Governance, Risk, and Compliance Handbook for Oracle Applications
Table of Contents
Governance, Risk, and Compliance Handbook for Oracle Applications
Credits
Foreword
About the Authors
Acknowledgement
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers and more
Why Subscribe?
Free Access for Packt account holders
Instant Updates on New Packt Books
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Errata
Piracy
Questions
1. Introduction
How this book is organized
Definitions
Governance
Risk
Compliance
Oracle's Governance Risk and Compliance Footprint
Balanced Scorecard
Business Intelligence
Financial Planning and Analysis
Consolidations and Financial Reporting
Learning
Risk Management Applications
Sub Certification
Process Management Applications
Content Management Applications
Identity and Authorization Management Applications
Our case study
Roles involved in GRC activities
Audit Committee member
Signing Officers
Chief Audit Executive
Chief Financial Officer
Chief Information Officer
Chief Operating Officer
The Audit and Compliance process
Risk Assessment phase
Audit Planning phase
Documentation phase
Testing phase
Reporting phase
Relationships between entities, accounts, process, risk controls, and tests
GRC Capability Maturity Model
Summary
2. Corporate Governance
Developing and Communicating Corporate Strategy with Balanced Scorecard
Balanced Scorecard Theory
The four perspectives
Measures
Strategy Maps
InFission's strategic initiative
Oracle's Balanced Scorecard
Accessing Oracle Hyperion's Balanced Scorecard
The main components and how they are related
Setting up measures
Setting up an Accountability Hierarchy
Assembling the Scorecard
Breaking down Measures and Scorecards into lower-level objectives
Authorizing Managers to Scorecards
Loading data
Developing the Strategy Map for InFission and reviewing it with the Board
Assigning objectives to Managers and creating goals in HCM
Communicating and confirming Corporate Strategy with iLearning
Developing Learning Assets Flow
The major components of the Learning System
Responsibilities
Adding an Entry in the Course Catalog
Uploading Course Content
Developing a question bank to confirm understanding
Monitoring employees' understanding
The InFission Strategic Objectives Classes
Managing Records Retention Policies with Content Management Server
Records Governance Process
Records Governance Components and how they are related
Roles for accessing Universal Content Manager (UCM)
Standard Sensitivity Classifications
Typical Security Groups that reflect Security Boundaries and Sensitivity Classifications
Illustrative Retention Policies
Running the Document Disposition Check
Financial planning and analysis with Hyperion FR
Financial Planning and Analysis Flow
Accessing the Financial Planning and Analysis tools
Constructing Account Balance Data Cube
Developing the Financial Model
Developing planning assumptions
Constructing the Financial plan
Publishing the Financial plan
Analyzing the results
Publishing the results
Financial Planning and Analysis Components and how they are related
Monitoring Execution with Oracle Business Intelligence
Oracle Financial Analytics
Other dashboards in Financial Analytics
Oracle Sales Analytics
Other dashboards in Sales Analytics
Oracle Procurement Analytics
Other dashboards in Procurement Analytics
Oracle Human Resources Analytics
Other Dashboards in Human Resources Analytics
Enterprise Risk Management
Conducting a Risk Assessment
Scope Controls to be Tested
Develop Audit Plan
Briefing the Board
Whistle-blower protections
Setting up iSupport for anonymous access
Configuring for recording whistle-blower complaints
Creating a template for whistle-blower complaints
Summary
3. Information Technology Governance
Developing and communicating IT strategy with balanced scorecards
IT project portfolio planning
Roles for accessing portfolio analysis
Decide investment criteria
Create portfolio
Initiate planning cycle
Submit new projects for inclusion in portfolio
Score projects
Create and compare the scenarios
Recommend and approve the scenario
Close planning cycle and implement scenario recommendations
Maintaining a valid configuration
Managing the configuration using Applications Manager
Maintaining a valid configuration using Enterprise Manager Application Management Pack for E-Business Suite
Service desk administration through Oracle Enterprise Manager
Support workbench
Problem details
Packaging problem details
Summary
4. Security Governance
Security balanced scorecard
Relationships between the objectives
Metrics for the objectives
Perspectives from standard bodies and professional institutions
IT Governance Institute
ISO 17799
Quotes from prominent Security managers
Account provisioning and identity management
Designing roles
Function Security
Data security
Aggregating responsibilities into roles
Role provisioning
Identity management
Limiting access to administrative pages
