The document discusses American Fidelity Assurance Company's implementation of Oracle's PeopleSoft and Advanced Controls software. It provides background on AFA and their outdated, manual systems. It then summarizes Beacon Application Services' approach to implementing PeopleSoft Financials and Advanced Controls focused initially on procurement processes. The demonstration showed how Advanced Controls identifies access conflicts and can help automate previously manual controls and audit processes.
3. Beacon Application Services Corporation Proprietary and Confidential
www.beaconservices.com
Beacon Application Services Corporation Proprietary and Confidential
www.beaconservices.com
3
About American Fidelity Assurance (AFA)
American Fidelity provides supplemental health insurance
benefits and financial services to education employees, auto
dealerships, health care providers and municipal workers across
the United States. American Fidelity was also named one of
FORTUNE magazine’s “100 Best Companies to Work For” in
America for nine years. American Fidelity serves more than 1
million Customers in 49 states and in 23 countries worldwide.
4. Beacon Application Services Corporation Proprietary and Confidential
www.beaconservices.com
Beacon Application Services Corporation Proprietary and Confidential
www.beaconservices.com
4
Your Speaker from AFA
David Maberry, Chief Risk Officer
• Responsible for developing and maintaining a comprehensive process for identifying,
assessing, mitigating, monitoring, and reporting key operational, financial, strategic,
technology and regulatory related risks that could potentially impact the organization’s
operations.
• Prior to coming to American Fidelity, worked for 10 years as a Principal & Director in
Deloitte and Touche’s Audit and Enterprise Risk Services practice in Los Angeles.
• Presented at numerous events hosted by the Institute of Internal Auditors (IIA) and the
Information Systems Audit and Control Association (ISACA).
• Frequent guest speaker at Texas A&M University, the University of Southern California and
California State - Los Angeles on topics including enterprise risk management, internal
control rationalization, and information technology risk.
• Graduate of Baylor University and the University of Wisconsin in Madison.
5. Beacon Application Services Corporation Proprietary and Confidential
www.beaconservices.com
Beacon Application Services Corporation Proprietary and Confidential
www.beaconservices.com
5
Timeline for selection process
March 2011
Investigation and Demo
August 2011
Demonstration
Contract July 2012
July 2011
Implementation Scoping
June
Justification
Due
Diligence
6. Beacon Application Services Corporation Proprietary and Confidential
www.beaconservices.com
Beacon Application Services Corporation Proprietary and Confidential
www.beaconservices.com
6
AFA pre-Oracle/PeopleSoft ERP
GL/AP – multiple systems, both home grown and via
acquisition
Assets – FAS and CLAS
Cash Management - manual
AR/Billing – manually for internal charges
Purchasing – manual, excel/access based system
Hyperion for budget and planning
7. Beacon Application Services Corporation Proprietary and Confidential
www.beaconservices.com
Beacon Application Services Corporation Proprietary and Confidential
www.beaconservices.com
7
AFA pre-Oracle/PeopleSoft ERP
Risks & Vulnerabilities
Outdated systems – some without support, many unrecognizable
Lack of visibility and transparency to financial data
No analytics – no drilldown to detail – no info on separate accounts
Hard coded integration with insurance admin systems, no flexibility
Lack of controls – worries about audit
Costs out of line with benefits
Quality compromises
Internal customer satisfaction low
Consolidations, Allocations (other) outside ledger – lack of transparency and manual intervention
