Thousands of Hours Saved and Risk Reduced for EBS Upgrades & Implementations

Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal1
Graphic Section Divider

The following is intended to outline our general product
direction. It is intended for information purposes only,
and may not be incorporated into any contract.
It is not a commitment to deliver any material, code, or
functionality, and should not be relied upon in making
purchasing decisions. The development, release, and
timing of any features or functionality described for
Oracle’s products remains at the sole discretion of
Oracle.

Reducing Risk for Oracle EBS
Upgrades & Implementations
(CON8830)
Dane Roberts & Steve Dalton, Oracle
Stephen D’Arcy, PwC
Chuck Scheller, Harvard Pilgrim Health Care,
Dir Business Systems

@OracleAdvCntrls
Oracle GRC Advanced Controls
Join Our Linkedin Group
Follow us on Twitter

Program Agenda
 Oracle Advanced Controls (OAC)
 Upgrade Challenges
 Case Study 1: CH2M
 Case Study 2: Harvard Pilgrim Health Care
 Realizing Value from OAC after Upgrade
 Q&A

GRC Advanced Controls
One Enterprise Foundation
Enterprise Risk & Controls Foundation
Dashboards, Reports and Alerts
NotificationsWorklists Email PerspectivesSearch
Risk, Controls & Compliance Management
ReviewsDocumentation Assessments RemediationSurveys
Continuous Controls & Risk Monitoring
SetupsAccess Master Data Audit TestsTransactions
User Authored ControlsData Connectors Fraud & Error Patterns
RoleBasedAccessSecurity
WebServices&APIs
Custom or Legacy
Applications
Comprehensive
 Enterprise Risk Management
 Financial Governance
 Continuous Controls Monitoring
Flexible
• Graphical Authoring
• Detect and Prevent
• Access, Transactions, Setups
Data Driven (Big Data)
 100% of Transactions
 Manage by Exception
 Optimize Processes

Technical Innovation
Robust Types of Automated Controls
Preventive
What users
can do
How is the process
set up
How users execute
processes
What users
have done
What’s
changed in the
process
What are the
execution
patterns
Monitor Control Effectiveness
Enforce Policies in Context
Segregation of
Duties
Application
Configuration
Transaction
Monitoring

Standard + Advanced Controls
User Roles
3-Way
Match
Approval
Hierarchies
Sentiment
Analysis
Split
Purchase
Orders
Hide
Displays of
Sensitive
Data
Duplicate
Payments
Transaction
Threshold
Amounts
Duplicate
Vendors
Fine-
grained
User
Access
Configuration
Snapshots &
Audit Trial
Transaction
Pattern
Analysis
Fuzzy
Logic,
‘similar
values’
Advanced
Controls
Standard
Controls
Social
Media
Policy
E-learning
Ethics
Policy

Copyright © 2013, Oracle and/or its affiliates. All rights reserved.10 Confidential – Oracle Internal
…by
Continuously
Monitoring
Your
ERP
Applications
Advanced Controls
Enables you to:
Improve Bottom-Line
Reduce Operational Risk
Increase Process Effectiveness

Advanced Controls
Make Processes More Effective, Efficient
Reduce Operational Risk
Improve Bottom Line
Detect unwanted transactions
Detect settings that cause loss
Detect problematic exceptions
Automate policy management

Program Agenda
 Q&A

Takes longer
than expected
Undetected
errors
Costs exceed
budget
Unforeseen
changes
Processes negatively
impacted
Improve using advanced control solutions
ERP Project Concerns
Implementation and Upgrades

What Issues Were Encountered During Your
Upgrade?
Source: OAUG Research Line, “Moving to New ERP Environments: 2011 OAUG Governance, Risk, and Compliance Best
Practices Survey”
48%
28%
26%
26%
21%
19%
12%
9%
7%
11%
Unexpected changes to application set ups
Disruption to business transactions or workflow
Other applications breaking/unable to interoperate
Rise in end-user training costs
Outdated controls
Data damaged/altered
Surge in segregation of duties conflicts
Data exposed
Missed product launches/slower time to market
Other

Advanced Access Controls
Value for ERP Projects
>Comply with access
policies from day one
>Design compliant roles
>Automate the creation of
BR-100s
>Ensure instances are
synchronized (ex: Test
vs. Prod)
>Avoid customizations
with configurations and
the creation of controls
> Automate compliant
user access provisioning
>Reduce testing/debug
time - identify changes
>Reduce risk, time and
cost of identifying, and
correcting errant
transactions that violate
control policies
>Define and manage
complex multi-instance
global access policies
>Reduce and eliminate
vulnerabilities due to
undocumented/unknown
configuration settings
>Reduce internal and
external costs where key
control changes are
necessary due to
changed functionality

