Al Marmero
May 15, 2008
Agenda

- Introduction
- The need for "All Doors Shut" 8.x Security and Roles & Tasks
- Discussion: 8.x Security for easy upgrade to new releases
- Case Study: A/P Clerk
- 8.12 Security: Importance of Sequencing
- Questions/Discussion
Al Marmero, Project Manager/Finance Consultant

Over 25 years of domestic and international business experience and 20 years of hands-on experience with J.D. Edwards OneWorld and World. As a JDE Consultant and Project Manager, Al has actively worked on and led global JDE implementations for major pharmaceutical, real estate, construction, consumer goods, publishing, telecommunications, services and manufacturing companies. As CFO of a multi-national manufacturer, Al implemented JDE Financials and Distribution, as well as the integration with manufacturing, in the United States and more than 20 other countries. He is an experienced Project Manager and a Senior JDE Finance Applications Consultant with extensive knowledge of the JDE OneWorld and World financial suites, as well as JDE sales order processing, inventory, purchasing, work orders, interfaces, conversion mapping and issue resolution. Al has implemented more than 50 JDE projects, including shared service center operations, and has led project teams of up to 30 members for companies with revenues in excess of $10 billion.
SOX Act - Section 404 and JDE Security

SEC. 404. MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS.

(a) RULES REQUIRED.—The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report, which shall—
(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

(b) INTERNAL CONTROL EVALUATION AND REPORTING.—With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.
What role does the information technology organization play in a company's Section 404 project?

The information technology organization will have two primary roles in the project:

1. To document and self-assess its own significant processes (referred to as general computer controls) for (a) the information technology control environment, (b) the development and implementation of information technology (program development), (c) changes to existing information technology (program changes), (d) information security (access to programs and data), and (e) computer operations. These are pervasive controls, since the effectiveness of all automated controls across the organization depends on them.

2. To support personnel who are responsible for specific processes by helping those individuals document and assess their control activities. Because those individuals are accountable for the controls pertaining to the processes they oversee, they should be responsible for documenting and testing both manual and automated controls, even though automated controls often rely on or reside in information technology systems. It is important for personnel who are responsible for processes in their business units to understand all the controls for their processes, not simply the manual controls. To facilitate this understanding, the company should assign information technology liaisons to the control assessment teams.
JDE Security Implementation - Major Objectives

- Promote an understanding of SOX compliance and cooperation between IT and the end users
- A secured ERP system that addresses SOX 404
- Ensure a smooth go-live after testing all business processes across all roles
- Reduce roles: fewer roles mean less maintenance and better security
- Create a flexible task view design that can grow with the enterprise
- Implement an ADS (All Doors Shut) / Default Deny model
- Use templates
Why Security? Let's review some of the reasons...

- System integrity of data and stability: does it stand up to the test?
- Stronger, bullet-proof system controls
- No misuse
- Sarbanes-Oxley compliance
- Lock down security: All Doors Shut (Default Deny)

There are better ways to hide sensitive information than hoping nobody finds the menu item.
Some live problems that can be resolved by security

- A user ran the recurring invoices report for all invoices after deleting the data selection.
- A user performed a mass disposal of all assets.
- A user inquired on sensitive payroll information.
- A user changed the address of a vendor to route payments to himself.

These are only a few of the many, many security breaches that are easy to create.
8.0 Security and Task Views

- Roles: UDC (H95/RL)
- Task Views: F9000 tables
- Security: F00950 table
- Users: Group (User Revisions) -> Users

8.9 to 8.12 Security and Task Views

- Task Views: F9000 tables
- Security: F00950 table
- Users -> Roles: UDC (H95/RL)

Roles and Groups should be created such that, in the upgrade process, all of the groups are converted to Roles with minimal security changes. For example: Group = ARACCTG, Role = ARACCT.

Note: In 8.9 to 8.12, users can have multiple roles.
Case Study - Accounts Payable Group

- Discuss the steps for 8.x Security for the Accounts Payable group
- Task view design and security design
- Phased implementation
Step 1: Identify major business groups and processes

Accounts Payable Group:
- AP Clerk / Voucher Entry
- AP Manager / Admin
- AP Accountant / Check Writer

Step 2: Role definition
Step 3: Task view design

AP CLERK
- Speed Voucher Entry (P0411)
- Standard Voucher Entry (P0411)
- Company Search and Select (P0010S, indirect)
- Address Book Search and Select (P0101SL, indirect)
- Business Unit Search and Select (P0006S, indirect)
- GL Distribution Screen (P0901S, indirect)
Step 4: Task view implementation

The EnterpriseOne format (Main View) will be used as the standard model for implementing task views. For any given role, Fine Cut functionality will be used to enable or disable items according to that role's task view requirements.

JDE Task View -> AP Accountant, AP Manager, AP Clerk
Step 5: Security design

For ADS, the overall security is divided into three components:

- Control Layer: the applications every user needs in order to navigate and use the EnterpriseOne software.
- Required Layer: the applications a particular role needs to perform its business processes.
- Optional Layer: applications granted for one-off requirements beyond the required layer; most common for cross-functional users.
Step 6: Security implementation

1. Lock out *PUBLIC for *ALL: Run = N, Install = N.
2. Open up the control applications for *PUBLIC.
3. Open up the required applications based on role.
4. Open any optional applications, if applicable.
5. Also apply Business Unit or Company level security for each group/user.
Step 6: Security implementation (continued)

Program                        | Application | Version | Add | Delete | OK/Select | Copy | Row Exit | Form Exit | Report Exit
Speed Voucher Entry            | P0411SV     |         | Y   | Y      | Y         | Y    | N        | N         | N
Standard Voucher Entry         | P0411       |         | Y   | Y      | Y         | Y    | N        | N         | N
Recurring Voucher Entry        | P0411       |         | Y   | Y      | Y         | Y    | N        | N         | N
Recycle Recurring Voucher      | R048101     |         | Y   | Y      | Y         | Y    | N        | N         | N
Purchase Order Inquiry - Detail| P4310       |         | N   | N      | N         | N    | N        | N         | N
Open Orders Inquiry            | P4310       |         | N   | N      | N         | N    | N        | N         | N
Open Receipts by Supplier      | P43214      |         | Y   | Y      | Y         | Y    | N        | N         | N
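The following is an added example, not part of the original presentation, that models how the Step 5 layers and the Step 6 "All Doors Shut" sequence resolve for a signed-in user, including a user who holds more than one role (possible from 8.9 onward). The record shape (principal, object, Run, Install) mirrors what Security Workbench displays for application security in F00950; the lookup order (user/object, user/*ALL, role/object, role/*ALL, *PUBLIC/object, *PUBLIC/*ALL) and the rule that the role with the higher sequence number wins a conflict are simplified from the EnterpriseOne 8.9-8.12 documentation and should be confirmed against your release. Every record, user ID and role name below is constructed for illustration.

```python
"""Model of an "All Doors Shut" (default deny) application-security table.

Added example, not from the presentation. Assumptions are labelled in
comments: record layout, lookup order and role-sequence tie-break are
simplified from EnterpriseOne 8.9-8.12 behaviour; all data is constructed.
"""
from dataclasses import dataclass

PUBLIC = "*PUBLIC"
ALL = "*ALL"


@dataclass(frozen=True)
class AppSecurity:
    principal: str   # user ID, role name, or *PUBLIC
    obj: str         # application name such as P0411, or *ALL
    run: str         # 'Y' / 'N' (Run flag shown in Security Workbench)
    install: str     # 'Y' / 'N' (Install flag)


# Constructed table following Step 6: 1) lock out *PUBLIC *ALL, 2) open the
# control layer for *PUBLIC, 3) open the required layer per role,
# 4) a one-off optional grant at user level.
SECURITY = [
    AppSecurity(PUBLIC, ALL, "N", "N"),
    AppSecurity(PUBLIC, "P0010S", "Y", "N"),      # Company Search and Select
    AppSecurity(PUBLIC, "P0101SL", "Y", "N"),     # Address Book Search and Select
    AppSecurity(PUBLIC, "P0006S", "Y", "N"),      # Business Unit Search and Select
    AppSecurity(PUBLIC, "P0901S", "Y", "N"),      # GL Distribution
    AppSecurity("APCLERK", "P0411", "Y", "N"),    # Standard / Recurring Voucher Entry
    AppSecurity("APCLERK", "P0411SV", "Y", "N"),  # Speed Voucher Entry
    AppSecurity("APCLERK", "P4310", "N", "N"),    # explicit deny, as in the table above
    AppSecurity("APMGR", "P4310", "Y", "N"),      # manager may inquire on purchase orders
    AppSecurity("JDOE", "P43214", "Y", "N"),      # optional layer: user-level grant
]

# Role assignments with sequence numbers (assumed: higher sequence wins a conflict).
USER_ROLES = {
    "JDOE": {"APCLERK": 10},
    "ASMITH": {"APCLERK": 10, "APMGR": 20},
}


def find(security, principal, obj):
    """First record for (principal, object), or None."""
    return next((r for r in security if r.principal == principal and r.obj == obj), None)


def can_run(user, application, security=SECURITY, user_roles=USER_ROLES):
    """Return (allowed, reason) following the assumed precedence order."""
    for obj in (application, ALL):                        # user level first
        rec = find(security, user, obj)
        if rec:
            return rec.run == "Y", f"user record {user}/{obj}"
    roles = sorted(user_roles.get(user, {}).items(), key=lambda kv: kv[1], reverse=True)
    for obj in (application, ALL):                        # then role level
        for role, _seq in roles:                          # highest sequence first
            rec = find(security, role, obj)
            if rec:
                return rec.run == "Y", f"role record {role}/{obj}"
    for obj in (application, ALL):                        # then *PUBLIC
        rec = find(security, PUBLIC, obj)
        if rec:
            return rec.run == "Y", f"*PUBLIC record {obj}"
    # No record at all: EnterpriseOne leaves the object open, which is
    # exactly why step 1 (*PUBLIC *ALL = N N) must exist.
    return True, "no matching record: open by default (hence step 1)"


def audit_all_doors_shut(security):
    """Pre-go-live checks on the table itself. Returns a list of findings."""
    findings = []
    base = find(security, PUBLIC, ALL)
    if base is None:
        findings.append("missing *PUBLIC *ALL record: doors are open by default")
    elif base.run == "Y" or base.install == "Y":
        findings.append("*PUBLIC *ALL is not N N")
    for r in security:
        if r.obj == ALL and r.principal != PUBLIC and r.run == "Y":
            findings.append(f"{r.principal} has *ALL Run=Y: wide open at role/user level")
    return findings


if __name__ == "__main__":
    for user, app in [("JDOE", "P0411"), ("JDOE", "P4310"), ("ASMITH", "P4310"),
                      ("JDOE", "P0010S"), ("JDOE", "R048101"), ("NOBODY", "P0411")]:
        print(user, app, can_run(user, app))
    print(audit_all_doors_shut(SECURITY))
```

Two points the model makes visible: ASMITH can reach P4310 only because APMGR (sequence 20) outranks APCLERK (sequence 10), so reordering role sequences changes effective access without touching a single F00950 record; and removing the *PUBLIC *ALL record reopens every application that has no explicit record, which is what the audit function is there to catch.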
Step 7: Phased go-live

Reasons for a phased go-live:
- Risk mitigation
- Early wins in the implementation
- Solutions are tested on a smaller scale
- Problems are identified on a lower-risk platform

Methods for a phased go-live:
- Role-based
- Work-based (accounting, shipping)
- Geography-based (corporate, plant, floor)
- People-based (number of people)
8.9 to 8.12 Implementation Concepts

- Multiple role assignments to a user
- Sequenced go-live: create a second security table (F00950) and implement ADS in sequenced, controlled steps
- Implementation of the lock-down for IT staff
- Maintenance of multiple systems during go-live
- Help desk support cycle