It’s The Most Wonderful Time of the Year!!!
The holiday season is a busy time for everyone. Making plans, buying presents, baking cookies and other tasty goodies, and the list goes on. You've got to fit this around your work schedule, and with year end it is a mad rush to get work done – make your sales quota for the year, complete your project, balance the books, count the inventory, and schedule your last days of vacation!
Are the auditors on their way? Do you have processes and procedures in place? Do you have proper business controls, and have they been followed?
Since it will be over a month before the article will be posted, Dynamics Communities has given me the okay to share it now:
Fiscal year end is a busy time for everyone. It is a mad rush to get work done – make your sales quota for the year, complete your project, balance the books, count the inventory, and schedule your last days of vacation!
Are the auditors on their way? Do you have processes and procedures in place? Do you have proper business controls and have they been followed?
If you are a Security Administrator or Compliance Manager, here are some things to keep in mind:
Who has keys to each room and to the entire house?
The rooms – These are the different functions or modules. Do you have controlled access to module parameters and setups? Access should be limited to a short list of trained super users or the managers of each function.
In AX, module/process controls are duties whose names typically start with “Enable”. When looking at the AX menu structure, these functions are generally found in the “Setup” sub-menu of each module.
The entire house – System parameters and global functions are typically controlled by the IT department. This also includes server and database setups and access. So the obvious list that comes to mind is who has System administrator access in AX and admin access to the server and database, but there may be some specific functions that need to be called out separately, such as access to workflows and batch processing.
The keys – These are the security roles, including their setup, maintenance, and assignment to users. Controls should be in place on what each role should contain, approvals for when updates are made, and approvals for who should be granted access. The main security role for this is the Security administrator, but the review could be as detailed as the specific duties or privileges related to maintaining security settings.
Who holds the purse strings? It’s not just about who can spend money when it comes to ERP; it is about who can perform any activity that has financial significance.
There are inventory transactions that can make material appear and disappear, and these should be controlled. In AX, this is a movement, inventory adjustment, or physical inventory counting transaction. You may want to review these processes and determine where the highest risks are for your company. Then put business controls in place to monitor those activities. One example is a periodic report of all inventory adjustments that is reviewed by someone other than the person who posted them.
If a person can do both ends of a transaction without another person involved, then this is also a way to make material or dollars disappear. This is typically referred to as segregation of duties.
Here are a couple of examples: someone who can create a sales order and then ship it, or someone who has access to create a vendor and print a check. Eliminate any segregation of duties violations, or put a control in place to monitor them and ensure no malicious activity was performed. Note that a violation can come from a single badly designed role or from the combination of several roles assigned to one user, so the review has to look at each user's effective access, not just the role list.
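The segregation of duties review described above, worked through as an added example (this is not code from the original article or from Dynamics AX). The role, duty and user names are hypothetical and constructed for illustration; they are loosely modelled on the AX 2012 role → duty hierarchy but are not real AX security artifacts. The two conflict pairs from the article are used, plus one assumed pair, and the "accepted with a compensating control" list is an assumption about how a documented exception might be recorded.

```python
"""Segregation-of-duties (SoD) check over a role model.

Added example, not part of the original article. All role, duty and user
names are hypothetical and constructed for illustration.
"""
from collections import defaultdict

# Constructed role model: role -> duties it grants (hypothetical names).
ROLE_DUTIES = {
    "SalesClerk":      {"MaintainSalesOrder"},
    "WarehouseWorker": {"ConfirmShipment", "PostInventoryAdjustment"},
    "APClerk":         {"MaintainVendor"},
    "APPaymentClerk":  {"GenerateVendorPayment"},
    "APManager":       {"MaintainVendor", "GenerateVendorPayment"},  # conflict inside one role
    "SecurityAdmin":   {"MaintainSecurityRoles"},
}

# Constructed user -> roles assignment (hypothetical users).
USER_ROLES = {
    "alice": {"SalesClerk"},
    "bob":   {"SalesClerk", "WarehouseWorker"},     # conflict via two roles
    "carol": {"APClerk", "APPaymentClerk"},         # conflict via two roles
    "dave":  {"APManager"},                          # conflict via one role
    "erin":  {"APClerk"},
}

# Conflict matrix: pairs of duties one person must not hold together.
# The first two pairs are the article's examples; the third is an assumed rule.
SOD_RULES = [
    ("MaintainSalesOrder", "ConfirmShipment"),
    ("MaintainVendor", "GenerateVendorPayment"),
    ("MaintainSecurityRoles", "MaintainVendor"),
]

# Documented exceptions: (user, duty_a, duty_b) -> compensating control.
# Constructed example of an accepted risk with a monitoring control.
ACCEPTED = {
    ("dave", "MaintainVendor", "GenerateVendorPayment"):
        "Weekly vendor-payment report reviewed and signed off by the Controller",
}


def duty_sources(user):
    """Map each duty the user holds back to the roles that grant it."""
    src = defaultdict(set)
    for role in USER_ROLES.get(user, ()):
        for duty in ROLE_DUTIES.get(role, ()):
            src[duty].add(role)
    return src


def effective_duties(user):
    """Flatten a user's roles into the set of duties they can actually perform."""
    return set(duty_sources(user))


def find_violations(users=None):
    """Return {user: [(duty_a, duty_b, via_roles), ...]} for every rule broken.

    A violation is reported whether both duties come from one role or from
    the combination of several roles, because the user can act either way.
    """
    violations = {}
    for user in (USER_ROLES if users is None else users):
        src = duty_sources(user)
        hits = [(a, b, tuple(sorted(src[a] | src[b])))
                for a, b in SOD_RULES if a in src and b in src]
        if hits:
            violations[user] = hits
    return violations


def open_violations():
    """Violations with no documented compensating control: these must be fixed."""
    result = {}
    for user, hits in find_violations().items():
        remaining = [h for h in hits if (user, h[0], h[1]) not in ACCEPTED]
        if remaining:
            result[user] = remaining
    return result


def conflicting_roles():
    """Roles that violate a rule on their own: fix the role, not each user."""
    return {role: [(a, b) for a, b in SOD_RULES if a in duties and b in duties]
            for role, duties in ROLE_DUTIES.items()
            if any(a in duties and b in duties for a, b in SOD_RULES)}


if __name__ == "__main__":
    for role, hits in conflicting_roles().items():
        print(f"ROLE DESIGN ISSUE: {role} grants {hits}")
    for user, hits in find_violations().items():
        for a, b, via in hits:
            status = ACCEPTED.get((user, a, b), "OPEN - remove access or add a control")
            print(f"{user}: {a} + {b} via {via} -> {status}")
```

Run it as-is and it lists dave's conflict as accepted under the documented control, bob's and carol's as open, and flags APManager as a role that needs redesign. In a real review the two dictionaries would be exported from the ERP's security tables and the conflict matrix owned by the business, not by IT.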
Who is the author and publisher of the book? With an ERP system, this is who has access to the programming code the application runs on. There should be strict controls around making changes, testing and approvals by business owners, and how code is migrated between environments, so that nobody can take a change from development straight into production on their own.
Hopefully you have all this documented in your play book. These would be your documented processes and procedures. If you have been following them all year long, then you should be in good shape for the auditors. As with any event, you should do rehearsals. Do an internal audit of your processes and controls. Take random samples, follow them through the documented procedures, and ensure all steps have been followed and that there is proper evidence to support the process.
The auditors will want to see evidence that the processes and controls were followed. They will do their own sampling and walk-throughs of the processes. Be ready!!!
The simple rule to follow is “DO as you SAY, and SAY as you DO!”
After the auditors have left, I hope you are smiling knowing that all is in order with your processes and controls. Happy New Year!!!
Since it will be over a month before the article will be posted, Dynamics Communities has given me the okay to share it now. I've updated this post to include the article. I hope you enjoy it!