
July 2, 2026

The NetSuite security audit checklist (what an auditor actually asks about)

Most NetSuite security problems are not exotic. They are access that accumulated and never got cleaned up. Here is the checklist an auditor works through, and what to look for on each line.

1. Access tokens and integration credentials

Token-based authentication (TBA) credentials bypass two-factor and never expire on their own. That makes them the most overlooked risk in the account.

  • Is any active token scoped to an Administrator role? That is a standing super-user key with no second factor. If it leaks, it is full account access.
  • Are there tokens tied to a former employee's login? Those should have been revoked at offboarding.
  • Are any tokens years old with no rotation? Long-lived credentials should be rotated on a schedule.
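The three token questions above reduce to a small set of checks over the account's list of active tokens. The script below is an added example, not SuiteRX or NetSuite code: it assumes the token list has already been exported into the rows shown (the field names, the 365-day rotation limit and the sample tokens are all constructed for illustration) and turns each question into a finding with a severity and the control an auditor would cite.

```python
"""Token-based authentication audit over a constructed token export.

Added example, not SuiteRX or NetSuite code. It assumes the account's
active integration tokens have already been exported into the rows
below; the field names, sample rows and rotation limit are constructed.
"""
from dataclasses import dataclass
from datetime import date

ADMIN_ROLE = "Administrator"      # role name as shown in NetSuite
MAX_TOKEN_AGE_DAYS = 365          # assumed rotation policy, not a NetSuite default
AS_OF = date(2026, 7, 2)          # audit date, constructed


@dataclass(frozen=True)
class Token:
    token_id: str
    owner_login: str
    owner_active: bool            # False once the employee's login is inactivated
    role: str
    created: date


@dataclass(frozen=True)
class Finding:
    token_id: str
    severity: str                 # "high" or "medium"
    control: str                  # control the finding maps to
    detail: str


# Constructed sample export: three tokens with a problem each, one clean.
SAMPLE_TOKENS = [
    Token("tok-1001", "svc.billing", True, ADMIN_ROLE, date(2025, 11, 3)),
    Token("tok-1002", "jdoe", False, "Integration Role", date(2025, 1, 15)),
    Token("tok-1003", "svc.erp", True, "Integration Role", date(2022, 2, 9)),
    Token("tok-1004", "svc.wms", True, "Integration Role", date(2026, 3, 1)),
]


def audit_tokens(tokens, as_of=AS_OF, max_age_days=MAX_TOKEN_AGE_DAYS):
    """Apply the three checklist questions to every token and rank the results."""
    findings = []
    for t in tokens:
        # 1. A token scoped to Administrator is a standing super-user key with no second factor.
        if t.role == ADMIN_ROLE:
            findings.append(Finding(t.token_id, "high", "SOX ITGC: privileged access",
                f"token scoped to {ADMIN_ROLE}; standing super-user credential with no second factor"))
        # 2. A token whose owner login is inactive should have been revoked at offboarding.
        if not t.owner_active:
            findings.append(Finding(t.token_id, "high", "SOX ITGC: user deprovisioning",
                f"token belongs to inactive login {t.owner_login}; should have been revoked at offboarding"))
        # 3. A token older than the rotation limit has never been rotated.
        age = (as_of - t.created).days
        if age > max_age_days:
            findings.append(Finding(t.token_id, "medium", "SOX ITGC: credential rotation",
                f"token is {age} days old, over the {max_age_days}-day rotation limit"))
    # Highest severity first so the report leads with what an auditor will cite.
    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (order[f.severity], f.token_id))


def summarize(findings):
    """Count findings by severity for the report header."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_tokens(SAMPLE_TOKENS)
    for f in results:
        print(f"[{f.severity.upper()}] {f.token_id}: {f.detail} ({f.control})")
    print(summarize(results))
```

On the constructed sample this reports two high findings (the Administrator-scoped token and the one tied to an inactive login) and two medium ones (the two tokens past the rotation limit); the clean token produces nothing. The checks are read-only over the export, which is the same stance the report section below takes.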

2. Roles and permissions

  • Which roles hold mass update or delete? Those are rarely needed and rarely revoked.
  • Which users have full Administrator who only need report access?
  • Are there Segregation of Duties conflicts: a single role that can both create a vendor and pay it, or both post and approve a journal? (We cover these in depth in NetSuite Segregation of Duties.)
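The role questions above can be checked the same way once the role-to-permission and user-to-role assignments are exported. The script below is an added example, not SuiteRX or NetSuite code: the permission labels, roles and users are constructed for illustration, and the conflict pairs are the two the checklist names. It goes one step beyond the checklist by also catching conflicts that only appear when a user's several roles are combined, which a per-role review misses.

```python
"""Role and user access review over a constructed permission export.

Added example, not SuiteRX or NetSuite code. Permission labels, roles,
users and assignments below are constructed for illustration.
"""

ADMIN_ROLE = "Administrator"

# Permissions the checklist singles out as rarely needed and rarely revoked.
HIGH_RISK_PERMISSIONS = {"Mass Update", "Delete Record"}

# Holding both halves of a pair lets one person complete a transaction
# end to end with no second pair of eyes.
SOD_CONFLICTS = [
    ("Create Vendor", "Pay Vendor"),
    ("Post Journal", "Approve Journal"),
]

# Constructed role -> permission export.
ROLE_PERMISSIONS = {
    ADMIN_ROLE: {"Create Vendor", "Pay Vendor", "Post Journal", "Approve Journal",
                 "Mass Update", "Delete Record", "View Reports"},
    "AP Clerk": {"Create Vendor", "Post Journal"},
    "AP Manager": {"Pay Vendor", "Approve Journal"},
    "Report Viewer": {"View Reports"},
    "Legacy Finance": {"Create Vendor", "Pay Vendor", "Mass Update"},
}

# Constructed user -> roles export.
USER_ROLES = {
    "alice": {"AP Clerk"},
    "bob": {"AP Clerk", "AP Manager"},
    "carol": {"Report Viewer"},
    "dave": {"Legacy Finance"},
    "erin": {ADMIN_ROLE},
}


def role_findings(role_permissions):
    """Per-role review: high-risk permissions and conflicts inside one role.

    Administrator is skipped here because it holds everything by design;
    the question for it is who holds it, which user_findings answers.
    """
    findings = []
    for role, perms in sorted(role_permissions.items()):
        if role == ADMIN_ROLE:
            continue
        for p in sorted(perms & HIGH_RISK_PERMISSIONS):
            findings.append((role, "high-risk permission", p))
        for a, b in SOD_CONFLICTS:
            if a in perms and b in perms:
                findings.append((role, "sod conflict", f"{a} + {b}"))
    return findings


def user_findings(user_roles, role_permissions):
    """Per-user review: Administrator holders and conflicts created by combining roles."""
    findings = []
    for user, roles in sorted(user_roles.items()):
        if ADMIN_ROLE in roles:
            findings.append((user, "holds Administrator",
                             "confirm full admin is needed rather than report access"))
            continue
        effective = set().union(*(role_permissions[r] for r in roles))
        for a, b in SOD_CONFLICTS:
            if a not in effective or b not in effective:
                continue
            # A conflict already present inside one role is reported by role_findings;
            # report here only when it exists solely because of the combination.
            if not any(a in role_permissions[r] and b in role_permissions[r] for r in roles):
                findings.append((user, "sod conflict across roles", f"{a} + {b}"))
    return findings


if __name__ == "__main__":
    for f in role_findings(ROLE_PERMISSIONS) + user_findings(USER_ROLES, ROLE_PERMISSIONS):
        print(f)
```

On the constructed data the per-role pass flags only Legacy Finance (a mass update permission and a create-and-pay-vendor conflict), while the per-user pass flags bob, whose AP Clerk and AP Manager roles are each clean but together cover both sides of both conflict pairs, and erin for holding Administrator.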

3. Authentication policy

  • Is SSO (SAML or OpenID Connect) enforced, so that joiners and leavers are provisioned and removed centrally from the identity provider?
  • What is the minimum password length? Under 10 characters is brute-forceable.
  • How long is the idle session timeout? A session that stays alive for hours is full financial-system access for whoever sits down at the machine.

4. Data exposure

  • Are there public saved searches exposing vendor, employee, or financial data?
  • Are any RESTlets or Suitelets deployed with access set to all roles?
  • Are integration users authenticated against a personal login rather than a dedicated integration role?

5. Change management

  • Is configuration being edited directly in production, or promoted from sandbox? Direct production change with no approval trail is the core SOX change-management gap.
  • Who is making those changes, and is anyone reviewing them?

Turning the checklist into a report

You can work this list by hand, or run it automatically. SuiteRX checks every line here read-only, names each finding, maps it to the control an auditor cites (SOX ITGC, SOC 2), and ranks it by severity. The token and access checks alone usually surface something the account owner did not know was there.

See a live sample report with no email required, or run one on your own account.

When you need the findings remediated rather than just listed, the NetSuite consultants at Adaptive Solutions Group can rebuild roles, rotate credentials, and close the gaps with you.

Frequently asked

What should a NetSuite security audit cover?

Access and identity (roles, permissions, segregation of duties, two-factor and SSO enforcement, password and session policy), integration credentials (token-based auth scope and age), data exposure (public saved searches, open RESTlets and Suitelets), and change management (who is editing production directly). These map to SOX ITGC and SOC 2 access controls.

How often should you run a NetSuite security review?

At minimum annually for a SOX or SOC 2 cycle, and after any major change: a new integration, a role restructure, an implementation handoff, or an admin turnover. Continuous or quarterly review catches drift before it becomes an audit finding.

What is the most common NetSuite security gap?

Over-provisioned access. Roles with mass update or delete granted years ago and never revoked, integration tokens scoped to Administrator, and shared admin logins. Access almost always accumulates and rarely gets cleaned up, so it is where most findings are.

See it on your own account.

SuiteRX checks everything in this guide, read-only, and hands you the report.