J.D. Edwards “SOX” Security For the Greater Philadelphia Peoplesoft Regional User Group Al Marmero May 15, 2008
Agenda • Introduction • The need for “All Doors Shut” • 8.x Security and Roles & Task Discussion • 8.x Security for easy upgrade to new Releases • Case Study A/P Clerk • 8.12 Security – Importance of Sequencing • Questions/Discussion?
Al Marmero Project Manager/Finance Consultant More than 25 years of domestic and international business experience and 20 years of hands-on experience with J.D. Edwards OneWorld and World. As a JDE Consultant and Project Manager, Al actively worked on and led global JDE implementations for major pharmaceutical companies, real estate, construction, consumer goods, publishers, telecommunications, services and manufacturers. As CFO of a multi-national manufacturer, Al implemented JDE Financials and Distribution, as well as integration with manufacturing, in over 20 countries and the United States. He is an experienced Project Manager and a Senior JDE Finance Applications Consultant with extensive knowledge of the JDE OneWorld and World financial suite, JDE sales order processing, inventory, purchasing, work orders, interfaces and conversion mapping, and extensive experience in issue resolution. Al has implemented more than 50 JDE projects, including shared service center operations, and has led project teams of up to 30 members for companies with revenues in excess of $10 billion.
SOX Act- Section 404 and JDE Security SEC. 404. MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS. (a) RULES REQUIRED.—The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report, which shall— (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting. (b) INTERNAL CONTROL EVALUATION AND REPORTING—With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.
What role does the information technology organization play in a company’s Section 404 project? The information technology organization will have two primary roles in the project: • To document and self-assess its own significant processes (referred to as general computer controls) for (a) the information technology control environment, (b) the development and implementation of information technology (program development), (c) changes to existing information technology (program changes), (d) information security (access to programs and data), and (e) computer operations. These are pervasive controls, since the effectiveness of all automated controls across the organization depends on them. • To support personnel who are responsible for specific processes by helping those individuals document and assess their control activities. Because those individuals are accountable for the controls pertaining to the processes they oversee, they should be responsible for documenting and testing both manual and automated controls, even though automated controls often rely on or reside in information technology systems. It is important for personnel who are responsible for processes in their business units to understand all the controls for their processes, not simply the manual controls. To facilitate this understanding, the company should assign information technology liaisons to the control assessment teams.
JDE Security Implementation Major Objectives • Promote an understanding of SOX compliance and cooperation between IT and the end users • A secured ERP system that addresses SOX 404 • Ensure a smooth go-live after testing all business processes that encompass all roles • Reduce roles, and you reduce maintenance and improve security • Create a flexible task view design that can grow with the enterprise • Implement an ADS (All Doors Shut) / default-deny model • Use templates
Why Security? Let’s review some of the reasons… • System integrity of data and stability: does it stand up to the test? • Stronger, bulletproof system controls • No misuse • Sarbanes-Oxley compliance • Lock down security: All Doors Shut, default deny • There are better ways to hide sensitive information than leaving it to chance
Some live problems – can be resolved by security • A user ran the recurring invoices report for all invoices. He deleted the data selection. • A user did mass disposal of all assets. • A user inquired on sensitive payroll information. • A user changed the address of a vendor to route payments to himself. • These are only a few of the many, many security breaches that are easy to create.
8.0 Security and Task Views (diagram): Users → Groups (User Revisions) → Security (F00950 table) → Task Views (F9000 tables)
8.9 to 8.12 Security and Task Views (diagram): Users → Roles (UDC H95/RL) → Security (F00950 table) → Task Views (F9000 tables)
Roles and Groups should be created such that in the upgrade process all of the groups are converted to Roles with minimal security changes. For example, Group = ARACCTG becomes Role = ARACCT. Note: In 8.9 to 8.12 users can have multiple roles.
Case Study - Accounts Payable Group • Discuss the steps for 8.x Security for Accounts Payable group • Task view design and Security design • Phased Implementation
Step 1: Identify major business groups and processes
Step 2: Role definition. Accounts Payable Group • AP Clerk/Voucher Entry • AP Manager/Admin • AP Accountant/Check Writer
Step 3: Task view design AP CLERK • Speed Voucher Entry P0411 • Standard Voucher Entry P0411 • Company Search and Select (Indirect) P0010S • Address Book Search and Select (Indirect) P0101SL • Business Unit Search and Select (Indirect) P0006S • GL Distribution Screen (Indirect) P0901S
Step 4: Task View implementation (diagram): JDE Task View → AP Manager, AP Clerk, AP Accounts. The EnterpriseOne format (Main View) of the view will be used as the standard model for implementing task views. For any given role, Fine Cut functionality will be used to enable/disable items according to the task view requirements.
Step 5: Security Design The overall security is divided into three components for ADS: Control Layer – the applications that every user needs in order to navigate and use the EnterpriseOne software (opened for *PUBLIC). Required Layer – the applications that a particular role needs to perform its business process(es). Optional Layer – applications that cross-functional users need for one-off requests in addition to the required applications; these are granted individually rather than through the role.
Step 6: Security Implementation Steps • Lock out *PUBLIC *ALL = N N (Run = N, Install = N), so that nothing is open by default • Open up the control applications for *PUBLIC • Open up required applications based on role • Open any optional applications, if applicable • Also set Business Unit or Company level (row) security for each group/user
Step 7: Phased Go-Live Reasons for a phased go-live: • Risk mitigation • Early winners in implementation • Solutions tested on a smaller scale • Problems identified on a smaller-risk platform Methods for a phased go-live: • Role-based phased go-live • Work-based phased go-live (accounting, shipping) • Geography-based phased go-live (corporate, plant, floor) • People-based phased go-live (number of people)
8.9 to 8.12 Implementation Concepts • Multiple role assignments to a user, so the role sequence decides which role's security wins when roles conflict • Sequenced GO LIVE (create another Security F00950 table and implement ADS in sequenced and controlled steps) • Implementation of lock-down for IT staff as well, not only end users • Maintenance of multiple systems during go-live • Help desk support cycle
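The following is an added illustration of the Step 5/6 ADS layering and of the multiple-role point above; it is constructed for this write-up and is not JD Edwards code, and it does not read the real F00950 table. The record shape, the precedence rule (user record, then roles from the highest sequence number down, then *PUBLIC, then deny) and the placeholder application IDs PMGRONLY and CONTRACTOR are assumptions; only P0411 and the search/select programs come from the AP Clerk task view on the slides.

```python
"""Toy model of an "All Doors Shut" application-security resolver.

Constructed example, not JD Edwards code. Assumptions:
  - a record grants or denies Run on one application ID (or *ALL) to a
    subject that is a user ID, a role name, or *PUBLIC
  - precedence: explicit user record > role records (highest sequence
    number first) > *PUBLIC record > deny (default deny)
  - an exact application match beats a *ALL wildcard for the same subject
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SecRecord:
    subject: str   # user ID, role name, or "*PUBLIC"
    obj: str       # application ID such as "P0411", or "*ALL"
    run: bool      # True = Run allowed (Y), False = denied (N)


# Control layer: the indirect search/select and GL distribution programs
# from the AP Clerk task view. PMGRONLY is a placeholder, not a real program.
CONTROL_LAYER = ["P0010S", "P0101SL", "P0006S", "P0901S"]
REQUIRED_BY_ROLE: Dict[str, List[str]] = {
    "APCLERK": ["P0411"],
    "APMGR": ["P0411", "PMGRONLY"],
}


def build_ads_records(optional_by_user: Optional[Dict[str, List[str]]] = None) -> List[SecRecord]:
    """Step 6, in the order the slide gives it: lock out, then open layers."""
    recs = [SecRecord("*PUBLIC", "*ALL", False)]                    # lock out everything
    recs += [SecRecord("*PUBLIC", app, True) for app in CONTROL_LAYER]  # control layer
    for role, apps in REQUIRED_BY_ROLE.items():                      # required layer
        recs += [SecRecord(role, app, True) for app in apps]
    for user, apps in (optional_by_user or {}).items():              # optional layer
        recs += [SecRecord(user, app, True) for app in apps]
    return recs


def _lookup(records: List[SecRecord], subject: str, app: str) -> Optional[bool]:
    """Exact application record first, then the subject's *ALL wildcard."""
    exact = [r.run for r in records if r.subject == subject and r.obj == app]
    if exact:
        return exact[0]
    wild = [r.run for r in records if r.subject == subject and r.obj == "*ALL"]
    return wild[0] if wild else None


def can_run(records: List[SecRecord], user: str, roles: List[Tuple[str, int]], app: str) -> bool:
    """roles is a list of (role name, sequence number); higher sequence wins."""
    verdict = _lookup(records, user, app)
    if verdict is not None:
        return verdict
    for role, _seq in sorted(roles, key=lambda rs: rs[1], reverse=True):
        verdict = _lookup(records, role, app)
        if verdict is not None:
            return verdict
    verdict = _lookup(records, "*PUBLIC", app)
    return False if verdict is None else verdict


def open_doors(records: List[SecRecord]) -> List[str]:
    """Audit check: a missing *PUBLIC *ALL lockout, or a *PUBLIC grant outside
    the control layer, is a door left open that ADS is supposed to close."""
    findings = []
    if not any(r.subject == "*PUBLIC" and r.obj == "*ALL" and not r.run for r in records):
        findings.append("missing *PUBLIC *ALL lockout")
    for r in records:
        if r.subject == "*PUBLIC" and r.run and r.obj not in CONTROL_LAYER:
            findings.append(f"*PUBLIC may run {r.obj}")
    return findings


if __name__ == "__main__":
    recs = build_ads_records({"JDOE": ["PMGRONLY"]})
    print(can_run(recs, "JSMITH", [("APCLERK", 10)], "P0411"))      # True: required layer
    print(can_run(recs, "JSMITH", [("APCLERK", 10)], "PMGRONLY"))   # False: default deny
    # Sequencing: a denying CONTRACTOR role outranks APCLERK only if it sequences higher.
    recs2 = recs + [SecRecord("CONTRACTOR", "P0411", False)]
    print(can_run(recs2, "TEMP1", [("APCLERK", 10), ("CONTRACTOR", 20)], "P0411"))  # False
    print(can_run(recs2, "TEMP1", [("APCLERK", 30), ("CONTRACTOR", 20)], "P0411"))  # True
    print(open_doors(recs))                                          # []
```

The last two calls are the reason sequencing matters in 8.12: with the same two roles assigned, the user's access to voucher entry flips depending only on which role carries the higher sequence number, so a role added late for a temporary worker can silently widen or narrow access that was already tested. The `open_doors` check is the one to run against the *PUBLIC rows after each phased go-live step.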
Questions/Discussions Al Marmero, J.D. Edwards Project Manager / Finance Consultant, 609-313-7530