Thursday, 5 April 2012

GRC Introduction

Introduction
Upgrading to Oracle E-Business Suite Release 12.1 (EBS Release 12.1) is much more than a technical activity; it raises a myriad of business questions that organizations must carefully evaluate. Historically, risk and control considerations have been overlooked during ERP upgrades in the name of implementation speed, efficiency, and resource constraints. However, new regulatory demands, more stringent investor scrutiny, and the increasing opportunity for fraud in a frail global economy are raising the stakes for organizations to focus on the importance of control when upgrading their ERP systems.
The good news is that getting controls “right” during an upgrade is less expensive than retrofitting controls after the upgrade is complete. Going live before appropriate internal controls are in place will not only decrease business performance, it gives rise to unnecessary costs because of the need to subsequently go back and correct the ERP system. It may also cause the organization to report significant control deficiencies, lose the confidence of critical stakeholders, and leave itself vulnerable to fraud and wastage.
This white paper highlights several areas where the opportunities to take advantage of substantial enhancements in EBS Release 12.1 may also lead to significant risks when effective change management and control procedures are not properly applied. The paper describes optimal points to incorporate risk and control considerations before, during, and after an upgrade; and explains how the Oracle Governance, Risk, and Compliance (GRC) applications suite may be leveraged to streamline the upgrade process itself, while building an enterprise GRC platform that helps realize operating efficiencies, transparency, and sustainable compliance and risk management well into the future.
Harnessing Oracle GRC to Improve Your E-Business Suite 12.x Upgrade
New Opportunities, New Risks
Oracle E-Business Suite Release 12.1 delivers significant functional enhancements across Financials, Human Resources, Supply Chain, Procurement, Projects, Service, Master Data Management, and Applications Technology. The release represents over six years of development effort and provides comprehensive improvements for every line of business user. These pervasive enhancements introduce important changes for current E-Business Suite customers to consider.
One essential upgrade planning activity is determining which business processes and controls to keep and which to change. Certain business processes should be kept intact to ensure continued compliance and performance, while others will inevitably change to address the evolving needs of the business. The effects of these changes can also reach far beyond the E-Business Suite, to affect other application systems and activities that are currently performed manually. If not anticipated and managed, change can come at considerable cost and risk. The most significant risks to the upgrade are:

Unmanaged changes that hold up the upgrade process

Unnoticed and unwanted changes that cause costly deficiencies
New Centralized Financials Architecture
Let’s take Oracle E-Business Suite Financials as an example. Some of the key features introduced in EBS Financials Release 12.x include:

Support for Multiple Reporting Requirements: Global companies face challenges to prepare statutory, regulatory and IFRS financial statements. The following new features let companies meet multiple reporting requirements and transition more easily to IFRS:
o Ledgers and Ledger Sets: Ledgers (formerly Sets of Books) can support different accounting conventions to meet multiple reporting needs. Each time a transaction or journal is recorded, it can be simultaneously represented in each ledger. Ledgers with similar characteristics can belong to a “Ledger Set” that treats distinct ledgers as if they were one for reporting and accounting purposes.
o Subledger Accounting (SLA): This configurable, rules-based accounting engine can generate multiple accounting representations of a business transaction. For example, a supplier invoice to record the purchase of goods can be simultaneously recorded using three conventions - US GAAP, IFRS, and local statutory - each associated with a different ledger.
o Multiple Reporting Currencies: Organizations can generate an unlimited number of currency views at any level of detail (transaction, journal or balance level) to comply with currency conversion standards and reporting requirements.

Centralized Financials Architecture helps organizations standardize and simplify key business processes. These advances help organizations enact consistent accounting policies, institute a faster period close process, reduce complexity in managing bank accounts, accelerate payment cycles, and simplify compliance with complex tax requirements.
o Accounting Policies: Subledger Accounting (which replaces the Global Accounting Engine) centralizes the definition of accounting rules and the generation of accounting entries from both Oracle and non-Oracle systems.
o Intercompany Accounting: The Advanced Global Intercompany System serves as a forum for subsidiaries to exchange intercompany transactions.
o Legal Entity Structures: The Legal Entity Configurator models legal corporate structures and ties all related components together.
o Banks and Bank Accounts: Internal banks and accounts are defined from a single access point and shared across Oracle Applications.
o Payments: Oracle Payments provides a central place to disburse and capture funds, with automated and streamlined integration with external financial institutions.
o Transaction Taxes: E-Business Tax centralizes the setup and maintenance of tax rules to ensure consistency in rule application and eliminate redundant setup across legal entities.
While the improved support for multiple reporting requirements and the centralized Financials architecture offer the opportunity for unprecedented operational efficiency, these significant changes also introduce the risk of unanticipated, unwanted, and unnoticed effects. For example, E-Business Suite Financials modules that share critical application setups may be inadvertently affected when the upgrade occurs. Keeping track of these changes is imperative, yet nearly impossible to do without the aid of automation and stringent documentation. Improper configurations can affect the integrity of an organization’s data and lead to extensive financial error, misstatement, and exposure to fraud. For example, an incorrect tax configuration may lead to over- or underpayment, with serious repercussions. The consequences of these ill effects include poor business performance and potential financial loss.
New User Access Models
A similar mix of opportunity and risk is introduced through advances in the user access models for EBS Release 12.x. When converting Release 11i responsibilities to Release 12.1 roles, users can unintentionally gain or lose access.

