Governance, Risk, and Compliance Handbook for Oracle Applications

Book Description


Written by industry experts with more than 30 years of combined experience, this handbook covers all the major aspects of Governance, Risk, and Compliance management in your organization.

  • Governance: In-depth coverage of corporate, IT, and security governance, including strategy development and communication, strategic reporting and control, and more

  • Risk Management: Creating a risk management program, performing risk assessment and control verification, and more

  • Compliance Management: Cross-industry, cross-regional laws and regulations, industry-specific laws and regulations, region-specific laws and regulations

  • To maximize real world learning, the book is built around a fictional company establishing its governance processes

  • Written by industry experts with more than 30 years of combined experience

In Detail

It seems that every year since the Enron collapse there has been a fresh debacle that refuses to lower the spotlight from corporate Governance, Risk, and Compliance management.

Before Sarbanes-Oxley forced company managers to become risk conscious, if you asked a chief executive whether he thought he had adequate internal controls, the most likely answer would have been “What is an internal control?”

This is clearly no longer the case. Every week some story breaks detailing a lack of good governance, a failure to plan for a foreseeable catastrophe, or a failure to comply with an important law or regulation. These stories bring GRC themes into public view and public scrutiny, and make management and directors keen to show they have put their best efforts forward to govern their companies well, manage risks to the enterprise, and comply with all applicable laws.

Perhaps only Oracle and SAP are in a position to really address all three aspects. The mission of GRC applications is to ensure that the managers and directors of enterprises that run such applications have a strong, defensible position.

Written by industry experts with more than 30 years of combined experience, this book covers the Governance, Risk Management, and Compliance Management of a large modern enterprise and how the IT infrastructure, in particular the Oracle IT infrastructure, can assist in that governance. This book is not an implementation guide for GRC products; rather, it shows you how those products participate in the governance process, how they introduce or mitigate risk, and how they can be brought into compliance with best practice as well as applicable laws and regulations.

The book is divided into three major sections:

Governance – where we discuss the strategic management of the enterprise, setting plans for managers, making disclosures to investors, and ensuring that the board knows that the enterprise is meeting its goals and staying within its policies.

Risk Management – where we discuss the audit disciplines. This is where we work out what can go wrong, document what we have to do to prevent it from going wrong, and check that what we think prevents it from going wrong actually works! We move through the various sub-disciplines within the audit profession and show which tools from within the Oracle family are best suited to assist.

Compliance Management – where we map the tools and facilities discovered in the first two sections to frameworks and legislation. We present this first from an industry- and geography-agnostic viewpoint, and then drill into some specific industries and countries.

We neither stay within the narrow definition of GRC applications nor limit ourselves to the business applications, but take you to the most appropriate places in the full Oracle footprint. The book is written from the perspective of big GRC. It is not an implementation manual for the GRC products, although we hope you can get the best out of the GRC products after reading this book. We discuss many applications and technology products that are not in the GRC product family.


