Chief Risk Officer, American Fidelity, strengthens security with Advanced Controls

  1. Automate Robust User Access and Security Controls for PeopleSoft
     Speakers: David Maberry, Chief Risk Officer, American Fidelity Assurance Company; Madeline Osit, Chief Operating Officer, Beacon Application Services Corporation; Stephanie Golly, Sr. Product Manager, Oracle
  2. Agenda (Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal)
     • Introduction to AFA and David Maberry: a glimpse into the events leading up to the PeopleSoft and GRC Advanced Controls implementation
     • Introduction to Beacon Application Services: a glimpse into the implementation approach
     • Introduction to Advanced Controls, with a demonstration
     • Lessons learned
     • Q&A
  3. About American Fidelity Assurance (AFA) (Beacon Application Services Corporation, Proprietary and Confidential, www.beaconservices.com)
     American Fidelity provides supplemental health insurance benefits and financial services to education employees, auto dealerships, health care providers and municipal workers across the United States. American Fidelity has been named one of FORTUNE magazine's "100 Best Companies to Work For" in America for nine years. American Fidelity serves more than 1 million customers in 49 states and in 23 countries worldwide.
  4. Your Speaker from AFA: David Maberry, Chief Risk Officer
     • Responsible for developing and maintaining a comprehensive process for identifying, assessing, mitigating, monitoring and reporting key operational, financial, strategic, technology and regulatory risks that could impact the organization's operations.
     • Prior to coming to American Fidelity, worked for 10 years as a Principal and Director in Deloitte & Touche's Audit and Enterprise Risk Services practice in Los Angeles.
     • Has presented at numerous events hosted by the Institute of Internal Auditors (IIA) and the Information Systems Audit and Control Association (ISACA).
     • Frequent guest speaker at Texas A&M University, the University of Southern California and California State University, Los Angeles on enterprise risk management, internal control rationalization and information technology risk.
     • Graduate of Baylor University and the University of Wisconsin–Madison.
  5. Timeline for selection process (timeline graphic; labels as extracted): March 2011 – Investigation and Demo; June – Justification / Due Diligence; July 2011 – Implementation Scoping; August 2011 – Demonstration / Contract; July 2012.
  6. AFA pre-Oracle/PeopleSoft ERP
     • GL/AP: multiple systems, both home-grown and inherited through acquisition
     • Assets: FAS and CLAS
     • Cash management: manual
     • AR/Billing: manual for internal charges
     • Purchasing: manual, Excel/Access-based system
     • Hyperion for budget and planning
  7. AFA pre-Oracle/PeopleSoft ERP: Risks and Vulnerabilities
     • Outdated systems, some without vendor support, many unrecognizable
     • Lack of visibility and transparency into financial data
     • No analytics: no drilldown to detail, no information on separate accounts
     • Hard-coded integration with insurance administration systems, no flexibility
     • Lack of controls, with resulting worries about audit
     • Costs out of line with benefits
     • Quality compromises
     • Low internal customer satisfaction
     • Consolidations and allocations performed outside the ledger: lack of transparency and manual intervention
     • Usability issues
     • Finance viewed as reporters of data, not of information
  8. Key AFA Business Issues Addressed
     • Antiquated, non-integrated financial systems that required significant manual intervention
     • Complex and manually intensive reporting processes
     • Manual governance processes
  9. Reasons for Selecting PeopleSoft and Advanced Controls: Benefits (themes: Automation, Efficiency, Cost Reduction)
     • Enhanced user experience and reduction in manual tasks
     • Increased automation: straight-through processing
     • Higher efficiency, accuracy and timeliness of approvals, and tighter controls
     • Shift from manual to automated controls
     • Single source of truth for statutory, regulatory, tax, GAAP and management reporting
     • Eliminate disparate systems offering partial solutions that are difficult to maintain and reconcile
     • Transition away from legacy systems to support future growth through enabling technology
     • Reduction in audit costs and increased accountability to management
  10. Solution
      New financial platform
      • PeopleSoft Financials
      • PeopleSoft Cash Management
      • Supply Chain Procurement applications
      New financial reporting platform
      • PeopleSoft Financials
      • Oracle Business Intelligence Analytic Applications
      New governance framework
      • Oracle Advanced Controls for select PeopleSoft processes
      • Implemented in the initial go-live
  11. Why Advanced Controls
      • Brings a high-value product to: document, manage and remediate; enforce user access policies and procedures; control the introduction of new systems to the organization
      • Strong audit capabilities to reduce external audit costs
      • Tight integration with PeopleSoft security
  12. Project Approach
      Installation
      • Installation of the new financial ERP platform
      • Installation of delivered OBIAA solutions, with a roadmap for future capabilities
      Implementation
      • Implement the Advanced Controls foundation, targeting high-value controls with a roadmap for future expansion
      • Rapid implementation with low impact (time and budget) on the overall implementation
      Partner
      • Select a partner who could achieve these objectives as a co-owner of the implementation, with the expertise to pull it off
  13. Project Implementation Approach (diagram)
  14. About Beacon Application Services
      Beacon is an Oracle Platinum Partner exclusively focused on the delivery of services and software for PeopleSoft customers. Since 1993, Beacon has provided implementation, upgrade, enhancement and integration services for Human Capital Management, Financials and Supply Chain. To meet PeopleSoft customers' increasing regulatory requirements and complex information needs, Beacon also offers services for Advanced Controls for PeopleSoft and Oracle Business Intelligence, and the Oracle Validated BEAM suite of software to manage your PeopleSoft environment.
  15. Timeline for Project Activities (timeline graphic): January 2012 – Chartfield design workshop; Requirements through January 2013; July 2012 – Implementation / Construct; August 2013 – Test; January 2014 – Go Live. The aim was a timeline that achieved the objectives at a pace comfortable to AFA.
  16. Project Approach for PeopleSoft: Simplify, Automate, Consolidate, Standardize
      • Identify areas of pain in current business processes
      • Conduct Business Process Review sessions to document manual, off-line or redundant activities and high-audit-risk process areas
      • Create a future "to be" state that remediates the above, either through process redesign in delivered PeopleSoft applications or through adoption of Advanced Controls (AC)
      • Implement the Advanced Controls foundation, targeting high-value controls with a roadmap for future expansion rather than "biting off more than we could chew"
      • Embrace audit requirements as a fundamental part of the implementation rather than an afterthought
      • Target a specific area of concern to serve as a model for approaching all other target areas
  17. Advanced Controls: Business Drivers and Requirements
      • Eliminate cumbersome and costly manual auditing of system controls: reduction in time, increase in transparency
      • Reduce external audit cost and effort: reduction in cost
      • Enforce separation of duties: remove the access combinations that make fraud possible
      • Minimize risk of financial loss: reduction in cost
  18. Advanced Controls: Implementing our focus area
      Initial focus on the Procure-to-Pay process, where the highest risk was identified:
      • Separation of duties for adding and paying vendors: Advanced Controls identifies violations of the controls (conflicting entitlements) and flags them for correction
      • Paying unapproved invoices: addressed by implementing workflow approval processes
      • Identifying potentially fraudulent payments: AC was to be used to detect multiple payments that, taken together, bypass the threshold levels established in the application
  19. Advanced Controls: Approach
      Key to success was narrowing scope from all available controls to those material and appropriate to AFA: 255 delivered controls → 57 for Procure to Pay → 11 identified as pertinent (the goal).
  20. Controls Implemented
      No.  Control name                                      Entitlements in conflict
       1   Add Vendors & Create Vouchers                     1. Add Vendors  2. Create Vouchers
       2   Create Control Groups & Approve Control Groups    1. Create Control Group  2. Approve Control Groups
       3   Create Payments & Create Vouchers                 1. Create Vouchers  2. Create Payments
       4   Create Self Service Invoice & Create Urgent Payment   1. Create Self-Service Invoice  2. Create Urgent Payment
       5   Create Suppliers & Create Vouchers                1. Create Vouchers  2. Create Suppliers
       6   Create Voucher & Selective Payment Update         1. Create Vouchers  2. Selective Urgent Payment
       7   Create Voucher & Vendor Maintenance               1. Create Vouchers  2. Vendor Maintenance
       8   Create Voucher & Voucher Maintenance              1. Create Vouchers  2. Voucher Maintenance
       9   Create Vouchers & Approve Vouchers                1. Create Vouchers  2. Approve Vouchers
      10   Create Vouchers & Create Express Checks           1. Create Vouchers  2. Create Express Checks
      11   Create Vouchers & Print Checks                    1. Print Checks  2. Create Vouchers
  21. Tactical Steps
      • Install and activate the integration with Financials
      • Select the targeted business process (Procure to Pay)
      • Identify delivered entitlements and pare down the list
      • Execute delivered controls against the configured security
      • Produce delivered reports to identify conflicts
      • Adjust roles and rules as conflicts are identified
  22. Demonstration of how it's done!
  24. The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
  25. Prevent user from creating and paying the same supplier (flow diagram): Create Supplier → Invoice → Create Payment. Create Supplier + Create Payment for the same supplier is the conflict; Create Supplier + Create Payment for a different supplier (≠) is not.
  26. Prevent user from creating and paying the same supplier
      • AACG (preventive, on access): find users who could create and pay fictitious suppliers, i.e. users holding both the "Create Supplier" and "Create Payment" privileges, and remove one of the privileges when possible
      • TCG (Transaction Controls Governor; detective, on transactions): monitor users who have actually created and paid the same supplier, for the users who must retain both privileges
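The TCG bullet above is a detective control over what users actually did, as opposed to the AACG check over what they could do. The block below is an added example written for this page, not Oracle AACG or TCG code: it runs two transaction controls over a constructed audit trail, the "created and paid the same supplier" monitor from this slide and the split-payment check from slide 18 (several payments each under an approval threshold that together exceed it). The event shape, user and supplier IDs, amounts, the 10,000 threshold and the 30-day window are all assumptions.

```python
"""Added example: transaction-level monitoring in the spirit of the slide's TCG
bullet. Illustrative code written for this page, not Oracle's AACG or TCG code.
The event shape, user IDs, supplier IDs, amounts, threshold and window are
all constructed assumptions."""
from collections import defaultdict
from datetime import date

# Constructed audit-trail events: who performed which action against which supplier,
# when, and for how much (amount is 0 for non-payment actions).
EVENTS = [
    {"user": "jadams", "action": "create_supplier", "supplier": "S100", "date": date(2013, 3, 1), "amount": 0.0},
    {"user": "jadams", "action": "create_payment", "supplier": "S100", "date": date(2013, 3, 4), "amount": 4900.0},
    {"user": "jadams", "action": "create_payment", "supplier": "S100", "date": date(2013, 3, 5), "amount": 4800.0},
    {"user": "jadams", "action": "create_payment", "supplier": "S100", "date": date(2013, 3, 6), "amount": 4700.0},
    {"user": "bkim", "action": "create_supplier", "supplier": "S200", "date": date(2013, 3, 2), "amount": 0.0},
    {"user": "cdoe", "action": "create_payment", "supplier": "S200", "date": date(2013, 3, 9), "amount": 12000.0},
    {"user": "cdoe", "action": "create_payment", "supplier": "S300", "date": date(2013, 3, 10), "amount": 3000.0},
    {"user": "cdoe", "action": "create_payment", "supplier": "S300", "date": date(2013, 4, 20), "amount": 3000.0},
]


def same_user_created_and_paid(events):
    """(user, supplier) pairs where one user both created the supplier record and paid it.

    This is the detective counterpart of the AACG access check: it fires only on what
    actually happened, so it is the right monitor for users who must keep both privileges.
    """
    creators = {(e["user"], e["supplier"]) for e in events if e["action"] == "create_supplier"}
    payers = {(e["user"], e["supplier"]) for e in events if e["action"] == "create_payment"}
    return sorted(creators & payers)


def split_payments(events, threshold, window_days):
    """Flag (user, supplier) pairs whose payments, each individually below `threshold`,
    add up to `threshold` or more inside a sliding window of `window_days`.

    A single payment at or above the threshold goes through the normal approval path
    and is deliberately excluded: the control targets amounts split to stay under it.
    """
    by_key = defaultdict(list)
    for e in events:
        if e["action"] == "create_payment" and e["amount"] < threshold:
            by_key[(e["user"], e["supplier"])].append(e)
    flagged = {}
    for key, pays in by_key.items():
        pays.sort(key=lambda e: e["date"])
        for i, first in enumerate(pays):
            window = [p for p in pays[i:] if (p["date"] - first["date"]).days <= window_days]
            total = sum(p["amount"] for p in window)
            if len(window) > 1 and total >= threshold:
                flagged[key] = {"count": len(window), "total": total, "from": first["date"]}
                break
    return flagged


def run_controls(events, threshold=10000.0, window_days=30):
    """Run both transaction controls and return their findings as one report."""
    return {
        "created_and_paid_same_supplier": same_user_created_and_paid(events),
        "split_payments": split_payments(events, threshold, window_days),
    }


if __name__ == "__main__":
    for name, findings in run_controls(EVENTS).items():
        print(name, findings)
```

On the constructed data, jadams is reported by both controls: she created supplier S100 and then paid it three times, each payment under 10,000 but 14,400 in total within three days. The single 12,000 payment by cdoe is not a split (it is above the threshold and follows the normal approval path), and the two 3,000 payments to S300 fall outside the 30-day window. The window and threshold are the tuning knobs a control owner would set from the application's actual approval limits.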
  27. Advanced Controls Foundation (architecture diagram): many types of controls run against various business applications, including custom or legacy applications; a sophisticated controls monitoring and enforcement engine; a Fusion platform with dashboards, alerts and drilldowns.
  28. Advanced Controls: Embedded Dashboards
      • Move away from siloed information
      • Multiple ERPs monitored from a single application
      • Control totals and exposure areas available in a self-serve capacity
  29. Application Access Controls Governor (AACG)
      • Document, assess and certify application security/SOD policies
      • Library of pre-built automated SOD controls for EBS and PSFT
      • Author new controls, extend to any business application
      Advanced SOD and security controls (diagram): Define Access Controls → Access Analysis → Remediation (clean-up) → Compensating Policies, moving from detection to prevention (preventive provisioning).
  30. AACG: Finding Conflicts (one SOD conflict traced through two applications' access hierarchies)
      EBS: User: Janie Adams → Responsibility: Payables Super User (Process Operations) → Menu: AP_Navigate_GUI12 → Submenu: AZN_AP_Invoices_Entry → Function: Payments
      PeopleSoft: Role: Buyer → Permission List: Buyer Duty → Privilege: Create Purchase Order
      SOD conflict: Payments (EBS) with Create Purchase Order (PeopleSoft)
  31. Access Hierarchy Example: PeopleSoft (Copyright © 2012, Oracle and/or its affiliates)
      Role → Permission List → Menu → Component → Page → Definition (a menu holds one or more components, each with its pages and page definitions). The nodes of this hierarchy are the access points.
      Other important attributes: Business Unit, Effective Date, Set ID, Ledger, Account Lock, etc.
  32. Glossary of Terminology
      • Access Point: any level node in the access model hierarchy for a particular application.
      • Entitlement: a logical grouping of access points, e.g. all pages that allow a user to create a voucher, grouped as a single entitlement "Create Voucher".
      • Model / Control: a rule that defines toxic combinations of entitlements and/or access points.
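The glossary terms (access point, entitlement, control) and the PeopleSoft hierarchy on slide 31 are enough to build the conflict analysis that slides 20 and 21 describe: resolve every path by which a user reaches a page, roll pages up into entitlements, and test each user against the toxic pairs. The block below is an added example written for this page, not Oracle AACG code. It uses three of the eleven controls from slide 20 over constructed data; every user, role, permission list and page name is an invented assumption, and a real extract would be pulled from the PeopleTools security tables instead.

```python
"""Added example: a small access-conflict engine over a PeopleSoft-style access
hierarchy (user -> role -> permission list -> page), using the glossary's terms:
access points are the pages, entitlements group pages, controls are toxic pairs of
entitlements. Illustrative code written for this page, not Oracle AACG; every user,
role, permission list and page name below is a constructed assumption."""

# Constructed PeopleSoft-style security data. A real extract would come from the
# PeopleTools security tables; the names here are invented for the example.
USER_ROLES = {
    "jadams": ["AP_Clerk", "AP_Supervisor"],
    "bkim": ["AP_Clerk"],
    "cdoe": ["Buyer"],
}
ROLE_PERMLISTS = {
    "AP_Clerk": ["AP_ENTRY"],
    "AP_Supervisor": ["AP_APPROVE", "AP_PAY"],
    "Buyer": ["PO_ENTRY"],
}
PERMLIST_PAGES = {
    "AP_ENTRY": ["VCHR_EXPRESS", "VNDR_ID"],
    "AP_APPROVE": ["VCHR_APPROVE"],
    "AP_PAY": ["PYCYCL_MGR", "VCHR_EXPRESS"],  # a second, less obvious route to voucher entry
    "PO_ENTRY": ["PURCHASE_ORDER"],
}
# Entitlements: logical groupings of access points (here, pages).
ENTITLEMENTS = {
    "Add Vendors": {"VNDR_ID"},
    "Create Vouchers": {"VCHR_EXPRESS"},
    "Approve Vouchers": {"VCHR_APPROVE"},
    "Create Payments": {"PYCYCL_MGR"},
}
# Controls: toxic pairs of entitlements (three of the eleven from the slide).
CONTROLS = [
    ("Add Vendors", "Create Vouchers"),
    ("Create Vouchers", "Approve Vouchers"),
    ("Create Payments", "Create Vouchers"),
]


def access_paths(user, user_roles=USER_ROLES):
    """Every (role, permission list, page) path by which `user` reaches a page."""
    for role in user_roles.get(user, []):
        for perm_list in ROLE_PERMLISTS.get(role, []):
            for page in PERMLIST_PAGES.get(perm_list, []):
                yield (role, perm_list, page)


def entitlement_paths(user, user_roles=USER_ROLES):
    """Map each entitlement the user holds to the set of access paths that grant it."""
    held = {}
    for path in access_paths(user, user_roles):
        for name, pages in ENTITLEMENTS.items():
            if path[2] in pages:
                held.setdefault(name, set()).add(path)
    return held


def find_conflicts(user, user_roles=USER_ROLES):
    """One incident per violated control, carrying the concrete paths on both sides
    so a reviewer can see which role or permission list to change."""
    held = entitlement_paths(user, user_roles)
    incidents = []
    for left, right in CONTROLS:
        if left in held and right in held:
            incidents.append({
                "user": user,
                "control": f"{left} & {right}",
                "paths": {left: sorted(held[left]), right: sorted(held[right])},
            })
    return incidents


def remediation_options(user):
    """For each role the user holds, how many conflicts would remain if only that
    role were removed. Shows which single change clears the most findings."""
    options = {}
    for role in USER_ROLES[user]:
        trimmed = dict(USER_ROLES)
        trimmed[user] = [r for r in USER_ROLES[user] if r != role]
        options[role] = len(find_conflicts(user, trimmed))
    return options


if __name__ == "__main__":
    for user in USER_ROLES:
        for incident in find_conflicts(user):
            print(incident["user"], incident["control"], incident["paths"])
    print(remediation_options("jadams"))
```

The point the paths make visible is that jadams reaches "Create Vouchers" twice: once through the clerk role, as expected, and once through the supervisor's AP_PAY permission list, which is why removing the clerk role alone still leaves two conflicts. That is the "adjust roles and rules" step of slide 21 in miniature: the fix is usually to split the permission list, not just to take a role away.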
  33. Demonstration
      • Review model definition
      • Analyze results
      • Modify entitlement
      • Deploy control
      • Generate incidents
      • Secure, route and remediate incidents
  34. Demonstration Summary
      Leverage delivered content
      • Review entitlements and model definition
      • Modify to fit needs and generate focused results
      • Complement PeopleSoft embedded controls with Advanced Controls
      Secure, route and take action
      • Limit who can see generated results
      • Route generated results for investigation, review and approval
      • Determine and document remediation actions
      Implementation or upgrades
      • Validate the role structure during a PeopleSoft implementation
      • Identify and update role structures during an upgrade
  35. Lessons Learned
      • While implementing new systems, integrating a formal risk-management approach increases the value of the effort
      • Staying on point for a focus area narrows the work effort
      • A smaller scope enables confirmation with the audit team that this is a viable and valid solution for all business processes
  36. Lessons Learned
      • Once completed, it provides not only a proof of concept but a foundation for future expansion
      • As the system is deployed and the user population changes or grows, delivered reports and remediation steps become part of normal maintenance
      • Create a roadmap for the future based on feedback from internal and external auditors about high-risk areas
  37. Lessons Learned: not just for new implementations
      Upgrades
      • Security is one area likely to get out of control: time to fix it!
      • Advanced Controls can resolve negative audit findings in your current PeopleSoft implementation
      • Advanced Controls findings can help justify the upgrade cost
      New modules
      • Security will be reviewed in light of new roles; integrating Advanced Controls into this work effort minimizes overall cost
      • Especially pertinent when expanding Payables to a full Procure-to-Pay solution
      • Updates to SOX documentation will incorporate additional, tighter controls
      Standalone GRC
      • Easily cost-justified by the reduction in audit costs
      • Great target area for IT compliance as well as business requirements
      • Quick win for maximum return
  38. Questions: Beacon Application Services Corporation, info@beaconservices.com
  39. Oracle Financial Services: The Choice of Experience. Madeline Osit, Beacon Application Services Corporation, mosit@beaconservices.com, 508.663.4407
  40. Oracle Advanced Controls OOW2013 Sessions and Demo Pod Slides
  41. Demo Workstation: Moscone West, 1st Floor, #W-013 (Demo ID 3532). Hours: Monday 9:45–6:00, Tuesday 9:45–6:00, Wednesday 9:45–4:00
  43. Learn More About Oracle Advanced Controls: Monday
      • General Session: Empowering Modern Governance, Risk, and Compliance – 12:15PM, Moscone West 2006/2008 (GEN8812)
      • Automate Robust User Access and Security Controls for PeopleSoft – 10:45AM, Moscone West 2009 (CON8820)
      • Panel Discussion: Intelligent Controls for Key Business Processes & Upgrades in PeopleSoft – 3:15PM, Moscone West 3020 (CON8822)
      • Deloitte: Leveraging Oracle GRC Technology to Reduce Revenue Loss, Cost Leakage & Fraud – 3:15PM, Moscone West 2000 (CON8822)
  44. Learn More About Oracle Advanced Controls: Tuesday
      • Top 10 Advanced Controls for Procure-to-Pay to Improve the Bottom Line – 10:30AM, Moscone West 2003 (CON8814)
      • Center for Medicare & Medicaid Services Automates Internal Controls with Oracle GRC – 3:45PM, St Francis, Elizabethan C/D (CON9346)
      • Enforce Segregation of Duties with Identity Management and Oracle Advanced Controls – 5:15PM, Moscone West 3018 (CON8827)
  45. Learn More About Oracle Advanced Controls: Wednesday
      • Optimizing Order-to-Cash with Oracle Advanced Controls for Oracle E-Business Suite – 10:15AM, Moscone West 3018 (CON8816)
      • Reducing Risk for Oracle E-Business Suite Upgrades and Implementations – 1:15PM, Moscone West 3018 (CON8830)
      • Panel Discussion: Intelligent Controls for Key Business Processes and Upgrades – 3:30PM, Moscone West 2002/2004 (CON8832)
  46. Learn More About Oracle Advanced Controls: Thursday
      • Advanced Access and User Security for Oracle E-Business Suite and Fusion Applications – 2:00PM, Moscone West 3018 (CON8824)
      • Meet the Governance, Risk, and Compliance Experts – 12:30PM, Moscone West 2001A (MTE9412)
  47. Specialized Advanced Controls Partners
      • A new benefit for Advanced Controls owners
      • Specialized partners are trained by Oracle in designing and delivering OAC solutions and have demonstrated the ability to deliver reliable OAC solutions
      • Coming soon
  48. @OracleAdvCntrls
