Technology Insights HOME | Perspectives from Our Experts on Technology Trends and Risks


Case Study: Senior Living Management Company

Kevin McCreary

Managing Director - Microsoft


Building a SOX Compliant and Scalable Microsoft Dynamics 365 Security Framework in a Short Timeframe

Situation

Our client is a national manager of distinctive, independent assisted living and memory care communities throughout the U.S. Established less than two years ago, it has grown to manage more than 100 retirement communities caring for more than 5,500 residents across 28 states.

To accommodate the company’s rapid growth, the organization implemented Microsoft Dynamics 365 for Finance and Operations (D365F&O) on an accelerated timeline to rapidly establish a business management platform. In order to implement the solution quickly, the team chose to utilize the out-of-the-box (also known as ‘seeded’) security roles delivered with the application, which inherently contained numerous high-risk segregation of duty (SoD) conflicts.

Because of the amount of revenue under management for a large publicly traded real estate investment trust (REIT), the client would be required to comply with Sarbanes-Oxley (SOX), including controls over functional access in D365F&O. To meet this requirement, the company needed a solution that would integrate well with its D365 environment and provide detailed audit reporting, SoD visibility and scalable task-based roles.

Solution: Clearer identification of conflicts and faster issue remediation

The organization decided to leverage Fastpath Assure software, and they asked for implementation partners that could support them in solving their problem within the timeframe allotted. They reached out to Protiviti to assist with the Fastpath implementation, the security redesign and the development and implementation of governance processes to protect their new security architecture while demonstrating strong controls. Management knew it was critical they had the right software and the governance processes in place in order to effectively accomplish their objectives and sustain their security model going forward.

To start building a compliant D365 security architecture, an SoD framework had to be established and configured within the Fastpath software. The framework provided the rules for how the new roles could be built. Once the SoD risk ruleset was configured, the team used Fastpath to help build security roles that aligned with the SoD framework, designed processes for managing their new risk framework, and implemented the new roles throughout the organization. Using software and security analysis tools helped to minimize effort for the iterative build, test, analyze and modify processes. The Fastpath tool, specifically the “Security Designer” module, made it easier to quickly build scalable task-based roles that were free of SoD conflicts and still provided a flexible security framework enabling our client to grow and change over time.

Results: Measurable KPIs around role design and issue remediation

Over the course of 15 weeks, Protiviti built an application security framework to support compliance with Sarbanes-Oxley requirements and drive business ownership of security roles and risks. Before the redesign, the client had roughly 50 critical SoD role conflicts and over 1,200 user conflicts. After the project was completed, all roles were free of unmitigated SoD conflicts and the total number of conflicts at the user level had been reduced by over 97%. The ruleset is more comprehensive with the addition of 69 custom objects that would not normally be captured in the out-of-the-box Fastpath ruleset. Lastly, the number of non-system users who are assigned the “System Administrator” role has been reduced by 60%, ensuring that only the right individuals have this elevated level of access.

To keep the company moving forward, key individuals in audit, IT and the business have been trained on how to leverage Fastpath and perform the new governance processes. Additionally, the organization implemented a role-based access control process and redesigned security within their Microsoft CRM system (aka Dynamics 365 Customer Experience).

Conclusion

Our client needed timely solutions to meet the demands of their ownership partner and their external auditors. Protiviti organized quickly, brought the right experience and began implementing governance processes, technology, and security structures to meet their needs. There were bumps along the journey and times when the plan had to pivot, but in the end, our client exceeded the requirements of their ownership partner and established a platform for ongoing access management.

 

To learn more about Protiviti’s Microsoft capabilities, please visit our Microsoft consulting solutions site or contact us.

 

 
