1. The structural problem: an ERP that is used, but not governed
In most organisations, the ERP is the operational core — yet its internal control model is largely opaque:
Legacy roles inherited from old implementations.
Excessive permissions granted “to avoid blocking operations”.
Approval workflows that no one has reviewed in years.
Audit processes based on screenshots, Excel exports and verbal explanations.
The company operates — but cannot demonstrate that it operates under control.
Microsoft’s new APIs directly address this governance gap by turning what used to be hidden configuration into queryable, analysable and repeatable evidence.
2. APIs for analysing permissions: evidence of who can do what
Based on the Microsoft Learn article: Use new APIs for analysing permissions for auditors and IT staff.
These APIs allow organisations to extract, in a structured and automated way:
Which users have access to which objects.
Which roles are assigned to each user.
The effective permissions resulting from combined roles.
Which users hold high‑risk privileges (e.g., modifying vendors, approving payments, changing financial parameters).
Concrete example for a CEO or business owner
A permissions report generated through these APIs can answer questions such as:
“How many users can modify the chart of accounts?”
“Who can create vendors and also approve payments?”
“Which users hold permissions that do not match their actual job role?”
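The questions above are segregation-of-duties (SoD) and effective-permission queries, and they can be answered mechanically once permissions data is available in structured form. The following is an added example (not code from the article or from Microsoft) that computes effective permissions from combined permission sets and runs the three questions over constructed sample data. The record layout (users, permission sets, object rights) and every user, role and SoD rule in it are assumptions made for illustration; they are not the response format of the Business Central APIs the article refers to.

```python
"""Effective permissions and segregation-of-duties (SoD) checks over permissions data.

Added example, not code from the article or from Microsoft. The record layout
(users -> permission sets -> object rights) is an assumption chosen to show the
analysis; it is not the response format of the Business Central APIs the article
refers to. All names and assignments below are constructed sample data.
"""
from collections import defaultdict

# Constructed: permission set -> {object: set of rights}
# Rights follow the usual ERP model: R read, I insert, M modify, D delete, X execute.
PERMISSION_SETS = {
    "BASIC":       {"G/L Account": {"R"}, "Vendor": {"R"}, "Purchase Invoice": {"R"}},
    "AP CLERK":    {"Vendor": {"R", "I", "M"}, "Purchase Invoice": {"R", "I", "M"}},
    "AP APPROVER": {"Payment Journal": {"R", "M"}, "Approve Payment": {"X"}},
    "GL SETUP":    {"G/L Account": {"R", "I", "M", "D"}, "General Ledger Setup": {"R", "M"}},
    "SUPER":       {"*": {"R", "I", "M", "D", "X"}},  # wildcard: every object, every right
}

# Constructed: user -> assigned permission sets (the "combined roles" of the article)
ASSIGNMENTS = {
    "alice": ["BASIC", "AP CLERK"],
    "bob":   ["BASIC", "AP CLERK", "AP APPROVER"],
    "carol": ["BASIC", "GL SETUP"],
    "dave":  ["SUPER"],
    "erin":  ["BASIC"],
}

# Constructed: business-level capabilities expressed as the (object, right) a user must hold.
CAPABILITIES = {
    "create vendors":           ("Vendor", "I"),
    "approve payments":         ("Approve Payment", "X"),
    "modify chart of accounts": ("G/L Account", "M"),
}

# Constructed SoD rule: capabilities one person should not hold together.
SOD_RULES = [("create vendors", "approve payments")]


def effective_permissions(user):
    """Union of rights across all of the user's permission sets."""
    eff = defaultdict(set)
    for ps in ASSIGNMENTS.get(user, []):
        for obj, rights in PERMISSION_SETS[ps].items():
            eff[obj] |= rights
    return dict(eff)


def has_right(eff, obj, right):
    """True if `right` on `obj` is granted directly or through the wildcard object."""
    return right in eff.get(obj, set()) or right in eff.get("*", set())


def users_with_capability(name):
    """Answers 'who can ...?' questions, e.g. how many users can modify the chart of accounts."""
    obj, right = CAPABILITIES[name]
    return sorted(u for u in ASSIGNMENTS if has_right(effective_permissions(u), obj, right))


def sod_conflicts():
    """Users holding both sides of an SoD rule, e.g. create vendors AND approve payments."""
    found = {}
    for left, right in SOD_RULES:
        both = sorted(set(users_with_capability(left)) & set(users_with_capability(right)))
        if both:
            found[(left, right)] = both
    return found


def permissions_outside_role(expected_sets):
    """Permission sets held beyond what the job role justifies.

    `expected_sets` maps user -> permission sets the role is expected to need
    (a constructed HR/role-catalogue mapping supplied by the caller).
    """
    return {
        user: sorted(set(held) - expected_sets.get(user, set()))
        for user, held in ASSIGNMENTS.items()
        if set(held) - expected_sets.get(user, set())
    }


if __name__ == "__main__":
    print("Can modify chart of accounts:", users_with_capability("modify chart of accounts"))
    print("SoD conflicts:", sod_conflicts())
    expected = {"alice": {"BASIC", "AP CLERK"}, "bob": {"BASIC", "AP APPROVER"},
                "carol": {"BASIC", "GL SETUP"}, "dave": {"BASIC"}, "erin": {"BASIC"}}
    print("Outside role:", permissions_outside_role(expected))
```

Two design points matter for audit use: the wildcard entry models an all-objects permission set, so a super-user is flagged by every capability test without special casing, and the SoD rules are expressed in business terms (capabilities) that are mapped to object rights in one place, so the rule list can be reviewed by Finance while the mapping is maintained by IT.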
This enables the detection of:
Business value
For a CEO: real control over who can touch critical parts of the business.
For a CIO: independence from the partner and a clear map of risk.
For auditors: verifiable, repeatable evidence instead of ad hoc explanations.
3. APIs for analysing approval workflows: traceability of the control process
Based on the Microsoft Learn article: Use new APIs for analysing approval workflows for auditors and IT staff.
These APIs allow organisations to review:
Which approval workflows exist in the system.
Which conditions trigger each workflow.
Which users or groups approve each document type.
Approval limits and escalation rules.
Which workflows are active, inactive or misconfigured.
Concrete example for a CFO or auditor
Using these APIs, a CFO or internal auditor can identify:
Approval workflows that never execute, indicating potential bypass.
Users with approval limits far above their organisational role.
Documents that should be approved but are not passing through any workflow.
Recent changes to approval rules that may weaken financial control.
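Each of the four findings listed above is a test that can be run over workflow definitions, the documents posted in the period and the approval trail. The following is an added example (not code from the article or from Microsoft) that implements those four tests over constructed sample data. The field names (code, doc_type, min_amount, approver, limit, enabled, modified), the role limits and every record are assumptions made for illustration, not the Business Central API schema.

```python
"""Approval-workflow control checks over constructed workflow, document and approval data.

Added example, not code from the article or from Microsoft. The field names
(code, doc_type, min_amount, approver, limit, enabled, modified) are an assumed
layout for illustration, not the Business Central API schema. All records are
constructed sample data.
"""
from datetime import date

# Constructed: role -> maximum amount the role is meant to approve (None = unlimited)
ROLE_LIMITS = {"AP Clerk": 0, "AP Manager": 25_000, "CFO": None}
USER_ROLES = {"bob": "AP Clerk", "carol": "AP Manager", "frank": "CFO"}

# Constructed workflow definitions: document type, trigger amount, approver, limit, state, last change
WORKFLOWS = [
    {"code": "PI-APPROVAL", "doc_type": "Purchase Invoice", "min_amount": 1_000,
     "approver": "carol", "limit": 25_000, "enabled": True, "modified": date(2025, 1, 10)},
    {"code": "PO-APPROVAL", "doc_type": "Purchase Order", "min_amount": 5_000,
     "approver": "bob", "limit": 100_000, "enabled": True, "modified": date(2025, 6, 1)},
    {"code": "PAY-APPROVAL", "doc_type": "Payment Journal", "min_amount": 0,
     "approver": "frank", "limit": None, "enabled": False, "modified": date(2025, 6, 3)},
]

# Constructed documents posted in the review period
DOCUMENTS = [
    {"no": "PI-1001", "doc_type": "Purchase Invoice", "amount": 800},
    {"no": "PI-1002", "doc_type": "Purchase Invoice", "amount": 12_000},
    {"no": "PO-2001", "doc_type": "Purchase Order", "amount": 7_500},
    {"no": "PJ-3001", "doc_type": "Payment Journal", "amount": 40_000},
]

# Constructed approval entries: the execution trail of the workflows
APPROVAL_ENTRIES = [
    {"doc": "PI-1002", "workflow": "PI-APPROVAL", "approver": "carol"},
]


def applicable_workflows(doc):
    """Enabled workflows whose trigger condition matches the document."""
    return [w for w in WORKFLOWS
            if w["enabled"] and w["doc_type"] == doc["doc_type"]
            and doc["amount"] >= w["min_amount"]]


def never_executed():
    """Enabled workflows with no approval entry at all: candidates for bypass."""
    used = {e["workflow"] for e in APPROVAL_ENTRIES}
    return sorted(w["code"] for w in WORKFLOWS if w["enabled"] and w["code"] not in used)


def limits_above_role():
    """Approvers whose workflow limit exceeds what their organisational role allows."""
    findings = []
    for w in WORKFLOWS:
        role = USER_ROLES.get(w["approver"])
        role_limit = ROLE_LIMITS.get(role, 0)   # unknown role: no approval authority at all
        if role_limit is None:                  # unlimited role: nothing to flag
            continue
        if w["limit"] is None or w["limit"] > role_limit:
            findings.append((w["code"], w["approver"], role, w["limit"], role_limit))
    return findings


def documents_not_approved(materiality):
    """Documents at or above `materiality` with no approval entry, and the reason."""
    approved = {e["doc"] for e in APPROVAL_ENTRIES}
    findings = {}
    for d in DOCUMENTS:
        if d["amount"] < materiality or d["no"] in approved:
            continue
        findings[d["no"]] = ("applicable workflow did not execute" if applicable_workflows(d)
                             else "no enabled workflow applies")
    return findings


def recent_rule_changes(since_iso):
    """Workflow definitions modified on or after the ISO date; disabled ones are marked as weakening."""
    since = date.fromisoformat(since_iso)
    return [(w["code"], w["modified"].isoformat(), "disabled" if not w["enabled"] else "changed")
            for w in WORKFLOWS if w["modified"] >= since]


if __name__ == "__main__":
    print("Never executed:", never_executed())
    print("Limits above role:", limits_above_role())
    print("Not approved (>= 5000):", documents_not_approved(5_000))
    print("Changed since 2025-05-01:", recent_rule_changes("2025-05-01"))
```

The document test separates two distinct control failures that look identical in a ledger: a document for which an enabled workflow exists but never fired (a bypass or a configuration hole in the trigger condition), and a document for which no enabled workflow applies at all (a disabled or missing rule). The recent-changes test is intentionally simple; with a change history rather than a single last-modified date it would also compare old and new limits.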
Business value
For a CFO: stronger assurance that money does not move without proper oversight.
For internal audit: full traceability of the approval chain.
For business owners: protection of cash, assets and reputation.
4. What changes for senior leadership
These APIs are not a minor technical enhancement; they represent a governance shift.
Before
Dependence on the partner for critical information.
Manual, slow and inconsistent audit processes.
Roles and workflows left unreviewed for years.
Hidden operational and fraud risks.
Now
Structured, automatable evidence of permissions and approvals.
Continuous review of the ERP’s control model.
Integration with Power BI, GRC tools and internal dashboards.
Governance based on data, not assumptions or trust alone.
For CEOs, CIOs and CFOs, this means the ERP can finally be treated as part of the formal governance architecture, not just as an operational system.
5. What CEOs, CIOs and auditors should do next
For CEOs and business owners
Request a full effective permissions report using the new APIs.
Review who can approve payments and modify master data.
Demand a risk map of the ERP that highlights high‑risk roles and workflows.
For CIOs
Integrate these APIs into IT and governance dashboards.
Automate alerts for changes in critical roles or approval rules.
Establish quarterly ERP governance reviews with Finance and Audit.
For internal audit
Incorporate these APIs into the annual audit plan.
Define standard segregation‑of‑duties tests based on permissions data.
Monitor changes in approval workflows as part of continuous auditing.
6. To conclude: from ERP usage to ERP governance
The real transformation here is conceptual:
Business Central stops being merely “the system where transactions are recorded” and becomes a source of structured governance evidence.
Senior leadership gains the ability to measure and demonstrate control, rather than simply assuming it.
Auditors and IT teams can move from manual, reactive checks to systematic, proactive and data‑driven oversight.
In practical terms:
Organisations can quantify their segregation of duties.
They can trace changes in critical configuration.
They can prove, not just claim, that their ERP is aligned with their internal control framework.
For CEOs, CIOs, CFOs and business owners, this is the difference between trusting that the ERP is under control and knowing — with evidence — that it is.