Establishing and enforcing user permissions in Dynamics 365 Business Central is key to avoiding loss due to employee theft and/or fraud. EFOQUS has been working with New View Strategies to address this growing concern. Here we walk you through why you may be at risk and explain how to mitigate those risks in Dynamics 365 Business Central.
No matter how much you trust your employees, you can never fully count on the fact that they may not one day be the perpetrators of fraud or theft against your organization. Luckily, there are ways you can mitigate this risk. If your organization is using Dynamics 365 Business Central, we will show you how to use the tools at your disposal (plus some additional tools in the Advanced Cloud Security App) to ensure your financial information is as secure as possible.
Law and Order in Dynamics 365 Business Central
Section 404 of the Sarbanes-Oxley Act (SOX) made it mandatory for management to maintain internal controls over financial reporting including accounting systems that generate numbers for the reports. The bill, enacted in 2002, was in reaction to major corporate and accounting scandals, including Enron and WorldCom. SOX covers the responsibilities of a public corporation’s board of directors.
However, SOX does nothing to mandate controls to privately held companies, even though small and mid-sized businesses are more vulnerable to fraud than larger organizations. And despite the fact that it is not mandated, if your organization does experience a data breach, it is possible that you could be sued for not holding up the standard of SOX. Even if you are not audited by an agency for standards, you need to have them, and you need to follow them.
Theft, or misappropriation of assets, make up the majority of fraudulent activity, according to the Association of Certified Fraud Examiners. Directly stealing cash, claiming bogus expenses, or taking other property are usually unlawful acts executed by employees. Financial statement reporting and general corruption, such as kickbacks or other schemes in which the employee benefits by violating their responsibility to the employer comprise the other types of fraud.
Why are Smaller Companies at Greater Risk?
Aside from the lack of oversight from something like SOX, there are a number of other reasons smaller companies are at greater risk of employee fraud.
- Employees perform many functions across the organization – because there aren’t clearly defined roles, assigning permissions can be difficult or may seem pointless.
- Close relationships between staff lead to less scrutiny – working together on a small team often means coworkers become more like friends or family.
- Few formal oversight procedures are put into place in smaller more close-knit companies.
- Less expertise on financial matters – frequently employees are promoted from different positions within the organization and may not have formal training.
- Large impact to cash flow for even a small fraud event – losing even small amounts of money can really hurt a smaller business.
It’s Time to Call in the Dynamics 365 Business Central Sheriff!
What’s the best way to protect yourself and your organization? Rules! Having defined rules that are written down and enforced is the foundation of setting up strong security in Dynamics 365 Business Central.
Lay Down the Law in Dynamics 365 Business Central
1 – Segregate accounting duties
The person who is creating deposit slips and listing the cheques that go to the bank should not be the same person who is recording them in Dynamics 365 Business Central.
2 – Maintain internal controls
There needs to be three-point checking for purchase orders, receipts and invoicing, along with other controls around the financial activities of your organization to ensure responsibilities are appropriately segregated. Once these controls are set up, maintaining them is key.
3 – Scrutinize business bank accounts
Don’t just rely on Excel spreadsheets that someone downloads and provides to you – those can be altered! You need to inspect the actual bank accounts themselves regularly, be on the lookout for anything that looks unfamiliar and meticulously follow up on inconsistencies.
4 – Audit your books regularly
Even if you don’t require an annual audit, figure out how to incorporate regular audits into your bookkeeping processes. This is an important step that should not be overlooked.
5 – Protect credit card and banking information
Be careful with your financial details, and don’t leave credit card or bank information where employees have access to them. It’s imperative to keep this confidential information under lock and key.
6 – Minimize temptation
Don’t tempt people! Even good employees can be tempted to commit fraud in desperate situations so take the appropriate steps internally to avoid the risk of temptation.
7 – Provide continuous training and a culture promoting ongoing improvement
Always be looking at what you’re doing and seek ways to do it better. As a side bonus, employees will know that you’re always looking at what you’re doing and know that if they do something nefarious, they’re likely to get caught.
