4/13/2015

• Business Considerations
• Example Approach to an SOD Program
• Client Preparation
• Sample SOD Controls
• Sample Output from SOD Assessment
• Cost Estimate for SOD Assessment

Business Considerations

Segregation of Duties (SOD) is the separation of incompatible duties that could allow one person to commit and conceal fraud, resulting in financial loss or misstatement for the company. Segregation of duties may be enforced within an application or within the infrastructure.
• Represents a key internal control that ensures no single person has too much influence over any business transaction or operation
• Serves to prevent unintentional errors or fraud and to ensure timely detection of errors that do occur
• Provides a method of improving alignment between organizational, business process and IT controls
Segregation of duties has always been an important component of a properly functioning internal control environment.

Control deficiencies have typically stemmed from changes or actions taken outside of the formal process:
• Limited mechanisms to consistently enforce policies at an enterprise level
• Lack of strong executive-level support and insufficient alignment between IT and the business
• Lack of user education and awareness regarding SOD
• Management's preference to rely on mitigating controls in place of implementing proper SOD
• Inadequate policies and procedures for effectively changing or removing access when users change jobs or leave the company
• Limited automated reporting capabilities for IT controls
• No monitoring tools or capability to periodically review access rights
This typically leads to access creep, fraud risk, and failed user management processes.

Drivers causing companies to consider the use of Segregation of Duties (SOD) in the management of their business:
• Regulatory Compliance - Sarbanes-Oxley and other regulatory issues are forcing companies to increase their awareness of, and accountability for, their employees' actions within the company
• Security and Data Management - Recent privacy laws and the prosecution of security violations are bringing a new awareness to monitoring and controlling security and access to data within the organization
• Access Management - Provisioning and management of users' access to applications have not been enforced, resulting in access creep
• Rapid Implementation of ERPs - Application security was often overlooked or implemented incompletely (Segregation of Duties was not addressed)

Sarbanes-Oxley is now providing a compelling case for the implementation and maintenance of appropriate segregation of duties at the organizational, manual process and system level.
• Not only should business functions be separated departmentally, and at an even more granular level within departments; companies now find that they also need to provide system enforcement of traditional segregation of duties models
• External auditors are insisting on evidence that proper segregation of duties exists

Recent privacy laws and the prosecution of security violations are bringing a new awareness to monitoring and controlling security and access to data within the organization.
• Lack of application-specific Segregation of Duties is resulting in access creep, fraud risk and failed user management processes
• Disclosure of sensitive information can have a negative impact on shareholder value
• Increased use of web services (online auctions and banking) has brought increased risk of identity theft and fraud
• Privacy laws and disclosure of violations are increasing the need for proactive segregation and control over access to data

Implementation of identity management and ERP tools provides an avenue to leverage technology to enforce and regulate enterprise-level segregation of duties.
• Established authoritative sources of information through ERP systems (HRMS)
• Leverage the user lifecycle through role-based access control and system integration
• Automated provisioning to lower operational costs
• Greater visibility for management to monitor user activity
• Centralization of user ID management for multiple applications through the single sign-on concept

Client Preparation

• Take a copy of the Production instance to create a Test instance
• Provide OIC with System Administrator access to the Test instance
• Identify a Business Process Owner (BPO) for each business process flow who can make decisions regarding the access privileges to grant to users
• Identify the System Administrator who will modify Oracle menus and/or responsibilities to remediate SOD incidents
• Provide a copy of your change control policies so that we can revise the Production instance in accordance with client policy
• Review SOD rules with external auditors
• Finalize the SOD design with the BPO

Example Approach to Segregation of Duties Assessment

Establishing a process for defining SOD rules and policies, aligning organization and process, establishing enforcement, mitigating controls and monitoring are essential components of an SOD solution that helps meet business objectives.
• Comply with regulatory requirements, for example Sarbanes-Oxley legislation
• Improve the company-wide internal control structure
• Mitigate the risk of intentional fraud or unintentional error to the organization
• Align functions organizationally with common best practices
• Gain a level of comfort that the financial statements are free from misstatement
• Improve financial data, thereby improving management reporting
• Satisfy increasing customer and investor demands for sound internal controls

Component: Rules and Policies
Tasks:
• Confirm SOD requirements (including regulatory compliance requirements)
• Develop segregation of duties rules
• Develop restricted access rules
• Eliminate false positives from the rule set
• Define manual segregation of duties components
Comments: We have several hundred SOD rules, developed by Oracle and the Big 4 accounting firms, that we use to evaluate SOD controls.

Component: Organizational and Process Alignment
Tasks:
• Perform risk assessments to identify requirements and strategies
• Identify key stakeholders and establish a communication plan
• Understand and adapt standards (including policies and procedures)
• Build and maintain support within the initiative and within the organization
• Align processes to achieve the proper balance between control value and operational efficiency (cost vs. benefit analysis)
• Identify appropriate segregation points within relevant processes
• Obtain buy-in to the SOD solution from process owners
Comments: These are best practices that every organization should implement.

Component: Establish Enforcement
Tasks:
• Assist in selecting the appropriate technology solution
• Pilot the implementation to validate the solution
• Implement the solution; deliver in phases (highest value first)
• Test performance and functionality
Comments: We recommend that you use Oracle Application Access Controls Governor (AACG) to facilitate enforcement of SOD controls. You can establish preventive enforcement by integrating Oracle AACG with Oracle Preventive Controls Governor (PCG).

Component: Remediating Controls
Tasks:
• Revise the security model to eliminate SOD control violations
• Eliminate false positives from the rule set
Comments: We review the GRC reports with your Business Process Owners (BPO) and System Administrators to help you revise your Oracle Application security model to resolve SOD control violations.

Component: Mitigating Controls
Tasks:
• Develop compensating controls to address functions which cannot be adequately segregated
Comments: We help you define, document and implement (if necessary) compensating controls for functions that cannot be adequately segregated.

Component: Monitoring and Governance
Tasks:
• Adhere to business policies and procedures after initial deployment
• Perform periodic SOD assessments to validate adherence to policies and rules
• Adapt the solution as the business changes (e.g. M&A, reorganizations, upgrades, implementation of new Oracle applications, etc.)
Comments: This process would be very difficult to complete without installing and deploying Oracle GRC Controls, which include Oracle Application Access Controls Governor (AACG) for Restricted Access and SOD, and Oracle Transaction Controls. The OIC offers periodic SOD Assessment Services.

The ability to fine-tune user access, and to track that access, is key to complying with regulatory requirements and ensuring corporate security. Oracle Application Access Controls Governor provides real-time monitoring and proactive enforcement of crucial access policies, such as those that support segregation of duties (SOD). The system anticipates potential SOD conflicts before they arise, and even prevents any assignment of roles or responsibilities within an application that would compromise proper segregation of duties. Application Access Controls Governor also extends key access controls to "super-users" and temporary or contract workers.
• Real-time monitoring and enforcement of SOD controls, including prevention of access provisioning that would jeopardize SOD
• Graphical simulation to look into access points, detect SOD conflicts, and evaluate treatment options
• Comprehensive library of best practice SOD controls

SOD Assessment Tasks

Task 1 (In Scope: Yes; Responsibility: Client): Extract Data from Client EBS Test or Production instance
Comments: We recommend that you take a copy of your Production instance to perform this step. We provide you with a script that extracts the information we need to complete an analysis of your SOD controls.

Task 2 (In Scope: Yes; Responsibility: OIC): Create a Database for Client Data
Comments: We create a database on the server that hosts our instance of Oracle Application Access Controls Governor (AACG). We use this database to import the data that we extract from your EBS instance.

Task 3 (In Scope: Yes): Import Data into Database
Comments: Import the data that we extracted from your EBS instance into the database that we created to store that data.

Task 4 (In Scope: Yes; Responsibility: OIC): Define Client's Database as a Datasource in AACG
Comments: Our DBA creates a Datasource in Oracle AACG so that we can generate Access Synchronization to synchronize the Oracle GRC schema data in AACG with the data that we imported into the database we created for you.

Task 5 (In Scope: Yes; Responsibility: OIC): Create SOD Controls for Client
Comments: We use the Oracle predefined SOD Models to create the SOD Controls that we use to assess your SOD controls. We provide you with a report that lists these SOD Controls, and we recommend that you review them with your internal and external auditors to finalize the list of controls.

Task 6 (In Scope: Yes; Responsibility: Client): Define Global Access Conditions
Comments: We define Global Access Conditions for your organization to eliminate false positives, including Oracle Responsibilities that have been end-dated, Oracle Responsibilities assigned to Users that have been end-dated, and other instances where a true SOD incident does not exist.

Task 7 (In Scope: Yes; Responsibility: OIC): Create a Database for Client Data
Comments: We create a database on the server that hosts our instance of Oracle Application Access Controls Governor (AACG). We use this database to import the data that we extract from your EBS instance.

Task 8 (In Scope: Yes): Generate Access Synchronization
Comments: We generate Access Synchronization for the Datasource we created for your organization. This process updates the GRC schema tables in Oracle AACG with the most current data contained in the database that we defined to import the data extracted from your EBS instance.

Task 9 (In Scope: Yes; Responsibility: OIC): Generate SOD Control Analysis
Comments: We generate SOD Control Analysis to record the SOD Incidents (i.e. conflicts) associated with your EBS instance.

Task 10 (In Scope: Yes; Responsibility: OIC): Generate and Review Incident Reports
Comments: Upon completion of the SOD Control Analysis, we generate several SOD Incident Reports for Intra-Role and Inter-Role SOD conflicts. We review these reports with you and make high-level recommendations to remediate or mitigate these SOD Incidents.

Task 11 (Responsibility: Client): Remediate SOD Incidents
Comments: We work with your Business Process Owners (BPO) and System Administrator to remediate (i.e. resolve) any SOD incidents that you have not mitigated. This includes identifying the responsibilities, menus or functions that need to be removed from a user. Similarly, we work with your System Administrator to make the necessary revisions in your EBS instance.

Task 12 (Responsibility: Client): Mitigate SOD Incidents
Comments: At times, organizations simply do not have sufficient resources to strictly enforce one or more SOD Controls. In these instances, we work with you to help you document the compensating controls you have in place to mitigate the risk associated with these SOD Incidents.

Task 13 (Responsibility: OIC and Client): Repeat steps 1 through 12 for the EBS Test Instance until you have remediated or mitigated the SOD Incidents you wish to resolve.

Task 14 (Responsibility: Client): In the EBS Production Instance, replicate the revisions you made in the EBS Test instance to remediate SOD Incidents
Comments: Using your change control procedures, your System Administrator revises your security model to reflect the revisions he or she made to your EBS Test instance to resolve your SOD incidents.

Task 15 (Responsibility: OIC and Client): Repeat steps 1 through 12 for the EBS Production Instance until you have remediated or mitigated the SOD Incidents you wish to resolve.
Comments: We generate SOD Control Analysis to record the SOD Incidents (i.e. conflicts) associated with your EBS instance.

Sample SOD Controls

Working with the Big 4 accounting firms, Oracle has predefined approximately 150 SOD Controls. We imported these controls into our instance of Oracle AACG. We have supplemented these SOD Controls with additional SOD controls, as well as Access Controls, that we defined in conjunction with E&Y and our customers. We have predefined SOD Rules for the following Business Process Flows:
• Procure to Pay
• Order to Cash
• Accounting to Reporting
• Hire to Terminate
• Acquire to Retire

Sample SOD Controls by Business Process Flow (each control names two incompatible functions):

Procure to Pay
• Approve & Create Invoices
• Approve Invoices & Create Payments
• Approve Invoices & Print Checks
• Approve Invoices & Void Payments
• Approve Purchase Orders & Approval Authorization Controls
• Approve Purchase Orders & Approve Invoices
• Approve Purchase Orders & Create Invoices
• Approve Purchase Orders & Create Purchase Orders
• Approve Purchase Orders & Receive Goods and Services
• Control Budgets & Approve Invoices
• Control Budgets & Approve Purchase Orders
• Control Budgets & Create Invoices
• Control Budgets & Create Payments
• Control Budgets & Create Purchase Orders
• Create Invoices & Create Payments
• Create Invoices & Print Checks
• Create Invoices & Void Payments
• Create Purchase Orders & Approval Authorization Controls
• Create Purchase Orders & Approve Invoices
• Create Purchase Orders & Create Invoices
• Create Purchase Orders & Receive Goods and Services
• Create Requisition & Approve Purchase Order
• Create Requisition & Create Invoices
• Create Requisition & Create Items
• Create Requisition & Create Payments
• Create Requisition & Create Purchase Order
• Create Requisition & Create Suppliers
• Create Requisition & Setup Auto Create Purchase Orders
• Create Suppliers & Approve Invoices
• Create Suppliers & Approve Purchase Orders
• Create Suppliers & Create Invoices
• Create Suppliers & Create Payments

Order to Cash
• Control Budgets & Create Sales Order
• Control Budgets & Enter Customer Receipts
• Control Budgets & Release Sales Order
• Control Budgets & Remittances
• Control Budgets & Ship Customer Goods
• Create Customer & Create Sales Order
• Create Customer & Customer Credit Information
• Create Customer & Enter Accounts Receivable Invoice
• Create Customer & Enter Customer Receipts
• Create Customer & Release Sales Order
• Create Customer & Remittances
• Create Customer & Ship Customer Goods
• Create Items & Cycle Counting
• Create Items & Inventory Transactions
• Create Sales Order & Inventory Transactions

Accounting to Reporting
• Asset Workbench & Asset Depreciation
• Asset Workbench & Mass Transactions
• Asset Workbench & Physical Inventory
• Enter Journal Entry & Assets Depreciation
• Enter Journal Entry & Assets Workbench
• Enter Journal Entry & Capitalizing Assets
• Enter Journal Entry & Mass Transactions
• Enter Journal Entry & Physical Inventory
• Enter Journal Entry & Post Journal Entry
• Enter Journal Entry & Setup General Ledger
• Mass Allocate Journal Entries & Enter Journal Entries
• Perform Cash Reconciliation & Bank Account Reconciliation
• Physical Inventory & Receive Goods & Services
• Post Journal Entry & Assets Depreciation
• Post Journal Entry & Assets Workbench
• Post Journal Entry & Capitalizing Assets
• Post Journal Entry & Mass Transactions
• Post Journal Entry & Physical Inventory
• Post Journal Entry & Setup GL

Hire to Terminate
• Modify Employee Information & Define Payroll Information
• Modify Employee Position & Define Payroll Information
• Modify Employee Salary & Define Payroll Information

Oracle AACG also enables you to maintain Restricted Access Controls, which restrict access to privileged functions such as those listed below. Each of these functions should be "restricted" and assigned only to the very few users who need access to perform their job tasks.

Restricted Access Controls
• AP Invoice
• Item Master
• Transaction Batches
• Approve Payroll
• Maintain Assets
• Vendor Master
• AR Open/Close Accounting Periods
• Maintain Employee
• Vendor Payments
• Customer Master
• Maintain Periods
• Edit Pay Element
• OTC Configuration
• FA Configuration
• Post Journals
• GL Configuration
• Price List
• INV Configuration
• P2P Configuration
• AR Billing

Sample Output from SOD Controls Assessment

Reports:
• Control Detail Extract Report
• Incident Summary Extract Report
• Incident by Control Summary Extract Report
• Access Incident Details Extract Report
• Access Point Report
• Access Violations by User Report
• Access Violations Within a Single Role Report
• Intra-Role Violations by Control Report
• Users with Access Violations by Control Report
• Conditions Report
• Global Users Report

A Control Detail Extract Report provides information about controls configured in EGRCC.
For each control, the data includes the name, description and comments, type (Access or Transaction), priority, the users who created and most recently updated the control, the dates on which they did so, and status (Active or Inactive), as well as the number of pending incidents it has generated. The report also lists tag values assigned to the control, its participants, and related controls. Finally, it displays the processing logic of the control and, for an access control, any conditions defined for it and the entitlements that belong to it.

Use this report to identify conflicting functions defined for a single Oracle Responsibility. In our example, the responsibility is OIC General Ledger Super User and the control is "Enter Journal Entry & Post Journal Entry". Only one user, HAROLD_SCHMITT, is currently assigned this responsibility, which enables Harold to both enter and post journal entries. The Grouping identifies the path that provides access to each conflicting access point. Harold should be able to Post Journals and AutoPost Criteria, or to Enter Encumbrances and Enter Journals; however, he should not be able to Enter Encumbrances or Enter Journals AND Post Journals or AutoPost Criteria.

Use this report to list the controls with SOD Incidents and the Roles (i.e. Oracle Responsibilities) that provide access to the incompatible functions identified in the SOD Control. In our example, the first control is "Create Customer & Create Sales Order", which is used to identify Roles that enable a user to perform both of these tasks. As you can see, the Roles Order Management Super User and Order Management User each enable a user to create a customer and create a sales order.
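The analysis behind these reports (intra-role conflicts inside one responsibility, users whose combined responsibilities conflict, the global access conditions from task 6 that drop end-dated assignments, and the restricted access controls from the earlier slide) can be reproduced on a small scale over the kind of extract the deck describes. The following Python is an added example written for this page; it is not OIC's extract script or Oracle AACG output. The responsibility OIC General Ledger Super User, the user HAROLD_SCHMITT, the Order Management User responsibility and the access point names come from the slide text; the remaining users, responsibilities, end dates and the one restricted-access limit are constructed for the example.

```python
"""Added example: a minimal SOD and restricted-access analysis over an access
extract (users -> responsibilities -> functions). Data below is constructed for
illustration; it is not Oracle seed data or the output of OIC's extract script."""
from datetime import date

# Analysis date used by the global access condition (constructed).
TODAY = date(2015, 4, 13)
# An earlier analysis date, before SAM_LEE's responsibility was end-dated; used
# to show the false positive that the end-date condition removes (constructed).
BEFORE_END_DATE = date(2014, 6, 1)

# Responsibility -> functions (access points) reachable through its menus.
RESP_FUNCTIONS = {
    "OIC General Ledger Super User": {"Enter Journals", "Enter Encumbrances",
                                      "Post Journals", "AutoPost Criteria"},
    "GL Journal Entry": {"Enter Journals", "Enter Encumbrances"},
    "GL Journal Posting": {"Post Journals", "AutoPost Criteria"},
    "Order Management User": {"Create Customer", "Create Sales Order"},
    "Payables Clerk": {"Create Invoices"},
    "Payables Manager": {"Approve Invoices", "Create Payments"},
}

# User -> [(responsibility, end date or None)], as an extract would list it.
USER_RESPS = {
    "HAROLD_SCHMITT": [("OIC General Ledger Super User", None)],
    "JANE_DOE": [("GL Journal Entry", None), ("GL Journal Posting", None)],
    "SAM_LEE": [("Payables Clerk", None),
                ("Payables Manager", date(2014, 12, 31))],  # end-dated
    "PAT_KIM": [("Order Management User", None)],
    "ALEX_RAY": [("Payables Manager", None)],
    "CHRIS_ORR": [("Payables Manager", None)],
}

# SOD controls: two incompatible groups of access points. Holding any function
# from both groups (in one responsibility, or across several) is an incident.
SOD_CONTROLS = {
    "Enter Journal Entry & Post Journal Entry":
        ({"Enter Journals", "Enter Encumbrances"},
         {"Post Journals", "AutoPost Criteria"}),
    "Create Customer & Create Sales Order":
        ({"Create Customer"}, {"Create Sales Order"}),
    "Create Invoices & Create Payments":
        ({"Create Invoices"}, {"Create Payments"}),
}

# Restricted access controls: privileged function -> maximum number of holders.
RESTRICTED_ACCESS = {"Create Payments": 1}


def active_responsibilities(user_resps=USER_RESPS, today=TODAY):
    """Global access condition: ignore assignments end-dated before 'today'."""
    return {user: [resp for resp, end in resps if end is None or end >= today]
            for user, resps in user_resps.items()}


def intra_role_incidents(resp_functions=RESP_FUNCTIONS, controls=SOD_CONTROLS):
    """Controls violated inside a single responsibility, whoever holds it."""
    found = []
    for resp, funcs in resp_functions.items():
        for control, (side_a, side_b) in controls.items():
            if funcs & side_a and funcs & side_b:
                found.append((control, resp))
    return sorted(found)


def user_incidents(user_resps=USER_RESPS, resp_functions=RESP_FUNCTIONS,
                   controls=SOD_CONTROLS, today=TODAY):
    """Per-user incidents with the responsibilities (paths) granting each side;
    'inter-role' means the conflict exists only across responsibilities."""
    found = []
    for user, resps in active_responsibilities(user_resps, today).items():
        for control, (side_a, side_b) in controls.items():
            via_a = sorted(r for r in resps if resp_functions[r] & side_a)
            via_b = sorted(r for r in resps if resp_functions[r] & side_b)
            if via_a and via_b:
                kind = "intra-role" if set(via_a) & set(via_b) else "inter-role"
                found.append((control, user, kind, via_a, via_b))
    return sorted(found)


def restricted_access_violations(user_resps=USER_RESPS,
                                 resp_functions=RESP_FUNCTIONS,
                                 limits=RESTRICTED_ACCESS, today=TODAY):
    """Privileged functions held by more active users than the limit allows."""
    holders = {func: set() for func in limits}
    for user, resps in active_responsibilities(user_resps, today).items():
        for resp in resps:
            for func in resp_functions[resp] & set(limits):
                holders[func].add(user)
    return {func: sorted(users) for func, users in holders.items()
            if len(users) > limits[func]}


if __name__ == "__main__":
    print("Intra-role violations by control:")
    for control, resp in intra_role_incidents():
        print(f"  {control}: {resp}")
    print("Users with access violations by control:")
    for control, user, kind, via_a, via_b in user_incidents():
        print(f"  {control}: {user} ({kind}) via {via_a} and {via_b}")
    print("Restricted access violations:", restricted_access_violations())
    print("Users flagged without the end-date condition:",
          [user for _, user, *_ in user_incidents(today=BEFORE_END_DATE)])
```

Run as a script it prints the three result sets. The "Enter Journal Entry & Post Journal Entry" control is modelled exactly as the slide states it: either side may be granted on its own, and an incident is raised only when an entry function and a posting function are both reachable. Comparing `user_incidents()` with `user_incidents(today=BEFORE_END_DATE)` shows why task 6 matters: SAM_LEE's end-dated Payables Manager assignment produces an inter-role incident only when the condition is absent.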
(Report screenshots on this slide: Incident by Control Summary Extract Report; Intra-Role Violations by Control Report; Access Violations within a Single Role Report; Users with Access Violations by Control Report.)

Estimated Cost of SOD Assessment with Remediation and Mitigation of SOD Control Violations

Complete SOD Assessment in Test Instance (Responsibility: OIC; Fixed Fee per Assessment; Cost: $2,500)
Comments: Complete the assessment of SOD Controls in the Test Instance and generate SOD Incident Reports. Includes Tasks 1 through 10 of the SOD Assessment Tasks.

Test GRC Incident Reports (Responsibility: OIC; Estimated Hours: 4; Rate: $125; Cost: $500)
Comments: Perform random tests to ensure that the GRC incident reports are accurate.

Remediate / Mitigate SOD Conflicts in Test Instance (Responsibility: OIC/Client; Estimated Hours: 40; Rate: $125; Cost: $5,000)
Comments: Resolve conflicts in the Test Instance and document mitigating controls. Also, train the System Administrator to remediate SOD incidents.

Perform SOD Controls Assessment Again in Test Instance (Responsibility: OIC; Fixed Fee per Assessment; Cost: $2,500)
Comments: Complete the assessment of SOD Controls in the Test Instance again and generate SOD Incident Reports to ensure that outstanding SOD incidents have been remediated or mitigated. Includes Tasks 1 through 10 of the SOD Assessment Tasks.

Revise Security Model in Production to Remediate / Mitigate SOD Conflicts in Production Instance (Responsibility: Client; Estimated Hours: 40 (non-billable); Cost: $0)
Comments: Replicate the revisions made to Responsibilities in the Test Instance in accordance with the Client's Change Control Policies.

Complete SOD Controls Assessment in EBS Production Instance (Responsibility: OIC; Fixed Fee per Assessment; Cost: $2,500)
Comments: Complete the assessment of SOD Controls in the Production Instance and generate SOD Incident Reports. Includes Tasks 1 through 10 of the SOD Assessment Tasks.

Estimated Cost: $13,000

Note: This is an iterative process and we may have to generate the SOD Assessment more than once to remediate/mitigate SOD Incidents. Cost is $2,500 per Assessment.

Oracle Independent Consultants LLC (OIC) is a leading provider of Risk Advisory and Oracle Fusion Governance, Risk, and Compliance (GRC)-based solutions. OIC GRC Express is an approved Oracle Accelerate program for Oracle GRC Controls and provides fixed-scope methodologies for the rapid deployment of Oracle GRC Controls. The solutions are designed to make Oracle GRC Controls applications more affordable for midsize organizations. OIC's Oracle Accelerate solution significantly reduces implementation costs and timeframes and lowers the total cost of ownership of Oracle GRC Controls. Contact Us to Learn More.