Copyright © 2015 Oracle and/or its affiliates. All rights reserved. |
GRC Controls at Oracle Travel and Expense Reporting
Gena Alexander, Sr. Director, S2S Strategy and Operations
Oracle, Source-to-Settle
October 26, 2015
Oracle Confidential – Internal/Restricted/Highly Restricted
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Introduction
• Gena started her career at Oracle as a Purchasing Buyer in June 1998 and evolved within the company as the Procurement Global Process Owner and Source-to-Settle Strategy Owner for 12 years.
• Gena is now a Senior Director leading both the Strategy and Operations teams supporting all Source-to-Pay and Expense-to-Pay functions at Oracle Corporation globally.
Oracle Corporation: Scale and Innovation
• $38.2B in revenue in FY15*
• 400,000 customers in 145 countries
• $60B on more than 100 acquisitions
• 25,000+ partners
• 18,000 customer support specialists, speaking 29 languages
• 17,000 implementation consultants
• 120,000+ employees
• 1.5M Expense Reports Annually
• 548K POs Issued Annually
• 941K Invoices Processed Annually
• #1 in 50 product and industry categories
• #2 software company in the world
• #2 cloud company in the world
• 17,000+ patents worldwide
• 36,000 developers and engineers
• 15 million developers in Oracle online communities
• 900 independent Oracle user groups with 500,000 members
* GAAP revenue reported in USD as of May 31, 2015
Oracle E-Business Suite – Release 12.3
[Diagram: Oracle E-Business Suite modules grouped under Supplier Enablement, Employee Self-Service, Supplier Management, Procure-to-Pay, Strategic Sourcing, Contract Management, and Spend & Performance Analytics. Modules shown: iSupplier Portal, Supplier Network*, Purchasing, Accounts Payable, Fixed Assets, iProcurement, iExpenses, Supplier Lifecycle Mgmt, Supplier Hub, Sourcing, OSOD, Sourcing Optimization, Procurement Contracts, Spend Classification, Procurement & Spend Analytics, Employee Expenses.]
Problem Summary
• Misuse and policy violations are detected only in one-off situations by manual analysis.
• Expanding post-payment analysis is in line with the organization's goal.
• It is difficult to identify misuse over time across multiple expense reports.
• Only limited analysis is performed, using multiple reporting tools followed by manual manipulation/review in Excel (an inefficient and time-consuming process).
• Need an internal tool to perform data mining and analysis on expense reports to support investigations and identify potentially high-risk and fraudulent activities.
Implementation Goal
Strengthen Internal Expense Compliance
– Move audit approach from upfront audit to backend analysis.
• Policy- and pattern-based detection.
• Forensic audit on suspicious transactions.
• Identify repeat offenders.
• Targeted communication driven by audit findings.
GRC Footprint
Current Status
• GRC Transaction Controls Governor was implemented in 2013.
• GRC is used as a post-payment expense audit tool to identify misuse and non-compliance with our policies.
• Increased targeted audits on suspicious transactions and added capabilities to audit across multiple transactions/employees.
Future Plans
• Complete the upgrade of GRC to 8.6.5.8027 to improve performance and add additional functionality.
• Create additional, more complex expense controls and aim to reduce individual transaction audits.
• Enable GRC for Accounts Payable and Purchasing data in order to implement additional controls across the Source-to-Settle area and increase policy compliance.
Key Stats
• 10 controls that have identified > 10k transactions that required investigation.
• Educated non-compliant employees to increase future policy compliance.
Lessons Learned
• GRC Control vs. Model or Report
– During the initial stages of the project, clearly identify which criteria make something suitable to be a GRC control versus what can be achieved through reporting
– Ensure the number of incidents reported is manageable for the end-users
• Promote Modules to Production
– Exporting and importing models and controls between test and production systems is time-effective and guarantees identical setups on production
• Standard seeded models need adjustments to a specific company's needs and available data points
Lessons Learned Continued
• Include data vs. exclude data
– ‘Include’ filtering is a more effective way to precisely identify incidents. ‘Exclude’ filtering can result in a lot of false positives
• Credit Card Information and Usage
– Detailed Credit Card information allows for more detailed and accurate controls
• Enforce use of Credit Cards
• Use Credit Card integration
• Enable 3rd level data import
What Makes a Good Control?
Definition of a Good Control
• Focus on identifying non-compliance that cannot be identified through the traditional audit process of individual transactions. Look for patterns or duplications across multiple expense reports and/or employees
• Are the incidents identified individually actionable?
• Do you need to track the actions taken on all reported incidents?
Examples
• Good controls:
- Meal expense and Per Diem claimed for the same day by the same employee?
- Mileage and car rental expense claimed for the same day by the same employee?
- Meal with same attendees claimed for the same amount and day?
• Unsuitable controls:
- A list of top X expense submitters
- A list of all top expense types by $ value
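The three "good control" examples above, sketched as pattern checks across multiple expense reports. This is an added example, not Oracle GRC model logic or code from the presentation; the field names, expense type labels and sample lines are constructed assumptions.

```python
from collections import defaultdict, namedtuple

# Field names are assumptions for this sketch, not an Oracle GRC schema.
Line = namedtuple("Line", "report emp day type cents attendees")

# Constructed sample lines spanning several expense reports.
LINES = [
    Line("ER-101", "alice", "2015-03-02", "Meals", 4200, ("alice",)),
    Line("ER-107", "alice", "2015-03-02", "Per Diem", 6000, ()),
    Line("ER-102", "bob", "2015-03-05", "Mileage", 3150, ()),
    Line("ER-102", "bob", "2015-03-05", "Car Rental", 8800, ()),
    Line("ER-103", "carol", "2015-03-09", "Meals", 15000, ("carol", "dave")),
    Line("ER-104", "dave", "2015-03-09", "Meals", 15000, ("dave", "carol")),
    Line("ER-105", "erin", "2015-03-10", "Meals", 1825, ("erin",)),
    Line("ER-106", "erin", "2015-03-11", "Per Diem", 6000, ()),
]

# 'Include' filtering: each control names exactly the types it inspects.
CONFLICTS = {
    "meal_and_per_diem": ({"Meals"}, {"Per Diem"}),
    "mileage_and_car_rental": ({"Mileage"}, {"Car Rental"}),
}

def conflicting_types(lines):
    """Same employee, same day, both sides of a conflicting pair claimed."""
    by_emp_day = defaultdict(list)
    for ln in lines:
        by_emp_day[(ln.emp, ln.day)].append(ln)
    incidents = []
    for (emp, day), group in sorted(by_emp_day.items()):
        for name, (left, right) in CONFLICTS.items():
            hits = [g for g in group if g.type in left | right]
            types = {g.type for g in hits}
            if types & left and types & right:
                reports = sorted({g.report for g in hits})
                incidents.append((name, emp, day, reports))
    return incidents

def duplicate_meals(lines):
    """Meal with the same attendees, amount and day claimed more than once."""
    seen = defaultdict(list)
    for ln in lines:
        if ln.type == "Meals":
            seen[(ln.day, ln.cents, frozenset(ln.attendees))].append(ln.report)
    return [(day, cents, sorted(att), reports)
            for (day, cents, att), reports in seen.items() if len(reports) > 1]

if __name__ == "__main__":
    for incident in conflicting_types(LINES) + duplicate_meals(LINES):
        print(incident)
```

Each returned incident names the employee or attendees, the day and the report numbers involved, so it is individually actionable; the Meals/Per Diem pair on separate reports would not surface in an audit of either report alone.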
Agenda
1. Panelist Introductions
2. Travel and Expense Reporting Controls - Panel Discussion
3. More Resources
Oracle GRC Wins Ventana Technology Innovation Award!
“Oracle’s GRC solution provides a unique approach to the problem of risk management by automating risk controls which are embedded into critical business processes; applying leading edge technologies to solve complex risk challenges.”
- Mark Smith, CEO of Ventana Research
Pennsylvania Treasury GRC Project Wins Multiple Awards
An elite panel of judges (NASA CIO, FCC CIO, Army CIO and others) has selected the PA Treasury IT project as one of the top 10 public sector projects of the nation.
Case Studies and Speakers at OpenWorld 2015
Source-to-Settle