Monday, December 26, 2016

It’s The Most Wonderful Time of the Year!!! - NO! Compliance Audit...

It’s The Most Wonderful Time of the Year!!!
The holiday season is a busy time for everyone.  Making plans, buying presents, baking cookies and other tasty goodies, and the list goes on.  You've got to fit this around your work schedule and with year end, it is a mad rush to get work done – make your sales quota for the year, complete your project, balance the books, count the inventory, and schedule your last days of vacation!

Are the auditors on their way?  Do you have processes and procedures in place?  Do you have proper business controls and have they been followed?

If you are a Security Administrator or Compliance Manager, please check out the next issue of the AXUG Magazine which will come out in February 2017.  In the Viewpoint From the Front Line column, I'll discuss compliance from an ERP system perspective.

Since it will be over a month before the article will be posted, Dynamics Communities has given me the okay to share it now:

Fiscal year end is a busy time for everyone.  It is a mad rush to get work done – make your sales quota for the year, complete your project, balance the books, count the inventory, and schedule your last days of vacation!

Are the auditors on their way?  Do you have processes and procedures in place?  Do you have proper business controls and have they been followed? 

If you are a Security Administrator or Compliance Manager, here are some things to keep in mind:

Who has keys to each room and to the entire house?  

The rooms – These are the different functions or modules.  Do you have controlled access to module parameters and setups?  This should be a limited list of trained super users or managers of each function.  In AX, module/process controls are duties whose names typically start with “Enable”.  When looking at the AX menu structure, these functions are generally in the “Setup” sub-menu of each module.

The entire house – System parameters and global functions are typically controlled by the IT department.  This also includes server and database setups and access.  So the obvious list that comes to mind is who has System administrator access in AX and admin access to the server and database, but there may be some specific functions that need to be called out like access to workflows and batch processing.

The keys – These are the security roles, including their setup, maintenance, and assignment to users.  Controls should be in place on what each role should contain, approvals for when updates are made, and approvals for who should be granted access.  The main security role for this is the Security administrator, but control could be as fine-grained as the specific duties or privileges related to maintaining security settings.

Who holds the purse strings?  It’s not just about who can spend money when it comes to ERP.  It is who can perform activity that has financial significance.  

There are inventory transactions that can make material appear and disappear, which you should have controlled.  In AX, these are the movement, inventory adjustment, and physical inventory counting transactions.  You may want to review these processes and determine where the highest risks are for your company.  Then put in business controls to monitor those activities.  One example is a periodic report of all inventory adjustments that is reviewed by someone other than the person who posted them. 

If a person can do both ends of a transaction without another person involved, then this is also a way to make material or dollars disappear.  This is typically referred to as segregation of duties.  Here are a couple of examples: someone who can create a sales order and then ship it, or someone who has access to create a vendor and print a check.  Eliminate any segregation of duties violations, or put a control in place to monitor the activity and ensure nothing malicious was performed.   

Who is the author and publisher of the book?  With an ERP system, this would be who has access to the programming code that the application is running on.  There should be strict controls around making changes, testing and approvals by business owners, and how code is migrated between environments (development, test, production).

Hopefully you have all this documented in your play book.  These would be your documented processes and procedures.  If you have been following it all year long, then you should be in good shape for the auditors.  As with any event, you should do rehearsals.  Do an internal audit of your processes and controls.  Take random samples, follow them through the documented procedures, and ensure all steps have been followed and that there is proper evidence to support the process.

The auditors will want to see evidence that the processes and controls were followed.  They will do their own sampling and walk-throughs of the processes.  Be ready!!!

The simple rule to follow is “DO as you SAY, and SAY as you DO!”

After the auditors have left, I hope you are smiling knowing that all is in order with your processes and controls.  Happy New Year!!!

Monday, December 19, 2016

AX 2012 Security Unwrapped Series - Understanding Role Based Security

This post will unwrap the Dynamics AX role based security model that was introduced in version 2012.  It will describe the structure and components.

"Within an organization, roles are created for various job functions.  The permissions to perform certain operations are assigned to specific roles.  Members or staff (or other system users) are assigned particular roles, and through those role assignments acquire the computer permissions to perform particular computer-system functions.  Since users are not assigned permissions directly, but only acquire them through their role (or roles), management of individual user rights becomes a matter of simply assigning appropriate roles to the user's account; this simplifies common operations, such as adding a user, or changing a user's department." (Definition From Wikipedia)

Microsoft created a series of standard Roles.  I've grouped them into 3 categories:
1. General staff - many of these roles have "worker", "clerk", or "agent" in their name.  Examples are: cost clerk, buying agent, warehouse worker.  These roles have the basic functions for the specific functional role.  In many cases they cannot complete the transaction on their own.
2. Management - many of these roles have "supervisor" or "manager" in their name.  Examples are: accounting manager, production supervisor.  These roles have access to the parameters and setups for a function.  They also hold the transaction approvals that allow the actual update in the application, typically associated with posting inventory or general ledger transactions.
3. Executives - these roles tend to be specific titles, e.g. chief executive officer, financial controller.  They have a few key setups or approvals, but mostly inquiries and reports.

Microsoft also defined a series of process cycles, each of which covers an entire business process flow.  Below are the original ones defined in 2012:

Expenditure which is the standard Procure to Pay flow - vendors, purchase orders, receiving, payables
Revenue which is the standard Order to Cash flow - prospects, customers, quotations, sales orders, receivables, project accounting
Conversion is the standard Plan to Produce flow - parts, BOMs, routes, forecasts, production orders, quality, service
Human capital management - hiring, employees, human resources
Information technology - technical sets like AIF, system parameters, workflow, etc.
Cost accounting - setting up and activating costs, cost accounting, inventory valuation

Several more were added as part of R2/R3: Fiscal books, Public sector, Retail, Retail merchandising, Sales operations financial planning, Trade agreement management, and a process cycle containing duties related to Multi Channel Retail.

Duties, privileges, and permissions are the building blocks that define access.  As the above diagram indicates, there is a hierarchy.  Roles and process cycles are made up of duties and privileges.  Duties contain a set of privileges that together typically allow access to a functional process.  Privileges tend to be a single function within that functional process.  Because a user's effective access is the union of everything reachable through all of the user's roles, a review has to walk the whole hierarchy; looking at the role names alone is not enough.

Duties and privileges follow a general naming convention, typically starting with an action verb that describes the kind of access granted:

Update: “Maintain…”, “Create…”, “Update…”, “Delete...”, "Add...", "Change/Edit..."
Inquiry: “Inquire into…”, “View…”, "Search..."
Reports: “Review…”, “Preview…”, “Generate…”, "Print..."
Parameters:  “Enable…”, “Activate…”
Controls: “Approve…”, “Complete…”, "Post...", "Reject...", "Cancel..."
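The following script is an added example, not code from the original post and not Microsoft's shipped security content.  It walks a small role -> duty -> privilege hierarchy of the shape described above, computes each user's effective privileges together with the role/duty path that grants each one (the evidence an auditor asks for), classifies names by the verb convention, and flags the two segregation of duties conflicts used as examples in the compliance post above (create a vendor and print a check; create a sales order and ship it).  Every role, duty, privilege and user name below, and which privileges sit under which duty, is constructed for illustration and is an assumption of the example; the real AX content differs.

```python
"""Added example (not from the original post): compute effective privileges
through an AX 2012-style role -> duty -> privilege hierarchy and flag
segregation-of-duties conflicts.  All names and the contents of every role
and duty below are constructed for illustration, not Microsoft's shipped
security content."""

from collections import defaultdict

# Constructed hierarchy.  Names follow the verb convention the post describes
# ("Maintain...", "Post...", "Print...", "Enable..."); which privileges sit
# under which duty is an assumption made for this example.
ROLE_DUTIES = {
    "Accounts payable clerk": ["Maintain vendor master", "Maintain vendor invoices"],
    "Accounts payable payments clerk": ["Process vendor payments"],
    "Sales clerk": ["Maintain sales orders"],
    "Shipping clerk": ["Post packing slips"],
    "Accounting manager": ["Maintain vendor master", "Process vendor payments",
                           "Enable accounts payable parameters"],
}
DUTY_PRIVILEGES = {
    "Maintain vendor master": ["Maintain vendors", "Inquire into vendors"],
    "Maintain vendor invoices": ["Maintain vendor invoices", "Inquire into vendor invoices"],
    "Process vendor payments": ["Generate vendor payments", "Print vendor checks"],
    "Maintain sales orders": ["Maintain sales orders", "Inquire into sales orders"],
    "Post packing slips": ["Post sales order packing slips"],
    "Enable accounts payable parameters": ["Maintain accounts payable parameters"],
}
# Roles may also carry privileges directly, not only through duties.
ROLE_PRIVILEGES = {
    "Accounting manager": ["Review vendor aging report"],
}
# Constructed user assignments: bob and carol get a conflict across two roles,
# dave gets one inside a single role.
USER_ROLES = {
    "alice": ["Accounts payable clerk"],
    "bob": ["Accounts payable clerk", "Accounts payable payments clerk"],
    "carol": ["Sales clerk", "Shipping clerk"],
    "dave": ["Accounting manager"],
}
# Pairs of privileges one person should not hold together (from the
# compliance post: create vendor + print check, create sales order + ship it).
SOD_RULES = [
    ("Maintain vendors", "Print vendor checks"),
    ("Maintain sales orders", "Post sales order packing slips"),
]
# Verb prefixes from the naming convention, used to classify a duty or privilege.
VERB_CLASSES = {
    "Update": ("Maintain ", "Create ", "Update ", "Delete ", "Add ", "Change ", "Edit "),
    "Inquiry": ("Inquire into ", "View ", "Search "),
    "Reports": ("Review ", "Preview ", "Generate ", "Print "),
    "Parameters": ("Enable ", "Activate "),
    "Controls": ("Approve ", "Complete ", "Post ", "Reject ", "Cancel "),
}


def classify(name):
    """Return the access class implied by the leading verb, or 'Unknown'."""
    for cls, prefixes in VERB_CLASSES.items():
        if name.startswith(prefixes):
            return cls
    return "Unknown"


def privilege_sources(user):
    """Map each privilege the user effectively holds to the (role, duty) paths
    that grant it; duty is None when the role grants the privilege directly."""
    sources = defaultdict(set)
    for role in USER_ROLES.get(user, []):
        for priv in ROLE_PRIVILEGES.get(role, []):
            sources[priv].add((role, None))
        for duty in ROLE_DUTIES.get(role, []):
            for priv in DUTY_PRIVILEGES.get(duty, []):
                sources[priv].add((role, duty))
    return dict(sources)


def effective_privileges(user):
    """The union of everything reachable through all of the user's roles."""
    return set(privilege_sources(user))


def sod_violations(user):
    """One finding per violated rule, with the roles supplying each side and
    whether a single role contains the whole conflict (then the role itself
    must be fixed, not just this user's assignment)."""
    sources = privilege_sources(user)
    findings = []
    for left, right in SOD_RULES:
        if left in sources and right in sources:
            left_roles = {role for role, _ in sources[left]}
            right_roles = {role for role, _ in sources[right]}
            findings.append({
                "rule": (left, right),
                "left_roles": sorted(left_roles),
                "right_roles": sorted(right_roles),
                "within_single_role": bool(left_roles & right_roles),
            })
    return findings


def review_all_users():
    """Violations for every user with at least one; empty means clean."""
    report = {}
    for user in USER_ROLES:
        findings = sod_violations(user)
        if findings:
            report[user] = findings
    return report


if __name__ == "__main__":
    for user, findings in review_all_users().items():
        for f in findings:
            where = "inside one role" if f["within_single_role"] else "across roles"
            print(f"{user}: {f['rule'][0]} + {f['rule'][1]} ({where}: "
                  f"{f['left_roles']} / {f['right_roles']})")
```

The distinction the script draws matters for remediation: a conflict that spans two roles (bob, carol) is fixed by changing the user's assignments or adding a monitoring control, while a conflict contained in a single role (dave) means the role definition itself violates the policy and every user holding it inherits the problem.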

Privileges are made up of permissions, which are very specific actions within the application.  I call them the keys to the kingdom.  They define the level of access to tables, menus, functions, etc.  Below is a definition of the access levels:

In my next post, I'll dive into the standard AX security menu and its capabilities.

Saturday, December 17, 2016

Dynamics AX Security Unwrapped Series

This series of posts will unwrap the Dynamics AX security model that was introduced in version 2012.  It will be in part what I've presented over the past 3 years at Summit and webinars, but enhanced with learning from experts in the field whom I've met since I've started my journey into AX and the security model.

Please follow me along on this journey.  I hope I can provide some information new to you and suggest an implementation approach.  I welcome feedback both in comments or questions.  This is inspiration for me to embellish my posts!!!