The NetSuite security audit checklist (what an auditor actually asks about)
Most NetSuite security problems are not exotic. They are access that accumulated and never got cleaned up. Here is the checklist an auditor works through, and what to look for on each line.
1. Access tokens and integration credentials
Token-based authentication (TBA) credentials are not covered by two-factor authentication and never expire on their own; they stay valid until someone revokes them. That makes them the most overlooked standing credential in the account. The token list shows who owns each token and which role it carries, but not whether anything still uses it, so check recent login activity before revoking and expect some integration to break.
- Is any active token scoped to an Administrator role? That is a standing super-user key with no second factor. If it leaks, it is full account access.
- Are there tokens tied to a former employee's login? Those should have been revoked at offboarding.
- Are any tokens years old with no rotation? Long-lived credentials should be rotated on a schedule.
2. Roles and permissions
- Which roles hold Mass Update, or Full-level access on financial records (which allows delete)? Those are rarely needed day to day and rarely revoked once granted.
- Which users hold the Administrator role when their job only needs report access?
- Are there Segregation of Duties conflicts, one role that can both create a vendor and pay it, or post and approve a journal? (We cover these in depth in NetSuite Segregation of Duties.)
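The token and role checks above are mechanical once the data is exported, so here is an added example of the logic as plain JavaScript (it is not NetSuite, SuiteRX or Adaptive Solutions Group code). It runs over constructed rows standing in for the Access Tokens list, a role-permission export and the employee list; the row shapes, the permission names and the 365-day rotation window are assumptions, and a real run would substitute the account's own exports.

```javascript
// Added example, not NetSuite or SuiteRX code: the token and role checks from
// sections 1 and 2 as plain functions over exported rows. Record shapes and
// permission names are assumptions; a real run fills them from the Access
// Tokens list, a role/permission saved search, and the employee list.

const DAY_MS = 24 * 60 * 60 * 1000;
const ROTATION_DAYS = 365;                            // assumed rotation policy
const AUDIT_DATE = new Date("2024-06-01T00:00:00Z");  // fixed so results are reproducible

// Constructed sample: one row per access token.
const SAMPLE_TOKENS = [
  { name: "ERP Sync",      user: "svc_integration", role: "Integration Read", userActive: true,  created: "2024-01-15" },
  { name: "Old BI Feed",   user: "jdoe",            role: "Administrator",    userActive: false, created: "2019-03-02" },
  { name: "Warehouse API", user: "svc_wms",         role: "Administrator",    userActive: true,  created: "2023-11-20" },
];

// Constructed sample: one row per custom role and the permissions it grants (assumed names).
const SAMPLE_ROLES = [
  { name: "AP Clerk",      permissions: ["Lists > Vendors (Full)", "Transactions > Pay Bills (Full)"] },
  { name: "Controller",    permissions: ["Transactions > Make Journal Entry (Full)",
                                         "Transactions > Journal Approval (Full)", "Lists > Mass Updates (Full)"] },
  { name: "Report Viewer", permissions: ["Reports > Financial Statements (View)"] },
];

// Constructed sample: employees and the roles assigned to them.
const SAMPLE_USERS = [
  { user: "jdoe",   roles: ["Administrator"] },
  { user: "asmith", roles: ["Report Viewer"] },
  { user: "bjones", roles: ["Administrator", "Report Viewer"] },
];

// Permission pairs no single role should hold: the SoD conflicts named in section 2.
const SOD_CONFLICTS = [
  ["Lists > Vendors (Full)", "Transactions > Pay Bills (Full)"],
  ["Transactions > Make Journal Entry (Full)", "Transactions > Journal Approval (Full)"],
];
const MASS_CHANGE_PERMS = ["Lists > Mass Updates (Full)"];
const SEVERITY_RANK = { high: 0, medium: 1, low: 2 };

function daysBetween(earlier, later) {
  return Math.floor((later - earlier) / DAY_MS);
}

// Section 1: Administrator tokens, tokens on inactive logins, tokens past rotation age.
function auditTokens(tokens, auditDate = AUDIT_DATE) {
  const findings = [];
  for (const t of tokens) {
    if (t.role === "Administrator") {
      findings.push({ severity: "high", check: "token-admin-role", subject: t.name,
        detail: `token "${t.name}" is scoped to Administrator with no second factor` });
    }
    if (!t.userActive) {
      findings.push({ severity: "high", check: "token-inactive-login", subject: t.name,
        detail: `token "${t.name}" belongs to inactive login ${t.user}; revoke it` });
    }
    const age = daysBetween(new Date(t.created), auditDate);
    if (age > ROTATION_DAYS) {
      findings.push({ severity: "medium", check: "token-unrotated", subject: t.name,
        detail: `token "${t.name}" is ${age} days old, past the ${ROTATION_DAYS}-day rotation window` });
    }
  }
  return findings;
}

// Section 2: mass-change permissions and SoD conflicts inside one role,
// plus every Administrator assignment listed for a human to confirm.
function auditRoles(roles, users) {
  const findings = [];
  for (const r of roles) {
    const perms = new Set(r.permissions);
    for (const p of MASS_CHANGE_PERMS) {
      if (perms.has(p)) {
        findings.push({ severity: "medium", check: "role-mass-change", subject: r.name,
          detail: `role "${r.name}" holds ${p}` });
      }
    }
    for (const [a, b] of SOD_CONFLICTS) {
      if (perms.has(a) && perms.has(b)) {
        findings.push({ severity: "high", check: "role-sod-conflict", subject: r.name,
          detail: `role "${r.name}" holds both "${a}" and "${b}"` });
      }
    }
  }
  for (const u of users) {
    if (u.roles.includes("Administrator")) {
      findings.push({ severity: "low", check: "user-admin-review", subject: u.user,
        detail: `${u.user} holds Administrator; confirm the job actually needs it` });
    }
  }
  return findings;
}

// Combine and rank, highest severity first, so the report leads with what matters.
function buildReport(tokens = SAMPLE_TOKENS, roles = SAMPLE_ROLES, users = SAMPLE_USERS) {
  return [...auditTokens(tokens), ...auditRoles(roles, users)]
    .sort((x, y) => SEVERITY_RANK[x.severity] - SEVERITY_RANK[y.severity]);
}

for (const f of buildReport()) console.log(`[${f.severity}] ${f.check}: ${f.detail}`);
```

On the sample data the report leads with the two Administrator tokens, the token still attached to the departed login, and the two SoD conflicts, and only then lists the Administrator assignments for review. The Administrator check on users is deliberately a review item rather than a finding, because whether a person needs it is a judgement the export cannot make.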
3. Authentication policy
- Is SSO (SAML or OpenID Connect) enforced, so joiners and leavers are provisioned and removed in the identity provider rather than in NetSuite? Note that SSO covers interactive logins only; access tokens (section 1) never pass through the identity provider, so disabling someone there does not disable their tokens.
- What is the minimum password length? Anything under 10 characters is weak enough to be guessed, and it is the short passwords that get reused on other sites.
- How long is the idle session timeout? A session that stays alive for hours is full financial-system access for whoever sits down at the machine.
4. Data exposure
- Are there public saved searches exposing vendor, employee, or financial data?
- Are any RESTlets or Suitelets deployed with the audience set to all roles, or, for Suitelets, marked Available Without Login? Either setting turns the script into an unauthenticated or near-unauthenticated entry point into the account.
- Are integrations authenticating as a named employee's login rather than as a dedicated integration user carrying a purpose-built role? Tied to a person, the integration breaks when that person leaves, and their personal access rides along with every call.
5. Change management
- Is configuration being edited directly in production, or promoted from sandbox? Direct production change with no approval trail is the core SOX change-management gap.
- Who is making those changes, and is anyone reviewing them?
Turning the checklist into a report
You can work this list by hand, or run it automatically. SuiteRX checks every line here read-only, names each finding, maps it to the control an auditor cites (SOX ITGC, SOC 2), and ranks it by severity. The token and access checks alone usually surface something the account owner did not know was there.
See a live sample report with no email required, or run one on your own account.
When you need the findings remediated rather than just listed, the NetSuite consultants at Adaptive Solutions Group can rebuild roles, rotate credentials, and close the gaps with you.