Permission Structure Reporting for SOX Compliance

We have recently been purchased by a publicly traded company and need to figure out how to comply with the evidentiary requirements for SOX testing. Our permission structure is somewhat complex with controls and access tied to certain fields on the various cards and lines. Is there an easy way to pull this data out for presentation and review to ascertain that our controls - permission structures are working as intended?

Hi Jim and welcome to the forum,

Seems that this US-specific question (I “asked Aunt Gooooogle” what SOX is…) can’t be answered that easily - maybe you might rephrase the question: what data must be presented, or is it not about certain data but about principles of accounting?

Hi Jim,

First, what version of Navision are you on?

To become SOX compliant you need to be on at least 3.70 and SQL **. Better would be at least 4.00sp3 and then use Enhanced Security. In fact SOX is the ONLY reason I would ever recommend Enhanced security. The reason is that because all the security is clearly visible in SQL, you can achieve separation between the IT and ERP roles much more easily.

I was involved in one of the very first SOX implementations, like you the company had just been purchased by a public company, and we had a Go-Live date 2 weeks after SOX was announced. We could not get the auditors to sign off, and had to wait for the release of 3.70 (for change log) and moved from Native to SQL.

Our biggest issue was that the auditors could not really follow the Navision security Schemas, and it was a huge job to show them that the SQL DB was secure, which we could not prove on Native. With Enhanced security you should be able to extract the security schemas directly from SQL and that should satisfy the Auditors.

** By the way, you could become SOX compliant on earlier versions and even on Native, but it will be a lot more work costing you more money.

Hi Modris,

You might have ended up with a result such as the infamous Boston Red Sox [:D]

But it’s in fact the acronym for the Sarbanes-Oxley Act.

Jim, there are a few white papers about SOX on Partner Source:

https://mbs.microsoft.com/downloads/customer/Documentation/WhitePapers/SOX_NAV_whitepaper.pdf

https://mbs.microsoft.com/NR/rdonlyres/9986EC61-E891-4DDE-B3A2-97F00298BFB8/4069/mbs_sarbox_wp.pdf

Tarek - nevertheless I found the right ‘SOX’ explanation (Sarbanes-Oxley). But thanks for the info that others exist, too… [:D]

The reason to kick in a thread where I have no knowledge at all was my moderator’s duty - it was unanswered for a long time, I hoped someone more informed would notice it, and it wasn’t in vain - Jim got an answer from you and David…

Hi Jim,

Just came across your question. Out of the box there is no easy way to extract all the information for an audit of security, especially when you get into managing segregation of duties and understanding the rules and then applying them to your organization. Fastpath has a tool designed by former SOX auditors that can do the segregation of duties analysis for you with a rule-set designed for NAV. Additionally, it provides the security reports that will be requested in an audit, i.e. who has access to create vendors, set up users, etc. Your partner may be able to help or you can contact me for info.
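
An added illustration of the segregation-of-duties check and the "who has access to create vendors, set up users" report mentioned in the reply above; it is not part of the thread and is not Fastpath's or Navision's code. The export layout, role names, permission rows and rules are all constructed assumptions standing in for whatever you extract from your own security tables.

```python
from collections import defaultdict

# Constructed sample export (assumed layout, not real NAV data):
# (role, object, can_insert, can_modify, can_delete)
ROLE_PERMISSIONS = [
    ("AP-CLERK", "Vendor", True, True, False),
    ("AP-PAYMENTS", "Payment Journal", True, True, True),
    ("SEC-ADMIN", "User", True, True, True),
    ("READ-ONLY", "Vendor", False, False, False),
]
USER_ROLES = [
    ("ALICE", "AP-CLERK"), ("ALICE", "AP-PAYMENTS"),
    ("BOB", "AP-CLERK"),
    ("CAROL", "SEC-ADMIN"), ("CAROL", "AP-PAYMENTS"),
    ("DAVE", "READ-ONLY"),
]
# Business capability -> the (object, right) that confers it (constructed).
CAPABILITIES = {
    "create vendors": ("Vendor", "insert"),
    "set up users": ("User", "insert"),
    "enter payments": ("Payment Journal", "insert"),
}
# Pairs of capabilities one user should not hold together (constructed rules).
SOD_RULES = [("create vendors", "enter payments"),
             ("set up users", "enter payments")]

def effective_rights(role_permissions, user_roles):
    """Resolve roles to rights: user -> {(object, right): roles granting it}."""
    by_role = defaultdict(set)
    for role, obj, ins, mod, dele in role_permissions:
        for right, granted in (("insert", ins), ("modify", mod), ("delete", dele)):
            if granted:
                by_role[role].add((obj, right))
    rights = defaultdict(lambda: defaultdict(set))
    for user, role in user_roles:
        for grant in by_role[role]:
            rights[user][grant].add(role)  # keep the role as audit evidence
    return rights

def access_report(rights, capabilities):
    """capability -> sorted list of users who hold it."""
    return {cap: sorted(u for u, g in rights.items() if need in g)
            for cap, need in capabilities.items()}

def sod_violations(rights, capabilities, rules):
    """List (user, capability A, capability B, roles responsible) per conflict."""
    found = []
    for user in sorted(rights):
        for a, b in rules:
            ga, gb = capabilities[a], capabilities[b]
            if ga in rights[user] and gb in rights[user]:
                found.append((user, a, b, sorted(rights[user][ga] | rights[user][gb])))
    return found
```

Listing the roles behind each conflict shows the reviewer which assignment to remove, which is the evidence an auditor asks for rather than a bare list of names.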