Governance, Risk, and Compliance Handbook for Oracle Applications

  • Governance: In-depth coverage of corporate, IT, and security governance, including strategy development and communication, strategic reporting and control, and more
  • Risk Management: Creating a risk management program, performing risk assessment and control verification, and more
  • Compliance Management: Cross-industry and cross-regional laws and regulations, industry-specific laws and regulations, and region-specific laws and regulations
  • To maximize real-world learning, the book is built around a fictional company establishing its governance processes
  • Written by industry experts with more than 30 years' combined experience

Book Details

Language : English
Paperback : 488 pages [ 235mm x 191mm ]
Release Date : August 2012
ISBN : 1849681708
ISBN 13 : 9781849681704
Author(s) : Nigel King, Adil R Khan
Topics and Technologies : All Books, Enterprise Products and Platforms, Enterprise, Oracle

Table of Contents

  • Chapter 1: Introduction
    • How this book is organized
    • Definitions
      • Governance
      • Risk
      • Compliance
    • Oracle's Governance, Risk, and Compliance Footprint
      • Balanced Scorecard
      • Business Intelligence
      • Financial Planning and Analysis
      • Consolidations and Financial Reporting
      • Learning
      • Risk Management Applications
      • Sub Certification
      • Process Management Applications
      • Content Management Applications
      • Identity and Authorization Management Applications
    • Our case study
    • Roles involved in GRC activities
      • Audit Committee member
      • Signing Officers
      • Chief Audit Executive
      • Chief Financial Officer
      • Chief Information Officer
      • Chief Operating Officer
    • The Audit and Compliance process
      • Risk Assessment phase
      • Documentation phase
      • Testing phase
      • Reporting phase
    • Relationships between entities, accounts, processes, risks, controls, and tests
    • GRC Capability Maturity Model
    • Summary
  • Chapter 2: Corporate Governance
    • Developing and Communicating Corporate Strategy with Balanced Scorecard
      • Balanced Scorecard Theory
        • The four perspectives
        • Measures
        • Strategy Maps
        • InFission's strategic initiative
        • Oracle's Balanced Scorecard
        • Accessing Oracle Hyperion's Balanced Scorecard
        • The main components and how they are related
        • Setting up measures
        • Setting up an Accountability Hierarchy
        • Assembling the Scorecard
        • Breaking down Measures and Scorecards into lower-level objectives
        • Authorizing Managers to Scorecards
        • Loading data
        • Developing the Strategy Map for InFission and reviewing it with the Board
        • Assigning objectives to Managers and creating goals in HCM
    • Communicating and confirming Corporate Strategy with iLearning
      • Developing Learning Assets Flow
      • The major components of the Learning System
      • Responsibilities
      • Adding an Entry in the Course Catalog
      • Uploading Course Content
      • Developing a question bank to confirm understanding
      • Monitoring employees' understanding
      • The InFission Strategic Objectives Classes
    • Managing Records Retention Policies with Content Management Server
      • Records Governance Process
      • Records Governance Components and how they are related
      • Roles for accessing Universal Content Manager (UCM)
      • Standard Sensitivity Classifications
      • Typical Security Groups that reflect Security Boundaries and Sensitivity Classifications
      • Illustrative Retention Policies
      • Running the Document Disposition Check
    • Financial planning and analysis with Hyperion FR
      • Financial Planning and Analysis Flow
      • Accessing the Financial Planning and Analysis tools
      • Constructing the Account Balance Data Cube
      • Developing the Financial Model
      • Developing planning assumptions
      • Constructing the Financial plan
      • Publishing the Financial plan
      • Analyzing the results
      • Publishing the results
      • Financial Planning and Analysis Components and how they are related
    • Monitoring Execution with Oracle Business Intelligence
      • Oracle Financial Analytics
        • Other dashboards in Financial Analytics
      • Oracle Sales Analytics
        • Other dashboards in Sales Analytics
      • Oracle Procurement Analytics
        • Other dashboards in Procurement Analytics
      • Oracle Human Resources Analytics
        • Other dashboards in Human Resources Analytics
    • Enterprise Risk Management
      • Conducting a Risk Assessment
      • Scoping Controls to be Tested
      • Developing the Audit Plan
      • Briefing the Board
    • Whistle-blower protections
      • Setting up iSupport for anonymous access
      • Configuring for recording whistle-blower complaints
      • Creating a template for whistle-blower complaints
    • Summary
  • Chapter 3: Information Technology Governance
    • Developing and communicating IT strategy with balanced scorecards
      • IT project portfolio planning
        • Roles for accessing portfolio analysis
        • Decide investment criteria
        • Create portfolio
        • Initiate planning cycle
        • Submit new projects for inclusion in portfolio
        • Score projects
        • Create and compare the scenarios
        • Recommend and approve the scenario
