web
You’re offline. This is a read only version of the page.
close
Skip to main content

Notifications

Announcements

No record found.

News and Announcements icon
Community site session details

Community site session details

Session Id :
Dynamics 365 Community / Forums / Finance | Project Operations, Human Resources, ... / Identifying 'High Risk...
Finance | Project Operations, Human Resources, ...
Suggested Answer

Identifying 'High Risk' tables for audit

(1) ShareShare
ReportReport
Posted on by SR-09121030-0 6
I'm looking for advice on which tables the community consider to be high risk in D365 FO when it comes to monitoring activity for audit.
 
I guess there will be some variance in terms of sector, so looking more in the Finance space than in the Operations space.
 
Any advice gratefully received.
Categories:
Dynamics 365 Finance
I have the same question (0)
  • André Arnaud de Calavon Profile Picture
    André Arnaud de Cal... 301,018 Super User 2025 Season 2 on at
    Hi,

    Can you elaborate on your question? What exact type of answer are you looking for? There are some tables with private or sensitive data. Also, there are important setup tables. 
  • Suggested answer
    Arvind Bharti Profile Picture
    Arvind Bharti 708 Super User 2025 Season 2 on at
    Hi,
     
    can you please specify more details like which type of audit? is it from localization perspective or in general?
     
    In Finance your finance transactions are stored in ledger transaction table.
  • SR-09121030-0 Profile Picture
    SR-09121030-0 6 on at
    Thank you @Arvind Bharti and @André Arnaud de Calavon for responding to my query.
     
    Our External Financial Auditors (IT section) have asked us to monitor what they describe as 'high risk activities' for verification of legitimacy.  They haven't defined 'high risk activities'.  The available tool that we have is the database log, with tables which were identified at the time of deployment of the system (by our support partner organisation with in house staff learning on the job).  
     
    So we are looking for an industry standard selection of tables which are applicable to be monitored, so we can cross reference with our current list and see what we are missing and what is overkill.  We are a manufacturing engineering company assembling a specific product range used in further processing in a business to business environment.  Our risk areas are in the Intellectual Property space alongside typical business areas of supply chain, purchasing and sales, logistics etc.
     
    Would you consider the configuration tables to be top of the risk set, alongside the financial data? Or more in the production space?
  • Suggested answer
    Arvind Bharti Profile Picture
    Arvind Bharti 708 Super User 2025 Season 2 on at
    HI,
     
    Thank you for answering. Here are few points.
     
    1. Firstly we have to be very carefully for enabling data base log for any table specially transaction table because it is going to increase the size , so only enable for non transaction table that too only for acritical ones like in your case may be product creation but still evaluate performance impact
     
    2. First level of defence should be using security roles where you should design your security role carefully so that the access to sensitive or high risk data is access by only authorised users
     
    3. Now security roles design can be a complex topic but Andre who responded above has written lot of blogs and covering different scenario so that can help you to design correct security roles
     
     
    4. Financial transactions also can be your audit required but should manage using teh out of the box audit trail available for each transactions
  • Suggested answer
    André Arnaud de Calavon Profile Picture
    André Arnaud de Cal... 301,018 Super User 2025 Season 2 on at
    Hi,
     
    Arvind provided a great reply. I do agree with his approach. I have seen environments with over 1 TB of database log data. This is insanely high and not required. So, ensure you design the system access with proper security roles and take care of Segregation of Duties. 
     
    Next, check with your external auditors what they define as high risk activities. As they are pushing you, they should be able to guide them from their policies and experiences. Once that is clear, you can check if it is covered by security roles or if you need to log or track changes. The database log is one option, but there are other options as well. In case you log changes, there should also be a process for reviewing and cleaning up.
    High risk activities can be more than just logging changes in the database. 
     
     

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

Quick Links

Responsible AI policies

As AI tools become more common, we’re introducing a Responsible AI Use…

Neeraj Kumar – Community Spotlight

We are honored to recognize Neeraj Kumar as our Community Spotlight honoree for…

Congratulations to the November Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > Finance | Project Operations, Human Resources, AX, GP, SL

#1
Martin Dráb Profile Picture

Martin Dráb 659 Most Valuable Professional

#2
André Arnaud de Calavon Profile Picture

André Arnaud de Cal... 533 Super User 2025 Season 2

#3
Sohaib Cheema Profile Picture

Sohaib Cheema 289 User Group Leader

Last 30 days Overall leaderboard

Featured topics

End-of-life Announcement for Microsoft Dynamics GP

Product updates

Dynamics 365 release plans