Usability issues
Finance viewed as reporters of data not information
8. Beacon Application Services Corporation Proprietary and Confidential
www.beaconservices.com
Beacon Application Services Corporation Proprietary and Confidential
www.beaconservices.com
Key AFA Business Issues Addressed
Antiquated/non-
integrated Financial
Systems required
significant manual
intervention
Complex and Manually
Intensive Reporting
processes
Manual governance
processes
9. Beacon Application Services Corporation Proprietary and Confidential
www.beaconservices.com
Beacon Application Services Corporation Proprietary and Confidential
www.beaconservices.com
Reasons for Selecting PeopleSoft and
Advanced Controls
Benefits
Enhanced user experience and reduction in manual tasks
Increased automation – straight through Processing
Higher efficiency, accuracy and timeliness of
approvals and tighter controls
Shift from manual to automated controls
Single source of the truth for statutory, regulatory, tax, GAAP
and management reporting
Eliminate disparate systems offering partial solutions that are
difficult to maintain and reconcile
Transition away from legacy systems to support future growth through
enabling technology
Reduction in audit costs and increased accountability to management
Automation
Efficiency
Cost
Reduction
10. Beacon Application Services Corporation Proprietary and Confidential
www.beaconservices.com
Beacon Application Services Corporation Proprietary and Confidential
www.beaconservices.com
Solution
New Financial Platform
• PeopleSoft Financial
• PeopleSoft Cash Management
• Supply Chain Procurement Applications
New Financial Reporting Platform
• PeopleSoft Financials
• Oracle Business Intelligence Analytic Applications
New Governance Framework
• Oracle Advanced Controls for select PeopleSoft processes
• Implemented in the initial go-live
11. Beacon Application Services Corporation Proprietary and Confidential
www.beaconservices.com
Beacon Application Services Corporation Proprietary and Confidential
www.beaconservices.com
Why Advanced Controls
Bringing high value product to
• Document, manage, remediate
• Enforce user access policies and procedures
• Control introduction of new systems to the organization
Strong audit capabilities to reduce external costs
Tight integration with PeopleSoft security
12. Beacon Application Services Corporation Proprietary and Confidential
www.beaconservices.com
Beacon Application Services Corporation Proprietary and Confidential
www.beaconservices.com
Project Approach
Installation
•Installation of new Financial ERP Platform
•Installation of Delivered OBIAA solutions with roadmap for future capabilities
Implementation
•Implement Advanced Controls foundation, targeting high-value controls with roadmap
for future expansion
•Rapid implementation with low impact (time and budget) to overall implementation
Partner
•Select a partner who could achieve these objectives as a co-owner of the implementation
with expertise to pull it off.
14. Beacon Application Services Corporation Proprietary and Confidential
www.beaconservices.com
Beacon Application Services Corporation Proprietary and Confidential
www.beaconservices.com
14
About Beacon Application Services
Beacon is an Oracle Platinum Partner exclusively focused on the delivery of
services and software for PeopleSoft customers. Since 1993, Beacon has
been providing implementation, upgrade, enhancement and integration
services for Human Capital Management, Financials, and Supply Chain. To
meet our PeopleSoft customers’ increasing regulatory requirements and
complex information needs, Beacon also offers services for Advanced
Controls for PeopleSoft and Oracle Business Intelligence. We also offer our
Oracle Validated BEAM suite of software to manage your PeopleSoft
environment.