Program Agenda
 Q&A

Leveraging Oracle
Advanced Controls to
accelerate your R12 project
“A story of two different Oracle
Advanced Controls
implementation strategies for
Oracle R12 projects”

The CH2M HILL Story
“Implementing Oracle
Advanced Controls during a
global R12 re-
implementation”

PwC
Overview
1. Project Background & Scope
2. Implementation Approach - Stakeholders
3. Improving the bottom line for CH2M HILL
4. Examples of the Advanced Controls Solutions implemented
5. Keys to success
6. Benefits of implementing Oracle Advanced Controls during the R12 project
19

PwC
Project Background & Scope
20
Applications Tools
Financials
Security
Procurement
GRC
Human Capital
Mgmt.
Plans &
Methodologies
Training
Oracle Unified
Method
Industry Best
Practices
Oracle Applications
Experience
Projects
Business
Intelligence
Standard Process
 98+ Prim ledgers, 10 Sec Ledgers, 170 OU’s, 50+ countries, 30,000 + end users

PwC
Implementation Approach - Stakeholders
Oracle
Advanced
Controls
Process
Design
Workshops
CEMLI/
RICEFW
Internal Audit
Government
Compliance
Dept
Security
Officers
Business
Process
Owners
21

PwC
Implementation Approach - Stakeholders
Oracle
Advanced
Controls
Process
Design
Workshops
CEMLI/
RICEFW
Internal Audit
Government
Compliance
Dept
Security
Officers
Business
Process
Owners
22

PwC
Improving the bottom line for CH2M HILL
• Replaced approximately 15% of the clients 400+ Customizations
 Saved approximately 2000 developer hours
 On average it took 15-20 hours to build a PCG solution
 On average it was taking the EBS implementation partner 60-70 hours
• Facilitating the Shared Services model for a global organization
 Centralized assessment of security and segregation of duties violations – Estimated Savings –
approximately 500 hrs per year – 130 SOD Rules built in
 More detailed visibility into which users can perform critical functions within Oracle –
especially in foreign locations.
• Transaction Controls Implemented – saving time & benefiting the bottom line
 Already identified a number of duplicate payments for investigation and future recovery
 Monitoring for compliance exceptions (Enter vs Post Journals)
23

PwC
Improving the bottom line for CH2M HILL
• Over 100+ critical setups and configurations now being monitored
 Reduced time spent testing patches, troubleshooting EBS & validation
automated controls
• Over 130 security & segregation of duties rules built
 Accelerated security re-design evaluation & identified conflicts prior to go-
live
 Will reduce Internal & External Audit testing time significantly going
forward
• Accelerating multiple Federal Compliance requirements and building many
of the solutions into the EBS environment vs more manual time consuming
manual effort outside of a system
24

PwC
Examples of the Advanced Controls Solutions built
25
Duplicate Payments
Journals posted by the same
user
Prevent re-opening of projects
assigned to inactive Organizations
Notification on chart of
accounts changes
Alert when super-user
responsibilities are used
Preventing changes to own pay
elements
Identification of federal-related invoices
where a variance exists between the invoice
amount and the cash amount applied.
Identification of employees in the federal
entities who have a salary outside of their
defined salary range for their job grade.

PwC
Keys to Success
• Business led implementation of Oracle Advanced Controls
 What do you need?
 Why do you need it?
 What value will it bring you?
 Compared to other business requirements what is the priority?
 Are you prepared to own and operate the output post implementation?
• CEMLI Assessment
 Worked with IT and the business to identify customization candidates that could be replaced with Oracle
Advanced Controls
 Determined those CEMLI’s where it would be truly more efficient
• Looking at things from a Shared Services perspective
 Leveraged to monitor activity across the global EBS footprint
 Duplicate payments, entering and posting journals, security/sod etc
26

PwC
Benefits of implementing as part of the R12 project
• Oracle Advanced controls viewed as an additional tool or accelerator by the project
team
• Ability to use PCG to address unique business requirements real time
• Embed controls into the to-be processes as opposed to a more expensive retro-fit post
go-live
• Project ran in parallel with the overall EBS R12 re-implementation (did not impact or
slow-down the critical path)
• Tools were available to monitor activity during the project (e.g. configuration changes)
• Helped the security re-design team understand where the potential conflicts sat prior
to go-live as opposed to expensive re-design post go-live.
27

