Saturday, July 12, 2025

ENABLING THE THREE LINES OF DEFENSE IN DYNAMICS 365 FINANCE & OPERATIONS - LINE2: RISK AND COMPLIANCE OVERSIGHT

CONTENT

Introduction
Line 2 Risk and Compliance Oversight in D365FO-Centric Organizations
Governance Through Monitoring: A Functional View
Oversight of Security Role Changes and Privilege Escalation
Monitoring Segregation of Duties Violations and Exception Approvals
Evaluating the Effectiveness of Workflow Controls
Analyzing Field-Level Configuration Changes
Performing Periodic Risk Reviews and Reporting
A Second Line Scenario: From Oversight to Intervention
Conclusion

INTRODUCTION 

The purpose of the Second Line of Defense within the Three Lines of Defense (3LoD) framework is not to execute business controls, but to ensure that those controls are functioning consistently, remain aligned with risk tolerance, and are subject to ongoing review. In Microsoft Dynamics 365 Finance & Operations (D365FO), Line 2 does not directly perform journal postings, approve transactions, or assign user roles—that’s the job of Line 1. Instead, Line 2 is accountable for designing policy frameworks, overseeing access governance, monitoring control adherence, and responding when execution deviates from expected behavior.

This article explains how D365FO supports Line 2 professionals—compliance officers, internal control owners, and risk managers—in supervising control environments without directly interfering with operational workflows. It is written for readers who already understand D365FO’s built-in features such as role-based access, segregation of duties (SoD), workflow approvals, and audit trails. Instead of re-explaining these tools, we focus on how Line 2 uses them for governance and monitoring purposes.

LINE 2 | RISK AND COMPLIANCE OVERSIGHT IN D365FO-CENTRIC ORGANIZATIONS

Line 2 functions as the system’s compliance backbone, tasked with embedding internal control principles into application governance. These responsibilities include:

  • Establishing risk-aligned access policies
  • Defining SoD rules and exception handling criteria
  • Monitoring workflow effectiveness across departments
  • Reviewing audit trails and configuration changes
  • Providing structured guidance to Line 1 users
  • Liaising with auditors and reporting on internal control health

In D365FO, these tasks can be performed using native capabilities, augmented where necessary by ISV tools such as Fastpath or RSM Guardian, or by custom Power BI dashboards built on exported data. Line 2 does not need to rely on external documentation or manual audits alone: the ERP itself becomes the control environment, and its logs and inquiries give Line 2 timely, evidence-based oversight of daily operational activity. That oversight is only as good as the logging that has actually been switched on, so deciding which tables, fields and workflows are monitored is itself a Line 2 policy decision rather than an IT default.

GOVERNANCE THROUGH MONITORING: A FUNCTIONAL VIEW

While Line 1 users rely on D365FO to execute controls, Line 2 uses the same system to oversee them. Below, we explore how this oversight manifests in the application.

1. Oversight of Security Role Changes and Privilege Escalation

Access provisioning is handled by IT or business operations (Line 1), but Line 2’s responsibility is to monitor whether those assignments adhere to policy.

In practice, this involves:

  • Reviewing changes in user role assignments on a regular cadence
  • Identifying users who have gained elevated privileges outside of standard provisioning processes
  • Investigating any deviation from the principle of least privilege

D365FO does not ship a dedicated history report for user-role assignment changes, so organizations often implement supporting tools or custom audit reports to capture this activity. Alternatively, Database Log can be enabled on the underlying security tables (the user-role assignment table SecurityUserRole in particular) so that each assignment and removal is recorded with the user who made it and the time. Two caveats apply: logging captures only changes made after it is enabled, and the log is itself a record that administrators can purge, so its retention must be governed by Line 2 rather than left to the same people whose changes it records.

2. Monitoring Segregation of Duties Violations and Exception Approvals

Line 2 defines the SoD rules in policy terms (which duties may not be combined, and under what conditions an exception may be granted); entering the rules in the system and running the compliance verification is shared with system administrators. Line 2 then governs how these rules are enforced and how exceptions are handled. One caveat to build into the rule design: D365FO evaluates SoD rules between duties, so a privilege added directly to a role sits outside the rule and will not surface in the conflict reports. Rule definitions should therefore be paired with a periodic review of roles that carry privileges not grouped under any duty.

Typical activities include:

  • Reviewing SoD violation reports and understanding the business context behind them
  • Approving or rejecting temporary access exceptions requested by Line 1 users
  • Validating that approved exceptions have compensating controls in place (e.g., increased monitoring or dual approval)

The objective is not to prevent the business from operating efficiently, but to ensure that risk-acceptance decisions are conscious, documented, and periodically re-evaluated.

3. Evaluating the Effectiveness of Workflow Controls

While Line 1 users initiate and participate in workflows (e.g., invoice approvals, vendor edits), Line 2 has a supervisory role to play: Are those workflows functioning as intended?

Key evaluation points include:

  • Are workflows consistently routing to the correct approvers, or is work being reassigned or delegated outside the configured hierarchy?
  • Are approvals happening within expected timeframes?
  • Are any steps being completed automatically because a time-limit escalation is configured to take the action on the approver's behalf?
  • Is there evidence of override behavior (e.g., a step completed by a system administrator rather than the assigned approver)?

These checks are usually performed against the Workflow history inquiry in D365FO (System administration > Inquiries > Workflow) or against exported workflow tracking data analyzed in Power BI. The useful signal is in the tracking detail of each instance: who the step was assigned to, who actually acted, and whether the action was a human decision or an escalation.
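As an added illustration, not code from the original article or from Microsoft, the following Python script runs those four checks over a constructed sample of workflow tracking events. The column layout, the "SYSTEM" actor name used for escalation actions, the two-day approval SLA and the list of administrator accounts are all assumptions for this example; a real run would read the Workflow history export and take those parameters from policy.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample shaped like a flattened export of workflow tracking
# events, one row per step event. Column names are assumptions for this
# example; map them onto the real Workflow history export before use.
# (workflow_id, document, step, assigned_to, acted_by, event, timestamp)
WORKFLOW_EVENTS = [
    ("WF-1001", "VEND-000123", "Submit",  "alice", "alice",  "submission", "2025-06-02 09:10"),
    ("WF-1001", "VEND-000123", "Approve", "bob",   "bob",    "approval",   "2025-06-02 14:05"),
    ("WF-1002", "VEND-000124", "Submit",  "alice", "alice",  "submission", "2025-06-03 08:00"),
    # time-limit escalation took the action on the approver's behalf
    ("WF-1002", "VEND-000124", "Approve", "bob",   "SYSTEM", "escalation", "2025-06-06 08:00"),
    ("WF-1003", "VEND-000125", "Submit",  "carol", "carol",  "submission", "2025-06-04 10:00"),
    # step completed by an administrator account, not the assigned approver
    ("WF-1003", "VEND-000125", "Approve", "bob",   "admin",  "approval",   "2025-06-04 10:30"),
    ("WF-1004", "VEND-000126", "Submit",  "carol", "carol",  "submission", "2025-06-01 09:00"),
    ("WF-1004", "VEND-000126", "Approve", "bob",   "bob",    "approval",   "2025-06-09 09:00"),
]

# Assumed policy parameters: the approval SLA agreed with the business,
# the actor name the export uses for automatic escalation actions, and
# the accounts that hold the System administrator role.
APPROVAL_SLA = timedelta(days=2)
SYSTEM_ACTOR = "SYSTEM"
ADMIN_USERS = {"admin"}
DECISION_EVENTS = {"approval", "rejection", "escalation"}


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def review_workflows(events, sla=APPROVAL_SLA, admin_users=ADMIN_USERS):
    """Return (workflow_id, finding) pairs for the four evaluation points."""
    by_workflow = defaultdict(list)
    for row in events:
        by_workflow[row[0]].append(row)

    findings = []
    for wf_id, rows in by_workflow.items():
        submitted = next((parse_ts(r[6]) for r in rows if r[5] == "submission"), None)
        for _, _doc, _step, assigned_to, acted_by, event, when in rows:
            if event not in DECISION_EVENTS:
                continue
            # timeliness: decision taken later than the SLA allows
            if submitted is not None and parse_ts(when) - submitted > sla:
                findings.append((wf_id, "sla_breach"))
            # auto-completion: escalation acted instead of a person
            if event == "escalation" and acted_by == SYSTEM_ACTOR:
                findings.append((wf_id, "auto_action_by_escalation"))
            # routing: someone other than the assignee completed the step
            if acted_by != assigned_to and acted_by != SYSTEM_ACTOR:
                findings.append((wf_id, "acted_by_not_assignee"))
            # override: an administrator account took the decision
            if acted_by in admin_users:
                findings.append((wf_id, "admin_override"))
    return findings


def decision_times(events):
    """Hours from submission to decision per workflow, for cycle-time reporting."""
    by_workflow = defaultdict(dict)
    for wf_id, *_rest, event, when in events:
        if event == "submission":
            by_workflow[wf_id]["submitted"] = parse_ts(when)
        elif event in DECISION_EVENTS:
            by_workflow[wf_id]["decided"] = parse_ts(when)
    return {
        wf_id: (t["decided"] - t["submitted"]).total_seconds() / 3600
        for wf_id, t in by_workflow.items()
        if "submitted" in t and "decided" in t
    }


if __name__ == "__main__":
    for wf_id, issue in review_workflows(WORKFLOW_EVENTS):
        print(wf_id, issue)
    for wf_id, hours in decision_times(WORKFLOW_EVENTS).items():
        print(wf_id, f"{hours:.1f}h to decision")
```

On the sample, WF-1002 is flagged twice (the SLA lapsed and escalation then auto-approved it), WF-1003 is flagged for an administrator acting in place of the assignee, and WF-1004 only for slowness. The second and third findings are the ones Line 2 should treat as control weaknesses; the first is a configuration choice that should be confirmed as deliberate.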

4. Analyzing Field-Level Configuration Changes

Control failures are not always transactional—they often begin in setup and master data. A well-designed workflow or SoD policy can be rendered ineffective if a key configuration setting is changed.

Line 2’s responsibility is to track changes to sensitive fields and ensure that:

  • Only authorized users are making changes to configuration records (e.g., vendor bank account, posting profiles)
  • All changes are traceable and explainable
  • Recurring or off-hours changes are flagged for further review

D365FO's Database Log feature supports this type of oversight. When enabled for the appropriate tables and fields (System administration > Setup > Database log), it records the user ID, timestamp, change type, and the before and after values of each tracked field. Scope it deliberately: logging high-volume transactional tables carries a performance cost and buries the review in noise, so Line 2 should specify the sensitive master data and setup tables (vendor bank accounts, posting profiles, the security tables) and confirm that the database log cleanup job does not purge entries before they have been reviewed.
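The following Python script, added here as an example rather than taken from the article or from the product, applies the three checks above to a constructed extract of Database Log entries for vendor bank accounts and vendor payment terms. The column names, the authorized-user lists, the 07:00 to 19:00 weekday business window and the 14-day revert window are assumptions. The last check looks for a field that is changed and later set back to its original value, the pattern behind redirecting a payment and covering the trail, which a review that only compares current values against a baseline will miss.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed extract resembling Database log entries (one row per tracked
# field change). Column names are assumptions for this example; the real
# export's columns differ and must be mapped before use.
DB_LOG = [
    {"table": "VendBankAccount", "record": "V-1001", "field": "AccountNum",
     "user": "dave", "when": "2025-06-10 10:15", "old": "12345678", "new": "99887766"},
    {"table": "VendBankAccount", "record": "V-1002", "field": "AccountNum",
     "user": "erin", "when": "2025-06-11 22:40", "old": "55551111", "new": "43210000"},
    # same field set back to its original value two nights later
    {"table": "VendBankAccount", "record": "V-1002", "field": "AccountNum",
     "user": "erin", "when": "2025-06-13 23:05", "old": "43210000", "new": "55551111"},
    {"table": "VendTable", "record": "V-1003", "field": "PaymTermsId",
     "user": "dave", "when": "2025-06-14 09:00", "old": "Net30", "new": "Net0"},
]

# Assumed policy: who may change each sensitive table, what counts as
# business hours (local time, Monday-Friday), and how long after a change
# a reversal is still treated as suspicious.
AUTHORIZED_CHANGERS = {
    "VendBankAccount": {"dave", "frank"},
    "VendTable": {"dave", "frank"},
}
BUSINESS_HOURS = (7, 19)
REVERT_WINDOW = timedelta(days=14)


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def is_off_hours(moment):
    """True on weekends or outside the business-hours window."""
    start, end = BUSINESS_HOURS
    return moment.weekday() >= 5 or not (start <= moment.hour < end)


def review_db_log(entries, authorized=AUTHORIZED_CHANGERS, revert_window=REVERT_WINDOW):
    """Return sorted (when, record, field, user, finding) tuples."""
    findings = []
    per_field = defaultdict(list)
    for e in entries:
        moment = parse_ts(e["when"])
        key = (e["when"], e["record"], e["field"], e["user"])
        # who: the user is not on the approved list for this table
        if e["user"] not in authorized.get(e["table"], set()):
            findings.append(key + ("unauthorized_user",))
        # when: weekend or night-time change
        if is_off_hours(moment):
            findings.append(key + ("off_hours",))
        per_field[(e["table"], e["record"], e["field"])].append((moment, e))

    # what: a value changed and later restored, which hides the change from
    # anyone who only compares the current value with a baseline
    for changes in per_field.values():
        changes.sort(key=lambda c: c[0])
        for i, (t_first, first) in enumerate(changes):
            for t_later, later in changes[i + 1:]:
                if t_later - t_first > revert_window:
                    break
                if later["old"] == first["new"] and later["new"] == first["old"]:
                    findings.append((later["when"], later["record"], later["field"],
                                     later["user"], "changed_then_reverted"))
                    break
    return sorted(findings)


if __name__ == "__main__":
    for finding in review_db_log(DB_LOG):
        print(*finding)
```

The authorized-user list is the piece Line 2 owns: it is the policy the review is enforcing, and it should be reconciled against the actual role assignments each cycle rather than copied from them, otherwise an unapproved role grant silently becomes an approved changer.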

5. Performing Periodic Risk Reviews and Reporting

Line 2 is accountable for translating system data into actionable risk insight. This typically includes:

  • Monthly or quarterly reports on SoD exceptions, workflow behavior, and sensitive field changes
  • User access reviews for high-risk roles (e.g., system administrators, finance approvers)
  • Assessment of policy violations and recurring control issues
  • Recommendations to IT or Line 1 leaders for control remediation or enhancement

Tools like RSM Guardian or Fastpath streamline this process by aggregating control data into prebuilt dashboards. However, even without ISVs, D365FO’s native data entities, export functions, and logging capabilities enable meaningful review cycles—if structured properly.

A SECOND LINE SCENARIO: FROM OVERSIGHT TO INTERVENTION

Consider this common use case:

A temporary SoD exception was approved last month, allowing a user to both create and approve vendors.

During a monthly review, Line 2 notices that this exception is still active—even though the stated expiration date has passed.

Further investigation reveals the same user submitted and approved three vendors, one of which was used in a high-value payment.

Line 2 flags the issue, revokes the role combination, and recommends a retrospective review of the payment by Internal Audit.

This type of oversight intervention highlights the true value of Line 2 in D365FO—not just spotting violations, but ensuring controls remain active, relevant, and risk-aligned.
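The scenario can be turned into a repeatable monthly check. The Python below is an added example, not from the article or from D365FO, that joins three constructed datasets: an exception register with expiry dates, the current user-role assignments, and vendor workflow outcomes with the payments that followed. D365FO's segregation of duties conflict form records the allow-or-deny decision and its reason; the expiry date and compensating control are assumed attributes that Line 2 keeps in its own register. Role names, user names, amounts and the 100,000 high-value threshold are constructed for the example.

```python
from datetime import date

# Constructed exception register. The expiry date and compensating control are
# assumed attributes maintained by Line 2 outside the system.
SOD_EXCEPTIONS = [
    {"user": "gina", "roles": ("Accounts payable clerk", "Accounts payable manager"),
     "approved_on": "2025-05-12", "expires_on": "2025-06-15",
     "compensating_control": "weekly vendor change review"},
    {"user": "hank", "roles": ("Accounts payable clerk", "Accounts payable manager"),
     "approved_on": "2025-06-20", "expires_on": "2025-08-01",
     "compensating_control": "dual approval on payments"},
    {"user": "ivan", "roles": ("Accounts payable clerk", "Accounts payable manager"),
     "approved_on": "2025-04-01", "expires_on": "2025-05-30",
     "compensating_control": "none"},
]

# Constructed current user-role assignments: ivan's exception was cleaned up
# when it expired, gina's was not.
ROLE_ASSIGNMENTS = [
    ("gina", "Accounts payable clerk"), ("gina", "Accounts payable manager"),
    ("hank", "Accounts payable clerk"), ("hank", "Accounts payable manager"),
    ("ivan", "Accounts payable clerk"),
    ("alice", "Accounts payable clerk"), ("bob", "Accounts payable manager"),
]

# Constructed vendor-approval outcomes (document, submitted_by, approved_by, date)
# and payments to those vendors (vendor, amount, date).
VENDOR_WORKFLOWS = [
    ("VEND-000201", "gina", "gina", "2025-06-20"),
    ("VEND-000202", "gina", "gina", "2025-06-22"),
    ("VEND-000203", "gina", "gina", "2025-06-25"),
    ("VEND-000204", "alice", "bob", "2025-06-26"),
]
PAYMENTS = [
    ("VEND-000201", 1200.00, "2025-06-29"),
    ("VEND-000203", 250000.00, "2025-06-28"),
    ("VEND-000204", 9000.00, "2025-06-30"),
]
HIGH_VALUE_THRESHOLD = 100000.00  # assumed review threshold


def parse_date(text):
    return date.fromisoformat(text)


def expired_active_exceptions(exceptions, assignments, as_of):
    """Exceptions past expiry whose conflicting role pair is still fully assigned."""
    review_date = parse_date(as_of)
    roles_by_user = {}
    for user, role in assignments:
        roles_by_user.setdefault(user, set()).add(role)
    return [
        (e["user"], e["expires_on"])
        for e in exceptions
        if parse_date(e["expires_on"]) < review_date
        and set(e["roles"]) <= roles_by_user.get(e["user"], set())
    ]


def self_approved_vendors(workflows):
    """Vendor documents where the submitter also gave the approval."""
    return [doc for doc, submitted_by, approved_by, _ in workflows
            if submitted_by == approved_by]


def payments_to_self_approved(workflows, payments, threshold=HIGH_VALUE_THRESHOLD):
    """Payments at or above the threshold made to self-approved vendors."""
    suspect = set(self_approved_vendors(workflows))
    return [(vendor, amount) for vendor, amount, _ in payments
            if vendor in suspect and amount >= threshold]


if __name__ == "__main__":
    print("expired but still active:",
          expired_active_exceptions(SOD_EXCEPTIONS, ROLE_ASSIGNMENTS, "2025-07-01"))
    print("self-approved vendors:", self_approved_vendors(VENDOR_WORKFLOWS))
    print("high-value payments to them:",
          payments_to_self_approved(VENDOR_WORKFLOWS, PAYMENTS))
```

Run on the review date, the first function returns the lapsed exception (gina, expired 2025-06-15) while ignoring ivan, whose roles were actually removed; the other two return the three self-approved vendors and the one payment above the threshold that Internal Audit should look at. Each of the three outputs is a separate intervention: revoke the role combination, re-approve or close the exception, and hand the payment to Line 3.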

CONCLUSION

The Second Line of Defense brings structure, oversight, and assurance to the control environment. In Dynamics 365 Finance & Operations, Line 2 professionals are not responsible for day-to-day transactions—but they are accountable for ensuring that the system itself enforces compliance principles.

By continuously monitoring role changes, SoD conflicts, workflow behavior, and audit logs, Line 2 can enforce risk policies without disrupting operations. The end result is a governance model where compliance is embedded within the ERP—not layered on top of it.

The final article in this series will focus on Line 3: Internal Audit, where we examine how independent assurance can be delivered using D365FO’s data and reporting capabilities.
