Effective Governance Risk and Compliance with JD Edwards

Effective Governance Risk and Compliance with JD Edwards EnterpriseOne
An Oracle White Paper
Written in Collaboration with Q Software Global Ltd.
July 2008

PURPOSE STATEMENT

This document is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle. Updates and enhancements are provided in accordance with Oracle's Technical Support Policies at: www.oracle.com/support/collateral/oracle-technical-support-policies.pdf

Effective Governance Risk and Compliance with JD Edwards EnterpriseOne  Page i


INTRODUCTION .......... 1
COMPLIANCE FUNDAMENTALS .......... 2
  COSO Framework .......... 2
  Sarbanes-Oxley Act .......... 3
  Midsize Businesses and Internal Controls .......... 6
  Public Sector Requirements for Internal Controls .......... 7
  Supply Chain Management and Compliance .......... 7
  Penalties and Fines .......... 8
  Compliance Activities in 2007 .......... 9
COMPLIANCE AND JD EDWARDS ENTERPRISEONE .......... 11
  Compliance Highlights by Release .......... 11
  Compliance Capabilities in JD Edwards EnterpriseOne Today .......... 14
    Systems-Based Internal Controls .......... 14
    Automated Processes .......... 16
    Foundation Calendar .......... 17
    Data Change Tracker .......... 17
    Desktop Access to Financial and Compliance Data .......... 18
    Segregation of Duties Management .......... 20
    Additional Internal Controls .......... 20
ENHANCING ERP SYSTEM COMPLIANCE WITH Q SOFTWARE .......... 21
  Issue 1: Security and Compliance .......... 22
  Issue 2: Roles Management and Compliance .......... 25
CONCLUSIONS .......... 30
ABOUT Q SOFTWARE .......... 30
ACRONYMS AND ABBREVIATIONS .......... 33
ACKNOWLEDGEMENTS .......... 33


INTRODUCTION

There are many financial compliance capabilities available today in JD Edwards EnterpriseOne that can be used to meet Sarbanes-Oxley and other legal requirements both within and outside the USA.

The USA financial compliance law Sarbanes-Oxley has heightened the focus on controlling operations beyond traditional accounting controls. Many features within JD Edwards EnterpriseOne assist small, medium and large organizations, including private and public companies and non-profit and public sector organizations, with compliance not just with Sarbanes-Oxley but with the growing plethora of regulations in place or evolving in countries across the globe. This paper highlights features available today in JD Edwards EnterpriseOne that can be used to meet a wide variety of financial compliance situations in the USA and elsewhere, for private and public enterprises of any size. Some compliance scenarios require additional capabilities to enhance, improve and simplify security and role management with respect to particular financial compliance requirements and processes. This paper therefore also explores how JD Edwards EnterpriseOne works with a third party software solution to provide complementary financial compliance capabilities that may be appropriate to incorporate into your JD Edwards EnterpriseOne implementation.

Q Software is a third party software solution that integrates with JD Edwards EnterpriseOne to add complementary capabilities to enhance your compliance activities.

Specific issues addressed in this white paper include:

• The fundamentals of financial compliance, including legal requirements that are complementary and additive to Sarbanes-Oxley;
• Compliance capability highlights of JD Edwards EnterpriseOne releases;
• The implications of compliance and supply chain management activities;
• The effects of associated and hidden programs and how to include them in your security model;
• How to effectively manage the sheer volume of objects to be secured and maintained;
• How to overcome the challenges of multiple roles management, including the unexpected security that can result from sequence manager;
• How to integrate your segregation of duties policy into JD Edwards EnterpriseOne to enforce your compliance policies;
• How to provide the security audit reports required by your auditor.


COMPLIANCE FUNDAMENTALS

COSO Framework

The COSO framework for internal control is provided by the Committee of Sponsoring Organizations of the Treadway Commission.[1] COSO is a voluntary, private sector group dedicated to improving the quality of financial reporting. Its framework is an effective standard for establishing an internal control system; such a system can be tailored to the specific business requirements of the customer and should assist with the evaluation of internal control systems. The COSO framework strives to achieve objectives in three categories:

• Operational effectiveness
• Reliable financial reporting
• Compliance with regulations

Five components of internal control are needed to meet these objectives:

1) Monitoring
2) Information and communication
3) Control activities
4) Risk assessment
5) Control environment

[1] COSO is a voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance. COSO was originally formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private sector initiative which studied the causal factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, for the SEC and other regulators, and for educational institutions. The National Commission was jointly sponsored by five major professional associations in the United States: the American Accounting Association, the American Institute of Certified Public Accountants, Financial Executives International, The Institute of Internal Auditors, and the National Association of Accountants (now the Institute of Management Accountants). The Commission was wholly independent of each of the sponsoring organizations, and contained representatives from industry, public accounting, investment firms, and the New York Stock Exchange. The Chairman of the National Commission was James C. Treadway, Jr., Executive Vice President and General Counsel, Paine Webber Incorporated and a former Commissioner of the US Securities and Exchange Commission (hence the popular name "Treadway Commission").


Each component is relevant to each objective category, and all five components must be present and functioning properly for each objective area. Seen this way, the five components form a process, not a single static event: internal control is a process, not a "snapshot". The objectives of the COSO framework are to provide assurance that you will achieve:

• Reliability in financial reporting
• Effectiveness and efficiency of operations
• Compliance with appropriate and applicable laws and regulations

What is required to build an effective compliance program that leverages the COSO framework? Oracle has identified four major requirements:

1) Systems-based internal (automated) controls
2) Automated processes – the goal is "the less human interaction the better", because less human interaction means fewer opportunities for data entry errors and for fraud. The key to compliance in this case is segregation of duties.
3) Consistent documentation – provide a single version of the truth between system functionality, documentation, and the way you actually run your business.
4) Ongoing control and monitoring of the internal control framework

Sarbanes-Oxley Act

"Sarbanes-Oxley is essential in restoring investor confidence by providing transparency in financial reporting."
Christopher Cox, Chairman, USA Securities and Exchange Commission (SEC) (since 2005)

The increasing plethora of legislation, not just on corporate governance but also covering various data privacy requirements, places more emphasis on the business need for effective corporate governance (Table 1 lists regulatory highlights of the law). In particular, four sections of the Sarbanes-Oxley Act[2] are relevant for many JD Edwards EnterpriseOne customers:

• Section 202 – System Testing – Section 202 requires you to perform regular testing, at least quarterly. Many companies go beyond this and carry out ongoing testing throughout the year.
• Section 401 – Off Balance Sheet Obligations – This section typically concerns inventory and supply chain activities, but it also involves capital assets (including equipment and buildings).
• Section 404 – Internal Controls – Section 404 states that company officers have to testify as to the effectiveness of your controls. Ignorance of exposures is no longer an excuse, as officers can still be prosecuted if they have failed to take positive action. This section often receives the most public visibility.
• Section 409 – Timely Reporting of Material Events – Many events, including supply chain problems or changes, could be considered a material event if financial performance is impacted.

Financial compliance is not just an American issue with Sarbanes-Oxley. Countries across the globe are adopting similar and complementary regulations. Following passage of Sarbanes-Oxley in the USA, corporate governance laws were passed around the world, and soon other data privacy laws were introduced in different countries. Examples are listed in Table 2.

[2] The Sarbanes-Oxley Act of 2002 – Public Law No. 107-204, 116 Stat. 745, also known as the Public Company Accounting Reform and Investor Protection Act of 2002 and commonly called SOX or Sarbox, was enacted in the USA on July 30, 2002.

Table 1. Primary Requirements of the Sarbanes-Oxley Act

• Creation of the Public Company Accounting Oversight Board (PCAOB)
• Public companies must evaluate and disclose the effectiveness of their internal controls as they relate to financial reporting, and independent auditors for such companies must "attest" (i.e., agree, or qualify) to such disclosure
• Certification of financial reports by chief executive officers and chief financial officers
• Enhanced criminal and civil penalties for violations of securities law
• Significantly longer maximum jail sentences and larger fines for corporate executives who knowingly and willfully misstate financial statements, although maximum sentences are largely irrelevant because judges generally follow the Federal Sentencing Guidelines in setting actual sentences
• Auditor independence, including outright bans on certain types of work for audit clients and pre-certification by the company's audit committee of all other non-audit work
• A requirement that companies listed on stock exchanges have fully independent audit committees that oversee the relationship between the company and its auditor
• Ban on most personal loans to any executive officer or director
• Accelerated reporting of insider trading
• Prohibition on insider trades during pension fund blackout periods
• Employee protections allowing corporate fraud whistleblowers who file complaints with OSHA within 90 days to win reinstatement, back pay and benefits, compensatory damages, abatement orders, and reasonable attorney fees and costs

These compliance and privacy laws are bringing more companies under corporate governance regulations that affect the day-to-day ERP implementation of business processes and rules. When your auditors visit, they will typically focus on segregation of duties as their number one target. However, you should not apply controls merely because the law says you should; you should do so anyway, because it makes sound business sense to apply effective business controls. For example, a firm that manufactures semiconductor chips does not wait until the end of the production line to look for defects in its microchips. It looks at each step along the process. The manufacturer would much rather find a flaw in a silicon wafer before it has burned in all the circuitry: it is a lot cheaper to throw away a faulty wafer before investing time and production cycles in a defective final product.


Companies should apply that same mentality to their financial processes. Look for errors and defects throughout the process to minimize correction costs and downstream impact.

Table 2. Select Countries with Sarbanes-Oxley Type Legislation[3]

Country | Name of Legislation | Year Enacted
Argentina | Business Companies Law | 1972, 1983
Armenia | Law on Joint Stock Companies | 2001
Australia | ASX Listing Rules; Corporations Act 2001 (including CLERP 9 Amendments) | 2001, 2003
Brazil | Recomendacoes sobre Governanca Corporativa |
Canada | Multi-lateral Instrument 52-109 |
China | Company Law | 1993, 1999
Colombia | Financial Framework Law 25, expanded with Resolution 25 | 1993, 2001
European Union | Directive on Statutory Audit |
France | Bouton Report; Loi de Securite Financiere | 2002, 2002
Germany | Cromme Code; KonTraG – Law for Control and Transparency and the German Code of Corporate Governance | 2003
Hong Kong | Hong Kong Code of Corporate Governance Practices | 2005
India | Report of the Naresh Chandra Committee on Corporate Audit & Governance and Narayanmurthy Committee Report | 2002, 2003
Japan | Revised Corporate Governance Principles | 2001
Netherlands | Corporate Governance Code of Conduct | 2004
New Zealand | NZX Listing Rules and Best Practices Code | 2003
Philippines | Code of Corporate Governance | 2002
Russia | Corporate Governance Code | 2002
South Africa | King Report (1) and King Report (2) on Corporate Governance | 1994, 2002
Spain | Olivencia Code & Aldama Reports | 1998, 2003
Sri Lanka | Code of Best Practice for Audit Committees; Code of Best Practice on Corporate Governance | 2002, 2003
Turkey | TUSIAD & Corporate Governance Principles | 2002, 2003
United Kingdom | Combined Code; Turnbull Report; The Companies Bill of 2004 | 2003
Ukraine | National Principles of Corporate Governance, Securities and Stock Market State Commission | 2002
USA | Sarbanes-Oxley Act | 2002

[3] Compiled from various sources

Midsize Businesses and Internal Controls

Financial compliance is not just a large company issue. Midsize businesses, public or private, need to be concerned about Sarbanes-Oxley and other regulations.

Many midsized businesses believe they have no need for business controls because they are not bound by Sarbanes-Oxley or other legislation. Increasingly, however, public sector bodies and larger organizations require their suppliers to implement effective governance, and smaller companies will lose business if they fail to put adequate controls in place. Regardless of legislation or contractual requirements, businesses should implement effective controls because it makes sound business sense. Imagine these scenarios:

1) In your small business you come to the office on Monday morning to discover that your assistant has been using one of your clients' credit card details to indulge in a wild shopping spree.
2) Your accounts payable clerk has been double-paying invoices for services from his brother-in-law's company, and the two of them now have enough money for a lavish lifestyle.

These types of fraud happen in small, medium and large businesses every day because of poor basic internal controls. According to research carried out by KPMG, 75 percent of US companies surveyed admitted to suffering fraud, mainly due to inadequate internal controls.[4] This is not just an issue for companies operating in the USA: the PricewaterhouseCoopers Global Economic Crime Survey shows that 45 percent of companies worldwide admitted to fraud, and these frauds were generally uncovered by chance, not through adequate business controls.[5] Generally there are two categories of internal control:

1) Detective – Detective controls detect errors after they have occurred;
2) Preventative – Preventative controls seek to prevent the errors from happening in the first place.

[4] KPMG Fraud Survey, December 2003
[5] PricewaterhouseCoopers' Global Economic Crime Survey, 2005


Public Sector Requirements for Internal Controls

Public and non-profit enterprises are incorporating financial compliance processes and practices for a variety of practical and legal reasons.

The BoardSource report on the Sarbanes-Oxley Act and associated implications for nonprofit organizations notes:[6]

"[Sarbanes-Oxley] has forced the non-profit sector to analyze its board practices and methods of operation. Individual organizations have begun to identify loopholes and figure out how to eliminate them. Watchdog agencies and other nonprofit field-building organizations are reconsidering assumptions and standard operating procedures in an effort to identify guidelines, standards, and best practices in the sector.

"While no standard guidelines mandate when a nonprofit organization should undertake a full audit, the board is responsible for assessing the potential benefits and costs of an audit. Generally, nonprofits that have budgets of more than $500,000 and that receive federal funds are required to conduct an annual audit. Some state laws have lower thresholds.

"In addition, participating in the Combined Federal Campaign requires an audit at $100,000. Smaller non-profits, for whom an audit would be an unreasonable financial burden, should choose a review or at least have their financial statements compiled by a professional accountant. The boards of non-profit organizations that forego an audit should evaluate that decision periodically."

Supply Chain Management and Compliance

Since Sarbanes-Oxley was enacted in the United States, compliance has become more than just a concern for executive management, financial management and auditors.[7] How your supply chain is managed also affects your company's ability to meet many compliance regulations. Three sections of Sarbanes-Oxley in particular have direct implications for supply chain management and for subsequent reporting to company compliance and financial officers:

1) Section 401 (Off Balance Sheet Obligations) – If supply chain agreements create a financial obligation for your company, then compliance activities should be considered. Examples include:
   a) Vendor Managed Inventory (VMI);
   b) Long-term purchase agreements with penalty clauses;
   c) Lease agreements with financial impact if the lease is terminated;
   d) Letters of intent for long-term or long-lead-time production schedules that have a cancellation clause with financial impact (this could also be construed as an off balance sheet transaction).

2) Section 404 (Internal Controls) – For supply chain managers this section concerns four key supply chain activities:
   a) Inventory and inventory write-offs – Material must be present when it is booked as a financial asset. Its value must also be properly represented, and if the value has changed for whatever reason (including obsolescence or deterioration) the new value must be entered. Inventory that is not properly recorded in the company's financial system can create financial transparency problems;
   b) Material transfers – Material movements must be booked and accurately recorded;
   c) After-the-fact purchase orders – Purchase orders should not be created after a purchasing event has occurred if this is done to circumvent an established process or policy;
   d) Segregation of duties – In this context, supply chain management must ensure that assets are safeguarded and that only individuals authorized by policy or procedure engage goods and services providers. For supply chain management this typically requires segregation of duties, with corresponding policies, for:
      • Receiving
      • Order placement
      • Invoice processing
      • Vendor master or supplier establishment

3) Section 409 (Timely Reporting of Events) – Specific supply chain events can have compliance implications. Since Sarbanes-Oxley does not provide specific guidelines on what constitutes a material event under this section, many companies include activities beyond typical financial situations, such as late supplier deliveries that could cause production problems and in turn delay shipment of revenue-producing products, and problems at outsourced goods or services providers that will negatively impact revenue.

[6] "The Sarbanes-Oxley Act and Implications for Nonprofit Organizations", 2003, BoardSource and Independent Sector (www.boardsource.org and www.IndependentSector.org)
[7] "Sarbanes-Oxley Impact on Supply Chain Management", Robert J. Engel CPM, Resources Global Professionals (SCM Practice). Presented at the 91st Annual International Supply Management Conference (May 2006)

Penalties and Fines

Sarbanes-Oxley also provides for significant penalties if compliance failure occurs. Established fines and penalties for each offense include:

• Fines of up to $15 million
• Prison terms of up to 25 years


Compliance Activities in 2007

After a year when compliance was top of mind for companies everywhere, compliance will remain a major discussion topic within large enterprises for the foreseeable future. Many still struggle to assess the true impact of ongoing regulatory scrutiny on their environment. Major compliance issues in 2007 include:

• Payment Card Industry (PCI) – The Payment Card Industry Data Security Standard (PCI DSS) really came into its own with the acceptance of version 1.1 and the compliance deadlines for Level 1 and Level 2 merchants. PCI DSS was first released in December 2004 by the five major card brands – Visa, MasterCard, American Express, Discover and JCB – which banded together in 2006 to form the Payment Card Industry Security Standards Council. The increased awareness that PCI matters has had a dramatic and positive impact on security efforts. In contrast to the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act of 1999 (GLB Act)[8], the 12 requirements of PCI DSS are reasonably specific about what is acceptable from a security controls standpoint. Five of the 12 requirements call for strictly controlled access, which identity management can help deliver. Unlike SOX and HIPAA, which are enforced by the US Federal government, PCI DSS is enforced by the card brands, with fines and other consequences for non-compliance varying from one brand to another. Table 3 lists different aspects of PCI.

• Lost Laptops – A large number of lost laptops triggered data breach disclosure laws around the world. However, the expected USA Federal breach disclosure legislation did not materialize, which means United States companies are still governed by the dozens of different laws on the books in almost every USA state. USA Federal law under consideration in 2008 would likely include input and requirements from a more global audience, which would mean standardized terminology and consequences for data breaches.

[8] Otherwise known as the Financial Modernization Act of 1999


Table 3. PCI Compliance

PCI Compliance Requirement | Identity Management Feature
Restrict access to data by business need to know | Provisioning – Ensures critical data can only be accessed by authorized personnel whose roles require access to that data on a "need to know" basis.
Assign a unique ID to each person with computer access | User ID Ownership – In an identity management system a person is associated with, or "owns", each user ID, helping to eliminate the shared user ID problem.
Do not use vendor-supplied defaults for system passwords and other security parameters | Centralized Password Policy – Enforcement ensures strong passwords are used on managed applications and systems.
Protect stored cardholder information | Workflow with Recertification – Persons no longer requiring access, or no longer associated with the organization, are deactivated from applications or databases that hold cardholder information.
Track and monitor all access to network resources and sensitive data | Audit Reporting – Demonstrates that only appropriate people have access and that the access was authorized.


COMPLIANCE AND JD EDWARDS ENTERPRISEONE

Compliance Highlights by Release

• Release 8.9 – Release 8.9 introduced support for 21 CFR Part 11 to enable life sciences companies to comply with FDA regulations for auditing and electronic signatures (signature tracking). Life sciences companies also use the enhanced lot control feature, which provides up to eleven lot control dates, such as best before, sell by, and user-defined dates (for example lot agitation). Release 8.9 also affords much more control over the commitment of lots for shipping; for example, you can set the system up so that you never ship a lot with an older best-by (or sell-by) date than the last lot you shipped to that specific customer. The ability to track products by lot can also be important for life sciences and other industries.

• Release 8.9 and Release 8.10[9] – These releases provide the opportunity to integrate with PeopleSoft Internal Controls Enforcer, which provides the following capabilities:
  • Powerful diagnostics, dashboards and reporting for real-time compliance monitoring
  • An integrated, user-centered compliance and performance environment
  • Snapshot of risk assessment and control status
  • Sub-process and departmental accountability
  • Surveys to monitor manual controls
  • Version control, edit and comment tracking, time and user stamping
  • Central document repository for supporting materials
  • Pre-built diagnostics
  • Continuous monitoring
  • Proactive alerts of system changes
  • Third-party applications can also be linked

• Release 8.11 – Release 8.11 compliance enhancements were directed toward:
  • Continuous monitoring of key financial data through scorecards
  • Scheduling and management of compliance activities
  • Notifications via workflow

[9] Release 8.9 needs an ESU to include these capabilities; for Release 8.10 these features are effective with Update 11.


These increase control and insight into business processes and improve the documentation of controls by:
  • Creating a single version of "the truth" between documentation and actual system-based business processes;
  • Streamlining process and control point documentation;
  • Improving the efficiency of the compliance process.

• Release 8.12 – With JD Edwards EnterpriseOne 8.12 organizations can enhance compliance with:
  • Compliance Innovations – Financial accountability and compliance with regulations for public and private businesses is a growing concern. Release 8.12 provides an integrated architecture with dashboard tools, which allows you to easily generate compliance and financial data across your organization and drastically reduce the errors that can occur when working with non-integrated data from disparate systems. Specifically, JD Edwards EnterpriseOne Tools 8.96 includes enhancements that help Oracle's customers deal with security, audit and compliance requirements.
  • Attachment Security – When adding attachments (media objects) to a transaction, the attachment is often a supporting document that should never be changed, even by the person who originally attached it. This enhancement allows an attachment to be made permanent, preventing modification or deletion after the transaction is committed.
  • Security Reports – This enhancement gives customers the ability to report which users have access to JD Edwards EnterpriseOne applications, UBEs, and tables, and what level of access the user ID or role is granted. The report can be filtered by object, system code, or object type for any user or role combination. A programmable interface will also be provided for the development of custom reports.
  • Selective Auditing – Before this enhancement, when columns of a table were marked to have their changes tracked in the audit trail, any change to any marked column triggered an audit record. With this enhancement, customers can select which columns trigger an audit record and which columns are merely added as information to the audit record without triggering one.
  • Country Specific – Oracle protects customers' software investment with respect to changing statutory and local business requirements through localization support. Statutory updates for localized offerings for JD Edwards EnterpriseOne are supported for the countries listed in Table 4.[10] There may be support for other countries from Oracle partners.

Table 4. Countries Supported with Localization Direct from JD Edwards EnterpriseOne Development

Argentina, Australia, Austria, Belgium, Brazil, Chile, China, Colombia, Czech Republic, Denmark, Ecuador, Finland, France, Germany, Hungary, India, Ireland, Italy, Japan, Mexico, Netherlands, Norway, Peru, Poland, Russia, Spain, Sweden, Switzerland, Taiwan, United Kingdom, Venezuela

10 This table is subject to change without notice; for an up-to-date list see www.oracle.com/applications/jdedwards-enterpriseone-country-support.html


Compliance Capabilities in JD Edwards EnterpriseOne Today

Systems-Based Internal Controls

Application Security – Arguably one of the most important areas of internal control. Application security plays a key role in enforcing segregation of duties and therefore in preventing fraud: for example, it ensures that the person who creates a purchase order is not also allowed to approve the requisition. Security for JD Edwards EnterpriseOne Business Services falls into two main categories:

1) Authentication – Consumers of JD Edwards EnterpriseOne Business Services authenticate with standard EnterpriseOne user credentials, which supports specific access control, auditing, and anonymous authentication for users where required.

2) Access – Execution of individual business services is managed through the JD Edwards EnterpriseOne Security Workbench. Customers define which business services are exposed as web services and which users or roles may execute them.



Processing Options – Processing options control the flow of business processes within the system. For example, a processing option in the sales order entry application can prevent changes to an order after a predefined status has been reached, such as after inventory has shipped. Processing options can vary by user role, which permits both flexibility and tight control of the system.



System Constants – System constants control the way an application works system-wide, regardless of individual user roles. For example, a system constant can be used when a company wants to control the posting of journal entries into a prior, closed period no matter who in the organization initiates the transaction. The constant can be set to allow the posting with a warning, or to disallow it.



Cash Forecasting – JD Edwards EnterpriseOne cash forecasting helps your company project, or forecast, future cash requirements and manage your cash accounts effectively. With cash forecasting you can analyze one or more bank accounts and forecast your cash position daily or periodically, based on a date horizon. This functionality includes:

- A rules-based system;
- Cash flow forecasts that can include general ledger, accounts receivable and accounts payable transactions;
- The ability to assign weighting factors to different types of transactions;
- The ability to include or exclude past-due documents in calculations;
- An inquiry screen to display results and produce hard-copy reports.

Cash Statements – International Accounting Standards require companies to present a cash flow statement that shows the historical changes in cash and cash equivalents during a specified period of operations.11 They further require cash flows to be classified into the following categories:

- Operating – Cash flow from principal revenue-producing activities, such as cash receipts from the sale of goods and services, and other activities that are not investing or financing activities
- Investing – Cash flow from the acquisition and disposal of long-term assets and other investments that are not included in cash equivalents
- Financing – Cash flow from changes in the size and composition of equity capital and borrowings

If amounts on the statement of cash flows report are out of balance, an error message prints at the end of the report. The out-of-balance condition occurs when the difference between beginning and ending cash and cash equivalents does not equal the net increase or decrease in cash and cash equivalents.

Integrity Reports – Integrity reports supplement internal procedures by helping companies locate data inconsistencies. These reports can be run across multiple applications as well as within the general ledger itself, helping to ensure data integrity throughout the enterprise.

Integrated Postings – JD Edwards EnterpriseOne Financial Management software has built-in integration with the other JD Edwards EnterpriseOne applications and functions listed in Table 5. Entries made in these applications are automatically posted to the general ledger, providing enterprise-wide data integrity.

11 See standard no. 7 (IAS 7, Statement of Cash Flows).


Table 5. Integrated Postings to Other JD Edwards EnterpriseOne Modules and Functionality

Accounts Payable, Accounts Receivable, Advanced Pricing, Advanced Stock Valuation, Bulk Stock Management, Customer Service, Demand Flow Manufacturing, Fixed Assets, Homebuilder Management, Inventory Management, License Plating, Load and Delivery Management, Localizations, Manufacturing – PDM, Manufacturing – Shop Floor, Preventive Maintenance, Project Costing, Real Estate Management, Sales Order Management, Time and Labor, Work Order Completion

Automated Processes

Process Modeler – The first step in automating processes is to understand them. Process Modeler is a tool that allows you to visualize, understand, document and easily change your business processes (see the example in Figure 1) using drag-and-drop functionality. You are not starting from scratch: Process Modeler comes standard with hundreds of business processes based on industry best practices. These provide an ideal starting point for companies to create their own processes, either by customizing the prebuilt ones or by using them as models to build their own from the ground up.

Figure 1. Process Modeler in JD Edwards EnterpriseOne


The Process Modeler goes beyond a standard Microsoft Visio-type tool. It gives you the ability to re-use objects and to "click through" an object to its associated sub-objects. It was built from the ground up to meet the requirements of demanding enterprise-level business process modeling.

Workflow – JD Edwards EnterpriseOne offers workflow management functionality for the paper-based tasks that typically frustrate attempts to automate processes. Workflow lets you implement internal controls using user-defined rules, routes and roles. For example, you can use workflow to automate business processes by establishing how tasks are passed from one employee to another for action. Workflow can also be used to manage transactions and to notify users when a Key Performance Indicator (KPI) indicates risk.

Foundation Calendar

The Foundation Calendar provides core calendaring functionality directly integrated with JD Edwards EnterpriseOne products. The calendar is designed to track activities, tasks and events across a variety of entities, including people, companies and branch plants. Each calendar can have a defined work day and work week. Activities can be assigned to the calendar directly through the calendaring application, or automatically by linking calendar entries to specific activities within system workflow. In addition to scheduling meetings, events and tasks, the calendar can be used to schedule resources by assigning users to an activity. The JD Edwards EnterpriseOne Calendar can be synchronized directly with Lotus Notes and Microsoft Outlook, connecting the JD Edwards EnterpriseOne system with the time management tools people already use. The calendar can also be configured to send alarms to users for activity notification. The calendaring functionality provides for monitoring of the internal controls defined within workflow: depending on the workflow configuration, an email notification can be sent and a calendar entry created when a specific event occurs. Calendar entries can also be created directly in the tool to track activities defined by the Sarbanes-Oxley compliance team within an organization.

Data Change Tracker

Data Change Tracker functionality was created to address concerns about 21 CFR Part 11 within the life sciences industry.12 13 This regulation sets out the criteria under which electronic records, electronic signatures and handwritten signatures executed to electronic records are accepted, allowing electronic records to be considered equivalent to paper records and handwritten signatures. The Data Change Tracker can create a date, time and user stamp for any change to the database, with the customer selecting which fields to track. It can record changes made to key database fields that control overall system functionality, such as system constants, automatic accounting instructions and security settings. These recorded data changes can then be accessed by custom reports to support a variety of compliance requirements, including 21 CFR Part 11 and Sarbanes-Oxley.

12 The Data Change Tracker was added with SP21 for releases Xe and ERP8, and with SP2 for 8.9 and 8.10.
13 21 CFR Part 11 took effect on August 20, 1997.

Desktop Access to Financial and Compliance Data

Operational dashboards and consoles are the new front door to analytics, giving rapid and timely access to financial and compliance information across your business. Many businesses want to put analytics capability into the hands of operational users, so that managers can better communicate operational goals at the line-of-business level and users can immediately identify problems across their operation. Without an operational console to view organizational health, companies can be unaware of an out-of-tolerance condition that is affecting operations. A supplier delivering poor-quality parts may be driving returns higher throughout a particular month; without the vigilance a dashboard application provides, this may not be known until the end of the month or quarter, when analysts look into the high number of returns. This knowledge gap results in increased costs and lost value to the organization. With Oracle's JD Edwards EnterpriseOne Financial Management and Compliance Console (see the example in Figure 2) you close the finance and compliance knowledge-to-execution gap across your business. The console provides an intuitive interface that delivers individualized views of information, manages exceptions, determines the causes of exceptions, and lets you take appropriate action based on an interactive view of your business.


Figure 2 – Financial Metrics Data Displayed in JD Edwards Financial Management and Compliance Console

The console provides for:

- Ready access to activity ratio, leverage ratio, liquidity ratio and profitability ratio metrics.
- General Accounting metrics to support accounting measurements across your business.
- Accounts Receivable and cash flow analysis.
- Accounts Payable and cash out analysis.
- Broad monitoring of business operations for corporate governance, including system change monitoring, Segregation of Duties monitoring and a whistle-blower facility.


Segregation of Duties Management

The Segregation of Duties (SoD) alert available via the Oracle JD Edwards EnterpriseOne Financial Management and Compliance Console notifies predefined users when a person within the organization has the opportunity to commit fraud within a particular business process. This SoD alert should be used as a quick guide only: the simple model a user can set up within JD Edwards EnterpriseOne does not check action codes, so there is a real possibility of false SoD violations being reported. For more sophisticated analysis and reporting against SoD controls, the Q Software SEC-Qure™ E1SoD tool can be used; it caters for application security, action codes, processing options, severity levels, from and to date ranges, and complex rule definitions. The E1SoD tool is supplied with a pre-built SoD model and is quick to implement with your own rules.

Additional Internal Controls

JD Edwards EnterpriseOne also includes an extensive number of native internal control features that are part of the core JD Edwards EnterpriseOne solution. These native features are listed in Table 6.

Table 6. Native Internal Controls for JD Edwards EnterpriseOne

Workflow
Balanced Posting Requirements
Processing Options
Valid Account Edit
Application Security
Approval Limits
System Constants
Credit Limits
Integrated Postings to G/L
Hierarchical Approval Routing
Budget Expenditure Approval
Posting Approval
Positive Pay
On-Demand Audit Trails
Expense Management
Built-in Balancing Controls
Integrity Reports
Payee Control
Batch Controls
Row and Column Security
Data Privacy
Version Control


ENHANCING ERP SYSTEM COMPLIANCE WITH Q SOFTWARE

If you are planning a new implementation of EnterpriseOne 8.9 or later, or a migration to it from an earlier release of EnterpriseOne or OneWorld, there are fundamental questions you should ask before proceeding:

- What new or enhanced functionality do you plan to use?
- How will this affect your business processes?
- What is the risk to your business of ineffective security?
- How will you align your security to your new business processes?

Some organizations assume that, having set up security in their JD Edwards OneWorld Xe or EnterpriseOne 8.0 implementation, taking that security forward to EnterpriseOne 8.9 or above is straightforward. It does, however, need careful planning. Since OneWorld Xe, JD Edwards has introduced some 800 enhancements, 18 new products and over 200 new programs. Extra functionality has been added to assist with evolving corporate governance legislation and industry-specific requirements. Most users upgrading their JD Edwards OneWorld or EnterpriseOne implementations do so to gain access to this new functionality, and new programs and functionality will affect business processes and security settings.

Upgrading requires additional consideration of how these relate to your business processes, which users need access, and what security authorizations are appropriate. Can you honestly say that your security controls have kept pace with organizational changes to reflect current business processes, company structure and staff responsibilities? Some existing programs will have been modified to accommodate links to these new programs (see Hidden Programs later in this paper), which further affects your security structure. These changes are not well documented, so you cannot be sure what has or has not changed from a security perspective. Upgrading your JD Edwards EnterpriseOne implementation is therefore an excellent opportunity to step back and review and update your security controls. JD Edwards EnterpriseOne 8.9 and above present new features for setting up and maintaining security. The switch from Groups to Roles presents new ways of implementing and maintaining a security model. Menus give way to Solution Explorer task views, which are not associated with security; nonetheless you must make sure that users can see only the task views they need in order to complete their tasks. All of these things have a profound impact on your security structure, implementation and ongoing maintenance.


Issue 1: Security and Compliance

An inherently risky strategy is to maintain an "All Doors Open" policy within your JD Edwards EnterpriseOne installation.

The best security approach is to adopt an "All Doors Closed" or "Deny All" policy.

Many organizations using JD Edwards EnterpriseOne have maintained an All Doors Open policy. This is inherently risky. For example, a user with access to the Sales Order Entry program has exits to other programs, including the address book. These are called "associated and hidden" programs: they are associated with the program initially executed, but they are not easy for the security officer to identify and include in the security model. Under an open policy such a user has the potential to create phony suppliers and start a process to commit fraud. The only secure approach is an "All Doors Closed" or "Deny All" policy. Not only is this more secure, it also makes it easier to map roles to your business processes and simplifies auditing. Locking everything down in JD Edwards EnterpriseOne is easy. The hard part of securing JD Edwards EnterpriseOne is working out which applications are reachable outside the normal menu travel. Users often assume that securing access to the common programs is enough, yet most are aware of the problems caused by the multiple exit points and calls to what are termed "hidden programs". Typical JD Edwards EnterpriseOne users also need help with segregation of duties management and reporting; with simplifying the use of multiple roles while retaining the flexibility they provide; and with reducing security management effort and security audit reporting.

Figure 3 - Hidden Programs Example



Associated and Hidden Programs – There are about 15 exit programs in each major JD Edwards EnterpriseOne application (see the example in Figure 3). Some have over 40 exits to programs which in turn have exits of their own. Locking a system down securely can therefore leave users unable to run important applications, since there is no easy way within JD Edwards EnterpriseOne to identify the areas of concern. Q Software provides a method to identify associated and hidden programs and then lets you include them easily in your security model.
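The hidden-program problem is a reachability question over the exit graph, which makes it easy to check mechanically. The following added example is not Q Software's tool and not the real EnterpriseOne exit catalogue: it builds a constructed exit graph with placeholder program names and lists every program a role can reach that its grants never mention. Under all doors open those programs are silently accessible; under deny all they are silently blocked; either way they have to be named in the security model. The path finder explains each finding as an exit chain an auditor can follow.

```python
from collections import deque

# Constructed exit graph for illustration; the program names are placeholders,
# not real JD Edwards object IDs. Each key is a program, each value the set of
# programs a user can reach from it through row or form exits.
EXITS = {
    "SalesOrderEntry":      {"AddressBookRevisions", "ItemMaster", "CustomerLedger"},
    "AddressBookRevisions": {"SupplierMaster", "WhosWho"},
    "SupplierMaster":       {"BankAccountRevisions"},
    "ItemMaster":           {"ItemAvailability"},
    "CustomerLedger":       set(),
    "WhosWho":              set(),
    "BankAccountRevisions": set(),
    "ItemAvailability":     set(),
}


def reachable(entry, exits):
    """Every program reachable from `entry` through any chain of exits."""
    seen = {entry}
    queue = deque([entry])
    while queue:
        current = queue.popleft()
        for nxt in exits.get(current, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def hidden_programs(granted, exits):
    """Programs reachable from a role's granted programs but not granted
    themselves. These are the entries the security model is missing."""
    reach = set()
    for prog in granted:
        reach |= reachable(prog, exits)
    return sorted(reach - set(granted))


def exit_paths(entry, target, exits, path=None):
    """All exit chains from entry to target; the evidence behind a finding."""
    path = (path or []) + [entry]
    if entry == target:
        return [path]
    found = []
    for nxt in sorted(exits.get(entry, ())):
        if nxt not in path:                      # no cycles
            found.extend(exit_paths(nxt, target, exits, path))
    return found


# Constructed role: a sales clerk granted only the two programs on their menu.
SALES_CLERK_GRANTS = ["SalesOrderEntry", "CustomerLedger"]

if __name__ == "__main__":
    print("hidden programs:", hidden_programs(SALES_CLERK_GRANTS, EXITS))
    print("how the clerk reaches bank accounts:",
          exit_paths("SalesOrderEntry", "BankAccountRevisions", EXITS))
```

Run against a real export of exit definitions, the output of hidden_programs is the list to walk with the business owner of each role: each entry is either a legitimate need (grant it explicitly) or the kind of exposure the text describes, a sales clerk three clicks from supplier bank details.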

Security Configuration – Q Software provides JD Edwards EnterpriseOne users with three alternatives for rapid security configuration:

1) Capture security from a previous version of JD Edwards EnterpriseOne – To create security in release 8.12 based on your Xe security model:
   a) Identify the roles you have defined in JD Edwards EnterpriseOne. Any duplicates can be discarded or ignored.
   b) Import the JD Edwards EnterpriseOne roles into Q Software and break them down into re-usable components.
   c) Assign them to job functions within Q Software. Because each function has been broken down into its task components, these can be re-used when defining other roles, with the same time savings as when security is set up from scratch.

2) Create a security model from Solution Explorer – The second option is to create an entire security model based on the Solution Explorer tasks pre-defined in JD Edwards EnterpriseOne. Obviously there will be a lot of customization, but these initial tasks can form the basis of a new security model. There is no link between Solution Explorer tasks and the security for those tasks, and much duplicated effort is required to define that security. Q Software, however, lets a security officer capture all of the Solution Explorer task views, either by breaking them down into lower-level tasks or by capturing them whole; the choice is a matter of preference. The captured components are then customized by adding the relevant action code security and so on to form a complete security template. There is even an option in Q Software to capture all Solution Explorer task views and generate all the appropriate security settings automatically in a single operation. To implement the 'deny all' strategy, additional settings may need to be included from the components library. All of these components can be sequenced by order of power, and segregation of duties rules created. The components and job functions are linked to one role per user, forming the new security strategy. The *PUBLIC settings for application and action code security should now be set to N, meaning that the all doors closed strategy is implemented. Provided all of the necessary security has been attributed to the roles, users should have no problems carrying out their daily tasks. Finally, reports can be created to show the relationship between each role and the security it has specifically been granted.

3) Start fresh using re-usable components – With Q Software you structure your security by creating jobs or roles and then building the relevant security for each job. It is then a simple matter to link a group or user ID and populate the JD Edwards EnterpriseOne security tables with the relevant settings. Duplication is eliminated, and any change automatically updates the end-user settings. Q Software supplies a library of some 500 re-usable task-level components; you can use these pre-configured components, create your own, or modify those supplied. Each task includes all the programs and security necessary to perform it, such as "Update Address Book". The existing security can now be combined with the components library to create a security model ready to go all doors closed. As in option 2, the components and job functions are linked to one role per user and the *PUBLIC settings for application and action code security are set to N, so that the all doors closed strategy is implemented; provided all of the necessary security has been attributed to the roles, users should have no problems carrying out their daily tasks. Finally, reports can be created to show the relationship between each user/role combination and the access specifically granted.


Issue 2: Roles Management and Compliance

Multiple roles capabilities within JD Edwards EnterpriseOne provide system flexibility but can create security challenges if not properly managed.

JD Edwards EnterpriseOne added multiple roles in release 8.9 (see the example in Figure 4). Implementing multiple roles can create challenges for companies that decide to use this flexible capability. The most obvious benefit of the switch from groups to roles was the reduced effort of implementing security: a pre-defined set of roles can be allocated to as many users as required, instead of each user belonging to a single group profile as before. However, several issues remain that make security hard to set up, maintain and audit, and these have been resolved by Q Software.

Figure 4 – Roles Example



Role Selector – The Role Selector enables a user to be assigned to several roles and to select the role they wish to play. It requires security to be set up so that it corresponds to each role in Solution Explorer. If this feature is used there is considerable repetition in the security table, particularly for commonly used programs and for row security. The companies that really suffer are those with identical roles in multiple branches or plants, where all the security records are the same apart from the row security.

Sequence Manager – This is a key problem for implementing multiple roles, since the sequence manager controls the level of security allocated to a role. As part of any setup of multiple roles, Sequence Manager must be used to sequence the 'power' of the roles. As expected, the more powerful the role, the more programs a user can access and the more kinds of update a user can make to records; the less powerful the role, the less a user can do. This becomes complicated when there are many hundreds, possibly thousands, of roles to define. The whole process can quickly spiral out of control as roles are added to or removed from the sequence, making it extremely difficult to keep a consistent hierarchy of 'power'. This makes the use of multiple roles very difficult, as there is no conflict resolution, and it leaves the security officer to work out which security setting takes precedence. The resulting segregation of duties problems can be serious. Q Software recommends that you create single roles that combine the requirements of the multiple roles. The alternative is to plan the role hierarchy very carefully in order to avoid the problems with sequence manager; any use of multiple roles means that later changes to the security policy must be approached with great care. To assist, Q Software alerts you to potential sequence manager security issues so that you can take appropriate action.

The Auditor – An auditor may assume that whichever of a user's roles carries the highest security for a particular task is the security in force. Because the sequence manager determines the security hierarchy, the actual security applied, and the action codes available, may not be what the security officer or user expected or what the auditor assumed. This can make auditing unnecessarily complex. Adopting the recommended approach to the sequence manager issues simplifies auditing.
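Added example (not EnterpriseOne's own resolution logic, and not Q Software code): a small model of how a user's effective access on an object depends on the sequence of their roles rather than on the union of what those roles grant, which is the reading of "highest security" an auditor working from role lists tends to apply. The precedence rule modelled, "the highest-sequence role that holds a record for the object wins, otherwise the *PUBLIC record", is an assumption made for illustration; confirm the rule your release applies before relying on it. Roles, objects, records and users are constructed.

```python
from dataclasses import dataclass

# Constructed model, not the EnterpriseOne security tables. A record says which
# actions a role (or *PUBLIC) may perform on an object. Precedence between a
# user's roles is modelled as "highest sequence number wins" (an assumption
# for this example, not a statement about any particular release).
ACTIONS = ("add", "change", "delete")


@dataclass(frozen=True)
class SecurityRecord:
    role: str
    obj: str
    allowed: frozenset          # actions this record permits


RECORDS = [
    SecurityRecord("*PUBLIC", "VoucherEntry", frozenset()),                    # deny all
    SecurityRecord("AP_CLERK", "VoucherEntry", frozenset({"add", "change"})),
    SecurityRecord("AP_MANAGER", "VoucherEntry", frozenset({"add", "change", "delete"})),
    SecurityRecord("AP_READONLY", "VoucherEntry", frozenset()),
    SecurityRecord("AP_CLERK", "SupplierMaster", frozenset({"change"})),
]

# user -> [(role, sequence number)]; constructed assignments
ASSIGNMENTS = {
    "alice": [("AP_MANAGER", 10), ("AP_READONLY", 50)],
    "bob":   [("AP_CLERK", 10)],
}


def _records_for(obj):
    return {r.role: r for r in RECORDS if r.obj == obj}


def effective_access(user, obj, public_default_open=False):
    """Actions the user really gets: the highest-sequence role holding a
    record for obj decides; with no role record, *PUBLIC decides; with no
    *PUBLIC record either, the installation-wide default applies."""
    by_role = _records_for(obj)
    roles = sorted(ASSIGNMENTS.get(user, []), key=lambda rs: rs[1], reverse=True)
    for role, _seq in roles:
        if role in by_role:
            return set(by_role[role].allowed)
    if "*PUBLIC" in by_role:
        return set(by_role["*PUBLIC"].allowed)
    return set(ACTIONS) if public_default_open else set()


def assumed_access(user, obj):
    """What a reviewer reading the role list tends to assume: the union of
    everything any assigned role grants on obj."""
    by_role = _records_for(obj)
    granted = set()
    for role, _seq in ASSIGNMENTS.get(user, []):
        if role in by_role:
            granted |= by_role[role].allowed
    return granted


def sequence_conflicts(user, obj):
    """Roles of this user whose records on obj disagree. Empty means the
    sequence number does not matter for this object."""
    by_role = _records_for(obj)
    held = [by_role[r] for r, _ in ASSIGNMENTS.get(user, []) if r in by_role]
    if len({r.allowed for r in held}) > 1:
        return sorted(r.role for r in held)
    return []


if __name__ == "__main__":
    for user in ASSIGNMENTS:
        print(user, "VoucherEntry",
              "effective:", sorted(effective_access(user, "VoucherEntry")),
              "assumed:", sorted(assumed_access(user, "VoucherEntry")),
              "conflicts:", sequence_conflicts(user, "VoucherEntry"))
    # No role record and no *PUBLIC record: the default policy decides.
    print("alice SupplierMaster, deny all:", effective_access("alice", "SupplierMaster"))
    print("alice SupplierMaster, all doors open:",
          sorted(effective_access("alice", "SupplierMaster", public_default_open=True)))
```

For alice the two views disagree completely: the role list suggests a full AP manager, but the later-sequenced read-only role is the one that holds the record, so she cannot even add a voucher. The sequence_conflicts check is the thing to run over every user/object pair before an audit; wherever it returns a non-empty list, the auditor's assumption and the actual behaviour can differ, which is exactly the case the text warns about.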



Segregation of Duties – Q Software provides comprehensive segregation of duties capabilities that let you build your SoD rules inside JD Edwards EnterpriseOne.

Q Software's SEC-Qure™ E1SoD is a segregation of duties analysis and reporting tool that lets the user easily set up a series of SoD rules based on your business processes and requirements. The user can define segregation rules for objects (programs), business processes or user roles, then analyze and report on all violations against these rules. Each rule includes:

- Specific security authorization for Application Security, Action Code Security and Processing Options
- Reason for the rule
- Remediation provisions
- Severity level for each rule
- 'From' and 'to' date ranges for which the rule is in effect

Q Software even provides a model based on input from leading audit firms and Security Officers to get you started. Q Software's security configuration and management tool, SEC-Qure™ E1Config, has its own less sophisticated SoD rules capability that monitors the power of the components linked to a role and highlights any conflicts. It also contains a segregation of duties monitor which helps the user manage segregation at the component or object level, for example SoD issues that arise when two conflicting tasks are linked together in a role, and it checks for SoD conflicts across the multiple roles that may be assigned to a user. Rules are set up to specify which components or objects should not be allocated together to a user and role combination. If these rules are breached, Q Software highlights them and lets a security officer or administrator decide whether the breach should stand. As with the conflict manager, if security is built with a SoD violation, Q Software leaves a permanent reminder that the problem exists. Anyone who needs to check segregation of duties, or conflicts, can then use the conflict manager function to establish all of the segregation of duties issues that currently exist in the application. An auditor could at that point run through all of the violations and advise on the best method of resolving them, or sign them off if satisfied that the necessary mitigating or compensating steps have been taken to document and control these issues.
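Added example (not SEC-Qure™ E1SoD or E1Config code): the rule evaluation described above, run over already-resolved per-user authorizations, with action codes, severity, effective dates and a waiver list for violations an auditor has signed off against a compensating control. Running the same rules with check_actions=False reproduces the object-only check that the console's simple model performs and shows the false positive it produces. Users, objects, action codes, rules, dates and the waiver are all constructed.

```python
from dataclasses import dataclass
from datetime import date

# Constructed model, not Q Software's engine. Authorizations are already
# resolved per user (object -> action codes actually held); action codes are
# spelled out as "add", "change", "delete", "inquire" for readability.
@dataclass(frozen=True)
class SoDRule:
    name: str
    left: tuple             # (object, frozenset of actions that conflict)
    right: tuple
    severity: str
    reason: str
    remediation: str
    effective_from: date
    effective_to: date = date.max


RULES = [
    SoDRule("create-supplier-and-pay",
            ("SupplierMaster", frozenset({"add", "change"})),
            ("PaymentProcessing", frozenset({"add"})),
            "high",
            "whoever can create or redirect a supplier must not also release payments",
            "move payment release to a separate role",
            date(2008, 1, 1)),
    SoDRule("enter-and-approve-po",
            ("PurchaseOrderEntry", frozenset({"add"})),
            ("PurchaseOrderApproval", frozenset({"change"})),
            "high",
            "a requisitioner must not approve their own order",
            "assign approval to a separate role",
            date(2008, 1, 1), date(2008, 6, 30)),      # rule retired mid-year
]

USERS = {   # constructed, already-resolved authorizations
    "carol": {"SupplierMaster": {"add", "change"}, "PaymentProcessing": {"inquire"}},
    "dave":  {"SupplierMaster": {"add"}, "PaymentProcessing": {"add", "inquire"}},
    "erin":  {"PurchaseOrderEntry": {"add"}, "PurchaseOrderApproval": {"change"}},
}

# Violations an auditor has signed off against a compensating control. They
# are still reported, marked "permitted", so the reminder never disappears.
WAIVERS = {("dave", "create-supplier-and-pay"): "monthly payment run reviewed by CFO"}

AS_OF = date(2008, 7, 15)      # constructed reporting dates
EARLIER = date(2008, 6, 15)


def _holds(auth, side, check_actions):
    obj, conflicting = side
    held = auth.get(obj, set())
    return bool(held & conflicting) if check_actions else bool(held)


def evaluate(users, rules, as_of, check_actions=True, waivers=None):
    """One finding (user, rule, severity, status) per rule in force on as_of.
    check_actions=False is the object-only check that over-reports."""
    waivers = waivers or {}
    findings = []
    for rule in rules:
        if not rule.effective_from <= as_of <= rule.effective_to:
            continue
        for user, auth in sorted(users.items()):
            if _holds(auth, rule.left, check_actions) and _holds(auth, rule.right, check_actions):
                status = "permitted" if (user, rule.name) in waivers else "violation"
                findings.append((user, rule.name, rule.severity, status))
    return findings


if __name__ == "__main__":
    print("object-only check  :", evaluate(USERS, RULES, AS_OF, check_actions=False))
    print("with action codes  :", evaluate(USERS, RULES, AS_OF, waivers=WAIVERS))
    print("before rule retired:", evaluate(USERS, RULES, EARLIER))
```

Carol is the false positive: she can maintain suppliers but only inquire on payments, so the object-only check flags her while the action-code check does not. Dave is a real conflict that stays on the report as "permitted" with its compensating control, and Erin's finding appears only for dates on which her rule was in force.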

Audit Reporting – Q Software provides an extensive array of reports to demonstrate to your auditor that you have all appropriate controls in place. Reporting is available to show:

- Role access to job functions and tasks
- User role assignments
- Users or roles in breach of segregation of duties policies


Table 7. Extending Compliance Capabilities for JD Edwards EnterpriseOne with Q Software Compliance Requirement

PCI DSS

Sarbanes-Oxley Act

Section 202 Regular testing of controls

    

Section 404 Testify to effectiveness of controls

     

Compliance Requirement: (requirement label on the preceding table page)
  JD Edwards EnterpriseOne Baseline:
  - Continuous monitoring
  - Proactive alerts of system changes
  - Integrated architecture and dashboard tools
  - Central document repository for supporting materials
  - Single version of "truth" between documentation and system processes
  - Attachment security
  - Security reports
  - Selective auditing
  - Address book controls
  - Accounts payable approvals
  - Accounts payment header to detail integrity
  Q Software Extensions:
  - Compliance life cycle
  - Comprehensive security analysis and reporting
  - Integrated segregation of duties controls and reporting
  - Re-usable task level components including pre-defined security
  - Job functions (roles) created from task level components
  - Integrated segregation of duties reporting and management across multiple roles
  - Simple, yet comprehensive analysis and reporting on segregation of duties violations with trends, component constructs, role assignments, user access, security authorities, critical programs access, master data programs access, and hidden programs and associated reports
  - Simplified security management
  - Browser auditing tools usable by authorized departmental managers, internal auditors and external auditors to test and report on security settings independently of the security team

Compliance Requirement: Restrict user access to data on a "need to know" basis
  JD Edwards EnterpriseOne Baseline:
  - Column and row security
  Q Software Extensions:
  - Job functions created from task level components linked to specific data
  - Simple, effective segregation of duties management

Compliance Requirement: Protect stored cardholder information
  JD Edwards EnterpriseOne Baseline:
  - Processing options
  - Workflow
  Q Software Extensions:
  - Job functions created from task level components linked to specific data
  - Simple, effective segregation of duties management
  - Reports to show who has access to which job programs and data

Compliance Requirement: Track and monitor all access to network resources and sensitive data
  JD Edwards EnterpriseOne Baseline:
  - Selective auditing
  - Compliance console
  - Data change tracker
  Q Software Extensions:
  - All security managed via pre-defined security components at a task level
  - Powerful reporting to show which users have access to which roles, tasks, objects and data
  - Audit trail of all "permitted" segregation of duties violations

Compliance Requirement: FDA 21 CFR Part 11
  JD Edwards EnterpriseOne Baseline:
  - Auditing and signatures: data change tracker
  - Enhance lot tracking
  Q Software Extensions:
  - Security managed via pre-configured task level components ensures only the right people have access to the right programs and data
  - Effective segregation of duties management

Effective Governance Risk and Compliance with JD Edwards EnterpriseOne  Page 28

Table 7. Extending Compliance Capabilities for JD Edwards EnterpriseOne with Q Software

Compliance Requirement: COSO Framework, reliability in financial reporting
  JD Edwards EnterpriseOne Baseline:
  - Integration with PeopleSoft EPM, HCM, CRM and SCM applications
  - Continuous monitoring of key financial data
  - Version control
  - Multiple roles
  Q Software Extensions:
  - Simplified security management with segregation of duties management

Compliance Requirement: COSO Framework, effectiveness and efficiency of controls
  JD Edwards EnterpriseOne Baseline:
  - Internal Controls Enforcer (ICE)
  Q Software Extensions:
  - Simplified security configuration from pre-configured, re-usable task components
  - Capture security from earlier versions and remove redundant duplicates
  - Automate security build from Solution Explorer tasks
  - Role selector and sequence manager security resolution
  - Simple browser reporting to test the effectiveness of security controls

Compliance Requirement: COSO Framework, compliance with applicable laws
  JD Edwards EnterpriseOne Baseline:
  - Scheduling and management of compliance activities
  - Country specific support
  Q Software Extensions:
  - Simple, yet powerful browser reporting and segregation of duties analysis to test and prove appropriate controls are in place with full auditability


CONCLUSIONS

JD Edwards EnterpriseOne today offers customers many capabilities to meet legal compliance requirements, not just in the USA but in many other countries. Many out-of-the-box features let organizations meet Sarbanes-Oxley and other laws. However, there are situations in which additional compliance capabilities are needed. Complementary software from Q Software extends and enhances the capabilities of JD Edwards EnterpriseOne, offering an easier approach and a more effective security implementation that can:

- Enable enhanced reporting and management of segregation of duties policies;

- Simplify security configuration and on-going maintenance;

- Simplify compliance reporting and auditing;

- Reduce the overall cost of compliance by approximately 80 percent.

These capabilities of JD Edwards EnterpriseOne with Q Software are summarized in Table 7.

ABOUT Q SOFTWARE

"We evaluated the Q Software security solutions and believe they can help JD Edwards EnterpriseOne customers address security and compliance initiatives"

- Gary Grieshaber, Senior Director, JD Edwards EnterpriseOne Tools and Technology Product Strategy, April 4, 2007

Q Software's family of products has evolved over ten years. Q Software SEC-Qure E1Config is the result of detailed analysis of JD Edwards EnterpriseOne, experience working on the security compliance needs of JD Edwards EnterpriseOne customers, and specific requests from customers to enhance JD Edwards' products. Q Software is Oracle's only certified partner providing security compliance solutions for JD Edwards EnterpriseOne.

Q Software's SEC-Qure E1Config is a second generation security compliance solution for JD Edwards EnterpriseOne, which is installed into EnterpriseOne and has the same look and feel. JD Edwards EnterpriseOne customers use Q Software to reduce overall security compliance costs by about 80 percent while enhancing security and segregation of duties controls. Table 8 lists several JD Edwards EnterpriseOne customers and comments regarding Q Software (please note that these are not verified by Oracle). Q Software's SEC-Qure E1SoD is a segregation of duties rules management, analysis and reporting tool, which again is installed into EnterpriseOne. SEC-Qure ComplianceManager is a browser based analysis and reporting tool that uses the E1SoD segregation of duties rules models to provide authorized departmental managers, internal auditors and external auditors with testing and audit reporting capability independent from the security team.

Q Software Global Limited is Oracle's only certified partner focusing on security for JD Edwards World and JD Edwards EnterpriseOne. It is also an Oracle Enterprise Security and GRC global partner. Since 1996 Q Software has developed and implemented security solutions for JD Edwards' customers across the globe. Contact Q Software at:

Q Software Global Limited
Ranmore Manor, Ranmore Common
Dorking, Surrey RH5 6SX
United Kingdom
Telephone: +44 (0) 1483 280 400
Fax: +44 (0) 1483 280 401
Email: [email protected]
Web: www.qsoftware.com


Table 8. JD Edwards EnterpriseOne Customer Experiences with Q Software

IDEX Corporation
  "The time savings are HUGE. I can't even imagine how long it would take to set up the groups without Q Software."

Yum! Brands Inc.
  "I believe it would be almost impossible to implement an 'all doors shut' security model under EnterpriseOne without Q Software."

Meridian Gold Inc.
  "Q Software provides an easy way to configure security in EnterpriseOne. Security was very time consuming using the standard JD Edwards EnterpriseOne Security Workbench. Once we had built a library of standard components, Q Software made configuring the different types of security quicker."

Nottingham City Council
  "Previously it took at least four hours to set up new groups, but with Q Software that time has been reduced to about 15 minutes."

Plexus
  "Using Q Software has saved us at least 1600 man hours of entering security manually for the initial 500 users we have set up so far."

States of Jersey
  "It was estimated that the software would achieve as much as a 50 percent reduction in the workload of maintaining security." ... "Without Q Software, it would be extremely difficult to achieve the tight security that we need."

20:20 Logistics
  Using Q Software, the security tasks for the first implementation phase took four weeks, around an 85% reduction on the original estimate of six months without Q Software.

Gallatin Steel
  "We have saved about 10 hours work for each of the eight security groups that were set up."

Balance Agri-Nutrients
  "Without Q Software, we would not have been able to go live with a suitably closed security model in the first rollout."

BE&K
  "We realized our EnterpriseOne security would be virtually impossible without Q Software."

Canadian Natural Resources
  "Integrity of our land data is crucial to our business. Q Software helps to protect that data from unauthorized access, so is key to our business success."


ACRONYMS AND ABBREVIATIONS

COSO: Committee of Sponsoring Organizations of the Treadway Commission

DSS: Data Security Standards

FDA: Food and Drug Administration (USA agency)

GLB Act: Gramm-Leach-Bliley Act of 1999, also known as The Financial Modernization Act of 1999 (USA law)

HIPAA: Health Insurance Portability and Accountability Act (USA law)

ICE: PeopleSoft Internal Controls Enforcer

KPI: Key Performance Indicator

PCI: Payment Card Industry

SEC: Securities and Exchange Commission (USA agency)

SOD: Segregation of Duties

SOX: Sarbanes-Oxley Act (USA public law)

UBE: Universal Batch Engine

ACKNOWLEDGEMENTS

Extensive suggestions and review comments for this white paper were graciously provided by:

- Roger Harris of JD Edwards EnterpriseOne reseller and services partner MSS Technologies, and President of the Colorado Chapter of APICS, who added extensive information about supply chain management and compliance;

- Keith Sholes from the JD Edwards EnterpriseOne product management staff, who did a comprehensive review of JD Edwards EnterpriseOne release features and functionality.


Effective Governance Risk and Compliance with JD Edwards EnterpriseOne
White Paper E1WP-1016
First issue April 2007; July 2008 (Revision B.2)
Authors: Mike Lutito (Oracle) and David Hunt (Q Software); Editor: Rudy Lukez (Oracle)

Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.

Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com

Copyright © 2008, Oracle. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.

Oracle, JD Edwards, PeopleSoft, and Retek are registered trademarks of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. Q Software, SEC-Qure, E1SoD, and E1Config are registered trademarks of Q Software Global Limited. This document is for informational purposes only and may not be incorporated into a contract or agreement.