What ITGC Means for Your NetSuite Environment
IT General Controls (ITGC) are the baseline controls that auditors evaluate to determine whether your financial systems can be trusted. In the context of NetSuite, ITGC covers four areas: access controls, change management, computer operations, and program development. If any of these are weak, your auditor cannot rely on the system-generated reports, which means more manual testing, more audit fees, and more risk.
Access Controls in NetSuite
Access control is the most common area where NetSuite environments fail audit. The issues are predictable:
Users with Administrator or Full Access roles who do not need them
No periodic access review process (quarterly recertification)
Segregation of duties violations (same person can create and approve)
Terminated employees still active in the system
Shared login credentials or generic accounts
The fix is not complicated, but it requires discipline. Custom roles built around least-privilege access, a documented provisioning/deprovisioning process, and quarterly access reviews with sign-off from business owners.
What a Good Methodology Includes
Change management in a SOX context means that any change to your production NetSuite environment (scripts, workflows, custom records, saved searches used in financial reporting, role changes) follows a documented process: request, review, approve, test, deploy.
What auditors look for:
Separation of Environments
Development happens in Sandbox. Testing happens in Sandbox. Production changes are migrated through a controlled process, not built directly in production.
Change Request Documentation
Every change has a ticket. The ticket includes what is being changed, why, who requested it, who approved it, and evidence of testing before deployment.
Segregation of Duties in Development
The person who writes the code should not be the person who deploys it to production. The person who approves the change should not be the person who requested it.
Emergency Change Process
There will be emergencies. The process accounts for them. Emergency changes still get documented, but after the fact, with retroactive approval and a root cause analysis.
Where NetSuite Makes This Hard
NetSuite is not designed with SOX in mind. There is no built-in change management module. There is no native approval workflow for script deployments. The audit trail exists but is not organized in a way that maps cleanly to ITGC control objectives. This means you need to build the process around NetSuite, using a combination of:
A ticketing system (Jira, ServiceNow, or even a structured spreadsheet) for change requests
Sandbox environments for development and UAT
Role restrictions that prevent developers from deploying to production
Periodic reviews of the system notes log for unauthorized changes
Getting Audit-Ready Without Slowing Down
The goal is not to create bureaucracy. The goal is to have a process that is lightweight enough to follow consistently, but rigorous enough that your auditor can test it and find it effective. Most teams overcomplicate this. A well-designed change management process adds maybe 15 minutes per change. The alternative is a material weakness finding and a conversation with your board.
How We Support Compliance
Our approach to SOX and ITGC is collaborative. We work alongside your internal audit and compliance teams to design controls that are practical, not just theoretically sound. Every control we recommend has a clear owner, a documented process, and a testing procedure your team can execute independently.
We bring deep expertise in how NetSuite's access model, change management tools, and audit trail capabilities map to ITGC requirements. This is not generic compliance consulting. It is specific to how your instance is configured and how your team operates.
Through StrongSupport, ongoing change management is built into your support model. Every production change follows a documented workflow: request, review, sandbox test, approval, deployment. Your auditors see a clean trail without your team doing extra work.
If you are preparing for SOX compliance, going through an IPO readiness process, or have already received audit findings related to ITGC, the time to fix your NetSuite controls is now. Not during audit season.
Or email us directly at hello@sixstrong.io


