Contents

Chapter 1: Introduction .... 7
  How this book is organized .... 8
  Definitions .... 8
  Governance .... 9
  Risk .... 9
  Compliance .... 9
  Oracle's Governance Risk and Compliance Footprint .... 10
  Balanced Scorecard .... 10
  Business Intelligence .... 10
  Financial Planning and Analysis .... 11
  Consolidations and Financial Reporting .... 11
  Learning .... 11
  Risk Management Applications .... 11
  Sub Certification .... 12
  Process Management Applications .... 12
  Content Management Applications .... 12
  Identity and Authorization Management Applications .... 12
  Our case study .... 12
  Roles involved in GRC activities .... 13
  Audit Committee member .... 13
  Signing Officers .... 14
  Chief Audit Executive .... 14
  Chief Financial Officer .... 15
  Chief Information Officer .... 15
  Chief Operating Officer .... 16
  The Audit and Compliance process .... 16
  Risk Assessment phase .... 17
  Documentation phase .... 17
  Testing phase .... 17
  Reporting phase .... 18
  Relationships between entities, accounts, process, risk controls, and tests .... 18
  GRC Capability Maturity Model .... 19

Chapter 2: Corporate Governance .... 21
  Developing and Communicating Corporate Strategy with Balanced Scorecard .... 22
  Balanced Scorecard Theory .... 22
  The four perspectives .... 22
  Measures .... 23
  Strategy Maps .... 24
  InFission's strategic initiative .... 25
  Oracle's Balanced Scorecard .... 25
  Accessing Oracle Hyperion's Balanced Scorecard .... 25
  The main components and how they are related .... 26
  Setting up measures .... 27
  Setting up an Accountability Hierarchy .... 28
  Assembling the Scorecard .... 28
  Breaking down Measures and Scorecards into lower-level objectives .... 29
  Authorizing Managers to Scorecards .... 30
  Loading data .... 31
  Developing the Strategy Map for InFission and reviewing it with the Board .... 32
  Assigning objectives to Managers and creating goals in HCM .... 34
  Communicating and confirming Corporate Strategy with iLearning .... 35
  Developing Learning Assets Flow .... 35
  The major components of the Learning System .... 36
  Responsibilities .... 37
  Adding an Entry in the Course Catalog .... 37
  Uploading Course Content .... 38
  Developing a question bank to confirm understanding .... 39
  Monitoring employee's understanding .... 40
  The InFission Strategic Objectives Classes .... 41
  Managing Records Retention Policies with Content Management Server .... 41
  Records Governance Process .... 42
  Records Governance Components and how they are related .... 43
  Roles for accessing Universal Content Manager (UCM) .... 44
  Standard Sensitivity Classifications .... 45
  Typical Security Groups that reflect Security Boundaries and Sensitivity Classifications .... 47
  Illustrative Retention Policies .... 48
  Running the Document Disposition Check .... 52
  Financial planning and analysis with Hyperion FR .... 55
  Financial Planning and Analysis Flow .... 55
  Accessing the Financial Planning and Analysis tools .... 56
  Constructing Account Balance Data Cube .... 56
  Developing the Financial Model .... 57
  Developing planning assumptions .... 58
  Constructing the Financial plan .... 59
  Publishing the Financial plan .... 61
  Analyzing the results .... 61
  Publishing the results .... 62
  Financial Planning and Analysis Components and how they are related .... 63
  Monitoring Execution with Oracle Business Intelligence .... 65
  Oracle Financial Analytics .... 65
  Other dashboards in Financial Analytics .... 67
  Oracle Sales Analytics .... 67
  Other dashboards in Sales Analytics .... 69
  Oracle Procurement Analytics .... 70
  Other dashboards in Procurement Analytics .... 73
  Oracle Human Resources Analytics .... 73
  Other Dashboards in Human Resources Analytics .... 75
  Enterprise Risk Management .... 76
  Conducting a Risk Assessment .... 77
  Scope Controls to be Tested .... 78
  Develop Audit Plan .... 78
  Briefing the Board .... 79
  Whistle-blower protections .... 79
  Setting up iSupport for anonymous access .... 81
  Configuring for recording whistle-blower complaints .... 81
  Creating a template for whistle-blower complaints .... 82

