 |
|||
Journal "Source" when uploading an ADI journal
By: Manoj | 06 Sep 2008 4:06 pm
I have been working to close a loophole that allows a user to specify any Source when uploading an ADI journal.
In a general ledger journal, the Source field should specify where a
journal came from. A source of Payables means the journal came from
the AP subledger. I think I've seen Oracle SQL that relies on a
correct value in the Source field to retrieve data from a subledger
(ie, a union query which gets certain data from AP if the Source is
Payables, certain data from AR if the Source is Receivables, etc).
But ADI allows a user to specify any source when uploading a journal
to Oracle. I think this is a potential control issue which could
allow someone to make fraudulent entries to the GL and specify an
incorrect Source to cover their tracks. I have seen companies that
set up journals to AutoPost depending on the Source. A user could
create an ADI journal with a source of Payables, upload the journal,
and it would get automatically posted without any review. And it's
unlikely anyone would catch it if the volume from Payables is high
enough. It's true that the GL Payables account wouldn't match the
total in the Payables subledger, but I've also seen companies where
the number in GL doesn't match the subledger due to data corruption
issues (orphan transactions in AP, etc).
I know that the profile option "GLDI: Journal Source" will allow you
to control the journal source when uploading an ADI journal. This
profile option works OK with the client version of ADI, but with the
web version of ADI there is a possible work-around: If user has an
old Excel file with a previous layout then the user can upload a
journal with a different Source in Web ADI.
The profile option "GLDI: Journal Source" is only for ADI not WEB
ADI.
Oracle doesn't provide a "system control" which addresses the web
version of ADI. Since an Excel file is outside the control of
Oracle, I am concerned about a "solution" that Oracle gave us that
relies on protecting a hard-coded value in the Excel file. And, as
mentioned above, a user could still use an "old Excel file" and
specify any Source.
We created a Metalink ticket with Oracle to request a solution that
allows us to control the journal source in the web version of ADI,
but we got Oracle's standard response: "there is no estimated date
of completion for an Enhancement Request as they are reviewed by
Development to determine their feasibility and if it is decided
that they can be implemented, they are implemented in a future
release".
Has anyone else identified this issue as a possible control
concern? Have you been able to implement any solution that would
force a specific source when uploading an ADI journal (using either
the client or the web version)?
Jeff - have you seen this issue before? I know you have worked with
Oracle to address control issues. Is this something you would
consider passing on to Oracle as a control concern? Comments
I don't have my notes in front of me, but what I remember is the use of templates to solve the web ADI issue.
I believe that you can define a template and require the Source to be defaulted to Manual and then require the use of that particular template for all users. Take a look at the user guide and see if you can figure it out based on that.
By: Hari | 06 Sep 2008
Thanks for the feedback. I asked someone in my IT department to test
the possibility of requiring the use of a specific template for all users. Her testing results were: Web ADI uses the layout only to create the worksheet (Excel file). When uploading a journal, the application does not validate if the Excel file is equal to one of the available layouts. We can create a new layout and delete all old layouts. But if a user has an old Excel file with the old layout, Web ADI will permit the user to upload the Excel file with the old layout (and with any Source). I didn't find anything in the Oracle Web Applications Desktop Integrator User Guide that says the application can validate if the Excel file is equal to one of the available layouts. Based on this information, it doesn't look like there is a solid method to control the Source field when uploading a journal using the Web version of ADI. Even if the application did validate the layout when uploading a journal, I would still wonder if the Source field could have been modified in the Excel file before upload. Give me an Excel file with a hard-coded value, and I can probably figure out a way to change that value. I think Oracle needs to validate the Source field on the server side for Web ADI journals - just like they do for the client version of ADI - when the profile option "GLDI: Journal Source" is set. |
