
NetSuite SOX Compliance: Automate And Get Compliant In Under A Month

SOX compliance requirements are only going up — and cloud-based enterprise systems like NetSuite pose a unique set of challenges. When you need to dedicate IT, finance and accounting resources to meet these requirements, the result is a significant drain on the productivity of your teams.

Netwrix Strongpoint helps you meet some of the more unique audit requirements around ERP systems, giving you complete visibility into your scripts, workflows, user roles and permissions, dependencies, managed bundles, platform changes and NetSuite releases.

It starts with comprehensive documentation of the customizations in your account. From there, we provide a suite of powerful tools for tracking development activity, managing segregation of duties, and monitoring transactional and record-based events.

Documentation and Clean Up

NetSuite accounts can have tens of thousands of customizations; these customizations can be interconnected in as many as a hundred thousand different ways. 

Documenting and tracking this is so time-consuming that nobody does it properly. We’ve seen everything from Excel spreadsheets to handwritten notes, but every manual approach has the same problem — it’s time-consuming to collect and impossible to keep up to date.

Ultimately, if you don’t have accurate documentation of your system, your path to passing a SOX audit is much more difficult. Auditors will want to see that you’re aware of if and how changes to your system will affect revenue recognition. And the more complex your account is, the harder it is to be confident about this.  

How Netwrix Strongpoint Helps

Netwrix Strongpoint starts by scanning your NetSuite environment and creating a comprehensive record of all your customizations, dependencies and critical settings and preferences. It automatically keeps this information up-to-date, and gives you several out-of-the-box tools for working with it:

Customization Records:

Netwrix Strongpoint creates detailed records for every customization in your account. The Customization Record contains an overview of everything you need to know about a customization — who created it, what it connects to, when it was last changed, and more.

Entity Relationship Diagrams:

The ERD is a graphic representation of the dependencies on a customization. It’s one of our most popular features — Admins and developers, in particular, regularly rave about how much time it saves them. 

Impact Analysis

You can’t get SOX compliant without an efficient change process. And you can’t get an efficient change process unless you have effective impact analysis. When you know the effect of a change ahead of time, you can build smart policies to review what’s risky and pre-approve what’s safe. 

That’s exactly what Netwrix Strongpoint does. We give you access to accurate impact analysis before you make a change, so you no longer have to rely on guesswork to know what requires investigation. 

As a result, your IT team saves time and you can go into audit with a verifiable record that everything risky underwent the proper review.
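The impact analysis described above amounts to a reachability query over a dependency graph of customizations: starting from the object you intend to change, collect everything that depends on it, transitively, and check whether any of those dependents touch revenue-affecting processing. The following is an added illustration, not Strongpoint code; the customization names, the `financial` flag and the dependency edges are all constructed for the example.

```python
"""Added example (not Strongpoint code): transitive impact analysis over a
dependency graph of NetSuite-style customizations. Every name below is
constructed for illustration."""
from collections import deque

# Constructed catalogue: customization id -> type and whether it participates
# in revenue-affecting processing (the property an auditor cares about).
CUSTOMIZATIONS = {
    "custbody_contract_start":          {"type": "field",       "financial": False},
    "customscript_rev_schedule_ue":     {"type": "script",      "financial": True},
    "customworkflow_invoice_approval":  {"type": "workflow",    "financial": True},
    "customsearch_open_contracts":      {"type": "savedsearch", "financial": False},
    "customrecord_contract":            {"type": "record",      "financial": False},
    "custrecord_contract_term":         {"type": "field",       "financial": False},
    "customscript_contract_sync_sl":    {"type": "script",      "financial": False},
}

# Constructed edges: (dependent, depends_on). A script that reads a field
# depends on that field; a workflow that calls a script depends on the script.
DEPENDENCIES = [
    ("customscript_rev_schedule_ue",    "custbody_contract_start"),
    ("customworkflow_invoice_approval", "customscript_rev_schedule_ue"),
    ("customsearch_open_contracts",     "custbody_contract_start"),
    ("custrecord_contract_term",        "customrecord_contract"),
    ("customscript_contract_sync_sl",   "custrecord_contract_term"),
]


def build_reverse_index(deps):
    """Map each object to the set of objects that directly depend on it."""
    index = {}
    for dependent, target in deps:
        index.setdefault(target, set()).add(dependent)
    return index


def impacted_by(target, deps):
    """Breadth-first walk up the reverse index; the `seen` set also guards
    against cycles, which real dependency graphs do contain."""
    reverse = build_reverse_index(deps)
    seen, queue = set(), deque([target])
    while queue:
        node = queue.popleft()
        for dependent in reverse.get(node, ()):
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    return seen


def assess_change(target, catalog=CUSTOMIZATIONS, deps=DEPENDENCIES):
    """Classify a proposed change as high risk if it, or anything that
    transitively depends on it, is flagged as financial."""
    impacted = impacted_by(target, deps)
    financial = sorted(n for n in impacted | {target} if catalog[n]["financial"])
    return {
        "target": target,
        "impacted": sorted(impacted),
        "financial": financial,
        "risk": "high" if financial else "low",
    }


if __name__ == "__main__":
    for obj in ("custbody_contract_start", "customrecord_contract"):
        print(assess_change(obj))
```

Changing `custbody_contract_start` looks harmless in isolation (it is just a body field), but the walk shows it feeds a revenue schedule script and, through that, an invoice approval workflow, so the policy should route it for review. Changing `customrecord_contract` reaches only non-financial objects and can be pre-cleared under the same policy.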

Impact-Based Risk Decisioning

Netwrix Strongpoint logs every change in your system and determines whether it’s safe or risky. From there, you can pre-clear what’s safe, and build custom approval policies that ensure risky changes are reviewed and approved by the right people.

In this clip, Netwrix Strongpoint’s VP of Sales and Marketing, Paul Staz, walks you through how Netwrix Strongpoint’s default policies assess technical risk when making a change via a process issue.

Jira/ServiceNow Integration

If you use Jira or ServiceNow to manage tickets, you can access Netwrix Strongpoint’s impact analysis directly at the ticket level, and get a comprehensive list of related customizations that will be affected by a potential change. 

You can also sync Jira/ServiceNow tickets to change requests in Netwrix Strongpoint, so the impact analysis and approval, if required, is collected in an audit-ready report. 

Change Management

NetSuite accounts are changing constantly. End users change saved searches; Administrators change fields, forms and list values; developers create and change scripts and workflows. In a typical NetSuite account, this can be hundreds of changes per month — and thousands of system notes.

The problem is that going through these system notes to identify what’s relevant to auditors, and tying those changes back to approvals that took place outside the system is incredibly time-consuming. In fact, it’s one of the biggest pain points for NetSuite teams in the lead up to an audit. 

We designed Netwrix Strongpoint to solve this problem. Our change management tools are built on smart, risk-based policies and automation. Inside NetSuite or integrated with your ticketing system, we help you create airtight change controls that make passing an audit easy and stress-free. 

How Netwrix Strongpoint Helps

Change Policies:

In NetSuite, some changes — deprecating an unused report, for example — are harmless. Others, such as altering a data model, are high risk, and should be tested in the sandbox or across the development lifecycle. 

When it isn’t possible to differentiate between what’s risky and what’s safe, all changes require the same level of investigation. As a result, resources and expertise are applied inefficiently.

With Netwrix Strongpoint’s change management policies, however, expertise can be allocated when and where it’s needed most — and safe changes can be pre-cleared without a time-consuming investigation.

Change Requests:

In addition to giving you the ability to create custom change policies based on risk, Netwrix Strongpoint also gives you a complete system for tracking change requests and approvals in accordance with those policies. Requests are automatically sent to the correct approver based on the policy, and their response is recorded in the change log — so you can see, at a glance, whether the change followed policy (i.e., whether it was approved by the correct person).

Here’s a short demo showing you how to create a request:

“Closed Loop” Change Management

Netwrix Strongpoint is a true ‘closed-loop’ change management system. Every change is captured in an immutable log. Every completed change is reconciled back to an originating request and, if necessary, an approval.

Every change and approval is checked for compliance with the policies you’ve set out. Anything that doesn’t follow policy is captured in a noncompliant changes report for review and clearance. 

The best part? Changes to your policies are logged and monitored using the same process. This makes it impossible to alter an approval after the fact or artificially resolve a noncompliant change.

In other words, the whole process is airtight and fully validated — something that’s critical to security, governance and audit readiness.

Reporting and Reconciliation

When it comes to passing a SOX audit, having a list of changes in your account is only half the battle. NetSuite teams tend to encounter the most difficulty when they’re asked to prove they understand why those changes were made.

Whether you track approvals via email, spreadsheet or an external ticketing system like Jira or ServiceNow, tying those approvals back to the changes that actually took place in the system — and demonstrating that the appropriate policy was followed — is an incredibly time-consuming process that can involve days of reviewing system notes. 

Netwrix Strongpoint automatically reconciles changes to approvals and automatically tracks the changes and updates that are the most difficult to capture manually. It continuously audits every change, pre-clearing those that are safe, and automatically alerting Admins and managers when a high-risk change occurs without the proper approval.

This functionality can be easily integrated into Jira and ServiceNow using pre-configured plugins, so that your teams can continue using those platforms while taking advantage of Netwrix Strongpoint’s industry-leading impact analysis and change policies.

Three Reports That Prove Compliance

The ‘closed-loop’ nature of Netwrix Strongpoint’s change management system means that you can go into audit with just three reports showing everything happening in your system:

  • Changes that followed policy
  • Changes that didn’t but were reviewed and resolved
  • Any changes still outstanding

Watch the video for a demo.

Segregation of Duties

The theory behind segregation of duties (SoD) is simple — users should not be able to perform multiple steps in a financial transaction. In practice, however, the realities of managing access in large organizations make it very difficult to enforce. 

NetSuite contains 636 distinct permissions, which govern 4923 separate tasks, searches and records. Because of this complexity, managing access effectively takes time and resources most admins and finance teams don’t have. And even if things are clean and streamlined at all times, automation can introduce ‘phantom conflicts’ that auditors will read as control deficiencies. 

Netwrix Strongpoint contains out-of-the-box rules, reporting and tools that make it easy to plan a role and permission cleanup — even those ‘phantom conflicts’ we mentioned above. This lays the groundwork for a rapid SoD implementation. 

Role and Permission Cleanup

More roles and permissions mean more possibility for SoD violations. Taking steps to clean up, consolidate and tighten access controls is the major part of any SoD project.

Netwrix Strongpoint takes you step by step through the process of identifying unused and obsolete roles and permissions, including both real and ‘phantom’ conflicts, and removing them safely. 

Compensating Controls

Well-defined access controls are a great foundation for minimizing SoD conflicts. But on their own, they can’t prevent violations. What’s important — what auditors will want to see — is that you have systems in place to alert you when conflicts occur. 

Netwrix Strongpoint integrates directly at the employee record to give you instant feedback on role and permission assignments. You’ll know if a new assignment has the potential for SoD violations, and can even block certain risky assignments outright, such as granting Admin privileges, when they lack prior approval. 
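The Role and Permission Cleanup and Compensating Controls sections above both reduce to the same computation: flatten each user's roles into an effective permission set, test that set against pairwise conflict rules, and run the same test on the set the user would have after a proposed assignment so the conflict is caught at the employee record rather than at audit time. The following is an added example, not Strongpoint code, and its roles, permissions, conflict rules and users are constructed; NetSuite's real permission model is considerably larger, as the figures above indicate.

```python
"""Added example (not Strongpoint code): effective-permission SoD checks and
a preview of a proposed role assignment. Roles, permissions, rules and
users are all constructed for illustration."""

ROLE_PERMISSIONS = {
    "ap_clerk":   {"vendors_create", "vendor_bills_create"},
    "ap_manager": {"vendor_bills_approve", "vendor_payments_create"},
    "ar_clerk":   {"invoices_create"},
    "admin":      {"administrator"},
}
USER_ROLES = {
    "dana":  {"ap_clerk"},
    "eve":   {"ap_clerk", "ap_manager"},
    "frank": {"ar_clerk"},
}
# Each rule names two permissions one person should not hold together.
SOD_RULES = [
    ("vendors_create",      "vendor_payments_create", "create vendor and pay vendor"),
    ("vendor_bills_create", "vendor_bills_approve",   "enter bill and approve bill"),
]
# Permissions that may never be granted without prior approval.
BLOCKED_PERMISSIONS = {"administrator"}


def effective_permissions(user, user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions of every role the user holds."""
    perms = set()
    for role in user_roles.get(user, ()):
        perms |= role_permissions.get(role, set())
    return perms


def conflicts_for(perms, rules=SOD_RULES):
    """Names of the rules violated by one permission set, sorted for stable output."""
    return sorted(name for a, b, name in rules if a in perms and b in perms)


def sod_report(user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS, rules=SOD_RULES):
    """Current conflicts per user: the starting point for a cleanup."""
    return {
        user: conflicts_for(effective_permissions(user, user_roles, role_permissions), rules)
        for user in sorted(user_roles)
    }


def preview_assignment(user, new_role, approved=False, user_roles=USER_ROLES,
                       role_permissions=ROLE_PERMISSIONS, rules=SOD_RULES,
                       blocked=BLOCKED_PERMISSIONS):
    """Decide on adding `new_role` to `user` before it is saved.

    Returns ('block', reasons) when the role would newly grant a blocked
    permission without prior approval, ('alert', new_conflicts) when it
    introduces an SoD conflict the user did not already have, else ('allow', []).
    """
    before = effective_permissions(user, user_roles, role_permissions)
    after = before | role_permissions.get(new_role, set())
    newly_blocked = sorted((after & blocked) - before)
    if newly_blocked and not approved:
        return "block", [f"grants {p} without prior approval" for p in newly_blocked]
    new_conflicts = sorted(set(conflicts_for(after, rules)) - set(conflicts_for(before, rules)))
    if new_conflicts:
        return "alert", new_conflicts
    return "allow", []


if __name__ == "__main__":
    print(sod_report())
    print(preview_assignment("dana", "ap_manager"))
    print(preview_assignment("frank", "admin"))
```

Only conflicts that the new role introduces are raised, so a user who already carries a conflict does not generate a duplicate alert on every unrelated assignment; the standing conflict is what `sod_report` exists to surface. The administrator check runs first and wins regardless of conflicts, matching the outright block described above.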

Master Data and Financial Controls

Configuration changes are not the only important changes to your NetSuite account. Changes to master data can significantly affect financial integrity. Similarly, not all transactional behavior can be managed through roles and permissions alone. To manage these risks, you need a solid system of detective controls.

Some companies use saved search alerts as detective controls, but have difficulty proving that alerts were sent or acted upon. In addition, system notes searches can be difficult to run over a significant time frame. The result is that even with robust processes, staff are often overwhelmed, resources are tied up and auditors are left unsatisfied at audit time.

As VP of Sales and Marketing, Paul is responsible for driving growth of the Infrastructure and Applications products in the Netwrix portfolio. His main areas of focus are security and compliance for NetSuite, Salesforce and Network Infrastructure. He is passionate about Go To Market Strategies and driving positive outcomes for customers. Previously, Paul served as the VP of Sales and Marketing at Strongpoint where he ran Go To Market functions before it was acquired by Netwrix. Paul holds a Bachelor of Arts degree and a Masters in Business Administration from McMaster University in Hamilton, Ontario, Canada.