Book Image

Governance, Risk, and Compliance Handbook for Oracle Applications

By : Nigel King, Adil R Khan, Adil Khan
Book Image

Governance, Risk, and Compliance Handbook for Oracle Applications

By: Nigel King, Adil R Khan, Adil Khan

Overview of this book

It seems that every year since the Enron collapse there has been a fresh debacle that refuses to lower the spotlight from corporate Governance, Risk, and Compliance management.Before Sarbanes Oxely forced company managers to become risk conscious, if you asked a chief executive whether he thought he had adequate internal controls, the most likely answer would have been "What is an internal control?" This is clearly no longer the case. Every week some story breaks detailing a lack of good governance, a failure to plan for a foreseeable catastrophe or a failure to comply with an important law or regulation. These stories bring GRC themes into public view, and public scrutiny, and make management and directors keen to show they have put their best efforts forward to govern their companies well, manage risks to the enterprise, and to comply with all applicable laws.Perhaps only Oracle and SAP are in a position to really address all three aspects. The mission of GRC applications is to ensure that the managers and directors of Enterprises that run such applications have a strong defensible position. Written by industry experts with more than 30 years combined experience, this book covers the Governance, Risk Management and Compliance Management of a large modern enterprise and how the IT Infrastructure, in particular the Oracle IT Infrastructure, can assist in that governance. This book is not an implementation guide for GRC products rather it shows you how those products participate in the governance process, how they introduce or mitigate risk, and how they can be brought into compliance with best practice, as well as applicable laws and regulations.The book is divided into three major sections:Governance ñ where we discuss the strategic management of the enterprise, setting plans for managers, making disclosures to investors, and ensuring that the board knows that the enterprise is meeting its goals and staying within its policies.Risk Management ñ where we discuss audit disciplines. This is where we work out what can go wrong, document what we have to do to prevent it from going wrong and check that what we think prevents it going wrong - actually works! We move through the various sub-disciplines within the audit profession and show what tools are best suited from within the Oracle family to assist.Compliance Management ñ where we map the tools and facilities that we have discovered in the first two sections to frameworks and legislations. We give this from an industry and geography agnostic viewpoint, and then drill into some specific industries and countries.We neither stay in the narrow definition of GRC applications, nor limit ourselves to the Business Applications but take you to the most appropriate places in the full Oracle footprint. The book is written from the perspective of big GRC. It is not an implementation manual for the GRC products, although we hope you can get the best out of the GRC products after reading this book. We discuss many applications and technology products that are not in the GRC product family.
Table of Contents (22 chapters)
Governance, Risk, and Compliance Handbook for Oracle Applications
About the Authors
About the Authors
About the Reviewers

Oracle's Governance Risk and Compliance Footprint

The following figure gives an overview of the major functional areas of the governance, risk, and compliance problems and the Oracle Component that best addresses that problem:

When you consider who is involved in the governance, risk, and compliance process, you start to appreciate the tools that you need to complete the footprint.

Balanced Scorecard

This tool is used to express and communicate the mission of the enterprise.

Business Intelligence

This tool is used to measure the degree to which the strategy that has been communicated is actually executing.

Financial Planning and Analysis

This tool is used to convert the mission of the enterprise into financial goals, forecasts that can be discussed with investors through the management )discussion, and analysis.

Consolidations and Financial Reporting

This set of tools is used to report to investors the progress toward the goals expressed in the financial plan.


This tool is used to ensure delivery of ethics and policy education and confirm their understanding.

Risk Management Applications

This tool is used to discover and document risks to the mission of the enterprise, and to ensure that management has well-designed and effective operating controls to mitigate those risks. Such tools cover the following:

  • Access Controls Governor: To ensure that appropriate access is granted to systems.

  • Transaction Controls Governor: To ensure that transaction policies are followed and fraudulent transactions found.

  • Configuration Controls Governor: To ensure that recommended settings of the applications that themselves constitute great automated controls are appropriately configured and that changes are authorized and recorded.

  • Preventive Controls Governor: To extend the controls footprint of the delivered application.

  • Oracle Enterprise Manager: Enterprise Manager also has great capabilities to extract configuration settings and measure them against baseline. The settings that are tracked within EM by default tend to be deeper technical settings.

  • GRC Manager: To provide self assessment, testing operations, and to aggregate the results of the documentation and testing phases of the governance program for managers of the risk assurance activity.

  • GRC Intelligence: To provide the most potent and important information to the executive suite and directors on the residual risk to the enterprise.

Sub Certification

Sub Certification applications are used to allow management to confirm the controls within processes that they are responsible for. Such tools include Hyperion Close Process Manager.

Process Management Applications

These applications are used to provide the pivot point for the risk analysis and management accountability. Largely, these are the processes within the applications themselves. The process may be orchestrated through Oracle Workflow as in the case of purchase order approval or journal approval.

Content Management Applications

These applications are used to provide evidence store for unstructured information. They also provide a store for standard working papers and completed working papers that have been part of the testing activity.

