Back to Articles

Back to Articles

COMPLIANCE

COMPLIANCE

SOX, ITGC & Change Management in NetSuite

SOX, ITGC & Change Management in NetSuite

SOX, ITGC & Change Management in NetSuite

If your company is SOX-compliant or heading toward an IPO, your ERP needs to support IT General Controls. Here is what that actually means inside NetSuite, and where most teams get it wrong.

If your company is SOX-compliant or heading toward an IPO, your ERP needs to support IT General Controls. Here is what that actually means inside NetSuite, and where most teams get it wrong.

What ITGC Means for Your NetSuite Environment

IT General Controls (ITGC) are the baseline controls that auditors evaluate to determine whether your financial systems can be trusted. In the context of NetSuite, ITGC covers four areas: access controls, change management, computer operations, and program development. If any of these are weak, your auditor cannot rely on the system-generated reports, which means more manual testing, more audit fees, and more risk.

Access Controls in NetSuite

Access control is the most common area where NetSuite environments fail audit. The issues are predictable:


  • Users with Administrator or Full Access roles who do not need them

  • No periodic access review process (quarterly recertification)

  • Segregation of duties violations (same person can create and approve)

  • Terminated employees still active in the system

  • Shared login credentials or generic accounts

The fix is not complicated, but it requires discipline. Custom roles built around least-privilege access, a documented provisioning/deprovisioning process, and quarterly access reviews with sign-off from business owners.

What a Good Methodology Includes

Change management in a SOX context means that any change to your production NetSuite environment (scripts, workflows, custom records, saved searches used in financial reporting, role changes) follows a documented process: request, review, approve, test, deploy.


What auditors look for:

Separation of Environments

Development happens in Sandbox. Testing happens in Sandbox. Production changes are migrated through a controlled process, not built directly in production.

Change Request Documentation

Every change has a ticket. The ticket includes what is being changed, why, who requested it, who approved it, and evidence of testing before deployment.

Segregation of Duties in Development

The person who writes the code should not be the person who deploys it to production. The person who approves the change should not be the person who requested it.

Emergency Change Process

There will be emergencies. The process accounts for them. Emergency changes still get documented, but after the fact, with retroactive approval and a root cause analysis.

Where NetSuite Makes This Hard

NetSuite is not designed with SOX in mind. There is no built-in change management module. There is no native approval workflow for script deployments. The audit trail exists but is not organized in a way that maps cleanly to ITGC control objectives. This means you need to build the process around NetSuite, using a combination of:


  • A ticketing system (Jira, ServiceNow, or even a structured spreadsheet) for change requests

  • Sandbox environments for development and UAT

  • Role restrictions that prevent developers from deploying to production

  • Periodic reviews of the system notes log for unauthorized changes

Getting Audit-Ready Without Slowing Down

The goal is not to create bureaucracy. The goal is to have a process that is lightweight enough to follow consistently, but rigorous enough that your auditor can test it and find it effective. Most teams overcomplicate this. A well-designed change management process adds maybe 15 minutes per change. The alternative is a material weakness finding and a conversation with your board.

How We Support Compliance

Our approach to SOX and ITGC is collaborative. We work alongside your internal audit and compliance teams to design controls that are practical, not just theoretically sound. Every control we recommend has a clear owner, a documented process, and a testing procedure your team can execute independently.


We bring deep expertise in how NetSuite's access model, change management tools, and audit trail capabilities map to ITGC requirements. This is not generic compliance consulting. It is specific to how your instance is configured and how your team operates.


Through StrongSupport, ongoing change management is built into your support model. Every production change follows a documented workflow: request, review, sandbox test, approval, deployment. Your auditors see a clean trail without your team doing extra work.

If you are preparing for SOX compliance, going through an IPO readiness process, or have already received audit findings related to ITGC, the time to fix your NetSuite controls is now. Not during audit season.

Need help with SOX readiness in NetSuite?

Need help with SOX readiness in NetSuite?

We will assess your current control environment, identify gaps, and build the processes your auditor expects to see.

We will assess your current control environment, identify gaps, and build the processes your auditor expects to see.

Bridging the gap between Finance, Operations and Technology. We help scaling businesses optimize NetSuite for measurable growth.

8300 Greensboro Dr LI #241

McLean, VA 22102

© 2026 SixStrong Consulting, LLC. All Rights Reserved.

Bridging the gap between Finance, Operations and Technology. We help scaling businesses optimize NetSuite for measurable growth.

8300 Greensboro Dr LI #241

McLean, VA 22102

© 2026 SixStrong Consulting, LLC. All Rights Reserved.

Bridging the gap between Finance, Operations and Technology. We help scaling businesses optimize NetSuite for measurable growth.

8300 Greensboro Dr LI #241

McLean, VA 22102

© 2026 SixStrong Consulting, LLC. All Rights Reserved.