Table of Contents

  1. Governance, Risk, and Compliance Handbook for Oracle Applications
    1. Table of Contents
    2. Governance, Risk, and Compliance Handbook for Oracle Applications
    3. Credits
    4. Foreword
    5. About the Authors
    6. Acknowledgement
    7. About the Authors
    8. Acknowledgement
    9. About the Reviewers
      1. Support files, eBooks, discount offers and more
        1. Why Subscribe?
        2. Free Access for Packt account holders
        3. Instant Updates on New Packt Books
    11. Preface
      1. What this book covers
      2. What you need for this book
      3. Who this book is for
      4. Conventions
      5. Reader feedback
      6. Customer support
        1. Errata
        2. Piracy
        3. Questions
    12. 1. Introduction
      1. How this book is organized
      2. Definitions
        1. Governance
        2. Risk
        3. Compliance
      3. Oracle's Governance Risk and Compliance Footprint
        1. Balanced Scorecard
        2. Business Intelligence
        3. Financial Planning and Analysis
        4. Consolidations and Financial Reporting
        5. Learning
        6. Risk Management Applications
        7. Sub Certification
        8. Process Management Applications
        9. Content Management Applications
        10. Identity and Authorization Management Applications
        11. Our case study
        12. Roles involved in GRC activities
          1. Audit Committee member
          2. Signing Officers
          3. Chief Audit Executive
          4. Chief Financial Officer
          5. Chief Information Officer
          6. Chief Operating Officer
      4. The Audit and Compliance process
        1. Risk Assessment phase
        2. Audit Planning phase
        3. Documentation phase
        4. Testing phase
        5. Reporting phase
        6. Relationships between entities, accounts, process, risk controls, and tests
      5. GRC Capability Maturity Model
      6. Summary
    13. 2. Corporate Governance
      1. Developing and Communicating Corporate Strategy with Balanced Scorecard
        1. Balanced Scorecard Theory
          1. The four perspectives
          2. Measures
          3. Strategy Maps
          4. Infission's strategic initiative
          5. Oracle's Balanced Scorecard
          6. Accessing Oracle Hyperion's Balanced Scorecard
          7. The main components and how they are related
          8. Setting up measures
          9. Setting up an Accountability Hierarchy
          10. Assembling the Scorecard
          11. Breaking down Measures and Scorecards into lower-level objectives
          12. Authorizing Managers to Scorecards
          13. Loading data
          14. Developing the Strategy Map for Infission and reviewing it with the Board
          15. Assigning objectives to Managers and creating goals in HCM
      2. Communicating and confirming Corporate Strategy with iLearning
        1. Developing Learning Assets Flow
        2. The major components of the Learning System
        3. Responsibilities
        4. Adding an Entry in the Course Catalog
        5. Uploading Course Content
        6. Developing a question bank to confirm understanding
        7. Monitoring employee's understanding
        8. The Infission Strategic Objectives Classes
      3. Managing Records Retention Policies with Content Management Server
        1. Records Governance Process
        2. Records Governance Components and how they are related
        3. Roles for accessing Universal Content Manager (UCM)
        4. Standard Sensitivity Classifications
        5. Typical Security Groups that reflect Security Boundaries and Sensitivity Classifications
        6. Illustrative Retention Policies
        7. Running the Document Disposition Check
      4. Financial planning and analysis with Hyperion FR
        1. Financial Planning and Analysis Flow
        2. Accessing the Financial Planning and Analysis tools
        3. Constructing Account Balance Data Cube
        4. Developing the Financial Model
        5. Developing planning assumptions
        6. Constructing the Financial plan
        7. Publishing the Financial plan
        8. Analyzing the results
        9. Publishing the results
        10. Financial Planning and Analysis Components and how they are related
      5. Monitoring Execution with Oracle Business Intelligence
        1. Oracle Financial Analytics
          1. Other dashboards in Financial Analytics
        2. Oracle Sales Analytics
          1. Other dashboards in Sales Analytics
        3. Oracle Procurement Analytics
          1. Other dashboards in Procurement Analytics
        4. Oracle Human Resources Analytics
          1. Other Dashboards in Human Resources Analytics
      6. Enterprise Risk Management
        1. Conducting a Risk Assessment
        2. Scope Controls to be Tested
        3. Develop Audit Plan
        4. Briefing the Board
      7. Whistle-blower protections
        1. Setting up iSupport for anonymous access
        2. Configuring for recording whistle-blower complaints
        3. Creating a template for whistle-blower complaints
