Comcast, Integra LifeSciences, LPL Financial, and Smucker's - Doing Your ERP Implementation/Upgrade...

description

The GRC panel “Doing Your ERP Implementation/Upgrade Right with Oracle Advanced Controls Solutions” Session ID: CON8210. Find out how they accelerated and improved their EBS and PeopleSoft implementations, upgrades, module rollouts and patching using Advanced Controls. This is a great opportunity to learn from some of the most experienced Advanced Controls owners around!

Transcript of Comcast, Integra LifeSciences, LPL Financial, and Smucker's - Doing Your ERP Implementation/Upgrade...

Page 1: Comcast, Integra LifeSciences, LPL Financial, and Smucker's - Doing Your ERP Implementation/Upgrade Right with Oracle Advanced Controls Solutions

Doing Your ERP Implementation/Upgrade Right…with Oracle Advanced Controls Solutions Panel Discussion CON8203

William Compton Chief Information Officer, Integra LifeSciences

Patrick Gilroy Director - Financial System, Comcast

Travis Strong Lead Analyst - IS Risk Management, Smucker’s

Gloria Warrens Vice President - Financial Systems, LPL Financial

Moderator: Barry Greenhut, Director, Oracle GRC Product Development

Copyright © 2014, Oracle and/or its affiliates. All rights reserved.

Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Agenda

Introduction

Panel Discussion

There are many kinds of ERP projects

• Adopt ERP for first time

• Expand ERP scope – examples: new module, process, business unit, ledger, account, etc.

• Upgrade ERP

• Patch ERP

ERP Project Issues Encountered

• Unexpected changes to application set ups: 48%

• Disruption to business transactions or workflow: 28%

• Other applications breaking/unable to interoperate: 26%

• Rise in end-user training costs: 26%

• Outdated controls: 21%

• Data damaged/altered: 19%

• Surge in segregation of duties conflicts: 12%

• Data exposed: 9%

• Missed product launches/slower time to market: 7%

• Other: 11%

Source: OAUG Research Line, “Moving to New ERP Environments: 2011 OAUG Governance, Risk, and Compliance Best Practices Survey”

Agenda

Introduction

Panel Discussion

• William Compton Chief Information Officer, Integra LifeSciences

• Patrick Gilroy Director - Financial System, Comcast

• Travis Strong Lead Analyst - IS Risk Management, Smucker’s

• Gloria Warrens Vice President - Financial Systems, LPL Financial

• Moderator: Barry Greenhut, Director, Oracle GRC Product Development

• ASK QUESTIONS ANYTIME!

WEDNESDAY: Oracle GRC Advanced Controls

• 10:00 am – ID # 8207: Stop the Fraudster! Set the Tone at the Top and Prevent Fraud with Oracle Advanced Controls – OLYMPIC ROOM, Westin

• 2:45 pm WEDNESDAY – ID # 8200: Do You Really Know What Your Users Can Do—or Maybe Have Done? – FRANCISCAN I ROOM, Westin

• 10:45 am – IOFM Workshop: How Your Vendor Master File is Critical to GRC and Compliance – ZEUM ROOM 8th FLOOR, Palomar

Presenter: Jon Casher, Ph.D., President, Casher Associates; Leading Industry Expert & Consultant

Length: 90 Minutes

CPE Credits: 1.5

LOCATION: Hotel Palomar, 4th & Market

Contact: Dane Roberts [email protected]

THURSDAY: Oracle GRC Advanced Controls

• 10:15 am – ID # 8208: Achieve a Quicker and Compliant Financial Close with Oracle Governance, Risk, Compliance – OLYMPIC ROOM, Westin

• 12:45 pm – ID # 8154: Controlling for Multiple ERP Systems with Oracle Advanced Controls – OLYMPIC ROOM, Westin

• 2:45 pm – ID # 8213: How Your Vendor Master File is Critical to Governance, Risk Management and Compliance – OLYMPIC ROOM, Westin

