If you have a NetSuite OneWorld account with subsidiaries that transact with each other, chances are that you’ve created a Journal Entry backdoor that results in a segregation of duties violation. This series will help you learn to detect and fix the issue, hopefully before your auditors do or someone exploits it.
- Are you on a NetSuite OneWorld account with multiple subsidiaries?
- Does your Period Close Checklist (Setup >> Accounting >> Manage Accounting Periods >> Checklist) include an “Eliminate Intercompany Transactions” task?
- Does the role that executes the Period Close Checklist also have the ability to approve journal entries?
If your answer is “yes” to all of the above questions, you most likely have a segregation of duties violation lurking. This series will teach you as a NetSuite Admin how to detect and fix this issue. For auditors, it will teach you how to uncover this situation during your next audit review of a NetSuite account.
NetSuite is primarily a financial system. Good financial systems and processes require (auditable) controls. Auditors have the solemn obligation of periodically reviewing these controls and reporting any violations, which can result in heavy penalties. One such violation is a Segregation of Duties (SoD; a.k.a. Separation of Duties) violation.
Segregation of Duties (SoD)[I] is a basic control principle that requires “more than one person to complete certain key duties to prevent fraud and errors”[II]. NetSuite’s roles and permissions model, which we discussed in a previous article, provides a good foundation for implementing SoD controls. However, as you’ll see shortly, NetSuite can set you up for an SoD situation that is not so straightforward to fix.
Audit Session Gone Sour…
Edet, the NetSuite Admin at Asoville Inc., and the rest of the team entered the annual audit meeting with confidence. However, what looked like a routine exercise quickly went south. Veteran auditor Alexa Ado had seen this particular situation often enough to detect it from afar. So while Edet was presenting the internal controls the team had implemented since going live with NetSuite the previous year, Alexa unexpectedly interrupted her with a short, cold remark: “I think you’ve created a Journal Entry backdoor that constitutes an SoD violation!” He then proved it to her in a few easy steps.
So, what exactly was the problem?
Intercompany Journal Elimination
If, like Asoville Inc., your company has more than one subsidiary, you are most likely on a NetSuite OneWorld account. “OneWorld lets you use a single NetSuite account to manage records and transactions for multiple subsidiaries conducting business across multiple tax jurisdictions involving multiple currencies”[III].
(Advanced) Intercompany Journal Entries (AIJEs) are used to record business activities between subsidiaries. These intercompany transactions result in artificial gains or losses that need to be eliminated from consolidated financial reports. Gladly, NetSuite offers a feature for automating intercompany elimination. Specifically, when the “Automated Intercompany Management” feature (under Setup >> Company >> Enable Features >> Accounting) is turned on, NetSuite automatically generates elimination journal entries based on the intercompany transaction lines and intercompany journal lines marked to be eliminated[IV]. Furthermore, an “Eliminate Intercompany Transactions” task is added to the Period Close Checklist. And this is where it gets interesting…
Period Close Checklist
As the name implies, the Period Close Checklist[V] is a list of tasks that should be performed in order to close an accounting period. (By the way, closing the accounting period is another key internal control.) The Period Close Checklist is usually executed by the Financial Controller, CFO or similar role in NetSuite. Typically, such a role is also responsible for reviewing and approving regular journal entries.
To be clear, I’m not an accountant. But one consistent piece of advice I’ve heard repeated by folks who understand both NetSuite and accounting is that you should avoid journal entries and instead use NetSuite’s higher-level transaction types (invoices, bills, credit memos, etc.) whenever possible (for instance, see this article by Marty Zigman on the subject). The reality, though, is that there are situations where journal entries are necessary. In light of the Segregation of Duties principle, the person who creates a journal entry should not have permission to approve it (i.e. post it to the general ledger). Therefore, an Accounting Analyst or similar role would usually create a journal entry, which then gets reviewed and approved by the Controller, CFO or similar role.
If the NetSuite role responsible for closing the period is also able to approve journal entries and there is an “Eliminate Intercompany Transactions” task on the Period Close Checklist, you are set up for an SoD violation!
Back at Asoville, Edet and her team had detected this potential SoD violation right after they went live with NetSuite. The “ASO Controller” role was responsible for running the Period Close Checklist. This role was also able to approve journal entries via the permission Transactions >> Journal Approval. (Note that if you use a custom journal entry approval workflow, a role may still be able to approve journal entries even without this permission!)
To avoid SoD violations, the “ASO Controller” role was not granted the permission Transactions >> Make Journal Entry. However, when the Controller ran the Period Close Checklist, the “Eliminate Intercompany Transactions” task failed with the following error:
"Permission Violation: You need the 'Transactions -> Make Journal Entry' permission to access this page. Please contact your administrator".
Indeed, adding the permission Transactions >> Make Journal Entry with level “Create” or higher to the “ASO Controller” role fixed the Period Close Checklist task. However, Edet now had to solve the SoD issue. Specifically, she needed to ensure that the Controller could not create and approve their own journal entries, since that combination lets one person post arbitrary entries to the general ledger unchecked, with the potential to commit fraud.
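The permission combination above is something an admin or auditor can check systematically rather than by eyeballing the Roles list. The following is an added example of mine (not code from the article or from NetSuite) that evaluates a list of roles, each described by the permissions and period-close responsibilities you would transcribe from the role record and the checklist. The permission name strings, the `customWorkflowApprover` flag (covering the caveat that a custom approval workflow can grant approval without the Journal Approval permission) and the sample roles are constructed for the example; NetSuite itself orders permission levels View < Create < Edit < Full.

```javascript
// Added example (not from the article): flag NetSuite roles that can both create and
// approve journal entries, and roles whose Period Close task would fail for lack of
// the "Make Journal Entry" permission. Input is a hand-transcribed description of each
// role. NetSuite's permission levels are ordered View < Create < Edit < Full.

const LEVEL_RANK = { NONE: 0, VIEW: 1, CREATE: 2, EDIT: 3, FULL: 4 };
const MAKE_JE = 'Transactions > Make Journal Entry';   // constructed label
const JE_APPROVAL = 'Transactions > Journal Approval'; // constructed label

// role: { name, permissions: { [permissionName]: level }, runsPeriodClose,
//         checklistHasEliminationTask, customWorkflowApprover }
function assessRole(role) {
  const makeLevel = LEVEL_RANK[role.permissions[MAKE_JE] || 'NONE'];
  const canCreate = makeLevel >= LEVEL_RANK.CREATE;
  // Journal Approval at any level, or an approver step in a custom approval workflow,
  // lets the role post journal entries to the general ledger.
  const canApprove = JE_APPROVAL in role.permissions || role.customWorkflowApprover === true;
  const needsCreateForClose = role.runsPeriodClose === true && role.checklistHasEliminationTask === true;

  return {
    name: role.name,
    // Core SoD conflict: the same role can enter and approve a journal entry.
    sodViolation: canCreate && canApprove,
    // The backdoor the article describes: the close role needs Create for the
    // elimination task and already approves journal entries.
    journalBackdoor: needsCreateForClose && canCreate && canApprove,
    // The permission violation Edet hit before granting Make Journal Entry.
    closeWillFail: needsCreateForClose && !canCreate,
  };
}

// Returns only the roles that need attention.
function auditRoles(roles) {
  return roles.map(assessRole).filter(r => r.sodViolation || r.closeWillFail);
}

// Constructed sample roles modelled on the story; not real account data.
const SAMPLE_ROLES = [
  { name: 'ASO Controller (before fix)', permissions: { [JE_APPROVAL]: 'FULL' },
    runsPeriodClose: true, checklistHasEliminationTask: true },
  { name: 'ASO Controller (after fix)', permissions: { [JE_APPROVAL]: 'FULL', [MAKE_JE]: 'CREATE' },
    runsPeriodClose: true, checklistHasEliminationTask: true },
  { name: 'ASO Accounting Analyst', permissions: { [MAKE_JE]: 'CREATE' },
    runsPeriodClose: false, checklistHasEliminationTask: false },
  { name: 'ASO CFO', permissions: { [MAKE_JE]: 'VIEW' }, customWorkflowApprover: true,
    runsPeriodClose: false, checklistHasEliminationTask: false },
];

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  for (const finding of auditRoles(SAMPLE_ROLES)) console.log(finding);
}
```

Run on the sample roles, the pre-fix Controller is reported because the close will fail, and the post-fix Controller is reported as both an SoD violation and the journal entry backdoor; the Analyst and the CFO are clean because each holds only one side of the create/approve pair.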
With the problem clear in her mind, Edet came up with a solution quite fast. She implemented a simple workflow like the one illustrated below that would prevent anyone logged into the “ASO Controller” role from creating a journal entry from the UI.
She ran a test to confirm that this workflow did not interfere with the Period Close Checklist task. (Although the “Eliminate Intercompany Transactions” task creates elimination journal entries, it does so in a non-UI, system context. As long as the workflow that blocks journal entry creation is limited to the UI or other end-user contexts, it will not interfere with this system process.)
Edet was left with CSV imports. Since the “ASO Controller” role does not need to import any records into NetSuite, the easiest solution was to remove the permission Setup >> Import CSV File from the role. She confirmed that this permission change removed the menu item Setup >> Import/Export, which is the standard path to the CSV import functionality. To be somewhat more defensive, she also updated her workflow to run in both the UI and CSV contexts.
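To make the context logic of Edet’s control explicit, here is an added example of mine (not the article’s workflow and not NetSuite code) of a SuiteScript 2.1 User Event script that does what her SuiteFlow workflow does: reject journal entry creation by the Controller role when the request arrives from the UI or a CSV import, and let every other context, including the system context the elimination task runs in, pass through. The decision is a plain function so it can be exercised outside NetSuite. The role script id `customrole_aso_controller`, the context strings used in the stand-alone run and the error name are assumptions; inside NetSuite the contexts come from `runtime.ContextType`. The deny-list is deliberately the same as hers: contexts not on it are simply not checked.

```javascript
/**
 * @NApiVersion 2.1
 * @NScriptType UserEventScript
 */
// Added example (not the article's own workflow): a User Event script deployed on the
// Journal Entry record that mirrors Edet's SuiteFlow logic. The policy decision is a
// pure function; the NetSuite wiring at the bottom only runs inside NetSuite, where the
// AMD `define` function exists.

// request: { isCreate, executionContext, roleId }
// policy.blockedRoles: role script ids that must not create journal entries directly.
// policy.blockedContexts: execution contexts in which the block applies (a deny-list).
function decideJournalCreate(request, policy) {
  if (!request.isCreate) {
    return { blocked: false, reason: 'not a create; edits and approvals are governed elsewhere' };
  }
  if (!policy.blockedRoles.has(request.roleId)) {
    return { blocked: false, reason: 'role ' + request.roleId + ' is not restricted' };
  }
  if (!policy.blockedContexts.has(request.executionContext)) {
    // System processes such as the Period Close elimination task land here.
    return { blocked: false, reason: 'context ' + request.executionContext + ' is not on the deny-list' };
  }
  return {
    blocked: true,
    reason: 'Role ' + request.roleId + ' may not create journal entries from ' + request.executionContext +
            '; have an Accounting Analyst enter it and route it for approval.',
  };
}

// Lists the contexts a policy leaves unchecked, so the scope of the control can be
// reviewed before deployment. `knownContexts` is whatever list the reviewer supplies.
function uncoveredContexts(policy, knownContexts) {
  return knownContexts.filter(c => !policy.blockedContexts.has(c));
}

// Stand-alone demonstration with assumed context names (the real values come from
// runtime.ContextType inside NetSuite).
const DEMO_POLICY = {
  blockedRoles: new Set(['customrole_aso_controller']), // hypothetical role script id
  blockedContexts: new Set(['USERINTERFACE', 'CSVIMPORT']),
};

// SuiteScript entry point; evaluated only inside NetSuite.
if (typeof define === 'function') {
  define(['N/runtime', 'N/error'], function (runtime, error) {
    const policy = {
      blockedRoles: new Set(['customrole_aso_controller']), // hypothetical role script id
      blockedContexts: new Set([runtime.ContextType.USER_INTERFACE, runtime.ContextType.CSV_IMPORT]),
    };
    return {
      beforeSubmit: function (context) {
        const verdict = decideJournalCreate({
          isCreate: context.type === context.UserEventType.CREATE,
          executionContext: runtime.executionContext,
          roleId: runtime.getCurrentUser().roleId,
        }, policy);
        if (verdict.blocked) {
          // Throwing from beforeSubmit aborts the save and shows the message to the user.
          throw error.create({ name: 'SOD_JE_CREATE_BLOCKED', message: verdict.reason });
        }
      },
    };
  });
}
```

Note that `uncoveredContexts` exists precisely because this is a deny-list: it reports which of the contexts you hand it the control never looks at, which is the question to ask of any context-scoped workflow before calling it done.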
This solution appeared rock solid and Edet was pretty impressed with her work. So you can imagine how surprised she was when Alexa (the auditor) easily poked a hole in her solution.
In part 2, I’ll walk you through why this solution is insufficient and provide better alternatives. In the meantime, I’m curious how you would solve this problem if you were in Edet’s shoes. Share your ideas in the comments section below.
[I] Steven Bragg (December 16, 2020). Segregation of Duties Definition. Available at: https://www.accountingtools.com/articles/segregation-of-duties.html. [Accessed: January 28, 2021]
[II] Reciprocity (July 2, 2020). What is Segregation of Duties in Auditing? Available at: https://reciprocitylabs.com/resources/what-is-segregation-of-duties-in-auditing/. [Accessed: January 28, 2021]
[III] NetSuite (March 4, 2011). OneWorld Overview. Available at: https://netsuite.custhelp.com/app/answers/detail/a_id/9870. [Accessed: January 28, 2021]
[IV] NetSuite (August 21, 2011). Automated Intercompany Management Overview. Available at: https://netsuite.custhelp.com/app/answers/detail/a_id/18858. [Accessed: January 28, 2021]
[V] NetSuite (March 4, 2011). Using the Period Close Checklist. Available at: https://netsuite.custhelp.com/app/answers/detail/a_id/7664. [Accessed: January 28, 2021]