SOX Compliance in SAP
Hi all,
We are about to do a project for a US-based company, for which they are asking about SOX compliance in SAP.
Can anyone tell me what we have to do in SAP R/3 in order to meet SOX compliance as per US regulations?
Regards,
Ramesh B
Hi Ramesh,
You have to maintain proper Basis authorization (preferably with workflow) and set up a process for any functional or technical changes in the production system, i.e. a form for change requests, an incident request for authorization, no direct access to tables in the production client, authorization group assignment for custom programs for dual validation, and a monthly window for production transports or emergency transports.
Regards,
Santosh
Similar Messages
-
Hi all,
We recently started implementing SAP and we started now with meetings to
talk about SOX.
I was wondering if there are any standard SAP reports to check users and
authorizations on SOX compliant?
We do have a customized report on an old landscape but that will not be
recreated for the time being...
Many thanks,
Pedro
Hi All,
Can someone provide me details for the following regarding SOD:
1)Do we have Auditor checklists for SOX ?
2) Any project plan with tasks to achieve compliance?
3)Any other project assets such as templates, rule matrix etc.,
4) What does standard R/3 provide to aid SOX compliance - list of tcodes?
5)Future trends in this area ?
Thanks,
Deep. -
Security solution with Identity server for SOX compliance
Hi all,
Has anybody used Identity Server as a security solution to achieve SOX compliance? I want to know the general view, opinions, and experience of people while implementing such a solution.
Just a little background on SOX: it was created by the US Congress in the wake of corporate scandals like Enron in 2001 and 2002. It is an attempt to tighten controls over corporate financial reporting and transparency.
I am basically interested in implementing security solutions using Identity server for SOX compliance. Section 404 of this act deals with internal controls, which essentially requires organizations to provide following facilities -
1. User Identification, authorization and access
2. User control of user accounts
3. Central identification and access rights/permissions management
4. Violation and security activity report
Has anybody developed such a solution? What are your general experiences, problems, issues etc.? Please share your views....
Just too quick to draw a conclusion: see the FAQ below.
If you are not in the same AS container, let me know. Jerry
Copy from J2EE agent FAQ
Question - Is it possible to install a J2EE 2.1 agent and Identity Server on the same instance of the application server?
Installing the IS60SP1/IS61 server and the J2EE 2.1 policy agent on the same instance of the application server is not a supported configuration. We do support the 2.1 J2EE agent and IS installed on different instances of the application server. So, users can install the J2EE 2.1 agent on one instance of the application server and install IS on a different instance of the apps server. -
SOX Compliance in HFM- Best Practice
Hi guys,
Is there any "best practice" for SOX compliance in HFM? Can you do it by using Shared Services? Should I work with the .SEC file?
Have you ever been required to do so? I was asked to do so, but since it's not my field, I'm kind of lost...
Any advice would be greatly appreciated.
Thanks!
Jay
SOX covers a number of topics. Ask for the request list from the SOX auditors, and then go through each item and determine where in the system is the best source.
The .sec file is likely not going to work. There is a provisioning report that is more helpful for user access. -
Hi,
When I use Manager Self-Service to display and modify financial data over the Enterprise Portal in an intranet environment, does the connection between the portal and the desktop have to be encrypted (SSL/HTTPS) to be SOX compliant?
br,
Tobias
Hi,
Well, to sum it up:
1. It's up to the auditor. He decides whether my control framework is accurate or not. Worst case: I choose a bad auditor and the SOX compliance won't stand up in court.
2. What data integrity and confidentiality mean is up to the data/process. As all of you are stating:
"data being entered is accurate" [Simon]
"SOx does bother about whether appropriate controls have been defined and are operating effectively" [Vinay]
"The availability,integrity and confidentiality rules will be very much applicable to your context" [Ramesh]
The usage of SSL/encryption depends on the process and on the environment. If the process/data is highly critical, I need all the mechanisms/security necessary to ensure data integrity and confidentiality. These parameters differ between external and internal access and depend on what is already implemented in the organization (SSO, Kerberos, backend system, etc.).
3. To ensure points 1+2 I can choose from various frameworks. If the framework I selected - e.g. COBIT (PO2.3 & DS5) - and my implementation of this framework mandate security, I have to implement SSL.
Are there any best practices for the various possibilities available? Like:
1. If the application is available externally, verify at least: Firewall, provide SSL, etc.
2. If the application is available only internally, verify that I&AM is compliant to ISO X, etc?
br,
Tobias -
My requirement is:
SOX compliance will require that there is a record of the date and time of when an object is changed.
There has been some report that the record of date and time on some objects is changed even when the object is only used and not really modified. I need to know more about it. Please list any issues or recommendations.
How do I check this feature?
coldfire,
Let's start off with some questions.
1) Define 'object'
2) "There has been some report" - from whom?
3) "some objects are changed, even when the object is used, and not really modified." - define 'changed'.
4) Can you provide an example of this on apex.oracle.com?
Joel -
Oracle SOX patches for SAP platform
Oracle has released many SOX patches to implement.
We would like to know whether these patches can be installed for Oracle databases in SAP.
SAP has given note 1137346 for 10.2.0.4 with all other patches but has not outlined the SOX patches.
Can anyone clarify?
I'd open an OSS call.
Those Oracle patches may conflict with SAP patches.