The Harvard Pilgrim Story
“Implementing Oracle
Advanced Controls prior to a
R12 implementation”
Private and confidential

PwC
Agenda
1. Project Background
2. Project Approach
3. Key Benefits for Harvard Pilgrim
4. ROI Framework
29

PwC
Project Background – Oracle GRC Manager (2010)
• Harvard Pilgrim engaged with PwC in late 2010 to implement Oracle
Governance Risk and Compliance Manager solution for Model Audit Rule
(MAR) and SAS70 compliance activities and reporting
• As a part of this initiative, PwC team members worked closely with HPHC’s
Financial Controls Manager to design and implement data repository for
compliance content and automate periodic assessment activities and
reporting for MAR and SAS70
30

PwC
Project Background – Oracle Insight (2012)
31
In 2012, PwC and Oracle Insight team conducted a week-long discovery session to identify opportunity for Harvard Pilgrim to
leverage Oracle GRC Controls solution in advance of Oracle R12 upgrade. The team identified and recommended three phase
iterative implementation project to build incremental value for Harvard Pilgrim;
Phase 1 – Quick Wins (Current Scope)
• Review, prioritize and identify key corporate-wide and division-specific controls for potential automation using Oracle GRC
Controls
• Maintain focus on acquiring value and decreasing manual effort by the audit teams in executing Segregation of Duties (SOD)
testing, access reviews, and configuration change management
• Implement SOD access controls (AACG) and configurations monitoring (CCG)
Phase 2 – Facilitate R12 Upgrade and Implement Transaction Controls
• Maximize usage of AACG and CCG to facilitate R12 upgrade efforts
• Conduct workshops with business process owners to identify high risk transactional controls
• Evaluate opportunity to implement transaction controls (TCG) to address key transactional level risk exposures in Oracle EBS
Phase 3 – GRC Optimization Assessment
• Evaluate opportunity to implement preventive/approval based SOD controls
• Evaluate opportunity to implement approval based change control for key EBS configurations
• Evaluate integration between GRC Control and GRC Manager to automate Model Audit Rules testing
• Assess and provide scope for OHI integration to GRC Controls

PwC
Key Benefits for Harvard Pilgrim
• Reduce manual efforts to compile reporting packages for periodic access reviews and
configuration change controls
• Maintain integrity of system configurations and provide the ability to track unintended
changes from periodic maintenance and patching activities
• Establish Segregation of Duties policies to reduce the cost of R12 upgrade and prevent
remediation of access violations post go-live
• Reduce the level of effort to document and manage system configuration changes
during R12 upgrade
• Automate the continuous monitoring of key financial controls to reduce the risk of
fraudulent transactions
• Expected reduction in external audit scope and fees through the use of automated tool
32

PwC
HPHC ROI
33
Tangible Cost Savings (Total ROI 6 years)
• Access Management – Leverage AACG to reduce the level of effort to provision,
monitor, and remediate access risk exposures
• Estimated reduction of 2,298 hours across IT, Internal and External Audit
• Controls Management – Leverage CCG to reduce the level of effort to manage and
test Oracle configuration change controls
• Estimated reduction of 5,815 hours across IT, HPHC Business, Internal and
External Audit
• R12 Upgrade – Leverage AACG and CCG to facilitate R12 upgrade activities such as
instance comparison and new responsibility design
• Estimated reduction of 2,278 hours during R12 upgrade and subsequent periods

PwC
HPHC ROI
Risk Reduction
• Reduce risk of Fraud, Waste and Abuse by leveraging continuous auditing of access
and configuration change control
• Reduce access risk exposure by defining and reviewing SOD and Restricted
Access controls at the user and function level
• Reduce risk of inappropriate changes to Oracle configuration by enhanced ability
to test configuration change controls by producing system record of changes and
audit trail evidence
• Pushes controls testing responsibility & compliance ownership to business area
owners. Frees internal audit hours to pursue other IA initiatives versus access and
configuration controls testing
• Preventive User Access Administration (automated SOD Policies via AIM)
34

Learn More
PwC GRC Whitepaper
“Leveraging advanced controls with E-Business suite implementation and upgrade projects”
http://www.oracle.com/us/products/applications/ebusiness/optimizing-erp-projects-1855138.pdf
Optimize your ERP Projects leveraging Oracle Advanced Controls

Program Agenda
 Case Study 2: Harvard Pilgrim Healthcare
 Q&A

The Opportunity
Any Time
Transform your business processes
ERP Implementation
Provide optimal control solutions from day 1
ERP Upgrade
Add advanced controls to monitor and enhance ERP controls

