WORKSHOP 84 - PDI 2017 (pdi2017.org/wp-content/uploads/2017/06/84-Torson-Reba.pdf, 2017-06-19)

WORKSHOP 84 STREAMLINING COMPLIANCE THROUGH GRC – INTEGRATING A-123 UPDATES AND MORE!


Page 1

WORKSHOP 84

STREAMLINING COMPLIANCE THROUGH GRC – INTEGRATING A-123 UPDATES AND MORE!

Page 2

BOB THORSON, ACCENTURE

Bob Thorson is a Senior Manager in Accenture Federal Services’ Defense Practice, specializing in Governance, Risk, and Compliance (GRC) tools and human capital solutions. Bob currently oversees DLA’s SAP GRC implementation, working to automate their internal controls testing and documentation, and the Department of the Navy’s (DON) Managers’ Internal Control Program (MICP) contractor support, working to create the DON Statement of Assurance.

In addition to being Accenture’s financial GRC capability lead, Bob has an extensive background in organizational job design, training, and change management.

Page 3

SIMONE REBA, ACCENTURE

Simone Reba is a senior financial manager with Accenture Federal Services, primarily focused on supporting the Department of the Navy Financial Improvement Program (FIP). Prior to her move to Accenture, Reba served 30 years with the Defense Logistics Agency (DLA), culminating in her induction into the Senior Executive Service in May 2007 as DLA’s Deputy Chief Financial Officer (CFO). As Deputy CFO, she oversaw and provided guidance to all core financial functions – budget, accounting, audit, and process management; served as the Agency budget officer; and was the Agency’s audit readiness program manager. As the Agency’s Audit Readiness Program Manager, she led DLA’s 27,000 employees to a successful financial statement audit readiness assertion in FY 2015, making DLA the first Defense entity of its size and complexity to assert readiness (two years ahead of the 2017 Congressional Mandate

Page 4

NAVIGATING A-123 UPDATES

Page 5


OMB A-123 UPDATES

WHAT’S CHANGED?

• Takes an Enterprise Risk Management based approach for more effective internal controls, integrating risk management and internal controls

• Creates a holistic portfolio view of risk, providing agencies greater visibility into uncertainties, enabling better decision making

• Requires documentation of compliance with 17 GAO Green Book principles

• Requires creation of a Senior Management Council (or similar existing group) to provide oversight and governance in establishing risk profiles, overseeing operation of an effective system of internal control and implementing an ERM

Enterprise Risk Management

• Establishes an ERM program integrating risk and internal controls throughout all management processes, including budget, strategy, accounting, and audits

Internal Controls and System Assessments

• Increased documentation requirements will require a solid reporting structure for compliance, leveraging an SMC to manage towards an annual Statement of Assurance, which now includes a summary of an Agency’s risk profile

Deficiencies and Reporting

• To receive the most benefit from the A-123 revisions, agencies should promote comprehensive corrective action plan documentation and follow-up

Page 6

INTEGRATION OF PERFORMANCE, RISK AND INTERNAL CONTROLS

Why

• Reduce risk and cost of mitigation

• Revised GAO Green Book

• GAO Fraud Risk Management Framework

• Upcoming Fraud Reduction and Data Analytics Act

• OMB A-11

What Agencies Have to Do

• Develop ERM implementation plan

• Include findings from Risk Profile as a component of Strategic Review meetings

• Provide assurance (SOA) on the effectiveness and efficiency of IC over ALL processes & reporting

• Include risk profile in SOA

• Integrate ERM and IC

• Update Risk Profile: Annually by June 3rd

• Document evidence to substantiate Green Book compliance

• Leverage/create Senior Management Council (SMC) to: provide risk appetite, risk profile, IC and ERM governance

Value

• Increases performance - streamlined processes that:

  o Reduce business operations cost

  o Reduce mitigation, CAP & compliance cost

  o Increase effectiveness

• Reduces risk

• Increases accountability

• Increases transparency

Page 7

DLA’S JOURNEY

Page 8


DLA’s Mission, Vision, and Values

Mission

America’s Combat Logistics Support Agency, the Defense Logistics Agency (DLA) provides effective and efficient worldwide support to Warfighters and other customers

Vision

Warfighter-focused, globally responsive, and fiscally responsible supply chain leadership

Values

• Warfighter’s needs guide DLA

• Integrity defines DLA

• Diversity strengthens DLA

• Excellence inspires DLA

Page 9


What is DLA?

DLA is the largest agency within the DoD

Provides technical and logistics services to military services and several agencies

Supplies almost every consumable item military services need to operate, from food to fuel

DLA Statistics

Military and civilian personnel (48 states and 28 countries): Over 25,000

Items managed in 9 supply chains: ~6M

Requisitions per day: Over 100,000

Contract actions per day (new awards and mods): 9,000+

Annual Revenue: $34B

Weapon systems supported: ~2,400

Distribution centers managed worldwide: 25

Support items annually for 112 nations: $2.1B

Page 10


Enterprise Business System (EBS)

EBS is DLA’s enterprise approach, utilizing the necessary leading-edge technology to allow DLA to focus on its core business

• Re-engineered and transformed how DLA does business

• Enables DLA to consistently deliver new capabilities, minimizes transition risk to DLA and the warfighter

• Integrates all enterprise system capabilities

• Financial system of record

• Single face to customers, suppliers, and external stakeholders

EBS architecture diagram (components as labelled on the slide):

EBS Enclave: SAP ECC; SAP HANA Sidecar; SAP BW; SAP CRM; SAP SRM; SAP SCM; Greenlight/Laserfocus; JDA Manu

Enterprise Portal (Internal): SAP Enterprise Portal, Role, Navigation

Web/Application Services/SOA: Netweaver/WAS, SAP PI WS, BEA WebLogic, Tomcat

Terminal Services: Citrix (SAPGUI, BEX)

Smart Forms: Adobe

External Portal: Direct

Web Services: Microsoft IIS

GRC: Access Controls, Process Controls, Risk Management

Page 11


GRC Audit Readiness Goals

• Eliminate or mitigate Segregation of Duties violations within the System Access Profiles (Job Role)

• Establish enterprise process to prevent recurrence of violations with future access profile maintenance or creation

• Guard against employee fraud, abuse, mistakes, and mistake cover-ups

• Implement a tool to manage risk, reduce costs, and minimize complexity to support day-to-day management efforts across DLA

• Pass FISCAM and Internal Controls A-123 audit

Page 12


Existing Control Environment

Manual Control testing conducted through extensive coordination, meetings and collaboration to determine:

• Program or process to be tested

• Site locations

• Controls to test

• TOD/TOE

• Testers, reviewers, approvers

• Monitoring: data collection, storage, remediation

• Reporting

Enterprise Risk | E2E Program/Process | Control Test

Inability to adapt to a constant and evolving environment | P2S Law Enforcement Support Office (LESO) | Annual Physical Inventory Inspection

Improper Handling of controlled material | P2S Safeguarding of control substances | Verification of storage vault, vault log, personnel clearances, alarm monitoring, and quarterly inventories

Page 13


GRC Implementation Timeline

June 2013: Established enterprise access control processes & procedures

March 2014: SAP GRC Access Controls identifies and monitors risks for enterprise systems based on enterprise SoD ruleset

June 2014: Implemented Emergency Access Management (EAM) for IT Production Support users

June 2015: Redesigned end user system access to remove or mitigate SoD violations and implemented ongoing monitoring of SoD violations using Access Violation Management

September 2016: Implemented SAP GRC Process Controls and Risk Management for internal control documentation and testing

June 2017: Implementing automated monitoring and policy management through SAP GRC

Page 14

AUTOMATING COMPLIANCE

Page 15

SAP GRC PROCESS CONTROL

CONVERGENCE OF COMPLIANCE PROCESS MANAGEMENT AND CONTINUOUS CONTROLS MONITORING

Cycle diagram (labels recovered from the slide): Document, Test, Monitor, Certify. Activities: Perform Self-Assessments; Test Automated Controls; Test Manual Controls; Certify and Sign-off (302, Designs,…); Review Exceptions; Remediate Issues. Layers: Process-Control-Objective-Risk; Business Processes; IT Infrastructure.

One system for end-to-end enterprise control management

Deploys controls using risk-based approach

Automatically monitors controls in multiple enterprise applications

Detects global risks and prioritizes corrective action

Page 16


CONTINUOUS CONTROL MONITORING (CCM)

AUTOMATING COMPLIANCE

Source: SAP

CCM enables GRC users to continuously monitor and report on master data, business transactions, and configuration changes, enabling:

• Improved oversight of key business controls

• Rapid response to identified deficiencies

• Significant reduction in compliance cost and effort

Page 17


CONTINUOUS CONTROL MONITORING (CCM)

Automates running reports or monitoring tables in other systems

• Results are returned to GRC tool and sent to identified users for review

• Integrates easily with many different systems

Enables automation of compliance testing

Examples of automated controls include:

• Monitoring of high dollar transactions

• Timely resolution of key interface failures

• Monitoring compliance of cyber security standards

AUTOMATING COMPLIANCE

Reliability and Consistency of Testing

Cost of Compliance
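The two kinds of automated check the deck describes, Segregation of Duties (SoD) violation detection against a ruleset (pages 11 and 13) and continuous control monitoring of transactions and interface failures (pages 16 and 17), can be sketched in a few dozen lines. The code below is an added example written for this page; it is not DLA’s ruleset, SAP GRC code, or SAP GRC output. The rule ids, role names, business functions, threshold, dates and records are all constructed, and the mitigation-expiry logic is an assumption about how a compensating control would be modelled.

```python
"""Toy GRC monitors: SoD conflict detection plus two continuous-control checks.

Added example with constructed data; not DLA's ruleset and not SAP GRC code.
"""
from datetime import date

# Constructed SoD ruleset (hypothetical ids): each rule names two business
# functions that one person must not be able to perform together.
SOD_RULESET = {
    "SOD-001": ("CREATE_VENDOR", "POST_PAYMENT"),
    "SOD-002": ("CREATE_PO", "APPROVE_PO"),
    "SOD-003": ("MAINTAIN_USER", "ASSIGN_ROLE"),
}

# Constructed access profiles (hypothetical role names) -> business functions.
ROLE_FUNCTIONS = {
    "Z_AP_CLERK": {"CREATE_VENDOR", "ENTER_INVOICE"},
    "Z_AP_PAYMENTS": {"POST_PAYMENT"},
    "Z_BUYER": {"CREATE_PO"},
    "Z_PO_APPROVER": {"APPROVE_PO"},
    "Z_SEC_ADMIN": {"MAINTAIN_USER", "ASSIGN_ROLE"},
}

# Documented mitigating controls: (user, rule) -> date the mitigation expires.
# Assumption: an expired mitigation no longer suppresses the finding.
MITIGATIONS = {("alice", "SOD-003"): date(2017, 12, 31)}

AS_OF = date(2017, 6, 19)  # constructed monitoring run date


def role_conflicts(roles=ROLE_FUNCTIONS, ruleset=SOD_RULESET):
    """Design-time check: rules a single access profile violates on its own.

    This is the 'prevent recurrence with future profile maintenance' goal: a
    role that conflicts with itself can never be assigned cleanly.
    """
    findings = {}
    for role, funcs in roles.items():
        hits = [rid for rid, (f1, f2) in ruleset.items() if f1 in funcs and f2 in funcs]
        if hits:
            findings[role] = hits
    return findings


def sod_violations(assignments, ruleset=SOD_RULESET, roles=ROLE_FUNCTIONS,
                   mitigations=MITIGATIONS, as_of=AS_OF):
    """User-level check: {user: [rule ids]} for unmitigated SoD conflicts.

    A rule fires when the union of all functions reachable through a user's
    roles contains both of the rule's functions. Roles unknown to the ruleset
    contribute nothing, so they are neither hidden nor falsely flagged.
    """
    findings = {}
    for user, user_roles in assignments.items():
        funcs = set().union(*(roles.get(r, set()) for r in user_roles))
        for rid, (f1, f2) in ruleset.items():
            if f1 in funcs and f2 in funcs:
                expires = mitigations.get((user, rid))
                if expires is not None and expires >= as_of:
                    continue  # documented mitigating control still in force
                findings.setdefault(user, []).append(rid)
    return findings


def high_dollar_exceptions(transactions, threshold):
    """CCM check: documents above the threshold with no recorded approver."""
    return [t["doc"] for t in transactions
            if t["amount"] > threshold and not t.get("approved_by")]


def stale_interface_failures(failures, as_of=AS_OF, max_age_days=2):
    """CCM check: interface failures still unresolved after max_age_days."""
    return [f["id"] for f in failures
            if f["resolved"] is None and (as_of - f["failed_on"]).days > max_age_days]


# Constructed sample data for a monitoring run.
SAMPLE_ASSIGNMENTS = {
    "alice": ["Z_SEC_ADMIN"],                            # SOD-003, mitigated
    "bob": ["Z_AP_CLERK", "Z_AP_PAYMENTS"],              # SOD-001
    "carol": ["Z_BUYER"],                                # clean
    "dave": ["Z_BUYER", "Z_PO_APPROVER", "Z_AP_CLERK"],  # SOD-002 only
}
SAMPLE_TRANSACTIONS = [
    {"doc": "5100000001", "amount": 12_500.00, "approved_by": "mgr1"},
    {"doc": "5100000002", "amount": 250_000.00, "approved_by": None},
    {"doc": "5100000003", "amount": 4_999.99, "approved_by": None},
    {"doc": "5100000004", "amount": 100_000.00, "approved_by": "mgr2"},
]
SAMPLE_FAILURES = [
    {"id": "IF-7", "failed_on": date(2017, 6, 14), "resolved": None},
    {"id": "IF-8", "failed_on": date(2017, 6, 18), "resolved": None},
    {"id": "IF-9", "failed_on": date(2017, 6, 10), "resolved": date(2017, 6, 11)},
]

if __name__ == "__main__":
    print("role-level conflicts:", role_conflicts())
    print("user-level violations:", sod_violations(SAMPLE_ASSIGNMENTS))
    print("high-dollar exceptions:", high_dollar_exceptions(SAMPLE_TRANSACTIONS, 100_000))
    print("stale interface failures:", stale_interface_failures(SAMPLE_FAILURES))
```

Two design points carry over to a real deployment: the role-level check runs when a profile is created or changed, so a conflict is caught before anyone is assigned the role, while the user-level check runs on a schedule over actual assignments; and mitigations are tied to a specific user and rule with an expiry, so a compensating control that has lapsed resurfaces as a finding rather than silently suppressing it forever.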

Page 18

QUESTIONS?
