PwC’s Oracle NetSuite security and compliance services

Our client is an industry-leading artificial intelligence provider rapidly growing and expanding their global footprint. We helped mature their security posture and improve their ability to grow with Oracle NetSuite.

What was the opportunity?

Our client knew they needed to better define the way they control access to their Oracle NetSuite ERP. While already being live on Oracle NetSuite, the client needed a rapid deployment approach that did not interrupt finance and accounting operations but allowed for new security roles to be tested and deployed within a two-month timeline.

What we did

• Security role enhancements, right-sized the client’s access roles to apply ‘least-privilege’ access principles and reduce risk.
• Established segregation of duties within finance, IT and accounting functions for US and international entities to prevent conflicts of interest.
• Leveraged our “pre-configured” role content to accelerate the design and requirements to assess and analyze roles, security design, configurations and automated controls were configured per design.
• Implemented security authentication protocols that aligned with the company’s enterprise security strategy (e.g. SSO, contractor access and integration accounts).
• Deployed our Oracle NetSuite managed services team to support the client’s ongoing security maintenance and control operation.

How did it go?

Overall, the project was a major success, to not disrupt important business operations but achieve the following:

• The client successfully revised their role design, achieving SOD-free (segregation of duties-free) access.
• Developed a sustainable governance methodology for continuous security management.
• The Controller was able to achieve a positive audit outcome in the first year of external audit review.

Our client provides financing, broker, loan origination and administration services to its customers. We helped them grow their business with their first full-scale ERP Solution.

What was the opportunity?

Our client’s corporate Controller was looking for a collaborator to help increase their investment in their first full-scale ERP solution, Oracle NetSuite. With a gap in their system integrators (SI) security and controls experience, we collaborated with Finance and IT to help address security, ICFR and SOX requirements.

What we did

• Guided the client through the controls implications of their first full-scale ERP implementation, taking multiple entities, new business processes and new application risks into consideration. Identified where the client could gain efficiency by leveraging native Oracle NetSuite functionality and automation.
• Shared an objective perspective to help influence ERP security design (non-audit services).
• Drafted Oracle NetSuite centric RCMs to help the company understand impacts to the control environment when moving to the cloud.
• Leveraged our Enterprise Control accelerator to assess and analyze roles, security design, configurations and automated controls were configured per design.
• Identified numerous misconfigurations and workflow gaps related to the client’s pre-PROD environment.

How did it go?

Enterprise Control was a major success factor in our client successfully achieving their target go-live date and was able to hold their SI accountable to fix errors and gaps before they materialized in production.

• Our client was able to course correct their role design and developed SOD-free access.
• Our client had a strong understanding of their future state risk and controls library, understood their SOC reporting CUECs and the nuance between Oracle’s service provider responsibilities and their own.
• Our client avoided spending on purchasing and implementing third-party GRC tools they couldn’t support and did not understand how to effectively use.
• Our client successfully migrated from a small-scale accounting software to a full-scale ERP solution while maintaining a controlled environment.

Our client is a global manufacturer and distributor of health and beauty products. We helped them assess their security and control environment for SOX compliance.

What was the opportunity?

Our client’s VP of Internal Controls needed a collaborator to help gain confidence that the Oracle NetSuite control environment would meet SOX requirements for their approaching IPO. In a pre-implementation review we assessed the company's security and controls posture. We collaborated with Finance and IT to uncover security, privacy and ICFR risks before go-live.

What we did

• We helped the client document their control environment and identify design gaps.
• We educated IT and the business on automated controls they weren’t taking credit for and gain coverage over financial statement assertions.
• Leveraged our proprietary Enterprise Control (EC) accelerator to identify Oracle NetSuite specific gaps in configuration preferences, security settings and workflows with financial impact.
• Shared an objective perspective on their current state security to help identify and influence future-state ERP security design for the remainder of their global deployments.

How did it go?

Enterprise Control was a major success factor in helping the client identify root causes of issues, accounting errors and undesired activity within their applications. We provided a roadmap of areas to address the gaps noted, suggested native functionality to leverage and worked towards an additional solutioning phase.

We subsequently helped our client course correct their design issues by:

• Remediating roles to remove SOD violations and eliminating access to sensitive access permissions.
• Helped redesign new automated controls and used our tools to assess their effectiveness.
• Establishing the right governance processes to help monitor the environment going forward.
• The client was able to hold their SI accountable to fix errors and gaps before they materialized in production.

Our client is an industry-leader in providing AI software and digital cloud identity verification solutions. They needed to pinpoint their financial close, intercompany and segregation of duties issues.

What was the opportunity?

Our listed client had been using their Oracle NetSuite ERP for several years, but was struggling to perform accounting close, execute SOX controls to meet reporting deadlines and had material weaknesses in the control environment. They looked to PwC to perform an assessment and help identify the root cause of its issues and provide an actionable roadmap of solutions.

What we did

• Mobilized a unique PwC team of Oracle NetSuite and security and control subject matter specialists.
• We helped the client identify gaps in their intercompany close and auto-elimination processes and configurations.
• We identified security vulnerabilities in their domestic and international role deployments, that lead to unmitigated segregation of duties risks; Identified missed data security requirements.
• Highlighted numerous misconfigurations on forms and accounting preferences that allowed users to bypass journal entry processes that were causing accounting errors.
• Identified automated control and workflow requirements that would bring more confidence to the financial statement review processes and advance revenue management reporting.

How did it go?

We provided a roadmap of areas to address the gaps based on impact and suggested solutions that adopted native Oracle NetSuite functionality.

We subsequently helped our client course correct their design issues by:

• Redesigning their roles and permissions, resolved SOD violations and deployed a sustainable security strategy (reducing roles by 30%).
• Helped redesign new automated controls, workflows and change management processes that enhanced data quality and stakeholder transparency.
• Transformed manual entries and manual reconciliations steps into automated elimination and intercompany processes and accelerating their close process.