RE: MAPICS - SOX - File auditing -- MAPICS-L

Greg,

Many MAPICS shops assign the group authority of "AMAPICS" to their users.
This allows them "backdoor" access to the data files using ODBC, SQL or
AS/400 query, etc.  If you run many query reports, most likely the reports
are assuming that the user requesting the queries to run have AMAPICS group
profile.

This has always been a bad, but low effort, method of allowing back door
access to "power users" etc.  While SOX does not state in anyway that this
activity is no longer "legal", the audit firms are failing all SOX audits
for these practices because they cannot audit "ad-hoc" data access.

I've had to explain this to my corporate executives and they in turn needed
to "sign off" on the practice with the consulting firms.  Thus, we were
certified with the management "exception" noted.

Hope this helps.  SOX is a real pain, mostly caused by the audit firms.

Kevin Fox
kdfox@xxxxxxxxxxxxx

-----Original Message-----
From: mapics-l-bounces@xxxxxxxxxxxx [mailto:mapics-l-bounces@xxxxxxxxxxxx]
On Behalf Of Phil Campa
Sent: Wednesday, April 13, 2005 9:19 AM
To: MAPICS ERP System Discussion
Subject: Re: MAPICS - SOX - File auditing


You can lock the production libraries. This will prevent any back door
access
via ODBC or SQL.
There are DBU utilities that provide an audit trail of any updates.



 

             Greg Wenzloff

             <GWenzloff@beckmfg.

             com>
To 
             Sent by:                    "'mapics-l@xxxxxxxxxxxx'"

             mapics-l-bounces@mi         <mapics-l@xxxxxxxxxxxx>

             drange.com
cc 
 

 
Subject 
             04/13/2005 08:50 AM         MAPICS - SOX - File auditing

 

 

              Please respond to

              MAPICS ERP System

                 Discussion

             <mapics-l@midrange.

                    com>

 

 





I know this topic has been mentioned before but left dangling I think.

We just got the report on our "practice" SOX audit of controls.  The auditor
(Grant Thornton) says we have a missing control because we do not audit the
MAPICS files for unauthorized access (back door access).   They rated our
front door access (MAPICS user security request forms) as effective.

So I'm back here asking do we really have to turn on the auditing function
in OS400 and log changes to key financial files?  Or perhaps set up triggers
to collect a log. Which files?

I know that no where in the SOX law does it say that this is required, but
if the real auditors do not rate us as having effective controls, I'm in hot
water.

Someone on this list said he has passed several SOX audits with only front
end security controls.   What are the current thoughts on this?

Your comments please.

TIA,
Greg




_______________________________________________
This is the MAPICS ERP System Discussion (MAPICS-L) mailing list
To post a message email: MAPICS-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/mapics-l
or email: MAPICS-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/mapics-l.





_______________________________________________
This is the MAPICS ERP System Discussion (MAPICS-L) mailing list
To post a message email: MAPICS-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/mapics-l
or email: MAPICS-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/mapics-l.