Governance, Risk, and Compliance Handbook for Oracle Applications
Written by industry experts with more than 30 years combined experience, this handbook covers all the major aspects of Governance, Risk, and Compliance management in your organization
Nigel King
Adil R Khan
PUBLISHING
professional expertise distilled
BIRMINGHAM - MUMBAI
Governance, Risk, and Compliance Handbook
for Oracle Applications
Copyright © 2012 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval
system, or transmitted in any form or by any means, without the prior written
permission of the publisher, except in the case of brief quotations embedded in
critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy
of the information presented. However, the information contained in this book is
sold without warranty, either express or implied. Neither the authors, nor Packt
Publishing, and its dealers and distributors will be held liable for any damages
caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the
companies and products mentioned in this book by the appropriate use of capitals.
However, Packt Publishing cannot guarantee the accuracy of this information.
First published: August 2012
Production Reference: 1170812
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.
ISBN 978-1-84968-170-4
www.packtpub.com
Cover Image by Artie Ng ([email protected])
Credits
Authors
Nigel King
Adil R Khan
Reviewers
Sam Bicheno
Sam Monarch
Acquisition Editor
Dhwani Devater
Lead Technical Editor
Susmita Panda
Technical Editors
Mehreen Shaikh
Veronica Fernandes
Joyslita D'Souza
Copy Editor
Laxmi Subramanian
Project Coordinator
Vishal Bodwani
Proofreaders
Mario Cecere
Aaron Nash
Indexer
Hemangini Bari
Graphics
Valentina D'silva
Manu Joseph
Production Coordinators
Alwin Roy
Prachali Bhiwandkar
Kruthika Bangera
Cover Work
Alwin Roy
Prachali Bhiwandkar
Foreword
Governance is nothing less than running a company well, and Oracle has proved
itself a well-run company for over 30 years. It has found the need to provide the
management team and directors many tools and facilities to plot course and help
guide this huge enterprise. Though we steer through many storms, the risks are
known, the course is plotted, the equipment is lashed to the decks, or properly
stowed. The crew is prepared to sheet or drop sail.
These are the same tools that we make available to our customers, and while I
have jokingly drawn the parallels to a sport with some connections to Oracle, the
governance of an enterprise is a very broad and serious topic. What Nigel and Adil
have shown in this book is just how broad it is and how many facets of Governance,
Risk, and Compliance are handled through those tools. We have great tools that
specialize in GRC and we have many other tools that intersect with it.
Just like the winds and the seas, the commercial, legal, and technological
environment and the tools that we provide to help you manage them are varied
and changing. This book gives you a great map on which you can chart your GRC
journey, both present and near future. It is a journey that we are honored to share
with you, as one of the many customers that has entrusted Oracle to provide the
vessel and seamanship.
Chris Leone
Senior Vice President, HCM and GRC Products,
Oracle Corporation
About the Authors
Nigel King is the Vice President for Functional Architecture at Fusion
Applications. As such he leads a band of architects whose job is to steward the
designs and underpinnings for those things that span product families. He has
been working with Oracle for the past 17 years. In that time he has worked mostly
in Applications Development. He has worked in many areas of Applications,
starting off in Distribution Management and then leading Oracle Applications'
first venture into Business Intelligence, and Product Lifecycle Management
Applications. A restless observer and inventor, his real passion has always been
to see a problem defined and, in being defined well, resolved. By first profession
he is a Chartered Management Accountant. He is also a Certified Internal Auditor
(CIA), Certified Information Systems Auditor (CISA), Certified Information
Security Manager (CISM), and Certified Information Security Professional (CISSP).
He swears that as soon as he gets the book finished, he will catch up with his
continuing professional education (CPE) credits. His patents include Methods and
systems for portfolio planning, Audit management workbench, Internal audit operations
for Sarbanes Oxley compliance, and Audit planning. He was fortunate to be hanging
around at Oracle when the whole Enron issue happened. A decade later, GRC
Apps was born, was new, then grew old, and is now suffused into many of the
applications that surround it.
He is also Chairman of the Open Applications Group. The Open Applications
Group is a 501(c)(6) not-for-profit standards development organization (SDO).
This community is focused on building process-based business standards for
e-commerce, Cloud Computing, Service Oriented Architecture (SOA), Web
Services, and Enterprise Integration.
The OAGI Specification includes ICXML, an XML specification for the exchange
of risk and control libraries.
Before joining Oracle, he worked in what he now considers the "real world", first
as an Accountant and then selling and implementing business systems. He gained
insights in the high technology sector working for Philips, the consumer packaged
goods sector working for Homepride Foods and Jeyes Group, and was introduced
to the software world through Business Technology Consultants.
He is also a licensed boxer, keen soccer player and coach, and a qualified Boston
marathon runner.
