This third installment of our series will cover the difference between application security and database security, segregation of duties in NAV, and how to create appropriate audit trails in NAV.
In Part 1 & 2's blog posts, (Dynamics NAV Security and Controls) and (Achieving a Proper Security Environment Within Dynamics NAV) we covered the definitions of security and controls and why they are important, as well as translating business risks to key systems and determining systems access and reviews.
Application Security Versus Database Security
Many companies focus on applications security in their systems. They determine who can access which tables, windows and menus, but often don’t spend enough time thinking about how this will translate to database access.
For example, if a developer routinely went into a database and changed the remit-to address on several vendor accounts just before checks were run, then changed it back afterward. The company couldn’t figure out where the checks were going, mainly because no one was reviewing what was happening in the database. Lesson? Just because you’ve determined appropriate access levels for applications doesn’t mean you can assume database security.
Creating Clear Audit Trails
Auditors should be able to clearly see where your risks are and how you’re dealing with them. We spoke in the last post about determining your security risks, then addressing each with a specific control. This is crucial, but insufficient if you don’t then follow up each control with a report detailing where you saw the risk and what you did about it. Auditors want to see this, so each time you respond to a risk according to your business rules, save a PDF or print a report as evidence. You can use the Change Log tool native to Dynamics NAV, or a tool like Fasptath's Audit Trail. For a deeper dive on setting up audit trails in NAV, read our blog post: Five things to think about when setting up audit trails.
Segregation of Duties
Usually, no one person should be able to create a vendor account and then create a purchase order on that account or create a general ledger and then post a transaction to it. If you do break these rules, be sure create a report explaining that you did so knowingly, and detailing which control you used.
An entire worksheet of risks and mitigations provides proof for auditors that you understand your risks, provide controls to mitigate those risks, and have appropriate segregation of duties. This will make your audits run much more smoothly, and keeping the worksheet handy so employees understand your risks and responses will reduce the likelihood of accidents or abuses occurring.
We hope you found our 3 part blog series on proper security and controls in your Dynamics NAV environment to be helpful to your organization. It is our goal here at Fastpath to create solutions that improve audit efficiency and effectiveness in a vast number business environments. We strive to not only provide the most advanced, user friendly auditing tools on the market, but to also provide top notch customer support along any and all processes.
If your company is ready to achieve the level of security auditors hope for, feel free to contact our team today and learn how our tools can help your company achieve and maintain a proper level of security. Not ready to chat yet? Feel free to download our eBook "Selecting Audit Trail Software for Microsoft Dynamics NAV" here.