
FulcrumWay GRC Solutions


Leverage Information Technology: Turn Corporate Governance into Business Performance™

Risk Assessment and Controls Monitoring

Copyright ©. Fulcrum Information Technology, Inc.

A FulcrumWay International Regional Service Partner


FulcrumWay Market Leadership

FulcrumWay is the #1 End-to-End Provider of Governance, Risk and Compliance Expertise, Solutions and Software Services for Oracle enterprise customers.

Expertise: Risk Management, Compliance, IT Audit, Internal Controls, Financial Reporting and GRC Software implementation consulting services. Since 2003, we have successfully assisted over one hundred Fortune-500 to Middle Market companies across all major industry segments.

Packaged Solutions: Oracle certified Systems Integrator and ISV member of the Oracle Partner Network. FulcrumWay solutions are built on software technologies from Oracle Corporation. FulcrumWay GRC Solutions are the #1 choice of Oracle customers.

Software Services: We enable organizations to assess Financial, Operational and Information Technology risks, monitor internal controls and optimize business processes. Auditors, Risk Managers and Business Process Owners can rapidly assess enterprise risk and monitor controls using web based software services.

Privately Held Delaware corporation with US presence in: New York, Texas and California

International Presence in UK, Chile, Italy, Singapore, Turkey and India


FulcrumWay Clients

• Media and Entertainment
• Financial Services
• Healthcare
• Natural Resources
• Life Sciences
• Industrial Manufacturing
• Defense
• Oil and Gas
• High Technology
• Retail
• Industrial Equipment
• Communications


FulcrumWay™ Insight

Thought Leadership

Compliance Week Magazine - Healthcare Firm Aligns Compliance Efforts, Cuts Costs

Economist Magazine – Compliance Guide for Enterprise Systems

Podcasts – How Automating the Enterprise Risk Management Process helps organizations comply with regulations

OAUG GRCSIG - Impact of AS5 for Oracle Enterprise Customers

IIA – Top Five Reasons for Automating Application Controls

Oracle Open World – Annual GRC Dinner, GE and Birds Eye Case Study

Collaborate - Financial Governance - Achieving Timeliness, Reliability and Efficiency in Financial Management and Reporting

Webcasts – GRC Best Practices, Trends and Expert Insight


FulcrumWay 2009 Events

Current, Recent and Upcoming Events

• December 16 – Webinar "Strengthening Compliance and Performance by improving the Financial Transaction Controls and Close Processes"
• December 2 – Financial Governance Luncheon in Palo Alto
• November 18 – Webinar "Ensuring Compliant Processes and IT Risk Management with Configuration Change Controls"
• November 13 – FulcrumWay at the SROAUG Meeting in Los Angeles at the LAX Crowne Plaza
• November 4 – “OAUG GRC Special Interest Group Meeting: GRC Highlights @ Oracle OpenWorld 2009”
• October 28 – “Aligning Risk and Performance Management” Oracle iSeminar
• October 22 – “Slashing Compliance Costs and Boosting Risk Management In Midsized Companies” free Webinar
• October 21 – “Risk and Compliance Management Power Across the Enterprise: Oracle’s Enterprise GRC Manager” free Webinar
• October 11-15 – Oracle OpenWorld: 4 GRC Sessions and the Sixth Annual GRC Roundtable Dinner
• September 29 – NYC Metro OAUG Meeting GRC Session
• September 16 – “Risk and Compliance Management Success Stories: GRC Business Cases that Get Approved” free Webinar


Governance, Risk and Compliance Challenges

Detect and Prevent Outright Fraud

Mitigate Financial Misstatement Risk

Develop and Maintain Sustainable Regulatory Compliance Processes

Effectively Test and Monitor Internal Controls

Dell Talking Again After Audit

More than four years of intentionally misstated results will cost the computer maker millions. Says one exec: “This is not a happy story”

Business Week, 2008

The Public Company Accounting Oversight Board issued a 33-page alert to auditors, telling them to plan their audits with an eye towards the new risks that spring from management acting under economic pressure.

