68821ffcee24140cb137ab05e601906c.ppt
- Number of slides: 52
Overview and Current Trends with Governance, Risk and Compliance
Chris Martin, Oracle GRC Specialist
January 19, 2010

Agenda
• GRC Today
• Key Business Challenges
• GRC is Good Business
• Strategies to Consider - Solutions Today
• Wrap Up
The Big Picture
• Business Model: strategy, people, process, technology and infrastructure in place to drive toward objectives
• Objectives: strategic, operational, customer, compliance and reporting objectives cascaded throughout the organization
• Obstacles: impede progress toward achieving objectives
• Mandated Boundary: established by external forces including laws, government regulation and other mandates
• Voluntary Boundary: defined by management including public commitments, organizational values, contractual obligations, and other voluntary policies
© OCEG
Governance, Risk, and Compliance (GRC) At-a-Glance
Governance
• Set and evaluate performance against objectives
• Authorize business strategy & model to achieve objectives
Culture
• Establish an organizational climate and individual mindset that promotes trust, integrity, and accountability
Risk Management
• Identify, assess, and address potential obstacles to achieving objectives
• Identify / address violation of mandated and voluntary boundaries
Compliance
• Encourage / require compliance with established policies and boundaries
• Detect non-compliance and respond accordingly
Source: Open Compliance and Ethics Group
Governance, Risk, & Compliance Mgmt is more than just SOX (Section 404, 302)
• Enterprise Risk Management
• Operational Risk Management
• IT Governance
• Identity Mgmt
• Database Security
• Industry Regulations
• Environmental Regulations
• Records & Retention Mgmt
• Document and File Protections
• eMail Security
The Boundaries Constantly Changing
AMERICAS
• HIPAA
• FDA CFR 21 Part 11
• OMB Circular A-123
• SEC and DoD Records Retention
• USA PATRIOT Act
• Gramm-Leach-Bliley Act
• Federal Sentencing Guidelines
• Foreign Corrupt Practices Act
• Market Instruments 52 (Canada)
EMEA
• EU Privacy Directives
• UK Companies Law
• Restriction of Hazardous Substances (ROHS/WEE)
APAC
• J-SOX, C-SOX, K-SOX, C49, etc.
• CLERP 9: Audit Reform and Corporate Disclosure Act (Australia)
• Stock Exchange of Thailand Code on Corporate Governance
GLOBAL
• International Accounting Standards
• Basel II (Global Banking)
• OECD Guidelines on Corporate Governance
While Cost of Compliance Continues to Rise
• 2006-07: $29 Billion
• 2008-09: $32 Billion
“Governance, risk management, and compliance (GRC) spending will exceed $32B for 2008, up 7.4% from 2007, as companies shift toward identifying, assessing, and managing risk across numerous business and IT areas.”
-- The Governance, Risk Management, and Compliance Spending Report, 2008–2009, AMR Research
Practical Lessons from Sarbanes-Oxley
Most organizations progress through a maturity curve (cost and number of controls fall as the program matures):
• Year 1 & 2 - DEFINE: manual, redundant efforts
• Year 3 - RATIONALIZE: remediation & standardization
• Year 4+ - AUTOMATE, MONITOR & VERIFY: embedded GRC & operational excellence
New AS 5 Guidance:
• Top-down risk-based approach
• Tailor audit to specific company profile
• External auditors can use work of others as evidence
Pain Points Our Clients are Facing
Multiple Requirements, Fragmented Response
• No real-time visibility and communication to/from data, results, and status
• Duplication of efforts – silos of compliance/audit activity with limited collaboration across functional groups companywide
• Non-standard information architecture for audit/compliance activities
• Lack a sustainable platform for growth and change in business environment
Pain Points Our Clients are Facing
Insufficient Resources, Manual Efforts
• Cost of audit and compliance activities
• Not leveraging synergies of the broad spectrum of audit and compliance activities
• Cumbersome and manual processes – many man hours chasing and compiling paper
• Inconsistent audit plans, work paper methodologies, reporting, etc.
• No clearly defined roles and responsibilities holding individuals accountable for audit and compliance activities
Pain Points Our Clients are Facing
GRC as an Afterthought, Holding Up the Business
• No automated (preventive or mitigating) controls embedded into business processes
• Limited Enterprise Value Management – compliance activities not built into the DNA of business process
• Paradigm shift for external auditors and other outside auditors to leverage technology
GRC Drives Value
• Reduced control deployment time by 80%
• Reduced time for normal audit from 2 months to 2 days
• Reduced controls testing by 67%, with 55% time savings among internal teams & 42% reduction in external auditor time
• Improved control pass rate by 27% in first year (0% before)
• Reduced consulting fees by $1,000
• Reduced transaction time from 3-4 days to minutes
• Resolved 85% of SOD issues across ERP
• Reduced compliance turnaround time by 28%
• Reduced compliance costs by 30%
Intuit Achieves Payback in Less Than Five Months
COMPANY OVERVIEW
• Industry leading software & financial services company with popular products like TurboTax and QuickBooks
• Employees: 7,500
• Annual Revenue: $2.4 Billion
CHALLENGES / OPPORTUNITIES
• Inappropriate responsibilities granted to employees without review and approval
• Oracle application configurations being modified without notification to SOX Compliance Team
• Inefficient manual controls associated with SOX Compliance
SOLUTIONS
• Oracle GRC Controls Suite
CUSTOMER PERSPECTIVE
“We’ve been able to realize significant returns on our investment in the Oracle GRC Controls Suite to date. The 8.0 release of Oracle Application Access Controls Governor should help us continue our efforts to deliver well-controlled and efficient business processes, not only across the E-Business Suite, but also in our PeopleSoft and Siebel applications.” - Rob Singleton, Manager Controls Advisory Office
RESULTS
• Saved 55% time for internal departments
• Reduced 65% in controls testing
• Cut 42% in external auditor engagement
• Payback in less than 5 months
ROI Impact
External Audit Testing Requirements (2005 / 2006 / 2007 / 2008):
• Access Controls: 100% of controls / 33% of controls / ?% of controls
• Configuration Controls: 100% of controls / 65% of controls / ?% of controls
External Audit Level of Effort (2005 / 2006 / 2007 / 2008):
• Testing Time: 14 weeks / 14 weeks / 8 weeks / ?
• # of Auditors: 6 auditors / 4 auditors / ?
Internal Controls Advisory Office Impact – Access & Configuration Controls Review by CAO (FY05 / FY06 / FY07 / FY08):
• Review Time: 350 hrs / month, 90 hrs / month, 50 hrs / month
Since 2006, the Controls Advisory Office only tests new or modified configuration controls.
Qualcomm
COMPANY OVERVIEW
• World's premier wireless communications company
• Top 100 operational & strategic excellence – CIO magazine
• Revenue > $7.5 Billion
• 19 Operating Units
CUSTOMER PERSPECTIVE
“By using the embedded controls and workflows, we have been able to streamline complex interactions across multiple operating units, eliminate bottlenecks and validate accuracy much faster.” - Jeffrey Flecker, Snr VP & Corp Controller, Qualcomm
CHALLENGES / OPPORTUNITIES
• Accelerate financial close process
• SOX compliance and SOD, and streamline complex interactions across business units
• Eliminate bottlenecks
• Validate reporting accuracy, and fast
RESULTS
• Eliminated SOD conflicts to meet SOX compliance and improve financial close process
• Time to close each month – 2 days
• Time to file 10-Q – 25 days
• Time to file 10-K – 37 days
SOLUTIONS
• Oracle GRC Controls Suite
Customer Proof Points
“Oracle’s GRC technology…
• reduced our issue & remediation tracking time by 30%”
• reduced our reporting efforts by 20%”
• reduced our control and document aggregation efforts by 25%”
• reduced our year-over-year audit fees by 18%”
• resulted in a payback period of just over 1 year”
Agenda
• GRC Today
• Key Business Challenges
• GRC is Good Business
• Strategies to Consider - Oracle Solutions
• Wrap Up
Summary of Key Business Challenges
1. Multiple Requirements, Fragmented Response
2. Insufficient Resources, Manual Efforts
3. GRC as an Afterthought, Holding Up the Business
Sources: Adapted from Deloitte Consulting, Open Compliance and Ethics Group, and IDC

Strategies to Manage Risk and Compliance - Actions You Can Take Immediately
• Consolidate: multiple GRC activities, and provide real-time visibility (Oracle GRC Applications, Oracle GRC Intelligence)
• Automate: critical GRC tasks (Oracle GRC Manager)
• Embed: automated controls into business processes (Oracle GRC Controls)
GRC Application Suite – A la Carte
• GRC Intelligence: Alerts, Reports, Dashboards, Key Risk & Control Indicators
• GRC Manager: Processes, Risks, Policies, Issues, Assessments, Remediation, Procedures
• GRC Controls: Configuration Controls Governor, Transaction Controls Governor, Preventive Controls Governor, Application Access Controls Governor
• Covering Finance, Sales, Legal, HR, Mfg, R&D, Infrastructure, Suppliers, Customers and Applications
360º Visibility
• Single source of GRC information
• Pre-built dashboards
• Respond to KRI and issues
Centralized GRC Oversight
• Common repository for GRC
• Audit and assessment of controls
• Integrated remediation management
Embedded Controls
• Detective, preventive, contextual
• Automated controls testing
• Pre-built controls library

Governance, Risk & Compliance Controls
Enforce compliance with access, configuration & transactional controls
• Process Control
• Access Controls
• Configuration & Change Management Controls
• Transaction Controls
• Preventive Controls
Preventive versus Detective Controls
• Detective controls are based on monitoring or scanning databases for predefined conditions.
  • Value is in “finding violations faster”… after the fact.
  • Still have to remediate every violation.
• Preventive controls come in two flavors:
  • Basic prevention affects provisioning of user rights.
  • Contextual prevention affects user behavior in real-time.
  • Preventive controls eliminate remediation.
  • Value increases as you refine policies and processes.
• Need both detective and preventive controls to:
  • Balance risk with business continuity
  • Verify that controls are consistently effective
Access Controls
Provide fine-grained access control and segregation of duties: know who has access to do what, and ensure that someone isn’t given inappropriate privileges.
Detection
• Define Access Controls: define SOD conflict & business rules and policies
• Access Analysis: execute an access analysis engine that understands the application’s detailed access architecture
• Remediation (Clean-up): remediation and analysis via prepackaged reports & what-if simulation
Prevention
• Preventive Provisioning: real-time enforcement of SOD controls during user provisioning
• Compensating Policies: handle exceptions with compensating process & transaction analysis policies
Best Practice Policy Library
ERP SOD Control Library:
• Oracle 11.5.10: 216 policies*
• Oracle R12: 232 policies*
• PeopleSoft: 266 policies*
*Note: Best practice policy libraries deliver content from years of hands-on customer implementations. Each policy is comprised of several sub-policies and controls based on its complexity; the sum total of these sub-policies and controls is over 3,000 per ERP.

Entitlements = Groups of Access Points
Use entitlements to group access points that correspond to a common privilege (e.g. several different pages allow you to enter a journal entry…).

Manage False-positives with Exception Conditions
Use global and policy-level conditions to exclude false-positives from analysis and reporting.
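The access-analysis flow described on the preceding slides (entitlements grouping access points, SOD policies written against entitlements, global and policy-level exception conditions, and a preventive check at provisioning time) can be modelled in a few dozen lines. The following is an added example, not Oracle's code or the product's policy library; the role, access-point, entitlement and policy names and the sample users are constructed.

```python
"""Segregation-of-duties (SOD) analysis over a small ERP access model.

Added illustration; not Oracle's code. All names and users below are
constructed sample data.
"""
from dataclasses import dataclass, field
from itertools import product

# Entitlements group access points (menus, pages, functions) that grant the
# same business privilege, e.g. several pages that all create journals.
ENTITLEMENTS = {
    "ENTER_JOURNAL": {"GL_JOURNAL_ENTRY", "GL_JOURNAL_IMPORT", "GL_WEB_ADI"},
    "POST_JOURNAL": {"GL_JOURNAL_POST"},
    "CREATE_SUPPLIER": {"AP_SUPPLIER_ENTRY", "AP_SUPPLIER_MERGE"},
    "ENTER_INVOICE": {"AP_INVOICE_ENTRY", "AP_INVOICE_IMPORT"},
    "PAY_INVOICE": {"AP_PAYMENT_RUN"},
}

# Roles (responsibilities) grant access points; users hold roles.
ROLES = {
    "GL_CLERK": {"GL_JOURNAL_ENTRY", "GL_WEB_ADI"},
    "GL_MANAGER": {"GL_JOURNAL_POST", "GL_JOURNAL_ENTRY"},
    "AP_CLERK": {"AP_INVOICE_ENTRY"},
    "AP_SUPERUSER": {"AP_SUPPLIER_ENTRY", "AP_INVOICE_ENTRY", "AP_PAYMENT_RUN"},
    "READ_ONLY": set(),
}


@dataclass(frozen=True)
class Policy:
    name: str
    entitlement_a: str
    entitlement_b: str
    risk: str


# SOD policies are written against entitlements, not individual pages.
POLICIES = [
    Policy("JE-01", "ENTER_JOURNAL", "POST_JOURNAL", "High"),
    Policy("AP-01", "CREATE_SUPPLIER", "ENTER_INVOICE", "High"),
    Policy("AP-02", "ENTER_INVOICE", "PAY_INVOICE", "High"),
]


@dataclass
class User:
    name: str
    roles: set
    attributes: dict = field(default_factory=dict)


def access_points(user):
    """Flatten a user's roles into the set of access points they hold."""
    pts = set()
    for role in user.roles:
        pts |= ROLES.get(role, set())
    return pts


def conflict_paths(user, policy):
    """Return the (access_point_a, access_point_b) pairs that realise the conflict."""
    pts = access_points(user)
    side_a = pts & ENTITLEMENTS[policy.entitlement_a]
    side_b = pts & ENTITLEMENTS[policy.entitlement_b]
    return sorted(product(sorted(side_a), sorted(side_b)))


# Exception conditions: global ones apply to every policy, policy-level ones
# only to the named policy. Both exclude known false-positives.
GLOBAL_EXCLUSIONS = [lambda u: u.attributes.get("status") == "END_DATED"]
POLICY_EXCLUSIONS = {
    "JE-01": [lambda u: u.attributes.get("ledger") == "TEST_LEDGER"],
}


def excluded(user, policy):
    conditions = GLOBAL_EXCLUSIONS + POLICY_EXCLUSIONS.get(policy.name, [])
    return any(cond(user) for cond in conditions)


def analyze(users):
    """Detective mode: list (user, policy, risk, conflict paths) for every violation."""
    findings = []
    for user in users:
        for policy in POLICIES:
            if excluded(user, policy):
                continue
            paths = conflict_paths(user, policy)
            if paths:
                findings.append((user.name, policy.name, policy.risk, paths))
    return findings


def provisioning_check(user, new_role):
    """Preventive mode: simulate granting new_role and return the policies it would violate."""
    trial = User(user.name, user.roles | {new_role}, user.attributes)
    return [p.name for p in POLICIES
            if not excluded(trial, p) and conflict_paths(trial, p)]


# Constructed sample users; "dave" works in a test ledger and is excluded from JE-01.
USERS = [
    User("alice", {"GL_CLERK", "GL_MANAGER"}),
    User("bob", {"AP_SUPERUSER"}),
    User("carol", {"AP_CLERK", "READ_ONLY"}),
    User("dave", {"GL_CLERK", "GL_MANAGER"}, {"ledger": "TEST_LEDGER"}),
]

if __name__ == "__main__":
    for finding in analyze(USERS):
        print(finding)
    print("grant AP_SUPERUSER to carol would violate:", provisioning_check(USERS[2], "AP_SUPERUSER"))
```

Reporting conflict paths rather than just "policy violated" is what makes remediation actionable: the reviewer sees exactly which responsibility contributes each side of the conflict and can remove one access point instead of stripping a whole role.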
Screenshots: Conflict Paths; Policy Library (example policy: Lawson-1275, Lawson)
Application Configuration Controls
Detect and prevent configuration control failure: ensure that critical setups conform to best practices and follow robust change management procedures.
Detection
• Define Configuration Controls: define best practice policies & operating rules
• Document or Compare Configurations: record changes to sensitive setup data; compare before and after values for changes
• Monitor Configuration Changes: monitor for setup inconsistencies across multiple instances
Prevention
• Enforce Change Control: require conditional approval cycles (e.g., exceed threshold)
• Manage Data Integrity: validate that setups and data updates conform to valid values

Example of Setups and Key Controls
Setup Data
• Application Security
• Document Approvals
• Chart of Accounts
• Profile Options
• Users
• Application Setups
• MRP rules
Key Controls (Setups = Key Controls)
• Vendor tolerances
• 3-way matching of PO, Invoice and Receipt
• Document spending limits (authorization of PO)
• Security rules – access to sensitive transactions
• Employee salaries
• Chart of account values
• Financial statement reports (FSGs)
• Price lists
• Inventory attributes
• Action for late delivery of goods
• Inventory stocking rules
• Rules to create tax on sales orders
• Depreciation methods
Operational Data
• Customers
• Suppliers
• Employees
• Buyers
• Items
• Chart of Account Values
• Category Codes
Document Configurations
Compare Configurations: Differences
Monitor Configuration Changes: When? Where? Who? What?
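The configuration-control slides above describe four checks: compare a documented baseline against live setups, flag inconsistencies across instances, validate changes against allowed values, and require approval when a change crosses a threshold. The following added example implements those checks over a constructed setup snapshot and change log; it is not Oracle's code, and the setup names, instance names, valid-value rules and approval thresholds are assumptions made for illustration.

```python
"""Configuration-control checks over ERP setup data.

Added illustration, not Oracle's code. Setup names, instances, change-log
entries, valid values and approval thresholds are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional

# Documented baseline values for sensitive setups.
BASELINE = {
    "AP_3WAY_MATCH": "Y",
    "AP_VENDOR_TOLERANCE_PCT": 2,
    "PO_APPROVAL_LIMIT": 10000,
    "GL_JOURNAL_APPROVAL": "Y",
}

# The same setups as read from three instances.
INSTANCES = {
    "PROD": dict(BASELINE),
    "PROD_EU": {**BASELINE, "AP_VENDOR_TOLERANCE_PCT": 5},
    "DR": {**BASELINE, "AP_3WAY_MATCH": "N"},
}

# Data-integrity rule: the values a setup may legitimately take.
VALID_VALUES = {
    "AP_3WAY_MATCH": {"Y", "N"},
    "GL_JOURNAL_APPROVAL": {"Y", "N"},
    "AP_VENDOR_TOLERANCE_PCT": range(0, 11),
    "PO_APPROVAL_LIMIT": range(0, 1_000_001),
}

# Change-control rule: changes that need an approval before taking effect.
APPROVAL_RULES = {
    "AP_VENDOR_TOLERANCE_PCT": lambda old, new: new > old,        # loosening tolerance
    "PO_APPROVAL_LIMIT": lambda old, new: new - old > 5000,      # raising limit by > 5000
    "AP_3WAY_MATCH": lambda old, new: new == "N",                # switching matching off
}


@dataclass(frozen=True)
class Change:
    when: str
    where: str          # instance
    who: str
    what: str           # setup name
    old: object
    new: object
    approved_by: Optional[str]


def compare(reference, candidate):
    """Return {setup: (reference_value, candidate_value)} for values that differ."""
    return {k: (reference.get(k), candidate.get(k))
            for k in reference if reference.get(k) != candidate.get(k)}


def cross_instance_inconsistencies(instances, baseline):
    """Instances whose setups drift from the documented baseline."""
    return {name: compare(baseline, cfg)
            for name, cfg in instances.items() if compare(baseline, cfg)}


def valid(change):
    allowed = VALID_VALUES.get(change.what)
    return allowed is None or change.new in allowed


def needs_approval(change):
    rule = APPROVAL_RULES.get(change.what)
    return rule is not None and rule(change.old, change.new)


def review_changes(changes):
    """Return (setup, instance, finding) for changes that fail integrity or change control."""
    findings = []
    for c in changes:
        if not valid(c):
            findings.append((c.what, c.where, "INVALID_VALUE"))
        elif needs_approval(c) and not c.approved_by:
            findings.append((c.what, c.where, "UNAPPROVED_CHANGE"))
    return findings


# Constructed change log: when / where / who / what, with before and after values.
CHANGE_LOG = [
    Change("2010-01-12T09:14", "PROD_EU", "jsmith", "AP_VENDOR_TOLERANCE_PCT", 2, 5, None),
    Change("2010-01-13T17:02", "DR", "sysadmin", "AP_3WAY_MATCH", "Y", "N", "cfo_office"),
    Change("2010-01-14T11:30", "PROD", "jsmith", "PO_APPROVAL_LIMIT", 10000, 12000, None),
    Change("2010-01-15T08:45", "PROD", "ops", "GL_JOURNAL_APPROVAL", "Y", "MAYBE", "ops_lead"),
]

if __name__ == "__main__":
    print(cross_instance_inconsistencies(INSTANCES, BASELINE))
    print(review_changes(CHANGE_LOG))
```

The change log keeps the before and after value together with who, where and when, which is exactly what an auditor asks for; the approval rules are evaluated on the delta, so a small limit increase passes without ceremony while loosening a tolerance or disabling three-way matching does not.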
Transaction Controls
Detect and prevent erroneous and fraudulent transactions: monitor transactions to detect business policy violations or unacceptable levels of risk or inefficiency.
Detection
• Define Transaction Controls: identify transactions violating policy (e.g. un-approved vendor)
• Perform Transaction Analysis: detect patterns representing aggregate risk (e.g. micropayments)
• Review and Address Suspects: initiate review / approval cycle based on automated policies
Prevention
• Preventive Transaction Control: approvals based on transaction data thresholds

Comprehensive Transaction Monitors
Detect patterns of heightened risk in business activity
• Test against Material Thresholds
  • Journal Entry > $ threshold
  • Employee Checks (individual & sum) > $ threshold
• Search for Anomalies
  • PO terms differ from vendor
  • Sales orders > acceptable $ range
• Sampling of Transactions
  • 4th quarter invoices
  • Days sales outstanding balances
• Detect Fraudulent Behavior
  • PO changes after approval
  • Duplicate suppliers with same address
• Embed Contextual / Automated Compensating Controls
  • Alert on customer transactions over $ threshold
  • Prevent journals from being entered and posted by same individual
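Several of the monitors listed above (journal entries and employee checks over a threshold, PO terms differing from the vendor's, PO changes after approval, duplicate suppliers with the same address, journals entered and posted by the same individual) are shown below as detection logic run over constructed transaction records, plus the contextual preventive check that blocks the same-person posting before it happens. This is an added example, not Oracle's code; the thresholds, record layouts and sample data are assumptions made for illustration.

```python
"""Transaction monitors over constructed AP/GL activity.

Added illustration, not Oracle's code. Thresholds, record layouts and all
transactions below are constructed sample data.
"""
from collections import defaultdict

JE_THRESHOLD = 50_000            # material threshold for a single journal entry
EMPLOYEE_CHECK_THRESHOLD = 5_000  # applied per check and per employee total
APPROVED_VENDORS = {101, 103}

SUPPLIERS = [
    {"id": 101, "name": "Acme Supply Co", "address": "12 Main St, Springfield"},
    {"id": 102, "name": "ACME Supply Company", "address": "12 main st, springfield"},
    {"id": 103, "name": "Globex", "address": "99 Elm Ave, Shelbyville"},
]

JOURNALS = [
    {"je": "JE-1001", "amount": 12_000, "entered_by": "alice", "posted_by": "gl_mgr"},
    {"je": "JE-1002", "amount": 75_000, "entered_by": "bob", "posted_by": "gl_mgr"},
    {"je": "JE-1003", "amount": 4_000, "entered_by": "carol", "posted_by": "carol"},
]

EMPLOYEE_CHECKS = [
    {"check": "CK-1", "employee": "emp7", "amount": 3_000},
    {"check": "CK-2", "employee": "emp7", "amount": 2_500},
    {"check": "CK-3", "employee": "emp9", "amount": 900},
]

# Dates are ISO strings so plain string comparison orders them correctly.
PURCHASE_ORDERS = [
    {"po": "PO-500", "supplier": 101, "approved_at": "2010-01-10",
     "last_changed_at": "2010-01-09", "terms": "NET30", "supplier_terms": "NET30"},
    {"po": "PO-501", "supplier": 102, "approved_at": "2010-01-11",
     "last_changed_at": "2010-01-13", "terms": "NET60", "supplier_terms": "NET30"},
]


def normalize_address(address):
    """Case- and punctuation-insensitive key so near-duplicate addresses collide."""
    return " ".join(address.lower().replace(",", " ").split())


def duplicate_suppliers(suppliers):
    """Groups of supplier ids that share a normalized address."""
    groups = defaultdict(list)
    for s in suppliers:
        groups[normalize_address(s["address"])].append(s["id"])
    return [ids for ids in groups.values() if len(ids) > 1]


def journal_findings(journals):
    findings = []
    for j in journals:
        if j["amount"] > JE_THRESHOLD:
            findings.append((j["je"], "JE_OVER_THRESHOLD"))
        if j["entered_by"] == j["posted_by"]:
            findings.append((j["je"], "ENTERED_AND_POSTED_BY_SAME_USER"))
    return findings


def employee_check_findings(checks):
    """Individual checks over the threshold, then per-employee totals over it."""
    findings, totals = [], defaultdict(int)
    for c in checks:
        if c["amount"] > EMPLOYEE_CHECK_THRESHOLD:
            findings.append((c["check"], "CHECK_OVER_THRESHOLD"))
        totals[c["employee"]] += c["amount"]
    findings += [(emp, "EMPLOYEE_SUM_OVER_THRESHOLD")
                 for emp, total in totals.items() if total > EMPLOYEE_CHECK_THRESHOLD]
    return findings


def po_findings(pos, approved_vendors):
    findings = []
    for p in pos:
        if p["supplier"] not in approved_vendors:
            findings.append((p["po"], "UNAPPROVED_VENDOR"))
        if p["last_changed_at"] > p["approved_at"]:
            findings.append((p["po"], "CHANGED_AFTER_APPROVAL"))
        if p["terms"] != p["supplier_terms"]:
            findings.append((p["po"], "TERMS_DIFFER_FROM_VENDOR"))
    return findings


def may_post(journal, user):
    """Contextual preventive control: the person who entered a journal may not post it."""
    return user != journal["entered_by"]


def run_all():
    return {
        "duplicate_suppliers": duplicate_suppliers(SUPPLIERS),
        "journals": journal_findings(JOURNALS),
        "employee_checks": employee_check_findings(EMPLOYEE_CHECKS),
        "purchase_orders": po_findings(PURCHASE_ORDERS, APPROVED_VENDORS),
    }

if __name__ == "__main__":
    for monitor, result in run_all().items():
        print(monitor, result)
```

The detective monitors produce suspects for a review cycle; `may_post` is the preventive counterpart of the same-individual rule and is what a contextual control would evaluate inside the posting transaction, so that the violation never needs remediation.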
Efficient, Flexible Risk and Compliance Mgmt
• Improved scoping / audit assessments
• End-to-end certification mgmt
• Linking risks and controls to multiple regulations / processes
• Testing processes – efficiencies in AS 5
• Integrated control management
• Closed-loop issue remediation and reporting
• Workflow reassignment

GRC Orchestration
Unifies risk and compliance documentation with automated monitoring & notification
Cycle: Document (COSO/COBIT frameworks, risk-control matrix, policies and procedures, evidence & records retention) → Assess (perform risk assessment, scope audits) → Test manual controls / Monitor automated controls → Respond (receive alerts, review reports, analyze, investigate exceptions) → Optimize (remediate, retest) → Certify (sign-off and publish)
• Enterprise GRC system of record for process / policy and compliance documentation mgmt
• Integrated control management
• Integrated, centralized survey management
• Closed-loop issue remediation & reporting
• Supports all enterprise functional groups/users: Internal Audit, SOX, Corp Compliance and Risk Mgmt
Content Management is the Cornerstone
Single system of record for compliance information: single source of information, secure enterprise search across all content types, date-effective chain of custody, central repository.
• Link policies and procedures to laws, regulations, and standards as evidence of compliance
• Link shared policies and controls across laws, regulations, and standards
• Apply and track permission-based access to policy and procedure documents
• Leverage advanced search function with familiar look and feel
GRC Manager
Provides a single repository for regulatory objectives, risks and controls.

GRC Manager - Entity Level Controls
Provides a library to share controls and reduce testing: a single control can be shared across the organization’s separate business units.

GRC Manager – User-defined Hierarchies
Provides many-to-many linkage for objectives, risks and controls. Multiple hierarchies exist to represent regulations, business units and financial structures.

A full version history is maintained for all changes to all compliance elements in GRC Manager. You can always “go back in time” to view the state of your compliance environment as of a given “XX/YY/ZZ” date by simply clicking on the history tab and selecting the earlier version.
No Surprises - GRC Intelligence
• Pre-built dashboards aggregate information from all sources
• Produce attestations and disclosures
• Role-tailored analytics
• Combine GRC information from the entire stack
• Briefing Books – segmenting critical data to diverse groups
• Email alerts

No Surprises: Enterprise Visibility to GRC
Secured and targeted delivery of role-based dashboards. Sample notification from Oracle GRC Manager: “This is to notify you of regulatory alerts requiring your attention. The Executive Dashboard is awaiting your review. Please use the following link to access your reports: Go To ‘Executive Dashboard’.”
• Easy to use
• Transparency across ALL GRC initiatives
• Summarized view of key information, highlighting potential trouble areas
• Graphical, tabular, drill-down and integrated…
Dashboard examples:
• See which business units are failing which regulations and who originated it.
• Identify which process is having the most control issues.
• Open issue identification by business cycle and impacted.

Perform top-down, risk-based scoping by tying risks, control status, and issues to the consolidated financial picture.
Why GRC?
COMPLIANCE
• Accounting Standards, SAS-112, Privacy Laws, other Federal and State regulations
• BOARD MEMBERS – from industry – now expect Sarbanes-Oxley type controls and reports
BEST BUSINESS PRACTICE
• GRC has become best business practice for efficiency
• Control user access and reduce risk of fraud
• Automation reduces cost of compliance
SAFEGUARD REPUTATION
• Inappropriate use of finances
• Purchasing policy violations
• Data security leaks