Segregation of Duties - Access to Migrate Changes to Prod

[Auditor Bob]

Hello all!

I've recently moved into a new role at my company and your assistance would be greatly appreciated, as it will help me make a great first impression on my new supervisor.

The company I am working for runs JDE and I have been tasked with auditing segregation of duties as it relates to change management. Specifically, I need to request, obtain, and review the proper evidence to prove that no users with access to perform development (make a change) can also move changes into the production environment.

Can you all please help me out by letting me know what pieces of documentation I should request, and then what I am specifically looking for?

I have an audit program that indicates that individuals with the System Administrator role can perform all functions and, thus, are in violation of SoD conflicts, but I don't understand how based on the documentation. This is for SOx, by the way, if that matters.

 

[CHo]

Hi. The first thing that comes to my mind is "Who has access to promote code to PD in OMW?" The promotion sequence should be from DV to PY to PD.

 

[Luke Phillips]

hi Bob,

I would suggest that you get a trial version of the software we have - free of charge - and do the audit that way. It will take approx 1 hour to implement.

If you prefer to do this manually, it is difficult (hence why we have a product) you need to get:
F0092 users and roles
F00950 security
F00926 role sequence
F0093 environments
F95921 role relationships

From experience:
If you havent got a 'deny all' in place you will have lots of breaches.
If you have a deny all but big roles with names like 'AP Clerk' those roles will create breaches (eg Vouchers and Payments).

Let me know if you want more information.

Cheers

 

[Ken Morris]

Hello all!

I've recently moved into a new role at my company and your assistance would be greatly appreciated, as it will help me make a great first impression on my new supervisor.

The company I am working for runs JDE and I have been tasked with auditing segregation of duties as it relates to change management. Specifically, I need to request, obtain, and review the proper evidence to prove that no users with access to perform development (make a change) can also move changes into the production environment.

Can you all please help me out by letting me know what pieces of documentation I should request, and then what I am specifically looking for?

I have an audit program that indicates that individuals with the System Administrator role can perform all functions and, thus, are in violation of SoD conflicts, but I don't understand how based on the documentation. This is for SOx, by the way, if that matters.

Auditor Bob, did you ever figure out how to complete the user access review in JDE?