8 – Make employees take vacation
When someone is on vacation, have another employee perform the job. Knowing someone else will be doing their job means employees know if they are doing something wrong, it is more likely to be discovered. Additionally, vacation time means your employees are less likely to feel stressed out and overworked.
There are also specific tools that can be used in Dynamics 365 Business Central to help keep the outlaws at bay, and someone in your organization needs to be in charge of them – this person is your sheriff! Your sheriff needs to be the one who sets, owns and enforces the rules in Microsoft Dynamics 365 Business Central.
Permissions in Dynamics 365 Business Central
When we talk about Permissions in Dynamics 365 Business Central, it makes sense to talk about permission sets first.
Dynamics 365 Business Central Permission Sets
Permission Sets are collections of permissions related to performing tasks or activities, or even a group of tasks, in Dynamics 365 Business Central. They can be very targeted or more general. The more targeted they are the better, as very general permissions can be too broad. Permissions apply to all objects in Dynamics 365 Business Central. If you provide permissions to Table Data, for example, you can limit those permissions to reading, inserting, modifying, deleting, or any combination thereof.
However, if you give an AP person access to the general ledger (GL) accounts, they’re going to have access to all GL accounts. This means if you have an accountant that has access to GL accounts, they’ll have access to the GL account with payroll data as well. Does that AP person really need access to the payroll information? It’s important to stop and think carefully about who needs access to what information!
This can seem very complex – how do you even know what permission sets you need? Fortunately, Dynamics 365 Business Central comes with 74 pre-configured permission sets to help you get started. Unfortunately, they are much too broad and provide too much access for most small businesses. For example, the accounts payable permission set includes the ability to delete sales documents and modify the general ledger setup. For most of us, that is way too much access, so you can see that you’re going to have to create your own permission sets.
User Groups in Dynamics 365 Business Central
Another thing to consider when configuring permission sets is user groups. User groups are collections of permission sets. Put another way, user groups are who has permission, and permission sets are what they have access to. Dynamics 365 Business Central does come with user groups, but, like the permission sets, they are way too broad for most organizations, so you will also need to create your own user groups.
Recruit Your Dynamics 365 Business Central Deputies
Now that you have your rules established, you need to put everything in writing. Figure out who’s who in your organization, what they do, what they must have access to, what they should have access to, and what they shouldn’t have access to. Don’t rely on IT to set this up – it is a whole organization task so get as many people involved as possible.
Once you do that, you’re going to be able to figure out how to create permission sets and how you’re going to assign those to different users. Get everything in place and test, test and test again!
One of the newer features in Dynamics 365 Business Central that will make getting everything in place easier is the ability to record your actions to create or modify permissions.
- In the Permission Sets window, click ‘New’ to create a new Permission Set and fill in the Permission Set and Name fields.
- Click on ‘Permissions’ and click ‘Start’ to start the recording. A recording process starts and captures all your actions.
- Without closing the Permission screen, go to the various pages and complete activities in Dynamics 365 Business Central you want to allow the user to access or carry out an activity task to record the permissions for that user.
- When you’ve completed all the actions that user will have access to, go back to the permission screen and click “Stop” and click “Yes” in the dialogue box that pops up to add the permissions.
The Advanced Cloud Security App for Dynamics 365 Business Central
Advanced Cloud Security for Dynamics 365 Business Central is designed to extend the capabilities of the out of the box permission sets and security features. It’s designed to be very simple to configure and roll out. The Advanced Cloud Security App gives you additional capabilities around data privacy and elevates user controls, provides localized access, and enhances information security. This means you can apply filters to limit what a specific user and/or user group can see. It also gives you extra control around the field levels. You can make fields viewable, but not editable, for example.
Advanced Cloud Security lets you take Dynamics 365 Business Central security that final mile, really letting you lock down your security to an appropriate level. Advanced Cloud Security is available for Dynamics 365 Business Central Cloud Version on a subscription basis.