NetSuite Segregation of Duties: the role conflicts that fail a SOX audit
Segregation of Duties is the first thing an auditor asks about, and the last thing most NetSuite accounts are set up for.
The principle is simple. No single role should be able to run a sensitive process from start to finish. The person who creates a vendor should not also be able to pay it. The person who posts a journal entry should not also approve it. When one role can do both, you have a control gap, and control gaps are where fraud and misstatement live.
The problem is that NetSuite roles accumulate. A role gets a permission for a one-off need and never loses it. A custom role gets cloned, then extended. Five years later nobody can tell you which roles can do what, and at least one of them can quietly do something it should not.
The conflicts that matter
These are the pairs an auditor looks for. If a single role holds both sides at create or edit level, it is a Segregation of Duties conflict.
| One role can... | ...and also | Why it matters |
|---|---|---|
| Create a vendor | Pay bills | Set up a fictitious vendor and pay it. The classic disbursement fraud. |
| Enter a vendor bill | Pay it | Duplicate or fraudulent payments with no second approver. |
| Create a purchase order | Approve it | Self-approved spend defeats purchasing controls. |
| Post a journal entry | Approve it | Undetected general-ledger manipulation. |
| Create a customer | Issue a refund or credit | Misappropriation through fake refunds. |
| Maintain employees | Run paychecks | Ghost-employee payroll fraud. |
| Maintain items | Adjust inventory | Adjustments that conceal shrinkage or theft. |
A healthy account splits each pair across two roles, or gates one side behind an approval workflow. A typical account has several of these sitting live, usually in a custom role that grew over time.
Why it is hard to catch by hand
To check SOD manually you have to open every role, read its permission list, and cross-reference it against every conflict pair. Most accounts have dozens of roles. Miss one line in one role and you miss the conflict. Then you have to check which real users are assigned the conflicting roles, because a conflict on paper only becomes a risk when a person actually holds it.
It is exactly the kind of tedious, high-stakes cross-referencing that gets skipped until an audit forces it.
How SuiteRX finds them
SuiteRX enumerates every role's permissions read-only, checks each role against the full set of conflict pairs, and lists the ones that hold incompatible duties, with the specific permissions named and mapped to SOX ITGC access controls. Administrator roles are excluded, since they are expected to hold everything and are covered separately. What is left is the real SOD exposure, ready to hand to your auditor or your admin.
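The cross-referencing described in the last two sections, written out as an added Python example (not SuiteRX's code and not a NetSuite API). The role and user data are constructed, the permission labels reuse the table's wording rather than NetSuite's own permission names, and the check goes one step further than the text by combining a user's roles, so two individually clean roles assigned to one person are caught as well.

```python
# Added SoD check over a role/permission matrix plus user-role assignments. Sample
# data is constructed, not a NetSuite export; labels reuse the table's wording.
# Conflict pairs from the table; holding both sides at a write level is a conflict.
CONFLICT_PAIRS = [
    ("Create a vendor", "Pay bills", "fictitious-vendor disbursement"),
    ("Enter a vendor bill", "Pay bills", "duplicate or fraudulent payment"),
    ("Create a purchase order", "Approve a purchase order", "self-approved spend"),
    ("Post a journal entry", "Approve a journal entry", "general-ledger manipulation"),
    ("Create a customer", "Issue a refund or credit", "fake refunds"),
    ("Maintain employees", "Run paychecks", "ghost-employee payroll"),
    ("Maintain items", "Adjust inventory", "concealed shrinkage"),
]
# Levels that let a role act; View-only does not count ("create or edit level").
WRITE_LEVELS = {"Create", "Edit", "Full"}
ADMIN_ROLES = {"Administrator"}  # expected to hold everything; reviewed separately

# Constructed role -> {permission: level}. The custom AP role has accumulated both sides.
ROLE_PERMISSIONS = {
    "Administrator": {p: "Full" for a, b, _ in CONFLICT_PAIRS for p in (a, b)},
    "AP Clerk (custom)": {"Create a vendor": "Edit", "Enter a vendor bill": "Create", "Pay bills": "Full"},
    "Buyer": {"Create a purchase order": "Create", "Approve a purchase order": "View"},
    "Staff Accountant": {"Post a journal entry": "Create"},
    "Controller": {"Approve a journal entry": "Full"},
}
# Constructed user -> roles. Dana's two clean roles combine into a live journal-entry conflict.
USER_ROLES = {
    "alice": ["AP Clerk (custom)"],
    "bob": ["Buyer"], "admin": ["Administrator"],
    "dana": ["Staff Accountant", "Controller"],
}

def write_permissions(roles, role_perms=ROLE_PERMISSIONS):
    """Permissions held at a write level across the given roles."""
    return {p for r in roles for p, lvl in role_perms.get(r, {}).items() if lvl in WRITE_LEVELS}

def conflicts_in(perms):
    """Conflict pairs with both sides present in a permission set."""
    return [(a, b, why) for a, b, why in CONFLICT_PAIRS if a in perms and b in perms]

def role_conflicts(role_perms=ROLE_PERMISSIONS):
    """Non-admin roles that hold both sides of a pair on their own (the on-paper conflict)."""
    found = {r: conflicts_in(write_permissions([r], role_perms)) for r in role_perms if r not in ADMIN_ROLES}
    return {r: c for r, c in found.items() if c}

def user_conflicts(user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS):
    """Users whose combined non-admin roles hold both sides (the exposure that is actually live)."""
    found = {u: conflicts_in(write_permissions([r for r in rs if r not in ADMIN_ROLES], role_perms))
             for u, rs in user_roles.items()}
    return {u: c for u, c in found.items() if c}
```

On the sample data, `role_conflicts()` flags only the custom AP role, while `user_conflicts()` also flags Dana, whose journal-entry conflict exists only because two roles are assigned to one person.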
You can see it in a live sample report, no email required, or run it on your own account.
When you need it fixed, not just found
Finding the conflicts is the fast part. Restructuring roles without breaking someone's daily work is the careful part. If you want hands-on help splitting duties and rebuilding roles cleanly, the NetSuite consultants at Adaptive Solutions Group do exactly that. SuiteRX tells you what is wrong. ADSG can fix it with you.