In part one: Security and Controls in Microsoft Dynamics AX, we discussed security and controls and why they are important for your business. We talked about different forms that risk can take. In this post, part two, we will discuss how business risks relate to your key business systems, determine who should have security access and how to keep on top of security and controls in a way that ensures a balanced and workable business environment.
Mitigating risks within your key business systems
The first step in managing risk is to identify where the vulnerable spots are in your business processes. Companies should start by documenting their business processes and then base security on those process maps. Identify the high-risk processes and the systems through which they run, then define, for each, the risks, the reviews, the reviewers, and how often each review takes place. Instead of auditing every process and access point, use a risk-based approach and monitor the high-risk ones; narrowing the scope this way significantly reduces the effort of monitoring controls on an ongoing basis. Lastly, organizations need to retain evidence (sign-offs, review logs, dated reports) that the reviews actually took place as scheduled. Without that evidence there is no way to confirm, to an auditor or to yourselves, that the controls are operating.
Next, companies need to define who has access to the system. Administrators can reach any part of Dynamics AX and have the authority to add, change or delete any data in it. This is a weighty responsibility: the administrator role should be granted to as few people as the business genuinely needs, and each of them must understand the scope of that access and respect the trust placed in them.
Microsoft Dynamics AX provides options for monitoring changes made within the solution, but they are designed for troubleshooting rather than auditing, and reporting on the captured changes can be problematic. A better option is to identify and monitor only high-risk actions and changes, which reduces the volume of data that has to be reviewed.
Companies should focus on key areas (vendors, configuration, cash receipts) and on the key fields within each area (payment terms, addresses, pricing). In each case the audit trail should record who changed a particular piece of information, why it was changed, and both the original and the new value.
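The kind of filter the last two paragraphs describe, as an added Python example that is not part of the original post and not Dynamics AX code: it keeps only changes to the key fields of key areas and checks each surviving entry for the four audit-trail attributes (who, why, original value, new value). The record layout, the table and field names, and the sample log lines are all constructed for illustration and do not reflect the real AX schema.

```python
"""Filter a change log down to the high-risk fields worth reviewing and
check that each such entry carries a complete audit trail (who, why,
original value, new value).

Added illustration, not Dynamics AX code: the record layout and the
table/field names below are assumptions chosen to mirror the key areas
the post names (vendors, configuration, pricing), not the real AX schema.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Key areas and the key fields within each that get monitored. Everything
# outside this map is deliberately ignored to keep the review volume down.
HIGH_RISK_FIELDS: Dict[str, Set[str]] = {
    "VendTable": {"PaymTermId", "Address", "BankAccount"},   # vendors
    "InventTableModule": {"Price"},                          # pricing
    "SysParameters": {"Value"},                              # configuration
}


@dataclass(frozen=True)
class ChangeRecord:
    """One row of a change log (constructed layout)."""
    table: str
    field: str
    record_id: str
    user: str
    changed_at: str
    old_value: Optional[str]
    new_value: Optional[str]
    reason: Optional[str]  # justification captured with the change, if any


def is_high_risk(rec: ChangeRecord) -> bool:
    """True when the change touches a key field of a key area."""
    return rec.field in HIGH_RISK_FIELDS.get(rec.table, set())


def audit_gaps(rec: ChangeRecord) -> List[str]:
    """List the audit-trail attributes missing from one change record."""
    gaps: List[str] = []
    if not rec.user:
        gaps.append("no user recorded")
    if not rec.reason:
        gaps.append("no reason recorded")
    if rec.old_value is None or rec.new_value is None:
        gaps.append("original and new value not both recorded")
    return gaps


def review_changes(records: List[ChangeRecord]) -> Tuple[List[ChangeRecord], Dict[str, List[str]]]:
    """Return the high-risk changes and, keyed by record, the gaps in their audit trail."""
    risky = [r for r in records if is_high_risk(r)]
    incomplete: Dict[str, List[str]] = {}
    for r in risky:
        gaps = audit_gaps(r)
        if gaps:
            incomplete[f"{r.table}.{r.field}#{r.record_id}"] = gaps
    return risky, incomplete


def changes_by_user(records: List[ChangeRecord]) -> Dict[str, int]:
    """Count high-risk changes per user, to see how much of it admin accounts do."""
    counts: Dict[str, int] = {}
    for r in records:
        if is_high_risk(r):
            counts[r.user] = counts.get(r.user, 0) + 1
    return counts


# Constructed sample log: five changes, four of them to high-risk fields.
SAMPLE_CHANGES = [
    ChangeRecord("VendTable", "PaymTermId", "V-1001", "jdoe", "2015-03-02T09:14",
                 "Net30", "Net60", "Approved by AP manager, ticket 4471"),
    ChangeRecord("VendTable", "Address", "V-1001", "admin", "2015-03-02T09:20",
                 "12 High St", "PO Box 77", None),           # high-risk, no reason
    ChangeRecord("VendTable", "Name", "V-1001", "jdoe", "2015-03-02T09:21",
                 "Acme Ltd", "Acme Limited", None),          # not a key field, ignored
    ChangeRecord("InventTableModule", "Price", "I-2200", "admin", "2015-03-03T16:02",
                 None, "14.99", "Price list update"),        # high-risk, old value lost
    ChangeRecord("SysParameters", "Value", "AllowNegativeStock", "admin", "2015-03-04T08:00",
                 "No", "Yes", "Change request CR-88"),
]

if __name__ == "__main__":
    risky, incomplete = review_changes(SAMPLE_CHANGES)
    print(f"{len(risky)} of {len(SAMPLE_CHANGES)} changes touch high-risk fields")
    for key, gaps in incomplete.items():
        print(f"  {key}: {', '.join(gaps)}")
    print("high-risk changes by user:", changes_by_user(SAMPLE_CHANGES))
```

On the sample log the filter drops the vendor name edit, keeps the other four changes, and flags two of them: the address change that was made without a recorded reason and the price change whose original value was not captured. The per-user count shows the admin account behind three of the four high-risk changes, which is exactly the concentration of authority the previous section warns about.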
The main goal of security and controls should be to identify potential risks and to have a plan for addressing each one. Every identified security risk should have a documented control in place that mitigates it.
Read part three of our series: Effectively Creating and Maintaining a Proper Security Environment in Microsoft Dynamics AX.