Hear how a major engineering company and healthcare provider have used Oracle GRC Advanced Controls to save thousands of hours in security access provisioning, configuration change control, testing, project management, and internal and external audit.
4. Reducing Risk for Oracle EBS Upgrades & Implementations (CON8830)
Dane Roberts & Steve Dalton, Oracle
Stephen D’Arcy, PwC
Chuck Scheller, Harvard Pilgrim Health Care, Dir Business Systems
17. Leveraging Oracle Advanced Controls to accelerate your R12 project
“A story of two different Oracle Advanced Controls implementation strategies for Oracle R12 projects”
18. The CH2M HILL Story
“Implementing Oracle Advanced Controls during a global R12 re-implementation”
19. PwC
Overview
1. Project Background & Scope
2. Implementation Approach - Stakeholders
3. Improving the bottom line for CH2M HILL
4. Examples of the Advanced Controls Solutions implemented
5. Keys to success
6. Benefits of implementing Oracle Advanced Controls during the R12 project
20. PwC
Project Background & Scope
[Diagram labels: Applications; Tools; Financials; Security; Procurement; GRC; Human Capital Mgmt.; Plans & Methodologies; Training; Oracle Unified Method; Industry Best Practices; Oracle Applications Experience; Projects; Business Intelligence; Standard Process]
98+ primary ledgers, 10 secondary ledgers, 170 OUs, 50+ countries, 30,000+ end users
21. PwC
Implementation Approach - Stakeholders
[Diagram labels: Oracle Advanced Controls; Process Design Workshops; CEMLI/RICEFW; Internal Audit; Government Compliance Dept; Security Officers; Business Process Owners]
23. PwC
Improving the bottom line for CH2M HILL
• Replaced approximately 15% of the client's 400+ customizations
Saved approximately 2000 developer hours
On average it took 15-20 hours to build a PCG solution
On average it was taking the EBS implementation partner 60-70 hours
• Facilitating the Shared Services model for a global organization
Centralized assessment of security and segregation of duties violations – Estimated Savings – approximately 500 hrs per year – 130 SOD Rules built in
More detailed visibility into which users can perform critical functions within Oracle – especially in foreign locations.
• Transaction Controls Implemented – saving time & benefiting the bottom line
Already identified a number of duplicate payments for investigation and future recovery
Monitoring for compliance exceptions (Enter vs Post Journals)
24. PwC
Improving the bottom line for CH2M HILL
• 100+ critical setups and configurations now being monitored
Reduced time spent testing patches, troubleshooting EBS & validation automated controls
• Over 130 security & segregation of duties rules built
Accelerated security re-design evaluation & identified conflicts prior to go-live
Will reduce Internal & External Audit testing time significantly going forward
• Accelerating multiple Federal Compliance requirements and building many of the solutions into the EBS environment vs more time-consuming manual effort outside of a system
25. PwC
Examples of the Advanced Controls Solutions built
• Duplicate payments
• Journals posted by the same user
• Prevent re-opening of projects assigned to inactive Organizations
• Notification on chart of accounts changes
• Alert when super-user responsibilities are used
• Preventing changes to own pay elements
• Identification of federal-related invoices where a variance exists between the invoice amount and the cash amount applied
• Identification of employees in the federal entities who have a salary outside of their defined salary range for their job grade
26. PwC
Keys to Success
• Business-led implementation of Oracle Advanced Controls
What do you need?
Why do you need it?
What value will it bring you?
Compared to other business requirements, what is the priority?
Are you prepared to own and operate the output post implementation?
• CEMLI Assessment
Worked with IT and the business to identify customization candidates that could be replaced with Oracle Advanced Controls
Determined those CEMLIs where it would be truly more efficient
• Looking at things from a Shared Services perspective
Leveraged to monitor activity across the global EBS footprint
Duplicate payments, entering and posting journals, security/SOD, etc.
27. PwC
Benefits of implementing as part of the R12 project
• Oracle Advanced Controls viewed as an additional tool or accelerator by the project team
• Ability to use PCG to address unique business requirements in real time
• Embed controls into the to-be processes as opposed to a more expensive retro-fit post go-live
• Project ran in parallel with the overall EBS R12 re-implementation (did not impact or slow down the critical path)
• Tools were available to monitor activity during the project (e.g. configuration changes)
• Helped the security re-design team understand where the potential conflicts sat prior to go-live as opposed to expensive re-design post go-live.
