on migration from a mostly manual, detective control-based paradigm to one of a more automated and preventive nature.
Tax also adds value in this type of project by identifying complementary tax planning opportunities that may add additional value to the client.
Parallel path project goal: Controls Transformation
[Figure: quadrant chart with axes Manual to Automated and Detective to Preventative.]
Many companies still rely primarily on manual controls, which are generally detective in nature (i.e. after the transaction). Transformed companies maximize the use of automated controls, substantially reducing the cost of control. Automated controls are frequently detective controls (i.e. during the transaction) which yield better control assurance. The objective is to move from the lower left quadrant to the upper right quadrant.
Pain Points addressed by GRC: additional critical aspects supporting the need to integrate stronger controls in an ERP Implementation
Process-driven ERP systems require controls to be applied throughout business processes. Poorly designed controls or misplaced controls result in redundancy and higher costs.
Existing key controls have deteriorated and are too manual. Organizations are experiencing a high cost of controls and are looking to eliminate manual and redundant controls to reduce costs and improve process efficiency.
The cost of rework for poor controls is exorbitant and can lead to a complete reimplementation of an ERP system that lacks controls.
Improving financial controls in an ERP system requires controls that are designed and integrated throughout the organization. Given system configuration and employee training redundancies, redesigning controls at the end of an ERP implementation is inefficient, expensive and could result in reportable material weaknesses or deficiencies.
Automation is driving ERP technology integration initiatives and helping to optimize controls within key processes, resulting in improved process efficiency, cost reductions and effective compliance management. Organizations have long recognized the value of an efficient control structure and its role in driving complete and accurate financial information. When a new ERP system is implemented, along with the customary process changes, controls (including security) must be revised to support the new business and system functions.
We believe GRC integration is critical and should be addressed and integrated into an ERP implementation.
GRC integration is an area that is often poorly performed by project teams.
Appoint a Security and Controls Lead on the project to create and maintain visibility of controls and security requirements throughout the duration of the project.
Plan for the need to continuously educate the project team and stress the importance of the security and controls aspects of the system throughout the project lifecycle.
Start early with Security and Controls; it is a lot of work. Involve your security and controls team in the early design stage of the project, and maintain their involvement through the entire project lifecycle.
Security and Controls is a collaborative process that requires all parties to be engaged early, including Business Process Owners (BPOs), IT and security teams, Internal Audit and your External Auditors.
A key area that is often overlooked during an ERP implementation is tax. Incorporating the tax perspective into the project can help avoid costly rework and degradation in tax reporting needs.
Determining the balance between preventive and detective controls can be challenging. Security, SOD and configuration controls are mostly preventive in nature. Manual controls can be more costly to operate/perform and are generally less reliable than automated controls.
If correctly configured and managed, your new ERP system will provide numerous opportunities for organizations to have a highly automated control environment.
[Figure: Oracle GRC Application Suite, application-controls view. Industry solutions: Financial Services, Communications, Life Sciences. GRC domains: Risk Management, IT Governance, Environmental Health, Corporate Responsibility, Financial Compliance, Event & Loss Management. CxO Dashboards: visibility to enterprise GRC status, role-tailored analysis, flexible ad hoc reporting, data repository. Platform: GRC system of record, end-to-end GRC process management, continuous monitoring of access, policies, and controls. Application controls: preventive and detective controls, controls risk monitoring, information security, enterprise access provisioning, IT configuration management.]
Preventive (access controls):
Provide compliant user provisioning
Enforce compensating controls
What-if SOD risk simulation
Rule definitions:
N access point definitions
Simple Operand Combinations: X to Y
Complex Operand Combinations: X to Y to Z to N
Inter-Operand hierarchy
Seeded Entitlement-based policies: Oracle (11.5.10 and R12), PeopleSoft (8.8/9)
Entitlement: grouping of access points (similar to Entity Groups)
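The rule structure above (access points grouped into entitlements, simple X-to-Y and complex X-to-Y-to-Z-to-N operand combinations) and the what-if SOD simulation listed under the preventive access controls, worked through in a toy rule engine. This is an added example, not Oracle's rule format or KPMG's code; every entitlement, access point, rule and user in it is constructed sample data.

```python
"""Toy segregation-of-duties (SOD) rule engine.

Added example, not Oracle's rule format or code. It models the rule
structure from the slide: raw access points grouped into entitlements,
simple (X to Y) and complex (X to Y to Z to N) operand combinations, and a
what-if simulation run before access is provisioned. All entitlements,
access points, rules and users below are constructed sample data.
"""
from dataclasses import dataclass

# Entitlement = grouping of access points (constructed names).
ENTITLEMENTS = {
    "Create Supplier": {"AP_SUPPLIER_CREATE", "AP_SUPPLIER_UPDATE"},
    "Enter Invoice": {"AP_INVOICE_ENTRY"},
    "Approve Invoice": {"AP_INVOICE_APPROVE"},
    "Run Payments": {"AP_PAYMENT_RUN"},
}


@dataclass(frozen=True)
class SodRule:
    name: str
    operands: tuple  # entitlement names; 2 = simple X-Y, more = complex X-Y-Z-N
    risk: str


RULES = [
    SodRule("Supplier/Invoice", ("Create Supplier", "Enter Invoice"), "High"),
    SodRule("Invoice/Approve", ("Enter Invoice", "Approve Invoice"), "High"),
    SodRule("Full AP cycle",
            ("Create Supplier", "Enter Invoice", "Run Payments"), "Critical"),
]

# Constructed users with the access points resolved from their roles.
USERS = {
    "jdoe": {"AP_SUPPLIER_CREATE", "AP_INVOICE_ENTRY"},
    "asmith": {"AP_INVOICE_ENTRY", "AP_INVOICE_APPROVE", "AP_PAYMENT_RUN"},
}


def held_points(points, entitlement):
    """Access points of `entitlement` that this access-point set contains."""
    return points & ENTITLEMENTS[entitlement]


def evaluate(points, rules=RULES):
    """Rules violated by an access-point set.

    A rule fires only when the user holds at least one access point from
    every operand; holding X without Y is not a conflict. Returns
    {rule name: (risk, [triggering points per operand])}.
    """
    conflicts = {}
    for rule in rules:
        held = [held_points(points, e) for e in rule.operands]
        if all(held):
            conflicts[rule.name] = (rule.risk, [sorted(h) for h in held])
    return conflicts


def simulate_grant(points, new_entitlement, rules=RULES):
    """What-if check: conflicts a grant would introduce, before provisioning."""
    before = evaluate(points, rules)
    after = evaluate(points | ENTITLEMENTS[new_entitlement], rules)
    return {name: v for name, v in after.items() if name not in before}


if __name__ == "__main__":
    for user, points in USERS.items():
        print(user, evaluate(points))
    # Would granting asmith "Create Supplier" close the full AP cycle? Yes.
    print("what-if asmith + Create Supplier:",
          simulate_grant(USERS["asmith"], "Create Supplier"))
```

The what-if check is the preventive step: it is run against the request before the role is assigned, so the complex three-operand rule fires on the proposed access rather than on a conflict discovered after the fact.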
Preventive (transaction controls):
Validation of transaction data (e.g. valid product code)
Approvals based on transaction data thresholds
[Figure (Source: Oracle Corporation): preventive control flow. A Financial Clerk posts an entry; entries over $25K are routed (No / Yes) to a Financial Supervisor, who must approve before the entry is posted. Preventive SOD and Control Monitors feed Exception Reporting and Exception Remediation. Example flags shown: "Excessive Debt" and "Unable to modify account numbers".]
Preventive (configuration controls):
Validate that setups and data updates conform to valid values
Require conditional approval cycles (e.g., exceed threshold)
Enforce data consistency (e.g. force data to upper case)
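The preventive transaction and configuration controls listed above, together with the $25K supervisor-approval flow in the diagram, implemented end to end for a journal entry. This is an added example, not Oracle's or KPMG's code; the roles, account numbers, product codes and user names are constructed, and only the $25K threshold comes from the slide.

```python
"""Preventive transaction controls for a journal entry.

Added example, not Oracle's code. It wires together the controls named on
the slides: validation of transaction data (valid product code), data
consistency (force upper case), approval when an amount exceeds a
threshold, preventive SOD between the clerk who enters and the supervisor
who approves, and the clerk's inability to modify account numbers. Roles,
codes and users are constructed; the $25K limit is the slide's.
"""
from dataclasses import dataclass
from typing import Optional

APPROVAL_THRESHOLD = 25_000  # entries above this need a Financial Supervisor
VALID_PRODUCT_CODES = {"WIDGET-100", "GADGET-200"}  # constructed valid values
ROLES = {  # constructed user -> role mapping
    "clerk1": "Financial Clerk",
    "clerk2": "Financial Clerk",
    "sup1": "Financial Supervisor",
}


class ControlViolation(Exception):
    """Raised when a preventive control blocks the action."""


@dataclass
class JournalEntry:
    entered_by: str
    account: str
    product_code: str
    amount: float
    approved_by: Optional[str] = None
    status: str = "draft"


def validate(entry: JournalEntry) -> None:
    """Valid-value and consistency checks run before anything is posted."""
    entry.product_code = entry.product_code.strip().upper()  # consistency
    if entry.product_code not in VALID_PRODUCT_CODES:
        raise ControlViolation(f"invalid product code {entry.product_code!r}")
    if not entry.account.isdigit():
        raise ControlViolation(f"invalid account number {entry.account!r}")
    if entry.amount <= 0:
        raise ControlViolation("amount must be positive")


def approve(entry: JournalEntry, approver: str) -> None:
    """Supervisor approval with preventive SOD: no self-approval."""
    if ROLES.get(approver) != "Financial Supervisor":
        raise ControlViolation(f"{approver} may not approve entries")
    if approver == entry.entered_by:
        raise ControlViolation("preparer and approver must differ")
    entry.approved_by = approver


def change_account(entry: JournalEntry, user: str, new_account: str) -> None:
    """Configuration control from the flow: clerks cannot modify account numbers."""
    if ROLES.get(user) == "Financial Clerk":
        raise ControlViolation(f"{user} is unable to modify account numbers")
    entry.account = new_account


def post(entry: JournalEntry) -> str:
    """Post if controls pass; park large entries until a supervisor approves."""
    validate(entry)
    if entry.amount > APPROVAL_THRESHOLD and entry.approved_by is None:
        entry.status = "pending_approval"
    else:
        entry.status = "posted"
    return entry.status


if __name__ == "__main__":
    small = JournalEntry("clerk1", "4100", " widget-100 ", 5_000)
    print(post(small), small.product_code)  # posted WIDGET-100
    big = JournalEntry("clerk1", "4100", "GADGET-200", 30_000)
    print(post(big))                        # pending_approval
    approve(big, "sup1")
    print(post(big))                        # posted
```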
Single system of record
End-to-end GRC process management
Platform independent
Integrated control management
Closed-loop issue remediation
[Figure: GRC process cycle: Document, Assess, Analyze, Respond, Certify.]
Pre-built dashboards aggregate information from all sources
Combine performance and GRC information
Respond to KRIs and issues
Produce attestations and disclosures
Configure to meet your specific needs
Below is a list of typical key activities reflected in a Risk and Controls Framework.
[Table: key activities by phase (Evaluation, Design, Build, Test, Sustain); the column layout did not survive extraction. Recoverable entries: Project Initiation and Planning; Initial Project Planning Activities; Project Management Procedures; Establish Project Standards; Business Process Flow Standards; Security Approach and Standards; Data Quality; Project Kickoff; Quality Check with Stakeholders; Planning and Risk Assessment; Controls Cutover Strategy; Controls Portfolio monitoring and accountability for activities and responsibilities; Support.]
Help organizations to view and evaluate their controls portfolio. The model assists companies in identifying opportunities to decrease costs, improve process efficiency and evaluate the organization's controls portfolio holistically.
Enable the detail design of automated controls for financial applications so that less efficient manual controls can be eliminated. Catalogs include testing guidance & procedures to support SOX 404 preparation & compliance.
Non-proprietary tools
KPMG can also utilize other automated security software and tools to support Oracle GRC implementations
Presenters' contact details
Philip McGivney, KPMG LLP, (412) 576-7298, pmcgivney@kpmg.com
Jason Lindsley, KPMG LLP, (856) 373-0853, jlindsley@kpmg.com
Appendices
Perform detailed scoping and planning of the project to identify activities, deliverables, project plan, milestones, and desired outcome(s).
Assist in the validation of the compliance tool installation, review of segregation of duties controls, develop a customized set of prevention/detection rules (SOD rules, critical transactions, etc.) in your compliance tool and develop operational compliance and security provisioning processes.
Assist in the review and design of the current security and automated control environment to develop and help execute a strategy to remediate SOD conflicts and other control deficiencies.
Assist in the design and identification of mitigating controls for SOD conflicts and other control weaknesses deemed necessary, develop and execute a strategy to configure mitigating controls in the compliance tool and recommend a monitoring process.
Implement governance, control, and reporting processes to maintain continuous compliance.
[Figure: phase diagram; labels Detect and Remediate survived extraction.]
Purpose: This phase covers conducting detailed scoping and planning of the project against the signed LOE and its key deliverables, milestones, and desired outcome(s). It also includes securing and educating team resources (client + KPMG), outlining roles and responsibilities, and formally starting the project.
Key Activities: Secure project resources and contacts; Finalize and develop Project Plan; Develop Project Responsibility Matrix; Deliver initial business system security and GRC education.
Key Deliverables / Key Technology Enablers: (not recoverable from the page)
Detect Phase
Purpose: This phase covers 1) finalizing the rule set to be used for Segregation of Duties (SOD) analysis and performing the baseline analysis, 2) modifying the SOD analysis system configuration settings, and 3) redesigning the access administration and compliance processes.
Key Activities: Test SOD and Process Control Rule Set; Transport tested SOD and Process Control Rule Sets to production system; Analyze SOD conflict baseline metrics, if applicable.
Key Deliverables: Identification of Rule Set customizations; Design specification document; Customized GRC Rule Files; Rule set maintenance procedure; Final custom Rule Sets; Updated business processes and procedures.
Remediate Phase
Purpose: This phase covers remediating the SOD conflicts via security access and authorization changes in the Business Application system.
Key Activities: ...design specifications; Remediate SOD conflicts through building to-be user access.
Key Deliverables: Security design specifications; QA test scripts and test results; End-user training presentation; Cutover SOD conflict report; List of users with SOD conflicts requiring mitigation.
Mitigate Phase
Purpose: This phase covers mitigating the remaining operational risks posed by remaining SOD conflicts. Determining and mapping the proper controls to mitigate these risks, as well as configuring and maintaining the mitigating control records, are performed in this phase.
Key Deliverables: ...kick-off presentations; List of users and SOD conflicts targeted for Mitigating Control; Mitigating Control record mapping to users and SOD conflicts; List of Mitigating Control monitors and approvers; New business processes and procedures for managing MCs; QA test scripts; End-user training presentation; Cutover SOD conflict report showing users and risks marked by mitigating controls; Incident tickets and tracking lists.
Key Technology Enablers: ...for Segregation of Duties; 3rd Party Controls Software; Process Controls functionality; Business Application System Security features.
Purpose: This phase covers execution and monitoring of operational processes and policies to help ensure continuous compliance. Knowledge transfer is also performed in this phase between the project team and identified customer stakeholders.
Key Activities: Refine and maintain policies and compliance processes; Perform periodic review of security and user access; Update Rule Set as necessary; Periodically review mitigating control effectiveness.