If you define a Datasource name that includes a dash (-), e.g. VIS12-TEST, you may not be able to define a Global Path Condition for this Datasource. Apparently, this is a very old problem because I found 8.1.1 Release: When Accessing Global Path Conditions From The Navigation, A Blank Screen Appear [ID 742032.1]. This has been an issue since AACG 8.1.1.
The Oracle Independent Consultants (OIC) LLC integrated Oracle Unified Method (OUM) with its Oracle Governance, Risk and Compliance (GRC) Implementation Method (GRCIM) to facilitate the effective and efficient installation and implementation of the Oracle GRC Technology Controls and Oracle GRC Applications.
Legacy Methods, such as AIM Advantage, AIM for Business Flows, EMM Advantage, and Compass, will be decommissioned as Oracle Consulting, the Global Business Units (GBU), and Oracle partners, transition to the Oracle Unified Method (OUM). The retirement date for AIM and AIM for Business Flows is January 01, 2011.
OUM is available to Oracle PartnerNetwork Platinum Partners and Gold Partners as a benefit of membership. Partners at these two levels, who also participate in one of the following Knowledge Zones, are able to download OUM from the OPN Portal at no additional cost:
Authorized use of the Oracle Unified Method (OUM) materials by Oracle PartnerNetwork Platinum Partners and Gold Partners is described in Section G. of the Oracle PartnerNetwork Agreement entitled Methodology/Engagement Materials. It grants Oracle PartnerNetwork Platinum Partners and Gold Partners a non-exclusive, non-transferable, limited license to use and make copies of the materials, subject to Oracle PartnerNetwork (OPN) policies, for the following purposes:
Oracle PartnerNetwork Platinum Partners and Gold Partners may allow their agents and contractors to use the materials for these purposes, subject to the terms of the Oracle PartnerNetwork Agreement. All titles, trademarks, and copyright and restricted rights notices contained in the materials shall be reproduced in any copies of the materials. All copies of the materials shall be subject to the terms of this agreement.
Partners meeting the access requirements described above can obtain the OUM materials. To access the method pack, related collateral, and training courses:
The zip file is encrypted. Please send an email to opn-edu_ww@oracle.com to request the password. Please be aware that it may take a few days for the OPN team to process your request.
You can learn more about OUM by reviewing Oracle Unified Method (OUM) 5.3 on the Oracle Partner Network.
Case Study
Company
ABC Company is a global leader in its industry, employing more than 10,000 employees with operations and manufacturing plants in several foreign countries. The company is headquartered in a major city in the United States and is publically traded on the New York Stock Exchange.
Challenges
Like many other US publically traded companies operating in multiple foreign countries, ABC Company must comply with Sarbanes-Oxley Act of 2002, and many other domestic and foreign accounting standards, laws and regulations.
GRC Requirements
Initially, the company wants to focus on improving internal controls over Segregation of Duties, Application Access Controls, Change Management and Configuration Management. The company also wants to implement a dashboard solution that will enable it to effectively manage and monitor these controls.
The company will also implement a solution to monitor Transaction Controls after they successfully accommodate their initial Governance, Risk and Compliance (GRC) requirements.
Oracle GRC Solution
The following table maps the company’s GRC requirements to the Oracle GRC applications, which accommodate each of these requirements.
Table 1: Map GRC Requirements to Oracle GRC Applications
|
GRC Requirement |
Oracle GRC Solution |
| Segregation of Duties | Application Access Controls Governor (AACG) 8.5 |
| Application Access Controls (User Provisioning) | Preventive Controls Governor |
| Change Management and Configuration Management Controls | Configuration Controls Governor (CCG) 5.5.1 |
| Dashboards and Analytics | GRC Intelligence (GRCI) 3.0 |
| Transaction Controls | Transaction Controls Governor (TCG) 8.5 |
Current State
ABC Company has implemented Release 11.5.10.2 Oracle Financials, Manufacturing, HRMS, CRM, Supply Chain and other Oracle suites of applications. The company is also in the process of implementing (i.e. not upgrading) Release 12.1.2 Oracle Financials for one of its major organizations. The company plans to migrate all of its operations from Release 11.5.10.2 to Release 12.1.2 in the near future.
Architecture Requirements
Review the Oracle GRC Support Matrix to help identify the architecture requirements to support the Oracle GRC applications.
Introduction
The Governance, Risk and Compliance (GRC) market is a relatively new market and the demand for GRC products and services is growing in spite of the current economic climate. Many Accounting, Auditing, and Oracle Finance Professionals are interested in learning more about Oracle GRC Technology Products and/or Applications. Some of these professionals realize very quickly that they can leverage their Accounting, Auditing and/or Oracle Financials experience to become proficient implementing GRC Solutions using the Oracle GRC Technology Products and/or Applications.
Oracle GRC Platform
The first step is to become familiar with the Oracle GRC Technology Products and Applications included in the Oracle GRC Platform. You accomplish this by viewing the OIC presentation Introduction to the Oracle Governance, Risk and Compliance (GRC) Platform. You can also download the accompanying PowerPoint presentation. The PowerPoint presentation provides links to the Oracle GRC Portal, which you can use to quickly learn more about each Oracle Technology Product and/or Application included in the Oracle GRC Platform.
What is Reality GRC?
Reality GRC is an OIC Blog, which you can use to participate in the installation and/or implementation of one or more Oracle GRC Technology Products and/or Applications. We (OIC) installed the Oracle GRC Technology Products and Applications included in the Oracle GRC Platform on our dedicated server hosted by The Planet. The Planet is the largest privately held hosting company in the world and is SAS 70 Type II compliant. We have also installed Release 12.1.1 of the Oracle Vision Demo EBS Instance.
We will use the collective experience of Oracle GRC Professionals to develop case studies of the installation and/or implementation of one or more of the Oracle GRC Technology Products and/or Applications. We will use fictitious companies with real world GRC requirements to develop these case studies. Additionally, we will use the OIC tools and resources to implement an Oracle GRC solution to provide our participants with an opportunity to gain “hands on” experience using the Oracle GRC Technology Products and/or Applications.
We Need Oracle GRC Professionals
We need Oracle GRC Professionals to place on projects installing and implementing the Oracle GRC Technology Products and Applications. If you wish to be considered for one of these Oracle GRC contract positions, please forward your resume to roger.drolet@theoicllc.com. You must have hands on experience installing and/or implementing and using one of more of the following Oracle Applications and/or Technology Products:
Oracle GRC Applications
¡ Oracle GRC Process Management
¡ Oracle GRC Application Controls
Oracle GRC Technology Products
This program provides you with access to the entire suite of Oracle Governance Risk and Compliance (GRC) Applications Controls for ninety (90) days. This program also includes access to Release 12.1.1 of the Oracle E-Business Suite Vision Demo Instance, which is integrated with these Oracle GRC Applications.
When you subscribe to this program you become an OIC Contractor for ninety (90) days, which enables you to access our applications, My Oracle Support and the Oracle Partner Network (OPN). This provides you with access to all of the Oracle documentation for these applications. In addition, you will have access to all of the resources available on the Oracle Partner Network.
This program is ideal for Oracle Financial Professionals who want to become proficient implementing and using the Oracle GRC Applications. You will be able to gain “hands on” experience working with the Oracle GRC applications.
When you feel comfortable with one or more of the Oracle GRC applications, you can take one of our Oracle GRC assessment exams, which assesses your knowledge of an Oracle GRC application as well as your communications skills. If you pass the assessment exam and have, at least, good oral and written communication skills, you can use the OIC as a reference. Moreover, we will aggressively promote your services and attempt to place you on one of our Oracle GRC projects.
The OIC does not guarantee that we will be able to successfully place you on an Oracle GRC project.
Go to http://www.theoicllc.com/membership to learn more and register for this program.
About the OIC
The Oracle Independent Consultants (OIC) is an Oracle Gold Partner. We focus solely on providing Oracle Governance, Risk and Compliance (GRC) training, services and resources.
The Oracle Independent Consultants (OIC) LLC is an Oracle Gold Partner. We focus solely on providing training, services and resources for Oracle Governance, Risk and Compliance (GRC) Solutions.
ORACLE GRC PROFESSIONALS ARE IN DEMAND, BUT SCARCE
The demand for Oracle GRC Professionals is increasing as the economy improves. I currently receive more unsolicited Oracle GRC requirements than I am able to fill. Oracle GRC Professionals are very difficult to find.
I’m not looking for Oracle consultants who can implement Oracle GRC applications. I need GRC Professionals who can implement GRC solutions using Oracle GRC applications.
EARN HIGHER RATES
IT Auditors and Accountants who have Oracle Financials and/or Oracle GRC experience earn higher rates than IT Auditors and Accountants who don’t have the Oracle experience. I encourage you to do your research. Our business model supports, at least, $80 per hour plus expenses.
LEVERAGE YOUR ACCOUNTING AND/OR AUDITING EXPERIENCE
Leverage your experience to become proficient implementing GRC solutions using Oracle GRC applications. You also MUST HAVE, AT LEAST, GOOD ORAL AND WRITTEN COMMUNICATION SKILLS.
The GRC applications are nothing more than tools to implement the GRC solutions and you probably already understand the COSO and CobiT internal control frameworks. Similarly, you probably understand Segregation of Duties (SOD), internal controls, continuous monitoring of internal controls and many of the other principles associated with accounting and auditing. I can help you learn how to use the Oracle GRC applications to implement GRC solutions.
BECOME AN OIC CONTRACTOR
As an OIC Contractor, you can work for whomever and wherever you wish; however, we will do our best to place you on an Oracle GRC project. We have a huge monetary incentive to do this; however, we CANNOT GUARANTEE you that we will be able to do this.
Access to OIC Resources
OIC Contractors are provided FREE access to My Oracle Support (Oracle knowledge base and source of all documentation), Oracle Partner Network (OPN, which provides access to many Oracle free online self paced training courses and other collateral that is only available to Oracle Partners. In addition, we provide our members with FREE access to Release 12.1.1 of Oracle’s Vision Demo E-Business Suite. This enables you to gain “hands on” experience working with the Oracle Financial applications (and other applications installed with EBS).
Discount on OIC and Oracle University (OU) Training Courses
All OIC Contractors receive a 25% discount on all Oracle GRC Courses and fee-based courses provided by Oracle University.
Discount on Access to Oracle GRC Applications
We have installed the full suite of Oracle GRC applications on our dedicated server hosted by The Planet, which is the largest privately held hosting company in the world and SAS 70 Type II compliant. All OIC Contractors receive a 25% on all fees charged to access one or more of the Oracle GRC Applications:
OUR GOAL
Our goal is to be the firm that Oracle Sales, Oracle Consulting, Oracle Partners, Oracle Customers, Oracle Recruiters/Hiring Managers, Risk and Advisory Firms, SOX Advisors, External Auditors and other Oracle Consulting firms call when they need training, services or resources for Oracle GRC solutions.
SUMMARY
I encourage you to visit our website at www.theoicllc.com to learn more. You can also visit us on YouTube at www.youtube.com/theoicllc. If you have questions, you can contact us at www.theoicllc.com/contact_us or simply send me an email to roger.drolet@theoicllc.com.
Please include your resume and use email to write a short cover letter that explains why you would be a good for our Oracle GRC Practice.
I welcome your comments and/or suggestions.
Regards,
Roger Drolet CPA, MBA, CISA, CITP
Founder and CEO
Oracle Independent Consultants (OIC) LLC
roger.drolet@theoicllc.com
www.theoicllc.com
LinkedIn.Com Profile
www.youtube.com/theoicllc
www.youtube.com/oraclevideosolutions
www.oracleelearning.com/moodle
214-783-0751
If you currently use or have experience using Oracle Transaction Controls Governor (TCG) and/or Preventive Controls Governor (PCG), please let us know how you used them to improve internal controls for your organization or your client organization.
In this blog, I describe how you can use Oracle CCG to comply with the COSO and CobiT 4.1 Control Objectives including:
Oracle Configuration Controls Governor (CCG) 5.5.1 provides you with the functionality you need to “Manage the Configuration” to comply with:
Controls provide reasonable assurance that IT components, as they relate to security and processing, are well protected, would prevent any unauthorized changes, and assist in the verification and recording of the current configuration
Configuration management includes procedures such that security and processing integrity controls are set up in the system and maintained through its life cycle. Insufficient configuration controls can lead to security exposures that may permit unauthorized access to systems and data and impact financial reporting. An additional potential risk is corruption to data integrity caused by poor control of the configuration when making system changes or by the introduction of unauthorized system components.
Ensuring the integrity of hardware and software configurations requires the establishment and maintenance of an accurate and complete configuration repository. This process includes collecting initial configuration information, establishing baselines, verifying and auditing configuration information, and updating the configuration repository as needed. Effective configuration management facilitates greater system availability, minimizes production issues and resolves issues more quickly.
