Friday, March 10, 2017

Effective Governance over Profile Option Values in Oracle E-Business Suite


Effective Governance over Profile Option Values



“If only I knew back then what I know now…”  A famous phrase with applicability to many of life’s situations…

If you’ve implemented an ERP system and stuck around for a while, eventually you’ll say those words.  The implementation of a new ERP system for the first time is like drinking from a fire hose. 
If you’ve been live for a couple of years and were part of the implementation team, I challenge you to do just that.  Go back and visit your implementations configurations with the knowledge you now have.  No doubt some of the decisions you made during the implementation you’d make differently now.
Specifically, look at how you set your profile options and what profile option values you have set since you went live.  I am guessing that your governance process related to profile option values has been less than perfect.
Start with these questions to understand if you have in place proper governance relating to the approval and maintenance of profile option values:
1.      Which profile options should be set in Production?  Or… which profile options should NOT be set in Production? (yes this implies that some should not be set).
2.      Who is authorized to approve the setting of new profile options or changes to existing settings?
3.      At what level(s) should each profile option be set (Site, Application, Responsibility, User)
Each profile option has unique characteristics and abilities.  Following is a screen shot of the System Profile Values form where profile option values can be configured:


The above example shows a profile option that can only be set at the Site and User levels. 
The next example “Printer” can be set at any level.

The configuration of each Profile Option is set in the Profiles form.  The box “Hierarchy Type Access Level” defines at which level a Profile Option is Visible and Updatable.  The User Access box identifies whether it can be updated via the User Profile Values form.



Following is a screen shot of the User Profile Values form (aka Personal Profile Values):



Risks and Controls related to the Personal Profile Values form will be covered in another blog.'

You can download a template to use as a starting point for your risk assessment here: http://erpra.net/BookResources.html.   Your organization could used the outcome of the risk assessment as a basis for a desktop procedures for those that have the authority to make profile option value changes in Production.
If you want to know more about Profile Options and why you should care, I’d suggest watching the video for the full webinar we did on this topic at: https://www.youtube.com/watch?v=NGa_rGAetLc. 

One other topic of interest may be how to address the profile option "Utilities: Diagnostics" from a SOX audit perspective.  I covered that in an earlier blog that you can review at: http://jeffreythare.blogspot.com/2017/01/why-utilities-diagnostics-should-not-be.html.

Recommended Services from ERP Risk Advisors related to this topic

We are a free health check that includes reviewing how  your organization has set many of the high risk profile options.  See more about this free service at:  http://erpra.net/Services.html . 
If you are an auditor, keep in mind that we also do outsourced IT audit work.   We are thorough, risk-based, and will work with you to develop a scope that fits your budget.