Chief Risk Officer, American Fidelity, strengthens secuirty with Advanced Controls

Automate Robust User Access
and Security Controls for
PeopleSoft
David Maberry
Chief Risk Officer
American Fidelity Assurance Company
Madeline Osit
Chief Operating Officer
Beacon Application Services Corporation
Stephanie Golly
Sr. Product Manager, Oracle

Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal2
Agenda
 Introduction to AFA and David Maberry
– Glimpse into the unfolding events leading up to PeopleSoft and GRC Advanced Controls implementation
 Introduction to Beacon Application Services
– Glimpse into implementation approach
 Introduction to Advanced Controls and a demonstration
 Lessons learned
 Q&A

Beacon Application Services Corporation Proprietary and Confidential
www.beaconservices.com
3
About American Fidelity Assurance (AFA)
American Fidelity provides supplemental health insurance
benefits and financial services to education employees, auto
dealerships, health care providers and municipal workers across
the United States. American Fidelity was also named one of
FORTUNE magazine’s “100 Best Companies to Work For” in
America for nine years. American Fidelity serves more than 1
million Customers in 49 states and in 23 countries worldwide.

4
Your Speaker from AFA
David Maberry, Chief Risk Officer
• Responsible for developing and maintaining a comprehensive process for identifying,
assessing, mitigating, monitoring, and reporting key operational, financial, strategic,
technology and regulatory related risks that could potentially impact the organization’s
operations.
• Prior to coming to American Fidelity, worked for 10 years as a Principal & Director in
Deloitte and Touche’s Audit and Enterprise Risk Services practice in Los Angeles.
• Presented at numerous events hosted by the Institute of Internal Auditors (IIA) and the
Information Systems Audit and Control Association (ISACA).
• Frequent guest speaker at Texas A&M University, the University of Southern California and
California State - Los Angeles on topics including enterprise risk management, internal
control rationalization, and information technology risk.
• Graduate of Baylor University and the University of Wisconsin in Madison.

5
Timeline for selection process
March 2011
Investigation and Demo
August 2011
Demonstration
Contract July 2012
July 2011
Implementation Scoping
June
Justification
Due
Diligence

6
AFA pre-Oracle/PeopleSoft ERP
GL/AP – multiple systems, both home grown and via
acquisition
Assets – FAS and CLAS
Cash Management - manual
AR/Billing – manually for internal charges
Purchasing – manual, excel/access based system
Hyperion for budget and planning

7
AFA pre-Oracle/PeopleSoft ERP
Risks & Vulnerabilities
Outdated systems – some without support, many unrecognizable
Lack of visibility and transparency to financial data
No analytics – no drilldown to detail – no info on separate accounts
Hard coded integration with insurance admin systems, no flexibility
Lack of controls – worries about audit
Costs out of line with benefits
Quality compromises
Internal customer satisfaction low
Consolidations, Allocations (other) outside ledger – lack of transparency and manual intervention
Usability issues
Finance viewed as reporters of data not information

Key AFA Business Issues Addressed
Antiquated/non-
integrated Financial
Systems required
significant manual
intervention
Complex and Manually
Intensive Reporting
processes
Manual governance
processes

Reasons for Selecting PeopleSoft and
Advanced Controls
Benefits
Enhanced user experience and reduction in manual tasks
Increased automation – straight through Processing
Higher efficiency, accuracy and timeliness of
approvals and tighter controls
Shift from manual to automated controls
Single source of the truth for statutory, regulatory, tax, GAAP
and management reporting
Eliminate disparate systems offering partial solutions that are
difficult to maintain and reconcile
Transition away from legacy systems to support future growth through
enabling technology
Reduction in audit costs and increased accountability to management
Automation
Efficiency
Cost
Reduction

Solution
New Financial Platform
• PeopleSoft Financial
• PeopleSoft Cash Management
• Supply Chain Procurement Applications
New Financial Reporting Platform
• PeopleSoft Financials
• Oracle Business Intelligence Analytic Applications
New Governance Framework
• Oracle Advanced Controls for select PeopleSoft processes
• Implemented in the initial go-live

