Why Personal Profile Values Form Needs to be Removed

Oracle EBS Personal Profile Values Form

Time to revisit this topic.

This is easy pickings for external auditors and can lead to a control deficiency. Take a look back at this topic I posted on last year:

Effective Governance over Profile Option Values in Oracle E-Business Suite

This blog should give you all the detail you need to understand the risks. Following are several examples of profile options that can be maintained via the Personal Profiles Values form.

As a reminder, if a user can set a profile option at the User level, it overrides all other levels including those set at the Site level.  If the Site level is set to No and the user sets it to Yes through this form, they have the capability provided by the profile option.

Example 1: The ability to apply or remove Personalizations can be overridden by the User.

From the Users Guide: Used to enable Oracle Apps Personalization link on JSP pages.

Example 2:  The ability to set a longer session timeout for the user – overriding the corporate policy. This is a favorite profile option for Deloitte to pick on.

Example 3: Workflow example 1: There are two profile options that have huge implications for the design of workflow:

WF: Guest Access to Notifications
Enables workflow approvals via email without requiring the user to authenticate with their credentials in order to make the approval.
From Oracle Users Guide: This profile option helps control whether users must log in before they can access the Notification Details Web page from a notification. To enable guest access, which does not require an individual login, you must both set this profile option to Enabled and create a grant assigning the “Workflow Guest User permission set” to the GUEST user.

WF: Notification Reassign Mode
This profile option controls how users can reassign notifications. See: Setting the WF: Notification Reassign Mode Profile Option.
Delegate – Provides users access to delegate a notification to another user while still retaining ownership of the notification.
Transfer – Provides users access to transfer complete ownership of a notification to another user.
Reassign – Provides users access to both the Delegate and Transfer reassign modes. This setting is the default value for this profile option.


Example 4: Workflow example 2:
WF: Plain text sign-on – from the book “The ABCs of Workflow for E-Business Suite Release 11i and Release 12”: “Set this profile option to “Yes” to allow electronic signing to only occur on Plain Text notifications”


Example 5: An example related to a few GL profile options. Take the profile option GL: Journal Review Required – we’ll let your imagination wander as to what this could be controlling… If the Site level is set to Yes (the opposite of the screenshot) and the User sets theirs to No, this would be a serious control design issue.
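To check your own instance for the overrides described in these examples, the query below is an added example (not from the original post or from Oracle). It lists User-level values that differ from the Site-level value for the profile options named above. It assumes the standard FND tables and level codes (10001 = Site, 10004 = User); the name list contains only the options this post names in full and should be extended with your own high-risk list.

```sql
-- Added example: find User-level profile option values that override Site.
-- Run as a read-only user with SELECT on the APPS FND objects.
SELECT po.user_profile_option_name,
       po.profile_option_name,
       po.user_visible_flag,          -- 'Y' = option is shown to end users
       po.user_changeable_flag,       -- 'Y' = end users may update it themselves
       u.user_name,
       sv.profile_option_value  AS site_value,
       uv.profile_option_value  AS user_value,
       uv.last_update_date      AS user_value_last_changed
FROM   fnd_profile_options_vl po
JOIN   fnd_profile_option_values uv
       ON  uv.application_id    = po.application_id
       AND uv.profile_option_id = po.profile_option_id
       AND uv.level_id          = 10004        -- User level
JOIN   fnd_user u
       ON  u.user_id = uv.level_value          -- level_value holds the user_id
LEFT JOIN fnd_profile_option_values sv
       ON  sv.application_id    = po.application_id
       AND sv.profile_option_id = po.profile_option_id
       AND sv.level_id          = 10001        -- Site level
WHERE  po.user_profile_option_name IN (
         'WF: Guest Access to Notifications',
         'WF: Notification Reassign Mode',
         'GL: Journal Review Required'
         -- add the other high-risk options for your environment here
       )
AND    (   sv.profile_option_value IS NULL     -- no Site value, User value stands alone
        OR sv.profile_option_value <> uv.profile_option_value)
ORDER  BY po.user_profile_option_name, u.user_name;
```

Rows where user_changeable_flag is 'Y' are the ones a user could have set without an administrator. Application- and Responsibility-level values sit between Site and User and are not compared here.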


Recommended Services from ERP Risk Advisors related to this topic:

We offer a health check that includes reviewing how your organization has set many of the high risk profile options.  See more about this free service at:  http://erpra.net/Services.html.

If you are an auditor, keep in mind that we also do outsourced IT audit work.

We are thorough, risk-based, and will work with you to develop a scope that fits your budget.

Jeffrey T. Hare

Jeffrey Hare, CPA CIA CISA is the founder and CEO of ERP Risk Advisors. His extensive background includes public accounting (including Big 4 experience), industry, and Oracle Applications consulting experience. Jeffrey has been working in the Oracle Applications space since 1998 with implementation, upgrade, and support experience. Jeffrey is a Certified Public Accountant (CPA), a Certified Information Systems Auditor (CISA), and a Certified Internal Auditor (CIA).

  • Kristen Michalko
    Posted at 20:15h, 12 October

    Isn’t removing the entire form a bit extreme? That is also where users can set their individual date format preferences along with other harmless profile options. The risk you identified is very real, but wouldn’t it be better to just disable the ability to update those key profile options for the user level and leave the form as is? The prior post you referred to actually shows one of the places that can be done.

  • Jeffrey T. Hare
    Posted at 00:46h, 16 October

    There are many profile options that can be set through the Profile User form that would override Site level settings. This adds risk from an internal controls perspective. Several of these really outweigh the benefit of allowing users to set these.
