Enforcing Item and State Regulations in Dynamics 365 Finance & Operations

ENFORCING ITEM AND STATE REGULATIONS IN DYNAMICS 365 FINANCE AND OPERATIONS

CONTENT Introduction Restricted Products Regional Lists – Enforcing Sales Restrictions Example: Restricting Motorcycle Sales in California Regulated Products Regional Lists – Tracking Compliance Requirements Example: Licensing Requirements for Agricultural Chemicals Product Safety Data Sheet Validity – Managing Hazardous Material Compliance Example: Auto SDS Creation When Packing Slip is Posted Conclusion

INTRODUCTION 

Many organizations operate in industries where product distribution is tightly regulated by geography. These rules may originate from international trade restrictions, environmental standards, safety requirements, or state-level laws. Examples include:

• Blocking exports of controlled chemicals to certain countries
• Restricting motorcycle sales in specific U.S. states
• Requiring a valid safety data sheet before selling hazardous materials

Managing these rules manually is inefficient and risky. To ensure compliance, enforcement needs to be embedded into the ERP system, where controls are consistently applied without relying solely on user awareness.

In Microsoft Dynamics 365 Finance & Operations (D365FO), the Product compliance framework provides several built-in tools to manage these requirements, located under:

Product information management > Setup > Product compliance

The key compliance features include:

• Restricted products regional lists – Blocks or allows sales of certain products in defined regions
• Regulated products regional lists – Tracks regulatory requirements for specific products in specific regions
• Product safety data sheet validity – Manages the validity of safety data sheets to ensure compliance before sale

This article focuses on how these features work together to help organizations enforce jurisdiction-based sales rules, illustrated with real-world scenarios.

RESTRICTED PRODUCTS REGIONAL LISTS - ENFORCING SALES RESTRICTIONS

The Restricted products regional lists feature is used to prevent or permit sales of certain items in specific jurisdictions. These restrictions are validated during sales order entry, based on the shipping address in the order header.

Key Configuration Elements:

• Jurisdiction type: Country/region, State/province, County, or City
• List type
• Inclusive: Only listed items can be sold in the jurisdiction
• Exclusive: All items except those listed can be sold
• Product association: Items explicitly linked to the list

Product information management > Setup > Product compliance > Restricted products regional lists

EXAMPLE: RESTRICTING MOTORCYCLE SALES IN CALIFORNIA

Scenario: A company sells motorcycles nationwide but is prohibited from selling them in California due to regulatory requirements.

Configuration Steps:

Create an exclusive restricted product list for California:

Let's now make sure that related parameter is active. 

Note that compliance check can be done packing slip stage as well.

Expected behavior: Sales orders with California shipping address cannot include the restricted motorcycles. 

Let's create a sales order that includes motorcycle with California address.

Insert restricted product.

Note that system throws an error when the sales line is saved.

Product 'XYZ' is restricted for sale to the delivery address on the sales line. Change the address or the product.

REGULATED PRODUCTS REGIONAL LISTS - TRACKING COMPLIANCE REQUIREMENTS

While restricted product lists block or allow sales, the Regulated products regional lists feature manages regulatory requirements that must be met before a product can be sold in a specific region.

This is essential when:

• A product is legal to sell but requires specific permits or licenses in certain regions
• Compliance documentation must be recorded before shipment
• Different regions impose different regulatory conditions on the same product

Product information management > Setup > Product compliance > Regulated products regional lists

EXAMPLE: LICENSING REQUIREMENTS FOR AGRICULTURAL CHEMICALS

Scenario: A company sells agricultural chemicals across multiple states, but some states/countries require a pesticide applicator license before purchase.

Configuration Steps:

Create a regulated product regional list for each state requiring a license and associate the relevant agricultural chemical items.

This setup can also been seen from the item itself.

Last check, let's now make sure that related parameter is active. 

Expected behavior: Sales orders with Canada shipping address must have an active product safety data sheet when weed killer is sold. If not, system throws a warning.

Let's create a sales order that contains weed killer with Canada address.

Note that system throws an error when the sales line is saved.

Please deliver the latest active product safety data sheet to the customer.

Let's try to post the packing slip.

Note that system throws an error:

No valid product safety data sheet exists for the item on the sales order

PRODUCT SAFETY DATA SHEET VALIDITY - MANAGING HAZARDOUS MATERIAL COMPLIANCE

Some products, especially chemicals, require a Safety Data Sheet (SDS) that must be current and valid at the time of sale. The Product safety data sheet validity functionality ensures that a product cannot be sold if its SDS is expired or missing.