Utilize Project Solutions Post-Production
Prevent inappropriate
activities with security
rules
Improve data
integrity by
monitoring
setup changes
Uncover
unauthorized
changes with
embedded rules

Change in Internal Control Requirements
0
50
100
150
200
250
Year 1 Year 2 Year 3 Year 4
Requirements
Functional Compliance Levels
• Manual
Processes
• Customizations
• Change Control
• More Audits
Challenges:
• Multiple ERPs
• New Regulations
• More Legal Entities
• New Contracts GAP
Social Media Monitoring
New Markets & Regions
Processes Outsourced
Acquisitions

Optimize Processes with Advanced Controls
policies are followed
for high-risk events
cash leakage

Fix Cash Leakage
On Every:
Protiviti 2010 - Procurement Assessment and AP Recovery
Solutions
Amount of Cash Leakage:

Prevent viewing of
sensitive data
Control extended
customer terms
Restrict large sales
discounts
Revise account
rec’s risk ratings
Stop split
purchase orders
Scrutinize PO
price variances
Check unapproved
vendors
Limit entertainment
expenses
Tighten user access
Require approval
of large credit
memos
Review manual
journal entries
Monitor POs entered
on receiving day
Policies Evolve Over Time

Ensure Policies are Followed
Controls
Purchase orders
not split?
User access
appropriate?
Extended customer terms
result in no write-offs?

45 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal
Customers (Sample)
Public Sector
Technology/Services
Retail
Energy
Communication
Industrial
Logistics
Healthcare/Life Sciences
Mining/Exploration
PRESENTING

Oracle Advance Controls
OOW2013 Sessions &
Demo Pod Slides

Specialized Advanced Controls Partners
 New Benefit for Advanced Controls owners
 Specialized Partners:
– Trained by Oracle:
 Designing and delivering OAC solutions
– Demonstrated ability to deliver reliable OAC
solutions
 Coming soon

Demo Workstation
Moscone West 1st Floor #W-013
Monday Tuesday Wednesday
Demo ID 3532
Workstation #: W--013
9:45 – 6:00 9:45 – 6:00 9:45 – 4:00

Demo Workstation
Moscone West 1st Floor #W-013

General Session: Empowering Modern Governance, Risk, and Compliance
 12:15PM Moscone West – 2006/2008
 GEN8812
Automate Robust User Access and Security Controls for PeopleSoft
 10:45AM Moscone West - 2009
 CON8820
Panel Discussion: Intelligent Controls for Key Business Processes & Upgrades in PeopleSoft
 3:15PM Moscone West - 3020
 CON8822
Deloitte: Leveraging Oracle GRC Technology to Reduce Revenue Loss, Cost Leakage & Fraud
 3:15PM Moscone West - 2000
 CON8822
Learn More About Oracle Advance Controls
Monday

Top 10 Advanced Controls for Procure-to-Pay to Improve the Bottom Line
 10:30AM Moscone West – 2003
 CON8814
Center for Medicare & Medicaid Services Automates Internal Controls with Oracle GRC
 3:45PM St Francis – Elizabethan C/D
 CON9346
Enforce Segregation of Duties with Identity Management and Oracle Advanced Controls
 5:15PM Moscone West – 3018
 CON8827
Tuesday

Optimizing Order-to-Cash with Oracle Advanced Controls for Oracle E-Business Suite
 10:15AM Moscone West – 3018
 CON8816
Reducing Risk for Oracle E-Business Suite Upgrades and Implementations
 CON8830
Panel Discussion: Intelligent Controls for Key Business Processes and Upgrades
 3:30PM Moscone West – 2002 / 2004
 CON8832
Wednesday

Advanced Access and User Security for Oracle E-Business Suite and Fusion Applications
 CON8824
Meet the Governance, Risk, and Compliance Experts
 12:30PM Moscone West 2001A
 MTE9412
Thursday

The preceding is intended to outline our general product direction. It is
intended for information purposes only, and may not be incorporated into
any contract.
It is not a commitment to deliver any material, code, or functionality, and
should not be relied upon in making purchasing decisions. The
development, release, and timing of any features or functionality
described for Oracle’s products remains at the sole discretion of Oracle.

Thousands of Hours Saved and Risk Reduced for EBS Upgrades & Implementations

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a Thousands of Hours Saved and Risk Reduced for EBS Upgrades & Implementations

Similar a Thousands of Hours Saved and Risk Reduced for EBS Upgrades & Implementations (20)

Más de Oracle

Más de Oracle (6)

Último

Último (20)

Thousands of Hours Saved and Risk Reduced for EBS Upgrades & Implementations