Professional Documents
Culture Documents
Introduction
One challenge that customers face today is identifying which controls to use to
make sure that their business complies with laws, business rules, policies and
regulations and audit requirements. The Default controls library in Microsoft
Dynamics® AX contains many of the most frequently used controls. This library
provides a resource for customers who are searching for various types of controls
that will help meet their needs.
You can use audit policies to evaluate expense reports, vendor invoices, and
purchase orders for compliance with policy rules that you create. All of the rules
that are associated with an audit policy are run in batch mode according to the
schedule that you specify. Each policy rule is an instance of a policy rule type.
For each policy rule type, only one policy rule can be active at a time.
1
Microsoft Official Training Materials for Microsoft Dynamics®
Your use of this content is subject to your current services agreement
Financials II in Microsoft Dynamics® AX 2012
Customers who have their own control matrix can use the Default controls library
to supplement their control matrix by adding controls in the Compliance Center.
For customers who do not have a control matrix, the Default controls library can
be repurposed and used as a control matrix from which to select the controls to
add to their Compliance Center.
Entries in the Default controls library can be used as a guide for customers who
decide to manually enter controls to the Compliance Center. Customers can also
use the Import and mapping wizard in Compliance Controls to automate the
addition of some or all of the Default controls library controls on the Compliance
Center. A workbook that contains many common compliance controls is
available on the Compliance site in Enterprise Portal. You can refer to this library
when you manually enter controls on the Compliance site; or, you can use the
library as the source file to import controls to the Compliance site.
2
Microsoft Official Training Materials for Microsoft Dynamics®
Your use of this content is subject to your current services agreement
Appendix A: Audit and Compliance Topics
Terminology
The compliance and internal controls process available in Microsoft Dynamics
AX involves several terms and concepts. The following table introduces these
terms and concepts.
Term Definition
Control Refers to a file, almost universally a Microsoft Office Excel
matrix spreadsheet that customers use to list, manage, and keep
track of their controls.
This file can be used as the source file for importing and
mapping a compliance environment and importing activities
into the Compliance Center.
Control A means by which users manage identified elements of their
business to make sure that the policy, regulation, tenet, or
other requirement is followed during normal day to day
business operations.
Control The environment that is set up within the Compliance Center
environment to which controls are associated. Environments are typically
a hierarchical node structure.
The Default Controls Library contains various controls for Microsoft Dynamics
AX users to select from. The Default Controls Library Excel spreadsheet is
installed and stored in the Compliance Center Compliance Resources document
library. For additional information on this topic, refer to the Microsoft Dynamics
AX application documentation.
3
Microsoft Official Training Materials for Microsoft Dynamics®
Your use of this content is subject to your current services agreement
Financials II in Microsoft Dynamics® AX 2012
When the control environment is set up, users will open the Import and Mapping
wizard, open their control matrix, and for every entry they want to import, select
two settings.
4. Select the file to be imported, and then click Next. Review the data
that is displayed from the selected file, and then click Next.
NOTE: The file selected must be in the correct format to import. Use the
Formatting guidelines link on the first page of the wizard for more information
about allowed formats. Use the Back button to return to the first page of the
wizard.
5. Select the column that will be used to map the control matrix
environment data to the Compliance Center environment, and then
click Next.
6. Continue mapping each column from the spreadsheet to the
corresponding Compliance Center control, and then click Next.
7. Select the document template and the template properties (one at a
time), and then select the corresponding control matrix. When you
are finished, click Next.
4
Microsoft Official Training Materials for Microsoft Dynamics®
Your use of this content is subject to your current services agreement
Appendix A: Audit and Compliance Topics
Each policy rule is an instance of a policy rule type. For each policy rule type,
only one policy rule can be active at a time.
Before you can create an audit policy, you must first define the policy parameters
that will be used by all audit policies.
1. Click Compliance and internal controls > Common > Policies >
Audit policies.