28. The Harvard Pilgrim Story
“Implementing Oracle Advanced Controls prior to a R12 implementation”
30. PwC
Project Background – Oracle GRC Manager (2010)
• Harvard Pilgrim engaged with PwC in late 2010 to implement the Oracle Governance, Risk and Compliance Manager solution for Model Audit Rule (MAR) and SAS70 compliance activities and reporting
• As a part of this initiative, PwC team members worked closely with HPHC’s Financial Controls Manager to design and implement a data repository for compliance content and to automate periodic assessment activities and reporting for MAR and SAS70
31. PwC
Project Background – Oracle Insight (2012)
In 2012, PwC and the Oracle Insight team conducted a week-long discovery session to identify opportunities for Harvard Pilgrim to leverage the Oracle GRC Controls solution in advance of the Oracle R12 upgrade. The team identified and recommended a three-phase iterative implementation project to build incremental value for Harvard Pilgrim:
Phase 1 – Quick Wins (Current Scope)
• Review, prioritize and identify key corporate-wide and division-specific controls for potential automation using Oracle GRC Controls
• Maintain focus on acquiring value and decreasing manual effort by the audit teams in executing Segregation of Duties (SOD) testing, access reviews, and configuration change management
• Implement SOD access controls (AACG) and configurations monitoring (CCG)
Phase 2 – Facilitate R12 Upgrade and Implement Transaction Controls
• Maximize usage of AACG and CCG to facilitate R12 upgrade efforts
• Conduct workshops with business process owners to identify high risk transactional controls
• Evaluate opportunity to implement transaction controls (TCG) to address key transactional level risk exposures in Oracle EBS
Phase 3 – GRC Optimization Assessment
• Evaluate opportunity to implement preventive/approval based SOD controls
• Evaluate opportunity to implement approval based change control for key EBS configurations
• Evaluate integration between GRC Control and GRC Manager to automate Model Audit Rules testing
• Assess and provide scope for OHI integration to GRC Controls
32. PwC
Key Benefits for Harvard Pilgrim
• Reduce manual efforts to compile reporting packages for periodic access reviews and configuration change controls
• Maintain integrity of system configurations and provide the ability to track unintended changes from periodic maintenance and patching activities
• Establish Segregation of Duties policies to reduce the cost of R12 upgrade and prevent remediation of access violations post go-live
• Reduce the level of effort to document and manage system configuration changes during R12 upgrade
• Automate the continuous monitoring of key financial controls to reduce the risk of fraudulent transactions
• Expected reduction in external audit scope and fees through the use of an automated tool
33. PwC
HPHC ROI
Tangible Cost Savings (Total ROI 6 years)
• Access Management – Leverage AACG to reduce the level of effort to provision, monitor, and remediate access risk exposures
• Estimated reduction of 2,298 hours across IT, Internal and External Audit
• Controls Management – Leverage CCG to reduce the level of effort to manage and test Oracle configuration change controls
• Estimated reduction of 5,815 hours across IT, HPHC Business, Internal and External Audit
• R12 Upgrade – Leverage AACG and CCG to facilitate R12 upgrade activities such as instance comparison and new responsibility design
• Estimated reduction of 2,278 hours during R12 upgrade and subsequent periods
34. PwC
HPHC ROI
Risk Reduction
• Reduce risk of Fraud, Waste and Abuse by leveraging continuous auditing of access and configuration change control
• Reduce access risk exposure by defining and reviewing SOD and Restricted Access controls at the user and function level
• Reduce risk of inappropriate changes to Oracle configuration by enhanced ability to test configuration change controls by producing system record of changes and audit trail evidence
• Pushes controls testing responsibility & compliance ownership to business area owners. Frees internal audit hours to pursue other IA initiatives versus access and configuration controls testing
• Preventive User Access Administration (automated SOD Policies via AIM)
35. Learn More
PwC GRC Whitepaper
“Leveraging advanced controls with E-Business suite implementation and upgrade projects”
http://www.oracle.com/us/products/applications/ebusiness/optimizing-erp-projects-1855138.pdf
Optimize your ERP Projects leveraging Oracle Advanced Controls