1. Copyright © 2016, Oracle and/or its affiliates. All rights reserved.
Introducing Oracle Fusion
Advanced Access Controls
to Strengthen Security
OpenWorld 2016

2. Copyright © 2016, Oracle and/or its affiliates. All rights reserved.
Introducing Oracle Fusion
Advanced Access Controls
to Strengthen Security
This session provides a first look at this upcoming cloud service:
Continually detect and manage unwanted user access in ERP, HCM & SCM Clouds
Streamline role design, access policies
Improve access controls for SOX, other regulations
This session will help you:
Learn about this cloud service from industry experts and Oracle’s product developers
Determine whether this cloud service will be right for your organization
Get answers to your questions in live Q&A with our panelists

3. Copyright © 2016, Oracle and/or its affiliates. All rights reserved.
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for
information purposes only, and may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality, and should not be relied upon
in making purchasing decisions. The development, release, and timing of any features or
functionality described for Oracle’s products remains at the sole discretion of Oracle.
3

4. 4
© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG
International”), a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International.
Why Are Access Controls
Needed?

5. Copyright © 2016, Oracle and/or its affiliates. All rights reserved.
Agenda
Panelist Introductions
Introducing Advanced Access Controls
Panelist Q&A
More Resources
1
2
3
4
5

6. Copyright © 2016, Oracle and/or its affiliates. All rights reserved.
Panelists
– Katrina Johnson
Chief Audit Executive
Service Corp International
– Nicholas Seeman
Director, Advisory Services
KPMG LLP
– Mark Stebelton
Director, Product Management
Oracle Product Development
Moderator
– Barry Greenhut
Director, Product Strategy
Oracle Product Development
6
Session Speakers

7. Copyright © 2016, Oracle and/or its affiliates. All rights reserved.
Agenda
Panelist Introductions
Introducing Advanced Access Controls
Panelist Q&A
More Resources
1
2
3
4
11

8. Copyright © 2016, Oracle and/or its affiliates. All rights reserved.
Advanced Access Controls – Design Objectives
Find users in
Oracle
ERP/HCM/SCM
Cloud who…
• Can generate unwanted transactions – e.g., have
separation of duties (SoD) conflicts
• Have access to sensitive data
Let
organizations…
• Identify and minimize unnecessary financial and
operational risk
• Demonstrate compliance with SOX and similar obligations
12

9. Copyright © 2016, Oracle and/or its affiliates. All rights reserved.
Why Are Access Controls Needed?
14
• Enforcement includes detecting users who can:
• Application owners must continually enforce those policies
Enter unwanted
transactions
Create invoices then pay them
Create purchase orders then record
receipts for them
Create/change critical setup
data and configurations
Spending authorization limits
Opening closed accounting periods
Create/change
master data
Supplier
Customer
Employee
Item

10. 17
© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG
International”), a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International.
Access Control Maturity

11. Copyright © 2016, Oracle and/or its affiliates. All rights reserved.
Create Supplier Invoice Create PaymentSupplier
Create Supplier Create Payment for
same supplier
+ Create Supplier Create Payment for
supplier
≠
Why Is Separation of Duties Needed?
18

12. Copyright © 2016, Oracle and/or its affiliates. All rights reserved.Copyright © 2016, Oracle and/or its affiliates. All rights reserved. |
Advanced Access Controls – Design Objectives
Restrict Unauthorized Access & Automate SoD Analysis
Manage Exceptions & Simulate Changes
Link Results to Business Risks
Automate User Security Analysis
Deploy Pre-Built SoD Controls
Author New Access Rules & Policies
19

13. Copyright © 2016, Oracle and/or its affiliates. All rights reserved.
Deep, Dynamic Analysis
• Generate unwanted transactions
E.g., Separation of Duties
• Access to sensitive data
ERP/HCM/SCM
user abilities
• Ready to grow as privileges are added
to ERP/HCM/SCM
6,000+
ERP/HCM/SCM
privileges
20

14. Copyright © 2016, Oracle and/or its affiliates. All rights reserved.
User: Janie Adams
Job Role: Accounts Payable Supervisor
Duty Role: Payables Payment Creation
Privilege: Create Payables Payments
Privilege: Create Purchase Order
Job Role: Buyer
SoD Conflict
Deep, Dynamic Analysis
Duty Role: Purchase Order Authoring

15. Copyright © 2016, Oracle and/or its affiliates. All rights reserved.
Closed-loop, Compliant System
Enforce
control
objectives,
policies,
regulations
Maintain
as users
are added,
assigned
other roles
Evaluate
& enact
treatment
Detect users’
access
continually
Detect Evaluate
EnforceMaintain
24

16. Copyright © 2016, Oracle and/or its affiliates. All rights reserved.
Agenda
Panelist Introductions
Introducing Advanced Access Controls
Preview
Panelist Q&A
More Resources
1
2
3
4
26

