Principles for managing access
Each department should set up authorised signatories for Oracle access. Their role is to manage the department’s Oracle access in line with two key principles:
- Access must only be granted to those that need it (and removed as soon as it is not needed).
- Access must be limited to the minimum needed to deliver the role, including appropriate purchasing approval and journal limits. Edit access should only be granted where the user needs to carry out transaction activity; otherwise enquiry (read-only) access should be used.
When approving access authorised signatories should also consider segregation of duties – the principle that no one member of staff completes all steps in a process to prevent the risk of error or fraud.
Responsibilities of authorised signatories
Authorised signatories are responsible for monitoring Oracle Financials access and authorising the department’s access requests. Authorised signatories should:
- Ensure that all roles and responsibilities authorised are appropriate for a user’s job
- Ensure that they understand the impact of any request they are approving
- Undertake appropriate monitoring of access within their unit
- Ensure that financial limits are appropriate to a user’s job and the department’s budget
- Ensure that staff changing role, leaving the unit or going on a long term break have access terminated in a timely fashion
- Check all changes to user access or department are accurate and appropriate before approval
- Check segregation of duties conflicts. If segregation of duties conflicts are unavoidable, compensating controls must be in place and documented
- Please note all users should understand their responsibilities with regards to Data Protection, University IT Policy and Financial Regulations before accessing Oracle Financials
Selecting an authorised signatory
Authorised signatories for Oracle access should have sufficient financial experience and seniority to make decisions about processes for departmental financial administration and translate that into Oracle responsibilities. They are expected to be senior members of the department, e.g. Head of Administration and Finance (or equivalent) or senior finance managers (or equivalent).
Divisional finance teams can form back-up for the department’s authorised signatories. For example, a divisional authoriser should be selected if the authorised signatory is on leave.
- It is generally not recommended that Heads of Department are selected as authorised signatories for Oracle access as they ordinarily do not have the level of familiarity with Oracle Financials required to ensure access requests are appropriate;
- It is not advisable to add additional departmental signatories for holiday cover;
- It is good practice to seek divisional approval for Head of Administration and Finance access.
Appointing authorised signatories
New authorised signatories for Oracle access should complete the Authorised Signatory for Financial Systems form. Please note that they need to complete it themselves as it includes a declaration that they understand the responsibilities they are accepting. Their request form should be approved by another departmental authorised signatory for Oracle access.
For help on completing the form, please see the guidance.
Departments can review their list of authorised signatories by:
- Reviewing the drop-down list of authorised signatories on a draft request.
- Requesting a list from FSSC
Removing authorised signatories
The authorised signatory for Oracle access can complete the form themselves requesting that they are removed from the list. Alternatively, another authorised signatory can email FSSC and request removal.