Case Study GRC Implementation A User Perspective - PowerPoint PPT Presentation

1
Case Study GRC Implementation - A User Perspective
  • Wendy K. Roberts, CPA, CIA
  • Adil Khan, GRC Client Director, FulcrumWay
  • Hari Radhakrishnan, IT Consultant, Control
    Solutions
  • January 21, 2009

2
Agenda
  • Introduction
  • GRC Objectives
  • Selection Process Research and Approach
  • About FulcrumWay
  • Controls Survey
  • Controls Framework
  • Application Controls Best Practices
  • GRC Monitor Implementation
  • Compliance Best Practices
  • GRC Manager Implementation

3
About Our Company
  • Harris Stratex Networks, Inc. is a leading
    provider in backhaul solutions for mobility and
    broadband networks. We serve all global markets,
    including mobile network operators, public safety
    agencies, private network operators, utility and
    transportation companies, government agencies and
    broadcasters. With customers in more than 135
    countries, Harris Stratex Networks is recognized
    around the world for innovative, best-in-class
    wireless networking solutions and services.

4
Objective for a GRC Tool
  • Obtain a versatile tool that could be used
    worldwide (WW).
  • Move away from spreadsheets and word documents to
    a more automated environment.
  • A product that could grow with the company.
  • Be used for SOX 302 and 404 Certification.
  • Supported Control Self Assessment testing.
  • Used to enhance the testing and reporting for
    Internal Audit.
  • Provide a central database for compliance use
    such as Code of Conduct and policy management.
  • Incorporate other compliance programs such as ISO
    and EHS.

5
Research and Approach
  • Gartner Report - Magic Quadrant for Finance
    Governance, Risk and Compliance Management
    Software, 2007. Published February 1, 2007.
  • Research for the tool began in July 2007.
  • Developed an analysis matrix with 32 criteria
    points.
  • Use of the magic quadrant to select vendors based
    on criteria and objectives of the company.
  • Six vendors chosen which met the most criteria
    points.
  • Demos performed with executive management.
  • RFPs were issued to the top two vendors.

6
Research and Approach
  • Decision for purchase of tool
  • Top two vendors were presented to a steering
    committee.
  • Recommendation was made for Oracle GRC Manager as
    the tool of choice.
  • Presented to the Board of Directors for approval.
  • Approval obtained in January 2008.

7
Implementation of GRC Monitor
  • Tool used to analyze Segregation of Duties (SOD)
    violations in Oracle
  • On-demand service commenced in February 2008.
  • Developed over 400 business rules which
    represented best practices in the industry.
  • Design of a risk matrix using High-Medium-Low
    risks for Oracle modules GL, AP, AR, FA.
  • Remediation of violations for high risks
    completed in June 2008 (FY08 Year End).
  • Medium and low risks violations being completed
    for FY09 by the end of January 2009.

8
Implementation of GRC Manager
  • Tool used to address policy management, 302
    quarterly certifications and 404 SOX compliance
  • Implementation began mid-October with completion
    estimated to be March 2009.
  • Policy management and 302 quarterly certification
    using Oracle Stellent Content Manager in GRC.
  • Use of GRC Manager for SOX 404 Certification and
    Control Self Assessment and Internal Audit
    testing.
  • Developing on-line training using Oracle User
    Productivity Kit (UPK).

9
About FulcrumWay
  • FulcrumWay is the #1 provider of Governance,
    Risk and Compliance Expertise, Solutions and
    Software Services for Oracle enterprise
    customers.
  • Expertise: Risk Management, Compliance, IT Audit,
    Internal Controls, Financial Reporting and GRC
    Software implementation consulting services.
    Since 2003, we have successfully assisted over
    one hundred Fortune-500 to Middle Market
    companies across all major industry segments.
  • Solutions: Oracle certified Systems Integrator
    and ISV member of the Oracle Partner Network.
    FulcrumWay solutions are built on software
    technologies from Oracle Corporation. FulcrumWay
    GRC Solutions are the #1 choice of Oracle
    customers.
  • Software Services: We enable organizations to
    assess Financial, Operational and Information
    Technology risks, monitor internal controls and
    optimize business processes. Auditors, Risk
    Managers and Business Process Owners can access a
    wide range of web based services over a secure
    internet connection to the FulcrumWay GRCMONITOR
    (https://www.grcmonitor.com) Software as a
    Service (SaaS) platform.
  • Privately Held: Delaware corporation with US
    presence in New York, Texas and California;
    international presence in the UK and India.

www.fulcrumway.com
10
Fulcrum Credentials
(Customer logo slide.) Industry segments shown:
Media and Entertainment, Financial Services, Life
Sciences, Retail, Industrial Manufacturing, Natural
Resources, High Technology, Healthcare,
Defense/Aerospace, Construction, Food. Named
customer shown: Readers Digest.

11
FulcrumPoint Insight
Thought Leadership - Events
  • Compliance Week Magazine - Healthcare Firm Aligns
    Compliance Efforts, Cuts Costs
  • Economist Magazine - Compliance Guide for
    Enterprise Systems
  • Podcast - How Automating the Enterprise Risk
    Management Process helps organizations comply
    with regulations
  • OAUG - Impact of AS5 for Oracle Enterprise
    Customers
  • IIA - Top Five Reasons for Automating Application
    Controls
  • Oracle Open World Annual GRC Dinner - GE and
    Birds Eye Case Study
  • Webcasts - GRC Best Practices, Trends and Expert
    Insight

12
IT Governance, Risk and Compliance Needs
13
OAUG Survey Demographics
14
OAUG Survey Demographics
15
Application Survey Questions
There were 20 scenarios presented and each
scenario included two questions:
  • Identify the awareness of the deficiency
      • My company was not aware of this risk
      • My company is aware of this risk, but has
        chosen not to address it yet
      • My company is aware of this risk and has
        chosen to accept the risk
      • My company is aware of this risk and has
        addressed it via a manual control
      • My company is aware of this risk and has
        implemented a customization / extension
      • I am not qualified to address this risk
      • My company does not use this functionality
      • Other
  • Determine the likelihood of implementing a
    solution if Oracle provided one
      • Would likely not implement because we don't
        agree with the risks
      • Would likely not implement because we already
        addressed it via a customization
      • Would likely not implement because we have
        chosen to accept the risks
      • Would likely implement it because we have not
        addressed the issue
      • Would likely implement it because we would
        rather replace our customization
      • I am not able to know what our company would do
      • Other

16
Customer Master
17
Order Forms Transaction Entry vs. Approval
18
Workflows
19
Controls Framework
  • IT organizations should consider the nature and
    extent of their operations in determining which,
    if not all, of the following control objectives
    (the four COBIT 4 domains) need to be included in
    the internal control program:
  • PLAN AND ORGANIZE
  • ACQUIRE AND IMPLEMENT
  • DELIVER AND SUPPORT
  • MONITOR AND EVALUATE

20
What are Application Controls?
  • Orders are processed only within approved
    customer credit limits.
  • Orders are approved by management as to prices
    and terms of sale.
  • Purchase orders are placed only for approved
    requisitions.
  • Purchase orders are accurately entered.
  • All purchase orders issued are input and
    processed.
  • All recorded production costs are consistent with
    actual direct and indirect expenses associated
    with production.
  • All direct and indirect expenses associated with
    production are recorded as production costs.
  • Application controls apply to the business
    processes they support. These controls are
    designed within the application to prevent or
    detect unauthorized transactions. When combined
    with manual controls, as necessary, application
    controls ensure completeness, accuracy,
    authorization and validity of processing
    transactions.
  • Control objectives can be supported with
    automated application controls. They are most
    effective in integrated ERP environments, such as
    SAP, PeopleSoft, Oracle, JD Edwards and others.

21
Risk Assessment
  • The IT organization has an entity-level and
    activity-level risk assessment framework, which
    is used periodically to assess information risk
    to achieving business objectives.
  • Management's risk assessment framework focuses on
    the examination of the essential elements of
    risk and the cause-and-effect relationships among
    them.
  • A risk assessment framework exists and considers
    the probability and likelihood of threats.
  • The IT organization's risk assessment framework
    measures the impact of risks according to
    qualitative and quantitative criteria.
  • The IT organization's risk assessment framework
    is designed to support cost-effective controls
    to mitigate exposure to risks on a continuing
    basis, including risk avoidance, mitigation or
    acceptance.
  • A comprehensive security assessment is performed
    for critical systems and locations based on
    their relative priority.

22
Control Activities
  • The organization has and does the following:
  • A system development life cycle methodology that
    considers the security, availability and
    processing integrity requirements of the
    organization. This ensures that information
    systems are designed to include application
    controls that support complete, accurate,
    authorized and valid transaction processing.
  • An acquisition and planning process that aligns
    with its overall strategic direction.
  • Acquires software in accordance with its
    acquisition and planning process.
  • Procedures ensure that system software is
    installed and maintained in accordance with the
    organization's requirements.
  • Procedures ensure that system software changes
    are controlled in line with the organization's
    change management procedures.
  • Ensures that the implementation of system
    software does not jeopardize the security of the
    data.

23
Control Monitoring
  • Changes to IT systems and applications are
    designed and performed to meet the expectations
    of users.
  • IT management monitors its delivery of services
    to identify shortfalls and responds with
    actionable plans to improve.
  • IT management monitors the effectiveness of
    internal controls in the normal course of
    operations through management and supervisory
    activities, comparisons and benchmarks.
  • Serious deviations in the operation of internal
    control, including major security, availability
    and processing integrity events, are reported to
    senior management.
  • Internal control assessments are performed
    periodically, using self-assessment or
    independent audit, to examine whether internal
    controls are operating satisfactorily.

24
Stages of Application Controls Implementation
  • Define: Define Audit Units, Application
    Environments, and Controls in-scope for Audit
    Testing
  • Detect: Analyze Control Violations based on risk
    and impact. Eliminate false-positives and
    exceptions
  • Remediate: Resolve Control Violations
  • Prevent: Automated Controls deny unauthorized
    access, transactions and system changes in
    real-time
  • Monitor: Analytics to notify management of all
    control violations
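The Define and Detect stages above, and the SOD rules library and High-Medium-Low risk matrix described for the GRC Monitor rollout on slide 7, come down to one computation: resolve each user's effective function set across all assigned responsibilities, test every rule pair against it, set aside conflicts that have an approved mitigating control, and rank what is left by risk so High items are remediated first. The Python below is an added example written for this page; it is not code from the presentation, from Oracle GRC Monitor or from FulcrumWay. The access extract, responsibility and function names, rule IDs and the mitigating-control reference are all constructed for illustration (in Oracle E-Business Suite the real inputs would come from the FND user, responsibility and menu-function tables).

```python
"""Segregation-of-duties (SOD) conflict detection over a user access extract.

Added example for this page. All data below is constructed; the names mimic
Oracle E-Business Suite responsibilities and functions but are not real ones.
"""
from dataclasses import dataclass

# Responsibility -> functions it grants (constructed extract).
RESPONSIBILITY_FUNCTIONS = {
    "AP_CLERK": {"AP_ENTER_INVOICE", "AP_VIEW_INVOICE"},
    "AP_MANAGER": {"AP_APPROVE_INVOICE", "AP_PAYMENT_RUN"},
    "AP_SUPPLIER_ADMIN": {"AP_MAINTAIN_SUPPLIER"},
    "GL_USER": {"GL_ENTER_JOURNAL"},
    "GL_SUPERVISOR": {"GL_POST_JOURNAL"},
}

# User -> assigned responsibilities (constructed extract). Each responsibility
# is clean on its own; the conflicts only appear when they are combined.
USER_RESPONSIBILITIES = {
    "jdoe": {"AP_CLERK", "AP_MANAGER"},
    "asmith": {"AP_SUPPLIER_ADMIN", "AP_MANAGER"},
    "bwong": {"GL_USER", "GL_SUPERVISOR"},
    "clee": {"AP_CLERK"},
}


@dataclass(frozen=True)
class SodRule:
    """One entry of the rules library: two functions no single user may hold."""
    rule_id: str
    module: str
    function_a: str
    function_b: str
    risk: str          # HIGH / MEDIUM / LOW, as in the slide 7 risk matrix
    description: str


# Rules library (constructed, in the style of the 400+ rules on slide 7).
RULES = [
    SodRule("AP-001", "AP", "AP_ENTER_INVOICE", "AP_APPROVE_INVOICE", "HIGH",
            "Enter and approve the same invoice"),
    SodRule("AP-002", "AP", "AP_MAINTAIN_SUPPLIER", "AP_PAYMENT_RUN", "HIGH",
            "Create a supplier and pay it"),
    SodRule("GL-001", "GL", "GL_ENTER_JOURNAL", "GL_POST_JOURNAL", "MEDIUM",
            "Enter and post journals"),
    SodRule("AP-003", "AP", "AP_VIEW_INVOICE", "AP_PAYMENT_RUN", "LOW",
            "View invoices and run payments"),
]

# Approved exceptions: (user, rule_id) -> documented mitigating control.
# These are the "exceptions" the Detect stage removes from the open list.
EXCEPTIONS = {
    ("bwong", "GL-001"): "Monthly journal review by controller (CTRL-GL-12, hypothetical)",
}

RISK_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


def effective_functions(user, users=USER_RESPONSIBILITIES,
                        resp_funcs=RESPONSIBILITY_FUNCTIONS):
    """Union of all functions reachable through the user's responsibilities."""
    funcs = set()
    for resp in users.get(user, ()):
        funcs |= resp_funcs.get(resp, set())
    return funcs


def granting_responsibilities(user, function, users=USER_RESPONSIBILITIES,
                              resp_funcs=RESPONSIBILITY_FUNCTIONS):
    """Which of the user's responsibilities grant a function (needed to remediate)."""
    return sorted(r for r in users.get(user, ()) if function in resp_funcs.get(r, set()))


def detect_violations(users=USER_RESPONSIBILITIES, rules=RULES, exceptions=EXCEPTIONS):
    """Return (open_findings sorted High->Low, accepted_findings with mitigating control)."""
    open_findings, accepted = [], []
    for user in sorted(users):
        funcs = effective_functions(user, users)
        for rule in rules:
            if not (rule.function_a in funcs and rule.function_b in funcs):
                continue
            finding = {
                "user": user, "rule_id": rule.rule_id, "module": rule.module,
                "risk": rule.risk, "description": rule.description,
                # Both sides of the conflict and the responsibility granting each,
                # so remediation can remove one side rather than the whole user.
                "via": {rule.function_a: granting_responsibilities(user, rule.function_a, users),
                        rule.function_b: granting_responsibilities(user, rule.function_b, users)},
            }
            if (user, rule.rule_id) in exceptions:
                finding["mitigating_control"] = exceptions[(user, rule.rule_id)]
                accepted.append(finding)
            else:
                open_findings.append(finding)
    open_findings.sort(key=lambda f: (RISK_ORDER[f["risk"]], f["user"], f["rule_id"]))
    return open_findings, accepted


def risk_matrix(findings):
    """Count open findings per module and risk rating, e.g. {'AP': {'HIGH': 2, 'LOW': 1}}."""
    matrix = {}
    for f in findings:
        module = matrix.setdefault(f["module"], {})
        module[f["risk"]] = module.get(f["risk"], 0) + 1
    return matrix


if __name__ == "__main__":
    open_findings, accepted = detect_violations()
    for f in open_findings:
        print(f"{f['risk']:6} {f['rule_id']} {f['user']:7} {f['description']} via {f['via']}")
    print("accepted with mitigating control:", [(f["user"], f["rule_id"]) for f in accepted])
    print("risk matrix:", risk_matrix(open_findings))
```

Two points the code makes that the slide does not: the conflict is a property of the combination of responsibilities, so reviewing responsibilities one at a time never finds it, and an accepted exception must be tied to a specific (user, rule) pair and a named mitigating control, otherwise the exceptions list quietly becomes a way to suppress findings.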

25
Application Controls Management Best Practices
(Process-flow diagram with swimlanes for Business
Process Teams, IT Management, Application Control
Teams and Corporate Access Controls.) Steps shown:
Determine Scope by Application; Establish Rules
Repository; Establish Test Environment; Extract ERP
Data; Detect Violations; Analyze Issues; Manage
Exceptions; Remediate Issues; Implement Changes;
Setup Preventive Controls; Monitor Application
Environment.
26
Rules Library is the master repository that
contains all SOD Rules stored in Access Control
27
GRC Management Process
(Process-flow diagram with swimlanes for Management,
Compliance Manager, Business Process Owner and
Signing Officer.) Steps shown: Establish Enterprise
Structure; Establish Risk Controls Library; Assess
Risk Top Down; Scope Audit Projects; Gather GRC Data;
Conduct Assessments; Test Internal Controls; Document
Findings; Implement Changes; Certify Business
Processes; Certify Financial Statements.
28
RCM Hierarchy in GRC Manager
29
Create Business Process
30
Controls Interface
31
Business Process Lifecycle
32
Questions
  • Questions?