DESCRIPTION: Experiences solving operational and technology risks using Oracle Advanced Controls
TRANSCRIPT
controllayers.com
CON8213 How Your Vendor Master File is Critical to
Governance, Risk Management and Compliance
Oracle Advanced Controls Experiences
Nasser Khan
Intro
ControlLayers is a service line of NHI GRCystems
• A business technology systems’ risk consulting practice dedicated to thought leadership and implementation, management, automation, and enforcement of business process and technology controls
• High caliber advisory and implementation services
• Consultants provide deep domain expertise in enforcing internal controls in enterprise business processes and security functions
• Assists clients in managing operational, regulatory compliance, and privacy-related risks by providing strategy, roadmap and tools to ensure effective and continuous compliance, utilizing its partners’ tools and its own proprietary service offerings
Client Profiles
• Major healthcare and other service providers in North America, averaging over 100 business units all over North America
• On average, over 130,000 employees
• Master Data Management is a key risk mitigation control, with large data entry and management teams
• Over 8,000 unique vendor supply sources
• Purchasing spend in excess of $100 million
• Significant PeopleSoft clients of Oracle globally
• Highly regulated environments
• Stakeholders need a higher degree of assurance from internal controls over financial reporting
Challenges at clients
Ambitious business transformation initiatives involving PeopleSoft FSCM 9.1, HCM 9.1 and OBIEE (centralized reporting)
Financial transformation processes include GL, AP, AR, AM, KK, PC and Supply Chain transformed by deploying PO, IN, and Vendors, Contracts and Items
Over 100 business units purchasing from over 8000 vendors
Challenges at clients
• One vendor (name) may have many subsidiaries dealing with totally different items, pricing models, payment terms and lead times
• Consistent and accurate data needed to be entered against stringent standards
• A same-name vendor may have a different subsidiary at the same location or in the same city
• With distributed purchasing at BU level, conflicting and sometimes unfavorable contract terms were in force
• Receiving and matching challenges occurred on many levels
• Vendor approvals were not structured; inactive or blocked vendors could get paid (OIG of Dept. of HHS)
Key Needs and Control Gaps
• Needed a critical system to provide operating effectiveness of application-based controls in Procure to Pay on a continuous basis
• The Duplicate Vendor report in PeopleSoft had limitations (it matched only on short name) and did not provide real-time validation
• Financial Sanctions Validation was not enabled in PeopleSoft, so an independent validation method, based on data from another source, had to be used
• Comparison of address history in PeopleSoft was, again, not real-time
• Needed to map controls in the source system conveniently to the control framework to assist in operational and compliance audits
[Table: control status per gap, with cells reading ‘No Control’, ‘PS Control’ or ‘Manual Control’; the row labels are not recoverable from the transcript.]
Actual Vs. Desired Controls Landscape
Why did we need Advanced Controls?
Improve Audit Efficiency
• Audit coverage, confidence, reporting
• Incident investigation, whistle-blower support
• Continuous Process Monitoring
Minimize Fraud and Abuse
• Fictitious vendors
• Overstated invoices
• Receiving discrepancies
Reduce Error and Leakage
• Overpayment, duplicate payment
• Payment timing, discounts
• Reduce cost of manual controls; incorrect vendor paid
Secure Systems Down
• Preventative and detective segregation of duties policy enforcement
• Access appropriateness reporting
• Mapping users to transactions and providing audit trails of actions
Main Vendor Management Goals
• Increase buying leverage significantly and get the volume discounts based on collective purchasing power of all entities across operations
• Improve many procure-to-pay sub-processes
• Uniquely identify vendors operating across service geographies
• Standardize payment methods and terms of payment
• Reduce incorrect PO issuance, check issuance, late payment penalties, and overheads in managing the vendor landscape
• Ensure vendors or their banks are not on OIG or OFAC lists
• Make Item and Catalog administration structured and clear
Advanced Transaction Controls
Found this value in Oracle Advanced Controls
Continuous Monitoring: Transaction Controls Governor
• Pre-seeded best practice controls for PeopleSoft Vendor management
• Scalable to add more automated controls
• Pre-seeded controls for Procure-to-Pay use gave perspective on vendor information being reported
• Continuous monitoring and schedulable alerts for exceptions
• Independent ‘Witness System’ to hold evidence data should an external auditor or regulator need it
Key Transaction Controls Deployed
• Duplicate vendor entries
• Duplicate invoice payments
• Vendor address similar to employee address
• Payments made to blocked vendors
• More than one vendor with similar addresses
• Payments beyond norm, outliers
• Monitor for approval of payments to vendors which were created by the same user
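The following is an added example, not code from ControlLayers, Oracle or PeopleSoft, showing how several of the transaction controls listed above (and the control gaps on the Key Needs slide) can be expressed as detection logic over vendor, employee and payment records. It runs over constructed sample data; the column names, the name and address normalization rules, and the outlier threshold are assumptions. The duplicate check deliberately goes beyond a short-name-only comparison by normalizing full names and addresses, which is the limitation the deck calls out in the PeopleSoft report.

```python
"""Added example (not ControlLayers', Oracle's or PeopleSoft's code): a small
implementation of the vendor transaction controls listed in the deck, run over
constructed sample data. Column names below are assumptions, not PeopleSoft's."""
import re
from collections import defaultdict
from statistics import median

# Constructed sample data (not from any client system). status "A" = active.
VENDORS = [
    {"vendor_id": "V001", "name": "Acme Medical Supply Inc.", "address": "12 Main St",
     "city": "Boston", "zip": "02101", "status": "A", "created_by": "jdoe", "approved_by": "asmith"},
    {"vendor_id": "V002", "name": "ACME Medical Supply, Inc", "address": "12 Main Street",
     "city": "Boston", "zip": "02101", "status": "A", "created_by": "jdoe", "approved_by": "jdoe"},
    {"vendor_id": "V003", "name": "Globex Labs", "address": "9 Elm Ave",
     "city": "Denver", "zip": "80201", "status": "I", "created_by": "mlee", "approved_by": "asmith"},
    {"vendor_id": "V004", "name": "Initech Services", "address": "77 Oak Rd",
     "city": "Austin", "zip": "73301", "status": "A", "created_by": "mlee", "approved_by": "asmith"},
]
EMPLOYEES = [
    {"emplid": "E100", "name": "Pat Jones", "address": "77 Oak Road", "city": "Austin", "zip": "73301"},
]
PAYMENTS = [
    {"pay_id": "P1", "vendor_id": "V001", "amount": 1000.0},
    {"pay_id": "P2", "vendor_id": "V001", "amount": 1100.0},
    {"pay_id": "P3", "vendor_id": "V001", "amount": 950.0},
    {"pay_id": "P4", "vendor_id": "V001", "amount": 48000.0},
    {"pay_id": "P5", "vendor_id": "V003", "amount": 500.0},
    {"pay_id": "P6", "vendor_id": "V004", "amount": 1200.0},
]

# Tokens dropped or rewritten so "Acme Inc." and "ACME, Inc" compare equal (assumed rules).
LEGAL_SUFFIXES = {"inc", "llc", "ltd", "corp", "co", "company", "corporation", "incorporated"}
STREET_WORDS = {"street": "st", "road": "rd", "avenue": "ave", "drive": "dr", "boulevard": "blvd"}


def normalize_name(name):
    """Lower-case, strip punctuation and legal suffixes; a short-name-only report misses these."""
    words = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(w for w in words if w not in LEGAL_SUFFIXES)


def normalize_address(street, city, zipcode):
    """Comparable address key: punctuation stripped, street words abbreviated, city/zip trimmed."""
    words = re.sub(r"[^a-z0-9 ]", " ", street.lower()).split()
    return (" ".join(STREET_WORDS.get(w, w) for w in words), city.strip().lower(), zipcode.strip())


def duplicate_vendors(vendors):
    """Groups of vendor ids sharing a normalized name or a normalized address (merge candidates)."""
    by_key = defaultdict(set)
    for v in vendors:
        by_key[("name", normalize_name(v["name"]))].add(v["vendor_id"])
        by_key[("addr", normalize_address(v["address"], v["city"], v["zip"]))].add(v["vendor_id"])
    return sorted({tuple(sorted(ids)) for ids in by_key.values() if len(ids) > 1})


def vendor_employee_address_matches(vendors, employees):
    """Vendors whose address equals an employee's address: a fictitious-vendor indicator."""
    by_addr = {normalize_address(e["address"], e["city"], e["zip"]): e["emplid"] for e in employees}
    hits = []
    for v in vendors:
        key = normalize_address(v["address"], v["city"], v["zip"])
        if key in by_addr:
            hits.append((v["vendor_id"], by_addr[key]))
    return hits


def payments_to_blocked_vendors(vendors, payments):
    """Payments to vendors that are not active (inactive or blocked) in the master file."""
    blocked = {v["vendor_id"] for v in vendors if v["status"] != "A"}
    return [p["pay_id"] for p in payments if p["vendor_id"] in blocked]


def payment_outliers(payments, factor=5.0, min_history=3):
    """Payments above `factor` times the vendor's median payment, once enough history exists."""
    history = defaultdict(list)
    for p in payments:
        history[p["vendor_id"]].append(p["amount"])
    return [p["pay_id"] for p in payments
            if len(history[p["vendor_id"]]) >= min_history
            and p["amount"] > factor * median(history[p["vendor_id"]])]


def self_approved_vendors(vendors):
    """Vendors created and approved by the same user (the same-user check the deck describes)."""
    return [v["vendor_id"] for v in vendors if v["created_by"] == v["approved_by"]]


def run_controls(vendors=VENDORS, employees=EMPLOYEES, payments=PAYMENTS):
    """Run every control and return the incidents per control, as a scheduled monitoring job would."""
    return {
        "duplicate_vendors": duplicate_vendors(vendors),
        "vendor_employee_address": vendor_employee_address_matches(vendors, employees),
        "blocked_vendor_payments": payments_to_blocked_vendors(vendors, payments),
        "payment_outliers": payment_outliers(payments),
        "self_approved_vendors": self_approved_vendors(vendors),
    }


if __name__ == "__main__":
    for control, incidents in run_controls().items():
        print(f"{control}: {incidents}")
```

Each function returns the incident list rather than printing it, so the same output can feed a witness system or an alert schedule; in the sample data V001/V002 surface as a merge candidate, V004 shares an employee's address, P5 pays an inactive vendor, P4 is an outlier against V001's history, and V002 was created and approved by one user.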
TCG Model Setup: Is Vendor Overpaid?
TCG: Managing Incidents
Remediation
• Similar names
• Unapproved vendor not set up correctly
As part of remediation, the user would likely merge if the same vendor has been created with more than one similar name.
Vendor setup may have inconsistencies which would need remediation.
Advanced Access Controls
Access Controls: Segregation of Duties
For user activity, we used the Oracle Advanced Controls application Application Access Controls Governor (AACG), which flagged, for example, when the same user who created a vendor also approved vendors.
Access Remediation
Remove the SOD conflicts
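As an added example (not Oracle AACG code, and not the presenter's), the following shows the preventive side of the segregation-of-duties checks described on the two slides above: given role definitions, user-to-role assignments and a list of incompatible functions, it reports each user's conflicts, which roles grant each side, and which single role removal would clear the conflict. All role, function and user names are constructed for the example.

```python
"""Added example (not Oracle AACG code): a preventive segregation-of-duties check
of the kind the deck describes, over constructed users, roles and conflict rules."""

# Constructed role definitions: role -> business functions it grants.
ROLE_FUNCTIONS = {
    "AP_VENDOR_ENTRY": {"VENDOR_CREATE", "VENDOR_MAINTAIN"},
    "AP_VENDOR_APPROVER": {"VENDOR_APPROVE"},
    "AP_PAYMENT_PROCESSOR": {"VOUCHER_ENTER", "PAY_CYCLE_RUN"},
    "AP_INQUIRY": {"VENDOR_VIEW", "VOUCHER_VIEW"},
}

# Constructed user-to-role assignments.
USER_ROLES = {
    "jdoe": {"AP_VENDOR_ENTRY", "AP_VENDOR_APPROVER"},
    "mlee": {"AP_VENDOR_ENTRY", "AP_INQUIRY"},
    "asmith": {"AP_VENDOR_APPROVER", "AP_PAYMENT_PROCESSOR"},
    "rkim": {"AP_VENDOR_ENTRY", "AP_PAYMENT_PROCESSOR"},
}

# SoD rules: pairs of functions one person must not hold together (constructed policy).
SOD_RULES = [
    ("VENDOR_CREATE", "VENDOR_APPROVE", "Create and approve own vendor"),
    ("VENDOR_MAINTAIN", "PAY_CYCLE_RUN", "Change vendor bank data and pay it"),
]


def user_functions(user):
    """Function -> set of roles granting it, for one user (keeps the path for remediation)."""
    grants = {}
    for role in USER_ROLES.get(user, ()):
        for fn in ROLE_FUNCTIONS.get(role, ()):
            grants.setdefault(fn, set()).add(role)
    return grants


def sod_conflicts(user):
    """Every SoD rule the user violates, with the roles that supply each side."""
    grants = user_functions(user)
    conflicts = []
    for left, right, description in SOD_RULES:
        if left in grants and right in grants:
            conflicts.append({
                "user": user,
                "rule": description,
                "via": {left: sorted(grants[left]), right: sorted(grants[right])},
            })
    return conflicts


def all_conflicts():
    """Conflicts for every user, in user order, as an access-appropriateness report."""
    return [c for user in sorted(USER_ROLES) for c in sod_conflicts(user)]


def remediation_options(conflict):
    """Roles whose removal alone clears the conflict: any role that is the sole grantor of one side."""
    options = set()
    for roles in conflict["via"].values():
        if len(roles) == 1:
            options.add(roles[0])
    return sorted(options)


if __name__ == "__main__":
    for conflict in all_conflicts():
        print(conflict["user"], "-", conflict["rule"], "- remove one of:", remediation_options(conflict))
```

The report keeps the granting roles, not just the conflicting functions, because the remediation step shown on the Access Remediation slide is to remove a role; with the sample data, jdoe and rkim each carry one conflict and either of their two roles would clear it.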
Advanced Configuration Controls
Found this value in Oracle Advanced Controls
Master data entry exception detection: Configuration Controls Governor
• Reduced manual data entry controls that included daily checking of vendor and vendor-related entries. With CCG, only changes needed to be analyzed, selectively
• Incorrect vendor on POs and reqs
• Payment term changes and incorrect terms on PO
• Bank account or address changes
• User data quality improvements
• Leverage CCG-reported data to educate users in good practices and process improvement
Key Configuration Change Controls Deployed
• For change management, we used CCG Change Tracking, with daily notifications of high-risk field changes
• CCG allowed us to report daily on who changed what, when and where
• Limited the performance impact on PeopleSoft from audit data build-up
• On event, and at certain financial period ends, took snapshots of configuration sets for a point-in-time picture
• Combined with front-end vendor setup procedures, such as one entry per vendor designated as the ‘Primary Vendor’, then address sequencing to identify a vendor's multiple fulfillment locations
Configuration Change Tracking
Create queries to track changes
Setup Alerts on Vendor Changes
Specify what actions to be notified of, date range, backend or frontend, table object, etc. We took a risk-based approach and were only interested in specific fields on tables.
Oracle Advanced Controls (Configuration): what the change report answers
• Who changed from the frontend?
• Who changed from the backend?
• Type of change?
• Table name?
• For what key values, and what was the change?
• When?
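The slides on configuration change controls, change tracking queries and alerts describe three mechanisms: point-in-time snapshots, a risk-based watch list of high-risk fields, and a daily who/what/when/where report that distinguishes frontend from backend changes. The following is an added example, not Oracle CCG code, putting the three together over a constructed change log: it diffs two snapshots, keeps only watched fields, builds the daily digest, and, as a check a practitioner would want, reconciles the snapshot diff against the audit trail to surface high-risk changes that no tracked transaction explains. Table names, field names, users and dates are all constructed.

```python
"""Added example (not Oracle CCG code): snapshot comparison, risk-based field
alerting and audit-trail reconciliation of the kind the deck attributes to CCG
Change Tracking, over a constructed change log. Table and field names are assumptions."""

# Risk-based scope: only these (table, field) pairs raise alerts (constructed choice).
HIGH_RISK_FIELDS = {
    ("VENDOR", "VENDOR_STATUS"),
    ("VENDOR_ADDR", "ADDRESS1"),
    ("VENDOR_PAY", "BANK_ACCT_NUM"),
    ("VENDOR_PAY", "PYMNT_TERMS_CD"),
}

# Constructed point-in-time snapshots: (table, key) -> {field: value}.
SNAPSHOT_T0 = {
    ("VENDOR", "V001"): {"VENDOR_STATUS": "A", "VENDOR_NAME_SHORT": "ACMEMED"},
    ("VENDOR_PAY", "V001"): {"BANK_ACCT_NUM": "****1234", "PYMNT_TERMS_CD": "N30"},
    ("VENDOR_ADDR", "V001/1"): {"ADDRESS1": "12 Main St", "CITY": "Boston"},
    ("VENDOR", "V003"): {"VENDOR_STATUS": "A", "VENDOR_NAME_SHORT": "GLOBEX"},
}
SNAPSHOT_T1 = {
    ("VENDOR", "V001"): {"VENDOR_STATUS": "A", "VENDOR_NAME_SHORT": "ACME-MED"},
    ("VENDOR_PAY", "V001"): {"BANK_ACCT_NUM": "****9876", "PYMNT_TERMS_CD": "N30"},
    ("VENDOR_ADDR", "V001/1"): {"ADDRESS1": "12 Main St", "CITY": "Boston"},
    ("VENDOR", "V003"): {"VENDOR_STATUS": "I", "VENDOR_NAME_SHORT": "GLOBEX"},
    ("VENDOR", "V005"): {"VENDOR_STATUS": "A", "VENDOR_NAME_SHORT": "NEWCO"},
}

# Constructed audit trail as a change-tracking query would report it:
# (date, user, source, table, key, field, old, new). Deliberately has no row for V003's status change.
CHANGE_LOG = [
    ("2014-09-29", "jdoe", "frontend", "VENDOR", "V001", "VENDOR_NAME_SHORT", "ACMEMED", "ACME-MED"),
    ("2014-09-29", "dba01", "backend", "VENDOR_PAY", "V001", "BANK_ACCT_NUM", "****1234", "****9876"),
    ("2014-09-30", "mlee", "frontend", "VENDOR", "V005", "VENDOR_STATUS", None, "A"),
]


def diff_snapshots(before, after):
    """Field-level differences between two snapshots as (rowkey, field, old, new).
    Added or removed rows use the pseudo-field "ADDED"/"REMOVED" with the whole row as value."""
    changes = []
    for rowkey in sorted(set(before) | set(after)):
        old_row, new_row = before.get(rowkey), after.get(rowkey)
        if old_row is None:
            changes.append((rowkey, "ADDED", None, new_row))
        elif new_row is None:
            changes.append((rowkey, "REMOVED", old_row, None))
        else:
            for field in sorted(set(old_row) | set(new_row)):
                if old_row.get(field) != new_row.get(field):
                    changes.append((rowkey, field, old_row.get(field), new_row.get(field)))
    return changes


def high_risk_changes(changes):
    """Keep only changes in the watch list; a new row counts when it sets any watched field."""
    hits = []
    for rowkey, field, old, new in changes:
        table = rowkey[0]
        if field == "ADDED":
            if any((table, f) in HIGH_RISK_FIELDS for f in new):
                hits.append((rowkey, field, old, new))
        elif (table, field) in HIGH_RISK_FIELDS:
            hits.append((rowkey, field, old, new))
    return hits


def daily_digest(log, day):
    """Who changed what, when, where and from which side (frontend/backend), for one day, watched fields only."""
    return [
        {"user": user, "source": source, "table": table, "key": key, "field": field, "old": old, "new": new}
        for (date, user, source, table, key, field, old, new) in log
        if date == day and (table, field) in HIGH_RISK_FIELDS
    ]


def unexplained_changes(changes, log):
    """High-risk snapshot differences with no matching audit-trail entry: changes that bypassed tracking."""
    logged = {(table, key, field, new) for (_, _, _, table, key, field, _, new) in log}
    missing = []
    for rowkey, field, old, new in high_risk_changes(changes):
        table, key = rowkey
        if field == "ADDED":
            explained = any((table, key, f, v) in logged for f, v in new.items())
        else:
            explained = (table, key, field, new) in logged
        if not explained:
            missing.append((rowkey, field))
    return missing


if __name__ == "__main__":
    diff = diff_snapshots(SNAPSHOT_T0, SNAPSHOT_T1)
    print("high-risk changes:", high_risk_changes(diff))
    print("digest 2014-09-29:", daily_digest(CHANGE_LOG, "2014-09-29"))
    print("unexplained:", unexplained_changes(diff, CHANGE_LOG))
```

The short-name edit on V001 is dropped by the watch list, which is the point of the risk-based scope; the bank account change appears in the 2014-09-29 digest attributed to a backend user; and V003's status change shows up only in the snapshot diff, which is the kind of finding a period-end snapshot exists to catch.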
Goals vs. Value Realized

Goal: Increase buying leverage significantly and get the volume discounts based on collective purchasing power of all entities across operations
Value realized: Reduced spend significantly enough to justify the initial effort and opex of centralized vendor data management staff

Goal: Improve many procure-to-pay sub-processes
Value realized: The exercise gave structure to work methods, ensuring accurate and timely processing of vendor payments

Goal: Uniquely identify vendors operating across service geographies
Value realized: Reduced duplicate vendor situations to almost zero and allowed benchmarking of prices for all locations for the same items

Goal: Standardize payment methods and terms of payment
Value realized: Cleanup gave clarity and the ability to demand the same terms for vendors of the same or similar items. Brought all vendors onto standard terms, which helped avoid payment delays and PayCycle processing

Goal: Reduce incorrect PO issuance, check issuance, and overheads in managing the vendor landscape
Value realized: Vendor entry errors went down from 40% to less than 5%. Reduced the need for exception Purchase Orders and helped set up priority vendors

Goal: Make Item and Catalog administration structured and clear
Lessons learned
Effective Controls with Low Resource Cost: PeopleSoft is a vastly configurable ERP system. Having additional controls configured in it, or queries built, places a burden on it. The Oracle Advanced Controls (OAC) applications proved to be an effective companion system for controls.
Early Gap Identification for Effective Design: Assess PeopleSoft and explore complementary resolution of gaps by OAC early in implementations.
Embed Controls within the Process: Treat OAC as part of ‘your daily diet’ business process flows, not as add-ons, to achieve process control, completeness and effectiveness.
Automate Controls for Efficiency: Adopt the mantra of ‘automated’ versus ‘manual’ and the chips will fall into place.
Highlight Root Causes by Identifying Control Points: Identifying control points as ‘afterthoughts’ results in band-aids. Instead, have business process flows nailed down first.
Layered Controls = Deeper Defense