Book Image

Governance, Risk, and Compliance Handbook for Oracle Applications

Book Image

Governance, Risk, and Compliance Handbook for Oracle Applications

Overview of this book

It seems that every year since the Enron collapse there has been a fresh debacle that refuses to lower the spotlight from corporate Governance, Risk, and Compliance management.Before Sarbanes Oxely forced company managers to become risk conscious, if you asked a chief executive whether he thought he had adequate internal controls, the most likely answer would have been "What is an internal control?" This is clearly no longer the case. Every week some story breaks detailing a lack of good governance, a failure to plan for a foreseeable catastrophe or a failure to comply with an important law or regulation. These stories bring GRC themes into public view, and public scrutiny, and make management and directors keen to show they have put their best efforts forward to govern their companies well, manage risks to the enterprise, and to comply with all applicable laws.Perhaps only Oracle and SAP are in a position to really address all three aspects. The mission of GRC applications is to ensure that the managers and directors of Enterprises that run such applications have a strong defensible position. Written by industry experts with more than 30 years combined experience, this book covers the Governance, Risk Management and Compliance Management of a large modern enterprise and how the IT Infrastructure, in particular the Oracle IT Infrastructure, can assist in that governance. This book is not an implementation guide for GRC products rather it shows you how those products participate in the governance process, how they introduce or mitigate risk, and how they can be brought into compliance with best practice, as well as applicable laws and regulations.The book is divided into three major sections:Governance ñ where we discuss the strategic management of the enterprise, setting plans for managers, making disclosures to investors, and ensuring that the board knows that the enterprise is meeting its goals and staying within its policies.Risk Management ñ where we discuss audit disciplines. This is where we work out what can go wrong, document what we have to do to prevent it from going wrong and check that what we think prevents it going wrong - actually works! We move through the various sub-disciplines within the audit profession and show what tools are best suited from within the Oracle family to assist.Compliance Management ñ where we map the tools and facilities that we have discovered in the first two sections to frameworks and legislations. We give this from an industry and geography agnostic viewpoint, and then drill into some specific industries and countries.We neither stay in the narrow definition of GRC applications, nor limit ourselves to the Business Applications but take you to the most appropriate places in the full Oracle footprint. The book is written from the perspective of big GRC. It is not an implementation manual for the GRC products, although we hope you can get the best out of the GRC products after reading this book. We discuss many applications and technology products that are not in the GRC product family.

Related Content you might be interested in

Current Title:

Small book image
Governance, Risk, and Compliance Handbook for Oracle Applications
Aug, 2012 | 488 pages
No titles found
Table of Contents (22 chapters)
Governance, Risk, and Compliance Handbook for Oracle Applications
Governance, Risk, and Compliance Handbook for Oracle Applications
Credits
Credits
Foreword
Foreword
About the Authors
About the Authors
Acknowledgement
Acknowledgement
About the Authors
About the Authors
Acknowledgement
Acknowledgement
About the Reviewers
About the Reviewers
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
Introduction
Introduction
How this book is organized
Definitions
Oracle's Governance Risk and Compliance Footprint
The Audit and Compliance process
GRC Capability Maturity Model
Summary
2
Corporate Governance
Corporate Governance
Developing and Communicating Corporate Strategy with Balanced Scorecard
Communicating and confirming Corporate Strategy with iLearning
Managing Records Retention Policies with Content Management Server
Financial planning and analysis with Hyperion FR
Monitoring Execution with Oracle Business Intelligence
Enterprise Risk Management
Whistle-blower protections
Summary
3
Information Technology Governance
Information Technology Governance
Developing and communicating IT strategy with balanced scorecards
Maintaining a valid configuration
Service desk administration through Oracle Enterprise Manager
Summary
4
Security Governance
Security Governance
Security balanced scorecard
System wide advice
Summary
5
Risk Assessment and Control Verification
Risk Assessment and Control Verification
InFission approach for Risk Assessment and Control Verification
Oracle's GRC Manager and Intelligence—risk assessment and control verification system
Summary
6
Documenting Your Controls
Documenting Your Controls
Process and procedure documents
InFission approach for managing process and procedure documents
Managing process documents in Oracle GRC Manager
Risks and controls documents
InFission approach to risk and controls documentation
Managing risks in Oracle GRC Manager
Managing controls in Oracle GRC Manager
Managing control documentation lifecycle in GRC Manager
Summary
7
Managing Your Testing Phase: Management Testing and Certifying Controls
Managing Your Testing Phase: Management Testing and Certifying Controls
Management testing for internal audit program
Management testing for Regulatory Compliance Audits
Management testing for Enterprise Risk Management
InFission's approach to management testing
Management testing using Oracle GRC Manager
Summary
8
Managing Your Audit Function
Managing Your Audit Function
Audit planning
Internal controls assessment
Audit report
Summary
9
IT Audit
IT Audit
InFission IT Audit approach
Automated application controls using Oracle GRC Controls Suite
Summary
10
Cross Industry Cross Compliance
Cross Industry Cross Compliance
Sarbanes-Oxley
ISO 27001 — Information Security Management System (ISMS)
Control Objectives for IT (COBIT)
California Breach Law
Healthcare Information Portability and Protection Act (HIPPA)
Payment Card Industry (PCI)
Federal Sentencing Guidelines
Summary
11
Industry-focused Compliance
Industry-focused Compliance
Hi-tech manufacturing
Environmental compliance and ISO 14000
RoHS WEEE
Life sciences and medical instrument manufacturing
Banking and financial services
Summary
12
Regional-focused Compliance
Regional-focused Compliance
Regulatory compliance in major economic regions
Managing regional compliance using Oracle GRC Manager
Summary