Segregation of Duties Policies
Server, applications, and network hardening
System wide advice
Database tier
Oracle TNS listener security
Oracle database security
Application tier
Protect administrative web pages
E-Business Suite security
Desktop security
Turn off auto-complete in browser settings
Operating environment security
Firewall configuration and filtering of IP packets
Security incident response through Oracle service
Summary
5. Risk Assessment and Control Verification
InFission approach for Risk Assessment and Control Verification
Establishing Program Office
Selecting controls framework
The COSO framework
Holistic risk assessment—COSO ERM
The COBIT framework
Survey and interview management
Reviewing prior year documentation
Rating current year risk
Verifying controls
Oracle's GRC Manager and Intelligence—risk assessment and control verification system
Assessment workflow in Oracle GRC Manager
Initiating assessment
Selecting assessment type
Selecting risks in scope
Selecting control in scope
Starting assessment
Assessing risks
Reviewing risks
Verifying Controls
Certifying assessment
Evaluating assessment
Assessing quantitative risks in Oracle GRC Intelligence
Conduct quantitative risk assessment
Summary
6. Documenting Your Controls
Process and procedure documents
InFission approach for managing process and procedure documents
Managing process documents in Oracle GRC Manager
Creating a Business Process in Oracle GRC Manager
Documenting process narratives in Oracle Tutor
Risks and controls documents
InFission approach to risk and controls documentation
Managing risks in Oracle GRC Manager
Managing controls in Oracle GRC Manager
Managing control documentation lifecycle in GRC Manager
Using the data collection workflow to update documents
Contributing to a process
Reviewing data for a process
Reviewing a process in data collection review
Approving a process in data collection review
Rejecting a process in data collection review
Canceling changes to a process
Summary
7. Managing Your Testing Phase: Management Testing and Certifying Controls
Management testing for internal audit program
Management testing for Regulatory Compliance Audits
Management testing for Enterprise Risk Management
InFission's approach to management testing
Management testing using Oracle GRC Manager
Using GRC Survey tool to determine the scope of audit plan
Managing survey questions
Managing survey choice sets
Managing survey templates
Adding questions to a survey template
Deleting a survey template
Survey translations
Creating and initiating a survey
Completing a survey
GRC Manager assessments
Creating the assessment templates
Creating an assessment plan
Assigning the delegate
Initiating/completing the assessment
Initiating an ad-hoc assessment
Completing the assessments
Reviewing the assessment results
Closing an assessment
Summary
8. Managing Your Audit Function
Audit planning
InFission audit planning approach
Managing audit plan using Oracle GRC Manager
Creating the audit template
Creating the audit plan
Internal controls assessment
InFission internal controls assessment approach
Assessing internal controls using Oracle GRC Manager
Initiating the assessment
Selecting criteria
Selecting the components
Selecting the participants
Controls assessment
Managing issues
Closing an assessment
Audit report
InFission's approach to audit report
Obtaining the audit report in Oracle GRC Manager
Issues Management Report
Controls Management Report
Executive Reports
Summary
9. IT Audit
InFission IT Audit approach
IT Audit scope management
IT Audit plan management
Automated application controls using Oracle GRC Controls Suite
Oracle Application Access Controls Governor
Identifying objectives
Selecting controls
Model walk-through
Analyzing controls
Remediation
Reviewing intra-role incidents
Reviewing inter-role incidents
Additional reports to analyze incidents
Assigning incidents to business owners
Running simulation
Re-evaluate
Managing access approval
Oracle Transaction Controls Governor
Create model
Testing the controls
Implementing corrections
Monitoring controls
Reviewing summary graphs to monitor incidents
Generating reports to monitor control status
Configuration Controls Governor
Creating definitions
Creating a snapshot definition
Testing a snapshot definition
Locking the definition
Sharing the definition
Comparing snapshots
Defining change tracker
Deploying change tracker
Viewing change tracker results
Setting up queries and alerts
Preventive Controls Governor
Creating rules
Creating a Form Rule
Creating a Rule Element
Capturing Events with Event Tracker
Capturing Items from a Form
Using the Event Tracker to set security
Updating Element definition
Configuring element details
Setting up security
Selecting Components
Setting up navigation paths
Creating menu links
Creating zooms
Creating messages
Setting default values
Creating and modifying lists of values
Altering an existing LOV
Creating a new List of Values
Setting field attributes
Blocking Attributes
Field attributes
Field instance attributes
Creating SQL procedures
Summary
10. Cross Industry Cross Compliance
Sarbanes-Oxley
Important sections of the act and the technologies that apply
Title 1: Establishment and Operation of the Public Company Accounting Oversight Board
Title 2: Auditor Independence
Title 4: Financial Disclosures
Title 8: Legal Ramifications for Corporate Fraud
ISO 27001 — Information Security Management System (ISMS)
The components of an Information Security Management System
The risk assessment process
The Risk Treatment Plan
The Statement of Applicability
Oracle's products and ISO 27000
Control Objectives for IT (COBIT)
Managing IT processes in Oracle GRC applications to support COBIT Framework
InFission COBIT Framework setup in Oracle GRC Manager
InFission IT Controls Management Approach
Plan and Organize (PO)
Acquire and Implement (AI)
Deliver and Support (DS)
Monitor and Evaluate (ME)
California Breach Law
PII Columns: Trading Community Architecture
PII Columns: Procurement
PII Columns: Financials
Oracle's products and California Breach Law
Transparent data encryption
E-Business Suite with transparent data encryption
Health Insurance Portability and Accountability Act (HIPAA)
Oracle's products and HIPAA
Scrambling and data masking
Data vault
Protecting database objects with realms and rules
Preseeded realms for the E-Business Suite
Pre-seeded Realm Authorizations
Payment Card Industry (PCI)
Oracle's products and PCI
Oracle Payments
Key management
Federal Sentencing Guidelines
Standards for an effective compliance and ethics program
Oracle's products and Federal Sentencing Guidelines
Creating the ethics program in iLearning
Monitoring the ethics program in iLearning
Summary
11. Industry-focused Compliance
Hi-tech manufacturing
ISO 9000
Oracle Tutor
Oracle Quality
Oracle Quality components and how they are related
Responsibilities for accessing Oracle Quality
Creating a collection plan
Entering collection results
Auditing ISO 9000
Environmental compliance and ISO 14000
Requirements of ISO 14001
ISO 14000 compliance auditing
Organization certification
How ISO 14000 fits into GRC Manager
Example environmental risk portfolio
RoHS WEEE
RoHS WEEE and hazardous substance compliance
Who needs to comply?
Oracle Agile Product Governance and Compliance
Major components of PG&C and how they relate to each other
Defining specifications
Defining substances
Defining declarations and compositions
Reviewing compliance data for assemblies
Life sciences and medical instrument manufacturing
Title 21: Code of Federal Regulations
The requirements of electronic records
Oracle's E-records Management Solution
E-records management features
E-records management components
Responsibilities in E-records management
Functions in the E-records process
Upload and approve files
Notify approvers
Searching the evidence store
Banking and financial services
Basel
Requirements of Basel
The three pillars
The first pillar—Minimum capital requirements
Credit risk
Market risk
Operational risk
The second pillar—Supervisory review process
The third pillar—Market discipline
Oracle's solutions in the banking sector
Comply with pillar one—Capital adequacy
Comply with pillar two—Management review
Comply with pillar three—Disclosure
Patriot Act
Oracle's solution for Patriot Act — Oracle Mantas
Major components of Mantas
Summary
12. Regional-focused Compliance
Regulatory compliance in major economic regions
The Sarbanes-Oxley Act of 2002 (USA)
Public Company Accounting Oversight Board (PCAOB)
Auditor Independence
Corporate Responsibility
Enhanced Financial Disclosures
Analyst Conflicts of Interest
Commission Resources and Authority
Studies and Reports
Corporate and Criminal Fraud Accountability
White Collar Crime Penalty Enhancement
Corporate Tax Returns
Corporate Fraud Accountability
Canada Bill 198 (Canadian Sarbanes-Oxley)
UK Corporate Governance Code 2010
European Union's 8th Directive
Financial Instruments and Exchange Law (Japan SOX)
Corporate Law Economic Reform Program (CLERP — Australia)
InFission approach to Regional Compliance
Managing regional compliance using Oracle GRC Manager
Setting up Financial Governance module
Regionalizing your Financial Governance Framework
Setting up Content Type for Regulatory Documentation
Updating Lookup tables
Creating user-defined attributes (UDA) for regional compliance
Setting up Regional Compliance Framework using perspectives
InFission Organization Structure perspective
InFission Regulatory Compliance perspective
InFission Standard and Framework perspective
Loading data
Setting up user profile for regional roles
Assessing Regional Compliance using Oracle GRC Manager
Monitoring Regional Compliance in Oracle GRC Intelligence
Regional Compliance Dashboards
Regional Compliance reports
Certification reports
Issue reports
Analysis reports
Standard reports
Summary
Index