Identity and Authorization Management Applications

These applications are used to provide authentication of users, accountability for their actions in the system, and authorization to information assets required to do their jobs.

Our case study

In order to ensure that we keep ourselves grounded in real problems, we have written the book as a journal of a fictional company establishing its governance processes. We will introduce managers and directors responsible for various aspects of the governance, risk, and compliance problem and where that problem is exposed and how it is addressed in the technology and business applications.

In the previous figure, we have seen the key roles that are directly engaged in the governance, risk management, and compliance activities in a typical organizational chart.

Their IT infrastructure is comprised of Sun Hardware and are running Oracle database, middleware, and business applications. We do have one of the subsidiaries of InFission running JD Edwards just to allow us to illustrate GRC working in a heterogeneous applications environment.

Roles involved in GRC activities

It is worth examining what function is responsible for what activity and what part of the Oracle footprint each is most interested in.

Audit Committee member

The audit committee of the board of directors must have at least three members. One member must have accounting or financial management expertise and all other members must be financially literate. All members must be independent.

The Audit Committee is charged with the oversight of the Financial Reporting process, including review of quarterly and annual financial statements on behalf of the investors and to discuss annual financial statement with management and auditors.

They need to review Management Discussion and Analysis (MD&A) with management and auditors. This is where management gives guidance on where the business is going. Such guidance is also given in Earnings Announcements, press releases, and guidance provided to rating agencies.

They need to monitor the system of internal control and compliance with legal and regulatory requirements. In order to do this, they need to monitor the system of risk assessment and risk management. This may be synonymous with overseeing the internal audit function, but in recent years many enterprises have set up a separate risk management program office reporting it to the management. This oversight means that the audit plan and the scope of the audits are signed off by the audit committee.

In order to ensure that the tone at the top is appropriate, received, and understood the audit committee is generally responsible for an ethics program, and responsible to manage whistle-blower complaints.

Signing Officers

The CEO and CFO of the company are responsible for signing the Sarbanes-Oxley Section 302 Certifications.

These certifications, referred to by the Securities and Exchange Commission as "Rule 13a-14(a)/15d-14a Certifications", must be signed separately by the CEO and the CFO, and filed as an exhibit to quarterly reports on Form 10-Q or 10-Q(SB) and to annual reports on Form 10-K or Form 10-KSB, as Exhibit 31, or, for foreign private issuers, as an exhibit to Form 20-F. The SEC has specified the form and wording of these certifications, which cannot be changed.

Briefly, the Signing Officer certifies that he has reviewed the report, that he believes that it does not contain any misleading misstatement or omission, and that it fairly presents the company's financial position and results of operations. The officer also certifies his responsibility for the company's disclosure controls and procedures and internal controls over financial reporting and as to their effectiveness.

Chief Audit Executive

The Chief Audit Executive is a part of the company but generally has reporting relationships to the Audit Committee of the board of directors.

The duties of the Chief Audit Executive include:

  • Status, strategy, and organization of the Internal Audit Department

  • Management/supervision of the internal audit activity

  • Ensuring the timely completion of internal auditing engagements

  • Ensuring that reports on internal auditing engagements are provided to the audit committee with minimum delay

  • Providing an annual holistic opinion on the effectiveness and adequacy of risk management, control, and governance processes

Chief Financial Officer

As well as being one of the signing officers, the CFO obviously heads the departments that are involved in processing of transactions that most directly affect the subledgers and general ledger, the preparation of financial statements, and financial planning and analysis.

Chief Information Officer

In addition to Sarbanes-Oxley (SOX), CIOs and CSOs must understand and achieve compliance with the Health Insurance Portability and Accountability Act (HIPAA) the Payment Card Industry Data Security Standard (PCI DSS) for organizations processing credit card transactions, and the Federal Information Security Management Act (FISMA) for federal agencies as well as many other global, national, and industry-wide regulations and mandates.

IT governance includes writing IT policies that define who within an organization is responsible for key decisions with regards to IT adoption and usage, who is held accountable for such decisions, and how results are monitored and measured. Implementing IT governance strategies includes assigning committees to steer technology adoption, architectural reviews, and project analysis. Governance is about processes, which should support consistent and transparent methods for managing your information technology acquisitions and usage.

The CIO is also responsible for IT risk management. Risk management requires adapting to constantly changing business requirements and monitoring what technologies are deployed within the organization Risk management encompasses surviving a constantly changing threat landscape by tightening and optimizing an organization's information security, both perimeter and internal, while improving business agility and efficiency.

The CIO is also responsible for IT compliance approaches, governance by designing, assessing, and implementing controls. These controls must map back to the various industry requirements and best practices that ultimately determine success or failure during an IT audit.

Chief Operating Officer

Many of the controls in the business are part of the processes and procedures operating in the Business Units themselves. For example, your revenue line might be unreliable due to side contracts that are made by your salespeople. Management in the business is responsible for the design of the controls and certifying their effectiveness.