Using Oracle GRC Software to Automate and Proactively Monitor Your E-Business Suite

Posted on 01-Dec-2014




An overview of the Oracle GRC software suite.


1. Using Oracle's GRC Software Suite to automate and proactively monitor your E-Business Suite (Session 9333)

2. Introduction
• Brad Storts, AXIA Consulting ([email protected])
• Client: a utility company in the Midwest
• Goal: better controls over the Oracle E-Business Suite, and a tool to manage SOX compliance
• Solution: the Oracle GRC software suite

3. Agenda
• GRC Controls Suite
  o Preventive Controls Governor (PCG)
  o Access Controls Governor (ACG)
  o Transaction Controls Governor (TCG)
  o Configuration Controls Governor (CCG)
• GRC Manager / GRC Intelligence

4. Preventive Controls Governor
• Tool to control how users view and change E-Business Suite (EBS) data
• Embedded in your EBS instance as a custom application
  o No additional hardware required
  o Higher risk of adversely impacting your key processing, since it runs inside EBS itself
• Three types of rules
  o Form rules: interact directly with an EBS Java form
  o Flow rules: fired from a database trigger or on a periodic schedule
  o Audit (change control) rules: triggered by changes to EBS tables

5. Example PCG rules (rule type: control)
• Audit: Track changes in values for the 10 segments of the GL accounting flexfield
• Form: Prevent a receipt against a 2-way PO line (excludes purchase orders created before 8/21/2011)
• Form: Prevent a PO that has a distribution line to a General Ledger liability account
• Form: Prevent a PO that has a distribution line to an asset GL account (1010000 to 1219999) but no project and task
• Form: Force a 2-way PO for services to have a price of $1
• Flow: Notification when a non-stock PO is closed with dollars remaining
• Flow: Notification to the requisitioner when 80% of a services purchase order total is reached
• Flow: Notification of unbalanced journals posted during month-end closing
• Flow: Notification of HR location changes
• Flow: Quarterly report of changes by department or employee group (union / management)
• Form: Hide the social security number from HR inquiry users
• Flow: Notification of new supervisors to HR
• Flow: Notification on projects where actual costs are approaching budgeted costs
• Flow: Notification of missed payment discounts
• Flow: PO terms differ from vendor terms
• Flow: Alert AP when a "max ship" hold is released because more money was added to the purchase order
• Flow: AFUDC flag set incorrectly for Projects
• Form: Stop a user from matching a receipt against a PO they created or approved
• Flow: Notify the WAM Help Desk if a purchasing category is created or changed
• Form: Validate that new employees in OTL have a schedule or rotation plan, earning policy and payroll, based on employee category
• Audit: Audit report on certain supplier changes
• Flow: Payment terms on an invoice changed from what was on the PO
• Flow: Notification to the requisitioner when a non-stock item is received

6. Form rule example

7. Triggering a flow rule

8. SQL check for flow rule processing

9. Flow rule notification

10. Flow rule notification

11. Preventive Controls Governor: lessons learned
• Requires custom.pll updates
• Form rules only affect Java forms, not HTML pages
• The documentation references applcust.txt; ignore it (not used in R12)
• Create a browse-only PCG responsibility so that rules can be reviewed without being changed
• Cloning environments works, but you need additional steps to migrate rule changes
• When migrating rules you have to recompile triggers and re-enter periodic rules as well as audit rules
• Watch out for triggers based on dates: the triggers may not handle NULL dates correctly

12. Access Controls Governor
• Evaluates Oracle access and can prevent or monitor policy violations
• Runs on separate hardware, using Oracle Data Integrator to pull information from the EBS about users, responsibilities, menus and functions
• Incidents are created and tracked to resolution

13. Access Controls Governor: benefits
• Moved from a manual process to an automated process for checking segregation-of-duties violations
• We found responsibilities that needed to be changed
• We found some users with access they didn't need
• A lot of work on the initial setup and cleanup of false positives, but very little work to maintain after that
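What the segregation-of-duties evaluation described on the ACG slides does, as an added example that is not part of the deck and not Oracle's code: the users, responsibilities, menus, functions, entitlements and rules below are constructed, hypothetical names, standing in for what ACG pulls from EBS through Oracle Data Integrator. The block enumerates every user > responsibility > menu > function path, raises an incident when one user reaches both sides of a conflicting entitlement pair, applies two global conditions of the kind slides 17 and 20 describe (skip system accounts, skip browse-only functions), lists user ids that share an email address (the slide 21 pitfall), and goes a little beyond the deck with a what-if check of granting a responsibility to a user, which slide 21 says ACG itself cannot forecast.

```python
"""Added example (not Oracle's code): segregation-of-duties path analysis of the kind ACG runs.
All access data below is constructed; user, responsibility, menu and function names are
hypothetical stand-ins for what ACG pulls from EBS via Oracle Data Integrator."""
from collections import defaultdict

# user_name -> (email, responsibilities).  JSMITH and JSMITH_IT share an email address,
# the situation that confuses an email-keyed evaluation (ACG's default).
USERS = {
    "JSMITH":    ("jsmith@example.com", ["AP_INVOICE_ENTRY", "PO_BUYER"]),
    "JSMITH_IT": ("jsmith@example.com", ["PO_INQUIRY"]),
    "MLEE":      ("mlee@example.com",   ["AP_INVOICE_ENTRY"]),
    "SYSADMIN":  ("ops@example.com",    ["AP_INVOICE_ENTRY", "PO_BUYER"]),
}
RESPONSIBILITIES = {  # responsibility -> top-level menu
    "AP_INVOICE_ENTRY": "AP_MAIN_MENU", "PO_BUYER": "PO_MAIN_MENU", "PO_INQUIRY": "PO_INQ_MENU",
}
MENUS = {  # menu -> entries, each a submenu or a function
    "AP_MAIN_MENU":     [("MENU", "AP_INVOICES_MENU")],
    "AP_INVOICES_MENU": [("FUNCTION", "AP_INVOICE_ENTER"), ("FUNCTION", "AP_INVOICE_VIEW")],
    "PO_MAIN_MENU":     [("FUNCTION", "PO_ENTER"), ("FUNCTION", "PO_APPROVE"), ("MENU", "PO_INQ_MENU")],
    "PO_INQ_MENU":      [("FUNCTION", "PO_VIEW")],
}
ENTITLEMENTS = {  # entitlement -> EBS functions that grant it
    "Enter AP Invoices":       {"AP_INVOICE_ENTER"},
    "Approve Purchase Orders": {"PO_APPROVE"},
    "View Purchase Orders":    {"PO_VIEW"},
}
SOD_RULES = [  # pairs of entitlements one person should not hold together
    ("Enter AP Invoices", "Approve Purchase Orders"),
    ("Enter AP Invoices", "View Purchase Orders"),   # over-broad rule: yields the browse-only false positive
]
# Global conditions: the two false-positive sources the deck names
SYSTEM_ACCOUNTS = {"SYSADMIN"}
BROWSE_ONLY_FUNCTIONS = {"AP_INVOICE_VIEW", "PO_VIEW"}


def reachable_functions(menu, path=()):
    """Walk the menu tree from `menu`; yield (tuple of menus walked, function).  Guards against loops."""
    if menu in path:
        return
    path = path + (menu,)
    for kind, name in MENUS.get(menu, []):
        if kind == "FUNCTION":
            yield path, name
        else:
            yield from reachable_functions(name, path)


def access_paths(user):
    """function -> list of 'user > responsibility > menu > ... > function' strings for one user."""
    _email, resps = USERS[user]
    paths = defaultdict(list)
    for resp in resps:
        for menus, fn in reachable_functions(RESPONSIBILITIES[resp]):
            paths[fn].append(" > ".join((user, resp) + menus + (fn,)))
    return paths


def sod_incidents(exclude_system=True, exclude_browse_only=True):
    """One incident per (user, rule) where the user reaches a function on both sides of the rule."""
    incidents = []
    for user in USERS:
        if exclude_system and user in SYSTEM_ACCOUNTS:
            continue
        paths = access_paths(user)
        if exclude_browse_only:
            paths = {f: p for f, p in paths.items() if f not in BROWSE_ONLY_FUNCTIONS}
        for ent_a, ent_b in SOD_RULES:
            hits_a = [p for f in ENTITLEMENTS[ent_a] for p in paths.get(f, [])]
            hits_b = [p for f in ENTITLEMENTS[ent_b] for p in paths.get(f, [])]
            if hits_a and hits_b:
                incidents.append({"user": user, "rule": (ent_a, ent_b), "paths": hits_a + hits_b})
    return incidents


def shared_emails():
    """Email addresses used by more than one user id; an email-keyed evaluation would merge these."""
    by_email = defaultdict(list)
    for user, (email, _resps) in USERS.items():
        by_email[email].append(user)
    return {e: sorted(u) for e, u in by_email.items() if len(u) > 1}


def forecast_grant(user, responsibility):
    """Incidents `user` would have after being granted `responsibility` (temporary, no persistent change)."""
    saved = USERS[user]
    try:
        USERS[user] = (saved[0], saved[1] + [responsibility])
        return [i for i in sod_incidents(exclude_system=False) if i["user"] == user]
    finally:
        USERS[user] = saved


if __name__ == "__main__":
    for inc in sod_incidents():
        print(inc["user"], inc["rule"])
        for p in inc["paths"]:
            print("   ", p)
    print("shared emails:", shared_emails())
    print("granting PO_BUYER to MLEE would raise:", [i["rule"] for i in forecast_grant("MLEE", "PO_BUYER")])
```

Run with the global conditions switched off (`sod_incidents(exclude_system=False, exclude_browse_only=False)`) the same data produces four incidents instead of one, which is the "lots of initial work to weed out false positives" effect the next slides describe.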
14. You can visualize the paths, from the user through the responsibility through the menus to the functions that cause the segregation-of-duties conflict.

15. Entitlements: elements within the EBS that allow a certain function.

16. Create controls that prevent or monitor users who have segregation-of-duties conflicts due to their entitlements.

17. Access Global Conditions: allow you to turn off certain conditions to remove false positives.

18. Access Path Conditions

19. Access incidents

20. Access Controls implementation
• Lots of initial work to weed out many false positives
  o System accounts show up with lots of violations
  o Some responsibilities do not really allow the function (some screens allow browse only; Receiving: organizations not defined)
  o Cleanup can also be time consuming: reviewing all the incidents and trying to figure out the proper course of action

21. Access Controls Governor: lessons learned
• The default is to evaluate access based on email address. Note that several users can share an email address, which can cause a lot of confusion, so you should change this to email + user id (our example: IT support staff ids created from existing users)
• The ability to forecast conflicts is limited: you can see the impact of modifying a responsibility or menu, but you can't see the potential impact of giving a responsibility to a user (which is much more common in my opinion)

22. Transaction Controls Governor
• Reviews EBS transactions to highlight potential issues (fraud, bad data, policy violations, etc.)
  o Review manual journal entries posted during certain times of the month
  o Review employee expenses
  o Review duplicate invoices

23. Easily create a new model

24. Easily add filters to fine-tune results

25. Results of a transaction model run for journals entered manually over a certain dollar limit

26. Employee Expense Accelerator
• Free content / software from Oracle
• Requirements
  o Run TCG
  o EBS: iExpense
  o Deploy some tables and views on your EBS
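The check behind a PCG flow rule (slides 5, 7 and 8: a SQL condition evaluated from a trigger or on a schedule) and the query behind a TCG transaction model (slides 22 to 25) are the same kind of thing, a notification or detective query over EBS tables. The block below is an added example, not the deck's or Oracle's code: it runs four such checks against constructed rows in an in-memory SQLite database, with hypothetical table and column names (po_headers, gl_journals, ap_invoices and their columns) rather than the EBS schema. It covers two flow rules from slide 5 (a non-stock PO closed with dollars remaining, a services PO at 80% of its total), the manual-journal-over-a-limit model of slide 25, and a duplicate-invoice model of the kind slide 22 lists. The first rule is written in both a NULL-unsafe and a NULL-safe form to show the date-trigger pitfall from the PCG lessons learned: the naive date comparison silently drops rows whose creation date is NULL.

```python
"""Added example, not Oracle's code: the SQL a PCG flow rule evaluates and the query a TCG
transaction model runs, over constructed rows in an in-memory SQLite database.  Table and
column names are hypothetical stand-ins, not the EBS schema."""
import sqlite3

SCHEMA = """
CREATE TABLE po_headers (po_number TEXT, po_type TEXT, status TEXT, creation_date TEXT,
                         po_total REAL, invoiced_total REAL, requisitioner TEXT);
CREATE TABLE gl_journals (je_name TEXT, source TEXT, posted_date TEXT, amount REAL, created_by TEXT);
CREATE TABLE ap_invoices (invoice_id INTEGER, vendor_id INTEGER, invoice_num TEXT, amount REAL);
"""

# Constructed sample rows (not real data).
PO_ROWS = [
    ("PO1001", "NON_STOCK", "CLOSED", "2011-09-01", 5000.0, 4200.0, "ann"),   # closed, $800 unspent
    ("PO1002", "NON_STOCK", "CLOSED", "2011-09-05", 2000.0, 2000.0, "bob"),   # closed, fully invoiced
    ("PO1003", "SERVICES",  "OPEN",   "2011-10-10", 10000.0, 8500.0, "cat"),  # 85% of total used
    ("PO1004", "NON_STOCK", "CLOSED", None,         3000.0, 2500.0, "dan"),   # creation_date missing
    ("PO1005", "NON_STOCK", "CLOSED", "2011-06-01", 3000.0, 1000.0, "eve"),   # before the 8/21/2011 cut-off
    ("PO1006", "SERVICES",  "OPEN",   "2011-10-12", 4000.0, 1000.0, "fay"),   # 25% used
]
JE_ROWS = [
    ("JE-1", "Manual",   "2011-10-30", 250000.0, "ann"),  # manual, large, month end
    ("JE-2", "Manual",   "2011-10-12", 300000.0, "bob"),  # manual, large, mid-month
    ("JE-3", "Payables", "2011-10-31", 900000.0, "sys"),  # subledger source, not manual
    ("JE-4", "Manual",   "2011-10-29", 5000.0,   "cat"),  # manual but under the limit
]
INV_ROWS = [
    (1, 501, "INV-1001", 1200.0),
    (2, 501, "inv 1001", 1200.0),   # same vendor and amount; number differs only in case and punctuation
    (3, 501, "INV-1002", 1200.0),
    (4, 502, "INV-1001", 1200.0),   # same number and amount but a different vendor
]


def open_db():
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO po_headers VALUES (?,?,?,?,?,?,?)", PO_ROWS)
    conn.executemany("INSERT INTO gl_journals VALUES (?,?,?,?,?)", JE_ROWS)
    conn.executemany("INSERT INTO ap_invoices VALUES (?,?,?,?)", INV_ROWS)
    return conn


def closed_with_remaining(conn, cutoff_date, null_safe=True):
    """Flow rule: non-stock POs closed with dollars remaining, created on or after cutoff_date.
    With null_safe=False the date test silently drops rows whose creation_date is NULL."""
    date_test = ("(creation_date IS NULL OR creation_date >= ?)" if null_safe
                 else "creation_date >= ?")
    sql = f"""SELECT po_number, po_total - invoiced_total AS remaining
              FROM po_headers
              WHERE po_type = 'NON_STOCK' AND status = 'CLOSED'
                AND po_total - invoiced_total > 0 AND {date_test}
              ORDER BY po_number"""
    return conn.execute(sql, (cutoff_date,)).fetchall()


def services_po_at_threshold(conn, threshold=0.8):
    """Flow rule: notify the requisitioner when an open services PO has used >= 80% of its total."""
    return conn.execute("""
        SELECT po_number, requisitioner, ROUND(invoiced_total / po_total, 2) AS used
        FROM po_headers
        WHERE po_type = 'SERVICES' AND status = 'OPEN' AND invoiced_total >= po_total * ?
        ORDER BY po_number""", (threshold,)).fetchall()


def manual_journals_over_limit(conn, limit, from_day=28):
    """TCG-style model: manual journals above `limit` posted on or after day `from_day` of the month."""
    return conn.execute("""
        SELECT je_name, amount, created_by
        FROM gl_journals
        WHERE source = 'Manual' AND amount > ?
          AND CAST(strftime('%d', posted_date) AS INTEGER) >= ?
        ORDER BY je_name""", (limit, from_day)).fetchall()


def duplicate_invoices(conn):
    """TCG-style model: same vendor and amount, invoice numbers equal once case, spaces and dashes are ignored."""
    return conn.execute("""
        SELECT a.invoice_id, b.invoice_id, a.vendor_id, a.amount
        FROM ap_invoices a JOIN ap_invoices b
          ON a.vendor_id = b.vendor_id AND a.amount = b.amount AND a.invoice_id < b.invoice_id
         AND UPPER(REPLACE(REPLACE(a.invoice_num, '-', ''), ' ', ''))
           = UPPER(REPLACE(REPLACE(b.invoice_num, '-', ''), ' ', ''))
        ORDER BY a.invoice_id, b.invoice_id""").fetchall()


if __name__ == "__main__":
    db = open_db()
    print("closed with remaining (NULL-unsafe):", closed_with_remaining(db, "2011-08-21", null_safe=False))
    print("closed with remaining (NULL-safe):  ", closed_with_remaining(db, "2011-08-21"))
    print("services POs at 80%:", services_po_at_threshold(db))
    print("manual month-end journals > 100k:", manual_journals_over_limit(db, 100000))
    print("duplicate invoices:", duplicate_invoices(db))
```

The NULL-unsafe form misses PO1004 entirely; in a trigger-fired rule that means no notification is ever sent for that PO, which is exactly the failure the lessons-learned slide warns about. Whether a NULL creation date should count as "on or after the cut-off" is a business decision; the point is to decide it explicitly in the predicate rather than let three-valued logic decide it for you.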
27. Sample models included in the Employee Expense Accelerator
• Employee claims per diem and meals
• Employee misses receipts consistently, indicating fraud
• Employees with a large number of round-dollar amounts close to the approval limits
• Employees split expenses for a large event
• Single or multiple employees submit the same receipt more than one time
• Hotel expenses without other travel-related expenses
• Employees delinquent frequently
• Employee expenses spike
• Department expenses spike

28. Transaction Controls Governor: review
• Good for detective controls, not preventive, since you are alerted after the fact
• Designed so that non-IT personnel can use it
• Note that objects have been developed for some EBS subject areas, but certainly not all (we ended up using PCG often where content was missing for TCG)

29. Configuration Controls Governor
• Application that monitors changes to key setup values
• Compares snapshots of setups from one point in time to another, or between instances

30. Configuration Controls Governor examples
• Purchasing: Purchasing options; Receiving options
• Accounts Payable: Invoice payment terms; Invoice tolerance levels; Payables controls options; Payables system setup

31. Here a user changes the receiving tolerance in EBS.

32. The CCG user receives a notification by email that a key setup has been modified.

33. The user can log into CCG and see who made the change, when, and what the old value was.

34. CCG Snapshot: easily create a snapshot of your EBS setups, then compare it to another instance or to another point in time.

35. CCG lessons learned
• Another detective control tool; it will not prevent the entry
• Connecting to a data source takes about 1-2 hours, and every time you refresh an instance you have to reconnect
• No good way to clone / refresh from production to test
• Snapshots can run for a long time, consume lots of EBS resources and can be tricky to cancel (the terminate button doesn't show up until you kill the process in EBS)
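The snapshot-and-compare that CCG performs (slides 29 and 34) and the who/when/old-value lookup of slide 33, as an added example that is not the deck's or Oracle's code. The snapshots, setup areas, option names, users and timestamps are constructed and hypothetical. Two details a practitioner wants that the slides only imply are included: an ignore list for settings that legitimately differ between instances (so a production-versus-test compare does not drown in hostnames), and a list of "key setups" so that only changes worth a notification are raised from a full diff.

```python
"""Added example, not Oracle's code: CCG-style snapshot compare of setup values plus the
who/when/old-value lookup.  Snapshots, option names, users and timestamps are constructed."""
from collections import namedtuple

Change = namedtuple("Change", "area option kind old new")

# A snapshot is {(setup_area, option_name): value} for one instance at one point in time.
PROD_T0 = {  # production, 1 Sep 2011
    ("Purchasing Options", "Default PO type"):    "Standard",
    ("Receiving Options",  "Receipt tolerance %"): "5",
    ("Payables Options",   "Invoice tolerance %"): "2",
    ("System",             "Database host"):       "prod-db01",
}
PROD_T1 = {  # production, 30 Sep 2011: tolerance raised, one option added
    ("Purchasing Options", "Default PO type"):    "Standard",
    ("Receiving Options",  "Receipt tolerance %"): "10",
    ("Payables Options",   "Invoice tolerance %"): "2",
    ("Payables Options",   "Discount method"):     "Prorate",
    ("System",             "Database host"):       "prod-db01",
}
TEST = {  # test instance, cloned before the September changes
    ("Purchasing Options", "Default PO type"):    "Standard",
    ("Receiving Options",  "Receipt tolerance %"): "5",
    ("Payables Options",   "Invoice tolerance %"): "2",
    ("System",             "Database host"):       "test-db01",
}

# Settings that legitimately differ between instances and should not appear in a cross-instance compare.
INSTANCE_SPECIFIC = {("System", "Database host")}
# The key setups whose change should raise a notification.
KEY_SETUPS = {("Receiving Options", "Receipt tolerance %"), ("Payables Options", "Invoice tolerance %")}

# Constructed change history: who changed what, when, and from which old value.
AUDIT_LOG = [
    {"key": ("Receiving Options", "Receipt tolerance %"), "old": "4", "new": "5",
     "by": "ops", "at": "2011-02-01T09:00:00"},          # older than the September window
    {"key": ("Receiving Options", "Receipt tolerance %"), "old": "5", "new": "10",
     "by": "jsmith", "at": "2011-09-14T10:32:00"},
    {"key": ("Payables Options", "Discount method"), "old": None, "new": "Prorate",
     "by": "mlee", "at": "2011-09-20T08:05:00"},
]


def compare(old, new, ignore=frozenset()):
    """Diff two snapshots: changed, added and removed options, in key order, skipping `ignore`."""
    changes = []
    for key in sorted(set(old) | set(new)):
        if key in ignore:
            continue
        before, after = old.get(key), new.get(key)
        if before == after:
            continue
        kind = "added" if before is None else "removed" if after is None else "changed"
        changes.append(Change(key[0], key[1], kind, before, after))
    return changes


def key_setup_changes(changes):
    """The subset of a diff that should trigger a notification."""
    return [c for c in changes if (c.area, c.option) in KEY_SETUPS]


def attribute(changes, audit_log, since, until):
    """For each change, the latest audit entry for that option within (since, until], or None.
    ISO-8601 timestamps compare correctly as plain strings."""
    who = {}
    for c in changes:
        hits = [e for e in audit_log
                if e["key"] == (c.area, c.option) and since < e["at"] <= until]
        who[(c.area, c.option)] = max(hits, key=lambda e: e["at"]) if hits else None
    return who


if __name__ == "__main__":
    diff = compare(PROD_T0, PROD_T1)
    for c in diff:
        print(f"{c.kind:8} {c.area} / {c.option}: {c.old!r} -> {c.new!r}")
    for key, entry in attribute(diff, AUDIT_LOG, "2011-09-01T00:00:00", "2011-09-30T23:59:59").items():
        print(key, "by", entry["by"] if entry else "unknown", "at", entry["at"] if entry else "?")
    print("notify on:", [c.option for c in key_setup_changes(diff)])
    print("prod vs test:", compare(PROD_T1, TEST, ignore=INSTANCE_SPECIFIC))
```

A change with no matching audit entry in the window comes back as None rather than being guessed, which is the case to chase: either the audit trail has a gap or the change was made outside the application (directly in the database), and both deserve a look.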
36. GRC Manager
• Tool to document your business processes, the risks associated with those processes, and the controls that mitigate those risks
• Designed to manage SOX compliance, or any similar compliance requirements
• Completely separate application from EBS
• GRC Intelligence is the reporting solution, using Oracle Business Intelligence to extract data from GRC Manager

37. Control testing

38. Can create and manage simple surveys

39. Can track issues

40. GRCI: OBIEE tool to analyze data

41. GRC Manager and GRC Intelligence
• We implemented GRCM 7.8 and GRCI 2.0; there is a new GRC Manager (Fusion Edition) which you would want to review, as there is no upgrade path from GRCM 7.8
• GRCM 7.8 is built on Stellent Content Management and GRCI 2.0 is built on OBIEE: a steep learning curve if your organization doesn't already use these