OM/AR Separation of Duties Workaround - White Paper

Abstract

In order to implement a best practice internal control for Credit Hold Release, a proper separation of duties between Accounts Receivable and Order Management is required.

• Accounts Receivable (AR) should be able to manually release Credit Sales Order Holds without being able to directly modify a Sales Order.
• Order Management (OM) should not be able to release a Sales Order from Credit Holds applied by AR.
  

Enhancement request 3241406 was logged to address this issue and was approved for Future Release by Development. The enhancement request actually identifies three specific issues. This white paper defines workarounds for each of these issues.

The issues identified in the enhancement request are:

1. Customer Master Credit Hold Flag / Credit Check Flag Access

Both AR and OM have access to the Customer Master, which means that they both have access to the Credit Hold Flag and the Credit Check Flag.

· When the Credit Hold Flag is checked, it automatically places all applicable Sales Orders on Credit Hold.

· When the Credit Hold Flag is unchecked, it automatically removes the Credit Hold from all applicable Sales Orders.

· When the Credit Check Flag is checked it triggers automatic Credit Check audit processing against Sales Orders based on Credit Profile amounts.

· When the Credit Check Flag is unchecked, it assumes an unlimited Credit Transactional Profile amount.

2. Manual Credit Check Failure Sales Order Hold Release

When the credit check flag is checked, Sales Orders are automatically validated against Credit Profile Transaction amounts that are set and maintained by AR.

When the customer credit balance exceeds the credit profile transaction amount, the Sales Order will automatically be placed on Credit Check Failure Hold. This Hold can be manually released on the Sales Order Organizer – an OM Form.

3. OM Holds Setup Configuration

All Sales Order holds are configured in Order Management, including the Credit check Failure hold.

Standard Oracle Applications functionality is utilized in the workarounds defined for each of these issues.

Issue 1: Customer Master Credit Hold Flag / Credit Check Flag Access

As described in the abstract, when AR and OM have full access to the Customer Master, they both have access to the Credit Profile information for the customer. The goal of this workaround is to prevent access from OM while enabling the access for AR.

Workaround Detail

A best practice solution for preventing full access to the Customer Master Credit Profile information by both OM and AR is to restrict the OM users’ access via Menu Exclusion configuration changes.

Specific Menu exclusions would be applied only to the OM User Responsibility from access to the customer profile information tabs on the Customer Master. This is accomplished by adding two Functions to the Responsibility Menu Exclusion:

• Customers: Profile
• Customers: Address Profile
  

Once this exclusion has been performed, the OM User Responsibility will still have access to the Customer Master. However, regardless of which Customer Master access is chosen (Customers Standard, Quick, Summary, Add Customer from the Sales Order screen), the Credit Management Profile Tabs (Profile: Transaction, Profile: Document Printing and Profile: Amounts) will be grayed out and the user will not be able to see or change the information on these tabs. This is true at both the Customer “header” and the Customer “address” level.

Issue 2: Manual Credit Check Failure Sales Order Hold Release

The functional authority to remove Credit Check Failure Sales Order holds manually lies with the Credit Management (typically AR) area of a business. The functional authority to create, modify and delete Sales Orders lies with the Order Management area of a business.

Currently, Credit Check Failures holds applied to a sales order can only be manually released using the “Remove Hold” functionality designed in the Sales Order screen in Oracle. The problem is that the AR Department requires access to the Sales Order screen to remove these holds, which also gives them the ability to create, modify and delete Sales Orders.

The goal of this workaround is provide AR users access to the Sales Order screen that will allow them to review the order and release the Credit Check Failure holds while at the same time, disabling the ability to create, modify and delete Sales Orders.

Workaround Summary

A best practice solution for providing a limited access to the Sales Order Screen to personnel with Credit Management responsibility is to limit their access to the Sales Order Screen via custom Responsibility configuration.

The complete solution for the configuration of the Custom Responsibility uses all standard Oracle functionality and is summarized in the following activities:

1. Create a Custom Menu for a scaled down version of the Order Organizer that only has 'add in' function access to Remove Holds.

2. Create a Custom Responsibility which points to the new Custom Menu, thus restricting the access to the new Order Organizer – Lite

3. Define additional OM Setup Security 'Processing Constraints' that prevent Create, Modify and Delete access for the new Custom Responsibility

4. Configure the OM Setup Order Hold Release assess so that only the new Custom Responsibility can Release the seeded Credit Check Failure Hold

Workaround Detail

Step 1 : Create A Custom Menu for a scaled down version of the Order Organizer called 'Order Organizer - Lite'

The custom menu provides a limited access to the Order Organizer and Release Holds function found in the Action Button of the Order Organizer.

The table layout detailed below defines:

· the responsibility used to create the new menu along with the navigation path

· the menu definition screen field (required) configuration values for the new menu

Step 2: Create a Custom Responsibility which points to the new Custom Menu.

