Welcome back! Our previous post on ITACs for AP Invoice Controls was so much fun, let’s demonstrate another. We will again focus on organizations running Oracle EBS R12, covering both configuration and audit evidence. This time we address the risk of unauthorized journal entries leading to inaccuracies in financial statements, mitigated by utilizing Oracle’s standard Journal Entry Approval Workflow.
This is an ITAC (Information Technology Application Control) that supports and enforces Segregation of Duties controls (an ITGC – Information Technology General Control) by requiring all non-system subledger created journal entries to be reviewed and approved by someone other than the preparer. Let’s take a look at a standard control objective for this.

There is a lot of information to discover and disclose behind that single-sentence control objective.
Before we jump into the details and requirements discovered in your organization’s policies and procedures, let’s again enrich the control objective to support the control owners and the auditors.

We need to look at the following to understand how this control is supposed to perform:

From the Control Objective

“Oracle JE approval workflow automatically routes journals to an approver….”

These are the foundational configurations to enable Journal Entry approval and need to be reported as part of ITAC evidence. You should be reporting the configurations from:

- General Ledger Set-Up Ledger configurations for requiring JE approval for the ledger.
- Journal Source definitions for the approval required flag AND the “Frozen” flag.
- The System Profile settings for:
  - “Journals: Allow Preparer Approval”
    - When this is set to “No”, you have SoD enforcement without having to create different roles and responsibilities with access restricted to the “Post” function.
  - “Journals: Find Approver Method”
    - “Go direct” is the most standard here, as it references the employee > supervisor hierarchy AND the employee approval limits defined in GL to find the approver.
  - “GLDI: Journal Source”
    - You can head over to ERP Risk Advisors or Seecuring where they go in-depth on why this is important.
- Journal Authorization Limits / Employee Limits

Reporting on the Workflow GL Journal Approval Process. This can be achieved in various ways. Contact us if you’d like to find out more.

From the Policies and Procedures

- The policy (and the procedures that support the policy) referenced for:
  - What types of journals are considered for this control?
  - Who can have access to enter journals?
  - Who can have access to approve journals?
  - What does the approval matrix look like?
  - What are the approval levels / amount?

Let’s go through this line by line:

What types of journals are considered for this control?
By standard, the journal entries to which this control applies can be manipulated after they have been created, regardless of source. Journal entries generated by a subledger such as Receivables are usually outside the scope of this control, as the recommended approach is to have their journal source definition “frozen”. This leaves us with journal sources that are:
- Direct entry through forms
- Uploaded through WebADI
- Interfaced by other systems with no controls in place
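
As an added illustration (not code from this post or from Oracle), the sketch below evaluates exported configuration evidence against the settings described above, then tests a journal sample for in-scope entries that were self-approved, unapproved, or approved above the approver's limit. All field names and rows are constructed assumptions, not Oracle table or column names.

```python
# Added example. Field names and every row below are constructed for
# illustration; they are not Oracle table or column names.
LEDGERS = [{"ledger": "US Primary", "je_approval_enabled": True},
           {"ledger": "UK Primary", "je_approval_enabled": False}]
SOURCES = [{"source": "Receivables", "frozen": True, "approval_required": False},
           {"source": "Manual", "frozen": False, "approval_required": True},
           {"source": "Spreadsheet", "frozen": False, "approval_required": False}]
PROFILES = {"Journals: Allow Preparer Approval": "Yes"}
LIMITS = {"asmith": 50000, "bjones": 500000}  # approver -> authorization limit
# (batch, source, amount, preparer, approver)
JOURNALS = [("JE-1001", "Manual", 12000, "cdoe", "asmith"),
            ("JE-1002", "Manual", 8000, "asmith", "asmith"),
            ("JE-1003", "Manual", 75000, "cdoe", "asmith"),
            ("JE-1004", "Receivables", 90000, "system", None),
            ("JE-1005", "Spreadsheet", 3000, "cdoe", None)]

def config_findings(ledgers, sources, profiles):
    """Return (kind, name, issue) for each setting that weakens the control."""
    findings = []
    for led in ledgers:
        if not led["je_approval_enabled"]:
            findings.append(("ledger", led["ledger"], "journal approval not enabled"))
    for src in sources:
        # A frozen source is out of scope; an editable one needs approval.
        if not src["frozen"] and not src["approval_required"]:
            findings.append(("source", src["source"], "editable without approval"))
    name = "Journals: Allow Preparer Approval"
    if profiles.get(name) != "No":
        findings.append(("profile", name, "not set to No"))
    return findings

def journal_exceptions(journals, sources, limits):
    """Return (batch, issue) for in-scope journals that bypassed the control."""
    frozen = {s["source"] for s in sources if s["frozen"]}
    exceptions = []
    for batch, source, amount, preparer, approver in journals:
        if source in frozen:
            continue  # subledger journals from a frozen source are out of scope
        if approver is None:
            exceptions.append((batch, "no approver"))
        elif approver == preparer:
            exceptions.append((batch, "self-approved"))
        elif amount > limits.get(approver, 0):
            exceptions.append((batch, "over approver limit"))
    return exceptions

if __name__ == "__main__":
    for row in config_findings(LEDGERS, SOURCES, PROFILES):
        print("CONFIG", *row)
    for row in journal_exceptions(JOURNALS, SOURCES, LIMITS):
        print("JOURNAL", *row)
```
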

Who can have access to enter journals?
Who can have access to approve journals?
What does the approval matrix look like?
What are the approval levels / amount?
Your organization’s corporate policies should dictate who can enter journals, who can approve them, and whether they can be self-approved (not recommended). Alongside this, there will usually be an Authority or Approval matrix dictating the approval levels of the people / positions involved in this process.
Need help? HALEY Consulting and Advisory Services are here to support you every step of the way. Is your organization running Oracle EBS R12? We have solutions to get your SOX404 audit reporting up and running, reducing audit burden and fatigue, and effectively reducing time to deliver evidence from months to just in time for audit.