
Getting through an IT Audit is a Superpower.
Learn it and you're an unstoppable force.
Use these 3 steps to breeze through
your next D365 F&O Audit in 15 minutes.

Creswell Casey
Background

My client Terry works for a Brisbane-based manufacturer on the east coast of Australia.
He's their D365 F&O Functional Consultant and a member of their Applications Team.

🔴
Last month, Terry helped with the company's annual IT Audit.
After 4 weeks of meetings, his team failed 6 of the 28 controls for D365 F&O.
The Auditors have requested a written response by the end of the week.
Under pressure, unmotivated and unsure, Terry called me.


🟡
Terry has what it takes to be an awesome Consultant.
It's just that he's always distracted by the backlog of tickets.
He doesn't have time to tackle the more complex tickets, so they just sit there.

So, I shared 3 tips to help solve his ticket issues and deal with his Audit failures.
- Take 1 failed audit control and document a Business Rule on how D365 should be operated.
- Configure the D365 Self-Monitoring module to detect exceptions to this Business Rule.
- Engage the business to respond and fix each exception to the Business Rule.


🟢
Terry was chuffed!
The auditors approved his business rule and monitoring approach.
They agreed that it would've prevented this type of failure from occurring this year and the next.

By being proactive, Terry changed how the Auditors viewed his failed controls.
He's found his Superpower!
A way to shift repetitive, mundane tasks to the business.


🪄 Spark your own Superpower by reading Terry's first Business Rule below.

3. How are we reducing risk?

We use the following guidelines to reduce risk.

🟡 Review Security Admins at least monthly.
🟡 Security Admins must be authorised.
🟡 Disable Inactive Users.
🟡 Remove Inactive Users from groups.

Search Criteria

The SQL statement below is a read-only query that safely retrieves all enabled users who are Security Administrators at the time that the query is run.

SELECT securityuserrole.user_,
       userinfo.name,
       securityuserrole.recid
FROM securityuserrole
JOIN userinfo ON userinfo.id = securityuserrole.user_
JOIN securityrole ON securityrole.recid = securityuserrole.securityrole
WHERE userinfo.enable = 1
  AND securityrole.name = '%1'
ORDER BY securityuserrole.user_

Parameters

Security Administrator
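The query above lists only enabled users, so an account that was disabled but never removed from the role does not appear in it. The following added example (not part of the original Business Rule or of the monitoring module) runs an exception query for the "must be authorised" and "remove inactive users from groups" guidelines over constructed sample data in SQLite. The `approved_admin` allow-list table, the `finding` labels and all sample rows are assumptions; the other table and column names are the ones used in the page's query.

```python
import sqlite3

# Constructed sample data. Table/column names mirror the page's query;
# approved_admin is a hypothetical allow-list, not a D365 F&O table.
SCHEMA = """
CREATE TABLE userinfo (id TEXT PRIMARY KEY, name TEXT, enable INTEGER);
CREATE TABLE securityrole (recid INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE securityuserrole (recid INTEGER PRIMARY KEY, user_ TEXT, securityrole INTEGER);
CREATE TABLE approved_admin (user_ TEXT PRIMARY KEY);
INSERT INTO userinfo VALUES
  ('alice', 'Alice A', 1), ('bob', 'Bob B', 1),
  ('carol', 'Carol C', 0), ('dave', 'Dave D', 1);
INSERT INTO securityrole VALUES (1, 'Security Administrator'), (2, 'Accountant');
INSERT INTO securityuserrole VALUES
  (10, 'alice', 1), (11, 'bob', 1), (12, 'carol', 1), (13, 'dave', 2);
INSERT INTO approved_admin VALUES ('alice'), ('carol');
"""

# Read-only: returns role assignments that break one of the guidelines.
# A disabled account still holding the role is reported even if approved.
EXCEPTIONS_SQL = """
SELECT sur.user_, ui.name, sur.recid,
       CASE WHEN ui.enable = 0 THEN 'DISABLED_USER_STILL_IN_ROLE'
            ELSE 'NOT_AUTHORISED' END AS finding
FROM securityuserrole sur
JOIN userinfo ui     ON ui.id = sur.user_
JOIN securityrole sr ON sr.recid = sur.securityrole
LEFT JOIN approved_admin aa ON aa.user_ = sur.user_
WHERE sr.name = ?
  AND (ui.enable = 0 OR aa.user_ IS NULL)
ORDER BY sur.user_
"""

def find_exceptions(role_name="Security Administrator"):
    """Return (user_, name, recid, finding) rows for the given role name."""
    con = sqlite3.connect(":memory:")
    try:
        con.executescript(SCHEMA)
        # The role name is bound as a parameter, like the page's '%1'.
        return con.execute(EXCEPTIONS_SQL, (role_name,)).fetchall()
    finally:
        con.close()

if __name__ == "__main__":
    for row in find_exceptions():
        print(row)
```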


2. What could go wrong?

Security Administrators can elevate themselves or others to the role of System Administrators. With this elevated privilege they can do things like...

🔴 Approve journals.
🔴 Open & close accounting periods.
🔴 Unlock controlled accounts.
🔴 Make payments to anyone.
🔴 Review confidential data.
🔴 Adjust customer balances.
🔴 Steal customised code.
🔴 Change system code.
🔴 Change the configuration.

Any one change may be severe enough to stop the operation of D365 F&O. Multiple changes can be difficult to identify and reverse. If the issues are not fixed, they may cause irrecoverable harm to the company.

Share with your team and solve more tickets.

D365 F&O Business Process Monitoring FAQs

The D365 F&O Business Process Monitoring module uses Business Rules to automatically monitor, detect and respond to issues.

🟢  Monitor IT Policy for anomalies.

🟢  Access data from all 20,000 tables.

🟢  Write SQL Queries with ease.

🟢  Change at any time. No recompile.

🟢  No Developer delays or costs.

🟢  Send Alerts to Users.

🟢  Send Notifications for Approvals.


Business Rule

13

1. What are we monitoring?

Manage Users in the Security Administrators security group.

Why is this a problem?

▪️ They have the second highest access.
▪️ Users can upgrade to System Admin.
▪️ No requirement for approval.
▪️ No traceability - who, what and when.
▪️ No notifications from D365 F&O.
▪️ No accountability for changes made.

Important Reminder

Copyright 2022 Mobeez Pty Ltd. All rights reserved. 
All information from Mobeez is provided "as-is." The information and views expressed in this document, including URL and other Internet Web site references, are current as of the publication or revision date and may change without notice. You bear the risk of using it.


All Mobeez information is provided for informational purposes only and cannot be incorporated within, or attached to, any type of an agreement. This document is not intended to be a service contract, and does not commit Mobeez, its partners, or the customer to any features, capabilities or responsibilities mentioned herein. As used in this document, references to “partner” refer solely to marketing relationships and do not refer to or imply a partnership or any other legal relationship.


The furnishing of this information does not provide you with any legal rights to any intellectual property in any Mobeez product or service. You may copy and use this document for your internal, reference purposes only.


THE HOME OF MODERN D365 OPERATIONS

Go beyond the Ticket Queue 

Unify your data and checklists, automate repetitive checks, and empower
your team to get in front of the Queue and move your business forward.