Working remotely and the increased use of cloud platforms and accounting automation have not only increased accessibility to data for users, but also for those seeking access for more nefarious purposes. Most organizations implement security and protocols to secure banking and other accounting-related transactions with external organizations and systems. Are you doing enough to secure your data and other assets internally using Microsoft Dynamics 365 Business Central permissions and user security? If you can’t afford a $200,000 hit to your bottom line, read on.
You probably work hard to keep network channels secure, access to servers controlled, and data access related to your systems safe. You maintain and regularly improve network infrastructure. You implement the use of VPNs, force changing of passwords, use password management tools or vaults, and secure data backups. You are diligent when it comes to minimizing or eliminating the risk of data breaches and unauthorized access. Countless stories of data breaches and millions of dollars lost keep these risks top of mind. But is securing your systems and data access enough?
Data breach is not the only threat
More times than I’d like to count, I’ve seen that the only control in place for financial assets is trust in hiring the “right” people. Many accounting departments also believe they’re small enough that any wrongdoing would be quickly noticed. Both are a guaranteed Achilles’ heel. If you provide access to all data in your accounting system to every user and don’t segregate responsibilities for financial transactions, you are putting your company at a greater risk than you may realize. Check out these frightening statistics from the CPA Practice Advisor’s article
Why Business Central is not automatically secure
There are many best practices built into Business Central to support segregated responsibilities, such as Sales Order Shipping & Sales Order Invoicing, Shipments & Receipts, and Workflow Approvals to name a few. Using the functionality and documenting these processes along with other internal controls, auditing books regularly, and scrutinizing bank accounts all help to reduce the opportunity for employee fraud. However, these alone are not enough. Whether to protect sensitive information, restrict access, or just simply remove temptation, setting up permissions to limit employee access should be integral to your security plan. So why do I see so many companies without any permission control in Business Central?
The most common reasons given to me when I find lack of permissions and control in Business Central are:
- Needed to implement quickly so we relegated permission setup to the future
- We heard horror stories from other companies that tried to implement permissions only to abort the project after many failed attempts and much user aggravation
- We couldn’t find information on how to plan and implement permissions in BC
- We tried implementing permissions but ran into too many user issues
- We didn’t have permissions set up in Dynamics NAV
Why does this bother me so much? Because I have helped a few companies over the years figure out what employees have stolen from them. One such company, a construction company, lost $200,000 over a period of 2 years. It took months to determine the amount and none of it was recoverable, including the cost associated with determining the extent of the damage. The offender was a trusted employee many called “Mom,” hired based on a recommendation of another trusted employee, and she had no past record of wrongdoing. She was the last person anyone expected to do something like this!
Unfortunately, many companies find themselves in similar situations. Even decent people can make bad choices when the temptation exists. In addition to segregation of responsibilities and other internal controls, setting up permissions and security in Business Central can help to minimize and, in many cases, remove these temptations. Once you understand the master data related to permissions and the tools available to help you implement them, it really is not that complicated. Have I convinced you to take action yet? Good – let’s see how it’s done.
Permissions made easy
I am very excited to say that you don’t need to spend hours reviewing the overly broad default permissions provided in D365 BC for examples (and in fact, if you use any of the default setups, review and test them very carefully). Creating permissions specific to your company’s requirements for a user or a group of users can be as easy as using the permissions recorder, first introduced with Dynamics NAV 2016, to record the work they do as they do it in BC. Business Central does the heavy lifting to assign the appropriate access to the related objects and data. All you need to do is start and stop the recorder from the permission set.
Where to begin
One approach for tackling permissions is to define permission sets based on an activity and assign these permission sets to groups of users based on functional areas. This is where the permission recorder shines. For example, create a permission set for “Create Payment Journal.” From the permission set, start the recorder and have the user do their work:
- Go to payment journals
- Select a batch
- Suggest vendor payments
- Print Vendor Prepayment Journal
- Un-apply/apply entries
- Delete lines
- View the vendor card
- View ledger entries
- And anything else they do to prepare the payment journal (e.g., send an approval request)
Once complete, go back to the permission set and stop the recorder. Save the permissions to the permission set. You will assign this permission set to a user group you create for accounts payable processors as well as any other user group that should be allowed to perform this same work.
Continue in this way by creating different permission sets for “Print Checks”, “Export and Send EFT,” “Post Payment Journals,” etc. This approach allows you to be more granular in permission assignment to user groups. You can create and assign as many permission sets as necessary and creating them with the recorder is easy and effective.
Seven steps to effective permissions
How do users get assigned to these permission sets? To keep it organized, I follow a 7-step methodology to create and implement permissions in Business Central. Determining how to group your users, by functional area or responsibility, is a good place to start planning your permission structure. Once the groups are determined, list their responsibilities and what they do in Business Central. The functional groups become the basis for the User Groups in BC and the list of what they do becomes the basis for the Permission Sets. Once these lists are compiled, you are ready to assemble your matrix.
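As an added example (not from the original post and not Business Central code), the matrix described above can be written down as data and checked for segregation-of-duties gaps before it is keyed into BC. The permission set names come from this article; the user groups other than accounts payable processors, the users, and the conflict pairs are assumptions made up for illustration.

```python
# Added example: constructed data, not exported from Business Central.

# Matrix rows: user group -> permission sets assigned to it.
# Set names are from the article; "AP Approvers"/"Controllers" are hypothetical.
GROUP_MATRIX = {
    "AP Processors": {"Create Payment Journal", "Print Checks"},
    "AP Approvers": {"Post Payment Journals", "Export and Send EFT"},
    "Controllers": {"Post Payment Journals"},
}

# User -> user groups (constructed sample users).
USER_GROUPS = {
    "alice": {"AP Processors"},
    "bob": {"AP Approvers"},
    "carol": {"AP Processors", "Controllers"},
}

# Pairs of permission sets one person should not hold together.
# Assumption for illustration; derive yours from your internal controls.
CONFLICTS = {
    frozenset({"Create Payment Journal", "Post Payment Journals"}),
    frozenset({"Create Payment Journal", "Export and Send EFT"}),
}

def effective_sets(user, user_groups=USER_GROUPS, matrix=GROUP_MATRIX):
    """Union of permission sets a user receives through all of their groups."""
    held = set()
    for group in user_groups.get(user, ()):
        if group not in matrix:
            raise KeyError(f"user {user!r} is in undefined group {group!r}")
        held |= matrix[group]
    return held

def sod_violations(user_groups=USER_GROUPS, matrix=GROUP_MATRIX,
                   conflicts=CONFLICTS):
    """Return {user: [conflicting pairs]} for users who hold both halves."""
    findings = {}
    for user in sorted(user_groups):
        held = effective_sets(user, user_groups, matrix)
        hits = sorted(tuple(sorted(p)) for p in conflicts if p <= held)
        if hits:
            findings[user] = hits
    return findings

if __name__ == "__main__":
    for user, pairs in sod_violations().items():
        for a, b in pairs:
            print(f"{user}: holds both '{a}' and '{b}'")
```

The check works on effective permissions, so it catches a user who picks up a conflicting pair through membership in two groups even when each group looks clean on its own.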
Don’t become a statistic
You don’t want to be the subject of someone’s story about fraud and missing company assets. Take what you have learned here and make sure you are using Microsoft Dynamics 365 Business Central Permissions and User Security to protect your assets. Make all security a priority, not just security focused on outside threats. There is more than one right way to implement permissions in Business Central, but I like to think this is The Righter Way™ for many organizations. If you’d like more insights and guidance please enjoy
Blog by: Cynthia Priebe, New View Strategies - Do more and do it better in less time with your NAV / BC system.