Sunday, October 6, 2024

Segregating Responsibilities in Vendor Invoice Processing



SEGREGATING RESPONSIBILITIES IN VENDOR INVOICE PROCESSING

CONTENT

Introduction
SOD business process flow in Vendor Invoice Processing
Prerequisites for Implementing SOD in Vendor Invoice Processing
Scenario 1: Processing a service invoice
Scenario 2: Processing an inventory invoice
Conclusion

Introduction

Segregation of Duties (SOD) is a foundational principle in internal control that ensures critical tasks within business processes are divided among multiple individuals. This division of responsibilities helps prevent fraud, errors, and conflicts of interest by reducing the likelihood of any one person being in control of all parts of a transaction. It is particularly relevant for financial operations, where sensitive transactions such as vendor invoice processing must be handled with care to maintain compliance with regulations such as SOX (Sarbanes-Oxley Act) and safeguard the organization from financial mismanagement.

Microsoft Dynamics 365 Finance (D365 Finance) integrates SOD principles throughout its workflows, ensuring that organizations can enforce these controls systematically. Vendor invoice registration and processing, in particular, benefit from D365 Finance’s robust SOD capabilities, allowing businesses to create clear separation between invoice registration, matching, and final posting activities.

Before going into the technical details of vendor invoice processing in D365 Finance, it is essential to understand why SOD is critical for businesses. By enforcing SOD:

  • Risk of Fraud is Minimized: When key duties like approval, execution, and verification are split across multiple individuals, it becomes much harder for anyone to manipulate the system without detection.
  • Error Detection is Enhanced: SOD reduces the likelihood of undetected mistakes, as different eyes are involved in various steps of the process, providing opportunities for checks and balances.
  • Compliance Requirements are Met: Regulatory frameworks such as SOX mandate SOD as part of their requirements for financial reporting integrity, and failure to implement these can result in penalties or reputational damage.

In vendor invoice processing, SOD plays a key role by ensuring that the registration, approval, and posting of invoices are handled by separate personnel, or at least separate workflow processes, reducing the chance of unauthorized or erroneous payments.

SOD business process flow in Vendor Invoice Processing

Microsoft designed Dynamics 365 Finance screens and workflows with built-in SOD principles to streamline the segregation of duties in processes like vendor invoice registration and approval. Let's explore how this process works within D365 Finance, focusing on the distinct stages of Registering, Matching, and Posting.

1. Registering the Vendor Invoice

The purpose of the invoice registration stage is to capture the invoice details without fully committing them to the financial ledgers. This temporary registration helps organizations maintain an organized workflow where invoices are captured as they arrive but are not yet officially posted. The SOD principle here is that the person responsible for registering the invoice does not have the ability to approve or post it.

In Dynamics 365 Finance, you can either register invoices manually or through automation. The manual registration process involves creating a journal entry, inputting minimal details such as the invoice number, vendor, and total amount.

This flexibility allows businesses to set up Power Automate integrations or other data entities to streamline the registration process. The key benefit of automation here is that it reduces manual data entry, allowing invoices to flow seamlessly into the system while still maintaining SOD principles.

At this stage, there is no need to match the invoice to a purchase order (PO), allowing for a quick and efficient way to capture the total invoice amount without being bogged down by details.

2. Matching the Invoice to Purchase Orders

Matching invoices to purchase orders is crucial for verifying that the goods have indeed been ordered and received. This step not only ensures the accuracy of the invoice but also reinforces SOD principles by requiring different individuals or workflows to handle the verification of the goods or services received.

During the matching phase, the system cross-references the invoice with the relevant purchase order and/or product receipts. In D365 Finance, the system can automatically match these documents, reducing the chance for manual errors. If a discrepancy is detected, it needs to be resolved before proceeding to final posting.

3. Posting the Invoice

Once the invoice has been registered and matched, it moves to the final stage of posting, where it becomes a permanent record in the financial system. Posting invoices involves applying the correct expense accounts and ensuring all relevant checks have been completed. The segregation here ensures that the person posting the invoice is not the same individual who registered or matched it.

In Dynamics 365 Finance, the invoice approval screen facilitates the final posting. The system brings all the required account information automatically, and the user responsible for posting merely needs to review and approve the details.

Prerequisites for Implementing SOD in Vendor Invoice Processing

Before implementing the segregation of duties (SOD) principles in vendor invoice processing within Dynamics 365 Finance, there are a few key configurations that must be set up to ensure a smooth workflow. Below are the essential prerequisites:

  • Invoice Register Journal Type Creation: This journal type is necessary for the temporary registration of invoices. It allows the system to capture the invoice details without immediately posting them. Follow these steps to create it: Navigate to General ledger > Journal setup > Journal names. Create and configure the journal for invoice registration.


  • Invoice Approval Journal Type Creation: The invoice approval journal type enables the retrieval and final posting of previously registered invoices. This setup is critical for separating the registration from the approval and posting processes: Go to General ledger > Journal setup > Journal names. Create the appropriate journal for invoice approval.


  • Vendor Posting Profile Setup: Vendor posting profiles dictate how the system posts transactions to general ledger accounts. For the invoice registration process, you need to configure a temporary vendor account and offset account: Navigate to Accounts payable > Setup > Vendor posting profile. Set the Arrival account to a temporary vendor account and the Offset account to a temporary offset account.

Let’s consider a typical situation where three different individuals are responsible for the stages of processing a vendor invoice. 

Emma is responsible for registering the invoice.

John handles matching the invoice with the Purchase Order (PO) and Product Receipt.

Sophia is responsible for the final posting of the invoice in the financial system.

SCENARIO 1: Processing a service invoice

Invoice Registration by Emma: Emma works in the accounts payable department, and her role is to register invoices as they arrive. Today, she receives an invoice from a vendor for a batch of products ordered by the company. Emma’s responsibility is to input the invoice details into the system without finalizing the transaction.

In Dynamics 365 Finance, Emma follows these steps:

Go to Accounts payable >> Invoices >> Invoice register

Click on +New and select an (invoice registration) journal name.


Create a journal line.
Emma enters the vendor account, invoice number, date, and total amount of the invoice. At this point, she does not match it with any purchase order.

Once the details are entered, she posts the invoice as temporarily registered in the system.

Posted journal voucher is as below

A voucher is created, and the system logs the invoice in a way that allows it to be reviewed and processed later. This voucher’s account setup is done in the vendor posting profile as explained in the prerequisites section.

Emma’s role is now complete. Her responsibilities ensure that invoices are captured in the system quickly but without granting her the ability to finalize or post them.

Invoice Posting by Sophia: Finally, Sophia, who works in the finance department, is responsible for approving and posting the invoice after all checks have been completed. Sophia’s task is to review the details entered by Emma before completing the posting process.

In Dynamics 365 Finance, Sophia performs the following:

Go to Accounts payable >> Invoices >> Invoice approval

Click on +New and select a (invoice approval) journal name


An empty screen comes up. Click on Find vouchers to find the temporarily posted invoices.


Find the invoice by clicking on Find vouchers.


Select the invoice and click on Select button and then OK button.


Once the relevant invoice is found, she reviews the accounts and details automatically populated by the system. She enters the appropriate expense account to which the invoice will be posted.


Click on Post.


Posted voucher is as below:


SCENARIO 2: Processing an inventory invoice

This scenario is different from the previous one. In addition to the steps in the first scenario, this process includes matching the purchase order (PO) and product receipt before posting the invoice.

Invoice Registration by Emma: Emma works in the accounts payable department, and her role is to register invoices as they arrive. Today, she receives an invoice from a vendor for a batch of products ordered by the company. Emma’s responsibility is to input the invoice details into the system without finalizing the transaction.

In Dynamics 365 Finance, Emma follows these steps:

Go to Accounts payable >> Invoices >> Invoice register

Click on +New and select a (invoice registration) journal name.

Create a journal line, enter the vendor account, invoice number, invoice date and invoice amount.


Click on post.


Posted journal voucher is as below.

So far, the invoice has been temporarily registered and has no purchase order relation.

This voucher’s account setup is done in the vendor posting profile as explained in the prerequisites section.

Invoice Matching by John: Next, John, who works in the procurement department, is responsible for ensuring that the invoice details match the relevant purchase orders and product receipts. In this case, the invoice pertains to an order that was placed last month, and the products have already been delivered.

John performs the following actions:

He navigates to Accounts payable > Invoices > Invoice pool, where the temporarily registered invoices are listed.

Click on Purchase order and select the PO number.

John selects the corresponding invoice and then clicks on Find purchase orders to locate the purchase order associated with the invoice.



The system creates a pending invoice on the invoice pool screen. Click on Match product receipts.



Match the product receipt by clicking on Match product receipts.



Perform invoice matching by clicking on Update match status.



John's role ensures that the goods or services invoiced are properly matched against what was ordered and received, adding a crucial layer of verification in the process. He does not, however, have the authority to post the invoice.

Invoice Posting by Sophia: Finally, Sophia, who works in the finance department, is responsible for approving and posting the invoice after all checks have been completed. Sophia’s task is to review the details entered by Emma and the matching done by John before completing the posting process.

In Dynamics 365 Finance, Sophia performs the following:

Go to Accounts payable >> Invoices >> Invoice approval

Click on +New and select a (invoice approval) journal name.


An empty screen comes up.

Sophia clicks on Find vouchers to locate the invoices that have been matched but are pending approval and posting.


Select the invoice and click on Select button and then OK button.



The system automatically brings in all accounts to be used for the posting. Enter the expense account here.



Go to pending vendor invoices.

Accounts payable >> Invoices >> Pending vendor invoices.


Find the invoice and click on Post.


Posted voucher is as below.

Conclusion
This clear segregation of duties ensures that no one individual has control over the entire vendor invoice process. By splitting the process into distinct responsibilities—registration, matching, and posting—the organization minimizes the risk of fraud or error. Each person involved has a specific role and responsibility, contributing to the integrity of the financial data and reducing the likelihood of internal control failures.
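The separation described above can also be checked after the fact, per invoice. The following is an added example, not part of the original post and not Dynamics 365 code: it assumes that (invoice, stage, user) events have been exported from the journals into a simple list, and the invoice numbers and events are constructed sample data.

```python
from collections import defaultdict

# The three stages from the process flow above.
STAGES = ("register", "match", "post")

# Constructed sample events (invoice, stage, user); not exported from a real system.
SAMPLE_EVENTS = [
    ("INV-1001", "register", "emma"),
    ("INV-1001", "post", "sophia"),      # service invoice: no matching stage
    ("INV-1002", "register", "emma"),
    ("INV-1002", "match", "john"),
    ("INV-1002", "post", "sophia"),
    ("INV-1003", "register", "emma"),
    ("INV-1003", "match", "john"),
    ("INV-1003", "post", "Emma"),        # registrar also posted (different casing)
    ("INV-1004", "register", "john"),
    ("INV-1004", "match", "john"),       # registrar also matched
    ("INV-1005", "post", "sophia"),      # posted with no registration on record
]


def find_sod_violations(events):
    """Return {invoice: [finding, ...]} for invoices that break the separation."""
    # invoice -> stage -> set of users who acted in that stage
    actors = defaultdict(lambda: defaultdict(set))
    for invoice, stage, user in events:
        if stage not in STAGES:
            raise ValueError(f"unknown stage {stage!r} for {invoice}")
        # Normalise user names so 'Emma' and 'emma' count as one person.
        actors[invoice][stage].add(user.strip().lower())

    findings = {}
    for invoice, by_stage in actors.items():
        issues = []
        # The same user must not appear in two different stages of one invoice.
        for i, first in enumerate(STAGES):
            for second in STAGES[i + 1:]:
                for user in sorted(by_stage[first] & by_stage[second]):
                    issues.append(f"{user} performed both {first} and {second}")
        # In this flow every posted invoice should have been registered first
        # (assumption of this example: the export is complete).
        if by_stage["post"] and not by_stage["register"]:
            issues.append("posted without a registration event")
        if issues:
            findings[invoice] = issues
    return findings


if __name__ == "__main__":
    for invoice, issues in sorted(find_sod_violations(SAMPLE_EVENTS).items()):
        print(invoice, "->", "; ".join(issues))
```

Both scenarios pass cleanly when three (or, for a service invoice, two) different people act; only INV-1003, INV-1004 and INV-1005 are reported.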

Tuesday, September 17, 2024

Securing Dynamics 365 F&O with Azure Active Directory Group Management



SECURING DYNAMICS 365 F&O WITH AZURE ACTIVE DIRECTORY GROUP MANAGEMENT

CONTENT

Introduction
Enable the Active Directory security groups feature
Setup Active Directory security groups
Import Active Directory security groups
Assign D365FO security roles to Active Directory Groups
Managing users in Dynamics 365 Finance and Operations

Introduction

Microsoft Active Directory (AD) Security Groups are a long-established feature in Microsoft’s identity management framework, designed to centralize the management of users, roles, and organizational assignments. By assigning users to specific AD security groups, administrators can map those groups to corresponding roles or permissions within Dynamics 365 Finance and Operations (D365 F&O). This ensures consistent access control across the organization, reducing the manual effort of managing individual user permissions.

A key benefit of AD Security Groups in D365 F&O is Just-in-Time (JIT) provisioning. JIT allows new users to be automatically created and assigned appropriate roles based on their AD group membership when they first sign into the system. This simplifies onboarding and ensures that access is aligned with their organizational role from the start.

While AD Security Groups are a valuable tool, they are considered a legacy option compared to modern identity management solutions like Azure Active Directory (Azure AD). Azure AD offers enhanced features, such as conditional access and multi-factor authentication, which provide more robust security options. However, organizations with existing AD infrastructure can still leverage AD Security Groups for efficient role-based access control in their D365 environments.

The purpose of AD security groups is to streamline access control within a network by allowing administrators to assign rights and permissions to multiple users simultaneously. This method ensures uniform access to resources such as files, folders, and applications. For example, an AD security group for a department like "Finance" can be assigned specific permissions, and all members of that group will inherit the same access rights, simplifying permission management.

Over time, security groups also make it easy to manage changing user roles or onboarding new users. By adding or removing users from a group, administrators can adjust permissions without needing to update each user individually. This helps maintain security, reduces errors, and ensures compliance with regulatory standards.

Administrators can utilize Azure Active Directory (Azure AD) groups to efficiently control user permissions within Dynamics 365 Finance and Operations (D365FO). This guide outlines the process for configuring and managing access in D365FO. It’s important to note that the configuration of Azure AD itself falls under the purview of the IT department.

Enable the Active Directory security groups feature

To enable the feature, go to System administration > Setup > License configuration. You can find the Microsoft Entra ID (Active Directory) security group configuration key in the Administration folder.

Configuration keys can be edited only in maintenance mode.


Note: Microsoft Entra ID is the new name for Azure AD as of November 2023. The names Azure Active Directory, Azure AD, and AAD are replaced with Microsoft Entra ID.

  • Microsoft Entra is the name for the product family of identity and network access solutions.
  • Microsoft Entra ID is one of the products within that family.
  • Acronym usage isn't encouraged, but if you must replace AAD with an acronym due to space limitations, use ME-ID.

Setup Active Directory security groups

The next step is to create Azure Active Directory groups and assign members to them. This can be done in the Microsoft 365 admin center, the Office 365 admin center, or the Azure portal. 

Import Active Directory security groups

After the feature is enabled, a new Groups page is available at System administration > Users > Groups. 

Once the group structure and memberships are ready, proceed with the configuration in Microsoft Dynamics 365. Go to System administration > Users > Groups.

To start importing Azure Active Directory security groups, select Import groups, and then select the groups to import.

The ID field requires custom input.

After the import is completed, you can maintain role and organization assignments on the Groups page. The process resembles the process that's used on the Users page.

Assign D365FO security roles to Active Directory Groups

The next step is to assign security roles to the AD groups in D365FO. Users who are members of the Azure Active Directory (AD) groups will inherit the assigned security roles.

  • Roles are not assigned directly to individual users; they are assigned to AD security groups.
  • A user can belong to multiple groups, and in such cases, they will receive cumulative access across all their group memberships.

Managing users in Dynamics 365 Finance and Operations

If security is set up through AD groups, SOD risk analysis will not work. The solution is to assign security roles directly to users as usual.

If workflows include security roles in their setup, they will not function properly either. The solution is to assign security roles directly to users as usual.

A user can have an AD security group membership and a direct security role assignment at the same time. In this case, the user is granted access to all permissions cumulatively.
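Because access is cumulative across groups and direct assignments, and SOD risk analysis does not cover roles that arrive through groups, a review has to compute each user's effective duties itself. The following is an added example, not part of the original post and not a Dynamics 365 API: the role names, group names, duty mapping and memberships are hypothetical, constructed data standing in for exports from the Groups and Users pages.

```python
from collections import defaultdict

# Hypothetical role names and the invoice duty each grants (assumption,
# not the roles shipped with D365FO).
ROLE_DUTIES = {
    "AP Invoice Registrar": {"register"},
    "Procurement Matcher": {"match"},
    "Finance Invoice Poster": {"post"},
}
# Duty pairs that one person must not hold together.
CONFLICTS = [("register", "post"), ("register", "match"), ("match", "post")]

# Constructed sample data: roles per group, members per group, direct roles.
GROUP_ROLES = {
    "SG-AP-Clerks": ["AP Invoice Registrar"],
    "SG-Procurement": ["Procurement Matcher"],
    "SG-Finance": ["Finance Invoice Poster"],
}
GROUP_MEMBERS = {
    "SG-AP-Clerks": ["emma", "liam"],
    "SG-Procurement": ["john"],
    "SG-Finance": ["sophia", "liam"],   # liam is in two groups
}
DIRECT_ROLES = {
    "emma": ["AP Invoice Registrar"],
    "john": ["Finance Invoice Poster"],  # direct role on top of a group role
}


def effective_duties(group_roles, group_members, direct_roles, role_duties):
    """Return user -> duty -> set of sources ('group:<name>' or 'direct')."""
    duties = defaultdict(lambda: defaultdict(set))

    def grant(user, role, source):
        if role not in role_duties:
            raise ValueError(f"role {role!r} has no duty mapping")
        for duty in role_duties[role]:
            duties[user][duty].add(source)

    # Roles inherited through group membership.
    for group, members in group_members.items():
        for user in members:
            for role in group_roles.get(group, []):
                grant(user, role, f"group:{group}")
    # Roles assigned directly to the user; these add to the group roles.
    for user, roles in direct_roles.items():
        for role in roles:
            grant(user, role, "direct")
    return duties


def sod_conflicts(duties, conflicts=CONFLICTS):
    """Return (user, duty_a, duty_b, sources) for every conflicting pair held."""
    found = []
    for user in sorted(duties):
        held = duties[user]
        for a, b in conflicts:
            if a in held and b in held:
                found.append((user, a, b, sorted(held[a] | held[b])))
    return found


if __name__ == "__main__":
    all_duties = effective_duties(GROUP_ROLES, GROUP_MEMBERS, DIRECT_ROLES, ROLE_DUTIES)
    for user, a, b, sources in sod_conflicts(all_duties):
        print(f"{user}: {a} + {b} via {', '.join(sources)}")
```

Run against the direct assignments alone, the same check reports nothing; both conflicts in the sample data exist only because group-inherited roles are included.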

Friday, August 9, 2024

Unannounced Sales Returns in Dynamics 365 Finance and Operations










UNANNOUNCED SALES RETURNS

CONTENT

Introduction
Return details
Receive unannounced returned item by the return details
Mixed license plate receiving
Blind returns
Receive unannounced returned item by blind return 
Mixed license plate receiving 
Required configurations
Blind return demo

Introduction

In Microsoft Dynamics 365 Supply Chain Management, the sales return process typically begins with the creation of a Return Material Authorization (RMA) order. The RMA order is crucial for managing returns, particularly when the reason for the return is unclear or not immediately disclosed. It serves as the central document guiding the subsequent steps in the return process, including warehouse arrival and receiving procedures.

However, there are instances where customers may return products without prior notice or an associated order. In such cases, the standard RMA process is bypassed, requiring special handling to manage these unplanned or unannounced returns.

This article will walk you through configuring Supply Chain Management to handle unannounced returns and the procedures for receiving these returns in the warehouse.

For example, if a customer arrives at the bay door wanting to return an item without having a return material authorization (RMA), it’s considered an unannounced sales return.

This can be handled in 2 ways.

  • Return details
  • Blind returns



RETURN DETAILS

In this scenario, the customer doesn’t need to contact the seller; simply bringing the RETURN LABEL or providing the RETURN DETAIL ID created at the time of order shipment is sufficient. The RETURN LABEL or RETURN DETAIL ID contains the necessary return details (return ID, original order ID, shipment ID, order lines, return until dates) required to process the return.

A return detail record can be created in two ways:

  • Order creation > Order shipment > Packing > Return label creation via the small parcel shipment process
  • Order creation > Order shipment > Shipment confirmation > Return details creation

In summary, each shipment process can create either a return label (if containerization is used) or a return details ID with an expiration date (if the expiration date is set up).

Receiving Unannounced Returned Items by Return Details

Assumption: The customer already has the return details.

1. Open the Warehouse Management mobile app.
2. Select Return Details Receiving (You'll need to create menu/menu item first).
3. Scan the Return ID.
4. Scan the Item ID.
5. System generates a License Plate (LP).
6. Enter the Quantity.
7. Select the Disposition Code.

Please note that a "Work Completed" message will appear.

Important: Do not forget to click CANCEL to release the flow and complete the process.

All unannounced returns will go to the Mixed License Plate Receiving screen.

Mixed License Plate Receiving

1. Go to Warehouse Management > Inquiries and Reports > Mixed License Plate Receiving.
2. Note that the received license plate appears on the list page.
3. Select the license plate and click the Complete License Plate button in the License Plate Action pane.

  • An arrival journal is automatically posted.
  • A "Return Orders" work order is automatically created to move the item from the default receiving location to the destination location, based on the location directives setup.
  • A new RMA is created with a line item that has a "Registered" status.

The next steps are to post the packing slip and invoice. This is not in this article's scope.

BLIND RETURNS

In this scenario, the selling company doesn’t maintain return details, which means the customer doesn’t have any reference information like a return label, return details ID, original sales order, shipment ID, RMA, etc. This is considered a complete blind return. In other words, the customer doesn’t need to contact the seller before the actual return.

Receiving Unannounced Returned Items by Blind Return

Assumption: The customer doesn’t have any reference data (e.g., no return label, no order number).

1. Open the Warehouse Management mobile app.
2. Select Blind Return.
3. Scan the Customer ID.
4. Scan the Item ID.
5. The system generates a License Plate (LP).
6. Enter the Quantity.
7. Select the Disposition Code.

Please note that a "Work Completed" message will appear.

Important: Do not forget to click CANCEL to release the flow and complete the process.

All unannounced returns will go to the Mixed License Plate Receiving screen.

Mixed License Plate Receiving

1. Go to Warehouse Management > Inquiries and Reports > Mixed License Plate Receiving.
2. Note that the received license plate appears on the list page.
3. Select the license plate and click the Complete License Plate button in the License Plate Action pane.

  • An arrival journal is automatically posted.
  • A Return Order's work order is automatically created to move the item from the default receiving location to the destination location based on the location directives setup.
  • A new RMA is created with a line item that has a "Registered" status.

The next steps are to post the packing slip and invoice.

REQUIRED CONFIGURATIONS

Warehouse Parameters: Go to Warehouse Management > Setup > Warehouse Management Parameters > Returns fast tab.

  • Default Return Order Journal: Select a journal name.
  • Enable Return Details Creation: Set to Yes (Enable this process if it’s used). If this parameter is set to Yes, then activate the Enable Sales Load Line Picking Route parameter on the Loads fast tab. This links sales line inventory transactions and load lines.
  • Enable Return Order Creation from Mobile Device: Set to Yes (Always enable this. This is for both "return details" and "blind return").

Number Sequence Configurations:

  • Load Line Inventory Pick: This number is used on the load line’s "Load Line Inventory Pick" tab.
  • Return ID: Configure the sequence for the Return ID.

Return Item Policies: Go to Warehouse Management > Setup > Return Items > Return Item Policies.

  • Determine which items can be returned.
  • Set a maximum number of days allowed for returning the selected items, if applicable.

Return Item Receiving Policies: Go to Warehouse Management > Setup > Mobile Device > Return Item Receiving Policies.

  • Define what functionality is in use. Options include: Return Details, Blind Returns.

Mobile Device Menu Items: Go to Warehouse Management > Setup > Mobile Device > Mobile Device Menu Items.

  • Create a Blind Return menu item to receive return items.
    • Mode: Work.
    • Work Creation Process: Return Item Receiving.
    • Generate License Plate: Yes (since the returned item is placed in the receiving location).
    • Display Disposition Code: Yes (select one of the created policies, select Blind here).

Mobile Device Menu: Go to Warehouse Management > Setup > Mobile Device > Mobile Device Menu.

  • Create a menu that contains the Blind Return menu item.

Mobile Device Disposition Code: Go to Warehouse Management > Setup > Mobile Device > Disposition Codes.

  • Create a new disposition code for mobile device returns.
    • Disposition Code: Return Credit
    • Inventory Status: Available
    • Work Template: Returns (select a return work template).
    • Return Disposition Code: Credit (select a disposition code).

BLIND RETURN DEMO

A blind return occurs when a return is made without an existing RMA order or any pre-recorded return details, and there is no need to reference the original sales order or shipment during the receiving process. During the return item receiving process, workers must use the mobile app.

Go to the main mobile device menu and select Return > Blind return.


All you know about this return is the customer account. Enter or scan the customer account. Hit OK.


Enter the item id.

Scan the license plate if there is any, otherwise, leave it empty.

Enter the return quantity.

Select the disposition code.

Hit OK.

Note that the system generates a license plate if you leave it empty.


Hit OK.


Note that work is now completed.

DO NOT forget to hit CANCEL to complete the flow. If you don't, the generated license plate cannot be processed.

The system will take you to the previous menu when you hit Cancel.

We already know that "All unannounced returns will go to the Mixed License Plate Receiving screen". Let's review the license plate that we just received. 

Go to Warehouse management >> Inquiries and reports >> Mixed license plate receiving.

Note that the received license plate appears on the list page. Select the license plate and click the Complete License Plate button in the License Plate Action pane.


When the completion ends, the LP disappears from this screen.

When "Show completed license plate" is checked, you can see that the RMA number and work creation numbers are now populated.


Completing the license plate results in the following activities:

  • An arrival journal is automatically posted.
  • A Return Order's work order is automatically created to move the item from the default receiving location to the destination location based on the location directives setup.
  • A new RMA is created with a line item that has a "Registered" status.

Posted arrival journal is as below:



Created return order's work order is as below:



Created RMA is as below:


In conclusion, the ability to seamlessly receive unannounced sales returns in Microsoft Dynamics 365 Supply Chain Management showcases the system's flexibility and efficiency, allowing businesses to effortlessly handle unexpected situations while maintaining operational fluidity and enhancing customer satisfaction. This capability underscores the beauty of a well-configured system that adapts to real-world challenges with ease.
