ShowDoc

Page 1 of 4

My Oracle Support (the new MetaLink)

Bookmarks

Admin

Profile

Feedback

Sign Out

Help

Headlines Knowledge Browser Advanced Search Bug Search

Knowledge

Service Request

Collector

Patches & Updates

Community

Certify

Quick Find Knowledge Base

Go

Advanced

Saved Searches

Did this article help solve your problem? Select

Would you recommend this document to others? Select

Submit

TIP: Click help for a detailed explanation of this page.

Bookmark

Go to End

Subject: White Paper: OM/AR Separation of Duties Workaround Doc ID: 368758.1 Type: WHITE PAPER Modified Date : 11-SEP-2007 Status: PUBLISHED This document has been authored by an Oracle customer, and has undergone an independent technical review.

Credit Hold Release: OM/AR Separation of Duties Workaround Customer Submitted White Paper
Product: Order Management / Accounts Receivable Minimum Version: 11.5.4 Author: Lori McInnes, Senior Consultant, Deloitte Consulting LLP Created: 26-APR-2006 Published: 05-JUN-2006 Other Information: Oracle Bug No. 3241406 Click here to read comments we have received on this White Paper

Abstract
In order to implement a best practice internal control for Credit Hold Release, a proper separation of duties between Accounts Receivable and Order Management is required. Accounts Receivable (AR) should be able to manually release Credit Sales Order Holds without being able to directly modify a Sales Order. Order Management (OM) should not be able to release a Sales Order from Credit Holds applied by AR. Enhancement request 3241406 was logged to address this issue and was approved for Future Release by Development. The enhancement request actually identifies three specific issues. This white paper defines workarounds for each of these issues. The issues identified in the enhancement request are: 1. Customer Master Credit Hold Flag / Credit Check Flag Access Both AR and OM have access to the Customer Master, which means that they both have access to the Credit Hold Flag and the Credit Check Flag. When the Credit Hold Flag is checked, it automatically places all applicable Sales Orders on Credit Hold. When the Credit Hold Flag is unchecked, it automatically removes the Credit Hold from all applicable Sales Orders. When the Credit Check Flag is checked it triggers automatic Credit Check audit processing against Sales Orders based on Credit Profile amounts. When the Credit Check Flag is unchecked, it assumes an unlimited Credit Transactional Profile amount. 2. Manual Credit Check Failure Sales Order Hold Release When the credit check flag is checked, Sales Orders are automatically validated against Credit Profile Transaction amounts that are set and maintained by AR. When the customer credit balance exceeds the credit profile transaction amount, the Sales Order will automatically be placed on Credit Check Failure Hold. This Hold can be manually released on the Sales Order Organizer an OM Form. 3. OM Holds Setup Configuration All Sales Order holds are configured in Order Management, including the Credit check Failure hold. Standard Oracle Applications functionality is utilized in the workarounds defined for each of these issues.

https://metalink2.oracle.com/metalink/plsql/f?p=130:14:4024695488081550411::::p1... 18-08-2009

ShowDoc

Page 2 of 4

Issue 1: Customer Master Credit Hold Flag / Credit Check Flag Access
As described in the abstract, when AR and OM have full access to the Customer Master, they both have access to the Credit Profile information for the customer. The goal of this workaround is to prevent access from OM while enabling the access for AR. Workaround Detail A best practice solution for preventing full access to the Customer Master Credit Profile information by both OM and AR is to restrict the OM users access via Menu Exclusion configuration changes. Specific Menu exclusions would be applied only to the OM User Responsibility from access to the customer profile information tabs on the Customer Master. This is accomplished by adding two Functions to the Responsibility Menu Exclusion: Customers: Profile Customers: Address Profile Once this exclusion has been performed, the OM User Responsibility will still have access to the Customer Master. However, regardless of which Customer Master access is chosen (Customers Standard, Quick, Summary, Add Customer from the Sales Order screen), the Credit Management Profile Tabs (Profile: Transaction, Profile: Document Printing and Profile: Amounts) will be grayed out and the user will not be able to see or change the information on these tabs. This is true at both the Customer header and the Customer address level.

Issue 2: Manual Credit Check Failure Sales Order Hold Release

The functional authority to remove Credit Check Failure Sales Order holds manually lies with the Credit Management (typically AR) area of a business. The functional authority to create, modify and delete Sales Orders lies with the Order Management area of a business. Currently, Credit Check Failures holds applied to a sales order can only be manually released using the Remove Hold functionality designed in the Sales Order screen in Oracle. The problem is that the AR Department requires access to the Sales Order screen to remove these holds, which also gives them the ability to create, modify and delete Sales Orders. The goal of this workaround is provide AR users access to the Sales Order screen that will allow them to review the order and release the Credit Check Failure holds while at the same time, disabling the ability to create, modify and delete Sales Orders. Workaround Summary A best practice solution for providing a limited access to the Sales Order Screen to personnel with Credit Management responsibility is to limit their access to the Sales Order Screen via custom Responsibility configuration. The complete solution for the configuration of the Custom Responsibility uses all standard Oracle functionality and is summarized in the following activities: 1. Create a Custom Menu for a scaled down version of the Order Organizer that only has 'add in' function access to Remove Holds. 2. Create a Custom Responsibility which points to the new Custom Menu, thus restricting the access to the new Order Organizer Lite 3. Define additional OM Setup Security 'Processing Constraints' that prevent Create, Modify and Delete access for the new Custom Responsibility 4. Configure the OM Setup Order Hold Release assess so that only the new Custom Responsibility can Release the seeded Credit Check Failure Hold Workaround Detail Step 1: Create A Custom Menu for a scaled down version of the Order Organizer called 'Order Organizer - Lite' The custom menu provides a limited access to the Order Organizer and Release Holds function found in the Action Button of the Order Organizer. The table layout detailed below defines: the responsibility used to create the new menu along with the navigation path the menu definition screen field (required) configuration values for the new menu Click here to view the details for creating a custom menu. Step 2: Create a Custom Responsibility which points to the new Custom Menu. The custom responsibility detailed below provides a limited access to the Order Organizer and Release Holds function within the Order Organizer without additional menu exclusions. The table layouts detailed below defines: the responsibility used to create the new responsibility along with the navigation path the responsibility definition screen required field configuration values for the new responsibility:

https://metalink2.oracle.com/metalink/plsql/f?p=130:14:4024695488081550411::::p1... 18-08-2009

ShowDoc

Page 3 of 4

Custom Responsibility Configuration Requirements: Responsibility Navigation Responsibility Application Key Description Menu Data Request Exclusions System Administrator Security > Responsibility > Define Custom Credit Hold Management Oracle Order Management Custom Credit Hold Management Custom Credit Hold Management Custom Credit Hold Management Standard Oracle Order Management n/a n/a

Note: The creation of a custom responsibility is not required but allows for more clearly identified access within an organization. An alternative would be to add the new menu to an existing Credit Management responsibility menu as a submenu item Step 3: Define additional OM Setup Security 'Processing Constraints' that prevent Create, Modify and Delete access for the new Custom Responsibility The custom responsibility created in step 2 will be used in the OM Processing Constraints Security configuration to prevent change access to Sales Orders. The table layouts detailed in the Configuration Requirements defines the responsibility used to create the new OM Setup Security Processing Constraints, along with the navigation path the parent / child Processing Constraint definition screen required field configuration values for the security configurations: The OM Setup Security Processing Constraint Requirements are listed below, in the order they should be performed. Because the requirements are extensive and are in a tabular format, each step contains a link to display the detailed information. For all steps, use the following responsibility and navigation: Responsibility Order Management Super User Navigation Setup > Rules > Security > Processing Constraints a) Sales Order Header Security Access b) Sales Order Line Security Access c) Sales Order Sales Credit Security Access d) Sales Order Price Adjustment Security Access Step 4: Configure the OM Setup Order Hold Release assess so that only the new Custom Responsibility can release the seeded Credit Check Failure Hold The configuration access for the authority to apply and remove Sales Order holds is found in the OM Setup Order Holds screen. Sales Order Holds are manually applied and removed or are automatically applied. In turn, they are manually or automatically removed. The Credit Check Failure hold is seeded or pre-configured to be automatically applied but is not configured with a responsibility assignment to release the hold. When this configuration is left blank, anyone with access to release holds on the Order Organizer can release this key financial hold. This workaround details the requirements to ensure that only the new Custom Credit Management responsibility created in step 2 will have the authority to release the Credit Check Failure Hold. The table layouts detailed below define: the responsibility used to configure the OM Order Hold access along with the navigation path the Order Hold definition screen required field configuration values Responsibility Order Management Super User Navigation Setup > Orders > Holds Order Hold definition screen required field configuration values: Name Credit Check Failure This hold is automatically placed on an order Description invoiced to a customer who fails credit check Type Credit Check Responsibility CUSTOM CREDIT Authorization Action Effective From [today's Effective To leave

https://metalink2.oracle.com/metalink/plsql/f?p=130:14:4024695488081550411::::p1... 18-08-2009

ShowDoc

Page 4 of 4

MANAGEMENT

Remove Hold

date]

blank

As mentioned above, when an Order Hold Responsibility Authorization is left blank, anyone with Release Hold access to the Order Organizer can release the hold. This workaround assumes that all other active holds have been aligned with a Responsibility assignment and an Authorization Action. This will limit the release hold access for the new responsibility specifically to the Credit Check Failure hold.

Issue 3: OM Order Hold Setup Access

When Order Management users have the authority to create sales orders and have the ability to setup, configure or determine which responsibilities have access to release the Credit Check Failure hold, there is a concern around separation of duties. The goal of this work around is to limit the access to the OM Hold Setup Access. Workaround Detail A best practice solution regarding access to Order Management setups is to use a common operational model for Order Management Responsibility rollout with an Oracle implementation that provides: 1)OM Super User Responsibility, 2) OM User Responsibility and 3) OM Inquiry Responsibility. OM Super User Responsibility This is not a transactional responsibility; it is a setup / maintain / support responsibility for Oracle Order Management. This would be the only responsibility with access to the OM Setup Order Hold screen . OM User Responsibility This responsibility would have the authority and access to create, modify and delete Sales Orders, along with all other transactional OM access. OM Inquiry Responsibility This would be a very limited, view only and report only access to Order Management information. With the OM Access defined as mentioned above, the issue is alleviated. An additional audit trail is also available in that Oracle captures the USERID of the person who releases the Sales Order Holds, along with the date it was released and a release reason. This information is stored with the sales order automatically when the hold is released and cannot be controlled/changed by the user.

Summary
This solution details one approach to separate the OM and AR duties associated with Credit Management using standard Oracle functionality. The workaround detail is meant to describe one best practice approach. Variations on that approach could include the addition of Menu Items for the Credit Hold Management responsibility (Customer Master access, reports, more OM View Functions). Also, more detailed Processing Constraint Security could further enhance the solution.

References
Oracle Support Bug 3241406, Oracle Order Management Suite Implementation Manual, Oracle Applications System Administrators Guide.

Please email us with any questions, comments or feedback you have about this document.
Copyright 2003 Oracle. All rights reserved. Oracle is a registered trademark of Oracle. Various product and service names referenced herein may be trademarks of Oracle. All other product and service names mentioned may be trademarks of their respective owners.

Disclaimer: This document is provided for information purposes only and the contents hereof are subject to change without notice. Oracle does not warrant that this document is error-free, nor does it provide any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. Oracle specifically disclaims any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document.

.
My Oracle Support (the new MetaLink)
Copyright 2006, Oracle. All rights reserved.

Bookmarks

Admin

Profile

Feedback

Sign Out

Help
Legal Notices and Terms of Use | Privacy Statement

https://metalink2.oracle.com/metalink/plsql/f?p=130:14:4024695488081550411::::p1... 18-08-2009