Why Advanced Controls
Bringing high value product to
• Document, manage, remediate
• Enforce user access policies and procedures
• Control introduction of new systems to the organization
Strong audit capabilities to reduce external costs
Tight integration with PeopleSoft security

Project Approach
Installation
•Installation of new Financial ERP Platform
•Installation of Delivered OBIAA solutions with roadmap for future capabilities
Implementation
•Implement Advanced Controls foundation, targeting high-value controls with roadmap
for future expansion
•Rapid implementation with low impact (time and budget) to overall implementation
Partner
•Select a partner who could achieve these objectives as a co-owner of the implementation
with expertise to pull it off.

Project Implementation Approach

14
About Beacon Application Services
Beacon is an Oracle Platinum Partner exclusively focused on the delivery of
services and software for PeopleSoft customers. Since 1993, Beacon has
been providing implementation, upgrade, enhancement and integration
services for Human Capital Management, Financials, and Supply Chain. To
meet our PeopleSoft customers’ increasing regulatory requirements and
complex information needs, Beacon also offers services for Advanced
Controls for PeopleSoft and Oracle Business Intelligence. We also offer our
Oracle Validated BEAM suite of software to manage your PeopleSoft
environment.

15
Timeline for Project Activities
January 2012
Chartfield design Workshop
Requirements
Thru Jan 2013
Go Live
January
2014
July 2012 - Implementation
Construct
August 2013
Test
Creating a timeline that achieved the
objectives at a pace comfortable to AFA

Project Approach for PeopleSoft
Simplify, Automate, Consolidate, Standardize
• Identify areas of pain with current business processes
• Conduct Business Process Review sessions to document manual, off-line or
redundant activities and high audit risk process areas
• Create a future “to be” state to remediate the above either through process
redesign in delivered PeopleSoft applications or through adoption of AC
• Implement Advanced Controls foundation, targeting high-value controls with
roadmap for future expansion rather than “biting off more than we could chew”
• Embrace audit requirements as a fundamental part of the implementation rather
than an afterthought
• Target a specific area of concern to serve as a model for approaching all other
target areas

Advanced Controls Business Drivers and
Requirements
• Eliminate cumbersome and costly manual auditing of system
controls – Reduction in Time, increase in transparency
• Reduce External Audit Cost and Effort – Reduction in Cost
• Enforce Separation of Duties – Eliminate possibility of Fraud
• Minimize Risk of Financial Loss – Reduction in Cost

Advanced Controls –
Implementing our focus area
Initial focus on Procure-to-Pay process where highest risk was
identified
• Separation of duties for adding and paying vendors - Advanced Controls
identifies violations of the controls (entitlements) and flags them allowing
for correction
• Paying unapproved invoices – implementing workflow processes
• Identifying potentially fraudulent payments – AC was to be used in
support of ensuring that multiple payments are not unknowingly
processed to bypass certain threshold levels established in the application

Advanced Controls – Approach
Key to success was narrowing scope from all available and non-
material or appropriate to AFA
255
Delivered Controls
57
Procure to Pay
Identify
Pertinent
11
GOAL

20
Controls Implemented
No. Control Names Entitlement
1 Add Vendors & Create Vouchers 1. Add Vendors
2. Create Vouchers
2 Create Control Groups & Approve Control Groups 1. Create Control Group
2. Approve Control Groups
3 Create Payments & Create Vouchers 1. Create Vouchers
2. Create Payments
4 Create Self Service Invoice & Create Urgent
Payment
1. Create Self-Service Invoice
2. Create Urgent Payment
5 Create Suppliers & Create Vouchers 1. Create Vouchers
2. Create Suppliers
6 Create Voucher & Selective Payment Update 1. Create Vouchers
2. Selective Urgent Payment
7 Create Voucher & Vendor Maintenance 1. Create Vouchers
2. Vendor Maintenance
8 Create Voucher & Voucher Maintenance 1. Create Vouchers
2. Voucher Maintenance
9 Create Vouchers & Approve Vouchers 1. Create Vouchers
2. Approve Vouchers
10 Create Vouchers & Create Express Checks 1. Create Vouchers
2. Create Express Checks
11 Create Vouchers & Print Checks 1. Print Checks
2. Create Vouchers