Compliance Week, 2009

Online fraud is becoming so lucrative, said Katherine Hutchison, PayPal’s senior director of global risk management, that it has developed into an industry with specialized players that hire each other in areas such as harvesting credit card numbers and freight forwarding. “A single professional thief doesn’t have to have all of the skills needed to commit fraud,” she said.

WSJ April, 2009


Current State

• Managed in silos

• Mostly reactionary

• More projects than programs

• Handled separately from mainstream processes and decision-making

• People used as middleware

• Limited and fragmented use of technology

GRC Program Management

Future State

• Enterprise approach

• Integrated controls and processes

• Program based approach

• Embedded within mainstream processes and decision-making

• Effective use of information technology

• Architected solutions

Enterprise GRC Program Management

(c) OCEG, 2008


The Big Picture: GRC Maturity

Informal:

Ad hoc approach

Compliant but at a high cost to business

Manual control

No best practices

Reactive:

Tactical approach

Risks are documented

Manual risk assessment and reporting

After the fact reporting

Proactive:

Unified, standardized & strategic approach

Policies are enforced

Automated process

Prevent policy violation

Optimized:

GRC objectives embedded throughout the organization

Analyze and trend

Automated risk mitigation / Predictive risk assessments

Compliance and Audit Automation

Controls and Process Monitoring

Integrated GRC

IT Governance

Enterprise Risk Management

Financial Governance


Enterprise Applications / IT Infrastructure

Oracle EBS, Hyperion, JD Edwards, PeopleSoft, SAP, Legacy/Custom

Significant Business Processes / Operations Management

Financial Close, Procure to Pay, Order to Cash, Hire to Retire, Other …

Financial Management, Operations Management, Audit / Compliance

Enterprise Management

Corporate Governance, Planning and Forecasting, Performance Management, Risk Management

Reporting

Budgeting, Reconciliation

Audit Planning, Assessment / Testing

Issues / Actions

Enterprise Model


Continuous Controls Monitoring / IT Governance

Oracle EBS, Hyperion, JD Edwards, PeopleSoft, SAP, Legacy/Custom

Process Monitoring

Financial Close, Procure to Pay, Order to Cash, Hire to Retire, Other …

Financial Governance, Operations Management, Audit / Compliance Automation

Enterprise Risk Management

Corporate Governance, Planning and Forecasting, Performance Management, Risk Management

Reporting

Budgeting, Reconciliation

Audit Planning, Assessment / Testing

Issues/ Actions

FulcrumWay Enterprise Solutions Framework

GRC Integration


Continuous Controls Monitoring / IT Governance

Process Monitoring

Financial Governance, Operations Management, Audit / Compliance Automation

Enterprise Risk Management

FulcrumWay End to End GRC Services

GRC Integration

Financial Risk Dashboard, Governance/Policy Dashboard, Operational Risk Dashboard, KPI/KRI Dashboard

Automated Reconciliation

Disclosure Workflow, Financial Intelligence

Plan Optimizer, Test Automation, Self-Assessment

Issue / Remediation Workflow

Close Monitor, P2P Monitor, T&E Monitor, O2C Monitor, H2R Monitor

Segregation of Duties, Privileged Access, Transactions, Configurations, e-Discovery, Identity


FulcrumWay™ GRC Strategic Opportunity Assessment

• Assess Risks
• Scope Audit Plan
• Prepare Work Papers
• Test Internal Controls
• Certify Results
• Disclose Business Results
• Gather GRC Data
• Establish Risk & Controls Library
• Document Issues/Actions
• Implement Changes
• Establish Control Environment

Senior Management

Board

Process Owner

Chief Officer

Chief Auditor

Audit Managers / Control Owners


FulcrumWay Expertise, Packaged Solutions and Software Services


FulcrumWay Touch-less Integration™

Financial adapters for Oracle E-Business Suite, Oracle’s PeopleSoft Enterprise, and Oracle’s JD Edwards EnterpriseOne. Universal adapters to extract and load data from non-Oracle or legacy applications


Control

Configuration Controls

Configuration Change

Enforce & validate allowable values. Ensure appropriate entitlement to change data is mapped to SOD rules

Provide audit history of changes to critical application data

Transaction Controls

Transaction Validation

Validate transaction against business policy rules, including fail-safe monitoring for SOD rules.

