Risk Management Webinar - PowerPoint PPT Presentation

About This Presentation

Title: Risk Management Webinar

Description: NexInfo invites you to our Risk Management Webinar, where we’ll explore strategies for identifying, assessing, and mitigating risks across various industries. Learn how to build resilient operations and safeguard your business against potential threats and disruptions.

Date added: 23 January 2025
Slides: 40
Provided by: kumar_27

Transcript and Presenter's Notes


1
Streamline & Simplify Your Audit Process Using Oracle Risk Management Cloud
  • April 26, 2021

2
The Southwest US Regional Oracle Applications Technology Users Group was formed at a kickoff meeting in the Costa Mesa, California area in January 1996 by a group of Oracle Applications Users to share information and meet the specialized needs of Oracle Applications professionals, and to provide them a regional forum to train, evaluate and network with their peers throughout all industries.
oatug.org/sroatug | @sroaug | linkedin.com/groups/312025
5
Expertise
  • 20 Years as an Accountant and Internal Auditor
  • 9 Years as a Risk Management Consultant
  • Certified GRC Professional
  • Masters and BBA in Accounting Florida
6
Agenda
  • Introductions
  • Risk Management Introduction
  • Risk Management Control Basic Concepts
  • Optimized Security by Design
  • Automate Segregation of Duties (SoD) controls for compliance reporting
  • Digitize User Access Certification Workflows
  • Continuous monitoring of User Security
  • Continuous monitoring of changes to critical configuration
  • Continuous monitoring of financial transactions
  • Digitize audit and SOX Compliance workflows
  • Digitize risk (Enterprise Risk Management) and continuity (business continuity management) workflows
  • Walk through of "Separation of duties analysis"
  • Implementation Considerations

7
Questions?
Please submit questions using the Questions
option on the GoToWebinar panel
8
Introduction
9
State of Risk Management Maturity
  • Are Silos and spreadsheets still the norm for
    your client?

  • Only 8%: No silos; cross-org standardization; automated processes; integrated, enterprise-wide solution
  • 67%: Largely siloed; some standardization; spreadsheets; some org-based solutions
  • 25%: Siloed; no standardization; ad-hoc or manual processes; spreadsheets

Source: GRC Maturity Survey, OCEG, 2020
10
Hidden Costs of the Risk Management Norm
  • Are these costs impacting your client?

Adverse Audit Results; Cash Leaks; Lawsuit Exposure; Executive Inaction; Penalty Exposure; Risk Unawareness
  • 45% increase in adverse ICFR audit opinions [1]
  • 1 in 8 managers and 1 in 15 executives display risky behaviors [2]
  • 60% of accounting lawsuits involve control weaknesses [3]
  • Profit reduction due to errors and fraud
  • Over 50% of mid managers don't understand business risks inherent to their roles [2]
  • Executive inaction slows revenue growth by up to 47% [2]

Sources:
[1] Current Issues, Trends, and Open Questions in Audits of ICFR, PCAOB, 2020
[2] Executive Guidance: Reducing Risk Management's Organizational Drag, CEB, 2014
[3] Accounting Class Action Filings and Settlements, Cornerstone Research, 2014
11
  • Risk Cloud Solutions for Oracle SaaS

Manage risks - map to controls. Assess control, ensure compliance. Engage people.
COMPLIANCE WORKFLOW (SOX, GDPR, ETC.)
  • CFOs and Controllers
  • CIOs and CISOs
  • Auditors
  • Process Owners

What do people actually do? Is it appropriate or unusual?
ADVANCED CONFIGURATION CONTROLS; ADVANCED TRANSACTION CONTROLS

Who can get into your systems? What can they really do?
SECURE ROLE DESIGN; SENSITIVE ACCESS CERTIFICATION; SECURE ROLE ASSIGNMENTS
12
  • Why are Controls Needed?
  • A growing body of regulations and standards requires deep, continual monitoring of crucial access policies for users (SOX, GDPR, etc.)
  • Including typical business users, super-users, temporary/contract workers
  • Auditors are increasingly obliged to assess the validity of users' fine-grained access privileges and determine whether controls are in place and working effectively
  • Unfortunately, complying with access policies
    using manual methods quickly becomes unwieldy and
    unreliable

13
  • How Do You Ensure Effective Risk Management is in
    Place?
  • Right People Have Right Access
  • Financials Risks, Controls, Compliance are met
  • Correct policies and procedures have been
    implemented to increase risk awareness
  • Effective Management of continuous change in Risk
    and Compliance Regulations
  • Timely Reporting, Seamless Dashboards, and Robust Exception Management

14
Financial Reporting Compliance - Best Practice
Process
15
  • Oracle Financial Reporting Compliance
  • Risk Management Cloud service that
  • streamlines internal control assessments
  • automates labor-intensive tasks required to
    complete external certifications for SOX or
    similar mandates

16
  • Financial Compliance Requirements (examples)

Financial Regulations and Accounting Frameworks
  • Sarbanes-Oxley (SOX) Act of 2002: US - Publicly Traded or have Public Debt
  • COSO 2013: Accounting Internal Control Framework

Similar regulations around the world, such as
  • Canadian CSOX/Bill 198 (Canada)
  • Loi sur la Sécurité Financière 2003 (France)
  • JSOX 2006 (Japan)

Sector specific regulations, such as
  • OMB Uniform Guidance (incl. OMB A-123): Higher Ed, HealthCare, Public Sector
  • Model Audit Rule: Insurance Companies
17
Risk Management Process Flow
18
  • Internal and External Users

Internal Users
External Users
19
  • Why Are Access Controls Needed?
  • The ability to fine-tune and track Oracle
    ERP/HCM/SCM Cloud user access is key to ensuring
    corporate security
  • Users can have conflicting and even toxic
    access privileges due to the multiplicity of
    possible access points and navigation pathways

20
Advanced Access Controls - Flow
  • Model results
  • Manage incidents - options: adjust ERP/HCM/SCM security configuration; add compensating transaction controls
  • Convert Models to Controls; run Control Analysis periodically
  • Report incident management results to managers, auditors
21
SoD Conflict
Inter-role vs Intra-role violations
23
  • Auditing Security
  • The following audit reports are available
  • List of users and provisioned roles
  • List of users and provisioned function and data
    accesses
  • List of inactive users

24
What is Advanced Controls?
Standard Controls
User Roles
Track Payments
3-Way Match
Approval Hierarchies
Track Discounts
25
Advanced Access Controls - Certify User Access
26
Advanced Access Controls - Certify User Access
Sensitive Access Certification
  • Meet SOX certification requirement
  • Simple workflow to certify users that have access to sensitive functions
  • Replace spreadsheet- and email-based compliance tasks
  • Scope sensitive ERP Roles and users for approval by process owners
  • Approve, remove or investigate users with high-risk access
28
  • Applications Cloud Analytics Delivering Business
    Insights
  • Oracle Transactional Business Intelligence (OTBI)
  • On-demand operational reporting embedded in
    Oracle Cloud Applications (ERP, HCM, CX)
  • Business Insights for Risk Management
    Stakeholders (CFO/ CRO/ CISO/ LOB Managers/
    Auditors)
  • Supports daily decision making, proactive problem
    resolution, and business speed and agility
  • Always Available
  • Enables Operational Excellence

29
  • Streamline Source-to-Pay
  • Control spend and simplify supplier payments

30
Continuous monitoring - Configuration Changes
Detect business risks and breaches by continuously monitoring ERP master data and setup changes.
  • Automate risk-based tracking of 250 setups across accounts payable, accounts receivable, general ledger, and procurement.
  • For example: get alerts for frequent changes made to supplier bank accounts, payment methods, item master, accounting period, and more.
  • Leverage library of best-practice rules, and author new audit rules using a built-in visual workbench.
31
  • Top Ten Configuration Controls for Oracle
    Financials Cloud

  • Has a period's ledger been altered?
  • The changes could necessitate an accounting audit, and if significant changes occurred after you reported financial results, restatement of results.
  • How about journal entries or accounting rules?
  • The former are the foot soldiers of accounting, and the latter the generals - corruption at either level spells trouble.
  • Has suppliers' information changed unexpectedly - e.g., bank accounts, payments, sites, or contacts?
  • Any could be the result of a scam intended to route payment to a fraudster.
  • Has a supplier's information changed frequently, or outside business hours?
  • Neither should be necessary in healthy business activity; they could indicate fraud, or simply inefficiency - e.g., a frequent alternation between two values to work around the need for better process.
  • Have Supply Chain item masters changed unexpectedly - e.g., were unnecessary items added to bills of materials, or manufacturing/supply lead times and safety stock levels manipulated, to trigger unnecessary orders?
  • Have changes to cost of goods been made to engineer a better budget or forecast (tainting your accounting in the process)?
  • Were contract lines altered?
  • Items, amounts and terms could be changed in collusion with counterparties to bilk your business.
  • Did site or user Profile Options change unexpectedly?
  • This trove of preferences, installation settings, configuration choices, and processing options affects nearly every aspect of Financials - are changes innocuous or hacks? Find patterns of the latter.
  • How about Data Roles and Security Profiles?
  • Two more deep and pervasive types of configuration - do changes indicate illicit broadening/heightening of privileges?
  • Did Flexfield Cross Validation Rules change?
  • These are often an uncharted - or at least untamed - territory in the world of configuration, since there are no common standards or rules - they are all invented by your business. They might change only rarely, but when they do, heads up - their effects can spread across entire business processes, with unintended consequences.
  • Have Receiving parameters changed unexpectedly? For example:
  • Do you suddenly allow the receiving location to differ from the ship-to location (with tax, inventory, and restricted territory impacts)?
  • Did your late receiving tolerance increase?
  • How about tolerance for receiving more than approved?
  • How often was receipt routing overridden?
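
The supplier checks on this slide (frequent changes, changes outside business hours, alternation between two values) can be written as rules over a change-audit log. The following is an added example, not part of the original presentation and not Oracle's rule workbench; the row layout, thresholds and business-hours policy are assumptions, and the sample rows are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit rows (hypothetical layout, not an Oracle export format):
# (timestamp, supplier, field, old_value, new_value, changed_by)
SAMPLE_CHANGES = [
    ("2021-04-05 10:15", "ACME", "bank_account", "111", "222", "jdoe"),
    ("2021-04-06 23:40", "ACME", "bank_account", "222", "111", "jdoe"),
    ("2021-04-08 09:05", "ACME", "bank_account", "111", "222", "asmith"),
    ("2021-04-12 14:30", "GLOBEX", "payment_method", "CHECK", "EFT", "asmith"),
    ("2021-04-17 11:00", "INITECH", "bank_account", "900", "901", "jdoe"),
]

BUSINESS_HOURS = range(8, 18)   # assumed policy: 08:00-17:59, Monday to Friday
WINDOW = timedelta(days=7)      # assumed look-back window for "frequent"
MAX_CHANGES_IN_WINDOW = 2       # assumed threshold: more than this is flagged


def find_incidents(rows):
    """Return sorted (supplier, field, reason) tuples for suspicious change patterns."""
    incidents = set()
    history = defaultdict(list)  # (supplier, field) -> [(time, new_value)]
    for ts, supplier, field, _old, new, _user in sorted(rows):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        # weekday() 5 and 6 are Saturday and Sunday (treated as off-hours here).
        if when.weekday() >= 5 or when.hour not in BUSINESS_HOURS:
            incidents.add((supplier, field, "outside_business_hours"))
        history[(supplier, field)].append((when, new))
    for (supplier, field), events in history.items():
        # Frequent: more than MAX_CHANGES_IN_WINDOW changes inside any WINDOW.
        for i, (start, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= WINDOW]
            if len(in_window) > MAX_CHANGES_IN_WINDOW:
                incidents.add((supplier, field, "frequent_changes"))
                break
        # Alternation: a value returns to the one set two changes earlier (A, B, A).
        values = [v for _, v in events]
        if any(values[i] == values[i - 2] != values[i - 1]
               for i in range(2, len(values))):
            incidents.add((supplier, field, "alternating_values"))
    return sorted(incidents)


if __name__ == "__main__":
    for incident in find_incidents(SAMPLE_CHANGES):
        print(incident)
```

Each returned tuple corresponds to one incident a reviewer would accept or remediate; tune the three constants to the organization's own change policy.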

32
  • Financial Reporting Compliance Advanced Controls

Automate control tests
Associate control analysis results
33
Main Drivers for Risk Management Implementations
34
Model/Control Lifecycle
Risk Management Implementation Steps
35
Main Drivers for Risk Management Implementations
After Go-Live (flowchart labels)
  • Configure custom roles and user role assignments
  • Monitor transactions using compensating AFC Control
  • Run control analysis periodically
  • Decision: Did analysis find incidents?
  • Import finalized Access Models
  • Accept Incidents
  • Deploy Controls
  • Decision: Are access conflicts expected?
  • Branch labels: YES, YES, NO
  • Remediate Incidents
  • Periodic Sensitive Access Certification
  • Other labels: Production; Security Console; Advanced Access Controls
36
Remediation Process
  • First, accept incidents that cannot be acted on
  • Next, act on residual intra-role and inter-role violations
  • Option 1: Inactivate obsolete users involved in conflicts
  • Option 2: Take away access from users with conflicts
  • Option 3: Use Compensating Controls. Consider the use of compensatory controls such as AFC controls to monitor related transactions for users identified in these conflicts
  • Option 4: Re-design roles in Fusion security. Visualize these incidents and then use Simulation to create remediation plans for resolving these conflicts
  • Once the remediation plans are finalized, implement the plan in Security Console
37
  • Promote Financial Oversight
  • Facilitate risk-aware business decisions

Executives: Contextual, role-based insight ensures certifications are based on managed risks
Control Owners: Visibility of risks and controls highlights ownership, and ensures accountability
Process Owners, Auditors: On-Demand access to control assessments ensures issues are promptly resolved
38
Discussion/Questions?
Thank you for joining today's webinar.
39
Contact Us
Dublin, Ireland
Bellevue, WA
Bridgewater, NJ
Orange, CA
Santa Ana, CA
New Delhi, India
Chicago, IL
Bangalore, India
Chennai, India