Oracle’s journal approval process allows for a workflow based approval process with pre-defined authorization limits. we will discuss the key setups related to the journal approval process. There are a few key setups when implementing the journal approval process:
Journals: Allow Preparer Approval – this determines whether or not the preparer of the journal enter can also approve the journal if the journal is within their authorization limit. Typically, companies don’t allow preparers to approve their own journals since it may allow an employee to enter and approve a material journal entry.
1. Authorization limits
The authorization limit defines the amount of the journal that can be approved. The Journal Approval process determines the appropriate approver by comparing each potential approver’s authorization limit to the largest net journal line amount in the entire batch.2. Approval hierarchy
The approval hierarchy is based on the HR setups (employee/supervisor relationships must be established) and is outside the scope of this document. However, typically the HR setups follow the reporting hierarchy within the company.3. Profile options
Three key profile options are as follows:Journals: Allow Preparer Approval – this determines whether or not the preparer of the journal enter can also approve the journal if the journal is within their authorization limit. Typically, companies don’t allow preparers to approve their own journals since it may allow an employee to enter and approve a material journal entry.
Journals: Find Approver Method – this determines how the approval is routed and can be configured various ways to meet company’s requirements, depending on how the company wants to define the control. Values that can be set for this profile option are as follows:
- Go Up Management Chain
- Go Direct, and
- One Stop Then Go Direct.
The default is Go Up Management Chain. All options use the supervisor hierarchy defined in the HR module. Any of the options would be acceptable from an internal control perspective as long as management documents and enforces the decision.
GLDI: Journal Source – this is the key setup relating to the client-server version of ADI and will be discussed in more detail below
The Sources for which you want to require journals to go through the Journal Approval process need to be enabled by checking the Require Journal Approval column. Typically, you don’t require Sources such as Receivables and Payables to go through the Journal Approval process because the activities in those subledgers have controls within them. Any meaningful review of these subledger journal entries would lead you back to the details in those modules.
However, most companies have defined as one of their key controls as a secondary/managerial review of any manual journal entries. Therefore, all manual journal entries would need to go through the journal approval process. The security to force all manual journal entries to go through the journal approval process differs by the method by which the journal is entered. There are three primary methods that will be discussed in this document: through the forms, through the client-server version of ADI, and through WebADI (Desktop Integrator responsibility).
Source Journal Approval Required? Justification
Assets N Controls over accounting should be in the subledger. Key setups in FA that relate to the accounting for transactions should be controlled and changes approved. Budgets ? Whether or not you should require budget journals to be approved depends on whether you have defined controls over budgets as a key or non-key control. If it is, this should be enabled.
Consolidation N I believe the only time an entry with a consolidation journal source is created is when subledger GL’s are uploaded to a consolidation layer. Therefore, all such journal entries are system generated and need not go through the journal approval process.
Encumbrance Y Any encumbrances entered via JE should be reviewed Intercompany ? Any journal entries with this source come from the Global Intercompany System. Controls surrounding such journals need to be evaluated in regards to overall controls of JE’s. Inventory N Controls over accounting should be in the
subledger. Manual Y Relates to journals entered in the Journals form MassAllocation ? Depending on where the control point is – could be either in the definition of the Mass
Allocations or once the journal is generated – see further comments below Payables N Controls over accounting should be in the subledger. Payroll N Controls over accounting should be in the subledger. Projects N Controls over accounting should be in the subledger. Purchasing N Controls over accounting should be in the subledger. Receivables N Controls over accounting should be in the subledger. Recurring ? Depending on where the control point is – could be either in the definition of the Recurring Journals or once the journal is generated – see further comments below Revaluation Y Depending on where the control point is – could be either in the definition of the Revaluation process or once the journal is generated – because the unrealized gain/loss accounts need to be defined when running the revaluation process, it would be ‘safer’ to have the journal reviewed. Spreadsheet Y Relates to journals entered via the client-server version of ADI as is typically set in the profile option “GLDI: Journal Source”
If you are using the journal approval process, journals can only be posted once they are approved. The posting process has no control impact since the control point is the approval process (or exclusion of the approval process in the case of some journal sources like subledgers). Therefore, using this form would have no impact on the definition of the control. However, if your company hasn’t implemented the journal approval process and is relying on those that post the journals to perform the review, access to this form should only be granted to those with posting authority. The function name is GLXSTAPO.
Since this form allows a user to define which categories should be automatically reversed and which can be automatically posted, the definition of such could override the review approval process and the access to it should, therefore, be controlled. The function name is GLXSTARV.
basis that any changes to this process are authorized. To do so, it is necessary that all
related setups have a complete audit trail. This will require that tables underlying the key
setups noted about to be audited. These include, but are not limited to:
GL_JE_SOURCES_TL (journal sources), GL_AUTOMATIC_POSTING_OPTIONS
(AutoPost), GL_AUTHORIZATION_LIMITS (Authorization Limits),
GL_AUTOREVERSE_OPTIONS (AutoReverse), and
FND_PROFILE_OPTION_VALUES (profile option values). These tables should be
reviewed for their accuracy as well as their performance impact in your environment. See recommended list of tables to audit by signing up for the Oracle Internal Controls Repository at: http://groups.yahoo.com/group/oracleappsinternalcontrols/. The files are
TTA_GL and TTA_AOL.
