This book covers the topic of Governance, Risk, and Compliance (GRC) management. It seems that every year since the Enron collapse there has been a fresh debacle that refuses to let the spotlight move away from this area. Before Sarbanes-Oxley forced the management of companies to become risk conscious, if you had asked a Chief Executive whether he thought he had adequate internal controls, I think the most likely answer would have been "What is an internal control?" This is clearly no longer the case. Every week some story of a lack of good governance, a failure to plan for a foreseeable catastrophe, or a failure to comply with an important law or regulation brings the GRC themes into public view and scrutiny. This makes management and directors keen to show that they have put their best efforts forward to govern their companies well, manage risks to the enterprise, and comply with all applicable laws.
Perhaps only Oracle and SAP are in a position to really address all three aspects of Governance, Risk, and Compliance. The mission of the GRC applications is to ensure that the managers and directors of the enterprises that run our applications have a strong defensible position. The mission is to provide:
Controls that provide the highest degree of mitigation to the risks to the enterprise
Efficiency in testing and consistency in enforcement of Controls
Highest degree of certainty in the risk assessment
Lower costs of collating management's assertions to investors on the effectiveness of the controls
Chapter 1, Introduction, introduces the GRC concepts and shows you the breadth of tools that Oracle has to address GRC problems. We introduce the fictional company with whom we will be taking the Governance, Risk, and Compliance journey.
We introduce the key roles that have a stake in the Governance Risk and Compliance process and explain what that stake is. We show the overall risk management and compliance process at a very high level to see how the information comes together for the signing officers to certify to the investors in the enterprise that the risks are managed and the controls effective.
Chapter 2, Corporate Governance, covers the governance problem from the perspective of the board of directors and very senior management. We take a cursory glance at the array of corporate governance problems and review some candidate applications from Oracle that address those problems.
Chapter 3, Information Technology Governance, covers governance of enterprise IT. We develop an IT strategy and document that strategy in Oracle's Balanced Scorecard. We review the alignment between the projects and that scorecard. We help the CIO see the ranking of those projects with respect to financial and non-financial goals. We sit with the IT Director to ensure that the configuration of the systems is baselined at an agreed state and that configuration is under an effective change management. Lastly, we work with the IT Director to ensure that Infission has good processes for support of end users.
Chapter 4, Security Governance, constructs a Security Balanced Scorecard with objectives for security management that are in concert with the overall corporate objectives. We then demonstrate how the principle of least privilege is implemented through roles, and how the principle of accountability is implemented. We explain how employee on-boarding, off-boarding, transfers, and promotions are reflected in the security system. We show the CSO how the policies defining which duties must be segregated are articulated and enforced, and how violations are reported. We explain how to harden the system to address security threats. Lastly, we take the CSO through security incident tracking and response.
Chapter 5, Risk Assessment and Control Verification, examines the process of evaluating the risks to the enterprise and its mission, which is generally executed as part of a Sarbanes-Oxley Program Management Office established by the Chief Financial Officer. We review the Enterprise Risk Management (ERM) framework established by COSO for risk assessment and controls verification.
Chapter 6, Documenting Your Controls, provides details to help you create and maintain control documentation such as processes, procedures, risk controls, and business units.
Chapter 7, Managing Your Testing Phase: Management Testing and Certifying Controls, describes the Management Testing process, approach, and automation to help identify risks and provide reasonable assurance that an entity is able to meet its business and financial reporting objectives under an Enterprise Risk Management (ERM) framework.
Chapter 8, Managing Your Audit Function, explains the management of the Internal Audit function, which provides an independent assessment of internal controls and thereby gives the Board of Directors and stockholders independent assurance that financial and operational information is reliable, operations are performed efficiently, objectives are achieved, assets are safeguarded, and the actions and decisions of the organization comply with laws, regulations, and contracts.
Chapter 9, IT Audit, covers the IT Audit management function that mitigates information technology risks. The scope of an IT Audit plan includes testing general computer controls as well as application controls. The domains of IT Audit include access controls to reduce the segregation of duties risk, transaction controls to identify whether a user with access to the ERP system has created a transaction that violates a business policy, and configuration controls to track configuration changes in the ERP system.
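As an added illustration (this is not code from the book or from Oracle's Governor products), the two detection rules that the access and transaction controls above rest on, written over constructed ERP data: a static check that no user's combined roles grant both halves of a conflicting privilege pair, and a transactional check that no single user actually performed both halves against the same business object. The SoD policy, roles, users, transaction log, and table names are all assumptions made for the example; they do not reflect any Oracle schema.

```python
"""Segregation-of-duties (SoD) checks over constructed ERP data.

Added illustration, not Oracle code. The SoD policy, role grants, user
assignments and transaction log below are constructed for the example;
the table names are assumptions and do not reflect any Oracle schema.
"""
import sqlite3
from typing import List, Tuple

# Constructed SoD policy: privilege pairs that one person must not hold together.
SOD_POLICY = [
    ("CREATE_SUPPLIER", "APPROVE_PAYMENT"),  # create a fake vendor and pay it
    ("ENTER_JOURNAL", "POST_JOURNAL"),       # book an entry nobody reviewed
]

# Constructed role -> privilege grants (least privilege is expressed via roles).
ROLE_PRIVS = [
    ("AP_CLERK", "CREATE_SUPPLIER"),
    ("AP_CLERK", "ENTER_INVOICE"),
    ("AP_MANAGER", "APPROVE_PAYMENT"),
    ("GL_ACCOUNTANT", "ENTER_JOURNAL"),
    ("GL_SUPERVISOR", "POST_JOURNAL"),
]

# Constructed user -> role assignments. 'jdoe' was promoted to AP manager but
# the old clerk role was never removed: the classic promotion/transfer gap.
USER_ROLES = [
    ("jdoe", "AP_CLERK"),
    ("jdoe", "AP_MANAGER"),
    ("asmith", "GL_ACCOUNTANT"),
    ("bkim", "GL_SUPERVISOR"),
]

# Constructed transaction log: (txn_id, user, privilege exercised, object acted on).
TRANSACTIONS = [
    (1, "jdoe", "CREATE_SUPPLIER", "SUP-100"),
    (2, "jdoe", "APPROVE_PAYMENT", "SUP-100"),  # same person on both sides
    (3, "asmith", "ENTER_JOURNAL", "JE-7"),
    (4, "bkim", "POST_JOURNAL", "JE-7"),        # two different people: fine
]


def load_db() -> sqlite3.Connection:
    """Load the constructed data into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE sod_policy (priv_a TEXT, priv_b TEXT);
        CREATE TABLE role_privs (role_name TEXT, priv TEXT);
        CREATE TABLE user_roles (user_name TEXT, role_name TEXT);
        CREATE TABLE txns (txn_id INTEGER, user_name TEXT, priv TEXT, object_id TEXT);
    """)
    conn.executemany("INSERT INTO sod_policy VALUES (?, ?)", SOD_POLICY)
    conn.executemany("INSERT INTO role_privs VALUES (?, ?)", ROLE_PRIVS)
    conn.executemany("INSERT INTO user_roles VALUES (?, ?)", USER_ROLES)
    conn.executemany("INSERT INTO txns VALUES (?, ?, ?, ?)", TRANSACTIONS)
    return conn


def access_violations(conn: sqlite3.Connection) -> List[Tuple[str, str, str]]:
    """Static (preventive) check: users whose roles, taken together, grant both
    halves of a conflicting pair. Returns (user, priv_a, priv_b) rows."""
    sql = """
        SELECT DISTINCT ua.user_name, p.priv_a, p.priv_b
        FROM sod_policy p
        JOIN role_privs ra ON ra.priv = p.priv_a
        JOIN role_privs rb ON rb.priv = p.priv_b
        JOIN user_roles ua ON ua.role_name = ra.role_name
        JOIN user_roles ub ON ub.role_name = rb.role_name
                          AND ub.user_name = ua.user_name
        ORDER BY 1, 2, 3
    """
    return conn.execute(sql).fetchall()


def transaction_violations(conn: sqlite3.Connection) -> List[Tuple[str, str, str, str]]:
    """Detective check: one user exercised both halves of a conflicting pair
    against the same business object. Returns (user, priv_a, priv_b, object)."""
    sql = """
        SELECT DISTINCT ta.user_name, p.priv_a, p.priv_b, ta.object_id
        FROM sod_policy p
        JOIN txns ta ON ta.priv = p.priv_a
        JOIN txns tb ON tb.priv = p.priv_b
                    AND tb.user_name = ta.user_name
                    AND tb.object_id = ta.object_id
        ORDER BY 1, 2, 3, 4
    """
    return conn.execute(sql).fetchall()


def revoke_role(conn: sqlite3.Connection, user: str, role: str) -> None:
    """Remediation: drop a role assignment (the transfer/off-boarding fix)."""
    conn.execute("DELETE FROM user_roles WHERE user_name = ? AND role_name = ?",
                 (user, role))


if __name__ == "__main__":
    db = load_db()
    print("access violations:", access_violations(db))
    print("transaction violations:", transaction_violations(db))
    revoke_role(db, "jdoe", "AP_CLERK")
    print("after revoking AP_CLERK from jdoe:", access_violations(db))
```

Revoking the stale clerk role clears the access violation going forward, but the transaction check still reports the supplier that jdoe both created and paid, because the log is historical: that is why an IT audit plan tests both the preventive (access) and detective (transaction) layers rather than relying on role clean-up alone.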
Chapter 10, Cross Industry Cross Compliance, covers compliance issues that will be faced by companies in almost any industry. We start off by looking at Sarbanes-Oxley, then move on through the ISO 27000 family (ISO 27001 defines the Information Security Management System requirements) and on to COBIT, which defines control objectives for Information Technology. We look at the California Breach Law, the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry requirements. These have the common theme of privacy, and we show Oracle capabilities for hiding, encrypting, and masking values. We also look at the federal sentencing guidelines and show how a learning management solution provides a defensible position and demonstrates due diligence.
Chapter 11, Industry-focused Compliance, covers regulations that apply to particular industries. We show the major compliance issues in high-tech manufacturing, pharmaceutical and life sciences, and banking. These compliance issues will generally still involve audit staff, but require specialized tools for each of the compliance issues.
Chapter 12, Regional-focused Compliance, covers Canada's Bill 198, the United Kingdom's Corporate Governance Code, the European Union's 8th Directive, Japan's Financial Instruments and Exchange Law, and Australia's Corporate Law Economic Reform Program (CLERP).
We neither stay in the narrow definition of the GRC applications, nor limit ourselves to the Business Applications, but take you to the most appropriate places in the full Oracle footprint. For example, some of the configuration management and change control problems are addressed within the GRC Applications and some of them are addressed within Oracle Enterprise Manager.
This means that the book is not organized by product, but is organized by the governance and risk assurance processes. A given product may be represented in multiple places within the book and a given process may contain multiple product references.
In the governance chapters we take you through Oracle Balanced Scorecard, Oracle iLearning, Oracle Human Resources, Oracle Universal Content Management - Records Management, Project Portfolio Analysis, Oracle Enterprise Manager, and Oracle Service.
In the risk management chapters we take you through Oracle GRC Manager, Oracle Fusion GRC Intelligence, Oracle Enterprise GRC Manager, Application Access Controls Governor, Transaction Controls Governor, Oracle Preventive Control Governor, and Oracle Configuration Controls Governor.
In the compliance chapters we take you through Enterprise Manager, Oracle Payments, Oracle Database Vault, Oracle Data Masking Packs, Oracle E-records Management, Agile's Product Governance and Compliance, Oracle Reveleus, and Oracle Mantas.
We have baselined the book at the 11gR2 Database, 11gR2 Middleware, and release 12.1 of E-Business Suite.
You will need to download the following software for this book:
Oracle GRC Manager 7.8
Oracle Fusion GRC Intelligence 2.01
Oracle Enterprise GRC Manager 8.6.4
Oracle GRC Controls Suite (AACG and TCG) 8.6.3
Oracle Preventive Control Governor 7.3.2
Oracle Configuration Controls Governor 5.5
The audience for this book is the people who advise the board, the Internal Audit department, and the CIO's office on controls, security, and risk assurance. Consultants who are implementing Financials or GRC Applications and wish to gain an understanding of the Governance, Risk, and Compliance processes, and of how they are represented in Oracle, should find it a useful primer. Risk Assurance professionals should find it a reliable companion and constant friend.
In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meaning.
Code words in text are shown as follows: "Use the configuration file httpd_pls.conf to limit web page access to a list of trusted hosts."
A block of code is set as follows:
<Location ~ "/(dms0|DMS|Spy|AggreSpy)">
</Location>
<Location ~ "/dev60html/run(form|rep).htm">
</Location>
Any command-line input or output is written as follows:
New terms and important words are shown in bold. Words that you see on the screen, in menus or dialog boxes for example, appear in the text like this: "When you are in the Hyperion® System 9 Workspace, from the Applications tab select Performance Scorecard in order to access the scorecard."
Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or may have disliked. Reader feedback is important for us to develop titles that you really get the most out of.
To send us general feedback, simply send an e-mail to <[email protected]>, and mention the book title in the subject of your message.
If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide on www.packtpub.com/authors.
Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.
Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you would report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/support, selecting your book, clicking on the errata submission form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded to our website, or added to any list of existing errata, under the Errata section of that title.
Piracy of copyright material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works, in any form, on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.
Please contact us at <[email protected]> with a link to the suspected pirated material.
We appreciate your help in protecting our authors, and our ability to bring you valuable content.
You can contact us at <[email protected]> if you are having a problem with any aspect of the book, and we will do our best to address it.