Although you must select at least one organization type to use audit policies, you
do not have to change the order of precedence for those organization types. When
an audit policy is run, all rules in that policy are run. The system does not select
which audit policy rules to run based on the order of precedence.
Policy rule types define the document and query parameters that are used when
you develop specific policy rules.
1. Click Compliance and internal controls > Setup > Audit > Policy rule
type.
5
Microsoft Official Training Materials for Microsoft Dynamics®
Your use of this content is subject to your current services agreement
Financials II in Microsoft Dynamics® AX 2012
4. In the Query name field, select the default Application Object Tree
(AOT) query to use as the starting point for developing policy rules for
this policy rule type. The query indicates the source document that the
policy rule type is defined for.
5. In the Query type field, select the type of database query that users can
build when they create audit policy rules by using this policy rule type.
6. In the Document date reference field, select the field in the source
document that identifies the date to use when documents are selected for
audit.
7. Create any additional policy rule types that your organization needs and
then close the form.
The query determines the source document that the policy rule will evaluate. It
also specifies the field in the source document that identifies the legal entity and
the field that identifies the date to use when documents are selected for audit. The
query type controls the default fields in the query form and in the Audit policy
rule form. The following table shows the query types that are available for audit
policy rules.
When you select the Sampling option, the Audit policy rule form includes an
option that lets you specify the percentage of documents to randomly select for
audit.
6
Microsoft Official Training Materials for Microsoft Dynamics®
Your use of this content is subject to your current services agreement
Appendix A: Audit and Compliance Topics
When you select the Duplicate option, the Audit policy rule form includes an
additional option that allows you to specify the number of days to add to the start
of the document selection date range when documents are evaluated for duplicate
entries.
When you select the List Search option, the root document of the query defines
the document that is being audited. The query must contain a join with the
DirParty table.
The List Search option can be used only with the following (AOT) queries:
When you select this option, specify the monitored entities in the Additional
options form before you create the policy rule.
When you select the Keyword Search option, enter the words to look for in the
Additional options form before you create the policy rule. The Audit policy
rule form includes options that allow you to specify the tables and fields to
evaluate for the words entered.
All of the policy rules for a particular audit policy share the same batch
parameters and the same document selection date range. These parameters are
specified in the Additional options form for the policy.
Before you can define an audit policy, you must create the policy rule types that
will define the document and query parameters for the policy rules. You must
also make sure that the policy parameters have been set up appropriately.
1. Click Compliance and internal controls > Common > Policies >
Audit policies.
3. On the General FastTab, enter a name and description for the audit
policy.
7
Microsoft Official Training Materials for Microsoft Dynamics®
Your use of this content is subject to your current services agreement
Financials II in Microsoft Dynamics® AX 2012
o Enter the starting date and ending date of the document selection
date range. This range determines which version of a policy rule
to use, based on the effective dates of the policy rule. It also
determines which organization nodes were associated with the
policy during that date range
o If you are creating a policy rule that uses the List search query
type to evaluate source documents for specific entities, enter the
entities on the Monitored entity FastTab.
o If you are creating a policy rule that uses the Keyword search
query type to evaluate source documents to determine whether
they contain certain words, enter the words on the Prohibited
words FastTab.
o Each audit policy is run in batch mode. To verify or change the
parameters for the batch job, click the Batch button.
o Click Close to return to the Audit policy form.
6. The organization nodes that have been created for the selected
organization type are shown in the Available organization nodes: list.
Select the nodes to be affected by this audit policy and then click the
Add >> button to move those organization nodes to the Selected
organization nodes: list. The association of the organization node with
the audit policy is effective on the date and time that you add it to the
Selected organization nodes: list.
The association expires when you remove the organization node from the
list. Policy rules cannot be tested for any dates on which there is no
organization node associated with the policy.
7. On the Policy rules FastTab, develop the policy rules that are needed for
this policy.
