Title: J.D. Edwards SOX Security for the Greater Philadelphia PeopleSoft Regional User Group
J.D. Edwards SOX Security for the Greater Philadelphia PeopleSoft Regional User Group
Al Marmero, May 15, 2008
Agenda
- Introduction
- The need for All Doors Shut
- 8.x Security and Roles Task Discussion
- 8.x Security for easy upgrade to new Releases
- Case Study A/P Clerk
- 8.12 Security Importance of Sequencing
- Questions/Discussion?
Al Marmero, Project Manager/Finance Consultant
- Over 25 years of domestic and international business experience and 20 years of hands-on experience with J.D. Edwards OneWorld and World. As a JDE Consultant and Project Manager, Al actively worked on and led global JDE implementations for major pharmaceutical companies, real estate, construction, consumer goods, publishers, telecommunications, services and manufacturers. As CFO for a multinational manufacturer, Al implemented JDE Financials and Distribution, as well as integration with manufacturing, in over 20 countries and the United States. He is an experienced Project Manager, as well as a Senior JDE Finance Applications Consultant with extensive knowledge of the JDE OneWorld and World financial suites, JDE sales order processing, inventory, purchasing, work orders, interfaces and conversion mapping, and extensive experience in issue resolution. Al has implemented more than 50 JDE projects, including shared service center operations, and has led project teams of all sizes, up to 30 team members, for companies with revenues in excess of 10 billion.
SOX Act, Section 404 and JDE Security
- SEC. 404. MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS.
- (a) RULES REQUIRED. The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report, which shall (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
- (b) INTERNAL CONTROL EVALUATION AND REPORTING. With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.
What role does the information technology organization play in a company's Section 404 project?
- The information technology organization will have two primary roles in the project:
  - To document and self-assess its own significant processes (referred to as general computer controls) for (a) the information technology control environment, (b) the development and implementation of information technology (program development), (c) a change to existing information technology (program changes), (d) information security (access to programs and data), and (e) computer operations. These are pervasive controls, since the effectiveness of all automated controls across the organization depends on them.
  - To support personnel who are responsible for specific processes by helping those individuals document and assess their control activities. Because those individuals are accountable for the controls pertaining to the processes they oversee, they should be responsible for documenting and testing both manual and automated controls, even though automated controls often rely on or reside in information technology systems. It is important for personnel who are responsible for processes in their business units to understand all the controls for their processes, not simply the manual controls. To facilitate this understanding, the company should assign information technology liaisons to the control assessment teams.
JDE Security Implementation
- Major Objectives
  - Promote an understanding of SOX compliance and cooperation between IT and the end users
  - Secured ERP system that addresses SOX 404
  - Ensure a smooth go-live after testing all business processes that encompass all roles
  - Reduce roles and you reduce maintenance and improve security
  - Create a flexible task view design that can grow with the enterprise
  - Implement an ADS (All Doors Shut)/Default Deny model
  - Use templates
Why Security? Let's review some of the reasons
- System integrity of data and stability: does it stand up to the test?
- Stronger, bullet-proof system controls
- No misuse
- Sarbanes-Oxley compliance
- Lock down security: All Doors Shut / Default Deny
There are better ways to hide sensitive information
Some live problems can be resolved by security
- A user ran the recurring invoices report for all invoices. He deleted the data selection.
- A user did mass disposal of all assets.
- A user inquired on sensitive payroll information.
- A user changed the address of a vendor to route payments to himself.
- These are only a few of the many, many security breaches that are easy to create.
8.0 Security and Task Views
Roles and Groups should be created such that in the upgrade process all of the groups are converted to Roles and there should be minimal security changes. For example, Group ARACCTG maps to Role ARACCT. Note: in 8.9 to 8.12 users can have multiple roles.
8.9 to 8.12 Security and Task Views
Roles and Task Design Matrix
Case Study: Accounts Payable Group
- Discuss the steps for 8.x Security for the Accounts Payable group
- Task view design and security design
- Phased implementation
Step 1: Identify major business groups and processes
Step 2: Role definition
Accounts Payable Group
- AP Clerk/Voucher Entry
- AP Manager/Admin
- AP Accountant/Check Writer
Step 3: Task view design
- AP CLERK
  - Speed Voucher Entry P0411
  - Standard Voucher Entry P0411
  - Company Search and Select (Indirect) P0010S
  - Address Book Search and Select (Indirect) P0101SL
  - Business Unit Search and Select (Indirect) P0006S
  - GL Distribution Screen (Indirect) P0901S
Step 4: Task view implementation
- The EnterpriseOne format (Main View) of the view will be used as a standard model for implementing task views.
- For any given role, Fine Cut functionality will be used to enable/disable items as per the task view requirements.
Step 5: Security Design
The overall security is divided into three components for ADS:
- Control Layer: the applications that are required for a user to navigate and use the EnterpriseOne software.
- Required Layer: the applications that are required by a particular role to perform a business process or processes.
- Optional Layer: more common to cross-functional users who have some one-off requests in addition to the required applications.
Step 6: Security Implementation
- Steps
  - Lock out Public: ALL N N (Run and Install both denied for the public group)
  - Open up the Control applications for Public.
  - Open up required applications based on role.
  - Open any optional applications if applicable.
  - Also do the Business Unit or Company level security for each group/user.
Step 6: Security Implementation (continued)
Step 7: Phased Go-Live
- Reasons for a phased go-live
  - Risk mitigation
  - Early winners in implementation
  - Solutions tested on a smaller scale
  - Problems identified on a smaller-risk platform
- Methods for a phased go-live
  - Role-based phased go-live
  - Work-based phased go-live (accounting, shipping)
  - Geography-based phased go-live (corporate, plant, floor)
  - People-based phased go-live (number of people)
8.9 to 8.12 Implementation Concepts
- Multiple role assignments to a user
- Sequencing go-live (create another security F00950 table and implement ADS in sequenced and controlled steps)
- Implementation of lockdown for IT staff
- Multiple system maintenance during go-live
- Help desk support cycle
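The layered build-out of Steps 5 and 6 (lock out Public, open the control layer, open required applications per role, then optional one-offs) and the multi-role sequencing concern from the 8.9 to 8.12 concepts above, as an added Python example. This is not code from the presentation and not Oracle/JD Edwards code. It assumes a simplified record layout (the field names are the example's own, not F00950 column names), a modelled resolution order (a record for the user itself, then the user's roles from highest to lowest sequence number, then *PUBLIC, with an exact object match beating *ALL, and an open system when no record matches at all), and constructed user IDs (JSMITH, MJONES), role names (APCLERK, APMGR) and placeholder application names for the payroll inquiry and asset disposal programs the slides only describe. It shows why the Public/ALL deny row has to go in first, and how the same user gets a different answer for P0411 depending on which of two roles is sequenced higher.

```python
"""Layered default-deny ("All Doors Shut") application-security resolver.

Added example, not code from the presentation and not Oracle/JD Edwards code.
Records are constructed and only loosely shaped like rows of the F00950
security table; the field names are this example's own.  The resolution order
is modelled, not quoted from the slides: user record, then the user's roles
from highest to lowest sequence number, then *PUBLIC; within one principal an
exact object match beats *ALL; with no matching record anywhere the system is
open, which is why the ADS baseline row is written first.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class SecurityRecord:
    user: str      # user ID, role name, or *PUBLIC
    obj: str       # application (program) name, or *ALL
    run: bool      # Run flag (Y/N)
    install: bool  # Install flag (Y/N)


# Constructed placeholder names for applications the presentation only
# describes (payroll inquiry, asset disposal); they are not JDE program IDs.
P_PAYROLL_INQ = "P_PAYROLL_INQ_PLACEHOLDER"
P_ASSET_DISPOSAL = "P_ASSET_DISPOSAL_PLACEHOLDER"

# user -> [(role, sequence)]; the higher sequence wins when two roles conflict
RoleAssignments = Dict[str, List[Tuple[str, int]]]
ROLE_ASSIGNMENTS: RoleAssignments = {
    "JSMITH": [("APCLERK", 10)],                 # constructed AP clerk
    "MJONES": [("APCLERK", 10), ("APMGR", 20)],  # constructed clerk who is also a manager
}


def build_ads_table(include_baseline: bool = True) -> List[SecurityRecord]:
    """Assemble the table in the Step 6 order.  include_baseline=False leaves
    out layer 1 to show what an open system resolves to."""
    table: List[SecurityRecord] = []
    if include_baseline:
        # Layer 1 (ADS): Public  ALL  N  N
        table.append(SecurityRecord("*PUBLIC", "*ALL", False, False))
    # Layer 2 (control layer): search-and-select applications everyone needs to navigate
    for app in ("P0010S", "P0101SL", "P0006S"):
        table.append(SecurityRecord("*PUBLIC", app, True, False))
    # Layer 3 (required layer): per-role applications from the task view design
    table.append(SecurityRecord("APCLERK", "P0411", True, False))   # voucher entry
    table.append(SecurityRecord("APCLERK", "P0901S", True, False))  # GL distribution (indirect)
    table.append(SecurityRecord("APMGR", "P0411", False, False))    # constructed policy: managers approve, do not enter
    table.append(SecurityRecord("APMGR", P_ASSET_DISPOSAL, True, False))
    # Layer 4 (optional layer): a one-off request for a single cross-functional user
    table.append(SecurityRecord("MJONES", P_PAYROLL_INQ, True, False))
    return table


def resolve_run(user: str, app: str, table: Iterable[SecurityRecord],
                roles: RoleAssignments) -> bool:
    """Return whether `user` may run `app` under the modelled resolution order."""
    index = {(r.user, r.obj): r for r in table}  # a later duplicate row replaces an earlier one
    by_seq = sorted(roles.get(user, []), key=lambda rs: rs[1], reverse=True)
    principals = [user] + [role for role, _ in by_seq] + ["*PUBLIC"]
    for principal in principals:
        for obj in (app, "*ALL"):  # exact object before the wildcard
            rec = index.get((principal, obj))
            if rec is not None:
                return rec.run
    return True  # no record at all: the system is open, nothing is denied


def effective_apps(user: str, table: Iterable[SecurityRecord],
                   roles: RoleAssignments, candidates: Iterable[str]) -> List[str]:
    """Pre-go-live check: which candidate applications can this user actually run?
    Compare the list with the role's task view before cutting the role over."""
    table = list(table)
    return sorted(a for a in candidates if resolve_run(user, a, table, roles))


if __name__ == "__main__":
    ads = build_ads_table()
    open_table = build_ads_table(include_baseline=False)
    every_app = ["P0411", "P0010S", "P0101SL", "P0006S", "P0901S",
                 P_PAYROLL_INQ, P_ASSET_DISPOSAL]
    print("open system, clerk can run:", effective_apps("JSMITH", open_table, ROLE_ASSIGNMENTS, every_app))
    print("ADS, clerk can run:", effective_apps("JSMITH", ads, ROLE_ASSIGNMENTS, every_app))
    # Sequencing: swap the two sequence numbers and the same user gets a different P0411 answer
    flipped = {"MJONES": [("APCLERK", 20), ("APMGR", 10)]}
    print("MJONES P0411 with APMGR sequenced higher:", resolve_run("MJONES", "P0411", ads, ROLE_ASSIGNMENTS))
    print("MJONES P0411 with APCLERK sequenced higher:", resolve_run("MJONES", "P0411", ads, flipped))
```

Run it as a script to see the two tables side by side: without the baseline row the clerk resolves to every application, including the placeholder payroll and asset programs, which is the exposure the "live problems" slide describes; with it, the clerk is down to the control layer plus the two AP applications. The `effective_apps` list is the check to run per role during a phased go-live, and the flipped assignment shows why role sequence numbers need to be reviewed whenever a user holds more than one role.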
Questions/Discussion
Al Marmero, J.D. Edwards Project Manager/Finance Consultant, 609-313-7530