APPENDIX A: AUDIT AND COMPLIANCE TOPICS
Objectives
The objectives are:
• Introduce the Default Controls Library and provide a basic overview
of how to manually create new controls
• Discuss how to import controls from the default library
• Create and view audit policies and policy rule types
• Create and view audit cases
Introduction
One challenge that customers face today is identifying which controls to use to make sure that their business complies with laws, business rules, policies and regulations and audit requirements. The Default controls library in Microsoft Dynamics® AX contains many of the most frequently used controls. This library provides a resource for customers who are searching for various types of controls that will help meet their needs.
You can use audit policies to evaluate expense reports, vendor invoices, and purchase orders for compliance with policy rules that you create. All of the rules that are associated with an audit policy are run in batch mode according to the schedule that you specify. Each policy rule is an instance of a policy rule type. For each policy rule type, only one policy rule can be active at a time.
Default Controls Library
The Default controls library in Microsoft Dynamics® AX contains many of the most frequently used controls. This library provides a resource for customers who are searching for various types of controls that will help meet their needs. Customers who have their own control matrix can use the Default controls library to supplement their control matrix by adding controls in the Compliance Center. For customers who do not have a control matrix, the Default controls library can be repurposed and used as a control matrix from which to select the controls to add to their Compliance Center.
Entries in the Default controls library can be used as a guide for customers who decide to manually enter controls to the Compliance Center. Customers can also use the Import and mapping wizard in Compliance Controls to automate the addition of some or all of the Default controls library controls on the Compliance Center. A workbook that contains many common compliance controls is available on the Compliance site in Enterprise Portal. You can refer to this library when you manually enter controls on the Compliance site; or, you can use the library as the source file to import controls to the Compliance site.
Terminology
The compliance and internal controls process available in Microsoft Dynamics AX involves several terms and concepts. The following table introduces these terms and concepts.
| Term | Definition |
|---|---|
| Control matrix | Refers to a file, almost universally a Microsoft Office Excel spreadsheet, that customers use to list, manage, and keep track of their controls. This file can be used as the source file for importing and mapping a compliance environment and importing activities into the Compliance Center. |
| Control | A means by which users manage identified elements of their business to make sure that the policy, regulation, tenet, or other requirement is followed during normal day to day business operations. |
| Control environment | The environment that is set up within the Compliance Center to which controls are associated. Environments are typically a hierarchical node structure. |
The Default Controls Library contains various controls for Microsoft Dynamics AX users to select from. The Default Controls Library Excel spreadsheet is installed and stored in the Compliance Center Compliance Resources document library. For additional information on this topic, refer to the Microsoft Dynamics AX application documentation.
Procedure: Manually Add Controls to the Library
To manually add new control types to the Default Controls Library in the Compliance Center, follow these steps:
1. Open the Enterprise Portal website through your web browser.
2. Click Compliance.
3. Click Compliance resources on the left pane.
4. Click the Default Controls Library file and then click Download a copy on the Action pane.
5. Enter a Name for the file such as "Default Controls Library".
6. Select a location for the file to be saved to.
7. Click Save.
8. Browse to the location where the file was saved, and then double-click to open it in Microsoft Office Excel.
9. Create a new line in the spreadsheet.
10. Save the file.
Import and Mapping Wizard
The Import and mapping wizard lets you import your internal controls into the Compliance Center from an existing, preformatted control matrix spreadsheet that your company uses. Before you use the Import and mapping wizard you must set up the following:
• Establish the document templates
• Create the control environment
When the control environment is set up, users will open the Import and Mapping wizard, open their control matrix, and for every entry they want to import, select two settings:
1. Select the compliance environment(s) node that the control should fall under.
2. Select the document template that the control will use when it is loaded onto the system. This includes mapping template properties to corresponding data in the matrix.
Procedure: Importing Controls
To import controls into the Compliance Center, follow these steps:
1. Open the Enterprise Portal website through your web browser.
2. Click Compliance.
3. Click Import on the left pane, and then click Next.
NOTE: The wizard cannot be completed unless at least one environment is configured and at least one template exists.
4. Select the file to be imported, and then click Next. Review the data that is displayed from the selected file, and then click Next.
NOTE: The file selected must be in the correct format to import. Use the Formatting guidelines link on the first page of the wizard for more information about allowed formats. Use the Back button to return to the first page of the wizard.
5. Select the column that will be used to map the control matrix environment data to the Compliance Center environment, and then click Next.
6. Continue mapping each column from the spreadsheet to the corresponding Compliance Center control, and then click Next.
7. Select the document template and the template properties (one at a time), and then select the corresponding control matrix. When you are finished, click Next.
8. Click Import to process the import.
9. When the import is complete, the system will display a message; click Finish.
Audit Policies, Rules and Cases
You can use audit policies to evaluate expense reports, vendor invoices, and purchase orders for compliance with policy rules that you create. All of the rules that are associated with an audit policy are run in batch mode according to the schedule that you specify.
Each policy rule is an instance of a policy rule type. For each policy rule type, only one policy rule can be active at a time.
Before you can create an audit policy, you must first define the policy parameters that will be used by all audit policies.
Procedure: Creating Audit Policies
To create audit policies, follow these steps:
1. Click Compliance and internal controls > Common > Policies > Audit policies.
2. On the Action Pane, click Parameters to open the Policy parameters form.
3. The available organization types are displayed in the Organization types: list. Select the organization types to create policies for and then click the Add button.
Although you must select at least one organization type to use audit policies, you do not have to change the order of precedence for those organization types. When an audit policy is run, all rules in that policy are run. The system does not select which audit policy rules to run based on the order of precedence.
Policy rule types define the document and query parameters that are used when you develop specific policy rules.
Procedure: Creating Policy Rule Types
To create audit policy rule types, complete the following steps:
1. Click Compliance and internal controls > Setup > Audit > Policy rule type.
2. Click New to create an audit policy rule type.
3. Enter a name and a brief description of the policy rule type.
4. In the Query name field, select the default Application Object Tree (AOT) query to use as the starting point for developing policy rules for this policy rule type. The query indicates the source document that the policy rule type is defined for.
5. In the Query type field, select the type of database query that users can build when they create audit policy rules by using this policy rule type.
6. In the Document date reference field, select the field in the source document that identifies the date to use when documents are selected for audit.
7. Create any additional policy rule types that your organization needs and then close the form.
Queries and Query Types
When you create an audit policy rule, you first select a policy rule type. The policy rule type specifies the Application Object Tree (AOT) query to use as the starting point for creating the policy rule. It also specifies the query type to use for the policy rule.
The query determines the source document that the policy rule will evaluate. It also specifies the field in the source document that identifies the legal entity and the field that identifies the date to use when documents are selected for audit. The query type controls the default fields in the query form and in the Audit policy rule form. The following table shows the query types that are available for audit policy rules.
| Query Type | Purpose |
|---|---|
| Conditional | Evaluate source document attributes against specified values |
| Aggregate | Evaluate multiple source documents or source document lines against a policy rule by aggregating numeric values |
| Sampling | Randomly select a specified percentage of the source documents to evaluate for policy violations |
| Duplicate | Evaluate source documents to determine whether they contain duplicate entries in specified fields |
| List Search | Evaluate source documents for specific entities |
| Keyword Search | Evaluate source documents to determine whether they contain certain words |
When you select the Sampling option, the Audit policy rule form includes an option that lets you specify the percentage of documents to randomly select for audit.
When you select the Duplicate option, the Audit policy rule form includes an additional option that allows you to specify the number of days to add to the start of the document selection date range when documents are evaluated for duplicate entries.
When you select the List Search option, the root document of the query defines the document that is being audited. The query must contain a join with the DirParty table.
The List Search option can be used only with the following (AOT) queries:
• AuditPolicyExpenseList - Expense report monitored employees
• AuditPolicyPurchList - Purchase order monitored vendors
• AuditPolicyVendInvoiceList - Vendor invoice monitored vendors
When you select this option, specify the monitored entities in the Additional options form before you create the policy rule.
When you select the Keyword Search option, enter the words to look for in the Additional options form before you create the policy rule. The Audit policy rule form includes options that allow you to specify the tables and fields to evaluate for the words entered.
All of the policy rules for a particular audit policy share the same batch parameters and the same document selection date range. These parameters are specified in the Additional options form for the policy.
Before you can define an audit policy, you must create the policy rule types that will define the document and query parameters for the policy rules. You must also make sure that the policy parameters have been set up appropriately.
Procedure: Set Up Policy Parameters
To verify or set up policy parameters, follow these steps:
1. Click Compliance and internal controls > Common > Policies > Audit policies.
2. On the Action Pane, click Policy to create an audit policy.
3. On the General FastTab, enter a name and description for the audit policy.
4. On the Action Pane, click Additional options.
   o Enter the starting date and ending date of the document selection date range. This range determines which version of a policy rule to use, based on the effective dates of the policy rule. It also determines which organization nodes were associated with the policy during that date range.
   o If you are creating a policy rule that uses the List search query type to evaluate source documents for specific entities, enter the entities on the Monitored entity FastTab.
   o If you are creating a policy rule that uses the Keyword search query type to evaluate source documents to determine whether they contain certain words, enter the words on the Prohibited words FastTab.
   o Each audit policy is run in batch mode. To verify or change the parameters for the batch job, click the Batch button.
   o Click Close to return to the Audit policy form.
5. On the Policy organizations FastTab, select an organization type. This is the organization type that the audit policy will apply to. A single policy can apply to only one organization type.
6. The organization nodes that have been created for the selected organization type are shown in the Available organization nodes: list. Select the nodes to be affected by this audit policy and then click the Add >> button to move those organization nodes to the Selected organization nodes: list. The association of the organization node with the audit policy is effective on the date and time that you add it to the Selected organization nodes: list. The association expires when you remove the organization node from the list. Policy rules cannot be tested for any dates on which there is no organization node associated with the policy.
7. On the Policy rules FastTab, develop the policy rules that are needed for this policy.
Develop Policy Rules
An audit policy rule consists of a database query that is run against source documents. The policy rule types define the document and query parameters that are used when you develop policy rules.
Procedure: Create a Policy Rule
To create a policy rule, complete the following:
1. Click Compliance and internal controls > Common > Policies > Audit policies.
2. Double-click the policy to create policy rules for.
3. On the Policy rules FastTab, select the policy rule type to develop a policy rule for, and then click Create policy rule. The fields that are displayed in the Audit policy rule form depend on the selected policy rule type and its associated query.
4. In the Effective date and Expiration date fields, enter the date range when this policy rule is effective. If you do not enter values in these fields, the policy rule will be effective when it is created, and it will never expire.
5. Complete other fields as required, depending on the query type that is associated with the policy rule type.
6. Click Select to open a query form. This button is not available for policy rules that are based on the List search or Keyword search query types.
7. Use the query form to specify the criteria to use for this policy rule, and then click OK. The fields that were set up by default in the policy rule form will also be set up in the query form.
8. After the policy rule is set up, click Test. Enter the document selection date range to use for the test. The dates that you enter in this form are used only for the test. They are not saved, and they do not affect the document selection date range that is defined in the Additional options form.
9. Click Run test. Review the results of the test. If the results are not what you expected, modify the database query and repeat the test.
If you still do not receive expected results, do the following:
• Verify that an organization node was associated with the policy during the data selection date range that you specified for the test. Policy rules cannot be tested for any dates on which no organization node is associated with the policy.
• Verify that source document records exist that were created on or after the policy was created. Records that existed before the policy was created cannot be audited. The only exception is for policy rules that are based on the Duplicate query type, which can audit records up to 180 days in the past.
Audit Policy Violations and Cases
Audit policies are used to identify expense reports, purchase orders, and vendor invoices that do not comply with business rules that you define and configure as audit policy rules. Audit policies are run in batch mode. When you run an audit policy, all the policy rules that are part of that policy are run at the same time. Each policy rule evaluates a set of documents and selects those that are in the document selection date range and match the specified criteria. For example, one policy rule might select expense reports with meals exceeding 50.00. Another policy rule might select vendor invoices that are payable to a particular vendor. For each document in the set that is selected, a violation is generated. That violation is a record that a particular document, such as invoice 12345, does not comply with the policy rule. Multiple audit violation records are grouped together and associated with audit cases. By default, cases for each audit policy are grouped by the audit policy rule.
If you prefer, you can select other criteria for grouping using the Case grouping criteria form. You could, for example, group expense headers by project ID and vendor invoices by vendor account. If you were to do this, all expense header violations that have the same project ID would be grouped in the same case, and all vendor invoices that have the same vendor account would be grouped in the same case. After the audit cases have been generated, they are handled using the typical processes for case management.
For audit policy rules that are based on a Duplicate query type, violations are not grouped by policy rule or by the criteria specified on the Case grouping criteria form. Instead, they are grouped by the criteria that are built into the audit policy rule. For example, if a policy rule evaluates expense reports for duplicate expenses of the same amount, merchant ID, and date, all expenses that have the same values in those fields would be one case. If other expenses had different values, those would be a separate case.
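The violation and case-grouping behaviour described above, modelled in Python as an added example; it is not Microsoft Dynamics AX code and not part of the original material. The expense records, field names, dates and function names are constructed assumptions used only to show how the date range, the rule criteria and the grouping choice change which cases result.

```python
from collections import defaultdict
from datetime import date

# Constructed sample expense lines; field names are assumptions, not AX table fields.
EXPENSES = [
    {"id": "EXP-1", "category": "Meals", "amount": 72.50, "merchant": "M100", "date": date(2013, 3, 4), "project": "P-01"},
    {"id": "EXP-2", "category": "Meals", "amount": 31.00, "merchant": "M200", "date": date(2013, 3, 5), "project": "P-01"},
    {"id": "EXP-3", "category": "Hotel", "amount": 180.00, "merchant": "M300", "date": date(2013, 3, 6), "project": "P-02"},
    {"id": "EXP-4", "category": "Hotel", "amount": 180.00, "merchant": "M300", "date": date(2013, 3, 6), "project": "P-02"},
    {"id": "EXP-5", "category": "Meals", "amount": 95.00, "merchant": "M100", "date": date(2013, 3, 7), "project": "P-02"},
    {"id": "EXP-6", "category": "Meals", "amount": 60.00, "merchant": "M100", "date": date(2013, 5, 1), "project": "P-01"},
]

def in_range(docs, start, end):
    """Document selection date range: only documents dated inside it are evaluated."""
    return [d for d in docs if start <= d["date"] <= end]

def conditional_rule(docs, category, limit):
    """Conditional query type: compare document attributes against specified values."""
    return [d for d in docs if d["category"] == category and d["amount"] > limit]

def duplicate_rule(docs, fields):
    """Duplicate query type: documents sharing the same values in the given fields."""
    buckets = defaultdict(list)
    for d in docs:
        buckets[tuple(d[f] for f in fields)].append(d)
    return {key: grp for key, grp in buckets.items() if len(grp) > 1}

def group_cases(rule_name, violations, group_by=None):
    """Group violations into cases: by policy rule by default, or by a chosen field."""
    cases = defaultdict(list)
    for v in violations:
        key = rule_name if group_by is None else v[group_by]
        cases[key].append(v["id"])
    return dict(cases)

def run_policy(start, end):
    """Run both rules over the same date range, as all rules of one policy share it."""
    docs = in_range(EXPENSES, start, end)
    meals = conditional_rule(docs, "Meals", 50.00)
    dupes = duplicate_rule(docs, ("amount", "merchant", "date"))
    return {
        "default": group_cases("Meals over 50.00", meals),
        "by_project": group_cases("Meals over 50.00", meals, group_by="project"),
        # Duplicate rules ignore the grouping criteria: one case per matching value set.
        "duplicates": {key: [d["id"] for d in grp] for key, grp in dupes.items()},
    }

if __name__ == "__main__":
    for name, cases in run_policy(date(2013, 3, 1), date(2013, 3, 31)).items():
        print(name, cases)
```

Widening the date range passed to `run_policy` pulls EXP-6 into the project P-01 case, which is the same effect a wider document selection date range has on which documents a rule evaluates.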