LOCATION: Westin, 3rd & Market

MEET EXPERTS & DEMO GROUNDS: Oracle GRC

• 5:00 pm WEDNESDAY – ID # MTE 8487: Meet the Governance, Risk, and Compliance Experts – METROPOLITAN III ROOM

• ID # 4250: Demo Station: Oracle Fusion Governance, Risk, and Compliance Advanced Controls – MONDAY 9:45 – 6:00, TUESDAY 9:45 – 6:00, WEDNESDAY 9:30 – 3:45

LOCATION: Westin, 3rd & Market

LOCATION: Moscone West

DEMOgrounds: Moscone West Station ID WCL-003

Background and Supplemental Information

Background and Supplemental Information: Smucker’s

Agenda

• Introduction

• Historical Perspective

• Smucker R12 Upgrade

• Continuous Improvement

Introduction: The J.M. Smucker Company

• Headquartered in Orrville, Ohio

– $5.6 billion in net sales

– 4,800 employees

– SJM: publicly traded on the NYSE; S&P 500 company

Introduction: Me, Travis Strong

• BS degree in Accounting – The University of Akron

• Internal Audit, IT Audit, Accounting and IS Risk

• Audit background: key business processes, IT general controls, mobile devices, data privacy, application security, application upgrades, and others

• Managed Smucker's implementation of Oracle's Governance, Risk and Compliance (GRC) suite of applications in 2012 and to this day leads the operation of the tool set

• Certified Information Systems Auditor (CISA)

Historical Perspective: Oracle Internal Controls Manager (ICM)

• Used 2005-2012

• Implemented primarily for SOX purposes

• Monitor users with sensitive access (31 controls)

• Annual detective review of access

• Provided part of the picture – not the whole

• Reports were ugly

• Became an unsupported application

Historical Perspective: Oracle GRC Implementation

• Decision to move forward with the GRC suite

• Vision

– Foundational project

– Critical component of the Smucker Enterprise Risk & Security Program

– Turning point in IT controls governance

• Shift from Internal Audit-driven to business-led control

• Shift from manual to automated controls

• Shift from point-in-time to continuous controls

Historical Perspective: Oracle GRC Implementation

• Implemented as R12 upgrade was in planning

• Scope

– Implementation of various controls for R12

• Access controls

• Configuration controls

• Transactions controls

– Replaced 11i ICM with an R12-aligned tool

– Provided new capability for configuration and transaction monitoring

– Strategically scoped to use software to test, validate and remediate as needed Oracle R12 prior to go-live

Shift control environment

• Manual, error-prone → Automated, reliable

• Delayed, detective → Real-time, preventive

• Annual, point-in-time → Near continuous

• Transactional sampling → Near 100% evaluation

• Heavy remediation efforts → Cleaner data, pointed exception handling

• Unpredictable results → Streamlined, predictable operations

• Financial reporting focused → More beneficial, wider focus

• Audit focused → Business-centric

GRC and R12

• Responsibility over R12 security build

– Ensuring teams properly build security; prevent security issues at go-live

– Validate consistency in R12 development environments production

• Implement sensitive access controls

– Monitor environments for sensitive access violations

– Address security issues pre-production

• Monitoring at go-live

– Elevated access privileges at go-live

– Combination of transaction and configuration monitoring

Benefits

• Manual, error-prone → Automated, reliable

• Delayed, detective → Real-time, preventive

• Annual, point-in-time → Near continuous

• Transactional sampling → Near 100% evaluation

• Heavy remediation efforts → Cleaner data, pointed exception handling

• Unpredictable results → Streamlined, predictable operations

• Financial reporting focused → More beneficial, wider focus

• Audit focused → Business-centric

What did we learn?

• Get involved early

• Have a general knowledge of Oracle EBS security

• Know the upgrade timeline

• Know what’s important

• Monitor, detect, remediate

Before go-live!

What’s next?

