SOX --- Access Control Issue on ERP product (PeopleSoft) 678

  • Hi ,
    Functional module expert (technical person) of ERP(Peoplesoft) has full access to all functional modules in production enviroment . We have restricted the developer’s access to production system. I was wondering whether we need to restrict the access or monitor the access of functional module expert. He is working as technical consultant and he is not from business unit. It would be great if you could clarify this question

  • I would recommend that you look carefully at what this person needs to do and restrict theri access accordingly.
    We have had to restrict access for some of our user support analysts because we have several application key controls related to Peoplesoft configuration settings (e.g. sales tax rates and calculations) that need to be tightly controlled. We need to ensure that these cannot be changed without going through full change control procedures. If people have production access then they could change these at any time.
    In addition if the person has full transactional access in production, you may have a segregation of duties issue. If they have access to all of the transactional functionality, they could process fraudulent transactions, or even make mistakes when investigating problems.

  • Thanks a lot. It certaily helps. We have four or five faunctional experts accessing the production system and changing the configuration. I would recommend that their access is either restricted or monitored.
    I wanted to treat this case as similar to developer’s access to production system . Am I right ?

  • We’re facing a similar issue at my client where SAP support staff are making master data changes (t-codes, cost centers…etc) in production directly. BTW, these folks are developers as well. They’re following a change management system to control development and they have competent administration staff to provide production transports.
    However, there just isn’t anything they can do, from an operating standpoint, to stop IT support staff access to master data, as this would disrupt business greatly.
    We’ve thought about logging their activities and having internal audit reviews on a consistent basis to ensure proper approval was granted, but this may not be feasible in SAP.

Log in to reply