21
Tactical Steps
Install and activate integration with Financials
Select Targeted
business process
(procure to pay)
Identify
delivered
entitlements –
Pare down list
Execute
delivered
controls against
configured
security
Produce
delivered reports
to identify
conflicts
Adjust Roles and
Rules as
identified

Demonstration of how it’s done!

The following is intended to outline our general product
direction. It is intended for information purposes only,
and may not be incorporated into any contract.
It is not a commitment to deliver any material, code, or
functionality, and should not be relied upon in making
purchasing decisions. The development, release, and
timing of any features or functionality described for
Oracle’s products remains at the sole discretion of
Oracle.

Create Supplier Invoice Create PaymentSupplier
Create Supplier Create Payment
for same supplier
+ Create Supplier Create Payment
for supplier≠
Prevent user from creating and paying the same
supplier

Prevent user from creating and paying the same
supplier
 AACG : Find users who could create and pay fictitious suppliers
– Users with both “Create Supplier” and “Create Payment” privileges
– Remove privileges when possible
 TCG: Monitor users who have created and paid the same supplier
– For users who must have both privileges

Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal27 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal27
Advanced Controls Foundation
Custom or Legacy
Applications
Fusion Platform with Dashboards,
Alerts & Drilldowns
Sophisticated Controls Monitoring
and Enforcement Engine
Many Types of Controls against
Various Business Applications

• Move away from silo’d information
• Multiple ERPs monitored from a single application.
• Control totals and exposure areas in self-serve capacity.
Advanced Controls – Embedded Dashboards

Copyright © 2013 Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal29
Application Access Controls Governor (AACG)
 Document, assess and certify
Application Security/SOD policies
 Library of pre-built automated SOD
controls for EBS, PSFT
 Author new controls, extend to any
business application
Advanced SOD and Security Controls
Compensating
Policies
Preventive
Provisioning
Remediation
(Clean-up)
Access
Analysis
Define Access
Controls
Detection Prevention

AACG – Finding Conflicts
User: Janie Adams
Responsibility: Payables Super User (Process Operations)
Menu: AP_Navigate_GUI12
Submenu: AZN_AP_Invoices_Entry
Function: Payments
Privilege: Create Purchase Order
Role: Buyer
Permission List: Buyer Duty
SOD Conflict
PeopleSoft
EBS

Role
Permission List
Menu
Component
Page Definition
Component
Page Definition
Access Hierarchy Example – PeopleSoft
Other important attributes:
Business Unit, Effective Date, Set ID, Ledger, Account Lock etc.
Access Points

Glossary of Terminology
Control ManagementAccessPoint
Any level node in
the access model
hierarchy for a
particular
application.
Entitlement
A logical
grouping of
Access points.
E.g. All pages
that allow a user
to create a
voucher grouped
as a single
Entitlement
“Create Voucher”
ModelControl
A rule that
defines toxic
combinations of
entitlements
and/or access
points.

Copyright © 2013 Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal33
 Review Model Definition
 Analyze Results
 Modify Entitlement
 Deploy Control
 Generate Incidents
 Secure, Route and Remediate
Incidents
Demonstration

Demonstration Summary
• Review Entitlements and Model Definition
• Modify to fit needs and generate focused results
• Compliment PeopleSoft embedded controls with Advanced Controls
Leverage
Delivered Content
• Limit who can see generated results
• Route generated results for Investigation, Review and Approval
• Determine and document remediation actions
Secure, Route and
Take Action
• Validate role structure during PeopleSoft Implementation
• Identify and update role structures during an upgrade
Implementation or
Upgrades

35
Lessons Learned
• While implementing new
systems, integrating a formal
risk-management approach
increases value of the effort
• Staying on point for a focus area
narrows work effort
• Smaller scope enables
confirmation with audit team
that this is a viable and valid
solution for all business
processes