• Drive business involvement and ownership

• Research and implement PCG

– Advanced controls within business processes

– User access certifications

• Integration with Oracle Identity Manager

• Continue to enhance and mature the process and overall security posture

Thank You!

Background and Supplemental Information: Comcast

Pat Gilroy

• Director, Financial System at Comcast, responsible for the E-Business Suite

• Bachelor of Science degree in Business Administration from Villanova University

• Career experience within Oracle Applications since Release 8 – General Ledger

• Managed numerous Upgrades as an employee and Consultant

• Technical lead for the implementation of Oracle's Governance, Risk and Compliance (GRC) suite of applications at Comcast

• The R12 Re-Implementation Project went live in July, 2014

R12 Re-Implementation Project

• Oracle R12 Re-Implementation Project

• Chart of Accounts re-design

• Security re-design

• Process re-design

• New modules implemented

• Incorporated GRC as part of the R12 project

• New reporting solutions

• Expansion of OBIEE footprint with Analytics

• 350 RICEFW Elements

Comcast – Advanced Controls Story

Multiple enhancements to tailor the Oracle experience

Transaction Analytics to monitor process efficiencies

Snapshots allowing comparison of setups across environments

Change Trackers monitoring critical configurations

100+ Rules to manage security and segregation of duties

Multiple rules to monitor and control GL Activity

• GL Period Status Restriction, remove Permanently Closed status

• Who can enter or post journals?

• Monitor Journal Source changes

• Detect duplicate suppliers

• Identify dormant users

• Prevent user approving their own cycle count

• Notify if approval workflow is changed

• Notify if period is closed with Unposted journals

Background and Supplemental Information: LPL Financial

LPL Financial Member FINRA/SIPC

LPL Financial

Offices in Boston, San Diego and Charlotte

– Approximately $4 billion in revenue

– 3,300 employees

– Publicly traded on the NASDAQ – LPLA

– http://lplfinancial.lpl.com/about_lpl.htm

Hosted by Oracle Managed Cloud Services (OMCS) since 2010

– Oracle EBS R12.1.3 (GL, AP, AR, FA, PA, CE)

– Advanced Controls v 8.6.4 (ACG, CCG, PCG, TCG)

Gloria Warrens, Vice President Finance Systems

– Manages hosted / support relationship with OMCS

– Team provides level 1 support to LPL business users

– LPL lead on Advanced Control upgrade

Project Timeline

Oct-13 – project kick off, application overview, detailed requirements created

Nov-13 – prioritization for in scope rules, development of rules

Dec-13 to Jan-14 – 1st round of testing of rules for PCG & TCG, ACG/TCG upgrade test and production instances

Jan-14 to Feb-14 – 2nd round of PCG & TCG testing, review of access incidents identified from models in ACG

Mar-14 – Go live. ACG, TCG, PCG, CCG training

Remainder of 2014 - continued work on new rules, coordination with Internal Audit

LPL Financial by Module – ACG & CCG

ACG

– Utilized since 2011 for application access approval in Oracle R12

– Used to define, maintain and manage specific SOD policies

– Used to quickly detect and remediate access policy violations

CCG

– Originally utilized for access change tracking reporting. Expanded utilization as a result of this project.

– Monitor key setups for any change, track Who, What, Where and When

– Receive email notification for specific field level changes that matter

LPL Financial by Module – TCG

Continuous monitoring of transactional activity

− Monitor 100% of transactional activity instead of samples of data

− Notification to process owner of at risk transaction activity based on policy

− Transaction reviews and remediation activity are captured and tracked in the application

− Transaction monitors run near real time, covering a more complete set of transactions as compared to sampling methodologies that occur only during the audit review period

Out of the box rules implemented

− Dormant users

− User last login

− New account set up

− Duplicate AP vendors

− Duplicate payments

− Invoices over $ amt.

