burnhart
16th January 2006, 21:34
Does anyone have a guide or listing of segregation of duties conflicts between Baan sessions and/or subsessions? By conflicting sessions I mean any combination of sessions and/or subsessions that, when assigned to one user, could potentially facilitate fraud. We are being audited from a Sarbanes-Oxley perspective and I'm not sure what the best way to approach this area is. Does anyone know of any tools in the market to help discover these conflicting areas?
marcaa
8th February 2006, 09:23
We are also interested in such a solution. Do you have more information on this post?
Thanks
mark_h
8th February 2006, 19:11
I am not sure there is a clear-cut case for "segregation of duties". We have 3 sites and 1 Baan system, and all three sites have different job descriptions. Since we were purchased we no longer have to worry about SOX, but we did keep some of the checks and balances in place.
lbencic
9th February 2006, 18:00
I agree, this is a very complex process. There are several consulting firms that do just that from a Baan perspective (not us, so that's not a sales pitch). If such a list exists it sure would be nice if it was provided by SSA. Have you discussed this with them? They are actually having a Webcast on this on Feb 22, and some seminars on SOX. Not sure if they will focus on ERP LN or have information for everyone, but it may be worth contacting them on it.
http://www.ssaglobal.com/enablingsox/
burnhart
14th February 2006, 00:41
Can you be more specific as to what firms have a tool which will help analyze segregation of duties?
lbencic
14th February 2006, 00:55
I don't think it's a tool. I think it's a process, a consultant (or consultants!) that will come in and help analyze and set things up. You may try the major consulting players - Crowe Chizek I think would do this. Also, NextStep. I have no idea on the quality or outcome of their services; I am a consultant so I have not gone through this as a company. Maybe someone who has can post up who they used...?
Francesco
2nd March 2006, 15:50
Basic roles are already segregated per module.
Commonly, the people who defy SarbOx are the IT staff, because they have their access-all-areas passes.
However, SarbOx is NOT about segregation of duties. This is a common misconception. It is about accountability and traceability.
So really, it doesn't matter who does what, as long as you keep track of who does what. ;)
baan_user
19th April 2007, 12:49
It is very complex and we have to review all our DEMs for SOX. Baan standard report tgbrg4450m000 is horrible and incorrect. It runs for days and no output.
Has anyone got any program / tools which dump all the DEM in plain text or Excel format?
skennedy
20th April 2007, 18:23
In brief, we have created something whereby we associate required sessions and conflicting sessions to job functions by user. It includes a session which will Print User Authorization Conflicts by Function. The solution is quite slick, feel free to contact me should you like more information.
Pierre B.
4th September 2008, 19:09
To all,
The above business requirement and inquiries are fully addressed by a Baan certified business solution called EZ-Process (www.ez-process.com). Its EZ-Compliance module is not only compliant with all Baan versions (from Triton 1.0 to ERP-LN), it is also able to perform automated Segregation of Duties validation on Baan Tools and/or DEM user authorizations (with or without User Roles). The availability of a pre-defined SOD Baan Conflicting Sessions Library also enables daily SOD conflicts identification for all user authorizations.
EZ-Compliance was selected and implemented by organizations such as Olympus, Komatsu, Herman Miller, Bio-Rad, Coopervision, Zebra Technologies, Microchip, Griffin Pipes, Magna, Immucor, EnerSys, etc... With the support of EZ-Compliance, these organizations successfully passed their SOX/J-SOX/SOD audits, conducted by E&Y, PWC, Deloitte, KPMG, ...
Tip: You can request a SOD scan via the website. It's free of charge, applicable for all versions of Baan and clearly shows you all your SOD conflicts.
Hope this helps,
- Pierre
tnzabo
1st April 2009, 19:34
This is what I do for our auditors:
We have a matrix already set up of what could be considered user "cross authorizations". There are 9 scenarios.
I started with those and found which Baan sessions correlate, i.e. one user cannot Maintain Vendors/Maintain POs/Maintain Receipts. So - I run Print Resulting Sessions for each of these sessions and export to Excel. I'll list the results from each session on one Excel sheet. They are in alpha order so I'll just look through to see if anyone has all three sessions. I know it's not real good for larger companies with many users but we're rather small. Also - I always start with the session list with the least amount of users.
I've done this for the past 3 audits so it's easier now that I have it set up and I just start with the previous year's workbook. So far it's been fine for our auditors.
Nikkiz
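The manual procedure in the post above (export the user list of each session in a conflict scenario, then look for users appearing in all of them, starting from the shortest list) can be done mechanically. The following is an added example and not code from the thread, from Baan or from any product named here: it parses a constructed CSV in the shape of a "Print Resulting Sessions" export (session, user), intersects the user sets for each rule in a small conflict matrix, and also handles the case where a rule names a session that does not appear in the export at all. The session names, user names and the last two rules are made up for illustration; only the vendor/PO/receipt scenario comes from the post.

```python
import csv
from io import StringIO

# Constructed sample export: one row per (session, authorized user), the kind
# of list you get when "Print Resulting Sessions" is dumped to a spreadsheet.
# The session names and users are invented for this example.
SAMPLE_EXPORT = """session,user
Maintain Vendors,alice
Maintain Vendors,bob
Maintain Vendors,carol
Maintain Vendors,dave
Maintain Purchase Orders,bob
Maintain Purchase Orders,carol
Maintain Purchase Orders,erin
Maintain Receipts,bob
Maintain Receipts,carol
Maintain Receipts,dave
Maintain Receipts,erin
Maintain Customers,alice
Maintain Customers,frank
Process Cash Receipts,frank
Process Cash Receipts,gina
"""

# Conflict matrix: a user who holds EVERY session in a rule is a SoD finding.
# The first rule is the vendor/PO/receipt scenario from the post; the other
# two are constructed for illustration, not an audited rule set.
CONFLICT_RULES = {
    "create vendor + raise PO + book receipt": {
        "Maintain Vendors", "Maintain Purchase Orders", "Maintain Receipts"},
    "maintain customer + post cash": {
        "Maintain Customers", "Process Cash Receipts"},
    "rule with a session absent from the export": {
        "Maintain Vendors", "Approve Payments"},
}


def users_by_session(export_text):
    """Group the exported rows into {session: set(users)}."""
    groups = {}
    for row in csv.DictReader(StringIO(export_text)):
        groups.setdefault(row["session"].strip(), set()).add(row["user"].strip())
    return groups


def find_conflicts(groups, rules):
    """Return {rule_name: sorted users holding all sessions of that rule}."""
    findings = {}
    for name, sessions in rules.items():
        # A session nobody holds (or one missing from the export) cannot
        # complete the conflict, so the rule yields no findings.
        if not all(s in groups for s in sessions):
            findings[name] = []
            continue
        # Start from the smallest user list, as the post suggests, and narrow
        # the candidate set with each further session.
        user_sets = sorted((groups[s] for s in sessions), key=len)
        common = set(user_sets[0])
        for s in user_sets[1:]:
            common &= s
            if not common:
                break
        findings[name] = sorted(common)
    return findings


def conflicts_by_user(findings):
    """Invert the findings to {user: [rule names]} for an auditor-facing list."""
    per_user = {}
    for name, users in findings.items():
        for u in users:
            per_user.setdefault(u, []).append(name)
    return {u: sorted(r) for u, r in sorted(per_user.items())}


if __name__ == "__main__":
    found = find_conflicts(users_by_session(SAMPLE_EXPORT), CONFLICT_RULES)
    for rule, users in found.items():
        print(f"{rule}: {', '.join(users) or 'no conflicts'}")
    for user, rules in conflicts_by_user(found).items():
        print(f"{user}: {len(rules)} conflict(s)")
```

To use it against a real export, replace SAMPLE_EXPORT with the contents of the exported file (the columns only need to be named session and user) and put the auditors' scenarios into CONFLICT_RULES; each scenario is simply the set of sessions that one person should not hold together. Because the rules are intersections, a scenario of three sessions is only reported for users holding all three, which matches the "all three sessions" check in the post.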
Pierre B.
1st April 2009, 22:04
To all,
EZ-Compliance eliminates the need to extract Baan data, load it in Excel and manipulate data manually. You simply import your Baan authorizations (DEM or Tools) via standard Baan sessions (from Triton 1.0 to ERP-LN) and launch the SoD scan. Within 15 minutes, ALL employee accesses are validated against 22,000 (22 thousand!) Baan conflicting session patterns. The scan then generates a detailed report showing each user representing a Segregation of Duties (SoD) risk for the organization, what sessions he/she is accessing and what menu/role/diagram is granting this user such access. The above import-scan-reporting can also be automated (e.g. every Thursday at 1:00am), eliminating 95% of the human effort and cost of SoD validation.
You can also request the above scan free of charge at
http://www.ez-process.net/EZ-ProcessCD/ezcompliance_BaanSOD.htm
Note: This scan engine is also able to perform SoD validation on SAP, Oracle, Mapics, etc.
Hope this helps readers,