J.D. Edwards SOX Security For the Greater Philadelphia Peoplesoft Regional User Group - PowerPoint PPT Presentation

1
J.D. Edwards SOX Security For the Greater Philadelphia Peoplesoft Regional User Group
Al Marmero May 15, 2008
2
Agenda
  • Introduction
  • The need for All Doors Shut
  • 8.x Security, Roles and Task Discussion
  • 8.x Security for easy upgrade to new releases
  • Case Study: A/P Clerk
  • 8.12 Security: Importance of Sequencing
  • Questions/Discussion?

3
Al Marmero, Project Manager/Finance Consultant
  • Over 25 years of domestic and international business experience and
    20 years of hands-on experience with J.D. Edwards OneWorld and World.
    As a JDE Consultant and Project Manager, Al actively worked on and led
    global JDE implementations for major pharmaceutical companies, real
    estate, construction, consumer goods, publishers, telecommunications,
    services and manufacturers. As CFO for a multi-national manufacturer,
    Al implemented JDE Financials and Distribution, as well as integration
    with manufacturing, in over 20 countries and the United States. He is
    an experienced Project Manager as well as a Senior JDE Finance
    Applications Consultant with extensive knowledge of the JDE OneWorld
    and World financial suite, JDE sales order processing, inventory,
    purchasing, work orders, interfaces and conversion mapping, and
    extensive experience in issue resolution. Al has implemented more than
    50 JDE projects, including shared service center operations, and has
    led project teams of all sizes, up to 30 team members, for companies
    with revenues in excess of 10 billion.

4
SOX Act, Section 404 and JDE Security
  • SEC. 404. MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS.
  • (a) RULES REQUIRED. The Commission shall prescribe rules requiring
    each annual report required by section 13(a) or 15(d) of the
    Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain
    an internal control report, which shall (1) state the responsibility
    of management for establishing and maintaining an adequate internal
    control structure and procedures for financial reporting; and
    (2) contain an assessment, as of the end of the most recent fiscal
    year of the issuer, of the effectiveness of the internal control
    structure and procedures of the issuer for financial reporting.
  • (b) INTERNAL CONTROL EVALUATION AND REPORTING. With respect to the
    internal control assessment required by subsection (a), each
    registered public accounting firm that prepares or issues the audit
    report for the issuer shall attest to, and report on, the assessment
    made by the management of the issuer. An attestation made under this
    subsection shall be made in accordance with standards for attestation
    engagements issued or adopted by the Board. Any such attestation
    shall not be the subject of a separate engagement.

5
What role does the information technology organization play in a
company's Section 404 project?
  • The information technology organization will have
    two primary roles in the project
  • To document and self-assess its own significant
    processes (referred to as general computer
    controls) for (a) the information technology
    control environment, (b) the development and
    implementation of information technology (program
    development), (c) a change to existing
    information technology (program changes), (d)
    information security (access to programs and
    data), and (e) computer operations. These are
    pervasive controls since the effectiveness of all
    automated controls across the organization
    depends on them.
  • To support personnel who are responsible for
    specific processes by helping those individuals
    document and assess their control activities.
    Because those individuals are accountable for the
    controls pertaining to the processes they
    oversee, they should be responsible for
    documenting and testing both manual and automated
    controls, even though automated controls often
    rely on or reside in information technology
    systems. It is important for personnel who are
    responsible for processes in their business units
    to understand all the controls for their
    processes, not simply the manual controls. To
    facilitate this understanding, the company should
    assign information technology liaisons to the
    control assessment teams.

6
JDE Security Implementation
  • Major Objectives
  • Promote an understanding of SOX compliance and cooperation between IT
    and the end users
  • A secured ERP system that addresses SOX 404
  • Ensure a smooth go-live after testing all business processes that
    encompass all roles
  • Reduce roles: fewer roles mean less maintenance and better security
  • Create a flexible task view design that can grow with the enterprise
  • Implement an ADS (All Doors Shut) / default-deny model
  • Use templates

7
Why Security? Let's review some of the reasons
  • System integrity of data and stability: does it stand up to the test?
  • Stronger, bullet-proof system controls
  • No misuse
  • Sarbanes-Oxley compliance
  • Lock down security: All Doors Shut (default deny)

There are better ways to hide sensitive
information
8
Some live problems can be resolved by security
  • A user ran the recurring invoices report for all
    invoices. He deleted the data selection.
  • A user did mass disposal of all assets.
  • A user inquired on sensitive payroll information.
  • A user changed the address of a vendor to route
    payments to himself.
  • These are only a few of the many, many security
    breaches that are easy to create.

9
  • 8.0 Security and Task Views

Roles and groups should be created such that, in the upgrade process,
all of the groups are converted to roles with minimal security changes.
For example, Group ARACCTG becomes Role ARACCT. Note: in 8.9 to 8.12,
users can have multiple roles.
8.9 to 8.12 Security and Task Views
10
Roles and Task Design Matrix
11
Case Study - Accounts Payable Group
  • Discuss the steps for 8.x Security for Accounts
    Payable group
  • Task view design and Security design
  • Phased Implementation

12
Step 1: Identify major business groups/processes
Step 2: Role definition
Accounts Payable Group
  • AP Clerk / Voucher Entry
  • AP Manager / Admin
  • AP Accountant / Check Writer

13
Step 3: Task view design
  • AP CLERK
  • Speed Voucher Entry (P0411)
  • Standard Voucher Entry (P0411)
  • Company Search and Select (indirect) (P0010S)
  • Address Book Search and Select (indirect) (P0101SL)
  • Business Unit Search and Select (indirect) (P0006S)
  • GL Distribution Screen (indirect) (P0901S)

14
Step 4: Task view implementation
  • The EnterpriseOne format (Main View) of the view will be used as the
    standard model for implementing task views.
  • For any given role, Fine Cut functionality will be used to
    enable/disable items as per the task view requirements.

15
Step 5: Security design
The overall security is divided into three components for ADS:
  • Control Layer: the applications that are required for any user to
    navigate and use the EnterpriseOne software.
  • Required Layer: the applications that are required by a particular
    role to perform its business process(es).
  • Optional Layer: more common for cross-functional users who have some
    one-off requests in addition to the required applications.
16
Step 6: Security implementation
  • Steps
  • Lock out *PUBLIC: an application security record for *ALL with
    Run = N and Install = N (the All Doors Shut baseline)
  • Open up the control applications for *PUBLIC.
  • Open up the required applications based on role.
  • Open any optional applications if applicable.
  • Also set up Business Unit or Company level security for each
    group/user.
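The layering in Steps 5 and 6, together with the multi-role assignment and IT lockdown points on the 8.9 to 8.12 concepts slide, can be exercised end to end in a small model. The following is an added example written for this page; it is not code from the presentation or from JDE itself. Its assumptions: a record is reduced to (principal, application, Run flag), a simplified stand-in for an F00950 application security row; resolution is assumed to go user record, then roles in descending sequence number, then *PUBLIC, with an exact application record beating *ALL within one principal (confirm that precedence against your release's documentation); and every application ID except the AP clerk task view from Step 3 (P0411, P0010S, P0101SL, P0006S, P0901S) is a constructed placeholder, not a real JDE object name.

```python
# Added example (not from the slides or from JDE): a model of the All Doors
# Shut layering in Steps 5-6 and of multi-role resolution in 8.9 to 8.12.
#
# Assumptions (constructed for illustration):
# - SecRecord stands in for an F00950 application-security row, reduced to
#   (principal, object, run). Principal is *PUBLIC, a role name or a user ID;
#   object is an application ID or *ALL; run is the Run flag (Y/N).
# - Resolution order: user record, then roles in descending sequence number,
#   then *PUBLIC; within one principal an exact application record beats *ALL.
#   Verify this precedence against the release you run before relying on it.
# - Application IDs other than the AP clerk task view (P0411, P0010S,
#   P0101SL, P0006S, P0901S) are placeholders, not real JDE object names.
from dataclasses import dataclass, field
from typing import Optional

PUBLIC = "*PUBLIC"
ALL = "*ALL"


@dataclass(frozen=True)
class SecRecord:
    principal: str  # *PUBLIC, role name, or user ID
    obj: str        # application ID or *ALL
    run: bool       # Run flag: True = Y, False = N


@dataclass
class SecurityTable:
    records: list = field(default_factory=list)

    def add(self, principal: str, obj: str, run: bool) -> None:
        self.records.append(SecRecord(principal, obj, run))

    def lookup(self, principal: str, app: str) -> Optional[bool]:
        """Decision for one principal: exact-app record first, then *ALL, else None."""
        exact = [r for r in self.records if r.principal == principal and r.obj == app]
        if exact:
            return exact[-1].run
        wild = [r for r in self.records if r.principal == principal and r.obj == ALL]
        return wild[-1].run if wild else None


def build_ads_table(control_apps, required, optional=None) -> SecurityTable:
    """Step 6 in order: lock *PUBLIC out of *ALL, open the control layer for
    *PUBLIC, open required applications per role, then any optional ones."""
    table = SecurityTable()
    table.add(PUBLIC, ALL, False)          # Lock out *PUBLIC: *ALL, Run = N
    for app in control_apps:
        table.add(PUBLIC, app, True)       # Control layer: navigation apps for everyone
    for role, apps in required.items():
        for app in apps:
            table.add(role, app, True)     # Required layer: one role's business process
    for role, apps in (optional or {}).items():
        for app in apps:
            table.add(role, app, True)     # Optional layer: one-off cross-functional needs
    return table


def can_run(table: SecurityTable, user: str, roles, app: str) -> bool:
    """roles: list of (role, sequence). A user-level record wins, then the
    highest-sequence role that has a record for the app, then *PUBLIC."""
    decision = table.lookup(user, app)
    if decision is None:
        for role, _seq in sorted(roles, key=lambda rs: rs[1], reverse=True):
            decision = table.lookup(role, app)
            if decision is not None:
                break
    if decision is None:
        decision = table.lookup(PUBLIC, app)
    return bool(decision)  # no record at all still means the door is shut


def audit_role(table: SecurityTable, role: str, task_view, control_apps) -> dict:
    """Reconcile a role's task view (Step 3) with its security (Step 6):
    'missing' = task-view items the role cannot run; 'over_granted' = apps
    opened for the role that are in neither its task view nor the control layer."""
    missing = [app for app in task_view if not can_run(table, "", [(role, 1)], app)]
    opened = {r.obj for r in table.records if r.principal == role and r.run}
    over_granted = sorted(opened - set(task_view) - set(control_apps))
    return {"missing": missing, "over_granted": over_granted}


# Constructed sample data: the AP clerk task view plus placeholder control-layer,
# check-writer and vendor-master applications.
CONTROL_APPS = ["PNAV_MENU", "PNAV_FASTPATH"]
AP_CLERK_TASKS = ["P0411", "P0010S", "P0101SL", "P0006S", "P0901S"]
REQUIRED = {
    "AP_CLERK": ["P0411", "P0010S", "P0101SL", "P0006S", "P0901S"],
    "AP_CHECK": ["PCHK_WRITE", "P0101SL"],
}
OPTIONAL = {"AP_CLERK": ["PVENDOR_MASTER"]}   # a one-off grant that audit_role should flag

TABLE = build_ads_table(CONTROL_APPS, REQUIRED, OPTIONAL)

if __name__ == "__main__":
    print(can_run(TABLE, "JDOE", [("AP_CLERK", 10)], "P0411"))        # True
    print(can_run(TABLE, "JDOE", [("AP_CLERK", 10)], "PCHK_WRITE"))   # False: door shut
    print(audit_role(TABLE, "AP_CLERK", AP_CLERK_TASKS, CONTROL_APPS))
```

The audit is the part worth keeping around: it catches the two drifts that undo an ADS model in practice, a task view item the role cannot actually run (a help desk ticket on go-live day) and an application opened for the role that nobody put in its task view (the vendor address change from the "live problems" slide is exactly this kind of stray grant). The sequence ordering in `can_run` is also why a lockdown role for IT staff has to sit above the business roles: a `*ALL`/N record on a role with a lower sequence than the user's AP role would be shadowed by that role's grants.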

17
Step 6 Security Implementation continued
18
Step 7: Phased go-live
  • Reasons for a phased go-live
  • Risk mitigation
  • Early wins in the implementation
  • Solutions are tested at a smaller scale
  • Problems are identified on a lower-risk platform
  • Methods for a phased go-live
  • Role-based phased go-live
  • Work-based phased go-live (accounting, shipping)
  • Geography-based phased go-live (corporate, plant, floor)
  • People-based phased go-live (number of people)

19
8.9 to 8.12 Implementation Concepts
  • Multiple role assignments to a user
  • Sequencing the go-live (create a second copy of the F00950 security
    table and implement ADS in sequenced, controlled steps)
  • Implementation of lockdown for IT staff
  • Maintenance of multiple systems during go-live
  • Help desk support cycle

20
Questions/Discussion
Al Marmero, J.D. Edwards Project Manager / Finance Consultant, 609-313-7530