Chapter 3: Information Technology Governance .... 85
  Developing and communicating IT strategy with balanced scorecards .... 87
  IT project portfolio planning .... 89
  Roles for accessing portfolio analysis .... 91
  Decide investment criteria .... 91
  Create portfolio .... 92
  Initiate planning cycle .... 93
  Submit new projects for inclusion in portfolio .... 94
  Score projects .... 94
  Create and compare the scenarios .... 95
  Recommend and approve the scenario .... 96
  Close planning cycle and implement scenario recommendations .... 96
  Maintaining a valid configuration .... 98
  Managing the configuration using Applications Manager .... 98
  Maintaining a valid configuration using Enterprise Manager Application Management Pack for E-Business Suite .... 99
  Service desk administration through Oracle Enterprise Manager .... 100
  Support workbench .... 102
  Problem details .... 103
  Packaging problem details .... 104

Chapter 4: Security Governance .... 107
  Security balanced scorecard .... 108
  Relationships between the objectives .... 109
  Metrics for the objectives .... 111
  Perspectives from standard bodies and professional institutions .... 111
  IT Governance Institute .... 111
  ISO 17799 .... 111
  Quotes from prominent Security managers .... 113
  Account provisioning and identity management .... 114
  Designing roles .... 114
  Function Security .... 115
  Data security .... 116
  Aggregating responsibilities into roles .... 118
  Role provisioning .... 119
  Identity management .... 120
  Limiting access to administrative pages .... 121
  Segregation of Duties Policies .... 121
  Server, applications, and network hardening .... 123
  System wide advice .... 124
  Database tier .... 125
  Oracle TNS listener security .... 126
  Oracle database security .... 126
  Application tier .... 126
  Protect administrative web pages .... 127
  E-Business Suite security .... 127
  Desktop security .... 129
  Operating environment security .... 129
  Firewall configuration and filtering of IP packets .... 130
  Security incident response through Oracle service .... 130

Chapter 5: Risk Assessment and Control Verification .... 133
  InFission approach for Risk Assessment and Control Verification .... 135
  Establishing Program Office .... 136
  Selecting controls framework .... 137
  The COSO framework .... 137
  The COBIT framework .... 139
  Survey and interview management .... 140
  Reviewing prior year documentation .... 140
  Rating current year risk .... 141
  Verifying controls .... 142
  Oracle's GRC Manager and Intelligence – risk assessment and control verification system .... 143
  Assessment workflow in Oracle GRC Manager .... 144
  Initiating assessment .... 144
  Assessing risks .... 149
  Reviewing risks .... 151
  Verifying Controls .... 151
  Certifying assessment .... 154
  Evaluating assessment .... 154
  Assessing quantitative risks in Oracle GRC Intelligence .... 155
  Conduct quantitative risk assessment .... 156

Chapter 6: Documenting Your Controls .... 161
  Process and procedure documents .... 161
  InFission approach for managing process and procedure documents .... 162
  Managing process documents in Oracle GRC Manager .... 163
  Creating a Business Process in Oracle GRC Manager .... 165
  Document process narrative in Oracle Tutor .... 166
  Risks and controls documents .... 170
  InFission approach to risk and controls documentation .... 171
  Managing risks in Oracle GRC Manager .... 172
  Managing controls in Oracle GRC Manager .... 174
  Managing control documentation lifecycle in GRC Manager .... 176
  Use Data collection workflow to update documents .... 178
  Contributing to a process .... 180
  Reviewing data for a process .... 181