Enforce & Identify transactions for validation and audit history for SOD

Detective & Preventive Controls

Preventive Validation

Transaction Monitor

Access Controls

Access Validation

Access Monitoring

Segregation of Duties: Ensure no conflicts of interest for a given user or role

Identify user access events for validation and audit history

Enforce additional access restrictions based on user entitlements based on SOD rules

Form Restriction


User Access Validation


Segregation of Duties Violation Report

Once the Account Balance / Entity data is loaded into GRCi, Management will be able to analyze multiple Risk Scenarios to determine Scope.


Application Configuration Controls Library


Improving User Provisioning & Segregation of Duties

Our Client

• Wholly owned subsidiary of Fortune 500 focused on communication and information technologies for security, safety and lifestyle enhancements
• Operations in more than 30 countries
• Oracle E-Business Suite

Challenges

• Comply with SOX
• Needed to automate a manual and labor-intensive process to define and approve user access
• Segregation of Duties Concerns
• Oracle E-Business Environment: 40 Modules, 2,500 Users, 100+ user responsibilities

FulcrumWay Solutions

• Automate User Access Provisioning Compliant with SOD Policies

Successes

• Implemented access provisioning solution to identify user violations and allow auditable override capability for authorized access
• Security provisioning time reduction
• Senior Management Commitment to GRC
• SOD Rules Content jump-started comprehensive GRC management processes
• Detected over 5,000 violations
• Reduced access provisioning time from 14 days to 4 hours
• Trained Process Owners through online self-service portal


Cost Reduction through Integrated Compliance and Control

Our Client

• World’s pre-eminent gold producer, with a portfolio of 27 operating mines
• Many advanced exploration and development projects located across five continents
• The largest gold reserves in the industry

Challenges

• Need to reduce SOX Compliance Audit expense
• Implement continuous controls monitoring
• Baseline ERP Configurable Controls for AS5

FulcrumWay Solutions

• Identify Controls for full or partial automation
• Benchmark ERP Configurations
• Set up audit logs on all configuration changes

Successes

• Analyzed over 1,000 controls
• Application Audit Portal provides audit trail on all configuration changes in ERP Systems
• Track changes to key application setup data and code
• Approval workflows and notifications facilitate change management without negatively impacting core business operations
• Increase visibility into the actual operations of the controls environment
• Reduced Testing Time by 30%


Data Protection And Security

The FulcrumWay servers are hosted in Dallas, Texas, in 78,500 sq. ft. facilities, which include:

• 35,500 sq. ft. raised floor
• (23) HVAC units totaling 574 tons
• Very Early Smoke Detection Apparatus (VESDA)
• Pre-action dry pipe sprinkler system
• Over 500 smoke detectors in integrated system

Physical access is protected by Northern Proximity security badge entry/exit.

Server Availability is ensured through Multiple TXU electrical grids: 4800 amps of 480v input power. Backup power is provided by:

• Three main transfer switches
• 500KVA Powerware UPS units, 90 batteries each
• Standalone PDUs at each cabinet row
• 1-megawatt generator (2000 gallon tank)
• 1.5-megawatt generator (2200 gallon tank)
• DataTrax monitoring for all datacenter infrastructure

FulcrumWay utilizes some of the most advanced technology for Internet security available today. When you access our site using Netscape Navigator 6.0 or Microsoft Internet Explorer versions 5.5 or higher, Secure Socket Layer (SSL) technology protects your information using both server authentication and data encryption, ensuring that your data is safe, secure, and available only to registered Users in your organization. FulcrumWay provides each User in your organization with a unique user name and password that must be entered each time a User logs on. We issue a session "cookie" only to record encrypted authentication information for the duration of a specific session. The session "cookie" does not include either the username or password of the user.


