{"id":2142,"date":"2015-06-23T10:20:12","date_gmt":"2015-06-23T10:20:12","guid":{"rendered":"https:\/\/processminery.com\/?p=2142"},"modified":"2023-09-27T12:29:11","modified_gmt":"2023-09-27T12:29:11","slug":"checking-segregation-of-duties-conflicts-in-oracle-purchasing","status":"publish","type":"post","link":"https:\/\/staging.processminery.com\/index.php\/2015\/06\/23\/checking-segregation-of-duties-conflicts-in-oracle-purchasing\/","title":{"rendered":"Checking segregation of duties conflicts in Oracle Purchasing"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"2142\" class=\"elementor elementor-2142\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-634467a4 elementor-section-boxed elementor-section-height-default elementor-section-height-default parallax_section_no qodef_elementor_container_no\" data-id=\"634467a4\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-6328561c\" data-id=\"6328561c\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t\t\t<div class=\"elementor-element elementor-element-361fd053 elementor-widget elementor-widget-text-editor\" data-id=\"361fd053\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<style>\/*! elementor - v3.17.0 - 08-11-2023 *\/\n.elementor-widget-text-editor.elementor-drop-cap-view-stacked .elementor-drop-cap{background-color:#69727d;color:#fff}.elementor-widget-text-editor.elementor-drop-cap-view-framed .elementor-drop-cap{color:#69727d;border:3px solid;background-color:transparent}.elementor-widget-text-editor:not(.elementor-drop-cap-view-default) .elementor-drop-cap{margin-top:8px}.elementor-widget-text-editor:not(.elementor-drop-cap-view-default) .elementor-drop-cap-letter{width:1em;height:1em}.elementor-widget-text-editor .elementor-drop-cap{float:left;text-align:center;line-height:1;font-size:50px}.elementor-widget-text-editor .elementor-drop-cap-letter{display:inline-block}<\/style>\t\t\t\t<div class=\"post_inner_content\">\n<p>In many administrative processes there is a requirement that different actions are performed by different persons. A typical example of such process is the procurement process. For example you do not want the person who is entering the purchase order is the same person that is entering the receipt of the goods.&nbsp;<\/p>\n<p>Anne Rozinat already described the usage of Disco for checking segregation of duties with the demo dataset in Disco. See&nbsp;<a href=\"https:\/\/fluxicon.com\/blog\/2014\/03\/how-to-check-segregation-of-duties-with-disco\/\">https:\/\/fluxicon.com\/blog\/2014\/03\/how-to-check-segregation-of-duties-with-disco\/<\/a><\/p>\n<p><\/p>\n<p>We will see how we can perform these checks with a dataset from the Oracle EBS Release 12.1.3 Vision instance. We use a data set with the purchase order distribution ID as case ID. The purchase order distribution ID is the lowest level of the Purchase Order in Oracle.<\/p>\n<div class=\"wp-block-image is-style-default\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" class=\" ls-is-cached lazyloaded\" src=\"https:\/\/www.processminery.com\/wp-content\/uploads\/2015\/06\/purchase_order_levels.png\" alt=\"\" data-src=\"https:\/\/www.processminery.com\/wp-content\/uploads\/2015\/06\/purchase_order_levels.png\"><\/figure>\n<\/div>\n<p>This dataset contains all the steps in the procurement process in Oracle EBS related to the purchase order distribution ID: requisitions, purchase orders, receipts and invoices.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" class=\" ls-is-cached lazyloaded\" src=\"https:\/\/www.processminery.com\/wp-content\/uploads\/2015\/06\/po_distribution_eventlog.png\" alt=\"\" data-src=\"https:\/\/www.processminery.com\/wp-content\/uploads\/2015\/06\/po_distribution_eventlog.png\"><\/figure>\n<\/div>\n<p><strong>Import the dataset in Disco<\/strong><\/p>\n<p>When we open the event log in Disco we see the following columns<\/p>\n<ul>\n<li>Case ID: the purchase order distribution ID in Oracle Purchasing. We mark this column as \u201cCase\u201d<\/li>\n<li>Activity: this is the activity that has taken place. We mark this column as \u201cActivity\u201d<\/li>\n<li>Time Stamp: this is the date and time when the activity has taken place or has started. We mark this column as \u201cTimestamp\u201d<\/li>\n<li>End Date: this is the date and time when the activity has been completed. We can see that this column is only populated for activities where the end date can be determined in Oracle. We mark this column for \u201cTimestamp\u201d as well. Disco will use the ealiest timestamp as start and the latest as end timestamp for the activity.