The Curious Case of “Which UDO to Use”
David A. Fernandez | Senior Solution Consultant, Security and Fraud Protection
JD Edwards EnterpriseOne has introduced a new way of customizing the user experience. With JD Edwards UDOs (User Defined Objects), a customized display can be created by following the OMW process of creation, approval and promotion. These new composite shortcuts can combine functionality from several separate programs into a single view.
The challenge for the Compliance and Audit teams is to ensure that, while the business leverages these time-saving tools, the system stays in a controlled state that still satisfies SOX and other regulatory mandates.
A Customer Service Representative is one of the leading customer-facing contacts in your organization, and it is essential to limit how many times a customer is transferred before an issue is resolved. The goal is one call to resolve the issue. To facilitate this, a CSM UDO is created that bundles the commonly used applications needed for first-tier support, including the ability to update the Address Book: contact names, phone numbers, email addresses and so on. For that to work, the UDO needs the security required to perform those activities. Joe in the Accounts Payable group sees the new screens, likes the visibility of everything in one place, and requests access. In an innocent "wow, that will make his life easier" moment, the access is granted.
Let us take a closer look at Joe, a clerk in the Accounts Payable group. Joe is responsible for printing checks, spot-checking them against the register and sending them to the collating machine to be stuffed and mailed. The check stock is kept in a locked room with the check printers and the MICR toner cartridges, and the checks are electronically signed when printed. This would appear to be a pretty secure approach. Now imagine Joe has received access to the CSM UDO, which grants review and maintenance of the Address Book. He goes to the Address Book entry for a payee he knows will be issued a check, probably for a small amount of a few hundred dollars, and changes the Alpha Name. When the check run executes, the check prints in his name or any other name he wishes. He then goes back, reverts the Alpha Name to the original and proceeds to close the batch.
When a company issues hundreds or thousands of checks a month for various purposes, this is a needle-in-a-haystack event. By the time the actual payee calls to complain that the payment never arrived, a replacement check is issued and, if anyone reviews the original at all, it is found to have been paid to the wrong party. Typically the investigation ends there: because the amount is small, it is chalked up to random theft in the mail system and the original check is written off.
There are tools and techniques that can be used to monitor this type of activity. For example, if the organization has a group solely responsible for adding and deleting Address Book entries, that is a good control. However, the ability to change Address Book (P01012) entries, as in the Customer Service UDO above, is reachable from various Row and Form Exits within EnterpriseOne, so a control on the menu entry alone does not cover every path to it. And because the Address Book is not usually listed as a SOX-monitored program in the SOD review, the classic conflict between payee master maintenance and payment processing can escape detection.
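Two checks a practitioner would want to run against the scenario above are (1) an SOD cross-check that treats Address Book maintenance as a conflicting capability with payment processing, and (2) a detective control over the change log that looks for the exact pattern Joe used: a payee name changed, a payment run that pays that payee, and the name reverted to its original value shortly after. The following Python is an added example written for this post; it is not JD Edwards code and does not use JD Edwards table or API names. The record layouts (a generic Address Book change-log export, a list of payment runs, and role-to-capability mappings) and all sample rows are constructed assumptions; map your own audit source (database trigger, change-log table or report export) onto these shapes.

```python
"""Detective and preventive checks for the 'swap the payee name around a check run' pattern.

Added example, not code from the original post or from JD Edwards. All
record shapes, field names and sample rows below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable


@dataclass(frozen=True)
class Change:
    """One row of an assumed Address Book change-log export."""
    ts: datetime
    user: str
    address_number: int
    field: str        # assumed field label, e.g. "AlphaName"
    old: str
    new: str


@dataclass(frozen=True)
class PaymentRun:
    """One check run: when it executed and which address numbers it paid."""
    ts: datetime
    batch: str
    payees: frozenset[int]


@dataclass(frozen=True)
class Finding:
    address_number: int
    user: str
    changed_at: datetime
    reverted_at: datetime
    batch: str
    printed_name: str   # the name that was in effect while the check printed


def find_name_swaps(changes: Iterable[Change], runs: Iterable[PaymentRun],
                    field: str = "AlphaName",
                    max_gap: timedelta = timedelta(days=3)) -> list[Finding]:
    """Flag change -> payment run pays that payee -> exact revert, all within max_gap."""
    by_payee: dict[int, list[Change]] = {}
    for c in sorted(changes, key=lambda c: c.ts):
        if c.field == field:                       # ignore phone/email edits etc.
            by_payee.setdefault(c.address_number, []).append(c)
    run_list = sorted(runs, key=lambda r: r.ts)
    findings: list[Finding] = []
    for addr, edits in by_payee.items():
        for i, first in enumerate(edits):
            for second in edits[i + 1:]:
                if second.ts - first.ts > max_gap:
                    break                          # edits are time-ordered; stop early
                if second.new != first.old:
                    continue                       # not a revert to the original value
                for run in run_list:
                    if first.ts <= run.ts <= second.ts and addr in run.payees:
                        findings.append(Finding(addr, first.user, first.ts, second.ts,
                                                run.batch, first.new))
    return findings


def sod_conflicts(user_roles: dict[str, set[str]], role_grants: dict[str, set[str]],
                  conflict_pairs: list[tuple[str, str]]) -> dict[str, list[tuple[str, str]]]:
    """Return users whose combined roles grant both halves of any conflicting pair."""
    out: dict[str, list[tuple[str, str]]] = {}
    for user, roles in user_roles.items():
        caps = set().union(*(role_grants.get(r, set()) for r in roles))
        hits = [(a, b) for a, b in conflict_pairs if a in caps and b in caps]
        if hits:
            out[user] = hits
    return out


def demo() -> tuple[list[Finding], dict[str, list[tuple[str, str]]]]:
    """Run both checks over constructed sample data."""
    t0 = datetime(2024, 3, 4, 9, 0)
    changes = [
        Change(t0, "joe", 4410, "AlphaName", "Acme Supply Co", "Joe Smith"),
        Change(t0 + timedelta(hours=1), "joe", 4410, "Phone", "555-0100", "555-0199"),
        Change(t0 + timedelta(days=1, hours=2), "joe", 4410, "AlphaName", "Joe Smith", "Acme Supply Co"),
        Change(t0, "csr1", 5001, "AlphaName", "Old Name LLC", "New Name LLC"),  # legitimate, never reverted
    ]
    runs = [PaymentRun(t0 + timedelta(days=1), "B1001", frozenset({4410, 5001, 6200}))]
    # Preventive side: the CSR UDO carries Address Book maintenance; AP check printing is a conflict.
    role_grants = {"CSR_UDO": {"addressbook.maintain"}, "AP_CHECKS": {"payments.print"}}
    user_roles = {"joe": {"AP_CHECKS", "CSR_UDO"}, "amy": {"CSR_UDO"}}
    conflicts = [("addressbook.maintain", "payments.print")]
    return find_name_swaps(changes, runs), sod_conflicts(user_roles, role_grants, conflicts)


if __name__ == "__main__":
    swaps, sod = demo()
    for f in swaps:
        print(f"payee {f.address_number}: '{f.printed_name}' in effect for batch {f.batch}, "
              f"changed by {f.user} at {f.changed_at}, reverted {f.reverted_at}")
    print("SOD conflicts:", sod)
```

The detective check deliberately keys on the revert rather than on the change alone, because name corrections are routine and a "changed to an unusual value, paid, changed straight back" sequence is what makes Joe's edits stand out. The preventive check only works if Address Book maintenance is actually on the conflict list; adding the UDO's capabilities to the SOD matrix is the step the post says most reviews miss.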
The foregoing account of a scam perpetrated by an employee is true. I experienced it at a client site many years ago, before the advent of JD Edwards UDOs. The tools were different, but the outcome would be the same with JDE UDOs.
Hopefully JD Edwards UDOs will prompt some thought and a review of your systems to ensure you do not have a Joe in your midst. The GSI Security Team can offer a more in-depth analysis of these types of risks and provide guidance on how best to resolve any issues that are found.