ceenankooper
Member
I am in the process of performing an audit of a client that is running JDE as their main ERP. The client's IT department is small, and there is an individual who has privileged access at every layer of the system. They have an account with the CNC Admin role and they also keep the password for the named "JDE" account, which is part of the administrator group on the application server and has db_owner permissions on the SQL server. Based on our audit methodology, this presents a significant SOD conflict as the user could potentially develop and promote their own changes AND has the ability to directly modify any log which would capture such activity. Ordinarily, we would ask the client to perform a monitoring control whereby a user without an SOD conflict (but with sufficient knowledge) reviews the activity and ensures that it followed the change management process. However, because the individual has direct data access at the SQL level, we determined that we would not be able to rely on the log. After many conversations with the client, we have not been able to produce any suitable log which would be outside the reach of the individual in question.
The client has responded that it is impossible to avoid such a finding in any JDE environment as SOMEONE will always have access to the "JDE" account. I have searched for answers within the Oracle support documents (as well as on this forum) and cannot seem to find what I'm looking for. The client (and their former auditor) have asserted that such elevated access is routine in JDE environments, and since the individual with the SOD conflicts does not perform development as part of her job (and does not know how to) there is no problem with this access.
I am not a JDE expert by ANY measure: I have passed my CISA exam and have several years of experience in performing both IT and financial audits. My instinct and methodology lead me to believe that there IS an issue (specifically: the individual in question could create a phony vendor and pay themselves, or make changes to the system's functionality and circumvent any attempt at logging such changes). The client's response does not give me the warm and fuzzies, but I do not have the expertise to say that they are wrong.
Am I overthinking this? Is it really normal for somebody to have carte blanche in a system because they have CNC Admin access and know the password for the JDE account? How have you dealt with auditors in similar situations?