As more organizations embrace NetSuite as their core ERP platform, securing the environment is a foundational element — not just for compliance, but for maintaining the integrity of information and day-to-day operations. When implementing and subsequently expanding ERP usage for wider adoption and scale, functional security is often viewed as a system configuration task rather than a strategic decision. Instead of using the opportunity to increase user productivity and enhance access to critical enterprise data, functional security risk becomes an afterthought.
This mindset can lead to common — but avoidable — missteps that can result in audit findings, control breakdowns, and operational errors. Below, we explore key security vulnerabilities frequently seen in NetSuite environments and highlight the importance of a proactive, business-aligned security design approach to manage enterprise risk.
A frequent shortcut during NetSuite implementations is the use of out-of-the-box (standard) roles to provision user access or create copies of these roles. These roles are designed for broad utility — not for least-privileged access. Often these roles grant more permissions than required for an individual’s job function and do not meet restricted access (RA) and separation of duties (SoD) requirements.
Without tailoring these roles, organizations could be introducing unmitigated violations of SoD controls and providing the opportunity for access to be a root-cause for fraudulent or erroneous transactions that present financial and operational risks.
PwC’s perspective: Our methodology leverages an inventory of security frameworks with key SoD and SA rules that are appropriate by company size, maturity and industry / sector risks to provide the guard rails needed to design sustainable security. We’ve codified each permission and continue to proactively identify changes through each of the two NetSuite releases per year. Our experience allows us to give our clients a demystified point of view on access abilities for each functional area, giving a clear perspective on what access should (and shouldn’t) be provisioned and combined. During a security design session, PwC aligns with its clients to tailor and provide clear design documentation templates that provide the following benefits:
There is always a unique blend of business processes, regulatory obligations, data security, and internal control frameworks within an organization. Organizations tend to struggle to account for these differences in deploying a security design that:
PwC’s perspective: When designing security, clearly document an access framework in which SoD-free roles are implemented, and consider where overall process design and the broader control environment mitigate material risk(s). This strategy is applicable from small high-growth companies to mature enterprises and establishes an appropriate risk tolerance for the business through a range of preventive, automated, detective and data-analytic controls that reduce time-consuming, manual, and often inefficient back-end review processes.
As a company expands its NetSuite footprint and business operations due to growth, maintaining the design principles of security and alignment with end user responsibilities becomes increasingly important.
As user responsibilities evolve, role design is frequently adjusted in an ad hoc manner without centralized oversight and control. While incremental changes may initially be minor, they can accumulate over time and lead to significant drift between the original role design and the aggregate of access a user possesses.
Another common tactic used to satisfy role access requests can be cloning another user’s access — i.e. mirroring access from one user to another as an administrative shortcut. This practice often replicates outdated or excessive permissions, compounding risk over time.
Without a defined governance model for access provisioning and regular access reviews, organizations may unintentionally assign inappropriate access to large groups of users. This not only increases the likelihood of SoD violations, but can also drive up licensing costs due to unnecessary access entitlements.
When this drift goes unchecked, it can create blind spots that undermine the effectiveness of your security strategy and create potential control gaps. Misaligned access can persist undetected, resulting in audit findings, operational errors, security incidents, and material misstatements.
PwC’s perspective: To preserve the integrity of your access model, organizations should implement ongoing monitoring and reconciliation processes. We’ve created a standardized set of solutions that provides insights to monitor any NetSuite environment.
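The reconciliation described above (comparing what users actually hold against the documented role design and the SoD rules) can be illustrated with a small check. This is an added example, not PwC’s or NetSuite’s tooling; the roles, permission names, SoD rule pairs and user snapshot are constructed and do not correspond to real NetSuite permission identifiers.

```python
# Constructed example data: not real NetSuite roles or permission names.
BASELINE_ROLES = {  # roles as captured in the security design documentation
    "AP Clerk": {"Vendor Bills: Create", "Vendor Bills: Edit"},
    "AP Manager": {"Vendor Bills: Approve", "Vendor Payments: Create"},
    "Vendor Master": {"Vendors: Create", "Vendors: Edit"},
}

# SoD rules: pairs of permissions one user must not hold together (constructed).
SOD_RULES = [
    ("Vendors: Create", "Vendor Payments: Create"),
    ("Vendor Bills: Create", "Vendor Bills: Approve"),
]

# Snapshot of provisioned access: assigned roles plus any ad hoc direct grants.
# "bob" mirrors two roles at once (cloned access); "carol" has an extra grant (drift).
USER_ACCESS = {
    "alice": {"roles": ["AP Clerk"], "extra": set()},
    "bob": {"roles": ["AP Manager", "Vendor Master"], "extra": set()},
    "carol": {"roles": ["AP Clerk"], "extra": {"Vendor Bills: Approve"}},
}


def designed_permissions(user):
    """Permissions the documented role design says this user should have."""
    roles = USER_ACCESS[user]["roles"]
    return set().union(*(BASELINE_ROLES.get(r, set()) for r in roles))


def effective_permissions(user):
    """Everything the user actually holds: role-derived plus direct grants."""
    return designed_permissions(user) | USER_ACCESS[user]["extra"]


def drift(user):
    """Permissions held outside the documented design (role drift)."""
    return effective_permissions(user) - designed_permissions(user)


def sod_violations(user):
    """SoD rule pairs fully present in the user's effective access."""
    perms = effective_permissions(user)
    return [rule for rule in SOD_RULES if rule[0] in perms and rule[1] in perms]


def review_report():
    """Per-user findings an access review would act on."""
    return {u: {"drift": sorted(drift(u)), "sod": sod_violations(u)} for u in USER_ACCESS}


if __name__ == "__main__":
    for user, findings in review_report().items():
        print(user, findings)
```

Note that bob's violation comes purely from combining two designed roles, while carol's comes from a grant outside any role; both need to surface in the review.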
To build a resilient security posture that mitigates risk, scales with your business and still promotes user productivity, organizations should invest in purposeful role design and continuous monitoring. Doing so proactively manages business risk, reduces maintenance effort and maximizes their ROI with Oracle NetSuite.
Let PwC help you establish a NetSuite security framework that’s both secure and sustainable. Contact us to learn how we can support your NetSuite journey with strategic, compliance-aligned security solutions.