Tuesday, November 26, 2024

Performing Segregation of Duties (SOD) Risk Analysis in Dynamics 365 Finance and Operations (D365FO) - PART 1: Using D365FO











PERFORMING SEGREGATION OF DUTIES (SOD) RISK ANALYSIS IN DYNAMICS 365 FINANCE AND OPERATIONS (D365FO)

CONTENT

Introduction
Solution Components for SOD in Dynamics 365 Finance and Operations (D365FO)
Solution Configuration in Dynamics 365 Finance and Operations (D365FO)
SOD Violations Detection and Analysis
Summary

This article series explains how to perform a Segregation of Duties (SOD) analysis for Dynamics 365 Finance and Operations using 3 different tools, so that you can compare the available options. The series consists of 3 parts, as follows:

Performing Segregation of Duties (SOD) Risk Analysis in Dynamics 365 Finance and Operations (D365FO)

PART 1: Using D365FO (this article)
PART 2: Using RSM's Guardian Power App (to be published on 12/6)
PART 3: Using Fastpath (to be published on 12/20)

Let's get started with PART 1.

Introduction

In today’s business landscape, ensuring compliance and safeguarding financial systems against fraud and errors are critical objectives for organizations. One of the key practices to achieve this is implementing Segregation of Duties (SOD)—a control measure that prevents a single individual from managing multiple critical tasks within a business process.

Dynamics 365 Finance and Operations (D365FO) provides a tool to help organizations analyze and manage SOD risks effectively. By leveraging its built-in security framework, role-based access controls, and analytical capabilities, businesses can identify potential conflicts and enforce appropriate control measures to maintain compliance.

This article marks the first in a three-part series exploring how to perform SOD risk analysis using different tools. Here, we focus on how Dynamics 365 Finance and Operations can streamline the process, ensuring your financial system remains secure and compliant with industry standards like SOX and COSO.

Solution Components for SOD in Dynamics 365 Finance and Operations (D365FO)

In Dynamics 365 Finance and Operations (D365FO), Segregation of Duties (SOD) revolves around managing duties—a fundamental concept within the security framework. Duties represent a collection of related privileges that define what a user can do within the system, ensuring their access aligns with their responsibilities. Here are the key solution components that support SOD in D365FO:

Security Roles, duties and privileges

Security roles are the top-level entities in D365FO's security model. They are designed to group duties and privileges required to perform specific business tasks. Roles such as "Accounts Payable Manager" or "Inventory Clerk" ensure users can only access features relevant to their job functions.

  • Roles are assigned to users, directly linking them to duties and privileges.
  • SOD is managed by ensuring that roles do not encompass conflicting duties.

Duties are granular groups of related privileges that correspond to specific responsibilities, such as approving invoices, processing payments, or creating purchase orders. They are key to managing SOD conflicts, as risks often arise when users are assigned duties that conflict with each other.

  • Duties allow fine-grained control of system functionality.
  • The system's built-in SOD rules help detect when conflicting duties are assigned to the same user or role.

Privileges are the lowest level of access definitions in the security hierarchy. They control access to individual forms, menu items, or actions within the application. By combining privileges into duties, D365FO creates a layered approach to access control.

Segregation of Duties Rules

D365FO includes a framework for defining and enforcing SOD rules. These rules specify which combinations of duties are considered incompatible and must not be assigned to the same user. For example:

Conflict Example: A user assigned to both "Maintain Vendor Invoices" and "Approve Vendor Invoices" duties creates a risk of unauthorized transactions.

The list of these conflicts forms the Segregation of Duties (SOD) framework, also known as the SOD ruleset.

SOD Violations Detection and Analysis

The system offers tools for detecting and resolving SOD conflicts. Administrators can run diagnostics to identify violations, which supports compliance with regulatory standards such as SOX.

Conflict Resolution: D365FO provides workflows and configuration options to address identified conflicts, such as reassigning duties or splitting responsibilities across multiple users.

Mitigation / Remediation Tools: Workflows and ITACs

SOD enforcement is closely tied to workflows in D365FO. Approvals and reviews are built into workflows, ensuring that no single individual has control over critical processes.

ITACs (IT application controls) are not separate concepts but complementary mechanisms that enforce Segregation of Duties (SOD) and other security principles in Dynamics 365 Finance and Operations (D365FO). While workflows focus on approvals, ITACs enforce transactional integrity.

By leveraging these components, D365FO allows organizations to establish a secure environment that supports operational efficiency while maintaining compliance with internal and external regulations. The next section will delve into the process of configuring these components for effective SOD risk analysis.

Solution Configuration in Dynamics 365 Finance and Operations (D365FO)

Security Roles and their user assignments

Security roles are designed to group related duties and privileges.

System administration >> Security >> Security configuration


Users are assigned to specific security roles.

System administration >> Users >> Users


This screen shows users and their security role assignments.


The SOD framework incorporates security role access and user assignments into the risk analysis algorithm.

Segregation of Duties Framework

For demo purposes, our rule is that a user CANNOT perform both the "Maintain Vendor Invoices" and "Approve Vendor Invoices" duties at the same time.

Let's create that Segregation of Duties (SOD) rule in the system.

Go to System Administration >> Security >> Segregation of duties >> Segregation of duties rules


Click + New.

Select the first duty.

Select the second duty.

Select the risk rating.


Populate the risk definition: 'Registering unapproved invoices.' The Security Mitigation column contains ITAC(s) that mitigate/remediate the identified risk. This column can remain empty for now. The first SOD rule is ready.


SOD Violations Detection and Analysis

Identifying Internal Role Risks

D365FO offers a tool for detecting and resolving SOD conflicts. As an administrator, you can run diagnostics to identify violations and generate reports to support compliance with regulatory standards such as SOX.

Go to System administration >> Security >> Segregation of duties >> Segregation of duties rules

Open the form and click 'Validate duties and roles' to run the analysis.



An error message appears:

Role "Accounts payable manager" is in violation of segregation of duties rule "New Segregation of duties rule": The role contains duties "Maintain vendor invoices" and "Approve vendor invoices".

The SOD risk analysis tool identifies this and notifies you. Note that this is an internal role risk: both conflicting duties are contained in a single role, regardless of which users hold it.

User Risk Analysis: Scenario 1

Let's assign "Accounts payable manager" to a user.

System administration >> Users >> Users


The system throws an error as shown below:

Cannot create a record in Security user role (SecurityUserRole). The corresponding AOS validation failed.

Note that a series of actions is taken:

  • The system identifies the conflict and does not allow this role assignment until the message is addressed.
  • The system asks whether you want to resolve this conflict now.

Click 'Yes'; the system takes you to the 'Segregation of duties unresolved conflicts' form and asks you to decide:

  • Deny assignment: The role assignment is rejected.
  • Allow assignment: The role assignment is made. This is for exceptional situations where the user needs that role assignment so that business processes are not disrupted.


Click 'Deny assignment'.


The role assignment is rejected and the conflict line is moved to the 'Segregation of duties conflicts' form, as shown below.


User Risk Analysis: Scenario 2

Let's assign "Accounts payable manager" to a user and accept the conflict.

System administration >> Users >> Users


The system throws an error as shown below.

Note that a series of actions is taken:

  • The system identifies the conflict and does not allow this role assignment until the message is addressed.
  • The system asks whether you want to resolve this conflict now.

Click 'Yes'; the system takes you to the 'Segregation of duties unresolved conflicts' form and asks you to decide:

  • Deny assignment: The role assignment is rejected.
  • Allow assignment: The role assignment is made. This is for exceptional situations where the user needs that role assignment so that business processes are not disrupted.

Click 'Allow assignment'.


Enter the reason for overriding the SOD rule.


Note that the role is now assigned.


Note that this violation, together with the override reason, is recorded on the 'Segregation of duties conflicts' screen as shown below.


ITAC documentation

The last step is ITAC documentation for mitigation/remediation purposes.

As described above, ITACs are not separate concepts but complementary mechanisms that enforce Segregation of Duties (SOD) and other security principles in D365FO. Workflows cover approvals and reviews, so that no single individual has control over critical processes; ITACs enforce transactional integrity. The next step is to assign ITACs to SOD risks.

Go to the risk (the SOD rule created earlier).

Define the risk and enter the mitigating control information in the Security Mitigation column, as shown below.


User Risk Analysis: Scenario 3

Let's now assign two different roles to the same user, where neither role violates the SOD rule on its own but the combination does.



An error message appears:

Cannot create a record in Security user role (SecurityUserRole). The corresponding AOS validation failed.

Note that the system notifies you that the role assignment cannot pass validation.

The system assigns only one of the conflicting roles.


Attention: the system performs the risk analysis only after the SOD ruleset setup is complete. Roles and users assigned before the rules exist are checked by 'Validate duties and roles', not at assignment time.
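To make the two kinds of risk concrete, here is an added Python example (not code from D365FO or from this article) that runs the same checks over constructed role, user and rule data: an internal role risk when one role holds both duties, and a user risk when two roles combine to hold both (Scenario 3), with an accepted override as in Scenario 2. Only "Accounts payable manager", the two vendor-invoice duties and the rule come from the article; the other roles, the users and the override reason are assumptions.

```python
from itertools import chain

# Constructed sample data mirroring the article's walkthrough; not exported from D365FO.
# Only "Accounts payable manager" and the two vendor-invoice duties appear in the article;
# the other roles, the duty "Maintain inventory journals" and the users are hypothetical.
ROLE_DUTIES = {
    "Accounts payable manager": {"Maintain vendor invoices", "Approve vendor invoices"},
    "Accounts payable clerk": {"Maintain vendor invoices"},
    "Accounts payable approver": {"Approve vendor invoices"},
    "Inventory clerk": {"Maintain inventory journals"},
}
USER_ROLES = {
    "alice": {"Accounts payable clerk", "Accounts payable approver"},  # Scenario 3: two roles
    "carol": {"Accounts payable manager"},                             # Scenario 2: allowed
    "bob": {"Inventory clerk"},                                        # no conflict
}
# (rule name, first duty, second duty, risk rating, risk definition), as entered in the article
SOD_RULES = [("New Segregation of duties rule", "Maintain vendor invoices",
              "Approve vendor invoices", "High", "Registering unapproved invoices.")]
# Overrides recorded with 'Allow assignment' (Scenario 2), keyed by (user, rule name); reason assumed
ALLOWED_OVERRIDES = {("carol", "New Segregation of duties rule"): "Month-end cover, reviewed by CFO"}


def role_violations(role_duties=ROLE_DUTIES, rules=SOD_RULES):
    """Internal role risks: a single role contains both duties of a rule."""
    return [(role, name) for role, duties in role_duties.items()
            for name, d1, d2, *_ in rules if {d1, d2} <= duties]


def user_violations(role_duties=ROLE_DUTIES, user_roles=USER_ROLES,
                    rules=SOD_RULES, overrides=ALLOWED_OVERRIDES):
    """User risks: the union of a user's roles contains both duties of a rule,
    even when no single role does. Each hit is tagged 'unresolved' or 'allowed'."""
    report = []
    for user, roles in sorted(user_roles.items()):
        effective = set(chain.from_iterable(role_duties.get(r, ()) for r in roles))
        for name, d1, d2, *_ in rules:
            if {d1, d2} <= effective:
                via = tuple(sorted(r for r in roles if role_duties.get(r, set()) & {d1, d2}))
                status = "allowed" if (user, name) in overrides else "unresolved"
                report.append((user, name, via, status))
    return report


if __name__ == "__main__":
    for role, rule in role_violations():
        print(f'Role "{role}" is in violation of segregation of duties rule "{rule}"')
    for user, rule, via, status in user_violations():
        print(f"User {user}: {status} conflict on {rule!r} via roles {via}")
```

Unresolved user conflicts are what would appear on the 'Segregation of duties conflicts' form; allowed ones are the documented exceptions that should carry an ITAC.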

Summary

Dynamics 365 Finance and Operations (D365FO) provides robust tools to manage Segregation of Duties (SOD) by leveraging its security framework, including roles, duties, privileges, and SOD rules. These components allow organizations to identify and resolve access conflicts, enforce regulatory compliance, and document mitigations through workflows and ITAC integration. By configuring SOD rules and analyzing conflicts, businesses can ensure that critical tasks are segregated effectively, safeguarding operations and minimizing the risk of fraud or errors.
