Dwallace
6th June 2004, 23:39
Are others in the USA experiencing challenges with documenting Baan processes for the new Sarbanes-Oxley regulations?

I saw one post regarding version control. We will also have challenges with change management (moving our components from a test->prod environment and different physical boxes).

If you have had experience, I would love to chat and share ours! It's been a difficult road, trying to translate the rules into our own IT standards and procedures.

Denise

tjl7666
9th June 2004, 19:18
We are being audited for compliance with the Sarbanes-Oxley regulations. One of the issues the auditors had problems with was the movement of modifications from test to production and developers having super user access and development access in production.

Dwallace
9th June 2004, 19:23
We are going to remedy this situation by two means:

1) Hire one person to perform all the change management - meaning all moves from dev to prod. This person could not be in the development department.

2) Developers will NOT have developer rights in the production system. We will be able to do table maintenance when needed. But no developer access set up.

We are running these ideas past our auditors this month.

Denise

dave_23
9th June 2004, 19:41
PMC Distributor might be a good option to look into as well -

Developers would be able to create solutions that an admin would then load. I wrote a script that even automated that process.

Plus you get all the revision control that you can handle, since you can always back out a PMC solution and get the original object.

Dave

Dwallace
9th June 2004, 19:45
I use PMC for my Baan solutions, but are you saying we can create our own?

Is this all custom, or Baan supported?

NPRao
9th June 2004, 19:51
Hire one person to perform all the change management - meaning all moves from dev to prod. This person could not be in the development department.
In our situation we had a person moved from my team to another team called "Production Control", and I gave up some of my BaaN administration duties for QA and Production, although I still do the first-line support for all tools issues. Their main purpose is to do software migrations from Dev -> QA -> Production, handle root authorizations needed for some BaaN stuff, handle Job Schedulers, user creations and On-Call.
I am not on-call anymore or have to work on weekends, and I can focus on other projects such as Gemini, development, OW etc. :)
I think there is also some new regulation about password expiration, disabling users who did not log in for a particular time, user id coding conventions etc.

Dwallace
9th June 2004, 20:36
Another question for the group - what are you doing for documentation? We have found, we think, that if the process is entirely standard Baan, Baan's documentation will suffice. Are you using Baan's documentation and if so, how?

How do you handle the customizations you may have made?

Denise

dave_23
9th June 2004, 21:23
Hi Denise,

Yes, you can create your own solutions. The creation process is Baan supported (i.e., if you have problems with PMC Distributor, you can get help).

It's not documented though, so you sort of have to muddle through the PMC Distributor sessions to figure it out, but it's really not too bad.

Dave

Jacobwd
31st August 2004, 11:56
Just a thought. I saw a reporting solution from Cyberscience at the last Baan Users event in the UK. Each report has its own banner page with date/time/data source/developer ID etc., and I thought then about SARBOX. If you need to prove where you got the data from, when and by whom - there it is at the top of the page - easy!

Hope that helps.
Jacob.

Mick Andrus
6th January 2005, 00:14
We had to negotiate this process with our SOX-related auditors. We do not have sufficient staff to have a promote-only person and it would be a severe hindrance for troubleshooting to restrict developers from production environments.

Our auditors bought into our internal QC process as a compensating control. Every script created in the development environment is reviewed by an IT QC person before moving to production.

There are three people who can do development. The developer may choose either of the other two as his (there are only guys in this role) QC person. These two will communicate by email with questions and comments regarding the script in development. When the work is satisfactory, the IT QC person gives his approval for the developer to move the objects to production.

We track all this through logs and keep the documentation in Microsoft Outlook folders.

It's been a burden getting comfortable with this but we get better at it all the time. By this time next year it will be second nature.

We're pretty much set with SOX stuff but we're still struggling with user account auditing - looking for internal control conflicts and being able to prove to the auditors that we've identified and snuffed out any problems.

I'm going to post a question on that and see if I can find out what others are doing.

MATGRP
2nd January 2008, 14:08
In our company also, auditors are coming for a Baan audit. This is our first audit.
Please tell us what preparation is required to face the auditors. Thanks in advance.

Matgrp

Mick Andrus
2nd January 2008, 15:07
The audit process can be long and complex. Unfortunately, I can't summarize in one note what it takes to survive an external audit. Just to give you an idea of how complex it can be, the listing you see below is from our company's controls documentation. If you have more detailed questions, I'll try to help.

POLICIES

ITPL001 - Global Information Technology General Policy

ITPL002 - Remote Access Policy

ITPL003 - Electronic Mail Policy

ITPL004 - Internet Usage Policy

ITPL005 - Trusted User Security Policy

ITPL006 - Global IT Governance Policy

ITPL007 - Systems Security Policy

ITPL008 - Data Management Security Policy

ITPL009 - Management of IT Assets Policy

ITPL010 - Disaster Recovery Planning Policy

ITPL011 - Global IT Project Lifecycle Management Policy

PROCEDURES

ITPR006.1 - Global IT Self-Monitoring Procedure

ITPR006.2 - Global IT Management Testing Procedure

ITPR006.3 - Exceptions Request Procedure

ITPR006.4 - IT Policies, Standards, and Procedures Maintenance Procedure

ITPR006.5 - IT Review for SAS70 Procedure

ITPR006.6 - Annual Review for Policy and Standard Compliance Procedure

ITPR007.1 - User Access Procedure

ITPR007.2 - Password Change Request Procedure

ITPR007.3 - Weekly Invalid Login Review Procedure

ITPR007.4 - Quarterly Privileged Account Access Review Procedure

ITPR007.5 - Semi-Annual Active User Review Procedure

ITPR007.6 - Annual User Access Review Procedure

ITPR007.7 - Terminated Employee Access Procedure

ITPR008.1 - System Data Backup Procedure

ITPR008.2 - System Backup Validation Procedure

ITPR008.3 - Request for Restricted Information Procedure

ITPR009.1 - Permanent Data Center Access Procedure

ITPR009.2 - Temporary Data Center Access Procedure

ITPR009.3 - Asset Lost/Stolen Procedure

ITPR009.4 - Quarterly Inventory of IT Microsoft and Anti-virus Software Procedure

ITPR009.5 - Annual Inventory of IT Software Assets Procedure

ITPR009.6 - Annual Review of Data Center Access Procedure

ITPR010.1 - Annual Test of Disaster Recovery for Tier 1 Data Centers Procedure

ITPR011.1 - Project Initiation Procedure

ITPR011.2 - Business Analysis and Design Procedure

ITPR011.3 - Technical Design Procedure

ITPR011.4 - Construction Procedure

ITPR011.5 - Testing and Implementation Readiness Procedure

ITPR011.6 - Migration to Production Procedure

ITPR011.7 - Type 1 Change Control Procedure

ITPR011.8 - Monthly Change Control Review Procedure

ITPR011.9 - Emergency Change Control Procedure

STANDARDS

IT-ST001 – WAN Standards

IT-ST002 – Hardware-Software Standards

IT-ST003 – Blackberry Standards

IT-ST004 – Naming Convention Standards

IT-ST006 – AD 2003 Standards

IT-ST007 – SMS 2003 Standards

IT-ST008 – Wireless Standards

IT-ST009 – Data Center Standards

IT-ST011 - AS400 Security Standards

IT-ST012 - JDE World Standards

IT-ST013 - SSA Baan Standards

IT-ST014 - JDE OneWorld Standards

IT-ST015 - KBM Standards

IT-ST017 - SyteLine Standards

IT-ST018 - Oracle 11-03 Standards

IT-ST019 - Hyperion Enterprise Standards

IT-ST020 – Anti-Virus Standards

IT-ST021 - RS6000 Security Standards for a Baan Environment

IT-ST023 – Video Conferencing Standards

IT-ST024 - Oracle E-Business Suite

BEST PRACTICES

IT-BP001 – Remote Access Best Practices

IT-BP002 – HADC Maintenance Best Practices

IT-BP006 – AD 2003 Best Practices

IT-BP010 – Windows System Setup Best Practice

MATGRP
3rd January 2008, 06:16
Very nice input has been given by you. I require more details on each topic. Please suggest the mode of communication which suits you.

Regards,
MATGRP

Mick Andrus
3rd January 2008, 14:58
Matgrp,

Let's start with the basics and see if you can help me by answering a few questions.

In what kind of organization do you work? Is it a manufacturing company, a government agency, etc?

If you work in a private company, in general terms how large is the company in annual income and employees?

In what kind of Information Technologies organization do you work? Is it just a few people, dozens of people, hundreds of people?

What are your largest systems by brand name, JD Edwards, Peoplesoft, Oracle, etc?

Who is your external auditor, PriceWaterhouseCoopers, KPMG, or some other?

Mick

MATGRP
8th January 2008, 06:17
Mick,

Organization: a manufacturing company

Total Employees: 860

Information Technologies organization: 250

ERP: Baan

External auditor: some other

MATGRP
4th February 2008, 13:54
Mick,

Please guide me to create

1. User Access Procedure
2. Weekly Invalid Login Review Procedure

matgrp

Pierre B.
1st April 2009, 22:23
To all,

The Baan user access control requirement is fully addressed by a Baan certified business solution called EZ-Process (www.ez-process.com). Its EZ-Compliance module is compliant with all Baan versions (from Triton 1.0 to ERP-LN), and is able to perform automated Segregation of Duties validation on Baan Tools and/or DEM user authorizations (with or without User Roles). The availability of a pre-defined SoD Baan Conflicting Sessions Library also enables daily SoD conflict identification for all user authorizations.

EZ-Compliance was selected by organizations such as Olympus, Komatsu, Herman Miller, Bio-Rad, Coopervision, Zebra Technologies, Microchip, Griffin Pipes, Magna, Immucor, EnerSys, etc... With the support of EZ-Compliance, these organizations successfully passed their SOX/J-SOX/Eur-SOX/SoD audits, conducted by E&Y, PWC, Deloitte, KPMG, ...

Tip-1: The website offers a free-of-charge SoD scan.
Tip-2: This SoD scan engine is also able to handle SAP, Oracle, Mapics, and others.

Hope this helps,

- Pierre
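The SoD validation Pierre describes (checking each user's effective session authorizations, direct or via roles, against a library of conflicting session pairs) works roughly like the added example below. This is illustrative code written for this thread, not EZ-Compliance or any Baan tool; the session codes, roles, users and conflict pairs are all constructed placeholders.

```python
# Segregation-of-duties (SoD) check over ERP session authorizations.
# Constructed example: the session codes, roles and users below are made up
# for illustration and are not a real Baan conflicting-sessions library.
from collections import defaultdict

# Constructed conflicting-session library: pairs of session codes that a
# single user should not be able to execute together, with the risk each
# pair represents. The codes are hypothetical placeholders.
CONFLICT_LIBRARY = [
    ("tccom1101", "tfacp2100", "maintain supplier and enter supplier invoice"),
    ("tfacp2100", "tfcmg1200", "enter supplier invoice and release payment"),
    ("tdpur4100", "tdpur4120", "create purchase order and confirm receipt"),
]

# Constructed DEM-style roles, each granting a set of sessions.
ROLES = {
    "AP_CLERK": {"tfacp2100"},
    "TREASURY": {"tfcmg1200"},
    "VENDOR_MAINT": {"tccom1101"},
    "BUYER": {"tdpur4100", "tdpur4120"},
}

# Constructed user authorizations: roles plus directly granted sessions.
USERS = {
    "alice": {"roles": {"AP_CLERK"}, "sessions": set()},
    "bob": {"roles": {"AP_CLERK", "TREASURY"}, "sessions": set()},
    "carol": {"roles": set(), "sessions": {"tdpur4100", "tdpur4120"}},
    "dave": {"roles": {"VENDOR_MAINT"}, "sessions": {"tfacp2100"}},
}

def effective_sessions(user, roles=ROLES):
    """Flatten direct sessions and role-granted sessions into one set."""
    allowed = set(user["sessions"])
    for role in user["roles"]:
        allowed |= roles.get(role, set())
    return allowed

def find_sod_conflicts(users=USERS, library=CONFLICT_LIBRARY, roles=ROLES):
    """Return {user: [(session_a, session_b, risk), ...]} for every conflicting
    pair a single user can execute, whether granted directly or via a role."""
    findings = defaultdict(list)
    for name, user in users.items():
        allowed = effective_sessions(user, roles)
        for a, b, risk in library:
            if a in allowed and b in allowed:
                findings[name].append((a, b, risk))
    return dict(findings)
```

Running `find_sod_conflicts()` flags bob (two roles that together span invoice entry and payment release), carol (both purchasing sessions granted directly) and dave (a role combined with a direct grant), while alice is clean; the mixed cases are the ones a review of roles alone would miss.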