Product information management > Setup > Product compliance > Product safety data sheet validity

EXAMPLE: AUTO SDS CREATION WHEN PACKING SLIP IS POSTED

Scenario: A hazardous chemical (weed killer) sales automatically generates an SDS when packing slip is posted.

Configuration steps:

Create a regulated product regional list for each state requiring a license and associate the relevant agricultural chemical items. (Already done in the previous step).

Define SDS validity rules for the chemical product.

Define a safety data sheet (SDS) for the chemical product.

Attach the actual SDS document. 

The last step is the parameter configuration. Navigate to

Inventory management > Setup > Inventory and warehouse management parameters > Product compliance

Remember that system throws an error shown as below when there is no active SDS.

After configurating product safety data sheet validity, attaching a safety data sheet to the product, and configuring compliance parameters properly, system allows user to generate packing slip and safety data sheet simultaneously.

CONCLUSION

This article explains how Microsoft Dynamics 365 Finance & Operations (D365FO) enforces jurisdiction-based product regulations using its Product compliance framework. It covers three key features:

• Restricted products regional lists: Prevents sales of certain items in specified regions (e.g., blocking motorcycle sales in California).

• Regulated products regional lists: Tracks and enforces regional regulatory requirements before sale (e.g., pesticide license requirements for agricultural chemicals).

• Product safety data sheet (SDS) validity: Ensures hazardous materials have a current SDS before shipping, with the option to auto-generate SDS documents during packing slip posting.

Through step-by-step configuration examples, the article demonstrates how these tools work together to automate compliance, reduce manual oversight, and ensure that regional sales restrictions, licensing obligations, and hazardous material documentation requirements are met directly within D365FO.

Enabling the Three Lines of Defense in Dynamics 365 Finance & Operations - LINE2: Risk and Compliance Oversight

ENABLING THE THREE LINES OF DEFENSE IN DYNAMICS 365 FINANCE & OPERATIONS - LINE2: RISK AND COMPLIANCE OVERSIGHT

CONTENT Introduction Line 2 Risk and Compliance Oversight in D365FO-Centric Organizations Governance Through Monitoring: A Functional View Oversight of Security Role Changes and Privilege Escalation Monitoring Segregation of Duties Violations and Exception Approvals Evaluating the Effectiveness of Workflow Controls Analyzing Field-Level Configuration Changes Performing Periodic Risk Reviews and Reporting A Second Line Scenario: From Oversight to Intervention Conclusion

INTRODUCTION 

The purpose of the Second Line of Defense within the Three Lines of Defense (3LoD) framework is not to execute business controls, but to ensure that those controls are functioning consistently, remain aligned with risk tolerance, and are subject to ongoing review. In Microsoft Dynamics 365 Finance & Operations (D365FO), Line 2 does not directly perform journal postings, approve transactions, or assign user roles—that’s the job of Line 1. Instead, Line 2 is accountable for designing policy frameworks, overseeing access governance, monitoring control adherence, and responding when execution deviates from expected behavior.

This article explains how D365FO supports Line 2 professionals—compliance officers, internal control owners, and risk managers—in supervising control environments without directly interfering with operational workflows. It is written for readers who already understand D365FO’s built-in features such as role-based access, segregation of duties (SoD), workflow approvals, and audit trails. Instead of re-explaining these tools, we focus on how Line 2 uses them for governance and monitoring purposes.

LINE 2 | RISK AND COMPLIANCE OVERSIGHT IN D365FO-CENTRIC ORGANIZATIONS

Line 2 functions as the system’s compliance backbone, tasked with embedding internal control principles into application governance. These responsibilities include:

• Establishing risk-aligned access policies
• Defining SoD rules and exception handling criteria
• Monitoring workflow effectiveness across departments
• Reviewing audit trails and configuration changes
• Providing structured guidance to Line 1 users
• Liaising with auditors and reporting on internal control health

In D365FO, these tasks can be performed using native capabilities—augmented where necessary by ISV tools like Fastpath, RSM Guardian, or custom Power BI dashboards. Line 2 does not need to rely on external documentation or manual audits. Instead, the ERP system itself becomes the control environment, enabling real-time oversight of daily operational activity.