Chapter 7: Managing Your Testing Phase: Management Testing and Certifying Controls .... 185
  Management testing for internal audit program .... 185
  Management testing for Regulatory Compliance Audits .... 186
  Management testing for Enterprise Risk Management .... 187
  InFission's approach to management testing .... 188
  Management testing using Oracle GRC Manager .... 189
  Using GRC Survey tool to determine the scope of audit plan .... 189
  Managing survey questions .... 190
  Managing survey choice sets .... 191
  Managing survey templates .... 192
  Creating and initiating a survey .... 196
  GRC Manager assessments .... 197
  Creating the assessment templates .... 198
  Creating an assessment plan .... 199
  Assigning the delegate .... 200
  Initiating/completing the assessment .... 200
  Reviewing the assessment results .... 202
  Closing an assessment .... 203

Chapter 8: Managing Your Audit Function .... 205
  Audit planning .... 205
  InFission audit planning approach .... 206
  Managing audit plan using Oracle GRC Manager .... 207
  Creating the audit template .... 208
  Creating the audit plan .... 209
  Internal controls assessment .... 213
  InFission internal controls assessment approach .... 214
  Assessing internal controls using Oracle GRC Manager .... 215
  Initiating the assessment .... 216
  Selecting criteria .... 216
  Selecting the components .... 217
  Selecting the participants .... 217
  Controls assessment .... 218
  Managing issues .... 222
  Closing an assessment .... 227
  Audit report .... 228
  InFission's approach to audit report .... 228
  Obtain audit report in Oracle GRC Manager .... 229

Chapter 9: IT Audit .... 233
  InFission IT Audit approach .... 234
  IT Audit scope management .... 234
  IT Audit plan management .... 236
  Automated application controls using Oracle GRC Controls Suite .... 237
  Oracle Application Access Controls Governor .... 238
  Identifying objectives .... 238
  Selecting controls .... 240
  Model walk-through .... 241
  Analyzing controls .... 245
  Remediation .... 245
  Assigning incidents to business owners .... 251
  Managing access approval .... 256
  Oracle Transaction Controls Governor .... 257
  Create model .... 258
  Testing the controls .... 260
  Configuration Controls Governor .... 266
  Creating definitions .... 266
  Creating a snapshot definition .... 266
  Testing a snapshot definition .... 269
  Locking the definition .... 271
  Sharing the definition .... 271
  Comparing snapshots .... 272
  Defining change tracker .... 274
  Deploying change tracker .... 275
  Viewing change tracker results .... 276
  Setting up queries and alerts .... 277
  Preventive Controls Governor .... 280
  Creating rules .... 280
  Creating a Rule Element .... 283
  Capturing Events with Event Tracker .... 283
  Updating Element definition .... 285
  Configuring element details .... 287
  Creating SQL procedures .... 300

Chapter 10: Cross Industry Cross Compliance .... 305
  Sarbanes-Oxley .... 305
  Important sections of the act and the technologies that apply .... 306
  Title 1: Establishment and Operation of the Public Company Accounting Oversight Board .... 306
  Title 2: Auditor Independence .... 306
  Title 4: Financial Disclosures .... 307
  Title 8: Legal Ramifications for Corporate Fraud .... 307
  ISO 27001 – Information Security Management System (ISMS) .... 308
  The components of an Information Security Management System .... 308
  The risk assessment process .... 309
  The Risk Treatment Plan .... 309
  The Statement of Applicability .... 309
  Oracle's products and ISO 27000 .... 312
  Control Objectives for IT (COBIT) .... 315
  Managing IT processes in Oracle GRC applications to support COBIT Framework .... 315
  InFission COBIT Framework setup in Oracle GRC Manager .... 315
  InFission IT Controls Management Approach .... 317
  California Breach Law .... 325
  PII Columns: Trading Community Architecture .... 325
  PII Columns: Procurement .... 328
  PII Columns: Financials .... 329
  Oracle's products and California Breach Law .... 330
  Transparent data encryption .... 330
  Healthcare Information Portability and Protection Act (HIPPA) .... 332
  Oracle's products and HIPPA .... 333
  Scrambling and data masking .... 333
  Data vault .... 336
  Payment Card Industry (PCI) .... 340
  Oracle's products and PCI .... 341
  Oracle Payments .... 341
  Federal Sentencing Guidelines .... 345
  Standards for an effective compliance and ethics program .... 346
  Oracle's products and Federal Sentencing Guidelines .... 347
  Creating the ethics program in iLearning .... 347
  Monitoring the ethics program in iLearning .... 348

