Whether administration of the financial systems is handled by accounting personnel or by IT personnel, there are a few things about that system the person filling the Controller’s role should keep track of. My purpose here isn’t to tell the accountants they should also be IT experts, but to raise awareness of system safety.
Data loss is devastating to a company. Whether the result is loss of profits, reputation or intellectual property, no one wants to go through a major data loss event. I have never heard of anyone that has gone through it report that they enjoyed it.
By my estimation, there are three things we need to have the system administrators show us. If they can satisfactorily demonstrate them, it is a good bet the rest of the operation is being run well.
1. Prove Our Backups (And our recovery plan) Work
Data loss does not happen because of a human or mechanical failure.
- Data is lost when it has not been backed up.
- Data is lost when we cannot restore it properly
I know that sounds oversimplified, but people are going to make mistakes and servers are going to fail. These events do not have to be an emergency if good disaster planning and backup systems are in place.
A default Dynamics installation is set up to allow restoration to any point in time as long as the system administrator has a proper plan in place. The database server logs every transaction in such a way that log can be “replayed” from backups to a certain point in time. If the AP Manager accidentally closes the AP module before we are ready, we can actually restore it back to the minute just prior to that act and continue on our way.
Ask the system administrator to see the backup plan and have them explain the various reactions they would take if:
- An associate makes an irreversible mistake
- Corrupt data is discovered
- The server hardware fails
From the answers we get, we can determine how much downtime we can expect and how many hours of work will be lost.
2. Show Me the Test Plan for Changes
This is a tough one. When we ask for changes to be made to some part of our financial system, the temptation is always there to make it right in the production environment. We should never allow ourselves to get in such a hurry that we are willing to make a systemic change without testing it.
The simple changes often have the worst results in data loss and the most experienced technicians are often the worst offenders!
A test environment can range from a simple copy of your financial database to a fully redundant set of computers and software. We recommend the fully mirrored test setup, but at a minimum, a copy of the test database should be available for testing proposed changes. The routine should always be something like:
- Make the change in the test environment
- Have another user test it by running related reports and inquiries.
- Verify the results
- Promote the change to the production environment
3. Show Me Who Has Access
There are two points of entry for Dynamics data. Through the application and through the database by accessing the tables directly. By default, whoever has system administrator access on the database’s server has direct access to the database’s tables. This might not be a policy issue in your organization, but I recommend remaining aware of it through regular access audits.
While the IT personnel should be able to explain the security measures in place at your company, it is important to remember that security takes many forms:
- Physical access to the server equipment
- Environmental effects to the servers (heat, moisture, etc.)
- Network access both locally and via the Internet
- Role and duty separation (Can a check writer also set up vendors?)
- Access by personnel other than accountants
There are laws of unintended consequences out there that we can never fully insulate ourselves from. Through planning and testing, we can do a lot to minimize the damage. Begin with these three exercises and start building a strong system audit.