Auditing NetSuite
Jay Swaminathan
Re-use of text under Creative Commons Attribution - Created by Jay Swaminathan
Agenda
• NetSuite architecture
• Logical Access
• Change Management
• Other IT Operations
Introduction to NetSuite
• Cloud ERP
• Multi-tenant
• Includes the following products
  • NetSuite
  • One World
  • Open Air
  • Quick Arrow (PSA)
  • Suite Commerce
• SSAE16 Type II and ISAE 3402 & PCI compliance
Our training is focused only on NetSuite and OneWorld
Modules in NetSuite
• Procure to pay
• CRM
• Order to Cash
• Revenue recognition
• General Ledger
• Basic budgets
• Extensive reporting and dashboards
• E-Commerce
• Manufacturing and inventory
• Payroll
• Partner applications
• Highly customizable
Accounting ability
One World
• Multi book
• Multi Currency
• Multi subsidiaries
• Multiple calendars
Help
• Very powerful Help
• Help changes contextually based on the record you are in
• There is also a field_id level help
• Other support venues
  • Support Center – to review cases, balance, etc.
  • Suite Answers – has training videos, Knowledge base, Openair and QuickArrow
  • Usergroup.netsuite.com
  • Internet
NetSuite support access
• NetSuite login generally allows only access to your QA environment and not to your production, sandbox or preview environment.
Other key terms
• Sublists – contain references to other records – example Income account in an item record
• Creating a transaction from a record
• File attachment
• Inactive records
• Lists Vs Transactions
• Ability to create/edit records as you enter transactions
• Voiding, deleting or closing transactions
• Memorizing transactions
• Allow posting in locked period
• Inline Editing
• Export options – CSV, Excel and pdf
• Sending search and report results by email
Basic Navigation
1 – Global Search bar
2 – Name and role
3 – Navigation menu bar
4 – Recent records
Navigation Continued
Preferences
Around 20 languages supported
List View
Records
Preferences
• Example: Date format or currency format
• Can be set at
  • Individual user
  • Role
  • Subsidiary
  • Company
Accounting Preferences
User Access
Authentication options
• Native NetSuite
• OpenID Single Sign-on
• SAML Single Sign-on
• Token-based Authentication
Other security features
• IP based restrictions
Basic building blocks
• Users
• Roles
• Centers – Page layout
• Records
• Permissions
Access Structure
User
Role
Record Permissions
Global Permissions
Role
• Tied to a Center – more to decide on the menu structure
• Could be assigned to multiple subsidiaries
• Restrict at employee, department, class or location level
• Access level for each permission
  • View
  • Create
  • Edit
  • Full
• Administrator and Full Access roles
User Setup
• Assigned to a specific subsidiary
• Assigned roles or global permission
• History
• System information
Certain key permissions
• Allow Non G/L Changes
• Export Lists
• Invoice Approval
• Journal Approval
• Deleted Records
• Import CSV File
• Workflow
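One way to turn this list into a repeatable access review, as an added example that is not part of the original deck: the script reads a role/permission listing and reports, per user, the highest access level held for each key permission across all assigned roles. The CSV layout, column names and sample rows are constructed assumptions, and treating the Administrator and Full Access roles as holding every permission is a reporting choice made here.

```python
import csv
import io
from collections import defaultdict

# Permissions listed on the slide above.
KEY_PERMISSIONS = {
    "Allow Non G/L Changes", "Export Lists", "Invoice Approval",
    "Journal Approval", "Deleted Records", "Import CSV File", "Workflow",
}
POWERFUL_ROLES = {"Administrator", "Full Access"}
LEVEL_RANK = {"View": 1, "Create": 2, "Edit": 3, "Full": 4}

# Constructed sample export; the column names are assumptions.
SAMPLE_EXPORT = """user,role,permission,level
ap.clerk@example.com,AP Clerk,Bills,Edit
ap.clerk@example.com,AP Clerk,Export Lists,View
controller@example.com,Controller,Journal Approval,Full
controller@example.com,Controller,Import CSV File,Create
controller@example.com,Month End,Import CSV File,Full
it.admin@example.com,Administrator,,
"""

def review_key_permissions(export_text):
    """Return {user: {permission: (highest level, role granting it)}}."""
    findings = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(export_text)):
        user, role = row["user"].strip().lower(), row["role"].strip()
        perm, level = row["permission"].strip(), row["level"].strip()
        if role in POWERFUL_ROLES:
            # Assumption: these roles are reported as holding everything.
            findings[user]["<all permissions>"] = ("Full", role)
            continue
        if perm not in KEY_PERMISSIONS:
            continue
        if level not in LEVEL_RANK:
            raise ValueError(f"unknown access level {level!r} for {user}")
        held = findings[user].get(perm)
        if held is None or LEVEL_RANK[level] > LEVEL_RANK[held[0]]:
            findings[user][perm] = (level, role)
    return dict(findings)

if __name__ == "__main__":
    for user, perms in sorted(review_key_permissions(SAMPLE_EXPORT).items()):
        for perm, (level, role) in sorted(perms.items()):
            print(f"{user}: {perm} = {level} (via {role})")
```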
Security Setup
• Username is always an email id
• Email id can be changed by the users themselves – preferences field
• Default password policy (can be changed by the administrator)
  • Min – 10 characters
  • At least 3 of these four character types: uppercase letters, lowercase letters, numbers, non-alphanumeric ASCII characters
  • Not too easy to guess, such as common names, words, and strings like abcd123456
  • Significantly different from your most recent password
• Can be changed by the administrator at Setup>Company>Preferences>General Preferences
• Password Expiration can also be set there
• Lockout is 30 minutes after 6 consecutive incorrect login attempts
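The lockout rule above can be replayed over exported login history to see which accounts hit it, shown here as an added example that is not part of the original deck. The CSV columns, the `Success`/`Failure` status values and the sample rows are constructed assumptions, as is counting attempts made during the 30-minute window separately instead of toward a new streak.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 6                      # consecutive incorrect attempts
LOCKOUT_DURATION = timedelta(minutes=30)   # lockout length
# Constructed sample export; column names and status values are assumptions.
SAMPLE_LOGINS = """date,email,status
2024-03-01 09:00:00,clerk@example.com,Failure
2024-03-01 09:01:00,clerk@example.com,Failure
2024-03-01 09:02:00,clerk@example.com,Failure
2024-03-01 09:03:00,clerk@example.com,Failure
2024-03-01 09:04:00,clerk@example.com,Failure
2024-03-01 09:05:00,clerk@example.com,Failure
2024-03-01 09:10:00,clerk@example.com,Failure
2024-03-01 09:40:00,clerk@example.com,Success
2024-03-01 10:00:00,cfo@example.com,Failure
2024-03-01 10:01:00,cfo@example.com,Failure
2024-03-01 10:02:00,cfo@example.com,Failure
2024-03-01 10:03:00,cfo@example.com,Failure
2024-03-01 10:04:00,cfo@example.com,Failure
2024-03-01 10:05:00,cfo@example.com,Success
"""

def find_lockouts(export_text):
    """Return one event per lockout implied by the 6-failure / 30-minute rule."""
    streak = defaultdict(int)
    open_event, events = {}, []
    rows = sorted(csv.DictReader(io.StringIO(export_text)), key=lambda r: r["date"])
    for row in rows:
        when = datetime.strptime(row["date"], "%Y-%m-%d %H:%M:%S")
        user = row["email"].strip().lower()
        event = open_event.get(user)
        if event and when < event["locked_until"]:
            event["attempts_while_locked"] += 1   # assumption: tracked separately
            continue
        if row["status"].strip() != "Failure":
            streak[user] = 0                      # a good login resets the streak
            continue
        streak[user] += 1
        if streak[user] == LOCKOUT_THRESHOLD:
            event = {"user": user, "locked_at": when,
                     "locked_until": when + LOCKOUT_DURATION,
                     "attempts_while_locked": 0}
            events.append(event)
            open_event[user] = event
            streak[user] = 0
    return events
```

Calling `find_lockouts(SAMPLE_LOGINS)` reports the clerk account only; the second account stops at five failures before a successful login and never reaches the threshold.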
Security Questions
• Security Questions
  • Three Questions
  • Set up the initial time or within the first 5 times of login
• Roles exempted
  • Customer Center
  • Web Store Shopper
• Type of access exempted
  • Web Services
  • SuiteScript
  • SuiteAnalytics Connect
  • Inbound Single Sign-on
  • Open ID Single Sign-on
  • SAML sign-on
• Asked if you log in from a new browser
Form based restriction
• Customizable forms (say remove button/ fields)
• Role could be restricted only to specific forms
• Need to be cognizant as this is not the most robust access restriction
Workflow based restriction
• Can restrict access to specific actions/fields based on process state or user or role (Example when payment on hold, do not allow change to the $ field)
• May rely on the form, workflow, user, role, subsidiary or state of the record – Treat it as an automated control and test as this is completely configurable.
Reports to aid
Create new searches
• Leverage the following search types
  • Deleted records
  • Employee
  • Login Audit Trail
  • Role
  • System note (All actions by a user)
Change Management
Types of changes
• Data Changes
• Lists
• Reports and search changes
• Workflow changes
• Custom record/ field changes
• Form changes
• Script changes
• Integration changes
• Version changes
• New module implementation
Data Changes
• Who makes the change matters – if it is IT, then it should follow the ITGC process
• Verify using Audit Trail – Transaction – management – Audit Trail
• Leverage System notes functionality
Lists
• Standard or custom lists – more like meta data
• Can either be used for additional data capture or may have workflow/ script tied to it
Report and Search changes
• Searches can be underlying logic for scripts and workflows
• Easy to make changes and over-write existing report
• Careful to test that the right report is being used for IPE
• Rely on system information for changes to the report
• Report consists of
  • Columns
  • Filters
  • Sort
Workflow
• A GUI to make changes
• Very easy to modify
• How to identify changes
• Restricted access is the key
• Workflow states
Custom record and field changes
• Extensible nature of NetSuite – ability to build applications on top
• Different types of custom fields and records
  • Transaction
  • Lists
  • Entity
• Access should be restricted to administrators
Form changes
• Customizing forms is very powerful
• The new form generally becomes the preferred form, so be careful
• Giving the role access to all the forms defeats the purpose of restricting through forms
Script changes
• New Scripts are created
Script changes - Deployment
• A script needs to be deployed
Script changes – Impact identification
Integration changes
• Out of scope for this training
New Releases
• Typically two releases in a year
Version changes
• Typically once every six months
• Every customer has a test instance
• These could impact previous reports, customization, forms, scripts etc.
• Need to understand the release and impact
• If new features are going to be absorbed, an additional CM process needs to be deployed
New modules
• Extensible nature of NetSuite
• Additional modules, plug-ins and bundles
• Discussion on bundling as a migration tool
• NetSuite or other third party vendors
• Impact on
  • Existing modules
  • Existing process flow
  • Existing reports
  • Existing data
Reports to aid
• Standard Search
  • Analytics Audit Trail
  • System notes
  • Workflow
  • Workflow instance
  • Bundle Audit Trail
  • Scripted records
  • Script Execution logs
Compliance Add-ons
Fastpath
• Comprehensive Segregation of duties
• Works with other systems too
• Ability to manage conflicts, risks, compensatory controls
• Audit trail/ system notes (similar to Flodocs but only detective)
• Identity manager that incorporates preventive SOD
Flodocs
• Comprehensive change management tool
• Automated analysis of change management – example script relying on a search
• Listing of all changes
• Comparison of accounts
Reports and Searches
Reports
• Standard reports are provided by NetSuite
  • These cannot be modified and are generally a good source of truth
• Summary and detailed report
• Ability to drill down to the actual record
• Ability to customize reports by adding
  • Additional columns
  • Filters
  • Sorting
• Concept of Reporting component
• Providing access to user
Searches
• Much more powerful
• More complex
• Could end up with incorrect data
• Difficult to format
• Could be used for alerts, workflow, scripts.
• Very useful for audit purposes
Discussion on Automated Controls