
Page 1: Session ID 100190, SOD From Design to Cross Application Reporting (apps.questdirect.org/eweb/upload/CFP_Fil…, PPT file, Web view, 2017-07-13)

www.qsoftware.com ERP audit, security & efficiency

Segregation of Duties From Design to Cross Application Reporting

Carrie Curry, Senior Delivery Manager, Q Software

Eric Henderson, JDE Senior Security, Risk and Compliance Specialist, ErpX Security & Technology LLC

Page 2

Introductions

Eric is a Senior JD Edwards Security and Compliance Specialist with more than 14 years of experience specializing in the delivery of JDE security solutions, from assessments, design and configuration through system implementations. He has deep experience in executing and managing projects related to JDE user security, segregation of duties analysis, configuration and controls reviews, pre- and post-implementation reviews, and security and configuration implementations.

Eric has served clients in a number of industries, including Consumer Products, Construction and Engineering, Manufacturing, Media and Entertainment, Oil and Gas and related services, Real Estate, and Technology.

Page 3

Introductions

For the past 13 years, Carrie has worked with JD Edwards in various roles such as business process analyst, report specialist, systems analyst and ERP Security team lead. Her experience with JD Edwards and her in-progress CISA certification make her a unique authority on JD Edwards compliance topics. Carrie is currently a Senior Implementation Consultant for Q Software.

Carrie regularly provides training and implementation services to clients across North America. She has been sharing her passion for security with various presentations at InFocus and Collaborate. She is the founder and past president of the Quest JDE E1 Security SIG and is currently an active board member.

Page 4

Agenda

• Key Areas of Risk
• Drivers for Change
• Segregation of Duties Design
• Cross Application Segregation of Duties
• Reporting
• Questions

Page 5

Objectives

1. To highlight and discuss key areas of risk where fraudulent activity can occur

2. To share best practices and lessons learned in the design of segregation of duties

3. To discuss the importance of effective reporting when it comes to maintaining compliance, for both in-application and cross-application reporting

Page 6

Key Areas of Risk

“Risks are not isolated to one piece of the puzzle, rather they extend to a broader risk universe”

Three overlapping areas: Processes, Data, Technology

Technology • Infrastructure • Networks • Security • Disaster Recovery

Data • Conversion / validation • Data Governance • Reporting • Back up and Refresh

Processes • Requirements • Business Processes • Lifecycles • Controls • Interfaces

Page 7

Drivers for Change

1. Regulatory Compliance

Sarbanes-Oxley and other regulatory issues are forcing companies to increase their awareness of, and accountability for, their employees' actions within the company.

2. Security and Data Management

Recent privacy laws and the prosecution of security violations are bringing a new awareness to monitoring and controlling security and access to data within the organization.

Where the control has to hold:

Departments: Procurement vs Accounts Payable

Business Function: Procure to Pay

Manual Processes: Signature on paper

Systems / Application: JDE

Page 8

Getting Started

Identify Business Processes → Identify Risks or Conflicts → Design SOD Rule → Identify Systems

Worked example:

Business Process: Order to Cash

Conflict: Credit Approval & Sales Order Entry

Risk: Approve a credit increase and then enter a large sales order the customer cannot pay for

SOD Rule: Establish Credit Limits & Payment Terms VERSUS Enter Sales Order

System(s): JD Edwards

Page 9

Segregation of Duties: Matrix

Order To Cash

Enter customer order

Issue credit memos

Review and approve credit memos

Establish credit limits/payment terms

Override credit holds/approve overrides

Adjust inventory records

Maintain accounts receivable sub-ledger

Adjust inventory sub-ledger

Review and approve aged accounts receivable trial balance

Reconcile sub-ledger information

Post to the general ledger

Receive cash/remittance

Apply payments to customer accounts

Perform bank reconciliation

Enter write-offs of bad debt

Review and approve write-offs of bad debt

Maintain customer master file

Enter changes to price list

Matrix excerpt (the functions above form both the rows and the columns; an X marks a conflicting pair). Only the first row survived extraction: for the row "Enter customer order", the columns "Issue credit memos", "Review and approve credit memos" and "Override credit holds/approve overrides" are blank, and the column "Establish credit limits/payment terms" is marked X, which is the conflict used in the Order to Cash example above.

Page 10

Segregation of Duties: Details

Conflict: Credit Approval & Sales Order Entry

                 Credit Approval    Sales Order Entry
Base Objects     P03B305            P4210
Custom Objects   N/A                R554210
Versions         ZJDE0001           QSG0002

Page 11

Segregation of Duties: Process

Rules / Policies → Align Processes → Establish Enforcement → Mitigate → Monitor

Page 12

Considerations

• How does IT work with the business to identify segregation of duties issues?
• One application or multiple applications?
• Does the organization design roles in a way that creates inherent SOD issues?
• Does the organization take appropriate action when SOD conflicts are identified?
• Is GRC software currently used to effectively manage SOD risk?
• What sensitive data do we hold, and where does it reside?
• How well do we understand the privacy regulations that affect our business?
• Do users follow control procedures to address regulation?

Page 13

Cross Application Segregation of Duties

Access Associated with User Profiles: User Profiles ↔ Applications

Application A: JD Edwards; users: User A, User B; access granted through Role Access

Application B: Hyperion; users: User A, User B; access granted through Role Access
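The two slides above (the object-level rule detail on page 10 and the cross-application picture on page 13) describe a check that is easy to state and easy to get wrong in practice: a rule is only meaningful once each business function is tied to the application objects and versions that grant it, and a conflict can only be seen across applications once every account in every system is mapped back to one person. The script below is an added example, not part of the deck and not Q Software's product; it evaluates SOD rules over constructed role and account data for two applications. The JDE objects P03B305, P4210 and R554210 and the versions ZJDE0001 and QSG0002 are taken from page 10; P0911 (journal entries) is an assumed JDE object, the Hyperion object name, the role names, the account names and the second rule are all constructed, and the identity map stands in for whatever correlates accounts to people in a real GRC tool.

```python
from collections import defaultdict

# Added example: cross-application SOD rule evaluation (hypothetical data model).

# Business function -> application objects (object, version) that grant it.
# "*" means every version. P03B305/P4210/R554210 and the two versions are from
# the slide; P0911 is an assumed JDE object; the Hyperion object is constructed.
FUNCTIONS = {
    "Credit Approval": {"JDE": {("P03B305", "ZJDE0001")}},
    "Sales Order Entry": {"JDE": {("P4210", "QSG0002"), ("R554210", "*")}},
    "Enter Journal Entry": {"JDE": {("P0911", "*")}},
    "Approve Consolidation": {"Hyperion": {("HFM_CONSOL_APPROVE", "*")}},
}

# SOD rules: pairs of functions one person must not hold together.
RULES = [
    ("Credit Approval", "Sales Order Entry"),          # from page 8
    ("Enter Journal Entry", "Approve Consolidation"),  # constructed cross-app rule
]

# Role -> granted (object, version); "*" = all versions. Constructed data.
ROLES = {
    ("JDE", "AR_CREDIT"): {("P03B305", "ZJDE0001")},
    ("JDE", "SO_ENTRY"): {("P4210", "QSG0002")},
    ("JDE", "SO_ENTRY_STD"): {("P4210", "ZJDE0001")},   # standard version only
    ("JDE", "GL_CLERK"): {("P0911", "*")},
    ("Hyperion", "CONSOL_APPROVER"): {("HFM_CONSOL_APPROVE", "*")},
}

# Accounts per application -> roles, and the account -> person map that makes
# cross-application conflicts visible at all. Constructed data.
ACCOUNTS = {
    ("JDE", "AUSER01"): {"AR_CREDIT", "SO_ENTRY"},
    ("JDE", "BUSER02"): {"SO_ENTRY_STD", "GL_CLERK"},
    ("Hyperion", "buser"): {"CONSOL_APPROVER"},
    ("JDE", "CUSER03"): {"SO_ENTRY"},
}
IDENTITY = {
    ("JDE", "AUSER01"): "alice",
    ("JDE", "BUSER02"): "bob",
    ("Hyperion", "buser"): "bob",
    ("JDE", "CUSER03"): "carol",
}


def version_matches(rule_version, granted_version):
    """Either side may use '*' to mean every version of the object."""
    return "*" in (rule_version, granted_version) or rule_version == granted_version


def grants_by_person(accounts, roles, identity):
    """Collapse every account a person owns into (app, account, role, object, version) grants."""
    grants = defaultdict(list)
    for (app, account), role_names in accounts.items():
        person = identity.get((app, account))
        if person is None:
            # An account nobody is mapped to cannot be correlated; keep it visible.
            person = f"UNMAPPED:{app}/{account}"
        for role in sorted(role_names):
            for obj, version in roles.get((app, role), ()):
                grants[person].append((app, account, role, obj, version))
    return grants


def functions_held(person_grants, functions):
    """Return {function: [evidence grants]} for the functions a person's grants confer."""
    held = {}
    for fname, per_app in functions.items():
        evidence = [
            g for g in person_grants
            for obj, rule_version in per_app.get(g[0], ())
            if g[3] == obj and version_matches(rule_version, g[4])
        ]
        if evidence:
            held[fname] = evidence
    return held


def find_conflicts(rules=RULES, functions=FUNCTIONS, roles=ROLES,
                   accounts=ACCOUNTS, identity=IDENTITY):
    """Evaluate every SOD rule for every person, across all applications."""
    conflicts = []
    for person, grants in sorted(grants_by_person(accounts, roles, identity).items()):
        held = functions_held(grants, functions)
        for fa, fb in rules:
            if fa in held and fb in held:
                apps = {g[0] for g in held[fa] + held[fb]}
                conflicts.append({
                    "person": person,
                    "rule": (fa, fb),
                    "cross_application": len(apps) > 1,
                    "evidence": {fa: held[fa], fb: held[fb]},
                })
    return conflicts


if __name__ == "__main__":
    for c in find_conflicts():
        kind = "cross-app" if c["cross_application"] else "in-app"
        print(f"{c['person']}: {c['rule'][0]} vs {c['rule'][1]} ({kind})")
        for fname, ev in c["evidence"].items():
            for app, account, role, obj, version in ev:
                print(f"    {fname}: {app}/{account} role {role} -> {obj} {version}")
```

Two details carry the point of the slides. The rule for Sales Order Entry names version QSG0002 of P4210, so the constructed user holding only the standard ZJDE0001 version is not reported for that rule; a rule written at object level alone would have flagged them. And the second conflict only appears because the JDE account and the Hyperion account are mapped to the same person; an account with no identity mapping is reported under an UNMAPPED label instead of being silently dropped, since an uncorrelated account is itself a reporting gap.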

Page 14

Page 15

Reporting

Page 16

Questions?

Eric Henderson, JDE Senior Security, Risk and Compliance Specialist, ErpX Security & Technology LLC

[email protected]

Carrie Curry, Senior Delivery Manager, Q Software

[email protected]