FulcrumWay - Implement Effective Access Controls within your Oracle ERP System

Date post: 06-May-2015
Upload: fulcrumway
Description:
This was presented on Feb. 19, 2014 in FulcrumWay's monthly Webinar sessions, which occur on the 3rd Tuesday of every month. Anyone may attend, just go to http://www.fulcrumway.com/events/upcoming-events for details. Hope to see you there!! This presentation addresses: Top Access Challenges for CIO and CFO; Overview of Access Risk Assessment; Access Management Techniques; Case Study.
Transcript
Page 1: FulcrumWay - Implement Effective Access Controls within your Oracle ERP System

Leverage Technology: Move Your Business Forward™

Risk and Compliance Financial Reporting Internal Audit Controls Catalog Application Security Advanced Analytics

A Leader in Risk Based Enterprise Controls Management Solutions

Copyright ©. Fulcrum Information Technology, Inc.

Give me a lever long enough and a fulcrum on which to place it, and I shall move the world - Archimedes

Earn Admiration and Love from your CIO and CFO!

Implement Effective Access Controls within your Oracle ERP System

Webinar – February 19th, 2014

Adil Khan

Managing Director

Page 2: FulcrumWay - Implement Effective Access Controls within your Oracle ERP System

www.fulcrumway.com | Page 2 | Copyright © FulcrumWay

Implement Effective Access Controls within your Oracle ERP System

Introductions

Top Access Challenges for CIO and CFO

Overview of Access Risk Assessment

Access Management Techniques

Case Study

Q&A

Agenda

Page 4: FulcrumWay - Implement Effective Access Controls within your Oracle ERP System

A Leader in Risk Based Controls Management™

FulcrumWay: is the #1 End-to-End Provider of Risk Based Enterprise Controls Management Solutions for Oracle EBS, PeopleSoft and JDE customers with over 200 Fortune-500 to Middle Market clients. Since 2003, we have successfully assisted companies across all major industry segments.

Expertise: Risk Advisory Services. Advanced Controls Design for Enterprise Applications. Best Practices for Risk Mitigation and Internal Controls Automation. Audit, Compliance, Financial, Enterprise and Operational Risk Assessments. Risk Remediation Services.

Packaged Solutions: FulcrumWay is the #1 choice of Oracle customers for Oracle GRC Advanced Controls, GRC Manager, and GRC Intelligence/OBIEE software implementation. Oracle has certified us as the only partner with Accelerators for Oracle GRC. We also provide Managed Services.

Software Services: Risk Assessment for ERP systems, Control Design and Management Tools, Controls Catalog, Enterprise Risk Manager, Financial Reporting Manager, Audit Manager

USA Presence: Privately held Delaware Corporation with US offices in New York City, Dallas and San Francisco

International Presence: in Auckland, Chennai, Johannesburg, London, Mexico City

FulcrumWay

Page 5: FulcrumWay - Implement Effective Access Controls within your Oracle ERP System

FulcrumWay Clients: Successful Track Record

• Government
• Oil and Gas
• Healthcare
• Communications
• Financial Services
• Transportation
• Natural Resources
• Manufacturing
• Retail
• High Tech
• Media/Entertainment
• Life Sciences

Page 6: FulcrumWay - Implement Effective Access Controls within your Oracle ERP System

FulcrumWay™ Insight

Thought Leadership

Co-Authored GRC Book: First book on GRC for Oracle Applications

Executive Round Tables – GRC Solutions for Energy Industry, Houston, November 2012

OAUG GRC Solution Lab - April 7th – 11th Denver: GRC Case Studies and Best Practices

IIA - Presentations - Top Five Reasons for Automating Application Controls

Collaborate 14 – GRC Client Appreciation Dinner April 9th, 2014 Las Vegas

Webcasts – GRC Best Practices, Trends and Expert Insight

Oracle Open World – Annual GRC Dinner on September 23rd, 2014 W Hotel San Francisco

LinkedIn – FulcrumWay Risk, Compliance and Audit Software Group

YouTube Podcasts – FulcrumWay Instant Insight in 10 min or less

Proven Expertise

Page 7: FulcrumWay - Implement Effective Access Controls within your Oracle ERP System

Access Management Challenges for CIO and CFO

Top Challenges

• ERP Roles need significant changes to meet requirements
• User provisioning does not prevent control violations
• Super User activity is not monitored
• Periodic user Certification is not reliable
• Segregation of Duty controls are deficient
• Access to sensitive data is not protected
• No audit trail on ERP configuration controls
• Cannot prevent unauthorized Master Data changes
• Terminated employees have access to ERP

Page 8: FulcrumWay - Implement Effective Access Controls within your Oracle ERP System

Key Factors impacting Access Control

Top Challenges

Complexity of ERP System Security Model – An average Oracle EBS R12 customer has over 35,000 functions and 12,500 menus

Effectiveness of Roles Design – Single Global Roles Template or wide variation based on user needs

Completeness of User Provisioning Process – Does the user provisioning process include control warnings for approvers?

Auditability of ERP Configuration and Data Access – Can you track ALL changes to key setup and/or master data?

Number of ERP environments – Do you need to control access to multiple ERP systems?

Page 9: FulcrumWay - Implement Effective Access Controls within your Oracle ERP System

Complicated Security Model: High Risk of Access Control Deficiencies

Top Challenges

Page 10: FulcrumWay - Implement Effective Access Controls within your Oracle ERP System

Complicated Security Model: High Risk of Access Control Deficiencies

[Diagram labels: User, Responsibility, Menu, Function, Form]

Evaluate User Access
• Test by User
• Test by Privilege

Manage Segregation of Duties
• Identify incompatible Privileges
• Predefined & Extensible SOD Rule Sets

Top Challenges

Page 11: FulcrumWay - Implement Effective Access Controls within your Oracle ERP System

User: John Doe

Responsibility: Payables Manager, US

Menu: AP_Navigate_GUI12

Submenu: AP_Invoices_Entry

Function: Invoice Batches

User: Mike Jones

Payables Users

Responsibility: Payables Supervisor

Responsibility: Payables User

Menu: UK_AP_Navigate_GUI12

SubMenu: AP_Invoices_Entry

SubMenu: AP_Invoices_GUI12_G

Menu: AX_Payables_User

Responsibility: Payables Supervisor

Responsibility: Payables Manager, US

Responsibility: Payables User

ERP Security Management is a permutation problem

What if we exclude ‘Invoice Batches’ from AP_Invoices_Entry?

Root Cause Analysis is required for remediation!
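
Added example (not part of the original presentation): a small Python model of the User > Responsibility > Menu > Submenu > Function chain that answers the slide's question by listing every path that grants a function and showing who is affected when it is removed from one submenu. The names come from the slide; the links between them and the "Invoices" function are constructed assumptions, because the original diagram is not recoverable.

```python
from collections import defaultdict

# Constructed sample data: names are from the slide, the links are assumed.
USER_RESPS = {
    "John Doe": ["Payables Manager, US"],
    "Mike Jones": ["Payables Supervisor", "Payables User"],
}
RESP_MENU = {
    "Payables Manager, US": "AP_Navigate_GUI12",
    "Payables Supervisor": "UK_AP_Navigate_GUI12",
    "Payables User": "AX_Payables_User",
}
# menu -> entries; each entry is ("menu", name) or ("function", name)
MENU_ENTRIES = {
    "AP_Navigate_GUI12": [("menu", "AP_Invoices_Entry")],
    "UK_AP_Navigate_GUI12": [("menu", "AP_Invoices_Entry"),
                             ("menu", "AP_Invoices_GUI12_G")],
    "AX_Payables_User": [("menu", "AP_Invoices_GUI12_G")],
    "AP_Invoices_Entry": [("function", "Invoice Batches")],
    "AP_Invoices_GUI12_G": [("function", "Invoice Batches"),
                            ("function", "Invoices")],  # "Invoices" is hypothetical
}

def function_paths(menu, entries, trail=()):
    """Yield (function, menu_path) for every function reachable from menu."""
    trail = trail + (menu,)
    for kind, name in entries.get(menu, []):
        if kind == "function":
            yield name, trail
        elif name not in trail:  # guard against menus that reference each other
            yield from function_paths(name, entries, trail)

def access_paths(function, entries=MENU_ENTRIES):
    """Map each user to every responsibility/menu path that grants function."""
    paths = defaultdict(list)
    for user, resps in USER_RESPS.items():
        for resp in resps:
            for fn, trail in function_paths(RESP_MENU[resp], entries):
                if fn == function:
                    paths[user].append((resp,) + trail)
    return dict(paths)

def exclude(function, submenu, entries=MENU_ENTRIES):
    """Return a copy of the menu tree with function removed from one submenu."""
    changed = dict(entries)
    changed[submenu] = [e for e in entries[submenu] if e != ("function", function)]
    return changed

def impact_of_exclusion(function, submenu):
    """Root-cause view: who loses the function, who keeps it and through what."""
    before = access_paths(function)
    after = access_paths(function, exclude(function, submenu))
    return {
        "lost_access": sorted(set(before) - set(after)),
        "still_has_access": {user: after[user] for user in sorted(after)},
    }

if __name__ == "__main__":
    result = impact_of_exclusion("Invoice Batches", "AP_Invoices_Entry")
    print("Lost access:", result["lost_access"])
    for user, paths in result["still_has_access"].items():
        for path in paths:
            print(user, "still reaches it via", " > ".join(path))
```

In this constructed data the exclusion removes access for one user while another keeps it through a second submenu, which is why remediation has to start from the full set of paths rather than from a single menu.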

Top Challenges

Page 13: FulcrumWay - Implement Effective Access Controls within your Oracle ERP System

FulcrumWay Application Risk Assessment Best Practices

Access Risk Assessment

Process steps (diagram labels):
• Select ERP Controls from FW Controls Catalogs
• Detect Control Violations
• Analyze Issues
• Confirm Findings
• Present Project Plan
• Implement Access Management System
• Prepare Assessment Checklist
• Probe ERP Data
• Manage Exceptions
• Prepare Remediation Plan
• Establish Test Environment

Owners (diagram labels):
• FW Risk Advisor/Client Lead/Control Owners
• FW Risk Advisor/Client Lead
• Client Executive Sponsors
• FW/Client Project Team

Page 14: FulcrumWay - Implement Effective Access Controls within your Oracle ERP System

DataProbe™ extracts the security, setup and master data information

DataProbe™ is a desktop utility for the client DBA/manager to provide the data

On average it takes our clients less than an hour to install and extract the ERP security, setup and master data for submission to FulcrumWay risk advisory services

Access Risk Assessment

Page 15: FulcrumWay - Implement Effective Access Controls within your Oracle ERP System

Controls Catalog with over 1,000 advanced controls

Select SOD, Master Data, Setup, and Transaction Controls Risk Assessment

Detect control weaknesses across ERP system to identify business process optimization opportunities

Access Risk Assessment

Page 16: FulcrumWay - Implement Effective Access Controls within your Oracle ERP System

ERP Test environment consists of ERP configurations and data objects

Selected security, setup and data objects are included in the environment

ERP configuration, such as 3-way match in payable options, and master data, such as Users, Responsibilities, Customers, Invoices, Suppliers, Assets and Payments records, are analyzed for control failure risks

Access Risk Assessment

Page 17: FulcrumWay - Implement Effective Access Controls within your Oracle ERP System

Advanced Analytics to analyze ERP Risks

Pre-built Risk Analytics. Risk Reports available for client review

Risk Advisors identify control violations and can analyze issues and remove false positives to prepare the findings report

Access Risk Assessment

Page 19: FulcrumWay - Implement Effective Access Controls within your Oracle ERP System

FulcrumWay Roles Manager Overview

Eliminate Root Cause of Access Control Violations in ERP:

Improve Segregation of Duty controls within mission critical applications

Reduce ERP implementation and upgrade costs with pre-configured roles

Lower ERP Total Cost of Ownership by assigning pre-approved Roles

We enable ERP Administrators:

Select pre-configured ERP roles from a roles catalog

Update, Review and Approve Role design changes.

Identify SOD conflicts before the Roles are assigned to Users.

Role Design

Page 20: FulcrumWay - Implement Effective Access Controls within your Oracle ERP System

Role Manager is an ERP security design tool

Contains a pre-configured catalog of roles which comply with segregation of duty (SOD) policies.

Roles by ERP module and typical access requirements for those modules such as Manager, Supervisor, Clerk, Inquiry, Business Setup and IT Setup.

You can use this tool to view existing role templates and design new roles by easily selecting or deselecting ERP functions/transactions.

Once you complete the roles design, you can send it, using workflows, to pre-assigned reviewers and approvers to finalize the roles.

The role preparers, reviewers and approvers can also assess the SOD control risks before finalizing the roles.

Leverage FW DataProbe/Scripts to load current Roles

Secure Access from fulcrumway.com portal

Role Design FulcrumWay Roles Manager Features

Page 21: FulcrumWay - Implement Effective Access Controls within your Oracle ERP System

Access to Roles Manager

Role Design

Sign in to ERP Controls and navigate to Roles Manager at FulcrumWay.com

Roles Manager is a component of the FulcrumWay Risk Remediation software services that is available instantly over a secure internet connection.

Page 22: FulcrumWay - Implement Effective Access Controls within your Oracle ERP System

Select the Access Monitor Icon. Then click on the Maintain Access Roles Tab

Search and Browse through catalog of Roles for Oracle EBS R12

Roles Manager contains hundreds of Oracle EBS Responsibilities with SOD Controls Designed into the configuration to give you a jump start

Role Design

Page 23: FulcrumWay - Implement Effective Access Controls within your Oracle ERP System

Access to Roles Manager

Use a “source” role to create a new “target” role. View existing SOD issues with the “source” role. Assign Reviewers and Approvers for the role

Embed SOD Controls into Oracle Responsibilities design by eliminating conflicting business activities inherent in the EBS Responsibility configuration

Role Design

Page 24: FulcrumWay - Implement Effective Access Controls within your Oracle ERP System

Access to Roles Manager

Role Design

Select/Deselect business activities to update Role configuration automatically

Reduce Role design time and effort by selecting business activities to drive the configuration of Oracle Responsibilities.

Page 25: FulcrumWay - Implement Effective Access Controls within your Oracle ERP System

ERP User Provisioning

Save Precious Time Verifying User Provision Request

Prevent Unauthorized Systems Access

Reduce the Risk of Internal Fraud

Improve Your Compliance Audit Trail

We enable Security/ERP Administrators:

Automate manual access request processes

Ensure there are no unauthorized users

Detect and prevent disallowed access attempts

Page 26: FulcrumWay - Implement Effective Access Controls within your Oracle ERP System

Monitor User Access Requests

Remediate Access Risks

Monitor controls over the user provisioning process. Maintain audit log

Reduce SOD violations by monitoring User Access Requests at Helpdesk and perform SOD analysis before access is granted

Page 27: FulcrumWay - Implement Effective Access Controls within your Oracle ERP System

ERP User Access Monitor

Save Precious Time Verifying User Access

Detect Unauthorized Systems Access

Automate User Access Review

Improve Your Compliance Audit Trail

We enable Security/ERP Administrators:

Ensure there are no unauthorized users

Maintain universal access security compliance

Page 28: FulcrumWay - Implement Effective Access Controls within your Oracle ERP System

Remove False Positives and inactive users/roles

Remediate Access Risks

Send user access verification request to application control owners using “passkey” to verify or terminate access

Monitor User Access to Responsibility/Role and Functions

Page 29: FulcrumWay - Implement Effective Access Controls within your Oracle ERP System

ERP User Access Monitor

Fast Forward SOD Corrective Actions

Notify manager of business activity risks

Enforce corrective actions

Reduce Compliance Costs

We enable Security/ERP Administrators:

Automate corrective action requests

Ensure timely resolution of SOD incidents

Maintain universal access security compliance

Page 30: FulcrumWay - Implement Effective Access Controls within your Oracle ERP System

Send Corrective Actions to implement approved changes

Remediate Access Risks

Corrective Action Request is sent to Managers for Review and Approval via email survey

Application Owner Verifies Access to Business Activity

Send SOD conflict information at the business activity level to correct violations

Reduce cost and effort for remediation.

Page 31: FulcrumWay - Implement Effective Access Controls within your Oracle ERP System

ERP Controls Management

Apply Continuous Monitoring to ERP Controls

Minimize Process Errors and Losses

Maintain compliance with regulations and internal policies

Reduce the Cost of Risk and Audit

We enable Business and IT Managers:

Meet your organizational control objectives

Complete your controls monitoring repository

Apply policies and rules to each business cycle

Page 32: FulcrumWay - Implement Effective Access Controls within your Oracle ERP System

FW Controls Catalog with over 1,000 advanced controls

Select ERP Controls

Select SOD, Master Data, Setup, and Transaction Controls Risk Assessment

Detect control weaknesses across ERP system to identify business process optimization opportunities

Page 33: FulcrumWay - Implement Effective Access Controls within your Oracle ERP System

Authoritative Master Data Across the Enterprise

Monitor Data Changes

Ensure reliable mission critical data. Improve data governance with complete audit trail. Make informed, fact-based timely business decisions

Detect who, when, what changes are made to master data such as organizations, suppliers, customers, employees, items, assets and other key records.

Page 34: FulcrumWay - Implement Effective Access Controls within your Oracle ERP System

Implement Effective Access Controls within your Oracle ERP System

Introductions

Top SOD Challenges in EBS R12

Overview of SOD Controls Assessment

Roles Design Techniques

Case Study

Q&A

Agenda

Page 35: FulcrumWay - Implement Effective Access Controls within your Oracle ERP System

Global car and equipment rental company improves employee productivity

Our Client
• Leader in the car and equipment rental businesses worldwide
• Providing quality car rental service for over 90 years
• Over 30,000 employees

Challenges
• Replace multiple legacy systems with one ERP solution
• Improved Segregation of Duty controls within mission critical applications
• Maintain consistent ERP system access roles across the subsidiaries leveraging the shared services model
• Increase external auditor’s reliance on ERP Access Controls Monitoring

Solutions
• ERP Controls Catalog
• ERP Roles Monitor

Results
• Reduced ERP Role design, build, testing and implementation time by 80%, resulting in over $200,000 cost savings during ERP system implementation and global roll-out.
• Created over 100 Segregation of Duty compliant Roles by business segment within two weeks from FulcrumWay Role Templates within the controls catalog.
• Lowered ERP Total Cost of Ownership by reducing SoD remediation time and costs by ensuring that all users are assigned only the pre-approved Roles.
• Improved SoD and Access Controls testing time by providing auditors the access log reports showing all Update, Review and Approve Role design changes.
• Accelerated ERP testing and deploying time by identifying SOD conflicts before the Roles are assigned to Users.

Client case

Page 37: FulcrumWay - Implement Effective Access Controls within your Oracle ERP System

Leader in Risk Based Enterprise Controls

Q & A

One-on-One with Experts

Download DataProbe

Follow FulcrumWay on LinkedIn for ERP Risk and Controls