<\/li>\n<li>Resource ID: this is the id from the user in Oracle who performed the activity. We mark this column as \u201cResource\u201d<\/li>\n<li>User name: this is the user name of the user in Oracle who performed the activity. We can mark this column as \u201cResource\u201d as well so that Disco will concatenate both the user id and the user name as the resource in Disco.&nbsp;<\/li>\n<li>Event ID: this is the id of the activity in the source table in Oracle. We mark this column as \u201cOther\u201d attribute and will do the same for all remaining columns<\/li>\n<\/ul>\n<p>The event log has the following case attributes:<\/p>\n<ul>\n<li>Org ID: the id of the operating unit in Oracle. We mark this column as \u201cOther\u201d.<\/li>\n<li>Operating Unit: the name of the Operating Unit in Oracle. We mark this column as \u201cOther\u201d.<\/li>\n<li>PO Number: the Purchase Number in Oracle Purchasing. We can use the Purchase Order number to query the purchase order in the Buyer Work Center or the Purchase Order Summary form.<\/li>\n<\/ul>\n<p>The event log from the Vision instance only has a limited number of additional, activity specific, attributes. These attributes are all related to the \u201cCreate Purchase Order Distribution\u201d activity and we mark these all as \u201cOther\u201d:<\/p>\n<ul>\n<li>Buyer: the buyer who is entered on the purchase order header.<\/li>\n<li>Linetype: the purchase order line type, like Goods or Services<\/li>\n<li>PO Category: the purchasing category from the order line, indicating what category of goods or services are being purchased. In the Vision instance the category contains out of two segments.<\/li>\n<li>Supplier: the supplier on the purchase order header<\/li>\n<li>Item description: the description from the purchase order line<\/li><li><br><\/li>\n<\/ul>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" class=\" ls-is-cached lazyloaded\" src=\"https:\/\/www.processminery.com\/wp-content\/uploads\/2015\/06\/eventlog.png\" alt=\"\" data-src=\"https:\/\/www.processminery.com\/wp-content\/uploads\/2015\/06\/eventlog.png\"><\/figure>\n<\/div>\n<p><br><\/p><p>Now that we have marked all the columned we can import the data. Let\u2019s have a closer look at what we see in Disco once we have imported the data.<\/p>\n<p>With the \u201cActivities\u201d slider at the top we see the process map with all activities from the event log.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" class=\" ls-is-cached lazyloaded\" src=\"https:\/\/www.processminery.com\/wp-content\/uploads\/2015\/06\/process_map_oracle_po_eventlog_vision.png\" alt=\"\" data-src=\"https:\/\/www.processminery.com\/wp-content\/uploads\/2015\/06\/process_map_oracle_po_eventlog_vision.png\"><\/figure>\n<\/div>\n<p>Because of the number of different activities this is not very easy to understand.<\/p>\n<p><strong><br><\/strong><\/p><p><strong>Apply filters<\/strong><\/p>\n<p><br><\/p>\n<p>We click on filter and we see what different activities are in the event log. If we want to check a specific segregation of duties conflict we can limit the number of activities to only those two that are part of the check: \u201cCreate Purchase Order Distribution\u201d and \u201cReceipt Receive\u201d.