Posted On: May 14, 2020
Monitoring Moment: Fraud Protection in JD Edwards – Find and Eliminate Hidden Threats
Risk. Security. Fraud. Segregation of duties. Most companies place these concerns at or near the top of their management lists. From security consultants to external audits, companies spend time, effort, and money to manage their risk. Training is mandatory, access is reviewed, and security is controlled and approved.
However, when it comes to JD Edwards, access, risk, and security, almost anyone will tell you there can still be room for improvement. Sure, prevention should be priority #1, but detection can be a powerful weapon as well – especially if it monitors for hidden risk.
The invisible threat within JDE is often misuse of valid access: someone has the power, authority, and security access, but there’s little or no oversight of what they are actually doing in JD Edwards. In this blog post we’ll explore some concrete examples of how this threat plays out in actual business scenarios and highlight a solution you can use to protect yourself.
Can users change their own data?
Let’s say you are an HR employee: A good portion of your job involves making changes to employee data, keeping it up to date and correct. However, it’s highly likely that security does not prevent you from performing those same updates on your own record. Think about it:
- Could you give yourself a raise without anyone knowing?
- Give yourself a bonus?
- Change your start date so you get more vacation?
These types of scenarios happen more often than you might think. Sometimes these changes are the product of accidents, sometimes they’re not. Either way, you need to be protected.
Is trust your security mechanism?
Or perhaps you have business analysts or CNCs who have SYSADMIN or other open access to Production. You know (and they know) they shouldn’t be updating transaction or master data in Production… but they use their powers for good, right?
Most likely the answer is “yes.” But even so, ask yourself these questions:
- What mechanisms do you have in place to reassure auditors access isn’t abused?
- Could a user run payroll or voucher payments without anyone knowing?
- Could someone create a new (fake) JDE user without approval and log in as that user to commit fraud?
Even if incidents like this are uncommon, they’re almost always discovered after the fact, when the damage has been done.
Do you know where to look for loopholes and how to find them?
The most common type of fraud, according to the Association of Certified Fraud Examiners, is asset misappropriation. In a JDE system, this would most often translate to issuing invalid or unauthorized payments. Common examples of fraudulent payments include:
- Changes to direct deposit information
- Vouchers issued with an alternate remit to designation
- Employees rehired without authorization from HR
Accounting departments do what they can to guard against these types of activities, but JD Edwards out-of-the-box functionality doesn’t provide many tools for meeting the challenge proactively.
That’s where Syntax steps in.
Syntax EnterpriseCare® Fraud ID – Proactive Fraud Prevention
To help JD Edwards protect themselves against fraud, Syntax has developed FraudID. FraudID is powered by Syntax EnterpriseCare®, our propriety Oracle ERP monitoring system, and guards against these situations and many others. It offers internal SOD controls, so auditors have secure access to configuration and alerts. Alerting can fire in real time, sending proactive notifications to auditors for investigation. Best of all, it’s easy to configure out of the box; we can work with your designated auditor user and have FraudID alerting in less than four hours.
Get Ahead of the Curve
For more information about fraud prevention and detection or to learn more about how you can begin to proactively monitor your entire JD Edwards solution, check out our FraudID and Syntax EnterpriseCare® pages.
If you’d like to suggest a FraudID scenario or enhancement or simply want to talk one-on-one with one of our fraud prevention experts, contact us and we’ll schedule a call.