Auditing Changes in NetSuite: A Breakdown of the Administrator Guide

NetSuite is an extremely robust platform that handles, and produces, a ton of data. Working with that data effectively, especially when it comes to audit prep, takes a full understanding of both the tools available in NetSuite and the third party solutions that complement them.

To get you started on the first part of this equation, in this post we’ve condensed the relevant parts of NetSuite’s Administrator Guide to tracking and documenting critical activity on the platform. For the second part, watch our recent webinar for a look at some of the ways Strongpoint makes these features even better — and reduces your audit prep time by up to 90%.

Tracking Key Financial Records

NetSuite system notes capture every time a user creates, changes or deletes a transaction. The information available includes: all users involved in the history of this transaction, each user's action, the user’s role, the date and time of that action, whether there was an account impacted, and the amount after the change. 

The Transaction Audit Trail feature searches system notes for this information and provides several ways to view it. Depending on the nature of the transaction and what your auditors want to see, you can filter the results by:

  • User
  • Action taken (create, change or delete)
  • Date range
  • Amount

and other criteria. After you run the search, the results are collected in the Audit Results page, which includes a helpful one-line summary for each transaction.

Other key financial audit records you can track in NetSuite include:

  • Transaction Deletions: To retrieve information about deleted records, use the “Deleted Record” search type. To search for deleted transactions, choose the 'Transaction' filter for the Record Type field of the search.
  • Revenue Recognition Changes: You can access system notes to view advanced revenue management records — including revenue arrangements, revenue elements, revenue recognition rules, revenue recognition plans, and advanced revenue setup records.
  • Changes to Journal Entries: Journal entries in NetSuite include a "System Information" subtab that includes system notes, a list of active workflows on the journal entry, and a history of workflows executed against the journal entry.
  • User Logins: You can use the Login Audit Trail to keep track of account users, when they have logged in, and from where. System notes will also capture password changes for employees, customers, vendors, partners and prospects.

Auditing Data and Configuration Changes

System notes are also highly useful for tracking data and configuration changes, and demonstrating tight change controls to auditors. A general system notes search will display changes to all record types, though this can be filtered to provide more specific results. Individual system notes include a Context field, which describes the specific method used to make the change (ie, whether it was done through the user interface, via a SuiteScript, etc.

Auditing Changes to Enabled Features 

The Enable Features page (Setup > Company > Enable Features) indicates which features are currently enabled for use in a NetSuite account. It should be noted that the Enabled Features page does not have a System Notes tab, so you will have to manually create a system note saved search for the page. You can run this search regularly to track changes to enabled features.

Auditing Changes to Configuration Settings 

Most changes to general configuration settings with a financial impact are logged in system notes. Some of the areas covered include: company information, general preferences, accounting lists and tax setup. 

Auditing Changes to Customization Objects 

System notes also captures information about changes to the following customization objects:

  • Custom Lists and Custom Records
  • Custom Fields
  • Custom Forms
  • SuiteScripts
  • Customized Reports and Saved Searches

Auditing Account Preferences 

The Enable Features, General Preferences and Accounting Preferences configuration pages all include a link to an Audit Trail page. There, admins can use the Audit Trail to review a list of changes, including the names of changed preferences and features, who changed them, when they were changed, what the values of the preference were before and after the change, and whether the changed features were enabled or disabled.

Documenting Changes 

On their own, system notes aren't a substitute for appropriate change documentation. The Administrator Guide specifically recommends that organizations develop and implement a standardized system for documenting change requests. To satisfy audit requirements, a change request form should include the following: 

  • Requestor name 
  • Date of change request 
  • Description of change request 
  • Reason for change 
  • Assignee to implement change 
  • Authorization to begin work to implement change

There are lots of ways to do this — shared folders and Google Docs are common — but if you want to reconcile requests and approvals to system notes, you need a third-party system like Strongpoint. Read about Strongpoint's change management tools for NetSuite here.

Tracking Exceptions

However you capture changes in NetSuite, you must be able to account for exceptions and ensure that the details of your exception have been appropriately documented. For example, a developer may be required to go directly into the production code to quickly correct a problem which then means they would need to work backwards into your test and development accounts. In this example, that emergency change should be documented on the request form, including information about who performed the change in the production account, when it was performed and why it did not follow normal procedures. It is important to capture these details as evidence for auditors.

Exception tracking is another area where Strongpoint can significantly reduce the hassle of audit prep. Our change management system automatically flags non-compliant changes (ie, anything that didn't follow the proper approval policy) and collects them in a single report for easy review and clearance. Here's a quick demo:

 

What NetSuite Can — and Can't — Do

We love to boast about NetSuite — it's a highly customizable, powerful platform with more features than we can count. But, partly as a result of this customizability, the platform leaves most of the work around compliance prep up to its users. This means that in order to set up proper controls for audit, you must first understand your own business processes and NetSuite usage.

In other words, while NetSuite's system notes and related out-of-the-box audit tools lay the foundation for a good governance framework, additional support can help automate the process and eliminate much of the manual work involved. This is something that Strongpoint does really well, and fortunately, you can learn exactly how here.