
Upload: gaige-leas

Post on 14-Dec-2015


Page 1

Leverage Information Technology:

Turn Corporate Governance into Business Performance™

Copyright ©. Fulcrum Information Technology, Inc.

Application Risks and Controls Management Survey Findings

July 15th, 2008

The surveys were conducted independently by Jeffrey T. Hare, CPA CISA CIA of ERP Seminars, reviewed by the board of Oracle Applications Internal Controls and Security SIG. Fulcrum is a Co-Sponsor of this Survey

Disclaimer: The survey results, observations and findings included in this Webinar are not scientific. Our goal is to provide you information on how Oracle customers are dealing with key issues in application risk and controls management

Page 2 (www.fulcrumway.com)

Application Risks and Controls Management

AGENDA
Introduction
Application Controls Survey Findings
Governance Risk and Compliance Trends
IT Controls Framework
Application Controls Overview
Auditing Challenges
Case Studies

Page 3

To Join Webinar

Open the Webinar confirmation email and click the Join Webinar link. Alternatively, you may be invited to a Webinar that is already in session

If prompted, click Yes or Grant to accept the download.

No Webinar password is required

Download Presentation

Fulcrum Webinar Assistance Email: [email protected]

Page 4

Panel Members

Jeff Hare, CPA, CISA, CIA – Jeff's extensive background includes public accounting, industry, and Oracle applications implementation experience. His sole focus is on the development of internal controls and security best practices for companies running Oracle Applications. Jeff is a Certified Public Accountant (CPA), a Certified Information Systems Auditor (CISA), and a Certified Internal Auditor (CIA). He is the founder of ERP Seminars and the Oracle Users Best Practices Board and is widely published.

Lane Leskela – Vice President of Technology Programs at nonprofit think tank the Open Compliance & Ethics Group. Prior to his role at OCEG, Lane served as the Senior Product Marketing Director for GRC applications at Oracle Corporation. Prior to joining Oracle, Lane was a Research Vice President at technology research firm Gartner, Inc. At Gartner, he managed software market research, analysis, reporting and client services for enterprise risk management, regulatory compliance management and financial control and reporting.

Adil Khan – Senior Director at Fulcrum with over 15 years of experience in enterprise business systems. Adil also serves on the board of the Oracle Applications Users Group Internal Controls and Security Interest Group (OAUG-ICSSIG). At Fulcrum, Adil has successfully designed and implemented internal controls management systems for more than 50 global companies listed on NYSE and NASDAQ. His expertise includes streamlining and automating Governance Risk and Compliance processes based on industry standards such as ERM-COSO and COBIT. Prior to Fulcrum, Adil served as a board member and Chief Executive Officer of ALTM, a public company listed on the NASDAQ.

Page 5

About Fulcrum

We are a leading provider of Governance, Risk and Compliance solutions for enterprise customers. Our solutions focus on:

Enterprise Application Controls Monitoring

GRC Process Management

GRC Intelligence

FulcrumWare GRC Tools include content and on-line services to rapidly reduce risks such as Segregation of Duty violations in enterprise systems such as Oracle E-Business Suite, PeopleSoft, JD Edwards, SAP and other legacy applications.

FulcrumWay Professionals are leading experts with real-world experience in Internal Audit, Enterprise Systems and GRC Process Management.

FulcrumPoint Insight provides the latest trends, best practices and thought leadership through regional and national conferences held by OAUG, IIA and ISACA.

Privately held Delaware corporation with US presence in: New York, Texas and California

International presence in UK and India

Page 6

Fulcrum Credentials

Media and Entertainment

Financial Services

Healthcare

Natural Resources

Life Sciences

Industrial Manufacturing

Defense/Aerospace

Retail

Construction

High Technology

Readers Digest

Retail

Food

Page 7

FulcrumPoint Insight

Thought Leadership - Events

Compliance Week Magazine - Healthcare Firm Aligns Compliance Efforts, Cuts Costs

Economist Magazine – Compliance Guide for Enterprise Systems

Podcast – How Automating the Enterprise Risk Management Process helps organizations comply with regulations

OAUG - Impact of AS5 for Oracle Enterprise Customers

IIA – Top Five Reasons for Automating Application Controls

Oracle Open World – Annual GRC Dinner, GE and Birds Eye Case Study

Web casts – GRC Best Practices, Trends and Expert Insight.

Page 8

Recap of surveys

Two surveys conducted by ERP Seminars

Fulcrum is a Co-Sponsor of the Survey

Related to internal controls and security issues for Oracle’s eBusiness Suite

Page 9

Recap of surveys: Demographics

Cross representation of industries

Representing various sales levels from Under $100 million to over $5 billion

Generally over 250 users, with many respondents reporting over 5,000 users

The most common respondent roles were IT management, business analysts, and internal audit/corporate governance

Page 10

Recap of surveys

There were 20 scenarios presented and each scenario included two questions:

1. Identify the awareness of the deficiency:

My company was not aware of this risk

My company is aware of this risk, but has chosen not to address it yet

My company is aware of this risk and has chosen to accept the risk

My company is aware of this risk and has addressed it via a manual control

My company is aware of this risk and has implemented a customization / extension

I am not qualified to address this risk

My company does not use this functionality

Other

2. Determine likelihood of implementing if Oracle provided a solution:

Would likely not implement because we don't agree with the risks

Would likely not implement because we already addressed via a customization

Would likely not implement because we have chosen to accept the risks

Would likely implement it because we have not addressed the issue

Would likely implement it because we would rather replace our customization

I am not able to know what our company would do

Other

Page 11

(Chart of survey responses by awareness category; the legend repeats the answer options listed on page 10.)

Page 12

Overview of results

Lack of awareness of the risks – average 19% (varied from 6.3% to 39%)

Most of the deficiencies, if corrected by Oracle, would be widely adopted – average 78.4% answered "Would likely implement it because we have not addressed the issue" or "Would likely implement it because we would rather replace our customization" (varied from 55% to 89%)

Page 13

Specific results

Workflow history retention:

Page 14

Specific results

Workflow history retention:

Page 15

Specific results

Workflow history retention recommendations:

Remove purge program from all but one request group (DBA or business analyst?) – tightly control

Document process for retaining history
• Maintain history for 15 months, then purge after 404 audit
• Develop archive and purge process for approvals separate from notifications

Page 16

Specific results

Inquiry forms for support personnel / auditors – if Oracle provided standard forms:

Question 7 on survey 1: Adjustment Approval Limits, Journal Authorization Limits, PO and Req Approval Limits, AME setups. 83% would implement.

Question 8 on survey 1: Foundational setups such as Payables Options, Purchasing Options, Receiving Options, and Value Set Values. 86% would implement.

Question 9 on survey 1: Menus, Functions, Request Groups, Responsibilities, and Users. 75% would implement.

Page 17

Specific results

Inquiry forms recommendations:

Take risk with access in Prod – not recommended

Grant selected access to super users – recommended if proper controls are in place to monitor their activity

Frequent cloning to non-prod instance

Third party solution for inquiry forms

Page 18

Specific results

Change management – lack of audit trails for security, setups, DDL and development does not allow for a best-practices audit

Adoption rate for trigger-based or log-based auditing solutions is low

Companies are generally not following change management best-practice guidance (IIA)

Page 19

Specific results

Change management recommendations:

Use a risk-based approach to identify critical audits to implement – SQL forms, development, security, high-risk setups and transactions

Look at choices in log-based and trigger-based space – understand full scope before determining choice

Look for companies with pre-seeded audits

Page 20

Specific results

Manual controls to mitigate form/function deficiencies – examples:

Order entry versus order approval

AR Transaction entry versus approval

Lack of credit checking in AR

Override of matching level at PO level

Monitoring of multiple adjustments entered in AR

Page 21

Specific results

Form/function deficiencies recommendations:

Look at using custom forms, forms personalization, or custom.pll to automate controls

Analyze access control risks / Segregation of Duties issues as part of the risk-based approach

Page 22

Fraud: Revenue Recognition

(c) Deloitte Consulting LLP, 2008

The Deloitte Forensic Center reports large numbers of offenders with multiple fraud schemes:

• Seventy-four percent of the SEC enforcement releases described at least two fraud schemes

• Twenty-five percent described at least five schemes

• Seven percent described more than 10 alleged fraud schemes

• One percent alleged over 20 schemes

Page 23

Instead of This Mayhem…

(Diagram; labels recovered from the figure:)

Discrete Regulations & Standards: Regulation A, Regulation B, Standard C

Discrete Requirements: A1 A2 A3 / B1 B2 B3 / C1 C2 C3

Discrete Controls & Activities: a separate set of controls (C1 C2 C3 C4 C5 C6) under each requirement

Siloed Functions & Departments: IT / Business / Integration, repeated for each silo

Linkage between layers: No Linkage or Weak Linkage

(c) OCEG

Adapted from Deloitte Consulting Graphic

Page 24

Full Linkage, Stronger Linkage

(Diagram; labels recovered from the figure:)

Discrete Regulations & Standards: Regulation A, Regulation B, Standard C

Common Requirements: A1 A2 A3 / B1 B2 B3 / C1 C2 C3, with a shared requirement AB1 across regulations

Common Controls & Activities: one shared set of controls (C1 C2 C3 C4 C5 C6) serving the common requirements

Integrated Functions & Departments: IT / Business / Integration

(c) OCEG

AS5 also Supports This…

Page 25

The Integration Imperative

GRC Program Management

Current State
• Managed in silos
• Mostly reactionary
• More projects than programs
• Handled separately from mainstream processes and decision-making
• People used as middleware
• Limited and fragmented use of technology

Future State
• Enterprise approach
• Integrated controls and processes
• Program-based approach
• Embedded within mainstream processes and decision-making
• Effective use of information technology
• Architected solutions

(c) OCEG, 2008

Page 26

The OCEG Capability Model

ORGANIZE & OVERSEE: O1 – Purpose & Commitment; O2 – Roles & Responsibilities; O3 – Approach & Authorization

INFORM & INTEGRATE: I1 – Information Management; I2 – Information Flows & Triggers; I3 – Technology & Infrastructure

ASSESS & ALIGN: A1 – Risk Identification; A2 – Risk Analysis; A3 – Risk Evaluation; A4 – Risk Planning

PREVENT & PROMOTE: P1 – Codes of Conduct; P2 – Policies & Procedures; P3 – Awareness & Education; P4 – Human Capital Incentives; P5 – Human Capital Controls; P6 – Process Controls; P7 – Technology Controls; P8 – Physical Controls; P9 – Risk Sharing, Transfer, Financing

DETECT & DISCERN: D1 – Notification & Alerts; D2 – Inquiry & Survey; D3 – Detective Controls; D4 – Aggregation & Analysis

RESPOND & RESOLVE: R1 – Inquiry & Investigation; R2 – Third-Party Investigation; R3 – Crisis Response; R4 – Remediation

MONITOR & MEASURE: M1 – Risk Monitoring; M2 – Performance Monitoring; M3 – Systemic Improvement; M4 – Audit & Assurance

CONTEXT & CULTURE: C1 – External Context; C2 – Internal Context; C3 – Culture; C4 – Values & Objectives

(c) OCEG, 2008

Page 27

The GRC Technology Model

Layers (top to bottom), with the requirements that feed them:

Industry Process Applications (P) – Industry Specific Requirements (PR)

GRC Core Applications (G) – GRC Process Requirements (GR)

Business Applications (B)

Infrastructure (I)

Internal and External Content Specialists (e.g., law firms, consultants, departmental staff, management)

Role and Context Applications (e.g., compliance processes, risk, quality, audit, legal, contracts)

Organizational Functionality (e.g., ECM, BPM, BI, LMS, ERP)

IT infrastructure (e.g., identity management, databases, information security)

(c) OCEG, 2008

Page 28

Performance-Based Control

Outcomes: EFFECTIVE, EFFICIENT, RESPONSIVE; measured against Activities.

EFFECTIVE
• Design Effectiveness – Is the system logically designed to meet all legal and other defined requirements?
• Operating Effectiveness – Does the system operate as designed for all users?

EFFICIENT
• Financial Efficiency – How much capital investment is required to maintain it?
• Human Capital Efficiency – What level of individual(s) is required to use it?

RESPONSIVE
• Cycle Time – How much time does it take to implement and upgrade?
• Flexibility / Adaptability – Can the system adapt to the changing environment, including new audit requirements and/or new business units?

(c) OCEG, 2008

Page 29

IT Controls Framework

IT organizations should consider the nature and extent of their operations in determining which, if not all, of the following control objectives need to be included in their internal control program:

PLAN AND ORGANIZE

ACQUIRE AND IMPLEMENT

DELIVER AND SUPPORT

MONITOR AND EVALUATE

IT Controls

Page 30

Application Controls Overview

What are Application Controls?

Application controls apply to the business processes they support. These controls are designed within the application to prevent or detect unauthorized transactions. When combined with manual controls, as necessary, application controls ensure the completeness, accuracy, authorization and validity of transaction processing.

Control objectives can be supported with automated application controls. They are most effective in integrated ERP environments, such as SAP, PeopleSoft, Oracle, JD Edwards and others.

Examples:
• Orders are processed only within approved customer credit limits.
• Orders are approved by management as to prices and terms of sale.
• Purchase orders are placed only for approved requisitions.
• Purchase orders are accurately entered.
• All purchase orders issued are input and processed.
• All recorded production costs are consistent with actual direct and indirect expenses associated with production.
• All direct and indirect expenses associated with production are recorded as production costs.

Page 31

Application Controls Overview

Risk Assessment

• The IT organization has an entity- and activity-level risk assessment framework, which is used periodically to assess information risk to achieving business objectives.
• Management's risk assessment framework focuses on the examination of the essential elements of risk and the cause-and-effect relationship among them.
• A risk assessment framework exists and considers the probability and likelihood of threats.
• The IT organization's risk assessment framework measures the impact of risks according to qualitative and quantitative criteria.
• The IT organization's risk assessment framework is designed to support cost-effective controls to mitigate exposure to risks on a continuing basis, including risk avoidance, mitigation or acceptance.
• A comprehensive security assessment is performed for critical systems and locations based on their relative priority.

Page 32

Application Controls Overview

Control Monitoring

• Changes to IT systems and applications are performed and designed to meet the expectations of users.
• IT management monitors its delivery of services to identify shortfalls and responds with actionable plans to improve.
• IT management monitors the effectiveness of internal controls in the normal course of operations through management and supervisory activities, comparisons and benchmarks.
• Serious deviations in the operation of internal control, including major security, availability and processing integrity events, are reported to senior management.
• Internal control assessments are performed periodically, using self-assessment or independent audit, to examine whether internal controls are operating satisfactorily.

Page 33

Application Controls Management Best Practices – Automation Approach

(Process diagram; steps recovered from the figure:)

Determine Scope by Application
Extract ERP Data
Establish Rules Repository
Detect Violations
Analyze Issues
Remediate Issues
Manage Exceptions
Setup Preventive Controls
Implement Changes
Establish Test Environment
Monitor Application Environment

Participants: Application Control Teams, Corporate Access Controls, Business Process Teams, IT Management

Page 34

Auditing Challenges

Achieving regulatory compliance requires more than IT policies and process documentation.

Effective application audit planning requires mapping controls over application test environments, audit units and significant business processes, based on risk likelihood and impact, to thousands of functions and activities accessible through many roles, menus and functions. Detecting users that have unauthorized access to one or more critical business functions, such as purchase to pay, requires business analytics based on application control rules. Compensating controls are needed for certain users and transactions where business constraints require exceptions. Remediation effort requires strong collaboration among Audit, IT and Business stakeholders to reconfigure security, reassign users, prevent configuration changes and monitor transaction thresholds. ERP access provisioning and configurations must be approved in "real time" to keep up with business needs.
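To make the rule-based detection, compensating-control exceptions and real-time provisioning check described above concrete, here is an added Python example; it is not code from the webinar, from Fulcrum or from Oracle. It evaluates users' responsibilities against the conflict pairs the deck names (order entry vs order approval, AR transaction entry vs approval), records waivers together with the compensating control that covers them, and runs a what-if check on a proposed grant before it is provisioned. All responsibility, function and user names are constructed stand-ins for Oracle E-Business Suite objects.

```python
"""Segregation-of-duties (SoD) detection with auditable waivers and a
provisioning what-if check. Added example, not from the deck's authors.
Every responsibility, function, user and rule id below is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed: responsibility -> the form/functions it grants.
RESP_FUNCTIONS: Dict[str, Set[str]] = {
    "OM_CLERK": {"ORDER_ENTRY"},
    "OM_MANAGER": {"ORDER_ENTRY", "ORDER_APPROVAL"},
    "AR_CLERK": {"AR_TXN_ENTRY"},
    "AR_SUPERVISOR": {"AR_TXN_APPROVAL", "AR_ADJUSTMENT_ENTRY"},
    "GL_INQUIRY": {"GL_INQUIRY"},
}

# Constructed: user -> responsibilities currently assigned in the ERP.
USER_RESPS: Dict[str, Set[str]] = {
    "alice": {"OM_CLERK", "GL_INQUIRY"},
    "bob": {"OM_MANAGER"},                   # one responsibility grants both sides
    "carol": {"AR_CLERK", "AR_SUPERVISOR"},  # two responsibilities combine
    "dave": {"AR_CLERK"},
}


@dataclass(frozen=True)
class SodRule:
    rule_id: str
    func_a: str
    func_b: str
    risk: str  # likelihood/impact rating drives which rules get tested first


# Rules mirror the conflict examples named in the deck.
SOD_RULES: List[SodRule] = [
    SodRule("SOD-OM-01", "ORDER_ENTRY", "ORDER_APPROVAL", "HIGH"),
    SodRule("SOD-AR-01", "AR_TXN_ENTRY", "AR_TXN_APPROVAL", "HIGH"),
]

# Constructed: waivers are per (user, rule) and carry the compensating
# control, so the exception itself stays auditable instead of silently
# suppressing the finding.
WAIVERS: Dict[tuple, str] = {
    ("carol", "SOD-AR-01"): "Monthly review of AR adjustments by controller",
}


@dataclass
class Violation:
    user: str
    rule_id: str
    via_a: Set[str]   # responsibilities that grant func_a
    via_b: Set[str]   # responsibilities that grant func_b
    compensating_control: Optional[str] = None

    @property
    def mitigated(self) -> bool:
        return self.compensating_control is not None


def resps_granting(func: str, resps: Set[str]) -> Set[str]:
    """Which of the given responsibilities expose this function."""
    return {r for r in resps if func in RESP_FUNCTIONS.get(r, set())}


def evaluate_user(user: str, resps: Set[str], rules=SOD_RULES, waivers=WAIVERS) -> List[Violation]:
    """A violation exists when one user's responsibilities reach both sides of a rule."""
    found = []
    for rule in rules:
        via_a = resps_granting(rule.func_a, resps)
        via_b = resps_granting(rule.func_b, resps)
        if via_a and via_b:
            found.append(Violation(user, rule.rule_id, via_a, via_b,
                                   waivers.get((user, rule.rule_id))))
    return found


def detect_violations(user_resps=USER_RESPS) -> List[Violation]:
    """Detective control: scan every user against every rule."""
    out: List[Violation] = []
    for user, resps in user_resps.items():
        out.extend(evaluate_user(user, resps))
    return out


def whatif_add_responsibility(user: str, new_resp: str, user_resps=USER_RESPS) -> List[Violation]:
    """Preventive control at provisioning time: only the conflicts this grant would add."""
    current = user_resps.get(user, set())
    already = {v.rule_id for v in evaluate_user(user, current)}
    return [v for v in evaluate_user(user, current | {new_resp}) if v.rule_id not in already]


if __name__ == "__main__":
    for v in detect_violations():
        status = "WAIVED" if v.mitigated else "OPEN"
        print(f"{status:6} {v.user:6} {v.rule_id} via {sorted(v.via_a)} + {sorted(v.via_b)}")
    for v in whatif_add_responsibility("dave", "AR_SUPERVISOR"):
        print(f"BLOCK  dave + AR_SUPERVISOR would introduce {v.rule_id}")
```

Open findings feed the remediation step (reassign users or re-cut responsibilities); waived findings stay on the report with their compensating control so an auditor can test that the control actually operates.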

Page 35

A. Case Study – Improve User Provisioning

Company Overview
Wholly owned subsidiary of a Fortune 500 company focused on communication and information technologies for security, safety and lifestyle enhancements
Operations in more than 30 countries
Oracle E-Business Suite

GRC Challenges/Opportunities
Comply with SOX
Needed to automate a manual and labor-intensive process to define and approve user access
Segregation of Duties concerns
Oracle E-Business environment – 40 modules, 2,500 users, 100+ user responsibilities

GRC Solutions
Automate user access provisioning compliant with SOD policies

Results
Implemented access provisioning solution to identify user violations and allow auditable override capability for authorized access
Security provisioning time reduction
Management commitment to GRC
SOD rules content jump-started the process
Detected over 5,000 violations
Reduced access provisioning time from 14 days to 4 hours
Trained process owners through online self-service portal

Page 36

B. Case Study – Remediate Access Control Deficiency

Company Overview
Leading manufacturer of electrical and mechanical motion control products
Growing rapidly through acquisitions
Manufacturing and service facilities are located worldwide
Multiple enterprise applications

GRC Challenges/Opportunities
Remediate significant deficiency identified by external auditor
Needed a central system to detect over 5,000 user access violations and implement new roles across multiple systems within 90 days
Limited IT audit resources – one Full Time Equivalent (FTE)

GRC Solutions
Risk Analytics Service
Access Policies
Detection and Remediation Service

Results
Completed first test in 24 hours
No time or resources wasted on additional IT infrastructure with the on-demand web service
Set up compensating controls for waived users
Preventive control functions reduced the risk of security violations in real time
Fully compatible with all enterprise systems
Access controls content helped management define risk likelihood and impact
Faster remediation through analytical reports and filters
What-if analysis improved the self-service user provisioning process

Page 37

C. Case Study – Reduce Expense through Configurable Controls

Company Overview

World's pre-eminent gold producer, with a portfolio of 27 operating mines
Many advanced exploration and development projects located across five continents
The largest gold reserves in the industry

GRC Challenges/Opportunities
Need to reduce SOX compliance audit expense
Implement continuous controls monitoring
Baseline ERP configurable controls for AS5

GRC Solutions
Identify controls for full or partial automation
Benchmark ERP configurations
Set up audit logs on all configuration changes

Results
Analyzed over 1,000 controls
Application Audit Portal provides audit trail on all configuration changes in ERP systems
Track changes to key application setup data and code
Approval workflows and notifications facilitate change management without negatively impacting core business operations
Increased visibility into the actual operation of the controls environment
Reduced testing time by 30%

Page 38

Closing Comments

Download Full Survey Results at: http://www.fulcrumway.com/documents/ERP_RisksControlsSurvey.pdf

Speaker Email Contacts:

Jane Jones [email protected]

Jeffrey Hare [email protected]

Lane Leskela [email protected]

Adil Khan [email protected]