Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Governance, Risk, and Compliance Handbook for Oracle Applications

You're reading from   Governance, Risk, and Compliance Handbook for Oracle Applications Written by industry experts with more than 30 years combined experience, this handbook covers all the major aspects of Governance, Risk, and Compliance management in your organization with this book and ebook.

Arrow left icon
Product type Paperback
Published in Aug 2012
Publisher Packt
ISBN-13 9781849681704
Length 488 pages
Edition 1st Edition
Arrow right icon
Toc

Table of Contents (22) Chapters Close

Governance, Risk, and Compliance Handbook for Oracle Applications
Credits
1. Foreword
About the Authors
Acknowledgement
About the Authors
Acknowledgement
About the Reviewers
2. www.PacktPub.com
3. Preface
1. Introduction 2. Corporate Governance FREE CHAPTER 3. Information Technology Governance 4. Security Governance 5. Risk Assessment and Control Verification 6. Documenting Your Controls 7. Managing Your Testing Phase: Management Testing and Certifying Controls 8. Managing Your Audit Function 9. IT Audit 10. Cross Industry Cross Compliance 11. Industry-focused Compliance 12. Regional-focused Compliance

Oracle's Governance Risk and Compliance Footprint


The following figure gives an overview of the major functional areas of the governance, risk, and compliance problems and the Oracle Component that best addresses that problem:

When you consider who is involved in the governance, risk, and compliance process, you start to appreciate the tools that you need to complete the footprint.

Balanced Scorecard

This tool is used to express and communicate the mission of the enterprise.

Business Intelligence

This tool is used to measure the degree to which the strategy that has been communicated is actually executing.

Financial Planning and Analysis

This tool is used to convert the mission of the enterprise into financial goals, forecasts that can be discussed with investors through the management )discussion, and analysis.

Consolidations and Financial Reporting

This set of tools is used to report to investors the progress toward the goals expressed in the financial plan.

Learning

This tool is used to ensure delivery of ethics and policy education and confirm their understanding.

Risk Management Applications

This tool is used to discover and document risks to the mission of the enterprise, and to ensure that management has well-designed and effective operating controls to mitigate those risks. Such tools cover the following:

  • Access Controls Governor: To ensure that appropriate access is granted to systems.

  • Transaction Controls Governor: To ensure that transaction policies are followed and fraudulent transactions found.

  • Configuration Controls Governor: To ensure that recommended settings of the applications that themselves constitute great automated controls are appropriately configured and that changes are authorized and recorded.

  • Preventive Controls Governor: To extend the controls footprint of the delivered application.

  • Oracle Enterprise Manager: Enterprise Manager also has great capabilities to extract configuration settings and measure them against baseline. The settings that are tracked within EM by default tend to be deeper technical settings.

  • GRC Manager: To provide self assessment, testing operations, and to aggregate the results of the documentation and testing phases of the governance program for managers of the risk assurance activity.

  • GRC Intelligence: To provide the most potent and important information to the executive suite and directors on the residual risk to the enterprise.

Sub Certification

Sub Certification applications are used to allow management to confirm the controls within processes that they are responsible for. Such tools include Hyperion Close Process Manager.

Process Management Applications

These applications are used to provide the pivot point for the risk analysis and management accountability. Largely, these are the processes within the applications themselves. The process may be orchestrated through Oracle Workflow as in the case of purchase order approval or journal approval.

Content Management Applications

These applications are used to provide evidence store for unstructured information. They also provide a store for standard working papers and completed working papers that have been part of the testing activity.

Identity and Authorization Management Applications

These applications are used to provide authentication of users, accountability for their actions in the system, and authorization to information assets required to do their jobs.

Our case study

In order to ensure that we keep ourselves grounded in real problems, we have written the book as a journal of a fictional company establishing its governance processes. We will introduce managers and directors responsible for various aspects of the governance, risk, and compliance problem and where that problem is exposed and how it is addressed in the technology and business applications.

In the previous figure, we have seen the key roles that are directly engaged in the governance, risk management, and compliance activities in a typical organizational chart.

Their IT infrastructure is comprised of Sun Hardware and are running Oracle database, middleware, and business applications. We do have one of the subsidiaries of InFission running JD Edwards just to allow us to illustrate GRC working in a heterogeneous applications environment.

