Date posted: 06-May-2015
Category: Technology
Uploaded by: fulcrumway
Leverage Technology: Move Your Business Forward™
Risk and Compliance, Financial Reporting, Internal Audit, Controls Catalog, Application Security, Advanced Analytics
A Leader in Risk Based Enterprise Controls Management Solutions
Copyright © Fulcrum Information Technology, Inc.
"Give me a lever long enough and a fulcrum on which to place it, and I shall move the world" - Archimedes
Earn Admiration and Love from your CIO and CFO!
Implement Effective Access Controls within your Oracle ERP System
Webinar – February 19th, 2014
Adil Khan
Managing Director
www.fulcrumway.com | Copyright © FulcrumWay
Agenda
• Introductions
• Top Access Challenges for CIO and CFO
• Overview of Access Risk Assessment
• Access Management Techniques
• Case Study
• Q&A
FulcrumWay
A Leader in Risk Based Controls Management™
FulcrumWay is the #1 End-to-End Provider of Risk Based Enterprise Controls Management Solutions for Oracle EBS, PeopleSoft and JDE customers with over 200 Fortune-500 to Middle Market clients. Since 2003, we have successfully assisted companies across all major industry segments.
Expertise: Risk Advisory Services. Advanced Controls Design for Enterprise Applications. Best Practices for Risk Mitigation and Internal Controls Automation. Audit, Compliance, Financial, Enterprise and Operational Risk Assessments. Risk Remediation Services.
Packaged Solutions: FulcrumWay is the #1 choice of Oracle customers for Oracle GRC Advanced Controls, GRC Manager, and GRC Intelligence/OBIEE software implementation. Oracle has certified us as the only partner with Accelerators for Oracle GRC. We also provide Managed Services.
Software Services: Risk Assessment for ERP systems, Control Design and Management Tools, Controls Catalog, Enterprise Risk Manager, Financial Reporting Manager, Audit Manager.
USA Presence: Privately held Delaware Corporation with US offices in New York City, Dallas and San Francisco.
International Presence: Auckland, Chennai, Johannesburg, London, Mexico City.
FulcrumWay Clients: Successful Track Record
Government, Oil and Gas, Healthcare, Communications, Financial Services, Transportation, Natural Resources, Manufacturing, Retail, High Tech, Media/Entertainment, Life Sciences
Proven Expertise
FulcrumWay™ Insight: Thought Leadership
• Co-Authored GRC Book: First book on GRC for Oracle Applications
• Executive Round Tables – GRC Solutions for Energy Industry, Houston, November 2012
• OAUG GRC Solution Lab – April 7th – 11th, Denver: GRC Case Studies and Best Practices
• IIA Presentations – Top Five Reasons for Automating Application Controls
• Collaborate 14 – GRC Client Appreciation Dinner, April 9th, 2014, Las Vegas
• Webcasts – GRC Best Practices, Trends and Expert Insight
• Oracle Open World – Annual GRC Dinner on September 23rd, 2014, W Hotel San Francisco
• LinkedIn – FulcrumWay Risk, Compliance and Audit Software Group
• YouTube Podcasts – FulcrumWay Instant Insight in 10 min or less
Top Challenges
Access Management Challenges for CIO and CFO
• ERP Roles need significant changes to meet requirements
• User provisioning does not prevent control violations
• Super User activity is not monitored
• Periodic user Certification is not reliable
• Segregation of Duty controls are deficient
• Access to sensitive data is not protected
• No audit trail on ERP configuration controls
• Cannot prevent unauthorized Master Data changes
• Terminated employees have access to ERP
Top Challenges
Key Factors Impacting Access Control
• Complexity of ERP System Security Model – An average Oracle EBS R12 customer has over 35,000 functions and 12,500 menus
• Effectiveness of Roles Design – Single Global Roles Template or wide variation based on user needs
• Completeness of User Provisioning Process – Does the user provisioning process include control warnings for approvers?
• Auditability of ERP Configuration and Data Access – Can you track ALL changes to key setup and/or master data?
• Number of ERP environments – Do you need to control access to multiple ERP systems?
