GP Easy Security Fixes: Fiscal Periods

[In this series, we’re looking at quick fixes to improve GP security. ]

The matching principle in accounting requires that a company record expenses in the period in which the related revenues are earned. That means posting transactions in the correct period. Both revenues and expenses can be manipulated by posting them in past or future periods and this results in incorrect financial statements. 

Getting the dates right in Dynamics GP can be more challenging than it seems. (We looked at this in our Controller series.) But just as important is maintaining control of fiscal periods.

GP makes it easy to open and close fiscal periods for various modules. Dig deeper and you’ll see that GP actually provides fine grain control for opening and closing individual transaction types. That’s overkill for most organizations. 

Fiscal Periods Setup

The key is that there should only be one or two individuals with rights to open and close periods and those users should not be allowed to create or change transactions. Otherwise, it’s just too easy to open a month and post backwards or open next year and push a transaction far into the future.

Fiscal Periods are managed via Administration>Setup>Company>Fiscal Periods. The window is Fiscal Periods Setup and by default its assigned to these roles:

  • Accounts Payable Clerk
  • Accounting Manager
  • Power User 

The default task is ADMIN_COMPANY_001*. I would strongly recommend removing this task from the Accounts Payable Clerk role right now. I’ll wait…

Realistically, the Fiscal Periods Setup window should be segregated into a role without transaction access. For example, a role that allows maintaining the chart of accounts and fiscal periods, but not transaction entry, starts to provide a level of effective segregation without imposing a significant burden. 

Also, be careful with two other items: access to the Professional Services Tools library and the Allow Posting to History setting in General Ledger setup. 

The Fiscal Period Modifier tool included with the Professional Services Tools Library can be used to reopen closed years. Imagine posting transactions 10 years back to hide inappropriate transactions. 

Fiscal Period Modifier

Similarly,  Allow Posting to History is a setting that allows posting directly to the last closed year if a fiscal period is open for that year. This is a great feature for closing the year while still being able to make final adjusting entries. It’s also dangerous once year end close is complete. 

 Posting to History

Properly managing fiscal periods help keep closed years closed and current year transactions in the right periods.

You can find all of the fixes in this series at GP Easy Security Fixes.

GP Easy Security Fixes: Account Maintenance

[In this series, we’re looking at quick fixes to improve GP security. ]

Controlling the chart of accounts is about as fundamental as it gets in an accounting system. If the chart can change, the fundamental nature of the resulting financial statements can be changed. Imagine the damage that could be done simply by reclassifying an income statement account to a balance sheet account? That’s before we get into false accounts and transactions (shudder). 

Controlling who has access to the chart of accounts via the Account Maintenance window in Dynamics is an easy way to eliminate a lot of segregation of duties issues. Separating account creation and maintenance from the ability to make entries is a great way to improve control and it is easier than expected. Even in a very small finance organization it’s possible to segregate duties by letting the  controller manage the chart and others make journal entries. It’s not perfect, but it’s an improvement. 

Account Maintenance

The only really pushback is that sometimes users need to see elements in the chart to confirm that they are using the right number, validate that the account was setup correctly, etc. In Dynamics GP, there is no inquiry window for the chart accounts. Frankly, this is a poor reason to grant access. Both the Accounts Navigation List (Financial>Navigation Lists>Accounts) and the Accounts Smartlist (MSDynamicsGP>Smartlists>Financial>Accounts) can show account information including the description, account type, active status, and user defined information without permission to make changes. 

By default, the Accounting Manager, Bookkeeper, Certified Accountant, and Power User roles all have access to the Account Maintenance window. Access is provided via the Card_0101* task. Reducing the roles with access to this task or moving access to Account Maintenance to separate task and tightly controlling the roles it is assigned to will along way in managing access to the chart. 

One additional note, the Mass Modify Chart of Accounts feature (Financial>Cards>Financial>Mass Modify) can also be used to create or change accounts. Security to Mass Modify Chart of Accounts is also included in the Cards_1010* task and in most case should mirror the access granted to Account Maintenance. 

Mass Modify

The chart is the heart of an accounting system and it’s still surprising how often we run into segregation of duties issues where a large number of users have access to make changes to the chart. This is an easy fix, so get things cleaned up today.

You can find all of the fixes in this series at GP Easy Security Fixes.

GP Easy Security Fixes: Journal Entries

[In this series, we’re looking at quick fixes to improve GP security. ]

Controlling access to Journal Entries is a fundamental control point. If users can make and post journal entries without any review, they can do just about anything to the final financial statement numbers.  