      8. Summary
    14. 3. Information Technology Governance
      1. Developing and communicating IT strategy with balanced scorecards
        1. IT project portfolio planning
          1. Roles for accessing portfolio analysis
          2. Decide investment criteria
          3. Create portfolio
          4. Initiate planning cycle
          5. Submit new projects for inclusion in portfolio
          6. Score projects
          7. Create and compare the scenarios
          8. Recommend and approve the scenario
          9. Close planning cycle and implement scenario recommendations
      2. Maintaining a valid configuration
        1. Managing the configuration using Applications Manager
        2. Maintaining a valid configuration using Enterprise Manager Application Management Pack for E-Business Suite
      3. Service desk administration through Oracle Enterprise Manager
        1. Support workbench
        2. Problem details
        3. Packaging problem details
      4. Summary
    15. 4. Security Governance
      1. Security balanced scorecard
        1. Relationships between the objectives
        2. Metrics for the objectives
        3. Perspectives from standard bodies and professional institutions
          1. IT Governance Institute
          2. ISO 17799
        4. Quotes from prominent Security managers
        5. Account provisioning and identity management
        6. Designing roles
          1. Function Security
          2. Data security
          3. Aggregating responsibilities into roles
          4. Role provisioning
          5. Identity management
          6. Limiting access to administrative pages
        7. Segregation of Duties Policies
        8. Server, applications, and network hardening
      2. System wide advice
        1. Database tier
          1. Oracle TNS listener security
          2. Oracle database security
        2. Application tier
          1. Protect administrative web pages
          2. E-Business Suite security
          3. Desktop security
            1. Turn off auto-complete in browser settings
        3. Operating environment security
          1. Firewall configuration and filtering of IP packets
          2. Security incident response through Oracle service
      3. Summary
    16. 5. Risk Assessment and Control Verification
      1. InFission approach for Risk Assessment and Control Verification
        1. Establishing Program Office
        2. Selecting controls framework
          1. The COSO framework
            1. Holistic risk assessment—COSO ERM
          2. The COBIT framework
        3. Survey and interview management
        4. Reviewing prior year documentation
        5. Rating current year risk
        6. Verifying controls
      2. Oracle's GRC Manager and Intelligence—risk assessment and control verification system
        1. Assessment workflow in Oracle GRC Manager
          1. Initiating assessment
            1. Selecting assessment type
            2. Selecting risks in scope
            3. Selecting control in scope
            4. Starting assessment
          2. Assessing risks
          3. Reviewing risks
          4. Verifying Controls
          5. Certifying assessment
        2. Evaluating assessment
        3. Assessing quantitative risks in Oracle GRC Intelligence
          1. Conduct quantitative risk assessment
      3. Summary
    17. 6. Documenting Your Controls
      1. Process and procedure documents
      2. InFission approach for managing process and procedure documents
      3. Managing process documents in Oracle GRC Manager
        1. Creating a Business Process in Oracle GRC Manager
        2. Document process narrative in Oracle Tutor
      4. Risks and controls documents
      5. InFission approach to risk and controls documentation
      6. Managing risks in Oracle GRC Manager
      7. Managing controls in Oracle GRC Manager
      8. Managing control documentation lifecycle in GRC Manager
        1. Use Data collection workflow to update documents
          1. Contributing to a process
          2. Reviewing data for a process
            1. Reviewing a process in data collection review
            2. Approving a process in data collection review
            3. Rejecting a process in data collection review
            4. Canceling changes to a process
      9. Summary
    18. 7. Managing Your Testing Phase: Management Testing and Certifying Controls
      1. Management testing for internal audit program
      2. Management testing for Regulatory Compliance Audits
      3. Management testing for Enterprise Risk Management
      4. InFission's approach to management testing
      5. Management testing using Oracle GRC Manager
        1. Using GRC Survey tool to determine the scope of audit plan
          1. Managing survey questions
          2. Managing survey choice sets
          3. Managing survey templates
            1. Adding questions to a survey template
            2. Deleting a survey template
            3. Survey translations
          4. Creating and initiating a survey
            1. Completing a survey
