
Segregation of Duties to Comply with Sarbanes-Oxley

Below is a snippet from one of hundreds of articles available to JDEtips subscribers.


If you would like a complimentary copy of the full article, please email
Mark.Downs@ERPtips.com
(include the title of the article in your email)

To subscribe to JDEtips, go to
www.JDEtips.com/Subscribe.asp.

JDEtips is published by Klee Associates, Inc.


JDEtips University provides both public and onsite training for JD Edwards clients.
For more about JDEtips University, including the current schedule, click on
www.JDEtips.com/WorkshopSchedule.asp


Laura Jackson reports on her recent engagement with Hamilton Sundstrand to identify
employees who have access to programs that create a potential conflict of interest. For example,
an employee should not be able to enter a voucher and cut a check. The project covered
Financials, Distribution, and Manufacturing, and used a combination of technical and
non-technical methods of discovery and analysis. Hamilton Sundstrand agreed to let Laura share
the discovery process with our readers.



Segregation of Duties to Comply with
Sarbanes-Oxley Requirements

Following is a table of security types that must be analyzed along with examples of their primary
uses.

| Code | Description 1 | Description | Example |
|------|---------------|-------------|---------|
| 1 | Action Security | Secures users from executing a particular action, such as adding, deleting, revising, inquiring, or copying a record. | P0000 (System Set Up) using *PUBLIC and action code security that allows viewing but not adding, changing or deleting. |
| 2 | Table Column Security | Secures users from viewing a particular field or changing the value for a particular field. This can be a database field or a field that is defined in the data dictionary but is not in the database. | Default Location/Printer/Route (F40095), using the associated data item ARTG (Routing Approval) with add, change, delete options. |
| 4 | Table Row Security | Secures users from accessing a particular range or list of data in any table. ** You must also update the DD item by flagging the ‘Row Security’ box. | Sales Order Header table (F4201), using the associated data item DCTO (Order type) with From Value/Through Value, and with add, change, delete options. |
| 5 | Processing Option Security | Secures users from viewing or changing the values of the processing options, or places security on prompting form version for specific applications. | Enter a complete user or group ID, which includes *PUBLIC. Enter an application name (or *ALL), such as P03013 (Customer Master), along with add, change, and delete options. |

Program Specifications:
Objective: Using Business Objects, gather security information from JDE EnterpriseOne to
analyze potential conflicts of interest. Build queries or use Microsoft Access to build your
comparison tables or files.

Major Files Usage Table

| Name | Description | Input/Output/Update (I/O/U) |
|------|-------------|-----------------------------|
| Access | Controls database | I/O |
| F00950 | Security Workbench Table | I |
| F0092 | User Profile & Library List | I |
| F0005 | User Defined Code | I |
| F980011 | Cross-Reference Relationships | I |
| F0101 | Address Book | I |

Copyright© 2005 Klee Associates, Inc. Page 3



1. Select data using the following fields:

• F01: F00950 – Select FSUSER, FSOBNM, FSSETY, FSVWYN, FSA, FSCHNG, FSDLT

• F02: F0092 - Select ULUGRP, ULUSER, ULMNI, ULFSTP, ULAN8

• F03: F0005 - Select DRSY, DRRT, DRKY

• F04: F0101 - Select ABAN8, ABAT1, ABALPH

2. For each question, determine which table(s) hold the information. Run the JDE
cross-reference application (P980011), which identifies what tables, fields, and applications
are used within each other. For example, take the question of who could update the AP
subledger. The table for the AP subledger is the F0411. Using the cross-reference tool, you
can look up the applications that could update the F0411, and then list them.

In EnterpriseOne there are some batch applications that can add, change, and delete data
within tables. They should be included in the list of applications for a table.

3. Join F01 to F02 by User ID FSUSER = ULUSER. This will capture the user ID, even if the
security is set up by group.

4. Join F02 to F04 by Address Book Number ULAN8 = ABAN8. This will give you the user
name (ABALPH).

5. Join F01 to F03 by Security Type (FSSETY = DRKY), restricting F03 to Product Code
DRSY = 98 and User Defined Codes DRRT = TY. This will give you the security type; e.g.,
‘1’ action code security (view, add, change, delete or copy).

6. Identify Security Type - At specific object levels, you can set the levels of security, alone or in
any combination, for users and groups; i.e., Security Type ‘2’ (Column Security).

For example, if you secure a user from viewing the Salary field on the Employee Master
application, the Salary field does not appear on the form when that user accesses that
application.

7. Establish your questions. The following are samples of some of the segregation of duty
questions, with their respective tables and applications:

Purchasing Questions:
1. Who can create or change a PO or Req.? (Based on F4301 and F4311)
P40320, P4242, P43025, P430301, P43032, P43081, P4310, R43990, R47132

2. Who can approve a PO or Req.?
Select from F0092 where ULAN8 = APRPER in F43008
P43008, P43280, P43081

Cash Disbursement Questions:
1. Who can generate a check run? (Based on F0413)
P04570, R04570
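
The joins in steps 3 and 4 and the application lists from the sample questions, worked through as an added example (not code from the article): SQLite stands in for the Access comparison database, all rows are constructed, and the example assumes that a 'Y' in FSA, FSCHNG or FSDLT means the action is allowed. Pairing "create or change a PO" with "generate a check run" as the conflicting duties is an illustrative choice.

```python
import sqlite3

# Application lists copied from the sample questions above.
PO_ENTRY = {"P40320", "P4242", "P43025", "P430301", "P43032",
            "P43081", "P4310", "R43990", "R47132"}
CHECK_RUN = {"P04570", "R04570"}

def load_sample(db):
    """Create the F01, F02 and F04 extracts with constructed rows (not real data)."""
    db.executescript("""
    CREATE TABLE F00950 (FSUSER, FSOBNM, FSSETY, FSVWYN, FSA, FSCHNG, FSDLT);
    CREATE TABLE F0092  (ULUSER, ULUGRP, ULAN8);
    CREATE TABLE F0101  (ABAN8, ABALPH);
    INSERT INTO F00950 VALUES
      ('JDOE',   'P4310',  '1', 'Y', 'Y', 'Y', 'N'),
      ('JDOE',   'P04570', '1', 'Y', 'Y', 'Y', 'Y'),
      ('ASMITH', 'P4310',  '1', 'Y', 'N', 'N', 'N'),
      ('ASMITH', 'P04570', '1', 'Y', 'Y', 'Y', 'N'),
      ('BLEE',   'P43081', '1', 'Y', 'N', 'Y', 'N');
    INSERT INTO F0092 VALUES ('JDOE', 'APGRP', 1001), ('ASMITH', 'APGRP', 1002),
                             ('BLEE', 'BUYGRP', 1003);
    INSERT INTO F0101 VALUES (1001, 'Doe, Jane'), (1002, 'Smith, Alan'),
                             (1003, 'Lee, Bo');
    """)

def who_can_update(db, apps):
    """Steps 3-4: users with add/change/delete on any application in apps."""
    marks = ",".join("?" * len(apps))
    rows = db.execute(f"""
        SELECT DISTINCT ULUSER, ABALPH
        FROM F00950
        JOIN F0092 ON FSUSER = ULUSER      -- step 3
        JOIN F0101 ON ULAN8 = ABAN8        -- step 4
        WHERE FSSETY = '1' AND FSOBNM IN ({marks})
          AND (FSA = 'Y' OR FSCHNG = 'Y' OR FSDLT = 'Y')  -- assumed: 'Y' = allowed
        """, sorted(apps)).fetchall()
    return dict(rows)

def conflicts(db, duty_a, duty_b):
    """Users who appear in both duty lists, as sorted (user ID, name) pairs."""
    a, b = who_can_update(db, duty_a), who_can_update(db, duty_b)
    return sorted((u, a[u]) for u in a.keys() & b.keys())

if __name__ == "__main__":
    db = sqlite3.connect(":memory:")
    load_sample(db)
    print(conflicts(db, PO_ENTRY, CHECK_RUN))
```

View-only rows (ASMITH on P4310) are excluded from a duty list, so only a user with update rights on both sides is reported.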
