
How to Prevent Automatic Authorizing of Reqs 1

Status
Not open for further replies.

Calator

Programmer
Feb 12, 2001
AU
We need to implement a mechanism that will prevent all purchase requisitions from being automatically authorised by MIMS, and will force them to go up the hierarchy for authorisation instead. Can anybody show us how to achieve that?

We have MIMS41 with Establishment and using MSO14P for raising the purchase requisition.

Note that a middle level manager for eg, needs to be able to authorise his subordinates' reqs up to $50,000, and he also needs to be able to raise reqs himself, but all reqs he raises must be forced up the hierarchy, regardless of their value.

Currently it appears that if this manager is in a position that has authority limit of $50,000 on MSM872A for PRIT/PRTO, any requisition he raises below $50,000 will be automatically authorised by MIMS at the time of creation.
 
If you have a general rule that any reqn has to be authorised by at least one person (regardless of the Requested By person's authority limits), then this can be achieved by input of an Authorised By person (eg. on the MSM14PA screen).

If the Authorised By person is non-blank, and different from the Requested By person then the reqn is forced to 877 for approval.

You could write a User Exit to automatically search for the user's superior, and default their id into the Authorised By field, and then protect the field so the user can't blank it out.

You would probably want to apply the same logic to other Requisition creation screens.
 
Instead of writing a User Exit as per Pil's comment above, you could try inserting screen defaults for the User ID in the MSO051 screen for program MSM140A.
This could be a workaround.
 
I see that there are technical solutions to this situation, but I have a question for Calator: What is the business logic that justifies that a middle level manager can approve the purchase of a pump or a motor for up to $50,000 without his supervisor's knowing it, but can't approve a $20 stapler for his office?
Thanks.
 
Hi Praeceptor,

I am not sure I understand your question. In our implementation of MIMS the manager could authorise both the $20 stapler and the $50,000 pump that he/she raised.

We needed to change that, for compliance reasons around US Sarbanes-Oxley legislation. The requirement was to totally eliminate situations when the same person authorises a purchase, as the person who requested the item. We have now implemented this using PhantomPhil's idea (thanks!)

I think it is possible that people set up an authority lower limit in MIMS, so that a manager cannot authorise small value items (your $20 stapler) but that was not the case in our business, and I cannot explain the business reasons for it.
 
Calator,

Thanks for your answer. I think I expressed my question poorly. Let me try again. You said:
"Note that a middle level manager for eg, needs to be able to authorise his subordinates' reqs up to $50,000, and he also needs to be able to raise reqs himself, but all reqs he raises must be forced up the hierarchy, regardless of their value."

Under this scenario, the following happens:

Let's say that A is B's boss. A can approve req's for up to $50,000. So, B creates a req for $49,000 and A approves it. A's boss does not intervene.
Now, A needs a $20 stapler. But he has to get his boss to approve it, even though he just approved a $49,000 req that his boss never saw.

I admit I haven't read the SOX legislation in detail, but if created this situation, I'd say we have taken a huge step backwards.
 
Hi Praeceptor,
Yes, your description of possible approval referrals under our implementation of SOX is correct.
The idea is that no transaction should be handled by one person only.
This is what auditors asked of us, and my opinion is that it is an appropriate way of introducing controls in the system, and quite a big step forward in that sense.
Consider that if A can raise and approve a transaction for $20 without anyone else's knowledge, he can also do the same for $50,000, and for 10x $50,000 - it's all too easy! However if two persons need to be involved for a transaction to go through, you need collusion of 2 individuals for fraud to occur.
The other point I need to make is that A will probably not raise the requisition for the $20 stapler, he'll get his secretary to raise it, and he'll authorise. But again we have 2 persons involved.
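
As an added illustration (not part of the original posts and not MIMS code), the Python sketch below models the two routing behaviours discussed in this thread: self-authorisation within the requester's own limit versus forcing every requisition to someone above the requester. The hierarchy, the limits and the names `SUPERIOR`, `LIMIT`, `route_auto`, `route_two_person` and `self_authorised` are all constructed for the example.

```python
# Added illustration: a toy model of requisition routing, not MIMS code.
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed hierarchy: person -> superior (None at the top).
SUPERIOR = {"B": "A", "secretary": "A", "A": "boss", "boss": None}
# Constructed authority limits in dollars.
LIMIT = {"B": 0, "secretary": 0, "A": 50_000, "boss": 500_000}


@dataclass
class Req:
    requested_by: str
    value: float


def route_two_person(req: Req) -> Optional[str]:
    """Force the requisition up the hierarchy: start at the requester's
    superior and return the first person whose limit covers the value.
    The requester is never considered, whatever their own limit is."""
    seen = {req.requested_by}          # guard against a cyclic hierarchy
    person = SUPERIOR[req.requested_by]
    while person is not None and person not in seen:
        if LIMIT[person] >= req.value:
            return person
        seen.add(person)
        person = SUPERIOR[person]
    return None                        # nobody above can authorise: hold it


def route_auto(req: Req) -> Optional[str]:
    """Behaviour described at the top of the thread: a requester whose own
    limit covers the value is authorised automatically at creation."""
    if req.value <= LIMIT[req.requested_by]:
        return req.requested_by
    return route_two_person(req)


def self_authorised(reqs: List[Req],
                    router: Callable[[Req], Optional[str]]) -> List[Req]:
    """Audit check: requisitions whose authoriser equals the requester."""
    return [r for r in reqs if router(r) == r.requested_by]


if __name__ == "__main__":
    sample = [Req("A", 20), Req("B", 49_000), Req("A", 50_000)]
    print("auto:", self_authorised(sample, route_auto))
    print("two-person:", self_authorised(sample, route_two_person))
```
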
 
Calator,

Your comments are right on the mark... which takes us to the fact that no amount of controls can prevent dishonest and determined individuals from working around them. Actually, the more cumbersome the procedure, the more loopholes they'll find. And that's where I'm afraid that auditors are using and misusing SOX to put back an inordinate amount of redundant "controls" that the total quality movement of the 90's helped us get rid of.

Thanks again.
 