Most people involved in accounting understand that if a user has access to manage both vendors and payments, it is pretty easy to create false vendor records and generate payments to those false vendors. In other words, it’s the fast lane to fraudville.
Security Fixes for NetSuite: Separate Master Records and Transactions
In this blog series, we're reviewing quick fixes to improve NetSuite security.
Only slightly more complicated are similar schemes involving customers. Payment redirection fraud can be just as dangerous and harder to detect. All this risk leads to some pretty simple advice: don’t allow users with access to manage vendors to also manage payables transactions. The same advice goes for customers.
In fact, that advice works throughout an accounting system. Separating master record management from transaction processing is a simple and easy way to improve segregation of duties. That’s it. The end.
If only it were that simple. NetSuite provides a number of standard roles with master record access. For example, Vendor access is provided by all of these roles: A/P Clerk, Accountant, CEO, CFO, Chief People Officer, Full Access, Human Resources, Administrator, Marketing Administration, and Store Manager. That is broad access for creating vendors, and many of these roles also have access to various vendor-related transactions.
Similarly, broad access to Customers is provided by NetSuite’s included roles. The list includes A/R Clerk, Accountant, Advanced Partner Center, CEO, CFO, Marketing Administration, PM Manager, Product Manager, Retail Clerk, Retail Clerk WS, Revenue Accountant, Revenue Manager, Sales Admin, Sales Manager, Sales Person, Sales VP, Store Manager, Support Admin, Support Person, Administrator, and Sys Admin.
Before we even get to transactions, it’s pretty clear that Vendor and Customer access needs additional restrictions. Ideally, users with access to create or modify master records wouldn’t have any access to transactions. In small companies, that may not be reasonable. One simple answer for smaller organizations is to swap master record access. For example, A/P Clerks could create Customers and process Vendor Transactions. Similarly, A/R Clerks would create Vendors and process Customer Transactions. This at least provides some segregation of duties.
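To make the segregation-of-duties rule above checkable rather than just advice, here is an added example (not code from the original post, and not a NetSuite API) that scans a role-to-permission mapping for roles combining master record access with conflicting transaction access, and then applies the "swap" arrangement for small companies. The permission matrix is constructed for illustration: only the role names come from the post, and which transaction permissions each role holds, as well as the permission names themselves, are assumptions. In practice you would export the real role permissions from your NetSuite account and load them in place of the sample.

```python
"""Segregation-of-duties (SoD) conflict check for NetSuite-style roles.

Added example; not from the original post and not a NetSuite API. The
permission names and the role-to-permission matrix are CONSTRUCTED for
illustration. Replace SAMPLE_ROLES with permissions exported from your own
account before relying on the result.
"""
from collections import defaultdict

# Rule from the post: a role that can create or edit a master record must not
# also process the transactions that pay out (vendors) or redirect money
# (customers) against that record. Transaction permission names are assumed.
CONFLICT_RULES = {
    "Vendors": {"Bills", "Pay Bills", "Vendor Payments"},
    "Customers": {"Invoice", "Customer Payment", "Customer Deposit"},
}

# Constructed sample data: role -> set of permissions held by that role.
SAMPLE_ROLES = {
    "A/P Clerk": {"Vendors", "Bills", "Pay Bills"},
    "A/R Clerk": {"Customers", "Invoice", "Customer Payment"},
    "Accountant": {"Vendors", "Customers", "Bills", "Invoice"},
    "Marketing Administration": {"Vendors", "Customers"},
    "Store Manager": {"Vendors", "Customers", "Invoice"},
}


def find_conflicts(roles, rules=CONFLICT_RULES):
    """Return {role: [(master_record, [conflicting transaction perms])]}.

    A role is listed only if it holds a master record permission together
    with at least one transaction permission that conflicts with it.
    """
    conflicts = defaultdict(list)
    for role, perms in roles.items():
        for master, txn_perms in rules.items():
            if master in perms:
                overlap = sorted(perms & txn_perms)
                if overlap:
                    conflicts[role].append((master, overlap))
    return dict(conflicts)


def swap_master_access(roles, role_a, master_a, role_b, master_b):
    """Apply the swap the post suggests for small companies.

    role_a gives up master_a and receives master_b; role_b gives up master_b
    and receives master_a. Each role keeps its transaction permissions, so
    neither can both create a record and process transactions against it.
    Returns a new mapping; the input is not modified.
    """
    fixed = {role: set(perms) for role, perms in roles.items()}
    fixed[role_a] = (fixed[role_a] - {master_a}) | {master_b}
    fixed[role_b] = (fixed[role_b] - {master_b}) | {master_a}
    return fixed


def report(roles):
    """Human-readable summary of SoD conflicts, one line per role."""
    conflicts = find_conflicts(roles)
    if not conflicts:
        return "No master record / transaction conflicts found."
    lines = []
    for role, items in sorted(conflicts.items()):
        for master, txn in items:
            lines.append(f"{role}: can edit {master} and also {', '.join(txn)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("Before swap:")
    print(report(SAMPLE_ROLES))
    swapped = swap_master_access(SAMPLE_ROLES, "A/P Clerk", "Vendors",
                                 "A/R Clerk", "Customers")
    print("\nAfter swapping A/P and A/R master record access:")
    print(report(swapped))
```

Running the script lists the Accountant, the two clerks and the Store Manager as conflicts on the sample data, then shows both clerks dropping out of the list after the swap; the Accountant and Store Manager still appear, which is the point: swapping only fixes the two clerk roles, and every other role that combines master records with transactions still needs its permissions trimmed.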
There are also some mitigation options in NetSuite, such as a workflow approval for customer or vendor changes. But mitigating controls are not as good as primary controls, so companies should make a determined effort to separate these functions before turning to mitigation.
You can find all of the fixes in this series at NetSuite Easy Security Fixes.
Looking for even more useful NetSuite security best practices?
Get our "NetSuite Change Management" paper which examines the native NetSuite functionality available to deploy effective change management in a NetSuite environment, including best practices, the change monitoring process, as well as the change review/sign-off process.