Top Challenges
Complicated Security Model: High Risk of Access Control Deficiencies
Diagram labels: User, Responsibility, Menu, Function, Form
Evaluate User Access
• Test by User
• Test by Privilege
Manage Segregation of Duties
• Identify incompatible Privileges
• Predefined & Extensible SOD Rule Sets
Top Challenges
ERP Security Management is a permutation problem
Diagram: access hierarchy for Payables Users
User: John Doe
  Responsibility: Payables Manager, US
    Menu: AP_Navigate_GUI12
      Submenu: AP_Invoices_Entry
        Function: Invoice Batches
Other objects shown in the diagram:
  User: Mike Jones
  Responsibilities: Payables Manager, US; Payables Supervisor; Payables User
  Menus: UK_AP_Navigate_GUI12; AX_Payables_User
  Submenus: AP_Invoices_Entry; AP_Invoices_GUI12_G
What if we exclude ‘Invoice Batches’ from AP_Invoices_Entry?
Root Cause Analysis is required for remediation!
Access Risk Assessment
FulcrumWay Application Risk Assessment Best Practices
Process diagram steps (order as extracted): Select ERP Controls from FW Controls Catalogs; Detect Control Violations; Analyze Issues; Confirm Findings; Present Project Plan; Implement Access Management System; Prepare Assessment Checklist; Probe ERP Data; Manage Exceptions; Prepare Remediation Plan; Establish Test Environment
Participants: FW Risk Advisor/Client Lead/Control Owners; FW Risk Advisor/Client Lead; Client Executive Sponsors; FW/Client Project Team
Access Risk Assessment
DataProbe™ extracts the security, setup and master data information
DataProbe™ is a desktop utility for the client DBA/manager to provide the data
On average it takes our clients less than an hour to install and extract the ERP security, setup and master data for submission to FulcrumWay risk advisory services
Access Risk Assessment
Controls Catalog with over 1,000 advanced controls
Select SOD, Master Data, Setup, and Transaction Controls for Risk Assessment
Detect control weaknesses across ERP system to identify business process optimization opportunities
Access Risk Assessment
ERP Test environment consists of ERP configurations and data objects
Selected security, setup and data objects are included in the environment
ERP configuration, such as 3-way match in payable options, and master data, such as Users, Responsibilities, Customers, Invoices, Suppliers, Assets and Payments records, are analyzed for control failure risks
Access Risk Assessment
Advanced Analytics to analyze ERP Risks
Pre-built Risk Analytics. Risk Reports available for client review
Risk Advisors identify control violations and can analyze issues and remove false positives to prepare the findings report
Role Design
FulcrumWay Roles Manager Overview
Eliminate Root Cause of Access Control Violations in ERP:
• Improve Segregation of Duty controls within mission critical applications
• Reduce ERP implementation and upgrade costs with pre-configured roles
• Lower ERP Total Cost of Ownership by assigning pre-approved Roles
We enable ERP Administrators:
• Select pre-configured ERP roles from a roles catalog
• Update, Review and Approve Role design changes
• Identify SOD conflicts before the Roles are assigned to Users
Role Design
FulcrumWay Roles Manager Features
• Roles Manager is an ERP security design tool.
• Contains a pre-configured catalog of roles which comply with segregation of duty (SOD) policies.
• Roles are organized by ERP module and by typical access requirements for those modules, such as Manager, Supervisor, Clerk, Inquiry, Business Setup and IT Setup.
• You can use this tool to view existing role templates and design new roles by selecting or deselecting ERP functions/transactions.
• Once you complete the roles design, you can send it, using workflows, to pre-assigned reviewers and approvers to finalize the roles.
• The role preparers, reviewers and approvers can also assess the SOD control risks before finalizing the roles.
• Leverage FW DataProbe/Scripts to load current Roles.
• Secure Access from fulcrumway.com portal.
Role Design
Access to Roles Manager
Sign in to ERP Controls and navigate to Roles Manager at FulcrumWay.com
Roles Manager is a component of the FulcrumWay Risk Remediation software services that is available instantly over a secure internet connection.
Role Design
Select the Access Monitor Icon. Then click on the Maintain Access Roles Tab
Search and Browse through catalog of Roles for Oracle EBS R12
Roles Manager contains hundreds of Oracle EBS Responsibilities with SOD Controls designed into the configuration to give you a jump start
Role Design
Access to Roles Manager
Use a “source” role to create a new “target” role. View existing SOD issues with the “source” role. Assign Reviewers and Approvers for the role.
