LogicalApps: Tweaking the Rules
LogicalApps excels in the Sarbanes-Oxley compliance realm and can help keep companies fraud-free, though some customers using previous versions of its software say the high number of access conflicts it flags resulted in heavy lifting.
Emulex, a networking storage adapter and switch maker, found LogicalApps' AppsAccess software very straightforward to implement. Every one of the company's 528 employees uses its Oracle applications, from filing expense reports to placing purchase orders. For Pat Moran, Emulex's senior Oracle application developer, granting appropriate access to those systems became a top priority three years ago, as the company pushed to get in compliance with Sarbanes-Oxley.
Moran used LogicalApps to manage financial controls while weeding out potential fraud or impropriety. He says one advantage of AppsAccess was its ability to generate a report for auditors, instead of his team having to manually compile it, which cut down on time needed to complete an internal review.
Using the LogicalApps tools, Emulex finished its segregation-of-duties project in three months, without any custom programming or new procedures. Without the software, Moran figures it would have taken twice as long.
"It's good to know a lot of data-entry errors didn't happen" because the LogicalApps software is in place to prevent employees from making them, he says. "It makes for a good night's sleep."
But others have hit bumps in the road. Christopher Aanes, senior director of internal audit for hard-drive maker Western Digital, had high hopes when he deployed LogicalApps' AppsAccess program to control access to functions in his company's Oracle systems for 1,500 employees.
Aanes, though, didn't realize the software would require extensive configuration before it could be useful. Out of the box, the LogicalApps program identified 450 types of potential conflicts; for example, if an employee has privileges to both generate and approve invoices. However, Aanes didn't consider many of these to be problematic, because Western Digital employees are frequently granted access to complete multiple tasks in the Oracle system.
"Did we know we needed to tailor it?" Aanes says. "Maybe we had kind of a Pollyannaish view, but we didn't expect it."
Aanes says he would have rather seen a "Top 30" list of conflicts, ranked in order of risk. Still, he acknowledges that he could have done more to speed up the configuration of the software by dedicating more staff to the project.
Paul Kaminski, manager of internal controls at Millipore, a biosciences company based in Billerica, Mass., ran into another frustrating problem. When the LogicalApps program finds a conflict, it generates an identification code, which gets sent to an administrator. But if one employee has six conflicts, six separate codes are created, producing both multiple reports and confusion.
"That's the kind of user inconvenience we'd like to eliminate as quickly as possible," Kaminski says.
Mike Rudolph, LogicalApps' vice president of product management, says version 7.0 of AppsAccess, available in the first quarter of 2006, provides improved controls that make administrative tasks easier. For example, the new version can group similar conflicts into umbrella categories for easier management, and allows additional information to be associated with each conflict (like labeling it a high, medium or low risk).