FulcrumWay Risk Assessment Options

Risk Assessment Service: You can utilize our Risk Assessment software services any time you need. This low cost service can quickly provide you a detailed view of Security and Data Access risks in your system and help you determine the scope of work needed to improve controls and security.

Unlimited Use Service: You can have full unlimited access to our Risk Assessment and Monitoring Software Services so that you can analyze SOD risk as often as you like, manage violations, track remediation actions, continuously monitor access controls, and obtain periodic access control verifications from process owners.

Limited Use Service: You can have limited access to the Risk Assessment Software Service to perform Quarterly testing, manage violations and track remediation actions.

Implementation Services:  In addition to the above Risk Assessment and Controls Monitoring services, we also offer Professional Services to implement Oracle GRC Manager and GRC Intelligence software applications to help build an integrated platform for all your Governance, Risk and Compliance activities. This solution will help you consolidate multiple GRC activities into a single platform to reduce costs and provide management better visibility.

 

 


FulcrumWay Risk Advisory Services

Define Application Controls

Tasks:

• Define Application Controls based on Company Control objectives
• Assign Risk Rating to each Rule
• Mark Waivers and Exceptions
• Configure Snapshot ERP Data Manager
• Set up Application Test Environment
• Finalize project plan

Analyze Violations

Tasks:

• Detect SOD Violations
• Detect Configuration Baseline / Threshold Violations
• Detect suspicious transactions
• Set up Application Control Owners
• Notify Controls Owners
• Analyze SOD Violations
• Analyze Configuration Violations
• Analyze Transaction Violations

Remediate Violations

Tasks:

• Create Corrective Action Plan
• Redesign Roles
• Reassign Users
• Change Configurations
• Restrict Transactions
• Resolve Issues
• Migrate to Production

Monitor Controls

Tasks:

• Set up Access Monitor
• Set up Trx. Monitors
• Set up Configuration Change Monitors
• Complete Training

Knowledge Transfer / Train the Trainer


FulcrumWay delivers Rapid Return on Investment (ROI). Auditors and other users can access the application and controls library within 24 hours after signing up. There are NO requirements to install software or hardware.

FulcrumWay delivers high user productivity. The web based software services are designed for ease of use for successful adoption amongst a wide range of enterprise users. Powerful Business Intelligence reporting capabilities empower users to integrate GRC into existing business processes.

FulcrumWay delivers lower total cost of ownership. Application owners can administer all aspects of the application without requiring IT support resources.

FulcrumWay delivers thought leadership and best practices. We employ a wide range of GRC Professionals including leading Sarbanes-Oxley Compliance Management Experts, Ex-Auditors with CPA, CIA and CISA Credentials, Certified Technology Professionals with deep knowledge of ERP Implementations, and Senior Oracle DBAs to ensure superior quality of service.

FulcrumWay has a Successful Track Record of assisting Oracle ERP customers with compliance initiatives around Application Controls such as Segregation of Duties, Configurations, and Transactions Controls since 2003.

FulcrumWay Advantage


FulcrumWay Services: Key Business Benefits


Continuous Controls Monitoring / IT Governance

Process Monitoring

Financial Governance, Operations Management, Audit / Compliance Automation

Enterprise Risk Management

GRC Integration

Financial Risk Dashboard, Governance/Policy Dashboard, Operational Risk Dashboard, KPI/KRI Dashboard

Automated Reconciliation

Disclosure Workflow, Financial Intelligence

Plan Optimizer, Test Automation, Self-Assessment

Issue / Remediation Workflow

Close Monitor, P2P Monitor, T&E Monitor, O2C Monitor, H2R Monitor

Segregation of Duties, Privileged Access, Transactions, Configurations, e-Discovery, Identity

Next Steps: Proof of Concept and Assessment


A FulcrumWay International Regional Service Partner

Info:

www.mantala.com.mt

[email protected]