Embed SOD Controls into Oracle Responsibilities design by eliminating conflicting business activities inherent in the EBS Responsibility configuration
Role Design
Access to Roles Manager
Select/Deselect business activities to update Role configuration automatically
Reduce Role design time and effort by selecting business activities to drive the configuration of Oracle Responsibilities.
ERP User Provisioning
• Save Precious Time Verifying User Provisioning Requests
• Prevent Unauthorized Systems Access
• Reduce the Risk of Internal Fraud
• Improve Your Compliance Audit Trail
We enable Security/ERP Administrators:
• Automate manual access request processes
• Ensure there are no unauthorized users
• Detect and prevent disallowed access attempts
Remediate Access Risks
Monitor User Access Requests
Monitor controls over the user provisioning process. Maintain audit log.
Reduce SOD violations by monitoring User Access Requests at Helpdesk and perform SOD analysis before access is granted
ERP User Access Monitor
• Save Precious Time Verifying User Access
• Detect Unauthorized Systems Access
• Automate User Access Review
• Improve Your Compliance Audit Trail
We enable Security/ERP Administrators:
• Ensure there are no unauthorized users
• Maintain universal access security compliance
Remediate Access Risks
Monitor User Access to Responsibility/Role and Functions
Remove False Positives and inactive users/roles
Send user access verification request to application control owners using “passkey” to verify or terminate access
ERP User Access Monitor
• Fast Forward SOD Corrective Actions
• Notify manager of business activity risks
• Enforce corrective actions
• Reduce Compliance Costs
We enable Security/ERP Administrators:
• Automate corrective action requests
• Ensure timely resolution of SOD incidents
• Maintain universal access security compliance
Remediate Access Risks
Send Corrective Actions to implement approved changes
Corrective Action Request is sent to Managers for Review and Approval via email survey
Application Owner Verifies Access to Business Activity
Send SOD conflict information at the business activity level to correct violations
Reduce cost and effort for remediation.
ERP Controls Management
• Apply Continuous Monitoring to ERP Controls
• Minimize Process Errors and Losses
• Maintain compliance with regulations and internal policies
• Reduce the Cost of Risk and Audit
We enable Business and IT Managers:
• Meet your organizational control objectives
• Complete your controls monitoring repository
• Apply policies and rules to each business cycle
Select ERP Controls
FW Controls Catalog with over 1,000 advanced controls
Select SOD, Master Data, Setup, and Transaction Controls for Risk Assessment
Detect control weaknesses across ERP system to identify business process optimization opportunities
Monitor Data Changes
Authoritative Master Data Across the Enterprise
Ensure reliable mission critical data. Improve data governance with complete audit trail. Make informed, fact-based, timely business decisions.
Detect who made which changes, and when, to master data such as organizations, suppliers, customers, employees, items, assets and other key records.
Agenda
• Introductions
• Top SOD Challenges in EBS R12
• Overview of SOD Controls Assessment
• Roles Design Techniques
• Case Study
• Q&A
Client case
Global car and equipment rental company improves employee productivity
Our Client
• Leader in the car and equipment rental businesses worldwide
• Providing quality car rental service for over 90 years
• Over 30,000 employees
Challenges
• Replace multiple legacy systems with one ERP solution
• Improve Segregation of Duty controls within mission critical applications
• Maintain consistent ERP system access roles across the subsidiaries leveraging the shared services model
• Increase external auditor’s reliance on ERP Access Controls Monitoring
Solutions
• ERP Controls Catalog
• ERP Roles Monitor
Results
• Reduced ERP Role design, build, testing and implementation time by 80%, resulting in over $200,000 cost savings during ERP system implementation and global roll-out.
• Created over 100 Segregation of Duty compliant Roles by business segment within two weeks from FulcrumWay Role Templates within the controls catalog.
• Lowered ERP Total Cost of Ownership by reducing SoD remediation time and costs by ensuring that all users are assigned only the pre-approved Roles.
• Improved SoD and Access Controls testing time by providing auditors the access log reports showing all Update, Review and Approve Role design changes.
• Accelerated ERP testing and deployment time by identifying SOD conflicts before the Roles are assigned to Users.
Q & A
Leader in Risk Based Enterprise Controls
One-on-One with Experts
Download DataProbe
Follow FulcrumWay on LinkedIn for ERP Risk and Controls