− Duplicate AR customers

− New / updated AR customers

LPL Financial by Module – PCG

Create systems based controls for existing manual controls

Rules can be a notification or require approval before process can continue

Issues addressed

– Offshore monitoring

– Manual Control

– Replace a detective control

– Remediate a deficiency

LPL Financial by Module – PCG Implemented

Module | Rule Name | Issue Addressed

AR | Invoice Approval | Offshore monitoring & manual control

AR | Cash Receipt Approval | Offshore monitoring & manual control

AR | Adjustment Notification | Manual control

AP | Vendor Set Up/Change | Offshore monitoring & manual control

AP | Invoice Coding Approval | Replaces detective GL control

FA | Asset Addition / Update | Remediate deficiency placed in service date

PA | Task & Phase Exceptions | Replaces detective control in high risk area

PA | PA Calendar Loader | Replaces detective control in high risk area

PA | PA Calendar Validation | Replaces detective control in high risk area

Background and Supplemental Information: Integra LifeSciences

Background - Integra Life Sciences

World leader in medical technology

Founded in 1989, headquartered in Plainsboro, New Jersey

In the US, Integra is a leading provider of surgical instruments to hospitals, surgery centers & alternate care sites

Over 3,300 employees worldwide

Orthopedic solutions for extremity, spine, reconstructive surgery, neurosurgery, reconstructive & general surgery

Oracle EBS R12 Implementation - Overview

Global Oracle E-Business Suite (EBS) Release 12 Implementation/upgrade - started in 2011

Live in 7 locations, planning to complete rollouts by Summer of 2015

The project was nicknamed “Project Delphi” with a unique organization of team members under 7 different tracks, including:

• Product Lifecycle Management

• Market to Customer

• Order to Cash

• Plan to Manufacture

• Procure to Pay

• Hire to Retire

• Record to Report

Project Delphi – Control and Compliance Directives

Strategic Management Direction

1. Global standardization of compliance

2. Endorsement from SOX, Controllers, Compliance & Internal Audit

3. Compliance requirements for sensitive restricted data (HIPAA, GxP, Safe Harbor, SOX)

Required Efficiencies

1. Automation of periodic assessments (External / Internal Auditors)

2. Implement automated management of potential security issues (volume)

3. Extend standardization of controls to future roll-outs, locations, business units & countries

4. Extend native application controls with minimal customization

Project Delphi - Control Design and Optimization Goals

• 70 – 80% Common Global Design: Enterprise Structures, Business Processes, Data Access and Reports

• 20 – 30% Bus Unit / Geo Specific: Legal requirements, local RICEF, unique local processes

• Rapid Integration of new business units: Current and future into this single Common Global Design

• Standardize Security: Optimize design and role assignment

Controls and Security Optimization Roadmap: How to Embed Proper Security and Controls in Our New System?

1. Establish a Baseline

– Security: Define SOD Policies and Framework

– Controls: Maximize Native Application (automated) Configurable Controls in EBS

2. Improve / Optimize

– Security: Design Conflict-free Roles, and Conflict-free User-to-Role assignment

– Controls: Implement Defined Native Application Controls

3. Automate Compliance

– Security: Implement Oracle Application Access Control Governor (AACG)

– Controls: Implement Oracle Preventive Controls Governor (PCG)

Security Optimization - Roadmap: Application Access Control Governor (AACG)

Define SoD and Access Policies

Match Policies to Business Practices

Enable Automated User Provisioning

On-Going Monitoring of SoD in R12

Analyze and Mitigate SoD Conflicts

1. Establish Security Baseline

2. Improve Security Design

3. Automate Security Compliance - AACG

Design Conflict-Free Roles

Create Roles in Oracle R12

Implement processes for SoD Rule Set check

Assign Users to Roles

Control Optimization - Roadmap: Preventive Controls Governor (PCG)

Define Universe of Native Application Configurable Controls

Define Global / Local Controls

Determine additional PCG Business Case (Form / Flow Rules)

Proof of Concept

Track progress and Expand

1. Establish Control Baseline

2. Improve Control Design

3. Automate Control Compliance

Implement updated EBS configuration parameters

Test and deploy Controls in subsequent rollouts

Enable Audit Trails (MDM and Application Controls)

