Business public listing protocols compliance with NetSuite
Many NetSuite customers are publicly traded in the US or gearing up towards a public listing and as such will be governed by the reporting requirement outlined by the Sarbanes–Oxley Act (SOX).
Whilst NetSuite can issue independently audited SOC 1 Type 2 reports (which cover general IT controls within NetSuite and outside of customers control) auditors often need to understand internal controls, processes, and change management that a company is also responsible for.
SOX requires a company's financial data to be accurate (a small variance is permitted) and that appropriate and adequate controls within a company’s ERP are in place to ensure that the data is secure.
Ensuring that your internal process and customer specific controls are compliant can be a daunting task which requires collaboration across Finance, IT and Compliance departments. Identifying areas which need improvement is the first step, but implementing the required changes pre and post listing requires specialist NetSuite consulting expertise which is where we come in.
Our team at 3RP, has extensive experience in supporting businesses in advance of and after listing to ensure they are compliant through the implementation of identified change requests.
Often the areas which require focus can split into two groups, internal controls and change management and monitoring:
The phrase ‘Internal controls’ is an umbrella term which encompasses various aspects of the system, it is a collection of mechanisms, rules, and procedures implemented by a company to ensure the integrity of financial and accounting information, promote accountability, and prevent fraud.
Within ‘internal controls’ there are several areas which each need to be reviewed to ensure compliance.
Roles and Permissions
NetSuite is a role-based system, what a user can view, create, edit, and delete is based predominantly on the role which they have been assigned. Each role has a set of permissions which fundamentally dictates what they can and cannot do within the system.
Whilst NetSuite ERP offers adaptable bespoke solutions, often businesses create custom roles. Without oversight an increase in the number of custom roles used within the system can easily become a maintenance issue and importantly, a conflict of duties and responsibilities within a single role may be overlooked.
Through an analysis of team structures and the responsibilities of each user with access to NetSuite, a review of the existing roles within NetSuite can be undertaken to identify the potential conflict of duties, or access to areas or data within the system which are not compliant with SOX.
This analysis can be used to produce a document detailing each of the roles required within the system and importantly the permissions which underpin their functionality, enforcing segregation of duties, eliminating any conflict of duties.
Data Entry and Approval Mechanisms
By identifying the responsibilities of each user, creating, and then assigning compliant roles companies can be comforted that the data entered into the system is done so by the relevant people.
However, creating systematically enforced approval mechanisms which tie to the requirements of your company is often an unexplored step.
NetSuite is a powerful tool which can be adapted through the use of Suiteflows or SuiteScripts to enforce control and checks on both transactional and master data being entered into the system. Identifying who entered data, who approved the entry and when that approval occurred.
In addition, these tools can be used to enforce rules which prevent people from approving their own data entries, amending transactions following approval and ensuring specific approval hierarchies are followed.
A selection of the type of data which can have approval mechanisms created within NetSuite can be found below:
- Journal Entries
- Procure to Pay Transactions:
- Purchase Orders
- Supplier Invoices
- Supplier Return Authorisations
- Supplier Payments
- Payment Administration Files
- Order to Cash Transactions:
- Sales Orders
- Sales Invoices
- Return Authorisations
- GL Accounts
- Custom Segments
- Supplier Bank Details
3RP has demonstrable experience in adding the necessary controls to each of the data records above, creating a control framework which not only meets audit requirements but also your companies' unique demands.
Change Management and Monitoring
Best practice surrounding change management should be introduced, creating a framework which can determine if a change request is appropriate and compliant.
Like approval mechanisms on data entered into the system, an approval process on changes to the system can also be implemented through NetSuite or external tools.
Processes and the system can be setup to ensure that all controls are documented, easily shared and explained to an auditor as and when required. Moving forward any customisations which are approved should be documented clearly and stored appropriately to share when required in the future.
In addition to supporting your audit, the documentation of internal processes and controls empowers companies to take accountability and control of their system without the fear of losing knowledge when department experts leave the business.
This is supported by the suite of system audit reports available as standard in NetSuite which document configuration and data changes. Saved searches can also be setup to track specific changes, which could include:
- Users and those removed from NetSuite during a specific period.
- Identification of users who have been given a new or additional roles.
- Identification of roles which have permissions changes.
How can 3RP help?
We have a proven track-record of working with customers to ensure they are compliant for public listing. Combine this with our NetSuite integration expertise and we are in a unique position to work collaboratively with businesses, helping identify areas to address, proposing and implementing workable solutions tailored to each companies’ unique needs.
Our workshop led approach ensures each area within a business and all relevant stakeholders are consulted during the process.
If your business is gearing up for a listing or needs support to ensure you are compliant with SOX guidelines, feel free to reach out and we would be happy to run through how we can help.