        • Close planning cycle and implement scenario recommendations
    • Maintaining a valid configuration
      • Managing the configuration using Applications Manager
      • Maintaining a valid configuration using Enterprise Manager Application Management Pack for E-Business Suite
    • Service desk administration through Oracle Enterprise Manager
      • Support workbench
      • Problem details
      • Packaging problem details
    • Summary
  • Chapter 4: Security Governance
    • Security balanced scorecard
      • Relationships between the objectives
      • Metrics for the objectives
      • Perspectives from standards bodies and professional institutions
        • IT Governance Institute
        • ISO 17799
      • Quotes from prominent security managers
      • Account provisioning and identity management
      • Designing roles
        • Function security
        • Data security
        • Aggregating responsibilities into roles
        • Role provisioning
        • Identity management
        • Limiting access to administrative pages
      • Segregation of Duties policies
      • Server, application, and network hardening
    • System-wide advice
      • Database tier
        • Oracle TNS listener security
        • Oracle database security
      • Application tier
        • Protect administrative web pages
        • E-Business Suite security
        • Desktop security
      • Operating environment security
        • Firewall configuration and filtering of IP packets
        • Security incident response through Oracle service
    • Summary
  • Chapter 5: Risk Assessment and Control Verification
    • InFission approach for Risk Assessment and Control Verification
      • Establishing the Program Office
      • Selecting a controls framework
        • The COSO framework
        • The COBIT framework
      • Survey and interview management
      • Reviewing prior-year documentation
      • Rating current-year risk
      • Verifying controls
    • Oracle's GRC Manager and Intelligence: risk assessment and control verification system
      • Assessment workflow in Oracle GRC Manager
        • Initiating assessment
        • Assessing risks
        • Reviewing risks
        • Verifying controls
        • Certifying assessment
      • Evaluating assessment
      • Assessing quantitative risks in Oracle GRC Intelligence
        • Conduct quantitative risk assessment
    • Summary
  • Chapter 6: Documenting Your Controls
    • Process and procedure documents
    • InFission approach for managing process and procedure documents
    • Managing process documents in Oracle GRC Manager
      • Creating a Business Process in Oracle GRC Manager
      • Documenting process narrative in Oracle Tutor
    • Risks and controls documents
    • InFission approach to risk and controls documentation
    • Managing risks in Oracle GRC Manager
    • Managing controls in Oracle GRC Manager
    • Managing the control documentation lifecycle in GRC Manager
      • Using the Data Collection workflow to update documents
        • Contributing to a process
        • Reviewing data for a process
    • Summary
  • Chapter 7: Managing Your Testing Phase: Management Testing and Certifying Controls
    • Management testing for the internal audit program
    • Management testing for regulatory compliance audits
    • Management testing for Enterprise Risk Management
    • InFission's approach to management testing
    • Management testing using Oracle GRC Manager
      • Using the GRC Survey tool to determine the scope of the audit plan
        • Managing survey questions
        • Managing survey choice sets
        • Managing survey templates
        • Creating and initiating a survey
      • GRC Manager assessments
        • Creating the assessment templates
        • Creating an assessment plan
        • Assigning the delegate
        • Initiating/completing the assessment
        • Reviewing the assessment results
        • Closing an assessment
    • Summary
  • Chapter 8: Managing Your Audit Function
    • Audit planning
      • InFission audit planning approach
      • Managing the audit plan using Oracle GRC Manager
        • Creating the audit template
        • Creating the audit plan
    • Internal controls assessment
      • InFission internal controls assessment approach
      • Assessing internal controls using Oracle GRC Manager
        • Initiating the assessment
        • Selecting criteria
        • Selecting the components
        • Selecting the participants
        • Controls assessment
        • Managing issues
        • Closing an assessment
    • Audit report
      • InFission's approach to the audit report
        • Obtaining the audit report in Oracle GRC Manager
    • Summary
  • Chapter 9: IT Audit
    • InFission IT Audit approach
      • IT Audit scope management
      • IT Audit plan management
    • Automated application controls using Oracle GRC Controls Suite
      • Oracle Application Access Controls Governor
        • Identifying objectives
        • Selecting controls
        • Model walk-through
        • Analyzing controls
        • Remediation
        • Assigning incidents to business owners
        • Managing access approval
      • Oracle Transaction Controls Governor
        • Creating a model
        • Testing the controls
      • Configuration Controls Governor
        • Creating definitions
        • Creating a snapshot definition
        • Testing a snapshot definition
        • Locking the definition
        • Sharing the definition
