National Manager of Assisted Living Communities

Start Up Real Estate Management Company Builds SOX Compliant and Scalable D365FO Security Framework in Expedited Timeframe

The Challenge

Our client is a national manager of distinctive, independent assisted living and memory care communities throughout the U.S. Established less than two years ago, it has grown to manage more than 100 retirement communities caring for more than 5,500 residents across 28 states.

To accommodate the company’s rapid growth, the organization implemented Dynamics 365 for Finance and Operations (D365FO) on an accelerated timeline to establish a business management platform quickly. However, this forced the team to rely only on the standard security roles delivered with the application ‘out of the box’, which inherently contained critical and high-risk Separation of Duties (SoD) conflicts.

This was not going to work for much longer. Due to the amount of revenue under management for a large public real estate investment trust (REIT), they soon needed to comply with Sarbanes-Oxley (SOX) and external audit requirements, including controls over security access in D365FO. They needed to quickly find a solution that would integrate well within their D365FO environment and provide detailed audit reporting, SoD visibility, and scalable task-based roles for future growth. 

The Solution

The customer acquired Fastpath and asked for implementation partners that could support them and solve their problem within the timeframe allotted. They reached out to Protiviti, a global consulting and internal audit firm, to assist with the Fastpath implementation, the security redesign build process, and establishment of governance processes to protect their new security architecture. 

The customer’s management team understood how critical it was to have the software and the governance processes in place, in order to effectively accomplish their objectives and sustain their security model going forward. Additionally, they wanted a team with the right experience executing these types of projects to help deliver within their expedited project timeline.  

To deliver the project requirements, Protiviti recommended which Fastpath products needed to be implemented to support the immediate project objectives. Fastpath has been Protiviti’s GRC, audit, and compliance tool of choice for the Microsoft Dynamics suite of products because of its leadership in the space and experience with the Microsoft ERP solutions.

To start building a compliant D365FO security architecture, a SoD risk framework had to be established and configured within the Fastpath software. The framework provided the rules for how the new roles could be built. Once the ruleset was configured within Fastpath, the team used the solution to help build security roles that aligned and complied with the SoD framework, designed processes for managing their new risk framework, and implemented the new roles throughout the organization.

By relying on Fastpath, Protiviti streamlined the iterative build, test, analyze, and modify processes. This made it easier to quickly build scalable task-based roles that were free of SoD conflicts, and still provided a flexible security framework enabling the customer to grow and change over time. 

The Results

Over the course of 15 weeks, Protiviti built an application security framework with the assistance of Fastpath to support the customer’s need to comply with SOX regulations, design a security framework focused on the principle of least privilege, and drive business ownership of security roles and risks. By building and validating a customized SoD ruleset within Fastpath, and then using the solution for SoD risk analysis, Protiviti rapidly created task-based roles that ensure appropriate access and proper control throughout the customer’s D365FO environment.

Before the redesign, the customer had almost 50 critical SoD role conflicts and over 1,200 user conflicts. After partnering with Protiviti and deploying Fastpath with the customized SoD ruleset, all roles are now free of unmitigated SoD conflicts and the total number of conflicts at the user level has been reduced by over 97% (the remaining 3% are accepted and mitigated through compensating controls). 

The ruleset is more comprehensive with the addition of 69 custom objects that would not normally be captured in the out-of-the-box Fastpath ruleset. Lastly, the number of non-system users who are assigned the System Administrator role has also been reduced from 10 users to 4, making sure that only the right individuals have this elevated level of access.  

Moving forward, key individuals within Internal Audit, IT, and the business at the customer have been trained on how to leverage Fastpath as well as the new governance processes. Thanks to a collaborative approach and good work from the customer, Protiviti, and Fastpath, they’re now able to realize and manage SoD risks into the future.