Convergence of Enterprise Risk Management (ERM) and Continuous Controls Management (CCM)
Transcript of webinar, Mar 22/23: CCM (Continuous Controls Monitoring)
Leverage Technology: Move Your Business Forward™
Risk and Compliance | Financial Reporting | Internal Audit | Controls Catalog | Application Security | Advanced Analytics
A Leader in Risk Based Enterprise Controls Management Solutions
Copyright ©. Fulcrum Information Technology, Inc.
"Give me a lever long enough and a fulcrum on which to place it, and I shall move the world" - Archimedes
Gain Actionable Business Insight with Continuous Controls Monitoring (CCM)
Adil Khan, Managing Director
Mar 23rd, 2017 – 12:00 NYC Time
Mar 22, 2017 – 12:00 London Time
www.fulcrumway.com | Copyright © FulcrumWay
Gain Actionable Business Insight with CCM
Agenda
• Introductions
• Continuous Controls Monitoring
• Access Monitoring
• Transaction Monitoring
• Configuration Monitoring
• Master Data Monitoring
• Case Study
• Q&A
FulcrumWay™ Insight
Global Thought Leadership
Oracle Cloud – London – Feb 1-2 GRC Round Table, London, UK
Educational Webinar – Mar 23rd – Continuous Controls Monitoring
Collaborate 17 – April 2-6 Las Vegas GRC Open House
Oracle Modern Finance Experience – April 11-13 Boston – FEMSA Oracle Risk Cloud Case Study
Educational Webinar – April 20th – Internal Audit Management with Advanced Control Analytics
Oracle Open World – October 1-5 – Moscone West, San Francisco, CA
Gitex – October 8-12 – GRC Round Table, Dubai UAE
Oracle UK Users Group – December – GRC Round Table, Birmingham, UK
Oracle Connect Africa – October – GRC Round Table, South Africa
Proven Expertise
FulcrumWay Client Studies: Successful Track Record
• Government
• Oil and Gas
• Healthcare
• Communications
• Financial Services
• Transportation
• Natural Resources
• Manufacturing
• Retail
• High Tech
• Media/Entertainment
• Life Sciences
Overview: Continuous Controls Monitoring
Continuous controls monitoring (CCM) is a set of technologies to reduce business losses through continuous monitoring and reducing the cost of audits through continuous auditing of the controls in financial and other transactional applications.
Overview: Monitoring prevents unpleasant surprises
Manual Controls: Mostly detective. Invasive, with little direct business benefit. Focus on what's visible.
Automated Controls: Mostly preventive. Continuous, with direct performance benefits. Often inherent in the system.
CCM Benefits
Complete testing coverage …100%
Improved timeliness of testing
Consistent Results
Remediation based on Trends Analysis
Lower Risk with Faster Corrective Actions
Overview: Return on Investment (ROI)
Continuous Controls Monitoring (CCM): Comprehensive Monitoring of Internal Controls
• Provides most effective control baseline
• Minimizes remediation re-work
• Long-term cost is lower
• Leverages existing controls matrix to automate
Annual Controls Audit: Annual audits are reactive, untimely and obsolete
• Less start-up cost
• Little Monitoring of Controls
• Significant Effort through audit period
• Internal resources 5x external audit
[Chart: cost ($) over time for the "Annual" approach and the "CCM" approach; annotation: Higher Level of Detail Testing]
Overview: Return on Investment (ROI)
[Diagram labels: Master Data; Data Accuracy and Permissions; Audit Trail; Application Configuration; Presence and Config. of Controls; Transactions; Working Capital; Financial Governance; Segregation of Duties; Antifraud; PII]
Enterprise Governance Risk and Compliance Maturity Model
Informal:
▪ Adhoc approach
▪ Compliant but at a high cost to business
▪ Manual control
▪ No best practices
Reactive:
▪ Tactical approach
▪ Risks are documented
▪ Manual risk assessment
▪ After the fact reporting
Proactive:
▪ Unified, standardized & strategic approach
▪ Policies are enforced
▪ Automated process
▪ Prevent policy
Optimized:
▪ Control objectives embedded throughout the organization
▪ Analyze and trend
▪ Automated risk mitigation / Predictive risk assessments
Financial Governance
Enterprise Risk Management
Continuous Monitoring
IT Governance
Internal Audit and Compliance Management
SafePaaS
Governance Risk and Compliance (GRC) Management Platform: Functional Overview
[Diagram: platform modules and components]
Modules: MonitorPaaS; ProcessPaaS; RiskPaaS; AccessPaaS; DataProbe Integration Services
Components: Operations Management; Risk Library; KRI Manager; Policy Manager; Financial Close Task Manager; Close Controls Manager; Reconciliation Manager; Audit Manager; Audit Planner; Compliance Manager; Master Data Monitor; Risk Assessments; Transaction Monitor; App Configuration Monitor; Rules Repository; Access Monitor; SOD Policy Monitor; Roles Manager; iAccess Policy based provisioning; Issue Manager; Survey Manager
Solution areas: Enterprise Risk Management; Continuous Controls Monitoring; Financial Governance; Audit and Compliance Automation; IT Governance
User Security: Standard Control
Oracle EBS User
• Password Policy
• User is assigned to the HR Record
• Active/Inactive User
• One or more responsibilities assigned to a User
• A Responsibility has many Menus and Sub-Menus
• Menu has many functions / forms
Continuous Monitoring: Detect and Prevent Access Policy Violations
[Diagram: example users and their access paths]
User: John Doe
Responsibility: Payables Manager, US
Menu: AP_Navigate_GUI12
Submenu: AP_Invoices_Entry
Function: Invoice Batches
User: Mike Jones
Payables Users
Responsibility: Payables Supervisor
Responsibility: Payables User
Menu: UK_AP_Navigate_GUI12
SubMenu: AP_Invoices_Entry
SubMenu: AP_Invoices_GUI12_G
Menu: AX_Payables_User
Responsibility: Payables Supervisor
Responsibility: Payables Manager, US
Responsibility: Payables User
• Prevent SOD/Access Policy Violations by Monitoring User Access Requests
• Detect SOD/Access Policy Violations in ERP Security Model
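An added example, not from the webinar or the FulcrumWay product: a minimal detective and preventive SoD check that walks the user → responsibility → menu → submenu → function hierarchy shown on this slide. The responsibility-to-menu mapping, the `AP_Suppliers_Entry` submenu, the "Supplier Entry" function, the user Jane Roe and the conflict rule are assumptions constructed for illustration.

```python
# Constructed sample data; names not on the slide are assumptions (see lead-in).
USER_RESPONSIBILITIES = {
    "John Doe": ["Payables Manager, US"],
    "Mike Jones": ["Payables Supervisor", "Payables User"],
    "Jane Roe": ["Payables Supervisor"],
}
RESPONSIBILITY_MENU = {
    "Payables Manager, US": "AP_Navigate_GUI12",
    "Payables Supervisor": "UK_AP_Navigate_GUI12",
    "Payables User": "AX_Payables_User",
}
MENU_ENTRIES = {  # menu -> submenus (also keys here) or leaf functions
    "AP_Navigate_GUI12": ["AP_Invoices_Entry", "AP_Suppliers_Entry"],
    "UK_AP_Navigate_GUI12": ["AP_Invoices_Entry"],
    "AX_Payables_User": ["AP_Suppliers_Entry"],
    "AP_Invoices_Entry": ["Invoice Batches"],
    "AP_Suppliers_Entry": ["Supplier Entry"],
}
SOD_RULES = [("Supplier Entry", "Invoice Batches")]  # maintain vendor vs. enter invoice

def functions_of(menu, seen=None):
    """Flatten a menu tree to its functions; `seen` guards against menu cycles."""
    seen = set() if seen is None else seen
    if menu in seen:
        return set()
    seen.add(menu)
    found = set()
    for entry in MENU_ENTRIES.get(menu, []):
        found |= functions_of(entry, seen) if entry in MENU_ENTRIES else {entry}
    return found

def sod_violations(responsibilities):
    """(rule, fix) per broken rule; 'role' = one responsibility grants both, else 'user'."""
    grants = {}  # function -> responsibilities that reach it
    for resp in responsibilities:
        for fn in functions_of(RESPONSIBILITY_MENU[resp]):
            grants.setdefault(fn, set()).add(resp)
    return [((a, b), "role" if grants[a] & grants[b] else "user")
            for a, b in SOD_RULES if a in grants and b in grants]

def detect_all():
    """Detective control: scan the current security model for every user."""
    hits = {u: sod_violations(r) for u, r in USER_RESPONSIBILITIES.items()}
    return {u: v for u, v in hits.items() if v}

def check_request(user, requested):
    """Preventive control: violations a requested responsibility would add."""
    current = USER_RESPONSIBILITIES.get(user, [])
    before = sod_violations(current)
    return [v for v in sod_violations(current + [requested]) if v not in before]
```

The `role` / `user` tag separates conflicts that need a responsibility redesign from those fixed by removing one assignment from the user.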
Continuous Monitoring: Access/SOD Policy Management Approach
[Process diagram]
Steps: Detect SOD/Policy Violations; Analyze Violations; Correct Role Access; Correct User Access; Monitor Violation Incidents
Data: Application Security Model; Application Security Snapshot; Exceptions; Application Test Environment; Application Access Rules; Corrective Actions
Participants: App Control Owners / IS Security; IS Security / Audit / Compliance; Control Owners / IS Security; Application Administrator
Tools: DataProbe ETL; Rules Manager; Access Analytics; Violations Manager; Roles Manager; Action Workflow; Dashboard
Continuous Monitoring: A Risk Based Approach to User Provisioning
[Process diagram]
Steps: User Registration; Request Roles; Test Access Policy; Process Approval Request; Add/Update User; Add/Update Role; Monitor Application Access
Data: Employee/Manager List; Network User List (AD); Active Employee Users; Application Access Rules
Participants: Requesters / Approvers; IS Security / Audit / Compliance; IS Security; Application Administrator
Tools: iAccess; Rules Manager; Workflow; DataProbe ETL; Dashboard
Transaction Controls: Oracle Procure-to-Pay Control Points
[Process diagram]
Process steps: Requisition; Purchase Goods / Services; Receive Goods / Services; Invoice; Issue Payments
Other diagram labels: Business Process Models; Service Oriented Architecture; Corporate Performance Management; Collaboration; Strategic Sourcing & Contract Mgmt; Supplier Collaboration; Spend Categories (Indirect & MRO, Direct Materials, Services); SWIFTNet; Settlement; Payment Processors; Banks
Transaction Controls: Oracle Procure-to-Pay
Controls for Strategic Sourcing & Contract Mgmt:
• Are your vendors compliant with trade regulations? Are the vendors blacklisted?
• Do you have duplicate suppliers?
• Are there inappropriate associations between a vendor and an employee?
• Are there frequent changes to Supplier information?
• Are you missing critical supplier information? Is the information valid?
Transaction Controls: Oracle Procure-to-Pay
Controls for Requisition and Purchase Goods / Services:
• Do you have duplicate Purchase Orders?
• Are there purchases with non-preferred vendors?
• Are there split POs?
• Are POs created on the same day as goods arrive?
Transaction Controls: Oracle Procure-to-Pay
Controls for Receive Goods / Services, Invoice, and Issue Payments:
• Are you making accurate and timely payments?
• Did the person making the payment create or modify the vendor?
• Are there discrepancies in freight charges?
• Are payment term changes reviewed before payment?
• Are there duplicate invoice amounts being processed?
Procure to Pay: Standard Controls
• Requisitions Require PO Approval
• Purchase Orders can only be issued to valid suppliers and goods received at valid sites
• Purchase Orders Require Approval
• Goods and Services are received based on control configurations
• Duplicate Invoice numbers are prevented
• Invoice items are matched with PO and Receiving to ensure 3-Way match
• Payments are released to valid suppliers and Invoices
• Payments Terms are enforced
Continuous Monitoring: Transaction Monitor – Metadata
Continuous Monitoring: Transaction Monitor – Duplicate Invoices
Purchasing Configuration: Purchase Order Approval
Navigation: Purchasing Super User > Setup > Purchasing > Document Types

Payables Configurations: User Invoice Approval Workflow
Navigation: Payable Manager --> Setup --> Options --> Payables Options. Click on Approval Tab.

Payables Configurations: Allow Force Approval
Navigation: Payable Manager --> Setup --> Options --> Payables Options. Click on Approval Tab.

Payables Configurations: AP Invoice Payment Discounts
Navigation: Payables Super User -> Supplier -> Entry. Select Supplier, and then click Invoice Management.

Receiving Configurations: Receiving Tolerance Level
Navigation: Purchasing Super User -> Setup -> Organizations -> Receiving Options

GL Posting Configurations: Payable Invoice Posting to GL
Navigation: Payables Super User -> Setup -> Options -> Payables Options, and then click on Invoice Tab.

Payable Options: Configuration Control - Deploy
Continuous Monitoring: Configuration Control - Results
Procure to Pay: Standard Controls
• Prevent Duplicate Supplier Name and Sites
Continuous Monitoring: Master Data Object
Case Study
Fiscal watchdog ensures tens of billions of dollars in payments are lawful and correct
Our Client
A state government agency responsible for safeguarding financial assets – more than $120 billion of public funds. Helps local governments and nonprofits invest their money with flexibility, security, and confidence.
Challenges
• Replace fragmented legacy system for recovery audit department with a single incident management system
• Replace manual control checklists with an audit analytics system to identify suspicious vouchers submitted for payments by 28+ agencies across the state
• Assign suspension transaction to auditors for final review and approval using a pattern matching system
Solutions
• Transaction Monitoring
Results
• Reduce erroneous payment processing by 5% on millions of payments processed each day by consolidating all vouchers across 28 agencies into a single data hub
• Improve incident investigation process by establishing business rules to assign incidents based upon risk level, investigation type and priority that match the auditor skills and job role
• Provide management visibility and independent oversight to monitor approved and rejected payments
• Eliminate inconsistent and contradictory actions by auditors by providing a structured investigation process based on approved investigation checklists for each type of suspicious transaction
• Optimize recovery audit business process with integration to the ERP system for vendor management and payment processing
Case Study: Risk Mitigation = Standard Controls + CCM
[Diagram with two groups, Standard Controls and Continuous Monitoring]
Diagram labels: User Roles; 3-Way Match; Track Payments; Approval Hierarchies; Track Discounts; Sentiment Analysis; Split Purchase Orders; SoD/Access Policy Violations; Duplicate Payments; Transaction Threshold Amounts; Duplicate Vendors; Monitor Setup Changes; Master Data Audit Trail; Transaction Pattern Analysis; Fuzzy Logic, 'similar values'
Q & A
Sign-up for FREE 14 Days Evaluation: register online to try out SafePaaS