If dealing with an annual audit feels like inviting an unwanted relative to your Thanksgiving dinner, then these simple NetSuite practices will help you keep your auditors satisfied.
1) Segregation of Duties
It is not uncommon for consultants to assign Administrator roles to employees during the implementation and configuration of NetSuite ERP system. The Administrator access is a very powerful role which allows almost anything and everything within the NetSuite ERP system.
It is very important to remove Administrator access from users other than the system administrator such as the IT department and/or select few super users within the organization. Having a large number of Administrators in the system may raise the alarm to the auditor. Here are some NetSuite ERP system practices you should follow when it comes to segregation of duties:
- Assign Edit access rather than Full access to records. Edit access will allow a user to view, create and edit but not delete.
- Create separate roles and assign multiple roles to a user even if they have to perform conflicting functions within the system. For example, if the warehouse purchases and receives inventory, create a “Buyer” role with access to create and edit Purchase Orders and a “Warehouse” role with view access to Purchase Orders and edit access to Receive Orders and Item Receipts.
- Leverage NetSuite ERP system approval routing using standard configuration or advanced Suiteflow to manage and segregate record entry versus approval.
- Keep proper documentation of users and roles including why they need particular roles or permissions to perform their job duties.
- If several users within the organization require an Administrator type access, consider assigning them a Full User role or create a custom role which has access to every record type in the system.
2) Preventive Controls
Preventive controls are designed to avoid errors or irregular activities within the system. Native NetSuite ERP system has a number of preferences that can serve as preventive controls, but also allow for varying degree of customization that will keep your auditor satisfied. Here are some examples:
- Review and select the correct Accounting Preferences (i.e. should a user be allowed to post outside of the current period)
- Make important fields mandatory when possible when designing entry forms for users so they will not be forgotten
- Customize NetSuite ERP system to validate data quality using Suiteflow or Suitescripts such as returning a pop-up window or automating calculated fields.
3) Compensating Controls
Where preventive controls are not possible or feasible, compensating controls can be implemented to catch exceptions. Saved searches can be a powerful tool to trigger alerts when exceptions occur and configured to instantly send out notifications via email. In addition, email notifications can be scheduled to be sent periodically with a list of records matching a criteria for review purposes. Here are some examples:
- A saved search email notification being sent to the Accounting Manager when department is blank on a Journal Entry
- A saved search email notification being sent out at the end of the week summarizing a list of invoices created and approved
4) System Notes
NetSuite ERP system maintains system notes to track any changes made to a record, System Notes cannot be modified in any shape or form and can be pulled into a saved search for the auditors. System Notes keep track of the following:
- Date of the change
- User who made the change
- Role of the user who made the change
- Type of change
- Old and new value
In addition, NetSuite ERP system also has Transaction Audit Trail that can track the creation, modification and deletion of transaction records as well as Login Audit Trail that can track when users log into the system and what role they used. It is important to review system notes and audit trail regularly as part of internal controls.
5) Sandbox Account
A NetSuite sandbox is an test environment that can be purchased in which customization and system changes can be done without worrying about affecting your production account. Sandbox accounts can be refreshed the same configuration, data, and customization as your production account. Configuration in sandbox can be bundled and pushed to your production account. This will satisfy the common concerns from auditors regarding system changes. The following are examples of activities best executed first in sandbox:
- Testing customization elements before deployment
- Fixing issues with existing customization.
- Trying out third-party integration features.
- Training employees
As you see, NetSuite ERP system comes equipped with a lot of controls that administrators can leverage to keep the auditors satisfied. Some of these controls require additional NetSuite configuration and customization. Therefore, its best to engage a NetSuite partner to help design proper and adequate controls.
As a 100% NetSuite consultancy, at Trajectory we work with a number of clients who need help during and following their NetSuite ERP system implementations. We help with optimizations, system re-evaluations, new module additions and even re-implementations.