There is a rumor floating around that could have very serious implications for your business. The claim is that “spidering,” a technology that takes an inventory of data on a given website at a specific point in time, is an effective way to continuously monitor changes to NetSuite environments.
Unfortunately, this claim is dead wrong. In an informal poll across the Big 4 and Certified Internal Auditors, 100% didn’t see spidering as a reliable way to completely and accurately track changes in NetSuite.
Here are 3 reasons why:
- Spidering does not provide a complete picture for auditing.
Spiders take a snapshot only, so any change made after the spider passes by is not recorded. It is NOT continuous monitoring. Imagine if you tried to take inventory in a store while the store is open for business. You count a stack of t-shirts and move on, and in the meantime, a customer buys one…and now your count is off.
Think of this from an auditor’s perspective. Without a complete picture (and with no way to monitor how the tool is doing its monitoring), you take the risk of the auditor catching something that wasn’t captured, which translates into the auditor denying reliance on management’s work, an indication of failure of internal controls/material weaknesses, and a substantive rather than a controlled reliance audit.
- Spidering can significantly impact performance—and growth.
The more frequently you run a spidering program, the more accurate the picture you can get, but this comes at the expense of processing power that should be used for other critical business processes. This can also impact your ability to capitalize on your investment in the flexible platform provided by NetSuite. If NetSuite users begin to notice the system is slowing down due to the spidering, no one will be happy.
- Spidering can have expensive repercussions.
If there is an issue with your audit, you not only incur the expense of material weaknesses (and having to report them to Wall Street), but also the increased cost of moving from a control to a substantive audit, the lost time and money in implementing a tool that ultimately did not work, and finally, the expense and time required to reimplement continuous monitoring controls.
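The gap described in the first reason can be shown with a small simulation. This is an added example, not code from Fastpath or NetSuite: the change log, record names, actors and crawl times are all constructed, and the crawl is modelled simply as reading the configuration state at a given minute.

```python
from collections import namedtuple

# Constructed change log (hypothetical records); value None means "removed".
Change = namedtuple("Change", "minute actor record value")
CHANGES = [
    Change(5,  "alice", "role:AP Clerk/perm:Vendor Payments", "Full"),
    Change(20, "bob",   "role:AP Clerk/perm:Vendors",         "Edit"),
    Change(40, "bob",   "role:AP Clerk/perm:Vendors",         None),  # reverted
    Change(70, "carol", "workflow:PO Approval/threshold",     "5000"),
    Change(80, "carol", "workflow:PO Approval/threshold",     "50000"),
]
INITIAL = {"workflow:PO Approval/threshold": "1000"}

def state_at(minute):
    """Configuration exactly as a crawl at `minute` would read it."""
    state = dict(INITIAL)
    for c in CHANGES:
        if c.minute <= minute:
            if c.value is None:
                state.pop(c.record, None)
            else:
                state[c.record] = c.value
    return state

def snapshot_diffs(crawls):
    """Changes a spider can report: differences between consecutive crawls."""
    found, prev = [], state_at(crawls[0])
    for m in crawls[1:]:
        cur = state_at(m)
        for rec in sorted(set(prev) | set(cur)):
            if prev.get(rec) != cur.get(rec):
                found.append((m, rec, prev.get(rec), cur.get(rec)))
        prev = cur
    return found

def missed_changes(crawls):
    """Logged changes that were overwritten before any crawl could see them."""
    missed = []
    for c in CHANGES:
        nxt = min((o.minute for o in CHANGES
                   if o.record == c.record and o.minute > c.minute), default=None)
        seen = any(m >= c.minute and (nxt is None or m < nxt) for m in crawls)
        if not seen:
            missed.append(c)
    return missed

if __name__ == "__main__":
    for crawls in ([0, 60, 120], [0, 30, 60, 75, 120]):
        print(crawls, "diffs:", len(snapshot_diffs(crawls)),
              "missed:", [(c.minute, c.actor) for c in missed_changes(crawls)])
```

With hourly crawls the spider reports two differences out of five logged changes and never sees the temporary permission grant or the intermediate threshold; closing the gap takes more crawls, which is the performance trade-off the second reason describes.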
If you’re a NetSuite user, there is one more important point to note: spidering is redundant. NetSuite includes System Notes, which is an out-of-the-box continuous management tool built directly into core NetSuite functionality that covers all changes in the application that would be financially relevant. It doesn’t cost you any extra and doesn’t affect system performance.
Check out the paper co-authored by Protiviti and Fastpath on "Designing NetSuite Security: Leveraging Access Monitoring Solutions" and the importance of leveraging access management technology, such as Fastpath Assure®, to monitor whether security design requirements and Segregation of Duties (SoD) restrictions are properly maintained throughout the system.