The document outlines Oracle's GRC (Governance, Risk, and Compliance) Advanced Controls presentation, emphasizing the need for organizations to adopt modern technology strategies to improve risk management, compliance, and operational efficiency. It includes a case study of the Intercontinental Exchange (ICE) detailing their implementation of Oracle Advanced Controls to address operational needs across multiple ERP systems. Key challenges and opportunities for future expansion are also discussed, highlighting stakeholder involvement and the importance of automation in compliance processes.

2. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. |
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
2

3. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. |
Controlling for Multiple ERP Systems with Oracle Advanced Controls
CON8154
Eugene Hugh - InterContinental Exchange
Dane Roberts – Oracle GRC Strategy
Stephen D’Arcy - PWC
October 2, 2014
Presented with
@OracleAdvCntrls
Oracle GRC Advanced Controls

4. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. |
Agenda
What are Oracle GRC Advanced Controls?
Case Study:
•Background
•ICE Requirements
•Challenges
•Solutions
•Project Summary
•What’s Next?

5. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. |
5
Reality: Document/Email Approaches Challenge GRC
OCEG SURVEY • 2014 GRC Technology Strategy Survey • www.OCEG.org HOW ORGANIZATIONS APPROACH AND ADAPT THEIR TECHNOLOGY STRATEGY FOR GRC
70%
SPREADSHEETS, DOCUMENTS, EMAIL & IN-HOUSE SOLUTIONS
30%
1 OR MORE COMMERCIAL GRC SOLUTIONS
The lack in modern technology makes achieving goals challenging
The impact on FTE’s is particularly significant
One financial services organization stated that 80% of their GRC staff resources were nothing more than document reconciles for reporting. […] A mess they are aggressively trying to correct.
of GRC professionals reported that they use Spreadsheets, Emails, Custom Reports Apps.
70%

6. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. |
6
When looking for new GRC technology, organizations indicate that the primary goals they aim to achieve are:
Drivers: for Adopting New GRC Technology
OCEG SURVEY • 2014 GRC Technology Strategy Survey • www.OCEG.org HOW ORGANIZATIONS APPROACH AND ADAPT THEIR TECHNOLOGY STRATEGY FOR GRC
INCREASE ANALYTICS & RAPID VISIBILITY OF RISK
Complex risk and regulatory environments demand advanced capabilities of risk data integration and analytics to provide full situational awareness of risk”
#1
IMPROVE CONSISTENCY OF INFORMATION Organizations are realizing that good GRC requires good information, there is increasing focus on the integrity and consistency of GRC information”
#2
MEET NEW REGULATORY REQUIREMENTS
Regulatory change has more than doubled in several industries over the past five years (e.g., banking, insurance, healthcare) and drives the organization to GRC technologies that enable regulatory intelligence and agility”
#3
REDUCE COSTS & IMPROVE PERFORMANCE When deploying new GRC technologies the organization is driven to reduce costs while increasing the performance of business operations”
#4

7. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. |
Comprehensive Risk & Controls Management
Detect and Fix Issues
Continuous Improvement and Monitoring
Assess Risk & Compliance
Close the
LOOP
Identification
Analysis
Evaluate
1. BUSINESS RISKS
Document
Assessments
Reviews
2. CONTROL OBJECTIVES
Author Execute Investigate
3. CONTINUOUS MONITORS

8. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. |
Custom or Legacy Applications
Enterprise Risk and Controls Foundation
One Unified Platform
Flexible
•Graphical Authoring
•Detect and Prevent
•Access, Transactions, Setups
Data Driven
•100% of Transactions
•Manage by Exception
•Pattern Analysis
Comprehensive
•Multiple GRC Projects
•From Documentation to Test
•Closed Loop Approach
Enterprise Risk & Controls Foundation
Dashboards, Reports and Alerts
Notifications
Worklists
Email
Perspectives
Search
Risk, Controls & Compliance Management
Reviews
Documentation
Assessments Remediation
Surveys Continuous Controls & Risk Monitoring
Setups Access Master Data
Audit Tests
Transactions
User Authored Controls
Data Connectors
Fraud & Error Patterns
Role Based Access Security
Web Services & APIs

9. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. |
Specialized Partners
Increase your Return On Investment
•Get more from Advanced Controls Specialists address more of your needs with Advanced Controls’ many capabilities
•Increase your organization’s effectiveness Specialists help you embed Advanced Controls in your business processes
•Accelerate your implementation Specialists guide and support you during planning, implementation and go-live
Oracle Confidential – Internal/Restricted/Highly Restricted
10

10. Intercontinental Exchange, Inc. (ICE)
Oracle Advanced Controls Implementation
“One AC instance connected to two different ERP’s”
www.pwc.com
“Any trademarks included are trademarks of their respective owners and are not affiliated with, nor endorsed by, PricewaterhouseCoopers LLP.”

