In previous blog posts, part 1: Security and Controls in Microsoft Dynamics AXand part 2: Achieving a Proper Security Environment within Microsoft Dynamics AX we covered the definitions of security and controls and why they are important and how business risks relate to key business systems with an eye on access and reviews.
This third post in our series will discuss the difference between application security and database security, segregation of duties in Dynamics AX, as well as how to create appropriate audit trails in Dynamics AX.
Applications Security Versus Database Security
Most businesses focus on applications security within their business systems. Which means they decide who can have access to which tables, windows and menus. But they should also determine how this will affect their database security.
For example, suppose a developer routinely gained access to a database and changed the remit-to addresses on several vendor accounts just before checks were run, then changed them back afterwards. Management would be unable to determine who was actually paid, mainly because there was no way to review what happened in the database. Just because a company has determined appropriate access levels for applications doesn’t mean companies can assume database security. What companies need is a clear audit trail.
An auditor should be able to clearly see where the risks are and what a company has done to mitigate them. In part two of this series we talked about determining security risks and then addressing each risk with a specific control. But this is only useful if there is follow up for each control detailing risks and responses. Auditors want to see this; so, each time an employee responds to a risk, their users should save a PDF or print a report as evidence. Some options to address this include the Activity Tracking tool built into Dynamics AX, or an add-on tool like Fastpath's Audit Trail. For a deeper look at setting up audit trails in Dynamics AX, read our blog post: Five Things To Think About when Setting up Audit Trails.
Segregation of Duties
For instance, the general rule should be that no individual should be able to create a vendor account and also create a purchase order on that account or create a general ledger account and then post a transaction to it. Perfect segregation of duties may be impossible, but segregation of duties conflicts should be documented along with mitigation details for each conflict.
Having a detailed worksheet of risks and controls helps document for auditors that the company recognizes the risks, has provided controls to mitigate those risks, and has justified the assignment of duties. This documentation helps ensure that audits run more efficiently, and having the worksheet available will make certain that employees understand the risks and responses. That will reduce the likelihood of accidents or abuses occurring.
We know companies are concerned with security when it comes to your business systems. At Fastpath, our mission is to deliver software solutions that seamlessly empower our clients to take control of their security, compliance and risk management initiatives. We pride ourselves on delivering high level customer support for all of our solutions. If you are looking to achieve the level of security that will satisfy your auditors and benefit your business, contact our team at Fastpath