He lives with his beautiful wife Anita and their soccer fanatic son Ansel in San
Mateo, California.
He also co-authored the E-Business Suite, Manufacturing and Supply Chain, Oracle
Press handbook. You can also trace his thinking on GRC at ISACA's international
conferences over the years: An Overview of Emerging Tools and Technologies for
Auditors in 2005, Compliant Access Provisioning in 2006, and Security Provisioning
for Outsourced Services in 2008.
Prior to getting interested in the GRC space, you can trace his articles on subjects as
diverse as The Convergence of Financial and Supply Chain Planning in Control, the journal
of the British Production and Inventory Control Society and Knowledge Management,
The Application of Manufacturing Theory in Knowledge Based industries in Management
Accounting, the journal of the Chartered Institute of Management Accountants.
Acknowledgement
Firstly I would like to thank Steve Miranda, the head of Oracle's Fusion applications
development for granting us the permission to write this book. He also made the
grave mistake of recruiting me onto his team and paying attention to me when I was
bleating that this Enron issue was going to mean that audit was going to have to be
automated. Steve really is a great leader and it has been a great learning experience
to watch him guide the ship of impossible dreams that is Fusion, and quell the
storms, not only of outrageous fortune, but the tempestuous spirits that are the
management team at Oracle.
I need to thank my great friend and co-conspirator Adil, without whom the
mountain would have been twice as high and the load twice as heavy.
There have been many people at Oracle who have given assistance: Georginna
Manning and the Demo Solution Services team—their support for my constant
requests for demo environments was invaluable; Swanarli Bag and the GRC team
for making screenshots from the edge of possibility.
I would like to thank Bastin Gerald, Mumu Pande, Saye Arumugam, and the team
that helped take Internal Controls Manager to market. Their minds are onto other
great ventures now, but it was great to ride those rapids in the early days with them.
We really did shape an industry.
I need to thank Mr. Kurt Robson, who brought me into Oracle and taught me the
science and discipline of design. It is not possible to work at Oracle among so many
shining intellects without having that brilliance reflect off the surface of your own
mind, however dully.
I need to thank my friends and trainers Pat Regan and Mike Marshall, who through
all this kept me fit and asked me to keep my hands up and my head moving.
There is no thanks that is enough for my beautiful wife Anita without whose support
my life would be pretty unmanageable. My thanks as well to my son Ansel, who has to
tolerate weekends spent in libraries and coffee shops watching me write and research.
About the Authors
Adil R Khan is the Managing Director at FulcrumWay, a firm that has delivered
governance, risk, and compliance solutions to more than 200 Fortune-500 and
middle-market Oracle customers in America, EMEA, and Asia Pacific since 2003.
He also serves on the board of the Oracle Applications Users Group (OAUG) and
GRC Special Interest Group. He has given over 50 presentations on GRC trends,
best practices, and case studies at many industry conferences including Gartner
GRC Summit, IIA, ISACA, Collaborate, and Oracle OpenWorld.
Prior to joining FulcrumWay, he served as the Chief Executive Officer and board
member at Alternate Marketing Networks, Inc., a NASDAQ listed company where
he was responsible for growth strategy, financial restructuring, and corporate
governance. He also co-founded Hencie, Inc. in 1996, which was ranked 157th on the
Inc-500 list of the fastest growing companies, and he was nominated as the
Entrepreneur of the Year in 2001 by Ernst and Young Company.
He has also worked for Oracle Corporation, a Big-4 audit firm, and several startups
to gain 20 years of combined experience in enterprise software and audit services.
He graduated from Virginia Tech University in 1987 and attended an executive
MBA program at the University of Texas in Dallas in 1993-1994.
Acknowledgement
I have dedicated this book to my father, Rasheed H Khan, who sparked my interest
in learning, critical thinking, and innovation through books, tutoring, and travel at
an early age.
I thank my close friend and co-author, Nigel, for encouraging me to write this book
on a subject that both of us have followed with a deep passion for the past ten years.
I also want to thank all my clients and colleagues at FulcrumWay who have given
me the opportunity to develop the knowledge and experience to write this book. I
especially want to recognize the following individuals and clients who have given
me their personal time and shared their governance, risk, and compliance lessons at
industry conferences: Heather Brown, US Restaurant Properties; Stephen Bateman,
Allied Healthcare; Guy Mayberry, Alliance Resource; Shazia Hussainishah, Beckman
Coulter; Karan Kapoor, GE; Gloria Chandler, ITT; Danny Dodds, PCL Contractors;
Deirdre Centrillo, Readers Digest; Alison MacMillan, GFI Group; Bridget Kravchenko,
Arvin Meritor; Bob Heinz, Oxy Petroleum; Becky Jackson, Boardwalk; Patrick Palmer,
Oxbow; Jennifer Troiani, Genesis; and Rose Campbell, Hitachi.
