Always a difficult question - where do you draw the line between systemic controls vs. training?
At the minimum, if we don’t have a security provision, we should have proper auditing of when a PO receipt is backdated or postdated, so someone can figure out

While I wasn’t around for the initial decisions to make the dates not editable, in a large organization this could potentially have drastic results for other users in the organization. The scenario I can imagine (and has happened in my org before) is a purchase order contract dispute. Since purchase orders are legal contracts (at least in the USA), there is a potential if a PO is received late, and there is not a proper record of when the PO was received by the company, that you run into a problem. My organization, for example, doesn’t use OFBiz’s inbound package tracking functionality (too complicated and slow).

Yeah, better training and supervision would fix this problem, but the reality is that most organizations would overlook a little thing like this, especially if the default old behavior changes between upgrades. Having it available just at a supervisor level at least mitigates that problem. Or at least stubbing it so it’s easy to figure out where to add the security control would be a good start.

--Paul

----------
Paul Mandeltort | Marco Specialties Inc
+1-512-394-8119 | [email protected]

On May 21, 2014, at 7:15 AM, Pierre Smits <[email protected]> wrote:

> Paul,
>
> Are you sure you would add complexity to a system to provision for
> avoidance of laziness? It is better to improve business processes and
> procedures to flesh such behaviour out of the organisation.
>
> Regards,
>
> Pierre Smits
>
> *ORRTIZ.COM <http://www.orrtiz.com>*
> Services & Solutions for Cloud-
> Based Manufacturing, Professional
> Services and Retail & Trade
> http://www.orrtiz.com