15. Beacon Application Services Corporation Proprietary and Confidential
www.beaconservices.com
Beacon Application Services Corporation Proprietary and Confidential
www.beaconservices.com
15
Timeline for Project Activities
January 2012
Chartfield design Workshop
Requirements
Thru Jan 2013
Go Live
January
2014
July 2012 - Implementation
Construct
August 2013
Test
Creating a timeline that achieved the
objectives at a pace comfortable to AFA
16. Beacon Application Services Corporation Proprietary and Confidential
www.beaconservices.com
Beacon Application Services Corporation Proprietary and Confidential
www.beaconservices.com
Project Approach for PeopleSoft
Simplify, Automate, Consolidate, Standardize
• Identify areas of pain with current business processes
• Conduct Business Process Review sessions to document manual, off-line or
redundant activities and high audit risk process areas
• Create a future “to be” state to remediate the above either through process
redesign in delivered PeopleSoft applications or through adoption of AC
• Implement Advanced Controls foundation, targeting high-value controls with
roadmap for future expansion rather than “biting off more than we could chew”
• Embrace audit requirements as a fundamental part of the implementation rather
than an afterthought
• Target a specific area of concern to serve as a model for approaching all other
target areas
17. Beacon Application Services Corporation Proprietary and Confidential
www.beaconservices.com
Beacon Application Services Corporation Proprietary and Confidential
www.beaconservices.com
Advanced Controls Business Drivers and
Requirements
• Eliminate cumbersome and costly manual auditing of system
controls – Reduction in Time, increase in transparency
• Reduce External Audit Cost and Effort – Reduction in Cost
• Enforce Separation of Duties – Eliminate possibility of Fraud
• Minimize Risk of Financial Loss – Reduction in Cost
18. Beacon Application Services Corporation Proprietary and Confidential
www.beaconservices.com
Beacon Application Services Corporation Proprietary and Confidential
www.beaconservices.com
Advanced Controls –
Implementing our focus area
Initial focus on Procure-to-Pay process where highest risk was
identified
• Separation of duties for adding and paying vendors - Advanced Controls
identifies violations of the controls (entitlements) and flags them allowing
for correction
• Paying unapproved invoices – implementing workflow processes
• Identifying potentially fraudulent payments – AC was to be used in
support of ensuring that multiple payments are not unknowingly
processed to bypass certain threshold levels established in the application
19. Beacon Application Services Corporation Proprietary and Confidential
www.beaconservices.com
Beacon Application Services Corporation Proprietary and Confidential
www.beaconservices.com
Advanced Controls – Approach
Key to success was narrowing scope from all available and non-
material or appropriate to AFA
255
Delivered Controls
57
Procure to Pay
Identify
Pertinent
11
GOAL
21. Beacon Application Services Corporation Proprietary and Confidential
www.beaconservices.com
Beacon Application Services Corporation Proprietary and Confidential
www.beaconservices.com
21
Tactical Steps
Install and activate integration with Financials
Select Targeted
business process
(procure to pay)
Identify
delivered
entitlements –
Pare down list
Execute
delivered
controls against
configured
security
Produce
delivered reports
to identify
conflicts
Adjust Roles and
Rules as
identified
22. Beacon Application Services Corporation Proprietary and Confidential
www.beaconservices.com
Demonstration of how it’s done!
35. Beacon Application Services Corporation Proprietary and Confidential
www.beaconservices.com
Beacon Application Services Corporation Proprietary and Confidential
www.beaconservices.com
35
Lessons Learned
• While implementing new
systems, integrating a formal
risk-management approach
increases value of the effort
• Staying on point for a focus area
narrows work effort
• Smaller scope enables
confirmation with audit team
that this is a viable and valid
solution for all business
processes
36. Beacon Application Services Corporation Proprietary and Confidential
www.beaconservices.com
Beacon Application Services Corporation Proprietary and Confidential
www.beaconservices.com
36
Lessons Learned
• Once completed, it provides not
only proof of concept but a
foundation for future expansion
• As system is deployed and user
population changes or grows,
delivered reports and remediation
steps become part of normal
maintenance
• Create a roadmap for the future
based on feedback from internal
and external auditors as to high
risk areas
37. Beacon Application Services Corporation Proprietary and Confidential
www.beaconservices.com
Beacon Application Services Corporation Proprietary and Confidential
www.beaconservices.com
37
Lessons Learned - not just for new
implementations
• Security is one area likely to get out of control – time to fix it!
• Advanced Controls can resolve negative audit finding with your current
PeopleSoft implementation
• Advanced Control findings can help to justify the upgrade cost
Upgrades
• Security will be reviewed in light of new roles, integrating Advanced Controls
into this work effort minimizes overall cost
• Especially pertinent to expanding Payables to full Procure-to-Pay solution
• Update of SOX documentation will incorporate additional, tighter controls
New Modules
• Easily cost justified in reduction of audit costs
• Great target area for IT compliance as well as business requirements
• Quick win for maximum return
Standalone GRC