NetSuite is a cloud-based enterprise resource planning (ERP) software suite that includes finance and accounting (general ledger), customer relationship management (CRM), and e-commerce core capabilities. In most companies the software is used by multiple employees across different segments of the business, which means many users have direct access to a wide variety of data points, key business information, and financial and operational reports.
Though NetSuite offers controls and security options to refine user access in accordance with the needs of each user’s job function, many companies don’t take full advantage of these tools. With a little forethought and planning, however, companies can add business rules and configuration settings to better protect financial information, maintain data accuracy, and reduce the likelihood of fraudulent behavior.
Some real-world examples include:
Leverage custom workflows to implement vendor approval processes
- Goal: To prevent newly created or recently edited vendors from being paid prior to their being reviewed and approved.
- Background: A private organization with past issues of fraudulent accounts payable (AP) behavior needed a way to make sure vendors were vetted and authorized before cash transactions were booked to those vendors. The company needed to ensure no vendor bills could be entered for a vendor without all necessary information in place and confirmed—such as correct tax ID number, supporting documentation, and accounting approval.
- Solution: MorganFranklin created a vendor approval process for all vendor records. This process dictated that any vendor additions or edits to an existing vendor record would trigger the need for an approval and prevent new payment transactions from being created for this vendor. This solution incorporated additional process control within the weekly AP payment runs and provided a mechanism to further decrease the likelihood of fraudulent activity.
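The gate described above can be modeled in a few lines. The following is an added example, not MorganFranklin's workflow or NetSuite's API: it is plain JavaScript over constructed records, and every field name, ID and timestamp in it is hypothetical. A bill is released only when its vendor has the required information on file and an approval that postdates the vendor's most recent creation or edit.

```javascript
// Added example: models the vendor-approval gate in plain JavaScript.
// All field names and records are constructed; this is not NetSuite's schema or API.
const REQUIRED_FIELDS = ["taxId", "supportingDocs"];
const vendors = [
  { id: "V100", taxId: "00-0000001", supportingDocs: true },
  { id: "V200", taxId: "00-0000002", supportingDocs: true },
  { id: "V300", taxId: "", supportingDocs: true }, // tax ID never captured
];
// Constructed change history: every create/edit invalidates earlier approvals.
const events = [
  { vendorId: "V100", type: "created", at: "2024-03-01T09:00:00Z" },
  { vendorId: "V100", type: "approved", at: "2024-03-02T10:00:00Z" },
  { vendorId: "V200", type: "created", at: "2024-03-01T09:00:00Z" },
  { vendorId: "V200", type: "approved", at: "2024-03-02T10:00:00Z" },
  { vendorId: "V200", type: "edited", at: "2024-03-05T16:30:00Z" },
  { vendorId: "V300", type: "created", at: "2024-03-04T11:00:00Z" },
  { vendorId: "V300", type: "approved", at: "2024-03-04T12:00:00Z" },
];
// Constructed payment run; V999 has no vendor record at all.
const bills = ["V100", "V200", "V300", "V999"].map((vendorId, i) => ({ billId: "B" + (i + 1), vendorId }));

// Returns null when the vendor may be paid, otherwise the reason for the hold.
function holdReason(vendor, history) {
  if (!vendor) return "unknown vendor";
  const missing = REQUIRED_FIELDS.filter((f) => !vendor[f]);
  if (missing.length) return "missing " + missing.join(", ");
  let lastChange = -Infinity, lastApproval = -Infinity;
  for (const e of history.filter((h) => h.vendorId === vendor.id)) {
    const t = Date.parse(e.at);
    if (e.type === "approved") lastApproval = Math.max(lastApproval, t);
    else lastChange = Math.max(lastChange, t);
  }
  if (lastApproval === -Infinity) return "never approved";
  return lastApproval > lastChange ? null : "changed after approval";
}

// Splits a payment run into bills to release and bills to hold for review.
function screenPaymentRun(run, vendorList, history) {
  const byId = new Map(vendorList.map((v) => [v.id, v]));
  const result = { release: [], hold: [] };
  for (const bill of run) {
    const reason = holdReason(byId.get(bill.vendorId), history);
    if (reason) result.hold.push({ billId: bill.billId, reason });
    else result.release.push(bill.billId);
  }
  return result;
}
console.log(screenPaymentRun(bills, vendors, events));
```

With the sample data, only the bill for V100 is released; the other three are held with a reason an AP reviewer can act on.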
Leverage custom workflows to use Lock Record actions
- Goal: To provide better financial data control and enhanced data integrity on already posted transactions in accounting periods that were not locked or closed.
- Background: A publicly traded financial services company needed controls in place to prevent user edits on already approved and posted transactions in the general ledger (GL). This continued to be an issue due to a longer accounting close process that saw users editing and revising already posted transactions, which overrode previous efforts and led to varied account balance fluctuations.
- Solution: MorganFranklin trained accounting users to use Lock Record actions in custom workflows once accounting transactions were approved and posted. This capability prevented edits to already approved transactions and added further control to the month-end close process.
Develop saved search alerts
- Goal: To automatically alert key accounting personnel whenever critical activities are performed within the accounting system (such as editing accounting periods and adding banking information to vendors or employees).
- Background: The CFO of an investment bank with more than 50 subsidiaries wanted to receive alerts any time accounting periods were locked by accounting managers of individual subsidiaries to foster a more cohesive corporate accounting close process.
- Solution: MorganFranklin configured saved search email alerts that get automatically triggered when accounting periods are locked and reopened. The CFO uses these system alerts to better manage and have visibility into the month-end close process for all business units as the organization works towards a five-day month-end close schedule.
Develop custom workflows to hide sensitive fields from certain users
- Goal: Hide information (such as critical tax IDs, personally identifiable information, and other critical corporate assets) from users who do not need access to this sensitive information.
- Background: A financial services company wanted to reduce risk by protecting sensitive corporate information. NetSuite is often directly integrated with third-party systems, with key information passed between the two. With NetSuite as the accounting system, it often does not make practical sense for many sensitive data objects (such as partner compensation, commissions, employee tax IDs and home addresses) to be visible to all users. The client in question needed a way to implement field-level internal controls to prevent certain fields from being visible to all NetSuite users.
- Solution: MorganFranklin used a combination of SuiteFlow Set Field Display Type actions and custom field permission settings to explicitly prevent particular user roles from viewing sensitive fields on transactions and in reports. This allowed the accounting team to add a level of privacy and safety to their NetSuite environment, keeping sensitive information secure and reducing company risk exposure.
Implement a governance, risk management, and compliance (GRC) tool, such as StrongPoint, to automate change control processes
- Goal: Implement an automated, auditable change control process directly in NetSuite to support change management leading practices.
- Background: A publicly traded financial services company wanted extremely detailed system controls and auditable application management information within a change control framework that NetSuite couldn’t provide natively.
- Solution: The client, in partnership with MorganFranklin, implemented StrongPoint as the change control framework within NetSuite, expanding NetSuite’s auditable capabilities and application documentation. With StrongPoint implemented, change requests were required to be created and approved prior to making system updates or changes, following a change management best practice of defining the change, assessing change impact, approving the change, testing the resolution, approving the resolution for production migration, and documenting the entire project.
Distinguish audience and access permissions on custom reports and saved searches
- Goal: Better manage users who have edit and view access to custom financial reports, providing edit access to users most equipped to maintain reports while granting other users access to only view the report.
- Background: NetSuite allows reports to be marked private, public, or shared, but many companies ignore this setting and, by default, mark all custom reports public for editing. This can lead to confusion by end users and poses a risk to financial data accuracy if key reports can be edited by a wide population of end users.
- Solution: MorganFranklin provided training to users on distinguishing audience and access permissions when building custom reports and saved searches (with audience defining users who can see, view, and export reports and access defining users who have editing capabilities). In addition, MorganFranklin helped the client restrict the audience and access of already existing critical reports to further reduce the population of custom reports available and provide a manageable process for building custom reports in the future.
Clean up outdated, single-use reports
- Goal: To increase data accuracy and integrity by ensuring current financial reports are not intermingled with older, single-use reports containing irrelevant or inaccurate data.
- Background: Many companies create reports within NetSuite for specific point-in-time use cases but never return to delete or inactivate these reports once the need is met. This often leads to a large population of custom reports with specific data sets that remain active within the NetSuite environment despite not having been run for months or years, and that often contain inaccurate, outdated information.
- Solution: MorganFranklin helped our financial services client develop a report management convention that took a more holistic approach as opposed to creating single-use custom reports. For example, vendor-specific reports were updated to allow the reports to be used for all vendors. Also, a custom department expense register used for one business unit was standardized for use by all business units. In addition, MorganFranklin worked with the client’s NetSuite administrator to develop regularly scheduled intervals during which the population of custom reports gets assessed; reports no longer applicable to the business are archived and deleted from NetSuite.
If your company uses or is considering NetSuite ERP, MorganFranklin can help. Our consultants have deep knowledge of NetSuite leading practices and can help you configure the tool to address your current challenges, scale alongside business growth, and support faster, smarter transaction processing capabilities.