
Evolving from Financial Compliance to Next Generation GRC

Gary Prince Principal Solution Specialist - GRC

Agenda

Business Challenges
Oracle's Leadership in Governance, Risk and Compliance
Solution Overview
Solution Demo

Financial Compliance is Only the First Step

Pressure mounts to fortify the financial compliance foundation

1. Regulations Go Beyond Financial Reporting: an increasing number of regulations pose a challenge to sustainable GRC (CFR, OFAC, AML, IT Governance, Records Retention, Patriot Act, ERM, Basel II, HIPAA, E-Discovery, PCI, NERC/FERC).

2. Vulnerability to Information Breaches: growing recognition that information breaches stem from inside the organization.

3. Real-Time Public Exposure of Misdeeds: instantaneous media communication increases the risk of reputational damage.

GRC is the New Normal


Requirements Increase in Number and Complexity

Mandates: Service Level Compliance, Financial Reporting Compliance, Compliance & Ethics Programs, IT Governance, Records Retention, Anti-Money Laundering, Audit Management, Supply Chain Traceability, Legal Discovery, Data Privacy

People: Finance, Suppliers, R&D, Mfg, Sales, HR, Legal, Customers

Technology: Data Warehouse, Enterprise Applications, Database, Mainframes, Mobile Devices, Apps Server

Regional Mandates: SOX, JSOX, EU Directives, HIPAA, Basel II, GLBA, PCI, Patriot Act, SB1386

Source: Open Compliance and Ethics Group

New Risks to Your Business: Credit Card / Identity Theft


TJ Maxx
8 class-action lawsuits filed as of March 23; a Massachusetts-led investigation by attorneys general from 30 states; a pretax charge of $25 million spent to date.
Source: 2006 Annual Report, March 2007


Chipotle
Fast food chain stored full range of customer data from credit card accounts. Roughly 2,000 fraudulent charges against Chipotle customers totalled $1.3M, additional fines from Visa and Mastercard amounted to $1.7M, and legal fees racked up another $1.3M.
Source: Computerworld, December 2005

Dollar Tree
Customers of the discount store have reported money stolen from their bank accounts due to unauthorized ATM withdrawals. Cyber-thieves have stolen as much as $700,000 from personal accounts during the last two months.
Source: Eweek, August 2006

Life is Good
Boston-based retailer today disclosed a security breach in which hackers accessed a database containing 9,250 customers' credit card numbers.
Source: Boston.com, Sept. 2006

Security Breaches are increasingly Expensive


Costs are increasing
Breaches cost companies an average of $182 per compromised record, a 31% increase over 2005. In 2006, 31 companies experienced a data breach; the total cost of each loss ranged from $1 million to over $22 million.
Source: The Ponemon Institute, October 2006

Penalties are Severe
Companies can be barred from processing credit card transactions, higher processing fees can be applied, and in the event of a serious security breach, fines of up to $500,000 can be levied for each instance of non-compliance.
Source: http://www.internetretailer.com/internet/marketing-conference/80146-compliance-dilemma.html

Proactive Security Is Cheaper

The cost of a breach can reach at least $90 per customer for companies with at least 100,000 accounts, versus $6 to $16 per account per year to strongly protect that data.
Source: Gartner study, 16 September 2005, "Data Protection Is Less Costly Than Breaches"

Complementary Compliance Efforts


Sarbanes-Oxley
Requires that public companies have effective internal controls on financial information with independent auditor attestation. Prudent private companies comply as well. It comes down to this:
Access control: Who has access to what information?
Auditability: Can you monitor and track access to information?

Gramm-Leach-Bliley Act
Requires that financial institutions safeguard Personally Identifiable Information (PII). Prudent retailers consider GLBA compliance a best practice. Personal service depends on secure access to PII.
Data Privacy: Do your best customers trust you?

Practical Lessons from Sarbanes-Oxley

Most organizations progress through a maturity curve (chart: cost plotted against number of controls over time)

Year 1 & 2: manual, redundant efforts. Define.
Year 3: remediation & standardization. Rationalize.
Year 4+: embedded GRC & operational excellence. Automate, monitor & verify.

New AS5 guidance: a top-down, risk-based approach; tailor the audit to the specific company profile. External auditors can use the work of others as evidence.

Agenda

Business Challenges
Oracle's Leadership in Governance, Risk and Compliance
Solution Overview
Customer Success

Oracle's Compliance Solution

Solution layers: Cross-Enterprise Policy and Process Management; Enterprise Control Management; Analytics & Performance Management; Infrastructure.

End-to-End Policy & Process Management governs risk and compliance activities. Enterprise Control Management detects and prevents control failures. Integrated analytics deliver actionable insight.


A World of Paper and Manual Hand Offs

Current state of risk and compliance management: a fragmented approach (diagram: auditors, business process owners, executives and testers passing information between one another by hand).

Content Management is the Cornerstone

Single system of record for compliance information: a single source of information, secure enterprise search, all content types, date-effective chain of custody, and a central repository.

Link policies and procedures to laws, regulations, and standards as evidence of compliance. Apply and track permission-based access to policy and procedure documents. Leverage an advanced search function with a familiar look and feel.

Manage Policies and Procedures

Align policies to best-practice frameworks: master libraries of policies & controls; embedded frameworks (COSO, COBIT, ITIL).

Frameworks align corporate policies and associated controls to standards. Link shared policies and controls in master libraries for easy maintenance.

Manage Financial Compliance Process

Automate and streamline the compliance process: workflow carries each step to the next (Document, Assess/Audit, Analyze, Respond, Certify), with an inbox notifying owners of their tasks.

65% of companies say they have been adversely impacted by redundant or inconsistent GRC processes. The resulting effects reported:
71%: increased general operating expenses
69%: increased cost of reconciling information
32%: reduced margins
15%: higher cost from suppliers
10%: higher cost of capital

Source: 2007 OCEG Benchmark Series


Segregation of Duties for Applications

Detect access violations

Pre-delivered content: a library of SOD constraints.
Process: an employee's access is checked for violations against the constraint library; a detected violation triggers corrective measures, after which the violation is cleared and the access is authorized.
Evidence: evidence of due diligence.

User access deviations are detected across instances. Continuous monitoring through reporting.

Role-Based Access to Applications

Prevent access violations

Process: set-up of the user profile, assignment of roles, and certification of who has access to what are each checked against the SOD policy; a grant of a role that would create a violation is denied.

Integrated framework for user provisioning. Set-up of user profiles with a library of constraints. Segregation of duties prevention and certification across heterogeneous systems.
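The detective check of the SOD slide and the preventive check of the role-based access slide, as an added example (not Oracle's code): role assignments are merged across instances and scanned against a constraint library, and a proposed role grant is evaluated before it is applied. Constraint names, roles, users and instances are constructed.

```python
"""Segregation-of-duties (SoD) detection and prevention (added example).

Detective mode scans user-role assignments merged across instances against
a library of SoD constraints; preventive mode evaluates a proposed role
grant before it is applied. All names below are constructed samples.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class SodConstraint:
    name: str
    role_a: str   # role_a and role_b must never be held by the same user
    role_b: str

# Constructed constraint library (the slide's "pre-delivered content").
SOD_LIBRARY = (
    SodConstraint("maintain-vendor-vs-release-payment", "AP_VENDOR_MAINTAIN", "AP_PAYMENT_RELEASE"),
    SodConstraint("enter-journal-vs-approve-journal", "GL_JOURNAL_ENTRY", "GL_JOURNAL_APPROVE"),
    SodConstraint("enter-requisition-vs-approve-po", "PO_REQUISITION", "PO_APPROVE"),
)

def merge_instances(*instances):
    """Union each user's roles across application instances, so conflicting
    roles split between two systems are still caught."""
    merged = {}
    for inst in instances:
        for user, roles in inst.items():
            merged.setdefault(user, set()).update(roles)
    return merged

def detect_violations(assignments, library=SOD_LIBRARY):
    """Detective control: sorted (user, constraint name) pairs in conflict."""
    return sorted((user, c.name) for user, roles in assignments.items()
                  for c in library if c.role_a in roles and c.role_b in roles)

def evaluate_grant(assignments, user, new_role, library=SOD_LIBRARY):
    """Preventive control: (allowed, reason) for granting new_role to user."""
    current = assignments.get(user, set())
    for c in library:
        if (new_role == c.role_a and c.role_b in current) or \
           (new_role == c.role_b and c.role_a in current):
            return False, f"grant of {new_role} to {user} denied: violates {c.name}"
    return True, f"grant of {new_role} to {user} allowed"

# Constructed sample data: alice's conflicting roles live in two different instances.
ERP_INSTANCE = {"alice": {"AP_VENDOR_MAINTAIN"}, "bob": {"GL_JOURNAL_ENTRY", "GL_JOURNAL_APPROVE"}}
PAYMENTS_INSTANCE = {"alice": {"AP_PAYMENT_RELEASE"}, "carol": {"PO_REQUISITION"}}

if __name__ == "__main__":
    merged = merge_instances(ERP_INSTANCE, PAYMENTS_INSTANCE)
    print(detect_violations(merged))                      # alice and bob flagged
    print(evaluate_grant(merged, "carol", "PO_APPROVE"))  # denied
```

Scanning a single instance on its own misses alice, which is the reason the slide stresses detection across instances.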

Control Privileged User Access

Take away the keys of the kingdom

Scenario: a DBA has access to the HR realm but is denied access to the FIN realm; a super DBA who tries to access financial tables during the quiet period is denied.

Protect from insider threats by ensuring powerful users have access to only what they need to do their job. Restrict access to sensitive data and ascertain that users are who they state themselves to be.

Control Privileged User Access (continued)

Critical data (National ID/SSN, salary, customer records) is grouped into realms (HR realm, FIN realm). Access controls on super users combine realm authorization with factors such as time of day and IP address: for example, the HR DBA connecting at 3pm on Monday is permitted into the HR realm, while the FIN realm is reserved for the FIN DBA.
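The two privileged-access slides above, as an added example that is not Oracle Database Vault code: protected tables are grouped into realms, each realm names the accounts authorized for it, and access is further gated by time of day, source IP and a financial quiet period, so a super DBA's system privileges alone do not open a realm. Realm names, tables, accounts, networks and the quiet-period dates are constructed.

```python
"""Realm-based control of privileged (DBA) access (added example)."""
from dataclasses import dataclass
from datetime import date, datetime, time
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Realm:
    name: str
    tables: frozenset          # protected objects
    authorized: frozenset      # accounts allowed inside the realm
    hours: tuple               # (start, end) permitted time-of-day window
    networks: tuple            # permitted source networks
    quiet_periods: tuple = ()  # (start_date, end_date) blackout windows

# Constructed realms mirroring the slide: HR and FIN, each with its own DBA.
REALMS = (
    Realm("HR", frozenset({"HR.EMPLOYEES", "HR.SALARIES"}), frozenset({"HR_DBA"}),
          (time(7, 0), time(19, 0)), (ip_network("10.1.0.0/16"),)),
    Realm("FIN", frozenset({"FIN.GL_BALANCES", "FIN.CUSTOMERS"}), frozenset({"FIN_DBA"}),
          (time(7, 0), time(19, 0)), (ip_network("10.2.0.0/16"),),
          quiet_periods=((date(2007, 3, 25), date(2007, 4, 10)),)),
)

def realm_for(table):
    """Return the realm protecting table, or None if it is unprotected."""
    for r in REALMS:
        if table in r.tables:
            return r
    return None

def check_access(user, table, when, src_ip):
    """Return (allowed, reason). Unprotected tables fall through to ordinary
    database grants; realm tables require every factor to pass."""
    realm = realm_for(table)
    if realm is None:
        return True, "not a realm-protected object"
    if user not in realm.authorized:
        return False, f"{user} is not authorized for realm {realm.name}"
    if not (realm.hours[0] <= when.time() <= realm.hours[1]):
        return False, f"outside permitted hours for realm {realm.name}"
    if not any(ip_address(src_ip) in net for net in realm.networks):
        return False, f"source {src_ip} not permitted for realm {realm.name}"
    for start, end in realm.quiet_periods:
        if start <= when.date() <= end:
            return False, f"realm {realm.name} is in its quiet period"
    return True, f"{user} authorized for realm {realm.name}"

if __name__ == "__main__":
    # The slide's scenario: a super DBA reaching for financial tables in the quiet period.
    print(check_access("SUPER_DBA", "FIN.GL_BALANCES", datetime(2007, 3, 26, 15, 0), "10.2.5.5"))
    # The HR DBA at 3pm on a Monday from the HR network.
    print(check_access("HR_DBA", "HR.SALARIES", datetime(2007, 5, 7, 15, 0), "10.1.3.3"))
```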

Verify System Configurations

Automate and monitor application controls: ensure an internal requisition source; monitor changes to expensing rules; monitor changes to document numbering; monitor changes to the price tolerance percentage; monitor discounting rules.

Procure-to-Pay process (diagram spanning Procurement, Inventory and Accounts Payable, with the monitored instance labeled SAP): Requisition, Purchase Goods / Services, Receive Goods / Services, Invoice, Issue Payments.

Monitors over 500 key configuration settings across instances. Before-and-after snapshots of changes to settings, with the ability to revert. Automatic alerts notify managers as exceptions occur.
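The snapshot, compare, alert and revert cycle the slide describes, as an added example (not Oracle's product code): a baseline snapshot of the monitored procure-to-pay settings is compared with the live values, any drift in a controlled key produces an alert for the control owner, and the baseline can be re-applied. Setting keys, values and the instance name are constructed to mirror the slide's examples.

```python
"""Configuration-control monitoring with before/after snapshots (added example)."""
from datetime import datetime

# Constructed set of controlled settings for the procure-to-pay process.
MONITORED_KEYS = {
    "PO.REQUISITION_SOURCE", "AP.EXPENSE_RULES_VERSION", "PO.DOCUMENT_NUMBERING",
    "PO.PRICE_TOLERANCE_PCT", "OM.DISCOUNT_RULES_VERSION",
}

def take_snapshot(settings):
    """Copy only the controlled keys; a missing key is recorded as None."""
    return {k: settings.get(k) for k in MONITORED_KEYS}

def diff_snapshots(before, after):
    """Return {key: (old, new)} for every controlled key whose value changed."""
    return {k: (before.get(k), after.get(k))
            for k in MONITORED_KEYS if before.get(k) != after.get(k)}

def build_alerts(changes, instance, when):
    """One alert line per change, in key order, for notifying the control owner."""
    return [f"{when.isoformat()} {instance} {k}: {old!r} -> {new!r}"
            for k, (old, new) in sorted(changes.items())]

def revert(settings, baseline, keys):
    """Re-apply baseline values for the given keys; untouched keys are kept."""
    restored = dict(settings)
    for k in keys:
        restored[k] = baseline[k]
    return restored

# Constructed baseline taken when the controls were last certified.
BASELINE = {"PO.REQUISITION_SOURCE": "INTERNAL", "AP.EXPENSE_RULES_VERSION": 12,
            "PO.DOCUMENT_NUMBERING": "AUTO", "PO.PRICE_TOLERANCE_PCT": 5,
            "OM.DISCOUNT_RULES_VERSION": 3}
# Constructed live settings: tolerance widened, requisition source opened up,
# plus an uncontrolled cosmetic setting that must not raise an alert.
LIVE = dict(BASELINE, **{"PO.PRICE_TOLERANCE_PCT": 25,
                         "PO.REQUISITION_SOURCE": "EXTERNAL", "UI.THEME": "blue"})

def run_check(baseline=BASELINE, live=LIVE, instance="ERP-PROD-1"):
    """Full cycle: snapshot both sides, diff, alert, and revert the drifted keys."""
    changes = diff_snapshots(take_snapshot(baseline), take_snapshot(live))
    alerts = build_alerts(changes, instance, datetime(2007, 6, 1, 9, 30))
    restored = revert(live, baseline, changes)
    return changes, alerts, restored

if __name__ == "__main__":
    for line in run_check()[1]:
        print(line)
```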

Anticipate Auditor Requirements with Evidence of Enforcement

IT Audit: prevent unauthorized system configuration changes with diagnostics. Identify top audit alerts by application, system, and audit event. Identify trends in control performance with snapshot comparisons.

Financial Audit: deliver auditor-ready reports for process certification and remediation analysis. Provide evidence of best-practice periodic attestation. Review the complete audit trail for any changes to control elements.


Oracle Financial Compliance Solution Summary

Policy and process management governs risk and compliance activities:
Reduce cost and complexity by managing multiple global financial mandates with one system.
Rely on a tamper-proof chain of evidence for all financial compliance processes.
Align policies and processes with best-practice risk and control frameworks.

Enterprise control management detects and prevents control failure:
Control user access & enforce segregation of duties with business-driven rules.
Reduce the risk of fraud with continuous monitoring of automated controls.
Enforce effective preventive and detective controls across all systems.

Integrated financial compliance analytics deliver actionable insight:
Leverage a single source of GRC information across departments, units and locations.
Improve risk responsiveness with timely control and performance analytics.
Tailor GRC intelligence to the needs of your specific organization and function.

Why Choose Oracle GRC?

Only Oracle:

Governs risk and compliance activities with Policy & Process Management: reduce cost and complexity by managing global financial mandates with one system; rely on a tamper-proof chain of evidence for all compliance processes; align policies and processes with best-practice risk and control frameworks.

Detects and prevents control failures with Enterprise Control Management: control user access & enforce segregation of duties with business-driven rules; reduce the risk of fraud with continuous monitoring of automated controls; enforce effective preventive and detective controls across all systems.

Delivers GRC insight for better business performance: leverage a single source of GRC information across departments and locations; improve risk responsiveness with timely control and performance analytics; tailor GRC intelligence to the needs of your specific organization and function.

Oracle Governance, Risk, and Compliance

Simplify GRC and Reduce Costs

Safeguard Brand and Reputation

Run Your Business Better and Prove It