        2. GRC Manager assessments
          1. Creating the assessment templates
          2. Creating an assessment plan
          3. Assigning the delegate
          4. Initiating/completing the assessment
            1. Initiating an ad-hoc assessment
            2. Completing the assessments
          5. Reviewing the assessment results
          6. Closing an assessment
      6. Summary
    19. 8. Managing Your Audit Function
      1. Audit planning
        1. InFission audit planning approach
        2. Managing audit plan using Oracle GRC Manager
          1. Creating the audit template
          2. Creating the audit plan
      2. Internal controls assessment
        1. InFission internal controls assessment approach
        2. Assessing internal controls using Oracle GRC Manager
          1. Initiating the assessment
          2. Selecting criteria
          3. Selecting the components
          4. Selecting the participants
          5. Controls assessment
          6. Managing issues
          7. Closing an assessment
      3. Audit report
        1. InFission's approach to audit report
          1. Obtain audit report in Oracle GRC Manager
            1. Issues Management Report
            2. Controls Management Report
            3. Executive Reports
      4. Summary
    20. 9. IT Audit
      1. InFission IT Audit approach
        1. IT Audit scope management
        2. IT Audit plan management
      2. Automated application controls using Oracle GRC Controls Suite
        1. Oracle Application Access Controls Governor
          1. Identifying objectives
          2. Selecting controls
          3. Model walk-through
          4. Analyzing controls
          5. Remediation
            1. Reviewing intra-role incidents
            2. Reviewing inter-role incidents
            3. Additional reports to analyze incidents
          6. Assigning incidents to business owners
            1. Running simulation
            2. Revaluate
          7. Managing access approval
        2. Oracle Transaction Controls Governor
          1. Create model
          2. Testing the controls
            1. Implementing corrections
            2. Monitoring controls
            3. Reviewing summary graphs to monitor incidents
            4. Generating reports to monitor control status
        3. Configuration Controls Governor
          1. Creating definitions
          2. Creating a snapshot definition
          3. Testing a snapshot definition
          4. Locking the definition
          5. Sharing the definition
          6. Comparing snapshots
        4. Defining change tracker
        5. Deploying change tracker
        6. Viewing change tracker results
        7. Setting up queries and alerts
        8. Preventive Controls Governor
          1. Creating rules
            1. Creating a Form Rule
          2. Creating a Rule Element
          3. Capturing Events with Event Tracker
            1. Capturing Items from a Form
            2. Using the Event Tracker to set security
          4. Updating Element definition
          5. Configuring element details
            1. Setting up security
              1. Selecting Components
              2. Setting up navigation paths
              3. Creating menu links
              4. Creating zooms
              5. Creating messages
              6. Setting default values
              7. Creating and modifying lists of values
              8. Altering an existing LOV
              9. Creating a new List of Value
              10. Setting field attributes
              11. Blocking Attributes
              12. Field attributes
              13. Field instance attributes
          6. Creating SQL procedures
      3. Summary
    21. 10. Cross Industry Cross Compliance
      1. Sarbanes-Oxley
        1. Important sections of the act and the technologies that apply
          1. Title 1: Establishment and Operation of the Public Company Accounting Oversight Board
          2. Title 2: Auditor Independence
          3. Title 4: Financial Disclosures
          4. Title 8: Legal Ramifications for Corporate Fraud
      2. ISO 27001 — Information Security Management System (ISMS)
        1. The components of an Information Security Management System
          1. The risk assessment process
          2. The Risk Treatment Plan
          3. The Statement of Applicability
        2. Oracle's products and ISO 27000
      3. Control Objectives for IT (COBIT)
        1. Managing IT processes in Oracle GRC applications to support COBIT Framework
        2. InFission COBIT Framework setup in Oracle GRC Manager
          1. InFission IT Controls Management Approach
            1. Plan and Organize (PO)
            2. Acquire and Implement (AI)
            3. Deliver and Support (DS)
            4. Monitor and Evaluate (ME)
      4. California Breach Law
        1. PII Columns: Trading Community Architecture
        2. PII Columns: Procurement
        3. PII Columns: Financials
        4. Oracle's products and California Breach Law
          1. Transparent data encryption
            1. E-Business Suite with transparent data encryption
