NetSuite Auditing and Data Management Features

NetSuite has features for tracking data and configuration changes. This information about NetSuite’s auditing capabilities is intended to assist you in developing a strategy to achieve your control objectives.

Tools for Auditing in NetSuite

NetSuite provides system notes that track many data and configuration changes. In most cases, you can determine whether a record, or a group of configuration settings, supports system notes based on whether a System Notes subtab is available on its NetSuite page.

You can use NetSuite’s search capabilities to access system notes for auditing purposes.

• A general system note search can return system notes for all record types. A system note search can be filtered by record type, so that the results include only system notes for a particular record type.
• Searches of record types that support system notes can include system notes details in results. For example, a customer search can include values for system notes fields related to customer record changes in results. This support is based on a join between system notes records and their related parent records.
• System notes include a Context field. The context describes how the change was made. For example, users and external systems can perform updates through the user interface, web services, SuiteScript, and a variety of other methods. Each method is considered a context.

NetSuite provides predefined audit trails for many frequently used records. Audit trails are searches of system notes, with filters and results already defined.

• An audit trail link, available at the top of most list pages, can return system notes for a particular record type.
• The audit trail for transaction records is available at Transactions > Management > View Audit Trail.

Many record types also include a History subtab where you can track updates to each record, including line-level changes.

The deleted record search type lets you retrieve details about records that have been deleted.

Internal Controls in NetSuite

This section lists internal controls that are readily available in NetSuite. This listing is provided as a reference to assist you in building strong internal controls in your NetSuite implementation.

• Some controls do not require setup after your NetSuite account is operational.
• Other controls require some basic setup in the NetSuite UI before they are available.

No customizations are required for you to utilize any of these general controls in your NetSuite implementation. Audited companies should consider taking credit for the partial or full mitigation of risks provided these internal controls.

Many internal control processes specific to your company may require the creation of some basic customizations, such as custom fields, custom records, workflows, and scripts. These types of custom solutions may be available as NetSuite SuiteApps, or Partner Applications. Or these solutions can be built by NetSuite developers.

Managing Transactions

NetSuite provides several features that enable you to record reasons for deleting transactions and view transaction history.

Recording a Reason for Deleting a Transaction

In some countries, it is a legal requirement to provide the reason why a transaction is deleted. The Use Deletion Reason feature satisfies this requirement because users must record the reason why they deleted a transaction.

The Use Deletion Reason feature impacts all of the transactions listed at Setup > Company > Setup Tasks > Auto-Generated Numbers on the Transaction Numbers subtab. When you use this feature, users must provide a reason for deleting a transaction record. The Transaction Numbering Audit Log provides a list of the deleted transactions. It provides their transaction number, the date on which the transaction was deleted, and by whom. It also provides the reason the user deleted the transaction record and any related memo.

Reviewing Transaction History

NetSuite stores data on each entry that a user makes to create, change, or delete a transaction. This data includes all users involved in the history of this transaction, each user's action, the date and time of that action, if there was an account impacted, and the amount after the change.

This historical data may be referred to as system notes, an audit trail, or as history. NetSuite provides a variety of methods for you to retrieve historical details about changes made to transaction records. See the following topics for information:

Personal Information (PI) Removal

Personal Information (PI) Removal enables NetSuite users with the appropriate permissions to remove personal information from NetSuite fields, records, and audit logs. The main purpose of PI removal is to help customers address privacy regulations related to data subject requests.

The right to be forgotten is one of the key requirements in recent privacy laws, including in General Data Protection Regulation (GDPR). Administrators can use Personal Information Removal to replace the data stored in both the system log notes and the workflow history with a user-defined value. Examples of fields and records that can be addressed by the Personal Information Removal system include: first names, last names, email address, social security number, credit card number, gender, and so on. The functionality is available in 2019.2 on entity records, transactions, and custom records.

The Personal Information Removal feature:

• Improves compliance with privacy regulation
• Supports removing Personal Information data from record field values, notes logs, and workflow history
• Permits a privileged user to remove Personal Information data without contacting NetSuite Customer Support
• Replaces the Audit Trail History field value with a user-defined message
• Does not remove the Audit Trail History logs

You can perform individual information removal requests from within NetSuite. You can view all the requests that have been submitted, including who created the request, when it was created, and the current status of the request. For more complex requests, you can build the request from SuiteScript

Auditing Data Changes using Searches

To monitor changes made to NetSuite data, you can search system notes records.

You can use the following tools to access system notes records:

• A general system notes search can return system notes for all record types. A system notes search can be filtered by record type, so that the results include only system notes for a particular record type.
• Searches of record types that support system notes can include system notes details in results. For example, a customer search can include values for system notes fields related to customer record changes in results. This support is based on a join between system notes records and their related parent records.
• An audit trail link, available at the top of most list pages, can return system notes for a particular record type.
• The audit trail for transaction records is available at Transactions > Management > View Audit Trail.
• System notes are not created by the execution of saved searches, because they do not change data. However, each saved search has a log listing the users who have run or exported the search. This log shows who has used the search in the past 60 days, with the dates and times of each execution. You can also see an audit trail about changes made to each saved search.

Known Limitations: If you search for System Notes Fields and you elect to use Type = Change as a filter, NetSuite will return all results having type Change, Set or Unset as these are all internally considered a change. As a workaround, you can also use the following formula: Formula (text): is change: {systemnotes.type}.

Additionally, the Deleted Record search type lets you retrieve details about records that have been deleted.

Avoiding Duplicate Transaction Numbers

NetSuite provides a number of methods you can use to avoid the entry of duplicate transaction numbers.

• Set a user-level preference to receive a warning when a duplicate transaction number is entered. Go to Home > Set Preferences. On the Transactions subtab, check the Duplicate Number Warnings box.
• Set an account-level preference to receive a warning when a duplicate transaction number is entered.
• Use auto-generated numbering for transactions.

If GSI can assist with any of your NetSuite needs, please visit NetSuite Services.