Prepping Your ERP for SOX: Lessons Learned from Working With Unicorns

A Guest Post by Strongpoint, an Anchor Group Partner

Whether you’re headed towards an IPO or looking to rethink how your organization manages SOX compliance, your ERP system is a key part of the equation. By choosing NetSuite, you have a lot of tools at your disposal that can make passing an audit simpler. But, NetSuite alone can only get you part of the way there. You need to incorporate it into a comprehensive governance, risk and compliance (GRC) framework.

What does that look like for IT and Business Systems teams? In this post, we’ll talk a little bit about what we’ve learned at Strongpoint helping some of the biggest unicorn companies of the past few years prep their ERP systems for compliance.

Prepping your ERP for SOX

A ‘Double Audit’: Management vs. External Auditors

SOX compliance for NetSuite starts with a two-tiered review of your systems and controls. First is the ‘Management’ audit: Section 404(a). 404(a) is an annual evaluation of a company’s internal controls over financial reporting (ICOFR). It should involve a thorough review and risk assessment of your processes around financial data and financial reporting. The goal is to identify where controls are needed to mitigate risk.

If that wasn’t fun enough, 404(a) is only the precursor to the full external audit required by Section 404(b). This is where your external auditors will come in and ask: have the risks identified in Section 404(a) been mitigated? Have any risks been overlooked?

As you can imagine, 404(b) is a much more extensive process than the management review. Expect a comprehensive review of the design and implementation of your controls, as well as random record sampling to determine the overall effectiveness of the system.

Audit Prep in Four Steps

One thing we’ve learned is that if you’re proactive in 404(a), and build out appropriate controls and automation, 404(b) will be a lot faster and easier. A process-based, systematic approach is incredibly beneficial here.

To do this effectively, we recommend starting with your key financial reports and working backward. What touches the data going into that reporting? What systems and processes does that data go through?

Step One: Risk Assessment and Scoping

The first step in the audit process is to conduct a SOX risk assessment. Working with your auditor, you’ll determine which processes and systems can affect financial reporting, and identify broadly what’s in scope and where controls need to focus.

Step Two: Design Assessment

In this step, you’ll look closer at your business processes to get a better sense of how financial data flows through the system. Then you’ll work with your auditors to document these processes — typically via flow charts, narratives or a risk and control matrix.

Step Three: Implement Controls

After your auditor has identified any risks and gaps in your processes and built out the appropriate controls, you are now in what we call an ‘implemented control environment.’ Ideally, you should at this stage have tightly managed systems that will make it easy to go into an external audit.

Step Four: Assess Controls

Finally, you’ll want to assess whether your implemented control environment is effective. Testing controls and operations helps you confirm their effectiveness, identify exceptions, remediate any issues found, and re-assess as needed.

A Closer Look at IT Controls

So far, we’ve talked a lot about controls in relation to business processes, but we haven’t looked closely at what makes an effective control from an IT standpoint — and what your auditors will want to see. Here, again, the first question to ask is: what’s in scope?

Answering this question requires asking a few more: Where is data starting and ending? Are there functionalities in the system that mitigate risk? If so, that’s a control and that system is in scope.

Journal entries in NetSuite are a great example. If you have a rule in place (which you should) that prevents a user from creating and approving the same journal entry, that’s a control and it’s in scope for SOX. Auditors will want to see that you can prove that it’s effective and that any changes to it are reviewed and approved by the proper authority.
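As an added illustration (not Strongpoint's or NetSuite's own code), the check below tests that creator-does-not-approve rule over a constructed set of journal entry records, and includes the kind of random record sampling an external auditor applies; the record fields and user names are assumptions, not a real NetSuite export.

```python
"""Segregation-of-duties test for journal entries (added example).

Assumes each entry has been exported with who created it and who approved
it; field names below are assumptions, not NetSuite's actual schema.
"""
import random
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class JournalEntry:
    tran_id: str
    created_by: str
    approved_by: Optional[str]  # None = still pending approval
    amount: float


def sod_violations(entries: List[JournalEntry]) -> List[JournalEntry]:
    """Entries where the same user created and approved: a control failure."""
    return [e for e in entries
            if e.approved_by is not None and e.approved_by == e.created_by]


def sample_for_testing(entries: List[JournalEntry], n: int, seed: int) -> List[JournalEntry]:
    """Deterministic random sample, mirroring an auditor's record sampling."""
    rng = random.Random(seed)  # fixed seed so the sample can be reproduced for the auditor
    return rng.sample(entries, min(n, len(entries)))


def control_effectiveness(entries: List[JournalEntry]) -> float:
    """Share of approved entries that satisfy creator != approver (1.0 = no exceptions)."""
    approved = [e for e in entries if e.approved_by is not None]
    if not approved:
        return 1.0
    return 1.0 - len(sod_violations(approved)) / len(approved)


# Constructed sample records, not real data.
SAMPLE = [
    JournalEntry("JE-1001", "alice", "bob", 1200.00),
    JournalEntry("JE-1002", "bob", "bob", 500.00),    # creator approved own entry
    JournalEntry("JE-1003", "carol", None, 75.50),     # pending, not yet testable
    JournalEntry("JE-1004", "alice", "dave", 9800.00),
]

if __name__ == "__main__":
    for e in sod_violations(sample_for_testing(SAMPLE, 3, seed=1)):
        print(f"EXCEPTION {e.tran_id}: {e.created_by} approved their own entry")
    print(f"control effectiveness: {control_effectiveness(SAMPLE):.0%}")
```

An exception list that is empty over a sufficiently large sample is the evidence auditors look for; any hit is a remediation item for Step Four.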

Auditing Standards

Systems in scope for SOX must be supported by IT General Controls (ITGC). ITGCs are the foundation on which compliance is built. They’re a pervasive set of controls around access, change management, program development and computer operations that ensure accurate, airtight financial reporting and revenue recognition across the whole organization.

NetSuite touches a lot of different business processes — order-to-cash, financial reporting, procure-to-pay — so it’s obviously of serious concern to auditors. By building out automation around change controls and access management, you can eliminate much of the manual work and uncertainty of audit prep.

That’s exactly what we designed Strongpoint to do. To learn more, visit our SOX page or check out the panel webinar we recently held with a group of systems experts who’ve been through IPO before and know what it takes to get ready for an audit.