Alliance session 4373 risk management from on premise to the cloud – a focus on controls
RISK MANAGEMENT FROM ON PREMISE TO THE CLOUD – A FOCUS ON CONTROLS
03/01/2017
PRESENTERS
Lewis Hopkins
Snr Applications Consultant
Smart ERP Solutions
Security and Risk Management since 2003.
Board member – OAUG GRC Customer Group.
AGENDA
• About Smart ERP Solutions, Inc.
• Review of Risks
• Technologies
• Q&A
ABOUT SMART ERP SOLUTIONS, INC
Innovative solutions and services to automate, streamline and simplify ERP applications.
Achieve Best-In-Class Performance: Our mission is to provide innovative, configurable, flexible, cost-effective solutions to common business challenges, enabling our clients to save time, increase productivity, minimize costs, and maximize their return on investment.
Solutions: Business applications that offer organizations an end-to-end solution providing the right design and implementation from start to finish.
Services: A 24/7 seasoned and experienced staff of experts to help you implement your business solutions efficiently and effectively at a cost-effective rate.
Cloud: Cloud applications provide solutions built on proven enterprise class architecture that enable high configurability and ease of monitoring.
SMARTERP & ORACLE
Embracing Partnerships with Oracle / PeopleSoft and Our Clients
CURRENT RISKS
Finance, Student Finance, HR
SECURITY AND FRAUD
US Fraud averages $150,000, 22% exceed $1m
The average time to find Fraudulent activity is 18 months
41% of Fraud committed Internally – KPMG Securing the ERP 2016
See: http://www.fraudweek.com/uploadedFiles/Fraudweek/content/documents/cost-of-complacency.pdf
THE IMPACT OF TIME
$75k loss at <7 months
$150k at 19 months
$965k at 61 months +
[Chart: Loss over Time. x-axis: Time, 7 to 61 months; y-axis: Loss in $]
PROACTIVE VS REACTIVE MEASURES
“PROACTIVE MEASURES catch fraud sooner and minimize losses. Frauds that are caught by reactive measures last longer and cause more harm.”
• Surveillance / Monitoring, IT Controls: $59k
• Tip or Confession: $184k
• Notification by Law Enforcement: $1.25m
GRAMM-LEACH-BLILEY ACT & THE DEPARTMENT FOR HIGHER EDUCATION
GLBA requires institutions to, among other things:
• Develop, implement, and maintain a written information security program.
• Designate the employee(s) responsible for coordinating the program.
• Identify and assess risks to student information.
• Design and implement an information safeguards program.
• Select appropriate service providers that are capable of maintaining appropriate safeguards.
• Periodically evaluate and update the security program.
ED plans to incorporate the GLBA security controls into the Annual Audit Guide and will look at GLBA compliance as part of institutions' annual student aid compliance audits.
NIST 800-17, OMB UNIFORM GUIDANCE AND MORE…
Designed to build a SOX-like framework for non-Federal organizations sharing Federal data. Controls include:
• Access Controls
• Security Assessment
• Risk Assessment
http://www.nacubo.org/Business_and_Policy_Areas/Student_Financial_Services/Student_Financial_Services_News/ED_Reminds_Schools_about_Protecting_Student_Information.html
https://library.educause.edu/~/media/files/library/2016/4/nist800.pdf
MANAGING CONTROLS AND RISKS IN ERP
1. No Segregation of Duties out of the box
2. Difficult to answer who has access to what
3. Reports in ERP technically orientated
4. No way to document Risks and Controls ‘inside ERP’
MANAGING CONTROLS AND RISKS OUTSIDE OF ERP
Today we use spreadsheets, but with spreadsheets…
• No workflow
• No audit trail
• Difficult to create attachments
• Purely acts as a data store, cannot take actions within spreadsheets
• No segregation of duties or data
• Too much effort to manage users and get them to carry out their tasks
• If someone did something they were not supposed to do, we have to manually track and fix it
• Difficult to track progress of actions
• Too much effort to provide executive snapshot
– Financial Controller, Vision Corp
TECHNOLOGIES Cloud
FINANCIAL RISK CLOUD
Risk Management Cloud service that:
• Streamlines internal control assessments
• Automates labor-intensive tasks required to complete external certifications for SOX/NIST or similar legislation
BENEFITS
• Replace Spreadsheets
• Does not depend on the ERP Platform, no integration
• Detail Risks and their impact
• Provide workflow approval for process owners
• Sample Risks:
• “Potential fraud may occur in payroll due to inappropriate access and transactions”
• “Changes to master data information that is not authorized or incorrectly entered which causes errors to sales, credit, or payment related transactions.”
• Sample Controls:
• “Ensure SoD within payroll functions”
• “Review changes to master data information, including change owner”
Assessments distribute tasks to process owners along with the Test Plan.
Instructions included:
Issues are raised
Status of Issue recorded
Risk Reports help identify Controls that have issues or failures to help assess the Organization’s overall Risk Management position.
TECHNOLOGIES On Premises
SMART SEGREGATION OF DUTIES
Embedded within PeopleSoft
• Detective and Proactive SoD scanning
• Interactive Reports and Dashboards
• Mitigations/Exceptions
• Rules stored in PeopleSoft
• Read Only
ABILITIES
• Abilities contain the Security required to perform a task or duty
RULES
Ability 1 – Create Vendor
Component 1 OR Component 2 OR Component 3 OR Component 4 OR
AND
Ability 2 – Approve Vendor
Component 1 OR Component 2 OR Component 3 OR Component 4 OR
Rule: Create Vendor & Approve Vendor
STRUCTURED REPORTING
Ability 1 – Create Vendor
Component 1 OR Component 2 OR Component 3 OR Component 4 OR
A: “Should we have 200 Users who can Create a Vendor?”
B: “There should only be 5 people who can do this!”
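A minimal sketch of the ability/rule model from the RULES and STRUCTURED REPORTING slides, added here as an example and not Smart ERP's or PeopleSoft's code. The component names, users and access data are constructed; it covers a detective scan, a proactive check on a pending grant, and the per-ability headcount report.

```python
# Added example: names and access data below are constructed, not PeopleSoft's.
# An ability is held if the user can reach ANY of its components (OR).
ABILITIES = {
    "Create Vendor": {"VENDOR_ADD", "VENDOR_QUICK_ADD"},
    "Approve Vendor": {"VENDOR_APPROVE", "VENDOR_MASS_APPROVE"},
}
# A rule fires when the user holds ALL of its abilities (AND).
RULES = {"Create Vendor & Approve Vendor": ("Create Vendor", "Approve Vendor")}

# Constructed user -> component access, as a security export might list it.
USER_ACCESS = {
    "asmith": {"VENDOR_ADD", "VENDOR_APPROVE"},
    "bjones": {"VENDOR_QUICK_ADD"},
    "clee": {"VENDOR_MASS_APPROVE", "VOUCHER_ENTRY"},
}


def abilities_of(components):
    """Return the abilities granted by a set of components."""
    return {name for name, comps in ABILITIES.items() if comps & components}


def violated_rules(components):
    """Return the rules whose abilities are all held."""
    held = abilities_of(components)
    return sorted(r for r, needed in RULES.items() if held.issuperset(needed))


def detective_scan(user_access, exceptions=frozenset()):
    """Existing conflicts per user, skipping documented (user, rule) exceptions."""
    findings = {}
    for user, comps in user_access.items():
        hits = [r for r in violated_rules(comps) if (user, r) not in exceptions]
        if hits:
            findings[user] = hits
    return findings


def proactive_check(user_access, user, new_component):
    """Rules a pending grant would newly violate, checked before it is made."""
    current = user_access.get(user, set())
    before = set(violated_rules(current))
    return [r for r in violated_rules(current | {new_component}) if r not in before]


def ability_headcount(user_access):
    """Users per ability: the 'who can create a vendor?' report."""
    return {a: sorted(u for u, c in user_access.items() if comps & c)
            for a, comps in ABILITIES.items()}
```
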
SUMMARY
Risk Management Cloud
THANK YOU!