Thousands of Hours Saved and Risk Reduced for EBS Upgrades & Implementations


Hear how a major engineering company and a healthcare provider have used Oracle GRC Advanced Controls to save thousands of hours in security access provisioning, configuration change control, testing, project management, and internal and external audit.

Published in: Technology, Business

  1. 1. Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal. Graphic Section Divider
  3. 3. The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
  4. 4. Reducing Risk for Oracle EBS Upgrades & Implementations (CON8830) Dane Roberts & Steve Dalton, Oracle Stephen D’Arcy, PwC Chuck Scheller, Harvard Pilgrim Health Care, Dir Business Systems
  5. 5. Join Our LinkedIn Group: Oracle GRC Advanced Controls. Follow us on Twitter: @OracleAdvCntrls
  6. 6. Program Agenda • Oracle Advanced Controls (OAC) • Upgrade Challenges • Case Study 1: CH2M • Case Study 2: Harvard Pilgrim Health Care • Realizing Value from OAC after Upgrade • Q&A
  7. 7. GRC Advanced Controls One Enterprise Foundation Enterprise Risk & Controls Foundation Dashboards, Reports and Alerts Notifications Worklists Email Perspectives Search Risk, Controls & Compliance Management Reviews Documentation Assessments Remediation Surveys Continuous Controls & Risk Monitoring Setups Access Master Data Audit Tests Transactions User Authored Controls Data Connectors Fraud & Error Patterns Role Based Access Security Web Services & APIs Custom or Legacy Applications Comprehensive • Enterprise Risk Management • Financial Governance • Continuous Controls Monitoring Flexible • Graphical Authoring • Detect and Prevent • Access, Transactions, Setups Data Driven (Big Data) • 100% of Transactions • Manage by Exception • Optimize Processes
  8. 8. Technical Innovation Robust Types of Automated Controls Preventive What users can do How is the process set up How users execute processes What users have done What’s changed in the process What are the execution patterns Monitor Control Effectiveness Enforce Policies in Context Segregation of Duties Application Configuration Transaction Monitoring
  9. 9. Standard + Advanced Controls User Roles 3-Way Match Approval Hierarchies Sentiment Analysis Split Purchase Orders Hide Displays of Sensitive Data Duplicate Payments Transaction Threshold Amounts Duplicate Vendors Fine-grained User Access Configuration Snapshots & Audit Trail Transaction Pattern Analysis Fuzzy Logic, ‘similar values’ Advanced Controls Standard Controls Social Media Policy E-learning Ethics Policy
  10. 10. Advanced Controls Enables you to: Improve Bottom-Line; Reduce Operational Risk; Increase Process Effectiveness …by Continuously Monitoring Your ERP Applications
  11. 11. Advanced Controls Make Processes More Effective, Efficient Reduce Operational Risk Improve Bottom Line Detect unwanted transactions Detect settings that cause loss Detect problematic exceptions Automate policy management
  12. 12. Program Agenda • Oracle Advanced Controls (OAC) • Upgrade Challenges • Case Study 1: CH2M • Case Study 2: Harvard Pilgrim Health Care • Realizing Value from OAC after Upgrade • Q&A
  13. 13. ERP Project Concerns: Implementation and Upgrades • Takes longer than expected • Undetected errors • Costs exceed budget • Unforeseen changes • Processes negatively impacted Improve using advanced control solutions
  14. 14. What Issues Were Encountered During Your Upgrade? • Unexpected changes to application set ups: 48% • Disruption to business transactions or workflow: 28% • Other applications breaking/unable to interoperate: 26% • Rise in end-user training costs: 26% • Outdated controls: 21% • Data damaged/altered: 19% • Surge in segregation of duties conflicts: 12% • Data exposed: 9% • Missed product launches/slower time to market: 7% • Other: 11% Source: OAUG Research Line, “Moving to New ERP Environments: 2011 OAUG Governance, Risk, and Compliance Best Practices Survey”
  15. 15. Advanced Access Controls Value for ERP Projects > Comply with access policies from day one > Design compliant roles > Automate the creation of BR-100s > Ensure instances are synchronized (ex: Test vs. Prod) > Avoid customizations with configurations and the creation of controls > Automate compliant user access provisioning > Reduce testing/debug time - identify changes > Reduce risk, time and cost of identifying, and correcting errant transactions that violate control policies > Define and manage complex multi-instance global access policies > Reduce and eliminate vulnerabilities due to undocumented/unknown configuration settings > Reduce internal and external costs where key control changes are necessary due to changed functionality
  16. 16. Program Agenda • Oracle Advanced Controls (OAC) • Upgrade Challenges • Case Study 1: CH2M • Case Study 2: Harvard Pilgrim Health Care • Realizing Value from OAC after Upgrade • Q&A
  17. 17. Leveraging Oracle Advanced Controls to accelerate your R12 project “A story of two different Oracle Advanced Controls implementation strategies for Oracle R12 projects”
  18. 18. The CH2M HILL Story “Implementing Oracle Advanced Controls during a global R12 re-implementation”
  19. 19. PwC Overview 1. Project Background & Scope 2. Implementation Approach - Stakeholders 3. Improving the bottom line for CH2M HILL 4. Examples of the Advanced Controls Solutions implemented 5. Keys to success 6. Benefits of implementing Oracle Advanced Controls during the R12 project
  20. 20. PwC Project Background & Scope Applications Tools Financials Security Procurement GRC Human Capital Mgmt. Plans & Methodologies Training Oracle Unified Method Industry Best Practices Oracle Applications Experience Projects Business Intelligence Standard Process • 98+ Prim ledgers, 10 Sec Ledgers, 170 OU’s, 50+ countries, 30,000+ end users
  21. 21. PwC Implementation Approach - Stakeholders Oracle Advanced Controls Process Design Workshops CEMLI/ RICEFW Internal Audit Government Compliance Dept Security Officers Business Process Owners
  22. 22. PwC Implementation Approach - Stakeholders Oracle Advanced Controls Process Design Workshops CEMLI/ RICEFW Internal Audit Government Compliance Dept Security Officers Business Process Owners
  23. 23. PwC Improving the bottom line for CH2M HILL • Replaced approximately 15% of the client’s 400+ Customizations ◦ Saved approximately 2000 developer hours ◦ On average it took 15-20 hours to build a PCG solution ◦ On average it was taking the EBS implementation partner 60-70 hours • Facilitating the Shared Services model for a global organization ◦ Centralized assessment of security and segregation of duties violations – Estimated Savings – approximately 500 hrs per year – 130 SOD Rules built in ◦ More detailed visibility into which users can perform critical functions within Oracle – especially in foreign locations. • Transaction Controls Implemented – saving time & benefiting the bottom line ◦ Already identified a number of duplicate payments for investigation and future recovery ◦ Monitoring for compliance exceptions (Enter vs Post Journals)
  24. 24. PwC Improving the bottom line for CH2M HILL • Over 100+ critical setups and configurations now being monitored ◦ Reduced time spent testing patches, troubleshooting EBS & validation automated controls • Over 130 security & segregation of duties rules built ◦ Accelerated security re-design evaluation & identified conflicts prior to go-live ◦ Will reduce Internal & External Audit testing time significantly going forward • Accelerating multiple Federal Compliance requirements and building many of the solutions into the EBS environment vs more time-consuming manual effort outside of a system
  25. 25. PwC Examples of the Advanced Controls Solutions built • Duplicate Payments • Journals posted by the same user • Prevent re-opening of projects assigned to inactive Organizations • Notification on chart of accounts changes • Alert when super-user responsibilities are used • Preventing changes to own pay elements • Identification of federal-related invoices where a variance exists between the invoice amount and the cash amount applied. • Identification of employees in the federal entities who have a salary outside of their defined salary range for their job grade.
  26. 26. PwC Keys to Success • Business led implementation of Oracle Advanced Controls ◦ What do you need? ◦ Why do you need it? ◦ What value will it bring you? ◦ Compared to other business requirements what is the priority? ◦ Are you prepared to own and operate the output post implementation? • CEMLI Assessment ◦ Worked with IT and the business to identify customization candidates that could be replaced with Oracle Advanced Controls ◦ Determined those CEMLI’s where it would be truly more efficient • Looking at things from a Shared Services perspective ◦ Leveraged to monitor activity across the global EBS footprint ◦ Duplicate payments, entering and posting journals, security/sod etc
  27. 27. PwC Benefits of implementing as part of the R12 project • Oracle Advanced controls viewed as an additional tool or accelerator by the project team • Ability to use PCG to address unique business requirements real time • Embed controls into the to-be processes as opposed to a more expensive retro-fit post go-live • Project ran in parallel with the overall EBS R12 re-implementation (did not impact or slow-down the critical path) • Tools were available to monitor activity during the project (e.g. configuration changes) • Helped the security re-design team understand where the potential conflicts sat prior to go-live as opposed to expensive re-design post go-live.
  28. 28. The Harvard Pilgrim Story “Implementing Oracle Advanced Controls prior to a R12 implementation” Private and confidential
  29. 29. PwC Agenda 1. Project Background 2. Project Approach 3. Key Benefits for Harvard Pilgrim 4. ROI Framework
  30. 30. PwC Project Background – Oracle GRC Manager (2010) • Harvard Pilgrim engaged with PwC in late 2010 to implement Oracle Governance Risk and Compliance Manager solution for Model Audit Rule (MAR) and SAS70 compliance activities and reporting • As a part of this initiative, PwC team members worked closely with HPHC’s Financial Controls Manager to design and implement a data repository for compliance content and automate periodic assessment activities and reporting for MAR and SAS70
  31. 31. PwC Project Background – Oracle Insight (2012) In 2012, PwC and Oracle Insight team conducted a week-long discovery session to identify opportunity for Harvard Pilgrim to leverage Oracle GRC Controls solution in advance of Oracle R12 upgrade. The team identified and recommended a three-phase iterative implementation project to build incremental value for Harvard Pilgrim: Phase 1 – Quick Wins (Current Scope) • Review, prioritize and identify key corporate-wide and division-specific controls for potential automation using Oracle GRC Controls • Maintain focus on acquiring value and decreasing manual effort by the audit teams in executing Segregation of Duties (SOD) testing, access reviews, and configuration change management • Implement SOD access controls (AACG) and configurations monitoring (CCG) Phase 2 – Facilitate R12 Upgrade and Implement Transaction Controls • Maximize usage of AACG and CCG to facilitate R12 upgrade efforts • Conduct workshops with business process owners to identify high risk transactional controls • Evaluate opportunity to implement transaction controls (TCG) to address key transactional level risk exposures in Oracle EBS Phase 3 – GRC Optimization Assessment • Evaluate opportunity to implement preventive/approval based SOD controls • Evaluate opportunity to implement approval based change control for key EBS configurations • Evaluate integration between GRC Control and GRC Manager to automate Model Audit Rules testing • Assess and provide scope for OHI integration to GRC Controls
  32. 32. PwC Key Benefits for Harvard Pilgrim • Reduce manual efforts to compile reporting packages for periodic access reviews and configuration change controls • Maintain integrity of system configurations and provide the ability to track unintended changes from periodic maintenance and patching activities • Establish Segregation of Duties policies to reduce the cost of R12 upgrade and prevent remediation of access violations post go-live • Reduce the level of effort to document and manage system configuration changes during R12 upgrade • Automate the continuous monitoring of key financial controls to reduce the risk of fraudulent transactions • Expected reduction in external audit scope and fees through the use of automated tool
  33. 33. PwC HPHC ROI Tangible Cost Savings (Total ROI 6 years) • Access Management – Leverage AACG to reduce the level of effort to provision, monitor, and remediate access risk exposures • Estimated reduction of 2,298 hours across IT, Internal and External Audit • Controls Management – Leverage CCG to reduce the level of effort to manage and test Oracle configuration change controls • Estimated reduction of 5,815 hours across IT, HPHC Business, Internal and External Audit • R12 Upgrade – Leverage AACG and CCG to facilitate R12 upgrade activities such as instance comparison and new responsibility design • Estimated reduction of 2,278 hours during R12 upgrade and subsequent periods
  34. 34. PwC HPHC ROI Risk Reduction • Reduce risk of Fraud, Waste and Abuse by leveraging continuous auditing of access and configuration change control • Reduce access risk exposure by defining and reviewing SOD and Restricted Access controls at the user and function level • Reduce risk of inappropriate changes to Oracle configuration by enhanced ability to test configuration change controls by producing system record of changes and audit trail evidence • Pushes controls testing responsibility & compliance ownership to business area owners. Frees internal audit hours to pursue other IA initiatives versus access and configuration controls testing • Preventive User Access Administration (automated SOD Policies via AIM)
