Leverage Technology: Move Your Business Forward™
Risk and Compliance Financial Reporting Internal Audit Controls Catalog Application Security Advanced Analytics
A Leader in Risk Based Enterprise Controls Management Solutions
Copyright ©. Fulcrum Information Technology, Inc. Give me a lever long enough and a fulcrum on which to place it, and I shall move the world - Archimedes
Rapidly Reduce Segregation of Duty Violations in Oracle EBS R12 Responsibilities
Adil Khan
Managing Director
www.fulcrumway.com Page 2 Copyright © FulcrumWay
Agenda
Implement Effective Access Controls within your Oracle ERP System
• Introductions
• Top SOD Challenges in EBS R12
• Overview of SOD Controls Assessment
• Roles Design Techniques
• Case Study
• Q&A
A Leader in Risk Based Controls Management™
• FulcrumWay: is the #1 End-to-End Provider of Risk Based Enterprise Controls Management Solutions for Oracle EBS, PeopleSoft and JDE customers with over 200 Fortune-500 to Middle Market clients. Since 2003, we have successfully assisted companies across all major industry segments.
• Expertise: Risk Advisory Services. Advanced Controls Design for Enterprise Applications. Best Practices for Risk Mitigation and Internal Controls Automation. Audit, Compliance, Financial, Enterprise and Operational Risk Assessments. Risk Remediation Services.
• Packaged Solutions: FulcrumWay is the #1 choice of Oracle customers for Oracle GRC Advanced Controls, GRC Manager, and GRC Intelligence/OBIEE software implementation. Oracle has certified us as the only partner with Accelerators for Oracle GRC. We also provide Managed Services.
• Software Services: Risk Assessment for ERP systems, Control Design and Management Tools, Controls Catalog, Enterprise Risk Manager, Financial Reporting Manager, Audit Manager
• USA Presence: Privately held Delaware Corporation with US offices in New York City, Dallas and San Francisco
• International Presence: in Auckland, Chennai, Johannesburg, London, Mexico City
FulcrumWay
FulcrumWay Clients Successful Track Record
Government Oil and Gas
Healthcare
Communications
Financial Services
Transportation Natural Resources
Manufacturing
Retail
High Tech Media/Entertainment Life Sciences
FulcrumWay™ Insight Thought Leadership
• Co-Authored GRC Book: First book on GRC for Oracle Applications
• Executive Round Tables – GRC Solutions for Energy Industry, Houston, November 2012
• OAUG GRC Solution Lab – April 7th – 11th, Denver: GRC Case Studies and Best Practices
• IIA – Presentations – Top Five Reasons for Automating Application Controls
• Collaborate 14 – GRC Client Appreciation Dinner, April 9th, 2014, Las Vegas
• Webcasts – GRC Best Practices, Trends and Expert Insight
• Oracle Open World – Annual GRC Dinner on September 23rd, 2014, W Hotel San Francisco
• LinkedIn – FulcrumWay Risk, Compliance and Audit Software Group
• YouTube Podcasts – FulcrumWay Instant Insight in 10 min or less
Proven Expertise
Top Challenges
Enforce Segregation of Duty Controls and Security Policies
• We cannot use Oracle “seeded” Responsibilities because of inherent SOD conflicts. GL Super User can Enter Journals, Post Journal, Change Approval Limits, Update GL Accounts, Change Calendar. Our R12 Patches created even more SOD issues.
• Which SOD Policies will mitigate the risk in our Oracle Responsibility Design?
• How do we ensure that the activities of users granted “super user” Responsibilities have effective compensating controls?
• Why do we have so many False Positives and how do we remove them from our analysis?
• What is an effective approach to Design and Test the Oracle Security Model before deployment?
• When will we be able to close all SOD incidents?
Top Challenges
Complicated Security Model: High Risk of Segregation of Duties Issues
[Diagram of the EBS security model. Labels: User, Responsibility, Menu, Form, Function]
Evaluate User Access
• Test by User
• Test by Privilege
Manage Segregation of Duties
• Identify incompatible Privileges
• Predefined & Extensible SOD Rule Sets
Top Challenges
Key Factors Impacting SOD Violations
• EBS Release and Business Cycles enabled by Oracle modules: Order to Cash, Procure to Pay, Record to Report, Hire to Retire, Design to Build, etc.
  – An average R12 customer has over 35,000 functions and 12,500 menus
• Number and complexity of SOD Policies
  – Range from 25 to 250
• Number of Business Units and variation in Responsibilities across the business
• Security Model – RBAC, Single-Sign-On, OIM, etc.
• Number of Users and Responsibilities
Top Challenges
Remediation in Oracle EBS is a Permutation Problem
[Diagram of access paths from users through responsibilities, menus and submenus to a function. Labels:]
Payables Users: John Doe, Mike Jones
Responsibilities: Payables Manager, US; Payables Supervisor; Payables User
Menus: AP_Navigate_GUI12, UK_AP_Navigate_GUI12, AX_Payables_User
Submenus: AP_Invoices_Entry, AP_Invoices_GUI12_G
Function: Invoice Batches
What if we exclude ‘Invoice Batches’ from AP_Invoices_Entry?
Root Cause Analysis is required for remediation!
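The what-if on this slide, worked through as an added example (not FulcrumWay code and not part of the original deck): it enumerates every user, responsibility and menu route to a function, then re-checks access after excluding the function from one shared submenu. The user-to-responsibility and menu-to-submenu wiring is assumed sample data built from the slide's labels.

```python
# Constructed sample data using the slide's labels; which user holds which
# responsibility and which menu contains which submenu is an assumption.
USER_RESPS = {
    "John Doe": ["Payables Manager, US"],
    "Mike Jones": ["Payables Supervisor", "Payables User"],
}
RESP_MENU = {
    "Payables Manager, US": "AP_Navigate_GUI12",
    "Payables Supervisor": "UK_AP_Navigate_GUI12",
    "Payables User": "AX_Payables_User",
}
# Menu -> entries; an entry is a submenu (also a key here) or a function name.
MENUS = {
    "AP_Navigate_GUI12": ["AP_Invoices_Entry"],
    "UK_AP_Navigate_GUI12": ["AP_Invoices_Entry", "AP_Invoices_GUI12_G"],
    "AX_Payables_User": ["AP_Invoices_GUI12_G"],
    "AP_Invoices_Entry": ["Invoice Batches"],
    "AP_Invoices_GUI12_G": ["Invoice Batches"],
}

def menu_paths(menu, function, menus, trail=()):
    """Yield every menu chain from `menu` down to `function` (cycle-safe)."""
    if menu in trail:
        return
    trail = trail + (menu,)
    for child in menus.get(menu, []):
        if child == function:
            yield trail
        elif child in menus:
            yield from menu_paths(child, function, menus, trail)

def access_paths(function, menus=MENUS):
    """All (user, responsibility, menu chain) routes that grant `function`."""
    return [(user, resp, path)
            for user, resps in USER_RESPS.items()
            for resp in resps
            for path in menu_paths(RESP_MENU[resp], function, menus)]

def exclude(menus, submenu, function):
    """Return a copy of the menu tree with `function` removed from `submenu`."""
    return {m: [c for c in kids if not (m == submenu and c == function)]
            for m, kids in menus.items()}

def still_granted(function, menus):
    """Users who keep `function` through at least one remaining route."""
    return sorted({user for user, _, _ in access_paths(function, menus)})

if __name__ == "__main__":
    fixed = exclude(MENUS, "AP_Invoices_Entry", "Invoice Batches")
    print(access_paths("Invoice Batches"), still_granted("Invoice Batches", fixed))
```

With this sample wiring the exclusion removes John Doe's only route to Invoice Batches while Mike Jones keeps it through AP_Invoices_GUI12_G under both of his responsibilities, which is why the routes have to be traced before a menu is changed.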
Controls Assessment
FulcrumWay Application Risk Assessment Best Practices
[Process diagram. Boxes: Select ERP Controls from FW Controls Catalogs; Detect Control Violations; Analyze Issues; Confirm Findings; Present Project Plan; Implement ERP Advanced Controls; Prepare Assessment Checklist; Probe ERP Data; Manage Exceptions; Prepare Remediation Plan; Establish Test Environment. Participants: FW Risk Advisor/Client Lead/Control Owners; FW Risk Advisor/Client Lead; Client Executive Sponsors; FW/Client Project Team.]
Controls Assessment
DataProbe™ Extracts the Security, Setup and Master Data Information
DataProbe™ is a desktop utility for the client DBA/manager to provide the data.
On average it takes our clients less than an hour to install and extract the ERP security, setup and master data for submission to FulcrumWay risk advisory services.
Controls Assessment
Controls Catalog with over 1,000 Advanced Controls
Select SOD, Master Data, Setup, and Transaction Controls for Risk Assessment
Detect control weaknesses across the ERP system to identify business process optimization opportunities
Controls Assessment
ERP Test Environment Consists of ERP Configurations and Data Objects
Selected security, setup and data objects are included in the environment.
ERP configuration such as 3-way match in payable options, and master data such as Users, Responsibilities, Customers, Invoices, Suppliers, Assets and Payments records, are analyzed for control failure risks.
Controls Assessment
Advanced Analytics to Analyze ERP Risks
Pre-built Risk Analytics. Risk Reports available for client review.
Risk Advisory identifies control violations, analyzes the issues and removes false positives to prepare the findings report.
Role Design
FulcrumWay Roles Manager Overview
Eliminate Root Cause of Access Control Violations in ERP:
• Improve Segregation of Duty controls within mission critical applications
• Reduce ERP implementation and upgrade costs with pre-configured roles
• Lower ERP Total Cost of Ownership by assigning pre-approved Roles
We enable ERP Administrators:
• Select pre-configured ERP roles from a roles catalog
• Update, Review and Approve Role design changes.
• Identify SOD conflicts before the Roles are assigned to Users.
Role Design
FulcrumWay Roles Manager Features
• Role Manager is an ERP security design tool
• Contains a pre-configured catalog of roles which comply with segregation of duty (SOD) policies.
• Roles by ERP module and typical access requirements for those modules such as Manager, Supervisor, Clerk, Inquiry, Business Setup and IT Setup.
• You can use this tool to view existing role templates and design new roles by easily selecting or deselecting ERP functions/transactions.
• Once you complete the roles design, you can send it, using workflows, to pre-assigned reviewers and approvers to finalize the roles.
• The role preparers, reviewers and approvers can also assess the SOD control risks before finalizing the roles.
• Leverage FW DataProbe/Scripts to load current Roles
• Secure Access from fulcrumway.com portal
Role Design
Access to Roles Manager
Sign in to ERP Controls and navigate to Roles Manager at FulcrumWay.com
Roles Manager is a component of the FulcrumWay Risk Remediation software services that is available instantly over a secure internet connection.
Role Design
Select the Access Monitor Icon. Then click on the Maintain Access Roles Tab.
Search and browse through the catalog of Roles for Oracle EBS R12
Roles Manager contains hundreds of Oracle EBS Responsibilities with SOD Controls designed into the configuration to give you a jump start
Role Design
Access to Roles Manager
Use a “source” role to create a new “target” role. View existing SOD issues with the “source” role. Assign Reviewers and Approvers for the role.
Embed SOD Controls into Oracle Responsibilities design by eliminating conflicting business activities inherent in the EBS Responsibility configuration
Role Design
Access to Roles Manager
Select/Deselect business activities to update Role configuration automatically
Reduce Role design time and effort by selecting business activities to drive the configuration of Oracle Responsibilities.
Role Design
Access to Roles Manager
Select/Deselect Request Sets to update Role configuration automatically
Effective SOD Controls should include access to Concurrent Requests. Remember that in R12 you can open/close GL Periods by submitting a request.
Role Design
Access to Roles Manager
Review and approve Roles using email notifications
Reduce ERP implementation/upgrade costs and audit fees by enabling change controls over the Oracle Responsibilities. Reduce risk of SOD control failure.
Role Design
Access to Roles Manager
Access the link to approve or reject the new Role
Reduce ERP implementation/upgrade costs and audit fees by enabling change controls over the Oracle Responsibilities. Reduce risk of SOD control failure.
Role Design
Access to Roles Manager
Assign Application Role Owner, Reviewer, Approver and Security Admin
Reduce ERP implementation/upgrade costs and audit fees by enabling change controls over the Oracle Responsibilities. Reduce risk of SOD control failure.
Agenda
Reduce SOD Access Violations with Effective Roles Management Techniques
• Introduction
• Top SOD Challenges in Oracle EBS
• SOD Controls Assessment Overview
• Role Design Techniques
• Case Study
• Q&A
Client case
Global Car and Equipment Rental Company Improves Employee Productivity
Our Client
• Leader in the car and equipment rental businesses worldwide
• Providing quality car rental service for over 90 years.
• Over 30,000 employees
Challenges
• Replace multiple legacy systems with one ERP solution
• Improved Segregation of Duty controls within mission critical applications
• Maintain consistent ERP system access roles across the subsidiaries leveraging the shared services model
• Increase external auditor’s reliance on ERP Access Controls Monitoring
Solutions
• GRC DataProbe
• ERP Controls Catalog
• ERP Roles Monitor
Results:
• Reduce ERP Role design, build, testing and implementation time by 80%, resulting in over $200,000 cost savings during ERP system implementation and global roll-out.
• Created over 100 Segregation of Duty compliant Roles by business segment within two weeks from FulcrumWay Role Templates within the controls catalog.
• Lowered ERP Total Cost of Ownership by reducing SoD remediation time and costs by ensuring that all users are assigned only the pre-approved Roles
• Improve SoD and Access Controls testing time by providing auditors the access log reports showing all Update, Review and Approve Role design changes.
• Accelerated ERP testing and deployment time by identifying SOD conflicts before the Roles are assigned to Users.
Summary and Q&A
Thank You! Join us on LinkedIn and follow us on Twitter