GOVERNANCE THROUGH MONITORING: A FUNCTIONAL VIEW

While Line 1 users rely on D365FO to execute controls, Line 2 uses the same system to oversee them. Below, we explore how this oversight manifests in the application.

1. Oversight of Security Role Changes and Privilege Escalation

Access provisioning is handled by IT or business operations (Line 1), but Line 2’s responsibility is to monitor whether those assignments adhere to policy.

In practice, this involves:

• Reviewing changes in user role assignments on a regular cadence
• Identifying users who have gained elevated privileges outside of standard provisioning processes
• Investigating any deviation from the principle of least privilege

While D365FO does not natively provide historical change tracking for user-role assignments, organizations often implement supporting tools or audit reports to capture this activity. Alternatively, Database Log can be enabled to track changes in the underlying security tables.

2. Monitoring Segregation of Duties Violations and Exception Approvals

Line 2 does not create SoD rules—that’s a shared responsibility between compliance and system administrators. But Line 2 governs how these rules are enforced and how exceptions are handled.

Typical activities include:

• Reviewing SoD violation reports and understanding the business context behind them
• Approving or rejecting temporary access exceptions requested by Line 1 users
• Validating that approved exceptions have compensating controls in place (e.g., increased monitoring or dual approval)

The objective is not to prevent the business from operating efficiently, but to ensure that risk-acceptance decisions are conscious, documented, and periodically re-evaluated.

3. Evaluating the Effectiveness of Workflow Controls

While Line 1 users initiate and participate in workflows (e.g., invoice approvals, vendor edits), Line 2 has a supervisory role to play: Are those workflows functioning as intended?

Key evaluation points include:

• Are workflows consistently routing to the correct approvers?
• Are approvals happening within expected timeframes?
• Are any steps being auto-approved due to escalation thresholds?
• Is there evidence of override behavior (e.g., approval by system administrators)?

These checks are often performed using the Workflow history log in D365FO or through exported workflow datasets analyzed in Power BI.

4. Analyzing Field-Level Configuration Changes

Control failures are not always transactional—they often begin in setup and master data. A well-designed workflow or SoD policy can be rendered ineffective if a key configuration setting is changed.

Line 2’s responsibility is to track changes to sensitive fields and ensure that:

• Only authorized users are making changes to configuration records (e.g., vendor bank account, posting profiles)
• All changes are traceable and explainable
• Recurring or off-hours changes are flagged for further review

D365FO’s Database Log feature supports this type of oversight. When enabled for the appropriate tables, it records the user ID, timestamp, and before/after values for each change.

5. Performing Periodic Risk Reviews and Reporting

Line 2 is accountable for translating system data into actionable risk insight. This typically includes:

• Monthly or quarterly reports on SoD exceptions, workflow behavior, and sensitive field changes
• User access reviews for high-risk roles (e.g., system administrators, finance approvers)
• Assessment of policy violations and recurring control issues
• Recommendations to IT or Line 1 leaders for control remediation or enhancement

Tools like RSM Guardian or Fastpath streamline this process by aggregating control data into prebuilt dashboards. However, even without ISVs, D365FO’s native data entities, export functions, and logging capabilities enable meaningful review cycles—if structured properly.

SAMPLE SCENARIO: FROM OVERSIGHT TO INTERVENTION

Consider this common use case:

A temporary SoD exception was approved last month, allowing a user to both create and approve vendors.

During a monthly review, Line 2 notices that this exception is still active—even though the stated expiration date has passed.

Further investigation reveals the same user submitted and approved three vendors, one of which was used in a high-value payment.

Line 2 flags the issue, revokes the role combination, and recommends a retrospective review of the payment by Internal Audit.

This type of oversight intervention highlights the true value of Line 2 in D365FO—not just spotting violations, but ensuring controls remain active, relevant, and risk-aligned.

CONCLUSION

The Second Line of Defense brings structure, oversight, and assurance to the control environment. In Dynamics 365 Finance & Operations, Line 2 professionals are not responsible for day-to-day transactions—but they are accountable for ensuring that the system itself enforces compliance principles.

By continuously monitoring role changes, SoD conflicts, workflow behavior, and audit logs, Line 2 can enforce risk policies without disrupting operations. The end result is a governance model where compliance is embedded within the ERP—not layered on top of it.

The final article in this series will focus on Line 3: Internal Audit, where we examine how independent assurance can be delivered using D365FO’s data and reporting capabilities.