NETSUITE CONTROL CONSIDERATIONS FOR FINANCIAL REPORTING

TABLE OF CONTENTS

1. NetSuite Third Party Reports
2. Customer Control Considerations
3. IT General Controls That Affect Financial Reporting
4. IT Application Controls over Financial Reporting
5. NetSuite Audit Enablement
Conclusion
NETSUITE CONTROL CONSIDERATIONS FOR FINANCIAL REPORTING

Retail Anywhere (NS POS) is a multi-channel retail management solution designed to improve the retail customer experience. Retail Anywhere technology gives retailers the ability to meet increasing customer demand for a system that can unify the online and in-store retail experience to better serve cross-channel shoppers, built on NetSuite SuiteCommerce and the core NetSuite ERP/financials and CRM solution.

OrderMotion provides a comprehensive order management solution for a wide range of businesses including B2B, B2C, retail, wholesale distribution and manufacturing. OrderMotion's technology helps companies that ship products directly to consumers, which has become more complex of late thanks to ship-to-store programs, where a customer orders a product online and heads to a retail location to pick it up.

NetSuite TribeHR is the first social human resources management software, enabling customers to manage the entire employee lifecycle through a powerful Recruiting, core Human Resource Information Systems (HRIS), advanced Talent Management and social Applicant Tracking System (ATS).

Venda is one of the world's leading innovators and providers of digital commerce solutions, leveraged by manufacturers and retailers to deliver a consistent brand experience across online, mobile, and in-store channels.

NetSuite WMS is a combination of advanced technology and operating best practices that optimize all functions and resources inside a warehouse or a distribution center: inventory, space, equipment, and labor. This is an optional module available for customers who require a warehouse management system.
NETSUITE THIRD PARTY REPORTS

To assist its customers, and potential customers, NetSuite issues several independent, third-party, audited reports that describe the design and operating effectiveness of customer-impacting controls in place within NetSuite. Where such reports are not available, or where disclosure of the information in such reports would present a potential security conflict in the release of the information, NetSuite endeavors to issue certificates, attestations of compliance, and/or point customers to our registration of compliance on government and industry authority websites and registration lists. These reports and certificates are available by request to all customers, and will typically include:

- A well-defined scope, including what applications and/or modules are included or not included in the report.
- For in-scope systems, controls that cover the system development life cycle (SDLC)/change management, logical access and security, data back-ups and restoration, system availability and uptime, and customer data access controls.

The NetSuite application provides default audit trails across a wide range of ICFR-relevant financial and configuration management records in NetSuite. These default audit trails may further be augmented by custom controls, such as saved searches and reports, email alerts, workflows and scripts. However, because these custom augmented audit controls are highly configurable and dependent on data input, which is directly and solely within the customer's control, they are not covered by the reports. These include master data management and transaction history, user access administration (for each customer's NetSuite instance), and IT Application Controls (including scripts and workflows), which are customized by the customer.

NetSuite serves thousands of customers with different reporting requirements. As such, it endeavors to cover these differing needs by issuing the most relevant and trusted third party audit reports and certifications. Currently, NetSuite's publicly available reports/certifications include, but are not limited to:
The scope of the SOC 1 is especially important to understand. This is a highly customizable report. Companies have control over what control objectives are covered, aside from specifying the applications that are in scope. A SOC 1 report may completely disregard the control objectives surrounding change management (how application changes and new features are developed, tested, and released). Or a company can choose to cover only how change management is authorized, but leave out how it is tested or released. Even with everything included, having sound IT General Controls would still require properly designed internal controls over business processes. A clean, unqualified SOC 1 report simply means that customers may rely on the in-scope controls, which usually results in a decrease in the level of substantive or IT application controls testing that will be performed by users' auditors to provide reasonable assurance over the user entities' financial statements. However, this will not eliminate said testing.

It is important to understand that even with a cloud provider, there will always remain elements of internal control that are within the responsibility of the customer. It is the customer's business, and ultimately their responsibility to properly mitigate their risks. A retail store will have a very different business model and business risk from a security firm. However, both can be using NetSuite. Although there are controls that would come from NetSuite, each of these businesses would need to design their own controls in order to fully address their business risk. The retail store may need additional controls over their inventory, or the security firm may need greater controls around their data. The specifics are highly dependent on the business risk and how each firm decides to use the NetSuite Service.
CUSTOMER CONTROL RESPONSIBILITIES

This whitepaper is intended to provide guidance on the division of responsibility between NetSuite and customers, on available financial reporting controls within the NetSuite application, and how users can take advantage of these to strengthen their own internal controls.

To achieve effective internal controls, NetSuite recommends customers implement a combination of both automated and manual controls that both prevent and detect misstatements or misappropriation of assets. The level and types of controls depend on the business risks that are being addressed. It is also important to determine the costs and benefits when establishing controls by asking questions. Does a control truly address a particular risk? What impact do controls have on business operations? Are the errors or misstatements that the control environment is trying to prevent or detect worth the additional resources or effort required? Questions like these need to be taken into consideration to determine the overall effectiveness and efficiency of controls.

There are five critical areas that should be taken into consideration when reviewing a company's responsibilities for establishing good IT General Controls (ITGC) for NetSuite applications.

1. Change Management & Source Code Customization. Just as NetSuite has controls around how source code is designed, developed, tested, deployed, and verified, each customer must develop similar code change management controls around its NetSuite customizations. Lack of controls on custom code creates risks of fraud, performance issues, and security lapses.

Having procedures and tools in place to control access to source code, document customization requests, record changes and testing of those changes, along with recording deployment of code, is essential in providing effective controls to ensure changes are not made and deployed to the NetSuite environment without proper approval and SOD. This is particularly important when scripts and
IT GENERAL CONTROLS THAT AFFECT FINANCIAL REPORTING

2. Logical Access, Network and Database Security. These are controls that provide reasonable assurance that logical access to data, IT resources, applications, system data, and networks/network devices is restricted to properly authorized individuals, and that security violations are identified, followed up, and resolved on a timely basis.

As a cloud-based system, NetSuite houses all customer data in a customer-specific instance of NetSuite. As such, it is within NetSuite's purview and control to ensure that the application properly secures access, and that any security issues that are encountered are properly managed. It is important for customers to take this into consideration when assessing their risks since they have to rely on NetSuite to keep data safe.

However, user security and access levels are the responsibility of the customer. Therefore, it is important for customers to implement their own controls which provide appropriate user access, protect important

3. Data back-up and restoration. These are controls that provide reasonable assurance that system and application data is backed up on a timely basis and appropriately stored in a secured facility. Since this area is primarily within NetSuite's control, it will not be discussed in detail in this whitepaper.

This whitepaper focuses on the SDLC/Change Management, Logical Access, and relevant IT Application Controls since these controls are managed by the customer. Choices made by organizations in these areas have significant impact on internal controls. Other areas, like backup and restore, may require review, but not the same level of participation. For the other control objectives noted in the prior section, it is important to note what customers need to consider for these areas, and refer to the relevant reports for more details.

System Development Life Cycle (SDLC)

Compliance and risk-focused companies will place significant importance on the design of controls in their system development
Logical Security

Perhaps the most visible control point in NetSuite is logical security. Logical security, also referred to as application security, is designed to ensure that users can only perform actions relevant to their organizational function. There are two overriding considerations for logical security. First, security needs to be balanced against user productivity, as application security becomes a negative if it prevents users from doing their jobs. Second, users should be set up using the principle of least privilege. Following least privilege, users are not

Exceptions

As with any process, exceptions may occur, and when they do the process needs to document how to handle these exceptions and capture appropriate evidence. For example, in response to a high severity production issue, a developer may be required to go directly into the production environment to quickly correct the problem. That change would then be worked backwards into the other environments, like test and development. In this example, that emergency change would be documented
IT APPLICATION CONTROLS OVER FINANCIAL REPORTING

NETSUITE AUDIT ENABLEMENT
The NetSuite application has many features that enable user entities to build and manage proper internal controls over their financial reporting. The use of NetSuite as a financial system provides the opportunity for financial process controls to exist in a single system for the organization and then extend that functionality with either custom developed applications, or with partner applications offered on SuiteApp.com.

There are several customizations that can be done to help ensure that financial transactions are reasonably free from misstatements due to errors. These include, but are not limited to:

1. Workflows to establish dual authorization to address SOD issues. Workflows provide additional segregation of duties controls beyond logical security. For example, workflows can provide approval limits and prevent users from approving their own transactions. Workflows are designed and built in NetSuite by organizations to meet that company's specific needs.

2. Scripting. Scripts are another way to establish controls that do not come out of the box within NetSuite. For example: invoices are required to be reviewed and approved by the person who created the PO and who is the business owner for the expense. This enables the AP team to determine whether the invoices from the vendors are appropriate, and to ensure that they are matched against the proper invoice. Currently, this is done through scripting. When the AP team creates an invoice against a vendor and the PO, a script could be used to generate an email which is sent to the business owner requesting approval of the invoice for payment. Scripting could also be used to capture the business owner's approval directly from email.

3. Saved Searches on Audit Trail to monitor specific transactions. For most financial transactions that happen in NetSuite, an audit trail is established that can be tracked and monitored, and is searchable. Changes to roles, customizations released into the system, transactions created, etc., can all be tracked in the system, with some limitations.
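The three customizations above (dual-authorization workflow rules, the script-driven PO-owner approval, and a saved search over the audit trail) can be read as two pieces of control logic: a check that runs before an approval is accepted, and a monitor that runs over what the system recorded afterwards. The following is an added example written for this page, not NetSuite's code and not SuiteScript; it is plain Node.js that models the logic so it can be run offline. The approval-limit table, the user and role names, and the field names of the audit-trail entries are constructed assumptions and do not correspond to NetSuite's actual record or system-note schema.

```javascript
'use strict';

// Constructed approval-limit table (an assumption, not NetSuite's defaults):
// role -> maximum vendor bill amount that role may approve.
const APPROVAL_LIMITS = {
  'AP Clerk': 0,
  'Department Manager': 10000,
  'Controller': 250000,
};

// Dual-authorization check for a vendor bill, the logic an approval workflow
// enforces: the approver may not be the creator (segregation of duties), must
// be the business owner of the underlying PO, and must hold an approval limit
// that covers the amount. Returns every failed condition, not just the first,
// so a reviewer sees the full picture for one request.
function checkApproval(bill, approver) {
  const findings = [];
  if (approver.id === bill.createdBy) {
    findings.push('self-approval: approver created the bill');
  }
  if (approver.id !== bill.poOwner) {
    findings.push('approver is not the PO business owner');
  }
  const limit = APPROVAL_LIMITS[approver.role] ?? 0; // unknown role -> no authority
  if (bill.amount > limit) {
    findings.push(`amount ${bill.amount} exceeds ${approver.role} limit ${limit}`);
  }
  return { billId: bill.id, approved: findings.length === 0, findings };
}

// Constructed audit-trail entries shaped like system notes (field names are
// assumptions). Each entry records who changed which field on which record.
const SAMPLE_AUDIT_TRAIL = [
  { ts: '2024-03-01T09:12:00Z', user: 'u.admin', recordType: 'Employee', recordId: 'E-17',
    field: 'Role', oldValue: 'AP Clerk', newValue: 'Administrator' },
  { ts: '2024-03-01T10:05:00Z', user: 'u.dev', recordType: 'Script Deployment',
    recordId: 'customdeploy_bill_approval', field: 'Status', oldValue: 'Testing', newValue: 'Released' },
  { ts: '2024-03-01T11:40:00Z', user: 'u.clerk', recordType: 'Vendor Bill', recordId: 'VB-1002',
    field: 'Approval Status', oldValue: 'Pending Approval', newValue: 'Approved', recordCreatedBy: 'u.clerk' },
  { ts: '2024-03-01T12:15:00Z', user: 'u.mgr', recordType: 'Vendor Bill', recordId: 'VB-1003',
    field: 'Approval Status', oldValue: 'Pending Approval', newValue: 'Approved', recordCreatedBy: 'u.clerk' },
  { ts: '2024-03-01T13:00:00Z', user: 'u.clerk', recordType: 'Vendor Bill', recordId: 'VB-1004',
    field: 'Memo', oldValue: '', newValue: 'March rent' },
];

// Audit-trail monitor: the "saved search on audit trail" idea expressed as
// code. It scans the entries and returns the ones a control owner should
// review: role changes, customizations released into the system, and
// approvals applied by the same user who created the record.
function reviewAuditTrail(entries) {
  const flagged = [];
  for (const e of entries) {
    if (e.recordType === 'Employee' && e.field === 'Role') {
      flagged.push({ ...e, reason: 'role change' });
    } else if (e.recordType === 'Script Deployment' && e.newValue === 'Released') {
      flagged.push({ ...e, reason: 'customization released to production' });
    } else if (e.field === 'Approval Status' && e.newValue === 'Approved' && e.user === e.recordCreatedBy) {
      flagged.push({ ...e, reason: 'record approved by its creator' });
    }
  }
  return flagged;
}

// Stand-alone run over the constructed data.
function demo() {
  const bill = { id: 'VB-1001', createdBy: 'u.clerk', poOwner: 'u.mgr', amount: 4200 };
  console.log(checkApproval(bill, { id: 'u.mgr', role: 'Department Manager' }));
  console.log(checkApproval(bill, { id: 'u.clerk', role: 'AP Clerk' }));
  for (const f of reviewAuditTrail(SAMPLE_AUDIT_TRAIL)) {
    console.log(`${f.ts} ${f.user} ${f.recordType} ${f.recordId}: ${f.reason}`);
  }
}
demo();
```

In the sample data the manager's approval of a bill created by a clerk passes cleanly, while the clerk attempting to approve their own bill produces both a self-approval finding and a limit finding. The monitor flags three of the five audit entries: the role elevation, the script deployment release, and the bill approved by its own creator; the properly segregated approval and the memo edit are left alone. In NetSuite the equivalent of `checkApproval` lives in workflow conditions or a user event script, and the equivalent of `reviewAuditTrail` is a saved search with a schedule and an email alert, so the value of a model like this is in agreeing the rules with the control owner before they are configured.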
CONCLUSION

A system of good internal controls is necessary in any organization to minimize errors, misstatements and fraud. Public companies in particular are required to establish effective IT general control frameworks to comply with regulatory requirements such as the Sarbanes-Oxley Act (SOX), regardless of whether cloud-based business management software is being utilized. As a cloud-based solution, the infrastructure portion of a company's control framework is managed by NetSuite. NetSuite provides a host of options for customers to develop, maintain, and monitor their portion of the control framework from within the NetSuite system. Third party applications are also available that provide additional tools for control environment management. A cloud-based environment doesn't remove the responsibility for good controls; instead it shares the burden to allow firms to focus on their portion of the control framework.

Des Moines, Iowa, Fastpath delivers easy-to-use business solutions that offer customers a rapid return-on-investment. Fastpath applications include Assure, Audit Trail and Config AD and are sold directly and via authorized resellers around the world. For more information, visit www.gofastpath.com.

About Protiviti Inc.

Protiviti is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000 and 35 percent of Fortune Global 500 companies. Protiviti and its independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies.