Auditing Administration Permissions in Netsuite from release 2021.2

Like all Business Applications, Netsuite has a ‘god mode’ Role that was designed to assist you with getting the Application up and running. During the implementation, you want to make sure that those supporting the process can get into the application, move code, observe & remediate issues, and generally support the project.

The problem is that many organizations continue to use these powerful Roles and Permissions once live and in the Production Environment, causing Auditors a real headache! On the one hand, you want your support operations to be able to resolve critical Production issues at (for example) 3 am a week before year-end, but on the other hand, do these people need all access, all of the time?

The outcome of this argument depends on what level of risk your organization is willing to live with. With modern applications, you have the benefit of being able to put auditing on key transactions, workflow approvals, and other compensating controls. We generally argue for a better ‘least privilege’ approach that balances with the right level of access – but it’s rarely perfect.

What does all this have to do with Netsuite’s second update of 2021?

As part of this release, a new feature called Administration Privileges is available which can be granted to your existing Roles in the application. These Privileges mimic the delivered Administrator Role or ‘God mode’ Role, giving access to pretty much everything in the Application.

Why do you need this? Who knows. For those in auditing, it adds another layer of analysis: you now have to determine who has the Administrator Role and who has these Administrator Privileges. This new functionality can be granted to any existing Role, so the Accounts Payable Administrator can now become a full-on system administrator if that's what you want!

One of the great features of Netsuite is that it allows you to turn on 2 Factor Authentication for Roles. Have a Role that gives sensitive access? Turn on 2 Factor Authentication and have a little more assurance that those using it are the right people at least (this is a key audit point).

So despite this new functionality coming out and creating new risks, there are some features that can help us, including:

* A User with these Privileges can view search results but not edit them, unlike the Administrator Role.

* A User with these Privileges cannot edit Users who hold the Administrator Role. This is a good idea, as it stops a user from locking everyone else out of the Application and causing havoc!

* For more details, you can read the release notes HERE

When auditing Netsuite, keep this functionality in mind as part of your 'Power User' / 'Hypercare' review: list who holds the Administrator Role, which other Roles carry Administration Privileges and who holds them, and whether those Roles require 2 Factor Authentication.
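As an added example (not code from NetSuite or from the original post), the following Python script runs that review over a constructed user/role export. The column names and yes/no values are assumptions for illustration, not a real NetSuite export format.

```python
# Added example: audit a constructed user/role export for the three points the
# review above cares about. Column names are assumptions, not NetSuite's own.
import csv
import io

# Constructed sample export: one row per user/role assignment.
SAMPLE_EXPORT = """\
user,role,admin_privileges,two_factor_required
alice,Administrator,no,yes
bob,Accounts Payable Administrator,yes,no
carol,Accounts Payable Administrator,yes,no
dave,A/P Clerk,no,no
erin,Support Engineer,yes,yes
"""


def load_assignments(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_admin_access(rows):
    """Return findings grouped the way a Power User / Hypercare review needs them."""
    findings = {"administrator_role": [], "admin_privileges": [], "missing_2fa": []}
    for r in rows:
        has_admin_role = r["role"] == "Administrator"
        has_admin_privs = r["admin_privileges"].strip().lower() == "yes"
        if has_admin_role:
            findings["administrator_role"].append(r["user"])
        if has_admin_privs:
            findings["admin_privileges"].append((r["user"], r["role"]))
        # Either path grants near-total access, so both should sit behind 2FA.
        needs_2fa = has_admin_role or has_admin_privs
        if needs_2fa and r["two_factor_required"].strip().lower() != "yes":
            findings["missing_2fa"].append((r["user"], r["role"]))
    return findings


def roles_with_admin_privileges(rows):
    """Map each Role carrying Administration Privileges to the users holding it."""
    by_role = {}
    for r in rows:
        if r["admin_privileges"].strip().lower() == "yes":
            by_role.setdefault(r["role"], []).append(r["user"])
    return by_role


if __name__ == "__main__":
    rows = load_assignments(SAMPLE_EXPORT)
    for section, hits in audit_admin_access(rows).items():
        print(section, hits)
    print("roles carrying Administration Privileges:", roles_with_admin_privileges(rows))
```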

Effective Controls

If you are utilizing the delivered Security and Configuration within your Applications, there is a good chance you have Segregation of Duties violations. Seecuring will assist you with establishing and reporting on the issues you have, through to helping remediate them (which usually represents the biggest and most time-consuming aspect of implementing internal controls). Specifically, Seecuring delivers:

We have been working with ERP/HCM Applications since the early 2000s, and work with leading CPAs, Audit staff and Application specialists to deliver a complete solution.

Before you invest in expensive Software, why not look at GRC as a Service? Faster delivery, lower cost, and more than just reports on your issues - we help Organizations achieve their goals for Internal Controls.

To discuss your requirements, you can schedule a call with us:


