Using Oracle GRC software to automate and proactively monitor your E-Business Suite
2. Using Oracle’s GRC Software Suite to automate and proactively monitor your E-Business Suite
Session 9333
3. Introduction
• Brad Storts, AXIA Consulting (Brad.Storts@axiaconsulting.net)
• Client: a utility company in the Midwest
• Better controls over the Oracle E-business suite
• A tool to manage SOX compliance
• Solution: Oracle GRC software suite
5. Preventative Controls Governor
• Tool to control user viewing and changing of E-Business Suite (EBS) data
• Application is embedded in your EBS as a custom application
o No hardware required
o Higher risk of adversely impacting your key processing
• Three types of rules
o Form rules: interact directly with an EBS java form
o Flow rules: fired from a database trigger or a periodic schedule
o Audit or change control rules: triggered by EBS table changes
6. Form / Flow Control
Rule type and the control it implements:
• Audit: Track changes in values for the 10 segments of the GL accounting flexfield
• Form: Prevent a receipt against a 2-Way PO line (excludes purchase orders created before 8/21/2011)
• Form: Prevention when a PO has a distribution line with a General Ledger liability account
• Form: Prevention when a PO has a distribution line to an asset GL account (1010000 to 1219999) but no project and task
• Form: Force a 2-Way PO for services to have a price of $1
• Flow: Notification when a non-stock PO is closed with remaining dollars
• Flow: Notification to requisitioner when 80% of a services purchase order total is reached
• Flow: Notification for unbalanced journals posted during month end closing
• Flow: Notification of HR location changes
• Flow: Department or employee group (union / management) quarterly report on changes
• Form: Hide social security number for HR inquiry users
• Flow: Notification of new supervisors to HR
• Flow: Notification on projects where actual costs are approaching budgeted costs
• Flow: Notification on missed payment discounts
• Flow: PO terms differ from vendor terms
• Flow: Alert AP when max ship on hold is released as more money is added to the purchase order
• Flow: AFUDC flag set incorrectly for projects
• Form: Stop user from matching a receipt against a PO they created or approved
• Flow: Notify WAM Help Desk if a purchasing category is created or changed
• Form: Validate that new employees are not missing a schedule or rotation plan, earning policy, or payroll in OTL, based on employee category
• Audit: Audit report on certain supplier changes
• Flow: Payment terms changed on an invoice from what was on the PO
• Flow: Notification to requisitioner when a non-stock item is received
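The two receipt-related form rules above (no receipt against a post-cutoff 2-Way PO line, and no receiving against a PO you created or approved) are preventive: the form refuses the entry rather than reporting it later. The following is an added illustration written for this page, not code from the deck or from Oracle's PCG; the PO records and user names are constructed, and the rule messages are assumed.

```python
from datetime import date

# Constructed PO records (all values made up); in EBS these would come from
# the PO header/line the form rule reads at receipt time.
PURCHASE_ORDERS = {
    "PO-1001": {"match_level": "2-way", "created": date(2011, 9, 1),
                "created_by": "jsmith", "approved_by": "mgr1"},
    "PO-1002": {"match_level": "2-way", "created": date(2011, 6, 1),
                "created_by": "jdoe", "approved_by": "mgr1"},
    "PO-1003": {"match_level": "3-way", "created": date(2012, 1, 15),
                "created_by": "jdoe", "approved_by": "mgr2"},
}
# The 2-Way rule on the slide excludes purchase orders created before 8/21/2011.
TWO_WAY_CUTOFF = date(2011, 8, 21)

def receipt_rule_violations(po_id, receiving_user, pos=PURCHASE_ORDERS):
    """Evaluate both form rules against one receipt attempt.

    Returns the list of messages that would block the receipt; an empty list
    means the form would let the receipt through.
    """
    po = pos[po_id]
    errors = []
    # Rule: prevent a receipt against a 2-Way PO line (post-cutoff POs only)
    if po["match_level"] == "2-way" and po["created"] >= TWO_WAY_CUTOFF:
        errors.append("Receipts are not allowed against 2-Way PO lines")
    # Rule: stop the user matching a receipt against a PO they created or approved
    if receiving_user in (po["created_by"], po["approved_by"]):
        errors.append("User may not receive against a PO they created or approved")
    return errors

if __name__ == "__main__":
    for po_id, user in [("PO-1001", "rcv1"), ("PO-1002", "rcv1"), ("PO-1003", "jdoe")]:
        print(po_id, user, receipt_rule_violations(po_id, user) or "allowed")
```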
12. Preventative Controls Governor Lessons Learned
• Requires custom.pll updates – form rules only impact Java forms, not HTML
• Documentation references applcust.txt; ignore it (not used in R12)
• Create a browse-only PCG responsibility to be able to browse rules
• Cloning environments works, you just need to add additional steps to be able to migrate rule changes
• When migrating rules, you have to recompile triggers and re-enter periodic rules as well as audit rules
• Watch out for triggers based on dates; triggers may not handle nulls correctly
13. Access Controls Governor
• Evaluates Oracle access and can prevent or monitor policy violations
• Runs on separate hardware using Oracle Data Integrator to pull information from the EBS about users, responsibilities, menus, and functions
• Incidents are created and tracked to resolution
14. Access Controls Governor - Benefits
• Moved from a manual process to an automated process to check for segregation of duties violations
• We found responsibilities that needed to be changed
• We found some users with access they didn’t need
• A lot of work on the initial setup and cleanup of false positives, but very little work to maintain after that
15. You can visualize the paths, from the user through the responsibility through the menus to the functions that cause the segregation of duties conflict.
21. Access Controls implementation
• Lots of initial work to weed out many false positives
o System accounts show up with lots of violations
o Some responsibilities do not really allow the function
  Some screens allow browse only
  Receiving: organizations not defined
o Cleanup can also be time consuming: reviewing all the incidents and trying to figure out what the proper course of action is
22. Access Controls Governor lessons learned
• The default is to evaluate access based on email. Note that several users can share an email address, which causes a lot of confusion, so you should change the key to email + user id (our example: IT support staff ids created from existing users)
• The ability to forecast conflicts is limited: you can see the impact of modifying a responsibility or menu, but you can’t see the potential impact of giving a responsibility to a user (which is much more common in my opinion)
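The path visualization on slide 15 and the email-keying lesson above both come down to how the governor groups access per identity before checking conflict pairs. The following is an added example for this page, not the Access Controls Governor's code or the deck's: the user/responsibility/menu/function hierarchy, the conflict pair and the names are all constructed. Keying on email alone merges the cloned IT support id with its source user and produces a second, false incident.

```python
# Constructed sample of the access hierarchy the governor pulls from EBS:
# (user id, email) -> responsibilities -> menus -> functions. All values made up.
USER_RESPS = {
    ("jsmith", "jsmith@example.com"): ["AP Invoice Entry", "AP Payments"],
    ("jdoe",   "jdoe@example.com"):   ["AP Invoice Entry"],
    ("itsup1", "jdoe@example.com"):   ["AP Payments"],  # IT support id cloned from jdoe
}
RESP_MENUS = {
    "AP Invoice Entry": ["AP_INVOICES_MENU"],
    "AP Payments":      ["AP_PAYMENTS_MENU"],
}
MENU_FUNCTIONS = {
    "AP_INVOICES_MENU": ["AP_INVOICE_ENTER", "AP_INVOICE_INQUIRY"],
    "AP_PAYMENTS_MENU": ["AP_PAYMENT_CREATE"],
}
# Constructed SoD policy: one identity must not reach both functions.
CONFLICTS = [("AP_INVOICE_ENTER", "AP_PAYMENT_CREATE")]

def access_paths(resps):
    """Map each reachable function to the (responsibility, menu) paths leading to it."""
    paths = {}
    for resp in resps:
        for menu in RESP_MENUS.get(resp, []):
            for func in MENU_FUNCTIONS.get(menu, []):
                paths.setdefault(func, []).append((resp, menu))
    return paths

def sod_incidents(key_by_user_id=True):
    """Group access per identity and report each conflict with its full paths.

    key_by_user_id=False mimics the default of keying identities on email alone,
    which merges every user id that shares an address into one identity.
    """
    by_identity = {}
    for (user_id, email), resps in USER_RESPS.items():
        ident = (email, user_id) if key_by_user_id else email
        by_identity.setdefault(ident, []).extend(resps)
    incidents = []
    for ident, resps in by_identity.items():
        paths = access_paths(resps)
        for a, b in CONFLICTS:
            if a in paths and b in paths:
                incidents.append({"identity": ident, "conflict": (a, b),
                                  "paths": {a: paths[a], b: paths[b]}})
    return incidents

if __name__ == "__main__":
    print("email + user id:", [i["identity"] for i in sod_incidents()])
    print("email only:     ", [i["identity"] for i in sod_incidents(key_by_user_id=False)])
```

Each incident carries the responsibility and menu that lead to each conflicting function, which is the path the slide 15 visualization draws.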
23. Transaction Controls Governor
• Review EBS transactions to highlight potential issues (fraud, bad data, policy violations, etc.)
o Review manual journal entries posted during certain times of the month
o Review employee expenses
o Review duplicate invoices
26. Results of transaction model run for journals entered manually over a certain dollar limit:
27. Employee Expense Accelerator
• Free content / software from Oracle
• Requirements:
• Run TCG 8.6.3.4000
• EBS: iExpense
• Deploy some tables and views on your EBS
28. Sample models included in Employee Expense Accelerator
• Employee Claims Per Diem and Meals
• Employees consistently missing receipts, indicating fraud
• Employees with large number of round dollar amounts close to the approval limits
• Employees split expenses for a large event
• Single or multiple employees submit the same receipt more than one time
• Hotel Expenses without other travel related expenses
• Employees delinquent frequently
• Employee Expenses Spike
• Department Expenses Spike
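Two of the sample models listed above (the same receipt submitted more than once by one or several employees, and repeated round-dollar amounts close to the approval limit) reduce to simple aggregations over expense lines. The following is an added example written for this page, not content from the Employee Expense Accelerator or the deck; the expense lines are constructed, and the approval limit, the 5% band and the two-hit minimum are assumed thresholds.

```python
from collections import defaultdict

# Constructed iExpense-style expense lines, shaped to trip both models.
EXPENSE_LINES = [
    {"employee": "E100", "report": "R1", "receipt": "RCPT-778", "amount": 245.30},
    {"employee": "E100", "report": "R2", "receipt": "RCPT-778", "amount": 245.30},  # resubmitted
    {"employee": "E101", "report": "R3", "receipt": "RCPT-778", "amount": 245.30},  # other employee
    {"employee": "E102", "report": "R4", "receipt": "RCPT-910", "amount": 490.00},
    {"employee": "E102", "report": "R5", "receipt": "RCPT-911", "amount": 495.00},
    {"employee": "E102", "report": "R6", "receipt": "RCPT-912", "amount": 500.00},
    {"employee": "E103", "report": "R7", "receipt": "RCPT-913", "amount": 123.45},
]
APPROVAL_LIMIT = 500.00   # assumed approval threshold
NEAR_LIMIT_BAND = 0.05    # assumed: flag round amounts within 5% below the limit
MIN_ROUND_HITS = 2        # assumed: a pattern per employee, not a one-off

def duplicate_receipts(lines):
    """Receipts that appear on more than one report, by the same or different employees."""
    reports = defaultdict(set)
    for ln in lines:
        reports[ln["receipt"]].add((ln["employee"], ln["report"]))
    return {r: sorted(v) for r, v in reports.items() if len(v) > 1}

def round_near_limit(lines, limit=APPROVAL_LIMIT, band=NEAR_LIMIT_BAND,
                     min_hits=MIN_ROUND_HITS):
    """Employees with repeated whole-dollar amounts just under the approval limit."""
    hits = defaultdict(list)
    for ln in lines:
        amt = ln["amount"]
        if amt == int(amt) and limit * (1 - band) <= amt <= limit:
            hits[ln["employee"]].append(amt)
    return {e: a for e, a in hits.items() if len(a) >= min_hits}

if __name__ == "__main__":
    print("duplicate receipts:", duplicate_receipts(EXPENSE_LINES))
    print("round amounts near limit:", round_near_limit(EXPENSE_LINES))
```

Both functions return results after the expense reports exist, which is the detective (after the fact) nature of TCG that the review slide below points out.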
29. Transaction Controls Governor review
• Good for detective controls, not preventive since you are alerted after the fact
• Designed for non IT personnel to be able to use
• Note: objects have been developed for some EBS subject areas, but certainly not all (we ended up using PCG often where content was missing for TCG)
30. Configuration Controls Governor
• Application that monitors changes to key setup values
• Compare snapshots of setups from one point in time to another, or between instances
32. Here a user changes the receiving tolerance in EBS
33. The CCG user receives a notification via email that a key setup has been modified:
34. The user can log into CCG and see who made the change, when, and what the old value was:
35. CCG Snapshot: easily create a snapshot of your EBS, and then compare it to another instance or to another point in time:
36. CCG Lessons Learned
• Another detective control tool; it will not prevent entry
• Connecting to a data source takes about 1-2 hours, and every time you refresh an instance you have to reconnect
• No good way to clone / refresh from production to test
• Snapshots can run for a long time and consume lots of EBS resources – and can be tricky to cancel (the terminate button doesn’t show up until you kill the process in EBS)
37. GRC Manager
• Tool to document your business processes, the risks associated with those processes, and the controls to mitigate those risks
• Designed to manage SOX compliance, or any similar compliance requirements
• Completely separate application from EBS
• GRC Intelligence is the reporting solution, using Oracle Business Intelligence to extract data from GRC Manager
43. GRC Manager and GRC Intelligence
• We implemented GRCM 7.8 and GRCI 2.0; there is a new GRC Manager (“Fusion Edition”) which you would want to review – there is no upgrade path from GRCM 7.8
• GRCM 7.8 is built on Stellent Content Management, GRCI 2.0 is built on OBIEE – a steep learning curve if your organization doesn’t already use these