        • Comparing snapshots
      • Defining Change Tracker
      • Deploying Change Tracker
      • Viewing Change Tracker results
      • Setting up queries and alerts
      • Preventive Controls Governor
        • Creating rules
        • Creating a Rule Element
        • Capturing events with Event Tracker
        • Updating the Element definition
        • Configuring element details
        • Creating SQL procedures
    • Summary
  • Chapter 10: Cross-Industry, Cross-Regional Compliance
    • Sarbanes-Oxley
      • Important sections of the act and the technologies that apply
        • Title 1: Establishment and Operation of the Public Company Accounting Oversight Board
        • Title 2: Auditor Independence
        • Title 4: Financial Disclosures
        • Title 8: Legal Ramifications for Corporate Fraud
    • ISO 27001: Information Security Management System (ISMS)
      • The components of an Information Security Management System
        • The risk assessment process
        • The Risk Treatment Plan
        • The Statement of Applicability
      • Oracle's products and ISO 27000
    • Control Objectives for Information and Related Technology (COBIT)
      • Managing IT processes in Oracle GRC applications to support the COBIT framework
      • InFission COBIT framework setup in Oracle GRC Manager
        • InFission IT Controls Management approach
    • California Breach Law
      • PII columns: Trading Community Architecture
      • PII columns: Procurement
      • PII columns: Financials
      • Oracle's products and the California Breach Law
        • Transparent Data Encryption
    • Health Insurance Portability and Accountability Act (HIPAA)
      • Oracle's products and HIPAA
        • Scrambling and data masking
        • Database Vault
    • Payment Card Industry (PCI)
      • Oracle's products and PCI
        • Oracle Payments
    • Federal Sentencing Guidelines
      • Standards for an effective compliance and ethics program
      • Oracle's products and the Federal Sentencing Guidelines
        • Creating the ethics program in iLearning
        • Monitoring the ethics program in iLearning
    • Summary
  • Chapter 11: Industry-focused Compliance
    • Hi-tech manufacturing
      • ISO 9000
      • Oracle Tutor
      • Oracle Quality
        • Oracle Quality components and how they are related
        • Responsibilities for accessing Oracle Quality
    • Environmental compliance and ISO 14000
      • Requirements of ISO 14001
      • ISO 14000 compliance auditing
      • Organization certification
      • How ISO 14000 fits into GRC Manager
      • Example environmental risk portfolio
    • RoHS and WEEE
      • RoHS, WEEE and hazardous substance compliance
      • Who needs to comply?
        • Oracle Agile Product Governance and Compliance
        • Major components of PG&C and how they relate to each other
    • Life sciences and medical instrument manufacturing
      • Title 21: Code of Federal Regulations
      • The requirements for electronic records
      • Oracle's E-records Management Solution
        • E-records management features
        • E-records management components
        • Responsibilities in E-records management
        • Functions in the E-records process
    • Banking and financial services
      • Basel
      • Requirements of Basel
        • The three pillars
        • The second pillar: Supervisory review process
        • The third pillar: Market discipline
      • Oracle's solutions in the banking sector
        • Complying with pillar one: Capital adequacy
        • Complying with pillar two: Management review
        • Complying with pillar three: Disclosure
      • Patriot Act
        • Oracle's solution for the Patriot Act: Oracle Mantas
    • Summary
  • Chapter 12: Regional-focused Compliance
    • Regulatory compliance in major economic regions
      • The Sarbanes-Oxley Act of 2002 (USA)
        • Public Company Accounting Oversight Board (PCAOB)
        • Auditor Independence
        • Corporate Responsibility
        • Enhanced Financial Disclosures
        • Analyst Conflicts of Interest
        • Commission Resources and Authority
        • Studies and Reports
        • Corporate and Criminal Fraud Accountability
        • White Collar Crime Penalty Enhancement
        • Corporate Tax Returns
        • Corporate Fraud Accountability
      • Canada Bill 198 (Canadian Sarbanes-Oxley)
      • UK Corporate Governance Code 2010
      • European Union's 8th Directive
      • Financial Instruments and Exchange Law (Japan SOX)
      • Corporate Law Economic Reform Program (CLERP, Australia)
      • InFission approach to regional compliance
    • Managing regional compliance using Oracle GRC Manager
      • Setting up the Financial Governance module
      • Regionalizing your Financial Governance framework
      • Setting up a Content Type for regulatory documentation
      • Updating lookup tables
      • Creating user-defined attributes (UDA) for regional compliance
      • Setting up the Regional Compliance framework using perspectives
        • InFission Organization Structure perspective
        • InFission Regulatory Compliance perspective
        • InFission Standard and Framework perspective
        • Loading data
        • Setting up user profiles for regional roles
      • Assessing regional compliance using Oracle GRC Manager
        • Monitoring regional compliance in Oracle GRC Intelligence
        • Regional compliance dashboards
        • Regional compliance reports
    • Summary

