and Audits What to Expect and What You Need to Know Frank Vukovits Vice President of Strategic Partnerships Fastpath Kelly Kane AXUG Kentucky Chapter Leader Information Systems Specialist Algood Food Company

Objectives  Managing Your Auditor  Discuss what the auditor is looking for  Answer the question: “Why do they need that?”  AX requirements  IT requirements  Share experiences

So, you’re being audited and they’re asking about AX…

OOrg Chart EEmployee Handbook IIT Job Descriptions IIT policies IIT Strategic Plan IIncident Ticket PPatch/Release Sign-off MManagement Change Approval EEmployee Listing NNew Hire Listing TTermination Listing NNew User Form TTermination Form  AX User Listing  AX Administrators  AX Password Parameters  Network Password Parameters  AX Security Logs  AX User Access Level Review  OS Administrators  Database Logs  Remote Access Users  Backup Scheduler  Backup Testing  System Alerts  Error Notifications

Why all of the HR policies?  Org Chart President CIO Developer Support Engineer Business Analyst

Why all of the HR policies?  Employee Handbook  Any type of IT policies  Acknowledgement form signed by all employees  Updates and how communicated  IT Job Descriptions  Employee Listing  New Hire Listing  Termination Listing  AX User Listing  Auditor will compare Employee Listing vs. AX User Listing  Auditor will compare New Hires/Terms vs. AX User Listing

Why all of the HR policies?  New User Form  Auditor is looking for proof of approved AX access  Who the form goes to within your company Form should contain the following: Employee name Department Job Title Supervisor Network Username/ Address System Access (Different systems within your company: AX, MES, WMS, etc.) Any hardware needed (Not a requirement, but nice to have)

Why all of the HR policies?  New AX User Access Form/Change Form  Approved AX access  Signed off by management  For all new users and AX access changes Form should contain the following: Employee name Department Job Title/Responsibilities Supervisor Network Username/ Address System Access

Why all of the HR policies?  Termination Form/  Looking for proof that terminated employees no longer have access to your network/systems  Who gets this information within your company  The auditor WILL compare the termination listing against your active listing and AX active user list to ensure that access is cut off.

IT Policies  Incident Response Plan  Purchase Order Workflow Process  A document detailing the parameters of your purchasing workflow  Source Code Monitoring  Backup Procedures  Password Parameters

Change  Auditors are very focused on changes made to the system  Incident tickets  Patch/release sign offs  Management change approval (BRD)  Database change logs  Source code change logs

Access  Auditors want to know who has access and to what  Sys Admin security in AX  OS Admins  Domain Admins  Remote access users  AX user access  SQL Database Accounts

Backups  Backup scheduler  How often  Where stored  How accessed  Backup Testing  Regular restore tests  Proof of backup restore

Kelly’s Biggest Tip for Audits Don’t overshare!

Managing Your Auditors  No much information currently out there about ‘Auditing AX’  Most auditors tend to follow generic audit programs  Gather critical information for auditors ahead of time, and then ‘dazzle’ them with your controls knowledge  “These aren’t the reports you are looking for”  However, still be careful not to send them down any rabbit holes  There can be control gaps in your Dynamics AX environment, remember it’s okay to accept the risk sometimes