Posted: 09-May-2015 | Category: Technology | Uploaded by: oracle
Automate Robust User Access and Security Controls for PeopleSoft
David Maberry
Chief Risk Officer
American Fidelity Assurance Company
Madeline Osit
Chief Operating Officer
Beacon Application Services Corporation
Stephanie Golly
Sr. Product Manager, Oracle
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal 2
Agenda
Introduction to AFA and David Maberry
– Glimpse into the unfolding events leading up to PeopleSoft and GRC Advanced Controls implementation
Introduction to Beacon Application Services
– Glimpse into implementation approach
Introduction to Advanced Controls and a demonstration
Lessons learned
Q&A
Beacon Application Services Corporation Proprietary and Confidential
www.beaconservices.com
About American Fidelity Assurance (AFA)
American Fidelity provides supplemental health insurance benefits and financial services to education employees, auto dealerships, health care providers and municipal workers across the United States. American Fidelity was also named one of FORTUNE magazine’s “100 Best Companies to Work For” in America for nine years. American Fidelity serves more than 1 million customers in 49 states and in 23 countries worldwide.
Your Speaker from AFA
David Maberry, Chief Risk Officer
• Responsible for developing and maintaining a comprehensive process for identifying, assessing, mitigating, monitoring, and reporting key operational, financial, strategic, technology and regulatory related risks that could potentially impact the organization’s operations.
• Prior to coming to American Fidelity, worked for 10 years as a Principal & Director in Deloitte and Touche’s Audit and Enterprise Risk Services practice in Los Angeles.
• Presented at numerous events hosted by the Institute of Internal Auditors (IIA) and the Information Systems Audit and Control Association (ISACA).
• Frequent guest speaker at Texas A&M University, the University of Southern California and California State - Los Angeles on topics including enterprise risk management, internal control rationalization, and information technology risk.
• Graduate of Baylor University and the University of Wisconsin in Madison.
Timeline for selection process
March 2011 – Investigation and Demo
July 2011 – Implementation Scoping
August 2011 – Demonstration
June – Justification
Due Diligence
July 2012 – Contract
AFA pre-Oracle/PeopleSoft ERP
GL/AP – multiple systems, both home grown and via acquisition
Assets – FAS and CLAS
Cash Management – manual
AR/Billing – manual for internal charges
Purchasing – manual, Excel/Access based system
Hyperion for budget and planning
AFA pre-Oracle/PeopleSoft ERP
Risks & Vulnerabilities
Outdated systems – some without support, many unrecognizable
Lack of visibility and transparency to financial data
No analytics – no drilldown to detail – no info on separate accounts
Hard coded integration with insurance admin systems, no flexibility
Lack of controls – worries about audit
Costs out of line with benefits
Quality compromises
Internal customer satisfaction low
Consolidations, Allocations (other) outside ledger – lack of transparency and manual intervention
Usability issues
Finance viewed as reporters of data not information
Key AFA Business Issues Addressed
Antiquated/non-integrated Financial Systems required significant manual intervention
Complex and Manually Intensive Reporting processes
Manual governance processes
Reasons for Selecting PeopleSoft and Advanced Controls
Benefits
Enhanced user experience and reduction in manual tasks
Increased automation – straight through Processing
Higher efficiency, accuracy and timeliness of approvals and tighter controls
Shift from manual to automated controls
Single source of the truth for statutory, regulatory, tax, GAAP and management reporting
Eliminate disparate systems offering partial solutions that are difficult to maintain and reconcile
Transition away from legacy systems to support future growth through enabling technology
Reduction in audit costs and increased accountability to management
Automation
Efficiency
Cost Reduction
Solution
New Financial Platform
• PeopleSoft Financial
• PeopleSoft Cash Management
• Supply Chain Procurement Applications
New Financial Reporting Platform
• PeopleSoft Financials
• Oracle Business Intelligence Analytic Applications
New Governance Framework
• Oracle Advanced Controls for select PeopleSoft processes
• Implemented in the initial go-live
Why Advanced Controls
Bringing high value product to
• Document, manage, remediate
• Enforce user access policies and procedures
• Control introduction of new systems to the organization
Strong audit capabilities to reduce external costs
Tight integration with PeopleSoft security
Project Approach
Installation
• Installation of new Financial ERP Platform
• Installation of Delivered OBIAA solutions with roadmap for future capabilities
Implementation
• Implement Advanced Controls foundation, targeting high-value controls with roadmap for future expansion
• Rapid implementation with low impact (time and budget) to overall implementation
Partner
• Select a partner who could achieve these objectives as a co-owner of the implementation with expertise to pull it off.
Project Implementation Approach
About Beacon Application Services
Beacon is an Oracle Platinum Partner exclusively focused on the delivery of services and software for PeopleSoft customers. Since 1993, Beacon has been providing implementation, upgrade, enhancement and integration services for Human Capital Management, Financials, and Supply Chain. To meet our PeopleSoft customers’ increasing regulatory requirements and complex information needs, Beacon also offers services for Advanced Controls for PeopleSoft and Oracle Business Intelligence. We also offer our Oracle Validated BEAM suite of software to manage your PeopleSoft environment.
Timeline for Project Activities
January 2012 – Chartfield design workshop
July 2012 – Implementation
Requirements – through January 2013
August 2013 – Construct
Test
January 2014 – Go Live
Creating a timeline that achieved the objectives at a pace comfortable to AFA
Project Approach for PeopleSoft
Simplify, Automate, Consolidate, Standardize
• Identify areas of pain with current business processes
• Conduct Business Process Review sessions to document manual, off-line or redundant activities and high audit risk process areas
• Create a future “to be” state to remediate the above either through process redesign in delivered PeopleSoft applications or through adoption of AC
• Implement Advanced Controls foundation, targeting high-value controls with roadmap for future expansion rather than “biting off more than we could chew”
• Embrace audit requirements as a fundamental part of the implementation rather than an afterthought
• Target a specific area of concern to serve as a model for approaching all other target areas
Advanced Controls Business Drivers and Requirements
• Eliminate cumbersome and costly manual auditing of system controls – Reduction in Time, increase in transparency
• Reduce External Audit Cost and Effort – Reduction in Cost
• Enforce Separation of Duties – Eliminate possibility of Fraud
• Minimize Risk of Financial Loss – Reduction in Cost
Advanced Controls – Implementing our focus area
Initial focus on Procure-to-Pay process where highest risk was identified
• Separation of duties for adding and paying vendors – Advanced Controls identifies violations of the controls (entitlements) and flags them, allowing for correction
• Paying unapproved invoices – implementing workflow processes
• Identifying potentially fraudulent payments – AC was to be used in support of ensuring that multiple payments are not unknowingly processed to bypass certain threshold levels established in the application
Advanced Controls – Approach
Key to success was narrowing scope from all available controls to those material and appropriate to AFA:
255 delivered controls → 57 Procure to Pay controls → 11 pertinent controls identified (GOAL)
Controls Implemented
No. | Control Name | Entitlements
1 | Add Vendors & Create Vouchers | 1. Add Vendors 2. Create Vouchers
2 | Create Control Groups & Approve Control Groups | 1. Create Control Group 2. Approve Control Groups
3 | Create Payments & Create Vouchers | 1. Create Vouchers 2. Create Payments
4 | Create Self Service Invoice & Create Urgent Payment | 1. Create Self-Service Invoice 2. Create Urgent Payment
5 | Create Suppliers & Create Vouchers | 1. Create Vouchers 2. Create Suppliers
6 | Create Voucher & Selective Payment Update | 1. Create Vouchers 2. Selective Urgent Payment
7 | Create Voucher & Vendor Maintenance | 1. Create Vouchers 2. Vendor Maintenance
8 | Create Voucher & Voucher Maintenance | 1. Create Vouchers 2. Voucher Maintenance
9 | Create Vouchers & Approve Vouchers | 1. Create Vouchers 2. Approve Vouchers
10 | Create Vouchers & Create Express Checks | 1. Create Vouchers 2. Create Express Checks
11 | Create Vouchers & Print Checks | 1. Print Checks 2. Create Vouchers
Tactical Steps
1. Install and activate integration with Financials
2. Select targeted business process (procure to pay)
3. Identify delivered entitlements – pare down list
4. Execute delivered controls against configured security
5. Produce delivered reports to identify conflicts
6. Adjust roles and rules as identified
Demonstration of how it’s done!
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Prevent user from creating and paying the same supplier
(Diagram: Procure-to-Pay flow Create Supplier → Supplier Invoice → Create Payment. A user who creates a supplier and then creates a payment for that same supplier is flagged; creating a supplier and paying a different supplier is not.)
Prevent user from creating and paying the same supplier
AACG : Find users who could create and pay fictitious suppliers
– Users with both “Create Supplier” and “Create Payment” privileges
– Remove privileges when possible
TCG: Monitor users who have created and paid the same supplier
– For users who must have both privileges
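The two transaction-level checks described on this slide and under the Procure-to-Pay focus area above (users who created and paid the same supplier, and payments split to stay under an approval threshold), as an added example that is not Oracle's or Beacon's code; the transaction log, threshold and look-back window are all constructed.

```python
"""Added example (not Oracle's or Beacon's code): transaction-monitoring
checks over a constructed AP log. Threshold, window, users, suppliers and
every record below are constructed for illustration."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed supplier-creation events: (user, supplier id, date).
SUPPLIERS_CREATED = [
    ("JADAMS", "SUP-1001", date(2014, 1, 6)),
    ("MROSE", "SUP-1002", date(2014, 1, 7)),
    ("JADAMS", "SUP-1003", date(2014, 1, 8)),
]
# Constructed payments: (payment id, user, supplier id, date, amount).
PAYMENTS = [
    ("PAY-1", "JADAMS", "SUP-1001", date(2014, 1, 9), 4800.00),
    ("PAY-2", "BLEE", "SUP-1002", date(2014, 1, 9), 12000.00),
    ("PAY-3", "BLEE", "SUP-1003", date(2014, 1, 10), 4900.00),
    ("PAY-4", "BLEE", "SUP-1003", date(2014, 1, 12), 4950.00),
    ("PAY-5", "BLEE", "SUP-1003", date(2014, 1, 14), 4700.00),
    ("PAY-6", "MROSE", "SUP-1001", date(2014, 2, 20), 300.00),
]
APPROVAL_THRESHOLD = 5000.00  # constructed: at or above this, extra approval
SPLIT_WINDOW = timedelta(days=7)  # constructed look-back for split payments


def created_and_paid_same_supplier(created=SUPPLIERS_CREATED,
                                   payments=PAYMENTS):
    """(user, supplier) pairs where one user both created the supplier and
    paid it. This is the TCG check for users who must keep both privileges."""
    creators = {(user, sup) for user, sup, _ in created}
    return sorted({(user, sup) for _, user, sup, _, _ in payments
                   if (user, sup) in creators})


def split_payments(payments=PAYMENTS, threshold=APPROVAL_THRESHOLD,
                   window=SPLIT_WINDOW):
    """Runs of below-threshold payments by one user to one supplier that,
    within the window, add up to the threshold or more. Returns
    (user, supplier, payment ids, total). Each payment is reported once."""
    groups = defaultdict(list)
    for pid, user, sup, when, amount in payments:
        if amount < threshold:  # single large payments already get review
            groups[(user, sup)].append((when, pid, amount))
    findings = []
    for (user, sup), rows in groups.items():
        rows.sort()
        i = 0
        while i < len(rows):
            start = rows[i][0]
            run = [r for r in rows[i:] if r[0] - start <= window]
            total = round(sum(amount for _, _, amount in run), 2)
            if len(run) > 1 and total >= threshold:
                findings.append((user, sup,
                                 tuple(pid for _, pid, _ in run), total))
                i += len(run)  # skip past the reported run
            else:
                i += 1
    return findings
```

Both checks are detective: they produce incidents for review rather than blocking the transaction, which is what the slide prescribes for users who legitimately need both privileges.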
Advanced Controls Foundation
Custom or Legacy Applications
Fusion Platform with Dashboards, Alerts & Drilldowns
Sophisticated Controls Monitoring and Enforcement Engine
Many Types of Controls against Various Business Applications
Advanced Controls – Embedded Dashboards
• Move away from silo’d information
• Multiple ERPs monitored from a single application
• Control totals and exposure areas in self-serve capacity
Application Access Controls Governor (AACG)
Document, assess and certify Application Security/SOD policies
Library of pre-built automated SOD controls for EBS, PSFT
Author new controls, extend to any business application
Advanced SOD and Security Controls
Compensating Policies
Preventive Provisioning
Remediation (Clean-up)
Access Analysis
Define Access Controls
Detection | Prevention
AACG – Finding Conflicts
User: Janie Adams
EBS side: Responsibility: Payables Super User (Process Operations) → Menu: AP_Navigate_GUI12 → Submenu: AZN_AP_Invoices_Entry → Function: Payments
PeopleSoft side: Role: Buyer → Permission List: Buyer Duty → Privilege: Create Purchase Order
SOD Conflict (Payments vs. Create Purchase Order)
Access Hierarchy Example – PeopleSoft
Role → Permission List → Menu → Component → Page Definition (one menu can expose several components, each with its own page definitions)
Each node at any of these levels is an access point.
Other important attributes: Business Unit, Effective Date, Set ID, Ledger, Account Lock etc.
Glossary of Terminology – Control Management
Access Point: Any level node in the access model hierarchy for a particular application.
Entitlement: A logical grouping of access points, e.g. all pages that allow a user to create a voucher grouped as a single entitlement “Create Voucher”.
Model / Control: A rule that defines toxic combinations of entitlements and/or access points.
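An added example, not code from Oracle or Beacon, that applies the three glossary terms (access point, entitlement, control) to a constructed PeopleSoft-style security model and produces the incidents and role-level detail that the tactical steps above (execute controls against configured security, report conflicts, adjust roles) call for; every role, permission list, page and user in it is constructed.

```python
"""Added example (not Oracle's or Beacon's code): access analysis built from
the glossary terms on this slide. Every role, permission list, page and user
is constructed; menu and component levels are folded into the page names."""

# Constructed hierarchy: Role -> Permission List -> Page. Each page is an
# access point, the lowest node in the access model.
PERMISSION_LISTS = {
    "AP_VOUCHER_ENTRY": {"VCHR_EXPRESS", "VCHR_QUICK"},
    "AP_VENDOR_MAINT": {"VNDR_ID", "VNDR_ADDR"},
    "AP_PAY_CYCLE": {"PYCYCL_MGR", "EXPRESS_CHECK"},
    "GL_INQUIRY": {"JRNL_INQ"},
}
ROLES = {
    "AP Clerk": ["AP_VOUCHER_ENTRY"],
    "Vendor Admin": ["AP_VENDOR_MAINT"],
    "AP Manager": ["AP_VOUCHER_ENTRY", "AP_PAY_CYCLE"],
    "GL Analyst": ["GL_INQUIRY"],
}
USERS = {
    "JADAMS": ["AP Clerk", "Vendor Admin"],
    "BLEE": ["AP Manager"],
    "CKIM": ["GL Analyst", "AP Clerk"],
}
# Entitlements: logical groupings of access points.
ENTITLEMENTS = {
    "Create Vouchers": {"VCHR_EXPRESS", "VCHR_QUICK"},
    "Add Vendors": {"VNDR_ID"},
    "Create Payments": {"PYCYCL_MGR"},
    "Create Express Checks": {"EXPRESS_CHECK"},
}
# Controls: toxic entitlement pairs, named as in the Controls Implemented
# table (controls 1, 3 and 10).
CONTROLS = {
    "Add Vendors & Create Vouchers": ("Add Vendors", "Create Vouchers"),
    "Create Payments & Create Vouchers": ("Create Vouchers", "Create Payments"),
    "Create Vouchers & Create Express Checks":
        ("Create Vouchers", "Create Express Checks"),
}

def access_paths(user):
    """Every (role, permission list, page) path the user can reach."""
    return [(role, plist, page)
            for role in USERS[user]
            for plist in ROLES[role]
            for page in PERMISSION_LISTS[plist]]

def granting_roles(user, entitlement):
    """Roles giving the user at least one access point of the entitlement;
    reaching any one access point is enough to hold the entitlement."""
    points = ENTITLEMENTS[entitlement]
    return {role for role, _, page in access_paths(user) if page in points}

def incidents(user):
    """Controls the user violates, i.e. both entitlements of the pair held."""
    return sorted(name for name, (a, b) in CONTROLS.items()
                  if granting_roles(user, a) and granting_roles(user, b))

def remediation_report(user):
    """Per incident, the roles granting each side. A pair granted by one
    role needs that role split; a pair spanning roles can be cleared by
    removing one role assignment from the user."""
    report = {}
    for name in incidents(user):
        a, b = CONTROLS[name]
        report[name] = {a: sorted(granting_roles(user, a)),
                        b: sorted(granting_roles(user, b))}
    return report
```

Running the same functions after a role change shows whether the adjustment actually cleared the incident, which is the check-and-adjust loop of the tactical steps.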
Demonstration flow: Review Model Definition → Analyze Results → Modify Entitlement → Deploy Control → Generate Incidents → Secure, Route and Remediate Incidents
Demonstration
Demonstration Summary
Leverage Delivered Content
• Review Entitlements and Model Definition
• Modify to fit needs and generate focused results
• Complement PeopleSoft embedded controls with Advanced Controls
Secure, Route and Take Action
• Limit who can see generated results
• Route generated results for Investigation, Review and Approval
• Determine and document remediation actions
Implementation or Upgrades
• Validate role structure during PeopleSoft Implementation
• Identify and update role structures during an upgrade
Lessons Learned
• While implementing new systems, integrating a formal risk-management approach increases value of the effort
• Staying on point for a focus area narrows work effort
• Smaller scope enables confirmation with audit team that this is a viable and valid solution for all business processes
Lessons Learned
• Once completed, it provides not only proof of concept but a foundation for future expansion
• As system is deployed and user population changes or grows, delivered reports and remediation steps become part of normal maintenance
• Create a roadmap for the future based on feedback from internal and external auditors as to high risk areas
Lessons Learned – not just for new implementations
Upgrades
• Security is one area likely to get out of control – time to fix it!
• Advanced Controls can resolve negative audit findings with your current PeopleSoft implementation
• Advanced Controls findings can help to justify the upgrade cost
New Modules
• Security will be reviewed in light of new roles; integrating Advanced Controls into this work effort minimizes overall cost
• Especially pertinent to expanding Payables to a full Procure-to-Pay solution
• Update of SOX documentation will incorporate additional, tighter controls
Standalone GRC
• Easily cost justified in reduction of audit costs
• Great target area for IT compliance as well as business requirements
• Quick win for maximum return
Questions
Beacon Application Services Corporation [email protected]
Oracle Financial Services
The Choice of Experience.
Madeline Osit Beacon Application Services Corporation [email protected] 508.663.4407
Oracle Advanced Controls OOW2013 Sessions & Demo Pod Slides
Demo Workstation: Moscone West, 1st Floor, #W-013 (Demo ID 3532)
Hours: Monday 9:45 – 6:00 | Tuesday 9:45 – 6:00 | Wednesday 9:45 – 4:00
Learn More About Oracle Advanced Controls – Monday
CON8820 – Automate Robust User Access and Security Controls for PeopleSoft – 10:45AM, Moscone West 2009
GEN8812 – General Session: Empowering Modern Governance, Risk, and Compliance – 12:15PM, Moscone West 2006/2008
CON8822 – Panel Discussion: Intelligent Controls for Key Business Processes & Upgrades in PeopleSoft – 3:15PM, Moscone West 3020
CON8822 – Deloitte: Leveraging Oracle GRC Technology to Reduce Revenue Loss, Cost Leakage & Fraud – 3:15PM, Moscone West 2000
Learn More About Oracle Advanced Controls – Tuesday
CON8814 – Top 10 Advanced Controls for Procure-to-Pay to Improve the Bottom Line – 10:30AM, Moscone West 2003
CON9346 – Center for Medicare & Medicaid Services Automates Internal Controls with Oracle GRC – 3:45PM, St Francis, Elizabethan C/D
CON8827 – Enforce Segregation of Duties with Identity Management and Oracle Advanced Controls – 5:15PM, Moscone West 3018
Learn More About Oracle Advanced Controls – Wednesday
CON8816 – Optimizing Order-to-Cash with Oracle Advanced Controls for Oracle E-Business Suite – 10:15AM, Moscone West 3018
CON8830 – Reducing Risk for Oracle E-Business Suite Upgrades and Implementations – 1:15PM, Moscone West 3018
CON8832 – Panel Discussion: Intelligent Controls for Key Business Processes and Upgrades – 3:30PM, Moscone West 2002/2004
Learn More About Oracle Advanced Controls – Thursday
MTE9412 – Meet the Governance, Risk, and Compliance Experts – 12:30PM, Moscone West 2001A
CON8824 – Advanced Access and User Security for Oracle E-Business Suite and Fusion Applications – 2:00PM, Moscone West 3018
Specialized Advanced Controls Partners
New Benefit for Advanced Controls owners
Specialized Partners:
– Trained by Oracle: designing and delivering OAC solutions
– Demonstrated ability to deliver reliable OAC solutions
Coming soon
@OracleAdvCntrls