Not enough control of user access to financial system;
Lacked clear role definitions for each user;
Unable to produce a clear, accurate data trail suitable for J-SOX auditors
Sysmex America Tackles J-SOX with Security Weaver
Sysmex America is a leading medical diagnostic instrument manufacturer and laboratory information systems developer. Its hematology instruments are ranked best in industry for reliability and customer satisfaction. A subsidiary of a Japanese company, Sysmex America has facilities in the U.S., South America and Canada.
A small company in small-town America might not seem like a likely target for international financial regulators. But, when that 500-person, Illinois-based firm is actually a subsidiary of a $2 billion, publicly traded Japanese company, it faces regulatory pressures as daunting as those tackled by its parent.
Sysmex America is part of Japan's Sysmex Corporation, a leading maker of medical diagnostic instruments and laboratory information systems. With hematology instruments ranked best in its industry for reliability and customer satisfaction, this is the company you want to know about if you ever need to have a blood sample analyzed. Sysmex's products are used to screen for potentially life-threatening diseases like leukemia.
In order to fulfill its mission, Sysmex America must keep its own business systems running smoothly. To do so, in January 2008 it deployed SAP for its financial processes. Most of its employees in the U.S., South America and Canada use the SAP system either as part of their primary duties or to access the employee self-service Web portal. But while that access to SAP lets employees streamline workflow, it also created a potential segregation of duties (SOD) problem. The company needed to make sure that employees performed only authorized transactions and that there was a clear data trail.
That's because just as publicly traded U.S. companies must comply with the Sarbanes-Oxley Act of 2002 (SOX), Sysmex and some 3,800 other Japanese-owned companies must comply with J-SOX, the Financial Instruments and Exchange Law, which, like SOX, was enacted in response to accounting scandals. Adam Brody, director of information systems for Sysmex America, says he saw a demo of Security Weaver at a trade show and decided to deploy it as J-SOX deadlines were looming.
In place now for just six months, he says Security Weaver has given the company better control of user access to its financial system, clearer role definitions for each user, and a clear, accurate data trail suitable for any financial auditor that could come calling.
Brody said he decided against using SAP's own SOD tool because it takes too long and is too difficult to deploy. Also, its scope was larger than Sysmex's needs. As is the case in many small companies, employees of Sysmex America wear different hats and have multiple roles, which can create SOD issues. On the flip side, too-tight SOD could make it hard to get tasks done when one or more members of the firm's limited resource pool are on vacation or sick. "We needed something flexible and easy to use. That's Security Weaver," he said.
When he contacted Security Weaver, Brody said they gave him a clear vision of a solution for Sysmex's SOD issues. He simply sent sample data over and Security Weaver came back with helpful analysis and an overview of how the software could help. "Security Weaver was quick and responsive. And the implementation was successful with very few 'hiccups,'" Brody said.
With Security Weaver in place, Brody is confident that Sysmex is in control of SOD and has an accurate, transparent audit trail. Brody points to two Security Weaver modules that have been particularly useful. "The Separations Enforcer lets us see the history of what users have been doing over a certain period of time. It's an awesome tool," he says. He explained that when a consultant originally assigned roles within SAP, users got access to all associated transactions, which could number in the hundreds. Conflict Analyzer allowed Sysmex to determine that many users only needed to run 20 to 30 transactions, for instance, and didn't need access to so many others. With more precise, streamlined role assignments and transactions, conflicts disappeared.
Brody also singles out Emergency Repair for praise. When Sysmex needs to give users temporary access to certain processes, all their actions are auditable and traceable. "We can show the auditors just what users were doing during a specific period of time," he says. And for Sysmex, being on the auditor's good side is important, just as producing and selling its hematology products is important.
As a company that is heavily regulated and must be J-SOX compliant, we rely on Security Weaver to support those strict requirements.
Security Weaver enables compliance with Sarbanes-Oxley, J-SOX and other regulations via simplified and standardized audit control processes.
Security Weaver protects security definitions and tracks changes to segregation of duties. It offers a precise and comprehensive audit trail.
Security Weaver automates reporting and documentation.
Security Weaver requires no additional hardware and does not impact IT system performance.
Security Weaver is easy to install and configure. Support is provided 24/7 and consultants are rarely needed.
Security Weaver has intuitive user interfaces and easy navigation.