Nigel King

Nigel King is Vice President for Functional Architecture for Fusion Applications. As such he leads a band of architects whose job it is to steward the designs and underpinnings for those things that span product families. He has been working for Oracle for 17 years, mostly in Applications Development. Nigel has worked in many areas of Applications, starting in Distribution Management and then leading Oracle Applications' first venture into Business Intelligence, and later Product Lifecycle Management Applications. A restless observer and inventor, Nigel's real passion has always been to see a problem defined and, in being defined well, resolved. By first profession Nigel is a Chartered Management Accountant. He is also a Certified Internal Auditor (CIA), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM) and Certified Information Systems Security Professional (CISSP). He swears that as soon as he gets the book finished he will catch up with his continuing professional education (CPE) credits. Nigel's patents include "Methods and systems for portfolio planning", "Audit management workbench", "Internal audit operations for Sarbanes Oxley compliance" and "Audit planning". He was fortunate to be at Oracle when the whole Enron thing happened. A decade later, GRC Apps have been born, been new, grown old and are now suffused into many of the applications that surround them. Nigel is also Chairman of the Open Applications Group (OAGi), a 501(c)(6) not-for-profit standards development organization (SDO) whose community is focused on building process-based business standards for eCommerce, Cloud Computing, Service Oriented Architecture (SOA), Web Services, and Enterprise Integration. The OAGi specification includes ICXML, an XML specification for the exchange of risk and control libraries.

Before joining Oracle, Nigel worked in what he now considers the real world, first as an accountant and then selling and implementing business systems. He gained insights into the high technology sector working for Philips and into the consumer packaged goods sector working for Homepride Foods and Jeyes Group, and was introduced to the software world through Business Technology Consultants. Nigel also co-authored the E-Business Suite Manufacturing and Supply Chain handbook. You can also trace Nigel's thinking on GRC through his ISACA international conference presentations over the years: "An Overview of Emerging Tools and Technologies for Auditors" (2005), "Compliant Access Provisioning" (2006) and "Security Provisioning for Outsourced Services" (2008). Nigel is also a licensed boxer, keen soccer player and coach, and Boston-qualifying marathon runner. Nigel lives with his beautiful wife Anita and their soccer-fanatic son Ansel in San Mateo, California.

Adil R Khan

Adil Khan is a Senior Director at FulcrumWay with over 15 years of experience in enterprise business systems. Adil also serves on the board of the Oracle Applications Users Group Internal Controls and Security Special Interest Group (OAUG-ICSSIG). At FulcrumWay, Adil has designed and implemented internal controls management systems for more than 15 global companies listed on the NYSE and NASDAQ. His expertise includes streamlining and automating Governance, Risk and Compliance processes based on industry standards such as COSO ERM and COBIT. Prior to FulcrumWay, Adil served as a board member and Chief Executive Officer of ALTM, a public company listed on the NASDAQ.

