Sunday, August 17, 2025

Strengthening Internal Controls with User Termination in D365FO



CONTENT

Introduction
Importance of User Termination in a SOX Environment
Terminate User and Remove Their Security Roles
Alternative: Disable User and Remove Their Security Roles
Address Workflow Delegations
Monitor Batch Jobs
Monitor Disabled and Deleted Users via Database Logging
Conclusion

Introduction

User lifecycle management is one of the most critical aspects of securing any ERP system, and Microsoft Dynamics 365 Finance and Operations (D365FO) is no exception. From the moment a user is onboarded to the time their access must be revoked, organizations must ensure that system access aligns with employment status and compliance requirements.

In a Sarbanes-Oxley (SOX) regulated environment, user termination becomes more than just a technical activity—it is a key internal control. When employees, contractors, or consultants leave the organization, their access to the system must be promptly revoked to prevent unauthorized activities, reduce fraud risk, and maintain the principle of least privilege.

This article explains the steps, options, and considerations for terminating users in D365FO. It provides practical instructions, highlights SOX compliance implications, and points out potential pitfalls if termination is not handled effectively.

Importance of User Termination in a SOX Environment

SOX Section 404 requires companies to establish and maintain adequate internal controls over financial reporting. One of these controls is ensuring that only authorized personnel have access to financial systems like D365FO.

Failure to properly terminate users creates several risks:

  • Unauthorized Access: Former employees may still be able to log into the system.
  • Segregation of Duties (SoD) Violations: Inactive but enabled accounts could be exploited, creating audit findings.
  • Workflow Disruption: Unattended approvals may remain pending if workflow delegations are not reassigned.
  • Batch Job Failures: Critical scheduled processes may stop running if they are tied to a disabled user account.

Therefore, an effective user termination process in D365FO must include technical steps (role removal, account disabling, workflow reassignment) as well as compliance checks to verify that no residual risks remain.

Terminate User and Remove Their Security Roles

The preferred approach is to terminate users directly in D365FO using the HR framework. If your environment integrates HR and system access, user termination can be initiated from the Employees form.

1. Navigate to Human Resources > Workers > Employees.

2. Select the employee record.

3. In the Action Pane, under Personnel actions, click Terminate.



4. Select the termination action, enter the termination date, and save the record.


If personnel actions workflows are enabled under HR Shared Parameters, the termination can be routed for approval before becoming effective.

5. OPTIONAL: Execute the termination workflow if the selected personnel action type requires workflow approval.

Screenshots: Workflow submission, Workflow approval, Workflow completion, Employee determination


Once the termination is processed, you should also ensure the user’s security roles are removed. This step is critical because it directly revokes system privileges and ensures compliance with SOX. 

NOTE: A standard termination workflow in Dynamics 365 for Finance and Operations (D365FO) does not automatically disable a user account. The standard workflow process in Human Resources primarily handles the worker's employment status, moving them from active to terminated. The user account and security roles must be handled separately.

6. User termination and security role removal 

Screenshots: User termination and security role removal - Before, User termination and security role removal - After









Alternative: Disable User and Remove Their Security Roles

In some organizations, HR and IT systems are not fully integrated, or there may be licensing constraints preventing full use of the HR module. In these cases, you can directly disable a user account in D365FO.

1. Go to System Administration > Users > Users.

2. Select the user record.

3. Toggle the Enabled field to Off.

4. Remove all assigned security roles as shown in the previous section.

This approach is faster but less structured compared to personnel action termination. However, it still meets the SOX requirement of revoking access promptly.

Address Workflow Delegations

Terminated users may still be assigned workflow tasks or delegation rules. If these are not reassigned, business processes (such as vendor invoice approvals, purchase requisition approvals, or journal approvals) could stall.

There is no screen in D365FO that shows all delegations, but there is a workaround: the table WorkflowWorkItemDelegationParameters stores that information.

To identify active delegations, use the following link in your environment:

<yourD365FOurl>/?mi=SysTableBrowser&tablename=WorkflowWorkItemDelegationParameters

This opens the table browser to review current workflow delegation records.





Any delegations tied to the terminated user should be reassigned to active employees.

Monitor Batch Jobs

Another critical check is to monitor background batch jobs. Many automated processes in D365FO—such as periodic invoicing, financial consolidations, or integrations—run under a specific user account. If a terminated user owns a batch job, the process may fail after their account is disabled.

To monitor this:

1. Go to System Administration > Inquiries > Batch Jobs.

2. Review the Run by field for each job.

3. Recreate critical jobs with a valid service account or another active user.



This review is especially important during offboarding to prevent system disruptions.
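The role, delegation, and batch job checks described in the sections above can be combined into one offboarding review over exported data. The following is an added example, not part of the original article or of D365FO: the CSV column names, user IDs, and records are constructed for illustration and do not reflect the actual table schemas.

```python
import csv
import io
from datetime import date

# Constructed sample exports. Column names are hypothetical, not the D365FO schema.
USERS = """user_id,enabled,roles
jdoe,Yes,Accounts payable clerk;Vendor invoice approver
asmith,No,
mlee,No,Purchasing agent
svc_batch,Yes,System administrator
"""
BATCH_JOBS = """job,run_by,status
Vendor payment proposal,mlee,Waiting
Ledger consolidation,svc_batch,Waiting
Old import,asmith,Ended
"""
DELEGATIONS = """from_user,to_user,end_date
kpatel,jdoe,2025-12-31
kpatel,asmith,2025-06-30
mlee,kpatel,2025-12-31
"""
TERMINATED = {"jdoe", "asmith", "mlee"}  # constructed list of offboarded user IDs

def rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def residual_findings(terminated, as_of):
    """Return (user, issue) pairs for access left behind after termination."""
    findings = []
    for u in rows(USERS):
        if u["user_id"] not in terminated:
            continue
        if u["enabled"] == "Yes":
            findings.append((u["user_id"], "account still enabled"))
        if u["roles"]:
            findings.append((u["user_id"], "roles still assigned: " + u["roles"]))
    for j in rows(BATCH_JOBS):
        if j["run_by"] in terminated and j["status"] != "Ended":
            findings.append((j["run_by"], "runs batch job: " + j["job"]))
    for d in rows(DELEGATIONS):
        if date.fromisoformat(d["end_date"]) < as_of:
            continue  # delegation already expired
        for side in ("from_user", "to_user"):
            if d[side] in terminated:
                findings.append((d[side], "delegation " + d["from_user"] + " -> " + d["to_user"]))
    return findings

for user, issue in residual_findings(TERMINATED, date(2025, 8, 17)):
    print(f"{user}: {issue}")
```

Note that mlee is already disabled yet still produces three findings, which is the case a check on the Enabled field alone would miss.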

Monitor Disabled and Deleted Users via Database Logging

As a detective control, organizations can enable Database Logging in D365FO to track changes to user accounts. This ensures auditability of user termination activities and provides evidence during SOX testing.

Recommended logging events include:

  • User creation
  • User deletion
  • User enabled/disabled changes
  • Security role assignments and removals

For example, user activation and deactivation can be tracked as shown below:




Note that the above screen shows enabled and disabled users, giving admins full visibility to take necessary actions.

Database logging not only provides assurance but also strengthens the organization’s ability to demonstrate compliance during external audits.

Conclusion

User termination in D365FO is not just about removing access—it is about safeguarding financial data, preventing fraud, and ensuring compliance with SOX requirements. By following a structured process that includes terminating or disabling users, removing security roles, reassessing workflow delegations, monitoring batch jobs, and tracking changes through database logging, organizations can significantly reduce risk.

An effective termination process bridges the gap between IT operations and compliance, providing assurance to management, auditors, and regulators. Whether you use the HR-driven personnel action approach or the direct disablement method, what matters most is consistency, timeliness, and proper documentation.

In short, closing the door properly when a user exits is just as important as granting them access in the first place.

Tuesday, August 5, 2025

Enabling the Three Lines of Defense in Dynamics 365 Finance & Operations - LINE3: Internal Audit Assurance



CONTENT

Introduction
Line 3 Internal Audit in a D365FO-Centric Environment
Independent Assurance Through System Evidence
Reviewing Transaction and Ledger Integrity
Validating Control Execution and Effectiveness
Sampling and Testing High-Risk Transactions
Auditing Configuration Changes and Access History
Leveraging Reporting and Data Extraction Tools
A Third Line Scenario: From Audit Request to Finding
Conclusion

INTRODUCTION 

The Third Line of Defense within the Three Lines of Defense (3LoD) model is responsible for independent assurance. Unlike Line 1 (which executes controls) and Line 2 (which monitors and oversees), Line 3 evaluates whether the control framework is designed appropriately, operating effectively, and aligned with the organization’s compliance obligations.

In a Microsoft Dynamics 365 Finance & Operations (D365FO) environment, Line 3 does not create workflows, assign roles, or approve transactions. Instead, Internal Audit uses the system’s data, logs, and reports to test and verify that Lines 1 and 2 are performing their responsibilities and that risks are being managed within tolerance.

This article focuses on how internal audit teams can use D365FO’s capabilities—alongside standard audit methodologies—to perform independent reviews and produce evidence-based assurance for stakeholders such as the audit committee, regulators, and external auditors.

LINE 3 | INTERNAL AUDIT IN A D365FO-CENTRIC ENVIRONMENT

Internal Audit’s primary value lies in its objectivity. It operates separately from both operations and compliance functions, ensuring that its assessment is unbiased and evidence-driven. In D365FO, this objectivity is enhanced by the system’s ability to generate immutable records of transactions, changes, and approvals.

Typical responsibilities of Line 3 include:

  • Assessing whether controls designed by Line 1 and monitored by Line 2 are functioning as intended
  • Reviewing the completeness and accuracy of transaction data
  • Identifying process gaps or control weaknesses not previously detected
  • Recommending improvements to strengthen the overall control environment

INDEPENDENT ASSURANCE THROUGH SYSTEM EVIDENCE

1. Reviewing Transaction and Ledger Integrity

Internal auditors frequently begin by validating the accuracy and completeness of financial transactions. In D365FO, this involves:

  • Using General ledger > Inquiries > Voucher transactions to trace transactions from source documents to ledger postings
  • Verifying that subledger entries (e.g., Accounts Payable, Accounts Receivable, Fixed Assets) reconcile to the general ledger
  • Checking for manual journal entries that bypass standard workflows

View of subledger journal of a purchase order invoice (Voucher transactions inquiry showing linkage between subledger and ledger entries)










2. Validating Control Execution and Effectiveness

Line 3 evaluates whether preventive and detective controls are consistently applied. This includes:

  • Reviewing workflow history to ensure approvals occurred as designed
  • Checking whether SoD violations identified by Line 2 were remediated or mitigated
  • Confirming that exception handling processes were documented and followed

D365FO’s workflow history logs and exported SoD violation reports are primary data sources for these validations.

View of workflow history screen with an invoice approval chain










3. Sampling and Testing High-Risk Transactions

Internal Audit applies sampling methods (statistical or judgmental) to test transactions for compliance with policy. Examples include:

  • Testing a sample of vendor changes to verify proper approval and supporting documentation
  • Reviewing high-value payment transactions for dual authorization evidence
  • Confirming that purchase orders over threshold values received required managerial approvals

Sampling can be done by exporting data from D365FO using Data Management > Export into Excel or Power BI for analysis.

4. Auditing Configuration Changes and Access History

Unauthorized or undocumented configuration changes can weaken controls. Internal Audit reviews:

  • Database Log entries for high-risk tables (e.g., posting profiles, vendor bank accounts)
  • Historical user role assignments to detect privilege escalation
  • Removal of access for terminated employees

While D365FO’s native tools provide much of this data, external solutions like Fastpath or Guardian may enhance visibility, especially for historical access reporting.

View of database log entries showing a change to a vendor’s bank account.











5. Leveraging Reporting and Data Extraction Tools

To streamline evidence collection, Line 3 can leverage:

  • Task Recorder to document test steps for re-performance by external auditors
  • Data entities to pull standardized datasets for repeatable audits
  • Power BI integration to visualize trends in control exceptions and workflow performance

By using system-generated evidence, Internal Audit reduces reliance on manual screenshots or user attestations, improving both efficiency and credibility.

A THIRD LINE SCENARIO: FROM AUDIT REQUEST TO FINDING

Imagine Internal Audit is performing a quarterly review of vendor master data changes:

1. Audit extracts vendor bank account changes from the Database Log for the last 90 days.

2. A sample is selected focusing on changes made outside normal business hours.

3. One entry shows a bank account change by a user whose role assignment was supposed to be temporary.

4. Further investigation reveals the role removal was delayed, allowing the user to make changes after their project ended.

5. Audit issues a finding recommending stricter monitoring of role deactivations and improved coordination between HR and IT.

This example illustrates how Line 3 moves beyond detection—providing recommendations that close process gaps and strengthen Lines 1 and 2.
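The scenario above can be expressed as a repeatable test over an exported log. This is an added example, not part of the original article: the export columns, the temporary-role register, the business-hours window, and all records are constructed assumptions.

```python
import csv
import io
from datetime import datetime, time

# Constructed Database Log export. Column names are hypothetical.
DB_LOG = """changed_at,user_id,vendor,field
2025-06-03 10:15,apclerk1,V-1001,BankAccount
2025-06-14 23:40,contractor7,V-1042,BankAccount
2025-07-02 06:05,apclerk1,V-1010,BankAccount
2025-07-21 14:30,contractor7,V-1077,BankAccount
2025-03-01 09:00,apclerk1,V-1003,BankAccount
"""
# Constructed register of temporary role assignments and their planned end.
TEMP_ROLES = """user_id,role,planned_end
contractor7,Vendor master maintainer,2025-05-31 00:00
"""
OPEN, CLOSE = time(8, 0), time(18, 0)  # assumed business-hours policy

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def review(log_text, temp_text, as_of, days=90):
    """Flag in-window changes made off-hours or after a temporary role's planned end."""
    planned_end = {r["user_id"]: parse(r["planned_end"])
                   for r in csv.DictReader(io.StringIO(temp_text))}
    flagged = []
    for r in csv.DictReader(io.StringIO(log_text)):
        when = parse(r["changed_at"])
        if not (0 <= (as_of - when).days < days):
            continue  # outside the review period
        off_hours = when.weekday() >= 5 or not (OPEN <= when.time() < CLOSE)
        end = planned_end.get(r["user_id"])
        after_role_end = end is not None and when > end
        if off_hours or after_role_end:
            flagged.append({"vendor": r["vendor"], "user": r["user_id"],
                            "off_hours": off_hours, "after_role_end": after_role_end})
    return flagged

for hit in review(DB_LOG, TEMP_ROLES, datetime(2025, 8, 5)):
    print(hit)
```

The V-1077 change falls inside business hours, so an off-hours sample alone would not surface it; comparing each change against the role's planned end date does.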

CONCLUSION

The Third Line of Defense in D365FO is not about running the business or overseeing it—it’s about independent validation that both are working as intended. By leveraging D365FO’s inquiry screens, workflow histories, database logs, and data exports, Internal Audit can perform efficient, evidence-based reviews without disrupting daily operations.

When Lines 1 and 2 perform their roles effectively, Line 3’s job becomes one of confirmation and continuous improvement—ensuring that the organization’s control environment is not only compliant, but resilient.

This completes the three-part series on enabling the Three Lines of Defense in Dynamics 365 Finance & Operations. Together, these articles provide a blueprint for embedding operational control, compliance oversight, and independent assurance into your ERP system.
