Effective Governance over Profile Option Values
“If only I knew back then what I know now…” A famous phrase with applicability to many of
life’s situations…
If you’ve implemented an ERP system and stuck around for a
while, eventually you’ll say those words.
The implementation of a new ERP system for the first time is like
drinking from a fire hose.
If you’ve been live for a couple of years and were part of the
implementation team, I challenge you to do just that. Go back and visit your implementations
configurations with the knowledge you now have.
No doubt some of the decisions you made during the implementation you’d
make differently now.
Specifically, look at how you set your profile options and
what profile option values you have set since you went live. I am guessing that your governance process
related to profile option values has been less than perfect.
Start with these questions to understand if you have in
place proper governance relating to the approval and maintenance of profile
option values:
1.
Which profile options should be set in
Production? Or… which profile options
should NOT be set in Production? (yes this implies that some should not be set).
2.
Who is authorized to approve the setting of new
profile options or changes to existing settings?
3.
At what level(s) should each profile option be
set (Site, Application, Responsibility, User)
Each profile option has unique characteristics and
abilities. Following is a screen shot of
the System Profile Values form where profile option values can be configured:
The above example shows a profile option that can only be
set at the Site and User levels.
The next example “Printer” can be set at any level.
The configuration of each Profile Option is set in the
Profiles form. The box “Hierarchy Type
Access Level” defines at which level a Profile Option is Visible and
Updatable. The
User Access box identifies whether it can be updated via the User Profile
Values form.
Following is a screen shot of the User Profile Values form (aka Personal Profile Values):
Risks and Controls related to the Personal Profile Values
form will be covered in another blog.'
You can download a template to use as a starting point for your risk assessment here: http://erpra.net/BookResources.html. Your organization could used the outcome of the risk assessment as a basis for a desktop procedures for those that have the authority to make profile option value changes in Production.
You can download a template to use as a starting point for your risk assessment here: http://erpra.net/BookResources.html. Your organization could used the outcome of the risk assessment as a basis for a desktop procedures for those that have the authority to make profile option value changes in Production.
If you want to know more about Profile Options and why you should
care, I’d suggest watching the video for the full webinar we did on this topic
at: https://www.youtube.com/watch?v=NGa_rGAetLc.
One other topic of interest may be how to address the profile option "Utilities: Diagnostics" from a SOX audit perspective. I covered that in an earlier blog that you can review at: http://jeffreythare.blogspot.com/2017/01/why-utilities-diagnostics-should-not-be.html.
One other topic of interest may be how to address the profile option "Utilities: Diagnostics" from a SOX audit perspective. I covered that in an earlier blog that you can review at: http://jeffreythare.blogspot.com/2017/01/why-utilities-diagnostics-should-not-be.html.
Recommended Services from ERP Risk Advisors related to this topic
We are a free health check that includes reviewing how your organization has set many of the high
risk profile options. See more about
this free service at: http://erpra.net/Services.html .
If you are an auditor, keep in mind that we also do
outsourced IT audit work. We are thorough, risk-based,
and will work with you to develop a scope that fits your budget.
