Case Study: Media
How a global media brand with thousands of employees maintains segregation of duties
“As a compliance framework, [Strongpoint] is fantastic for auditors. We can now show auditors exactly how we’ve resolved any issues detected.”
The fast-paced world of digital media means that employee turnover is frequent, and team members have to be flexible, often wearing many hats as the situation requires. Unfortunately, flexibility is the enemy of compliance — which presents an issue as an upstart company matures and greater oversight is required.
That’s exactly the dilemma one Strongpoint customer found themselves in. The company, a media brand with humble, DIY roots, had grown into a billion dollar business with a global presence and multiple operating divisions.
Running NetSuite as their ERP and Salesforce as their CRM, their systems teams were struggling to maintain an audit-ready segregation of duties and access control framework before they found Strongpoint. Here’s how we helped them.
Our customer came to Strongpoint with an incredibly complex, mature NetSuite account. In the past year alone, they’d created hundreds of new roles in the system. Many of these roles had permissions attached to them that were problematic, like the ability to update exchange rates or review bank reconciliations. And many users retained those permissions even after they'd moved on, or should never have had them to begin with.
“There was a lot of stuff that users just didn’t do, yet the permissions were still on the role. It was a huge risk for us,” the company's Director of Global ERP Systems told us.
Unused roles and outdated permissions are huge concerns for auditors — not to mention a considerable fraud risk. Our customer needed to conduct a comprehensive review of their access controls for segregation of duties issues. But just as importantly, they needed a system to prevent this problem from recurring in the future.
Identifying and Prioritizing SoD Violations
Strongpoint is the only NetSuite-native tool for preventing SoD violations and logging access control incidents, making it easy to manage complex accounts like our customer’s. Once they were set up, they could instantly see what violations were happening in their account by user role.
Better yet, they could produce audit-ready reports to get critical insight into who had access to what, and which role and permission assignments had the potential for SoD violations.
“The reporting side of Strongpoint is great. We’re able to see who does what, and then ask the right questions — like why did you do this?”
Cleaning Up Unused/Unassigned Roles
Once they had identified the highest-priority access control issues — i.e., SoD violations — we recommended that our customer identify and clean up unassigned and inactive roles.
In a mature, busy account, keeping this kind of technical debt to a minimum is key to streamlining future reviews and audit prep. But it’s time-consuming, and with a lot of other more pressing priorities, the technical resources needed for it are often tied up elsewhere.
Fortunately, Strongpoint comes with out-of-the-box reporting showing all unassigned user roles, and all assigned roles that haven’t been accessed in the past three months. Normally, getting this information requires extensive review; with Strongpoint, however, our customer instantly eliminated nearly 50% of the work involved.
Our customer couldn’t stop raving about the time saved: “It’s been very powerful for us, it’s very useful,” their Solutions Manager told us.
The "Assigned But Not In Use" report in our test account — note that you can easily see each role's SoD and cleanup status
Prepping for Audit With Intelligent SoD Alerts
Cleaning up unused roles and permissions is important, but it doesn’t solve the underlying issues that led to the problem to begin with. The reality is that in a busy environment, access requirements can change quickly and technical debt will accumulate again, introducing more uncertainty and greater potential for SoD violations.
Enter Strongpoint’s continuous audit framework. As our customer discovered, we build our compliance solutions for the real world, with compensating controls that keep auditors happy without preventing systems teams from responding to evolving business needs.
Strongpoint reviews every change to access controls in NetSuite — and checks it for SoD conflicts. It can also block the assignment of sensitive roles — such as the Admin role — outright if the assignment hasn’t been approved in advance. Best of all, all of this is collected in an audit-ready log.
As a result, our customer is notified whenever violations or risky changes occur. They can resolve them instantly, and document the steps they took to do so in an immutable record. Then, they can present that information to their auditors and prove that they are on top of everything that could potentially put compliance in jeopardy.
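To make the three controls described in this case study concrete (the role-based SoD violation report, the unassigned and "assigned but not in use" report, and the check run on every role change), here is an added Python example. It is not Strongpoint code and does not use NetSuite's API; the roles, permissions, conflicting pairs, users and last-login dates are constructed sample data, and the 90-day idle threshold mirrors the three-month window mentioned above. The conflict pairs are a hypothetical SoD matrix built around the kinds of sensitive permissions the case study names.

```python
from datetime import date, timedelta

# Constructed sample data: a hypothetical SoD matrix of permission pairs that
# one person should not hold together, plus the roles treated as sensitive.
CONFLICTS = {
    frozenset({"Update Exchange Rates", "Post Journal Entries"}),
    frozenset({"Review Bank Reconciliation", "Post Journal Entries"}),
    frozenset({"Create Vendor", "Approve Vendor Payment"}),
}
SENSITIVE_ROLES = {"Administrator"}
ALL_PERMS = {p for pair in CONFLICTS for p in pair} | {"Enter Vendor Bill"}

# role -> permissions granted by that role (constructed)
ROLES = {
    "AP Clerk": {"Create Vendor", "Enter Vendor Bill"},
    "AP Manager": {"Approve Vendor Payment"},
    "Treasury Analyst": {"Update Exchange Rates", "Review Bank Reconciliation"},
    "GL Accountant": {"Post Journal Entries"},
    "Legacy Finance Super": {"Update Exchange Rates", "Post Journal Entries"},
    "Old Intern Role": {"Enter Vendor Bill"},
    "Administrator": set(ALL_PERMS),
}

# user -> roles currently assigned (constructed)
ASSIGNMENTS = {
    "alice": {"AP Clerk", "AP Manager"},   # conflict arises across two roles
    "bob": {"Legacy Finance Super"},       # conflict baked into a single role
    "carol": {"Treasury Analyst"},
    "dave": {"GL Accountant"},
}

# (user, role) -> last date the user logged in under that role (constructed)
LAST_ACCESS = {
    ("alice", "AP Clerk"): date(2024, 6, 1),
    ("alice", "AP Manager"): date(2024, 1, 10),
    ("bob", "Legacy Finance Super"): date(2023, 11, 2),
    ("carol", "Treasury Analyst"): date(2024, 5, 28),
    ("dave", "GL Accountant"): date(2024, 6, 3),
}
TODAY = date(2024, 6, 5)


def role_conflicts(roles, conflicts):
    """Roles whose own permission set already contains a conflicting pair."""
    out = {}
    for role, perms in roles.items():
        hits = sorted(tuple(sorted(pair)) for pair in conflicts if pair <= perms)
        if hits:
            out[role] = hits
    return out


def user_violations(assignments, roles, conflicts):
    """Per-user SoD violations, using the union of permissions across all roles.
    This catches conflicts that no single role shows on its own."""
    out = {}
    for user, user_roles in assignments.items():
        perms = set().union(*(roles[r] for r in user_roles))
        hits = sorted(tuple(sorted(pair)) for pair in conflicts if pair <= perms)
        if hits:
            out[user] = hits
    return out


def unassigned_roles(roles, assignments):
    """Roles that exist but are assigned to nobody: cleanup candidates."""
    assigned = set().union(*assignments.values())
    return sorted(set(roles) - assigned)


def stale_assignments(assignments, last_access, today, max_idle_days=90):
    """'Assigned but not in use': role assignments with no login inside the window."""
    cutoff = today - timedelta(days=max_idle_days)
    stale = []
    for user, user_roles in assignments.items():
        for role in user_roles:
            last = last_access.get((user, role))
            if last is None or last < cutoff:
                stale.append((user, role))
    return sorted(stale)


def evaluate_role_change(user, new_role, assignments, roles, conflicts, approved):
    """Preventive check on a proposed role assignment.
    'block': sensitive role with no prior approval on record
    'alert': the assignment would introduce an SoD conflict for this user
    'allow': neither applies"""
    if new_role in SENSITIVE_ROLES and (user, new_role) not in approved:
        return "block"
    trial = {user: assignments.get(user, set()) | {new_role}}
    if user_violations(trial, roles, conflicts):
        return "alert"
    return "allow"


if __name__ == "__main__":
    print("Roles with built-in conflicts:", role_conflicts(ROLES, CONFLICTS))
    print("Users in violation:", user_violations(ASSIGNMENTS, ROLES, CONFLICTS))
    print("Unassigned roles:", unassigned_roles(ROLES, ASSIGNMENTS))
    print("Assigned but not in use:", stale_assignments(ASSIGNMENTS, LAST_ACCESS, TODAY))
    print("dave -> Administrator, no approval:",
          evaluate_role_change("dave", "Administrator", ASSIGNMENTS, ROLES, CONFLICTS, set()))
```

The ordering matters: `user_violations` is the review that finds existing problems, `unassigned_roles` and `stale_assignments` drive the cleanup, and `evaluate_role_change` is the preventive control that keeps the debt from coming back, which is the same sequence the case study follows. Note that alice's violation is invisible at the role level and only appears when permissions are combined per user, which is why a role-by-role review alone is not enough.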
As our customer put it, “In terms of audits, Strongpoint has put us in a really good position[...] We can go to auditors and be confident in telling them that we know the issues at hand, we’ve worked through them.”
Watch a Demo
Here's Strongpoint's Mark Walker with a brief explainer of our blocking controls for SoD
Get the Ebook
Managing NetSuite roles and permissions was a high priority for our client — as it is for many large and publicly traded businesses. We've put together a crash course on the topic which you can download by registering here.