Project governance in D365 Project Operations: approvals and audit

Professional services firms - consultancies, engineering firms, system integrators - have specific project-governance needs that generic ERP features don't carry. Project creation needs approval. Budget changes need audit trails. Contract scope adjustments need multi-level sign-off. Internal control policies need enforcement at the record level, not as after-the-fact reviews.

Firms standing up Dynamics 365 for project management often evaluate three paths. Only one fits the requirement without years of custom maintenance.

The tempting wrong answers

Manual approval workflows via Outlook + SharePoint. Email threads for approval, project documents attached. Works for ten projects; falls apart past fifty. Auditors ask "show me the approval for this budget change" and the answer is "somewhere in Outlook, hopefully". No enforcement, no audit trail, no segregation of duties.

Custom Power Apps to route project change forms. Looks like automation. In practice, each form change needs a release cycle, integrations with F&O break on platform upgrades, and the firm ends up maintaining what is essentially a custom project module parallel to the standard one. Support costs balloon.

Excel for project details with manual submission to finance. The status quo at many firms before migration. Migration is the opportunity to fix this, not replicate it.

The pattern that fits

The Project Management and Accounting module in D365 F&O (or D365 Project Operations for more sales-integrated scenarios), configured with workflow approvals, budget control policies, and change order tracking.

What each piece does:

Project workflows. Standard project-creation workflow routes new projects through approval (capability-based, role-based, or hierarchy-based). Before a project can accept time or expense, it's been approved.

Budget control policies. Budgets set at the project, category, or resource level. When a transaction would exceed the budget, the policy blocks or warns based on configuration. No custom "budget check" code needed.

Change order tracking. Budget changes, contract scope changes, and resource re-plans all go through formal change-order records. The change order carries the rationale, the financial impact, and the approvers. Auditors get a complete lineage.

Multi-level approval. Workflow approval can be N-level with conditional branching - a small budget change goes to the project manager, a large one adds the account executive, a very large one adds the CFO. Configured, not coded.

Database audit logging. Audit trail covers project creation, budget changes, approval events, transaction posting. Combined with LCS's process modeler, the firm has documented controls plus system traceability.

What makes Project Operations vs Project Management & Accounting the right choice

Two Microsoft products cover this space:

Project Management and Accounting (PMA) in F&O - the deeper finance and accounting capabilities. Right for firms where project financial management is the primary use case (WIP accounting, revenue recognition, inter-company project billing).

Dynamics 365 Project Operations - unifies the Project Management module in Dataverse with F&O's accounting backend. Right for firms where the sales-to-project-to-delivery flow is the primary concern (opportunity → quote → project → deliver → invoice).

Many firms use both, with Project Operations for the CE-side workflow and PMA for the F&O accounting. Dual-write handles the data coexistence.

Internal control policies

Beyond workflows, the PMA module supports:

• Category-level approvals - some project categories need extra sign-off (e.g., fixed-price vs T&M)
• Posting controls - who can post time, who can post expenses, who can approve vendor invoices against a project
• Resource assignment policies - who can be booked on what project type
• Billing controls - who can generate invoices, who can write off unbilled amounts

Each is configuration in the standard module, not custom code.

Audit and regulatory documentation

For firms with SOX or ISO audit requirements:

• Database logging on the project-critical tables tracks every change at the row level
• LCS Business Process Modeler documents the business processes as they run in F&O, linked to the system's actual behavior
• Security Diagnostics report pulls the current security setup for audit review
• Audit trail forms in F&O surface change history to auditors without custom reporting

The combination satisfies most standard audit questions without a separate governance documentation layer.

Integration with time and expense

Project governance only works if time and expense flow into the same system. PMA integrates with:

• Employee self-service for time entry with validation against approved projects
• Expense management for project-billed expenses with approval routing
• Procurement for project-specific purchase requisitions with budget checks
• Resource scheduling for bookings that respect the project's resource plan

All standard. All within the same module's governance umbrella.

Reporting and visibility

The governance data feeds executive visibility:

• Project scorecards on budget vs actual, margin by project, resource utilization
• Analytical workspaces for project health across the portfolio
• Power BI on top of BYOD/Data Lake for customer-specific dashboards

The point: if the governance data is clean, the reporting is free. If the governance data is in email threads and Excel, reporting is a data-archeology project.

What ships with the pattern

A working governance implementation on PMA/Project Operations has:

• Project creation workflow configured with role-based approvals
• Budget control policies at the right granularity for the firm
• Change order types matched to the firm's internal controls
• Database logging and LCS process documentation for audit
• Time, expense, procurement, and billing integrated
• Dashboards feeding executive visibility

This is standard functionality. The PSA firms getting this wrong are the ones who tried to build around the module instead of using it.