In our last post (DYNAMICS NAV SECURITY AND CONTROLS), we discussed security and controls, why they matter, and some different forms that a risk can take. In this post, we will take a look at how to translate your business risks to key systems, determine who has access, and how to audit your system’s security in a feasible way.
How to Translate Business Risks to Key Systems
The first step in managing your risks is to translate business risks into key systems designed to mitigate them. Start by documenting your business processes with maps, then base your security on the maps. Identify your high risk processes and determine the functionality necessary for them. Then define risks, reviews, reviewers, and periodicity of reviews. Lastly, you’ll need to provide evidence that these reviews are actually occurring for the auditors’ sake.
Determining Systems Access and Reviews
It’s necessary to know where the high-risk access points to your systems are. Instead of auditing every process and access point, use a risk-based approach and monitor only the high-risk ones. The average system has over 5,000 access points, of which only 30 to 40 are high-risk. Identifying these points can reduce the rows in your audit report from over a million to 500 or so, which makes it realistic for the review to actually get done.
It’s also important to understand who has systems access. Your SuperUser is a crucial role, since they can access any part of the system and delete or add any info. Ensure any SuperUsers understand and are respectful of their role.
It’s also important to monitor changes made in NAV, but not excessively. Monitoring every change creates far more data than anyone can review. Instead, identify and review only high-risk transactions. You can focus on key areas (vendors, configuration, cash receipts) and key fields within each area (payment terms, addresses, pricing). For each change, ask yourself: who changed it, why was it changed, and was it changed correctly?
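As an added example (not code from the original post or from NAV itself), here is the risk-based filter the two paragraphs above describe, applied to a constructed change log. The record layout is loosely modelled on NAV's Change Log Entry (table, field, type of change, old and new value, user, time), but the exact field names, the table and field captions used as the high-risk scope, and the superuser account name are all assumptions for illustration. The filter keeps only key fields in key areas (plus any insert or delete of a record in a key area), then emits a review worksheet row per change with empty "why" and "correct" columns for the reviewer to fill in, which is the evidence the auditors will later ask for.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class ChangeLogEntry:
    """One change-log record. Field names are an assumption for this example,
    not NAV's exact Change Log Entry schema."""
    table_caption: str
    field_caption: str
    type_of_change: str      # "Insertion", "Modification" or "Deletion"
    old_value: str
    new_value: str
    user_id: str
    changed_at: datetime


# Risk-based scope: key areas and the key fields within each. These table and
# field captions are illustrative assumptions, chosen to match the post's
# examples (vendors, configuration, cash receipts; payment terms, addresses, pricing).
HIGH_RISK_FIELDS = {
    "Vendor": {"Payment Terms Code", "Address", "Bank Account No."},
    "Sales Price": {"Unit Price"},
    "General Ledger Setup": {"Allow Posting From", "Allow Posting To"},
    "Cash Receipt Journal Line": {"Amount", "Account No."},
}

# Accounts with unrestricted access (the post's SuperUser). A change made by one
# of them is escalated rather than routinely reviewed. Account name is assumed.
SUPERUSER_IDS = {"DOMAIN\\NAVSUPER"}


def is_high_risk(entry: ChangeLogEntry) -> bool:
    """In scope if the change touches a key field of a key area, or inserts or
    deletes a whole record in a key area (a new or removed vendor matters
    regardless of which field the log happens to record)."""
    key_fields = HIGH_RISK_FIELDS.get(entry.table_caption)
    if key_fields is None:
        return False
    if entry.type_of_change in ("Insertion", "Deletion"):
        return True
    return entry.field_caption in key_fields


def build_review_worksheet(entries):
    """Reduce the raw log to the rows a reviewer must sign off, oldest first.
    Each row carries the post's three questions: who, why, was it correct."""
    in_scope = sorted((e for e in entries if is_high_risk(e)), key=lambda e: e.changed_at)
    rows = []
    for e in in_scope:
        rows.append({
            "when": e.changed_at.isoformat(timespec="minutes"),
            "who": e.user_id,
            "area": e.table_caption,
            "field": e.field_caption,
            "change": e.type_of_change,
            "from": e.old_value,
            "to": e.new_value,
            "escalate": e.user_id in SUPERUSER_IDS,
            "why": "",           # reviewer records the business reason
            "correct": None,     # reviewer marks True/False after checking
        })
    return rows


def reduction_ratio(entries, rows):
    """Fraction of the raw log that survives the filter (the post's 'a million rows to 500')."""
    return len(rows) / len(entries) if entries else 0.0


# Constructed sample log: a few days of mixed activity, mostly routine noise.
SAMPLE_ENTRIES = [
    ChangeLogEntry("Item", "Description", "Modification", "Widget", "Widget, blue",
                   "DOMAIN\\JSMITH", datetime(2024, 3, 4, 9, 12)),
    ChangeLogEntry("Vendor", "Bank Account No.", "Modification", "12345678", "87654321",
                   "DOMAIN\\APCLERK", datetime(2024, 3, 4, 16, 40)),
    ChangeLogEntry("Vendor", "Name", "Modification", "Acme Ltd", "Acme Limited",
                   "DOMAIN\\APCLERK", datetime(2024, 3, 5, 10, 5)),
    ChangeLogEntry("General Ledger Setup", "Allow Posting From", "Modification",
                   "01/03/24", "01/01/24", "DOMAIN\\NAVSUPER", datetime(2024, 3, 5, 18, 2)),
    ChangeLogEntry("Customer", "Phone No.", "Modification", "", "555-0100",
                   "DOMAIN\\SALES1", datetime(2024, 3, 6, 11, 30)),
    ChangeLogEntry("Vendor", "", "Deletion", "V00042", "",
                   "DOMAIN\\APCLERK", datetime(2024, 3, 6, 17, 55)),
    ChangeLogEntry("Sales Price", "Unit Price", "Modification", "100.00", "10.00",
                   "DOMAIN\\SALES1", datetime(2024, 3, 3, 8, 0)),
]

if __name__ == "__main__":
    worksheet = build_review_worksheet(SAMPLE_ENTRIES)
    for row in worksheet:
        print(row)
    print(f"{len(worksheet)} of {len(SAMPLE_ENTRIES)} entries need review")
```

Of the seven constructed entries, four survive the filter: the price change, the vendor bank account change, the posting-date change (escalated because a superuser made it) and the vendor deletion. Item descriptions, customer phone numbers and a vendor name edit drop out, which is the point: the reviewer reads a short, defensible list instead of the whole log, and the "why" and "correct" columns become the record that the review happened.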
Your main goal with security and controls should be to understand your risks, make rules accordingly, and know how to address each. Each security risk should have a corresponding control in place to mitigate it. Build an entire worksheet of your risks and how you respond. You can give these to auditors and you can use them internally to help keep your system and your financial information secure.
Read part 3 of our series.