Establish a supporting tool and a central repository to contain all relevant information on configuration items. Monitor and record all assets and changes to assets. Maintain a baseline of configuration items for every system and service as a checkpoint to which to return after changes.
Establish configuration procedures to support management and logging of all changes to the configuration repository. Integrate these procedures with change management, incident management and problem management procedures.
Periodically review the configuration data to verify and confirm the integrity of the current and historical configuration. Periodically review installed software against the policy for software usage to identify personal or unlicensed software or any software instances in excess of current license agreements. Report, act on and correct errors and deviations.
You can use Oracle CCG 5.5.1 to take snapshot definitions of your approved “baseline” application configuration for each Oracle application. Similarly, you can generate snapshot definitions of your Oracle applications and compare them with your “baseline” snapshots to ensure that the current configuration is consistent with your “baseline” configuration.
Oracle Configuration Controls Governor (CCG) 5.5.1 provides you with the functionality you need to Manage Changes to comply with:
Controls provide reasonable assurance that system changes of financial reporting significance are authorized and appropriately tested before being moved to production.
Managing changes addresses how an organization modifies system functionality to help the business meet its financial reporting objectives. Deficiencies in this area could significantly impact financial reporting. For instance, changes to the programs that allocate financial data to accounts require appropriate approvals and testing prior to the change so that proper classification and reporting integrity is maintained.
Set up formal change management procedures to handle in a standardized manner all requests (including maintenance and patches) for changes to applications, procedures, processes, system and service parameters, and the underlying platforms.
Assess all requests for change in a structured way to determine the impact on the operational system and its functionality. Ensure that changes are categorized, prioritized and authorized.
Establish a process for defining, raising, testing, documenting, assessing and authorizing emergency changes that do not follow the established change process.
Establish a tracking and reporting system to document rejected changes, communicate the status of approved and in-process changes, and complete changes. Make certain that approved changes are implemented as planned.
Whenever changes are implemented, update the associated system and user documentation and procedures accordingly
You can use the Change Tracking Details reports in Oracle CCG 5.5.1 to identify all changes made to the Oracle application configuration parameters. Similarly, you can use these reports to ensure that each change has been processed properly through the Change Management Process.
“Manage Changes” is one of the COSO and CobiT 4.1 Control Objectives. The Control Objectives for Manage Changes are described in the CobiT process A16 Manage Changes. You can use Oracle CCG 5.5.1 to facilitate compliance with this CobiT Control Objective.
Once you “Deploy” the Change Tracking Definitions, Oracle CCG 5.5.1 tracks EVERY change that a user makes to any object included in the definition. You can review the complete detailed history of changes online and/or generate reports in HTML, PDF and CSV formats. Moreover, you can review the history of changes from the date and time that you first deploy the Change Tracking Definitions through the date and time that you purge Change Tracking Data.
In this blog, I provide you with a couple of examples of how a Customer can use Oracle CCG 5.5.1 to reduce IT expenses:
Customer’s IT staff spends a significant amount of time each year responding to requests from its external auditors for information that the external auditors need to complete their review of Customer’s Internal Controls and audit of Customer’s Financial Statements. Many of these requests require Customer’s IT staff to answer questions regarding the configuration of the Oracle Financial applications and changes to these configuration parameters.
Currently, the IT staff generally writes and/or executes multiple queries to provide the documentation required by its external auditors. This is a very time consuming task and diverts IT resources from performing their core activities.
Customer’s IT staff can minimize the time required to respond to requests from their external auditors and spend more time working on their core activities by using Oracle CCG to provide the external auditors with snapshot definition occurrences generated on a specific date and time and compare them with the same snapshot definitions generated on a subsequent date and time to quickly identify the differences in configuration parameters between the two snapshot definitions. Similarly, Customer’s IT staff and generate Change Tracking Details for one or more application configuration objects to provide its external auditors with a detailed history of all changes made to these objects during a specific period of time. This functionality can significantly reduce the time it takes the IT staff to manually create and generate the queries required to provide this information to the auditors.
Customer’s IT Security and Compliance Team can save time completing their security and compliance activities by comparing snapshot definitions with “baseline” snapshot definitions to ensure continued compliance with the approved “baseline”. Similarly, this team can generate Change Tracking Details reports to ensure that all changes have been process properly using the approve Change Management Procedures.
