5 Controls Vital to Effective Governance, Risk and Compliance

Lisa Robinson, CPA and Damien Fairbairn, CRISC

September 29, 2020

An effective compliance program requires a system of controls around people, processes and technology. That requires software that allows you to implement the controls most important to your organization — controls like account reconciliations, approval authority and segregation of duties. Once a business has established those controls, it can ensure the reliability of accounting systems and more easily prepare for audits. What’s more, a strong compliance program can facilitate the process of taking the company public.

The most effective software platforms provide features that make audits easier by helping to monitor for critical events, track changes to key financial configurations, delegate authority systematically and allow for risk mitigation and trust in the financial system.

Here are five key embedded features/controls that you should look for when selecting a compliance software system:

  1. Workflows & Subscripts: Imagine all your transactions follow a predictable path. No longer are you looking for paper documents on the AP clerk’s desk or in a plastic purple folder for the IT manager to approve. No longer do you have to wonder where those invoices are in the approval process. With software that can customize workflow, you can automate approvals for every transaction, build your delegation of authority into the system and keep a reliable audit trail, including a date and time stamp of the approval.
  2. Financial Drill-Through Capability: If you can provide your auditors with a financial statement that is supported with system documentation all the way down to a vendor bill PDF, an expense report receipt copy, a revenue recognition schedule or a timesheet, they can conduct their audit more effectively and more quickly.
  3. Reporting on Audit Trails and System Notes: Audit trails are a critical tool for mitigating risk. A good audit trail allows you to track changes to transactions and master data, including the source of the change, the user initiating the change and the field values before and after the change. A comprehensive compliance software system like NetSuite will have audit support in the form of reports and searches to document master data management, user access administration and transaction history. You can even create alerts to let you know in near real time if someone has performed certain changes to sensitive fields or records, allowing you to investigate any anomalies immediately and act quickly.
  4. Roles and Permissions: You need the ability to build layers of flexible security into your system with a program that allows you to provision users with the least amount of access they need to do their job. The proper system will let you build in a properly segregated set of roles that keeps the business running while at the same time implementing access-based security that protects your company’s assets. In NetSuite, this is supported by system notes and audit trails so that you can show your auditors who has access to which features and whether these permissions have changed since the last audit.
  5. Change Management: Customization and configuration changes are an important control consideration. Customizations can change the way a system works. Application behavior can be changed by a configuration change, by adding forms or fields, and by scripts. System Development Life Cycle (SDLC) and change management controls are key components of managing customizations. A strong, well-governed and documented SDLC and change management process will ensure only properly authorized, tested and approved changes are pushed into a live environment. In NetSuite, configuration changes are managed through NetSuite’s SuiteCloud Development Framework (SDF) projects in a sandbox and promoted to production using native functionality. This allows you to track production changes via SDF projects. Change management is a critical aspect of any financial system.
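
As an added illustration (not NetSuite code and not the authors'), the following Python reads a constructed audit-trail sample carrying the fields described under item 3 (source, user, record, field, value before and after), raises alerts for changes to sensitive fields and runs a simple segregation-of-duties check of the kind item 4 calls for. The line format, the sensitive-field list and the SoD rule are assumptions made for the example.

```python
# Constructed sample audit-trail lines (not real NetSuite system notes), one change per line:
# timestamp|source|user|record_type|record_id|field|value_before|value_after
SAMPLE_TRAIL = """\
2020-09-28T09:14:02Z|UI|jsmith|vendor|V-1042|phone|555-0100|555-0199
2020-09-28T09:15:40Z|UI|jsmith|vendor|V-1042|bank_account|****4411|****9073
2020-09-28T10:02:11Z|CSV|import_svc|customer|C-771|credit_limit|5000|5000
2020-09-28T11:30:05Z|SCRIPT|deploy_bot|employee|E-33|role|AP Clerk|Administrator
2020-09-28T12:05:49Z|UI|jsmith|vendor_bill|B-9001|approval_status|Pending|Approved
"""

# Assumed alerting policy: (record_type, field) pairs whose modification warrants
# near-real-time review. A real deployment would source this from its control matrix.
SENSITIVE_FIELDS = {
    ("vendor", "bank_account"),
    ("employee", "role"),
    ("customer", "credit_limit"),
}

FIELDS = ("ts", "source", "user", "record", "rid", "field", "before", "after")


def parse_trail(text):
    """Parse pipe-delimited audit lines into dicts; blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed audit line: {line!r}")
        entries.append(dict(zip(FIELDS, parts)))
    return entries


def sensitive_changes(entries):
    """Entries that touch a sensitive field and actually change its value.
    A save that rewrites the same value (credit_limit 5000 -> 5000) is not an alert."""
    return [
        e for e in entries
        if (e["record"], e["field"]) in SENSITIVE_FIELDS and e["before"] != e["after"]
    ]


def sod_conflicts(entries):
    """Simplified segregation-of-duties rule (assumption): a user who edited a vendor's
    bank account and also approved a vendor bill in the same trail is flagged for review."""
    edited = {e["user"] for e in entries
              if e["record"] == "vendor" and e["field"] == "bank_account"}
    approved = {e["user"] for e in entries
                if e["record"] == "vendor_bill" and e["field"] == "approval_status"
                and e["after"] == "Approved"}
    return sorted(edited & approved)
```

Run over the sample, the alert list contains the vendor bank-account change and the role escalation performed by a script, and `jsmith` is flagged for both changing vendor banking details and approving a bill.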

NetSuite is built for the cloud, equipped with features for securing sensitive data, like credit card information and personally identifiable information. NetSuite is audited to SOC 1 Type 2 and SOC 2 Type 2 (SSAE 18 and ISAE 3402 standards), ISO 27001 and 27018, PCI DSS and PA DSS. The NetSuite SOC 1 and SOC 2 reports are intended to provide users with visibility into the controls over financial reporting and the system controls intended to meet the AICPA Trust Services Principles and Criteria that a user of NetSuite services can rely upon.

Of course, the act of buying a software solution doesn’t guarantee compliance. It’s always your role to establish governance, analyze risk and determine the appropriate level of controls. Then follow through by monitoring and reporting on the effectiveness of the controls. With NetSuite, you have the building blocks to build a solid foundation for crucial compliance programs.

Learn more about how NetSuite can assist with governance, risk and compliance.