11. About ICE

12. Background
13
Client Background
•ICE (runs PeopleSoft) located in Atlanta
•PeopleSoft is hosted off-premise by a Hosting Provider
•ICE recently acquired NYSE, (run Oracle EBS)
•EBS is hosted on premise in New York
Oracle Advanced Controls
•Needed a solution to address operational and compliance needs
•Goal to implement by summer 2014
•Needed a partner to navigate their complex IT environment and implement a right-sized, sustainable, scalable solution
•Decided to implement an on premise Advanced Controls Environment

13. Requirements
14
EBS Visibility
Having recently acquired NYSE, ICE wanted to gain visibility into the risks, controls and transactions within their EBS environment.
PeopleSoft Visibility
Access, configurations and transactions were difficult to manage with standard PeopleSoft functionality alone.
Operational Efficiency
The business needed to analyze certain risky transactions on a periodic basis, and was stuck with ad- hoc queries written by IT and manual investigation in the ERP systems.
Controls Automation
ICE was looking to drive automated control over access and configurations to improve the efficiency of their internal and external audits.
Scalability
Given the extent of integration and expansion that is and will be going on at ICE over the next several years, the solution had to be scalable to accommodate future change.
Audit Support
Build a sustainable automated solution that could evaluate security, segregation of duties, automated controls and transactional activity to support Internal and External Audits.

14. Solutions
15
The right Collaboration
PwC worked with ICE to help create a tailored, right-sized solution to their operational and compliance needs.
Business, internal audit, and IT stakeholder involvement was a key success factor from requirements gathering through implementation.
Transactions
Led by the business, the stakeholders identified 22 ways they could use TCG to improve exception-based transaction reporting.
This was narrowed down to 18 key requirements for Phase I across 5 business and IT processes.
Security & Segregation of Duties
The stakeholders identified 98 ways they could use AACG to address existing operational and compliance concerns.
This was narrowed down to 61 key requirements for Phase I across 8 business and IT processes.
Configuration Mgmt.
In a discussion driven by IT, the stakeholders identified 141 opportunities for continuous configuration monitoring using CCG.
This was narrowed down to 130 key requirements for Phase I across 7 business and IT processes.

15. Systems Diagram
AACG & TCG
CCG

16. Project Scope/Summary/Benefits
17
Delivered Scope
Approximately 90-120 Security and SOD controls in AACG
Approximately 90-120 Configuration Change Trackers in CCG
Approximately 15-25 Transaction Analytic controls in TCG
PCG considered for NYSE but not included
Timeline
Phase I: February – August 2014
Initial go-live for NYSE AACG and CCG given audit requirements (June 2014)
Final go-live for NYSE TCG and ICE AACG, CCG and TCG (Aug 2014)
ICE business process control owners for key processes
ICE and NYSE system administrators
ICE internal audit team
Increased automation in the quarterly access review process
Increased visibility into risks in the EBS and PeopleSoft environments
Resulting changes made to improve security, configurations & processes. Automation of various audit activities
Stakeholder Groups
Benefits

17. Advanced Controls Examples
•GL Entries not posted at month end
•AR Entries without GL entries
•Duplicate Employees
•Duplicate Invoice Payments
•Refunds over specific threshold
•Unusual Journals – Debit Rev, Credit Expenses
•Inactive users
Business Solutions beyond Compliance and Internal Audit

18. Advanced Controls Examples (cont’d)
•Custom Content/Objects for PeopleSoft
•Change trackers to monitor changes to automated controls
•Impact assessment during patch application
•Ability to compare setup changes during integration of NYSE (EBS) on to ICE PeopleSoft environment

19. Main Project Challenges
20
Stakeholder Availability
01
Stakeholder Availability
02
Standardizing processes during acquisition
03
Educating Stakeholders
04
Technology Delays

20. What’s Next?
21
Controls Operation
RMB Integration
EBS Migration
Future Expansion
Business process control owners have already began operating their monthly and quarterly access and transaction controls, and system administrators are continuing to investigate configuration changes as they occur.
PwC is implementing Oracle Revenue Management and billing as ICE’s optimized billing solution, and will build custom connectors to allow RMB to interface with billing rules that will be implemented into Advanced Controls.
In 2015, ICE will begin to migrate NYSE from EBS into ICE’s PeopleSoft environment. This will require consideration of the impact to Advanced Controls and may require changes to existing rules.
As ICE becomes more comfortable with Advanced Controls capabilities and their existing solution, there will be opportunities to expand their use of the applications and increase the value they derive from it.

21. Questions?
Copyright:
© 2014 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved.
Definition:
PwC refers to the US member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.

22. Contact Information: Stephen D'Arcy - Director (PwC) stephen.j.darcy@us.pwc.com Ph: 856.577.0022
Copyright:
© 2014 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved.
Definition:
PwC refers to the US member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.

23. Follow Us & join the conversation .
Oracle GRC Advanced Controls Group
@OracleAdvCntrls

24. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. |
25

25. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. |
Safe Harbor Statement
The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
26