Using Oracle GRC software to automate and proactively monitor your E-Business Suite

Upload: bradleywstorts

Post on 01-Dec-2014

DESCRIPTION

An overview of the Oracle GRC software suite.

TRANSCRIPT

Page 1
Page 2

Using Oracle’s GRC Software Suite to automate and proactively monitor your E-Business Suite

Session 9333

Page 3

Introduction
• Brad Storts, AXIA Consulting ([email protected])
• Client: a utility company in the Midwest
• Better controls over the Oracle E-Business Suite
• A tool to manage SOX compliance
• Solution: Oracle GRC software suite

Page 4

Agenda
• GRC controls suite
  o Preventative Controls Governor (PCG)
  o Access Controls Governor (ACG)
  o Transaction Controls Governor (TCG)
  o Configuration Controls Governor (CCG)
• GRC Manager / Intelligence

Page 5

Preventative Controls Governor
• Tool to control user viewing and changing of E-Business Suite (EBS) data
• Application is embedded in your EBS as a custom application
  o No hardware required
  o Higher risk of adversely impacting your key processing
• Three types of rules
  o Form rules: interact directly with an EBS Java form
  o Flow rules: fired from a database trigger or a periodic schedule
  o Audit or change control rules: triggered by EBS table changes

Page 6

PCG rules implemented at the client, by rule type (Form / Flow / Audit)

Type  | Control
------+-------------------------------------------------------------------------------
Audit | Track changes in values for the 10 segments of the GL accounting flexfield
Form  | Prevent a receipt against a 2-way PO line (excludes purchase orders created before 8/21/2011)
Form  | Prevention when a PO has a distribution line with a General Ledger liability account
Form  | Prevention when a PO has a distribution line to an asset GL account (1010000 to 1219999) but no project and task
Form  | Force a 2-way PO for services to have a price of $1
Flow  | Notification when a non-stock PO is closed with remaining dollars
Flow  | Notification to requisitioner when 80% of a services purchase order total is reached
Flow  | Notification for unbalanced journals posted during month-end closing
Flow  | Notification of HR location changes
Flow  | Department or employee group (union / management) quarterly report on changes
Form  | Hide social security number for HR inquiry users
Flow  | Notification of new supervisors to HR
Flow  | Notification on projects where actual costs are approaching budgeted costs
Flow  | Notification on missed payment discounts
Flow  | PO terms differ from vendor terms
Flow  | Alert AP when max ship on hold is released as more money is added to a purchase order
Flow  | AFUDC flag set incorrectly for projects
Form  | Stop a user from matching a receipt against a PO they created or approved
Flow  | Notify WAM Help Desk if a purchasing category is created or changed
Form  | Form validation for new employees missing schedule or rotation plan, earning policy, or payroll in OTL, based on employee category
Audit | Audit report on certain supplier changes
Flow  | Payment terms changed on an invoice from what was on the PO
Flow  | Notification to requisitioner when a non-stock item is received

Page 7

Form rule example

Page 8

Triggering a flow rule

Page 9

SQL check for flow rule processing

Page 10

Flow rule notification

Page 11

Flow rule notification

Page 12

Preventative Controls Governor Lessons Learned
• Requires custom.pll updates; form rules only affect Java forms, not HTML pages
• Documentation references applcust.txt; ignore it (not used in R12)
• Create a browse-only PCG responsibility so reviewers can browse rules without changing them
• Cloning environments works, but you need additional steps to migrate rule changes
• When migrating rules you have to recompile triggers and re-enter periodic rules as well as audit rules
• Watch out for triggers based on dates: a rule that compares a date column may not handle NULLs correctly, and rows with a NULL date silently fall outside the condition
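The last lesson, a date-based rule silently skipping rows whose date is NULL, is easy to reproduce. The following is an added example written for this page; it is not the presenter's code and not anything shipped with PCG. It expresses a periodic flow-rule condition as SQL and runs it in Python against a constructed in-memory SQLite table. The table name, its columns, the sample rows and the cutoff date are all assumptions; Oracle applies the same three-valued logic to NULL comparisons, so the fix carries over to a PL/SQL trigger or periodic rule.

```python
import sqlite3

# Constructed sample of non-stock PO headers (not the real EBS PO schema).
# PO 1002 has never been closed, so closed_date is NULL: the row a naive
# date rule mishandles.
PO_ROWS = [
    # po_number, closed_date (ISO text), amount_ordered, amount_billed
    ("1001", "2014-11-03", 5000.0, 4200.0),
    ("1002", None,         3000.0,  900.0),
    ("1003", "2014-10-15", 1200.0, 1200.0),
]


def load_sample() -> sqlite3.Connection:
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE po_headers ("
        "po_number TEXT, closed_date TEXT, amount_ordered REAL, amount_billed REAL)"
    )
    conn.executemany("INSERT INTO po_headers VALUES (?, ?, ?, ?)", PO_ROWS)
    return conn


def _po_numbers(conn, where: str, params=()):
    """Run one rule condition and return the PO numbers it fires on."""
    sql = f"SELECT po_number FROM po_headers WHERE {where} ORDER BY po_number"
    return [row[0] for row in conn.execute(sql, params)]


def closed_since(conn, cutoff: str):
    """Rule A: POs closed on or after the cutoff date."""
    return _po_numbers(conn, "closed_date >= ?", (cutoff,))


def not_closed_since_naive(conn, cutoff: str):
    """Rule B as usually written, as the complement of rule A.
    For a NULL closed_date the comparison is UNKNOWN, and NOT UNKNOWN is
    still UNKNOWN, so the NULL row is dropped here as well."""
    return _po_numbers(conn, "NOT (closed_date >= ?)", (cutoff,))


def not_closed_since_fixed(conn, cutoff: str):
    """Rule B with the NULL case made explicit, so A and B partition the table."""
    return _po_numbers(conn, "closed_date IS NULL OR closed_date < ?", (cutoff,))


def silently_skipped(conn, cutoff: str):
    """POs that neither naive rule fires on: the gap a reviewer would never see."""
    both = set(closed_since(conn, cutoff)) | set(not_closed_since_naive(conn, cutoff))
    return sorted(set(_po_numbers(conn, "1 = 1")) - both)


def remaining_dollars_on_closed(conn):
    """The slide's 'non-stock PO closed with remaining dollars' rule with the
    same guard: COALESCE keeps a NULL amount_billed from hiding the row."""
    return _po_numbers(
        conn,
        "closed_date IS NOT NULL AND amount_ordered - COALESCE(amount_billed, 0) > 0",
    )


if __name__ == "__main__":
    c = load_sample()
    print("closed since 2014-11-01:      ", closed_since(c, "2014-11-01"))
    print("naive complement:             ", not_closed_since_naive(c, "2014-11-01"))
    print("fixed complement:             ", not_closed_since_fixed(c, "2014-11-01"))
    print("skipped by both naive rules:  ", silently_skipped(c, "2014-11-01"))
    print("closed with remaining dollars:", remaining_dollars_on_closed(c))
```

The check worth keeping from this is silently_skipped: when two rules are meant to be each other's complement, run both and confirm every row lands in exactly one result set. A non-empty remainder means a NULL-able column is in the condition without an explicit IS NULL branch.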

Page 13

Access Controls Governor
• Evaluates Oracle access and can prevent or monitor policy violations
• Runs on separate hardware, using Oracle Data Integrator to pull information from the EBS about users, responsibilities, menus, and functions
• Incidents are created and tracked to resolution

Page 14

Access Controls Governor - Benefits
• Moved from a manual process to an automated process to check for segregation of duties violations
• We found responsibilities that needed to be changed
• We found some users with access they didn’t need
• A lot of work on the initial setup and cleanup of false positives, but very little work to maintain after that

Page 15

You can visualize the paths, from the user through the responsibility through the menus to the functions that cause the segregation of duties conflict.

Page 16

Entitlements: elements within the EBS that allow a certain function

Page 17

Create controls that prevent or monitor users that have segregation of duties conflicts due to their entitlements:

Page 18

Access Global Conditions: allow you to turn off certain conditions to remove false positives

Page 19

Access Path Conditions

Page 20

Access incidents

Page 21

Access Controls implementation
• Lots of initial work to weed out many false positives
  o System accounts show up with lots of violations
  o Some responsibilities do not really allow the function
    Some screens allow browse only
    Receiving: organizations not defined
  o Cleanup can also be time consuming: reviewing all the incidents and working out the proper course of action for each

Page 22

Access Controls Governor lessons learned
• The default is to evaluate access based on email. Note that several users can share an email address, which causes lots of confusion, so you should change the identity key to email + user ID (our example: IT support staff IDs created from existing users)
• The ability to forecast conflicts is limited: you can see the impact of modifying a responsibility or menu, but you can’t see the potential impact of giving a responsibility to a user (which is much more common in my opinion)
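To make the path analysis of pages 15 to 22 concrete, the following is an added example written for this page; it is not the presenter's code and not ACG's own logic. It resolves user to responsibility to menu tree to function over a small constructed security model, honours responsibility-level function exclusions (the "responsibility does not really allow the function" case), applies global conditions that drop browse-only functions and system accounts, and shows why keying identities by email alone produces a phantom conflict when two accounts share an address. Every user, responsibility, menu and function name below is made up for the example, loosely modelled on EBS naming; the policy and exclusion lists are assumptions.

```python
from collections import defaultdict

# --- constructed security data (assumptions, not a real EBS extract) ------
# user_name -> (user_id, email). ITSUP01 is a support id copied from JSMITH,
# so it carries the same email address.
USERS = {
    "JSMITH":   (1001, "jsmith@example.com"),
    "MJONES":   (1002, "mjones@example.com"),
    "ITSUP01":  (1003, "jsmith@example.com"),
    "PINQ":     (1004, "pinq@example.com"),
    "SYSADMIN": (0,    "sysadmin@example.com"),
}
USER_RESPS = {
    "JSMITH":   ["PURCHASING_BUYER"],
    "MJONES":   ["PURCHASING_BUYER", "PAYABLES_CLERK"],
    "ITSUP01":  ["PAYABLES_CLERK"],
    "PINQ":     ["PURCHASING_INQ", "PAYABLES_CLERK"],
    "SYSADMIN": ["PURCHASING_BUYER", "PAYABLES_CLERK"],
}
# responsibility -> (top menu, functions excluded at responsibility level)
RESPS = {
    "PURCHASING_BUYER": ("PO_MAIN", set()),
    "PURCHASING_INQ":   ("PO_MAIN", {"PO_CREATE"}),   # same menu, exclusion applied
    "PAYABLES_CLERK":   ("AP_MAIN", set()),
}
# menu -> entries: ("menu", submenu) or ("function", function)
MENUS = {
    "PO_MAIN": [("function", "PO_CREATE"), ("menu", "PO_RCV"), ("function", "PO_VIEW")],
    "PO_RCV":  [("function", "RCV_RECEIPT")],
    "AP_MAIN": [("function", "AP_INVOICE_ENTRY"), ("function", "AP_INVOICE_VIEW")],
}
# SoD policy: an identity must not hold both entitlements.
POLICY = {
    "create_po":     {"PO_CREATE"},
    "enter_invoice": {"AP_INVOICE_ENTRY", "AP_INVOICE_VIEW"},
}
# Global conditions: the knobs used to remove false positives.
BROWSE_ONLY = {"PO_VIEW", "AP_INVOICE_VIEW"}
SYSTEM_ACCOUNTS = {"SYSADMIN"}


def functions_in_menu(menu, excluded, path=()):
    """Yield (function, path) for every function reachable under a menu,
    walking submenus and skipping functions excluded by the responsibility."""
    path = path + (menu,)
    for kind, name in MENUS.get(menu, []):
        if kind == "menu":
            yield from functions_in_menu(name, excluded, path)
        elif name not in excluded:
            yield name, path + (name,)


def user_access(user):
    """function -> list of (responsibility, menu, ..., function) paths."""
    access = defaultdict(list)
    for resp in USER_RESPS.get(user, []):
        top, excluded = RESPS[resp]
        for func, path in functions_in_menu(top, excluded):
            access[func].append((resp,) + path)
    return access


def identity_key(user, by="email+user_id"):
    """How accounts are folded into one identity before checking the policy."""
    uid, email = USERS[user]
    return email if by == "email" else f"{email}#{uid}"


def find_conflicts(by="email+user_id", apply_conditions=True):
    """Return {identity: {entitlement: [paths]}} for identities holding every
    entitlement in POLICY; each path is prefixed with the account it came from."""
    merged = defaultdict(lambda: defaultdict(list))
    for user in USERS:
        if apply_conditions and user in SYSTEM_ACCOUNTS:
            continue
        for func, paths in user_access(user).items():
            if apply_conditions and func in BROWSE_ONLY:
                continue
            for entitlement, funcs in POLICY.items():
                if func in funcs:
                    merged[identity_key(user, by)][entitlement].extend(
                        f"{user}:" + "/".join(p) for p in paths
                    )
    return {ident: dict(ents) for ident, ents in merged.items() if len(ents) == len(POLICY)}


if __name__ == "__main__":
    for label, kwargs in [("email+user_id", {}), ("email only", {"by": "email"}),
                          ("no global conditions", {"apply_conditions": False})]:
        print(label, "->", sorted(find_conflicts(**kwargs)))
```

Keyed by email plus user ID, only MJONES is flagged, with the full path from responsibility to function for each side of the conflict. Keyed by email alone, JSMITH and ITSUP01 merge into one identity that appears to both create POs and enter invoices, even though neither account can do both. Turning the global conditions off brings the system account back as a violation, which is the noise the slides describe cleaning up.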

Page 23

Transaction Controls Governor
• Review EBS transactions to highlight potential issues (fraud, bad data, policy violations, etc.)
  o Review manual journal entries posted during certain times of the month
  o Review employee expenses
  o Review duplicate invoices

Page 24

Easily create a new model

Page 25

Easily add filters to fine-tune results:

Page 26

Results of a transaction model run for journals entered manually over a certain dollar limit:

Page 27

Employee Expense Accelerator
• Free content / software from Oracle
• Requirements:
  o TCG 8.6.3.4000
  o EBS: iExpense
  o Deploy some tables and views on your EBS

Page 28

Sample models included in the Employee Expense Accelerator
• Employee claims per diem and meals
• Employees consistently missing receipts, indicating fraud
• Employees with a large number of round-dollar amounts close to the approval limits
• Employees split expenses for a large event
• Single or multiple employees submit the same receipt more than one time
• Hotel expenses without other travel-related expenses
• Employees delinquent frequently
• Employee expenses spike
• Department expenses spike
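Four of the models listed above, written out as plain detection logic so the filters are visible. This is an added example written for this page, not the presenter's work and not the Accelerator's own content; it runs over constructed iExpense-style expense lines embedded below. The field layout, category names, approval limit and tolerance are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import date

APPROVAL_LIMIT = 500.00   # assumed per-line self-approval threshold
ROUND_TOLERANCE = 0.10    # whole-dollar amounts within 10% below the limit
TRAVEL = {"AIRFARE", "RAIL", "MILEAGE", "CAR_RENTAL"}

# Constructed sample lines (not real data):
# (report_id, employee, expense_date, category, amount, receipt_ref)
LINES = [
    ("R1", "alice", date(2014, 10, 2),  "HOTEL",     480.25, "H-7781"),
    ("R1", "alice", date(2014, 10, 2),  "AIRFARE",   312.40, "A-1190"),
    ("R2", "bob",   date(2014, 10, 9),  "HOTEL",     455.80, "H-2210"),  # hotel, no travel
    ("R3", "carol", date(2014, 10, 11), "MEALS",     470.00, "M-0007"),  # round, near limit
    ("R4", "carol", date(2014, 10, 11), "MEALS",     470.00, "M-0007"),  # same receipt again
    ("R5", "dave",  date(2014, 10, 15), "MEALS",     123.45, "M-0031"),
    ("R6", "dave",  date(2014, 10, 15), "ENTERTAIN", 490.00, "E-5000"),  # one event,
    ("R7", "dave",  date(2014, 10, 15), "ENTERTAIN", 490.00, "E-5001"),  # split in two
]


def round_near_limit(lines, limit=APPROVAL_LIMIT, tol=ROUND_TOLERANCE):
    """Whole-dollar amounts sitting just under the approval limit."""
    return [l for l in lines if l[4] == int(l[4]) and limit * (1 - tol) <= l[4] < limit]


def duplicate_receipts(lines):
    """Same receipt reference submitted more than once, by anyone."""
    by_ref = defaultdict(list)
    for l in lines:
        by_ref[l[5]].append(l[0])
    return {ref: reports for ref, reports in by_ref.items() if len(reports) > 1}


def hotel_without_travel(lines, window_days=3):
    """Hotel lines with no travel-type line from the same employee within a few days."""
    hits = []
    for l in lines:
        if l[3] != "HOTEL":
            continue
        has_travel = any(
            o[1] == l[1] and o[3] in TRAVEL and abs((o[2] - l[2]).days) <= window_days
            for o in lines
        )
        if not has_travel:
            hits.append(l[0])
    return hits


def split_expenses(lines, limit=APPROVAL_LIMIT):
    """Same employee, day and category: each line under the limit, the group over it.
    Returns {(employee, date, category): (total, [report_ids])}."""
    groups = defaultdict(list)
    for l in lines:
        if l[4] < limit:
            groups[(l[1], l[2], l[3])].append(l)
    return {
        key: (sum(l[4] for l in grp), [l[0] for l in grp])
        for key, grp in groups.items()
        if len(grp) > 1 and sum(l[4] for l in grp) >= limit
    }


def run_models(lines=LINES):
    """Run every model and return the report ids each one flags."""
    return {
        "round_near_limit": [l[0] for l in round_near_limit(lines)],
        "duplicate_receipts": sorted(r for reps in duplicate_receipts(lines).values() for r in reps),
        "hotel_without_travel": hotel_without_travel(lines),
        "split_expenses": sorted(r for _, reps in split_expenses(lines).values() for r in reps),
    }


if __name__ == "__main__":
    for model, reports in run_models().items():
        print(f"{model:22s} {reports}")
```

Note that carol's duplicated receipt trips three of the four models at once (round amount, duplicate receipt, and a same-day split over the limit); overlapping hits like this are normal and are part of why the slides warn that the initial incident cleanup takes time.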

Page 29

Transaction Controls Governor review
• Good for detective controls, not preventive, since you are alerted after the fact
• Designed for non-IT personnel to be able to use
• Note that objects have been developed for some EBS subject areas, but certainly not all (we ended up using PCG often where content was missing for TCG)

Page 30

Configuration Controls Governor
• Application that monitors changes to key setup values
• Compare snapshots of setups from one point in time to another, or between instances

Page 31

Configuration Controls Governor Examples

Purchasing
• Purchasing options
• Receiving options

Accounts Payable
• Invoice payment terms
• Invoice tolerance levels
• Payables control options
• Payables system setup

Page 32

Here a user changes the receiving tolerance in EBS

Page 33

The CCG user receives a notification by email that a key setup has been modified:

Page 34

The user can log into CCG and see who made the change, when, and what the old value was:

Page 35

CCG Snapshot: easily create a snapshot of your EBS, and then compare it to another instance or to another point in time:

Page 36

CCG Lessons Learned
• Another detective control tool; it will not prevent the entry
• Connecting to a data source takes about 1-2 hours, and every time you refresh an instance you have to reconnect
• No good way to clone / refresh from production to test
• Snapshots can run for a long time and consume lots of EBS resources, and can be tricky to cancel (the terminate button doesn’t show up until you kill the process in EBS)
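The snapshot comparison of pages 30 to 35 reduces to a keyed diff that carries the EBS WHO columns along so the finding says who, when, old and new. The following is an added example written for this page, not the presenter's code and not CCG's; the two snapshots are constructed, the setup table and parameter names are modelled loosely on EBS receiving and payables options and should be treated as illustrative, and the watched list is an assumption.

```python
# snapshot: {(setup_table, org, parameter): (value, last_updated_by, last_update_date)}
# The last two fields mirror the EBS WHO columns LAST_UPDATED_BY / LAST_UPDATE_DATE.
PROD_OCT = {
    ("RCV_PARAMETERS", "M1", "QTY_RCV_TOLERANCE"):  ("5",  "SETUP_ADMIN", "2013-02-01"),
    ("RCV_PARAMETERS", "M1", "RECEIPT_DAYS_EARLY"): ("3",  "SETUP_ADMIN", "2013-02-01"),
    ("AP_TOLERANCES",  "M1", "PRICE_TOLERANCE"):    ("2",  "SETUP_ADMIN", "2013-02-01"),
}
PROD_NOV = {
    ("RCV_PARAMETERS", "M1", "QTY_RCV_TOLERANCE"):  ("25", "JDOE", "2014-11-12"),   # changed
    ("RCV_PARAMETERS", "M1", "RECEIPT_DAYS_EARLY"): ("3",  "SETUP_ADMIN", "2013-02-01"),
    ("AP_TOLERANCES",  "M1", "PRICE_TOLERANCE"):    ("2",  "SETUP_ADMIN", "2013-02-01"),
    ("AP_TOLERANCES",  "M1", "MAX_AMT"):            ("100000", "JDOE", "2014-11-12"),  # added
}
# A test instance where a developer loosened one tolerance: the "between instances" case.
TEST_NOV = dict(PROD_NOV)
TEST_NOV[("AP_TOLERANCES", "M1", "PRICE_TOLERANCE")] = ("10", "DEVUSER", "2014-11-18")

WATCHED = {"RCV_PARAMETERS", "AP_TOLERANCES"}   # the "key setups" that raise a notification


def compare_snapshots(before, after):
    """Value-level diff of two snapshots. WHO columns are reported, not compared,
    and are taken from the side that still holds the row."""
    findings = []
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key), after.get(key)
        old_val = old[0] if old else None
        new_val = new[0] if new else None
        if old_val == new_val:
            continue
        src = new or old
        findings.append({
            "setup": key,
            "kind": "added" if old is None else "removed" if new is None else "changed",
            "old": old_val,
            "new": new_val,
            "by": src[1],
            "at": src[2],
        })
    return findings


def notifications(findings, watched=WATCHED):
    """One-line messages for findings in watched setup tables, the content
    of the email a CCG user would receive."""
    return [
        f"{f['at']} {f['by']} {f['kind']} {f['setup'][0]}.{f['setup'][2]} "
        f"(org {f['setup'][1]}): {f['old']} -> {f['new']}"
        for f in findings
        if f["setup"][0] in watched
    ]


if __name__ == "__main__":
    print("production, October vs November:")
    for line in notifications(compare_snapshots(PROD_OCT, PROD_NOV)):
        print("  ", line)
    print("production vs test, November:")
    for line in notifications(compare_snapshots(PROD_NOV, TEST_NOV)):
        print("  ", line)
```

Comparing on value rather than on the whole row is deliberate: the question a reviewer asks is whether a control setting moved, and the WHO columns are the attribution attached to the answer, not part of the question.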

Page 37

GRC Manager
• Tool to document your business processes, the risks associated with those processes, and the controls to mitigate those risks
• Designed to manage SOX compliance, or any similar compliance requirements
• Completely separate application from EBS
• GRC Intelligence is the reporting solution, using Oracle Business Intelligence to extract data from GRC Manager

Page 38
Page 39

Control Testing

Page 40

Can create and manage simple surveys:

Page 41

Can track issues:

Page 42

GRCI: OBIEE tool to analyze data

Page 43

GRC Manager and GRC Intelligence
• We implemented GRCM 7.8 and GRCI 2.0; there is a new GRC Manager (“Fusion Edition”) which you would want to review, as there is no upgrade path from GRCM 7.8
• GRCM 7.8 is built on Stellent Content Management and GRCI 2.0 on OBIEE: a steep learning curve if your organization doesn’t already use these