SOX Readiness in NetSuite

What You Actually Need vs. What Auditors Ask For

October 31, 2024

22 min read

The SOX Compliance Spectrum

Sarbanes-Oxley compliance in NetSuite isn't binary—it's a spectrum. At one end, you have companies doing the bare minimum to satisfy auditors: paper-based controls, annual scrambles for evidence, and constant worry about findings. At the other end, you have companies with robust, automated controls built into their systems: compliance that's nearly effortless because it's embedded in daily operations.

Most companies land somewhere in the middle: manual processes patched together with good intentions, documentation that exists but isn't current, and annual audit preparations that consume weeks of effort that could be spent on actual business activities.

The goal isn't to satisfy auditors—that's a necessary byproduct. The goal is to build controls that genuinely protect your financial reporting while minimizing the operational burden. When that's done right, auditor satisfaction follows naturally.


Understanding SOX Requirements in Plain Language

Before diving into NetSuite specifics, let's demystify what SOX actually requires. The law is about ensuring publicly traded companies have reliable financial reporting. It achieves this through requirements around internal controls over financial reporting (ICFR).

What Section 404 Actually Requires

Section 404 is the heavyweight: management must assess and report on the effectiveness of internal controls over financial reporting. External auditors must attest to that assessment.

In plain language: you need to identify what could go wrong in your financial reporting, implement controls to prevent or detect those problems, test that the controls work, and document the whole thing.

For your ERP, this means:

  • Controls exist to ensure transactions are authorized, recorded correctly, and reported accurately

  • System access is appropriately restricted

  • Changes to the system are controlled and documented

  • The system produces reliable data for financial reporting

IT General Controls vs. Application Controls

SOX audits typically distinguish between IT General Controls (ITGCs) and Application Controls:

IT General Controls

These are foundational controls around the IT environment: change management, access security, computer operations, and data backup. They apply to any significant system, including NetSuite. If ITGCs are weak, auditors can't rely on any application controls that depend on the system.

Application Controls

These are controls embedded in specific applications: input validations, processing controls, and output controls. In NetSuite, application controls include things like approval workflows, three-way matching, and automated calculations.

Both layers matter. Strong application controls on a system with weak ITGCs are unreliable. Strong ITGCs without appropriate application controls leave gaps. You need both.


What Auditors Actually Evaluate in NetSuite

When auditors assess NetSuite for SOX purposes, they focus on several key areas.

Change Management Controls

Every change to NetSuite—configuration changes, script deployments, workflow modifications, role updates—needs to follow a controlled process. Auditors want to see:

  • Changes are documented before implementation

  • Changes are approved by appropriate parties

  • Changes are tested before production deployment

  • Production access is restricted to prevent unauthorized changes

  • An audit trail exists showing what changed, when, and by whom

The Sandbox Reality

NetSuite's sandbox environments are central to compliant change management. The expected pattern:

  • Develop changes in sandbox

  • Test in sandbox

  • Document changes and get approval

  • Deploy to production through controlled process

  • Verify deployment

If you're making changes directly in production, you have a control gap. If sandbox changes don't go through formal approval before production deployment, you have a control gap. If you can't produce evidence of this process for any given change, you have an audit finding waiting to happen.

Script and Customization Controls

Custom scripts require particular attention. A poorly designed script can bypass other controls, corrupt data, or misstate financials. Auditors want to see:

  • Code review before deployment

  • Testing documentation

  • Approval from appropriate parties (often including business process owners, not just IT)

  • Version control or equivalent tracking

  • Documentation of what scripts do and why they exist

Segregation of Duties

The principle is simple: no single person should be able to complete a high-risk transaction from start to finish without oversight. In practice, this gets complicated quickly.

Key Segregation Areas

Critical segregations in NetSuite typically include:

  • Cannot create and approve payments (AP fraud risk)

  • Cannot create customers and apply payments (AR fraud risk)

  • Cannot modify vendors and process payments (vendor fraud risk)

  • Cannot edit chart of accounts and post journal entries (financial manipulation risk)

  • Cannot adjust inventory and approve inventory counts (theft concealment risk)

  • Cannot create/modify scripts and deploy to production without approval (unauthorized change risk)

The Role Explosion Problem

NetSuite's permission structure is granular—which is both a blessing and a curse. You can define precise access, but the sheer number of permissions makes it easy to create unintended conflicts.

Standard roles often have more access than SOX would prefer. Custom roles accumulate permissions over time. Users get added to roles to solve immediate problems without considering segregation implications. Before you know it, you have a web of conflicting access that nobody fully understands.

Auditors will ask for a segregation of duties matrix and expect you to demonstrate that conflicting permissions don't exist, or that compensating controls address them.

User Access Controls

Who has access to what, and is that access still appropriate? Auditors evaluate several aspects:

Provisioning

When someone joins the company or changes roles, how is access granted? Is there an approval process? Is access based on job function rather than individual request?

Periodic Review

Access should be reviewed periodically—quarterly is typical, annually at minimum. Reviews should verify that access is still appropriate for each user's role. Inappropriate access should be remediated.

Auditors will ask for evidence of these reviews. "We looked at it" isn't evidence. Signed documentation, preferably timestamped, is evidence.

Termination

When employees leave, access should be removed promptly. Auditors may test terminated employees' access to verify it was disabled in a timely manner.

Privileged Access

Administrator-level access deserves extra scrutiny. Who has full admin? Why? Is that access monitored? Are admin activities logged and reviewed?

Audit Trails

Financial transactions need complete audit trails showing who created them, who modified them, and what changed. NetSuite maintains system notes that capture this information, but you need to:

  • Know how to access and interpret system notes

  • Ensure system notes are capturing the information you need

  • Be able to present audit trails in a format auditors can use

  • Retain audit trail data for required periods

Interface and Integration Controls

If data flows into or out of NetSuite through integrations, those interfaces need controls:

  • Data validation at input (rejecting or flagging bad data)

  • Reconciliation between source and target systems

  • Error handling and exception monitoring

  • Access controls on integration points
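The reconciliation control described above, written out as an added example (this is not code from the article or from NetSuite): a record-level comparison between a source system's extract and what the integration landed in the ERP. The records, the `externalId` key field and the amounts are all constructed for illustration. The point of comparing record by record rather than totals only is that a missing record and an unexpected one can offset each other and still produce matching totals.

```javascript
// Added example: reconcile integration output against its source.
// All records are constructed; "externalId" as the matching key is an assumption.

const SOURCE = [ // e.g. invoices exported from a billing system (constructed)
  { externalId: 'INV-1001', amount: 1200.00, currency: 'USD' },
  { externalId: 'INV-1002', amount: 350.50,  currency: 'USD' },
  { externalId: 'INV-1003', amount: 99.99,   currency: 'USD' },
  { externalId: 'INV-1004', amount: 5000.00, currency: 'USD' },
];

const TARGET = [ // what the integration actually created in the ERP (constructed)
  { externalId: 'INV-1001', amount: 1200.00, currency: 'USD' },
  { externalId: 'INV-1002', amount: 355.00,  currency: 'USD' }, // amount mismatch
  { externalId: 'INV-1004', amount: 5000.00, currency: 'USD' },
  { externalId: 'INV-1004', amount: 5000.00, currency: 'USD' }, // loaded twice
  { externalId: 'INV-2000', amount: 10.00,   currency: 'USD' }, // not in source
];

// Compare money in integer cents so floating-point noise cannot cause false mismatches.
const cents = x => Math.round(x * 100);

// Returns an exception report: each category is something a reviewer must clear
// before the interface can be considered reconciled for the period.
function reconcile(source, target, key = 'externalId') {
  const src = new Map(source.map(r => [r[key], r]));
  const seen = new Map(); // key -> number of times it appeared in target
  const result = {
    missingInTarget: [], unexpectedInTarget: [], mismatched: [], duplicates: [],
    sourceTotalCents: 0, targetTotalCents: 0, balanced: false,
  };

  for (const r of source) result.sourceTotalCents += cents(r.amount);

  for (const t of target) {
    result.targetTotalCents += cents(t.amount);
    const k = t[key];
    seen.set(k, (seen.get(k) || 0) + 1);
    if (seen.get(k) > 1) { result.duplicates.push(k); continue; }
    const s = src.get(k);
    if (!s) { result.unexpectedInTarget.push(k); continue; }
    if (cents(s.amount) !== cents(t.amount) || s.currency !== t.currency) {
      result.mismatched.push({ key: k, source: s.amount, target: t.amount });
    }
  }

  for (const k of src.keys()) if (!seen.has(k)) result.missingInTarget.push(k);

  // Only fully clean on every dimension counts as reconciled; matching totals alone do not.
  result.balanced = result.sourceTotalCents === result.targetTotalCents &&
    result.missingInTarget.length === 0 && result.unexpectedInTarget.length === 0 &&
    result.mismatched.length === 0 && result.duplicates.length === 0;
  return result;
}

// Usage: run after each integration batch and keep the report as evidence.
console.log(JSON.stringify(reconcile(SOURCE, TARGET), null, 2));
```

In practice the report itself is the evidence the control operated: it is produced by the system, timestamped by when it ran, and lists exactly what a person had to clear.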


Common Struggles and How to Address Them

Certain compliance challenges appear consistently across companies pursuing SOX readiness.

Manual Change Management

Tracking changes in spreadsheets or emails doesn't scale and creates audit headaches. When auditors ask for evidence of change control for a specific script, you're searching through emails from eight months ago hoping someone documented something.

The Solution: Systematic Change Tracking

Implement a change management system—whether a purpose-built tool, a ticketing system, or custom NetSuite records—that captures:

  • What is being changed

  • Why (business justification)

  • Who requested

  • Who approved

  • Testing performed

  • Deployment date and verification

The system should produce auditable records without relying on someone remembering to send an email.

Role Sprawl and Segregation Conflicts

Over time, roles multiply. Users accumulate access. Segregation conflicts emerge that nobody notices until an auditor asks pointed questions.

The Solution: Role Governance

  • Start with a clean role design based on job functions

  • Create a segregation matrix defining incompatible permissions

  • Review roles against the matrix before creating or modifying

  • Implement periodic role audits to check for drift

  • Use reporting to identify users with potentially conflicting access

Custom saved searches can automate conflict detection, flagging users whose role combinations create segregation issues.
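As an added example (not the article's code and not a NetSuite saved search), here is the conflict-detection logic such a search or script would implement: a segregation matrix of incompatible permission pairs, roles that grant permissions, and users who may hold several roles. The permission and role names are illustrative labels chosen to mirror the list above, not NetSuite's internal permission identifiers, and every user and role below is constructed. The last function is the pre-change check the bullet list asks for: whether adding a permission to a role would create a new conflict for anyone holding it.

```javascript
// Added example: segregation-of-duties conflict detection over role assignments.
// Permission, role and user names are constructed placeholders.

// Segregation matrix: pairs of permissions one person must not hold together.
const SOD_MATRIX = [
  { a: 'Create Vendor Bill',      b: 'Approve Vendor Bill',     risk: 'AP fraud' },
  { a: 'Edit Vendor',             b: 'Pay Bills',               risk: 'vendor fraud' },
  { a: 'Create Customer',         b: 'Apply Customer Payment',  risk: 'AR fraud' },
  { a: 'Edit Chart of Accounts',  b: 'Post Journal Entry',      risk: 'financial manipulation' },
  { a: 'Adjust Inventory',        b: 'Approve Inventory Count', risk: 'theft concealment' },
];

// Role definitions: role name -> permissions it grants (constructed).
const ROLES = {
  'AP Clerk':             ['Create Vendor Bill', 'Edit Vendor'],
  'AP Manager':           ['Approve Vendor Bill', 'Pay Bills'],
  'Controller':           ['Edit Chart of Accounts', 'Post Journal Entry', 'Approve Vendor Bill'],
  'Warehouse':            ['Adjust Inventory'],
  'Inventory Supervisor': ['Approve Inventory Count'],
};

// User assignments (constructed). Conflicts often come from combining roles
// that are each acceptable on their own, which is why the check runs per user.
const USERS = [
  { id: 'u1', name: 'Alice', roles: ['AP Clerk'] },
  { id: 'u2', name: 'Bob',   roles: ['AP Clerk', 'AP Manager'] },            // cross-role conflict
  { id: 'u3', name: 'Carol', roles: ['Controller'] },                        // conflict inside one role
  { id: 'u4', name: 'Dan',   roles: ['Warehouse', 'Inventory Supervisor'] }, // cross-role conflict
];

// Effective permissions = union across the user's roles, remembering which
// role(s) granted each permission so a finding says what to change.
function effectivePermissions(user, roles = ROLES) {
  const perms = new Map();
  for (const roleName of user.roles) {
    for (const p of roles[roleName] || []) {
      if (!perms.has(p)) perms.set(p, []);
      perms.get(p).push(roleName);
    }
  }
  return perms;
}

// Conflicts for one user, each with the roles granting both sides of the pair.
function findConflicts(user, matrix = SOD_MATRIX, roles = ROLES) {
  const perms = effectivePermissions(user, roles);
  const conflicts = [];
  for (const rule of matrix) {
    if (perms.has(rule.a) && perms.has(rule.b)) {
      conflicts.push({
        user: user.id, risk: rule.risk,
        left:  { permission: rule.a, grantedBy: perms.get(rule.a) },
        right: { permission: rule.b, grantedBy: perms.get(rule.b) },
      });
    }
  }
  return conflicts;
}

// Whole-population report: only users with findings appear.
function sodReport(users = USERS, matrix = SOD_MATRIX, roles = ROLES) {
  return users.flatMap(u => findConflicts(u, matrix, roles));
}

// Pre-change check: would adding `permission` to `roleName` create a new
// conflict for any user who currently holds that role?
function wouldCreateConflict(roleName, permission, users = USERS, matrix = SOD_MATRIX, roles = ROLES) {
  const proposed = { ...roles, [roleName]: [...(roles[roleName] || []), permission] };
  return sodReport(users, matrix, proposed).length > sodReport(users, matrix, roles).length;
}

console.log(JSON.stringify(sodReport(), null, 2));
```

Run on a schedule, the report becomes the evidence that the role audit happened; run before a role change, `wouldCreateConflict` is the gate that stops the conflict from being created in the first place. Where a conflict is kept for business reasons, the same record is where the documented compensating control should be attached.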

Access Review Theater

Some companies go through the motions of access reviews without actually reviewing. They run reports, put them in a folder, and call it done. When auditors test whether inappropriate access was identified and remediated, they find nothing was actually done.

The Solution: Meaningful Reviews

Design access reviews that force engagement:

  • Managers must confirm each user's access is appropriate

  • Anomalies are flagged for investigation (admin access, unusual role combinations, inactive users with active access)

  • Remediation is tracked to completion

  • Review completion is documented with timestamps and signatures

Make the review efficient enough that people will actually do it thoroughly, not so painful that they rubber-stamp to finish quickly.

Incomplete Documentation

Controls exist but aren't documented. Or documentation exists but doesn't match reality. When auditors test, they find gaps between what's written and what's done.

The Solution: Living Documentation

  • Document controls as you build them, not after the fact

  • Review documentation annually for accuracy

  • Update documentation when processes change

  • Keep documentation accessible and current

  • Tie documentation to testing—controls documented should be controls tested

Evidence That Doesn't Exist

The control operates correctly, but you can't prove it. Approvals happened but weren't recorded. Reviews occurred but weren't documented. When auditors ask for evidence, there isn't any.

The Solution: Built-in Evidence

Design controls to automatically create evidence:

  • Approval workflows that create system records

  • System notes that capture key actions

  • Reports that document review completion

  • Timestamps that prove timing

Manual controls that depend on someone documenting after the fact will eventually have gaps. System-enforced controls that create evidence automatically are more reliable.


Building Sustainable SOX Compliance

The goal is compliance that doesn't require heroic effort every year. Here's how to build it sustainably.

Automate Change Management

Use sandbox environments for all changes. Implement approval workflows for production deployments. Build tracking systems that capture change history automatically.

Custom solutions can log all configuration changes, create approval routing, and maintain deployment records without manual intervention. When auditors ask for change management evidence, you run a report—you don't search through emails.

Design Roles for Segregation from the Start

Retrofitting segregation into existing roles is painful. Building it correctly from the start is much easier.

Start with job functions, not individuals. Define what each function needs to do, then what access that requires. Check combinations against segregation requirements before creating roles.

When business needs require access that creates conflicts, document the conflict and the compensating controls. A documented exception with compensating controls is compliant. An undocumented conflict is a finding.

Build Access Reviews Into Regular Operations

Don't wait for audit season. Quarterly reviews catch problems before auditors do. Monthly reviews are even better for high-risk areas.

Custom saved searches and reports can automate much of the review process: flagging terminated employees with active access, identifying users with admin privileges, highlighting unusual access patterns. The review becomes verifying exceptions rather than examining everyone.

Document Controls as You Build Them

Control documentation shouldn't be a separate project after implementation—it should be part of the implementation itself.

When you build an approval workflow, document what it does, why, and how to test it. When you configure a validation, document the rule and its purpose. When you set up roles, document what access each role provides and why.

This approach ensures documentation stays current. Controls that don't get documented don't get implemented fully.

Use System-Enforced Controls Where Possible

A control that requires someone to remember to do something will eventually fail. A control enforced by the system is more reliable.

Examples:

  • Required approvals configured in workflows vs. policies that say "get approval"

  • System-enforced segregation vs. policies against conflicting access

  • Automated validations vs. reviewer checklists

  • System-generated audit trails vs. manual logging

Invest in automation that makes the compliant path the only path.

Test Your Own Controls

Don't wait for external auditors to test controls. Internal testing catches problems when they're easier to fix.

  • Test that controls operate as documented

  • Test that evidence is being created

  • Test that exceptions are identified and escalated

  • Test sample transactions through the entire process

Internal testing also builds confidence. If you've tested it and it works, the external audit is validation rather than discovery.


The Role of Customization in SOX Compliance

Custom development can make SOX compliance easier—or harder, depending on how it's done.

Automation That Creates Compliance

Well-designed customizations can automate controls that would otherwise be manual:

  • Approval workflows that enforce segregation and create evidence

  • Validation scripts that prevent data quality issues

  • Change logging that captures configuration modifications

  • Access review automation that flags anomalies

  • Reconciliation tools that verify data integrity

These customizations reduce compliance burden by making controls operate automatically. The investment in building them pays back every audit cycle.

Customization Governance for SOX

Custom code is itself subject to change management controls. You need:

  • Code review before deployment

  • Testing documentation

  • Approval workflows for production changes

  • Version control or equivalent tracking

  • Monitoring for unauthorized changes

The same discipline that applies to NetSuite configuration applies to custom scripts and workflows.

Documentation Requirements for Custom Controls

If a custom solution implements a control, that control needs documentation:

  • What does the control accomplish?

  • What risks does it address?

  • How does it work?

  • How is it tested?

  • Who owns it?

Auditors can't rely on controls they don't understand. Documentation makes custom controls auditable.


Preparing for Your First SOX Audit

If you're approaching your first SOX audit (perhaps post-IPO or due to company growth), here's how to prepare.

Engage Auditors Early

Don't wait until audit season to discover what auditors will focus on. Engage them during planning to understand their approach, their testing methodology, and their expectations.

Auditors are more helpful when engaged proactively. They can point out gaps before they become findings.

Perform a Readiness Assessment

Before the audit, assess yourself honestly:

  • Are controls documented?

  • Is evidence available?

  • Have controls operated consistently throughout the period?

  • Are there known gaps or deficiencies?

Readiness assessments reveal problems you can fix before auditors find them.

Address Gaps Proactively

If the readiness assessment reveals gaps, fix them. Implement missing controls. Create missing documentation. Remediate access issues. Clean up change management records.

A control implemented mid-year is better than no control. A deficiency disclosed and addressed is better than a deficiency discovered by auditors.

Organize Your Evidence

Auditors will request documentation and evidence. Having it organized accelerates the audit and demonstrates operational maturity.

  • Change management documentation by period

  • Access review evidence by quarter

  • User provisioning and termination records

  • Control testing documentation

  • Exception and remediation tracking

Assign Clear Ownership

Know who owns each control area. When auditors have questions, they need someone who can answer. Unclear ownership creates delays and suggests immature processes.


Beyond Compliance: Controls That Make You Better

The best SOX implementations don't just satisfy auditors—they improve operations.

Faster, More Accurate Closes

Controls that ensure data quality throughout the period mean less cleanup at close. Automated validations catch errors when they're entered, not when you're trying to close.

Reduced Fraud Risk

Controls that segregate duties and restrict access genuinely reduce fraud risk. The control isn't just for the auditors—it protects the company.

Better Decision-Making

When controls ensure data integrity, you can trust the data for decision-making. Controls aren't just about financial reporting—they're about having reliable information.

Operational Consistency

Documented, enforced controls create consistent processes. New employees can follow established procedures. Quality doesn't depend on individual heroics.


Bottom Line

SOX compliance isn't about satisfying auditors—it's about building controls that protect your financial reporting while minimizing operational burden. Companies that treat compliance as a checkbox exercise spend more time and money than companies that build it into their operations.

The question isn't "what do auditors want?" It's "what controls do we actually need?" Get that right, and auditor satisfaction follows. Build controls into your systems rather than layering manual processes on top. Automate where possible. Document as you build. Test your own controls before auditors do.

The right customizations can make compliance nearly automatic. The wrong approach—or no approach—means annual fire drills and escalating audit costs.

Invest in sustainable compliance. It's less work over time, and it actually protects your company.

Ready to Work Together?

Let us talk about your NetSuite challenges and how we can help. No pressure, no sales pitch. Just a straightforward conversation.

Author

Michael Strong

Founder & Principal Architect