Public Sector Best Practices that Protect the Citizens against Financial Losses, Waste and Fraud Using Advanced Controls

FulcrumWay - Leading Provider of Enterprise Risk Assessment, Mitigation and Remediation Solutions
Enterprise Risk Management Financial Close Monitor Advanced Controls Catalog Enterprise Audit GRC Monitor

Robert Enders, Client Services Director
July 23, 2013

Leverage Technology: Move Your Business Forward
"Give me a lever long enough and a fulcrum on which to place it, and I shall move the world" - Archimedes

Copyright. Fulcrum Information Technology, Inc.
Agenda
Risks in the Public Sector
- Introduction
- Risk in Public Sector
- Overview of Advanced Controls
- Oracle Advanced Controls Overview and Demonstration
- Q&A
Introduction
FulcrumWay: Intelligent, Integrated, Instant Risk Management

FulcrumWay is the #1 End-to-End Provider of Enterprise Risk Management Expertise, Solutions and Software Services for Oracle EBS, PeopleSoft and JDE customers with over 200 Fortune-500 to Middle Market clients. Since 2003, we have successfully assisted companies across all major industry segments.

Expertise: Risk Advisory Services. Advanced Controls Design for Enterprise Business Applications. Best Practices for Risk Mitigation and Internal Controls Automation. Audit, Compliance, Financial, Enterprise and Operational Risk Assessments. Risk Remediation Services such as Segregation of Duties.

Packaged Solutions: FulcrumWay is the #1 choice of Oracle customers for Oracle GRC Manager, GRC Controls and GRC Intelligence/OBIEE software implementation. Oracle has certified us as the only partner with Accelerators for Oracle GRC. We also provide Managed Services and Hosting for Oracle GRC applications.

Software Services:
- Risk Management Tools: Enterprise Risk Manager, Financial Risk Manager, Risk Based Audit Manager, IT Risk Workbench, and Advanced Controls Catalog.
- Data Management Tools: Rules Repository, DataProbe and Data Hub for Intelligent, Integrated, and Instant Risk Management.

USA Presence: Privately held Delaware Corporation with US offices in New York City, Dallas and San Francisco.
Our Experience: FulcrumWay Clients
- Government
- Oil and Gas
- Financial Services
- Retail
- Communications
- Manufacturing
- Industrial Equipment
- Natural Resources
- Media and Entertainment
- Healthcare
- High Tech
- Life Sciences
Our Experience: FulcrumWay Insight
Thought Leadership
- Co-Authored GRC Book: First book on GRC for Oracle Applications
- Executive Round Tables: GRC Solutions for Energy Industry, Houston, November 2012
- OAUG GRC Solution Lab - April 7th - 11th, Denver: GRC Case Studies and Best Practices
- IIA - Presentations - Top Five Reasons for Automating Application Controls
- Collaborate 13: GRC Client Appreciation Dinner, April 9th, 2013, Denver
- Webcasts: GRC Best Practices, Trends and Expert Insight
- Oracle Open World: Annual GRC Dinner on September 23rd, 2013, W Hotel San Francisco
- LinkedIn: FulcrumWay Risk, Compliance and Audit Software Group
- YouTube Podcasts: FulcrumWay Instant Insight in 10 min or less
GRC Analytics Implementation Approach
FulcrumWay ERP Risk Analytics, Mitigation and Remediation

[Diagram labels, in the order they appear on the slide]
- Enterprise Risk Management (ERM); Risk Monitor; Survey Monitor; Policy Monitor; Incident Monitor; Controls Monitor
- Financial Governance; Audit / Compliance Automation; Operations Management
- Task Monitor; Enterprise Audit Manager; Audit Planner; Variance Analytics; Reconciliation Analytics; Compliance Monitor; Control Analytics
- Financial Controls: (GL, AP, AR, FA, CM)
- Business Process Rules Repository
- HCM/HR Controls: (HR, PR)
- Distribution Controls: (OM, INV, WMS, PO)
- Supply Chain Controls: (ENG, QP, WIP, BOM)
- IT Governance/Application Life Cycle Risk Management; Access Monitor; Data Monitor; Transaction Monitor; Audit Log Monitor; Database Monitor
Uncertainty is All Around Us
- Global Economic Chaos
- Decline in Consumer Confidence
- Market Volatility
- Political Instability
Risks in the Public Sector

Public Sector Organizations face multiple Risk Management Challenges
- Operational Risk: infrastructure, services, natural disasters (Katrina, Sandy), terrorism, etc.
- Financial Risk: Waste, Fraud & Abuse
- Political Risk: Changes in priorities

Public depends on Government in the face of any risk event
- Increased pressure to perform well in existing operations
- Poor response to Risk or Fraud events leads to a lack of public trust
Risks in the Public Sector - Fraud

91% of organizations expect fraud to increase or remain the same
- Layoffs and pay cuts result in disgruntled employees
- Restructuring throws segregation of duties controls into disarray
- Outsourcing and expansion heighten risk of bribery & corruption

It is estimated that 7% of annual public sector budgets are lost to Fraud

Increased regulatory requirements to combat potential Fraud
- Changes occur every 3 months, on average public sector organizations taking up to 6 months to comply
Advanced Controls

What do Advanced Controls do?
1. Augment Standard ERP Controls
2. Bridge the Gap between Policy Creation and Transaction Systems
3. Automate Policy Enforcement
4. Deliver Business Process Efficiency

A well executed business process is run efficiently AND according to organizational policies.
Advanced Controls
Example - Oracle Procure-to-Pay
Procure-to-Pay Controls are Required

[Diagram: procure-to-pay process with control points]
- Process steps: Requisition; Purchase Goods / Services; Receive Goods / Services; Invoice; Issue Payments
- Spend Categories: Indirect & MRO; Direct Materials; Services
- Other labels: Corporate Performance Management; Collaboration; Control Points; Settlement; Strategic Sourcing & Contract Mgmt; Banks; Payment Processors; Supplier Collaboration; SWIFTNet; Business Process Models; Service Oriented Architecture
Advanced Controls
Example - Oracle Procure-to-Pay
Automated Controls for Strategic Sourcing & Contract Mgmt

CONTROLS
- Are there inappropriate associations between a vendor and an employee?
- Are there frequent changes to Supplier information?
- Do you have duplicate suppliers?
- Are your vendors compliant with trade regulations?
- Are the vendors blacklisted?
- Are you missing critical supplier information? Is the information valid?
Advanced Controls
Example - Oracle Procure-to-Pay
Automated Controls for Requisitions and Purchases

CONTROLS
- Do you have duplicate Purchase Orders?
- Are POs created on the same day as goods arrive?
- Are there split POs?
- Are there purchases with non-preferred vendors?
Advanced Controls
Example - Oracle Procure-to-Pay
Automated Controls for Receiving, Invoices, and Payments

CONTROLS
- Are you making accurate and timely payments?
- Are payment term changes reviewed before payment?
- Are there duplicate invoice amounts being processed?
- Did the person making the payment create or modify the vendor?
- Are there discrepancies in freight charges?
Advanced Controls
Application Controls Monitoring & Enforcement

Monitor Control Effectiveness: GRC Intelligence, GRC Manager
Enforce Policies in Context: GRC Controls, Preventive Controls

- SOD & Access: What users can do; What users have done
- Application Configuration: How is the process set up; What's changed in the process
- Transaction Monitoring: How users execute processes; What are the execution patterns
Information System Risk Assessment
FW Controls Catalog with over 1,000 advanced controls
- Select SOD, Master Data, Setup, and Transaction Controls
- Risk Assessment: Detect control weaknesses across ERP system to identify business process optimization opportunities
Advanced Controls
Application Controls Monitoring & Enforcement
- Duplicate Payments
- Invoice Sequence Anomalies - invalid invoice numbers/format
- Invoice Sequence Anomalies - sequential numbers
- Split Payments
- Payment to Prohibited Vendors
- Invoice Amount Exceeding Limit
- Duplicate Vendors
- Multiple Payment to One-time vendors
- Same bank account multiple vendors
- Employee reimbursements not on travel expense vouchers
- Payments to internal departments
- Vendor Address Incorrect - PO Box, Kinkos, other
- Vendor / Employee relationship
- Gift, donation, promotion, incentive, payments No supporting detail
- Missing Vendor Address
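Three of the detective controls listed on this slide (Duplicate Payments, Split Payments, Same bank account multiple vendors), written out as an added example; this is not FulcrumWay or Oracle code. The record layout, the sample payments and the approval limit are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data; field names and the approval limit are assumptions.
APPROVAL_LIMIT = 5000.00
PAYMENTS = [
    {"id": 1, "vendor": "V100", "invoice": "INV-0041", "amount": 1200.00,
     "paid": date(2013, 7, 1), "bank": "ACCT-A"},
    {"id": 2, "vendor": "V100", "invoice": "inv 0041", "amount": 1200.00,
     "paid": date(2013, 7, 9), "bank": "ACCT-A"},
    {"id": 3, "vendor": "V200", "invoice": "A-17", "amount": 4800.00,
     "paid": date(2013, 7, 2), "bank": "ACCT-B"},
    {"id": 4, "vendor": "V200", "invoice": "A-18", "amount": 4700.00,
     "paid": date(2013, 7, 2), "bank": "ACCT-B"},
    {"id": 5, "vendor": "V300", "invoice": "9001", "amount": 310.00,
     "paid": date(2013, 7, 3), "bank": "ACCT-A"},
    {"id": 6, "vendor": "V400", "invoice": "5512", "amount": 950.00,
     "paid": date(2013, 7, 5), "bank": "ACCT-C"},
]

def _groups(rows, key):
    out = defaultdict(list)
    for r in rows:
        out[key(r)].append(r)
    return out

def _norm(invoice):
    # Ignore case, spacing and punctuation so "INV-0041" matches "inv 0041".
    return "".join(c for c in invoice.upper() if c.isalnum())

def duplicate_payments(rows):
    """Same vendor, same normalized invoice number, same amount."""
    g = _groups(rows, lambda r: (r["vendor"], _norm(r["invoice"]), r["amount"]))
    return sorted(tuple(r["id"] for r in v) for v in g.values() if len(v) > 1)

def split_payments(rows, limit=APPROVAL_LIMIT):
    """Same vendor and day, each payment within the limit, total above it."""
    g = _groups(rows, lambda r: (r["vendor"], r["paid"]))
    return sorted(tuple(r["id"] for r in v) for v in g.values()
                  if len(v) > 1 and all(r["amount"] <= limit for r in v)
                  and sum(r["amount"] for r in v) > limit)

def shared_bank_accounts(rows):
    """Bank accounts that receive payments for more than one vendor."""
    g = _groups(rows, lambda r: r["bank"])
    hits = {b: sorted({r["vendor"] for r in v}) for b, v in g.items()}
    return {b: vs for b, vs in hits.items() if len(vs) > 1}

if __name__ == "__main__":
    print("Duplicate payments:", duplicate_payments(PAYMENTS))
    print("Split payments:", split_payments(PAYMENTS))
    print("Shared bank accounts:", shared_bank_accounts(PAYMENTS))
```

Each hit is a candidate for auditor review rather than proof of fraud; a shared bank account, for example, can belong to a legitimate parent company.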
Access Controls
Enforce Proper Segregation of Duties in Applications
- Simplify segregation of duties enforcement with simulation and remediation
- Mitigate risk of privileged user access to enterprise applications with approval workflow and audit trails
- Accelerate deployment and time to value with pre-delivered controls library

Detection / Prevention
- Define Access Controls
- Access Analysis
- Remediation (Clean-up)
- Preventive Provisioning
- Compensating Policies
Transaction Controls
Test integrity of transactions and controls across business processes
- Continuous Monitoring of Controls and Transactions
- Apply Advanced Forensic and Pattern Analysis
- Identify anomalies missed by traditional audit and controls

Detection / Prevention
- Define Transaction Controls
- Transaction Analytics
- Investigate Incidents
- Enforce Transaction Controls
- Prevent Suspicious Transactions
Configuration Controls
Ensure Integrity of Critical Application Setups
- Achieve consistent application setup and operating standards across multiple instances
- Track complete audit trails for changes to key configurations
- Tightly control change management to accelerate development and test time

Detection / Prevention
- Define Configuration Controls
- Document or Compare Configurations
- Monitor Configuration Changes
- Enforce Change Control
- Manage Data Integrity
Client case
Fiscal watchdog ensures tens of billions of dollars in payments are lawful and correct

Our Client
- A state government agency responsible for safeguarding financial assets, more than $120 billion of public funds.
- Helps local governments and nonprofits invest their money with flexibility, security, and confidence.

Challenges
- Replace fragmented legacy system for recovery audit department with a single incident management system
- Replace manual control checklists with an audit analytics system to identify suspicious vouchers submitted for payments by 28+ agencies across the state.
- Assign suspension transaction to auditors for final review and approval using a pattern matching system

Solutions
- GRC DataProbe
- GRC Data Hub
- GRC Incident Monitor

Results
- Reduce erroneous payment processing by 5% on millions of payments processed each day by consolidating all vouchers across 28 agencies into a single data hub.
- Improve incident investigation process by establishing business rules to assign incidents based upon risk level, investigation type, and priority that match the auditor skills and job role
- Provide management visibility and independent oversight to monitor approved and rejected payments
- Eliminate inconsistent and contradictory actions by auditors by providing a structured investigation process with approved investigation checklists based on the type of the suspicious transaction.
- Optimize recovery audit business process with integration to the ERP system for vendor management and payment processing
Summary and Q&A
Thank You! Join us on LinkedIn to view webinar and discussion