56 Set Up Sarbanes-Oxley (SOX) Compliance


Thousands of companies face the task of ensuring their accounting operations are in compliance with the Sarbanes-Oxley (SOX) Act. After a comprehensive external audit by a SOX compliance specialist, which identifies areas of risk, you use several programs to set up and provide the "electronic paper trails" necessary to ensure SOX compliance. The reports you produce satisfy the requirement of an Internal Control Report stating that management is responsible for an adequate internal control structure, and an assessment by management of the effectiveness of the control structure.

Within JD Edwards World Software, action code security, processing options, menu masking, Database Audit Manager (DBAM), and embedded iSeries security work well for managing security needs. JD Edwards World Software additionally provides an internal control report to satisfy the segregation of duties specified in section 404 of the SOX Act.

56.1 Set Up SOX Compliance

To set up your system for SOX compliance, complete the following tasks:

  • To set up generic text information

  • To set up process definitions

  • To set up conflict definitions

After you set up your system for SOX compliance, you must verify that your action code security and function key security are set up properly.

Note:

The Action Code security for user ID *PUBLIC for *ALL programs must be set to N (no) for the Add, Change, and Delete fields.

The Function Key security for user ID *PUBLIC and Field *ALL for all critical videos must be set to N (no) to prevent access.

56.1.1 Set Up Generic Text Information

You must set up new generic text information for the Process Conflicts file (F00712).

To set up generic text information

Navigation

From Developer's Workbench (G9362), choose Generic Text Definition

  1. On Generic Text Definition, enter *F00712 in the following field:

    • Application

  2. Enter Process Conflict Definitions in the following field:

    • Description

  3. Enter 2 in the following field:

    • Window Width

  4. Enter 00 in the following fields:

    • Install System

    • Reporting System

  5. Enter F00712 in the following field:

    • File ID

  6. Enter J in the following field:

    • Ownership (JD Edwards World/User)

  7. Enter RULN in the following field:

    • Data Item

  8. Enter I in the following field:

    • Display (I/O)

Figure 56-1 Generic Text Definition screen


Field: Explanation

  • Application: A name given to the particular application of the Generic Text Window. Various window definition data is stored based on this name.

  • Description: The name of a particular application of the Generic Text Window, as defined in the Generic Text Window Definition file (F00161).

  • Window Width: The size of the Generic Text Window.

      1 – Half screen (40 characters)

      2 – Full screen (8 characters)

  • Install System: Enter a UDC (98/SY) for the install system code.

  • Reporting System: Enter a UDC (98/SY) for the reporting system code.

  • File ID: Enter a number, such as the program number, file number or report number for the software element.

  • Ownership (JD Edwards World/User): This flag indicates whether this information was set up by JD Edwards or by the user. If it is blank or "J", the information can be changed by JD Edwards World during PTFs and re-installs. If it is a "U", this indicates that the information was set up by the user, or that a JD Edwards World setup was modified by the user and it will NOT be changed during PTFs and re-installs. If this flag is set incorrectly, your custom modifications could be lost.

  • Data Item: Enter the name of the data item.

  • Display (I/O): A flag indicating whether a key value is to be displayed in the Generic Text Window header when the window is displayed.

56.1.2 Set Up Process Definitions

You use the Process Definitions program (P00711) to set up your processes. A process can be a single program, a combination of programs, or a combination of function key and subfile options that access multiple programs across the system. You can also set up a process that includes other processes. For example, you can set up your process for Accounts Payable (A/P) entry by entering all of the programs a user accesses during A/P entry. This might include the Address Book Revisions, Speed Voucher Entry, Standard Voucher Entry, and Recurring Voucher Inquiry programs.

The system stores all processes in the Process Definitions File (F00711).

You can use the F1 function key to access other screens containing data that you might use when creating a process. Use this function key in the following fields to access the various screens:

  • Process Name/Description, accesses the Process Definitions window which contains all the process names and descriptions that exist in F00711.

  • Program, accesses the Software Inventory window that contains all programs in the system.

  • Function Key/Selection Option, accesses the Defined Function Key/Selection Option window that contains all of the function keys (except F1, F7, F22, F24, Help, Page Up, and Page Down) as well as subfile options that exist within the video entered in the Program field.

  • Process, accesses the Process Definition Search window that contains all processes in the system.

Additionally, you can access the Process Conflict Definitions program (P007121) by choosing Process Conflict Definitions (F8). Choose Audit Information (F6) to access the Audit Information window, which contains system information such as the user ID of the individual who last updated this process and the date and time at which the update occurred.

To set up process definitions

Navigation

From Master Directory (G), choose Hidden Selection 27

From Advanced & Technical Operations (G9), choose Security and Security Admin

From Security and System Administration (G94), choose Security Auditing and Reporting

From Security Auditing and Reporting (G947), choose Process Definitions

  1. On Process Definitions, complete the following fields:

    • Process Name

    • Description

  2. On Process Definitions, each detail line can contain a value in either of the following fields:

    • Program

    • Process

  3. If you enter a value for a video in the Program field, then you must complete the following field:

    • Function Key/Selection Option

Figure 56-2 Process Definitions screen


Field: Explanation

  • Process Name/Description: A process definition as defined for Sarbanes-Oxley compliance. A process definition can be a program or a function key/subfile option within a program, or a combination of different processes.

  • Program: The identification, such as program number, file number, and report number that is assigned to an element of software. If you use this field in conjunction with the Function Key/Selection Option field, the system requires this to be a video.

      Screen-specific information: You can also enter a video name in this field.

  • Function Key/Selection Option: The name of the field within the function key security file. This name is used in conjunction with a video name.

  • Process: A process definition as defined for Sarbanes-Oxley compliance. A process definition can be a program or a function key/subfile option within a video, or a combination of different processes.

56.1.3 Set Up Conflict Definitions

You use the Process Conflict Definitions program (P007121) to set up all possible process conflicts. A process conflict can be between:

  • Two processes

  • A process and a program or vice versa

  • A process and a function key/subfile option on a video or vice versa

  • Two programs

  • A program and a function key/subfile option on a video or vice versa

  • Two function key/subfile options on a video

For example, you can set up a process conflict so that the system issues a violation if a user of the A/P entry process has access to any of the programs in the A/R entry process.

The system stores all processes in the Process Conflict Definitions File (F00712).

You can use the F1 function key to access other screens containing data that you might use when defining a conflict. Use this function key in the following fields to access the various screens:

  • Rule Name, accesses the Conflicts Rule Search window which contains all the conflicts/rules.

  • Program ID, accesses the Software Inventory window that contains all programs in the system.

  • Function Key/Selection Option, accesses the Defined Function Key/Selection Option window that contains all of the function keys (except F1, F7, F22, F24, Help, Page Up, and Page Down) as well as subfile options that exist within the video entered in the Program field.

  • Process Name, accesses the Process Definition Search window that contains all processes in the F00711 file.

Additionally, you can access the Process Definitions program (P00711) by choosing Process Definitions (F8). Choose Audit Information (F6) to access the Audit Information window, which contains system information such as the user ID of the individual who last updated this conflict/rule and the date and time at which the update occurred. Choose Memo (F14) to access the Generic Text window.

To set up conflict definitions

Navigation

From Master Directory (G), choose Hidden Selection 27

From Advanced & Technical Operations (G9), choose Security and Security Admin

From Security and System Administration (G94), choose Security Auditing and Reporting

From Security Auditing and Reporting (G947), choose Process Conflict Definitions

  1. On Process Conflict Definitions, complete the following fields:

    • Rule Name

    • Seq

  2. On Process Conflict Definitions, each detail line can contain a value in either of the following fields:

    • Program ID

    • Process Name

  3. If you complete the Program ID (video) field, you can additionally complete the following field:

    • Function Key/Selection Option

  4. Complete either of the following fields under the Conflicts With section:

    • Program ID

    • Process Name

  5. If you complete the Program ID (video) field, you can additionally complete the following field:

    • Function Key/Selection Option

Figure 56-3 Process Conflict Definitions screen


Field: Explanation

  • Rule Name: A rule definition as defined for Sarbanes-Oxley compliance. A rule definition identifies conflicts between combinations of programs, function key/selection options, and/or processes. These rules help clarify segregation of duties.

  • Seq: A number that the system uses to sequence information.

  • Process Name: A process definition as defined for Sarbanes-Oxley compliance. A process definition can be a program or a function key/subfile option within a program, or a combination of different processes.

  • Program ID: The identification, such as program number, file number, and report number that is assigned to an element of software. If you use this field in conjunction with the Function Key/Selection Option field, the system requires this to be a video.

  • Function Key/Selection Option: The name of the field within the function key security file. This name is used in conjunction with a video name.
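
How the process definitions of 56.1.2 and the conflict definitions of 56.1.3 fit together, as an added Python sketch that is not JD Edwards World code: it flattens nested processes and reports which conflict rules a user's access trips. All process names, program and video IDs, user IDs and the matching rule (a side of a rule matches when the user can reach any one of its elements) are assumptions made for illustration.

```python
# Added illustration, not JD Edwards World code. Every ID below is constructed.
# An element is ("PGM", program), ("KEY", video, option) or ("PROC", process).
PROCESSES = {  # models process definitions (the page's F00711)
    "AP_ENTRY": [("PGM", "PGM_ADDRBOOK"), ("PGM", "PGM_SPEEDVCH"),
                 ("KEY", "VID_STDVCH", "F5")],
    "AR_ENTRY": [("PGM", "PGM_INVOICE"), ("PGM", "PGM_RECEIPT")],
    "PAYABLES": [("PROC", "AP_ENTRY"), ("PGM", "PGM_PAYMENT")],  # nested
}
RULES = [  # models conflict rules (the page's F00712): name, seq, left, right
    ("AP_VS_AR", 1, ("PROC", "PAYABLES"), ("PROC", "AR_ENTRY")),
    ("VCH_VS_PAY", 1, ("KEY", "VID_STDVCH", "F5"), ("PGM", "PGM_PAYMENT")),
]
USERS = {  # what each constructed user is allowed to run
    "CLERK1": {("PGM", "PGM_ADDRBOOK"), ("PGM", "PGM_SPEEDVCH")},
    "CLERK2": {("PGM", "PGM_SPEEDVCH"), ("PGM", "PGM_RECEIPT")},
    "SUPER1": {("KEY", "VID_STDVCH", "F5"), ("PGM", "PGM_PAYMENT")},
}

def expand(element, processes, path=()):
    """Flatten an element into the programs and key options it contains."""
    if element[0] != "PROC":
        return {element}
    name = element[1]
    if name in path:
        raise ValueError(f"process {name} includes itself")
    if name not in processes:
        raise KeyError(f"undefined process {name}")
    leaves = set()
    for child in processes[name]:
        leaves |= expand(child, processes, path + (name,))
    return leaves

def violations(access, rules, processes):
    """List (rule, seq, left hits, right hits) for every rule a user trips."""
    found = []
    for name, seq, left, right in rules:
        left_hits = expand(left, processes) & access
        right_hits = expand(right, processes) & access
        if left_hits and right_hits:  # assumption: any element on each side
            found.append((name, seq, sorted(left_hits), sorted(right_hits)))
    return found

if __name__ == "__main__":
    for user, access in USERS.items():
        print(user, violations(access, RULES, PROCESSES))
```

Because a process can include other processes, the expansion rejects a definition that includes itself instead of recursing forever, and a rule written against a parent process still catches access granted through a nested one.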