Multiple Organization Access Control (MOAC) expands access to multiple organizations’ data. It allows shared services personnel to enter transactions, process data, view information, and run reports for multiple divisions or business units from a single responsibility, greatly increasing user productivity.

Expanded Role-Based Access Control (RBAC) offers more granular control over user access and includes a new User Management model (UMX) RBAC component for heterogeneous business application environments. Risks associated with this more granular user access include:
o Unnecessary Controls: Existing controls may become outdated as a result of the more granular access grants provided by RBAC. Outdated controls may increase the number of false positives and contribute to business process inefficiency.
o Uncontrolled Access: Conversely, new access grants, including those that span business application environments, can result in overly broad or unnecessarily narrow user privileges.
Adoption of these new user access models, if not effectively managed, can lead to inappropriate user privileges and segregation of duties conflicts, increasing the risk of security and privacy policy violations, error and fraud.
Redesigned User Interface
Portions of EBS Release 12.1’s user interface (UI) have been redesigned significantly and converted from Oracle Forms technology to Oracle Application Framework (OAF) HTML technology. In many cases, where the user interface has changed, the functionality has also changed; in some cases, the underlying data model itself is revised as well. These changes have potential implications for existing controls and may necessitate new controls:

Organizations that altered or customized the Release 11i Forms UI using personalization or customization will lose those changes when the page is replaced with the newer Release 12.1 OAF UI.

Functional and data model changes can render existing controls unnecessary or inadequate, and introduce new behaviors that could require control. For example, the Payables Invoice Workbench data model was revised in Release 12.x in order to separate the invoice lines from distributions to more closely model a real-world invoice and support line-level approval.
Again, unless these changes are properly managed, they can introduce new operational risk to the enterprise. In the following sections, we’ll review specific recommendations for when and how to leverage the Oracle Governance, Risk, and Compliance (GRC) applications suite to help fully realize the benefits of an upgrade to EBS Release 12.1, while intelligently minimizing the risks.
When to Consider Risks and Controls in Your Upgrade
Organizations seeking to “design in” controls as part of an ERP upgrade should proactively identify risks at both the entity and business-process level, and evaluate controls that will mitigate those risks. Organizations that wait for control issues to surface during the upgrade could experience distraction and delays in the upgrade timeline. The methods used to identify risks and controls, and the results found, often depend on the organization’s GRC maturity. A mature organization might manage risks and controls enterprise-wide and interdependently, while others might take a more ad hoc or fragmented approach. Regardless, steps can be taken to minimize disruptions during the upgrade and ensure that business processes are protected over the long term, well after the upgrade.
The suggested tasks before an upgrade are:

Assess the organization’s operational, financial and compliance requirements.

Identify the risks associated with each requirement.

Evaluate existing or new controls to mitigate those risks. Controls can consist of automation, manual activities, or a combination of the two.

Activate controls.
During the upgrade, organizations can then focus on preserving existing controls and introducing new ones when warranted by changes in functionality, business processes, or compliance requirements.
One decision that organizations must assess is whether to identify risks and execute controls in their current EBS 11i environment. The primary advantage of this approach is that it allows organizations to establish a baseline of proper risk and control management first. For example, they can begin to ensure that segregation of duties violations are identified and corrected in their EBS 11i environment. Then when it is time to upgrade to Release 12.1, the organization can concentrate only on the changes introduced by the upgrade, resulting in an upgrade project that is faster and more focused.
Another option is to identify risks and execute controls against the backdrop of the Release 12.1 upgrade. Firms would assess their existing 11i environment, look at their internal controls, identify known deficiencies, and compare this against the expected capabilities in Release 12.1. The primary advantage of this approach is that it allows organizations to look at controls holistically as a portfolio, to better align and link control specifications to current business procedures and application configurations in EBS Release 12.1.
Regardless of the approach taken, the process of creating, reviewing and revising controls helps prepare organizations for post-upgrade operation. Efficient and sustainable business processes that are protected by ongoing monitoring will support your organization over the long run.
How the Oracle GRC Applications Suite Helps
Oracle provides an enterprise GRC platform for managing the changes to business processes and controls that are inherent in an EBS upgrade. The platform integrates documentation and process management, automated controls enforcement, and business intelligence to provide comprehensive capabilities for compliance and risk management requirements. By leveraging the Oracle GRC applications suite, organizations can ensure sustainable compliance, sound business processes, and protected information in post-upgrade operations. The Oracle GRC applications suite includes the following modules:

Oracle Enterprise GRC Manager (EGRCM) provides the shared foundation and tools needed for enterprise-wide management of GRC programs and reduces overlapping and redundant policies, processes, risks, and controls.

Oracle GRC Intelligence (GRCI) empowers organizations to stay on top of critical risk management activities. It offers visibility into an organization’s upgrade readiness and risk responsiveness by providing risk, control and performance analytics and dashboards.

