Achieving Compliance with JD Edwards EnterpriseOne

An Oracle White Paper Written in Collaboration with Q Software Global Ltd.

April 2007



PURPOSE STATEMENT

This document is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle. Updates and enhancements are provided in accordance with Oracle’s Technical Support Policies at: www.oracle.com/support/collateral/oracle-technical-support-policies.pdf


INTRODUCTION
COMPLIANCE FUNDAMENTALS
  COSO Framework
  Sarbanes-Oxley Act
  Small and Medium Businesses and Internal Controls
  Public Sector Requirements for Internal Controls
  Supply Chain Management and Compliance
  Penalties and Fines
COMPLIANCE AND JD EDWARDS ENTERPRISEONE
  Compliance Highlights by Release
  Compliance Capabilities in JD Edwards EnterpriseOne Today
    Systems-Based Internal Controls
    Automated Processes
    Foundation Calendar
    Data Change Tracker
    Additional Internal Controls
ENHANCING ERP SYSTEM COMPLIANCE WITH Q SOFTWARE
  Issue 1: Security and Compliance
  Issue 2: Roles Management and Compliance
CONCLUSIONS
ABOUT Q SOFTWARE
ACRONYMS AND ABBREVIATIONS
ACKNOWLEDGEMENTS


INTRODUCTION

The USA financial compliance law Sarbanes-Oxley has heightened focus on controlling operations beyond traditional accounting controls. There are many features available within JD Edwards EnterpriseOne that assist small, medium and large organizations, including private and public companies and non-profit, public sector organizations, with compliance not just with Sarbanes-Oxley but with the growing plethora of regulations either in place or evolving in countries across the globe. This paper highlights features available today in JD Edwards EnterpriseOne that can be used to meet a wide variety of financial compliance situations in the USA and elsewhere for private and public enterprises of any size.

There are also compliance scenarios that require additional capabilities to enhance, improve and simplify security and role management with respect to a variety of financial compliance requirements and processes. This paper explores how JD Edwards EnterpriseOne works with a third-party software solution to provide complementary and additional financial compliance solutions that may be appropriate to incorporate into your JD Edwards EnterpriseOne implementation.

Specific issues addressed in this paper include:

• The fundamentals of financial compliance, including legal requirements that are complementary and additive to Sarbanes-Oxley;
• Compliance capability highlights of JD Edwards EnterpriseOne releases;
• The implications of compliance for supply chain management activities;
• The effects of associated and hidden programs and how to include them in your security model;
• How to effectively manage the sheer volume of objects to be secured and maintained;
• How to overcome the challenges of managing multiple roles, including the unexpected security that can result from sequence manager;
• How to integrate your segregation of duties policy into JD Edwards EnterpriseOne to enforce your compliance policies;
• How to provide the security audit reports required by your auditor.

There are many financial compliance capabilities available today in JD Edwards EnterpriseOne that can be used to meet Sarbanes-Oxley and other legal requirements both within and outside the USA. Q Software is a third-party software solution that integrates with JD Edwards EnterpriseOne to add complementary capabilities that enhance your compliance activities.


COMPLIANCE FUNDAMENTALS

COSO Framework

The COSO framework for internal control is provided by the Committee of Sponsoring Organizations of the Treadway Commission [1]. This organization is a voluntary, private sector group dedicated to improving the quality of financial reporting. Its framework is an effective standard for establishing an internal control system. The system can be tailored completely to the specific business requirements of the customer and should assist with the evaluation of internal control systems.

The COSO framework strives to achieve objectives in the categories of:

• Operational effectiveness
• Reliable financial reporting
• Compliance with regulations

There are five main components of internal control needed to meet these objectives:

1. Monitoring

2. Information and communication

3. Control activities

4. Risk assessment

5. Control environment

[1] COSO is a voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance.

COSO was originally formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private sector initiative which studied the causal factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, for the SEC and other regulators, and for educational institutions.

The National Commission was jointly sponsored by five major professional associations in the United States, the American Accounting Association, the American Institute of Certified Public Accountants, Financial Executives International, The Institute of Internal Auditors, and the National Association of Accountants (now the Institute of Management Accountants). The Commission was wholly independent of each of the sponsoring organizations, and contained representatives from industry, public accounting, investment firms, and the New York Stock Exchange.

The Chairman of the National Commission was James C. Treadway, Jr., Executive Vice President and General Counsel, Paine Webber Incorporated and a former Commissioner of the US Securities and Exchange Commission. (Hence, the popular name "Treadway Commission")


Each component is relevant to each objective category. All five components must be present and functioning properly for each objective area. The five components therefore form a process, not a single static event; internal control is a process, not a “snapshot” situation. The objectives of the COSO framework are to provide assurance that you will achieve:

• Reliability in financial reporting
• Effectiveness and efficiency of operations
• Compliance with appropriate and applicable laws and regulations

What is required to build an effective compliance program to leverage the COSO framework? Oracle has identified four major requirements.

1. Systems-based internal (automated) controls

2. Automated processes – the goal is “the less human interaction the better” because that means a reduction in the opportunities for data entry errors and for fraud. Separation of duties is key here.

3. Consistent documentation – provide a single version of the truth between system functionality, documentation, and the way you actually run your business.

4. Ongoing control and monitoring of the internal control framework

Sarbanes-Oxley Act

The increasing plethora of legislation, not just on corporate governance but also covering various data privacy requirements, places more emphasis on the business need for effective corporate governance (Table 1 lists regulatory highlights of the law). In particular, four sections of the Sarbanes-Oxley Act [2] are relevant for many JD Edwards EnterpriseOne customers:

Section 202 – System Testing: Section 202 requires you to perform regular testing, at least quarterly. Many companies go beyond this and carry out on-going round the year testing.

Section 401 – Off Balance Sheet Obligations: This section typically concerns inventory and supply chain activities but also involves capital assets (including equipment and buildings).

Section 404 – Internal Controls: Section 404 states that company officers have to testify as to the effectiveness of your controls. Ignorance of exposures is no longer an excuse, as officers can still be prosecuted if they have failed to take positive action. This section often receives the most public visibility.

Section 409 – Timely Reporting of Material Events: Many events, including supply chain problems or changes, could be considered a material event if financial performance is impacted.

[2] The Sarbanes-Oxley Act of 2002 – Public Law No. 107-204, 116 Stat. 745, also known as the Public Company Accounting Reform and Investor Protection Act of 2002 and commonly called SOx or Sarbox, was passed by the USA Congress on July 30, 2002.

“Sarbanes-Oxley is essential in restoring investor confidence by providing transparency in financial reporting”

USA Securities and Exchange Commission (SEC) Chairman

Following passage of Sarbanes-Oxley in the USA, corporate governance laws were passed around the world and soon other data privacy laws were introduced in different countries. Examples are listed in Table 2.

These compliance and privacy laws are bringing more companies under corporate governance regulations that affect day-to-day ERP software implementations of business processes and rules.

When your auditors visit they will typically focus on segregation of duties as their number one target. However, you should not be applying controls merely because the law says you should; you should do so anyway, as it makes sound business sense to apply effective business controls.

For example, a firm that manufactures semiconductor chips does not wait until the end of the production line to look for defects in its microchips. It looks at each step along the process. The manufacturer would much rather find a flaw in a silicon wafer before it has burned in all the circuitry. It is a lot cheaper to throw away that faulty wafer than to invest time and production cycles in a defective final product.

Financial compliance is not just an American issue with Sarbanes-Oxley. Countries across the globe are adopting similar and complementary regulations.

Table 1. Primary Requirements of the Sarbanes-Oxley Act

• Creation of the Public Company Accounting Oversight Board (PCAOB)
• Public companies must evaluate and disclose the effectiveness of their internal controls as they relate to financial reporting, and independent auditors for such companies must "attest" (i.e., agree, or qualify) to such disclosure
• Certification of financial reports by chief executive officers and chief financial officers
• Enhanced criminal and civil penalties for violations of securities law
• Significantly longer maximum jail sentences and larger fines for corporate executives who knowingly and willfully misstate financial statements, although maximum sentences are largely irrelevant because judges generally follow the Federal Sentencing Guidelines in setting actual sentences
• Auditor independence, including outright bans on certain types of work for audit clients and pre-certification by the company's audit committee of all other non-audit work
• A requirement that companies listed on stock exchanges have fully independent audit committees that oversee the relationship between the company and its auditor
• Ban on most personal loans to any executive officer or director
• Accelerated reporting of insider trading
• Prohibition on insider trades during pension fund blackout periods
• Employee protections allowing those corporate fraud whistleblowers who file complaints with OSHA within 90 days to win reinstatement, back pay and benefits, compensatory damages, abatement orders, and reasonable attorney fees and costs.


Companies should apply that same mentality to their financial processes. Look for errors and defects throughout the process to minimize correction costs and downstream impact.

Table 2. Select Countries with Sarbanes-Oxley Type Legislation [3]

Country | Name of Legislation | Year Enacted
Argentina | Business Companies Law | 1972, 1983
Armenia | Law on Joint Stock Companies | 2001
Australia | ASX Listing Rules; Corporations Act 2001 (including CLERP 9 Amendments) | 2001, 2003
Brazil | Recomendacoes sobre Governanca Corporativa | 2002
Canada | Multi-lateral Instrument 52-109 | –
China | Company Law | 1993, 1999
Colombia | Financial Framework Law 25, expanded with Resolution 25 | 1993, 2001
European Union | Directive on Statutory Audit | –
France | Bouton Report; Loi de Securite Financiere | 2002
Germany | Cromme Code; KonTraG – Law for Control and Transparency and the German Code of Corporate Governance | 2003
Hong Kong | Hong Kong Code of Corporate Governance Practices | 2005
India | Report of the Naresh Chandra Committee on Corporate Audit & Governance; Narayana Murthy Committee Report | 2002, 2003
Japan | Revised Corporate Governance Principles | 2001
Netherlands | Corporate Governance Code of Conduct | 2004
New Zealand | NZX Listing Rules and Best Practices Code | 2003
Philippines | Code of Corporate Governance | 2002
Russia | Corporate Governance Code | 2002
South Africa | King Report (1) and King Report (2) on Corporate Governance | 1994, 2002
Spain | Olivencia Code & Aldama Reports | 1998, 2003
Sri Lanka | Code of Best Practice for Audit Committees; Code of Best Practice on Corporate Governance | 2002, 2003
Turkey | TUSIAD & Corporate Governance Principles | 2002, 2003
United Kingdom | Combined Code; Turnbull Report; The Companies Bill of 2004 | 2003
Ukraine | National Principles of Corporate Governance, Securities and Stock Market State Commission | 2002
USA | Sarbanes-Oxley Act | 2002

[3] Compiled from various sources.

Small and Medium Businesses and Internal Controls

Many small and medium sized businesses believe they have no need for business controls as they are not bound by Sarbanes-Oxley or other legislation. Increasingly, however, public sector bodies and larger organizations require their suppliers to implement effective governance. Smaller companies will lose out on business if they fail to implement adequate controls.

Regardless of legislation or contractual requirements, businesses should implement effective controls because it makes sound business sense. Imagine these scenarios:

1. In your small business you come to the office Monday morning to discover that your assistant has been using one of your clients’ credit card data to indulge in a wild shopping spree.

2. Your accounts payable clerk has been double paying invoices for services from his brother-in-law’s company, and between them they now have enough money for a lavish lifestyle.

These types of fraud happen in small, medium and large businesses every day because of poor basic internal controls.

According to research carried out by KPMG, 75 percent of US companies surveyed admitted to suffering fraud, mainly due to inadequate internal controls. This is not just an issue for companies operating in the USA [4]. The PricewaterhouseCoopers Global Economic Crime Survey shows that 45 percent of companies worldwide admitted to fraud, and these frauds were generally uncovered by chance, not through adequate business controls [5].

Generally there are two categories of internal control:

1. Detective: Detective controls detect errors after they have occurred;

2. Preventative: Preventative controls seek to prevent errors from happening in the first place.

[4] KPMG Fraud Survey, December 2003.

[5] PricewaterhouseCoopers’ Global Economic Crime Survey, 2005.

Financial compliance is not just a large company issue. Small and medium businesses, public or private, need to be concerned about Sarbanes-Oxley and other regulations.


Public Sector Requirements for Internal Controls

The BoardSource report on the Sarbanes-Oxley Act and its implications for nonprofit organizations notes [6]:

“[Sarbanes-Oxley] has forced the non-profit sector to analyze its board practices and methods of operation. Individual organizations have begun to identify loopholes — and figure out how to eliminate them. Watchdog agencies and other nonprofit field-building organizations are reconsidering assumptions and standard operating procedures in an effort to identify guidelines, standards, and best practices in the sector.

“While no standard guidelines mandate when a nonprofit organization should undertake a full audit, the board is responsible for assessing the potential benefits and costs of an audit. Generally, nonprofits that have budgets of more than $500,000 and that receive federal funds are required to conduct an annual audit. Some state laws have lower thresholds.

“In addition, participating in the Combined Federal Campaign requires an audit at $100,000. Smaller non-profits, for whom an audit would be an unreasonable financial burden, should choose a review or at least have their financial statements compiled by a professional accountant. The boards of non-profit organizations that forego an audit should evaluate that decision periodically.”

Supply Chain Management and Compliance

Since Sarbanes-Oxley was enacted in the United States, the issue of compliance has become more than just a concern for executive management, financial management and auditors [7]. How your supply chain is managed also affects your company’s ability to meet many compliance regulations. Three sections of Sarbanes-Oxley in particular have direct implications for supply chain management and subsequent reporting to company compliance and financial officers:

1. Section 401 (Off Balance Sheet Obligations). If supply chain agreements create a financial obligation for your company then compliance activities should be considered. Examples include:

a. Vendor Managed Inventory (VMI);

b. Long term purchase agreements with penalty clauses;

c. Lease agreements with financial impact if the lease is terminated;

[6] For further information see “The Sarbanes-Oxley Act and Implications for Nonprofit Organizations”, 2003, BoardSource and Independent Sector (www.boardsource.org and www.IndependentSector.org).

[7] “Sarbanes-Oxley Impact on Supply Chain Management”, Robert J. Engel CPM, Resources Global Professionals (SCM Practice), [email protected]. Presented at the 91st Annual International Supply Management Conference (May 2006).

Public and non-profit enterprises are incorporating financial compliance processes and practices for a variety of practical and legal reasons.


d. Letters of intent for long term or long lead time production schedules that have a cancellation clause with financial impact (this could also be construed as an off balance sheet transaction)

2. Section 404 (Internal Controls). For supply chain managers this section concerns four key supply chain activities:

a. Inventory and inventory write-offs. Material must be present when it is booked as a financial asset. Material value must also be properly represented and if it has changed value for whatever reason (including obsolescence or deterioration) the new value must be entered. Inventory that is not properly recorded into the company’s financial system can generate financial transparency problems;

b. Material transfers. Material movements must be booked and accurately recorded;

c. After the fact purchase orders. Purchase orders should not be created after a purchasing event has occurred if it is done to circumvent an established process or policy;

d. Segregation of duties. In this context, supply chain management must ensure that assets are safeguarded and that only individuals authorized by policy or procedure engage goods and services providers. For supply chain management this typically requires segregation of duties, with corresponding policies, for:

• Receiving
• Order placement
• Invoice processing
• Vendor master or supplier establishment

3. Section 409 (Timely Reporting of Events). There are specific supply chain events that can have compliance implications. Since Sarbanes-Oxley does not provide specific guidelines on what constitutes a material event under this section, many companies are including activities beyond typical financial situations including late supplier deliveries that could cause production problems and in turn delay shipment of revenue producing products, and problems at out-sourced goods or services providers that will negatively impact revenue.

Penalties and Fines

Sarbanes-Oxley also provides for significant penalties if compliance failure occurs. Established fines and penalties for each offense include:

• Fines of $15 million
• Prison terms of up to 25 years


COMPLIANCE AND JD EDWARDS ENTERPRISEONE

Compliance Highlights by Release

Release 8.9: Release 8.9 introduced support for 21 CFR Part 11 to enable life sciences companies to comply with FDA regulations for auditing and signatures (aka signature tracking). Life sciences companies also use the enhanced lot control feature, which provides up to eleven lot control dates, such as best before, sell by, and user-defined dates (e.g., lot agitation).

Release 8.9 also affords much more control over the commitment of lots for shipping. For example you can set the system up so that you never ship a lot with an older best by (or sell by date) than the last lot you shipped to that specific customer. The ability to track products by lot can also be important for life science and other industries.

Release 8.9 and Release 8.10 [8]: These releases provide the opportunity to integrate with PeopleSoft Internal Controls Enforcer, which provides the following capabilities:

• Powerful diagnostics, dashboards and reporting for real-time compliance monitoring
• An integrated, user-centered compliance and performance environment
• Snapshot of risk assessment and control status
• Sub-process and departmental accountability
• Surveys to monitor manual controls
• Version control, edit and comment tracking, time and user stamping
• Central document repository for supporting materials
• Pre-built diagnostics
• Continuous monitoring
• Proactive alerts of system changes
• Third-party applications can also be linked

Release 8.11: Release 8.11 compliance enhancements were directed toward:

• Continuous monitoring of key financial data through scorecards
• Scheduling and management of compliance activities
• Notifications via workflow

These increase control and insight into business processes and improve the documentation of controls by:

• Creating a single version of "the truth" between documentation and actual system-based business processes;
• Streamlining process and control point documentation;
• Improving the efficiency of the compliance process.

[8] Release 8.9 needs an ESU to include these capabilities; for Release 8.10 these features are effective with Update 11.

Release 8.12: With JD Edwards EnterpriseOne 8.12 organizations can enhance compliance with:

Compliance Innovations: Financial accountability and compliance with regulations for public and private businesses is a growing concern. Release 8.12 provides an integrated architecture with dashboard tools, which allows you to easily generate compliance and financial data across your organization - and drastically reduce errors that can occur when working with non-integrated data from disparate systems. Specifically, JD Edwards EnterpriseOne Tools 8.96 includes enhancements that help Oracle's customers deal with security, audit and compliance requirements.

Attachment Security: When adding attachments (aka media object) to a transaction, the attachments are often a supporting document that should never be changed, even by the person who originally attached it. This enhancement allows an attachment to be permanently attached, preventing modification or deletion after the transaction is committed.

Security Reports: This enhancement provides customers the ability to report which users have access to JD Edwards EnterpriseOne applications, UBEs, and tables, and what level of access the user ID or role is granted. The report can be filtered by an object, system code, or object type for any user or role combination. A programmable interface will also be provided for development of custom reports.

Selective Auditing: Before this enhancement, when a column of a table was marked to have its changes tracked in the audit trail, any change to any marked column would trigger the audit record. With this enhancement, customers have the ability to select which columns trigger an audit record and which columns will be added as information into the audit record without triggering an audit.
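As an added illustration of the selective auditing rule just described (columns that trigger an audit record versus columns that are only captured as information), the Python below is not JD Edwards EnterpriseOne code; the table name, column names, row values and audit record layout are constructed for the example, and a selective=False switch reproduces the pre-enhancement behaviour for comparison.

```python
"""Selective column auditing: trigger columns vs. information-only columns.

Added example, not JD Edwards EnterpriseOne code.  The table name, column
names, row values and audit record layout are constructed for illustration.
"""
from datetime import datetime, timezone

# Constructed audit configuration for a hypothetical supplier master table.
AUDIT_CONFIG = {
    "F_SUPPLIER_MASTER": {
        # A change to any of these columns writes an audit record.
        "trigger": {"BANK_ACCOUNT", "PAYMENT_TERMS"},
        # These are copied into the record for context only; a change to
        # them alone does not write a record (the selective auditing rule).
        "info": {"SUPPLIER_ID", "SUPPLIER_NAME"},
    }
}

# Constructed "before" image of one supplier row.
SAMPLE_OLD = {
    "SUPPLIER_ID": 4711,
    "SUPPLIER_NAME": "Acme Ltd",
    "BANK_ACCOUNT": "ACCT-001",
    "PAYMENT_TERMS": "NET30",
    "PHONE": "555-0100",
}
FIXED_TIME = datetime(2007, 4, 1, tzinfo=timezone.utc)  # deterministic timestamp


def changed_columns(old_row, new_row):
    """Columns whose value differs between the before and after row images."""
    return {c for c in set(old_row) | set(new_row) if old_row.get(c) != new_row.get(c)}


def audit_record(table, old_row, new_row, user, config=AUDIT_CONFIG,
                 selective=True, now=None):
    """Return the audit record to write, or None when no record is due.

    selective=True  : only changes to trigger columns fire (the enhancement).
    selective=False : any change to any marked column fires (pre-enhancement).
    Unmarked columns (e.g. PHONE) never fire under either rule.
    """
    cfg = config[table]
    marked = cfg["trigger"] | cfg["info"]
    firing = changed_columns(old_row, new_row) & (cfg["trigger"] if selective else marked)
    if not firing:
        return None
    return {
        "table": table,
        "user": user,
        "timestamp": (now or datetime.now(timezone.utc)).isoformat(),
        # Old/new values of the columns that caused the record.
        "changes": {c: (old_row.get(c), new_row.get(c)) for c in sorted(firing)},
        # Information-only columns, captured so the record is self-describing.
        "context": {c: new_row.get(c) for c in sorted(cfg["info"])},
    }


def demo():
    """Run three constructed updates under both auditing rules."""
    name_only = dict(SAMPLE_OLD, SUPPLIER_NAME="Acme Limited")
    bank_change = dict(SAMPLE_OLD, BANK_ACCOUNT="ACCT-999")
    phone_change = dict(SAMPLE_OLD, PHONE="555-0199")
    table, user = "F_SUPPLIER_MASTER", "ap_clerk"
    return {
        "name_only_selective": audit_record(table, SAMPLE_OLD, name_only, user, now=FIXED_TIME),
        "name_only_legacy": audit_record(table, SAMPLE_OLD, name_only, user,
                                         selective=False, now=FIXED_TIME),
        "bank_change": audit_record(table, SAMPLE_OLD, bank_change, user, now=FIXED_TIME),
        "phone_change": audit_record(table, SAMPLE_OLD, phone_change, user, now=FIXED_TIME),
    }


if __name__ == "__main__":
    for case, record in demo().items():
        print(case, "->", "no audit record" if record is None else record)
```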

Country Specific: Oracle protects customers’ software investment with respect to changing statutory and local business requirements through localization support. Statutory updates for localized offerings for JD Edwards EnterpriseOne are supported for the countries listed in Table 3 [9].

[9] This table is subject to change without notice; for an up to date list check www.oracle.com/applications/jdedwards-enterpriseone-country-support.html


Table 3. Countries Supported with Localization

Argentina, Australia, Austria, Belgium, Brazil, Canada, Chile, China, Colombia, Czech Republic, Denmark, Ecuador, Finland, France, Germany, Hungary, India, Ireland, Italy, Japan, Mexico, Netherlands, New Zealand, Norway, Peru, Poland, Russia, Singapore, Spain, Sweden, Switzerland, United Kingdom, Venezuela


Compliance Capabilities in JD Edwards EnterpriseOne Today

Systems-Based Internal Controls

Application Security: Arguably one of the most important areas of internal controls. Application security plays a key role in enforcing segregation of duties and therefore preventing fraud. For example, it ensures that the person who creates a purchase order will not be allowed to also approve the requisition.
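The segregation of duties that application security enforces here, and the supply chain duties the Section 404 discussion lists (receiving, order placement, invoice processing, vendor master setup), can be checked mechanically against role assignments. The Python below is an added example, not JD Edwards EnterpriseOne or Q Software code; the rule ids, role names, function names and users are constructed, and it goes one step beyond the text by adding a preventive check for a proposed role grant, since conflicts usually appear only when a user accumulates several roles.

```python
"""Segregation-of-duties (SoD) conflict detection over ERP role assignments.

Added example, not JD Edwards EnterpriseOne or Q Software code.  Rule ids,
role names, function names and users are constructed for illustration; the
conflict pairs mirror the supply chain duties named in the paper.
"""

# Constructed SoD policy: no single person may hold both functions of a pair.
SOD_RULES = {
    "SOD-01": ("create_purchase_order", "approve_purchase_order"),
    "SOD-02": ("order_placement", "receiving"),
    "SOD-03": ("receiving", "invoice_processing"),
    "SOD-04": ("vendor_master_setup", "invoice_processing"),
    "SOD-05": ("vendor_master_setup", "order_placement"),
}

# Constructed role -> functions map (what each ERP role is allowed to do).
ROLE_FUNCTIONS = {
    "BUYER": {"create_purchase_order", "order_placement"},
    "PO_APPROVER": {"approve_purchase_order"},
    "WAREHOUSE": {"receiving"},
    "AP_CLERK": {"invoice_processing"},
    "VENDOR_ADMIN": {"vendor_master_setup"},
}

# Constructed user -> roles assignment.  A user with several roles gets the
# union of their functions, which is where most conflicts come from.
USER_ROLES = {
    "alice": ["BUYER"],
    "bob": ["BUYER", "PO_APPROVER"],
    "carol": ["WAREHOUSE", "AP_CLERK"],
    "dave": ["VENDOR_ADMIN"],
}


def effective_functions(user, user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS):
    """Union of the functions granted through every role the user holds."""
    funcs = set()
    for role in user_roles.get(user, []):
        funcs |= role_functions.get(role, set())
    return funcs


def user_conflicts(user, user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS,
                   rules=SOD_RULES):
    """Detective control: list (rule_id, func_a, func_b) for every rule violated."""
    funcs = effective_functions(user, user_roles, role_functions)
    return [(rule_id, a, b) for rule_id, (a, b) in sorted(rules.items())
            if a in funcs and b in funcs]


def conflict_report(user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS,
                    rules=SOD_RULES):
    """Audit-style report: every violating user mapped to the rules violated."""
    report = {}
    for user in sorted(user_roles):
        hits = user_conflicts(user, user_roles, role_functions, rules)
        if hits:
            report[user] = hits
    return report


def would_conflict(user, new_role, user_roles=USER_ROLES,
                   role_functions=ROLE_FUNCTIONS, rules=SOD_RULES):
    """Preventive control: rules that granting new_role would newly violate.

    Run this before a role is added so the conflict never reaches production;
    existing violations are excluded so only the new exposure is reported.
    """
    before = set(user_conflicts(user, user_roles, role_functions, rules))
    trial = dict(user_roles)
    trial[user] = list(user_roles.get(user, [])) + [new_role]
    after = set(user_conflicts(user, trial, role_functions, rules))
    return sorted(after - before)


if __name__ == "__main__":
    for who, hits in conflict_report().items():
        for rule_id, a, b in hits:
            print(f"{who}: {rule_id} violated ({a} + {b})")
    print("dave + AP_CLERK ->", would_conflict("dave", "AP_CLERK"))
```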

Processing Options: Processing options control the flow of business processes within the system. For example, a processing option can be set within the sales order entry application to prevent changes in an order after a particular predefined status has been reached, such as after inventory has shipped. Processing options can vary based on individual user roles which permits flexibility and tight control of the system.

System Constants: System constants provide system-wide control of the way an application works, regardless of individual user roles. For example, a system constant can be used if a company wants to control posting of journal entries into a prior closed period, no matter who in the organization initiates the transaction. The system constant can be set to allow the posting and show a warning, or to disallow the posting.

Cash Forecasting: JD Edwards EnterpriseOne cash forecasting helps your company project, or forecast, future cash requirements and effectively manage your cash accounts. With cash forecasting, you can analyze one or more bank accounts and forecast your cash position daily or periodically based on a date horizon. This enhancement provides functionality such as:

A rules based system;

Cash flow forecasts that can include general ledger, accounts receivable and accounts payable transactions;

Functionality to assign weighting factors to different types of transactions;

Capability to include or exclude past due documents in calculations;

An inquiry screen to display results and produce hard copy reports.

Cash Statements: International Accounting Standards require companies to present a cash flow statement that shows the historical changes in cash and cash equivalents during a specified period of operations for a company.11 They further require that you classify cash flows that result from the following categories:

11 See standard no. 7.


Operating: Cash flow from principal revenue-producing activities, such as cash receipts from the sale of goods and services, and other activities that are not investing or financing activities

Investing: Cash flow from the acquisition and disposal of long term assets and other investments that are not included in cash equivalents

Financing: Cash flow from changes in the size and composition of the equity capital and borrowings

If amounts on the statement of cash flow report are out of balance, an error message prints at the end of the report. The out-of-balance condition occurs when the difference between beginning and ending cash and cash equivalents is not equal to the net increase or decrease in cash and cash equivalents.

Integrity Reports: Integrity reports supplement internal procedures by helping companies locate any data inconsistencies. These reports can be run between multiple applications as well as within the general ledger itself, helping to ensure data integrity throughout the enterprise.

Integrated Postings: JD Edwards EnterpriseOne Financial Management software has built-in integration with other JD Edwards EnterpriseOne applications and functions listed in Table 4. Entries into these applications are automatically posted to the general ledger, providing enterprise-wide data integrity.

Table 4. Integrated Postings to Other JD Edwards EnterpriseOne Modules and Functionality

Accounts Payable; Accounts Receivable; Advanced Pricing; Advanced Stock Valuation; Bulk Stock Management; Customer Service; Demand Flow Manufacturing; Fixed Assets; Homebuilder Management; Inventory Management; License Plating; Load and Delivery Management; Localizations; Manufacturing – PDM; Manufacturing – Shop Floor; Preventive Maintenance; Project Costing; Real Estate Management; Sales Order Management; Time and Labor; Work Order Completion


Automated Processes

Process Modeler: The first step in automating processes is to understand them. Process Modeler is a tool that allows you to visualize, understand, document, and easily change your business processes (see the example in Figure 1). This can be done easily by using the software’s drag-and-drop functionality. You are not starting from scratch: Process Modeler comes standard with hundreds of business processes that are based on industry best practices. These provide an ideal starting point for companies to create their own processes, either by customizing the pre-built ones or by using them as models to build their own from the ground up.

The Process Modeler goes beyond a standard Microsoft Visio-type tool. It gives you the ability to re-use objects and “click through” an object to associated sub-objects. It was built from the ground up to meet the requirements of hard-core enterprise-level business process modeling.

Workflow: JD Edwards EnterpriseOne offers workflow management functionality for the paper-based tasks that typically beleaguer attempts to automate processes. Workflow enables you to implement internal controls by using user-defined rules, routes, and roles. For example, you can use workflow to automate business processes by establishing how tasks are passed from one employee to another for action. Workflow can be utilized to manage transactions and notify users when Key Performance Indicators (KPI) are at risk.

Figure 1. Process Modeler in JD Edwards EnterpriseOne


Foundation Calendar

The Foundation Calendar provides core calendaring functionality which is directly integrated with JD Edwards EnterpriseOne products. The calendar is designed to track activities, tasks, and events across a variety of entities including people, companies, and branch plants. Each calendar created can have a defined work day and work week.

Activities can be assigned to the calendar directly using calendaring application or automatically by linking calendar entries to specific activities within the system workflow. In addition to scheduling meetings, events, and tasks, the calendar can also be used to schedule resources by assigning users to an activity.

The JD Edwards EnterpriseOne Calendar can be synced directly with Lotus Notes and Microsoft Outlook, giving you a connection between the JD Edwards EnterpriseOne system and the time management systems people are comfortable using. The calendar can also be configured to send alarms to users for activity notification purposes.

The calendaring functionality will provide for monitoring of internal controls defined within the workflow functionality. Based upon the configuration of workflow, an email notification can be sent and a calendar entry can be created when a specific event occurs. In addition, calendar entries can be created directly using the tool to track activities as defined by the Sarbanes-Oxley compliance team within an organization.

Data Change Tracker

Data Change Tracker functionality was created to address concerns about 21 CFR Part 11 within the life sciences industry.12, 13 This regulation outlines its criteria for acceptance of electronic records, electronic signatures, and handwritten signatures. It allows electronic records to be considered equivalent to paper records and handwritten signatures.

The Data Change Tracker can create a date, time, and user stamp of any change to the database with the customer selecting which fields they want to track. The tracker includes the ability to record changes made to key database fields which control overall system functionality such as system constants, automatic accounting instructions, and security settings. These recorded data changes can then be accessed by custom reports to support a variety of compliance requirements including 21 CFR Part 11 and Sarbanes-Oxley.

Additional Internal Controls

JD Edwards EnterpriseOne also includes an extensive number of native internal controls features and functionality that are part of the core JD Edwards EnterpriseOne solution. These native features are listed in Table 5.

12 The Data Change Tracker was added with SP21 for releases Xe and ERP8, and SP2 for 8.9 and 8.10.

13 21 CFR Part 11 became law on August 20, 1997.


Table 5. Native Internal Controls for JD Edwards EnterpriseOne

Workflow; Processing Options; Application Security; System Constants; Integrated Postings to G/L; Budget Expenditure Approval; Positive Pay; Expense Management; Integrity Reports; Batch Controls; Data Privacy

Balanced Posting Requirements; Valid Account Edit; Approval Limits; Credit Limits; Hierarchical Approval Routing; Posting Approval; On-Demand Audit Trails; Built-in Balancing Controls; Payee Control; Row and Column Security; Version Control


Figure 2 - Hidden Programs Example

ENHANCING ERP SYSTEM COMPLIANCE WITH Q SOFTWARE

Issue 1: Security and Compliance

Many organizations using JD Edwards EnterpriseOne have maintained an "All Doors Open" policy. This is inherently risky. For example, a user with access to the Sales Order Entry program will have exits to other programs, including the address book. These are called "Associated and Hidden" programs because they are associated with the initial program being executed, but are not easy for the security officer to identify and include in the security model. Under an open policy the user has the potential to create phony suppliers and commence a process to commit fraud. The only secure approach to adopt is an “All Doors Closed” or “Deny All” policy. Not only is this more secure, it will better enable you to map roles to your business processes and simplify auditing.

Locking everything down in JD Edwards EnterpriseOne is easy. However, one of the key problems with securing JD Edwards EnterpriseOne is working out which applications are accessible outside the normal menu travel. Users often think that securing access to common programs will be enough, but most users are aware of the problems caused by the multiple exit points, and calls to what is termed “hidden programs”.

Typical users of JD Edwards EnterpriseOne also require assistance with segregation of duties management and reporting, simplifying the use of multiple roles while retaining the added flexibility multiple roles provide; reducing security management effort and security audit reporting.

An inherently risky strategy is to maintain an “All Doors Open” policy within your JD Edwards EnterpriseOne installation. The best security approach is to adopt an “All Doors Closed” or “Deny All” policy.

Associated and Hidden Programs: There are about 15 exit programs in each major JD Edwards EnterpriseOne application (see example in Figure 2). Some have over 40 exits to programs which in turn have other exits. Locking down a system securely can mean that users no longer can run important applications, since there is no easy way within JD Edwards EnterpriseOne to identify areas of concern.

Q Software provides a quick and easy way to identify associated and hidden programs and then enable you for the first time to include them easily into your security model.
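The hidden-program problem described above, as an added illustration that is not Q Software's or Oracle's code: a walk over a constructed form-exit graph lists the programs a user can reach beyond normal menu travel under All Doors Open, and what the same user can still open once *PUBLIC is set to N and only explicitly granted programs open. Program names and exits are constructed placeholders, not real JD Edwards object IDs.

```python
"""Added example, not part of the white paper or of Q Software's product:
reachability over a form-exit graph to find "associated and hidden" programs,
compared under All Doors Open and All Doors Closed policies.

Program names and the exit graph below are constructed placeholders; they
are not real JD Edwards EnterpriseOne object IDs.
"""
from collections import deque

# Constructed form-exit graph: program -> programs reachable via a form exit.
EXITS = {
    "SALES_ORDER_ENTRY": {"ADDRESS_BOOK", "ITEM_MASTER", "CUSTOMER_LEDGER"},
    "ADDRESS_BOOK": {"SUPPLIER_MASTER", "BANK_ACCOUNTS"},
    "CUSTOMER_LEDGER": {"ADDRESS_BOOK", "RECEIPT_ENTRY"},
    "SUPPLIER_MASTER": {"VOUCHER_ENTRY"},
    "ITEM_MASTER": set(),
    "BANK_ACCOUNTS": set(),
    "RECEIPT_ENTRY": set(),
    "VOUCHER_ENTRY": {"ADDRESS_BOOK"},
}


def reachable(entry_programs, exits, granted=None):
    """Programs a user can open, starting from the menu entry programs.

    granted=None models All Doors Open (*PUBLIC application security = Y):
    every exit succeeds. A set models All Doors Closed (*PUBLIC = N): a
    program opens only if explicitly granted, and the walk cannot continue
    through a program the user could not open in the first place.
    """
    def opens(program):
        return granted is None or program in granted

    seen = set()
    queue = deque(p for p in entry_programs if opens(p))
    while queue:
        program = queue.popleft()
        if program in seen:
            continue
        seen.add(program)
        for target in exits.get(program, ()):
            if opens(target) and target not in seen:
                queue.append(target)
    return seen


def hidden_programs(entry_programs, exits):
    """Programs reachable only through exits, i.e. outside normal menu travel.
    This is the list a security officer has to review for the security model."""
    return reachable(entry_programs, exits) - set(entry_programs)


def unreviewed_exposure(entry_programs, granted, exits):
    """Hidden programs the open policy exposes that the role was never
    deliberately granted: the gap between intended and actual reach."""
    return hidden_programs(entry_programs, exits) - set(granted)


if __name__ == "__main__":
    role_entry = {"SALES_ORDER_ENTRY"}
    role_grants = {"SALES_ORDER_ENTRY", "ADDRESS_BOOK", "ITEM_MASTER"}
    print("open policy reach:", sorted(reachable(role_entry, EXITS)))
    print("hidden programs:  ", sorted(hidden_programs(role_entry, EXITS)))
    print("never granted:    ", sorted(unreviewed_exposure(role_entry, role_grants, EXITS)))
    print("deny-all reach:   ", sorted(reachable(role_entry, EXITS, role_grants)))
```

Under the open policy the sales order clerk reaches the supplier master through two exits; under deny-all the walk stops at the three programs the role was actually granted.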

Security Configuration: Q Software provides JD Edwards EnterpriseOne users with three alternatives to rapid security configuration:

1. Capture security from a previous version of JD Edwards EnterpriseOne: To create security in release 8.12 based on your Xe security model:

a. Identify the roles you have defined in JD Edwards EnterpriseOne. Where there are any duplicates, these can be discarded or ignored.

b. Include the JD Edwards EnterpriseOne roles with Q Software and break them down into re-usable components.

c. Assign them to job functions within Q Software

Because you have broken down the functions into their task components, these can be re-used when defining other roles, with the same benefits, such as saving time, as when security is set up from scratch.

2. Create a security model from Solution Explorer: The second strategy option is to create an entire security model based on the Solution Explorer tasks pre-defined in JD Edwards EnterpriseOne. Obviously there will be a lot of customization; however, these initial tasks can form the basis of a new security model. There is no link between Solution Explorer tasks and the security for those tasks, so much duplication of effort is required to define security. However, Q Software will allow a security officer to capture all of the Solution Explorer task views. This is done either by breaking them down into lower level tasks or by capturing them entirely; the choice is down to preference. These captured components are then customized by adding the relevant action code security, etc., to form a complete security template. There is even an option in Q Software to capture all Solution Explorer task views and generate all the appropriate security settings automatically as a single operation. In order to implement the ‘deny all’ strategy, additional settings may need to be included from the components library. All of these components can be sequenced by order of power and segregation of duties rules created. The components and job functions will be linked to one role per user, forming the new security strategy.


The *PUBLIC settings for application and action code security should now be set to N, meaning that the all doors closed strategy is implemented. Providing all of the necessary security has been attributed to the roles, there should be no problems with users carrying out their daily tasks. Finally reports can be created to show the relationship between each role and the security it has been specifically granted access to.

3. Start fresh using reusable components: With Q Software you structure your security by creating jobs or roles and then build the relevant security for the job. It is then an easy matter to create a link to a group or user ID and populate the JD Edwards EnterpriseOne security tables with the relevant settings. In this way duplication is eliminated and any changes automatically update the end user settings. Q Software supplies a library of some 500 re-usable task level components. You can use these pre-configured components, create your own or modify those supplied. These tasks include all the programs and security necessary to perform the task, such as "Update Address Book". Now the existing security can be combined with the components library to create the security model ready to go all doors closed. The components and job functions will be linked to one role per user, forming the new security strategy. The *PUBLIC settings for Application and Action Code security should now be set to N, meaning that the all doors closed strategy is implemented. Providing all of the necessary security has been attributed to the roles, there should be no problems with users carrying out their daily tasks. Finally, reports can be created to show the relationship between each user/role combination and the access security specifically granted.


Issue 2: Roles Management and Compliance

JD Edwards EnterpriseOne added multiple roles starting with release 8.9 (see example in Figure 3). The implementation of multiple roles can create challenges for companies who decide to use this flexible capability. The most obvious benefit of the switch from groups to roles was the reduction in the effort of implementing security: by creating a pre-defined set of roles, these could then be allocated to as many users as required, instead of making one user belong to one group profile as before. However, several issues that make security hard to set up, maintain and audit have been resolved by Q Software.

Role Selector: The “Role Selector” enables a user to be assigned to several roles and to select the roles they wish to play. The role selector requires security to be set up so that it corresponds to each role in Solution Explorer. If this feature is used then there is considerable repetition in the security table, particularly in the area of commonly used programs and of row security. Companies that really suffer are those with identical roles in multiple branches or plants where all the security records are the same apart from the row security. Q Software is of significant benefit when using this strategy, as it removes the need for any duplication of effort.

Multiple roles capabilities within JD Edwards EnterpriseOne provide system flexibility but can create security challenges if not properly managed.

Figure 3 – Roles Example

Sequence Manager: This is a key problem for implementing multiple roles, since the sequence manager controls the level of security which is allocated to a role. As part of any setup of multiple roles, Sequence Manager needs to be used to sequence the ‘power’ of the roles. As expected, the more powerful the role, the more a user can access programs and make any kind of updates or changes to records; the less powerful a role, the less a user can do. This process becomes complicated when there are many hundreds, possibly thousands, of roles to define. The whole process can quickly spiral out of control as new roles are added to or taken away from the sequence, making it extremely difficult to keep a consistent hierarchy of ‘power.’ This makes the use of multiple roles very difficult, as there is no conflict resolution. This causes many headaches for the security officer who needs to ascertain which security setting takes precedence. The resultant problems with segregation of duties can be serious. Q Software recommends you create single roles that combine the requirements of the multiple roles. The alternative requires you to plan the role hierarchy very carefully in order to try to avoid the problems with sequence manager. However, any use of multiple roles will mean that any later changes to the security policy need to be approached with great care. To assist, Q Software will alert you to potential sequence manager security issues, so you can take appropriate action.

The Auditor: An auditor may assume that, whichever role assigned to a user has the highest security for any particular task, that is the security in force. Because the sequence manager determines the security hierarchy, the security actually applied and the action codes available may not be what the security officer or user expected, or what the auditor has assumed. This can result in unnecessarily complex auditing. By adopting the recommended approach to address the sequence manager issues, auditing will be simplified.

Segregation of Duties: Q Software provides a segregation of duties capability that lets you build your SOD rules inside JD Edwards EnterpriseOne. Q Software monitors the power of components linked to a role and highlights any conflicts. There is also a segregation of duties monitor which monitors segregation at the component or object level, so that all segregation of duties issues will arise as a result of two conflicting tasks being linked together in a role. It also checks for SOD conflicts across multiple roles that may be assigned to a user. Rules are set up that highlight which components or objects should not be allocated together to a user and role combination. If these rules are breached then Q Software highlights them and allows a security officer or administrator to decide whether the breach should stand. Like the conflict manager, if security is built with an SOD violation then Q Software will leave a permanent reminder that the problem exists. In turn, anyone who needs to check segregation of duties, or conflicts, can use the conflict manager function in Q Software to establish all of the segregation of duties issues that currently exist in the application. An auditor could then run through all of the violations and advise on the best method of resolving them, or sign them off if they are satisfied that the necessary mitigating or compensating steps have been taken to document and control these issues.
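The component-level checks just described, as an added example that is not Q Software's product code: SOD rules are pairs of task components that must not be held together; the checker reports conflicts linked inside a single role, conflicts that only appear once a user's multiple roles are combined, and keeps signed-off breaches on the report as the permanent reminder the text mentions. Roles, users, components and rules are constructed.

```python
"""Added example, not Q Software's or Oracle's code: segregation of duties
checks at the task-component level, within one role and across all roles
assigned to a user. All roles, users, components and rules are constructed."""
from itertools import combinations

# Constructed task-level components bundled into roles.
ROLES = {
    "AP_CLERK": {"ENTER_VOUCHER", "INQUIRE_SUPPLIER"},
    "AP_MANAGER": {"APPROVE_VOUCHER", "INQUIRE_SUPPLIER"},
    "VENDOR_ADMIN": {"UPDATE_ADDRESS_BOOK", "MAINTAIN_SUPPLIER_MASTER"},
    "AP_SUPERUSER": {"ENTER_VOUCHER", "APPROVE_VOUCHER"},  # conflict built in
}
# Constructed user-to-role assignments (several roles per user, as from 8.9).
USERS = {
    "alice": ["AP_CLERK", "VENDOR_ADMIN"],
    "bob": ["AP_CLERK", "AP_MANAGER"],
    "carol": ["AP_SUPERUSER"],
    "dave": ["AP_MANAGER"],
}
# Constructed SOD rules: pairs of components one person must not hold together.
SOD_RULES = [
    ("ENTER_VOUCHER", "APPROVE_VOUCHER"),
    ("MAINTAIN_SUPPLIER_MASTER", "ENTER_VOUCHER"),
]


def _rule_set(rules):
    """Order-insensitive lookup: (a, b) and (b, a) are the same rule."""
    return {frozenset(r) for r in rules}


def role_conflicts(roles, rules):
    """Breaches caused by two conflicting components linked in one role."""
    rule_set = _rule_set(rules)
    found = {}
    for role, comps in roles.items():
        hits = sorted(tuple(sorted(pair)) for pair in combinations(comps, 2)
                      if frozenset(pair) in rule_set)
        if hits:
            found[role] = hits
    return found


def user_conflicts(users, roles, rules):
    """Breaches across every role a user holds, including those that only
    appear when two individually clean roles are combined. Each hit names
    both components and the role that supplies each one."""
    rule_set = _rule_set(rules)
    found = {}
    for user, assigned in users.items():
        holdings = {}  # component -> first assigned role that supplies it
        for role in assigned:
            for comp in sorted(roles.get(role, ())):
                holdings.setdefault(comp, role)
        hits = [(a, holdings[a], b, holdings[b])
                for a, b in combinations(sorted(holdings), 2)
                if frozenset((a, b)) in rule_set]
        if hits:
            found[user] = hits
    return found


def sod_report(users, roles, rules, signoffs):
    """One line per breach for the auditor. A sign-off records that a
    compensating control was accepted, but the breach stays on the report
    with the name of whoever accepted it; it is never silently dropped."""
    lines = []
    for user, hits in sorted(user_conflicts(users, roles, rules).items()):
        for a, role_a, b, role_b in hits:
            who = signoffs.get((user, a, b))
            status = f"SIGNED OFF by {who}" if who else "OPEN"
            lines.append(f"{user}: {a} ({role_a}) vs {b} ({role_b}) -> {status}")
    return lines


if __name__ == "__main__":
    # Constructed sign-off: the security officer accepted carol's breach.
    accepted = {("carol", "APPROVE_VOUCHER", "ENTER_VOUCHER"): "security officer"}
    print("roles with built-in conflicts:", role_conflicts(ROLES, SOD_RULES))
    for line in sod_report(USERS, ROLES, SOD_RULES, accepted):
        print(line)
```

Note that bob's breach is invisible when each of his two roles is checked on its own; it only appears when the roles assigned to the user are combined, which is the multiple-roles case the text warns about.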

Audit Reporting: Q Software provides an extensive array of reporting to demonstrate to your auditor that you have all appropriate controls in place. Reporting is available to show:

Roles access to job functions and tasks

User role assignments

Users or roles in breach of segregation of duties policies


Table 6. Extending Compliance Capabilities for JD Edwards EnterpriseOne with Q Software

Columns: Compliance Requirement | JD Edwards EnterpriseOne Baseline | Q Software Extensions

Sarbanes-Oxley Act

Section 202, Regular testing of controls
JD Edwards EnterpriseOne Baseline: Continuous monitoring; proactive alerts of system changes; integrated architecture and dashboard tools
Q Software Extensions: Compliance life cycle; comprehensive security analysis and reporting; integrated segregation of duties controls and reporting

Section 404, Testify to effectiveness of controls
JD Edwards EnterpriseOne Baseline: Central document repository for supporting materials; single version of “truth” between documentation and system processes; attachment security; security reports; selective auditing; address book controls; accounts payable approvals; accounts payment header to detail integrity
Q Software Extensions: Re-usable task level components including pre-defined security; job functions (roles) created from task level components; integrated segregation of duties reporting and enforcement across multiple roles; comprehensive reporting on component constructs, role assignments, user access, security access, hidden programs and reports; simplified security management

FDA

21 CFR Part 11
JD Edwards EnterpriseOne Baseline: FDA auditing and signatures: data change tracker; enhanced lot tracking

COSO Framework

Reliability in financial reporting
JD Edwards EnterpriseOne Baseline: Integration with PeopleSoft EPM, HCM, CRM and SCM applications
Q Software Extensions: Simplified security management with segregation of duties enforcement

Effectiveness and efficiency of controls
JD Edwards EnterpriseOne Baseline: Continuous monitoring of key financial data; version control; multiple roles
Q Software Extensions: Simplified security configuration from pre-configured, re-usable task components; capture security from earlier versions and remove redundant duplicates; automate security build from Solution Explorer tasks; role selector and sequence manager security resolution

Compliance with applicable laws
JD Edwards EnterpriseOne Baseline: Internal Controls Enforcer (ICE); scheduling and management of compliance activities; country specific support


CONCLUSIONS

JD Edwards EnterpriseOne today offers customers many capabilities to meet legal compliance requirements, not just in the USA but in many other countries. There are many out-of-the-box features that let organizations meet Sarbanes-Oxley and other laws. However, there are situations in which additional compliance capabilities are needed. Complementary software from Q Software extends and enhances the capabilities of JD Edwards EnterpriseOne, providing an easier approach and a more effective security implementation to:

Enable enhanced enforcement of segregation of duties policies;

Simplify security configuration and on-going maintenance;

Simplify compliance reporting and auditing;

Reduce the overall cost of compliance by approximately 80 percent.

These capabilities of JD Edwards EnterpriseOne with Q Software are in Table 6.

ABOUT Q SOFTWARE

Q Software's family of products has evolved over the past ten years. Q Software E1Config is the result of detailed analysis of JD Edwards EnterpriseOne, experience working on the security compliance needs of JD Edwards EnterpriseOne customers, and specific requests from customers to enhance JD Edwards’ products. Q Software is Oracle's only certified partner providing security compliance solutions for JD Edwards EnterpriseOne.

Q Software's SEC-ure E1Config is a second generation security compliance solution for JD Edwards EnterpriseOne. JD Edwards EnterpriseOne customers use Q Software to reduce overall security compliance costs by about 80 percent while enhancing security and segregation of duties controls. Table 7 lists several JD Edwards EnterpriseOne customers and their comments regarding Q Software (please note that these are not verified by Oracle).

Q Software Global Limited is an Oracle certified partner focusing on security for JD Edwards World and JD Edwards EnterpriseOne. Since 1996 Q Software has developed and implemented security solutions for JD Edwards’ customers across the globe. Contact Q Software at:

Q Software Global Limited Ranmore Manor, Ranmore Common Dorking, Surrey RH5 6SX United Kingdom

Telephone: + 44 (0) 1483 280 400 Fax: + 44 (0) 1483 280 401 Email: [email protected]

Web: www.qsoftware.com

“We evaluated the Q Software security solutions and believe they can help JD Edwards EnterpriseOne customers address security and compliance initiatives”

- Gary Grieshaber, Senior Director, JD Edwards EnterpriseOne Tools and Technology Product Strategy, April 4, 2007


Table 7. JD Edwards EnterpriseOne Customer Experiences with Q Software

Yum! Brands Inc. “I believe it would be almost impossible to implement an ‘all doors shut’ security model under EnterpriseOne without Q Software”

Meridian Gold Inc.

“Q Software provides an easy way to configure security in EnterpriseOne. Security was very time consuming using the standard EnterpriseOne Security Workbench. Once we had built a library of standard components, Q Software made configuring the different types of security quicker.”

Nottingham City Council “Previously it took at least four hours to set up new groups, but with Q Software that time has been reduced to about 15 minutes.”

Plexus “Using Q Software has saved us at least 1600 man hours of entering security manually for the initial 500 users we have set up so far.”

States of Jersey

“It was estimated that the software would achieve as much as a 50 percent reduction in the workload of maintaining security.”…“Without Q Software, it would be extremely difficult to achieve the tight security that we need.”

20:20 Logistics

Using Q Software, the security tasks for the first implementation phase took four weeks – around 85% reduction on the original estimate of six months without Q Software.

Gallatin Steel “We have saved about 10 hours’ work for each of the 8 security groups that were set up.”

Balance Agri-Nutrients “Without Q Software, we would not have been able to go live with a suitably closed security model in the first roll-out.”

BE&K “We realized our EnterpriseOne security would be virtually impossible without Q Software.”

Vancouver Port Authority “Q Software enabled us to undertake the security aspects of EnterpriseOne in-house and saved us the expense of employing an external consultant”

White Electronic Designs “In my previous company it took about 15-18 man months of effort to set up the JD Edwards security manually. Here, using Q Software, it took around 2 man months.”

CR Bard “Q Software enabled us to roll off two security consultants from our project.”

Trek Bicycles “We have reduced JD Edwards security set-up and maintenance from days to minutes.”


ACRONYMS AND ABBREVIATIONS

COSO Committee of Sponsoring Organizations of the Treadway Commission

FDA Food and Drug Administration (USA agency)

ICE PeopleSoft Internal Controls Enforcer

KPI Key Performance Indicator

SEC Securities and Exchange Commission (USA agency)

SOD Segregation of Duties

SOX Sarbanes-Oxley Act (USA public law)

UBE Universal Batch Engine

ACKNOWLEDGEMENTS

Extensive suggestions and review comments for this white paper were graciously provided by:

Roger Harris of JD Edwards EnterpriseOne reseller and services partner MSS Technologies and President of the Colorado Chapter of APICS who added extensive information about supply chain management and compliance;

Keith Sholes from the JD Edwards EnterpriseOne headquarters staff who did a comprehensive review of JD Edwards EnterpriseOne release features and functionality;

Achieving Compliance with JD Edwards EnterpriseOne

White Paper E1WP-1016. First issue April 2007. April 2007 (Revision A.5)

Authors: Mike Lutito (Oracle) and David Hunt (Q Software); Editor: Rudy Lukez (Oracle)

Oracle Corporation, World Headquarters, 500 Oracle Parkway, Redwood Shores, CA 94065, U.S.A. Worldwide Inquiries: Phone: +1.650.506.7000 Fax: +1.650.506.7200 oracle.com

Copyright © 2007, Oracle. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission. Oracle, JD Edwards, PeopleSoft, and Retek are registered trademarks of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. Q Software, SEC-Qure, and E1Config are registered trademarks of Q Software Global Limited. This document is for informational purposes only and may not be incorporated into a contract or agreement.