Why Role Customization > Standard Roles in NetSuite Matters
By Jeff Hare
Written by Connor Thompson, CIA, CISA
In NetSuite, standard roles present significant challenges related to sensitive access risks and segregation of duties (SoD) conflicts.
Why, you ask? Because standard roles carry many permissions that are not appropriate for the job function they are meant to serve. Many modules have only one standard role, which leaves no way to assign a narrowly scoped role to users who need just part of that module. For example, standard roles such as the Accounts Payable (A/P) Clerk, Buyer, and Accounts Receivable (A/R) Clerk are overprovisioned with a broad range of permissions, reaching into modules those users should not have access to. Overprovisioned roles lead to excessive access risks and segregation of duties conflicts, and many of these will not be adequately managed through mitigating controls. Poor role design increases compliance, cyber security, fraud, financial reporting, data security, and operational risks.
For instance, the standard Buyer role not only has access to create and maintain purchase orders but also has access to enter goods receipts, maintain vendor master data, and enter AP invoices. The Buyer role provides users with complete access over the procure-to-pay cycle, which poses a significant fraud risk. On top of that, the Buyer role has access to other permissions that should not be assigned based on the expected job function of procurement employees assigned the Buyer role.
Examples
The following (Figure 1) shows the permissions assigned to the Buyer role:
Similarly, an A/P Clerk has access to a number of permissions not typically needed by an A/P Clerk. If you look at Figure 2, you will see the A/P Clerk role has “Edit” access to: Items, Classes, Requisition, Purchase Order, Receive Order, and Accounting Lists.
As you can see from these two examples, role customization is essential. If standard roles are used, more manual controls are necessary than if the roles were customized.
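To make the two examples above concrete, here is an added example (not code from the original post, and not NetSuite's own permission model) that models role permissions as sets and checks them against a small segregation-of-duties rule set. The permission names, the role contents and the rules are constructed from the post's description of the Buyer and A/P Clerk roles; the custom roles show the kind of split the post recommends. It also checks the union of several roles held by one user, since a clean role set can still produce a conflict at the user level.

```python
"""Added example (not from the original post or from NetSuite): model role
permissions as sets and flag segregation-of-duties (SoD) conflicts.

The permission names, the role contents and the conflict rules are
constructed assumptions built from the post's description of the Buyer
and A/P Clerk roles; they are not NetSuite's real permission identifiers.
"""

# Constructed permission model. "edit" means the role can create or change
# the record; "view" means read-only access.
STANDARD_ROLES = {
    # The post: Buyer can create POs, enter goods receipts, maintain vendor
    # master data and enter AP invoices (the whole procure-to-pay cycle).
    "Buyer": {"purchase_order.edit", "item_receipt.edit",
              "vendor.edit", "vendor_bill.edit"},
    # The post: A/P Clerk has Edit on Items, Classes, Requisition, Purchase
    # Order, Receive Order and Accounting Lists on top of AP invoice entry.
    "A/P Clerk": {"vendor_bill.edit", "items.edit", "classes.edit",
                  "requisition.edit", "purchase_order.edit",
                  "item_receipt.edit", "accounting_lists.edit"},
}

# Custom roles split the cycle so no single role holds a conflicting pair.
CUSTOM_ROLES = {
    "Buyer (custom)": {"purchase_order.edit", "requisition.view", "vendor.view"},
    "Receiving Clerk (custom)": {"item_receipt.edit", "purchase_order.view"},
    "A/P Clerk (custom)": {"vendor_bill.edit", "vendor.view", "purchase_order.view"},
    "Vendor Master Admin (custom)": {"vendor.edit"},
}

# SoD rule set: pairs of duties one person should not hold together.
SOD_RULES = [
    ("purchase_order.edit", "item_receipt.edit", "create PO and receive goods"),
    ("purchase_order.edit", "vendor_bill.edit", "create PO and enter AP invoice"),
    ("item_receipt.edit", "vendor_bill.edit", "receive goods and enter AP invoice"),
    ("vendor.edit", "vendor_bill.edit", "maintain vendor master and enter AP invoice"),
    ("vendor.edit", "purchase_order.edit", "maintain vendor master and create PO"),
]


def conflicts_for(permissions):
    """Return the SoD rule descriptions violated by one permission set."""
    return [desc for a, b, desc in SOD_RULES
            if a in permissions and b in permissions]


def review_roles(roles):
    """Map each role name to its list of SoD conflicts (empty = clean)."""
    return {name: conflicts_for(perms) for name, perms in roles.items()}


def user_conflicts(assigned_roles, roles):
    """SoD conflicts created by the union of every role a user holds.
    Even well-designed custom roles conflict if one user is given several."""
    effective = set().union(*(roles[r] for r in assigned_roles))
    return conflicts_for(effective)


if __name__ == "__main__":
    for label, roles in (("standard", STANDARD_ROLES), ("custom", CUSTOM_ROLES)):
        print(f"--- {label} roles ---")
        for name, found in review_roles(roles).items():
            print(f"{name}: {len(found)} conflict(s) {found}")
    combo = ["Receiving Clerk (custom)", "A/P Clerk (custom)"]
    print("user holding", combo, "->", user_conflicts(combo, CUSTOM_ROLES))
```

Run as a script, it lists five conflicts for the standard Buyer role and three for the standard A/P Clerk, none for any single custom role, and one conflict (receive goods and enter AP invoice) for a user who is given both the Receiving Clerk and A/P Clerk custom roles. The rule list is the part to maintain: it should mirror the SoD matrix the organization actually uses.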
Mitigating Issues
The manual mitigating controls that would likely have to be implemented might include automated alerts, or an employee periodically pulling a population of transactions and master data audit trails to verify the accuracy of the data. An example would be pulling a population of inserts, updates, and deletes to vendor master data to verify there were no unauthorized changes to supplier master data by someone intending to commit fraud.
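The periodic review described above, as an added example (not code from the original post, and not NetSuite's own export format or API): a small script that reads an export of vendor master changes and returns findings for changes by users outside the authorized group, changes to sensitive fields with no approval on file, and vendors that were inserted and then deleted within the period. The CSV layout, user names, roles and approval list are constructed for the example.

```python
"""Added example (not from the original post or from NetSuite): review an
export of vendor master change history for changes that were not authorized.

The CSV layout, user names, roles and the authorization data below are
constructed for the example; they are not NetSuite's real export format.
"""
import csv
import io

# Constructed export: one row per change on a vendor record. A "record"
# row with new_value INSERT/DELETE represents creation/deletion of the vendor.
AUDIT_EXPORT = """\
date,user,role,vendor,field,old_value,new_value
2024-03-01,jpatel,Vendor Master Admin (custom),ACME Supply,address,1 Main St,2 Main St
2024-03-02,mlee,Buyer,ACME Supply,bank_account,12345678,87654321
2024-03-02,mlee,Buyer,ACME Supply,payment_terms,Net 30,Net 7
2024-03-03,jpatel,Vendor Master Admin (custom),Globex,bank_account,11112222,11113333
2024-03-04,rkim,A/P Clerk,New Vendor LLC,record,,INSERT
2024-03-05,rkim,A/P Clerk,New Vendor LLC,record,INSERT,DELETE
"""

# The control being tested: only these users may change vendor master data.
AUTHORIZED_USERS = {"jpatel"}
# Fields whose change should always have a documented approval.
SENSITIVE_FIELDS = {"bank_account", "payment_terms", "tax_id"}
# Approvals on file for the period, keyed by (vendor, field). Constructed.
APPROVALS = {("Globex", "bank_account"): "controller"}


def review_vendor_changes(export_text, authorized_users, sensitive_fields, approvals):
    """Return findings as (date, user, vendor, field, reason) tuples."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        where = (row["date"], row["user"], row["vendor"], row["field"])
        if row["user"] not in authorized_users:
            findings.append(where + (
                f"change by unauthorized user holding role '{row['role']}'",))
        if row["field"] in sensitive_fields and \
                (row["vendor"], row["field"]) not in approvals:
            findings.append(where + ("sensitive field changed without approval on file",))
    return findings


def short_lived_vendors(export_text):
    """Vendors inserted and deleted within the export period, with the
    user who did both: a pattern reviewers typically want explained."""
    inserted, deleted = {}, {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["field"] == "record" and row["new_value"] == "INSERT":
            inserted[row["vendor"]] = row["user"]
        elif row["field"] == "record" and row["new_value"] == "DELETE":
            deleted[row["vendor"]] = row["user"]
    return {v: (inserted[v], deleted[v]) for v in inserted if v in deleted}


if __name__ == "__main__":
    for f in review_vendor_changes(AUDIT_EXPORT, AUTHORIZED_USERS,
                                   SENSITIVE_FIELDS, APPROVALS):
        print(*f, sep=" | ")
    print("inserted and deleted in period:", short_lived_vendors(AUDIT_EXPORT))
```

The approved change by jpatel produces no finding; the two edits by the Buyer-role user produce two findings each (unauthorized user, and sensitive field without approval), and the insert and delete of New Vendor LLC by an A/P Clerk produce one finding each plus a short-lived-vendor entry. In practice the authorized user list and approvals would be loaded from the organization's records rather than hard-coded.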
Fortunately, NetSuite has strong system-generated audit trails which can be leveraged to monitor user activities. However, IT-dependent manual controls, such as periodic reconciliations and supervisory reviews, are not ideal because they increase the work management must do to have an effective control environment and will ultimately increase the cost of your audit.
Although these mitigating controls can help reduce the effects of poor role design, they will lead to greater expenses and a higher risk of fraud and errors than if well-designed, customized roles were implemented.
IT application controls, such as workflow approvals, would also serve as mitigating controls, but workflows are not available to address all risks.
Where Custom Roles Come In
Despite the measures mentioned, many organizations may still struggle to maintain a strong set of controls to effectively manage the risks associated with standard NetSuite roles. The complexity and resource-intensive nature of implementing and maintaining comprehensive controls can be overwhelming when access controls are poor. This is especially true for smaller organizations with limited resources. Therefore, to mitigate the inherent risks associated with the lack of standard role granularity in NetSuite, organizations should prioritize the development of custom roles to comply with the principle of least privilege. This involves creating and maintaining customized roles with specific, limited permissions tailored to distinct job functions. This approach minimizes the overlap of duties and enhances overall security.
Another significant benefit of using custom roles is that they remove the risk that a NetSuite release occurs and adds permissions to users not appropriate for them. Standard roles regularly have new features added as part of NetSuite’s semi-annual patch. This may seem like a bonus because users gain new functionalities. But in reality, this could also introduce unwanted risks, allowing a user (or group of users) to undermine your compliance, cyber security, fraud, financial reporting, data security, and operational controls.
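The release-drift risk described above can be checked mechanically: snapshot a role's permission list before and after a release and report what was added or escalated. The following is an added example (not code from the original post, and not a NetSuite feature); the permission names, level names and both snapshots are constructed for the example.

```python
"""Added example (not from the original post or from NetSuite): compare two
snapshots of a role's permission list, taken before and after a release,
and report permissions that were added, escalated or removed.

Permission names, level names and the snapshots are constructed.
"""

# Constructed ordering of access levels, lowest to highest.
LEVELS = {"none": 0, "view": 1, "create": 2, "edit": 3, "full": 4}

# Constructed snapshots of a standard role's permissions.
BEFORE = {"Purchase Order": "edit", "Vendors": "view", "Item Receipt": "view"}
AFTER = {"Purchase Order": "edit", "Vendors": "edit", "Item Receipt": "view",
         "Vendor Bills": "create"}

# Permissions the organization has decided this role must never gain.
WATCHLIST = {"Vendors": "view", "Vendor Bills": "none", "Item Receipt": "view"}


def permission_drift(before, after):
    """Return (added, escalated, removed) between two permission snapshots.
    escalated maps permission -> (old_level, new_level)."""
    added = {p: lvl for p, lvl in after.items() if p not in before}
    escalated = {p: (before[p], lvl) for p, lvl in after.items()
                 if p in before and LEVELS[lvl] > LEVELS[before[p]]}
    removed = {p: lvl for p, lvl in before.items() if p not in after}
    return added, escalated, removed


def watchlist_breaches(after, watchlist):
    """Permissions in the new snapshot that exceed the maximum level the
    organization allows for this role."""
    return {p: lvl for p, lvl in after.items()
            if p in watchlist and LEVELS[lvl] > LEVELS[watchlist[p]]}


if __name__ == "__main__":
    added, escalated, removed = permission_drift(BEFORE, AFTER)
    print("added:", added)
    print("escalated:", escalated)
    print("removed:", removed)
    print("breaches:", watchlist_breaches(AFTER, WATCHLIST))
    # A custom role that the release does not touch shows no drift.
    print("custom role drift:", permission_drift(BEFORE, BEFORE))
```

On the constructed snapshots the release added Vendor Bills at create level and escalated Vendors from view to edit; both exceed the role's watchlist limits, while the untouched custom role shows no drift at all. Running this after each release, against every standard role still in use, turns the risk the post describes into a routine check.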
One final benefit of using custom roles is that the assignment of Global Permissions should no longer be necessary. This can be a bit tricky in some organizations, but it is possible.
Landing the Plane
In conclusion, while NetSuite offers powerful ERP capabilities, the use of standard roles poses significant challenges. These challenges include managing sensitive access risks and eliminating unmitigated SoD conflicts. Implementing a combination of IT application and manual controls can help mitigate these risks, but achieving an effective security posture that way requires continuous effort and resources. Organizations should therefore remain vigilant and proactive, refining their role definitions and creating customized roles to meet their specific business and control needs.
Need more information or direction on how you can take next steps with custom roles in your NetSuite environment? We’re here to help! Email us at support@erpra.net.