<\/p><p><br><\/p>\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" class=\" ls-is-cached lazyloaded\" src=\"https:\/\/www.processminery.com\/wp-content\/uploads\/2015\/06\/filter_activity_1.png\" alt=\"\" data-src=\"https:\/\/www.processminery.com\/wp-content\/uploads\/2015\/06\/filter_activity_1.png\"><\/figure>\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" class=\" ls-is-cached lazyloaded\" src=\"https:\/\/www.processminery.com\/wp-content\/uploads\/2015\/06\/filter_activity_2.png\" alt=\"\" data-src=\"https:\/\/www.processminery.com\/wp-content\/uploads\/2015\/06\/filter_activity_2.png\"><\/figure>\n<p>This results in a process map with only those two activities. The number indicates the number of times each activity has taken place in the event log. The same applies to the paths.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" class=\" ls-is-cached lazyloaded\" src=\"https:\/\/www.processminery.com\/wp-content\/uploads\/2015\/06\/process_map_oracle_po_eventlog_vision_2.png\" alt=\"\" data-src=\"https:\/\/www.processminery.com\/wp-content\/uploads\/2015\/06\/process_map_oracle_po_eventlog_vision_2.png\"><\/figure>\n<\/div>\n<p>But we are only interested in the case where the user who entered the purchase order is the same as the user who entered the receipt. So we apply an additional filter. We select the \u201cFollower\u201d filter and select that \u201cCreate Purchase Order Distribution\u201d is \u201ceventually followed\u201d by \u201cReceipt Receive\u201d and require \u201cthe same value\u201d of \u201cResource\u201d.<\/p><p><br><\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" class=\" ls-is-cached lazyloaded\" src=\"https:\/\/www.processminery.com\/wp-content\/uploads\/2015\/06\/filter_follower.png\" alt=\"\" data-src=\"https:\/\/www.processminery.com\/wp-content\/uploads\/2015\/06\/filter_follower.png\"><\/figure>\n<\/div>\n<p>The result is the following process map:<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" class=\" ls-is-cached lazyloaded\" src=\"https:\/\/www.processminery.com\/wp-content\/uploads\/2015\/06\/process_map_oracle_po_eventlog_vision_3.png\" alt=\"\" data-src=\"https:\/\/www.processminery.com\/wp-content\/uploads\/2015\/06\/process_map_oracle_po_eventlog_vision_3.png\"><\/figure>\n<\/div>\n<p>This indicates that there are 46033 purchase order distributions where the user who entered the purchase order is the same as the user who entered the receipt. We now want to know who entered all these purchase orders and receipts. We can see this when we select the \u201cStatistics\u201d tab and select \u201cResource\u201d.<\/p><p><br><\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" class=\" ls-is-cached lazyloaded\" src=\"https:\/\/www.processminery.com\/wp-content\/uploads\/2015\/06\/statistics_resource.png\" alt=\"\" data-src=\"https:\/\/www.processminery.com\/wp-content\/uploads\/2015\/06\/statistics_resource.png\"><\/figure>\n<\/div>\n<p>We see that in total 183 users entered at least once both the purchase order and the receipt. The user SSCNEWALL is on top of the list. Now let\u2019s have a closer look at the purchase orders where SSCNEWALL was involved. We apply a filter that selects only cases where SSCNEWALL is a resource.<\/p>\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" class=\" ls-is-cached lazyloaded\" src=\"https:\/\/www.processminery.com\/wp-content\/uploads\/2015\/06\/filter_resource.png\" alt=\"\" data-src=\"https:\/\/www.processminery.com\/wp-content\/uploads\/2015\/06\/filter_resource.png\"><\/figure>\n<p>We can see in the Statistics tab the values for the different attributes, like Operating Unit, Buyer, Supplier, PO Category and Item description.<\/p><p><br><\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" class=\" ls-is-cached lazyloaded\" src=\"https:\/\/www.processminery.com\/wp-content\/uploads\/2015\/06\/item_description.png\" alt=\"\" data-src=\"https:\/\/www.processminery.com\/wp-content\/uploads\/2015\/06\/item_description.png\"><\/figure>\n<\/div>\n<p><br><\/p><p>If we want to see the individual case we use the \u201cCases\u201d tab.