EBS R12 Manual Journal Approvals and How to Explain to Your Auditor that it Can Be Relied on as a SOX Control


By Richard Goddard posted 09-14-2021 12:32 PM

  

Introduction

Many EBS customers use Oracle’s automated Journal Approval for manual journals and rely on it as a fully automated SOX control, i.e. it is simply the way the Oracle system works. Journal Approval uses Oracle Workflow to control and monitor the approval process, sending notifications to journal batch preparers and approvers when needed.

For Journal Approval to properly operate, the following configurations need to be completed:

  1. For all in-scope ledgers, check ‘Enable Journal Approval’ (Accounting Setup)
  2. For all unfrozen journal sources, check ‘Require Journal Approval’
  3. Set two system profile options that control the logic for selecting the approver(s) and whether journal preparers can approve their own journals, subject to their Journal Authorization Limits
  4. Define Journal Authorization Limits for all Users involved in the Journal Approval process

Most EBS customers create custom General Ledger (“GL”) responsibilities by copying and editing the seeded Oracle responsibilities, so it is unlikely that they separate GL module configuration (e.g. AutoPost Criteria, Data Access Sets, Ledger Sets) from GL transactional functionality (e.g. Enter Journals). Without a “GL Configuration only” responsibility, most EBS organizations end up in a situation where all GL users can transact, a subset of GL users can change GL configuration, and everyone who can configure can also transact. Three of the four configurations above are reachable through the traditional seeded GL Setup submenu; profile options typically are not. An auditor will question the effectiveness of the control where some users can disable, and later re-enable, the configurations that govern the transactions they perform. It is still possible to demonstrate that the control is effective without a hard separation of duties or new responsibilities: by auditing configuration changes, you can show that the approval process was in place for the entire period under review.

Oracle EBS out of the box offers little in terms of tracking configuration changes. If the goal is to track a small set of very specific changes involving few tables, it may be possible to develop custom triggers and reports. If the need is broader and the concept is applied to other configurations that support SOX/Internal controls, then auditing software will be more effective. Existing customers of Oracle GRC/Advanced Controls can use Configuration Controls Governor (CCG) to deploy continuous audit trails on many of the configuration tables. CCG is not moving forward into Fusion Cloud Financials and it is no longer available to EBS organizations that haven’t already licensed Oracle GRC. Organizations that expect to stay on EBS for some time may need to look at third party products such as Fastpath that offer module configuration audit capability in addition to Access and Segregation Of Duties (SOD) management. 

Good practice for Journal Approval Configurations

  1. For all in-scope ledgers, check ‘Enable Journal Approval’ (Accounting Setup)

This should be enabled for the appropriate ledgers and, once enabled, never disabled, except for some highly unusual workaround for a system problem. An audit report with a continuous log of old and new values should be used to review any changes and serves as “evidence of absence” that users are gaming the system. When changes are made, inform SOX Compliance / Internal Audit so they can evaluate whether additional manual review is necessary for the period in which system approvals were not functioning as described in the SOX controls.

  2. For all unfrozen journal sources, check ‘Require Journal Approval’

Perform an initial review to confirm that sources for subledger modules (AP, AR, INV, etc.) are frozen, i.e. the system will not let these journal entries be modified in GL prior to posting. Unfrozen sources, whose journals may be modified by an end user, should require Journal Approval. Deploy an audit trail as above. Unfreezing a frozen journal source is extremely unlikely; if it is performed as a problem workaround, it should be documented in an IT trouble ticket and an Oracle service request.

  3. Set two system profile options that control the logic for selecting the approver(s) and whether journal preparers can approve their own journals, subject to their Journal Authorization Limits

The Journals: Allow Preparer Approval profile option should be set to ‘No’ at the Site level. EBS also allows this profile option to be set at the Application and Responsibility levels, so exceptions to the general rule are possible; these should be reviewed with the Internal Audit/Compliance teams. Some of the more EBS-savvy auditors have developed scripts that examine key module configurations and check whether they have been applied consistently across the entire organization.

  4. Define Journal Authorization Limits for all Users involved in the Journal Approval process

Deploy a continuous audit trail and review the (likely low-volume) changes: annual increases, new-hire additions, etc. This serves as evidence of absence that users with configuration access are increasing and then re-setting limits to circumvent the control.
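As an added example (not code from this post, nor from Oracle, CCG or Fastpath), the review logic described above for the ledger approval flag, the journal source flag and the authorization limits: reconstruct from an old/new-value audit trail the windows during which a setting was changed and later restored, then list the journals dated inside those windows, flagging the case where one user changed the setting, reverted it and also owns the batch. The audit row layout, target naming and all sample rows are constructed; a real CCG or Fastpath export would need to be mapped into this shape.

```python
from collections import namedtuple
from datetime import datetime as dt

# One row of an old/new-value configuration audit trail (constructed layout):
# target = setting changed, e.g. 'LEDGER:Primary/Enable Journal Approval'; by = user who saved it.
Change = namedtuple("Change", "at target old new by")
# One manual journal batch keyed to the setting that governs it; by = preparer
# (or, for LIMIT targets, the approver whose limit applied).
Journal = namedtuple("Journal", "at target batch by")

def revert_windows(changes):
    """Pair each change away from a value with the later change that restores it.
    Returns (target, start, end, changed_by, reverted_by); end and reverted_by are
    None when the setting is still altered at the end of the trail."""
    out, pending = [], {}
    for c in sorted(changes, key=lambda c: c.at):
        p = pending.get(c.target)
        if p is None:
            pending[c.target] = c           # window opens
        elif c.new == p.old:                # exact restoration closes the window
            out.append((c.target, p.at, c.at, p.by, c.by))
            del pending[c.target]
    out += [(t, p.at, None, p.by, None) for t, p in pending.items()]
    return sorted(out, key=lambda w: w[1])

def journals_needing_manual_review(journals, windows):
    """Batches dated inside a window; the last field is True when one user changed the
    setting, reverted it and also owns the batch (the pattern the auditor looks for)."""
    hits = []
    for target, start, end, changed_by, reverted_by in windows:
        for j in journals:
            if j.target == target and j.at >= start and (end is None or j.at <= end):
                hits.append((j.batch, j.by, target, changed_by == reverted_by == j.by))
    return hits

TRAIL = [  # constructed sample: flag toggled and restored, limit raised and reset, source left off
    Change(dt(2021, 3, 3, 17, 5), "LEDGER:Primary/Enable Journal Approval", "Y", "N", "gladmin"),
    Change(dt(2021, 3, 5, 9, 0), "LEDGER:Primary/Enable Journal Approval", "N", "Y", "gladmin"),
    Change(dt(2021, 6, 1, 8, 0), "LIMIT:jsmith", "10000", "1000000", "jsmith"),
    Change(dt(2021, 6, 1, 8, 40), "LIMIT:jsmith", "1000000", "10000", "jsmith"),
    Change(dt(2021, 9, 30, 18, 0), "SOURCE:Manual/Require Journal Approval", "Y", "N", "gladmin"),
]
JOURNALS = [  # constructed sample batches
    Journal(dt(2021, 3, 4, 10, 0), "LEDGER:Primary/Enable Journal Approval", "B1001", "gladmin"),
    Journal(dt(2021, 3, 10, 10, 0), "LEDGER:Primary/Enable Journal Approval", "B1002", "apclerk"),
    Journal(dt(2021, 6, 1, 8, 15), "LIMIT:jsmith", "B2001", "jsmith"),
    Journal(dt(2021, 10, 2, 9, 0), "SOURCE:Manual/Require Journal Approval", "B3001", "apclerk"),
]
```

Calling `journals_needing_manual_review(JOURNALS, revert_windows(TRAIL))` returns B1001 and B2001 as self-served (same user changed, reverted and owned the batch) and B3001 as posted while the source flag is still off, while B1002, posted after the flag was restored, is not reported.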