It has been stated that IT controls are the foundation of the overall control environment. Without proper IT controls, it will not be possible to rely on the system to produce accurate and valid financial reports.
Without careful consideration of role design (including the assignment of permissions via roles) and the implementation of additional controls, there is a high risk associated with creating or modifying vendors and payments to those vendors.
One solution is to utilize SuiteFlow to enforce approvals on vendor changes and payments.
Workflows can be created using SuiteFlow for approving changes or additions to the vendor master and will help ensure that vendors and their bank accounts are valid.
Similarly, workflows for vendor bill payments can help to make sure that bill payments are made to vendors for valid goods and services. For example, a two- or three-way match process can help to ensure that payments link to valid purchase orders.
In discussing the procure-to-pay cycle, the fraud risks related to vendors and payments must be addressed. Controlling these risks is something that NetSuite does not provide out of the box. Therefore, it will be necessary to consider how to customize the configuration of the environment.
Quite simply, without any controls in place this poses a real opportunity for fraud. The ability to create and modify vendors and to make payments to those vendors as well is a risk for any company, regardless of the application being used. Therefore, it is important to determine how this fraud risk will be addressed, taking into account the limitations of NetSuite.
Using SuiteFlow, an approval process can be established to ensure that risk is well-controlled. An option may exist to have a detective review control in the short term while a longer term solution is to implement a preventative workflow to lock down potential risks.
The first recommended solution would be to enforce approval on changes to vendors, including changes and additions to the vendor master. Not every record on the vendor master necessarily carries the same risk associated with vendors generally. In that case, a workflow might be designed that will check changes only in certain key fields, such as bank accounts, the vendor's name, or the vendor's address.
The second recommended solution is a workflow over vendor bill payments. This is to ensure that payments are made to valid vendors and that these payments are made for valid goods and services that have been received. An efficient solution would be to implement a two- or three-way match to aid in this process.
Either of these solutions is excellent for combating fraud. Additional considerations would include the volume of vendor payments the company is making and whether certain vendors are riskier than other vendors.
A threshold might be determined whereby payments under a certain amount would not require all the approvals a larger amount may need, or perhaps would require no approvals at all. Amounts over this threshold would then conceivably require two or three approvers. These determinations would depend on the company’s risk tolerance and its interaction with various types of vendors. Certain vendors potentially carry more associated risk than other vendors, and so it is advisable to assess the fraud risks in dealing with vendors and payments.
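The decision logic behind a three-way match combined with amount-based approval tiers can be sketched as follows. This is an added example in plain JavaScript, not SuiteScript or SuiteFlow configuration and not code from Fastpath or NetSuite; the field names, the 2% price tolerance, the tier amounts and the `highRisk` flag are all assumptions made for illustration.

```javascript
// Illustrative model only: plain JavaScript, not SuiteScript or SuiteFlow configuration.
// Field names, tolerance and tier amounts are assumptions for this example.
const TIERS = [                        // constructed approval tiers by bill total
  { upTo: 1000, approvers: 0 },
  { upTo: 25000, approvers: 1 },
  { upTo: Infinity, approvers: 2 },
];

// Three-way match: every billed line must tie to a PO line and to received goods.
function threeWayMatch(po, receipt, bill, priceTolerance = 0.02) {
  const exceptions = [];
  if (bill.vendorId !== po.vendorId) exceptions.push('vendor differs from PO');
  for (const line of bill.lines) {
    const ordered = po.lines.find((l) => l.item === line.item);
    const received = receipt.lines.find((l) => l.item === line.item);
    if (!ordered) { exceptions.push(`${line.item}: not on PO`); continue; }
    const receivedQty = received ? received.qty : 0;
    if (line.qty > receivedQty) exceptions.push(`${line.item}: billed qty exceeds received`);
    if (line.qty > ordered.qty) exceptions.push(`${line.item}: billed qty exceeds ordered`);
    if (line.unitPrice > ordered.unitPrice * (1 + priceTolerance)) {
      exceptions.push(`${line.item}: price above PO tolerance`);
    }
  }
  return exceptions;
}

// Route a bill: the amount picks the tier; a match exception or a vendor
// flagged as high risk adds one approver, so such bills never auto-approve.
function routeBill(po, receipt, bill, vendor) {
  const exceptions = threeWayMatch(po, receipt, bill);
  const total = bill.lines.reduce((sum, l) => sum + l.qty * l.unitPrice, 0);
  let approvers = TIERS.find((t) => total <= t.upTo).approvers;
  if (exceptions.length > 0 || vendor.highRisk) approvers += 1;
  return { total, approvers, exceptions };
}

// Constructed sample data: 10 ordered, 8 received.
const po = { vendorId: 'V-100', lines: [{ item: 'WIDGET', qty: 10, unitPrice: 50 }] };
const receipt = { lines: [{ item: 'WIDGET', qty: 8 }] };
const cleanBill = { vendorId: 'V-100', lines: [{ item: 'WIDGET', qty: 8, unitPrice: 50 }] };
const overBill = { vendorId: 'V-100', lines: [{ item: 'WIDGET', qty: 10, unitPrice: 55 }] };

console.log(routeBill(po, receipt, cleanBill, { highRisk: false })); // no approval needed
console.log(routeBill(po, receipt, overBill, { highRisk: false }));  // two exceptions, one approver
```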
A client may want to know how to identify all the workflows that exist in NetSuite. Although this is fairly common, most clients do not know how to pull a population of changes by type. Under the Customization menu of NetSuite, there is a menu called Workflow. From there, a person with the correct access to view that page will see the inventory of all the workflows that exist in the account. Workflows that are provided from third-party bundles must be obtained from the Suite app store. Searches may be made by functionality, for example, or by vendor to find the options that work best for your company.
Read Part 1 of this series, Gotchas in NetSuite.
Read Part 2, Journal Entries in NetSuite.