Why life sciences companies face a harder SOX challenge than other industries
Every public company has to run the same annual compliance cycle under SOX Section 404: assess your financial controls, produce evidence that auditors can verify, and fix whatever the assessment finds. Life sciences companies do all of that while also answering to the FDA at the same time, and that second obligation changes what a solid control environment actually requires.
Most public companies build their compliance program around the SEC requirement alone. Biotech, biopharma, CDMO, specialty pharma, and medical device companies also have to meet FDA rules on how electronic records are created, approved, and stored in any system involved in regulated work. Under 21 CFR Part 11, software used to create or modify records the FDA might review — including quality incident reports, batch records, and approval sign-offs on regulated processes — has to meet specific standards for record-keeping, electronic signatures, and who can access what. If NetSuite touches those records, those standards apply alongside the SEC requirements.
That puts a life sciences finance team in an unusual position. The same system has to satisfy 2 sets of record-keeping rules, from 2 different federal agencies, on different inspection timelines. A gap that produces a finding in the annual financial audit can independently produce an observation from FDA inspectors visiting a facility the following month. A CFO at a conventional public company can treat NetSuite as a financial compliance tool. A life sciences CFO cannot.
The good news is that FDA and SEC requirements overlap significantly in practice. Both agencies want the same things from your system: a record of who did what and when, electronic sign-offs that are tied to specific people, and access controls that limit who can touch what. A company that sets up NetSuite properly for one framework covers most of the other at the same time. The companies that pay the most are the ones that treat them as entirely separate projects, build duplicate documentation, and staff separate teams to manage them.
The 6 NetSuite controls auditors check at life sciences companies
When auditors review financial controls at a life sciences company, they follow a fairly consistent checklist when they look at NetSuite. These 6 areas generate the most findings and take the longest to fix when something is missing or broken.
Journal entry approval workflow
Every significant journal entry (typically anything above $10,000 to $25,000, depending on the company's size) needs to be reviewed and approved by someone who did not prepare it, with that approval recorded in NetSuite before the entry is posted to the books. The most common problem auditors find: the person who prepares the entry also approves it, either by working around the system or because no approval step was set up at all. When approvals happen over email, there is nothing for auditors to test. Email threads are not audit evidence.
Purchase order approval workflow
Your approval policy defines who is allowed to commit the company to a purchase, and at what spending levels. NetSuite needs to enforce that automatically rather than relying on people to remember the rules. Auditors pick a sample of purchase orders and check that each was approved by the right person before the order was placed. A purchase order that got approved after the goods already arrived, or one that was routed to the wrong approver because the system was not set up correctly, is a problem regardless of whether the purchase itself made sense.
Vendor bill approval workflow
Approving a vendor bill for payment is a separate step from approving the original purchase order, and auditors check both independently. The purchase order sign-off answers the question: is this person allowed to commit to this purchase? The vendor bill sign-off answers a different question: is this person allowed to release a payment? Both need to be set up in NetSuite. The common gap is that purchase order approvals are configured and vendor bill approvals are not. Auditors find it quickly.
User access review
At least once a year, someone needs to formally review every active NetSuite user, confirm what they can access, verify that a named manager approved that access, and check that it still matches what their job actually requires. Auditors compare the user list against HR records to find people who left the company but still have system access. They also check for cases where the same person has access to steps that are supposed to be done by different people. The review needs to be dated, signed off by a named approver, and kept on file. An undated spreadsheet or a screenshot does not meet the standard.
Accounting period close lock
Once an accounting period is closed, NetSuite needs to block anyone from going back and posting transactions into it. Auditors check whether any entries were dated in a period that was already closed when they were entered. Even one retroactive posting, even a legitimate correction, signals that this control is not working. The block has to be enforced by the system itself, not by a policy that asks the team to avoid posting to closed periods.
Change management for system customizations
Any custom code, automated workflow, or report built inside NetSuite that plays a role in financial processing or approvals falls under financial controls review. Auditors ask for a log of every change made to those customizations during the year, then check that a sample of those changes went through a proper process: someone requested the change, it was tested in a separate environment before going live, a named person approved it, and there is a dated record of when it was deployed. A change pushed directly into the live system with no documentation is a finding. This is consistently the least-prepared control area at life sciences companies, mostly because the developers who build and update these customizations often have no connection to the finance team's compliance process.
How 21 CFR Part 11 and SOX overlap, and how to satisfy both with one control
A lot of life sciences companies treat FDA compliance (21 CFR Part 11) and SEC compliance (SOX) as entirely separate projects, assign them to separate teams, and end up producing 2 sets of documentation that cover most of the same ground. It costs more, takes longer, and creates ongoing maintenance work: every time the system changes, both sets of documents need updating. The reasoning is usually that the FDA and SEC want different things. At the system level, they mostly want the same things.