  35. 35. Learn More PwC GRC Whitepaper “Leveraging advanced controls with E-Business suite implementation and upgrade projects” http://www.oracle.com/us/products/applications/ebusiness/optimizing-erp-projects-1855138.pdf Optimize your ERP Projects leveraging Oracle Advanced Controls
  36. 36. Program Agenda • Oracle Advanced Controls (OAC) • Upgrade Challenges • Case Study 1: CH2M • Case Study 2: Harvard Pilgrim Healthcare • Realizing Value from OAC after Upgrade • Q&A
  37. 37. The Opportunity • Any Time: Transform your business processes • ERP Implementation: Provide optimal control solutions from day 1 • ERP Upgrade: Add advanced controls to monitor and enhance ERP controls
  38. 38. Utilize Project Solutions Post-Production Prevent inappropriate activities with security rules Improve data integrity by monitoring setup changes Uncover unauthorized changes with embedded rules
  39. 39. Change in Internal Control Requirements [Chart: Requirements vs. Functional Compliance Levels, Year 1 to Year 4, with a region labelled GAP] • Manual Processes • Customizations • Change Control • More Audits Challenges: • Multiple ERPs • New Regulations • More Legal Entities • New Contracts Social Media Monitoring New Markets & Regions Processes Outsourced Acquisitions
  40. 40. Optimize Processes with Advanced Controls policies are followed for high-risk events cash leakage
  41. 41. Fix Cash Leakage On Every: Protiviti 2010 - Procurement Assessment and AP Recovery Solutions Amount of Cash Leakage:
  42. 42. Policies Evolve Over Time • Prevent viewing of sensitive data • Control extended customer terms • Restrict large sales discounts • Revise account rec’s risk ratings • Stop split purchase orders • Scrutinize PO price variances • Check unapproved vendors • Limit entertainment expenses • Tighten user access • Require approval of large credit memos • Review manual journal entries • Monitor POs entered on receiving day
  43. 43. Ensure Policies are Followed Controls Purchase orders not split? User access appropriate? Extended customer terms result in no write-offs?
  44. 44. Continuously Monitor for High-Risk Events
  45. 45. Customers (Sample) Public Sector Technology/Services Retail Energy Communication Industrial Logistics Healthcare/Life Sciences Mining/Exploration PRESENTING
  46. 46. Oracle Advanced Controls OOW2013 Sessions & Demo Pod Slides
  47. 47. Specialized Advanced Controls Partners • New Benefit for Advanced Controls owners • Specialized Partners: – Trained by Oracle: ◦ Designing and delivering OAC solutions – Demonstrated ability to deliver reliable OAC solutions • Coming soon
  48. 48. Demo Workstation Moscone West 1st Floor #W-013 Demo ID 3532 Workstation #: W-013 • Monday: 9:45 – 6:00 • Tuesday: 9:45 – 6:00 • Wednesday: 9:45 – 4:00
  49. 49. Demo Workstation Moscone West 1st Floor #W-013
  50. 50. Learn More About Oracle Advanced Controls: Monday • General Session: Empowering Modern Governance, Risk, and Compliance (12:15PM, Moscone West – 2006/2008, GEN8812) • Automate Robust User Access and Security Controls for PeopleSoft (10:45AM, Moscone West - 2009, CON8820) • Panel Discussion: Intelligent Controls for Key Business Processes & Upgrades in PeopleSoft (3:15PM, Moscone West - 3020, CON8822) • Deloitte: Leveraging Oracle GRC Technology to Reduce Revenue Loss, Cost Leakage & Fraud (3:15PM, Moscone West - 2000, CON8822)
  51. 51. Learn More About Oracle Advanced Controls: Tuesday • Top 10 Advanced Controls for Procure-to-Pay to Improve the Bottom Line (10:30AM, Moscone West – 2003, CON8814) • Center for Medicare & Medicaid Services Automates Internal Controls with Oracle GRC (3:45PM, St Francis – Elizabethan C/D, CON9346) • Enforce Segregation of Duties with Identity Management and Oracle Advanced Controls (5:15PM, Moscone West – 3018, CON8827)
  52. 52. Learn More About Oracle Advanced Controls: Wednesday • Optimizing Order-to-Cash with Oracle Advanced Controls for Oracle E-Business Suite (10:15AM, Moscone West – 3018, CON8816) • Reducing Risk for Oracle E-Business Suite Upgrades and Implementations (1:15PM, Moscone West – 3018, CON8830) • Panel Discussion: Intelligent Controls for Key Business Processes and Upgrades (3:30PM, Moscone West – 2002 / 2004, CON8832)
  53. 53. Learn More About Oracle Advanced Controls: Thursday • Advanced Access and User Security for Oracle E-Business Suite and Fusion Applications (2:00PM, Moscone West – 3018, CON8824) • Meet the Governance, Risk, and Compliance Experts (12:30PM, Moscone West 2001A, MTE9412)
  54. 54. The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.