Oracle Enterprise GRC Controls (EGRCC) continuously monitors, enforces and optimizes processes to prevent prohibited or suspicious activities. By monitoring critical setups and user access, it ensures adherence to company policy by identifying control breaches as soon as possible. There are several control governors that comprise EGRCC:

Oracle Configuration Controls Governor (CCG) - Controls and tracks changes to key application setup and master data to facilitate change management without burdening core business operations. The solution records designated setup values, permitting quick examination and evaluation of new values and comparison of values from different releases, points in time or environments. It also performs continuous monitoring once the upgrade is done to ensure ongoing configuration integrity.

Oracle Application Access Controls Governor (AACG) - Provides real-time monitoring and preventive enforcement of crucial access policies. The system anticipates potential segregation of duty (SOD) conflicts before they arise and prevents the assignment of roles or responsibilities within an application that would compromise proper SOD policies.

Oracle Preventive Controls Governor (PCG) - Provides fine-grained control over users’ activities (e.g., viewing and editing key data), while tracking users’ changes, both completed and attempted. Organizations can limit or control the fields that users can view and edit, define the types of data that users can input in various fields, and limit transaction values to enforce financial and operational controls.

Oracle Enterprise Transaction Controls Governor (ETCG) - Continuously monitors transactions to detect suspicious transactions and redundant business practices. During upgrades, companies will undertake changes in policies and controls, leaving them vulnerable to waste and fraud. ETCG spots anomalies in everyday transactions, thereby reducing cash leakage, and avoiding fraud and costly remediation.
The following tables summarize how organizations can potentially leverage the Oracle GRC applications suite before, during and after the upgrade.
TABLE 1. BEFORE THE UPGRADE
Columns: AACG (User Access); PCG (User Interface); CCG (Settings & Master Data); ETCG (Transactions); EGRCM/GRCI (Compliance & Risk Mgmt.)
Identify compliance and GRC requirements: ●
Define and identify risks: ●
Identify controls that address risks: ● ● ● ● ●
Create baseline for automated controls: ● ● ●
Execute on compliance requirements: ● ● ● ● ●
Legend:
AACG: Application Access Controls Governor. PCG: Preventive Controls Governor. CCG: Configuration Controls Governor. ETCG: Enterprise Transaction Controls Governor. EGRCM: Enterprise GRC Manager. GRCI: GRC Intelligence.
TABLE 2. DURING THE UPGRADE
Columns: AACG (User Access); PCG (User Interface); CCG (Settings & Master Data); ETCG (Transactions); EGRCM/GRCI (Compliance & Risk Mgmt.)
Consider impact of new functionality: ● ● ● ● ●
Identify controls that will change: ● ● ● ● ●
Update “false positive” segregation of duties rules, global vs. rule-specific conditions: ● ●
Update rules/risks/controls for:
o Oracle Application Framework pages (new function names): ● ● ● ●
o Requests: ● ● ● ●
Update rules/controls/risks for new functionality:
o MOAC: ● ● ●
o RBAC & UMX: ● ● ●
o Purchasing, Payables, Receivables, “i” Modules: ● ● ● ● ●
Confirm configurable controls: ●
Legend:
AACG: Application Access Controls Governor. PCG: Preventive Controls Governor. CCG: Configuration Controls Governor. ETCG: Enterprise Transaction Controls Governor. EGRCM: Enterprise GRC Manager. GRCI: GRC Intelligence.
TABLE 3. AFTER THE UPGRADE
Columns: AACG (User Access); PCG (User Interface); CCG (Settings & Master Data); ETCG (Transactions); EGRCM/GRCI (Compliance & Risk Mgmt.)
Gather audit evidence to demonstrate that controls have not been negatively impacted: ● ● ● ● ●
Document changes to functionality, controls, risks: ● ● ● ●
Establish new baseline for automated controls: ● ● ●
Create “before” and “after” listings of changed configurations: ●
Conclusion
Oracle E-Business Suite Release 12.1 delivers new functionality with significant value for every line of business owner across the enterprise. To achieve the desired return on investment from an EBS Release 12.1 upgrade, organizations must effectively manage the business process and control changes introduced by the upgrade. Organizations must also integrate and optimize controls within re-designed business processes to realize operating efficiencies, reductions in cost, and effective risk mitigation. The Oracle Governance, Risk, and Compliance applications suite can prevent costly deficiencies and rework while helping to sustain a sound business platform for the future. Superior results can be achieved when the Oracle GRC applications suite is used before the upgrade to identify risks and automate controls. During the upgrade, the Oracle GRC applications suite accelerates and ensures the identification of critical system changes, allowing you to specify and modify controls in response to those changes. Continued use of the Oracle GRC applications suite embeds deep-seated controls within EBS Release 12.1 so business processes are kept intact and optimized long after the upgrade project is complete.

http://www.oracle.com/us/solutions/corporate-governance/harnessing-grc-ebs-303818.pdf


1 comment:

  1. Hi, A private company is one whose articles restrict the transfer of shares with Registered Agents in Qatar, the number of members to fifty and prohibit the subscription of any shares or debentures of the company whereas these restrictions do not apply to a public limited company. Thanks.
