Case Study: A Recent Tech IPO
How a Strongpoint customer built airtight ITGC and SoD controls ahead of their first audit.
"Now that we have everything inside the system... this is amazing!"
— Head of Finance
Since 2008, our customer has been changing the way large organizations handle DevOps. We knew right away they’d be a good fit for Strongpoint — like them, we’re focused on finding better, smarter ways to maintain powerful enterprise software.
We recently sat down with our customer's head of finance to talk about some of the ways Strongpoint has transformed their change management and compliance processes.
Here are some of the highlights of our conversation.
Like a lot of Strongpoint users, our customer came to us not long after going public. This is typically the point where Finance and IT teams start to worry about SOX compliance — and our customer was no exception.
They needed a tool to build out effective, airtight ITGC change controls and manage segregation of duties across their NetSuite roles and permissions. They demoed a few conventional access control systems, but found they didn’t offer the full tracking and management capabilities they needed to prove to auditors that SoD was being maintained.
“There are a lot of systems that are focusing on logical access — granting permissions and the approval process regarding users and roles — but what I really liked is your change management. Every time I show it to other NetSuite users or customers, they all say, ‘Why doesn’t NetSuite have this out of the box?’”
Now, our customer can track activity in their system — including role and permission changes that could potentially violate SoD — and prove to auditors that sensitive changes are reviewed and approved properly.
Before Strongpoint, our customer was using daily saved search alerts to track changes to scripts and workflows that could be of interest to auditors. It was a system that worked, but it was time-consuming to set up. “It took weeks” to find the right searches, they told us.
Adding to the complication was the fact that they were using Jira to manage tickets, and there was no way to automatically reconcile approvals in Jira with what was actually happening in NetSuite.
As for SoD, “we managed it in Excel… every change, we had to export it again and compare everything… it was painful!”
Using saved search alerts and system notes might have been sufficient to get our customer through their first audit as a public company; “I could have managed working with that, but I know it’s not the best practice,” they told us. But it wasn’t simply a matter of getting compliant.
While the company may have been initially looking for a tool to help with a small part of audit prep, what our customer found was something much more comprehensive. “I prefer the way that Strongpoint works. And because it has a lot of additional features… now, I have the possibility to add financial controls…. And now that we have everything inside the system, this is amazing.”
Next Steps: SoD
As they approach their first audit, our customer is in the final stages of implementing their SoD program. Most SoD programs are built around Excel spreadsheets and email approvals; with Strongpoint, everything is contained and logged in NetSuite.
Working with our library of nearly 150 rules, the customer's NetSuite team is building out custom controls that will alert them when potential violations occur — and document their resolution in audit-ready reports.
“We like that we have everything out-of-the-box… it’s pretty straightforward — we love it!” they told us.
Bonus Post: Customizing Strongpoint
Our customers use Strongpoint in a lot of different ways — it's no surprise that compliance isn't the only use case for this client. Visit our blog to read a story about how this company's NetSuite team further customized the system to their own needs.