Chapter 11: Industry-focused Compliance .... 351
  Hi-tech manufacturing .... 351
  ISO 9000 .... 351
  Oracle Tutor .... 352
  Oracle Quality .... 354
  Oracle Quality components and how they are related .... 355
  Responsibilities for accessing Oracle Quality .... 357
  Environmental compliance and ISO 14000 .... 364
  Requirements of ISO 14001 .... 365
  ISO 14000 compliance auditing .... 366
  Organization certification .... 367
  How ISO 14000 fits into GRC Manager .... 367
  Example environmental risk portfolio .... 370
  RoHS WEEE .... 372
  RoHS WEEE and hazardous substance compliance .... 372
  Who needs to comply? .... 372
  Oracle Agile Product Governance and Compliance .... 373
  Major components of PG&C and how they relate to each other .... 374
  Life sciences and medical instrument manufacturing .... 382
  Title 21: Code of Federal Regulations .... 382
  The requirements of electronic records .... 383
  Oracle's E-records Management Solution .... 384
  E-records management features .... 384
  E-records management components .... 385
  Responsibilities in E-records management .... 385
  Functions in the E-records process .... 386
  Banking and financial services .... 391
  Basel .... 391
  Requirements of Basel .... 391
  The three pillars .... 391
  The second pillar – Supervisory review process .... 394
  The third pillar – Market discipline .... 394
  Oracle's solutions in the banking sector .... 394
  Comply with pillar one – Capital adequacy .... 395
  Comply with pillar two – Management review .... 396
  Comply with pillar three – Disclosure .... 398
  Patriot Act .... 398
  Oracle's solution for Patriot Act – Oracle Mantas .... 398

Chapter 12: Regional-focused Compliance .... 403
  Regulatory compliance in major economic regions .... 404
  The Sarbanes-Oxley Act of 2002 (USA) .... 405
  Public Company Accounting Oversight Board (PCAOB) .... 405
  Auditor Independence .... 405
  Corporate Responsibility .... 406
  Enhanced Financial Disclosures .... 406
  Analyst Conflicts of Interest .... 406
  Commission Resources and Authority .... 406
  Studies and Reports .... 406
  Corporate and Criminal Fraud Accountability .... 407
  White Collar Crime Penalty Enhancement .... 407
  Corporate Tax Returns .... 407
  Corporate Fraud Accountability .... 407
  Canada Bill 198 (Canadian Sarbanes-Oxley) .... 407
  UK Corporate Governance Code 2010 .... 408
  European Union's 8th Directive .... 409
  Financial Instruments and Exchange Law (Japan SOX) .... 409
  Corporate Law Economic Reform Program (CLERP – Australia) .... 410
  InFission approach to Regional Compliance .... 410
  Managing regional compliance using Oracle GRC Manager .... 412
  Setting up Financial Governance module .... 412
  Regionalizing your Financial Governance Framework .... 413
  Setting up Content Type for Regulatory Documentation .... 415
  Updating Lookup tables .... 417
  Creating user-defined attributes (UDA) for regional compliance .... 419
  Setting up Regional Compliance Framework using perspectives .... 422
  InFission Organization Structure perspective .... 423
  InFission Regulatory Compliance perspective .... 423
  InFission Standard and Framework perspective .... 424
  Loading data .... 428
  Setting up user profile for regional roles .... 430
  Assessing Regional Compliance using Oracle GRC Manager .... 433
  Monitoring Regional Compliance in Oracle GRC Intelligence .... 435
  Regional Compliance Dashboards .... 435
  Regional Compliance reports .... 437