By: Jeffrey T. Hare, CPA CISA CIA
GLDI: Journal Source – this is the key setup relating to the client-server version of ADI and will be discussed in more detail below
4. Journal Sources
When setting up Journal Approval, you determine which sources are subject to the approval process via the Journal Sources form. You can determine that some sources go through the Journal Approval process and some are not required. When Oracle GL is installed, none of the sources are set up to go through the Journal Approval process.The Sources for which you want to require journals to go through the Journal Approval process need to be enabled by checking the Require Journal Approval column. Typically, you don’t require Sources such as Receivables and Payables to go through the Journal Approval process because the activities in those subledgers have controls within them. Any meaningful review of these subledger journal entries would lead you back to the details in those modules.
However, most companies have defined as one of their key controls as a secondary/managerial review of any manual journal entries. Therefore, all manual journal entries would need to go through the journal approval process. The security to force all manual journal entries to go through the journal approval process differs by the method by which the journal is entered. There are three primary methods that will be discussed in this document: through the forms, through the client-server version of ADI, and through WebADI (Desktop Integrator responsibility).
5. Securing Journal Sources
In the process of setting up the Journal Approval process it is imperative that an end user NOT be allowed to select a Journal Source that could be overridden. You secure this as follows:- Via the Journals form: Manual journals entered through the Journals form are defaulted to the Source of Manual. Therefore, it is critical that this source be set to use the Journal Approval process. If desired, the Category can also be defaulted by using the profile option “Journal: Default Category.” However, I see no internal controls implications to this setting.
- Client/server version: Using the client/server version, it is accomplished by setting the profile option “GLDI: Journal Source” The source you enter in this profile option is the source required for all ADI journal entries and the source that is defaulted in the Excel template.
- Web ADI version: In the WebADI (aka Desktop Integrator) version, it is necessary to 'secure' the Journal Source as follows:
- Define a custom layout or update the standard layout - in this template the Journal Source field should have a Placement of "Context". By placing the journal source field in the context section, it prohibits the end user from overriding the control by changing the journal source to a source that doesn’t require the journal approval process. The Default Type should be "Constant" and the Default Value should be a Source that requires Journal Approval, presumably “Manual” since that is likely to be enabled for journal approval.
- This layout should be the only functional layout capable of being used. Any layout that allows users to change the Journal Source should not be made available.
- The definition of new layouts should be removed from any GL user so they can't introduce a new layout or make changes to the layout that would allow them or another user to be able to change the default journal source or otherwise enter a journal entry with a Journal Source that doesn't require it to go through the Journal Approval process. Therefore, the function “Desktop Integrator - Define Layout” which is part of the standard Desktop Integration Menu should not be accessible for any user involved in the journal approval process. Further, since this is an integral part of the setup for this key control, any changes to the layout should go through your company’s change management process and the impact on this key control needs to be considered.
- Define a custom layout or update the standard layout - in this template the Journal Source field should have a Placement of "Context". By placing the journal source field in the context section, it prohibits the end user from overriding the control by changing the journal source to a source that doesn’t require the journal approval process. The Default Type should be "Constant" and the Default Value should be a Source that requires Journal Approval, presumably “Manual” since that is likely to be enabled for journal approval.
- This layout should be the only functional layout capable of being used. Any layout that allows users to change the Journal Source should not be made available.
- The definition of new layouts should be removed from any GL user so they can't introduce a new layout or make changes to the layout that would allow them or another user to be able to change the default journal source or otherwise enter a journal entry with a Journal Source that doesn't require it to go through the Journal Approval process. Therefore, the function “Desktop Integrator - Define Layout” which is part of the standard Desktop Integration Menu should not be accessible for any user involved in the journal approval process. Further, since this is an integral part of the setup for this key control, any changes to the layout should go through your company’s change management process and the impact on this key control needs to be considered.
Typical Journal Source setups:
Here is the list of the most common seeded journal sources and a discussion of each as it relates to the internal controls implications:Source Journal Approval Required? Justification
Assets N Controls over accounting should be in the subledger. Key setups in FA that relate to the accounting for transactions should be controlled and changes approved. Budgets ? Whether or not you should require budget journals to be approved depends on whether you have defined controls over budgets as a key or non-key control. If it is, this should be enabled.
Consolidation N I believe the only time an entry with a consolidation journal source is created is when subledger GL’s are uploaded to a consolidation layer. Therefore, all such journal entries are system generated and need not go through the journal approval process.