17. Copyright © 2016, Oracle and/or its affiliates. All rights reserved.
Preview
InFusion Corp: Goals and Requirements
Requirements: We need an enterprise solution that:
• Automates detection of users with excessive access
• Provides an audit trail of remediation activities for access issues
• Secures what users see and do within the solution
• Provides data and reports that key stakeholders need to make good decisions
• Requires minimum resources to administer after go-live
27
Goal: We need to address user access risk by understanding excessive
user access, treating access issues, and documenting accordingly
Process Owner and
Auditor

18. Copyright © 2016, Oracle and/or its affiliates. All rights reserved. 28
Best Practice Process
Identify
Excessive
Access
Deploy
Controls
Address
Issues
Report
Results
28
Create Models and
assess results
Remediate excessive access
where feasible
Convert Models to
Controls
Run Control Analysis
periodically
Manage incidents - options:
Adjust ERP/HCM/SCM
security configuration
Add compensating
transaction controls
Report incident
management results to
managers, auditors

19. Copyright © 2016, Oracle and/or its affiliates. All rights reserved. 31
I import pre-built models, test and
refine them, and use the results to
guide improvements to role
definitions
Preview
Diane Analyst

20. Copyright © 2016, Oracle and/or its affiliates. All rights reserved. 32
Import Pre-built Models

21. Copyright © 2016, Oracle and/or its affiliates. All rights reserved.
Import Pre-built Models
Procurement
• Create Payments &
• Create Suppliers
• Set Up Payment
• Create Purchase Orders &
• Approval Authorization
Control
• Approve Invoices
• Create Invoices
Financials
• Enter Journal Entry &
• Approve Invoices
• Assets Workbench
• Create Invoices
• Create Payments
• Create Purchase Orders
• Post Journal Entry &
• Approve Invoices
• Assets Workbench
• Create Invoices
• Create Payments
• Create Purchase Orders
• Physical Inventory
Supply Chain
• Create Items &
• Cycle Counting
• Inventory Transactions
• Inventory Transactions &
• Receive Goods and Services
• Item Costing &
• Create Items
• Create Purchase Orders
• Ship Confirm Goods
33
Some of the planned pre-built models (100+ planned)

22. Copyright © 2016, Oracle and/or its affiliates. All rights reserved. 34
Review Model

23. Copyright © 2016, Oracle and/or its affiliates. All rights reserved. 35
Configure Model – Business Objects

24. Copyright © 2016, Oracle and/or its affiliates. All rights reserved. 36
Configure Model- Filter Logic

25. Copyright © 2016, Oracle and/or its affiliates. All rights reserved. 37
Configure Model- Access Conditions

26. Copyright © 2016, Oracle and/or its affiliates. All rights reserved. 38
Review Model Results

27. Copyright © 2016, Oracle and/or its affiliates. All rights reserved. 39
Visualize Incidents

28. Copyright © 2016, Oracle and/or its affiliates. All rights reserved. 40
Convert Models to Controls

29. Copyright © 2016, Oracle and/or its affiliates. All rights reserved. 41
I review and remediate incidents in
my business area
Review and Remediate Incidents
Chris Owner

30. Copyright © 2016, Oracle and/or its affiliates. All rights reserved. 42
Review and Remediate Incidents

31. Copyright © 2016, Oracle and/or its affiliates. All rights reserved. 43
Simulate Role Redesign

32. Copyright © 2016, Oracle and/or its affiliates. All rights reserved. 44
I review incident reports and re-
evaluate our existing access controls
Review Incident Reports
Alan Auditor

33. Copyright © 2016, Oracle and/or its affiliates. All rights reserved. 45
Review Incident Reports

34. Copyright © 2016, Oracle and/or its affiliates. All rights reserved.Copyright © 2016, Oracle and/or its affiliates. All rights reserved. |
Advanced Access Controls – Design Objectives
Restrict Unauthorized Access & Automate SoD Analysis
Manage Exceptions & Simulate Changes
Link Results to Business Risks
Automate User Security Analysis
Deploy Pre-Built SoD Controls
Author New Access Rules & Policies
46

35. Copyright © 2016, Oracle and/or its affiliates. All rights reserved.
Agenda
Panelist Introductions
Introducing Advanced Access Controls
Panelist Q&A
Katrina Johnson Service Corp International
Nicholas Seeman KPMG LLP
Mark Stebelton Oracle Product Development
More Resources
1
2
3
4
51

36. Copyright © 2016, Oracle and/or its affiliates. All rights reserved.
Agenda
Panelist Introductions
Introducing Advanced Access Controls
Panelist Q&A
More Resources
1
2
3
4
52

37. Copyright © 2016, Oracle and/or its affiliates. All rights reserved.Copyright © 2016, Oracle and/or its affiliates. All rights reserved. |
DEMOgrounds
Moscone West Level 3 Lobby (M,T,W) ERP Showcase
Workstation
WEP-020
53

