#56 | Part 4 – Basic 4 Rules NetSuite Segregation of Duties

Welcome to Part 4 of the Segregation of Duties Analysis for NetSuite. In this session, we will cover the rules. In this case, we boiled it down to four basic ones.
- Credit Memo Versus the Customer Master
- Creating Vendor Versus the Vendor Master
- Create Vendor Bills Versus the Vendor Master
- Create Journal Entry and Approving Journal Entries
I suggest you watch the video. It’s easier to understand if you are a visual/audio learner. The content below is the same as the video. It’s for those who learn by reading.
The Four Basic Rules of NetSuite Segregation of Duties
Here are the four basic rules within NetSuite that we suggest you look at. These are actually the permissions within NetSuite, and we’ll go through why each of these is important to any company.
Credit Memo versus the Customer Master
The first one is authorizing a credit memo versus creating or editing the customer master file. The risk here is anyone with a Credit Memo and has Customer permission in NetSuite can create unauthorized customers and be able to create credit memos to clear the amounts due from that customer.
Essentially, they can sell to friends, and their friends don’t have to pay for it. We don’t want anyone who has Credit Memo permission to also have create, edit, or full customer permission. In this example, we’ve laid out the grid so that you can see the Credit Memo in the D column and the Customer permission in column E so that you can compare the two.
Creating Vendor versus the Vendor Master
The second rule is create or prepare vendor checks versus the edit vendor master file. The permissions Check and Vendors allows a fraudster or a person to create a vendor and create a check to pay the vendor. This is under the assumption that the vendor checks are printed from the system. If you have checks that are physically held somewhere else, you also want to be careful. The person who is holding the check, can’t also create the vendors because they pay them.
If a person has the ability to print a check and create a vendor, they can create a fake vendor and unauthorized check. This is especially dangerous if the company uses pre-signed checks or signature stamps because no one would be able to detect that a fraud occurred. If the fraudster were able to do both of these things, it’s unlikely that someone is going to detect it. In NetSuite, the permissions Check and Vendors allows a person to create a vendor and create a check to pay the vendor.
Create Vendor Bills versus the Vendor Master
In the next scenario, Pay Bills and Vendors are permissions that allow someone to create an unauthorized payment because that’s the pay bill and also create a fake vendor. Similar to the previous situation, a person then has the ability to pay the bills. They could create a fake vendor and make a payment to the fake vendor.
It’s especially dangerous if the company uses ACH or direct deposit, and no check signer is needed because the person is then able to stage the payment and it will go directly to the bank. Now, no one would be able to detect the fraud if this person had both of these permissions, they’ll be able to hide it pretty quickly.
Create Journal Entry and Approving Journal Entries
In the final scenario that we want to avoid, the permissions Make Journal Entry allows a user to create journal entries, and the permission Journal Approval allows a user to approve the journal entries. Our basic rule of segregation of duties is one person should not create the journal entry and also be able to approve it.
Forget fraud for a moment, we often find that calculation errors or just errors happen when one person does everything from creating the journal entry and calculating everything, so it’s helpful to have a second set of eyes to review the work. In NetSuite, permissions Make Journal allows a person to create the journal, and Approve Journal allows them to approve the journal entries.
Sometimes, you need to have a person do both of these things because you only have a small team of 1 – 3 or even 5 people. In those cases, where the systems haven’t implemented an approval workflow, we want to find alternatives. What we’ve done for a lot of our clients is to be able to have approval workflows or automatic notifications. Those are ways to mitigate or monitor the situation.
In this case, automatic notifications will happen when someone creates the journal entry and approves it. A notification goes out to multiple people in the department to let them know. These can get tedious because you get so many of these notifications and sometimes, you don’t read them. Some of our clients have actually put in more of a monitoring control where at the end of the week, run a report. The system can actually run a report of all these instances and push or email those reports out to the approver. That helps you do the monitoring without having to do it on a daily basis.
To recap, we discussed the four basic rules, and they are;
- Credit Memo Versus the Customer Master
- Creating Vendor Versus the Vendor Master
- Create Vendor Bills Versus the Vendor Master
- Create Journal Entry and Approving Journal Entries
Thank you so much for your time. We’ll talk to you in the next session when we go through the next detailed steps to complete the series. Have a great day!
Leave a Reply