This is a presentation I made to one of the Top 10 CPA firms in their national training on how to audit NetSuite. This is more of a companion slide deck to support the presentation and demonstration. Hopefully it is useful to the audit community.
2. Agenda
• NetSuite architecture
• Logical Access
• Change Management
• Other IT Operations
Re-use of text under Creative Commons Attribution - Created
by Jay Swaminathan
3. Introduction to NetSuite
• Cloud ERP
• Multi-tenant
• Includes the following products
• NetSuite
• One World
• Open Air
• Quick Arrow (PSA)
• Suite Commerce
• SSAE16 Type II and ISAE 3402 & PCI compliance
Our training is focused only on NetSuite and OneWorld
4. Modules in NetSuite
• Procure to pay
• CRM
• Order to Cash
• Revenue recognition
• General Ledger
• Basic budgets
• Extensive reporting and dashboards
• E-Commerce
• Manufacturing and inventory
• Payroll
• Partner applications
• Highly customizable
5. Accounting ability
One World
• Multi book
• Multi Currency
• Multi subsidiaries
• Multiple calendars
6. Help
• Very powerful Help
• Help changes contextually based on the record you are in
• There is also field_id-level help
• Other support venues
• Support Center – to review cases, balance, etc.
• Suite Answers – has training videos, Knowledge base, Openair and QuickArrow
• Usergroup.netsuite.com
• Internet
7. NetSuite support access
• NetSuite login generally allows only access to your QA environment
and not to your production, sandbox or preview environment.
8. Other key terms
• Sublists – contain references to other records – example Income account in
an item record
• Creating a transaction from a record
• File attachment
• Inactive records
• Lists Vs Transactions
• Ability to create/edit records as you enter transactions
• Voiding, deleting or closing transactions
• Memorizing transactions
• Allow posting in locked period
9. Other key terms
• Inline Editing
• Export options – CSV, Excel and pdf
• Sending search and report results by email
11. [Screenshot with numbered callouts]
1 – Global Search bar
2 – Name and role
3 – Navigation menu bar
4 – Recent records
17. Preferences
• Example: Date format or currency format
• Can be set at
• Individual user
• Role
• Subsidiary
• Company
19. User Access
20. Authentication options
• Native NetSuite
• OpenID Single Sign-on
• SAML Single Sign-on
• Token-based Authentication
21. Other security features
• IP based restrictions
22. Basic building blocks
• Users
• Roles
• Centers – Page layout
• Records
• Permissions
24. Role
25. Role
26. Role
• Tied to a Center – mainly to determine the menu structure
• Could be assigned to multiple subsidiaries
• Restrict at employee, department, class or location level
• Access level for each permission
• View
• Create
• Edit
• Full
• Administrator and Full Access roles
27. User Setup
• Assigned to a specific subsidiary
• Assigned roles or global permission
• History
• System information
28. User Setup
29. Certain key permissions
• Allow Non G/L Changes
• Export Lists
• Invoice Approval
• Journal Approval
• Deleted Records
• Import CSV File
• Workflow
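An added example (not part of the original slides) of how an auditor could join a role-permission export with a user-role export to list who holds the key permissions above, using the access levels from the Role slide. The CSV column names and sample rows are constructed assumptions, not a NetSuite export format.

```python
import csv
import io

# Permissions the slide singles out as key.
KEY_PERMISSIONS = {
    "Allow Non G/L Changes", "Export Lists", "Invoice Approval",
    "Journal Approval", "Deleted Records", "Import CSV File", "Workflow",
}
# Access levels from the Role slide, lowest to highest.
LEVELS = ["View", "Create", "Edit", "Full"]
# Roles the Role slide calls out separately; flagged regardless of
# their individual permission lines.
BROAD_ROLES = {"Administrator", "Full Access"}

# Constructed sample exports; column names are assumptions.
ROLE_PERMS_CSV = """Role,Permission,Level
AP Clerk,Bills,Edit
AP Clerk,Export Lists,View
Controller,Journal Approval,Full
Controller,Allow Non G/L Changes,Edit
Sales Rep,Import CSV File,Create
"""
USER_ROLES_CSV = """User,Role
ann@example.com,AP Clerk
bob@example.com,Controller
bob@example.com,Administrator
cy@example.com,Sales Rep
"""

def key_permission_holders(role_perms_csv, user_roles_csv, min_level="Create"):
    """Return sorted (user, role, permission, level) findings."""
    threshold = LEVELS.index(min_level)
    by_role = {}
    for row in csv.DictReader(io.StringIO(role_perms_csv)):
        if (row["Permission"] in KEY_PERMISSIONS
                and LEVELS.index(row["Level"]) >= threshold):
            by_role.setdefault(row["Role"], []).append(
                (row["Permission"], row["Level"]))
    findings = []
    for row in csv.DictReader(io.StringIO(user_roles_csv)):
        user, role = row["User"], row["Role"]
        if role in BROAD_ROLES:
            findings.append((user, role, "*", "Full"))
        findings.extend((user, role, p, lvl) for p, lvl in by_role.get(role, []))
    return sorted(findings)
```

Lowering `min_level` to `"View"` widens the listing to read-only holders of the key permissions.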
30. Security Setup
• Username is always an email id
• Email id can be changed by users themselves – preferences field
• Default password policy (Can be changed by the administrator)
• Min – 10 characters
• At least 3 of these four character types: uppercase letters, lowercase letters,
numbers, non-alphanumeric ASCII characters
• Not too easy to guess, such as common names, words, and strings like abcd123456
• Significantly different from your most recent password
• Can be changed by the administrator at
Setup>Company>Preferences>General Preferences
• Password Expiration can also be set there
• Lockout is 30 minutes after 6 consecutive incorrect login attempts
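An added example (not part of the original slides) of testing the lockout setting above against login history such as a Login Audit Trail search result: it finds every sixth consecutive failure and flags any successful login by the same user inside the following 30 minutes for follow-up. The row layout, status strings and sample data are constructed assumptions.

```python
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 6                     # consecutive failures, per the slide
LOCKOUT_WINDOW = timedelta(minutes=30)    # lockout duration, per the slide
FMT = "%Y-%m-%d %H:%M"

def _fails(user, hour, count):
    """Constructed helper: `count` failures one minute apart."""
    return [(f"2024-03-01 {hour}:0{i}", user, "Failure") for i in range(count)]

# Constructed sample rows: (timestamp, user, status).
SAMPLE = (
    _fails("ann@example.com", "09", 6)
    + [("2024-03-01 09:20", "ann@example.com", "Success")]   # 15 min later
    + _fails("bob@example.com", "10", 6)
    + [("2024-03-01 10:40", "bob@example.com", "Success")]   # 35 min later
    + _fails("cy@example.com", "11", 5)
    + [("2024-03-01 11:10", "cy@example.com", "Success")]    # never locked
)

def lockout_exceptions(rows):
    """Return (lockouts, exceptions).

    lockouts:   (user, timestamp of the 6th consecutive failure)
    exceptions: (user, timestamp of a success inside the lockout window)
    """
    streak, locked_at = {}, {}
    lockouts, exceptions = [], []
    for ts, user, status in sorted(rows):     # ISO-style stamps sort by time
        when = datetime.strptime(ts, FMT)
        if status == "Failure":
            streak[user] = streak.get(user, 0) + 1
            if streak[user] == LOCKOUT_THRESHOLD:
                locked_at[user] = when
                lockouts.append((user, ts))
        else:
            start = locked_at.pop(user, None)
            if start is not None and when - start < LOCKOUT_WINDOW:
                exceptions.append((user, ts))
            streak[user] = 0                  # a success resets the streak
    return lockouts, exceptions
```

An exception here is a lead to investigate (for example, an administrator resetting the account), not proof that the control failed.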
31. Security Questions
• Security Questions
• Three Questions
• Set up at the initial login or within the first 5 logins
• Roles exempted
• Customer Center
• Web Store Shopper
• Type of access exempted
• Web Services
• SuiteScript
• SuiteAnalytics Connect
• Inbound Single Sign-on
• Open ID Single Sign-on
• SAML sign-on
• Asked if you log in from a new browser
32. Form based restriction
• Customizable forms (say remove button/ fields)
• Role could be restricted only to specific forms
• Need to be cognizant as this is not the most robust access restriction
33. Workflow based restriction
• Can restrict access to specific actions/fields based on process state or
user or role (Example when payment on hold, do not allow change to
the $ field)
• May rely on the form, workflow, user, role, subsidiary or state of the
record – Treat it as an automated control and test it, as this is
completely configurable.
34. Reports to aid
35. Create new searches
• Leverage the following search types
• Deleted records
• Employee
• Login Audit Trail
• Role
• System note (All actions by a user)
37. Types of changes
• Data Changes
• Lists
• Reports and search changes
• Workflow changes
• Custom record/ field changes
• Form changes
• Script changes
• Integration changes
• Version changes
• New module implementation
38. Data Changes
• Who makes the change matters – if it is IT, then it should follow the ITGC process
• Verify using Audit Trail – Transaction > Management > Audit Trail
• Leverage System notes functionality
39. Lists
• Standard or custom lists – more like metadata
• Can either be used for additional data capture or may have workflow/
script tied to it
40. Report and Search changes
• Searches can be underlying logic for scripts and workflows
• Easy to make changes and overwrite an existing report
• Be careful to test that the right report is being used for IPE
• Rely on system information for changes to the report
• Report consists of
• Columns
• Filters
• Sort
41. Workflow
• A GUI to make changes
• Very easy to modify
• How to identify changes
• Restricted access is the key
• Workflow states
44. Custom record and field changes
• Extensible nature of NetSuite – ability to build applications on top
• Different type of custom fields and records
• Transaction
• Lists
• Entity
• Access should be restricted to administrators
45. Form changes
• Customizing forms is very powerful
• The new form generally becomes the preferred form, so be careful
• Giving the role access to all the forms will defeat the purpose of
restricting through forms
46. Form Changes
47. Script changes
• New Scripts are created
48. Script changes - Deployment
• A script needs to be deployed
49. Script changes – Impact identification
50. Integration changes
• Out of scope for this training
51. New Releases
• Typically two releases in a year
52. Version changes
• Typically once every six months
• Every customer has a test instance
• These could impact previous reports, customization, forms, scripts
etc.
• Need to understand the release and impact
• If new features are going to be absorbed, an additional CM process needs to be
deployed
53. New modules
• Extensible nature of NetSuite
• Additional modules, plug-ins and bundles
• Discussion on bundling as a migration tool
• NetSuite or other third party vendors
• Impact on
• Existing modules
• Existing process flow
• Existing reports
• Existing data
54. Reports to aid
• Standard Search
• Analytics Audit Trail
• System notes
• Workflow
• Workflow instance
• Bundle Audit Trail
• Scripted records
• Script Execution logs
56. Fastpath
• Comprehensive Segregation of duties
• Works with other systems too
• Ability to manage conflicts, risks, compensatory controls
• Audit trail/ system notes (similar to Flodocs but only detective)
• Identity manager that incorporates preventive SOD
57. Flodocs
• Comprehensive change management tool
• Automated analysis of change management – example script relying
on a search
• Listing of all changes
• Comparison of accounts
59. Reports
• Standard reports are provided by NetSuite
• These cannot be modified and generally a good source of truth
• Summary and detailed report
• Ability to drill down to the actual record
• Ability to customize reports by adding
• Additional columns
• Filters
• Sorting
• Concept of Reporting component
• Providing access to user
60. Searches
• Much more powerful
• More complex
• Could end up with incorrect data
• Difficult to format
• Could be used for alerts, workflow, scripts.
• Very useful for audit purposes