
What risks arise when connecting Netsuite and Salesforce?

Netsuite and Salesforce have long been a great and popular combination, and Oracle/Salesforce have provided a simple and 'elegant' way for the two to integrate seamlessly.

Representatives can create an opportunity and set it to a lead, following the sales process for closing the lead to a customer. At this point the data can transfer to Netsuite to mark the Salesforce account as a new customer. This allows invoicing, and often shipment of goods, to proceed, with the invoice distributed from Netsuite. Customer data is transferred to Netsuite without any human interaction.

So what could go wrong?

At this point we must think about the risks that this integration brings. Typically we focus on the risks that users pose within one application. What must we look for when a user has access to more than one application and that access, combined, creates issues such as Segregation of Duties conflicts or elevated access?

Let's go back to the process that is often used between the two and ask some questions:

* Can the user that creates the customer also change the data for that customer? If so, there is a risk that a fictitious customer could be created, allowing goods to be shipped with payment possibly never being received due to extended payment.

* Can the user that creates the new customer and their order also edit the payment terms? This could cause cashflow issues if payment terms are extended beyond the agreed/standard terms your organization employs. Extend this across multiple transactions, and the cashflow issue grows to be a significant problem.

* Can a user who sets up the customer edit the customer details prior to shipment? If so, this could divert the goods to another address that is not associated with the actual customer.

* Could a user who books an order be responsible for changing the pricing of goods sold? In this case, lowering the price could create gaps between expected and actual sales, changing our forecasts and cash flow expectations.
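The four questions above can be run as a cross-application access review. The following is an added example, not code from the original article or from either vendor: the permission labels, rule names and sample grants are hypothetical, and it assumes accounts in both applications can be matched on a normalised login.

```python
from collections import defaultdict

# Hypothetical permission labels mapped to abstract duties; replace with the
# permission names exported from your own Salesforce and NetSuite roles.
DUTY_MAP = {
    ("salesforce", "create_account"): "create_customer",
    ("salesforce", "create_order"): "book_order",
    ("salesforce", "edit_price_book"): "change_pricing",
    ("netsuite", "edit_customer"): "edit_customer_data",
    ("netsuite", "edit_ship_to"): "edit_shipping_address",
    ("netsuite", "edit_terms"): "edit_payment_terms",
    ("netsuite", "edit_item_price"): "change_pricing",
}

# One rule per question in the list above: duties one person should not combine.
RULES = [
    ("fictitious_customer", {"create_customer", "edit_customer_data"}),
    ("extended_payment_terms", {"create_customer", "book_order", "edit_payment_terms"}),
    ("diverted_shipment", {"create_customer", "edit_shipping_address"}),
    ("price_override", {"book_order", "change_pricing"}),
]

def find_conflicts(grants):
    """grants: iterable of (application, login, permission) tuples."""
    held = defaultdict(lambda: defaultdict(set))  # person -> duty -> apps
    for app, login, perm in grants:
        duty = DUTY_MAP.get((app, perm))
        if duty:
            # Correlate accounts across applications on a normalised login.
            held[login.strip().lower()][duty].add(app)
    findings = []
    for person in sorted(held):
        for rule, duties in RULES:
            if duties.issubset(held[person]):
                apps = sorted(set().union(*(held[person][d] for d in duties)))
                findings.append((person, rule, apps))
    return findings

# Constructed sample data, not taken from any real system.
SAMPLE_GRANTS = [
    ("salesforce", "Ana@example.com", "create_account"),
    ("netsuite", "ana@example.com", "edit_ship_to"),
    ("salesforce", "bob@example.com", "create_account"),
    ("salesforce", "bob@example.com", "create_order"),
    ("netsuite", "bob@example.com", "edit_terms"),
    ("salesforce", "carol@example.com", "create_order"),
    ("salesforce", "dave@example.com", "create_order"),
    ("netsuite", "dave@example.com", "edit_item_price"),
]
```

Each finding lists the applications that contribute to the conflict, so a combination that neither application would flag on its own shows up with both names.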

In times past, all you had to worry about was one or two applications. Now many applications have many integration points and represent greater risks to organizations.

Do you want better security, controls and assurance in your Oracle applications?

Seecuring provides everything from training through to full evaluation of your application controls. We can provide results and get you on the path to resolving any issues within a week!

If you need help further understanding the implications of this role and the other sensitive access it has, please reach out. We have reviewed the delivered roles, and many of them create segregation of duty and other risks to your processes.