The custom responsibility detailed below provides a limited access to the Order Organizer and Release Holds function within the Order Organizer without additional menu exclusions.

The table layouts detailed below defines:

· the responsibility used to create the new responsibility along with the navigation path

· the responsibility definition screen required field configuration values for the new responsibility:

Custom Responsibility Configuration Requirements:

Responsibility	System Administrator
Navigation	Security > Responsibility > Define

Responsibility	Custom Credit Hold Management
Application	Oracle Order Management
Key	Custom Credit Hold Management
Description	Custom Credit Hold Management

Menu	Custom Credit Hold Management
Data	Standard Oracle Order Management
Request	n/a
Exclusions	n/a

Note : The creation of a custom responsibility is not required but allows for more clearly identified access within an organization. An alternative would be to add the new menu to an existing Credit Management responsibility menu as a submenu item

Step 3 : Define additional OM Setup Security 'Processing Constraints' that prevent Create, Modify and Delete access for the new Custom Responsibility

The custom responsibility created in step 2 will be used in the OM Processing Constraints Security configuration to prevent “change” access to Sales Orders. The table layouts detailed in the Configuration Requirements defines

· the responsibility used to create the new OM Setup Security Processing Constraints, along with the navigation path

· the parent / child Processing Constraint definition screen required field configuration values for the security configurations:

The OM Setup Security Processing Constraint Requirements are listed below, in the order they should be performed. Because the requirements are extensive and are in a tabular format, each step contains a link to display the detailed information. For all steps, use the following responsibility and navigation:

Responsibility	Order Management Super User
Navigation	Setup > Rules > Security > Processing Constraints

a) Sales Order Header Security Access

b) Sales Order Line Security Access

c) Sales Order Sales Credit Security Access

d) Sales Order Price Adjustment Security Access

Step 4 : Configure the OM Setup Order Hold Release assess so that only the new Custom Responsibility can release the seeded Credit Check Failure Hold

The configuration access for the authority to apply and remove Sales Order holds is found in the OM Setup Order Holds screen. Sales Order Holds are manually “applied and removed” or are “automatically applied”. In turn, they are manually or automatically removed. The Credit Check Failure hold is “seeded” or pre-configured to be automatically applied but is not configured with a responsibility assignment to “release” the hold.

When this configuration is left blank, anyone with access to release holds on the Order Organizer can release this key financial hold. This workaround details the requirements to ensure that only the new Custom Credit Management responsibility created in step 2 will have the authority to release the Credit Check Failure Hold.

The table layouts detailed below define:

· the responsibility used to configure the OM Order Hold access along with the navigation path

· the Order Hold definition screen required field configuration values

Responsibility	Order Management Super User
Navigation	Setup > Orders > Holds

Order Hold definition screen required field configuration values:

Name	Credit Check Failure
Description	This hold is automatically placed on an order invoiced to a customer who fails credit check
Type	Credit Check

Responsibility	Authorization Action	Effective From	Effective To
CUSTOM CREDIT MANAGEMENT	Remove Hold	[today's date]	leave blank

As mentioned above, when an Order Hold Responsibility Authorization is left blank, anyone with Release Hold access to the Order Organizer can release the hold. This workaround assumes that all other active holds have been aligned with a Responsibility assignment and an Authorization Action. This will limit the release hold access for the new responsibility specifically to the Credit Check Failure hold.

Issue 3: OM Order Hold Setup Access

When Order Management users have the authority to create sales orders and have the ability to setup, configure or determine which responsibilities have access to release the Credit Check Failure hold, there is a concern around separation of duties. The goal of this work around is to limit the access to the OM Hold Setup Access.

Workaround Detail

A best practice solution regarding access to Order Management setups is to use a common operational model for Order Management Responsibility rollout with an Oracle implementation that provides: 1)OM Super User Responsibility, 2) OM User Responsibility and 3) OM Inquiry Responsibility.

• OM Super User Responsibility
  
  This is not a transactional responsibility; it is a setup / maintain / support responsibility for Oracle Order Management. This would be the only responsibility with access to the OM Setup Order Hold screen .
• OM User Responsibility
  
  This responsibility would have the authority and access to create, modify and delete Sales Orders, along with all other transactional OM access.
• OM Inquiry Responsibility
  
  This would be a very limited, view only and report only access to Order Management information.
  

With the OM Access defined as mentioned above, the issue is alleviated. An additional audit trail is also available in that Oracle captures the USERID of the person who releases the Sales Order Holds, along with the date it was released and a release reason. This information is stored with the sales order automatically when the hold is released and cannot be controlled/changed by the user.

Summary

This solution details one approach to separate the OM and AR duties associated with Credit Management using standard Oracle functionality.

The workaround detail is meant to describe one best practice approach. Variations on that approach could include the addition of Menu Items for the Credit Hold Management responsibility (Customer Master access, reports, more OM “View” Functions). Also, more detailed Processing Constraint Security could further enhance the solution.