<\/p><p><br><\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" class=\" ls-is-cached lazyloaded\" src=\"https:\/\/www.processminery.com\/wp-content\/uploads\/2015\/06\/cases.png\" alt=\"\" data-src=\"https:\/\/www.processminery.com\/wp-content\/uploads\/2015\/06\/cases.png\"><\/figure>\n<\/div>\n<p><br><\/p><p>In this example we do not see a good reason why this user should be allowed to enter both the purchase order and the receipt so this is a candidate for further investigation. We remove the filter that only selected the two activities to get some more information about the complete process.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" class=\" ls-is-cached lazyloaded\" src=\"https:\/\/www.processminery.com\/wp-content\/uploads\/2015\/06\/process_map_oracle_po_eventlog_vision_4.png\" alt=\"\" data-src=\"https:\/\/www.processminery.com\/wp-content\/uploads\/2015\/06\/process_map_oracle_po_eventlog_vision_4.png\"><\/figure>\n<\/div>\n<p>We see something strange here. We would expect that all the purchase orders are initiated by a requisition but here we see that almost all purchase orders are not related to a requisition. We also see that all the purchase orders are approved, are received and have an invoice. Let\u2019s see if user SSCNEWALL has performed any of the other activities in this process as well. We apply an additional \u201cFollower\u201d filter to get only the cases where SSCNEWALL is also the user who entered the invoice.<\/p><p><br><\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" class=\" ls-is-cached lazyloaded\" src=\"https:\/\/www.processminery.com\/wp-content\/uploads\/2015\/06\/filter_follower_21.png\" alt=\"\" data-src=\"https:\/\/www.processminery.com\/wp-content\/uploads\/2015\/06\/filter_follower_21.png\"><\/figure>\n<\/div>\n<p>The result is that user SSCNEWALL is also the user who entered the invoice. This really shows that the segregation of duties controls did not work in these cases and action needs to be taken to prevent this in future.<\/p>\n<\/div>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>In many administrative processes there is a requirement that different actions are performed by different persons. A typical example of such process is the procurement process. For example you do not want the person who is entering the purchase order is the same person that is entering the receipt of the goods.<\/p>\n","protected":false},"author":2,"featured_media":2194,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[63],"tags":[81,49,50,51,75,59,53,54,80,79,74,52],"class_list":["post-2142","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-machine-learning","tag-ap-invoice","tag-celonis","tag-celonis-ems","tag-celonis-ibc","tag-celonis-process-connector","tag-machine-learning","tag-oracle","tag-oracle-cloud-erp","tag-payment-date","tag-predict-payment-date","tag-process-connector","tag-process-mining"],"_links":{"self":[{"href":"https:\/\/staging.processminery.com\/index.php\/wp-json\/wp\/v2\/posts\/2142","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/staging.processminery.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/staging.processminery.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/staging.processminery.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/staging.processminery.com\/index.php\/wp-json\/wp\/v2\/comments?post=2142"}],"version-history":[{"count":11,"href":"https:\/\/staging.processminery.com\/index.php\/wp-json\/wp\/v2\/posts\/2142\/revisions"}],"predecessor-version":[{"id":3495,"href":"https:\/\/staging.processminery.com\/index.php\/wp-json\/wp\/v2\/posts\/2142\/revisions\/3495"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/staging.processminery.com\/index.php\/wp-json\/wp\/v2\/media\/2194"}],"wp:attachment":[{"href":"https:\/\/staging.processminery.com\/index.php\/wp-json\/wp\/v2\/media?parent=2142"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/staging.processminery.com\/index.php\/wp-json\/wp\/v2\/categories?post=2142"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/staging.processminery.com\/index.php\/wp-json\/wp\/v2\/tags?post=2142"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}