Segregation of Duties & Security Management with D365 F&O
Every company faces a constant stream of access risks tied to the identities of its employees. One of the most damaging is the lack of controls that ensure an appropriate segregation of duties (SOD). In today’s post, we will discuss what it means to segregate roles and their assignments in an organization, what happens when policies are insufficient, and how the SOD matrix helps.
In the functional part, we will guide you through setting up SOD rules to verify existing roles and their duties. We will also look at how to view and resolve conflicting user role assignments using System Administration in Dynamics 365 Finance and Operations Apps.
Let’s understand Segregation of Duties
Segregation (or separation) of duties is a set of controls within your business compliance management that divides the responsibilities for a critical task among different people. Segregation policies generally address combinations of access and transaction rights that could jeopardize your company’s financial integrity. These policies are often defined for an individual task; nonetheless, your organization must implement them consistently across all systems and applications, and an ERP system is the place to do that.
When your company does not have appropriate segregation of duties, your business is under threat, and individuals can easily cause damage to your organization.
Think of a nuclear weapons system: what happens if a single person controls all the keys, codes, and locks? It is a recipe for havoc. In the corporate world, segregation of duties likewise protects businesses against fraud, disruption, and malicious activity.
Now that we have a basic understanding of what segregation of duties is, we can move on to the practical part of setting up segregation of duties in D365 Finance and Operations.
Set up segregation of duties
- Click New.
- In the Name field, type a value for the rule.
- In the First duty field, click the drop-down button to open the lookup and select.
- In the list, find and select the desired record. Select the second duty that is controlled by the rule.
- In the Severity field, select an option. Select the severity of the risk that occurs when the same user or role performs both duties.
- In the Security risk field, type a value. Enter a description of the security risk.
- In the Security mitigation field, type a value. Enter a description of the actions that you take to mitigate the security risk.
- Click Save.
How to verify that existing roles and duties comply with new rules?
Verifying that roles and duties comply is one of the crucial aspects of SOD, and it is a substantial challenge in any ERP environment. Implemented efficiently, however, it helps you prevent unauthorized access to key systems and confidential databases. Appropriate verification helps in the following ways:
- It helps you keep administration groups small and firmly managed, while also using secure log files and recording activities wherever possible.
- You have the advantage of a pseudo-root log whenever it is needed.
- Verifying roles and their duties helps you enforce policies and procedural statements that prohibit administrators from browsing files and folders containing operational and business data.
To help you understand the SOD requirements and how each role is constrained by the others, the SOD enforcement flow is shown here.
You can follow the below steps to verify that existing roles and duties comply with the new rules in Dynamics 365 Finance and Operations.
- Go to System administration > Security > Segregation of duties > Segregation of duties rules.
- Select Validate duties and roles. If any roles violate the rules, a message is displayed that contains the name of the rule, the role, and the names of the conflicting duties.
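The rule fields from the setup steps above and the check that "Validate duties and roles" performs, modelled as an added example in plain Python (this is not D365 code; rule, duty and role names are constructed and hypothetical):

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SodRule:
    """One rule as entered on the Segregation of duties rules page."""
    name: str
    first_duty: str
    second_duty: str
    severity: str            # constructed values: "High" / "Medium" / "Low"
    security_risk: str
    security_mitigation: str

    def duties(self) -> frozenset:
        return frozenset((self.first_duty, self.second_duty))

def validate_roles(roles: dict, rules: list) -> list:
    """Flag every role that contains both duties of a rule.

    Each hit carries what the validation message shows: the rule name,
    the role name and the two conflicting duties.
    """
    hits = []
    for role, duties in roles.items():
        for rule in rules:
            if rule.duties() <= set(duties):
                hits.append((rule.name, role, rule.first_duty, rule.second_duty))
    return hits

# Constructed sample rules and roles (hypothetical names, not from any tenant).
RULES = [
    SodRule("Vendor create vs pay", "Maintain vendor master", "Process vendor payments",
            "High", "One person could create a fictitious vendor and pay it.",
            "Assign the duties to different roles; review new vendors weekly."),
    SodRule("Invoice vs write-off", "Prepare customer invoice", "Authorize AR write-offs",
            "Medium", "One person could invoice a customer and then write the receivable off.",
            "Route write-offs to the treasurer for approval."),
]
ROLES = {
    "Accounts payable clerk": {"Maintain vendor master", "Process vendor payments"},
    "Billing clerk": {"Prepare customer invoice", "Update AR records for sales"},
    "Treasurer": {"Authorize AR write-offs", "Receive customer remittance"},
}

if __name__ == "__main__":
    for name, role, a, b in validate_roles(ROLES, RULES):
        print(f"Rule '{name}': role '{role}' combines '{a}' and '{b}'")
```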
What control mechanisms can help you enforce SOD?
When your company cannot fully segregate duties, you should put compensating controls in place. If a single person could conceal errors and irregularities day to day, their duties are not aligned with SOD. Several internal control mechanisms can help your organization enforce segregated duties.
- Audit trails let you recreate the actual transaction flow from its source to its current state through an up-to-date audit file. A good audit trail records who initiated the transaction, the exact date and time, its type, the fields of information it contains, and which files were updated.
- Administrators should handle exception reports, supported by evidence showing that exceptions are dealt with properly and on time. Usually this requires the signature of the responsible person on the finalized report.
- Your organization should maintain the system or application transaction log that records all processed commands and applications.
- Your company should employ an individual to conduct independent reviews, which help detect errors and irregularities in the business’s financial statements.
The above control mechanisms can help you enforce and streamline SOD. Implementing these practices on your own can be challenging; we at Instructor Brandon | Dynatuners help organizations ensure the effective implementation of control mechanisms and the proper alignment of SOD.
Segregation of Duties Matrix
Segregation of duties enhances security by reducing the risk of fraud and making financial reporting less prone to errors. At first, segregating duties may seem like a simple concept, but it becomes a complex process when implemented correctly.
Therefore, an SOD matrix can help you ensure that all accounting tasks, roles, and potential risks are clear to everyone. Conventionally, this matrix was built manually with pen and paper and reviewed for the permissions assigned to each role. Today, an advanced ERP system like Dynamics 365 Finance and Operations helps automate the complete process, making SOD more reliable and secure.
SOD Matrix for Revenue and Accounts Receivable Functions
|#|Revenue and Accounts Receivable Functions|Order Entry|Credit|Shipping|Accounts Receivable|Cash Receipts|IT|Treasurer|
|---|---|---|---|---|---|---|---|---|
|1.|Preparing Customer Order| | | | | | | |
|2.|Receiving Customer Order| | | | | | | |
|4.|Completion and Documentation of Shipping Goods| | | | | | | |
|5.|Preparing Customer Invoice| | | | | | | |
|6.|Update accounts receivable records for sales| | | | | | | |
|7.|Receiving Customer Remittance| | | | | | | |
|8.|Updating Receivable Remittance| | | | | | | |
|9.|Preparing Accounts Receivable balance| | | | | | | |
|10.|Authorization of Accounts Receivable write-offs| | | | | | | |
The segregation of duties matrix can track numerous transactional responsibilities. The chart above shows only a limited piece of a complete SOD matrix. Each column heading corresponds to a specific user group role. In the full matrix, each duty is listed twice, once horizontally and once vertically, so you can use the layout to pinpoint duties that may overlap.
How do you manage Conflicting Roles?
Managing conflicting roles or tasks in an ERP environment is not easy. Your ERP system may have thousands of users and assigned tasks across dozens of roles, each with its own rights. It can become troublesome to specify who should be doing what, and the duties and privileges people require are constantly changing.
A security administrator can create roles with several access privileges and unknowingly undermine the SOD framework. This is what we call SOD risk in an ERP system. Having defined policies is the best practice for becoming aware of probable conflicts and remediating them immediately. Before we begin resolving conflicting user role assignments in Dynamics AX, it is worthwhile to spend a moment understanding how the SOD tools in Dynamics 365 work.
Here at Instructor Brandon, we bring automation and precision to the SOD process. With powerful tools and deep learning, our teams can automatically analyze roles and the severity of fraud risk to help you mitigate it. What was previously a time-consuming and exhausting task, which could take weeks to uncover through a manual review of workflows, can now be done in minutes with an efficiently employed ERP system.
The segregation matrix below will help you understand the architecture of conflicting and non-conflicting permissions.
How to view and resolve conflicting user role assignments in Dynamics 365
- Go to System administration > Security > Segregation of duties > Segregation of duties unresolved conflicts.
- Select a conflict, and then select one of the following actions:
  - Deny assignment: This denies the assignment of the user to the additional security role. If you deny an automatic role assignment, the user is marked as excluded from the role. The excluded user isn’t granted the access associated with the role and can’t be assigned to the role until the administrator removes the exclusion.
  - Allow assignment: This overrides the conflict and allows the user to be assigned to the additional security role. If you override a conflict, you must enter a reason in the Reason for override field. All overridden role assignments can be viewed on the segregation of duties conflicts page.
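The unresolved-conflict workflow just described (a role request that would combine two conflicting duties is parked, then either denied, which excludes the user from the role, or allowed, which requires a reason for override), as an added Python example; it is not D365 code, and the rule, role and duty names are constructed:

```python
from dataclasses import dataclass, field

# Constructed sample data (hypothetical rule, role and duty names).
RULES = {"Vendor create vs pay": ("Maintain vendor master", "Process vendor payments")}
ROLE_DUTIES = {
    "Purchasing agent": {"Maintain vendor master"},
    "Accounts payable clerk": {"Process vendor payments"},
    "Buyer": {"Create purchase orders"},
}

@dataclass
class Conflict:
    user: str
    role: str                   # the additional role whose assignment raised the conflict
    rule: str
    status: str = "unresolved"  # unresolved | denied | allowed
    reason: str = ""

@dataclass
class SodState:
    assignments: dict = field(default_factory=dict)  # user -> set of assigned roles
    exclusions: set = field(default_factory=set)     # (user, role) pairs denied earlier
    conflicts: list = field(default_factory=list)    # history, including unresolved entries

    def request_assignment(self, user: str, role: str) -> str:
        """Return 'assigned', 'excluded' or 'conflict'; a conflict is parked unresolved."""
        if (user, role) in self.exclusions:
            return "excluded"  # stays out until an administrator removes the exclusion
        have = set().union(*(ROLE_DUTIES[r] for r in self.assignments.get(user, set())))
        combined = have | ROLE_DUTIES[role]
        violated = [n for n, (a, b) in RULES.items() if a in combined and b in combined]
        if violated:
            self.conflicts.append(Conflict(user, role, violated[0]))
            return "conflict"
        self.assignments.setdefault(user, set()).add(role)
        return "assigned"

    def deny(self, c: Conflict) -> None:
        c.status = "denied"  # user is marked as excluded from the role
        self.exclusions.add((c.user, c.role))

    def allow(self, c: Conflict, reason: str) -> None:
        """Override the conflict; a non-empty Reason for override is mandatory."""
        if not reason.strip():
            raise ValueError("Reason for override is required")
        c.status, c.reason = "allowed", reason
        self.assignments.setdefault(c.user, set()).add(c.role)

    def overridden(self) -> list:
        return [c for c in self.conflicts if c.status == "allowed"]  # conflicts page view
```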
In today’s technologically advanced world, where nearly every organization wants an efficient ERP system, we help them deploy a task-defined ERP system free from segregation overlaps and errors. A system in which every task is matched to the transaction flow makes it possible to group roles and tasks, while ensuring that no single user has permission to perform more than one stage of the overall flow.
Checklist to Streamline Segregation of Duties
Streamlining the segregation of duties can be problematic even with expert assistance; however, with the help of the checklist below, you can reorganize duties and reduce the chances of conflicting roles.
Specify policies and processes
Make use of identity management tools to outline the policies and enforce them in a consistent way across various applications.
Introduce a central workflow
To monitor segregated duties, your organization needs a central dashboard displaying access and authentication activity across all segregations. If one of your users has the privilege to access multiple tasks, you can track their actions.
Manage privileges on time
Elevated and temporary access lets you grant a user access for a limited amount of time. You can also set conditions on role parameters and remove them when they are no longer required or could become a source of conflicting duties.
Implement access-based workflow
Your organization should not grant access ad hoc; instead, access requests should be part of a structured workflow. With the Dynamics 365 identity management tool, you can define and enforce such workflows and keep an audit trail.
Provision-based access roles
Generally, your organization should not grant access to individual users directly. Instead, assign individuals to a specific role, which receives access based on provisioning. This prevents delays in receiving access, which can otherwise damage your organization’s productivity.
Employ a collaborative environment
Ensure robust collaboration between business management, IT, and HR. These departments should jointly define roles and their approvals, so that the permissions of each role match the job description and the specific skills of each employee. Your district managers should also encourage and participate in the approval of these business processes.
Do you have an effective SOD policy in place?
Ensuring that your organization has a proper SOD policy and internal controls in place requires you to know which role in your workflow is the most vulnerable. It also requires both intelligence and action to reveal the inappropriate access that exists in your SOD framework.
One thing is evident: you can only manage what you can see in your workflow. So you should not overlook the importance of dealing with a security risk, especially segregation of duty violations, which can pose a real threat to your business.
At Instructor Brandon | Dynatuners, we always seek innovative methods to improve your competitiveness and suit your Microsoft Dynamics 365 requirements. Our offerings are founded on defined procedures, industry experience, and product understanding. If you’re interested in consulting with our technical solution experts on how to implement segregation policies or resolve conflicting roles, feel free to Contact Us for more information.
How do you mitigate the lack of segregation of duties?
There may be compensating/mitigating procedures in place to reduce the risks associated with a lack of adequate segregation of duties. Audit trails, reconciliation, supervisory reviews, and transaction logs are examples of these controls.
What is the risk of segregation of duties?
When you do not establish a division of roles, you put the firm at risk. It increases the possibility of fraud and significant damage. When one person is given sole responsibility for two incompatible activities, the likelihood of fraud rises. This risk is reduced by delegating these responsibilities to different people.
Is segregation of duties a significant deficiency?
When accounting functions are not separated, there is a greater chance that the Trust’s assets will be misused and that the theft will not be discovered promptly. In such settings, management should always be aware of the possibility of such discrepancies.