Markus -
SOX Compliance for Oracle Retail
Is Oracle Retail SOX (Sarbanes-Oxley) compliant? Under what conditions of implementation will Oracle Retail (primarily RMS) be SOX compliant?
Great question. Curious to learn the answer.
-
Hello,
A customer has stated that they need to be "SOX compliant" and I need to confirm whether, for that compliance, a dedicated guest anchor WLC is required. I can't find any Cisco reference to it other than "Secure Guest Access", which is the traditional Foreign-Anchor WLC architecture.
Thanks in advance for any comments.
Hi,
Below Cisco AP with
software version : 5.2.157.0 , 5.2.178.5
Cisco Aironet Lightweight AP1131, AP1142, AP1242, AP1252, AP1522 Wireless LAN Access Points -
Hello Gurus,
Can you please let me know how to get the Training Compliance Report in the SAP HR Training Module.
Also please let me know what the transaction code is to see the total training imparted list.
Please let me know the Transaction Codes.
Regards
AM.
Check: PSVT, PSVR, PSV3 tcodes might be useful.
Edited by: Sikindar on Jan 6, 2009 12:31 PM -
Hello,
I am new to Oracle EBS.
I would like to know what the features of Oracle EBS are to comply with SOX (access to data and programs, change control, operations).
Thanks in advance
Have a look at the following notes/links; they may be helpful:
[Note: 406401.1 - R12 Responsibilities And Roles Based On Business Flows|https://metalink2.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=406401.1]
[The SOX Effect On Oracle Apps Technical Development |http://apps2fusion.com/at/pb/264-the-sox-effect-on-oracle-apps-technical-development]
[DBA Guide to Understanding Sarbanes-Oxley (SOX) |http://www.integrigy.com/security-resources/whitepapers/DBA-Guide-to-Understanding-Sarbanes-Oxley.pdf/view]
[Sarbanes-Oxley (SOX)—Impact on Security In Software|http://www.developer.com/security/article.php/3320861]
[Applications Releases 11i and 12|http://www.oracle.com/technology/documentation/applications.html] -
Hi Gurus
In our project a user is doing the admin job of BPC as well. He is the sole user. Now the auditor has objected to him maintaining the server and being a user at the same time. I am giving production support to BPC. Now I am supposed to make a SOX document and make a list of tasks which he should not do. Security/access is being maintained by me. Can someone give me some ideas or direction on this issue please?
Thanks
Satya
It is very specific to the client, so withdrawing.
-
Product enhancement for SOX compliance to allow multiple email addresses
Currently SBO version 8.8 only allows a single email address for each contact to synchronize with Outlook.
Contacts routinely have multiple email addresses, which should all be enabled to synchronize with Outlook. By limiting to a single address in the contact record, the activities in the contact records will be missing critical history which may be required for legal requirements under Sarbanes-Oxley and other legal reporting requirements for document retention.
Section 302 of the Sarbanes-Oxley Act requires the CEO and CFO of a public company to personally certify and attest to the accuracy of their company's financial statements contained in periodic reports. Section 404 requires auditors to certify the underlying controls and processes that companies use to reach financial results. Both sections require proof that a company's reported financial information can be relied on - and require companies to invest in procedures that ensure information is recorded and managed in a trustworthy manner, including email. As an organization's dependence on electronic mail continues to grow, the mismanagement of email provides a growing target for litigators and regulators. Companies must ensure that records in digital form are managed with the same care and attention as records in paper form.
Business records must be protected at all times from unauthorized tampering and deletion, more so when a company is involved in audits, investigations, litigation or other formal proceedings. It is therefore of primary importance to copy and archive data before a user has a chance to manipulate it or delete it. Companies must ensure that directors, management and accounting personnel in particular are informed of their obligation to preserve business records.
You are correct, the only way to be able to send to multiple addresses for the same person in a group is to create one card per email address, with a code for the name as in john doe1, john doe2, or play with the prefix, suffix or middle name fields to differentiate each card. To date there is no other way around this issue.
Hope this helps. -
Hi,
I am looking for standard policies when implementing Oracle HRMS. Such as:
System architecture and processes to identify issues.
Integration process. What kind of data encryption is used while in transit?...
Security Gaps
Sensitive Data Leaks
Non secure/Improper access
Non secure/Improper Files
Potential holes in the Database, OS, Application Layers.
If you have any idea/suggestion, please kindly let me know.
Thanks in advance.
Hieu
You can explore GRC 8.6.4 to meet some of your requirements:
1. GRCM for documenting and testing the process, risks and controls
2. AACG for access monitoring and prevention etc.
Thanks -
SAP NW BPM and NW CE in heterogeneous system landscape and SOX
Hi,
Does anybody have experience with the implementation of SAP NW BPM in a heterogeneous system environment (SAP, non-SAP, legacy) in regards to detailed audit requirements (SOX compliance)? SAP Business Workflow is well established regarding SOX compliance. But what about NW BPM?
Thanks for your replies in advance.
Shahram
Hi Shahram,
Not sure about the way you are implementing BPM in the SAP/non-SAP scenario, but in BPM you can have detailed reporting and analytics for auditing purposes.
You can also create your own data source and pass data values from the process.
Check : [Real-Time Reporting|http://help.sap.com/saphelp_nw72/helpdata/en/a1/bde4657d1f42e3a7c698d16a699635/content.htm]
-Abhijeet