About the Reviewers
Sam Bicheno is a Manager in PricewaterhouseCoopers' (PwC) Risk Assurance
practice, focused on bringing specialist Oracle security and controls experience to a
range of clients in the service, retail, and manufacturing sectors in both commercial
and public sector environments.
He has over five years' experience in Oracle consulting and is a subject matter expert
in Oracle Governance, Risk, and Compliance (GRC), having helped numerous clients
understand, evaluate, and implement improved control frameworks and business
processes as well as implementing the core Oracle GRC products.
Sam Monarch is a Sr. Principal Oracle GRC Consultant. He has more than
eight years of Oracle Database and Oracle GRC Implementation experience. He
has worked with clients in both the Commercial and Public Sector markets. Most
recently, he has been working for a variety of clients providing governance, risk,
and compliance related services including SOD Remediation, Oracle GRC Training,
Implementation Services, Project Management, and GRC Interface expertise. He
also has direct experience in serving companies during 404, SOX, and FDA
compliance reviews.
He holds a BS degree from Wayland Baptist University in MIS. He is a combat
veteran, and has served our country in the United States Air Force.
www.PacktPub.com
Support files, eBooks, discount offers and more
You might want to visit www.PacktPub.com for support files and downloads related to
your book.
Did you know that Packt offers eBook versions of every book published, with PDF and ePub
files available? You can upgrade to the eBook version at www.PacktPub.com and as a print
book customer, you are entitled to a discount on the eBook copy. Get in touch with us at
[email protected] for more details.
At www.PacktPub.com, you can also read a collection of free technical articles, sign up
for a range of free newsletters and receive exclusive discounts and offers on Packt books
and eBooks.
http://PacktLib.PacktPub.com
Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book
library. Here, you can access, read and search across Packt's entire library of books.
Why Subscribe?
• Fully searchable across every book published by Packt
• Copy and paste, print and bookmark content
• On demand and accessible via web browser
Free Access for Packt account holders
If you have an account with Packt at www.PacktPub.com, you can use this to access
PacktLib today and view nine entirely free books. Simply use your login credentials for
immediate access.
Instant Updates on New Packt Books
Get notified! Find out when new books are published by following @PacktEnterprise
on Twitter, or the Packt Enterprise Facebook page.
Table of Contents
Preface 1
Chapter 1: Introduction 7
How this book is organized 8
Definitions 8
Governance 9
Risk 9
Compliance 9
Oracle's Governance Risk and Compliance Footprint 10
Balanced Scorecard 10
Business Intelligence 10
Financial Planning and Analysis 11
Consolidations and Financial Reporting 11
Learning 11
Risk Management Applications 11
Sub Certification 12
Process Management Applications 12
Content Management Applications 12
Identity and Authorization Management Applications 12
Our case study 12
Roles involved in GRC activities 13
Audit Committee member 13
Signing Officers 14
Chief Audit Executive 14
Chief Financial Officer 15
Chief Information Officer 15
Chief Operating Officer 16
The Audit and Compliance process 16
Risk Assessment phase 17
Documentation phase 17
Testing phase 17
Reporting phase 18
Relationships between entities, accounts, process, risk controls, and tests 18
GRC Capability Maturity Model 19
Summary 20
Chapter 2: Corporate Governance 21
Developing and Communicating Corporate Strategy with Balanced Scorecard 22
Balanced Scorecard Theory 22
The four perspectives 22
Measures 23
Strategy Maps 24
Infission's strategic initiative 25
Oracle's Balanced Scorecard 25
Accessing Oracle Hyperion's Balanced Scorecard 25
The main components and how they are related 26
Setting up measures 27
Setting up an Accountability Hierarchy 28
Assembling the Scorecard 28
Breaking down Measures and Scorecards into lower-level objectives 29
Authorizing Managers to Scorecards 30
Loading data 31
Developing the Strategy Map for Infission and reviewing it with the Board 32
Assigning objectives to Managers and creating goals in HCM 34
Communicating and confirming Corporate Strategy with iLearning 35
Developing Learning Assets Flow 35
The major components of the Learning System 36
Responsibilities 37
Adding an Entry in the Course Catalog 37
Uploading Course Content 38
Developing a question bank to confirm understanding 39
Monitoring employee's understanding 40
The Infission Strategic Objectives Classes 41
Managing Records Retention Policies with Content Management Server 41
Records Governance Process 42
Records Governance Components and how they are related 43
Roles for accessing Universal Content Manager (UCM) 44
Standard Sensitivity Classifications 45
Typical Security Groups that reflect Security Boundaries and Sensitivity Classifications 47
Illustrative Retention Policies 48
Running the Document Disposition Check 52