3 Replies Latest reply on Jun 8, 2010 11:34 AM by smelanson

    Use of P2P Audit logs in Sox Compliance-P2P On Demand

    smelanson Apprentice

      Looking for Best Practice ideas in the use of the P2P Audit Logs to review and monitor system changes related to ITGC Sox compliance and P2P on Demand.

      Currently our Customer Admin. team consists of Business Process experts and we have our IT team performing User Admin. duties via a

      custom group assignment. 
      How has your enterprise addressed the ITGC Sox controls, and passed any internal/external audits in regards to

      the Customer Admin. group and segragation of duties controls? 
      How do your business experts interact with the On Demand environment if not in the Customer Admin group?

      Any best practice ideas around the whole P2P on Demand?

        • Re: Use of P2P Audit logs in Sox Compliance-P2P On Demand
          Russ Stebbins Master

          Separation of duties is the key consideration for compliance.  That and making sure the people have the minimal permissions needed for their function.

           

          Our CA are split between IT and purchasing but responsibility is data management focused.  They do not belong to any of the business roles like Purchasing Agent or Invoice Manager.  The BA (me) does not belong to the CA group.   Any changes to the configuration and or data goes through a change control process and the CA implements. Since the CA can make changes through the UI, the number users assigned to that group is minimal.  With very few exceptions, all data is imported through csv files with a bias to external systems (ERP, HR) being the source of truth.

           

          By following a well documented Change process, audit is satisfied that the system will remain complaint to approved processes.

           

          To ensure that the CA aren't making unauthorized changes, management reviews the audit logs on a weekly basis.  Any additions/changes to the master data by anyone would be reflected there.  We can also monitor any changes that Ariba makes to the system by this process.

          1 of 1 people found this helpful
            • Re: Use of P2P Audit logs in Sox Compliance-P2P On Demand
              smelanson Apprentice

              Thanks Russ. How are audit logs reviewed and by whom since only the CAs can run these logs? Probably not a real issue since these can not be

              altered in any way.  Do you review all the different types of entries, or do you key on a few that show config. changes, "act as" transactions..etc?

              Scott.

                • Re: Use of P2P Audit logs in Sox Compliance-P2P On Demand
                  Russ Stebbins Master

                  We have the CA export the logs each week and I review them with my managers.  It's less than perfect, the CA could edit the files before passing them along but it isn't easy hiding the alterations (we look at the time stamps on the files as well).  You could also review them on-line which we did initially, but it is time consuming.  It would be preferable having an 'Auditor' group with access to the logs but this process is fairly low risk.  The goal is not to eliminate risk but to mitigate it.

                   

                  We only take a look at a couple of the logs that would contain user activities.  I will leave it as an exercise to determine which ones you need.  I don't want a call from your SOX team asking me "why did you say use only these files?"