Both agencies need 4 things from NetSuite. A permanent record of who did what, on which record, and when, including what the record said before and after any change, with no way to alter that history retroactively. Individual login credentials: shared logins are prohibited by FDA rules and create a compliance failure under SOX as well. Access controls that limit what each person can do in the system, with that access formally reviewed on a regular basis. Electronic sign-offs on controlled records that capture who signed, when, and what the signature meant: review, approval, or verification.
A properly configured electronic signature in NetSuite satisfies both the FDA requirement and the SEC requirement for the same approval. Building 2 separate sign-off systems for the same record is duplication, not compliance.
In practice, this means one sign-off configuration in NetSuite can satisfy both agencies at the same time. Take a journal entry that is both a financial record under SEC rules and a record tied to a regulated activity, such as a quality cost entry or a clinical inventory adjustment. A single approval step, tied to a specific person and time, satisfies both requirements. There is no need for 2 separate approval events or 2 separate record-keeping systems for the same underlying action.
The requirement is that the sign-off tool runs inside NetSuite natively, not as a separate external system that produces its own record. An external system creates a verification problem: auditors and FDA inspectors both need to confirm that the external record matches the NetSuite record, and any discrepancy becomes a finding. Archer Insights' 21 CFR Part 11 Electronic Signatures moduleis built directly into NetSuite, so the sign-off and the record it relates to are in the same place, accessible to both a financial auditor and an FDA inspector without any extra reconciliation work.
Where the 2 frameworks do apply to different things, the line is clear. The FDA rules cover records created in regulated activities. The SEC rules cover financial records and the systems that produce them. For records that fall under both at the same time (common in biotech, where quality incidents often produce financial entries) one control covers both. For records that fall under only one, each set of rules applies separately, but the same underlying system configuration handles it either way.
The 3 most common control failures at life sciences companies running NetSuite
These problems show up across biotech, biopharma, CDMO, and specialty pharma companies at every stage: early-stage, newly public, and long-established public companies alike. None are unusual. All 3 are predictable results of setting up NetSuite for speed and convenience, with compliance rigor treated as something to deal with later.
01. Too much system access, particularly giving finance staff full administrator rights
The Administrator role in NetSuite gives whoever holds it unrestricted access to everything in the system. It also bypasses most of the controls that are supposed to catch problems. An administrator can approve their own transactions, post entries into periods that are supposed to be closed, delete records, and change the approval rules themselves. Controllers and finance managers often hold administrator access from early on because it makes day-to-day work faster. By the time auditors review the system, that level of access creates a problem across every financial process simultaneously.
The fix is to redesign who has access to what, so that each person's permissions match their actual responsibilities and no one can both initiate and approve the same transaction. Where the team is too small to split duties fully, compensating controls (a second independent reviewer for transactions above a set threshold, automated reports that flag exceptions) need to be formally documented and demonstrably in use throughout the year.
02. Journal entry approvals handled outside the system
In small finance teams, journal entry review often happens by Slack message, email, or a quick word with the CFO. The Controller prepares the entry, the CFO signs off, and both know the review happened. Auditors do not. They look for a sign-off that is recorded inside NetSuite, tied to a named individual, with a date and time stamp on the entry itself. If that record does not exist in the system, the control does not exist for audit purposes, regardless of how carefully the review was actually done.
The fix is straightforward but has a timing constraint. Approval workflows need to run inside NetSuite for a full quarter before auditors can count them as operating controls for that period. A workflow turned on in November covers November and December. The 10 months before that have no auditable sign-off trail.
03. System customizations updated without a change record
Life sciences finance teams often build custom tools inside NetSuite: automated calculations for clinical trial accruals, templates that pull data from CRO contracts into journal entries, or reports that feed the numbers disclosed in financial statements. These are usually built by a contractor or an internal developer who has no direct involvement in the finance team's compliance process. When something needs fixing or a report needs updating, the change typically goes straight into the live system because testing it in a separate environment first would take time.
From a financial controls standpoint, every undocumented change to a tool that touches financial data is a finding. Auditors ask for a log of every update made to those tools during the year and check that a sample of those updates went through a proper process. If no log exists, or the only record is a developer's internal notes that the finance team cannot access or interpret, the control fails. Fixing it requires both setting up a proper process for future changes and reconstructing, as best as possible, what changed during the year under review and whether those changes were authorized.
A 90-day roadmap to SOX-ready NetSuite
This roadmap applies to any life sciences company that has found gaps in its NetSuite controls, whether through an internal review, an external audit finding, or a decision to get ahead of a period that will be closely examined. It assumes NetSuite has been running for at least 12 months and a finance team of 3 to 8 people. The goal is a control environment that is properly set up, actively running, and producing evidence auditors can use by the end of the 90 days.
