#13 | Part 3 – NetSuite SSAE16 – Practical Tips on How to Review
As part of SOX compliance, if you are using NetSuite, you will need to review the SSAE16 Type II (SOC1) report as proof that you can rely on its controls. In parts 1 and 2, we discussed:
- How to review the report to see if it’s a Type I or Type II. What’s an unqualified opinion?
- How to review the report dates to see how long it’s good for, what a bridge letter looks like, and what user control considerations are
In part 3, we show you, step by step, how to answer the following questions:
I suggest you watch the video. It’s easier to understand if you are a visual/audio learner. The content below is the same as the video. It’s for those who learn by reading.
What controls am I relying on?
We’ve addressed the end user considerations and now we’re going to talk about NetSuite’s controls. These are NetSuite’s procedures that we are relying on in our company. Looking at the NetSuite report, you see the control objectives.
Scan for control exceptions
The way I review the controls section is to scan most of the report. Because I’ve seen so many SOC 1 reports, I know they typically cover system development, change management and system access objectives. I scan the report layout, which lists the control objectives, the specific control descriptions, KPMG’s testing and the results. To do the review quickly, I just scan for “no exceptions noted”; those controls are fine and I don’t read them in detail.
Now, when you see wording other than “no exception” in the Results column, that’s bad. This is where, as a reviewer, we actually need to pay attention. In that case, we note the exceptions and how we would deal with them, to ensure that we can still rely on the report.
Here are examples of exceptions in the report:
Let’s read the control description. It says that HR sends an employee termination notification, as terminations occur, to the security administrators, so that the terminated employee’s access rights to all corporate systems are disabled within 3 business days of the notice. If you read the exception, KPMG tested 40 terminations and identified 1 whose access was not disabled until 16 days after the termination.
NetSuite’s standard says 3 business days to remove access, but for this employee it took 16 days, so that’s an exception and KPMG noted it. From my experience, this finding is fairly typical of SSAE 16 reports. These system access issues happen because, as much as you try to keep a clean operating environment, it’s hard to be 100% perfect.
We continue reviewing the control testing and note the next exception. It says that on a quarterly basis, IT reviews the list of active users and makes sure that any unauthorized users or terminated employees are off the system. This is a detective control.
The first exception we discussed concerns a preventive control. When someone leaves the company, you prevent them from coming back into the system to make an error or do something malicious; you prevent it by locking them out.
If you fail to lock them out, the quarterly review can still detect it. KPMG noted that 1 of the 4 quarterly user reviews didn’t happen.
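To show what testing these two controls looks like in practice, here is an added example (not from the original post, and not NetSuite’s or KPMG’s own procedure): it checks constructed termination records against the 3-business-day standard and lists which quarterly user reviews were missed. The employee ids, dates and weekend-only calendar (no holidays) are assumptions.

```python
from datetime import date, timedelta

SLA_BUSINESS_DAYS = 3  # NetSuite's standard per the SOC 1 report

def business_days_between(start: date, end: date) -> int:
    """Weekdays after `start` up to and including `end`.
    Weekends are skipped; public holidays are not modelled (assumption)."""
    if end < start:
        raise ValueError("access disabled before termination date")
    days, d = 0, start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:  # Monday..Friday
            days += 1
    return days

def find_exceptions(terminations, sla=SLA_BUSINESS_DAYS):
    """Preventive control test: (employee_id, lag) for every termination whose
    access removal exceeded `sla` business days; lag is None if never disabled."""
    exceptions = []
    for emp_id, terminated, disabled in terminations:
        if disabled is None:
            exceptions.append((emp_id, None))
            continue
        lag = business_days_between(terminated, disabled)
        if lag > sla:
            exceptions.append((emp_id, lag))
    return exceptions

def missing_quarterly_reviews(review_dates, year):
    """Detective control test: quarters of `year` with no completed user review."""
    done = {(d.month - 1) // 3 + 1 for d in review_dates if d.year == year}
    return [q for q in (1, 2, 3, 4) if q not in done]

# Constructed sample data (employee_id, termination date, date access disabled).
SAMPLE_TERMINATIONS = [
    ("E001", date(2023, 3, 6), date(2023, 3, 8)),    # 2 business days: fine
    ("E002", date(2023, 3, 6), date(2023, 3, 22)),   # 16 calendar days: exception
    ("E003", date(2023, 3, 10), date(2023, 3, 13)),  # Friday to Monday: 1 business day
    ("E004", date(2023, 3, 15), None),               # never disabled: exception
]
# Constructed review log: Q2 review was never performed.
SAMPLE_REVIEWS = [date(2023, 1, 20), date(2023, 7, 18), date(2023, 10, 12)]

if __name__ == "__main__":
    print("termination exceptions:", find_exceptions(SAMPLE_TERMINATIONS))
    print("missed quarterly reviews:", missing_quarterly_reviews(SAMPLE_REVIEWS, 2023))
```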
Management responses to control exceptions
Whenever there are exceptions, management provides a response. In Section 5 of the report, management responded about the quarterly access review. Management says the cause was an oversight by the process owners during the Q2 review. The IT Director has discussed it with the process owner, and IT also implemented an automated job alert that sends reminders so that process owners don’t forget.
To be honest, this response falls a little short of what I would expect from a management response. We know the error occurred, but we don’t know the impact. Ideally, management would tell us: “When we finally did the review, we didn’t find anyone with inappropriate access. We didn’t find any exceptions”, or “we found 2 exceptions and here are the reasons why they are not a problem for us”.
An example of a good response is below. 1 out of 40 terminations was not processed on time. They said this was an oversight by the project manager in sending the termination notification to HR.
The individual’s access was limited and only permitted onsite using a NetSuite-issued laptop. NetSuite is saying: we know we have one person whose access we didn’t terminate on time, but their access was very limited; it was only permitted onsite, using a NetSuite-issued laptop, for a particular project. When the project ended, the individual’s badge and laptop were turned in. We also checked their account, and it wasn’t accessed after the termination. So management has investigated and determined that there was no significant impact, and therefore it isn’t a problem. This is a good response because you know there was no impact from this control failing.
Document conclusions
Once you note the exceptions in the SSAE16 report, you document them. Below is how we’ve laid out the SSAE controls documentation; it’s a best practice to follow. We write a general note (Note 1) that says “Below is a summary of the exceptions noted in the SOC 1 report and the resolution”.
We have a column for the page number and control number reference. Why? Imagine yourself as an independent reviewer having to fish through a 100+ page SSAE report to find this exception. The references help any reviewer, and the external auditors when they re-perform the work.
Next, we copy the exact wording of the control description, the exception noted and the company’s response to the exception, to show that we have seen the exception.
I’ve put the 2 exceptions on here. Then, as the user, we have to ensure that they don’t impact us and that we can still rely on the control. In this case, we say there are various review controls in the procure-to-pay, order-to-cash, financial close, inventory and treasury cycles that would have caught any resulting issue. We also include our own company’s control descriptions.
How does this impact us as the company? We say that we have controls in place for regular reviews of financial results. Essentially, even though NetSuite had this exception, we’re confident that the manual controls we have in place to review our financials would have caught anything suspicious or anything that impacted our financial results.
Okay, we’ve looked at the opinion. We’ve looked at the dates. We’ve looked at the user considerations and we’ve looked at the controls that we’re relying on from NetSuite.
What do you do after you review the SSAE 16 report?
What’s the final touch to it? I’ll show you below.
You write your conclusion so the external auditors know that you’ve looked at the report and that you’re choosing to rely on it. In our work papers, we actually have a conclusion box. If I were the controller doing this review, I would say “I reviewed the SSAE 16 report and it can be relied upon” and then sign and date it.
Summary
To recap, in this session, we showed you how to answer the following questions when reviewing an SSAE16 report for NetSuite: