Systems that generate financial reports, process data, and store master data are necessary for accurate and reliable financial statements. IT general controls (ITGC) are the foundation of your overall control environment. ITGCs determine who has access to the system and how changes are made to the system, computer operations (batch jobs and interfaces), and any system development life-cycle controls.
Without proper IT controls, you do not have control over who can access your systems or how changes are made. As a result, you will not be able to rely on any of your systems for accurate financial reporting or the confidentiality of your company and customer data. This can be detrimental to a company considering issuing an IPO or has recently gone public since Sarbanes-Oxley (SOX) requires reliable financial statements (among other requirements). Other regulations such as GDPR, FDA, and many others have a bearing on the company as well.
Beware of Gotchas in NetSuite
NetSuite is highly flexible and easy to set up – but watch out for these three "gotchas":
1. Built-in security roles create SOD violations and give users too much access
NetSuite provides many out-of-the-box user role definitions. However, these roles are based on outdated design frameworks and do not consider segregation of duties (SOD) risk. Assigning these built-in roles to users without first looking at potential SOD conflicts can lead to fraud and regulatory violations.
But investing the time to develop to create customized roles is costly and tedious. As a result, many companies give all users administrator (or “super-user”) access, sometimes referred to as the “keys to the kingdom”. Other companies keep giving additional roles to a user until they finally have all the access privileges they need to perform their job. This can lead to overprovisioning and typically gives users too much access to the business system(s), violating the principle of least privileged access.
In addition to overprovisioning user access, some companies fail to perform periodic access reviews. There are many examples where a user has quit or was promoted yet still had significant access rights onto the company’s critical business systems.
Another issue related to this problem is having individuals from the accounting or finance granted administrative access rather than leaving these privileges centralized in the IT department.
It would be better if the departments would coordinate together to develop customized user role definitions and have IT administer the business software systems.
2. Controls are often an afterthought when implementing
During an implementation, many companies are focused on making sure functionality supports their processes. But all too often, these same companies don’t consider baking controls into the new system design or process design. NetSuite’s SuiteSuccess deployment program is meant to implement the software quickly, not address compliance.
As a result, many companies are not effectively leveraging NetSuite capabilities to enforce controls. They end up trying to cobble together the necessary controls manually, an exhausting, time-consuming, and error-prone process. Even after this exercise is completed, the company can still have loopholes in its roles and controls.
3. Many automated controls require customization
NetSuite comes with very few built-in controls. These controls must be custom configured for your unique environment. Often, companies hire third-party vendors and consultants to provide these controls and role definitions. Still, these vendors are not always aware of your company’s unique challenges, nor are they always called back to refine these configurations if technology, business processes, or software capabilities change and require these controls to be updated.
These are just a few of the general challenges in NetSuite. In the upcoming installments of this blog series, we will look at several areas of interest for NetSuite system administrators and users to maintain a secure system and avoid headaches when it is time for audits.