Currently, the IT Security and Compliance Team must employ manual methods to identify the differences between the actual configuration parameters and the approved “baseline”. Moreover, the current process to identify the individual changes to “baseline” configuration parameters is a very time consuming manual process.
All organizations would like to be able to reduce the cost associated with the implementation and/or upgrade of the Oracle applications. These costs generally range from several hundred thousand dollars several million dollars depending on the scope and complexity of the Oracle implementation.
The majority of the cost to implement Oracle application is associated with consulting fees. An Oracle implementation is very labor intensive; therefore, anything that you can do to minimize the use of Oracle consultants and/or make them more efficient usually results in a significant reduction of implementation costs.
You can effectively use Oracle Configuration Controls Governor (CCG) throughout the Software Development Life Cycle (SDLC) to help reduce IT costs. I have listed some of the ways that you can employ CCG to realize these savings. For example, you can use Snapshot Definitions to:
When you submit a SR to Oracle Support to report an issue or a suspected bug in the program, Oracle often responds with a request for screen prints that document the issue. Often this includes documentation of profile options and other configuration parameters.
Many times, several consultants working on the implementation are not able to be as productive as they normally would be while they wait for the SR to be resolved. For example, during integration testing, the Payables team is dependent on the Purchasing team to complete their setup and tests before Payables can test the integration with Purchasing.
You can save time and consequently reduce implementation costs by providing Oracle support with snapshot definitions that document profile options and other setup parameters that Oracle Support requires to quickly resolve an issue.
Most Oracle consulting firms use a SDLC methodology that requires the consultants who implement the Oracle applications to document the setup (i.e. configuration parameters) of these applications. For example, Oracle and many other Oracle consulting firms use Oracle Application Implementation Method (AIM) to prepare a BR100 to document the “baseline” configuration of the Oracle applications.
This is a very time consuming process and consultants usually spend several hours over an extended period of time to complete the documentation. Also, this is a manual effort, which is prone to human error.
You can use Oracle Configuration Controls Governor (CCG) to define snapshot definitions to document your “baseline” configuration of each Oracle application. This process eliminates human error and takes a “snapshot” of your application configuration parameters at a specific point in time. Thus, you eliminate the need to manually prepare documents such as the BR100 to complete this task.
First, create a BR100-like framework in Oracle GRC Manager. Enter your business requirements into the framework, and import the setup data that’s captured by CCG. Then, add your comments in the framework as desired, and take any needed compensating, remediating, or mitigating steps. If you’re wondering why CCG doesn’t let you annotate the setup data it captures, it’s because that would be at odds with a key GRC best practice: providing a single point of interaction between GRC users and all the data they need to make good decisions. Only solutions like GRCM and GRCI permit that holistic view, and only solutions like GRCM permit the automation of policies and workflows that rely on data from multiple sources, CCG being just one.
In today’s business environment many companies that use Oracle the Oracle E-Business Suite (EBS) merge with and/or acquire other companies. As part of the M&A process, these companies may have to integrate the newly acquired entities with the existing EBS. Normally, this requires that the new entities be defined as additional Operating Units, added to an existing Set of Books or defined with a new Set of Books.
You can use the snapshot definitions generated by Oracle Configuration Controls Governor (CCG) to effectively and efficiently integrate newly acquired entities with your existing Oracle EBS. Moreover, after you complete the setup of these new entities, you can use snapshot comparisons to ensure that you have configured these new entities properly.
Database Administrators (DBAs) frequently apply patches to the Oracle applications. Generally, the DBA initially applies the patch to a patch, test or development instance applying the patch to the production instance. Oracle implementation consultants and/or users are requested to “test” the functionality in their respective applications to ensure that the patch hasn’t “broken” anything.
Testing is a manual effort and most times the testing that is done is not very thorough. You can save time and minimize the risk that a patch has changed something unexpectedly by taking a snapshot before and after the patch is applied and comparing the snapshots for differences in the configuration parameters. You can then investigate the differences to ensure that they changes in the configuration are valid.
Organizations continually refresh databases due to limited system resources or other business requirements. After the refresh, users sometimes find that functionality in the new instance is not the same as it had been before the refresh.
You can save time and frustration by taking snapshots before and after the refresh, which you can compare and identity any differences between configuration parameters before and after the database was refreshed.
