Security Logging

Hi, I would agree, not too happy to hear that it's not fixed in 8.03
either.

I'm using Vantage 6.10.543, and I've received a few reported cases of
missing Invoices, the problem with the ChangeLog for me, is it doesn't
log Delete activities!

For example here's our an excerpt from our ChgLog.

admin 16:25:18 Unit Price: 0.14851 -> 0.14850
yinnee 16:32:48 New Record.
yinnee 16:32:48 Ext. Price: 0.00 -> 148.50
yinnee 16:32:48 Ext. Price: 0.00 -> 148.50

Immediately after my Updating the price, Yinnee deleted the invoice
off and created a new one. But there's no logging of the delete
activity at all in the ChangeLog.

I don't understand why Vantage can't write
yinnee 16:32:40 Deleted Record.

....

--- In vantage@yahoogroups.com, "Sweny, Matt" <matts@...> wrote:
>
> While we are not a public entity, our outside auditors continue to adopt
> SOX requirements every year for all their clients. We are told,
> eventually there will be very little auditing differences between public
> and private and non-profit entities.
>
>
>
> We have identified that there are some transactions which Vantage does
> not seem to have a log to activate in the BAM.
>
>
>
> One good example is Invoices.
>
>
>
> Any power user who has AP Invoice entry access can change an AP invoice,
> make the transaction be a zero variance..........and there is no log to
> tell who, changed what, when.
>
>
>
> There are "change Logs" for: Requisitions, PO's, Suppliers, Parts,
> Customers, Labor, Sales Orders, Quotes & Jobs.
>
>
>
> Also, there is no Change Log for Receipt Entry that I can see (needed
> because while receipts can not be changed after they are matched to the
> invoice, the match can always be backed out and the receipts updated
> then re-matched)
>
>
>
> The logs as Craig mentioned can get massive, and it would be nice to
> have the ability to archive (without customization) individual or a list
> of BAM logs using a date range. This would make reporting more flexible,
> faster and take less server resources as the log database builds.
>
>
>
> Perhaps there is a SOX advisory group out there, anyone know about that?
>
>
>
> I would be willing to accumulate users suggestions for SOX then submit
> to Epicor / EUG etc. Although, it sure would be nice if Epicor already
> had some documented plan........would rather not do their work but if
> that's what it takes....
>
>
>
> Version 8.03.305L
>
>
>
> Matt
>

Has anyone out there been subject to SOx security reporting
requirements? What features are available in Vantage/SQL that can
monitor user activity like logins, failed logins, etc. We have a need
to monitor powerful user activity, especially direct writes to the
database.

Love to hear from anyone who has conquered these same issues.

Jim Pratt

Ameridrives

We have had quite a joy dealing with this issue. Epicor hasn't been
very helpful either. They gave us one reference to another public
company, but they don't use Vantage for their accounting. The only
Epicor documentation on the topic basically says you should follow
good accounting practices, and we are 404 compliant (although I would
debate this point).

The chglog table contains logs for records that have been changed. I
believe there are some fields that are monitored by default, but you
will need to use Business Activity Manager to configure new fields
for logging. The biggest issue is that the logtext field, which
contains all of the pertinent data, is too large for most reporting
tools. BAQs error out, Excel won't read it, and Crystal won't read
it. We finally got the data by using MS Access to read the data and
generate reports based on specific criteria of our controls.

I wrote several reports as 8.03.305 doesn't have any security
reports. There is a Crystal report in the files section of this group
that will list the security of your menu objects, group memberships,
and some other related info.

We are on a Progress DB, but I don't think it will make any
difference. Keep me posted on any solutions you come up with.

Good Luck,
Craig

--- In vantage@yahoogroups.com, "jmpratt7" <james.pratt@...> wrote:
>
> Has anyone out there been subject to SOx security reporting
> requirements? What features are available in Vantage/SQL that can
> monitor user activity like logins, failed logins, etc. We have a
need
> to monitor powerful user activity, especially direct writes to the
> database.
>
> Love to hear from anyone who has conquered these same issues.
>
> Jim Pratt
>
> Ameridrives
>

While we are not a public entity, our outside auditors continue to adopt
SOX requirements every year for all their clients. We are told,
eventually there will be very little auditing differences between public
and private and non-profit entities.



We have identified that there are some transactions which Vantage does
not seem to have a log to activate in the BAM.



One good example is Invoices.



Any power user who has AP Invoice entry access can change an AP invoice,
make the transaction be a zero variance..........and there is no log to
tell who, changed what, when.



There are "change Logs" for: Requisitions, PO's, Suppliers, Parts,
Customers, Labor, Sales Orders, Quotes & Jobs.



Also, there is no Change Log for Receipt Entry that I can see (needed
because while receipts can not be changed after they are matched to the
invoice, the match can always be backed out and the receipts updated
then re-matched)



The logs as Craig mentioned can get massive, and it would be nice to
have the ability to archive (without customization) individual or a list
of BAM logs using a date range. This would make reporting more flexible,
faster and take less server resources as the log database builds.



Perhaps there is a SOX advisory group out there, anyone know about that?



I would be willing to accumulate users suggestions for SOX then submit
to Epicor / EUG etc. Although, it sure would be nice if Epicor already
had some documented plan........would rather not do their work but if
that's what it takes....



Version 8.03.305L



Matt

________________________________

From: vantage@yahoogroups.com [mailto:vantage@yahoogroups.com] On Behalf
Of Craig Weiss
Sent: Tuesday, June 24, 2008 9:47 AM
To: vantage@yahoogroups.com
Subject: [Vantage] Re: Security Logging



We have had quite a joy dealing with this issue. Epicor hasn't been
very helpful either. They gave us one reference to another public
company, but they don't use Vantage for their accounting. The only
Epicor documentation on the topic basically says you should follow
good accounting practices, and we are 404 compliant (although I would
debate this point).

The chglog table contains logs for records that have been changed. I
believe there are some fields that are monitored by default, but you
will need to use Business Activity Manager to configure new fields
for logging. The biggest issue is that the logtext field, which
contains all of the pertinent data, is too large for most reporting
tools. BAQs error out, Excel won't read it, and Crystal won't read
it. We finally got the data by using MS Access to read the data and
generate reports based on specific criteria of our controls.

I wrote several reports as 8.03.305 doesn't have any security
reports. There is a Crystal report in the files section of this group
that will list the security of your menu objects, group memberships,
and some other related info.

We are on a Progress DB, but I don't think it will make any
difference. Keep me posted on any solutions you come up with.

Good Luck,
Craig

--- In vantage@yahoogroups.com <mailto:vantage%40yahoogroups.com> ,
"jmpratt7" <james.pratt@...> wrote:

>
> Has anyone out there been subject to SOx security reporting
> requirements? What features are available in Vantage/SQL that can
> monitor user activity like logins, failed logins, etc. We have a

need

> to monitor powerful user activity, especially direct writes to the
> database.
>
> Love to hear from anyone who has conquered these same issues.
>
> Jim Pratt
>
> Ameridrives
>

This e-mail transmission and any attachments to it are intended
solely for the use of the individual or entity to whom it is
addressed and may contain confidential and privileged
information. If you are not the intended recipient, your use,
forwarding, printing, storing, disseminating, distribution, or
copying of this communication is prohibited. If you received
this communication in error, please notify the sender
immediately by replying to this message and delete it from your
computer.

[Non-text portions of this message have been removed]