NetSuite change management:
best practices and automated tools
NetSuite is extremely flexible and extremely customizable. This is one of its biggest selling points: growing businesses evolve quickly — and they need enterprise software that evolves along with them.
However, there’s another side to this. ERP software handles some of a business’ most sensitive data. NetSuite does an excellent job of protecting that data. But if the impact of change isn’t properly understood, it can introduce vulnerability and risk.
Out-of-the-box, NetSuite gives you a wide range of security and impact analysis tools — as well as support from a world-class SecOps team. But those tools, and that support, need to be deployed alongside a comprehensive change management program.
Introduction: The Change Paradox
Some changes in NetSuite are safe and simple. Some are more complex, and riskier — think of a workflow that links back to financial reporting.
While NetSuite gives you a lot of flexibility to change and customize the system, the responsibility of determining what’s safe to change and what’s risky ultimately falls on the admin or dev team making the change.
So without accurate insight into risk, you’re left with an ‘all or nothing’ approach: apply scrutiny to every change — something that is virtually impossible in a busy account — or simply guess at what’s risky and what’s safe.
The result is that resources are applied ineffectively — too much time is spent either reviewing simple changes that could be fast-tracked, or correcting issues that arise when complex changes aren't given enough scrutiny.
In both cases, valuable IT resources aren’t doing what they should be doing — supporting the growth of the business.
What Does Effective Change Management Look Like?
Effective change management should be based on risk. As we mentioned above, not every change is risky. Many — most, even — are simple, and require minimal discovery/investigation before they can be approved. On the other end of the spectrum are complex, risky changes that require a full SDLC.
Complicating the issue is the fact that not all risk is the same. There are business risks — things that could affect financial reporting or regulatory compliance — and there are technical risks, i.e., changes that could break something in NetSuite. Both require different scrutiny from different departments — i.e., a change with technical risk should be reviewed by IT, whereas something with business risk should be reviewed by a Finance or Accounting head.
Demo: Using Impact Analysis to Determine Risk
In this clip, watch how we use Strongpoint's entity relationship diagram (ERD) to see the dependencies on an object (in this case, the 'Company Size' field on the Customer standard record) and determine the level of risk involved in changing it.
WEBINAR: NETSUITE IMPACT ANALYSIS
The ERD is just one of the ways Strongpoint helps you determine the impact of a change. Watch the webinar to learn how our tools save NetSuite Admins hours of discovery time by automating the hardest parts of their job.
Part One: Documentation
Accurate impact analysis — however you do it — requires a comprehensive understanding of how your account is customized and configured, and how it changes over time. You can’t know the impact of a change to a field unless you know where it’s referenced, what reports it feeds into, what automation relies on it, etc.
NetSuite system notes are very, very good at recording this information. We have an entire blog post breaking down how those notes, along with the various audit trails and execution logs, give you a comprehensive set of tools for tracking activity in NetSuite.
But system notes have a few drawbacks that make them difficult to use for impact analysis and change management. For one, there are simply too many of them — a busy NetSuite account can generate hundreds of system notes in a day, and even with NetSuite’s built-in tools, finding the information you need to make informed changes can be time-consuming. Second, system notes don't track everything, and if a record is deleted, those notes are lost. Finally, system notes have no way of tying back to reviews and approvals — and the work of reconciling what changed with who approved it can be incredibly time-consuming.
Supercharged System Notes
Strongpoint scans your account on a continuous basis to produce an accurate, up-to-date record of all customizations, critical settings, roles and permissions, and all associated metadata. Every customization is logged in an immutable record, where you’ll be able to see, at a glance, what it’s connected to, who owns it, who last changed it and more — everything you need to assess the level of risk in changing it.
Object types documented by Strongpoint include:
- Accounting Settings and Lists
- Custom Records and Custom Record Fields
- Other Custom Fields (Body, Item, Entity, Column, etc.)
- Mass Updates
- Saved Searches
- Unlocked and Unencrypted Script Records
- Locked Script Records (without dependencies)
- Critical Settings and Preferences
- Forms
- Script Deployments and Libraries
- SCA folder files and all custom SS, SSP and JS files
- User Roles, Permissions, and Assignments
What Can You Do With Strongpoint Documentation?
Documentation is the basis for an effective change management system. But that's not all it can do. Here's a look at four of Strongpoint's most popular account administration and configuration management features.
One of our most popular features, the "What Changed" report shows you exactly what the name implies — every customization that's been altered or deleted in a given time frame.
It's an easy way to get a top-down overview of development activity, and troubleshoot any problems that arise.
Understanding who has access to what is critical to data security and regulatory compliance. But over time, NetSuite's roles and permissions can get extremely complex.
Strongpoint gives you tools to review access controls in NetSuite and identify redundant roles and permissions that can lead to SOX compliance or segregation of duties violations.
Here's a screenshot of one of our standard reports, showing all role assignments that have no active logins in the last six months — one example of what we call 'low hanging fruit' that can likely be deleted as part of an access cleanup project:
NetSuite saved searches are so easy to create — but deleting them when you're done with them is an extra step most admins don't have time for. The result is that, over time, they accumulate, making them one of the most common forms of technical debt in NetSuite.
Strongpoint comes with out-of-the-box tools for reviewing old saved searches and identifying what's safe to get rid of. Then, we automate the time-consuming parts of cleanup, and collect every step in audit-ready reporting.
Here's a blog post walking you through how it works.
Strongpoint’s out-of-the-box Environment Comparison tool shows you any and all differences between your NetSuite environments. Target newer-than-source for pre-deployment validation or troubleshooting, or run a full diff between your development and production accounts to ensure your latest change or release was deployed properly.
Learn more about NetSuite Environment Comparison, or read a short case study to find out how one Strongpoint customer used it to avoid a problem that would have taken hours to remediate after the fact.
Part Two: Change Management
Once you have great account documentation to supplement NetSuite's system notes, and tools to work with it, you can build formal, risk-based policies for how your organization handles change. Because not all proposed changes are risky, not all proposed changes require investigation and approval.
However, you can’t arbitrarily decide what’s risky and what isn’t. Auditors and internal governance teams will want to see that you have a formalized, scalable process in place for measuring risk and elevating complex changes to the proper authority for review. They’ll want to see that you have a system for tracking approvals and identifying anything that didn’t follow the correct process.
In other words, they’ll want to see that you have a comprehensive change management system in place. Which is exactly what Strongpoint provides.
DEMO: Change logs
As we mentioned, system notes searches are powerful tools for tracking changes in NetSuite. However, they don't track everything — for example, a system note might tell you that a script file changed, but not how it changed. Certain types of user role changes also don't fall under the auspices of system notes.
Most critically, however, system notes don't provide the broader context to a change — what an object is connected to and what could be affected as a result. That's why, to lay the groundwork for an effective change management system, you need to augment system notes’ capabilities with change logging.
Strongpoint's change logs come with several reports for searching and filtering them, providing your team with simple explanations about what changed and what was affected. Here's a demo of how the 'What Changed' report alerts you to critical information in Strongpoint's change logs:
Change policies, requests and approvals
Once you have tools for impact analysis and a system in place for tracking changes in your account, you can build policies on top of them. Change policies can be informal, but it’s strongly recommended you use a system like Strongpoint to spell out what types of changes require review, who should review them, and how those reviews and approvals should be tracked.
Strongpoint comes with standard change policies that can be customized to your requirements. It automatically applies impact analysis to a proposed change, pre-clearing those that are safe, and elevating those that are risky to the proper authority. Here's how it works:
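To make the idea of automatically applying impact analysis to a proposed change concrete, here is an added example in JavaScript (the language of NetSuite's own SuiteScript); it is not Strongpoint's code and not taken from the demo. It assumes a small, constructed reverse-dependency map of customisation objects (ids in NetSuite naming style, invented for illustration), a tag set marking objects that feed financial reporting, and a simple rule that scripts and workflows carry technical risk. It walks the dependents of the changed object transitively, flags business and technical risk, and routes the change to IT, Finance, both, or pre-clears it.

```javascript
// Added example (not Strongpoint's code): dependency-graph impact analysis
// with risk-based routing of a proposed change. All object ids below are
// constructed for illustration in NetSuite's naming style.

// Reverse dependency map: object id -> ids of objects that reference it
// (i.e. what could break or change if the object changes).
const DEPENDENTS = {
  custentity_company_size: ['customsearch_customers_by_size', 'customworkflow_lead_routing'],
  customsearch_customers_by_size: ['customreport_arr_by_segment'],
  customworkflow_lead_routing: [],
  customreport_arr_by_segment: [],
  custbody_discount_pct: ['customscript_order_pricing', 'customsearch_revenue_forecast'],
  customscript_order_pricing: ['customsearch_revenue_forecast'],
  customsearch_revenue_forecast: ['customreport_revenue_recognition'],
  customreport_revenue_recognition: [],
  custrecord_color_pref: [],
};

// Objects tagged as feeding financial reporting. Assumed tagging: in practice
// this comes from account documentation metadata, not from the id itself.
const FINANCIAL_OBJECTS = new Set([
  'customsearch_revenue_forecast',
  'customreport_revenue_recognition',
  'customreport_arr_by_segment',
]);

// Scripts and workflows are the objects whose breakage is a technical risk.
function isExecutable(id) {
  return id.startsWith('customscript_') || id.startsWith('customworkflow_');
}

// Transitive set of dependents via breadth-first search. The visited set also
// guards against cycles (e.g. a search used by a script that updates the very
// field the search filters on).
function impactOf(objectId) {
  const visited = new Set();
  const queue = [objectId];
  while (queue.length > 0) {
    const current = queue.shift();
    for (const dep of DEPENDENTS[current] || []) {
      if (!visited.has(dep)) {
        visited.add(dep);
        queue.push(dep);
      }
    }
  }
  visited.delete(objectId);
  return [...visited].sort();
}

// Classify a proposed change and decide who must review it. The changed object
// itself is part of the scope: editing a workflow is a technical risk even if
// nothing depends on it.
function classifyChange(objectId) {
  const impacted = impactOf(objectId);
  const scope = [objectId, ...impacted];
  const businessRisk = scope.some((id) => FINANCIAL_OBJECTS.has(id));
  const technicalRisk = scope.some(isExecutable);
  let route;
  if (businessRisk && technicalRisk) route = 'IT and Finance review';
  else if (businessRisk) route = 'Finance review';
  else if (technicalRisk) route = 'IT review';
  else route = 'pre-cleared';
  return { objectId, impacted, businessRisk, technicalRisk, route };
}

// Stand-alone run over a few proposed changes.
for (const id of ['custentity_company_size', 'custbody_discount_pct', 'custrecord_color_pref']) {
  console.log(JSON.stringify(classifyChange(id)));
}
```

The routing table is deliberately coarse: the point is that the decision is derived from documented dependencies rather than from a guess, so the same change always lands with the same reviewer and the reasoning (the impacted list) is recorded alongside the decision.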
Reporting and Reconciliation
It's no good to have an Excel doc or email chain approving a change if you can't connect it to what actually happened in your account. Even the best change policy won’t be enforceable — or auditable — unless it’s reconciled with development activity.
In fact, this is one of the biggest parts of passing a SOX audit — auditors will want to see not only that changes in your system followed policy, but that you’re aware of anything that fell through the cracks.
Strongpoint makes this simple. Using our NetSuite-native change management system — or integrating with an external tool like Jira, ServiceNow or ZenDesk — Strongpoint reviews every change that took place in your system to see if it required an approval and, if so, if that approval happened. Then, it gives you three reports tracking all activity in your account:
- Changes that followed policy
- Changes that didn’t but were reviewed later
- Changes that didn’t and are still pending
In other words, Strongpoint captures everything that went right, everything that went wrong and everything that was caught and resolved. Once an auditor is familiar with how the system works, passing an audit is as easy as printing out these three reports — saving you and your admin team hours of work. Here's Strongpoint's Paul Staz with a quick explainer:
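The three-report reconciliation described above can be expressed as a small matching routine. The following is an added example in JavaScript, not Strongpoint's code: it assumes a constructed change log (what actually happened in the account), a constructed set of approval records (what a ticketing or change-request system recorded), and a policy callback deciding which changes needed approval. A change is counted as following policy if it needed no approval or was approved before it happened by someone other than the person who made it; an approval that arrived afterwards puts it in the "reviewed later" bucket; no valid approval leaves it pending.

```javascript
// Added example (not Strongpoint's code): reconcile a change log against
// approval records into the three buckets the text describes. All entries
// below are constructed sample data.

// Constructed change log: what actually happened in the account.
const CHANGE_LOG = [
  { id: 'chg-1', object: 'custbody_discount_pct', changedBy: 'dev.alice', changedAt: '2024-03-01T10:00:00Z', risk: 'high' },
  { id: 'chg-2', object: 'customsearch_open_cases', changedBy: 'admin.bob', changedAt: '2024-03-01T11:30:00Z', risk: 'low' },
  { id: 'chg-3', object: 'customscript_order_pricing', changedBy: 'dev.alice', changedAt: '2024-03-02T09:15:00Z', risk: 'high' },
  { id: 'chg-4', object: 'customworkflow_lead_routing', changedBy: 'dev.carol', changedAt: '2024-03-03T16:45:00Z', risk: 'high' },
];

// Constructed approval records, e.g. exported from a change-request system.
const APPROVALS = [
  { object: 'custbody_discount_pct', approvedBy: 'finance.dana', approvedAt: '2024-02-28T15:00:00Z' },
  // Approved three days after the change went in: reviewed later, not pre-approved.
  { object: 'customscript_order_pricing', approvedBy: 'it.erin', approvedAt: '2024-03-05T08:00:00Z' },
  // Self-approval by the developer who made the change: a segregation-of-duties
  // violation, so it must not count.
  { object: 'customscript_order_pricing', approvedBy: 'dev.alice', approvedAt: '2024-03-01T08:00:00Z' },
];

// Assumed policy: anything above low risk requires a prior approval.
const POLICY = { requiresApproval: (change) => change.risk !== 'low' };

// Returns the ids of changes in each of the three reporting buckets.
// Timestamps are ISO-8601 UTC strings, so string comparison orders them correctly.
function reconcile(changes, approvals, policy) {
  const result = { followedPolicy: [], reviewedLater: [], pending: [] };
  for (const change of changes) {
    if (!policy.requiresApproval(change)) {
      result.followedPolicy.push(change.id);
      continue;
    }
    // Only approvals for this object by someone other than the changer are valid.
    const valid = approvals.filter(
      (a) => a.object === change.object && a.approvedBy !== change.changedBy,
    );
    const approvedBefore = valid.some((a) => a.approvedAt <= change.changedAt);
    if (approvedBefore) result.followedPolicy.push(change.id);
    else if (valid.length > 0) result.reviewedLater.push(change.id);
    else result.pending.push(change.id);
  }
  return result;
}

// Stand-alone run: print the three reports.
console.log(JSON.stringify(reconcile(CHANGE_LOG, APPROVALS, POLICY), null, 2));
```

Matching on object id is the simplest join; a production reconciliation would also match on a ticket reference and on the specific field or file that changed, but the bucketing logic stays the same.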
WEBINAR: NETSUITE Change Management
For a closer look at how Strongpoint's change management system fits into the audit process, watch our webinar, "Proactive Audit Prep in NetSuite."
Case Study: BANDWIDTH
Learn how a public CPaaS company running NetSuite used Strongpoint's change management tools to reduce their audit prep time from hours to minutes.
Part Three: Change Controls
Change management becomes even more important for public and pre-IPO companies, and anyone else subject to SOX compliance requirements.
Section 404 of SOX requires that management put in place internal controls over financial reporting. Since most organizations running NetSuite house their accounting and financial reporting on the platform, SOX auditors will be, for obvious reasons, very interested in seeing evidence that those controls are in place.
A SOX control can be as simple as a requirement that cheques receive sign-offs from multiple team members. However, auditors will want to see that key controls are tight and traceable — in other words, that they can't be falsified or applied retroactively.
Before you can look at your NetSuite account and build effective SOX controls, you need to step back and look at the big picture. Start with your financial statements or 10-K report, and work backward — what data goes into that? What affects the integrity of that data?
Ultimately, anything that can — either deliberately or accidentally — affect your financial reporting is in scope for SOX. From there, it’s a question of risk mitigation. Anything material will need a control. The level of risk and the potential for consequences will determine the severity of the control.
Here's Spencer Roundy, Managing Director of Moss Adams, with a quick overview:
There is no one-size-fits-all list of SOX controls required for NetSuite. Some areas auditors typically look at include:
How your organization uses NetSuite, how your system is configured and, often, the whims of your auditors will all affect whether or not these functions are in scope, and to what degree.
On this page, we’re focusing exclusively on NetSuite account change management — one of the most common areas of scope for public companies running NetSuite.
IT General Controls
The ultimate goal of SOX is to ensure that the data feeding into your financial reporting is accurate. In a complex system like NetSuite, how your system is configured and customized plays a big role in that. For example, changing or removing a discount field can affect revenue forecasting — auditors will want to see that any changes like that were reviewed and approved by the appropriate authority.
IT General Controls provide a foundation for SOX compliance in business systems. They apply to any application, operating system or other IT infrastructure — but they’re especially useful as a framework for building SOX controls in NetSuite. Here's Roundy again with a short explainer:
Testing and Reporting
During a SOX audit, your audit team will test a random sample of changes to ensure that appropriate controls are in place and working properly. However, before you get to that point, it is strongly advisable to test your controls ahead of time and determine whether they are effective, and what exceptions you can anticipate.
Planning is key. While we've had success rapidly deploying SOX programs for our customers, it pays to start early — ideally, even before you go public. But no matter where you are today, approaching the project with a clear understanding of what's involved will greatly reduce the stress of achieving compliance.
Download our Three Steps to NetSuite Compliance ebook for more information.
WEBINAR: Prepping for your first — and best — audit
We recently sat down with a group of SOX experts and systems leadership who've been through the IPO and audit processes. Check out the presentation for a discussion on what worked, what didn't and what they'd do differently next time.
Get a free SOX readiness assessment
Book a consultation with our team to find out where you are on the SOX maturity curve. We've helped public and pre-IPO companies build out SOX compliant access and change management programs in as little as 30 days.
Schedule your free assessment to learn how.