In Dynamics GP, there are actually three different ways to enter a journal entry and an easy security fix is to turn off two of them. 

In Dynamics GP, a journal entry can be created using the Transaction Entry, Quick Journal Entry, or Clearing Entry windows. 

Transaction Entry is the primary journal entry option. It supports batches for review, approval of batches, and workflow approval by batch. This is what most people think of when they think of creating a journal entry in GP. It’s also the area where organizations are most likely to place controls.

Quick Journals were designed to be journal entries created via templates where the accounts were similar from month to month, but the amounts  would change. There are a couple of problems with Quick Journals:

  • They don’t use batches making them difficult for others to review prior to posting
  • They don’t support approvals
  • They don’t support workflow
  • They are rarely used.

This last one is actually the biggest issue. Because many companies barely know that Quick Journals exist, they don’t restrict them in security. It’s a journal entry hole big enough to drive a truck through. 

On top of that, Quick Journal functionality can be duplicated using recurring batches in Transaction Entry. The Recurring Batches feature provides equivalent functionality with approval and review options using the Transaction Entry window.

There is a simple fix, turn Quick Journals off. In a base GP install, the Accounting Manager, Bookkeeper, and Power User roles have access to the Quick Journal Entry window. It is a part of the TRX_FIN_001* task. Simply remove the window from the task to remove access using Setup>System>Security Tasks.

Finally, we come to the odd little feature known as Clearing Entries. Clearing entries are designed to clear the balance of an account (either year-to-date or for a specific period) to a different account, hence the name. The odd part is that these entries don’t show any amounts. Users simply select Year-to-Date or Trx Period and they are left hoping the amount is correct. While a report can be run to show the amount, that’s extra time and effort just to see the amounts on a journal entry. 

This is another feature that is rarely if ever used. Most users prefer to validate the balance to be moved and then process a regular journal entry.

Clearing entries do support batches, but there is so little benefit to clearing entries that most users avoid them. Turning them off is a great way to ensure that they can’t be used as a back door to an inappropriate journal entry.

Clearing entries are also part of the Accounting Manager, Bookkeeper and Power User roles and they are a member of the TRX_FIN_001* task by default. Simply remove the window from the task to turn it off using Setup>System>Security Tasks.

With just a couple of simple tweaks, it’s easy close off access to alternative journal entry options and focus control on the main Transaction Entry window.

You can find all of the fixes in this series at GP Easy Security Fixes.

New Series: Easy Security Fixes for GP.

It’s a new year and time for a new weekly series. This one takes a look at easy security fixes for Dynamics GP.

Security gets a lot of attention around year-end, and many companies know that their GP security settings aren’t the best that they could be. There are plenty of good reasons for this, but I’m not here to point fingers, I’m here to help.

Realistically, there are lots of things companies should do to setup security the right way in GP. These include understanding processes, mapping processes to job functions, tying job functions to Roles and Tasks in GP and reviewing the whole pile for segregations of duties conflicts. But not everyone understand the incredible value built when you setup security the right way, and sometimes, you just need to make some progress now. 

This series isn’t about doing everything right, it’s about doing something now that makes you safer tomorrow than you were yesterday. It’s the “I know I should I should eat right and exercise, but how do I lose 5 pounds by Friday?” approach to GP security. 

In this series I’m going to focus on fast security fixes around:

We’ll do one a week for eight weeks and then we’ll play with something new. Links to each item will be added once the post is up. 

Hands On With Microsoft Dynamics GP 2018 R2 New Features: Duplicate Check Numbers Option Extended


Ian Grieve is Hands On With Microsoft Dynamics GP 2018 R2 New Features: Duplicate Check Numbers Option Extended. Ian’s new feature series is fantastic, make sure to check out all the items. This one was particularly important, so I wanted to highlight it here. 

Quick Journals

Jen Kuntz looks at Quick Journals. My attitude has changed toward Quick Journals. I used to like them, and I used them as a controller, but they are clunky to set up and use and two other features are now better options. Recurring batches are easier to use, setup, and change than Quick Journals. They also allow batch approvals, which Quick Journals do not. The other feature that dips into Quick Journal territory is Copy/Paste from Excel. 

Copy/Paste from Excel lets users maintain their recurring entries in Excel and simply paste in the current month’s numbers. Since this is done via a Journal Entry there are fewer entry points to manage. Also, preparation of the numbers on the Excel sheet can be separated from the user who actually does the entry. 

Quick Journals work fine, I just think that Recurring Batches and Copy/Paste from Excel have made the feature redundant.