In Dynamics AX 2012 and Dynamics 365 for Finance and Operations (D365FO), there is an out-of-the-box piece of functionality which allows you to set up segregation of duties (SoD). We are going to look at comparing this native functionality to the features and methodology that Fastpath uses to review and administer segregation of duties.
Methodology – SoD Analysis at Duty Level vs. Object Level
In Dynamics AX/D365FO, segregation of duties rules are defined at the duty level of the role, duty, privilege security hierarchy: a rule names two duties, and a user who has access to both duty 1 and duty 2 is flagged as having a SoD conflict.
If you perform a SoD analysis at the duty level, the following problems are introduced:
- Potential gaps are left open, because there are ways to circumvent the rules:
  - Assigning privileges directly to roles, which bypasses the duty layer altogether.
  - Changing the security of a duty that is not currently in scope of the SoD ruleset (e.g. granting full control to a View/Inquiry duty) and then assigning it to a role or user.
- Security changes introduce false positives and false negatives:
  - Changing security at the duty or privilege level can create new conflicts or remove existing ones.
  - This means that any time a change is made at the duty or privilege level, the SoD ruleset must be re-analyzed to make sure it is still valid.
  - The churn of having to review SoD after every change at the duty or privilege level can make administering SoD with the native functionality unmanageable.
At Fastpath our approach is different: we review and administer segregation of duties at a functional/object level, or what we call a business process. We define a business process as a group of objects that allow a user or role to perform a task or process. In Dynamics AX/D365FO, these business processes are made up of menu items, data entities, tables, service operations, etc., that allow a user to create, edit, or delete data in a particular business area. We then combine these business processes to form our segregation of duties conflicts.
If you perform a SoD analysis at the object level:
- There is no way to circumvent the rules that are set up:
  - Because we do our analysis at the object level, there is no way around the question of whether a user or role is assigned a particular object or not.
- False positives and false negatives caused by security changes are eliminated:
  - It doesn’t matter what changes you make to roles, duties, or privileges. We process all of those changes, extract the objects that each user or role has access to, and use that in our SoD analysis.
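To make the difference concrete, here is a small Python model of the role -> duty -> privilege -> object hierarchy, written for this article as an added illustration; it is not Fastpath's or Microsoft's code, and every name in it (the VendTable* objects, the duties, roles, users and rules) is constructed. It reproduces the two gaps listed above, a privilege assigned directly to a role and a privilege added to a duty that sits outside the ruleset, both of which a duty-level check misses and an object-level check catches. It also goes slightly beyond the text by accepting rules with more than two business processes.

```python
"""Toy segregation-of-duties (SoD) evaluator that contrasts duty-level analysis
with object-level analysis. Everything below is a constructed, hypothetical
security model in the shape of the role -> duty -> privilege -> object
hierarchy; the names are not real D365FO metadata."""
from copy import deepcopy

# Privilege -> securable objects (menu items, data entities, ...). Constructed.
PRIVILEGES = {
    "VendorCreate": {"VendTableCreate"},
    "VendorView": {"VendTableView"},
    "InvoiceApprove": {"VendInvoiceApprove"},
    "VendorPaymentPost": {"VendPaymJournalPost"},
}
# Duty -> privileges. Constructed.
DUTIES = {
    "MaintainVendors": {"VendorCreate"},
    "InquireVendors": {"VendorView"},
    "ApproveVendorInvoices": {"InvoiceApprove"},
    "ProcessVendorPayments": {"VendorPaymentPost"},
}
# Role -> duties, plus privileges assigned straight to the role (bypassing duties). Constructed.
ROLES = {
    "APClerk": {"duties": {"MaintainVendors"}, "privileges": set()},
    "APSupervisor": {"duties": {"InquireVendors"}, "privileges": {"VendorPaymentPost"}},
    "APManager": {"duties": {"MaintainVendors", "ApproveVendorInvoices", "ProcessVendorPayments"},
                  "privileges": set()},
}
USERS = {"alice": {"APClerk", "APSupervisor"}, "bob": {"APSupervisor"}, "carol": {"APManager"}}
MODEL = {"privileges": PRIVILEGES, "duties": DUTIES, "roles": ROLES, "users": USERS}

# Native-style rule: two duties that must not be held together.
DUTY_RULES = [("MaintainVendors", "ProcessVendorPayments")]

# Object-level rules: a business process is a set of objects, and a rule lists
# two or more business processes that conflict when a user can reach at least
# one object in each of them.
BUSINESS_PROCESSES = {
    "Create Vendor": {"VendTableCreate"},
    "Approve Vendor Invoice": {"VendInvoiceApprove"},
    "Post Vendor Payment": {"VendPaymJournalPost"},
}
OBJECT_RULES = [
    ("Create Vendor", "Post Vendor Payment"),
    ("Create Vendor", "Approve Vendor Invoice", "Post Vendor Payment"),  # 3-way rule
]


def user_duties(user, model=MODEL):
    """Duties a user holds through any assigned role (all a duty-level check sees)."""
    roles, users = model["roles"], model["users"]
    return set().union(*(roles[r]["duties"] for r in users[user]))


def user_objects(user, model=MODEL):
    """Effective objects: role -> duty -> privilege -> object, plus the privileges
    attached directly to each role, which the duty layer never sees."""
    privileges, duties, roles, users = (model[k] for k in ("privileges", "duties", "roles", "users"))
    objects = set()
    for role in users[user]:
        privs = set(roles[role]["privileges"])  # direct assignments bypass duties
        for duty in roles[role]["duties"]:
            privs |= duties[duty]
        for priv in privs:
            objects |= privileges[priv]
    return objects


def duty_level_conflicts(user, model=MODEL, rules=DUTY_RULES):
    """Rules violated when only duty membership is considered."""
    held = user_duties(user, model)
    return [rule for rule in rules if all(d in held for d in rule)]


def object_level_conflicts(user, model=MODEL, rules=OBJECT_RULES, processes=BUSINESS_PROCESSES):
    """Rules violated when effective object access is considered; handles n-way rules."""
    held = user_objects(user, model)
    return [rule for rule in rules if all(processes[bp] & held for bp in rule)]


def with_duty_change(model, duty, privilege):
    """Copy of the model with `privilege` added to `duty` (the out-of-scope duty change case)."""
    changed = deepcopy(model)
    changed["duties"][duty] = set(changed["duties"][duty]) | {privilege}
    return changed


if __name__ == "__main__":
    for user in USERS:
        print(user, "duty-level:", duty_level_conflicts(user),
              "object-level:", object_level_conflicts(user))
    changed = with_duty_change(MODEL, "InquireVendors", "VendorCreate")
    print("bob after duty change: duty-level:", duty_level_conflicts("bob", changed),
          "object-level:", object_level_conflicts("bob", changed))
```

Running it, alice shows no duty-level conflict (she never holds the ProcessVendorPayments duty) yet an object-level conflict, because the VendorPaymentPost privilege hangs directly off her APSupervisor role. Bob is clean until a privilege is added to the InquireVendors duty, which is outside the duty ruleset; the duty-level result stays empty while the object-level check flags the new conflict, which is exactly why a duty-level ruleset has to be re-analyzed after every such change.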
As audit partners have become better versed in auditing Dynamics AX/D365FO, they have started looking for a more detailed functional/object SoD analysis instead of the native duty-based analysis offered by Microsoft, because they understand the problems these gaps present from a control perspective. Furthermore, once these native gaps are known, auditors do not place reliance on SoD reviews that use the native controls, which leads to customers having audit findings around SoD issued in their audit reports.
Out of Box Ruleset
There is no out-of-the-box ruleset available natively within Dynamics AX/D365FO, so a customer must build a ruleset from the ground up, identifying and adding their own rules one by one. Within Fastpath Assure®, almost 100 rules are delivered automatically with the deployment of the tool. These rules have been developed by our internal audit team and audit partners over the past 14 years to provide a cross-industry best practice ruleset based on ISACA principles and the COSO framework. Additionally, the Fastpath Assure ruleset is the same one used by many of the world's leading accounting firms to support their SoD audit testing for their clients.
Customizable SoD Ruleset
The SoD ruleset provided by Fastpath Assure can also be added to, removed from, or modified at the conflict or business process level, making it flexible enough to fit your business needs. The platform also allows more than two business processes to be in conflict, so a 3-way match, 4-way match, or more can be supported. That is important, as no two customers are exactly alike in their design and use of internal controls, including compensating controls.
User and Role Conflict Reporting
Dynamics AX/D365FO has a SoD conflict report, which can only be produced at the user level. On this report you can see which conflict(s) exist and apply mitigations to them, but each mitigation entry is a manual process. Almost all customers have some level of conflicts, and documenting mitigations manually can be very time-consuming, not only to record the mitigation but later to provide evidence of all mitigations to the auditors. Additionally, without the ability to natively schedule these reports for review, the conflict review process becomes very manual and time-consuming, and the review is incomplete because it takes place only at the user level.
Within Fastpath Assure, we have detailed conflict reporting at both a user and role level, allowing you to report on the entire role, duty, privilege hierarchy of how that access is being assigned. Seeing this level of detail can prove valuable when explaining to an auditor the exact details around a conflict.
At the user conflict level, mitigations can be applied using a built-in control library that, again, can be customized by the user. This allows multiple mitigations to be applied easily, and a mitigation can go through an approval process, with the history of the user conflict mitigation approval being documented. Auditors frequently ask to see a controls library, and the time saved by documenting mitigations directly from the control library is also extremely helpful.
Additional Features within Fastpath Assure
- Signature Log Report Sign-off
  - Every report can be executed and signed off on, and the signature log captures the user who executed the report, the date and time the report was run, any report parameters, and any notes included.
  - This can be used as part of the audit cycle to provide evidence that reports are being run, reviewed, and signed off on.
- Scheduled delivery of reports in multiple file formats
  - Reports can be scheduled to be sent to users on a periodic basis in XLSX, PDF, and CSV file formats.
  - Reports can also be delivered directly to a user’s inbox; by clicking a link inside the email, the user is taken into Fastpath Assure, where they can review and sign off on the report.
- Access Certifications
  - Allows scheduling of periodic reviews of users’ access and SoD conflicts.
  - Full and rolling reviews can be done to help speed up the review process.
  - All reviews are documented within Fastpath Assure, providing auditors with evidence that they have been completed.
These features deliver time savings and efficiencies that do not exist within the native Dynamics AX/D365FO functionality. Effective management and review of SoD is critical to any Dynamics AX/D365FO environment, but it requires the correct approach: the analysis must be focused at the right level of the security model, so that reviews are accurate and reflect the access that is actually assigned.
Whenever possible, SoD best practices also recommend automating the processes behind these reviews, including the sign-off on the reports being reviewed. Controls like SoD management are part of any internal control system, and the effective and efficient use of these reviews can help ensure your company is managing risk in this critical area.
If you're interested in learning how Fastpath can help with D365FO security, download our eBook "Develop and Implement Least Privilege Security for D365 with Fastpath".