Configuration GRC & Oracle Configuration Controls Governor 5.5March 2009Oracle GRC Strategy – Barry Greenhut

2

Application GRC tells you…

Who’s using our apps?ACCESS CONTROLS

What can they do?CONFIGURATION CONTROLS

What have they done?TRANSACTION CONTROLS

3

Application GRC controls reduce…

Financial Loss

Compliance Cost

Audit Effort

!!

4

Configuration examples

• Financial Loss• Tax mis-configuration causes under-collection of taxes, goes

undetected for months. Consequences: Pay taxes on behalf of customers, plus penalties.

• Clerk changes bank account info without cross-check, millions transferred before fraud discovered.Consequences: Money lost, or frozen pending litigation; public confidence shaken due to notoriety.

• Sales reps raise customers’ credit limits so they can buy more.Consequences: Customers default on payments, receivables aging forces write-downs.

5

Configuration examples

• Compliance Cost• Ledger Set mis-configuration allocates revenues amongst

divisions incorrectly. Consequences: Restate and refile quarterly results; public confidence shaken due to notoriety.

• Audit Effort• Production patch resets vendor tolerances, goes unnoticed

for months. Consequences: Internal audit team spends months proving there were no abuses; external auditors perform substantial transaction examination.

!!

6

How do I control costs/risks?

• Control setup changes that can have significant financial or regulatory impact

• Identify setup changes that violate financial or regulatory policy

• Accelerate documentation and analysis of setup values

7

Use CCG to control costs/risks

Use CCG to:Change Tracking

Snapshots & Comparisons

Reduce Financial LossControl setup changes that can have significant financial or regulatory impactReduce Compliance CostsIdentify setup changes that violate financial or regulatory policy

Alert users when key

setups change

Find differences

between production &

baseline

Reduce Audit EffortAccelerate documentation and analysis of setup values

Audit trail of changes

Document all setup values, as seen in the

original application

8

CCG has delivered GRC savings since 1998

• No substantial competitors• Just the configuration GRC you absolutely need:

• Full audit trails and alerts (Change Tracking)

• Comprehensive record keeping (Snapshots)

• Find discrepancies (Snapshot Comparisons)

9

CCG has delivered GRC savings since 1998

• Quick to implement – can be done in one day, thanks to shrink-wrap support for:• EBS R12 – 12 modules (550+ setups)

EBS 11i – 66 modules (3,000+ setups)• PSFT HCM 8.8 – 9 modules (400+ setups)

• Protects data from prying eyes – you control all access

• Centralizes all controls and data in a single source of truth

10

CCG 5.5 keeps all key GRC features

• Snapshots, Comparisons and Change Tracking• Quick implementation with shrink-wrap coverage for

EBS R12, EBS 11i, PSFT HCM 8.8• Use MetaBuilder to add coverage of any setup data that’s

stored in an Oracle database• Comprehensive Data Security• Single Install, Centralized Control Repository• Flexible – Reconfigure whenever needed• No price increase – Costs far less than custom or

manual solutions

11

Shrink-Wrap Coverage

EBS R12 550+ setups

EBS 11i 3,000+ setups

PSFT HCM 8.8 400+ setups

BASE ENGINEAlertsApplication Object LibraryCommon ModulesSystem Administration

FINANCIALS General LedgerSubledger AccountingPayableseBusiness TaxLegal Entity ConfiguratorReceivables / iReceivables

PROCUREMENT iProcurementPurchasing

BASE ENGINE

CONTRACTS

CRM

DISTRIBUTION

FINANCIALS

HR/PAYROLL

MANUFACTURING

PLANNING

PROCUREMENT

PROJECTS

PUBLIC SECTOR

BASE ENGINE

HCM Benefits Compensation HR Payroll Pension Recruiting Stock Administration Workflow

12

Use MetaBuilder to Add More Coverage

13

Use MetaBuilder to Add More Coverage

• Use MetaBuilder to add support for more setups • Anything that's stored in an Oracle database is fair game• Requires app developer expertise

• Make markets by: • Identifying a group of clients that need configuration GRC for

a specific vertical, line of business, or business process• Identifying a handful of key setups to govern• Building support just for those setups

14

EBS R12 Snapshots, Comparisons & Change Tracking

• Protect your Configuration GRC investment when upgrading to R12, and when using R12• Identify configuration changes with Snapshot Comparisons –

no other product can compare 11i10 to R12• Change-track R12 setups from Day 1• Dedicated presentation: “CCG for R12 Upgrades”

• The entire GRC Controls Suite now supports R12:AACG 8.2 • CCG 5.5 • PCG 7.3 • TCG 7.3

15

Field-Level Change Tracking

• #1 feature request from CCG users• Get just the Change Alerts you want:

• Before, CCG users were numbed by a flood of alerts about non-critical fields

• Now, users choose the fields they want to hear about• Users can also choose the fields seen in dashboards and

reports• CCG always captures the full audit trail for all fields, and can

alert/display/report them anytime

16

GRC Branding

• Makes the GRC suite feel more unified

• Adopts GRCC look and feel, in UI and reports

• Replaces “Integra” and “Apps” with “Oracle” and “CCG”

17

Performance & Reporting Improvements

• #2 request from CCG users• Faster and more reliable

• Faster lists of definitions, occurrences, jobs• Faster and more reliable reports

• OBIP is extensible• This release introduces Oracle Business Intelligence

Publisher for all reporting• Owners who want to develop new reports can use their own

OBIP server – OCS/partners can assist

18

Updated Certifications

CCG 5.5 CCG 5.1Business Application

EBS R12, 11i10 EBS 11i10, 11i9, 11i8, 11i7, 11.0.3PSFT HCM 8.8 PSFT HCM 8.8, 8.3

Operating System

RedHat Enterprise Linux 5 RedHat Enterprise Linux 4Future: Solaris 10 Solaris 10, 9Future: Windows Server 2003 Windows Server 2003Future: Oracle Enterprise Linux 5

Application Server

Tomcat 5.5 Tomcat 5.0Future: Oracle 11g Oracle 10g

WebLogic 8.1Database Oracle 10gR2 Oracle 10gR2, 9iR2, 8iWeb Browser

IE7 IE6, IE5.5Firefox 3

19

What’s not in CCG 5.5

• Does not offer Setup Migration• iSetup is Oracle’s tool for migrating setups

• No license fee• OCS now able to implement• iSetup team already working with key CCG Setup Migration

customers – e.g., Dell, Pfizer, Ingersoll Rand• For CCG owners using Setup Migration today:

• Premier Support for 5.1.3 continues through December 2010• No enhancements – only bug fixes

• For EBS owners upgrading to R12: No product can migrate 11i setups to R12; only CCG can compare 11i setups to R12 setups

20

CCG & iSetup

CCG iSetupCCG and iSetup complement each other

Reduce financial lossReduce compliance costReduce audit effort

Migrate setups during application rollouts

They do not compete with each other

Snapshots perfect for GRC• Cross-release• Controlled for data security• Display setups as seen in EBS• Fine-grain filtersChange Tracking

Snapshots perfect for verifying migrationSetup Migration

21

CCG & Configuration Management Packfor Enterprise Manager

CCG CMPCCG and CMP complement each other

Reduce financial lossReduce compliance costReduce audit effort

Troubleshoot failed servers and applications

They do not compete with each other

Change tracking perfect for GRC:• Shrink-wrap supportNo need for a developer to implement• Complete change dataNo need for a developer to translate into business termsSnapshots & Comparisons

Change tracking perfect for troubleshooting

22

CCG & PCG

CCG PCGCCG and PCG complement each other

Detect configuration change• Track changes to setups and compare snapshots• Rapid start with shrink-wrap support for 1000’s of setups

Restrict user activity• Hide or mask EBS fields• Require third-party approval of EBS data changes• Require reason codes for EBS data changes

They do not compete with each other

Quick implementation with shrink-wrap supportSetup data only

Track changes to any EBS data Configured manually

23

What 5.5 means for Customers

• CCG remains a priority at Oracle• On long-term roadmap

• CCG is a trusted solution that’s only getting better

24

CCG available today

• This information can be communicated to customers immediately

• CCG can be demo’d and sold today

25

Summary

• Configuration Controls Governor offers GRC value:• Reduce Financial Loss and Risk• Reduce Regulatory Compliance Cost and Risk• Reduce Audit Effort

• CCG is a mature product that provides a single place to manage all application configuration GRC

• CCG comes ready-to-use, with support for: • EBS R12 (12 modules, 550+ setups)

EBS 11i (66 modules, 3,000+ setups)• PSFT HCM 8.8 (9 modules, 400+ setups) • Add more support using MetaBuilder