WORKSHOP 84 - PDI 2017 · pdi2017.org/wp-content/uploads/2017/06/84-Torson-Reba.pdf · 2017-06-19
WORKSHOP 84
STREAMLINING COMPLIANCE THROUGH GRC – INTEGRATING A-123 UPDATES AND MORE!
BOB THORSON, ACCENTURE
Bob Thorson is a Senior Manager in Accenture Federal Service’s Defense Practice, specializing in Governance, Risk, and Compliance (GRC) tools and human capital solutions. Bob currently oversees DLA’s SAP GRC implementation, working to automate their internal controls testing and documentation, and the Department of the Navy’s (DON) Managers’ Internal Control Program (MICP) contractor support, working to create the DON Statement of Assurance.
In addition to being Accenture’s financial GRC capability lead, Bob has an extensive background in organizational job design, training, and change management.
SIMONE REBA, ACCENTURE
Simone Reba is a senior financial manager with Accenture Federal Services, primarily focused on supporting the Department of Navy Financial Improvement Program (FIP). Prior to her move to Accenture, Reba served 30 years with the Defense Logistics Agency (DLA), culminating in her induction into the Senior Executive Service in May 2007 as the DLA’s Deputy Chief Financial Officer (CFO). As Deputy CFO, she oversaw and provided guidance to all core financial functions – budget, accounting, audit, and process management – and served as the Agency budget officer and the Agency’s audit readiness program manager. As Audit Readiness Program Manager, she led DLA’s 27,000 employees to a successful financial statement audit readiness assertion in FY 2015, making DLA the first Defense entity of its size and complexity to assert readiness (two years ahead of the 2017 Congressional Mandate
NAVIGATING A-123 UPDATES
OMB A-123 UPDATES
• Takes an Enterprise Risk Management based approach for more effective internal controls, integrating risk management and internal controls
• Creates a holistic portfolio view of risk, providing agencies greater visibility into uncertainties, enabling better decision making
• Requires documentation of compliance with 17 GAO Green Book principles
• Requires creation of a Senior Management Council (or similar existing group) to provide oversight and governance in establishing risk profiles, overseeing operation of an effective system of internal control and implementing an ERM
Enterprise Risk Management
• Establishes an ERM program integrating risk and internal controls throughout all management processes, including budget, strategy, accounting, and audits
Internal Controls and System Assessments
• Increased documentation requirements will require a solid reporting structure for compliance, leveraging an SMC to manage towards an annual Statement of Assurance, which now includes a summary of an Agency’s risk profile
Deficiencies and Reporting
• To receive the most benefit from the A-123 revisions, agencies should promote comprehensive corrective action plan documentation and follow-up
WHAT’S CHANGED?
INTEGRATION OF PERFORMANCE, RISK AND INTERNAL CONTROLS
Why
• Reduce risk and cost of mitigation
• Revised GAO Green Book
• GAO Fraud Risk Management Framework
• Upcoming Fraud Reduction and Data Analytics Act
• OMB A-11
What Agencies Have to Do
• Develop ERM implementation plan
• Include findings from Risk Profile as a component of Strategic Review meetings
• Provide assurance (SOA) on the effectiveness and efficiency of IC over ALL processes & reporting
• Include risk profile in SOA
• Integrate ERM and IC
• Update Risk Profile: Annually by June 3rd
• Document evidence to substantiate Green Book compliance
• Leverage/create Senior Management Council (SMC) to: provide risk appetite, risk profile, IC and ERM governance
Value
• Increases performance - streamlined processes that:
o Reduces business operations cost
o Reduces mitigation, CAP & compliance cost
o Increases effectiveness
• Reduces risk
• Increases accountability
• Increases transparency
DLA’S JOURNEY
DLA’s Mission, Vision, and Values
Mission
America’s Combat Logistics Support Agency, the Defense Logistics Agency (DLA) provides effective and efficient worldwide support to Warfighters and other customers
Vision
Warfighter-focused, globally responsive, and fiscally responsible supply chain leadership
Values
• Warfighter’s needs guide DLA
• Integrity defines DLA
• Diversity strengthens DLA
• Excellence inspires DLA
What is DLA?
DLA is the largest agency within the DoD
Provides technical and logistics services to military services and several agencies
Supplies almost every consumable item military services need to operate, from food to fuel
DLA Statistics
Military and civilian personnel (48 states and 28 countries): Over 25,000
Items managed in 9 supply chains: ~6M
Requisitions per day: Over 100,000
Contract actions per day (new awards and mods): 9,000+
Annual Revenue: $34B
Weapon systems supported: ~2,400
Distribution centers managed worldwide: 25
Support items annually for 112 nations: $2.1B
Enterprise Business System (EBS)
EBS is DLA’s enterprise approach, utilizing necessary leading-edge technology to allow DLA to focus on its core business.
• Re-engineered and transformed how DLA does business
• Enables DLA to consistently deliver new capabilities, minimizes transition risk to DLA and the warfighter
• Integrates all enterprise system capabilities
• Financial system of record
• Single face to customers, suppliers, and external stakeholders
[Figure: EBS architecture. Application components: SAP ECC, SAP HANA Sidecar, SAP BW, SAP CRM, SAP SRM, SAP SCM, EBS Enclave, Greenlight/Laserfocus, JDA Manu. Platform layers: Enterprise Portal (Internal) - SAP Enterprise Portal, Role, Navigation; Web/Application Services/SOA - Netweaver/WAS, SAP PI WS, BEA Web Logic, Tomcat; Terminal Services - Citrix (SAPGUI, BEX); Smart Forms - Adobe; External Portal - Direct; Web Services - Microsoft IIS. GRC: Access Controls, Process Controls, Risk Management.]
GRC Audit Readiness Goals
• Eliminate or mitigate Segregation of Duties violations within the System Access Profiles (Job Role)
• Establish enterprise process to prevent recurrence of violations with future access profile maintenance or creation
• Guard against employee fraud, abuse, mistakes, and mistake cover-ups
• Implement a tool to manage risk, reduce costs, and minimize complexity to support day-to-day management efforts across DLA
• Pass FISCAM and Internal Controls A-123 audit
Existing Control Environment
Manual Control testing conducted through extensive coordination, meetings and collaboration to determine:
• Program or process to be tested
• Site locations
• Controls to test
• TOD/TOE
• Testers, reviewers, approvers
• Monitoring: data collection, storage, remediation
• Reporting
Enterprise Risk | E2E Program/Process | Control Test
Inability to adapt to a constant and evolving environment | P2S Law Enforcement Support Office (LESO) | Annual Physical Inventory Inspection
Improper Handling of controlled material | P2S Safeguarding of control substances | Verification of storage vault, vault log, personnel clearances, alarm monitoring, and quarterly inventories
GRC Implementation Timeline
June 2013: Established enterprise access control processes & procedures
March 2014: SAP GRC Access Controls identifies and monitors risks for enterprise systems based on enterprise SoD ruleset
June 2014: Implemented Emergency Access Management (EAM) for IT Production Support users
June 2015: Redesigned end user system access to remove or mitigate SoD violations and implemented ongoing monitoring of SoD violations using Access Violation Management
September 2016: Implemented SAP GRC Process Controls and Risk Management for internal control documentation and testing
June 2017: Implementing automated monitoring and policy management through SAP GRC
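As an added example (not DLA’s ruleset or SAP GRC code), the following Python sketches the SoD check that the timeline and the audit readiness goals describe: an enterprise ruleset of conflicting business functions is evaluated against system access profiles (job roles) and user assignments, flagging roles that carry a conflict by design and users whose remaining risks lack a mitigating control. All functions, roles, users and the mitigating control are constructed.

```python
"""SoD ruleset check over job roles; added illustration with constructed
functions, roles, users and mitigation (not DLA's ruleset or SAP GRC code)."""
# Constructed SoD ruleset: risk id -> pair of functions one person must not hold.
SOD_RULESET = {
    "R001": ("MAINTAIN_VENDOR", "POST_PAYMENT"),
    "R002": ("CREATE_PO", "APPROVE_PO"),
    "R003": ("POST_GOODS_RECEIPT", "POST_INVOICE"),
}
# Constructed system access profiles (job roles) -> business functions granted.
ROLE_FUNCTIONS = {
    "Z_AP_CLERK": {"POST_INVOICE", "POST_PAYMENT"},
    "Z_VENDOR_MASTER": {"MAINTAIN_VENDOR"},
    "Z_BUYER": {"CREATE_PO", "APPROVE_PO"},  # conflict built into one role
    "Z_WAREHOUSE": {"POST_GOODS_RECEIPT"},
}
USER_ROLES = {
    "jdoe": {"Z_AP_CLERK", "Z_VENDOR_MASTER"},
    "asmith": {"Z_BUYER"},
    "bkim": {"Z_WAREHOUSE", "Z_AP_CLERK"},
}
# Constructed mitigating controls assigned to (user, risk id).
MITIGATIONS = {("jdoe", "R001"): "MC-07 weekly review of vendor master changes"}


def functions_for(roles):
    """Union of business functions granted by a set of roles."""
    return set().union(*(ROLE_FUNCTIONS.get(r, set()) for r in roles))


def violated_risks(funcs):
    """Risk ids whose two conflicting functions both appear in funcs."""
    return sorted(rid for rid, (a, b) in SOD_RULESET.items()
                  if a in funcs and b in funcs)


def role_conflicts():
    """Roles that violate a rule on their own: the fix is to split the role."""
    return {role: violated_risks(funcs) for role, funcs in ROLE_FUNCTIONS.items()
            if violated_risks(funcs)}


def user_violations():
    """Per-user risks, separated into mitigated and still-unmitigated."""
    report = {}
    for user, roles in USER_ROLES.items():
        risks = violated_risks(functions_for(roles))
        if risks:
            mit = [r for r in risks if (user, r) in MITIGATIONS]
            report[user] = {"mitigated": mit,
                            "unmitigated": [r for r in risks if r not in mit]}
    return report
```

Role-level conflicts are the ones a redesign of access profiles removes; user-level conflicts that cannot be removed are the ones that need an assigned mitigating control and ongoing monitoring.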
AUTOMATING COMPLIANCE
SAP GRC PROCESS CONTROL
CONVERGENCE OF COMPLIANCE PROCESS MANAGEMENT AND CONTINUOUS CONTROLS MONITORING
[Figure: control lifecycle Document, Test, Monitor, Certify. Activities shown: Perform Self-Assessments; Test Automated Controls; Test Manual Controls; Certify and Sign-off (302, Designs, …); Review Exceptions; Remediate Issues. Scope: Process-Control-Objective-Risk; IT Infrastructure; Business Processes; …]
One system for end-to-end enterprise control management
Deploys controls using risk-based approach
Automatically monitors controls in multiple enterprise applications
Detects global risks and prioritizes corrective action
CONTINUOUS CONTROL MONITORING (CCM)
AUTOMATING COMPLIANCE
Source: SAP
CCM enables GRC users to continuously monitor and report on master data, business transactions, and configuration changes, enabling:
• Improved oversight of key business controls
• Rapid response to identified deficiencies
• Significant reduction in compliance cost and effort
CONTINUOUS CONTROL MONITORING (CCM)
Automates running reports or monitoring tables in other systems
• Results are returned to GRC tool and sent to identified users for review
• Integrates easily with many different systems
Enables automation of compliance testing
Examples of automated controls include:
• Monitoring of high dollar transactions
• Timely resolution of key interface failures
• Monitoring compliance of cyber security standards
AUTOMATING COMPLIANCE
[Figure: Reliability and Consistency of Testing; Cost of Compliance]
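The automated controls listed above, as an added example (not SAP’s CCM engine or DLA’s configuration): two rules run over constructed table extracts, a high-dollar document check and an interface-failure aging check, with each rule’s exceptions packaged for the reviewer named in the assumed control ids.

```python
"""CCM rules over extracted tables; added illustration with constructed data,
thresholds and owners (not SAP's CCM engine or DLA's configuration)."""
from datetime import date

# Constructed extract of posted financial documents (amounts in USD).
DOCUMENTS = [
    {"doc": "5000001", "amount": 48_000.00, "poster": "jdoe", "approver": "mlee"},
    {"doc": "5000002", "amount": 1_250_000.00, "poster": "jdoe", "approver": ""},
    {"doc": "5000003", "amount": 320_000.00, "poster": "jdoe", "approver": "jdoe"},
]
# Constructed interface-failure log: feed name, failure date, resolution date.
INTERFACE_FAILURES = [
    {"iface": "WAWF_INBOUND", "failed": date(2017, 6, 1), "resolved": date(2017, 6, 2)},
    {"iface": "FUEL_BILLING", "failed": date(2017, 6, 3), "resolved": None},
]
HIGH_DOLLAR = 250_000.00  # constructed threshold for the high-dollar control
MAX_OPEN_DAYS = 3         # constructed window for resolving interface failures


def check_high_dollar(documents, threshold=HIGH_DOLLAR):
    """High-dollar documents posted without an independent approver."""
    findings = []
    for d in documents:
        if d["amount"] < threshold:
            continue
        if not d["approver"]:
            findings.append((d["doc"], "no approver recorded"))
        elif d["approver"] == d["poster"]:
            findings.append((d["doc"], "self-approved"))
    return findings


def check_interface_failures(failures, as_of, max_open_days=MAX_OPEN_DAYS):
    """Interface failures open (or resolved) later than the allowed window."""
    findings = []
    for f in failures:
        end = f["resolved"] or as_of  # still open: age it to the run date
        open_days = (end - f["failed"]).days
        if open_days > max_open_days:
            findings.append((f["iface"], open_days))
    return findings


def run_ccm(as_of):
    """Run every automated control and package exceptions for its reviewer."""
    return {
        "AC-HD-01": {"owner": "ap_supervisor",
                     "exceptions": check_high_dollar(DOCUMENTS)},
        "AC-IF-02": {"owner": "interface_team",
                     "exceptions": check_interface_failures(INTERFACE_FAILURES, as_of)},
    }
```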
QUESTIONS?