Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal 1
The following is intended to outline our general product
direction. It is intended for information purposes only,
and may not be incorporated into any contract.
It is not a commitment to deliver any material, code, or
functionality, and should not be relied upon in making
purchasing decisions. The development, release, and
timing of any features or functionality described for
Oracle’s products remains at the sole discretion of
Oracle.
@OracleAdvCntrls
Post Questions Before, During and After
Optimizing Order-to-Cash (E-Business Suite) with GRC Advanced Controls
Mark Stebelton, CPA, CFE
Director, Product Management – Oracle
Daryl Geryol
SVP, Technology and Operations - Navillus
Program Agenda
Twitter Topic Review – Session Flow
Oracle Advanced Controls Overview - Mark
Implementation Review, Tips and Tricks
Order to Cash Examples
Questions, Demo Pod and Other GRC Sessions
Advanced Controls Market Info and Drivers
Strategic Priorities
Survey of 263 Finance Executives
BETTER CONTROLS AND EFFICIENCIES
Reaching New Heights: The Dividends of Collaboration between Finance and Procurement is published by CFO Publishing LLC, May 2012
Compliance
Understanding Payables Exposure
Audit and Control of Procurement
Business Risk Analysis
Vulnerable Key Processes: Error, Waste, Misuse, Abuse and Fraud
Source: “2011 OAUG Governance, Risk & Compliance Best Practices Survey”, Unisphere Research, Feb 2011
Standard Controls
User Roles, 3-Way Match, Approval Hierarchies, Social Media Policy, E-learning, Ethics Policy
Standard + Advanced Controls
Standard Controls: User Roles, 3-Way Match, Approval Hierarchies, Social Media Policy, E-learning, Ethics Policy
Advanced Controls: Sentiment Analysis, Split Purchase Orders, Hide Displays of Sensitive Data, Duplicate Payments, Transaction Threshold Amounts, Duplicate Vendors, Fine-grained User Access, Configuration Snapshots & Audit Trail, Transaction Pattern Analysis, Fuzzy Logic (‘similar values’)
Oracle Advanced Controls Product Slides
GRC Advanced Controls: One Enterprise Foundation
Enterprise Risk & Controls Foundation
Dashboards, Reports and Alerts: Notifications, Worklists, Email, Perspectives, Search
Risk, Controls & Compliance Management: Reviews, Documentation, Assessments, Remediation, Surveys
Continuous Controls & Risk Monitoring: Setups, Access, Master Data, Audit Tests, Transactions
User Authored Controls, Data Connectors, Fraud & Error Patterns
Role Based Access Security
Web Services & APIs
Custom or Legacy Applications
Comprehensive Enterprise Risk Management
Financial Governance
Continuous Controls Monitoring
Flexible • Business User Authoring
• Access, Transactions, Setups
• Extensible to Other Platforms
Data Driven (Big Data)
100% of Transactions
Manage by Exception
Optimize Processes
Application Access Controls Governor (AACG)
• Complete user and entire path analysis
• Removal of false-positives
• Library of pre-built automated SOD controls for EBS and PSFT
• Author new controls, extend to any business application
Advanced SOD and Security
Compensating Policies
Preventive Provisioning
Remediation (Clean-up)
Access Analysis
Define Access Controls
Detection Prevention
Enterprise Transaction Controls Governor (TCG) Advanced Transaction Analysis
• 100% Audit
• Continuously monitor accuracy of transactions and mitigate exposure to fraud
• Test against thresholds
• Search for anomalies
• Focus on Exceptions
Pre-delivered Transaction Controls → Suspect Transactions → Review and Address Suspects
Detection / Prevention
Define Transaction Controls, Perform Transaction Analysis, Identify & Review Suspects, Preventive Transactions Controls
Configuration Controls Governor (CCG) Advanced Configuration Analysis
• Achieve consistent application setup and operating standards across multiple instances
• Track audit trails for changes to key configurations
• Tightly control change management to accelerate development and test time
Detection / Prevention
Define Configuration Controls, Compare Configuration Deployed, Monitor Configuration Changes, Enforce Change Control, Manage Data Integrity
Preventive Controls Governor (PCG)
• Configure advanced controls in Oracle EBS
• Replace Forms customizations for easier support and upgrades
• Change-track critical fields for auditing
• Require approval for changes to critical data
Oracle E-Business Suite In-line Controls: Notification of Changes, Logged Changes to Critical Data, Required Approvals, Blocked Access to Sensitive Data, Mask Sensitive Data
Detection / Prevention
Optimizing Order-to-Cash (E-Business Suite) with Oracle Advanced Controls
AGENDA
Navillus Partners
Presenter Bio
Project Introduction
Accomplishments
Business Case examples
What is Next?
Q & A
NAVILLUS PARTNERS
An international consulting firm headquartered in Boston, MA
An Oracle Gold Level Partner specializing in Oracle Governance, Risk & Compliance & E-Business Suite professional implementation and advisory services
Recognized as the #1 Oracle GRC Partner in 2012
Highly experienced resources with one of the strongest track records for delivery success in North America & Europe.
Oracle Resource(s) have 13+ years dedicated to Oracle Implementations, Security Design, and Project / Program Management
Our team members average more than 8 years of Oracle Advanced Controls Experience
The majority of our team developed core Oracle Advanced Controls Applications
Proprietary accelerated delivery methodology, NAViGATE
Process Driven approach tailored specifically for Advanced Process & Controls and Governance, Risk, and Compliance
‘Design In’ Approach for Oracle e-Business Suite & PeopleSoft implementations and upgrades
Developed and maintain an Advanced Process & Controls Library
Solution set process optimization and control accelerators
GRC & Business Process Controls Library for PCG, CCG, & TCG
Comprehensive extension to Oracle’s out of the box Access Controls Content
PRESENTER BIO
Daryl Geryol
As Partner and Senior Vice President of Technology and Operations for Navillus Partners, Daryl brings more than 15 years of Oracle system integration, GRC leadership and implementation experience across various organizations and industries worldwide.
He has successfully led numerous Oracle GRC related engagements, helping clients achieve a greater level of compliance and security, and automation of complex regulatory requirements including SOX 404, 302, OMB A-123, HIPAA, PCI DSS, PII and SSI.
Daryl is well known for his innovative application of Oracle GRC’s Controls Suite technology in helping clients optimize complex or time consuming business processes across the enterprise.
He is a published author/co-author of such books as, “Shining the Light on the Release 12 World” as well as a presenter on various topics covering Oracle applications, GRC and industry best practices for upgrades, implementation and business process controls automation.
PROJECT INTRODUCTION
Company Information: Fortune 100 Company implementing Oracle R12 covering all business processes
Objectives: Implement Oracle Advanced Controls to address not only regulatory requirements but eliminate customization, address data entry and transaction efficiency and accuracy per corporate policy. Policies dictated the reduced usage of DFFs, support of centralized processes such as Supplier Vendor master and optimization of application functionality. These controls addressed the P2P, O2C and R2R processes with 54 controls moved to production.
Solution: Implement Oracle Advanced Controls and leverage each application throughout the organization.
• Oracle Access Controls manages Segregation of Duties and Sensitive Access reporting
• Oracle Configuration Controls manages key configurations across the numerous environments
• Oracle Preventive Controls supports corporate audit policies and IT analysts. These controls addressed the P2P, O2C and R2R processes with 54 controls in production
ACCESS CONTROLS SUMMARY
Core Financials: 18 controls
• Covering sensitive access functions (cross validation, account setup, Periods, FSGs)
• Focus on major functions (COA, Journal Entry, Posting, FSGs)
• Controls added for Project and Billing functions (expenditures, draft invoices, budgets)
Procure to Pay: 20 controls
• Covering sensitive access functions (approval setup, buyer, terms)
• Focus on major transactions (invoices, payments, purchasing, receipts)
Order to Cash: 25 controls
• Covering sensitive access functions (customer, receivable setups, holds, discounts, pricing)
• Focus on major transactions (Order, shipment, AR Transaction)
IT Controls (System, Security and Administration): 10 controls
• Covering sensitive access functions (User, Responsibility, Menu, Function, Concurrent Managers)
ADVANCED CONTROLS (FOR EBS) PRODUCTION SUMMARY
Core Financials: 11 controls
• Corporate wide push to eliminate descriptive flexfields, personalizations and custom code wherever possible.
• Place audit trails on key value fields.
• Enforce expenditure orgs, data entry standards
Procure to Pay: 18 controls
• Approval and audit of changes to payment terms, use of extension forms to provide reasons for updates and approval history/comments.
• Application of additional form security for data created through 3rd party.
• Enforce expenditure orgs, data entry standards
Order to Cash: 25 controls
• Contract security, disallowing entry or copy of contracts with incorrect characters, required contract field updates based on contract line type, security of contract fields based on client specific criteria.
• Notification of Order lines with revenue past due.
• Credit Memo Approval process
• Order entry controls (order types, freeze lines…)
DEFERRED ENGINEERING BILLING FROM CONTRACTS
Business Problem: Billing was deferred until engineering billing was at 50% or more. At this time the other project items could be billed in full. This was a manual process, which inherently delayed billing and was prone to errors. This simple act of updating a project required contracts and coordination to ensure billing was done correctly.
Solution
Using Advanced Controls, a process flow was created that would assess the deferred billing progress of all items and then remove the deferred billing status, allowing that contract to bill.
Benefits
No human intervention, saving upfront time and the research previously needed when billing was incorrect
No delays in revenue recognition
No customization
Happy users
DEFERRED BILLING PROCESS FLOW
EXAMPLE OF CONTRACT EXCLUSION
Exclude from invoicing
DERIVE ORDER TYPES
Business Problem: It is imperative that the correct order line types are selected during order entry due to complexity in line type mapping to receivables transaction types. The AR transaction types require their own sequence, thus setting up an order incorrectly would result in incorrect receivables and other reconciliation issues.
Solution
Advanced Controls were used to default the correct order line type on orders based on factors such as project code, project line type, customer address and item, removing the possibility of AR interface errors.
Benefits
Removed human errors that were being introduced in order management during order type selection
Improved receivables accuracy and reconciliation
No customization
EXAMPLE MAPPING
DRAFT INVOICES APPROVAL
Business Problem: Invoices require approval prior to actual invoice print. Draft invoices are provided to support this process, but a way was required to manage which lines had been approved from the draft.
Solution
Using both Advanced Controls form and flow rules, order lines were frozen (secured from update), producing a draft invoice and an approval process to remove the freeze and allow final invoicing.
Benefits
Elimination of invoice errors and reversal and resubmission of invoices.
No customization
EXAMPLE OF DRAFT INVOICE LINE FREEZE
WHAT IS NEXT?
Access Controls
• Incorporate single sign on with the GRC application
• Move to a preventive provisioning process
Fraud Analysis
Provide analysis models and controls to monitor for fraud in the following areas:
• Payables: Invoicing (duplication, out of tolerance, aging, terms); Payments (duplication, void/reissue, out of tolerance, aging)
• Receivables: Credit memo analysis, credit holds, customer changes
• General Ledger: Posting irregularities; High risk accounts
Further Optimization
Preventive Controls will continue to be the GO TO development tool onshore and offshore to eliminate custom coding and inflexible customization
Advanced Controls Approach
Fusion Platform with Dashboards, Alerts & Drilldowns
Advanced Controls Approach
Advanced Controls – Embedded Dashboards
• Embedded intelligence provides visibility into multiple control and process areas.
Advanced Controls – Embedded Dashboards
• Move away from silo’d information
• Multiple ERPs monitored from a single application.
Advanced Controls – Business Process Monitoring
• Automatic alerts notify appropriate personnel for action
• Actionable Insight to drive the business forward
Sophisticated Controls Monitoring and Enforcement Engine
Advanced Controls Approach
Access Analysis
Create Conflict Conditions → Remove False Positives
Access Hierarchy Example – Oracle EBS
Role → Responsibility → Menu → Sub-Menu → Function (e.g. Function: Create Invoice, Function: Create Customer)
Other important attributes: Operating Units, Data Groups, Set of Books etc.
Access Points
Interpreting Access Conflicts
User → Role → Permission List → Menu → Panel Component → Page Definition
Finding the Right Path to Resolution: Remove Menu Path Conflicts
Transaction Controls – Author, Deploy, & Monitor
Elevated Productivity – Optimize Process & Empower Users
• Library of pre-defined Advanced Controls (and extensible)
• Ability to build new controls by business owners (no coding)
• 100% Transaction coverage (no more sampling)
Manage Setups
Manage Customers
Manage Order / Invoice
Dispatch Items
Manage Revenue
Manage Receivables
Advanced Controls Business Objects (Example) Sample OTC Semantic Library
Business Objects
• Customer
• Customer Account (Site) Contact
• Customer Account Sites
• Order Management Transaction Type
Business Objects
• Receivable Accounting Rules
• Receivable Activities
• Receivable Aging Buckets
• Receivables Approval Limits
• Receivable Auto-Cash Rule Set
• Receivables Location
• Receivable Receipt Class
• Receivable Receipt Source
Business Objects
• Sales Order
• Sales Order Payment
• Receivables Invoice
Business Objects
• Ship Customer Goods
• Shipping Deliveries
Business Objects
• Receivables Payment Schedule
Business Objects
• Subledger Journal Entry: Accounts Receivable
• Receivables Receipt Batch
Business Logic Filters
String, Integer/Numeric and Date Functions; AND / OR
Advanced Pattern Analysis
• Pattern analysis identifies outlying incidents that may not be apparent
Advanced Control Extensibility
Custom or Legacy Applications
Continuous SOD Controls Monitoring: Pre-built, Extensible, Partner Pre-built
CUSTOMER CARE & BILLING
Oracle Advanced Controls in the Order To Cash Process
Example Order to Cash Controls
Access (SOD): Who Can Perform            | Transaction: What HAS Happened
Create Customer and Create Order         | Created/edited a customer and created/edited an order
Create Customer and Perform Write-Off    | Edited a customer and performed a write-off
Modify Customer and Create Order         | Orders created in a period that exceeded the customer’s credit limit
View an Order and Receive an Order       | Micro-orders for a customer to avoid approvals
Enterprise Risk Graph
Enterprise Risk Graph
SYSTEM: EBS EMEA
USER: JOHN
ROLE: Receivables ADMIN
Path 1: CUSTOMER MENU → CUSTOMER ENTRY SUBMENU → QUICK UPDATE SUBMENU → EDIT CUSTOMER FUNCTION
Path 2: ORDER MGT MENU → ORDER ENTRY SUBMENU → ORDER RELEASE FUNCTION
JOHN CHANGES CUSTOMER SHIPTO FOR ACME AND PROCESSES ORDER FOR ACME
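The access-path analysis and transaction correlation behind the risk graph above, as an added worked example in Python (not Oracle's AACG/TCG code). It walks a constructed EBS-style hierarchy (user → responsibility → menu → sub-menu → function), reports every path by which JOHN reaches both halves of a constructed SOD conflict, checks a constructed transaction log for the case where the conflict was actually exercised on the same customer, and shows the menu-path remediation. The hierarchy, the conflict policy and the log rows are all constructed for this example.

```python
from collections import defaultdict

# Constructed access hierarchy mirroring the slide's risk graph: each node
# lists its children; a name that is not a key is a leaf, i.e. a function.
ACCESS = {
    "JOHN": ["Receivables Admin"],
    "Receivables Admin": ["Customer Menu", "Order Mgt Menu"],
    "Customer Menu": ["Customer Entry Submenu"],
    "Customer Entry Submenu": ["Quick Update Submenu"],
    "Quick Update Submenu": ["Edit Customer"],
    "Order Mgt Menu": ["Order Entry Submenu"],
    "Order Entry Submenu": ["Order Release"],
}

# Constructed SOD policy: function pairs one person should not hold together.
CONFLICTS = [("Edit Customer", "Order Release")]

def paths_to_functions(access, user):
    """Return {function: [full path, ...]} for every path the user can take."""
    found = defaultdict(list)

    def walk(node, path):
        if node not in access:          # leaf: a function (access point)
            found[node].append(path)
            return
        for child in access[node]:
            walk(child, path + [child])

    walk(user, [user])
    return found

def find_conflicts(access, user, conflicts):
    """Return (fn_a, fn_b, paths_a, paths_b) for each conflict the user can reach."""
    reach = paths_to_functions(access, user)
    return [(a, b, reach[a], reach[b]) for a, b in conflicts
            if a in reach and b in reach]

def exercised_conflicts(log, conflicts):
    """Detective side: rows are (user, function, customer). Return
    (user, customer, fn_a, fn_b) where one user did both halves of a
    conflict on the same customer, i.e. the risk was actually realised."""
    done = defaultdict(set)
    for user, fn, customer in log:
        done[(user, customer)].add(fn)
    return sorted((u, c, a, b) for (u, c), fns in done.items()
                  for a, b in conflicts if a in fns and b in fns)

def remove_menu_path(access, parent, child):
    """Remediation: copy the hierarchy with one menu-path edge removed."""
    return {k: [c for c in v if not (k == parent and c == child)]
            for k, v in access.items()}

# Constructed transaction log: (user, function, customer)
LOG = [
    ("JOHN", "Edit Customer", "ACME"),   # changed ACME's ship-to
    ("JOHN", "Order Release", "ACME"),   # then released ACME's order
    ("MARY", "Order Release", "ACME"),
]

if __name__ == "__main__":
    for a, b, pa, pb in find_conflicts(ACCESS, "JOHN", CONFLICTS):
        print("JOHN reaches", a, "via", " > ".join(pa[0]))
        print("JOHN reaches", b, "via", " > ".join(pb[0]))
    print("exercised:", exercised_conflicts(LOG, CONFLICTS))
    fixed = remove_menu_path(ACCESS, "Quick Update Submenu", "Edit Customer")
    print("after remediation:", find_conflicts(fixed, "JOHN", CONFLICTS))
```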
Cut Order to Cash Inefficiency & Risk
• Determine if product master data is accurate
• Find & remediate users with privileges to enter & modify master data
• Add data entry rules to validate sales order ship-to destination against localized product configuration
• Find sales order transaction exceptions
• Find revenue and COGS mismatches
• Validate customer invoice aging, thresholds
Wrapup Questions of O2C Optimization
What is YOUR organization’s overall risk exposure in the O2C process?
– Ex. Duplicate customers exist to get around single customer credit limits, thus exposing the organization to material bad debts.
Who in YOUR organization can create at-risk transactions?
– SOD: Create/Modify a Customer and a Sales Order
Who in YOUR organization has already created at-risk transactions?
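The duplicate-customer exposure raised in the first question above, as an added example in Python (not Oracle TCG's fuzzy-matching engine). It applies the "fuzzy logic, similar values" idea from the earlier slides: normalise customer names and addresses, group near-duplicate records, and flag groups whose combined open orders exceed any single record's credit limit, which a per-customer limit check would never see. The customer records, orders and the 0.85 similarity threshold are constructed.

```python
import re
from difflib import SequenceMatcher

def normalise(text):
    """Lower-case, drop punctuation and common legal/noise words so that
    'ACME Corp' and 'Acme Corporation' compare as the same value."""
    t = re.sub(r"[^a-z0-9 ]", " ", text.lower())
    t = re.sub(r"\b(inc|incorporated|llc|ltd|corp|corporation|co|the)\b", " ", t)
    return " ".join(t.split())

def similar(a, b, threshold=0.85):
    """Fuzzy 'similar values' test: ratio of matching characters after
    normalisation. The threshold is a constructed tuning value."""
    return SequenceMatcher(None, normalise(a), normalise(b)).ratio() >= threshold

def cluster_customers(customers):
    """Greedy grouping: a record joins the first cluster whose representative
    has the same normalised address and a similar name."""
    clusters = []
    for cust in customers:
        for cluster in clusters:
            rep = cluster[0]
            if (normalise(cust["address"]) == normalise(rep["address"])
                    and similar(cust["name"], rep["name"])):
                cluster.append(cust)
                break
        else:
            clusters.append([cust])
    return clusters

def credit_limit_exceptions(customers, orders):
    """Return (customer_ids, exposure, limit) for each duplicate cluster whose
    combined open orders exceed the largest single credit limit inside it."""
    open_amount = {}
    for order in orders:
        cid = order["customer_id"]
        open_amount[cid] = open_amount.get(cid, 0) + order["amount"]
    exceptions = []
    for cluster in cluster_customers(customers):
        if len(cluster) < 2:
            continue
        ids = [c["id"] for c in cluster]
        exposure = sum(open_amount.get(i, 0) for i in ids)
        limit = max(c["credit_limit"] for c in cluster)
        if exposure > limit:
            exceptions.append((ids, exposure, limit))
    return exceptions

# Constructed customer master and open orders (not real data).
CUSTOMERS = [
    {"id": 1001, "name": "ACME Corp", "address": "1 Main St, Boston MA", "credit_limit": 50000},
    {"id": 1002, "name": "Acme Corporation", "address": "1 Main St., Boston, MA", "credit_limit": 50000},
    {"id": 1003, "name": "Globex Inc", "address": "9 Elm St, Denver CO", "credit_limit": 20000},
]
ORDERS = [
    {"customer_id": 1001, "amount": 45000},   # each is under its own limit...
    {"customer_id": 1002, "amount": 40000},   # ...but together they are not
    {"customer_id": 1003, "amount": 5000},
]

if __name__ == "__main__":
    for ids, exposure, limit in credit_limit_exceptions(CUSTOMERS, ORDERS):
        print(f"likely duplicates {ids}: open orders {exposure} exceed limit {limit}")
```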
Oracle Advanced Controls OOW2013 Sessions & Demo Pod
Demo Workstation Moscone West 1st Floor #W-013
Demo ID 3532, Workstation #: W-013
Monday 9:45 – 6:00; Tuesday 9:45 – 6:00; Wednesday 9:45 – 4:00
Learn More About Oracle Advanced Controls – Wednesday
CON8830 Reducing Risk for Oracle E-Business Suite Upgrades and Implementations, 1:15PM Moscone West – 3018
CON8832 Panel Discussion: Intelligent Controls for Key Business Processes and Upgrades, 3:30PM Moscone West – 2002 / 2004
Learn More About Oracle Advanced Controls – Thursday
CON8824 Advanced Access and User Security for Oracle E-Business Suite and Fusion Applications, 2:00PM Moscone West – 3018
MTE9412 Meet the Governance, Risk, and Compliance Experts, 12:30PM Moscone West 2001A
@OracleAdvCntrls
Oracle GRC Advanced Controls
Join Our Linkedin Group
Follow us on Twitter
?’s
The preceding is intended to outline our general product direction. It is
intended for information purposes only, and may not be incorporated into
any contract.
It is not a commitment to deliver any material, code, or functionality, and
should not be relied upon in making purchasing decisions. The
development, release, and timing of any features or functionality
described for Oracle’s products remains at the sole discretion of Oracle.