About the Authors

Nigel King is the Vice President for Functional Architecture at Fusion Applications. As such he leads a band of architects whose job is to steward the designs and underpinnings for those things that span product families. He has been working with Oracle for the past 17 years. In that time he has worked mostly in Applications Development. He has worked in many areas of Applications, starting off in Distribution Management and then leading Oracle Applications' first venture into Business Intelligence, and Product Lifecycle Management Applications. A restless observer and inventor, his real passion has always been to see a problem defined, and in being defined well; resolved. By first profession he is a Chartered Management Accountant. He is also a Certified Internal Auditor (CIA), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), and Certified Information Security Professional (CISSP). He swears that as soon as he gets the book finished, he will catch up with his continuing professional education credits (CPE). His patents include, Methods and systems for portfolio planning, Audit management workbench, Internal audit operations for Sarbanes Oxley compliance, and Audit planning. He was fortunate to be hanging around at Oracle when the whole Enron issue happened. A decade later, GRC Apps was born, was new, then grew old, and is now suffused into many of the applications that surround it.

He is also Chairman of the Open Applications Group. The Open Applications Group is a 501(c)(6) not-for-profit standards development organization (SDO). This community is focused on building process-based business standards for e-commerce, Cloud Computing, Service Oriented Architecture (SOA), Web Services, and Enterprise Integration.

The OAGI Specification includes ICXML, an XML specification for the exchange, or risk and control libraries.

Before joining Oracle, he worked in what he now considers the "real world", first as an Accountant and then selling and implementing business systems. He gained insights in the high technology sector working for Philips, the consumer packaged goods sector working for Homepride Foods and Jeyes Group, and was introduced to the software world through Business Technology Consultants.

He is also a licensed boxer, keen soccer player and coach, and a qualified Boston marathon runner.

He lives with his beautiful wife Anita and their soccer fanatic son Ansel in San Mateo, California.

He also co-authored the E-Business Suite, Manufacturing and Supply Chain, Oracle Press handbook. You can also trace his thinking on GRC at ISACA's international conferences over the years: An Overview of Emerging Tools and Technologies for Auditors in 2005, Compliant Access Provisioning in 2006, and Security Provisioning for Outsourced Services in 2008.

Prior to getting interested in the GRC space, you can trace his articles on subjects as diverse as The Convergence of Financial and Supply Chain Planning in Control, the journal of the British Production and Inventory Control Society and Knowledge Management, The Application of Manufacturing Theory in Knowledge Based industries in Management Accounting, the journal of the Chartered Institute of Management Accountants.

Previous Section
Next Chapter