Audit Enablement
The NetSuite application has many features that enable user entities to build and manage proper internal controls over its financial reporting. The use of NetSuite as a financial system provides the opportunity for financial process controls to exist in a single system for the organization and then extend that functionality with applications from Fastpath or Strongpoint.
There are several customizations that can be done to help ensure that financial transactions are reasonably free from misstatements due to errors. These include:
- Workflows to establish dual authorization to address segregation of duties issues
Workflows provide additional segregation of duties controls beyond logical security. For example, workflows can provide approval limits and prevent users from approving their own transactions. Workflows can be designed and built in NetSuite by organizations to meet that company’s specific needs.
- Scripting
Scripts are another way to establish controls that are not built into NetSuite by default. For example, within NetSuite invoices are currently required to be reviewed and approved by the person who created the PO and who is the business owner for the expense. This requirement enables the Accounts Payable team to determine whether the invoices from the vendors are appropriate, and to ensure that they are matched against the proper invoice. Currently, this determination is made through scripting: when the Accounts Payable team creates an invoice against a vendor and PO, an email is sent to the business owner requesting approval of the invoice for payment.
- Audit trail saved searches to monitor specific transactions
For most financial transactions in NetSuite, an audit trail is established and can be tracked and searched. Changes to roles, customizations released into the system, transactions created, as well as other common changes, can all be tracked in the system, with some exceptions. Saved search alerts can be created to identify items outside of ordinary processing; one example is an alert for any transactions initiated by personnel who would not normally initiate such transactions. A company may want to identify any POs created by Accounts Payable, because Accounts Payable is part of the procure-to-pay process. Monitoring POs created by Accounts Payable could allow management to detect questionable transactions, especially if the user is involved in another part of the process. Monitoring changes to credit levels, terms, and addresses is another example of what can be monitored through saved searches.
- Manual controls
There are some areas in NetSuite not yet addressed by automatic control. It is important to review these items and ensure that controls outside the system are established to monitor these types of transactions.
- Audit trails for journal entries post-approval
Currently, there is no audit trail to detect when a journal entry is edited after it has been approved, or when the approver edits the entry prior to approval. Therefore, it is important to establish proper journal entry review and account reconciliations. It may also be prudent to add spending reviews for expense or disbursement accounts to check for any unusual entries. As the reviews are now the key controls, proper segregation of duties should be used for selecting the reviewer.
- Audit trails for account setup
Account setup is currently not tracked, except for the header information (user who performed an edit, date and time). This tracking does not include details of changes. It is important to establish post-setup reviews by a different person, and also to establish controls for certain significant transactions that can be impacted by changes to the setup. One example is the credit limit for customers. This feature can be turned on or off, which could allow customers to exceed their credit limits. A periodic review of customer balances against their credit limits could be used to detect whether any have exceeded their limits. Because there may be instances where the excess to the credit limit is approved, it is important to carefully lay out and establish how approval is obtained and documented.
- Three-way matching for PO, invoice, and receipt of goods
It is important to establish a process to monitor purchases. Monitoring, scripting, and evidence of approval may be used to support purchase and invoice authorization. Within NetSuite, the Accounts Payable team monitors and ensures that there is a PO before any transaction is entered into with a vendor; if there is not, a PO violation is reported and monitored. Invoices are approved and validated to ensure that they do not exceed the PO amount. Invoices over the PO amount require another approved PO, or they result in a reported PO violation. The Accounts Payable team also validates that the services or goods have been received.
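The following is an added example, not code from NetSuite or from this Help Center page. It pulls together the controls described under Workflows, Scripting, and Three-way matching into one invoice authorization gate: the approver must be the PO's business owner and must not be the person who entered the invoice (dual authorization), the amount must be within the approver's limit, and the invoice must match the PO amount and the goods receipts. In a NetSuite deployment this logic would live in a SuiteScript user event or a workflow action; here it runs over plain objects so it can be exercised offline. The record shapes, field names, approval limits and all sample data are assumptions made for the example.

```javascript
// Added example, not NetSuite's own code: an invoice authorization gate that
// applies the page's controls in one place (dual authorization, approval
// limit, three-way match). Record shapes, field names and sample data are
// constructed assumptions; in NetSuite this would be a user event script or
// workflow action operating on the vendor bill record.

// Total an invoice or PO from its lines.
function lineTotal(lines) {
  return lines.reduce((sum, l) => sum + l.qty * l.unitPrice, 0);
}

// Evaluate one vendor invoice against its PO, the receipts posted for that
// PO, and the user attempting to approve it. Returns the list of control
// violations; an empty list means the invoice may be approved.
function evaluateInvoice(invoice, po, receipts, approver) {
  const violations = [];

  // Every vendor invoice must reference a PO; otherwise it is a PO violation.
  if (!po) {
    violations.push('PO_MISSING');
    return violations;
  }
  if (invoice.poId !== po.id) {
    violations.push('PO_MISMATCH');
  }

  // Segregation of duties: only the PO's business owner approves, and the
  // person who entered the invoice can never approve it.
  if (approver.id !== po.businessOwnerId) {
    violations.push('APPROVER_NOT_PO_OWNER');
  }
  if (approver.id === invoice.createdById) {
    violations.push('SELF_APPROVAL');
  }

  // Approval limit: amounts above the approver's limit must escalate.
  const total = lineTotal(invoice.lines);
  if (total > approver.limit) {
    violations.push(`OVER_APPROVAL_LIMIT:${total}>${approver.limit}`);
  }

  // Three-way match. Quantity billed per item must not exceed quantity
  // received against this PO, and the invoice total must not exceed the
  // PO amount (an invoice over the PO amount needs another approved PO).
  const received = {};
  for (const r of receipts) {
    if (r.poId === po.id) received[r.item] = (received[r.item] || 0) + r.qty;
  }
  for (const line of invoice.lines) {
    const got = received[line.item] || 0;
    if (line.qty > got) {
      violations.push(`NOT_RECEIVED:${line.item}:${line.qty}>${got}`);
    }
  }
  const poAmount = lineTotal(po.lines);
  if (total > poAmount) {
    violations.push(`OVER_PO_AMOUNT:${total}>${poAmount}`);
  }
  return violations;
}

// --- constructed sample data ---
const samplePo = {
  id: 'PO-1001',
  businessOwnerId: 'u-owner',
  lines: [{ item: 'LAPTOP', qty: 5, unitPrice: 1200 }],
};
const sampleReceipts = [{ poId: 'PO-1001', item: 'LAPTOP', qty: 5 }];
const poOwner = { id: 'u-owner', limit: 10000 };
const apClerk = { id: 'u-ap', limit: 2000 };

// Matches the PO and receipts exactly; approved by the PO owner.
const cleanInvoice = {
  id: 'INV-1', poId: 'PO-1001', createdById: 'u-ap',
  lines: [{ item: 'LAPTOP', qty: 5, unitPrice: 1200 }],
};
// Over-billed on quantity and price; the AP clerk who entered it tries to approve it.
const badInvoice = {
  id: 'INV-2', poId: 'PO-1001', createdById: 'u-ap',
  lines: [{ item: 'LAPTOP', qty: 6, unitPrice: 1300 }],
};

console.log('INV-1', evaluateInvoice(cleanInvoice, samplePo, sampleReceipts, poOwner));
console.log('INV-2', evaluateInvoice(badInvoice, samplePo, sampleReceipts, apClerk));
```

The function returns every violation rather than stopping at the first one, so the approval email or workflow rejection can list all the reasons at once; the second sample invoice trips all five checks.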
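A second added example, again not NetSuite's or this page's own code, shows the checks behind the monitoring described under Audit trail saved searches and the periodic credit-limit review described under Audit trails for account setup. In NetSuite these would be saved searches with alerts; here they are plain functions over constructed audit-trail rows and customer balances so they run offline. The row shape, field names, the role name used for Accounts Payable, and all sample values are assumptions for the example.

```javascript
// Added example, not NetSuite's own code: detection logic for the page's
// saved-search alerts (POs created by Accounts Payable; changes to customer
// credit limit, terms and addresses) and for the periodic review of customer
// balances against credit limits. Row shape, field and role names and all
// sample rows are constructed assumptions.

// Roles that belong to the procure-to-pay process and should therefore not
// be creating purchase orders (assumed role name).
const PROCURE_TO_PAY_ROLES = new Set(['Accounts Payable']);

// Customer setup fields whose changes the page singles out for monitoring.
const SENSITIVE_CUSTOMER_FIELDS = new Set(['creditlimit', 'terms', 'billaddress', 'shipaddress']);

// POs created by someone in a procure-to-pay role: a segregation-of-duties signal.
function findPosCreatedByAp(rows) {
  return rows.filter((r) =>
    r.recordType === 'purchaseorder' && r.action === 'create' && PROCURE_TO_PAY_ROLES.has(r.role));
}

// Edits to credit limit, terms or address on customer records.
function findSensitiveCustomerChanges(rows) {
  return rows.filter((r) =>
    r.recordType === 'customer' && r.action === 'edit' && SENSITIVE_CUSTOMER_FIELDS.has(r.field));
}

// Periodic review: customers whose balance exceeds their credit limit, which
// catches cases where the credit-limit check was switched off in setup.
function findCustomersOverLimit(customers) {
  return customers.filter((c) => c.balance > c.creditLimit);
}

// Assemble one alert report, the way a scheduled saved-search alert would email it.
function buildAlertReport(rows, customers) {
  const apPos = findPosCreatedByAp(rows);
  const setupChanges = findSensitiveCustomerChanges(rows);
  const overLimit = findCustomersOverLimit(customers);
  return {
    apCreatedPos: apPos.map((r) => `${r.recordId} by ${r.user} (${r.role}) at ${r.date}`),
    customerSetupChanges: setupChanges.map(
      (r) => `${r.recordId}.${r.field}: ${r.oldValue} -> ${r.newValue} by ${r.user}`),
    customersOverLimit: overLimit.map((c) => `${c.id}: balance ${c.balance} > limit ${c.creditLimit}`),
    total: apPos.length + setupChanges.length + overLimit.length,
  };
}

// --- constructed sample data: audit-trail rows in a system-notes style ---
const sampleAuditRows = [
  { date: '2024-03-01T09:12Z', user: 'jdoe', role: 'Accounts Payable', recordType: 'purchaseorder', recordId: 'PO-2001', action: 'create' },
  { date: '2024-03-01T09:40Z', user: 'mlee', role: 'Purchasing', recordType: 'purchaseorder', recordId: 'PO-2002', action: 'create' },
  { date: '2024-03-01T10:05Z', user: 'jdoe', role: 'Accounts Payable', recordType: 'vendorbill', recordId: 'BILL-55', action: 'create' },
  { date: '2024-03-02T14:30Z', user: 'asmith', role: 'Sales', recordType: 'customer', recordId: 'C-77', action: 'edit', field: 'creditlimit', oldValue: '5000', newValue: '50000' },
  { date: '2024-03-02T14:31Z', user: 'asmith', role: 'Sales', recordType: 'customer', recordId: 'C-77', action: 'edit', field: 'phone', oldValue: '555-0100', newValue: '555-0199' },
];
const sampleCustomers = [
  { id: 'C-77', balance: 52000, creditLimit: 50000 },
  { id: 'C-78', balance: 400, creditLimit: 1000 },
];

console.log(JSON.stringify(buildAlertReport(sampleAuditRows, sampleCustomers), null, 2));
```

Against the sample rows the report flags one PO (PO-2001, created under the Accounts Payable role), one setup change (the credit limit on C-77 raised from 5000 to 50000) and one customer over its limit (C-77); the phone-number edit and the PO raised by Purchasing are left alone. Reviewing the flagged credit-limit change next to the over-limit balance is exactly the kind of cross-check the account-setup passage asks for.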
NetSuite is a tool designed to help its customers meet their business needs, but it is up to customers to ensure that they properly understand their requirements and figure out how they can use NetSuite to meet those requirements. The implementation of controls to enable auditing can be customized for each customer’s business needs. Customers should properly understand their risks, how they want to address them, the level of controls to implement, and how they will monitor these controls. They also need to understand their compliance obligations, and the requirements for each of these obligations.