White Paper. Executive guide to SYSPRO Security for auditing assurance and control - PDF

Executive guide to SYSPRO Security

Introduction

Since 2000, two events have demonstrated the need for businesses to have good audit and risk control: the Enron scandal in 2001 and the global financial crisis of The saying that risk is the new black shows how necessary it is for investors, customers and regulators to ask organizations how they ensure adequate control and monitoring of access to business information and authorization over transactions. This is emphasized by new International Financial Reporting Standards (IFRS), an accounting standard which requires that access control and monitoring of transactions are strict enough to ensure trust and integrity of data in a system.

With ERP systems such as SYSPRO becoming the core of business, the issue of ensuring sufficient oversight and control of transactions and operations becomes critical. SYSPRO's governance, risk management and compliance functionality provides organizations with the capability of monitoring and documenting information flows and business transactions to detect and prevent changes that would increase risk and compromise business operations.

The following issues are not covered in the scope of this white paper:
- Physical, infrastructure and system security policies and controls
- Specific governmental and regulatory reporting for different countries

Regardless of the corporate regulatory environment in which a business operates, SYSPRO can provide the necessary controls for segregation of duties, integrity of operations, and auditability to satisfy regulatory requirements.

SYSPRO Security Management

SYSPRO's security management features fall into four dimensions:
1. Access levels
2. Controls
3. Monitoring
4. Auditing

Access Levels

SYSPRO incorporates a number of facilities aimed at preventing unauthorized access and ensuring authentication. Security measures include logins and passwords, access levels for programs and transactions as well as activities and fields.
The various levels at which security can be defined within SYSPRO enable companies to implement internal controls according to their specific business and governance requirements. In SYSPRO these can be implemented at:
- SYSPRO level
- Company level
- Module and program level
- Transaction level
- Activity level
- Field level

SYSPRO level
An operator ID and password is required to access SYSPRO.

Company level
Access to a SYSPRO company can be restricted in a number of ways:
- Creating a company password to limit access to specific companies in the SYSPRO environment
- Preventing further operator logins into the company
- Locking an operator out of the SYSPRO system

Program level
Operators must belong to an operator group and these groups can be configured to prevent unauthorized access to SYSPRO.

Transaction level
Access to certain transactions in SYSPRO can be secured at company, role, operator group and operator level using the Electronic Signatures program.

Activity level
Access to specific activities in SYSPRO can be restricted at operator level and by defining passwords to specific activities.

Field level
Access to specific fields in SYSPRO can be restricted by denying operator access to the editing of fields and viewing of sensitive company data and to locations and other entities (e.g. warehouse, branch, bank, salesperson, etc.).

Controls

Company-wide set-up options enable SYSPRO to be tailored to suit a company's control requirements. Controls include:
- Operators
- Groups
- Roles
- Passwords
- Set-up options
- Power tailoring functionality
- Electronic signatures
- Process modeling
- Workflow

Organizations can enhance the level of accountability, maintain segregation of duties, and enable the traceability of activities.

Operators

The basic control entity in SYSPRO is the operator (user ID). An operator is any person in an organization who requires access to the company data to perform tasks.
Operators are typically configured by system administrators, where a login name is assigned to each individual and access rights are configured according to the function the operator performs within the organization. Operators enable system security to be controlled at an individual level, regulating the type of tasks and activities that individuals can perform, as well as certain field access based on the authority granted to them.

Other features of operator security control include:
- Number of login attempts: This indicates the number of times the operator can incorrectly enter a password before being locked out of the system. You can print a selective list of operators based on whether a failed login setting has been defined.
- Operator locked out: This indicates whether a lock has been set against the operator (e.g. the operator's password has expired, or the operator has left the organization). Operator lock out could be preferable to deleting the operator code because, by deleting an operator code, any SYSPRO program that previously displayed that operator's name will no longer do so.

Groups and subgroups

Within SYSPRO, security groups refer to a collection of operators who have access to the company data. Groups are typically configured by system administrators and access rights are configured according to the function the group performs within the organization (e.g. production, despatch, etc.).

Subgroups enable operators to be assigned to multiple groups. This accommodates the need for certain operators to inherit the program access settings of a number of different groups, without having to configure additional groups. When establishing an operator's level of access to a program, access is denied only if all the groups to which the operator belongs deny access to that program.

Roles

Roles in SYSPRO enable security and user-interface customization to be configured optionally by organizational role within SYSPRO.
Roles provide a simplified means for a system administrator to pre-configure and control the user interfaces, settings, program access, access control and access to activities and fields presented to SYSPRO operators.

By default, a set of roles based on the SYSPRO Business Process Management System are imported to a SYSPRO company. This includes a sample organogram which is a visual representation of roles and hierarchies within the company. The default organogram provides a starting point for a company's role management and can be customized or removed if a different hierarchy of roles needs to be defined.

SYSPRO has an optional setting which, if selected, means that all operators must be assigned to a role. This ensures that whenever a new operator is added or an existing operator is changed, they must be assigned to at least one role. Up to five roles can be assigned to each operator. If more than one is assigned, an operator can switch between these roles as required.

Assigning operators to roles simplifies the process of managing security, because the security settings are defined once against the role, rather than against each individual operator. A company's segregation of duty requirements may necessitate that journals destined for the General Ledger are authorized before they are posted and, by implication, that the role of originator and authorizer must be separated.

Passwords

SYSPRO passwords form an integral part of establishing system security and enable the restriction of unauthorized access to companies, modules, programs and functions. Passwords and password rules can also be configured against operators to improve the integrity of their use in the system. Operators can be compelled to change their passwords at prescribed intervals and rules that must be adhered to when defining passwords can be specified (e.g. a minimum number of characters, forcing combinations of word and numbers and preventing the recycling of operator passwords).
Set-up

During implementation, set-up options must be configured for each SYSPRO module. They enable the company-wide settings to be tailored to suit a company's operational environment and requirements. Settings include:
- Requisition maintenance: How requisitions for purchase orders, stores and capital assets are to be managed and processed
- Stock-take variance: How variances during a stock take are detected and reported
- Numbering: What and how various transaction items (e.g. invoices, sales order, stock codes) are numbered

Power Tailoring

SYSPRO's Power Tailoring provides the capability to personalize and customize the software to meet specific needs. It can be done by operators or administrators using standard SYSPRO functions, or by embedding externally developed programs. Power tailoring, combined with the role-based user access, offers a simplified means for a system administrator to pre-configure and control the user interface that is presented to a SYSPRO operator, and to protect sensitive data from appearing on forms and list views throughout the product.

Electronic signatures

Electronic signatures (e-signatures) enable the securing of transactions by authenticating the operator performing the transaction. This enables the implementation of access control at transaction level rather than only at program level.

Electronic signatures assist in the implementation of the effective segregation of duties. They are commonly used in companies where Sarbanes-Oxley compliance is required because they control access to the processing of specific transactions, as well as provide a trace of who performed each transaction and when. E-signature triggers also enable the timely identification of abnormal events which may potentially point to fraudulent activity. Security access is controlled by the entry of a password before an operator is allowed to proceed with a transaction.
Business Processes

By default, transactions relating to all business processes can be processed to a General Ledger account. You can, however, restrict the business processes that are permitted to post to a specific ledger code using SYSPRO's Business Process feature. Defining valid business processes against a ledger code ensures that the code is only used for appropriate transactions. When an operator processes a transaction and browses on the ledger code, only the ledger codes enabled for the business process related to the transaction being processed are displayed.

SYSPRO Process Modeling

SYSPRO understands that strategy, risk, performance and sustainability are inseparable. SYSPRO Process Modeling provides a model-driven architecture that supports management by aligning IT with company strategy, business objectives and sustainability. It also provides a transparent view of your uniquely modeled processes and organizational roles.

SYSPRO Workflow Services

A built-in workflow engine (SYSPRO Workflow Services) enables you to streamline end-to-end business process activities in SYSPRO, as well as create efficient interactions between SYSPRO and external touch points. You can apply rules-based control over business processes as well as design and visualize the workflow processes (which may include conditions, actions and alerts). The Workflow Monitor provides workflow status and performance information, helping to identify the progress and status of any particular instance of a workflow.

Monitoring

Monitoring allows observers to be aware of the state of a system so that action can be taken if any changes or irregularities occur. SYSPRO's monitoring functions include dashboards that provide a visual indication of what is happening, as well as systems which can be automated so that continuous controls monitoring can be implemented.
Event Management

You can configure events that must be monitored in SYSPRO as they occur, and invoke third-party applications when this happens (e.g. stock falls below zero). The actions that can be associated with an event include launching programs, sending messages to specified persons, or writing the occurrence of the event to the Event Log.

Triggers

Triggers are used to invoke third-party applications when a particular trigger is activated in SYSPRO (e.g. after adding a customer). Several of the available triggers can be used to highlight potentially abnormal transactions that may indicate fraudulent activity.

Electronic signatures can be configured to maintain a transaction log for auditing purposes, as well as activate triggers for integration to third-party systems or notification via . The Trigger options enable the configuration of multiple actions to be executed automatically when an electronic signature transaction is successfully completed.

Electronic signatures enable the configuration of VBScripts that can be invoked when a trigger is fired. This caters for almost unlimited triggering capability, since virtually any type of application can be invoked using VBScript. Electronic signatures also enable SYSPRO Reporting Services (SRS) reports to be invoked when a trigger is fired.

Dashboards

SYSPRO Dashboards provide an interactive visual presentation of real-time data in the ERP system. They allow managers and executives to see current status and trends of specific organizational metrics and to gauge how business operations are performing.

Role Conflicts

SYSPRO provides system controls to help companies ensure the segregation of duties between different staff members. One of these controls is the Role Conflict file which can be configured to contain a list of user-defined pairs that are considered to be in conflict within the organization.
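The group rule under "Groups and subgroups" (access is denied only if all of an operator's groups deny it) and the Role Conflict pairs described above can be modelled for an access review as follows. This is an added example, not SYSPRO code or part of the white paper; every group, program, role and operator name is constructed, and treating the first listed group as the operator's main group is an assumption.

```python
"""Access-review sketch for two rules in the white paper (constructed data)."""
from itertools import combinations

MAX_ROLES_PER_OPERATOR = 5  # the paper: up to five roles per operator

# Constructed sample data; hypothetical names, not SYSPRO identifiers.
# For each group, the set of programs that the group DENIES.
GROUP_DENIES = {
    "PRODUCTION": {"GL Journal Entry", "GL Journal Post"},
    "DESPATCH": {"GL Journal Entry", "GL Journal Post", "Job Issues"},
    "FINANCE": {"Job Issues"},
}
# Operator -> main group first, then subgroups (ordering is an assumption).
OPERATOR_GROUPS = {
    "ALICE": ["FINANCE"],
    "BOB": ["PRODUCTION", "DESPATCH"],
    "CAROL": ["PRODUCTION", "FINANCE"],
}
OPERATOR_ROLES = {
    "ALICE": ["GL Originator"],
    "BOB": ["Storeman"],
    "CAROL": ["GL Originator", "GL Authorizer"],
}
# Role conflict list: unordered pairs considered to be in conflict.
ROLE_CONFLICTS = {frozenset({"GL Originator", "GL Authorizer"})}


def is_denied(operator, program):
    """Denied only if ALL of the operator's groups deny the program.

    An operator with no groups is treated as denied (fail closed), since
    the paper states that operators must belong to an operator group.
    """
    groups = OPERATOR_GROUPS.get(operator, [])
    return all(program in GROUP_DENIES.get(g, set()) for g in groups)


def widened_by_subgroups(operator):
    """Programs the main group denies but a subgroup re-opens."""
    main_group = OPERATOR_GROUPS[operator][0]
    denied_by_main = GROUP_DENIES.get(main_group, set())
    return sorted(p for p in denied_by_main if not is_denied(operator, p))


def role_findings(operator):
    """Flag conflicting role pairs and operators over the role limit."""
    roles = sorted(set(OPERATOR_ROLES.get(operator, [])))
    findings = []
    if len(roles) > MAX_ROLES_PER_OPERATOR:
        findings.append(("too-many-roles", len(roles)))
    for a, b in combinations(roles, 2):
        if frozenset({a, b}) in ROLE_CONFLICTS:
            findings.append(("role-conflict", (a, b)))
    return findings


def review():
    """Per-operator report: widened program access and role findings."""
    return {
        op: {"widened": widened_by_subgroups(op), "roles": role_findings(op)}
        for op in sorted(OPERATOR_GROUPS)
    }


if __name__ == "__main__":
    for op, result in review().items():
        print(op, result)
```

Because a deny must be unanimous, adding a subgroup can only widen an operator's program access, which is why the review lists programs re-opened by subgroup membership alongside the conflicting role pairs.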
Auditing

Together with risk and compliance management, the role of auditing is to analyse and assess business data, transactions and processes and provide insight and recommendations for changes, as well as notification of breaches of policies and procedures.

System Audit Log

System audit logs enable the company to track any changes made to the system that affect system security. As well as enabling more effective system security maintenance, the audit log traces logins to allow system administrators to make more accurate recommendations about the purchase of additional licenses.

Job logging

The Job Logging program maintains a log file of all programs that have been accessed by operators. The log file stores information regarding the program accessed, the date and time that the program was accessed, the length of time that the program was in use, the operator who loaded the program, and the computer name and process ID (PID) from which the program was run.

Amendment Journals

Amendment journals track changes made to master files, company setup and operator information. You can report on these changes using SYSPRO Reporting Services.

SYSPRO Data Dictionary

The data dictionary is a catalog of the files and databases in the SYSPRO system. The Data Dictionary Viewer shows the properties of the tables including columns, primary and alternate keys, and data.

SQL Diagnostics

The SQL Diagnostic Query program identifies potential problems with the SQL Server database used by SYSPRO companies. It also identifies any differences between the existing database and the standard SYSPRO tables, columns and indexes that should exist as well as missing user-defined tables, columns and indexes.

Reporting

Reports

A wide range of reports can be used to audit the security and integrity of an installation.
Control account reconciliation

In addition to reports that can be used to reconcile control accounts manually, a SYSPRO partner application provides automated control account reconciliations that allow accountants and auditors to check, prove and maintain the integrity of the General Ledger control accounts for current and prior periods.

SRS Report Archiving

SRS Report Archiving enables reports to be electronically archived in the version that was produced at the time they were run. Besides assisting organizations in reducing their carbon footprint through the reduced consumption of office stationery, archiving provides secure electronic access to transaction audit trails and financial statements.

Operators have access to reports that they have archived and, depending on the activity settings against their operator code, to archives performed by members of their operator group. A Report Archive menu system enables archives to be viewed (along with the reports) in both .rpt and PDF formats. It also facilitates the purging of archived documents up to a selected date.

Number Tracking

All SYSPRO transactions can use a numbering method so that items such as invoices and purchase orders can be tracked and reported.

Conclusion

SYSPRO offers the following auditing assurance, control and reporting solutions.
Audit requirement | SYSPRO solutions
Segregation of duties, authentication, access control | Electronic signatures, operator/group security, role security, passwords, program macros
Control of transactions, data | General Ledger control accounts, SYSPRO Workflow Services, SYSPRO Analytics ETL log
Process control | SYSPRO Workflow Services, Requisition system, Capex system
User interface control | Customized panes, program macros
Continuous monitoring | Electronic signatures
Secure reporting | SYSPRO Reporting Services
Audit trails | Distribution reports, registers, journals, electronic signature logs, amendment journals
Traceability | Numbering of invoices, purchase orders, etc., Lot control, serial number tracking
Notification | Electronic signatures triggers, role conflicts, events

An organization's maturity in terms of governance and controls influences how security is implemented and the effectiveness of the controls and monitoring that are put in place. Although SYSPRO can assist in controlling, alerting and tracking activities and transactions, it cannot guarantee security and controls unless the organization itself is committed to these objectives.

About SYSPRO

SYSPRO software is an award-winning, best-of-breed Enterprise Resource Planning (ERP) software solution for cost-effective on-premise and cloud-based utilization. Industry analysts rank SYSPRO software among the finest, best-in-class enterprise resource planning solutions in the world. SYSPRO software's powerful features, simplicity of use, scalability, information visibility, analytic/reporting capabilities, business process and rapid deployment methodology are unmatched in its sector.

SYSPRO, formed in 1978, has earned the trust of thousands of companies globally. SYSPRO's ability to grow with its customers and its adherence to developing technology based on the needs of customers is why SYSPRO enjoys one of the highest customer retention rates in the industry.
Copyright 2013 SYSPRO. All rights reserved. All brand and product names are trademarks or registered trademarks of their respective holders. No part of this material may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without prior written permission from the publisher.