Eric Van Hofwegen
Jun 29, 2020 2:04:55 PM

According to the AICPA, Segregation of Duties (SoD) is a basic building block of sustainable risk management and internal controls for a business. The principle of SoD is based on shared responsibility for a key process: the critical functions of the process are assigned to more than one person or department. Managing fraud and error risks is difficult without this separation in key processes.

The main purpose of applying segregation of duties is to prevent instances and opportunities for committing or concealing fraud and/or error in the normal course of an organization’s activities. Having more than one person perform a task minimizes the opportunity for wrongdoing and helps in detecting any misconduct or unintentional errors—whatever the real cause.

At STAEDEAN, our Data Security Solution for Dynamics 365 F&SCM has been helping our customers establish policies that enable them to optimize and maintain their licensing, security, user management, and audit processes more efficiently and reliably than ever before.

Data Security Solution comes with separate workspaces for managing your security, audit, and license optimization requirements. It offers an out-of-the-box list of SoD rules designed to help your organization meet its compliance needs. You can define and track all your organizational risks in one place. Moreover, it lets you define your own enhanced SoD rules as well, which is a practitioner’s delight, as this is not possible in the standard product offered by Microsoft.

In this blog, I will explain how you can meet your compliance requirements using our Data Security Solution.

Steps in managing Segregation of Duties in Dynamics 365 Finance and Supply Chain Management

Data Security Solution makes segregation of duties simple to set up and maintain. It provides the appropriate level of protection for the key information in your ERP system by controlling who has access to which data.

The solution comes with an out-of-the-box set of SoD rules, each associated with security risks and mitigations, to help advise partners and customers. Designing a management process for segregation of duties that supports the organization’s internal compliance needs is critical in an era where the legal requirement to be compliant in this area keeps growing.

As an example, companies listed on a U.S. stock exchange have a legal requirement to comply with the Sarbanes–Oxley Act (SOX). SOX Section 404, the assessment of internal control, deals with the need to define and maintain a segregation of duties ruleset. The SOX Act, passed in 2002 by the U.S. Congress, protects investors from the possibility of fraudulent accounting activities by corporations. It mandated strict reforms to improve financial disclosures from corporations and prevent accounting fraud. SoD controls are also applicable to EU- and U.K.-based companies to ensure better internal controls.

ISO 27001 Section 6.1.2 also requires organizations to put proper controls in place for the segregation of duties.

Other key challenges include the ongoing changes to regulatory requirements (GDPR), increased regulatory inquiries, and a rapidly evolving business technology landscape.

Fig 1) SoD rule - Security management workspace

Step 1. Define and list down organization risks

Even if an organization is not pursuing a specific regulatory compliance objective like SOX or GDPR, it is highly recommended to start by creating a list of applicable SoD conflicts that could either allow fraud or cause significant security or financial risks.

This can be achieved by revisiting the organization’s GRC objectives together with the organization structure. The outcome of this phase is a list of potentially risky ERP transactions, each categorized as high, medium, or low severity.

Fig 2) Risk identification matrix based on SCS transaction type

For D365 F&SCM, STAEDEAN's Data Security Solution provides a predefined SoD ruleset designed to keep conflicting transactions out of the same role, since their combination in one role could enable fraud. This ruleset also helps an organization pursue its specific compliance requirements, such as SOX.

Segregation of duties rules

It is critical to understand that the standard roles provided by Microsoft in D365 F&SCM do not enforce the SoD principle; Microsoft leaves it to partners and customers to arrive at their own list of custom roles. For most organizations that simply adopt the standard security roles to save effort and time, this may pose a security risk.

Step 2. Organization risk register and SoD ruleset at duty, privilege, or permission level

The solution helps you define and track all your organizational risks in one place. In addition, you can define enhanced SoD rules, which is not possible in the standard product offered by Microsoft.

Fig 3) Organization Risk Register in Integrated Risk Management Workspace

Fig 4) Defining enhanced SoDs in integrated risk management workspace

Step 3. Fine-tune the SoD Ruleset

Starting from the Data Security Solution out-of-the-box ruleset, identify the internal key controls and risks. Then arrive at a final set of SoD rules with appropriate severity, risk, and mitigation information for each record. The finance head, internal auditor, IT head, and the external auditor should be part of the team that prepares this list.

SoD Ruleset

Step 4. Analyze risks

Analyze the risks against the ruleset to identify conflicts. Any conflicts should be highlighted, and recommendations escalated to the appropriate department, such as Internal Controls or Finance. This may require further interaction with the business to find a suitable solution that eliminates the risk.

Fig 5) SoD conflicts in security management workspace

Step 5. Finalize the security roles according to the role-based access control in D365 F&SCM

A review of the D365 F&SCM security model should be undertaken to implement the required change to either a conflicting role or a role assignment. The risk assessment will lead to redefining and recreating many standard D365 F&SCM security roles. Data Security Solution helps you create, modify, or merge multiple roles as required by the organizational structure. The aim is to identify how duties can be segregated within each business process across the various functional areas and departments.

Step 6. Security Mitigation

It’s not always possible to follow the SoD ruleset strictly, whether due to the business setup, a low employee count, or other organizational constraints. In such cases, the best practice is to put an appropriate mitigating control in place to reduce the risk.

Fig 6) Example of SoD rules in security management workspace with associated risk and mitigation

Step 7. Continuous audit and compliance – SoD Dashboard

A continuous process should be set up to review all new user access requests and changes to the D365 F&SCM security model against the SoD ruleset. Particular attention is needed during the following events:

  • Before moving any new role definition to the live environment
  • Defining new roles in D365 F&SCM based on a new user job profile
  • New business processes arising out of M&A, reengineering, digital transformation, or process improvement initiatives
  • Changes to an existing role
  • Merging roles
  • Assigning temporary or stand-in permissions

For each of the events above, Data Security Solution sends warnings and prompts to the security officer or system administrator whenever a violation of the SoD rules is detected.

Data Security Solution provides an SoD dashboard with actionable insights into all conflicts and violations at any time, both at the role definition level and at the user role assignment level.
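The conflict analysis of Step 4 and the role-definition and user-assignment checks of Step 7, as an added example that is not part of the original post or of the Data Security Solution: a small Python evaluator over hypothetical duty-level rules, roles and users (all names constructed here) that reports conflicts at both levels, marks which already carry an accepted mitigation, and gates a proposed role change before it goes live.

```python
from collections import namedtuple
# A duty-level SoD rule: two duties that must not sit with one role or one user (Steps 2 and 3).
SodRule = namedtuple("SodRule", "name duty_a duty_b severity mitigation", defaults=("",))
# level: "role" (both duties inside one role definition) or "user" (across a user's roles);
# resolved: True when an accepted mitigation is on file for (subject, rule).
Conflict = namedtuple("Conflict", "level subject rule severity resolved")

def find_conflicts(rules, role_duties, user_roles, mitigated):
    """Evaluate the ruleset at role-definition and at user-assignment level.
    mitigated: set of (subject, rule_name) pairs with a documented compensating control."""
    found = []
    for rule in rules:
        pair = {rule.duty_a, rule.duty_b}
        for role, duties in role_duties.items():
            if pair <= duties:
                found.append(Conflict("role", role, rule.name, rule.severity, (role, rule.name) in mitigated))
        for user, roles in user_roles.items():
            effective = set().union(*(role_duties.get(r, set()) for r in roles))  # duties from all roles
            if pair <= effective:
                found.append(Conflict("user", user, rule.name, rule.severity, (user, rule.name) in mitigated))
    return found

def gate_role_change(rules, role_duties, user_roles, mitigated, role, new_duties):
    """Pre-go-live check (Step 7): conflicts a proposed role definition would introduce."""
    before = set(find_conflicts(rules, role_duties, user_roles, mitigated))
    after = find_conflicts(rules, {**role_duties, role: set(new_duties)}, user_roles, mitigated)
    return [c for c in after if c not in before]

def dashboard(conflicts):
    """Resolved/unresolved counts per level, the way the SoD dashboard slices them."""
    summary = {"role": {"resolved": 0, "unresolved": 0}, "user": {"resolved": 0, "unresolved": 0}}
    for c in conflicts:
        summary[c.level]["resolved" if c.resolved else "unresolved"] += 1
    return summary

# Constructed sample data: hypothetical duty, role and user names, not the product's own ruleset.
RULES = [SodRule("PO-01", "Create purchase order", "Approve purchase order", "high",
                 "Monthly review of purchase orders approved by their creator"),
         SodRule("AP-01", "Maintain vendor master", "Approve vendor invoice", "high")]
ROLE_DUTIES = {"Purchasing agent": {"Create purchase order"},
               "Purchasing manager": {"Approve purchase order"},
               "AP clerk": {"Maintain vendor master", "Enter vendor invoice"},
               "AP manager": {"Maintain vendor master", "Approve vendor invoice"}}  # conflict inside one role
USER_ROLES = {"alice": {"Purchasing agent", "Purchasing manager"},  # conflict only across roles
              "bob": {"AP clerk"}, "carol": {"AP manager"}}
MITIGATED = {("alice", "PO-01")}  # accepted compensating control recorded for alice

if __name__ == "__main__":
    conflicts = find_conflicts(RULES, ROLE_DUTIES, USER_ROLES, MITIGATED)
    print(*conflicts, dashboard(conflicts), sep="\n")
```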

Fig 7) Resolved and unresolved SoD conflicts Dashboard in Security Management workspace

Fig 8) Non-compliant roles and user assignment Dashboard in Security Management workspace

Best practices for implementing SoD

Remember that the “out-of-the-box” SoD ruleset lists the transactions that pose a theoretical risk of fraud. This has to be balanced with an internal assessment of the actual compliance needs, based on the key controls required for the compliance requirements being pursued.

The security benefits of implementing segregation of duties must be balanced against the increased cost and effort required. This helps organizations set an optimal budget and avoid overinvesting in these areas.

To put it simply, focus on the core legal requirements, such as SOX, that address the risk of material misstatement, rather than on covering every theoretical risk across all ERP transactions. The risk of material misstatement is the risk that an organization’s financial statements have been misstated to a material degree.

As an example, a typical procurement cycle for a large enterprise-class organization using D365 F&SCM, with a high focus on security and on compliance with SOX 404/ISO 27001, may have the following segregation of duties:

Example procurement cycle

However, for practical reasons based on how departments and human resources are structured, the same person may perform more than one step of the procurement cycle, with the approving authority’s consent on the assignments.

Would you like to consider Data Security Solution for your Dynamics 365 security and compliance needs?

If you’re a user of Dynamics 365 Finance & Supply Chain Management or are considering upgrading to this ERP, Data Security Solution can prove to be a great asset to your organization. This unique solution can help you take charge of your data security and streamline your audit, risk, and compliance management processes with ease. Moreover, this feature-rich solution also helps you migrate to Dynamics 365 F&SCM, integrate D365 with your application landscape, prepare and extract data for analytics, and create, enrich, and distribute master data for centralized master data management in D365.

To learn more about the in-depth features this solution offers, download our solution factsheet below.
