
Netsuite Risks for Security and Configuration you should be monitoring.

Netsuite has some superb Configuration and Security features for a secure, compliant Environment. For one, it was one of the first ERP Systems to introduce two-factor authentication for Users who hold certain (often Powerful) Roles.

Netsuite also benefits from a more condensed access model that requires fewer 'Privileges' for Users to perform Tasks and Transactions compared to many of the other ERP Systems available.

In other Oracle Applications, for example, entering a Purchase Order may require a number of Privileges to be granted that open up the complete process; in Netsuite these processes are far simpler and often require just one Security Permission.

Netsuite is not without its inherent Risks, though. Just like other ERP Applications, any time Transactions cross lines of Business within one Application there is the Risk of Segregation of Duty and Sensitive Access issues. For example, being able to Create a Supplier and Pay that Supplier from one user login. Another could be the simple process of cashing/banking money and making payments (AR vs AP).

In addition, there are many Configuration Risks in Netsuite that should be monitored and secured. These Configurations should be segregated from the Transactions that they control. For example, you wouldn't want someone making payments who can also configure the payment process and risk diverting funds to themselves. Some mitigating controls come into effect where Workflow Approval is implemented, and if you are considering this for key Transactions, we highly recommend it.

Example Sensitive Access Risks:

  • Delete all Data. An obvious one, keep it secure from your Users!

  • Override Period Restrictions. When an Accounting Period is closed, it's closed. Only with this Permission can transactions be posted to a locked period until the end of the period month. This creates the Risk of falsifying the Period close, inflating Revenue and distorting Financial Reporting. Ideally, Accounting Periods should be opened and closed for accountability.

Example Segregation of Duty Risks:

  • Journal Entry Vs Journal Approval

  • Expense Reports Vs Expense Setups

The need for Effective Control

There are over 4,000 Permissions in Netsuite that can be assigned at Role and often User Level. Working through these to line them up with your Risk and Control Matrix is a time-consuming job, let alone maintaining them. In order to achieve a successful review of the Application it is important to group these Permissions together to form the Business Processes that you need to review. While Netsuite is a smaller Application than other ERP systems, there are functions that span across Permissions and may encompass customizations and/or Workflow approvals that need to be considered too.
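The approach described above (grouping individual Permissions into Business Processes, then checking each User's combined Role and User-level grants against Segregation of Duty pairs and Sensitive Access items) can be illustrated with a small script. This is an added example, not Seecuring's tooling and not a Netsuite API; the Role, User and Permission data is constructed, and apart from "Delete all Data" and "Override Period Restrictions" (named on this page) the Permission labels are assumed for illustration.

```python
"""Segregation of Duty and Sensitive Access check over a Netsuite-style
access model: Permissions are granted to Roles, Roles to Users, and some
Permissions are granted directly at User level.  All data is constructed."""
from collections import defaultdict

# Step 1: map individual Permissions to the Business Process they enable.
# Only the last two labels appear on the page; the rest are assumed names.
PROCESS_OF_PERMISSION = {
    "Vendors: Create": "Supplier Maintenance",
    "Vendors: Edit": "Supplier Maintenance",
    "Vendor Payments": "Pay Suppliers",
    "Bill Payments": "Pay Suppliers",
    "Customer Payments": "Cash Receipts",
    "Customer Deposits": "Cash Receipts",
    "Make Journal Entry": "Journal Entry",
    "Approve Journal Entry": "Journal Approval",
    "Expense Reports": "Expense Reports",
    "Expense Categories": "Expense Setup",
    "Delete all Data": "Delete all Data",
    "Override Period Restrictions": "Override Period Restrictions",
}

# Step 2: the Risk and Control Matrix, expressed at Process level so it
# survives Permission changes between releases.
SOD_RULES = [
    ("Supplier Maintenance", "Pay Suppliers"),   # create a supplier and pay it
    ("Cash Receipts", "Pay Suppliers"),          # AR vs AP
    ("Journal Entry", "Journal Approval"),       # page: Journal Entry vs Approval
    ("Expense Reports", "Expense Setup"),        # page: Expense Reports vs Setups
]
SENSITIVE_PROCESSES = {"Delete all Data", "Override Period Restrictions"}


def processes_for_user(user, role_permissions, user_roles, user_permissions=None):
    """Collapse a User's Roles plus any User-level grants into Processes.
    Returns {process: {permissions that grant it}} so a finding can be
    traced back to the Permission (and Role) that caused it."""
    perms = set()
    for role in user_roles.get(user, ()):
        perms.update(role_permissions.get(role, ()))
    if user_permissions:
        perms.update(user_permissions.get(user, ()))  # User-level grants count too
    procs = defaultdict(set)
    for perm in perms:
        proc = PROCESS_OF_PERMISSION.get(perm)
        if proc:
            procs[proc].add(perm)
    return procs


def find_sod_conflicts(procs):
    """Return the SoD rule pairs for which the User holds both sides."""
    return sorted((a, b) for a, b in SOD_RULES if a in procs and b in procs)


def find_sensitive_access(procs):
    """Return the Sensitive Access Processes the User holds."""
    return sorted(p for p in SENSITIVE_PROCESSES if p in procs)


def review(role_permissions, user_roles, user_permissions=None):
    """Run both checks for every User and return {user: {"sod": [...], "sensitive": [...]}}."""
    findings = {}
    for user in sorted(set(user_roles) | set(user_permissions or {})):
        procs = processes_for_user(user, role_permissions, user_roles, user_permissions)
        findings[user] = {
            "sod": find_sod_conflicts(procs),
            "sensitive": find_sensitive_access(procs),
        }
    return findings


# Constructed sample access data (not a real Netsuite export).
ROLE_PERMISSIONS = {
    "AP Clerk": {"Vendors: Create", "Bill Payments"},
    "Accountant": {"Make Journal Entry", "Expense Reports"},
    "Controller": {"Approve Journal Entry", "Override Period Restrictions"},
    "Cashier": {"Customer Payments"},
}
USER_ROLES = {
    "alice": {"AP Clerk"},
    "bob": {"Accountant", "Controller"},
    "carol": {"Cashier"},
}
USER_PERMISSIONS = {"carol": {"Vendor Payments"}}  # granted directly at User level

if __name__ == "__main__":
    for user, result in review(ROLE_PERMISSIONS, USER_ROLES, USER_PERMISSIONS).items():
        print(f"{user}: SoD conflicts={result['sod']} sensitive={result['sensitive']}")
```

Note that carol's conflict only appears because the User-level grant is folded in alongside her Role; a review that reads Roles only would miss it, which is why the page's point about Permissions being assigned "at Role and often User Level" matters.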

Effective Controls

If you are struggling to implement a program for effective Controls in your Netsuite Applications (and any others connected to it), Seecuring provides a subscription based service that combines Technology and Services to not only review the issues in your Applications, but help you get through remediation.

Our Reports and Recommendations are delivered by accomplished CPA/CISA and IIA Resources and provide the Data that works for both IT and Business Users unfamiliar with Netsuite technicalities.

We have pre-defined Rules that group Permissions together, which at least gives you a head start if you don't already have a set of Rules.

Our services include:

  • Segregation of Duties

  • Sensitive Access Risks

  • User Access Reviews

  • Configuration Changes

  • Patch Impact Analysis

We have been working with ERP/HCM Applications since the early 2000s, and work with leading CPAs, Audit staff and Application specialists to deliver a complete solution.

Before you invest in expensive Software, why not look at GRC as a Service? Faster delivery, lower cost, and more than just reports on your issues - we help Organizations achieve their goals for Internal Controls.

To discuss your requirements, you can schedule a call with us: