Mick Andrus
6th January 2005, 00:26
I want to start a conversation to see how other Baan-using companies are responding to the Sarbanes-Oxley requirement to document how user accounts are controlled and audited. (At least I assume all other SOX-inflicted companies are being asked for this.)

We have struggled with this question for over a year. We just finished our first annual-cycle audit and while the auditor will let us pass, they were quite openly unhappy with our practices.

What they want is definitive evidence that we a) review user accounts for potential controls conflicts and b) document these reviews. We have done a) often in the past; we have not done b) in a manner they find acceptable.

Our only suggestion on the table is very burdensome - prepare packages of user setups for management review. Our management rejected this approach rather ferociously. But it was the only approach the auditors seemed to like.

Under the rejected method, we would audit each user at least once a year. Three hundred-plus Baan users means 5-6 users per week. That means 5-6 review packages distributed to operational managers who can't tell a General Item Data record from a hole in the ground.

Now - quite honestly I don't blame them. I don't like it myself but it was the only method we could find that kept the auditors calm. But our management is not calm and will not accept it.

So - the question for conversation is, what are other companies doing? What are you doing?

(Oh, and the auditors won't tell us what others are doing. We've asked point blank and they've refused point blank to tell us.)

soxrocks
12th August 2008, 20:35
Hello Mick -

I searched baanboard for Sarbanes-Oxley, got this post (and others). You seem to have a good understanding of the SOX requirements.

I am an IT SOX consultant who just started with a US-based company that has a branch in Europe using BaaN IV. I have read their 2008 SOX audit report, and the findings are numerous about account management, password control and change management.

I am not familiar with BaaN (more JD Edwards/Oracle), and am trying to learn about its capabilities, especially configuration settings for passwords and user accounts.

Can you point me to any available manuals/docs that could explain these things to me?

Thanks

Pierre B.
4th September 2008, 18:31
Mick,

Your business requirement and inquiry are fully addressed by a Baan certified business solution called EZ-Process (www.ez-process.com). Its EZ-Compliance module is not only compliant with all Baan versions (from Triton 1.0 to ERP-LN), it is also able to perform automated Segregation of Duties validation on Baan Tools and/or DEM user authorizations (with or without User Roles). The availability of a pre-defined SOD Baan Conflicting Sessions Library also enables identification of all SOD conflicts within the first day of implementation (and as often as desired).

EZ-Compliance was selected and implemented by organizations such as Olympus, Komatsu, Herman Miller, Bio-Rad, Coopervision, Zebra Technologies, Microchip, Griffin Pipes, Magna, Immucor, EnerSys, etc. With the support of EZ-Compliance, these organizations successfully passed their SOX/J-SOX/SOD audits, conducted by E&Y, PWC, Deloitte, KPMG, ...

Note:
- A free-of-charge SOD scan is available. Simply request it at www.ez-process.com
- Customer Case Studies are also available on the website

Hope this helps you,

- Pierre
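As an added example tied to Mick's two requirements (review accounts for control conflicts, and document the reviews) and to the automated Segregation of Duties check Pierre describes, here is my own Python sketch of such a check; it is not code from the thread or from EZ-Process, and its session names and conflict pairs are constructed placeholders standing in for real Baan session codes.

```python
"""Added example: minimal segregation-of-duties (SOD) check over Baan-style
user session authorizations, producing a dated review record that can be
filed as audit evidence. Session names and conflict pairs are constructed
placeholders, not Baan's real session codes or any vendor's library."""
from datetime import date

# Constructed conflict library: pairs of sessions one user should not hold
# together, with the control reason an auditor would expect to see recorded.
SOD_LIBRARY = {
    ("maintain_suppliers", "approve_purchase_invoices"): "vendor master vs. invoice approval",
    ("enter_purchase_orders", "approve_purchase_invoices"): "ordering vs. invoice approval",
    ("maintain_item_data", "post_inventory_adjustments"): "item master vs. stock adjustment",
}

def find_conflicts(authorizations):
    """Return {user: [reason, ...]} for every user holding both halves of a pair."""
    findings = {}
    for user, sessions in authorizations.items():
        held = set(sessions)
        for (a, b), reason in SOD_LIBRARY.items():
            if a in held and b in held:
                findings.setdefault(user, []).append(reason)
    return findings

def review_record(authorizations, reviewer, on=None):
    """Build the evidence the auditors asked for: who reviewed which accounts,
    when, and with what result, listing clean accounts as well as exceptions."""
    on = on or date.today()
    conflicts = find_conflicts(authorizations)
    return {
        "reviewed_on": on.isoformat(),
        "reviewer": reviewer,
        "accounts_reviewed": sorted(authorizations),
        "conflicts": conflicts,
        "result": "exceptions" if conflicts else "no exceptions",
    }

# Constructed sample: three accounts and the sessions each is authorized for.
SAMPLE_AUTHORIZATIONS = {
    "jsmith": ["maintain_suppliers", "approve_purchase_invoices"],
    "mlee": ["enter_purchase_orders"],
    "tbrown": ["maintain_item_data", "post_inventory_adjustments", "maintain_suppliers"],
}

if __name__ == "__main__":
    rec = review_record(SAMPLE_AUTHORIZATIONS, reviewer="ops-manager")
    print(rec["reviewed_on"], rec["result"])
    for user, reasons in rec["conflicts"].items():
        print(user, "->", "; ".join(reasons))
```

Running the check on a schedule and archiving each record gives the documented-review trail (requirement b) without hand-built packages per user; the conflict pairs are the part that needs agreement with the auditors.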