
NetSuite Change Management: Best Practices and Automated Tools

NetSuite is extremely flexible and extremely customizable. This is one of its biggest selling points: growing businesses evolve quickly — and they need enterprise software that evolves along with them.  

However, there’s another side to this. ERP software handles some of a business’s most sensitive data. NetSuite does an excellent job of protecting that data. But if the impact of a change isn’t properly understood, it can introduce vulnerability and risk. 

Out-of-the-box, NetSuite gives you a wide range of security and impact analysis tools — as well as support from a world-class SecOps team. But those tools, and that support, need to be deployed alongside a comprehensive change management program. 

The change paradox 

Some changes in NetSuite are safe and simple. Some are more complex, and riskier — think of a workflow that links back to financial reporting.  

While NetSuite gives you a lot of flexibility to change and customize the system, the responsibility of determining what’s safe to change and what’s risky ultimately falls on the admin or dev team making the change.  

So without accurate insight into risk, you’re left with an ‘all or nothing’ approach: apply scrutiny to every change — something that is virtually impossible in a busy account — or simply guess at what’s risky and what’s safe.  

The result is that resources are applied ineffectively — too much time is spent either reviewing simple changes that could be fast-tracked, or correcting issues that arise when complex changes aren’t given enough scrutiny. 

In both cases, valuable IT resources aren’t doing what they should be doing — supporting the growth of the business. 

What does effective change management look like? 

Effective change management should be based on risk. As we mentioned above, not every change is risky. Many — most, even — are simple, and require minimal discovery/investigation before they can be approved. On the other end of the spectrum are complex, risky changes that require a full SDLC.  

Complicating the issue is the fact that not all risk is the same. There are business risks — things that could affect financial reporting or regulatory compliance — and there are technical risks, i.e., changes that could break something in NetSuite. The two require different scrutiny from different departments: a change with technical risk should be reviewed by IT, whereas something with business risk should be reviewed by a Finance or Accounting head. 

Using impact analysis to determine risk 

The ERD is just one of the ways Netwrix Strongpoint helps you determine the impact of a change. Watch the webinar to learn how our tools save NetSuite Admins hours of discovery time by automating the hardest parts of their job. 

Part one: documentation 

Accurate impact analysis — however you do it — requires a comprehensive understanding of how your account is customized and configured, and how it changes over time. You can’t know the impact of a change to a field unless you know where it’s referenced, what reports it feeds into, what automation relies on it, etc.  

NetSuite system notes are very, very good at recording this information. We have an entire blog post breaking down how those notes, along with the various audit trails and execution logs, give you a comprehensive set of tools for tracking activity in NetSuite.  

But system notes have a few drawbacks that make them difficult to use for impact analysis and change management. For one, there are simply too many of them — a busy NetSuite account can generate hundreds of system notes in a day, and even with NetSuite’s built-in tools, finding the information you need to make informed changes can be time-consuming. Second, system notes don’t track everything, and if a record is deleted, those notes are lost. Finally, system notes have no way of tying back to reviews and approvals — and the work of reconciling what changed with who approved it can be incredibly time-consuming.  

Supercharged system notes  

Netwrix Strongpoint scans your account on a continuous basis to produce an accurate, up-to-date record of all customizations, critical settings, roles and permissions, and all associated metadata. Every customization is logged in an immutable record, where you’ll be able to see, at a glance, what it’s connected to, who owns it, who last changed it and more — everything you need to assess the level of risk in changing it. 

What does Netwrix Strongpoint document?

  • Accounting Settings and Lists
  • Custom Records and Custom Record Fields
  • Other Custom Fields (Body, Item, Entity, Column, etc.) 
  • Mass Updates
  • Saved Searches
  • Unlocked and Unencrypted Script Records 
  • Locked Script Records (without dependencies)
  • Critical Settings and Preferences, Forms 
  • Script Deployments
  • Libraries
  • SCA folder files and all custom SS, SSP and JS files
  • User Roles, Permissions, and Assignments 
  • Workflows
  • Dependencies
  • And more 

What can you do with Netwrix Strongpoint documentation?  

Documentation is the basis for an effective change management system. But that’s not all it can do. Here’s a look at four of Netwrix Strongpoint’s most popular account administration and configuration management features.  

  • ‘What Changed’ Reports 
  • Role and Permission Cleanup 
  • Automated Saved Search Cleanup 
  • Environment Comparison 

Part two: Change Management 

Once you have great account documentation to supplement NetSuite’s system notes, and tools to work with it, you can build formal, risk-based policies for how your organization handles change. Because not all proposed changes are risky, not all proposed changes require investigation and approval.  

However, you can’t arbitrarily decide what’s risky and what isn’t. Auditors and internal governance teams will want to see that you have a formalized, scalable process in place for measuring risk and elevating complex changes to the proper authority for review. They’ll want to see that you have a system for tracking approvals and identifying anything that didn’t follow the correct process.  

In other words, they’ll want to see that you have a comprehensive change management system in place. Which is exactly what Netwrix Strongpoint provides. 

Netwrix Strongpoint’s change logs  

As we mentioned, system notes searches are powerful tools for tracking changes in NetSuite. However, they don’t track everything — for example, a system note might tell you that a script file changed, but not how it changed. Certain types of user role changes also don’t fall under the auspices of system notes.  

Most critically, however, system notes don’t provide the broader context to a change — what an object is connected to and what could be affected as a result. That’s why, to lay the groundwork for an effective change management system, you need to augment system notes’ capabilities with change logging. 

Netwrix Strongpoint’s change logs come with several reports for searching and filtering them, providing your team with simple explanations about what changed and what was affected. Here’s a demo of how the ‘What Changed’ report alerts you to critical information in Netwrix Strongpoint’s change logs: 

Change policies, requests, and approvals 

Once you have tools for impact analysis and a system in place for tracking changes in your account, you can build policies on top of them. Change policies can be informal, but it’s strongly recommended you use a system like Netwrix Strongpoint to spell out what types of changes require review, who should review them, and how those reviews and approvals should be tracked.  

Netwrix Strongpoint comes with standard change policies that can be customized to your requirements. It automatically applies impact analysis to a proposed change, pre-clearing those that are safe, and elevating those that are risky to the proper authority. Here’s how it works: 

Reporting and reconciliation 

It’s no good to have an Excel doc or email chain approving a change if you can’t connect it to what actually happened in your account. Even the best change policy won’t be enforceable — or auditable — unless it’s reconciled with development activity. 

In fact, this is one of the biggest parts of passing a SOX audit — auditors will want to see not only that changes in your system followed policy, but that you’re aware of anything that fell through the cracks.  

Netwrix Strongpoint makes this simple. Using our NetSuite-native change management system — or integrating with an external tool like Jira, ServiceNow or Zendesk — Netwrix Strongpoint reviews every change that took place in your system to determine whether it required an approval and, if so, whether that approval happened. Then, it gives you three reports tracking all activity in your account: 

  • Changes that followed policy 
  • Changes that didn’t but were reviewed later 
  • Changes that didn’t and are still pending 

In other words, Netwrix Strongpoint captures everything that went right, everything that went wrong and everything that was caught and resolved. Once an auditor is familiar with how the system works, passing an audit is as easy as printing out these three reports — saving you and your admin team hours of work.
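The reconciliation described above, written out as an added example (not Strongpoint’s own code): every change is classified against a hypothetical risk policy, then matched to approval records and sorted into the three reports. The policy table, the department-routing rule and the sample change and approval records are all constructed assumptions for illustration.

```python
from collections import namedtuple
from datetime import date

# Hypothetical change policy (an assumption, not Strongpoint's own rules):
# object type -> (risk class, department that must sign off). None = pre-cleared as safe.
POLICY = {
    "workflow": ("business", "Finance"),
    "role_permission": ("business", "Finance"),
    "custom_field": ("technical", "IT"),
    "saved_search": (None, None),
}
DEFAULT_RULE = ("technical", "IT")  # unknown object types fail closed: IT must review

Change = namedtuple("Change", "change_id object_type changed_at")
Approval = namedtuple("Approval", "change_id approver_dept approved_at")

def reconcile(changes, approvals):
    """Sort every change into the three reports: followed_policy, reviewed_later, pending."""
    by_id = {}
    for a in approvals:
        by_id.setdefault(a.change_id, []).append(a)
    report = {"followed_policy": [], "reviewed_later": [], "pending": []}
    for c in changes:
        risk, dept = POLICY.get(c.object_type, DEFAULT_RULE)
        if risk is None:  # safe change: no approval required, so it is within policy
            report["followed_policy"].append(c.change_id)
            continue
        # Only a sign-off from the department the policy names counts as an approval.
        valid = [a for a in by_id.get(c.change_id, []) if a.approver_dept == dept]
        if not valid:
            report["pending"].append(c.change_id)
        elif min(a.approved_at for a in valid) <= c.changed_at:
            report["followed_policy"].append(c.change_id)  # approved before the change
        else:
            report["reviewed_later"].append(c.change_id)  # approved only after the fact
    return report

def reconcile_sample():
    """Constructed sample data: five changes, three approval records."""
    changes = [Change("CH-1", "workflow", date(2024, 3, 2)),
               Change("CH-2", "custom_field", date(2024, 3, 3)),
               Change("CH-3", "saved_search", date(2024, 3, 3)),
               Change("CH-4", "role_permission", date(2024, 3, 4)),
               Change("CH-5", "custom_field", date(2024, 3, 4))]
    approvals = [Approval("CH-1", "Finance", date(2024, 3, 1)),
                 Approval("CH-2", "IT", date(2024, 3, 5)),
                 Approval("CH-5", "Finance", date(2024, 3, 1))]  # wrong department
    return reconcile(changes, approvals)
```

An approval from the wrong department (CH-5) leaves the change pending rather than counting as a review, which is the kind of exception an auditor will ask about.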

Part three: change controls 

Change management becomes even more important for public and pre-IPO companies, and anyone else subject to SOX compliance requirements. 

Section 404 of SOX requires that management put in place internal controls over financial reporting. Since most organizations running NetSuite house their accounting and financial reporting on the platform, SOX auditors will be, for obvious reasons, very interested in seeing evidence that those controls are in place.  

A SOX control can be as simple as a requirement that cheques receive sign-offs from multiple team members. However, auditors will want to see that key controls are tight and traceable — in other words, that they can’t be falsified or applied retroactively. 

Determining scope 

Before you can look at your NetSuite account and build effective SOX controls, you need to step back and look at the big picture. Start with your financial statements or 10-K report, and work backward: what data goes into that? What affects the integrity of that data? 

Ultimately, anything that can — either deliberately or accidentally — affect your financial reporting is in scope for SOX. From there, it’s a question of risk mitigation. Anything material will need a control. The level of risk and the potential for consequences will determine the severity of the control. 

SOX controls  

There is no one-size-fits-all list of SOX controls required for NetSuite. Some areas auditors typically look at include: 

  • Access Management 
  • Segregation of Duties 
  • Financial Exceptions 
  • Data Security 

How your organization uses NetSuite, how your system is configured and, often, the whims of your auditors will all affect whether or not these functions are in scope, and to what degree.  

On this page, we’re focusing exclusively on NetSuite account change management — one of the most common areas of scope for public companies running NetSuite. 

IT general controls 

The ultimate goal of SOX is to ensure that the data feeding into your financial reporting is accurate. In a complex system like NetSuite, how your system is configured and customized plays a big role in that. For example, changing or removing a discount field can affect revenue forecasting — auditors will want to see that any changes like that were reviewed and approved by the appropriate authority.  

IT General Controls provide a foundation for SOX compliance in business systems. They apply to any application, operating system or other IT infrastructure — but they’re especially useful as a framework for building SOX controls in NetSuite.

Testing and reporting 

During a SOX audit, your audit team will test a random sample of changes to ensure that appropriate controls are in place and working properly. However, before you get to that point, it is strongly advisable to test your controls ahead of time and determine whether they are effective, and what exceptions you can anticipate. 

Planning is key. While we’ve had success rapidly deploying SOX programs for our customers, it pays to start early — ideally, even before you go public. But no matter where you are today, approaching the project with a clear understanding of what’s involved will greatly reduce the stress of achieving compliance.  

Get a free SOX-readiness assessment  

Book a consultation with our team to find out where you are on the SOX maturity curve. We’ve helped public and pre-IPO companies build out SOX compliant access and change management programs in as little as 30 days.  

Schedule your free assessment to learn how. 

As VP of Sales and Marketing, Paul is responsible for driving growth of the Infrastructure and Applications products in the Netwrix portfolio. His main areas of focus are security and compliance for NetSuite, Salesforce and Network Infrastructure. He is passionate about Go To Market Strategies and driving positive outcomes for customers. Previously, Paul served as the VP of Sales and Marketing at Strongpoint where he ran Go To Market functions before it was acquired by Netwrix. Paul holds a Bachelor of Arts degree and a Master of Business Administration from McMaster University in Hamilton, Ontario, Canada.