36
Lessons Learned
• Once completed, it provides not
only proof of concept but a
foundation for future expansion
• As system is deployed and user
population changes or grows,
delivered reports and remediation
steps become part of normal
maintenance
• Create a roadmap for the future
based on feedback from internal
and external auditors as to high
risk areas

37
Lessons Learned - not just for new
implementations
• Security is one area likely to get out of control – time to fix it!
• Advanced Controls can resolve negative audit finding with your current
PeopleSoft implementation
• Advanced Control findings can help to justify the upgrade cost
Upgrades
• Security will be reviewed in light of new roles, integrating Advanced Controls
into this work effort minimizes overall cost
• Especially pertinent to expanding Payables to full Procure-to-Pay solution
• Update of SOX documentation will incorporate additional, tighter controls
New Modules
• Easily cost justified in reduction of audit costs
• Great target area for IT compliance as well as business requirements
• Quick win for maximum return
Standalone GRC

38
Questions
info@beaconservices.com

Oracle Financial Services
The Choice of Experience.
Madeline Osit
mosit@beaconservices.com
508.663.4407

Oracle Advance Controls
OOW2013 Sessions &
Demo Pod Slides

Demo Workstation
Moscone West 1st Floor #W-013
Monday Tuesday Wednesday
Demo ID 3532
Workstation #: W--013
9:45 – 6:00 9:45 – 6:00 9:45 – 4:00

Demo Workstation
Moscone West 1st Floor #W-013

General Session: Empowering Modern Governance, Risk, and Compliance
 12:15PM Moscone West – 2006/2008
 GEN8812
Automate Robust User Access and Security Controls for PeopleSoft
 10:45AM Moscone West - 2009
 CON8820
Panel Discussion: Intelligent Controls for Key Business Processes & Upgrades in PeopleSoft
 3:15PM Moscone West - 3020
 CON8822
Deloitte: Leveraging Oracle GRC Technology to Reduce Revenue Loss, Cost Leakage & Fraud
 3:15PM Moscone West - 2000
 CON8822
Learn More About Oracle Advance Controls
Monday

Top 10 Advanced Controls for Procure-to-Pay to Improve the Bottom Line
 10:30AM Moscone West – 2003
 CON8814
Center for Medicare & Medicaid Services Automates Internal Controls with Oracle GRC
 3:45PM St Francis – Elizabethan C/D
 CON9346
Enforce Segregation of Duties with Identity Management and Oracle Advanced Controls
 5:15PM Moscone West – 3018
 CON8827
Tuesday

Optimizing Order-to-Cash with Oracle Advanced Controls for Oracle E-Business Suite
 10:15AM Moscone West – 3018
 CON8816
Reducing Risk for Oracle E-Business Suite Upgrades and Implementations
 CON8830
Panel Discussion: Intelligent Controls for Key Business Processes and Upgrades
 3:30PM Moscone West – 2002 / 2004
 CON8832
Wednesday

Advanced Access and User Security for Oracle E-Business Suite and Fusion Applications
 CON8824
Meet the Governance, Risk, and Compliance Experts
 12:30PM Moscone West 2001A
 MTE9412
Thursday

Specialized Advanced Controls Partners
 New Benefit for Advanced Controls owners
 Specialized Partners:
– Trained by Oracle:
 Designing and delivering OAC solutions
– Demonstrated ability to deliver reliable OAC
solutions
 Coming soon

@OracleAdvCntrls

Chief Risk Officer, American Fidelity, strengthens secuirty with Advanced Controls

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (10)

Similar to Chief Risk Officer, American Fidelity, strengthens secuirty with Advanced Controls

Similar to Chief Risk Officer, American Fidelity, strengthens secuirty with Advanced Controls (20)

More from Oracle

More from Oracle (12)

Recently uploaded

Recently uploaded (20)

Chief Risk Officer, American Fidelity, strengthens secuirty with Advanced Controls