
July 3, 2026

NetSuite Segregation of Duties: the role conflicts that fail a SOX audit

Segregation of Duties is the first thing an auditor asks about, and the last thing most NetSuite accounts are set up for.

The principle is simple. No single role should be able to run a sensitive process from start to finish. The person who creates a vendor should not also be able to pay it. The person who posts a journal entry should not also approve it. When one role can do both, you have a control gap, and control gaps are where fraud and misstatement live.

The problem is that NetSuite roles accumulate. A role gets a permission for a one-off need and never loses it. A custom role gets cloned, then extended. Five years later nobody can tell you which roles can do what, and at least one of them can quietly do something it should not.

The conflicts that matter

These are the pairs an auditor looks for. If a single role holds both sides at create or edit level, it is a Segregation of Duties conflict.

| One role can... | ...and also | Why it matters |
| --- | --- | --- |
| Create a vendor | Pay bills | Set up a fictitious vendor and pay it. The classic disbursement fraud. |
| Enter a vendor bill | Pay it | Duplicate or fraudulent payments with no second approver. |
| Create a purchase order | Approve it | Self-approved spend defeats purchasing controls. |
| Post a journal entry | Approve it | Undetected general-ledger manipulation. |
| Create a customer | Issue a refund or credit | Misappropriation through fake refunds. |
| Maintain employees | Run paychecks | Ghost-employee payroll fraud. |
| Maintain items | Adjust inventory | Adjustments that conceal shrinkage or theft. |

A healthy account splits each pair across two roles, or gates one side behind an approval workflow. A typical account has several of these sitting live, usually in a custom role that grew over time.

Why it is hard to catch by hand

To check SOD manually you have to open every role, read its permission list, and cross-reference it against every conflict pair. Most accounts have dozens of roles. Miss one line in one role and you miss the conflict. Then you have to check which real users are assigned the conflicting roles, because a conflict on paper only becomes a risk when a person actually holds it.

It is exactly the kind of tedious, high-stakes cross-referencing that gets skipped until an audit forces it.

How SuiteRX finds them

SuiteRX enumerates every role's permissions read-only, checks each role against the full set of conflict pairs, and lists the ones that hold incompatible duties, with the specific permissions named and mapped to SOX ITGC access controls. Administrator roles are excluded, since they are expected to hold everything and are covered separately. What is left is the real SOD exposure, ready to hand to your auditor or your admin.

You can see it in a live sample report, no email required, or run it on your own account.

When you need it fixed, not just found

Finding the conflicts is the fast part. Restructuring roles without breaking someone's daily work is the careful part. If you want hands-on help splitting duties and rebuilding roles cleanly, the NetSuite consultants at Adaptive Solutions Group do exactly that. SuiteRX tells you what is wrong. ADSG can fix it with you.

Frequently asked

What is Segregation of Duties in NetSuite?

Segregation of Duties (SOD) is the control principle that no single role should be able to complete a sensitive process end to end. In NetSuite it means splitting incompatible permissions across roles, for example separating the ability to create a vendor from the ability to pay it, so no one person can both set up a payee and disburse funds.

Why do auditors care about SOD in NetSuite?

SOD is a core SOX IT general control. A role that combines incompatible duties is a direct fraud path and an audit finding. Auditors ask which roles hold conflicting permissions and whether any real user is assigned a conflicting role, because that is where financial misstatement and misappropriation start.

How do I find SOD conflicts in NetSuite?

Enumerate every role's permissions, then check each role against a list of known conflict pairs (create-vendor plus pay-bills, post-journal plus approve-journal, and so on). Doing it by hand across dozens of roles is slow and error-prone. SuiteRX runs the check automatically and lists every conflicting role.
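The procedure described here and in "Why it is hard to catch by hand" (enumerate each role's permissions, test every role against the conflict pairs, exclude Administrator, then check which real users actually hold the exposure) is small enough to script. The example below is an added illustration, not SuiteRX's code and not a NetSuite API: the role and user data is constructed inline, and the permission labels are readable stand-ins for NetSuite's actual permission names. In practice you would feed it an export of each role's Permissions subtab and of user-to-role assignments. It goes one step beyond the text by also flagging a user whose two individually clean roles combine into a conflict, since the union of a person's roles is what they can actually do.

```python
"""Segregation-of-Duties check over NetSuite-style role/permission data.

Added example with constructed data; permission and role names are
illustrative stand-ins, not NetSuite's internal identifiers.
"""

# Conflict pairs taken from the table in this guide: (side A, side B, why it matters)
CONFLICT_PAIRS = [
    ("Vendors (create/edit)", "Pay Bills", "fictitious vendor paid: classic disbursement fraud"),
    ("Enter Vendor Bills", "Pay Bills", "duplicate or fraudulent payments with no second approver"),
    ("Purchase Orders (create)", "Approve Purchase Orders", "self-approved spend"),
    ("Make Journal Entry", "Approve Journal Entries", "undetected general-ledger manipulation"),
    ("Customers (create/edit)", "Issue Refunds/Credits", "misappropriation through fake refunds"),
    ("Employees (maintain)", "Run Payroll", "ghost-employee payroll fraud"),
    ("Items (maintain)", "Adjust Inventory", "adjustments that conceal shrinkage"),
]

# Administrator is expected to hold everything and is reviewed separately.
EXCLUDED_ROLES = {"Administrator"}

# Constructed sample: role -> set of permissions. "AP Manager (custom)" is the
# role that "grew over time" and now holds both halves of two pairs.
ROLES = {
    "Administrator": {p for pair in CONFLICT_PAIRS for p in pair[:2]},
    "AP Clerk": {"Vendors (create/edit)", "Enter Vendor Bills"},
    "AP Manager (custom)": {"Vendors (create/edit)", "Enter Vendor Bills", "Pay Bills"},
    "GL Accountant": {"Make Journal Entry"},
    "Controller": {"Approve Journal Entries", "Approve Purchase Orders"},
    "Buyer": {"Purchase Orders (create)"},
}

# Constructed sample: user -> set of assigned roles.
USERS = {
    "alice": {"AP Manager (custom)"},
    "bob": {"GL Accountant", "Controller"},   # each role is clean; together they conflict
    "carol": {"Buyer"},
    "dave": {"Administrator"},
}


def role_conflicts(roles):
    """Return (role, perm_a, perm_b, why) for every non-admin role holding both sides of a pair."""
    findings = []
    for role, perms in roles.items():
        if role in EXCLUDED_ROLES:
            continue
        for side_a, side_b, why in CONFLICT_PAIRS:
            if side_a in perms and side_b in perms:
                findings.append((role, side_a, side_b, why))
    return findings


def user_conflicts(roles, assignments):
    """Return (user, perm_a, roles_granting_a, perm_b, roles_granting_b, why).

    A user's effective permissions are the union across all assigned non-admin
    roles, so a conflict is reported even when the two halves come from
    different roles. The granting roles are listed so the fix is obvious.
    """
    findings = []
    for user, user_roles in assignments.items():
        granted_by = {}  # permission -> set of roles that grant it
        for role in user_roles - EXCLUDED_ROLES:
            for perm in roles.get(role, set()):
                granted_by.setdefault(perm, set()).add(role)
        for side_a, side_b, why in CONFLICT_PAIRS:
            if side_a in granted_by and side_b in granted_by:
                findings.append((user, side_a, sorted(granted_by[side_a]),
                                 side_b, sorted(granted_by[side_b]), why))
    return findings


def report(roles, assignments):
    """Human-readable summary, roles first, then the users who actually carry the exposure."""
    lines = ["Role-level SOD conflicts:"]
    for role, a, b, why in role_conflicts(roles):
        lines.append(f"  {role}: '{a}' + '{b}' ({why})")
    lines.append("User-level SOD exposure:")
    for user, a, ra, b, rb, why in user_conflicts(roles, assignments):
        lines.append(f"  {user}: '{a}' via {ra} + '{b}' via {rb} ({why})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(ROLES, USERS))
```

Run against the sample, the role pass flags only "AP Manager (custom)" (twice, once per pair it covers), while the user pass additionally surfaces bob, who holds no conflicting role but can both post and approve journals through two separate roles. Splitting the roles fixes the first case; changing bob's assignment or gating journal approval behind a workflow fixes the second.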

See it on your own account.

SuiteRX checks everything in this guide, read-only, and hands you the report.