Leverage Technology:
Move Your Business Forward™
Enterprise Risk Management Financial Close Monitor Advanced Controls Catalog Enterprise Audit GRC Monitor
FulcrumWay Leading Provider of Enterprise Risk Assessment Mitigation and Remediation Solutions
Copyright ©. Fulcrum Information Technology, Inc. Give me a lever long enough and a fulcrum on which to place it, and I shall move the world - Archimedes
Rapidly reduce Segregation of Duty Violations in Oracle EBS R12 Responsibilities with effective roles management techniques.
www.fulcrumway.com Page 2 Copyright © FulcrumWay
Reduce SOD Access Violations with effective roles management techniques.
Agenda
• Introduction
• Top SOD Challenges in Oracle EBS
• SOD Controls Assessment Overview
• Role Design Techniques
• Case Study
• Q&A
FulcrumWay Intelligent, Integrated Instant Risk Management™
FulcrumWay is the #1 End-to-End Provider of Enterprise Risk Management Expertise,
Solutions and Software Services for Oracle EBS, PeopleSoft and JDE customers with
over 200 Fortune-500 to Middle Market clients. Since 2003, we have successfully
assisted companies across all major industry segments.
Expertise: Risk Advisory Services. Advanced Controls Design for Enterprise Business
Applications. Best Practices for Risk Mitigation and Internal Controls Automation.
Audit, Compliance, Financial, Enterprise and Operational Risk Assessments. Risk
Remediation Services such as Segregation of Duties.
Packaged Solutions: FulcrumWay is the #1 choice of Oracle customers for Oracle GRC
Manager, GRC Controls and GRC Intelligence/OBIEE software implementation. Oracle
has certified us as the only partner with Accelerators for Oracle GRC. We also provide
Managed Services and Hosting for Oracle GRC applications.
Software Services: Risk Management Tools: Enterprise Risk Manager, Financial Close
Risk Manager, Risk Based Audit Manager, IT Risk Workbench, and Advanced Controls
Catalog. Data Management Tools: Rules Repository, DataProbe™ adaptors and Data
Hub.
USA Presence: Privately held Delaware Corporation with US offices in New York City,
Dallas and San Francisco
International Presence: in Chennai, Dubai, Kampala, London, Rome, Santiago,
Singapore
Introduction
FulcrumWay Clients
Government, Oil and Gas, Healthcare, Communications, Financial Services, Industrial Equipment, Natural Resources, Manufacturing, Retail, High Tech, Media and Entertainment, Life Sciences
Our Experience
FulcrumWay™ Insight
Thought Leadership
Our Experience
Co-Authored GRC Book: First book on GRC for Oracle Applications
Executive Round Tables – GRC Solutions for Energy Industry, Houston, November 2012
OAUG GRC Solution Lab - April 7th – 11th Denver: GRC Case Studies and Best Practices
IIA - Presentations - Top Five Reasons for Automating Application Controls
Collaborate 13 – GRC Client Appreciation Dinner April 9th, 2013 Denver
Webcasts – GRC Best Practices, Trends and Expert Insight
Oracle Open World – Annual GRC Dinner on September 23rd, 2013 W Hotel San Francisco
LinkedIn – FulcrumWay Risk, Compliance and Audit Software Group
YouTube Podcasts – FulcrumWay Instant Insight in 10 min or less
Enforce Segregation of Duty Controls and Security Policies
• We cannot use Oracle “seeded” Responsibilities because of inherent SOD conflicts. GL Super User can Enter Journals, Post Journals, Change Approval Limits, Update GL Accounts, Change Calendar. Our R12 Patches created even more SOD issues.
• Which SOD Policies will mitigate the risk in our Oracle Responsibility Design?
• How do we ensure that the activities of users granted “super user” Responsibilities have effective compensating controls?
• Why do we have so many False Positives and how do we remove them from our analysis?
• What is an effective approach to Design and Test the Oracle Security Model before deployment?
• When will we be able to close all SOD incidents?
Top Challenges
Complicated Security Model: High Risk of Segregation of Duties Issues
[Diagram elements: User, Responsibility, Menu, Function, Form]
Evaluate User Access
• Test by User
• Test by Privilege
Manage Segregation of Duties
• Identify incompatible Privileges
• Predefined & Extensible SOD Rule Sets
Top Challenges
Key Factors impacting SOD violations
• EBS Release and Business Cycles enabled by Oracle modules: Order to Cash, Procure to Pay, Record to Report, Hire to Retire, Design to Build, etc.
  – An average R12 customer has over 35,000 functions and 12,500 menus
• Number and complexity of SOD Policies
  – Range from 25 to 250
• Number of Business Units and variation in Responsibilities across the business
• Security Model – RBAC, Single-Sign-On, OIM, etc.
• Number of Users and Responsibilities
Top Challenges
Remediation in Oracle EBS is a permutation problem
User: John Doe; Responsibility: Payables Manager, US; Menu: AP_Navigate_GUI12; Submenu: AP_Invoices_Entry; Function: Invoice Batches
[Diagram labels: User: Mike Jones; Payables Users; Responsibility: Payables Supervisor; Responsibility: Payables Manager, US; Responsibility: Payables User; Menu: UK_AP_Navigate_GUI12; Menu: AX_Payables_User; SubMenu: AP_Invoices_Entry; SubMenu: AP_Invoices_GUI12_G]
What if we exclude ‘Invoice Batches’ from AP_Invoices_Entry?
Root Cause Analysis is required for remediation!
Top Challenges
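The what-if question on this slide, worked as an added example (not FulcrumWay's or Oracle's code). The user, responsibility and menu names come from the slide; the wiring between them, the Payments function and the SOD rule are constructed for illustration.

```python
# Constructed sample data: names are from the slide, the wiring is assumed.
MENUS = {  # menu -> entries (submenus or functions)
    "AP_Navigate_GUI12":    ["AP_Invoices_Entry", "Payments"],
    "UK_AP_Navigate_GUI12": ["AP_Invoices_Entry"],
    "AX_Payables_User":     ["AP_Invoices_GUI12_G", "Payments"],
    "AP_Invoices_Entry":    ["Invoice Batches"],
    "AP_Invoices_GUI12_G":  ["AP_Invoices_Entry"],
}
RESPONSIBILITIES = {  # responsibility -> root menu
    "Payables Manager, US": "AP_Navigate_GUI12",
    "Payables Supervisor":  "UK_AP_Navigate_GUI12",
    "Payables User":        "AX_Payables_User",
}
USERS = {"John Doe": ["Payables Manager, US"],
         "Mike Jones": ["Payables Supervisor", "Payables User"]}
SOD_RULES = [("Invoice Batches", "Payments")]  # hypothetical incompatible pair

def paths(menus, menu, trail=()):
    """Yield (function, menu trail) for every function reachable from menu."""
    trail = trail + (menu,)
    for entry in menus.get(menu, []):
        if entry in menus:
            if entry not in trail:          # guard against menu cycles
                yield from paths(menus, entry, trail)
        else:
            yield entry, trail

def user_access(menus, user):
    """Map function -> list of (responsibility, menu trail) granting it."""
    access = {}
    for resp in USERS[user]:
        for func, trail in paths(menus, RESPONSIBILITIES[resp]):
            access.setdefault(func, []).append((resp, trail))
    return access

def violations(menus):
    """Return {(user, rule): access paths for both sides of the rule}."""
    found = {}
    for user in USERS:
        access = user_access(menus, user)
        for a, b in SOD_RULES:
            if a in access and b in access:
                found[(user, (a, b))] = access[a] + access[b]
    return found

def exclude(menus, menu, entry):
    """What-if: copy of the menu tree with one entry removed from one menu."""
    return {m: [e for e in es if not (m == menu and e == entry)]
            for m, es in menus.items()}
```

In this constructed data, removing Invoice Batches from the shared AP_Invoices_Entry submenu clears both violations but also takes invoice entry away from every responsibility that uses that submenu, while removing Payments from AX_Payables_User clears only the Mike Jones violation.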
FulcrumWay™ Application Risk Assessment Best Practices
[Process diagram. Steps: Select ERP Controls from FW Controls Catalogs; Detect Control Violations; Analyze Issues; Confirm Findings; Present Project Plan; Implement ERP Advanced Controls; Prepare Assessment Checklist; Probe ERP Data; Manage Exceptions; Prepare Remediation Plan; Establish Test Environment. Participants: FW Risk Advisor/Client Lead/Control Owners; FW Risk Advisor/Client Lead; Client Executive Sponsors; FW/Client Project Team.]
Controls Assessment
DataProbe™ extracts the security, setup and master data information
DataProbe™ is a desktop utility for the client DBA/manager to provide the data
On average it takes our clients less than an hour to install and extract the ERP security, setup and master data for submission to FulcrumWay risk advisory services
Controls Assessment
FW Controls Catalog with over 1,000 advanced controls
Select SOD, Master Data, Setup, and Transaction Controls Risk Assessment
Detect control weaknesses across ERP system to identify business process optimization opportunities
Controls Assessment
ERP Test environment consists of ERP
configurations and data objects
Selected security, setup and data objects are included in the environment
ERP Configuration such as 3-way match in payable options, master data such as Users, Responsibilities, Customers, Invoices, Suppliers, Assets and Payments records are analyzed for control failure risks
Controls
Assessment
Advanced Analytics to analyze ERP
Risks
Pre-built Risk Analytics. Risk Reports available for client review
Risk Advisory identifies controls violations and has the capability to analyze
issues, remove false positives to prepare the findings report
Controls
Monitoring
Mitigate and Control Risks. Monitor Control Effectiveness. Enforce Policies in Context.
[Diagram labels: SOD & Access; Application Configuration; Transaction Monitoring; Preventive; GRC Manager; GRC Intelligence; GRC Controls]
• What users can do
• How is the process set up
• How users execute processes
• What users have done
• What’s changed in the process
• What are the execution patterns
Controls Assessment
Enforce Proper Segregation of Duties in Applications
[Diagram labels: Define Access Controls; Detection; Prevention; Access Analysis; Remediation (Clean-up); Preventive Provisioning; Compensating Policies]
• Accelerate deployment and time to value with pre-delivered controls library
• Mitigate risk of privileged user access to enterprise applications with approval workflow and audit trails
• Simplify segregation of duties enforcement with simulation and remediation
Controls Assessment
Test integrity of transactions and controls across business processes
[Diagram labels: Define Transaction Controls; Detection; Prevention; Transaction Analytics; Investigate Incidents; Enforce Transaction Controls; Prevent Suspicious Transactions]
• Identify anomalies missed by traditional audit and controls
• Apply Advanced Forensic and Pattern Analysis
• Continuous Monitoring of Controls and Transactions
Controls Assessment
FulcrumWay Roles Manager
Overview
Eliminate Root Cause of Access Control Violations in ERP:
Improve Segregation of Duty controls within mission critical
applications
Reduce ERP implementation and upgrade costs with pre-configured
roles
Lower ERP Total Cost of Ownership by assigning pre-approved
Roles
We enable ERP Administrators:
Select pre-configured ERP roles from a roles catalog
Update, Review and Approve Role design changes.
Identify SOD conflicts before the Roles are assigned to Users.
Role Design
Role Manager is an ERP security design tool
Contains a pre-configured catalog of roles which comply with
segregation of duty (SOD) policies.
Roles by ERP module and typical access requirements for those
modules such as Manager, Supervisor, Clerk, Inquiry, Business
Setup and IT Setup.
You can use this tool to view existing role templates and design new
roles by easily selecting or deselecting ERP functions/transactions.
Once you complete the roles design, you can send it, using
workflows, to pre-assigned reviewers and approvers to finalize the
roles.
The role preparers, reviewers and approvers can also assess the
SOD control risks before finalizing the roles.
Leverage FW DataProbe/Scripts to load current Roles
Secure Access from fulcrumway.com portal
Role Design FulcrumWay Roles Manager
Features
Access to Roles Manager Role Design
Sign-in to ERP Controls and Navigate to Roles Manager at FulcrumWay.com
Roles Manager is a component of the FulcrumWay Risk Remediation software services that is available instantly over a secure internet-connection.
Select the Access Monitor Icon. Then click on the Maintain Access Roles Tab
Search and Browse through catalog of
Roles for Oracle EBS R12
Roles Manager contains hundreds of Oracle EBS Responsibilities with SOD Controls Designed into the configuration to give you a jump start
Role Design
Access to Roles Manager
Use a “source” role to create a new “target” role. View existing SOD issues with the “source” role. Assign Reviewers and Approvers for the role
Embed SOD Controls into Oracle Responsibilities design by eliminating conflicting business activities inherent in the EBS Responsibility configuration
Role Design
Access to Roles Manager Role Design
Select/ Deselect business activities to update Role configuration automatically
Reduce Role design time and effort by selecting business activities to drive the configuration of Oracle Responsibilities.
Access to Roles Manager Role Design
Select/ Deselect Request Sets to update Role configuration automatically
Effective SOD Controls should include access to Concurrent Requests. Remember that in R12 you can open/close GL Periods by submitting a request.
Access to Roles Manager Role Design
Review and approve Roles using email notifications
Reduce ERP implementation/upgrade costs and audit fees by enabling change controls over the Oracle Responsibilities. Reduce risk of SOD control failure
Access to Roles Manager Role Design
Access the link to approve or reject the new Role
Access to Roles Manager Role Design
Assign Application Role Owner, Reviewer, Approver and Security Admin
Global car and equipment rental company,
improves employee productivity
Our Client
Leader in the car and equipment rental businesses worldwide
Providing quality car rental service for over 90 years.
Over 30,000 employees
Challenges
• Replace multiple legacy systems with one ERP solution
• Improve Segregation of Duty controls within mission critical applications
• Maintain consistent ERP system access roles across the subsidiaries leveraging the shared services model
• Increase external auditor’s reliance on ERP Access Controls Monitoring
Solutions
• GRC DataProbe
• ERP Controls Catalog
• ERP Roles Monitor
Results
• Reduced ERP Role design, build, testing and implementation time by 80%, resulting in over $200,000 cost savings during ERP system implementation and global roll-out.
• Created over 100 Segregation of Duty compliant Roles by business segment within two weeks from FulcrumWay Role Templates within the controls catalog.
• Lowered ERP Total Cost of Ownership by reducing SoD remediation time and costs by ensuring that all users are assigned only the pre-approved Roles.
• Improved SoD and Access Controls testing time by providing auditors the access log reports showing all Update, Review and Approve Role design changes.
• Accelerated ERP testing and deployment time by identifying SOD conflicts before the Roles are assigned to Users.
Client case
Thank You! Join us on LinkedIn to view
webinar and discussion Summary and Q&A