Presentation Transcript


  1. OIC Segregation of Duties Assessment ServicesPrepared by: Roger Drolet MBA, CPA, CISA, CISM, CITP, CRISC, CGMA Oracle Independent Consultants LLC

  2. Contents
  • Business Considerations
  • Example Approach to an SOD Program
  • Client Preparation
  • Sample SOD Controls
  • Sample Output from SOD Assessment
  • Cost Estimate for SOD Assessment

  3. Business Considerations

  4. Segregation of Duties
  Segregation of Duties (SOD) is the separation of incompatible duties that could allow one person to commit and conceal fraud that may result in financial loss or misstatement to the company. Segregation of duties may be within an application or within the infrastructure.

  5. Common Challenges and Pitfalls of IT Controls
  Control deficiencies typically stem from changes or actions taken outside of the formal process:
  • Limited mechanisms to consistently enforce policies at an enterprise level
  • Lack of strong executive-level support and insufficient alignment between IT and the business
  • Lack of user education and awareness regarding SOD
  • Management’s preference to rely on mitigating controls in place of implementing proper SOD
  • Inadequate policies and procedures for effectively changing or removing access when users change jobs or leave the company
  • Limited automated reporting capabilities for IT controls
  • No monitoring tools or capability to periodically review “access rights”

  6. Why the Increased Interest?
  Drivers causing companies to consider the use of Segregation of Duties (SOD) in the management of their business:
  • Regulatory Compliance – Sarbanes-Oxley and other regulatory issues are forcing companies to increase their awareness of, and accountability for, their employees’ actions within the company
  • Security and Data Management – Recent privacy laws and the prosecution of security violations are bringing a new awareness to monitoring and controlling security and access to data within the organization
  • Access Management – Provisioning and management of users’ access to applications has not been enforced, resulting in access creep
  • Rapid Implementation of ERPs – Application security was often overlooked or implemented incompletely (Segregation of Duties was not addressed)

  7. Regulatory Compliance
  Sarbanes-Oxley now provides a compelling case for the implementation and maintenance of appropriate segregation of duties at the organizational, manual-process and system level.
  • Not only should business functions be separated departmentally, and at an even more granular level within departments; companies now also find that they need to provide system enforcement of traditional segregation of duties models
  • External auditors are insisting on evidence that proper segregation of duties exists

  8. Security and Data Management
  Recent privacy laws and the prosecution of security violations are bringing a new awareness to monitoring and controlling security and access to data within the organization.
  • Lack of application-specific Segregation of Duties is resulting in access creep, fraud risk and failed user management processes
  • Disclosure of sensitive information can have a negative impact on shareholder value
  • Increased use of web services (online auctions and banking) has brought increased risk of identity theft and fraud
  • Privacy laws and the disclosure of violations are increasing the need for proactive segregation and control over access to data

  10. Access Management
  Implementation of identity management and ERP tools provides an avenue to leverage technology to enforce and regulate enterprise-level segregation of duties.
  • Established authoritative sources of information through ERP systems (HRMS)
  • Leverage the user lifecycle through role-based access control and system integration
  • Automated provisioning to lower operational costs
  • Greater visibility for management to monitor user activity
  • Centralization of user ID management for multiple applications through the single sign-on concept

  11. Client Preparation

  12. Client Preparation
  • Take a copy of the Production Instance to create a Test Instance
  • Provide OIC with System Administrator access to the Test Instance
  • Identify a Business Owner (BPO) for each Business Process Flow who can make decisions regarding the access privileges to grant to users
  • Identify the System Administrator who will modify Oracle Menus and/or Responsibilities to remediate SOD incidents
  • Provide a copy of the Change Control Policies so that we can revise the Production Instance in accordance with Client Policy
  • Review SOD Rules with External Auditors
  • Finalize SOD Design with the BPO

  13. Example Approach to Segregation of Duties Assessment

  14. Companies Need a Process for Establishing and Managing Segregation of Duties
  Defining SOD rules and policies, aligning organization and process, establishing enforcement, mitigating controls and monitoring are essential components of an SOD solution that helps meet business objectives:
  • Comply with regulatory requirements, for example Sarbanes-Oxley legislation
  • Improve the company-wide internal control structure
  • Mitigate the risk of intentional fraud or unintentional error to the organization
  • Align functions organizationally with common best practices
  • Gain a level of comfort that the financial statements are free from misstatement
  • Improve financial data, thereby improving management reporting
  • Satisfy increasing customer and investor demands for sound internal controls

  15. Program to Establish and Manage SOD

  16. Program to Establish and Manage SOD

  17. Oracle Application Access Controls Governor Helps Companies Manage and Enforce SOD
  The ability to fine-tune user access, and to track that access, is key to complying with regulatory requirements and ensuring corporate security. Oracle Application Access Controls Governor provides real-time monitoring and proactive enforcement of crucial access policies, such as those that support segregation of duties (SOD). The system anticipates potential SOD conflicts before they arise, and even prevents any assignment of roles or responsibilities within an application that would compromise proper segregation of duties. Application Access Controls Governor also extends key access controls to "super-users" and temporary or contract workers.
  • Real-time monitoring and enforcement of SOD controls, including prevention of access provisioning that would jeopardize SOD
  • Graphical simulation to look into access points, detect SOD conflicts, and evaluate treatment options
  • Comprehensive library of best-practice SOD controls

  18. OIC SOD Assessment Process

  19. SOD Assessment Tasks (1 of 5)

  20. SOD Assessment Tasks (2 of 5)

  21. SOD Assessment Tasks (3 of 5)

  22. SOD Assessment Tasks (4 of 5)

  23. Sample SOD Controls

  24. Conflict Rule Set
  Working with the Big 4 accounting firms, Oracle has predefined approximately 150 SOD Controls. We imported these controls into our instance of Oracle AACG. We have supplemented these SOD Controls with additional SOD controls as well as Access Controls that we defined in conjunction with E&Y and our customers. We have predefined SOD Rules for the following Business Process Flows:
  • Procure to Pay
  • Order to Cash
  • Accounting to Reporting
  • Hire to Terminate
  • Acquire to Retire

  25. SOD Controls

  26. SOD Controls

  27. SOD Controls

  28. SOD Controls

  29. Restricted Access Controls
  Oracle AACG enables you to maintain Restricted Access Controls, which govern access to privileged functions such as those listed in the following table. Each of these functions should be “restricted” and assigned only to the very few users who need that access to perform their job tasks.

  30. Sample Output from SOD Controls Assessment

  31. Sample SOD Incident Reports
  • Control Detail Extract Report
  • Incident Summary Extract Report
  • Incident by Control Summary Extract Report
  • Access Incident Details Extract Report
  • Access Point Report
  • Access Violations by User Report
  • Access Violations Within a Single Role Report
  • Intra-Role Violations by Control Report
  • Users with Access Violations by Control Report
  • Conditions Report
  • Global Users Report

  32. Control Detail Extract Report
  A Control Detail Extract Report provides information about controls configured in EGRCC. For each control, the data includes name, description and comments, type (Access or Transaction), priority, the users who created and most recently updated the control, the dates on which they did so, and status (Active or Inactive), as well as the number of pending incidents it has generated. The report also lists tag values assigned to the control, its participants, and related controls. Finally, it displays the processing logic of the control and, for an access control, any conditions defined for it and entitlements that belong to it.

  33. Access Violations within a Single Role (Intra-Role) Report
  Use this report to identify conflicting functions defined for a single Oracle Responsibility. In our example, the responsibility is OIC General Ledger Super User. The control is “Enter Journal Entry & Post Journal Entry”. Only one user, HAROLD_SCHMITT, is currently assigned this responsibility, which enables Harold to enter and post journal entries. The Grouping identifies the paths that provide access to each conflicting access point. Harold should be able to either Post Journals and AutoPost Criteria, or Enter Encumbrances and Enter Journals; however, he should not be able to Enter an Encumbrance or Enter Journals AND Post Journals or AutoPost Criteria.

  34. Intra-Role Violations by Control Report
  Use this report to list the controls with SOD incidents and the Roles (i.e. Oracle Responsibilities) that provide access to the incompatible functions identified in the SOD control. In our example, the first control is “Create Customer & Create Sales Order”, which is used to identify Roles that enable a user to perform both of these tasks. As you can see, the Roles Order Management Super User and Order Management User enable a user to both create a customer and create a sales order.
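The report logic described on slides 29, 33 and 34 (a conflict rule with two groups of incompatible access points, the responsibility "path" that grants each access point, intra-role detection, and counting who holds a restricted function) can be reproduced with a small checker. The code below is an added example, not OIC's or Oracle AACG's code. Only the names the slides mention (HAROLD_SCHMITT, OIC General Ledger Super User, Order Management Super User, Order Management User, the two named controls and the journal/encumbrance access points) come from the page; every other user, responsibility, access point and threshold is constructed sample data. It goes one step beyond the intra-role reports by also flagging a user whose conflict is assembled from two separate responsibilities.

```python
"""Toy segregation-of-duties checker (added example, not OIC's or Oracle AACG's code).
Responsibilities, users and thresholds not named on the slides are constructed
sample data; the conflict groupings follow slide 33."""
from collections import defaultdict

# Constructed sample data: responsibility -> access points (functions) it grants.
RESPONSIBILITIES = {
    "OIC General Ledger Super User": {"Enter Journals", "Enter Encumbrances",
                                      "Post Journals", "AutoPost Criteria"},
    "Order Management Super User": {"Create Customer", "Create Sales Order", "Ship Confirm"},
    "Order Management User": {"Create Customer", "Create Sales Order"},
    "Receivables Clerk": {"Create Customer"},       # assumed responsibility
    "Sales Order Entry": {"Create Sales Order"},    # assumed responsibility
    "System Administrator": {"Define Users", "Define Responsibilities"},
}

# Constructed sample data: user -> responsibilities assigned.
USERS = {
    "HAROLD_SCHMITT": {"OIC General Ledger Super User"},
    "CAROL_DIAZ": {"Receivables Clerk", "Sales Order Entry"},  # conflict spans two roles
    "DAVE_KIM": {"System Administrator"},
    "ERIN_HALL": {"System Administrator"},
    "FRANK_ORTIZ": {"System Administrator"},
}

# SOD controls as (name, side A, side B): holding any access point in side A
# together with any access point in side B is an incident.
SOD_CONTROLS = [
    ("Enter Journal Entry & Post Journal Entry",
     {"Enter Journals", "Enter Encumbrances"}, {"Post Journals", "AutoPost Criteria"}),
    ("Create Customer & Create Sales Order",
     {"Create Customer"}, {"Create Sales Order"}),
]

# Restricted access points (slide 29) -> maximum number of holders; thresholds are assumptions.
RESTRICTED_ACCESS_POINTS = {"Define Users": 2, "Define Responsibilities": 3}


def access_paths(user, users, responsibilities):
    """Map every access point the user holds to the responsibilities granting it (the path)."""
    paths = defaultdict(set)
    for resp in users.get(user, ()):
        for point in responsibilities.get(resp, ()):
            paths[point].add(resp)
    return paths


def intra_role_violations(responsibilities, controls):
    """Responsibilities that by themselves grant both sides of a control (slides 33 and 34).
    Returns {control name: {responsibility: (sorted side-A hits, sorted side-B hits)}}."""
    report = defaultdict(dict)
    for name, side_a, side_b in controls:
        for resp, points in responsibilities.items():
            hit_a, hit_b = side_a & points, side_b & points
            if hit_a and hit_b:
                report[name][resp] = (sorted(hit_a), sorted(hit_b))
    return dict(report)


def user_violations(users, responsibilities, controls):
    """Users whose combined responsibilities grant both sides of a control.
    Also catches conflicts assembled from several responsibilities and records
    the path (responsibility) behind each conflicting access point."""
    findings = []
    for user in sorted(users):
        paths = access_paths(user, users, responsibilities)
        for name, side_a, side_b in controls:
            hit_a = {p: sorted(paths[p]) for p in sorted(side_a) if p in paths}
            hit_b = {p: sorted(paths[p]) for p in sorted(side_b) if p in paths}
            if hit_a and hit_b:
                findings.append({"user": user, "control": name,
                                 "side_a": hit_a, "side_b": hit_b})
    return findings


def restricted_access_report(users, responsibilities, restricted):
    """Who holds each restricted access point, flagged when the count exceeds its limit."""
    holders = defaultdict(set)
    for user in users:
        for point in access_paths(user, users, responsibilities):
            if point in restricted:
                holders[point].add(user)
    return {point: {"users": sorted(holders[point]),
                    "exceeds": len(holders[point]) > limit}
            for point, limit in restricted.items()}


if __name__ == "__main__":
    for control, roles in intra_role_violations(RESPONSIBILITIES, SOD_CONTROLS).items():
        print(f"[intra-role] {control}: {', '.join(sorted(roles))}")
    for f in user_violations(USERS, RESPONSIBILITIES, SOD_CONTROLS):
        print(f"[user] {f['user']} violates '{f['control']}' via {f['side_a']} and {f['side_b']}")
    for point, r in restricted_access_report(USERS, RESPONSIBILITIES, RESTRICTED_ACCESS_POINTS).items():
        print(f"[restricted] {point}: {len(r['users'])} holder(s), "
              + ("EXCEEDS LIMIT" if r["exceeds"] else "within limit"))
```

Run as-is, the intra-role report names OIC General Ledger Super User for the journal control and both Order Management responsibilities for the customer/sales-order control, matching slides 33 and 34; the user report additionally surfaces CAROL_DIAZ, whose conflict only appears when two responsibilities are combined, which is why an assessment should run the per-user report and not stop at intra-role findings.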

  35. SOD Conflicts
  • Incident by Control Summary Extract Report
  • Intra-Role Violations by Control Report
  • Access Violations within a Single Role Report
  • Users with Access Violations by Control Report

  36. Estimated Cost of SOD Assessment with Remediation and Mitigation of SOD Control Violations

  37. Cost of OIC SOD Assessment

  38. About OIC
  Oracle Independent Consultants LLC (OIC) is a leading provider of Risk Advisory and Oracle Fusion Governance, Risk, and Compliance (GRC)-based solutions. OIC GRC Express is an approved Oracle Accelerate program for Oracle GRC Controls and provides fixed-scope methodologies for the rapid deployment of Oracle GRC Controls. The solutions are designed to make Oracle GRC Controls applications more affordable for midsize organizations. OIC’s Oracle Accelerate solution significantly reduces implementation costs and timeframes and lowers the total cost of ownership of Oracle GRC Controls. Contact Us to Learn More.