      5. Healthcare Information Portability and Protection Act (HIPPA)
        1. Oracle's products and HIPPA
          1. Scrambling and data masking
          2. Data vault
            1. Protecting database objects with realms and rules
            2. Preseeded realms for the E-Business Suite
              1. Pre-seeded Realm Authorizations
      6. Payment Card Industry (PCI)
        1. Oracle's products and PCI
          1. Oracle Payments
            1. Key management
      7. Federal Sentencing Guidelines
        1. Standards for an effective compliance and ethics program
        2. Oracle's products and Federal Sentencing Guidelines
          1. Creating the ethics program in iLearning
          2. Monitoring the ethics program in iLearning
      8. Summary
    22. 11. Industry-focused Compliance
      1. Hi-tech manufacturing
        1. ISO 9000
        2. Oracle Tutor
        3. Oracle Quality
          1. Oracle Quality components and how they are related
          2. Responsibilities for accessing Oracle Quality
            1. Creating a collection plan
            2. Entering collection results
            3. Auditing ISO 9000
      2. Environmental compliance and ISO 14000
        1. Requirements of ISO 14001
        2. ISO 14000 compliance auditing
        3. Organization certification
        4. How ISO 14000 fits into GRC Manager
        5. Example environmental risk portfolio
      3. RoHS WEEE
        1. RoHS WEEE and hazardous substance compliance
        2. Who needs to comply?
          1. Oracle Agile Product Governance and Compliance
          2. Major components of PG&C and how they relate to each other
            1. Defining specifications
            2. Defining substances
            3. Defining declarations and compositions
            4. Reviewing compliance data for assemblies
      4. Life sciences and medical instrument manufacturing
        1. Title 21: Code of Federal Regulations
        2. The requirements of electronic records
        3. Oracle's E-records Management Solution
          1. E-records management features
          2. E-records management components
          3. Responsibilities in E-records management
          4. Functions in the E-records process
            1. Upload and approve files
            2. Notify approvers
            3. Searching the evidence store
      5. Banking and financial services
        1. Basel
        2. Requirements of Basel
          1. The three pillars
            1. The first pillar—Minimum capital requirements
              1. Credit risk
              2. Market risk
              3. Operational risk
          2. The second pillar—Supervisory review process
          3. The third pillar—Market discipline
        3. Oracle's solutions in the banking sector
          1. Comply with pillar one—Capital adequacy
          2. Comply with pillar two—Management review
          3. Comply with pillar three—Disclosure
        4. Patriot Act
          1. Oracle's solution for Patriot Act — Oracle Mantas
            1. Major components of Mantas
      6. Summary
    23. 12. Regional-focused Compliance
      1. Regulatory compliance in major economic regions
        1. The Sarbanes-Oxley Act of 2002 (USA)
          1. Public Company Accounting Oversight Board (PCAOB)
          2. Auditor Independence
          3. Corporate Responsibility
          4. Enhanced Financial Disclosures
          5. Analyst Conflicts of Interest
          6. Commission Resources and Authority
          7. Studies and Reports
          8. Corporate and Criminal Fraud Accountability
          9. White Collar Crime Penalty Enhancement
          10. Corporate Tax Returns
          11. Corporate Fraud Accountability
        2. Canada Bill 198 (Canadian Sarbanes-Oxley)
        3. UK Corporate Governance Code 2010
        4. European Union's 8th Directive
        5. Financial Instruments and Exchange Law (Japan SOX)
        6. Corporate Law Economic Reform Program (CLERP — Australia)
        7. InFission approach to Regional Compliance
      2. Managing regional compliance using Oracle GRC Manager
        1. Setting up Financial Governance module
        2. Regionalizing your Financial Governance Framework
        3. Setting up Content Type for Regulatory Documentation
        4. Updating Lookup tables
        5. Creating user-defined attributes (UDA) for regional compliance
        6. Setting up Regional Compliance Framework using perspectives
          1. InFission Organization Structure perspective
          2. InFission Regulatory Compliance perspective
          3. InFission Standard and Framework perspective
          4. Loading data
          5. Setting up user profile for regional roles
        7. Assessing Regional Compliance using Oracle GRC Manager
          1. Monitoring Regional Compliance in Oracle GRC Intelligence
          2. Regional Compliance Dashboards
          3. Regional Compliance reports
            1. Certification reports
            2. Issue reports
            3. Analysis reports
            4. Standard reports
      3. Summary
    24. Index