What you will learn from this book

• Master Oracle's Balanced Scorecard, which helps management govern the enterprise through the development and communication of enterprise strategy
• Trace execution of the strategy laid out in the balanced scorecard through Oracle Business Intelligence
• Express security priorities and objectives in the form of a balanced scorecard and ensure that those objectives are in line with the corporate strategy
• Perform risk assessment and control verification
• Capture whistle-blower complaints by setting up a guest account in iSupport
• Develop and maintain control documentation that will be effective in the verification of controls included in the audit plan
• Cover Management Testing in full, including its uses, approach and techniques, as a critical phase of the GRC program
• Manage your internal audit function and learn how it is assisted by access controls, preventive controls, and configuration controls
• Describe IT Audit activities, follow an approach for managing the IT audit program, and review examples of automating IT Audit activities
• Examine regulations that apply to particular industries and manage major compliance issues in high-tech manufacturing, pharmaceutical and life sciences, and banking
• Build and manage an integrated compliance platform to address regional regulations in major economic zones around the world

                          In Detail

                          It seems that every year since the Enron collapse there has been a fresh debacle that refuses to lower the spotlight from corporate Governance, Risk, and Compliance management.

Before Sarbanes-Oxley forced company managers to become risk conscious, if you asked a chief executive whether he thought he had adequate internal controls, the most likely answer would have been "What is an internal control?"

                          This is clearly no longer the case. Every week some story breaks detailing a lack of good governance, a failure to plan for a foreseeable catastrophe or a failure to comply with an important law or regulation. These stories bring GRC themes into public view, and public scrutiny, and make management and directors keen to show they have put their best efforts forward to govern their companies well, manage risks to the enterprise, and to comply with all applicable laws.

Perhaps only Oracle and SAP are in a position to really address all three aspects. The mission of GRC applications is to ensure that the managers and directors of enterprises that run such applications have a strong, defensible position.

Written by industry experts with more than 30 years' combined experience, this book covers the governance, risk management and compliance management of a large modern enterprise and how the IT infrastructure, in particular the Oracle IT infrastructure, can assist in that governance. This book is not an implementation guide for GRC products; rather, it shows you how those products participate in the governance process, how they introduce or mitigate risk, and how they can be brought into compliance with best practice, as well as applicable laws and regulations.

                          The book is divided into three major sections:
                          Governance – where we discuss the strategic management of the enterprise, setting plans for managers, making disclosures to investors, and ensuring that the board knows that the enterprise is meeting its goals and staying within its policies.

Risk Management – where we discuss audit disciplines. This is where we work out what can go wrong, document what we have to do to prevent it from going wrong, and check that what we think prevents it from going wrong actually works. We move through the various sub-disciplines within the audit profession and show which tools from within the Oracle family are best suited to assist.

Compliance Management – where we map the tools and facilities discovered in the first two sections to frameworks and legislation. We present this first from an industry- and geography-agnostic viewpoint, and then drill into some specific industries and countries.

We neither stay within the narrow definition of GRC applications nor limit ourselves to the business applications, but take you to the most appropriate places in the full Oracle footprint. The book is written from the perspective of "big GRC". It is not an implementation manual for the GRC products, although we hope you can get the best out of the GRC products after reading this book. We discuss many applications and technology products that are not in the GRC product family.

                          The book is not organized by product, rather by the governance and risk assurance processes. A given product may be represented in multiple places within the book and a given process may contain multiple product references.

To ensure that we keep ourselves grounded in real problems, the book is written as a journal of a fictional company establishing its governance processes. It introduces the managers and directors responsible for the various aspects of the governance, risk and compliance problem, shows where each problem is exposed, and shows how it is addressed in the technology and business applications.

                          Who this book is for

The audience for this book is the people who advise the board, the internal audit department and the CIO's office on controls, security and risk assurance. Consultants implementing Financials or GRC applications who wish to understand the governance, risk and compliance processes, and how they are represented in Oracle, should find it a useful primer. Risk assurance professionals will find it a reliable companion.
