Governance, Risk und Compliance Application Suite
Klaus Niemann, Principal Sales Consultant NOG & CH Financials & Projects
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
AGENDA
• Challenges
• Positioning of the GRC Application Suite
• Oracle GRC Application Suite
• Summary
THE BURDEN of “Compliance”
Erosion of Public Trust, Call for Greater Transparency
[Chart: public trust in 2002, at the peak of corporate scandal, compared with public trust in 2006; values shown: 36% and 28%. Source: McKinsey, 2007]
Increasing Number & Complexity of Regulations
• Sarbanes-Oxley Act
• Fair Credit Reporting Act
• Family Education Rights
• Privacy Protection Act
• Federal Rules of Civil Procedure
• Title 21 CFR Part 11
• Computer Fraud & Abuse Act
• Health Insurance Portability & Accountability Act
• Children’s Online Privacy Protection Act
• Gramm-Leach-Bliley Act
• Patriot Act
• Domestic Security Enhancement Act
• … and many more
Unabated Spending on Compliance
[Chart: Technology $9.8B, Services $7.3B, Headcount $12.6B. Source: AMR Research, Feb 2007]
High Stakes for Brand and Reputation
[Chart: Brand Value $15B. Source: BusinessWeek, 2007]
THE IMPACT of “Compliance”
Sources: Adapted from Deloitte Consulting, Open Compliance and Ethics Group, and IDC
Challenge: Multiple Requirements, Fragmented Response
[Diagram: Regulation A, Risk B and Standard C are each answered with their own separate set of risks (R1–R3) and controls (C1a–C11a, C1b–C11b, C1c–C11c)]
Challenge: Manual Processes and Controls
Challenge: GRC as an Afterthought, Holding Up the Business
[Diagram: GRC sitting outside the business processes]
OPTIMIZATION through GRC Solutions
Sources: Adapted from Deloitte Consulting, Open Compliance and Ethics Group, and IDC
Solution: Consolidate
[Diagram: Regulation A, Risk B and Standard C mapped onto one shared set of risks (R1–R3) and controls (C1–C11) through a common policy and risk library]
Solution: Automate
Solution: Embed
[Diagram: GRC embedded in the business process as a cycle: Process, Policy, Assessment, Detective Control, Preventive Control, Issues, Remediation, Reporting & Diagnostics]
Components of Corporate Oversight
• COSO and Internal Controls
• Ensuring the effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with relevant laws and regulations
• Risk management and monitoring
• Integration of controlling
• Early risk detection system
Oracle Solutions for GRC Requirements
GRC Reporting & Analytics: Reporting, KRI & Alerts, Dashboards
GRC Process Management: Audit Management, Assessment, Issue & Remediation, Event & Loss Mgmt
GRC Application Controls: Transaction Monitoring, SOD & Access, Application Configuration, Custom or Legacy Applications
GRC Infrastructure Controls: Change Mgmt, Digital Rights, Data Security, Identity Mgmt, Records Mgmt
• Purpose-built business solutions for key industries and GRC initiatives
• Best-in-class GRC core solutions to support all mandates and regulations
• Pre-integrated with Oracle applications and technology, supports heterogeneous environments
Example: COSO Internal Control Framework in GRC Manager
[Diagram: Master Libraries (Objectives, Risks, Controls, Tests, Docs) linked to Policy, Process, Event; Cycle, Account, Organization; Transactions; and to Objectives, Risks, Controls, Control Tests and Issues]
Organizational element and its assigned processes / sub-processes
Sub-processes: Cash Disbursement
Risks
Controls
Example: Processes and Assignment
Example: Mixed Approach in the SSC
Reporting / Intelligence
• Reporting (Standard)
  • Predefined “out-of-the-box” reports
  • Grouped by: Project, Audit, Exception, Scheduling, Matrix, Library
  • Reports can be provided in MS Excel, GRC Intelligence and 3rd-party applications
• Analytics / Dashboards / Answers
  • Predefined Dashboards, KPI / KRI, Reports, Analytics
  • Answers (create reports by drag and drop)
Intelligence > Control Issue > Details > Drill Down into GRC Manager
GRC Application Controls Management: Detect and prevent control failure
Detective Controls (Monitor Control Effectiveness):
• Access Controls: What users have done
• Configuration Controls: What’s changed in the process
• Transaction Controls: What are the execution patterns
Preventive Controls (Enforce Policies in Context):
• Access Controls: What users can do
• Configuration Controls: How is the process set up
• Transaction Controls: How users execute processes
Access Controls: Provide fine-grained access control and segregation of duties
Know who has access to do what and ensure that someone isn’t given inappropriate privileges
Stages (detection and prevention): Define Access Controls, Access Analysis, Remediation (Clean-up), Preventive Provisioning, Compensating Policies
• Define SOD conflicts & business rules and policies
• Execute an access analysis engine that understands the application’s detailed access architecture
• Remediation and analysis via pre-packaged reports & what-if simulation
• Real-time enforcement of SOD controls during user provisioning
• Handle exceptions with compensating process & transaction analysis policies
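The detective and preventive halves of the access-control slide, as an added worked example (not Oracle code and not part of the original deck): roles are expanded into the functions they grant, SOD rules are pairs of functions one person must not hold together, a detective pass reports every user whose current roles violate a rule, and a what-if check at provisioning time rejects a role request that would introduce a new conflict. Compensating-control exceptions suppress a known, accepted conflict. All role names, functions, users and rules are constructed sample data.

```python
"""Segregation-of-duties access analysis: detective pass over existing
assignments plus a preventive what-if check for provisioning.

Added illustration, not Oracle code. Every role, function, user and SOD
rule below is constructed sample data."""
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed: the "detailed access architecture", i.e. what each role lets a user do.
ROLE_FUNCTIONS: Dict[str, Set[str]] = {
    "AP_CLERK":      {"CREATE_SUPPLIER", "ENTER_INVOICE"},
    "AP_MANAGER":    {"APPROVE_INVOICE", "RELEASE_PAYMENT"},
    "BUYER":         {"CREATE_PO"},
    "RECEIVER":      {"RECEIVE_GOODS"},
    "GL_ACCOUNTANT": {"POST_JOURNAL"},
}

# Constructed SOD rules: pairs of functions no single person should hold together.
SOD_RULES: Dict[str, FrozenSet[str]] = {
    "SOD-01 supplier setup vs. payment": frozenset({"CREATE_SUPPLIER", "RELEASE_PAYMENT"}),
    "SOD-02 enter vs. approve invoice":  frozenset({"ENTER_INVOICE", "APPROVE_INVOICE"}),
    "SOD-03 order vs. receive":          frozenset({"CREATE_PO", "RECEIVE_GOODS"}),
}

# Constructed: current user-to-role assignments.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"AP_CLERK"},
    "bob":   {"AP_CLERK", "AP_MANAGER"},
    "carol": {"BUYER", "RECEIVER"},
}

# Constructed: accepted conflicts covered by a compensating control
# (e.g. carol's order/receive overlap is reviewed by a monthly three-way-match check).
COMPENSATED: Set[Tuple[str, str]] = {("carol", "SOD-03 order vs. receive")}


def functions_for(roles: Set[str]) -> Set[str]:
    """Expand a set of roles into the union of functions they grant."""
    return set().union(*(ROLE_FUNCTIONS.get(r, set()) for r in roles))


def conflicts(user: str, roles: Set[str]) -> List[str]:
    """SOD rules violated by this role set, excluding the user's compensated exceptions."""
    held = functions_for(roles)
    return sorted(rule for rule, pair in SOD_RULES.items()
                  if pair <= held and (user, rule) not in COMPENSATED)


def access_analysis() -> Dict[str, List[str]]:
    """Detective pass: every user with at least one open conflict and the rules hit."""
    return {u: c for u, roles in USER_ROLES.items() if (c := conflicts(u, roles))}


def what_if_provision(user: str, new_role: str) -> Tuple[bool, List[str]]:
    """Preventive check at provisioning time.

    Returns (allowed, newly_introduced_conflicts). Conflicts the user already
    has are not counted again, so the request is judged on what it adds."""
    current = USER_ROLES.get(user, set())
    before = set(conflicts(user, current))
    introduced = [r for r in conflicts(user, current | {new_role}) if r not in before]
    return (not introduced, introduced)


if __name__ == "__main__":
    for user, hits in access_analysis().items():
        print(f"{user}: {', '.join(hits)}")
    print("alice + AP_MANAGER:", what_if_provision("alice", "AP_MANAGER"))
    print("alice + BUYER:", what_if_provision("alice", "BUYER"))
```

Running the analysis flags bob (he can both create suppliers and release payments, and both enter and approve invoices) while carol's order/receive overlap is suppressed by her compensating control; the what-if check refuses to add AP_MANAGER to alice because it would create two new conflicts, but lets BUYER through.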
DRAG & DROP: Cross-platform “Policy” Definition
Policies can be created by drag and drop, using access points from various business platforms, applications and data sources.
SETUP Migration Support
[Diagram: today, setups are entered by hand in each database (DEV, TEST, QA, CRP and PROD), a duplicated effort; with setup migration, setups are entered once and migrated automatically between databases]
An automated solution for a manual activity that all Oracle Apps customers are doing.
Benefits:
• Save Time
• Reduce Manual Effort
• Avoid Error
Configuration Controls: Detect and prevent configuration control failure
Ensure that critical setups conform to best practices and follow robust change management procedures
Stages (detection and prevention): Define Configuration Controls, Monitor Configuration Changes, Document or Compare Configurations, Enforce Change Control, Manage Data Integrity
• Define best-practice policies & operating rules
• Record changes to sensitive setup data; compare before and after values for changes
• Monitor for setup inconsistencies across multiple instances
• Require conditional approval cycles (e.g., when a threshold is exceeded)
• Validate that setups and data updates conform to valid values
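The five bullets above, as an added worked example that is not Oracle code and not from the deck: two snapshots of an instance's setup values are diffed to record before/after changes, changes to a constructed list of sensitive keys are singled out, two instances are compared for drift, values are validated against an allowed set, and a raise of the auto-approval limit above a threshold is routed to a conditional approval cycle. Setup keys, values, the sensitive-key list and the threshold are all constructed.

```python
"""Configuration controls: record setup changes, compare instances, validate
values and require approval above a threshold.

Added illustration, not Oracle code. All setup keys, values and policy
parameters are constructed sample data."""
from typing import Dict, List, Optional, Tuple

Setup = Dict[str, str]
Change = Tuple[str, str, str]  # (key, old value, new value)

# Constructed policy: sensitive keys, allowed values, and the approval threshold.
SENSITIVE_KEYS = {"AP_AUTO_APPROVE_LIMIT", "GL_ALLOW_PERIOD_REOPEN", "AP_PAY_WITHOUT_PO"}
VALID_VALUES = {"GL_ALLOW_PERIOD_REOPEN": {"N"}, "AP_PAY_WITHOUT_PO": {"N", "Y"}}
APPROVAL_THRESHOLD = 5000.0  # raising AP_AUTO_APPROVE_LIMIT above this needs a second approver

# Constructed snapshots: PROD before and after a change window, and a TEST instance.
PROD_BEFORE: Setup = {"AP_AUTO_APPROVE_LIMIT": "1000", "GL_ALLOW_PERIOD_REOPEN": "N",
                      "AP_PAY_WITHOUT_PO": "N", "UI_THEME": "blue"}
PROD_AFTER: Setup = {"AP_AUTO_APPROVE_LIMIT": "25000", "GL_ALLOW_PERIOD_REOPEN": "Y",
                     "AP_PAY_WITHOUT_PO": "N", "UI_THEME": "green"}
TEST: Setup = {"AP_AUTO_APPROVE_LIMIT": "1000", "GL_ALLOW_PERIOD_REOPEN": "N",
               "AP_PAY_WITHOUT_PO": "Y", "UI_THEME": "blue"}


def record_changes(before: Setup, after: Setup) -> List[Change]:
    """Detective: every changed, added or removed setup value with its before/after pair."""
    keys = set(before) | set(after)
    return sorted((k, before.get(k, "<unset>"), after.get(k, "<unset>"))
                  for k in keys if before.get(k) != after.get(k))


def sensitive_changes(before: Setup, after: Setup) -> List[Change]:
    """Detective: only the changes that touch sensitive setup data."""
    return [c for c in record_changes(before, after) if c[0] in SENSITIVE_KEYS]


def compare_instances(a: Setup, b: Setup) -> List[str]:
    """Detective: keys whose values differ between two instances (setup inconsistency)."""
    return sorted(k for k in set(a) | set(b) if a.get(k) != b.get(k))


def validate(setup: Setup) -> List[str]:
    """Preventive: keys whose value is outside the allowed set (data integrity check)."""
    return sorted(k for k, allowed in VALID_VALUES.items() if setup.get(k) not in allowed)


def _num(value: str) -> Optional[float]:
    try:
        return float(value)
    except ValueError:
        return None


def needs_approval(change: Change) -> bool:
    """Preventive: conditional approval cycle when the auto-approve limit is raised over threshold."""
    key, old, new = change
    if key != "AP_AUTO_APPROVE_LIMIT":
        return False
    old_n, new_n = _num(old), _num(new)
    return new_n is not None and new_n > APPROVAL_THRESHOLD and (old_n is None or new_n > old_n)


if __name__ == "__main__":
    for change in sensitive_changes(PROD_BEFORE, PROD_AFTER):
        flag = " (approval required)" if needs_approval(change) else ""
        print(f"{change[0]}: {change[1]} -> {change[2]}{flag}")
    print("PROD vs TEST drift:", compare_instances(PROD_BEFORE, TEST))
    print("invalid values after change:", validate(PROD_AFTER))
```

Against the constructed snapshots this records three changes, of which two touch sensitive keys; the limit raise to 25000 is routed for approval, reopening GL periods fails validation, and the comparison shows TEST differs from PROD on AP_PAY_WITHOUT_PO.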
“Data Privacy” and “Data Integrity”: Mask sensitive data, restrict access to actions
Embedded preventive controls restrict access to sensitive data and critical actions proactively, using native EBS interface and workflow technology
[Screen mock-up: Employee Update form showing Name John Doe, Address 123 Main St, Center City, NY 12345, Salary $ 53,000.00, SSN XXX-XX-XXXXX, Supervisor Mary Smith, with OK / Cancel buttons]
• Conceal the SSN if the user is NOT from the HR department
• Employees can only view the salary field (can’t update)
• Disable Invoice Approval for invoices created by the same user
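The three embedded controls on this slide, as an added worked example (not Oracle E-Business Suite code and not part of the deck): a record view is built per user with the SSN concealed outside HR, updates are rejected for fields the user may only view, and invoice approval is refused when the approver is also the creator. The department names, the editable-field rule and the sample employee record are constructed.

```python
"""Embedded preventive controls on a record: field masking by department,
view-only fields, and no self-approval of invoices.

Added illustration, not Oracle EBS code. Departments, rules and the sample
record are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class User:
    name: str
    department: str


# Constructed employee record, as the Employee Update form would hold it.
EMPLOYEE: Dict[str, str] = {
    "name": "John Doe",
    "address": "123 Main St, Center City, NY 12345",
    "salary": "53000.00",
    "ssn": "123-45-6789",
    "supervisor": "Mary Smith",
}


def mask_ssn(ssn: str) -> str:
    """Conceal the whole SSN, keeping only the familiar NNN-NN-NNNN shape."""
    return "XXX-XX-XXXX"


def view_for(user: User, record: Dict[str, str]) -> Dict[str, str]:
    """Rule 1: conceal the SSN unless the viewer is in HR."""
    shown = dict(record)
    if user.department != "HR":
        shown["ssn"] = mask_ssn(record["ssn"])
    return shown


def editable_fields(user: User) -> Set[str]:
    """Rule 2: employees may update their address only; HR may also update salary, SSN, supervisor."""
    hr_only = {"salary", "ssn", "supervisor"}
    return {"address"} | (hr_only if user.department == "HR" else set())


def apply_update(user: User, record: Dict[str, str],
                 changes: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Apply an update only if every changed field is editable for this user.

    Returns (resulting record, rejected field names). A rejected update leaves
    the record untouched rather than applying the permitted part silently."""
    rejected = sorted(set(changes) - editable_fields(user))
    if rejected:
        return record, rejected
    updated = dict(record)
    updated.update(changes)
    return updated, []


def can_approve_invoice(user: User, invoice: Dict[str, str], approvers: Set[str]) -> bool:
    """Rule 3: approval requires the approver role and is disabled for the invoice's own creator."""
    return user.name in approvers and invoice["created_by"] != user.name


if __name__ == "__main__":
    pat, hr1 = User("pat", "Finance"), User("hr1", "HR")
    print("finance view:", view_for(pat, EMPLOYEE)["ssn"])
    print("HR view:", view_for(hr1, EMPLOYEE)["ssn"])
    print("pat raises own salary:", apply_update(pat, EMPLOYEE, {"salary": "99000.00"})[1])
    inv = {"id": "INV-9", "created_by": "bob"}
    print("bob approves own invoice:", can_approve_invoice(User("bob", "Finance"), inv, {"bob", "mary"}))
```

The update path refuses the whole change set when any field is not editable, so a mixed update (address plus salary) from a non-HR user is rejected as a unit instead of being partially applied.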
MONITORING: Who? When? What? Where?
Transaction Controls: Detect and prevent erroneous and fraudulent transactions
Monitor transactions to detect business policy violations or unacceptable levels of risk or inefficiency
Stages (detection and prevention): Define Transaction Controls, Perform Transaction Analysis, Review and Address Suspects, Preventive Transaction Control
• Identify transactions violating policy (e.g. unapproved vendor)
• Detect patterns representing aggregate risk (e.g. micro-payments)
• Initiate a review / approval cycle based on automated policies
• Approvals based on transaction data thresholds
Transaction Controls: Wide range of predefined controls that notify when violations occur
[Diagram: POLICY, MONITORING, DECISION-MAKING: a Business Process feeds data to a Control Monitor drawn from a Library of Transaction Monitors; when a control violation is detected, a Case Manager is used to investigate & approve]
• Integrated library of transaction monitors provides characterization and procedures for handling suspects
• Continuous monitoring identifies suspects
• Seamless approval workflow facilitates decision-making
Categorized into three functional groups:
• Operational controls (basic transactions)
• Risk management controls (cash, credit, asset)
• Reportable event controls (any material event that impacts financial health)
Comprehensive Transaction “Monitoring”: Detect patterns of heightened risk in business activity
Controls can be categorized from a business & financial view:
• Purchasing controls: PO over a given threshold
• Inventory controls: PPV rises above a given threshold
• Revenue Recognition controls: Invoice or sales amount over a given threshold
• Accounts Receivable controls: Fluctuation of the DSO
• General Computer controls
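The three transaction-control slides above, as one added worked example (not Oracle's monitor library and not part of the deck): a small library of monitors is run over a batch of constructed purchase orders and invoices, each monitor returning suspects for the case manager, and a preventive check routes a transaction into a review cycle before it proceeds. It covers the three kinds of control named on the slides: a policy violation (unapproved vendor), a threshold (PO over a limit) and an aggregate pattern (several micro-payments from one user to one vendor). Vendor list, thresholds and transactions are constructed.

```python
"""Transaction monitoring: a library of monitors run continuously over a batch
of transactions, producing suspects for case review, plus a preventive
approval-routing check.

Added illustration, not Oracle's library. Vendors, thresholds and all
transactions are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Txn:
    id: str
    kind: str          # "PO" or "INVOICE"
    vendor: str
    amount: float
    created_by: str


# Constructed policy parameters.
APPROVED_VENDORS = {"ACME", "GLOBEX"}
PO_THRESHOLD = 10000.0   # purchasing control: POs above this are suspects
MICRO_LIMIT = 100.0      # invoices below this count as micro-payments
MICRO_COUNT = 3          # this many to one vendor from one user is an aggregate-risk pattern

# Constructed batch of transactions for one monitoring run.
TXNS: List[Txn] = [
    Txn("PO-1", "PO", "ACME", 12500.0, "alice"),
    Txn("PO-2", "PO", "GLOBEX", 800.0, "alice"),
    Txn("INV-1", "INVOICE", "INITECH", 4200.0, "bob"),   # vendor not on the approved list
    Txn("INV-2", "INVOICE", "GLOBEX", 45.0, "bob"),
    Txn("INV-3", "INVOICE", "GLOBEX", 60.0, "bob"),
    Txn("INV-4", "INVOICE", "GLOBEX", 70.0, "bob"),
]

Monitor = Callable[[List[Txn]], List[str]]  # a monitor returns suspect descriptions


def po_over_threshold(txns: List[Txn]) -> List[str]:
    """Purchasing control: single PO above the threshold."""
    return [f"{t.id}: PO {t.amount:.2f} exceeds {PO_THRESHOLD:.2f}"
            for t in txns if t.kind == "PO" and t.amount > PO_THRESHOLD]


def unapproved_vendor(txns: List[Txn]) -> List[str]:
    """Operational control: transaction with a vendor outside the approved list."""
    return [f"{t.id}: vendor {t.vendor} not approved" for t in txns if t.vendor not in APPROVED_VENDORS]


def micro_payment_pattern(txns: List[Txn]) -> List[str]:
    """Risk-management control: aggregate pattern of many small invoices to one vendor from one user."""
    groups: Dict[tuple, List[Txn]] = defaultdict(list)
    for t in txns:
        if t.kind == "INVOICE" and t.amount < MICRO_LIMIT:
            groups[(t.created_by, t.vendor)].append(t)
    return [f"{user}->{vendor}: {len(g)} micro-payments totalling {sum(x.amount for x in g):.2f}"
            for (user, vendor), g in sorted(groups.items()) if len(g) >= MICRO_COUNT]


# The "library of transaction monitors": name -> monitor function.
LIBRARY: Dict[str, Monitor] = {
    "Purchasing: PO over threshold": po_over_threshold,
    "Operational: unapproved vendor": unapproved_vendor,
    "Risk: micro-payment pattern": micro_payment_pattern,
}


def run_monitors(txns: List[Txn]) -> Dict[str, List[str]]:
    """One continuous-monitoring pass: monitors that fired, with their suspects for the case manager."""
    return {name: hits for name, monitor in LIBRARY.items() if (hits := monitor(txns))}


def requires_review(t: Txn) -> bool:
    """Preventive control: route the transaction to an approval cycle before it proceeds."""
    return t.vendor not in APPROVED_VENDORS or (t.kind == "PO" and t.amount > PO_THRESHOLD)


if __name__ == "__main__":
    for name, suspects in run_monitors(TXNS).items():
        print(name)
        for s in suspects:
            print("  ", s)
    print("needs approval:", [t.id for t in TXNS if requires_review(t)])
```

The micro-payment monitor is the aggregate case the slide calls out: no single INV-2..INV-4 trips a threshold, but grouping by creator and vendor surfaces the pattern, which is why a detective monitor over the whole batch complements the per-transaction preventive check.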
COMPLIANCE Implementation with Oracle
[Chart: maturity rising over time through four stages: Informal, Reactive, Proactive, Optimized]
Informal:
• Ad hoc approach
• Compliant, but at a high cost to the business
• Manual control
• No best practices
Reactive:
• Tactical approach
• Risks are documented
• Manual risk assessment and reporting
• After-the-fact reporting
Proactive:
• Unified, standardized & strategic approach
• Policies are enforced
• Automated processes
• Prevent policy violations
Optimized:
• GRC objectives embedded throughout the organization
• Analyze and trend
• Automated risk mitigation / predictive risk assessments
Oracle GRC provides solutions for each of these stages based on your objectives and helps you mature to the next.
• GRC Application Controls
• GRC Manager
• GRC Intelligence
• GRC Infrastructure Controls
For More Information
http://www.oracle.com/grc