Define Audit Trails to setup in PCG

Optimization Business Benefits

Quick Wins

• Optimized/customized SoD risk framework

• Detailed SoD and Sensitive Access risk reporting

• Reduced testing time on SoD and access controls

• Managed controls (both manual and automated)

• Greater reliance on testing (automated controls typically have a higher ‘pass’ rate)

Mid-Term benefits

• Change Management for Users and/or Roles

• Better controls around Super User Access

• Automated Access Review

• Notification / validation around modification of configuration settings

• Improved reporting

Expected Long Term Benefits

• Streamlined access management

• Automated Provision / de-provision process

• Greater reliance on security certification metrics

• Mitigate Risks with automated controls

• Continuous controls monitoring

Control and Security Optimization - Lessons Learned

One Module at a Time

• Work on quick wins and build on successes to expand

Proper AACG / PCG Configuration

• Delivered rule sets are not one size fits all

• Results are highly dependent on the quality of your rule-sets

Address ‘Root Causes’ around Security Issues

• Address SoD - Role and User Level

• Do not underestimate efforts for remediation

Sponsorship and “buy-in”

• Business Process Owners involvement is essential

• Internal Audit, Controller & Compliance demo

Involvement from GRC end-users

• User testing is critical to ensure requirements have been met

Background and Supplemental Information: Oracle

Oracle GRC Advanced Controls Can Accelerate ERP Projects and Reduce Risk

• Do your ERP projects require design, review or testing of:

– ERP security?

– ERP configuration and behavior?

• If “yes” to either, then Advanced Controls can:

– Accelerate these tasks

– Reduce risks of costly errors

• Advanced Controls also offer:

– Pre- and post-project benefits that surpass the in-project benefits

– Demonstrable ROI

Advanced Controls Solutions

ERP security and configuration/behavior design/review/test

business rules and policies

design quality and change management

During ERP Project

Streamline Security Design/Review/Test

Conflict Analysis

Collaborate with process owners

Evaluate access to identify conflicts

Run what-if simulations

Establish go-live security, compensating policies

Define Access Policies

Remediation (Clean-up)

Deploy

After ERP Go-Live

Immediate Feedback on Security Issues

During ERP Project

Improve Change Management during Project

[Figure: the Payment Terms setup compared across the CRP1, CRP2, UAT and PROD environments; three values read 30 days and one reads 45 days.]

After ERP Go-Live

Ensure Authorized Setup Changes Made

During ERP Project

Embed Automated Rules

INCREASE AUTOMATION AND EMBEDDED RULES

REDUCE MANUAL CONTROLS AND CUSTOMIZATIONS

After ERP Go-Live

Embedded Rules Reduce Operational Risk

Case Study: Information Services, $3.9B annual revenue

• Upgraded to EBS R12.1, adopted Advanced Controls

• Used Advanced Controls to detect existing and potential SOD violations, addressed them during process of provisioning user responsibilities

• Advanced Controls replaced manual SOD process which could no longer keep pace with expanding ERP environment and complexity

• Potential unauthorized and unnecessary access now flagged by Advanced Controls

• Cut internal/external audit costs by detecting & remediating violations with Advanced Controls

“Due to the sensitive nature of the financial information we work with, [we take] data security very seriously. Oracle’s GRC solutions play an important role through the careful management of segregation of duties controls.” – Senior Software Manager

Savings Observed at Our Customers Include…

Annual Time Reductions

• 20% reduction in time spent designing/testing role security

• 75% reduction in time spent testing approval authorizations

• 55% reduction in time spent on SOD testing

Annual Cost Reductions

• 28% reduction in Help Desk, IT resources to provision security/resets

• 40% reduction in internal, external audit costs related to security, SOD

• 80% reduction in configuration change mgmt EBS, PSFT, others

• 60% reduction in consultant fees for customization works EBS