38. Copyright © 2016, Oracle and/or its affiliates. All rights reserved.Copyright © 2016, Oracle and/or its affiliates. All rights reserved. |
Wednesday
CUSTOMER CASE STUDY
Sep 21, 11:00 AM – 11:45 AM| Moscone West 3005
Securing ERP: Application Compliance
and Controls Implementation
[CAS7689]
Gautham Ramkumar: Director, Advisory Services, KMPG LLP
Chuck Devore, Director, Finance Transformation, ADM
Kenneth Kobia, Risk & Controls Lead, Archer Daniels Midland
Organizations have successfully transformed their business
operations by leveraging Oracle ERP technologies. Yet they
continue to struggle to balance the two divergent needs of
empowering ERP business users, while protecting sensitive
data and transactions. In this session KPMG and Archer
Daniels Midland detail how they took advantage of Oracle’s
ERP security and controls capabilities, to support ADM’s
initiative to deploy Oracle ERP .
PANEL SEESION
Sep 21, 1:30 PM – 2:15PM | Moscone West 3005
Introducing Oracle Fusion Advanced
Access Controls to Strengthen Security
[CON7290]
Katrina Johnson, VP Risk Assurance, Service Corp
International
Nicholas Seeman, Director, Advisory Services, KMPG LLP
Barry Greenhut, Director, Product Strategy, Oracle
Mark Stebelton, Director, Product Management, Oracle
This session provides an overview of Oracle Fusion Advanced
Access Controls to continuously detect segregation of duties
violations, manage exceptions, and fix unauthorized access to
sensitive functions and data. Compliance managers and
auditors can use Oracle Fusion Advanced Access Controls to
ensure strong access controls across ERP, HCM and SCM
cloud applications.
PANEL SESSION
Sep 21, 4:15 PM – 5:00 PM | Moscone West 3005
Implement the Best Practice for Oracle
Financial Reporting Compliance Cloud
[CON7291]
Swarnali Bag, Governance, Risk & Compliance Practice Lead,
Oracle
Barry Greenhut, Director, Product Strategy , Oracle
Lakshmi Rajamohan, Principal Product Strategy Mgr., Oracle
Mark Stebelton, Director, Product Management, Oracle
This session provides a more detailed walkthrough of Oracle
Financial Reporting Compliance from an end user’s
perspective, and highlights how the product can be
configured to automate the best practice process. Based on
learning from a decade of customer experience, it showcases
the shortest and most cost-effective path to go live and
streamline operations.
54

39. Copyright © 2016, Oracle and/or its affiliates. All rights reserved.Copyright © 2016, Oracle and/or its affiliates. All rights reserved. |
Thursday
PANEL SESSION
Sep 22, 9:30 AM – 10:15 AM| Moscone West 3005
Implement the Best Practice for Oracle Fusion Advanced Financial
Controls Cloud Service
[CAS7286]
Swarnali Bag, Governance, Risk & Compliance Practice Lead, Oracle
Barry Greenhut, Director, Product Strategy, Oracle
Christine Doxey, President, Doxey, Inc.
Lakshmi Rajamohan, Principal Product Strategy Manager, Oracle
Mark Stebelton, Director, Product Management, Oracle
This session provides a detailed walkthrough of Oracle Fusion Financial Controls Cloud Service
from an end user’s perspective, and highlights how the product can be configured to automate
best practice controls. Oracle Fusion Advanced Financial Controls Cloud Service is designed to
meet the common needs of Oracle Financials Cloud subscribers. Based on learning from a decade
of customer experience, this session showcases Oracle’s best practice business process for
maximum ROI with minimum cost of ongoing operation.
PANEL SESSION
Sep 22, 12:00 PM – 12:45 PM | Moscone West 3005
Get Started with Financial Reporting Compliance and Advanced
Financial Controls
[CON7284]
Barry Greenhut, Director, Product Strategy, Oracle
Lakshmi Rajamohan, Principal Product Strategy Manager, Oracle
Joel Alvarado, Customer Success Manager, Oracle
This session provides you with the most effective project plan to implement Oracle Financial
Reporting Compliance or Oracle Fusion Advanced Financial Controls Cloud Service. Participants
will learn the shortest and most cost-effective path to success using Oracle’s customer and
partner-tested “get started” process. Learn how to plan and adopt these cloud services, and then
sustain your use through growth and change. Learn how to get the experience and expertise
needed to succeed.
55

40. Arturo Martínez del
Campo Saucedo
Corporate Chief Financial Officer
Grupo Posadas S.A.B. de C.V. .
LEADERSHIP IN FINANCE
LATIN AMERICA - CLOUD
2016
Best
Practice
Adopter
First
Adopter
of Risk
Cloud

41. Copyright © 2016, Oracle and/or its affiliates. All rights reserved.Copyright © 2016, Oracle and/or its affiliates. All rights reserved. |
 For subscribers and partners
To Learn More
Cloud Portal Release Readiness User Documentation Modern Best Practice
Oracle University Success Managers  Get Started  Customer Connect 
57

42. Copyright © 2016, Oracle and/or its affiliates. All rights reserved.Copyright © 2016, Oracle and/or its affiliates. All rights reserved. | 5959
Join our LinkedIn Group
For the latest Updates and Presentations .

43. Copyright © 2016, Oracle and/or its affiliates. All rights reserved. 60

44. | Confidential – Oracle Internal/Restricted/Highly Restricted61