Tuesday, August 5, 2025

Enabling the Three Lines of Defense in Dynamics 365 Finance & Operations - LINE3: Internal Audit Assurance




CONTENT

Introduction
Line 3 Internal Audit in a D365FO-Centric Environment
Independent Assurance Through System Evidence
Reviewing Transaction and Ledger Integrity
Validating Control Execution and Effectiveness
Sampling and Testing High-Risk Transactions
Auditing Configuration Changes and Access History
Leveraging Reporting and Data Extraction Tools
A Third Line Scenario: From Audit Request to Finding
Conclusion

INTRODUCTION 

The Third Line of Defense within the Three Lines of Defense (3LoD) model is responsible for independent assurance. Unlike Line 1 (which executes controls) and Line 2 (which monitors and oversees), Line 3 evaluates whether the control framework is designed appropriately, operating effectively, and aligned with the organization’s compliance obligations.

In a Microsoft Dynamics 365 Finance & Operations (D365FO) environment, Line 3 does not create workflows, assign roles, or approve transactions. Instead, Internal Audit uses the system’s data, logs, and reports to test and verify that Lines 1 and 2 are performing their responsibilities and that risks are being managed within tolerance.

This article focuses on how internal audit teams can use D365FO’s capabilities—alongside standard audit methodologies—to perform independent reviews and produce evidence-based assurance for stakeholders such as the audit committee, regulators, and external auditors.

LINE 3 | INTERNAL AUDIT IN A D365FO-CENTRIC ENVIRONMENT

Internal Audit’s primary value lies in its objectivity. It operates separately from both operations and compliance functions, ensuring that its assessment is unbiased and evidence-driven. In D365FO, this objectivity is enhanced by the system’s ability to generate immutable records of transactions, changes, and approvals.

Typical responsibilities of Line 3 include:

  • Assessing whether controls designed by Line 1 and monitored by Line 2 are functioning as intended
  • Reviewing the completeness and accuracy of transaction data
  • Identifying process gaps or control weaknesses not previously detected
  • Recommending improvements to strengthen the overall control environment

INDEPENDENT ASSURANCE THROUGH SYSTEM EVIDENCE

1. Reviewing Transaction and Ledger Integrity

Internal auditors frequently begin by validating the accuracy and completeness of financial transactions. In D365FO, this involves:

  • Using General ledger > Inquiries > Voucher transactions to trace transactions from source documents to ledger postings
  • Verifying that subledger entries (e.g., Accounts Payable, Accounts Receivable, Fixed Assets) reconcile to the general ledger
  • Checking for manual journal entries that bypass standard workflows

View of subledger journal of a purchase order invoice (Voucher transactions inquiry showing linkage between subledger and ledger entries)










2. Validating Control Execution and Effectiveness

Line 3 evaluates whether preventive and detective controls are consistently applied. This includes:

  • Reviewing workflow history to ensure approvals occurred as designed
  • Checking whether SoD violations identified by Line 2 were remediated or mitigated
  • Confirming that exception handling processes were documented and followed

D365FO’s workflow history logs and exported SoD violation reports are primary data sources for these validations.

View of workflow history screen with an invoice approval chain










3. Sampling and Testing High-Risk Transactions

Internal Audit applies sampling methods (statistical or judgmental) to test transactions for compliance with policy. Examples include:

  • Testing a sample of vendor changes to verify proper approval and supporting documentation
  • Reviewing high-value payment transactions for dual authorization evidence
  • Confirming that purchase orders over threshold values received required managerial approvals

Sampling can be done by exporting data from D365FO using Data Management > Export into Excel or Power BI for analysis.

4. Auditing Configuration Changes and Access History

Unauthorized or undocumented configuration changes can weaken controls. Internal Audit reviews:

  • Database Log entries for high-risk tables (e.g., posting profiles, vendor bank accounts)
  • Historical user role assignments to detect privilege escalation
  • Removal of access for terminated employees

While D365FO’s native tools provide much of this data, external solutions like Fastpath or Guardian may enhance visibility, especially for historical access reporting.

View of database log entries showing a change to a vendor’s bank account.











5. Leveraging Reporting and Data Extraction Tools

To streamline evidence collection, Line 3 can leverage:

  • Task Recorder to document test steps for re-performance by external auditors
  • Data entities to pull standardized datasets for repeatable audits
  • Power BI integration to visualize trends in control exceptions and workflow performance

By using system-generated evidence, Internal Audit reduces reliance on manual screenshots or user attestations, improving both efficiency and credibility.

A THIRD LINE SCENARIO: FROM AUDIT REQUEST TO FINDING

Imagine Internal Audit is performing a quarterly review of vendor master data changes:

1. Audit extracts vendor bank account changes from the Database Log for the last 90 days.

2. A sample is selected focusing on changes made outside normal business hours.

3. One entry shows a bank account change by a user whose role assignment was supposed to be temporary.

4. Further investigation reveals the role removal was delayed, allowing the user to make changes after their project ended.

5. Audit issues a finding recommending stricter monitoring of role deactivations and improved coordination between HR and IT.

This example illustrates how Line 3 moves beyond detection—providing recommendations that close process gaps and strengthen Lines 1 and 2.
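Steps 1 to 4 of the scenario, together with the Database Log and role-history reviews from section 4, can be re-performed over exported data; the following is an added example, not part of the original article or of D365FO itself. The CSV column names, the sample rows, the business-hours window and the idea of a planned role end date held in the export are all assumptions made for illustration.

```python
import csv
import io
from datetime import datetime, time, timedelta

# Constructed sample exports. Column names are hypothetical, not D365FO's schema.
DB_LOG_CSV = """changed_at,user_id,vendor,field
2025-07-01T10:15:00,alice,V-1001,BankAccount
2025-07-12T23:40:00,bob,V-1002,BankAccount
2025-07-20T14:05:00,carol,V-1003,BankAccount
2025-03-02T22:00:00,bob,V-1004,BankAccount
"""
ROLE_CSV = """user_id,role,planned_end,removed_at
bob,Vendor master clerk,2025-06-30T00:00:00,2025-07-15T09:00:00
carol,Vendor master clerk,2025-09-30T00:00:00,
"""
OPEN, CLOSE = time(8, 0), time(18, 0)  # assumed business hours, Monday to Friday


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def outside_business_hours(ts):
    return ts.weekday() >= 5 or not (OPEN <= ts.time() < CLOSE)


def review(log_rows, role_rows, as_of, window_days=90):
    """Steps 1-4: window the log, sample after-hours changes, test role validity."""
    cutoff = as_of - timedelta(days=window_days)
    roles = {r["user_id"]: r for r in role_rows}
    sample, findings = [], []
    for row in log_rows:
        ts = datetime.fromisoformat(row["changed_at"])
        if not (cutoff <= ts <= as_of and outside_business_hours(ts)):
            continue
        sample.append(row)
        role = roles.get(row["user_id"])
        if role is None:
            continue  # no temporary assignment on record for this user
        planned_end = datetime.fromisoformat(role["planned_end"])
        removed = role["removed_at"] and datetime.fromisoformat(role["removed_at"])
        # Change made after the planned end while the role was still active.
        if ts > planned_end and (not removed or ts < removed):
            findings.append({"user_id": row["user_id"], "vendor": row["vendor"],
                             "changed_at": row["changed_at"],
                             "days_past_planned_end": (ts - planned_end).days})
    return sample, findings


SAMPLE, FINDINGS = review(load(DB_LOG_CSV), load(ROLE_CSV), datetime(2025, 8, 1))
```

With the constructed data, two after-hours changes fall in the 90-day window and one of them is flagged: a bank account change made 12 days after the user's planned role end, before the role was actually removed.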

CONCLUSION

The Third Line of Defense in D365FO is not about running the business or overseeing it—it’s about independent validation that both are working as intended. By leveraging D365FO’s inquiry screens, workflow histories, database logs, and data exports, Internal Audit can perform efficient, evidence-based reviews without disrupting daily operations.

When Lines 1 and 2 perform their roles effectively, Line 3’s job becomes one of confirmation and continuous improvement—ensuring that the organization’s control environment is not only compliant, but resilient.

This completes the three-part series on enabling the Three Lines of Defense in Dynamics 365 Finance & Operations. Together, these articles provide a blueprint for embedding operational control, compliance oversight, and independent assurance into your ERP system.
