Post on 01-Dec-2014
description
Using Oracle’s GRC Software Suite to automate
and proactively monitor your E-Business Suite
Session 9333
Introduction•Brad Storts, AXIA Consulting (
Brad.Storts@axiaconsulting.net)•Client: a utility company in the Midwest
•Better controls over the Oracle E-business suite•A tool to manage Sox compliance
•Solution: Oracle GRC software suite
Agenda•GRC controls suite
•Preventative Controls Governor (PCG)•Access Controls Governor (ACG)•Transaction Controls Governor (TCG)•Configuration Controls Governor (CCG)
•GRC Manager / Intelligence
Preventative Controls Governor•Tool to control user viewing and changing of E-Business suite
(EBS) data •Application is embedded in your EBS as a custom application
oNo hardware requiredoHigher risk of adversely impacting your key processing
•Three types of rulesoForm rules: interact directly with an EBS java formoFlow rules: fired from a database trigger or a periodic
scheduleoAudit or change control rules: triggered by EBS table
changes
Form / Flow ControlAudit Track changes in values for the 10 segments of the GL accounting flexfieldForm Prevent a receipt against a 2-Way PO line (will exclude purchase orders created before 8/21/2011)Form Prevention when a PO has a distribution line with a General Ledger liability account Form Prevention when a PO has a distribution line to an asset GL account (1010000 to 1219999) but no project and taskForm Force a a 2-Way PO for services to have a price of $1)Flow Notification when a non-stock PO is closed with remaining dollarsFlow Notification to requisitioner when 80% of a services purchase order total is reachedFlow Notification for unabalanced journals posted during month end closingFlow Notification of HR location changesFlow Department or employee group (union / management) quarterly report on changes Form Hide social security number for HR inquiry users Flow Notification of new supervisors to HRFlow Notification on projects where actual costs are approaching budgeted costsFlow Notification on Missed Payment DiscountsFlow PO terms differ from vendor termsFlow Alert AP when max ship on hold is released as more money added to purchase orderFlow AFUDC Flag set incorrectly for ProjectsForm Stop User from matching a Receipt against a PO they created or approvedFlow Notify WAM Help Desk if purchasing category is created or changedForm Provide form validation new employees missing schedule or rotation plan, earning policy, payroll in OTL based on employee categoryAudit Audit report on certain supplier changesFlow Payment terms changed on an invoice from what was on POFlow Notification to requisitioner when non stock item received
Form rule example
Triggering a flow rule
Sql check for flow rule processing
Flow rule notification
Flow rule notificationFlow rule notification
Preventative Controls Governor Lessons Learned•Requires custom.pll updates – form rules only impact java
forms not HTML•Documentation references applcust.txt, ignore (not used in
R12)•Create a browse only PCG responsibility to be able to browse
rules•Cloning environments works, you just need to add additional
steps to be able to migrate rule changes•When migrating rules, you have to recompile triggers and
re-enter periodic rules as well as audit rules•Watch out for triggers based on dates, triggers may not
handle nulls correctly
Access Controls Governor•Evaluates Oracle access and can prevent or monitor policy
violations•Runs on separate hardware using Oracle Data Integrator to
pull information from the EBS about users, responsibilities, menus, and functions
•Incidents are created and tracked to resolution
Access Controls Governor - Benefits• Moved from manual process to automated process to check for
segregation of duties violations• We found responsibilities that needed changed• We found some users with access they didn’t need• A lot of work on the initial setup and cleanup of false positives,
but very little work to maintain after that
You can visualize the paths, from the user through the responsibility through the menus to the functions that cause the segregation of duties conflict.
Entitlements: elements within the EBS that allow a certain function
Create controls that prevent or monitor uses that have segregation of duties conflicts due to their entitlements:
Access Global Conditions: allow you to turn off certain conditions to remove false positives
Access Path Conditions
Access incidents
Access Controls implementation• Lots of initial work to weed out many false positive
oSystem accounts show up with lots of violationsoSome responsibilities do not really allow function
Some screens allow browse onlyReceiving: organizations not defined
oCleanup can also be time consuming to review all the incidents and try to figure out what the proper course of action is
Access Controls Governor lessons learned• Default is to evaluate access based on email note that several
users can share an email address and can cause lots of confusion so you should change to email + user id (our example: IT support staff id’s created from existing users)
• The ability to forecast conflicts is limited: you can see the impact of modifying a responsibility or menu, but you can’t see the potential impact of giving a responsibility to a user (which is much more common in my opinion)
Transaction Controls Governor• Review EBS transactions to highlight potential issues (fraud, bad
data, policy violations, etc.)oReview manual journal entries posted during certain times of
the monthoReview employee expensesoReview duplicate invoices
Easily create a new model
Easily add filters to fine tune results:
Results of transaction model run for journals entered manually over a certain dollar limit:
Employee Expense Accelerator• Free content / software from Oracle• Requirements:
•Run TCG 8.6.3.4000•EBS: iExpense•Deploy some tables and views on your EBS
Sample models included in Employee Expense Accelerator • Employee Claims Per Diem and Meals • Employees misses receipts consistently indicating Fraud• Employees with large number of round dollar amounts close to the
approval limits• Employees split expenses for a large event • Single or multiple employees submit the same receipt more than one
time• Hotel Expenses without other travel related expenses• Employees delinquent frequently• Employee Expenses Spike • Department Expenses Spike
Transaction Controls Governor review• Good for detective controls, not preventive since you are alerted after
the fact• Designed for non IT personnel to be able to use• Note objects have been developed for some EBS subject areas, but
certainly not all (we ended up using PCG often where content was missing for TCG)
Configuration Controls Governor• Application that monitors changes to key setup values• Compare snapshots of setups from one point in time to another, or
between instances
Configuration Controls Governor Examples Purchasing
•Purchasing options•Receiving options
Accounts Payable•Invoice Payment Terms•Invoice Tolerance levels•Payables Controls Options•Payables system setup
Here a user changes the receiving tolerance in EBS
The CCG user receives a notification that a key setup has been modified via email:
The user can log into CCG and see who made the change, when, what the old value was:
CCG Snapshot: easily create a snapshot of your EBS, and then compare to another instance or to another point in time:
CCG Lessons Learned•Another detective control tool, will not prevent entry•Connecting to a data source takes about 1-2 hours, and every
time you refresh an instance you have to reconnect•No good way to clone / refresh from production to test•Snapshots can run for a long time, and consume lots of EBS
resources – and can be tricky to cancel (terminate button doesn’t show up until you kill the process in EBS)
GRC Manager •Tool to document your business processes, risks associated
with those processes, and controls to mitigate those risks•Designed to manage SOX compliance, or any similar
compliance requirements•Completely separate application from EBS•GRC Intelligence is the reporting solution, using Oracle
Business Intelligence to extract data from GRC Manager
Control Testing
Can create and manage simple surveys:
Can track issues:
GRCI: OBIEE tool to analyze data
GRC Manager and GRC Intelligence• We implemented GRCM 7.8 and GRCI 2.0, there is a new GRC
Manager (“Fusion Edition”) which you would want to review – there is no upgrade path for GRCM 7.8
• GRCM 7.8 is built on Stellent Content Management, GRCI 2.0 is built on OBIEE – a steep learning curve if your organization doesn’t already use these