True System Based SOX Controls

Wondering if anyone has found a way to set up Epicor so you can have true system based controls without mitigating manual controls?

As far as I know, there is no way to actually do this. The second you give a user Security Manager access, you need mitigating manual controls to ensure that they are not transacting inappropriately.

Please, someone prove me wrong!

3 Likes

To the best of my knowledge, you are correct. The “Security Manager” flag on User Account Security Maintenance overrules most menu security settings and therefore takes real work to undermine the overruling. It has been ever thus.

1 Like

@Ernie , thanks for responding, even though I strongly dislike your answer. :rofl:

That is my experience too, there is no way to implement SOX through Epicor without a truckload of customization and manual based controls. And as currently designed, you can never get to true system-based controls. Extremely disappointing.

1 Like

Just Menu Securities and Logging to be honest. I went down the path of BO Security and Field Security, it was not good.

2 Likes

Epicor’s security structure is based on the Windows NT security hierarchical model, and the “Security Manager” flag is a blunt instrument designed to essentially ignore that. The BO Security and Field Security features have been added and tweaked since then, so there is SOME ability to approach SOX compliance, but until the entire security architecture is replaced (or some gollywog NEW security layer is designed and implemented) we’re sorta stuck.

Which is the issue. As long as Security Manager has God level access, you need to prove that someone with that access did not inappropriately perform a transaction.
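The compensating control the thread keeps coming back to is a periodic review of what Security Manager users actually did, since the flag itself cannot be constrained. Below is an added example of such a review script; it is not Epicor code and not from anyone in this thread. It assumes two exports that you would produce yourself: a user list with a `security_manager` column and a transaction audit log with `timestamp,user_id,business_object,method,key` columns. The column names, business object names and sample rows are constructed for illustration, and the list of objects a Security Manager is expected to touch (`ADMIN_OBJECTS`) is an assumption you would replace with your own control matrix.

```python
"""Review transactions performed by users holding the Security Manager flag.

Added example (not Epicor's own code). The export formats, column names,
business object names and sample rows below are constructed assumptions.
"""
import csv
import io
from collections import defaultdict

# Constructed user export. Assumed columns: user_id, security_manager.
USER_EXPORT = """user_id,security_manager
asmith,true
bjones,false
cadmin,true
"""

# Constructed transaction audit log.
# Assumed columns: timestamp, user_id, business_object, method, key.
TRANSACTION_LOG = """timestamp,user_id,business_object,method,key
2024-03-01T09:12:00,asmith,APInvoice,Update,INV-1001
2024-03-01T09:15:00,bjones,APInvoice,Update,INV-1002
2024-03-01T10:02:00,cadmin,CheckPosting,Post,CHK-55
2024-03-01T11:30:00,cadmin,UserMaintenance,Update,dlee
"""

# Objects a Security Manager is expected to use as part of administering
# security. Activity here is normal; anything else is raised for review.
# Assumption: replace with your own control matrix.
ADMIN_OBJECTS = {"UserMaintenance", "MenuSecurity", "SecurityGroup"}


def load_security_managers(user_csv: str) -> set:
    """Return the set of user_ids whose security_manager column is true."""
    reader = csv.DictReader(io.StringIO(user_csv))
    return {
        row["user_id"].strip()
        for row in reader
        if row["security_manager"].strip().lower() in ("true", "1", "yes")
    }


def review_privileged_activity(user_csv: str, log_csv: str,
                               admin_objects=ADMIN_OBJECTS) -> list:
    """Return audit rows where a Security Manager transacted outside
    the administrative objects, in log order. Each finding is the
    original row plus a 'reason' field for the reviewer."""
    managers = load_security_managers(user_csv)
    findings = []
    for row in csv.DictReader(io.StringIO(log_csv)):
        user = row["user_id"].strip()
        obj = row["business_object"].strip()
        if user in managers and obj not in admin_objects:
            row = dict(row)
            row["reason"] = (f"Security Manager {user} performed "
                             f"{row['method']} on {obj}")
            findings.append(row)
    return findings


def summarize_by_user(findings: list) -> dict:
    """Group finding keys by user so a reviewer can sign off per person."""
    summary = defaultdict(list)
    for f in findings:
        summary[f["user_id"]].append(f["key"])
    return dict(summary)


if __name__ == "__main__":
    results = review_privileged_activity(USER_EXPORT, TRANSACTION_LOG)
    for f in results:
        print(f["timestamp"], f["reason"], f["key"])
    print(summarize_by_user(results))
```

Run against the constructed data this raises the AP invoice update by `asmith` and the check posting by `cadmin` for review, while `bjones` (not a Security Manager) and `cadmin`'s user maintenance change are left alone. The point is that the evidence of the review (who looked at each finding and when) is what satisfies the auditor, so in practice the output would be written to a ticket or a signed-off report rather than just printed.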