XE and SOX Implementation

IanSewell

Has anyone here got JDE XE through a SOX audit?

We have just embarked on one (having been bought by the US arm of the company) and XE seems to be failing even the most simple SOX requirements for password provision. For instance not checking previous passwords, no auto expiring on set up and basic rules for password creation.

I know later versions have some of this but we are stuck with XE for the foreseeable (so telling me to upgrade is *not* helpful) and I am sure that someone out there has gone through this before and can give me some pointers.

Ian
 
XE is pre-SOX which means System limitations. Many companies have passed/are passing on XE. You need to work with internal Audit to implement reasonable controls according to your organization's risk tolerance. I would be more concerned over the Support running out soon… :)


Your JDE security administrator will need to work with your Audit team on the functional and technical side.
- Add/Change/Delete some roles.
- Draw up policies/procedures documents.
- Maybe create a few reports to review.
- Institute Reviews/signoffs – Quarterly/Annually.
- Institute SOD maybe using a 3rd party like QSOFT or ALLOUT.

It is really not that bad. Remember SOX is about proving you are doing what you say you do… :)
 
Hi Ian,

Sadly XE lacks the types of controls you need for SOX audits. For example you can't create a new password the same as the old one, but there is no legacy checking on older passwords in order to build the kind of reports I guess you are looking for.

Auto expire is on the P98OWSEC and you can set the password change frequency. Sadly this is not global so you have to do it by user.

It seems you are pretty stuck on the other points - sorry.

Thanks,
 
[ QUOTE ]
Has anyone here got JDE XE through a SOX audit?

We have just embarked on one (having been bought by the US arm of the company) and XE seems to be failing even the most simple SOX requirements for password provision. For instance not checking previous passwords, no auto expiring on set up and basic rules for password creation.

I know later versions have some of this but we are stuck with XE for the foreseeable (so telling me to upgrade is *not* helpful) and I am sure that someone out there has gone through this before and can give me some pointers.

Ian

[/ QUOTE ]

Ian

I did SOX support on XE a number of years. XE does not have the built in controls. Instead, you need to document your policies and procedures and then demonstrate that your company is following them. The auditors will pull a random sample and test that the policies and procedures are being followed.

What you will need to do is ensure that the policy is in place and then comb through the entire user database to make sure that all of the user ids are in compliance prior to your audit. If some are out of compliance, fix them and document the fixes.

During your audit, you will need to demonstrate your policies and fix any findings. Going forward, you will be audited at least once a year. You will need to show that there is a continued effort to comply with your policies. Do that, and you will pass that portion of the SOX audit.

- Gregg
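
The pre-audit sweep described in the post above, sketched as an added example that is not part of the original thread or any poster's code. It assumes the user security records have been exported to CSV; the column names, the sample rows and the 90-day policy value are all constructed for illustration and are not the real JDE table layout.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export; column names are hypothetical.
SAMPLE_EXPORT = """user_id,enabled,pwd_change_freq_days,last_pwd_change
JSMITH,Y,90,2024-05-01
APCLERK,Y,0,2023-11-15
MJONES,Y,180,2024-04-20
OLDUSER,N,0,2019-01-01
BWHITE,Y,60,2024-01-10
"""

MAX_FREQ_DAYS = 90  # assumed value from the written password policy


def audit_users(export_text, as_of, max_freq_days=MAX_FREQ_DAYS):
    """Return (user_id, finding) pairs for enabled users that are out of policy."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["enabled"].strip().upper() != "Y":
            continue  # disabled IDs are out of scope for this check
        user = row["user_id"].strip()
        try:
            freq = int(row["pwd_change_freq_days"])
            last = date.fromisoformat(row["last_pwd_change"].strip())
        except ValueError:
            findings.append((user, "unreadable record"))
            continue
        if freq <= 0:
            # The frequency is set per user, so an unset value is the likely gap.
            findings.append((user, "no password change frequency set"))
            continue
        if freq > max_freq_days:
            findings.append((user, f"frequency {freq}d exceeds policy {max_freq_days}d"))
        due = last + timedelta(days=freq)
        if as_of > due:
            findings.append((user, f"password overdue since {due}"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_users(SAMPLE_EXPORT, date(2024, 6, 1)):
        print(f"{user}: {finding}")
```

Keeping each run's output with the date it was produced gives the documented record of findings and fixes that the auditors will sample.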
 
Greg,

The main problem is that this company has no policies at the moment so having some of the features in XE would have been useful. I have done SOx audits before but only on World systems and all the features the audits want are basic ISeries features. I just wondered if XE had them.

Still that's the least of their worries as I know the JDE security will be a problem and no segregation of duties plus things like generic profiles will also cause problems. Good job I am only the temp :)


Ian
 
Hi Ian,

You are limited by P98OWSEC by the issues you mention - unless maybe you can use LDAP or similar - I don't know if that is compatible for your version.

Other than that, one of the main drivers of SOX is segregation of duties. To do this you really need to implement multiple *group assignments to users (so you can easily take away roles that breach SoD rules). I can help you with that if you are interested.
 