Epicor Menu Security - Audits Risk Management and Segregation of Duties

Our company gets frequent audits. One grey area is the segregation of duties. This seems to be very subjective from one Auditor to the next. The current Epicor reports and security structure are not very good for presenting segregation of duties. I was wondering if anyone has tried to either mark security roles as being mutually exclusive or menu items being a conflict of interest and reporting where Users might be in both. Has anyone developed a solution for this?

Examples:
Supplier Maintenance and Posting Invoices
Purchase Order Entry and Approvals
Making Payments to Vendors and Bank Reconciliation
Paychecks and Bank Reconciliation
Journal Entry and JE Approvals
Custody of Cash and A/R Reconciliation
Hiring and Setting of Compensation
Expense entry and Expense Approvals
Requisitions and approvals or setup
Asset Custody & Asset Inventory
Sales and Approvals
Customer Maintenance and posting Credit Notes
Shipping/Receiving and Posting Transactions
Development and Administration
System Access Permissions
Sales Rep/Territory assignments and Quotes/Sales Order Maintenance

Thoughts?
Thanks in advance,
Glen


I think the most straightforward way would be to use Security Groups. Use the business functions you mentioned above, “Supplier Maintenance, Posting Invoices, Purchase Order Entry, PO Approvals, etc…”

Then use Process Security to prevent anyone not in the Sec Group from processing.

One shortfall of Epicor Security is that a user who is both allowed and not allowed (in a group that should do the process, and also in a group explicitly to disallow it) is still allowed.

Hey Glen,

This is my latest thinking on security. It’s tainted by being Multi-Company thinking so take that into account.

The format of a security group would look something like this:

< comp-id >-< Object_SubObject >-< access >

where comp-id is your company ID, the object maps to a process or item in Epicor, and access is represented by crudx: create, read, update, delete, or execute. Security Group IDs are limited to 20 characters so you may have to get creative there and you have 30 characters for the description.

Examples:

COMP-Part_Costs-RU
COMP-Part-CRUD
COMP-PO_DUEDATE_RU
COMP-MRP-X
ALL-CUST-R

Make as many security groups as needed to capture the granularity that you want to control - especially one for each of your audit rules. Assign these groups to Menu items and/or Services as required. It’s a big project. Consider using DMT to do the updates, especially for SaaS users.

Use a UD table to record your conflicting security groups. For example:
COMP-VND-CRUD, COMP-CheckRun-X

User assignment would be a nightmare. So…

Grab a UD table to create Roles. For each role, you list the security groups that role requires. You can add one record per security group or put them all in a single record and separate the groups with a tilde (~). A customization on User Account Maintenance would display the roles on User Security Account Maintenance. Selecting one and clicking update would update or append the GroupLst. (And while you’re there, add a “same as other user” to copy the GroupLst from one user to another.)

Finally, the system would look for conflicting items. Use a REGEX to find conflicting groups in the string. I would check on BPM on User.Update and then also create a BAQ looking for the same thing. There may be times you would allow this in which case you may want to put a record in the UD table showing you know of the conflict and list your compensating controls.

Those are my thoughts…at least those the doctors say are appropriate to share here.
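An added example, not code from the post or from Epicor, showing the conflict check described above in Python (an Epicor BPM on User.Update would carry the same logic in C#). The naming convention, the tilde-separated GroupLst, the rule table and the approved-exception set are all assumed or constructed here.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Naming convention from the post: <comp-id>-<Object_SubObject>-<access>, access from CRUDX.
GROUP_RE = re.compile(r"^[A-Z0-9]+-[A-Za-z0-9_]+-[CRUDX]+$")

@dataclass(frozen=True)
class SodRule:
    """One row of the hypothetical UD table of conflicting groups. Each side is a
    regex matched against a whole group ID, so one rule can cover a family of groups."""
    rule_id: str
    left: str
    right: str

def split_groups(group_lst: str, sep: str = "~") -> Tuple[List[str], List[str]]:
    """Split a GroupLst (tilde-separated, as in the post) into IDs that follow the
    convention and IDs that do not; the latter are reported, never silently ignored."""
    ids = [g.strip() for g in group_lst.split(sep) if g.strip()]
    good = [g for g in ids if GROUP_RE.match(g)]
    bad = [g for g in ids if not GROUP_RE.match(g)]
    return good, bad

def find_conflicts(group_lst: str, rules: List[SodRule],
                   approved: FrozenSet[str] = frozenset()) -> List[Tuple[str, tuple, tuple]]:
    """Return (rule_id, left_groups, right_groups) for every rule this GroupLst violates,
    skipping rule IDs recorded in the UD exception table with a compensating control."""
    groups, _ = split_groups(group_lst)
    hits = []
    for rule in rules:
        if rule.rule_id in approved:
            continue
        left = tuple(g for g in groups if re.fullmatch(rule.left, g))
        right = tuple(g for g in groups if re.fullmatch(rule.right, g))
        if left and right:
            hits.append((rule.rule_id, left, right))
    return hits

# Constructed rule table: any vendor-master write vs. the check run; JE entry vs. JE approval.
RULES = [
    SodRule("AP-01", r"COMP-VND-\w*[CU]\w*", r"COMP-CheckRun-X"),
    SodRule("GL-01", r"COMP-JE-\w*[CU]\w*", r"COMP-JE_Approve-X"),
]
```

The same `find_conflicts` logic, run over all users, is what the BAQ version would report; the non-conforming IDs from `split_groups` are worth listing alongside it, since they sit outside every rule.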

Yeah, I only explicitly Allow for that very reason.