Source Journal Approval Required? Justification
Elimination Y Depending on the controls put in place regarding the definition of elimination sets, these journals should probably be reviewed before being postedEncumbrance Y Any encumbrances entered via JE should be reviewed Intercompany ? Any journal entries with this source come from the Global Intercompany System. Controls surrounding such journals need to be evaluated in regards to overall controls of JE’s. Inventory N Controls over accounting should be in the
subledger. Manual Y Relates to journals entered in the Journals form MassAllocation ? Depending on where the control point is – could be either in the definition of the Mass
Allocations or once the journal is generated – see further comments below Payables N Controls over accounting should be in the subledger. Payroll N Controls over accounting should be in the subledger. Projects N Controls over accounting should be in the subledger. Purchasing N Controls over accounting should be in the subledger. Receivables N Controls over accounting should be in the subledger. Recurring ? Depending on where the control point is – could be either in the definition of the Recurring Journals or once the journal is generated – see further comments below Revaluation Y Depending on where the control point is – could be either in the definition of the Revaluation process or once the journal is generated – because the unrealized gain/loss accounts need to be defined when running the revaluation process, it would be ‘safer’ to have the journal reviewed. Spreadsheet Y Relates to journals entered via the client-server version of ADI as is typically set in the profile option “GLDI: Journal Source”
Special note regarding Mass Allocation and Recurring:
If you were considering place the control point at the definition of Mass Allocation or Recurring journals (Journals -> Define -> Allocation or Journals -> Define -> Recurring) then it would be necessary to audit these tables and have a process to review and approve changes to these. Further, from a change management process, it would also be necessary to validate (for completeness and authorization) that all changes were approved. The easier path would be to have these journals reviewed once they are generated.AutoPost
In the AutoPost form an end user could define certain sources to be automatically posted. Here is the form by which the criteria are defined.If you are using the journal approval process, journals can only be posted once they are approved. The posting process has no control impact since the control point is the approval process (or exclusion of the approval process in the case of some journal sources like subledgers). Therefore, using this form would have no impact on the definition of the control. However, if your company hasn’t implemented the journal approval process and is relying on those that post the journals to perform the review, access to this form should only be granted to those with posting authority. The function name is GLXSTAPO.
AutoReverse
This form allows you to define which categories (not sources) should be automatically reversed and could also be automatically posted. Here is the form by which the criteria are defined:Since this form allows a user to define which categories should be automatically reversed and which can be automatically posted, the definition of such could override the review approval process and the access to it should, therefore, be controlled. The function name is GLXSTARV.
Change Management Impact
Since the journal approval process is often a key control and is usually defined as an application / system control, it will be necessary to prove to your auditors on an on-goingbasis that any changes to this process are authorized. To do so, it is necessary that all
related setups have a complete audit trail. This will require that tables underlying the key
setups noted about to be audited. These include, but are not limited to:
GL_JE_SOURCES_TL (journal sources), GL_AUTOMATIC_POSTING_OPTIONS
(AutoPost), GL_AUTHORIZATION_LIMITS (Authorization Limits),
GL_AUTOREVERSE_OPTIONS (AutoReverse), and
FND_PROFILE_OPTION_VALUES (profile option values). These tables should be
reviewed for their accuracy as well as their performance impact in your environment. See recommended list of tables to audit by signing up for the Oracle Internal Controls Repository at: http://groups.yahoo.com/group/oracleappsinternalcontrols/. The files are
TTA_GL and TTA_AOL.
Conclusion
Oracle provides the functionality of the workflow based Journal Approval process, a powerful tool to help companies automate a key control for their SOX 404 compliance. However, if not properly configured and maintained, many companies could find themselves in a difficult position with their auditors. By following the above advice, hopefully, the pitfalls mentioned can be avoided.Open Issues
One reviewer indicated that the Stat currency journal entries can be approve their own journal entries even when the profile option “Journals: Allow Preparer Approval” is set to “No”. This has not been confirmed. However, if true, could have some internal control implications where stat entries are being used in MassAllocations. A report for management to review the stat entries each month will documented approvals would be a detective control you may want to consider.About the Author
Jeffrey T. Hare, CPA CISA CIA is one of the world’s leading experts on the development of internal controls in an Oracle Applications environment. Jeff founded ERP Seminars and the Oracle Users Best Practices Board and is leading the efforts for the development of a public domain internal controls repository. See a full bio for Jeff at http://www.erpseminars.com/providers.html.By: Jeffrey T. Hare, CPA CISA CIA
Thanks for sharing this blog. The content is beneficial and useful. Very informative post. Visit here to learn more about Data Mining companies and Data analytics Companies.
ReplyDeleteIt's really a great and helpful piece of info. I'm glad that you just shared this useful information with us. Please keep us up to date like this. Thank you for sharing.Here is the right place to Submit Guest Post Big Data.
ReplyDelete