Thursday, October 29, 2009

Oracle doesn't have a clue - take 2: Delegated Authority...

Here is another one.... An email from a user to one of the listservers I manage:

"Hi all. Anyone know of a means to report on current user settings for worklist
access and vacation rules? We would like to be able to review which of our
users are using worklist access and vacation rules, and to whom they have
delegated.

Ideally, there would be a seeded report in Oracle. If not, perhaps some SQL or
knowledge of which tables hold this information."

Delegation of approval authority via worklist access or vacation rules could violate company policy and could subject a company to a nasty-gram from their auditors ala a control weakness in their SOX testing. If an auditor really wanted to be nasty about it, they could give an organization a material weakness (or at least a significant deficiency) IMO because this allows someone to delegate their approval authority and, in some cases, the delegation isn't recorded or reflected anywhere in the system. For example, a CFO could delegate their PO approval or Journal Entry approval authority to the janitor, their secretary, or a staff accountant who could act on behalf of the CFO to approve a journal entry, PO, or anything done via Oracle Workflow.

Cool functionality when you look at it on an operational basis. Jane Doe, CFO, takes a week off to ride on her 200 foot yacht and someone needs to approve things when she is gone so that business doesn't come to a screeching halt. Case closed, right? However, in some cases, when Jane delegates to another employee, it still looks AS IF Jane made the approval AND... no record of this delegation is made in the system... or at least there are NO REPORTS out of the box that records the delegation (I suspect the audit trail doesn't even exist...).

Nice job Oracle!!! We wouldn't want that type of information in the case of an audit, would we?

More to come...

Jeffrey T. Hare, CPA CIA CISA

No comments: