Monday, December 26, 2016

It’s The Most Wonderful Time of the Year!!! - NO! Compliance Audit...

It’s The Most Wonderful Time of the Year!!!
The holiday season is a busy time for everyone.  Making plans, buying presents, baking cookies and other tasty goodies, and the list goes on.  You've got to fit this around your work schedule and with year end, it is a mad rush to get work done – make your sales quota for the year, complete your project, balance the books, count the inventory, and schedule your last days of vacation!

Are the auditors on their way?  Do you have processes and procedures in place?  Do you have proper business controls and have they been followed?

If you are a Security Administrator or Compliance Manager, please check out the next issue of the AXUG Magazine which will come out in February 2017.  In the Viewpoint From the Front Line column, I'll discuss compliance from an ERP system perspective.

Since it will be over a month before the article will be posted, Dynamics Communities has given me the okay to share it now:

Fiscal year end is a busy time for everyone.  It is a mad rush to get work done – make your sales quota for the year, complete your project, balance the books, count the inventory, and schedule your last days of vacation!

Are the auditors on their way?  Do you have processes and procedures in place?  Do you have proper business controls and have they been followed? 

If you are a Security Administrator or Compliance Manager, here are some things to keep in mind:

Who has keys to each room and to the entire house?

The rooms – These are the different functions or modules.  Do you have controlled access to module parameters and setups?  This should be a limited list of trained super users or managers of each function.  In AX, module/process controls are duties whose names typically start with “Enable”.  When looking at the AX menu structure, these functions are generally found in the “Setup” sub-menu of each module.

The entire house – System parameters and global functions are typically controlled by the IT department.  This also includes server and database setups and access.  The obvious list that comes to mind is who has System administrator access in AX and admin access to the server and database, but there may be specific functions that need to be called out separately, such as access to workflows and batch processing.

The keys – These are the security roles, including their setup, maintenance, and assignment to users.  Controls should be in place on what each role should contain, approvals for when updates are made, and approvals for who should be granted access.  The main security role for this is the Security administrator, but the control could be as detailed as the specific duties or privileges related to maintaining security settings.

Who holds the purse strings?  In an ERP system it’s not just about who can spend money.  It is about who can perform activity that has financial significance.

There are inventory transactions that can make material appear and disappear, which you should have controlled.  In AX, this is a movement, inventory adjustment, or physical inventory counting transaction.  You may want to review these processes and determine where the highest risks are for your company.  Then put business controls in place to monitor those activities.  One example is a periodic report of all inventory adjustments that is reviewed.

If a person can do both ends of a transaction without another person involved, this is also a way to make material or dollars disappear.  This is typically referred to as segregation of duties.  Here are a couple of examples: someone who can create a sales order and then ship it, or someone who has access to create a vendor and print a check.  Eliminate any segregation of duty violations, or put a control in place to monitor the activity and ensure nothing malicious was performed.
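The two conflicts above are the kind of thing an auditor will sample for, and they are easy to miss when a user accumulates roles over time. The following is an added example, not code from the original post or from Dynamics AX: it flattens user-to-role and role-to-duty assignments (a constructed sample, in the shape a security export would take once flattened), checks every user against a list of conflicting duty pairs, and separates true violations from conflicts that a documented compensating control already covers. The duty and role names, the users, and the accepted-exception list are all constructed for illustration.

```python
"""Segregation-of-duties (SoD) conflict check over user/role/duty assignments.

Added example, not from the original post. All duty names, role names,
users and exceptions below are constructed for illustration only.
"""
from collections import defaultdict

# Constructed conflict rules: pairs of duties one person should not hold
# together. The two pairs mirror the post's examples (order-and-ship,
# create-vendor-and-pay).
SOD_RULES = [
    ("Maintain sales orders", "Confirm shipments"),
    ("Maintain vendors", "Generate vendor payments"),
]

# Constructed sample export: role -> duties granted by that role.
ROLE_DUTIES = {
    "Sales clerk": {"Maintain sales orders", "Inquire into customer status"},
    "Warehouse worker": {"Confirm shipments", "Inquire into inventory status"},
    "Accounts payable clerk": {"Maintain vendors", "Inquire into vendor status"},
    "Accounts payable manager": {"Generate vendor payments", "Approve vendor invoices"},
}

# Constructed sample export: user -> roles assigned to that user.
USER_ROLES = {
    "alice": {"Sales clerk"},
    "bob": {"Sales clerk", "Warehouse worker"},
    "carol": {"Accounts payable clerk", "Accounts payable manager"},
    "dave": {"Accounts payable manager"},
}

# Constructed: a conflict the business has accepted with a compensating
# control (e.g. a monthly review of payments to newly created vendors).
ACCEPTED_EXCEPTIONS = {
    ("carol", "Maintain vendors", "Generate vendor payments"),
}


def effective_duties(user_roles, role_duties):
    """Map each user to the duties they hold and the roles granting each duty.

    Keeping the granting roles lets the reviewer see which role assignment
    to remove rather than just that a conflict exists.
    """
    duties = {}
    for user, roles in user_roles.items():
        held = defaultdict(set)
        for role in roles:
            for duty in role_duties.get(role, ()):
                held[duty].add(role)
        duties[user] = dict(held)
    return duties


def find_sod_violations(user_roles, role_duties, rules):
    """Return sorted (user, duty_a, duty_b, granting_roles) for every breached rule."""
    held = effective_duties(user_roles, role_duties)
    violations = []
    for user, duties in held.items():
        for duty_a, duty_b in rules:
            if duty_a in duties and duty_b in duties:
                roles = sorted(duties[duty_a] | duties[duty_b])
                violations.append((user, duty_a, duty_b, roles))
    return sorted(violations)


def classify_violations(violations, accepted_exceptions):
    """Split violations into those to remediate and those covered by a documented control."""
    to_remediate, monitored = [], []
    for violation in violations:
        user, duty_a, duty_b, _roles = violation
        if (user, duty_a, duty_b) in accepted_exceptions:
            monitored.append(violation)
        else:
            to_remediate.append(violation)
    return to_remediate, monitored


if __name__ == "__main__":
    found = find_sod_violations(USER_ROLES, ROLE_DUTIES, SOD_RULES)
    fix, watch = classify_violations(found, ACCEPTED_EXCEPTIONS)
    for user, a, b, roles in fix:
        print(f"REMEDIATE  {user}: '{a}' + '{b}' via roles {roles}")
    for user, a, b, roles in watch:
        print(f"MONITORED  {user}: '{a}' + '{b}' via roles {roles} (compensating control on file)")
```

Run against a real export, the same structure applies: the rules list is the agreed SoD matrix, the two dictionaries are the flattened security configuration, and anything in the "remediate" list is either a role assignment to remove or a new exception to document before the auditors sample it.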

Who is the author and publisher of the book?  With an ERP system, this would be who has access to the programming code that the application runs on.  There should be strict controls around making changes, testing and approvals by business owners, and how code is migrated between environments.

Hopefully you have all this documented in your play book.  These would be your documented processes and procedures.  If you have been following it all year long, then you should be in good shape for the auditors.  As with any event, you should do rehearsals.  Do an internal audit of your processes and controls.  Take random samples, follow them through the documented procedures, and ensure all steps have been followed and that there is proper evidence to support the process.

The auditors will want to see evidence that the processes and controls were followed.  They will do their own sampling and walk-throughs of the processes.  Be ready!!!

The simple rule to follow is “DO as you SAY, and SAY as you DO!”

After the auditors have left, I hope you are smiling knowing that all is in order with your processes and controls.  Happy New Year!!!

1 comment:

  1. Since it will be over a month before the article will be posted, Dynamics Communities has given me the okay to share it now. I've updated this post to include the article. I hope you enjoy it!