SOX Compliance in SAP

Hi all,
We are about to do a project for a US-based company, for which they are asking about SOX compliance in SAP.
Can anyone tell me what we have to do in SAP R/3 in order to meet SOX compliance as per US regulations?
Regs,
Ramesh B

Hi Ramesh,
You have to maintain proper Basis authorization, preferably with workflow, and set up a process for any functional or technical changes in the production system, i.e. a form for change requests, incident requests for authorization, no direct access to tables in the production client, authorization group assignment for custom programs for dual validation, and a monthly window for production transports or emergency transports.
Regards,
Santosh
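As an added illustration (not code from this thread or from SAP), the following script turns the production-client controls Santosh lists into an automated access review over constructed sample data: direct table access in production outside an approved emergency window, one user holding both development and transport-release transactions, and custom programs without an authorization group. The users, transaction sets and program names are assumptions for the example; real SAP authorization checks go through objects such as S_TCODE and S_TABU_DIS, which the example simplifies to sets of transaction codes.

```python
# Added illustration, not code from the thread: a small access review for the
# production-client controls Santosh lists. Users, tcodes and program names are
# constructed sample data; real SAP checks authorization objects (S_TCODE,
# S_TABU_DIS), which this example simplifies to sets of transaction codes.
from dataclasses import dataclass, field

# Transactions giving direct table display/maintenance in the production client.
DIRECT_TABLE_TCODES = {"SE16", "SE16N", "SM30", "SM31"}
# Development versus transport-release transactions; one user holding both
# defeats the dual validation the reply asks for.
DEVELOP_TCODES = {"SE38", "SE80", "SE11"}
RELEASE_TCODES = {"SE09", "SE10", "STMS"}

@dataclass
class User:
    name: str
    client: str                        # SAP client number, e.g. "100"
    tcodes: set = field(default_factory=set)
    emergency: bool = False            # approved, time-boxed emergency access

def review_users(users, prod_client="100"):
    """Return (user, finding, tcodes) tuples for users in the production client."""
    findings = []
    for u in users:
        if u.client != prod_client:
            continue                   # other clients are out of scope here
        direct = u.tcodes & DIRECT_TABLE_TCODES
        if direct and not u.emergency:
            findings.append((u.name, "direct-table-access", sorted(direct)))
        dev, rel = u.tcodes & DEVELOP_TCODES, u.tcodes & RELEASE_TCODES
        if dev and rel:
            findings.append((u.name, "develop-and-release", sorted(dev | rel)))
    return findings

def review_programs(programs):
    """Flag custom (Z*/Y*) programs that have no authorization group assigned."""
    return sorted(name for name, group in programs.items()
                  if name[:1] in "ZY" and not group)

# Constructed sample data for a production client "100".
SAMPLE_USERS = [
    User("ALICE", "100", {"SE16", "FB01"}),
    User("BOB", "100", {"SE38", "SE09"}),
    User("CAROL", "100", {"SM30"}, emergency=True),
    User("DAVE", "200", {"SE16"}),
]
SAMPLE_PROGRAMS = {"ZFI_POST": "", "ZHR_REPORT": "ZHR", "RSUSR002": ""}
```

Running `review_users(SAMPLE_USERS)` reports ALICE for direct table access and BOB for holding both development and release rights, while CAROL's approved emergency access and DAVE's development-client access produce no finding.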

Similar Messages

  • SOX report in SAP

    Hi all,
    We recently started implementing SAP, and we have now started meetings to talk about SOX.
    I was wondering if there are any standard SAP reports to check users and authorizations for SOX compliance?
    We do have a customized report on an old landscape, but that will not be recreated for the time being...
    Many thanks,
    Pedro

    Hi All,
    Can someone provide me details on the following regarding SoD:
    1) Do we have auditor checklists for SOX?
    2) Any project plan with tasks to achieve compliance?
    3) Any other project assets such as templates, rule matrix etc.?
    4) What does standard R/3 provide to aid SOX compliance? A list of tcodes?
    5) Future trends in this area?
    Thanks,
    Deep.

  • Security solution with Identity server for SOX compliance

    Hi all,
    Has anybody used Identity Server as a security solution to achieve SOX compliance? I want to know the general views, opinions and experiences of people who have implemented such a solution.
    Just a little background on SOX: it was created by the US Congress in the wake of corporate scandals like Enron in 2001 and 2002. It is an attempt to tighten controls over corporate financial reporting and transparency.
    I am basically interested in implementing security solutions using Identity Server for SOX compliance. Section 404 of this act deals with internal controls, which essentially requires organizations to provide the following facilities:
    1. User identification, authorization and access
    2. User control of user accounts
    3. Central identification and access rights/permissions management
    4. Violation and security activity reports
    Has anybody developed such a solution? What are your general experiences, problems, issues etc.? Please share your views....

    Just too quick to draw a conclusion: see the FAQ below.
    If you are not in the same AS container, let me know. Jerry
    Copied from the J2EE agent FAQ:
    Question - Is it possible to install a J2EE 2.1 agent and Identity Server on the same instance of the application server?
    Installing the IS60SP1/IS61 server and the J2EE 2.1 policy agent on the same instance of the application server is not a supported configuration. We do support the 2.1 J2EE agent and IS installed on different instances of the application server. So, users can install the J2EE 2.1 agent on one instance of the application server and install IS on a different instance of the application server.

  • SOX Compliance in HFM- Best Practice

    Hi guys,
    Is there any "best practice" for SOX compliance in HFM? Can you do it by using Shared Services? Should I work with the .SEC file?
    Have you ever been required to do so? I was asked to do so, but since it's not my field, I'm kind of lost...
    Any advice would be greatly appreciated.
    Thanks!
    Jay

    SOX covers a number of topics. Ask for the request list from the SOX auditors, and then go through each item and determine where in the system is the best source.
    The .sec file is likely not going to work. There is a provisioning report that is more helpful for user access.

  • MSS and SoX compliance

    Hi,
    When I use Manager Self-Service to display and modify financial data over the Enterprise Portal in an intranet environment, does the connection between the portal and the desktop have to be encrypted (SSL/HTTPS) to be SOX compliant?
    br,
    Tobias

    Hi,
    Well, to sum it up:
    1. It's up to the auditor. He decides whether my control framework is accurate or not. Worst case: I choose a bad auditor and the SOX compliance won't stand up in court.
    2. What data integrity and confidentiality mean is up to the data/process. As all of you are stating:
    "data being entered is accurate" [Simon]
    "SOx does bother about whether appropriate controls have been defined and are operating effectively" [Vinay]
    "The availability, integrity and confidentiality rules will be very much applicable to your context" [Ramesh]
    The usage of SSL/encryption depends on the process and on the environment. If the process/data is highly critical, I need all the mechanisms/security necessary to ensure data integrity and confidentiality. These parameters differ between external and internal access and depend on what is already implemented in the organization (SSO, Kerberos, backend system, etc.).
    3. To ensure points 1+2 I can choose from various frameworks. If the framework I selected (e.g. COBIT, PO2.3 & DS5) and my implementation of this framework mandate security, I have to implement SSL.
    Are there any best practices for the various possibilities available? Like:
    1. If the application is available externally, verify at least: firewall, provide SSL, etc.
    2. If the application is available only internally, verify that I&AM is compliant with ISO X, etc.?
    br,
    Tobias

  • SOX compliance

    My requirement is:
    SOX compliance will require that there is a record of the date and time of when an object is changed.
    There have been some reports that the record of date and time on some objects is changed even when the object is merely used and not really modified. I need to know more about it. Please list any issues or recommendations.
    How do I check this feature?

    coldfire,
    Let's start off with some questions.
    1) Define 'object'
    2) "There has been some report" - from whom?
    3) "some objects are changed, even when the object is used, and not really modified." - define 'changed'.
    4) Can you provide an example of this on apex.oracle.com?
    Joel

  • Oracle SOX patches for SAP platform

    Oracle has released many SOX patches to implement.
    We would like to know whether these patches can be installed for Oracle databases in SAP.
    SAP has given note 1137346 for 10.2.0.4 with all other patches but has not outlined the SOX patches.
    Can anyone clarify?

    I'd open an OSS call.
    Those Oracle patches may conflict with SAP patches.
    Markus

  • SOX Compliance for Oracle Retail

    Is Oracle Retail SOX (Sarbanes-Oxley) compliant? Under what conditions of implementation will Oracle Retail (primarily RMS) be SOX compliant?

    Great question. Curious to learn the answer.

  • Wireless Guest SOX compliance

    Hello,
    A customer has stated that they need to be "SOX compliant" and I need to confirm whether, for that compliance, a dedicated guest anchor WLC is required. I can't find any Cisco reference to it other than "Secure Guest Access", which is the traditional Foreign-Anchor WLC architecture.
    thanks in advance for any comments

    Hi,
    Below Cisco AP with
    software version : 5.2.157.0 , 5.2.178.5
    Cisco Aironet Lightweight AP1131, AP1142, AP1242, AP1252, AP1522 Wireless LAN Access Points

  • Training Compliance in SAP-HR

    hello Gurus,
    Can you please let me know how to get the Training Compliance Report in the SAP HR Training module.
    Also please let me know what the transaction code is to get the total training imparted list.
    Please let me know the transaction codes.
    Regards
    AM.

    Check:
    PSVT, PSVR, PSV3 tcodes might be useful.
    Edited by: Sikindar on Jan 6, 2009 12:31 PM

  • Oracle EBS and SOX compliance

    Hello,
    I am new to Oracle EBS.
    I would like to know what the features of Oracle EBS are for complying with SOX (access to data and programs, change control, operations).
    Thanks in advance

    Have a look at the following notes/links, it may be helpful:
    [Note: 406401.1 - R12 Responsibilities And Roles Based On Business Flows|https://metalink2.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=406401.1]
    [The SOX Effect On Oracle Apps Technical Development |http://apps2fusion.com/at/pb/264-the-sox-effect-on-oracle-apps-technical-development]
    [DBA Guide to Understanding Sarbanes-Oxley (SOX) |http://www.integrigy.com/security-resources/whitepapers/DBA-Guide-to-Understanding-Sarbanes-Oxley.pdf/view]
    [Sarbanes-Oxley (SOX)—Impact on Security In Software|http://www.developer.com/security/article.php/3320861]
    [Applications Releases 11i and 12|http://www.oracle.com/technology/documentation/applications.html]

  • Sox compliance and BPC

    Hi Gurus
    In our project a user is doing the admin job of BPC as well. He is the sole user. Now the auditor has objected to him maintaining the server and being a user at the same time. I am giving production support to BPC. Now I am supposed to make a SOX document and make a list of tasks which he should not do. Security/access is being maintained by me. Can someone give me some ideas or direction on this issue please?
    Thanks
    Satya

    It is very specific to client so withdrawing.

  • Product enhancement for SOX compliance to allow multiple email addresses

    Currently SBO version 8.8 only allows a single email address for each contact to synchronize with Outlook.
    Contacts routinely have multiple email addresses, which should all be enabled to synchronize with Outlook. By limiting to a single address in the contact record, the activities in the contact records will be missing critical history which may be required for legal requirements under Sarbanes-Oxley and other legal reporting requirements for document retention.
    Section 302 of the Sarbanes-Oxley Act requires the CEO and CFO of a public company to personally certify and attest to the accuracy of their company's financial statements contained in periodic reports. Section 404 requires auditors to certify the underlying controls and processes that companies use to reach financial results. Both sections require proof that a company's reported financial information can be relied on, and require companies to invest in procedures that ensure information is recorded and managed in a trustworthy manner, including email. As an organization's dependence on electronic mail continues to grow, the mismanagement of email provides a growing target for litigators and regulators. Companies must ensure that records in digital form are managed with the same care and attention as records in paper form.
    Business records must be protected at all times from unauthorized tampering and deletion, more so when a company is involved in audits, investigations, litigation or other formal proceedings. It is therefore of primary importance to copy and archive data before a user has a chance to manipulate it or delete it. Companies must ensure that directors, management and accounting personnel in particular are informed of their obligation to preserve business records.

    You are correct; the only way to be able to send to multiple addresses for the same person in a group is to create one card per email address, with a code for the name as in John Doe1, John Doe2, or to play with the prefix, suffix or middle name fields to differentiate each card. To date there is no other way around this issue.
    Hope this helps.

  • Sox compliance in Oracle HRMS

    Hi,
    I am looking for standard policies to follow while implementing Oracle HRMS, such as:
    System architecture and processes to identify issues.
    Integration process. What kind of data encryption is used while in transit?...
    Security gaps
    Sensitive data leaks
    Non-secure/improper access
    Non-secure/improper files
    Potential holes in the database, OS and application layers.
    If you have any ideas/suggestions, please kindly let me know.
    Thanks in advance.
    Hieu

    You can explore GRC 8.6.4 to meet some of your requirements:
    1. GRCM for documenting and testing the process, risks and controls
    2. AACG for access monitoring and prevention etc.
    Thanks

  • SAP NW BPM and NW CE in heterogeneous system landscape and SOX

    Hi,
    Does anybody have experience with the implementation of SAP NW BPM in a heterogeneous system environment (SAP, non-SAP, legacy) in regard to detailed audit requirements (SOX compliance)? SAP Business Workflow is well established regarding SOX compliance. But what about NW BPM?
    Thanks for your replies in advance.
    Shahram

    Hi Shahram,
    Not sure about the way you are implementing BPM in a SAP/non-SAP scenario, but in BPM you can have detailed reporting and analytics for auditing purposes.
    You can also create your own data source and pass data values from the process.
    Check : [Real-Time Reporting|http://help.sap.com/saphelp_nw72/helpdata/en/a1/bde4657d1f42e3a7c698d16a699635/content.htm]
    -Abhijeet