8
Microsoft Official Training Materials for Microsoft Dynamics®
Your use of this content is subject to your current services agreement
Appendix A: Audit and Compliance Topics
1. Click Compliance and internal controls > Common > Policies >
Audit policies.
3. On the Policy rules FastTab, select the policy rule type to develop a
policy rule for, and then click Create policy rule. The fields that are
displayed in the Audit policy rule form depend on the selected policy
rule type and its associated query.
4. In the Effective date and Expiration date fields, enter the date range
when this policy rule is effective. If you do not enter values in these
fields, the policy rule will be effective when it is created, and it will
never expire.
6. Click Select to open a query form. This button is not available for policy
rules that are based on the List search or Keyword search query types.
7. Use the query form to specify the criteria to use for this policy rule, and
then click OK. The fields that were set up by default in the policy rule
form will also be set up in the query form.
8. After the policy rule is set up, click Test. Enter the document selection
date range to use for the test. The dates that you enter in this form are
used only for the test. They are not saved, and they do not affect the
document selection date range that is defined in the Additional options
form.
9. Click Run test. Review the results of the test. If the results are not what
you expected, modify the database query and repeat the test.
9
Microsoft Official Training Materials for Microsoft Dynamics®
Your use of this content is subject to your current services agreement
Financials II in Microsoft Dynamics® AX 2012
• Verify that an organization node was associated with the policy during
the data selection date range that you specified for the test. Policy rules
cannot be tested for any dates on which no organization node is
associated with the policy.
• Verify that source document records exist that were created on or after
the policy was created. Records that existed before the policy was
created cannot be audited. The only exception is for policy rules that are
based on the Duplicate query type, which can audit records up to 180
days in the past.
Each policy rule evaluates a set of documents and selects those that are in the
document selection date range and match the specified criteria. For example, one
policy rule might select expense reports with meals exceeding 50.00. Another
policy rule might select vendor invoices that are payable to a particular vendor.
For each document in the set that is selected, a violation is generated. That
violation is a record that a particular document, such as invoice 12345, does not
comply with the policy rule. Multiple audit violation records are grouped
together and associated with audit cases. By default, cases for each audit policy
are grouped by the audit policy rule.
If you prefer, you can select other criteria for grouping using the Case grouping
criteria form. You could, for example, group expense headers by project ID and
vendor invoices by vendor account. If you were to do this, all expense header
violations that have the same project ID would be grouped in the same case, and
all vendor invoices that have the same vendor account would be grouped in the
same case. After the audit cases have been generated, they are handled using the
typical processes for case management.
For audit policy rules that are based on a Duplicate query type, violations are not
grouped by policy rule or by the criteria specified on the Case grouping criteria
form. Instead, they are grouped by the criteria that are built into the audit policy
rule. For example, if a policy rule evaluates expense reports for duplicate
expenses of the same amount, merchant ID, and date, all expenses that have the
same values in those fields would be one case. If other expenses had different
values, those would be a separate case.
10
Microsoft Official Training Materials for Microsoft Dynamics®
Your use of this content is subject to your current services agreement
Appendix A: Audit and Compliance Topics
When the policy is run, each policy rule selects documents of the specified type
that have a date that is in the document selection date range. The document
selection date range is specified in the Additional options form. Many
documents have more than one date associated with them. The date field that is
used by the audit policy rule is specified in the Policy rule type form.
• The policy uses the version of each policy rule that is effective on the
last day of the document selection date range. Effective dates for
each policy rule can be seen on the Audit policies list page.
• The policy uses the organization nodes that are associated with the
policy on the last day of the document selection date range. Only the
organization nodes that are currently associated with the policy are
displayed on the Audit policies list page.
• The policy uses the organization nodes that are associated with the
policy on the last day of the document selection date range. Only the
organization nodes that are currently associated with the policy are
displayed on the Audit policies list page.
• For policy rules that are based on a List search query type, the
policy evaluates documents for monitored entities that are effective
on the last day of the document selection date range.
Case Management
You can use case management in Microsoft Dynamics AX and in Enterprise
Portal for Microsoft Dynamics AX to record, update, track, follow up on, and
close issues that are raised by customers, vendors, or employees, or that are
created through your audit processes. By planning, tracking, and analyzing cases,
you can develop efficient resolutions that can be used for similar issues.
Because you can use case management for customer, vendor, or employee issues,
the Cases form is located in Home in Microsoft Dynamics AX. Audit cases are
always managed in Compliance and internal controls, even when they relate to
documents that are created in other modules.
Case Setup
The operations manager wants customer service representatives and human
resources generalists to be able to create cases for customers, vendors, and
employees. Before any one of these cases can be created, he must set up case
categories and case processes.
11
Microsoft Official Training Materials for Microsoft Dynamics®
Your use of this content is subject to your current services agreement
Financials II in Microsoft Dynamics® AX 2012
The internal auditor wants audit cases to be generated automatically when the
audit policy is run against expense reports. Each audit case contains a group of
audit policy violations. She also wants to have the option to create audit cases
manually. For these cases, she can use the categories that are created when an
audit policy is run, or she can create special categories to use for cases that are
manually created.
For more information about how to create case processes and categories, see the
Create case processes and categories topic in Microsoft Dynamics AX product
documentation.
The first thing the operations manager must do is create categories for cases.
Case categories provide the ability to group similar case types together. For
example, the operations manager might create categories for sales, employee
benefits, or deliveries. He might also create child categories that group the cases
at a more detailed level. For example, under a sales category, he could add child
categories for pre-sale issues and post-sale issues.
The internal auditor can decide to create categories for cases that are created
manually. She does not have to create categories for audit cases that are created
automatically. Every case must be assigned to a case category. Grouping cases by
category can help employees identify known solutions, such as knowledge
articles, if similar issues occur over time.
The following table describes tasks that employees can perform when they work
with case management.
Task Description
Create a case Create a new case record for a customer, vendor, or
employee, or for the results of an audit of business
documents.
Add details to a Add detailed information such as activities to a case.
case
Close a case Change the status of an open case to Closed to
indicate that the issue has been resolved.
12
Microsoft Official Training Materials for Microsoft Dynamics®
Your use of this content is subject to your current services agreement
Appendix A: Audit and Compliance Topics
Task Description
Store a knowledge Create and store a knowledge article that includes
article tips, solutions, and other important information about
an issue.
Rank a knowledge Rate a knowledge article to indicate if it was
article successful in helping to close a case.
After you create a case, you can add activities, dependent cases, associations,
case log information, documents, and responsibilities to the case. You can add
these details when you first create the case or you can add them later as needed.
3. Select the tab that corresponds to the information that you want to add to
the case.
• Case log tab - Click Add to create a new case log information
line and enter the appropriate information. Click Details to open
the Source type form to view source types for lead and
opportunity records.
When a case has been resolved, either internally with an employee or externally
with a customer or vendor, you can close the case. The case record is saved, but
the record is removed from the case list.
13
Microsoft Official Training Materials for Microsoft Dynamics®
Your use of this content is subject to your current services agreement
Financials II in Microsoft Dynamics® AX 2012
3. In the Maintain group, click the Change status button and select
Closed.
When you close a case, the service level agreement (SLA) associated with the
case is also closed. If a follow up activity is required for the case, an activity is
created and you will receive a prompt to complete the activity.
Summary
This appendix provides some basic information about a few of the Microsoft
Dynamics AX audit and control features. To learn more about these topics and
any additional audit and compliance related topics, refer to the Microsoft
Dynamics product documentation. The topics discussed in this appendix
included:
14
Microsoft Official Training Materials for Microsoft Dynamics®
Your use of this content is subject to your current services agreement