
Page 1: IT general controls testing in NetSuite

Auditing NetSuite

Jay Swaminathan

Re-use of text under Creative Commons Attribution - Created by Jay Swaminathan

Page 2: IT general controls testing in NetSuite

Agenda

• NetSuite architecture

• Logical Access

• Change Management

• Other IT Operations


Page 3: IT general controls testing in NetSuite

Introduction to NetSuite

• Cloud ERP

• Multi-tenant

• Includes the following products
  • NetSuite
  • One World
  • Open Air
  • Quick Arrow (PSA)
  • Suite Commerce

• SSAE16 Type II and ISAE 3402 & PCI compliance

Our training is focused only on NetSuite and OneWorld


Page 4: IT general controls testing in NetSuite

Modules in NetSuite

• Procure to pay

• CRM

• Order to Cash

• Revenue recognition

• General Ledger

• Basic budgets

• Extensive reporting and dashboards

• E-Commerce

• Manufacturing and inventory

• Payroll

• Partner applications

• Highly customizable


Page 5: IT general controls testing in NetSuite

Accounting ability

One World

• Multi book

• Multi Currency

• Multi subsidiaries

• Multiple calendars


Page 6: IT general controls testing in NetSuite

Help

• Very powerful Help

• Help changes contextually based on the record you are in

• There is also a field_id level help

• Other support venues
  • Support Center – to review cases, balance, etc.
  • Suite Answers – has training videos, Knowledge Base, OpenAir and QuickArrow
  • Usergroup.netsuite.com
  • Internet


Page 7: IT general controls testing in NetSuite

NetSuite support access

• A NetSuite support login generally allows access only to your QA environment, not to your production, sandbox or preview environment.


Page 8: IT general controls testing in NetSuite

Other key terms

• Sublists – contain references to other records (for example, the Income account in an item record)

• Creating a transaction from a record

• File attachment

• Inactive records

• Lists Vs Transactions

• Ability to create/edit records as you enter transactions

• Voiding, deleting or closing transactions

• Memorizing transactions

• Allow posting in locked period


Page 9: IT general controls testing in NetSuite

Other key terms

• Inline Editing

• Export options – CSV, Excel and pdf

• Sending search and report results by email


Page 10: IT general controls testing in NetSuite

Basic Navigation


Page 11: IT general controls testing in NetSuite

[Screenshot of the NetSuite home page with numbered callouts]

1 – Global Search bar
2 – Name and role
3 – Navigation menu bar
4 – Recent records


Page 12: IT general controls testing in NetSuite

Navigation Continued


Page 13: IT general controls testing in NetSuite

Preferences


Page 14: IT general controls testing in NetSuite

Preferences

• Around 20 languages supported


Page 15: IT general controls testing in NetSuite

List View


Page 16: IT general controls testing in NetSuite

Records


Page 17: IT general controls testing in NetSuite

Preferences

• Example: Date format or currency format

• Can be set at
  • Individual user
  • Role
  • Subsidiary
  • Company


Page 18: IT general controls testing in NetSuite

Accounting Preferences


Page 19: IT general controls testing in NetSuite

User Access


Page 20: IT general controls testing in NetSuite

Authentication options

• Native NetSuite

• OpenID Single Sign-on

• SAML Single Sign-on

• Token-based Authentication


Page 21: IT general controls testing in NetSuite

Other security features

• IP-based restrictions (allowed address ranges per company or role)


Page 22: IT general controls testing in NetSuite

Basic building blocks

• Users

• Roles

• Centers – Page layout

• Records

• Permissions


Page 23: IT general controls testing in NetSuite

Access Structure

User

Role

Record Permissions

Global Permissions


Page 24: IT general controls testing in NetSuite

Role


Page 25: IT general controls testing in NetSuite

Role


Page 26: IT general controls testing in NetSuite

Role

• Tied to a Center – mainly determines the menu structure

• Can be assigned to multiple subsidiaries

• Restrict at employee, department, class or location level

• Access level for each permission
  • View
  • Create
  • Edit
  • Full

• Administrator and Full Access roles


Page 27: IT general controls testing in NetSuite

User Setup

• Assigned to a specific subsidiary

• Assigned roles or global permissions

• History

• System information


Page 28: IT general controls testing in NetSuite

User Setup


Page 29: IT general controls testing in NetSuite

Certain key permissions

• Allow Non G/L Changes

• Export Lists

• Invoice Approval

• Journal Approval

• Deleted Records

• Import CSV File

• Workflow


Page 30: IT general controls testing in NetSuite

Security Setup

• Username is always an email id

• The email id can be changed by the user themselves (preferences field)

• Default password policy (can be changed by the administrator)
  • Minimum 10 characters
  • At least 3 of these four character types – uppercase letters, lowercase letters, numbers, non-alphanumeric ASCII characters
  • Not too easy to guess, such as common names, words, and strings like abcd123456
  • Significantly different from your most recent password

• Can be changed by the administrator at Setup > Company > Preferences > General Preferences

• Password expiration can also be set there

• Lockout is 30 minutes after 6 consecutive incorrect login attempts
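The default policy above, as an added checker (example code, not NetSuite's own) that an auditor can run over sample passwords to see which stated rules they break; the weak-string list and the 0.7 similarity threshold used to model "significantly different" are assumptions:

```python
import re
from difflib import SequenceMatcher

# Default NetSuite password policy as stated on the slide (the administrator can change these).
MIN_LENGTH = 10
MIN_CHARACTER_TYPES = 3
# Constructed list of "too easy to guess" strings; the slide gives abcd123456 as its example.
WEAK_STRINGS = ("abcd123456", "password", "netsuite", "qwerty", "12345678")
# Assumption: "significantly different" is modelled as a difflib similarity ratio of at most 0.7.
MAX_SIMILARITY_TO_PREVIOUS = 0.7

CHARACTER_TYPES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    # printable, non-alphanumeric ASCII
    "symbol": re.compile(r"[\x21-\x2f\x3a-\x40\x5b-\x60\x7b-\x7e]"),
}


def check_password(candidate: str, previous: str = "") -> list:
    """Return the policy rules the candidate violates (an empty list means compliant)."""
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    types_present = [name for name, rx in CHARACTER_TYPES.items() if rx.search(candidate)]
    if len(types_present) < MIN_CHARACTER_TYPES:
        violations.append(f"only {len(types_present)} of 4 character types (need {MIN_CHARACTER_TYPES})")
    lowered = candidate.lower()
    if any(weak in lowered for weak in WEAK_STRINGS):
        violations.append("contains an easy-to-guess string")
    if previous:
        ratio = SequenceMatcher(None, lowered, previous.lower()).ratio()
        if ratio > MAX_SIMILARITY_TO_PREVIOUS:
            violations.append(f"too similar to the previous password (ratio {ratio:.2f})")
    return violations
```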


Page 31: IT general controls testing in NetSuite

Security Questions

• Security Questions
  • Three questions
  • Set up at the initial login or within the first 5 logins

• Roles exempted
  • Customer Center
  • Web Store Shopper

• Types of access exempted
  • Web Services
  • SuiteScript
  • SuiteAnalytics Connect
  • Inbound Single Sign-on
  • OpenID Single Sign-on
  • SAML Single Sign-on

• Asked if you log in from a new browser


Page 32: IT general controls testing in NetSuite

Form based restriction

• Customizable forms (for example, removing a button or field)

• A role can be restricted to specific forms only

• Be aware that this is not the most robust access restriction


Page 33: IT general controls testing in NetSuite

Workflow based restriction

• Can restrict access to specific actions/fields based on process state, user or role (for example, when a payment is on hold, do not allow changes to the $ field)

• May rely on the form, workflow, user, role, subsidiary or state of the record – treat it as an automated control and test it as such, because it is completely configurable.


Page 34: IT general controls testing in NetSuite

Reports to aid


Page 35: IT general controls testing in NetSuite

Create new searches

• Leverage the following search types
  • Deleted records
  • Employee
  • Login Audit Trail
  • Role
  • System notes (all actions by a user)
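A detection pass over a Login Audit Trail export, added here as example code (not NetSuite's own) to show what the searches above give an auditor: it flags users who hit the 6-failure lockout threshold from the Security Setup slide, successful logins from outside an allowed IP range, and logins with the Administrator or Full Access role. The CSV column names, the 10.20.0.0/16 corporate range and the sample rows are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in the shape of a Login Audit Trail saved-search CSV export
# (column names are an assumption, not a guaranteed NetSuite export layout).
SAMPLE_EXPORT = """\
Date,User,Role,Status,IP Address
2024-03-04 08:01:12,alice@example.com,Accountant,Success,10.20.0.15
2024-03-04 08:05:40,bob@example.com,A/P Clerk,Failure,10.20.0.22
2024-03-04 08:05:52,bob@example.com,A/P Clerk,Failure,10.20.0.22
2024-03-04 08:06:03,bob@example.com,A/P Clerk,Failure,10.20.0.22
2024-03-04 08:06:15,bob@example.com,A/P Clerk,Failure,10.20.0.22
2024-03-04 08:06:30,bob@example.com,A/P Clerk,Failure,10.20.0.22
2024-03-04 08:06:44,bob@example.com,A/P Clerk,Failure,10.20.0.22
2024-03-04 09:15:09,carol@example.com,Administrator,Success,203.0.113.7
2024-03-04 09:30:00,alice@example.com,Accountant,Success,10.20.0.15
"""

LOCKOUT_THRESHOLD = 6  # slide: lockout after 6 consecutive incorrect attempts
ALLOWED_NETWORKS = [ip_network("10.20.0.0/16")]  # assumed corporate range for IP-based restriction
PRIVILEGED_ROLES = {"Administrator", "Full Access"}


def review_login_audit_trail(csv_text: str) -> dict:
    """Return findings keyed by rule name; each value is a list of (date, user, detail) tuples."""
    findings = {"lockout_reached": [], "outside_allowed_ip": [], "privileged_login": []}
    failure_streak = defaultdict(int)  # consecutive failures per user, reset by a success
    for row in csv.DictReader(io.StringIO(csv_text)):
        user, when = row["User"], row["Date"]
        if row["Status"] == "Failure":
            failure_streak[user] += 1
            if failure_streak[user] == LOCKOUT_THRESHOLD:
                findings["lockout_reached"].append((when, user, f"{LOCKOUT_THRESHOLD} consecutive failures"))
            continue
        failure_streak[user] = 0
        src = ip_address(row["IP Address"])
        if not any(src in net for net in ALLOWED_NETWORKS):
            findings["outside_allowed_ip"].append((when, user, str(src)))
        if row["Role"] in PRIVILEGED_ROLES:
            findings["privileged_login"].append((when, user, row["Role"]))
    return findings
```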


Page 36: IT general controls testing in NetSuite

Change Management


Page 37: IT general controls testing in NetSuite

Types of changes

• Data changes
• Lists
• Reports and search changes
• Workflow changes
• Custom record/field changes
• Form changes
• Script changes
• Integration changes
• Version changes
• New module implementation


Page 38: IT general controls testing in NetSuite

Data Changes

• Who makes the change matters – if it is IT, then it should follow the ITGC process

• Verify using the Audit Trail (Transactions > Management > Audit Trail)

• Leverage the System Notes functionality


Page 39: IT general controls testing in NetSuite

Lists

• Standard or custom lists – more like metadata

• Can either be used for additional data capture or may have a workflow/script tied to them


Page 40: IT general controls testing in NetSuite

Report and Search changes

• Searches can be the underlying logic for scripts and workflows

• Easy to make changes and overwrite an existing report

• Be careful to test that the right report is being used for IPE (information produced by the entity)

• Rely on system information for changes to the report

• A report consists of
  • Columns
  • Filters
  • Sort


Page 41: IT general controls testing in NetSuite

Workflow

• A GUI to make changes

• Very easy to modify

• How to identify changes

• Restricted access is the key

• Workflow states


Page 42: IT general controls testing in NetSuite

Workflow


Page 43: IT general controls testing in NetSuite

Workflow


Page 44: IT general controls testing in NetSuite

Custom record and field changes

• Extensible nature of NetSuite – ability to build applications on top

• Different types of custom fields and records
  • Transaction
  • Lists
  • Entity

• Access should be restricted to administrators


Page 45: IT general controls testing in NetSuite

Form changes

• Customizing forms is very powerful

• The new form generally becomes the preferred form, so be careful

• Giving a role access to all forms defeats the purpose of restricting through forms


Page 46: IT general controls testing in NetSuite

Form Changes


Page 47: IT general controls testing in NetSuite

Script changes

• New Scripts are created


Page 48: IT general controls testing in NetSuite

Script changes - Deployment

• A script needs to be deployed before it runs


Page 49: IT general controls testing in NetSuite

Script changes – Impact identification


Page 50: IT general controls testing in NetSuite

Integration changes

• Out of scope for this training


Page 51: IT general controls testing in NetSuite

New Releases

• Typically two releases a year


Page 52: IT general controls testing in NetSuite

Version changes

• Typically once every six months

• Every customer has a test instance

• These could impact previous reports, customizations, forms, scripts etc.

• Need to understand the release and its impact

• If new features are going to be adopted, an additional change management process needs to be deployed


Page 53: IT general controls testing in NetSuite

New modules

• Extensible nature of NetSuite

• Additional modules, plug-ins and bundles

• Discussion on bundling as a migration tool

• NetSuite or other third-party vendors

• Impact on
  • Existing modules
  • Existing process flow
  • Existing reports
  • Existing data


Page 54: IT general controls testing in NetSuite

Reports to aid

• Standard searches
  • Analytics Audit Trail
  • System notes
  • Workflow
  • Workflow instance
  • Bundle Audit Trail
  • Scripted records
  • Script Execution logs


Page 55: IT general controls testing in NetSuite

Compliance Add-ons


Page 56: IT general controls testing in NetSuite

Fastpath

• Comprehensive segregation of duties
  • Works with other systems too

• Ability to manage conflicts, risks and compensating controls

• Audit trail/system notes (similar to Flodocs, but detective only)

• Identity manager that incorporates preventive SOD


Page 57: IT general controls testing in NetSuite

Flodocs

• Comprehensive change management tool

• Automated impact analysis of changes – for example, a script that relies on a search

• Listing of all changes

• Comparison of accounts


Page 58: IT general controls testing in NetSuite

Reports and Searches


Page 59: IT general controls testing in NetSuite

Reports

• Standard reports are provided by NetSuite
  • These cannot be modified and are generally a good source of truth

• Summary and detailed reports

• Ability to drill down to the actual record

• Ability to customize reports by adding
  • Additional columns
  • Filters
  • Sorting

• Concept of a reporting component

• Providing access to users


Page 60: IT general controls testing in NetSuite

Searches

• Much more powerful

• More complex

• Could end up with incorrect data

• Difficult to format

• Can be used for alerts, workflows and scripts

• Very useful for audit purposes


Page 61: IT general controls testing in NetSuite

Discussion on Automated Controls
