D365FO & SOX Compliance

(0) Share

Report

Posted on by Duc C. Nguyen

Does Microsoft has a mapping of D365FO vs. SOX compliance requirements? is there any GAPs in D365FO vs. requirements of SOX compliance? Appreciate any advice from this!

Thanks.

Duc C. Nguyen

I have the same question (0)

All responses (6)

Answers (3)

Verified answer

André Arnaud de Cal... 299,704 Super User 2025 Season 2 on at

Like (1)

Report

RE: D365FO & SOX Compliance

Hi Duc,

Microsoft does not have a guide on SOX compliance. This is different how to implement it per customer. The basic tools are available to ensure you have a SOX compliant ERP application. You can setup procurement workflows with signing limits, define implementation specific security roles. Limit access to bank accounts, credit card details and setup Segregation of Duties.

There are ISV vendors delivering additional tools and insights, like To-Increase and Fastpath to make life easier and have more control to see if you are SOX compliant. E.g. at To-Increase, we offer an internal security request feature and Segregation of Duties on the level of menu items and privileges next to the duty level which Microsoft has.

Was this reply helpful? Yes No
Verified answer

Ludwig Reinhard Microsoft Employee on at

Like (2)

Report

RE: D365FO & SOX Compliance

Hello Duc C. Nguyen,

This site might help as well: docs.microsoft.com/.../about-compliance

It's for AX2012 and not all features described there have been migrated to D365FO.

Yet, it might give you a starting point.

Best regards,

Ludwig

Was this reply helpful? Yes No
Verified answer

alexmeyer.itguy 648 on at

Like (1)

Report

RE: D365FO & SOX Compliance

I will also agree with what Andre said, Microsoft does not have any formal SOX documentation. They do have audit/compliance tools to help you but it is up to the customer to implement the necessary business processes for them to be successful.

There are some gaps in native functionality from an audit perspective, Andre addressed one already that Microsoft SOD platform does its analysis at a duty level instead of going down to the object level. This can lead to false positive/false negatives in your reporting.

Also the database log that Microsoft includes to track changes is not adequate from an audit perspective. It was built as a troubleshooting/debugging tool and not for audit purposes to be turned on and left on for long periods of time. If you try this, you will notice the performance issues that many others have talked about on this forum. It also has no real functionality to get audit style reports (for example, show me changes to all vendors over the last 90 days).

Feel free to reach out with any further questions about security, audit, or compliance in D365FO and I would be happy to answer them!

Was this reply helpful? Yes No
Duc C. Nguyen 25 on at

Like (0)

Report

RE: D365FO & SOX Compliance

Dear Andrea

Many thanks for your advice. I will contact ISV partner for further advice then.

Thanks

Duc

Was this reply helpful? Yes No
Duc C. Nguyen 25 on at

Like (0)

Report

RE: D365FO & SOX Compliance

Thanks Ludwig for your advice. It's helpful, however it will be a matter of how to map D365FO processes to SOX process/compliance during the implementation.

Thanks

Duc

Was this reply helpful? Yes No
Duc C. Nguyen 25 on at

Like (0)

Report

RE: D365FO & SOX Compliance

Dear Alex

Many thanks for your comprehensive explanation which is very helpful.

Thanks

Duc

Was this reply helpful? Yes No