Recommendation: Separation of Duties=Disable Transaction Checks
Giving access to the same person to enter an invoice into the system and to cut a payment is a security concern. Best practice recommends separation of duties.
For that reason we recommend withholding access to the alternate window for Mekorma Transaction Checks. This will effectively disable transaction check printing by making any checks printed unusable. The system will offer regular GP check printing but since you are printing checks on blank check stock they will not have the MICR line, signatures or other necessary features.
Option Two: With Secure Approval Workflow Implemented, Transaction Check printing is limited to Approvers
Since Transaction checks are printed on-the-fly, we cannot send them through a workflow. However, the Task-Based Security rules that you have setup still apply. For recommendations about how to setup Task-Based Security with transaction checks in mind, see Setting Security rules for Transaction Checks If you choose to give access to transaction checks, they can be printed if the following conditions hold:
- the GP User entering the transaction and printing is setup as an approver with a security task.
- the check is within the threshold level that that user is allowed to approve.
- only one approver is required.
If two approvers are required for the check in question, the invoice will need to be posted and the payment will need to be submitted through the Approval workflow.
The user who prints the check is recorded as the approver the audit log.
Note that if the vendor being paid has a Threshold ID assigned to their Vendor Class, those rules will override the rules on the checkbook.
Last option: No Security
Finally, if you do not enforce security rules in your setup, for example you use signatures only but no approvers, you will be able to print a transaction check if the user has Alternate window access.