[OAUGNet]-Journal entries / KEY control risk in Release 12


All, 

I posted this to the two listservers I manage, but thought I should post it to the OAUGnet listserver as well since it is such a significant issue for those upgrading to Release 12:

The function "SLA: Create Subledger Journal Entry" is a subfunction to the Journal Entries form introduced by Oracle in the SLA (sub-ledger architecture) in Release 12. This function allows for a MANUAL journal entry to be created by a user with access to the menu which is part of the Payables, Purchasing, and Receivables menus (and may be on others). Generally, auditors and management would NOT allow a manual journal entry to be created in a subledger because it likely violates one or more key controls.

The navigation path in Receivables is Inquiry -> Subledger Accounting -> Journal Entries - an INQUIRY menu path that allows access to enter a Journal Entry...

In Payables Manager the path is Accounting -> Subledger Accounting -> Journal Entries; in Purchasing Super User the path is Accounting -> SLA: User Main Menu -> Journal Entries. 

If you have upgraded to Release 12 or are in the process of upgrading to Release 12 and use standard menus or standard responsibilities for your security, you likely have a significant security risk related to your journal entry / approval key control and might want to take a look at this issue.

This is a PERFECT example of why you should NOT use standard menus or responsibilities in the design of your application security.

If you are using an 'SOD' monitoring tool you will need to add this function to your conflict definitions when you get to Release 12. 

Let me know if you have any questions on this issue. 

Regards, 
Jeffrey T. Hare, CPA CISA CIA
Industry Analyst ∙ Author ∙ Consultant

Phone: 970-785-6455 Cell: 602-769-9049
Website: www.erpseminars.com
Blog: www.erpseminars.com/blog.html
Email: jhare@erpseminars.com
Oracle Users Best Practices Board (www.oubpb.com)
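
One way to check an instance for the exposure described in the message above, as an added example that is not part of the original post. It assumes read access to the standard E-Business Suite FND tables in the APPS schema and matches on the user function name quoted in the post; it does not evaluate menu exclusions or per-entry grant flags, so it over-reports rather than under-reports.

```sql
-- Added example (not from the original post): active responsibilities whose
-- menu tree reaches the function named in the post.
-- Assumption: run as a user who can read the standard FND tables/views.
WITH target AS (
  SELECT function_id
  FROM   fnd_form_functions_vl
  WHERE  user_function_name = 'SLA: Create Subledger Journal Entry'
),
exposing_menus AS (
  -- Start at every menu entry that carries the function, then walk upward
  -- to each parent menu that includes that menu as a submenu.
  SELECT DISTINCT me.menu_id
  FROM   fnd_menu_entries me
  START WITH me.function_id IN (SELECT function_id FROM target)
  CONNECT BY NOCYCLE PRIOR me.menu_id = me.sub_menu_id
)
SELECT r.application_id,
       r.responsibility_id,
       r.responsibility_name,
       -- Menu exclusions are not resolved here; a non-zero count means the
       -- responsibility needs a manual look before it is counted as exposed.
       (SELECT COUNT(*)
        FROM   fnd_resp_functions x
        WHERE  x.application_id    = r.application_id
        AND    x.responsibility_id = r.responsibility_id
        AND    x.rule_type         = 'M') AS menu_exclusions
FROM   fnd_responsibility_vl r
JOIN   exposing_menus em ON em.menu_id = r.menu_id
WHERE  SYSDATE BETWEEN r.start_date AND NVL(r.end_date, SYSDATE)
-- Drop responsibilities that already exclude the function itself.
AND    NOT EXISTS (
         SELECT 1
         FROM   fnd_resp_functions x
         WHERE  x.application_id    = r.application_id
         AND    x.responsibility_id = r.responsibility_id
         AND    x.rule_type         = 'F'
         AND    x.action_id IN (SELECT function_id FROM target))
ORDER  BY r.responsibility_name;
```

Responsibilities returned with `menu_exclusions = 0` are the ones to compare against the journal entry / approval conflict definitions first.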


