Noble Energy - Oracle GRC advanced controls case study con7988 update# 8

Copyright © 2015, Oracle and/or its affiliates. All rights reserved.

Oracle Risk Management: Top 10 T&E Reporting Controls for EBS (CON7988)

Glen Walton, Oracle Application Development, Oct 28, 2015

Presented with Source-to-Settle


Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.


Agenda

1. Panelist Introductions
2. Travel and Expense Reporting Controls - Panel Discussion
3. More Resources


Today’s Panelists

• Sangeeta Roy, Senior IT Manager, Finance and Employee Services IT, Cisco Systems

• Jeramie Taylor, Manager Internal Controls, Noble Energy

• Joel Ninemire, Enterprise Applications Advisor, Noble Energy

• Gena Alexander, Snr Director Operations and Strategy, Oracle’s Source to Settle

• Chris Doxey, Chris Doxey Inc.


Oracle Advanced Controls: Speaker Bios

Jeramie Taylor, Manager Internal Controls

• At Noble for 4 years; joined to lead the IT Audit function and now leads the Internal Controls Department

• Owns the Company’s Internal Controls Program including Planning, Fieldwork and Reporting

• Responsible for Oracle Advanced Controls Road Map and Value Creation Through Controls Automation

• Formerly a Big-4 Auditor focusing on General IT Controls and Advisory Engagements

Joel Ninemire, Enterprise Apps Advisor

• At Noble for 1 year; joined to lead (re)implementation of GRC

• eBS Admin reporting to IT, integrating IT operations with Compliance initiatives

• Lead security (RBAC), GRC administration

• Formerly GRC implementation (2) and PeopleSoft implementation (1) consultant

• IT Audit (3)


Company Overview: A Company of Growth and Expansion

• Founded in 1932 by Lloyd Noble

• Noble Energy is an S&P 500 public company with proved reserves of 1.7 billion barrels of oil equivalent and assets totaling over $22 billion at year-end 2014

• Noble Energy's corporate purpose is "Energizing the World, Bettering People's Lives®"

• We strive to provide energy for the world through finding and producing hydrocarbons, while positively influencing the lives of our stakeholders. To us, the two responsibilities cannot exist separately.

Company Overview: Focus on Core Value-add Assets

Oracle eBS Overview: Technology that Enables Business

• Implemented Oracle EBS version 11.5.10 in Q4 of 2007

• Current Oracle EBS version 12.1.3

• 6 instances: 1 Prod, 4 Test, 1 Dev

• Hosted by Oracle Managed Cloud Services

• Core users ~3000

• EBS Modules:
  - General Ledger
  - Financial Reporting
  - Payables
  - Receivables
  - Fixed Assets
  - Projects
  - Asset Management
  - Inventory
  - Purchasing
  - iExpense
  - OTL Time Entry
  - Human Resources/ iRecruitment
  - Payroll

• P2 Enterprise Upstream:
  - Revenue
  - Revenue Reporting
  - Division Orders
  - Joint Venture Accounting
  - Production Reporting

• GRC/ PCG

• Hyperion

• Business Intelligence Apps

• Numerous Disconnected Apps


Oracle eBS Overview: Uniquely Noble Operations

• Noble does not sell or manufacture goods in the typical sense; we explore and extract petroleum reserves, which are sold at meter stations or processing facilities

• International operations, often in politically embattled regions, and as a US public company we must have strict control around managing projects, assets, and related payments

• Central governance from Houston-based headquarters of distinct regional offices, each with their own variations of corporate processes

• Financial authorization for asset procurement is captured on the requisition; direct entry invoices are scrutinized and also require system approval

• Forecasting performed in Hyperion, with resulting budgets loaded into Oracle, and OU performance trending OBIEE dashboards

• 5-year business objective to mature end-to-end processes through IT-enabled automation, simplification (cloud services), and predictive reporting focused on Requisition-to-Pay, Acquire (Build)-to-Retire, and Asset Life-cycle Maintenance

• Control and reporting of T&E are a component of each of these cycles


Oracle Advanced Controls: Holistic Solution

Components shown: Repository (3rd Party GRCM), AACG, CCG, TCG, PCG, OBIEE, Staff

AACG

2014:
- Implemented 12 AACG Controls
- Defined basic access entitlements from controls matrix

2015:
- Continue refining entitlement
- Integration with IT for security fixes, RBAC implementation

CCG

2014:
- Implemented 20 CCG Controls
- Select baseline definitions being monitored
- Snapshot for year-end audit config controls

2015:
- No change/ additional content
- Snapshot alleviates Internal Audit need for IT involvement

TCG

2014:
- Implemented 25 TCG controls
- 15% are SOX controls
- 85% are non-key monitoring controls or supplemental reports

2015:
- 46 TCG controls
- 25% SOX
- 75% non-key monitoring/ reporting

PCG

2014:
- 12 PCG controls
- 40% used in SOX
- 60% used for business automation or monitoring

2015:
- 55 PCG controls
- 35% SOX
- 65% business automation/ monitoring
- User Access Recertification automated using PCG

eGRC

2014:
- eGRC functional but content not yet defined

2015:
- No change/ additional content

Staff

2014:
- Partnership with Navillus for implementation and baseline configuration
- Internal Controls analyst
- Integration with IT: GRC application analyst, DBA, server admin, OBIEE analyst, EBS analysts/ admins

2015:
- Navillus partnership concluded
- No change in full-time IA, IT staff


Oracle eBS Overview: T&E Controls

Lessons Learned:

• Fragile tech stack: heavy usage and untrained users can cause application or data issues

• Clear responsibilities and integration between IT and Compliance are critical for ongoing success

• User training and ownership

• Defined content development (and testing) before production use

Top T&E Controls

• [TCG] Exception monitoring by Merchant name (e.g. Apple, BestBuy, Home Depot)

• [TCG] Exception monitoring by Vendor name for credit services (i.e. Credit, Credit Card Services, Fuel Card)

• [TCG] Periodic review of CC transactions prior to expense submission

• [TCG] Exception monitoring of supplier bank account same as employee bank account

• [eBS] AME workflow approvals for Expense Reports (1-up)

• [eBS] Restricted access to AME approval override

• [eBS] Audit Rules (i.e. Percentage Review, Select Employees, Expense Date)

• [eBS] Expense Templates (duplicates, default flexfield, receipt required)

• [T&E] Spending limits by person by card

• [T&E] Restricted merchant codes


Oracle GRC Wins Ventana Technology Innovation Award!

“Oracle’s GRC solution provides a unique approach to the problem of risk management by automating risk controls which are embedded into critical business processes; applying leading edge technologies to solve complex risk challenges.”

- Mark Smith, CEO of Ventana Research


Pennsylvania Treasury GRC Project Wins Multiple Awards

Elite panel of judges (NASA CIO, FCC CIO, Army CIO and others) have selected PA Treasury IT project as one of the top 10 public sector projects of the nation


Case Studies and Speakers at OpenWorld 2015


Follow us and join the conversation:

• Oracle GRC Advanced Controls Group

• OracleAdvControls

• @OracleAdvCntrls
