AX2012_ENUS_FINII_A

  • 8/19/2019 AX2012_ENUS_FINII_A

    APPENDIX A: AUDIT AND COMPLIANCE TOPICS

    Objectives

    The objectives are:

    •  Introduce the Default Controls Library and provide a basic overview of how to manually create new controls.

    •  Discuss how to import controls from the default library.

    •  Create and view audit policies and policy rule types.

    •  Create and view audit cases.

    Introduction

    One challenge that customers face today is identifying which controls to use to make sure that their business complies with laws, business rules, policies, regulations, and audit requirements. The Default controls library in Microsoft Dynamics® AX contains many of the most frequently used controls. This library provides a resource for customers who are searching for various types of controls that will help meet their needs.

    You can use audit policies to evaluate expense reports, vendor invoices, and purchase orders for compliance with policy rules that you create. All of the rules that are associated with an audit policy are run in batch mode according to the schedule that you specify. Each policy rule is an instance of a policy rule type. For each policy rule type, only one policy rule can be active at a time.

    Financials II in Microsoft Dynamics® AX 2012

    Default Controls Library

    The Default controls library in Microsoft Dynamics® AX contains many of the most frequently used controls. This library provides a resource for customers who are searching for various types of controls that will help meet their needs.

    Customers who have their own control matrix can use the Default controls library to supplement their control matrix by adding controls in the Compliance Center. For customers who do not have a control matrix, the Default controls library can be repurposed and used as a control matrix from which to select the controls to add to their Compliance Center.

    Entries in the Default controls library can be used as a guide for customers who decide to manually enter controls to the Compliance Center. Customers can also use the Import and mapping wizard in Compliance Controls to automate the addition of some or all of the Default controls library controls on the Compliance Center. A workbook that contains many common compliance controls is available on the Compliance site in Enterprise Portal. You can refer to this library when you manually enter controls on the Compliance site; or, you can use the library as the source file to import controls to the Compliance site.

    Terminology

    The compliance and internal controls process available in Microsoft Dynamics AX involves several terms and concepts. The following table introduces these terms and concepts.

    Term                   Definition
    Control matrix         Refers to a file, almost universally a Microsoft Office Excel spreadsheet, that customers use to list, manage, and keep track of their controls. This file can be used as the source file for importing and mapping a compliance environment and importing activities into the Compliance Center.
    Control                A means by which users manage identified elements of their business to make sure that the policy, regulation, tenet, or other requirement is followed during normal day-to-day business operations.
    Control environment    The environment that is set up within the Compliance Center to which controls are associated. Environments are typically a hierarchical node structure.

    The Default Controls Library contains various controls for Microsoft Dynamics AX users to select from. The Default Controls Library Excel spreadsheet is installed and stored in the Compliance Center Compliance Resources document library. For additional information on this topic, refer to the Microsoft Dynamics AX application documentation.

    Procedure: Manually Add Controls to the Library

    To manually add new control types to the Default Controls Library in the Compliance Center, follow these steps:

    1.  Open the Enterprise Portal website through your web browser.

    2.  Click Compliance.

    3.  Click Compliance resources on the left pane.

    4.  Click the Default Controls Library file and then click Download a copy on the Action pane.

    5.  Enter a Name for the file such as "Default Controls Library".

    6.  Select a location for the file to be saved to.

    7.  Click Save.

    8.  Browse to the location where the file was saved, and then double-click to open it in Microsoft Office Excel.

    9.  Create a new line in the spreadsheet.

    10. Save the file.

    Import and Mapping Wizard

    The Import and mapping wizard lets you import your internal controls into the Compliance Center from an existing, preformatted control matrix spreadsheet that your company uses. Before you use the Import and mapping wizard you must set up the following:

    •  Establish the document templates

    •  Create the control environment

    When the control environment is set up, users will open the Import and Mapping wizard, open their control matrix, and for every entry they want to import, select two settings.

    1.  Select the compliance environment(s) node that the control should fall under.

    2.  Select the document template that the control will use when it is loaded onto the system. This includes mapping template properties to corresponding data in the matrix.

    Procedure: Importing Controls

    To import controls into the Compliance Center, follow these steps:

    1.  Open the Enterprise Portal website through your web browser.

    2.  Click Compliance.

    3.  Click Import on the left pane, and then click Next.

    NOTE: The wizard cannot be completed unless at least one environment is configured and at least one template exists.

    4.  Select the file to be imported, and then click Next. Review the data that is displayed from the selected file, and then click Next.

    NOTE: The file selected must be in the correct format to import. Use the Formatting guidelines link on the first page of the wizard for more information about allowed formats. Use the Back button to return to the first page of the wizard.

    5.  Select the column that will be used to map the control matrix environment data to the Compliance Center environment, and then click Next.

    6.  Continue mapping each column from the spreadsheet to the corresponding Compliance Center control, and then click Next.

    7.  Select the document template and the template properties (one at a time), and then select the corresponding control matrix. When you are finished, click Next.

    8.  Click Import to process the import.

    9.  When the import is complete, the system will display a message; click Finish.

    Audit Policies, Rules and Cases

    You can use audit policies to evaluate expense reports, vendor invoices, and purchase orders for compliance with policy rules that you create. All of the rules that are associated with an audit policy are run in batch mode according to the schedule that you specify.

    Each policy rule is an instance of a policy rule type. For each policy rule type, only one policy rule can be active at a time.

    Before you can create an audit policy, you must first define the policy parameters that will be used by all audit policies.

    Procedure: Creating Audit Policies

    To create audit policies, follow these steps:

    1.  Click Compliance and internal controls > Common > Policies > Audit policies.

    2.  On the Action Pane, click Parameters to open the Policy parameters form.

    3.  The available organization types are displayed in the Organization types: list. Select the organization types to create policies for and then click the Add button.

    Although you must select at least one organization type to use audit policies, you do not have to change the order of precedence for those organization types. When an audit policy is run, all rules in that policy are run. The system does not select which audit policy rules to run based on the order of precedence.

    Policy rule types define the document and query parameters that are used when you develop specific policy rules.

    Procedure: Creating Policy Rule Types

    To create audit policy rule types, complete the following steps:

    1.  Click Compliance and internal controls > Setup > Audit > Policy rule type.

    2.  Click New to create an audit policy rule type.

    3.  Enter a name and a brief description of the policy rule type.

    4.  In the Query name field, select the default Application Object Tree (AOT) query to use as the starting point for developing policy rules for this policy rule type. The query indicates the source document that the policy rule type is defined for.

    5.  In the Query type field, select the type of database query that users can build when they create audit policy rules by using this policy rule type.

    6.  In the Document date reference field, select the field in the source document that identifies the date to use when documents are selected for audit.

    7.  Create any additional policy rule types that your organization needs and then close the form.

    Queries and Query Types

    When you create an audit policy rule, you first select a policy rule type. The policy rule type specifies the Application Object Tree (AOT) query to use as the starting point for creating the policy rule. It also specifies the query type to use for the policy rule.

    The query determines the source document that the policy rule will evaluate. It also specifies the field in the source document that identifies the legal entity and the field that identifies the date to use when documents are selected for audit. The query type controls the default fields in the query form and in the Audit policy rule form. The following table shows the query types that are available for audit policy rules.

    Query Type        Purpose
    Conditional       Evaluate source document attributes against specified values.
    Aggregate         Evaluate multiple source documents or source document lines against a policy rule by aggregating numeric values.
    Sampling          Randomly select a specified percentage of the source documents to evaluate for policy violations.
    Duplicate         Evaluate source documents to determine whether they contain duplicate entries in specified fields.
    List Search       Evaluate source documents for specific entities.
    Keyword Search    Evaluate source documents to determine whether they contain certain words.

    When you select the Sampling option, the Audit policy rule form includes an option that lets you specify the percentage of documents to randomly select for audit.

    4.  On the Action Pane, click Additional options.

        o  Enter the starting date and ending date of the document selection date range. This range determines which version of a policy rule to use, based on the effective dates of the policy rule. It also determines which organization nodes were associated with the policy during that date range.

        o  If you are creating a policy rule that uses the List search query type to evaluate source documents for specific entities, enter the entities on the Monitored entity FastTab.

        o  If you are creating a policy rule that uses the Keyword search query type to evaluate source documents to determine whether they contain certain words, enter the words on the Prohibited words FastTab.

        o  Each audit policy is run in batch mode. To verify or change the parameters for the batch job, click the Batch button.

        o  Click Close to return to the Audit policy form.

    5.  On the Policy organizations FastTab, select an organization type. This is the organization type that the audit policy will apply to. A single policy can apply to only one organization type.

    6.  The organization nodes that have been created for the selected organization type are shown in the Available organization nodes: list. Select the nodes to be affected by this audit policy and then click the Add >> button to move those organization nodes to the Selected organization nodes: list. The association of the organization node with the audit policy is effective on the date and time that you add it to the Selected organization nodes: list.

        The association expires when you remove the organization node from the list. Policy rules cannot be tested for any dates on which there is no organization node associated with the policy.

    7.  On the Policy rules FastTab, develop the policy rules that are needed for this policy.

    Develop Policy Rules

    An audit policy rule consists of a database query that is run against source documents. The policy rule types define the document and query parameters that are used when you develop policy rules.

    Procedure: Create a Policy Rule

    To create a policy rule, complete the following:

    1.  Click Compliance and internal controls > Common > Policies > Audit policies.

    2.  Double-click the policy to create policy rules for.

    3.  On the Policy rules FastTab, select the policy rule type to develop a policy rule for, and then click Create policy rule. The fields that are displayed in the Audit policy rule form depend on the selected policy rule type and its associated query.

    4.  In the Effective date and Expiration date fields, enter the date range when this policy rule is effective. If you do not enter values in these fields, the policy rule will be effective when it is created, and it will never expire.

    5.  Complete other fields as required, depending on the query type that is associated with the policy rule type.

    6.  Click Select to open a query form. This button is not available for policy rules that are based on the List search or Keyword search query types.

    7.  Use the query form to specify the criteria to use for this policy rule, and then click OK. The fields that were set up by default in the policy rule form will also be set up in the query form.

    8.  After the policy rule is set up, click Test. Enter the document selection date range to use for the test. The dates that you enter in this form are used only for the test. They are not saved, and they do not affect the document selection date range that is defined in the Additional options form.

    9.  Click Run test. Review the results of the test. If the results are not what you expected, modify the database query and repeat the test.

    If you still do not receive expected results, do the following:

    •  Verify that an organization node was associated with the policy during the data selection date range that you specified for the test. Policy rules cannot be tested for any dates on which no organization node is associated with the policy.

    •  Verify that source document records exist that were created on or after the policy was created. Records that existed before the policy was created cannot be audited. The only exception is for policy rules that are based on the Duplicate query type, which can audit records up to 180 days in the past.

    Audit Policy Violations and Cases

    Audit policies are used to identify expense reports, purchase orders, and vendor invoices that do not comply with business rules that you define and configure as audit policy rules. Audit policies are run in batch mode. When you run an audit policy, all the policy rules that are part of that policy are run at the same time.

    Each policy rule evaluates a set of documents and selects those that are in the document selection date range and match the specified criteria. For example, one policy rule might select expense reports with meals exceeding 50.00. Another policy rule might select vendor invoices that are payable to a particular vendor.

    For each document in the set that is selected, a violation is generated. That violation is a record that a particular document, such as invoice 12345, does not comply with the policy rule. Multiple audit violation records are grouped together and associated with audit cases. By default, cases for each audit policy are grouped by the audit policy rule.

    If you prefer, you can select other criteria for grouping using the Case grouping criteria form. You could, for example, group expense headers by project ID and vendor invoices by vendor account. If you were to do this, all expense header violations that have the same project ID would be grouped in the same case, and all vendor invoices that have the same vendor account would be grouped in the same case.

    After the audit cases have been generated, they are handled using the typical processes for case management.

    For audit policy rules that are based on a Duplicate query type, violations are not grouped by policy rule or by the criteria specified on the Case grouping criteria form. Instead, they are grouped by the criteria that are built into the audit policy rule. For example, if a policy rule evaluates expense reports for duplicate expenses of the same amount, merchant ID, and date, all expenses that have the same values in those fields would be one case. If other expenses had different values, those would be a separate case.

    When the policy is run, each policy rule selects documents of the specified type that have a date that is in the document selection date range. The document selection date range is specified in the Additional options form. Many documents have more than one date associated with them. The date field that is used by the audit policy rule is specified in the Policy rule type form.

    Document Selection Date Ranges

    The document selection date range has additional functions for an audit policy.

    •  The policy uses the version of each policy rule that is effective on the last day of the document selection date range. Effective dates for each policy rule can be seen on the Audit policies list page.

    •  The policy uses the organization nodes that are associated with the policy on the last day of the document selection date range. Only the organization nodes that are currently associated with the policy are displayed on the Audit policies list page.

    •  For policy rules that are based on a List search query type, the policy evaluates documents for monitored entities that are effective on the last day of the document selection date range.
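
    The following Python sketch is an added illustration, not code from this course material or from Microsoft Dynamics AX. It models two behaviours described above: violations are grouped into cases by rule, by a chosen field, or (for Duplicate rules) by the rule's own fields, and the rule version is picked by the last day of the document selection date range. The record fields, sample documents, rule versions, limits, and the inclusive date comparison are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class Expense:  # field names are assumptions of this model, not AX table fields
    doc_id: str
    doc_date: date
    category: str
    amount: Decimal
    merchant_id: str
    project_id: str


# Constructed sample documents.
EXPENSES = [
    Expense("EXP-001", date(2012, 3, 2), "Meals", Decimal("62.10"), "M-17", "P-100"),
    Expense("EXP-002", date(2012, 3, 2), "Meals", Decimal("62.10"), "M-17", "P-200"),
    Expense("EXP-003", date(2012, 3, 5), "Hotel", Decimal("180.00"), "M-40", "P-100"),
    Expense("EXP-004", date(2012, 3, 9), "Meals", Decimal("18.75"), "M-22", "P-100"),
    Expense("EXP-005", date(2012, 4, 1), "Meals", Decimal("95.00"), "M-17", "P-100"),
]

# Constructed versions of one conditional rule: (effective, expiration, meal limit).
MEAL_RULE_VERSIONS = [
    (date(2012, 1, 1), date(2012, 3, 31), Decimal("50.00")),
    (date(2012, 4, 1), date(2012, 12, 31), Decimal("75.00")),
]
DUPLICATE_FIELDS = ("amount", "merchant_id", "doc_date")


def limit_effective_on(day):
    """Return the meal limit of the rule version effective on `day`, or None."""
    for effective, expiration, limit in MEAL_RULE_VERSIONS:
        if effective <= day <= expiration:
            return limit
    return None


def run_policy(docs, start, end, group_by=None):
    """Run both rules over [start, end]; return {case key: [document ids]}."""
    selected = [d for d in docs if start <= d.doc_date <= end]
    cases = defaultdict(list)

    # Conditional rule: the version is chosen by the LAST day of the range.
    limit = limit_effective_on(end)
    if limit is not None:
        for d in selected:
            if d.category == "Meals" and d.amount > limit:
                # Default grouping is per rule; otherwise per chosen field value.
                key = ("rule", "Meals over limit") if group_by is None \
                    else (group_by, getattr(d, group_by))
                cases[key].append(d.doc_id)

    # Duplicate rule: the case is defined by the rule's own fields, so
    # group_by is deliberately ignored here.
    buckets = defaultdict(list)
    for d in selected:
        buckets[tuple(getattr(d, f) for f in DUPLICATE_FIELDS)].append(d.doc_id)
    for key, ids in buckets.items():
        if len(ids) > 1:
            cases[("duplicate",) + key] = ids
    return dict(cases)


if __name__ == "__main__":
    for label, args in [
        ("March, default grouping", (date(2012, 3, 1), date(2012, 3, 31))),
        ("March, by project", (date(2012, 3, 1), date(2012, 3, 31), "project_id")),
        ("March-April, default grouping", (date(2012, 3, 1), date(2012, 4, 30))),
    ]:
        print(label)
        for key, ids in run_policy(EXPENSES, *args).items():
            print("  ", key, ids)
```

    In this model, widening the range to the end of April applies the April limit to the March documents as well, so the two 62.10 meals are no longer selected by the conditional rule while the Duplicate case is unchanged.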

    Case Management

    You can use case management in Microsoft Dynamics AX and in Enterprise Portal for Microsoft Dynamics AX to record, update, track, follow up on, and close issues that are raised by customers, vendors, or employees, or that are created through your audit processes. By planning, tracking, and analyzing cases, you can develop efficient resolutions that can be used for similar issues.

    For example, when customer service representatives or human resources generalists create cases, they can find information in knowledge articles about how to work with or resolve a case more efficiently.

    Because you can use case management for customer, vendor, or employee issues, the Cases form is located in Home in Microsoft Dynamics AX. Audit cases are always managed in Compliance and internal controls, even when they relate to documents that are created in other modules.

    Case Setup

    The operations manager wants customer service representatives and human resources generalists to be able to create cases for customers, vendors, and employees. Before any one of these cases can be created, he must set up case categories and case processes.

    The internal auditor wants audit cases to be generated automatically when the audit policy is run against expense reports. Each audit case contains a group of audit policy violations. She also wants to have the option to create audit cases manually. For these cases, she can use the categories that are created when an audit policy is run, or she can create special categories to use for cases that are manually created.

    For more information about how to create case processes and categories, see the Create case processes and categories topic in Microsoft Dynamics AX product documentation.

    Case Grouping and Categories

    The first step is to determine how audit violations should be grouped into cases. By default, each audit case contains all of the audit violations that were created for a particular document type and audit policy rule. You can specify other case grouping criteria if necessary.

    The first thing the operations manager must do is create categories for cases. Case categories provide the ability to group similar case types together. For example, the operations manager might create categories for sales, employee benefits, or deliveries. He might also create child categories that group the cases at a more detailed level. For example, under a sales category, he could add child categories for pre-sale issues and post-sale issues.

    The internal auditor can decide to create categories for cases that are created manually. She does not have to create categories for audit cases that are created automatically. Every case must be assigned to a case category. Grouping cases by category can help employees identify known solutions, such as knowledge articles, if similar issues occur over time.

    Working with Cases

    After setup is complete, employees with the appropriate permissions can create cases as issues are raised. Cases can be created in Microsoft Dynamics AX and in Enterprise Portal.

    The following table describes tasks that employees can perform when they work with case management.

    Task                        Description
    Create a case               Create a new case record for a customer, vendor, or employee, or for the results of an audit of business documents.
    Add details to a case       Add detailed information such as activities to a case.
    Close a case                Change the status of an open case to Closed to indicate that the issue has been resolved.

    Store a knowledge article   Create and store a knowledge article that includes tips, solutions, and other important information about an issue.
    Rank a knowledge article    Rate a knowledge article to indicate if it was successful in helping to close a case.

    After you create a case, you can add activities, dependent cases, associations, case log information, documents, and responsibilities to the case. You can add these details when you first create the case or you can add them later as needed.

    Procedure: Add Details to a Case

    To add details to a case, complete the following steps:

    1.  Click Home > Common > Cases > All cases.

    2.  Double-click the case that you want to update.

    3.  Select the tab that corresponds to the information that you want to add to the case.

    Use the following information to complete this task:

    •  Case log tab - Click Add to create a new case log information line and enter the appropriate information. Click Details to open the Source type form to view source types for lead and opportunity records.

    •  Associations tab - Click Add to create a new line and add information about an entity that is associated with the case that you are currently working on.

    •  Knowledge article tab - Click Add to add knowledge article information to the case. Click Details to open the Knowledge article form.

    When a case has been resolved, either internally with an employee or externally with a customer or vendor, you can close the case. The case record is saved, but the record is removed from the case list.

    Procedure: Close a Case

    To close a case, complete the following steps:

    1.  Click Home > Common > Cases > All cases.

    2.  In the list, select the case that you want to resolve.

    3.  In the Maintain group, click the Change status button and select Closed.

    When you close a case, the service level agreement (SLA) associated with the case is also closed. If a follow-up activity is required for the case, an activity is created and you will receive a prompt to complete the activity.

    Summary

    This appendix provides some basic information about a few of the Microsoft Dynamics AX audit and control features. To learn more about these topics and any additional audit and compliance related topics, refer to the Microsoft Dynamics product documentation. The topics discussed in this appendix included:

    •  The control library

    •  Manually create new controls

    •  How to Import controls from the default library

    •  Audit policies and policy rule types

    •  Audit cases