Easy Security Fixes for NetSuite: Vendor Setup
By Mark Polino
08/01/2024
Most people involved in accounting understand that when a single user can both manage vendors and manage payments, it is easy to create a fictitious vendor record and route payments to it.
In other words, it’s the fast lane to Fraudville.
In this blog series we’re reviewing quick fixes that improve NetSuite security.
Security Fixes for NetSuite: Separate Master Records and Transactions
Similar schemes involving customers are only slightly more complicated. Payment redirection fraud can be just as damaging and is harder to detect. All of this risk leads to some pretty simple advice: don’t allow users who can manage vendor records to also process payables transactions. The same advice applies to customers and receivables.
In fact, that advice holds throughout an accounting system. Separating master record management from transaction processing is a simple and effective way to improve Segregation of Duties (SoD).
That’s it. The end.
If only it were that simple. NetSuite ships many standard roles with master record access. For example, Vendor access is included in all of these roles:
- A/P Clerk
- Accountant
- CEO
- CFO
- Chief People Officer
- Full Access
- Human Resources
- Administrator
- Marketing Administration
- Store Manager
That is broad access for creating vendors, and many of these roles also have access to various vendor-related transactions.
Customer access is spread just as widely across NetSuite’s included roles. The list includes:
- A/R Clerk
- Accountant
- Advanced Partner Center
- CEO
- CFO
- Marketing Administration
- PM Manager
- Product Manager
- Retail Clerk
- Retail Clerk WS
- Revenue Accountant
- Revenue Manager
- Sales Admin
- Sales Manager
- Sales Person
- Sales VP
- Store Manager
- Support Admin
- Support Person
- Administrator
- Sys Admin
Before we even get to transactions, it’s clear that Vendor and Customer access needs additional restriction. Ideally, users who can create or modify master records would have no access to transactions at all. In small companies, that may not be realistic.
One simple answer for smaller organizations is to swap master record access. For example, A/P Clerks could create Customers and process Vendor transactions, while A/R Clerks create Vendors and process Customer transactions. This at least provides some segregation of duties. Since a NetSuite user can be assigned several roles, the swap only works if no single employee holds both roles.
NetSuite also offers mitigation options, such as a workflow approval for customer or vendor record changes. However, a compensating control like an approval workflow is weaker than preventing the conflict outright, so companies should make a determined effort to separate these functions before falling back on mitigation.
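The conflict rule described above (a role that can write master records must not also post transactions in the same subledger) is mechanical enough to check automatically. The script below is an added example, not NetSuite functionality or code from the original post: it reads a constructed role/permission export in a made-up CSV layout, flags roles that violate the rule, and then repeats the check per user across the union of that user’s roles, which is where the swap advice can quietly break down. The role names borrow from NetSuite’s standard roles, but the permission assignments are invented for illustration, as are the "Swapped" roles and the user list.

```python
"""SoD conflict check: master record write access vs. transactions in the same subledger.

Added example. The CSV export format, permission assignments, "Swapped" roles and
user-to-role mapping below are all constructed for illustration; they are not a
real NetSuite permission export.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export: one row per (role, permission, level).
SAMPLE_EXPORT = """role,permission,level
A/P Clerk,Vendors,Edit
A/P Clerk,Bills,Full
A/P Clerk,Bill Payments,Full
A/R Clerk,Customers,Edit
A/R Clerk,Invoice,Full
A/R Clerk,Customer Payment,Full
Accountant,Vendors,Edit
Accountant,Customers,Edit
Accountant,Bills,Full
Accountant,Invoice,Full
Marketing Administration,Vendors,View
Sales Person,Customers,Create
Sales Person,Sales Order,Create
Swapped A/P Clerk,Customers,Edit
Swapped A/P Clerk,Bills,Full
Swapped A/P Clerk,Bill Payments,Full
Swapped A/R Clerk,Vendors,Edit
Swapped A/R Clerk,Invoice,Full
Swapped A/R Clerk,Customer Payment,Full
"""

# Constructed user-to-role assignments. "sam" holds both swapped roles, which
# recreates the very conflict the swap was meant to remove.
SAMPLE_USER_ROLES = {
    "pat": ["Swapped A/P Clerk"],
    "sam": ["Swapped A/P Clerk", "Swapped A/R Clerk"],
}

# Master record permissions and the transaction permissions in the same subledger.
# A conflict is: master record at a write level + any transaction in the same
# subledger at a write level. View-only access to either side is not a conflict.
SUBLEDGERS = {
    "vendor": {
        "master": {"Vendors"},
        "transactions": {"Bills", "Bill Payments", "Vendor Credits", "Purchase Order"},
    },
    "customer": {
        "master": {"Customers"},
        "transactions": {"Invoice", "Customer Payment", "Credit Memo", "Sales Order"},
    },
}
WRITE_LEVELS = {"Create", "Edit", "Full"}
LEVEL_RANK = {"None": 0, "View": 1, "Create": 2, "Edit": 3, "Full": 4}


def load_permissions(export_text):
    """Parse the CSV export into {role: {permission: level}}."""
    perms = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(export_text)):
        perms[row["role"].strip()][row["permission"].strip()] = row["level"].strip()
    return dict(perms)


def find_conflicts(perms):
    """Return {role: [(subledger, master_perm, transaction_perm), ...]} for every
    role that both writes master records and posts transactions in one subledger.
    Roles with no conflict are omitted."""
    conflicts = defaultdict(list)
    for role, plist in perms.items():
        writable = {p for p, lvl in plist.items() if lvl in WRITE_LEVELS}
        for name, sl in SUBLEDGERS.items():
            for master in sorted(writable & sl["master"]):
                for txn in sorted(writable & sl["transactions"]):
                    conflicts[role].append((name, master, txn))
    return dict(conflicts)


def effective_permissions(perms, roles):
    """Union of permissions across a user's roles, keeping the most permissive level."""
    merged = {}
    for role in roles:
        for perm, lvl in perms.get(role, {}).items():
            if LEVEL_RANK.get(lvl, 0) > LEVEL_RANK.get(merged.get(perm, "None"), 0):
                merged[perm] = lvl
    return merged


def find_user_conflicts(perms, user_roles):
    """Run the same check per user over the combined permissions of all their roles."""
    return {
        user: find_conflicts({user: effective_permissions(perms, roles)}).get(user, [])
        for user, roles in user_roles.items()
    }


if __name__ == "__main__":
    perms = load_permissions(SAMPLE_EXPORT)
    for role, hits in find_conflicts(perms).items():
        print(f"ROLE {role}: {hits}")
    for user, hits in find_user_conflicts(perms, SAMPLE_USER_ROLES).items():
        print(f"USER {user}: {hits or 'no conflict'}")
```

On the constructed data, the standard-style A/P Clerk, A/R Clerk, Accountant and Sales Person roles are flagged, Marketing Administration (view-only) and both swapped roles pass, and user "sam" fails in both subledgers because the union of the two swapped roles puts master records and transactions back in one pair of hands. Against a real account you would replace the sample export with the actual role and user assignments and extend SUBLEDGERS with whatever transaction permissions matter to you.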