On Tuesday 5th of July, Escone Solutions conducted the second webinar of the Financial Management System Focus series. Exploring OpenAccounts User Profiles in-depth to showcase why they are beneficial for an organisation and the importance from an audit perspective.
This webinar began with a presentation from Escone Solutions Business Applications Support Analyst, Jodie Donald discussing the importance and benefits of having them set up. This was followed by The Abellio Group Finance Operations Manager, Mark Smith, who shared how User Profiles had benefitted the team at The Abellio Group especially when it came to audit trails and security.
How many profiles can you setup, is there a limit?
It is recommended that you create as many as you have unique job roles for, although you need to be realistic and recognise that within a small organisation some operators can perform duties that cross over different aspects of OpenAccounts such as Accounts Payable and Accounts Receivable. You should acknowledge the administrative burden of having too many profiles, which may lead to mistakes in assigning the correct one, but balance this against the importance of the correct access to the applications, menus/programs, companies and data.
I have an employee with a specific profile, but they are about to take on additional responsibilities within the business, can their profile be amended?
Profiles can be reviewed and amended at any time when the organisation structure changes for example, or when a user takes on additional duties that don’t currently fit within an existing profile. If a profile is updated, those updates will apply to all users of the profile so care must be taken to ensure that this is acceptable to the business. Otherwise, a new profile may be the solution.
If we want to create new profiles, what kind of information would you need from us?
Information about which modules and programs the profile needs to contain for each role, and the application, printers and companies that the operators should be assigned. Additionally, the operator security allows assigning of particular data such as cash books, ledgers, general ledger cost/expense codes, document types and Purchase Order tolerances. If every user that has the profile structure also has the same security settings, then the security can be applied to the profile. Otherwise, you can have multiple operators with the same profile i.e. they can run the same programs and have the same licences, but they have access to different departments or cost centres within a business. In this example, the user is assigned a profile, and then they have individual operator security assigned if there is no default security for that user role.
Can you restrict Cashbook Access to a profile therefore a user?
yes, company parameters allow a business to set up a number of security settings per Company. Where the database contains more than one financial company, the security parameters do not have to be the same for each company. Cash Book security is one of the security parameters that can be switched on, allowing the system administrators to ‘assign’ cash books to the operators that are allowed access to those transactions.
Can you assign tolerance levels to a profile?
Yes you can, but you must ensure that all operators that have that profile have the same purchase order variance tolerances in order to set the tolerance security at the profile level. Otherwise, you can assign individual tolerances to users that have the same profile. For example, an Accounts Payable team may have one person responsible for processing particular types of purchase order invoices, and they may have a higher tolerance or different matching ‘extras’ allowances to another user with the same profile in the same team.
Are there any programs you would not recommend profiles having?
Profiles should have access to the applications, programs, and companies that they require in order to perform their job role. There may be some programs that will therefore only be applicable to a system administrator type profile such as Document Maintenance, but other maintenance routines may need to be allocated to finance users such as Currency Maintenance where someone in the finance team is responsible for adding exchange rates, rather than this being an IT role. Where different users are required within a business to enter data, and another person has to update the transactions, then profiles should be designed to ensure those requirements are catered for by including or excluding data entry or update programs.
Is there any way to prevent any defined profiles from being changed once applied to a user so they don’t get any more or less than what the profile was set up to have?
Only agreed job roles should have access to the System Utilities application that manages the user menu, program, company and application access. Only agreed job roles should have access to the Operator Security program in OpenAccounts that manages the allocation of data security such as GL codes, cash books and ledgers. Some organisations do not have a dedicated system administrator or Super User personnel, and that is where roles such as system administration and user management can be outsourced to Escone.
Can reports be created to show users/profiles and programs they have once implemented?
System Utilities application comes with a set of reports that can output user information such as profile content, which users have which profiles/programs/companies etc, and also there are audit reports to show when user accounts are amended. These reports can be run by operators with the appropriate profile that gives them agreed on access to this application and its reporting tools.
Can system utilities be limited to a specific company within a database, especially where multiple companies share a database?
System utilities is an application that a user profile may or may not have permissions to run. User profiles are also assigned to one or more companies within the database. It is usually the case that where there are multiple financial companies within the database, the system administration function is performed at a ‘group’ level by dedicated super users or IT type users within or without the organisation.
If multiple companies are in one database if one of those companies does not have profiles, does that mean they can see data in all other companies?
No, it doesn’t. It is recommended that job roles are used to create Profiles which are then assigned to operators, however, the system utilities application does cater for operators being given individual program access. This is one of the issues that is frequently reported during internal and external audits, and one of many reasons why a business may choose to perform a profile/access review. An operator can either be assigned a pre-defined profile (recommended) or they can have individual program/menu access assigned (which is not recommended, as it is uncontrolled and incredibly time-consuming to administer) and then the operator is assigned the financial companies that they have access to. If you are an Accounts Payable Clerk for example as a job role, and there are 3 companies in the database, you could have access to all 3 companies and the same profile access applies across all. You cannot have the same operator within a database that has a different profile per company. Company access is separate to profile access, and in order to run the programs assigned to the job role within the application interface, the user must have been allocated the companies they are allowed to use.
If you would like any information or to make an enquiry regarding anything spoken about in the above questions please get in touch by clicking here > https://bit.ly/2TM0FVK