NetSuite Access Review
A proper NetSuite access review is incredibly time-consuming.
However, regular access reviews are essential for preventing fraud and maintaining data security. Most auditors or internal oversight boards will recommend that you do this, at the very least, annually — if not more often.
Why Conduct NetSuite Access Reviews?
An estimated 34% of data breaches involve internal actors. Controlling who can see and do what is the primary control against theft or fraud by employees, and by former employees whose access was never removed at offboarding.
Implementing the principle of least privilege (POLP) is a recognized best practice for any system, cloud-based ERPs included: strictly limiting who can view sensitive records or post transactions greatly reduces your exposure. For this reason, periodic user access reviews are a common control requirement under SOX for public companies, and under other industry-specific or internal policies.
Why Is Access Review So Difficult?
NetSuite roles and permissions can be incredibly complex. Going through every user to determine what roles they have been assigned, and what they can see and do as a result, requires an intimate understanding of the permission structure in your account. And even when you have that information, you still need to communicate it to the right people, track their approvals and log everything in an audit-ready report.
The result is a serious drain on IT resources. And even if you take the time to do everything right, you still have to prove it to your auditors — which can involve hours of searching through system notes.
What Should a NetSuite Access Review Look Like?
A NetSuite access review typically involves two components:
- Membership reviews: Who has what role, and why? Do users have access that is appropriate to their job responsibilities? Are there any users with unused roles that can be decommissioned?
- Permission reviews: What does each role allow users to do? What can they see, edit, create or delete?
Membership reviews are straightforward but time-consuming. Permission reviews, on the other hand, are both more complicated and more important to get right. If your reviewer agrees that User X should have Role Y but does not fully understand what Role Y does, their approval is basically meaningless.
Access in NetSuite: A Primer
For a closer look at how NetSuite's access controls work, see our Crash Course: NetSuite User Roles and Permissions eBook.
So What’s The Solution?
Strongpoint automates the most time-consuming parts of access review, gives reviewers the information they need to make informed decisions, and tracks everything in an audit-ready log. Here’s how.
Step One: Assign Owners and Reviews
With Strongpoint, you can quickly assign ownership and User Access Reviews to key stakeholders. Approvers are automatically alerted when a review is due and the review appears in their dashboard, while Admins can keep tabs on progress and on any tasks that result from the review, such as removing access.
Step Two: Give Owners Actionable Information
Strongpoint automatically gives owners detailed visibility into access: who holds the role, what other roles those users have, which global permissions they hold, and any Segregation of Duties violations that result. It also provides a summary of every permission in the role under review, with its category and permission level, making it easy to reach an informed decision.
Step Three: Provide Alerts for Potential Conflicts
Strongpoint takes permission review one step further and automatically alerts the approver to any potential issues — such as roles with permissions that have access to PII, or segregation of duties violations.
Step Four: Show What Isn’t In Use
During the course of the review, Strongpoint flags role assignments that have not been used recently, so they can be removed from the user. This helps streamline the system and reduces the work involved in future reviews. Reviewers should still confirm before removing a flagged assignment, since some roles are only used at quarter or year end and will look idle for months.
Step Five: Track and Report
Every step of the review process — from the impact analysis to the approval — is captured by Strongpoint in an audit-ready log. Best of all, everything takes place in our Built for NetSuite app, making it easy to satisfy compliance requirements.
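The checks behind the membership and permission review components described above, and behind Steps Two through Four (effective permissions across roles, segregation-of-duties conflicts, PII exposure, unused assignments), as an added example. This is not Strongpoint's or NetSuite's code: the role definitions, last-login dates, SoD rules and PII permission list are all constructed for the example, and the permission names and levels are assumptions modelled on NetSuite's Manage Roles page rather than an exact copy.

```python
"""Access-review checks over a constructed export of NetSuite user-role
assignments and role permissions. Added example, not Strongpoint's or
NetSuite's code; every data structure below is constructed."""
from datetime import date, timedelta

# Permission levels in ascending order of capability.
LEVELS = ["None", "View", "Create", "Edit", "Full"]

# Constructed role definitions: role -> {permission: level}.
ROLES = {
    "AP Clerk":        {"Vendors": "Edit", "Vendor Bills": "Create", "Bill Payments": "View"},
    "AP Manager":      {"Vendor Bills": "Full", "Bill Payments": "Full", "Vendors": "View"},
    "Sales Rep":       {"Customers": "Edit", "Sales Orders": "Create"},
    "HR Viewer":       {"Employees": "View"},
    "Legacy Reporter": {"Financial Statements": "View"},
}

# Constructed assignments: (user, role) -> date the role was last used to log in.
# NetSuite's Login Audit Trail records the role each login used, which is the
# signal a membership review needs; the dates here are made up.
ASSIGNMENTS = {
    ("alice", "AP Clerk"):        date(2024, 5, 30),
    ("alice", "AP Manager"):      date(2024, 5, 28),
    ("bob",   "Sales Rep"):       date(2024, 5, 29),
    ("bob",   "Legacy Reporter"): date(2023, 9, 2),
    ("carol", "HR Viewer"):       None,   # assigned but never used
}

# Assumed segregation-of-duties rules: a user should not hold both sides at or
# above the stated level. Creating a vendor and paying that vendor's bills is
# the classic "set up a fake supplier, pay it" fraud path.
SOD_RULES = [
    (("Vendors", "Create"), ("Bill Payments", "Edit")),
    (("Vendors", "Create"), ("Vendor Bills", "Full")),
]

# Assumed set of permissions that expose personally identifiable information.
PII_PERMISSIONS = {"Employees", "Customers"}

# Date the review is run against (constructed).
REVIEW_DATE = date(2024, 6, 1)


def at_least(level, floor):
    return LEVELS.index(level) >= LEVELS.index(floor)


def effective_permissions(user):
    """Merge permissions across every role the user holds, keeping the highest
    level granted for each permission and the role that granted it."""
    merged = {}
    for (who, role), _ in ASSIGNMENTS.items():
        if who != user:
            continue
        for perm, level in ROLES[role].items():
            current = merged.get(perm)
            if current is None or LEVELS.index(level) > LEVELS.index(current[0]):
                merged[perm] = (level, role)
    return merged


def sod_violations(user):
    """SoD conflicts across all of a user's roles combined. Checking each role
    on its own misses conflicts created by combining two individually clean
    roles, so the check runs on the merged permission set."""
    perms = effective_permissions(user)
    hits = []
    for (perm_a, floor_a), (perm_b, floor_b) in SOD_RULES:
        if (perm_a in perms and perm_b in perms
                and at_least(perms[perm_a][0], floor_a)
                and at_least(perms[perm_b][0], floor_b)):
            hits.append((perm_a, perms[perm_a][1], perm_b, perms[perm_b][1]))
    return hits


def stale_assignments(as_of=REVIEW_DATE, max_idle_days=90):
    """(user, role) assignments not used within the window. These are
    candidates for removal from the user, not for deleting the role itself."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted((user, role) for (user, role), last in ASSIGNMENTS.items()
                  if last is None or last < cutoff)


def pii_exposure(role):
    """Permissions in a role that touch PII, surfaced before sign-off."""
    return sorted(p for p in ROLES[role] if p in PII_PERMISSIONS)


def review_packet(user, as_of=REVIEW_DATE):
    """Everything an owner needs to approve or reject one user's access."""
    roles = sorted(role for (who, role) in ASSIGNMENTS if who == user)
    stale = {r for (u, r) in stale_assignments(as_of) if u == user}
    return {
        "user": user,
        "roles": roles,
        "effective_permissions": effective_permissions(user),
        "sod_violations": sod_violations(user),
        "pii_roles": {r: pii_exposure(r) for r in roles if pii_exposure(r)},
        "stale_roles": sorted(stale),
    }


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(review_packet(user))
```

In the constructed data neither AP Clerk nor AP Manager violates a rule on its own, but alice holds both, so her merged permissions trip both rules; that is the case a role-by-role permission review misses and a per-user review catches. Bob's Legacy Reporter assignment and carol's never-used HR Viewer assignment are the unused-role candidates from Step Four.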
Who Uses Strongpoint?
An access review involves three main stakeholders: the NetSuite admin who plans the review, the business owner who conducts it, and the (internal or external) auditor who reviews everything. Strongpoint's access tools greatly simplify the process for each of these stakeholders — here's how.
- NetSuite admins: Plan and schedule reviews, automate recurring reviews, assign owners and manage everything from a dashboard giving you a high-level overview of everything in progress and upcoming.
- Business owners: Conduct membership and permission reviews; get the information you need to make an informed decision and assign follow-up action items.
- Auditors: Use the view-only auditor dashboard to see all access reviews and approvals in one place. Get instant insights and in-depth reporting into who approved what, and why.