The role-and-permission review every CFO should commission annually
NetSuite roles accumulate permissions over time. Most accounts have segregation-of-duties (SOD) conflicts that no one has looked at since go-live.
NetSuite roles are built once and rarely revisited. Permissions are added in response to specific requests — 'can you give Sarah access to the vendor payment screen?' — and almost never removed. The result is a permission structure that reflects every exception ever granted, rather than the least-privilege principle it was supposed to enforce.
Segregation of duties conflicts are the most common finding in any NetSuite role review. SOD requires that no individual can both initiate and approve a transaction. In practice, the most common violations are in AP: the same user can create a vendor, create a purchase order, enter a vendor bill, and approve a payment. In smaller finance teams this is often a practical necessity — but it should be a documented, risk-accepted exception, not an unknown gap discovered during an external audit.
The mechanics of a role review are straightforward. Export the permission matrix for every role in use. Map each role to the users who hold it. Identify where the same user holds two roles that create an SOD conflict. The hard part is deciding what to do about it: redesigning roles to eliminate conflicts often requires changing how work is assigned, which has operational implications beyond the NetSuite configuration.
Orphaned access is a related problem that's easier to address. Users who have left the organisation, changed roles, or moved to a different system are routinely left in NetSuite with active roles. They represent both a security risk and an audit finding. A clean user access review — matching active NetSuite users against current HR records — is a quick win that most accounts can complete in a day.
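The two checks described above (SOD conflicts across a user's combined roles, and active users with no HR match) as an added, self-contained example; this is not NetSuite's own API or any real export, and the role matrix, user assignments, SOD rule pairs and HR roster are all constructed for illustration:

```python
# Constructed example: SOD conflict and orphaned-access checks over a
# NetSuite-style role/permission export. All records below are made up.

# Role -> permission matrix, as exported per role (constructed).
ROLE_PERMISSIONS = {
    "AP Clerk": {"Vendors", "Purchase Order", "Vendor Bill"},
    "AP Manager": {"Bill Payment Approval", "Financial Reports"},
    "Controller": {"Journal Entry", "Financial Reports"},
}

# User -> roles assignment for active NetSuite logins (constructed).
USER_ROLES = {
    "sarah": {"AP Clerk", "AP Manager"},  # initiates and approves
    "tom": {"AP Clerk"},
    "priya": {"Controller"},
    "old_contractor": {"AP Clerk"},       # left the company; never removed
}

# Conflicting permission pairs: the AP initiate/approve combinations.
SOD_RULES = [
    ("Vendors", "Bill Payment Approval"),        # create a vendor and pay it
    ("Purchase Order", "Bill Payment Approval"),
    ("Vendor Bill", "Bill Payment Approval"),    # enter a bill, approve payment
]

# Current HR roster of active employees (constructed).
HR_ACTIVE = {"sarah", "tom", "priya"}


def effective_permissions(user):
    """Union of permissions across every role the user holds."""
    perms = set()
    for role in USER_ROLES.get(user, ()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def sod_conflicts():
    """{user: [rule, ...]} for each SOD rule the user's combined permissions
    violate; two individually clean roles held by one person are caught."""
    findings = {}
    for user in USER_ROLES:
        perms = effective_permissions(user)
        hits = [rule for rule in SOD_RULES if set(rule) <= perms]
        if hits:
            findings[user] = hits
    return findings


def orphaned_users():
    """Active NetSuite users with no matching active HR record."""
    return sorted(set(USER_ROLES) - HR_ACTIVE)
```

Each entry in the conflict map is a candidate for either role redesign or an accepted-risk register entry; each orphaned user is a deactivation action.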
Our recommendation: a structured role and permission review at least annually, and within 90 days of any significant organisational change (acquisition, restructure, system expansion). The review should produce a documented finding, a remediation action for each gap, and an accepted-risk register for conflicts that can't be resolved without operational disruption. That documentation is what auditors and regulators want to see — evidence that you know what the risks are and have made deliberate decisions about them.