Roles involved in GRC activities

It is worth examining what function is responsible for what activity and what part of the Oracle footprint each is most interested in.

Audit Committee member

The audit committee of the board of directors must have at least three members. One member must have accounting or financial management expertise and all other members must be financially literate. All members must be independent.

The Audit Committee is charged with the oversight of the Financial Reporting process, including review of quarterly and annual financial statements on behalf of the investors and to discuss annual financial statement with management and auditors.

They need to review Management Discussion and Analysis (MD&A) with management and auditors. This is where management gives guidance on where the business is going. Such guidance is also given in Earnings Announcements, press releases, and guidance provided to rating agencies.

They need to monitor the system of internal control and compliance with legal and regulatory requirements. In order to do this, they need to monitor the system of risk assessment and risk management. This may be synonymous with overseeing the internal audit function, but in recent years many enterprises have set up a separate risk management program office reporting it to the management. This oversight means that the audit plan and the scope of the audits are signed off by the audit committee.

In order to ensure that the tone at the top is appropriate, received, and understood the audit committee is generally responsible for an ethics program, and responsible to manage whistle-blower complaints.

Signing Officers

The CEO and CFO of the company are responsible for signing the Sarbanes-Oxley Section 302 Certifications.

These certifications, referred to by the Securities and Exchange Commission as "Rule 13a-14(a)/15d-14a Certifications", must be signed separately by the CEO and the CFO, and filed as an exhibit to quarterly reports on Form 10-Q or 10-Q(SB) and to annual reports on Form 10-K or Form 10-KSB, as Exhibit 31, or, for foreign private issuers, as an exhibit to Form 20-F. The SEC has specified the form and wording of these certifications, which cannot be changed.

Briefly, the Signing Officer certifies that he has reviewed the report, that he believes that it does not contain any misleading misstatement or omission, and that it fairly presents the company's financial position and results of operations. The officer also certifies his responsibility for the company's disclosure controls and procedures and internal controls over financial reporting and as to their effectiveness.

Chief Audit Executive

The Chief Audit Executive is a part of the company but generally has reporting relationships to the Audit Committee of the board of directors.

The duties of the Chief Audit Executive include:

  • Status, strategy, and organization of the Internal Audit Department

  • Management/supervision of the internal audit activity

  • Ensuring the timely completion of internal auditing engagements

  • Ensuring that reports on internal auditing engagements are provided to the audit committee with minimum delay

  • Providing an annual holistic opinion on the effectiveness and adequacy of risk management, control, and governance processes

Chief Financial Officer

As well as being one of the signing officers, the CFO obviously heads the departments that are involved in processing of transactions that most directly affect the subledgers and general ledger, the preparation of financial statements, and financial planning and analysis.

Chief Information Officer

In addition to Sarbanes-Oxley (SOX), CIOs and CSOs must understand and achieve compliance with the Health Insurance Portability and Accountability Act (HIPAA) the Payment Card Industry Data Security Standard (PCI DSS) for organizations processing credit card transactions, and the Federal Information Security Management Act (FISMA) for federal agencies as well as many other global, national, and industry-wide regulations and mandates.

IT governance includes writing IT policies that define who within an organization is responsible for key decisions with regards to IT adoption and usage, who is held accountable for such decisions, and how results are monitored and measured. Implementing IT governance strategies includes assigning committees to steer technology adoption, architectural reviews, and project analysis. Governance is about processes, which should support consistent and transparent methods for managing your information technology acquisitions and usage.

The CIO is also responsible for IT risk management. Risk management requires adapting to constantly changing business requirements and monitoring what technologies are deployed within the organization Risk management encompasses surviving a constantly changing threat landscape by tightening and optimizing an organization's information security, both perimeter and internal, while improving business agility and efficiency.

The CIO is also responsible for IT compliance approaches, governance by designing, assessing, and implementing controls. These controls must map back to the various industry requirements and best practices that ultimately determine success or failure during an IT audit.

Chief Operating Officer

Many of the controls in the business are part of the processes and procedures operating in the Business Units themselves. For example, your revenue line might be unreliable due to side contracts that are made by your salespeople. Management in the business is responsible for the design of the controls and certifying their effectiveness.

lock icon The rest of the chapter is locked
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at €18.99/month. Cancel anytime