Blogs
Toad and Database Commentaries


Written by: JohnWeathington
Thursday, April 24, 2008

Last week, we talked about reconciliation as a control for a variety of risks. This week’s focus is on approvals. There’s no mystery or special compliance context to the word here – it’s simply an approval of some sort. There are different types of approvals, but the most common is a manager’s approval. What we’re talking about here is making sure a manager approves of the activities that are going on.

So if you remember, a control is put in place to mitigate a risk. Here are some key risks that we are trying to control with an approval control:

    • The risk that an inexperienced subordinate accidentally processes something incorrectly
    • The risk that an experienced subordinate purposely processes something incorrectly
    • The risk that unusual or questionable activity makes its way through the system
    • The risk that a company policy is violated by improper employee processing
    • The risk that company policy is violated by system generated processing
    • The risk of an employee committing fraud

If you read last week’s blog, you’ll notice that a lot of these are similar to the risks that are controlled by reconciliation. This highlights an important point: there can be multiple ways to control a risk. However, in practice it’s best to limit the number of controls in your system, because controls are where a lot of your company’s recurring cost comes from (e.g. every control needs to be tested on a regular basis). That said, it’s good to know that you have some options, because all controls need to be effective. If you have an ineffective reconciliation control, then perhaps an approval control might be appropriate to bridge the gap.

Here are some key tips for designing approvals into your compliance data system.

Tip # 1 – Downstream the Correct Data From Your HR Database

Downstreaming from your HR database always makes people nervous, due to privacy issues. The information that you need should not violate any privacy policies, but you will probably have some explaining to do.

Here’s the data that you need from your HR database. I’m going to use Oracle ERP-style column names in case they are familiar to you; you should be able to translate if you’re not using Oracle ERP:

    • USER_ID – You need some way to link your employee to your transactional data. For obvious reasons, you need to bring this in.
    • EMPLOYEE_ID – This is only optional in very small companies or in companies where the EMPLOYEE_ID and USER_ID are the same. Employee ID is important to distinguish different people that have the same name.
    • EMPLOYEE_NAME – Duh. Make sure you bring in the full name of the employee. You do not want to be in the middle of an audit, trying to decipher what “JAMESF” means.
    • PHONE – The employee’s phone extension. Very handy when you need on the spot answers.
    • EMAIL – The employee’s email address. Once again, if the employee doesn’t answer the phone, it’s nice to be able to shoot off a quick email. These kinds of things demonstrate to the auditor that you are running an efficient compliance operation.

I suggest you denormalize this information out to every data point that references an employee. Or, if you are building a star schema, have at least two dimensions that contain this data: one for the worker bee, and one for the approving manager.

Tip # 2 – Store Images of Physical Approvals

If there are hard-copy manager approvals available in digital format, downstream from this system and attach them along with the approval. In my blog entry “Prove It or Lose It!” I demonstrated the need for evidence in a compliance data system. Here’s a perfect example of where that comes in handy.

Pulling this off can be tricky if your infrastructure has a hard time with BLOBs (Binary Large OBjects). Obviously, a database like Oracle can handle the storage, but what about your retrieval system? If you find this to be a challenge, one trick is to just store a reference (i.e. a website URL) to the approval. Although this is not ideal, it’s 1000 times better than having no physical record to access. If your physical documents aren’t currently web accessible, suggest building that. It shouldn’t be that hard if you keep the scope under control (look out when they start saying, “Great idea! We can actually build a general purpose system for approval retrieval that will work for the whole company!” This will be a nightmare, and your basic function will be put on hold until it’s done).

Tip # 3 – In The Absence Of An Approval System, Create One

The best approval control is executed before the transaction(s) occurs. This can only be done in the transactional system, and I’m not suggesting you try to interject there. The second best thing is to have the approval done after the transaction(s) has occurred. Although this is not ideal, it’s better than not having any control at all, and this is something you might have control over building.

In last week’s blog, I suggested that you consider an auxiliary system to support data you cannot downstream. This is the appropriate place for an approval control that is after the fact. As an example, you could have a report ready for a manager that details a number of related transactions. The manager would review the report, then submit an approval through your system. This doesn’t need to be complicated, just some acknowledgement that somebody looked it over and approved it. This approval data point would then be captured, and attached to the rest of the data. Like I said, not ideal, but much better than not having the control at all.

Tip # 4 – Design With The Auditor In Mind

This should be the common theme for the design of your entire compliance data system. Imagine your user sitting in front of an auditor, trying to answer questions. What is the quickest way I can get my user the information?

To demonstrate control, you will want a comprehensive report that lists all approvals and what they’re for. From a tactical perspective, a specific approval control needs to be immediately accessible when a transaction is under investigation. With the response should come all the data on the approving manager (name, phone, email, etc.), when the approval was done, and physical evidence of the approval. This is powerful! Two or three times down this road, and the auditor is going to leave your users alone.
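As an added example (not code from the original post), the following Python/SQLite model ties Tips 1 through 4 together: the HR columns from Tip 1 land in an employee table, a separate approval table records who approved which transaction and when (the after-the-fact control of Tip 3), each approval carries a URL reference to the scanned approval rather than the BLOB itself (Tip 2), and two query functions answer the auditor's questions from Tip 4: everything known about the approval of one transaction, and which transactions still have no approval at all. All table names, employees and transactions are constructed; the refusal to let someone approve their own transaction is a check I have added, not something the post specifies.

```python
"""Added example (not from the original post): an after-the-fact approval
control modelled in SQLite. Table/column names and all sample data are
constructed; the HR columns mirror those listed in Tip #1."""
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE employee (             -- downstreamed from HR (Tip #1)
    user_id       TEXT PRIMARY KEY, -- links to the transactional data
    employee_id   TEXT NOT NULL UNIQUE,
    employee_name TEXT NOT NULL,    -- full name, not just 'JAMESF'
    phone         TEXT,
    email         TEXT
);
CREATE TABLE txn (                  -- the transactions being controlled
    txn_id    INTEGER PRIMARY KEY,
    user_id   TEXT NOT NULL REFERENCES employee(user_id),
    amount    REAL NOT NULL,
    posted_at TEXT NOT NULL
);
CREATE TABLE approval (             -- the after-the-fact control (Tip #3)
    approval_id  INTEGER PRIMARY KEY,
    txn_id       INTEGER NOT NULL REFERENCES txn(txn_id),
    approver_id  TEXT NOT NULL REFERENCES employee(user_id),
    approved_at  TEXT NOT NULL,     -- when the approval was done
    evidence_uri TEXT               -- URL of the scanned approval (Tip #2)
);
"""

# Constructed sample data: two clerks and one approving manager.
EMPLOYEES = [
    ("JAMESF", "E1001", "James Franklin", "x4411", "james.franklin@example.com"),
    ("MARIAP", "E1002", "Maria Perez",    "x4412", "maria.perez@example.com"),
    ("DANAW",  "E2001", "Dana Whitfield", "x4500", "dana.whitfield@example.com"),
]
TRANSACTIONS = [
    (1, "JAMESF",  1250.00, "2008-04-21T09:15:00Z"),
    (2, "MARIAP", 98000.00, "2008-04-22T16:40:00Z"),
]


def open_db():
    """Create an in-memory database with the schema and sample rows loaded."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # unknown approver -> IntegrityError
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO employee VALUES (?,?,?,?,?)", EMPLOYEES)
    conn.executemany("INSERT INTO txn VALUES (?,?,?,?)", TRANSACTIONS)
    return conn


def record_approval(conn, txn_id, approver_id, evidence_uri=None):
    """Capture a manager's acknowledgement of a transaction; returns approval_id."""
    row = conn.execute("SELECT user_id FROM txn WHERE txn_id = ?", (txn_id,)).fetchone()
    if row is None:
        raise ValueError(f"unknown transaction {txn_id}")
    # Added check (assumption, not from the post): no self-approval.
    if row[0] == approver_id:
        raise ValueError("an employee may not approve their own transaction")
    approved_at = datetime.now(timezone.utc).isoformat(timespec="seconds")
    cur = conn.execute(
        "INSERT INTO approval (txn_id, approver_id, approved_at, evidence_uri)"
        " VALUES (?,?,?,?)", (txn_id, approver_id, approved_at, evidence_uri))
    conn.commit()
    return cur.lastrowid


def approval_for_txn(conn, txn_id):
    """Tip #4: everything the auditor asks about one transaction's approval."""
    rows = conn.execute("""
        SELECT a.approval_id, e.employee_id, e.employee_name, e.phone, e.email,
               a.approved_at, a.evidence_uri
          FROM approval a JOIN employee e ON e.user_id = a.approver_id
         WHERE a.txn_id = ?
         ORDER BY a.approved_at""", (txn_id,)).fetchall()
    keys = ("approval_id", "employee_id", "employee_name", "phone", "email",
            "approved_at", "evidence_uri")
    return [dict(zip(keys, r)) for r in rows]


def unapproved_transactions(conn):
    """Tip #4: the gaps in the control, as (txn_id, worker name, amount)."""
    return conn.execute("""
        SELECT t.txn_id, w.employee_name, t.amount
          FROM txn t JOIN employee w ON w.user_id = t.user_id
         WHERE NOT EXISTS (SELECT 1 FROM approval a WHERE a.txn_id = t.txn_id)
         ORDER BY t.txn_id""").fetchall()


if __name__ == "__main__":
    db = open_db()
    record_approval(db, 1, "DANAW", "https://approvals.example.com/scan/1")
    print("approval record for txn 1:", approval_for_txn(db, 1))
    print("still unapproved:", unapproved_transactions(db))
```

The approval row deliberately stores only a reference to the scanned document, so the retrieval side can be a plain web server even when the warehouse itself is awkward with BLOBs; the join in approval_for_txn is what gives the user the approver's name, phone and email in one answer instead of a lookup under audit pressure.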

Approval controls are another way to control common key risks in the company, so plan on building systems that incorporate them. Making sure you have good approval disclosure built into your system is vital. Keep in mind the important data points that you need on approving managers, and always design with the audit in mind. With infrastructure like this, your compliance data system will be bulletproof!
