Whether you're preparing for an IPO or reconsidering your organization's management of SOX compliance, your ERP system plays a crucial role. By selecting NetSuite, you gain access to numerous tools that simplify the auditing process. However, relying solely on NetSuite will only take you part of the way; you'll need to integrate it within a broader governance, risk, and compliance (GRC) framework.
What does this mean for IT and business system teams? In this article, we’ll share insights from our experience at Strongpoint, assisting some of the most notable unicorn companies in recent years to prepare their ERP systems for compliance.
A ‘Double Audit’: Management vs. External Review
Achieving SOX compliance with NetSuite begins by conducting a dual-layer review of your systems and controls. First is the ‘Management’ audit: Section 404(a). This section involves an annual review of your company's internal controls over financial reporting (ICOFR). It should encompass a thorough evaluation and risk analysis of your financial data and reporting practices. The aim is to pinpoint where controls are necessary to reduce risk.
If that sounds demanding, Section 404(a) is merely the starting point before the comprehensive external audit mandated by Section 404(b). This is when external auditors will step in to inquire: have the risks highlighted in Section 404(a) been addressed? Were any risks missed?
As you might expect, 404(b) entails a more extensive procedure than the management review. Anticipate a thorough evaluation of the setup and implementation of your controls, coupled with random sampling of records to gauge the overall effectiveness of the system.
Preparing for the Audit in Four Steps
A key takeaway is that being proactive in Section 404(a) and establishing necessary controls and automation can make Section 404(b) considerably quicker and simpler. Adopting a process-oriented, systematic approach is greatly advantageous.
To implement this effectively, we suggest beginning with essential financial reports and tracing backwards. What data contributes to that reporting? What systems and processes does that data navigate through?
Step One: Risk Evaluation and Scoping
The initial step in the audit procedure involves conducting a SOX risk evaluation. Collaborating with your auditor, you will ascertain which processes and systems may influence financial reporting and broadly identify what falls within scope and where controls must be concentrated.
Step Two: Design Review
Next, a closer examination of your business operations will provide insights into the journey of financial data through the system. You will then collaborate with your auditors to document these processes, usually through flowcharts, narratives, or a risk and control matrix.
Step Three: Implementing Controls
Once your auditor has pinpointed risks and shortcomings within your processes and has developed the necessary controls, you become what we term an 'implemented control environment.' Ideally, at this juncture, you should have well-managed systems in place, facilitating a smoother transition into an external audit.
Step Four: Evaluating Controls
Finally, it’s crucial to assess the effectiveness of your implemented control environment. Testing controls and operations will help confirm their efficacy, detect any exceptions, address issues found, and re-evaluate as needed.
A Detailed Examination of IT Controls
Up to this point, we’ve extensively discussed controls in relation to business processes, but we have yet to delve into what constitutes an effective control from an IT perspective - and what auditors expect to see. Here, again, the initial question to ask is: what’s within scope?
Addressing this query involves asking additional questions: Where does data originate and where does it end up? Are there functionalities in the system that mitigate risk? If so, that functionality constitutes a control, and the system that enforces it is therefore in scope.
Journal entries in NetSuite serve as an excellent illustration. If you enforce a rule (which you should) preventing a user from both creating and approving the same journal entry, that rule is a segregation-of-duties control and brings journal entry processing into SOX scope. Auditors will want evidence that the control operates effectively and confirmation that any modifications to it undergo review and approval by the appropriate authority.
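To make the journal-entry example concrete, the following script is an added illustration, not code from the article or from Strongpoint's product, and it does not call any NetSuite API. It assumes a constructed role-to-permission matrix and a constructed list of journal entries (the names, role labels and entry ids are all invented) and runs two checks an auditor would recognise: a preventive check for users whose roles let them both create and approve entries, and a detective check over the posted entries for any that were approved by their own creator. The second check is kept separate on purpose: in the sample data one user self-approves an entry even though the role matrix would not have allowed it, which is exactly the kind of exception a detective review over actual records catches and a design review of roles alone would miss.

```python
"""Segregation-of-duties review for journal entries (added example, constructed data)."""

# Constructed role matrix: which permissions each role grants (hypothetical labels).
ROLE_PERMISSIONS = {
    "AP Clerk": {"je_create"},
    "Controller": {"je_approve"},
    "Admin": {"je_create", "je_approve"},
}

# Constructed user-to-role assignments.
USER_ROLES = {
    "alice": ["AP Clerk"],
    "bob": ["Controller"],
    "carol": ["Admin"],
}

# Constructed journal entry records, as a system export might look after flattening.
JOURNAL_ENTRIES = [
    {"id": "JE-1001", "created_by": "alice", "approved_by": "bob", "status": "approved"},
    {"id": "JE-1002", "created_by": "carol", "approved_by": "carol", "status": "approved"},
    {"id": "JE-1003", "created_by": "alice", "approved_by": None, "status": "pending"},
    {"id": "JE-1004", "created_by": "bob", "approved_by": "bob", "status": "approved"},
]

# The pair of permissions that a single user must never hold together.
CONFLICTING = {"je_create", "je_approve"}


def effective_permissions(user, user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions granted by every role assigned to the user."""
    perms = set()
    for role in user_roles.get(user, []):
        perms |= role_permissions.get(role, set())
    return perms


def users_with_conflicting_access(user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS):
    """Preventive check: users whose role design lets them both create and approve."""
    return sorted(
        user
        for user in user_roles
        if CONFLICTING <= effective_permissions(user, user_roles, role_permissions)
    )


def self_approved_entries(entries=JOURNAL_ENTRIES):
    """Detective check: entries whose creator and approver are the same person.

    Pending entries (no approver yet) are not exceptions; they are still awaiting review.
    """
    return [
        entry["id"]
        for entry in entries
        if entry["approved_by"] is not None and entry["created_by"] == entry["approved_by"]
    ]


def evidence_summary(entries=JOURNAL_ENTRIES, user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS):
    """Summary suitable for an audit workpaper: population size, exceptions, exception rate."""
    exceptions = self_approved_entries(entries)
    return {
        "entries_reviewed": len(entries),
        "self_approved": exceptions,
        "exception_rate": len(exceptions) / len(entries) if entries else 0.0,
        "users_with_conflicting_access": users_with_conflicting_access(user_roles, role_permissions),
    }


if __name__ == "__main__":
    for key, value in evidence_summary().items():
        print(f"{key}: {value}")
```

Run against a real export, the two lists are the items an auditor will ask you to explain: a conflicting-access finding is a design deficiency in the role matrix, while a self-approved entry is an operating exception that needs a documented root cause (here, a user exercising a permission the role matrix never granted) and a remediation record.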
Audit Standards
Systems subject to SOX regulations must be underpinned by IT General Controls (ITGC). ITGCs create the foundation for compliance. They are a comprehensive set of controls covering access, change management, program development, and computer operations, and they exist to ensure accurate and reliable financial reporting and revenue recognition throughout the organization.
Given that NetSuite impacts various business processes - from order-to-cash to financial reporting and procure-to-pay - it understandably raises significant concerns for auditors. By establishing automation around change controls and access management, you can reduce much of the manual effort and uncertainty associated with audit preparation.
This was precisely the purpose behind designing Strongpoint. To further explore, visit our SOX page or check out the panel webinar we recently hosted featuring systems experts who have navigated IPOs and know what it takes to prepare for an audit.