Weeks 1 to 4
Clean up who has access to what
Start by removing the access conflicts auditors are most likely to flag.
- Pull a full list of every active NetSuite user and what they can access. Flag everyone with full administrator rights.
- Redesign access levels for each finance team member so that permissions match their actual job. No one person should be able to both initiate and approve the same transaction.
- Identify the 3 to 5 highest-risk access conflicts (typically: the same person who sets up vendors can also approve their invoices, or the person who prepares journal entries can also post them) and resolve those first.
- Where the team is too small to fully separate duties, set up compensating controls: automatic reports that flag exceptions, mandatory second-reviewer sign-off above a spending threshold, or monthly reconciliations signed by a named reviewer.
- Conduct the first formal annual access review: list all users, their access levels, and who approved each. Keep the output on file as documentation.
- Remove full administrator access from any accounts used for day-to-day work. Create a separate emergency-only administrator account, with all access to it logged and periodically reviewed.
Weeks 5 to 8
Set up approval workflows inside NetSuite
Move approvals and change control into system-enforced workflows.
- Configure journal entry approvals in NetSuite for all entries above your significance threshold. Route each entry to the right approver based on size, account type, or department. The approval must be completed inside the system, not just triggered by an email that someone clicks past.
- Configure purchase order approvals to match your approval policy: typically 2 to 3 levels based on spending amount, with escalation to a higher approver above a set threshold.
- Set up vendor bill approvals as a separate step from purchase order approvals. The person who can commit to a purchase and the person who can release a payment should not always be the same.
- Lock the most recently closed accounting period and verify that no one, including administrators, can post into it without an explicit documented override.
- Create a formal change process for any updates to NetSuite customizations: a written request, testing in a separate environment before going live, sign-off from a named approver, and a dated log of what changed.
- Run the new workflows for 4 weeks while tracking any failures or workarounds. Resolve those before the formal audit period begins.
Weeks 9 to 12
Build the documentation auditors will ask for
Package the operating evidence into records auditors can inspect.
- Draft a control documentation map: for each significant financial risk, identify the specific control that addresses it, who owns it, how often it runs, and what evidence shows it worked.
- Prepare a system documentation record covering the current live NetSuite setup, including who has what access, how approval routing is configured, how period controls are set, and how the activity log is maintained.
- Prepare an access summary: every active role, what it allows, and which users currently hold it.
- Attach supporting documents to all significant journal entries posted since the new approval workflows went live. Confirm the system shows who prepared each entry, who approved it, and when.
- Run a practice walkthrough using the same 6 areas auditors will test. Identify any gaps and fix them before the formal audit starts.
- Set up a records retention process: confirm the activity log can be exported, that access review records are saved in a format that can be kept for 7 years, and that the customization change log is maintained as a permanent file.
Archer Insights' Approvals Appis in use at more than 80 percent of the publicly traded life sciences companies Archer works with. It handles the weeks 5 to 8 work without requiring custom development for each transaction type. The Delegation of Authority module manages approval coverage when someone is on leave or when a reorganization changes who reports to whom, which is a recurring problem in small finance teams where one person's absence can break a required approval chain. Both run natively inside NetSuite, so the approval record, the activity log, and the supporting documents are all attached to the standard transaction where auditors will look for them.
Frequently asked questions
Q: What NetSuite controls does SOX Section 404 require for life sciences companies?
A: SOX Section 404 requires life sciences companies running NetSuite to maintain 6 controls continuously: journal entry approvals where an independent reviewer signs off inside the system before entries are posted; purchase order approvals that enforce spending authority by dollar threshold; vendor bill approvals as a separate step from purchase order approvals; an annual review of who has access to the system and what they can do; period close locks that prevent anyone from posting entries into an already-closed accounting period; and a documented process for any changes made to system customizations. All 6 need to produce evidence that auditors can pull and verify inside NetSuite itself, not from email threads or external files.
Q: How does NetSuite support SOX compliance for biotech and pharma companies?
A: NetSuite has the features needed to support SOX-compliant financial controls (activity logging, access restrictions, approval routing, period locking) but none of it is turned on for compliance by default. A system set up for speed will leave most of these either switched off or configured too loosely. Building a defensible control environment means deliberately setting up access levels to prevent the same person from approving their own work, configuring approval workflows for every significant transaction type, locking periods after close, and documenting how the controls are designed. Tools like the Approvals App and the 21 CFR Part 11 Electronic Signatures module are built specifically for the approval and sign-off gaps that produce the most common findings in life sciences financial audits.
Q: If we already completed 21 CFR Part 11 validation for NetSuite, how much additional SOX work is left?
A: Considerably less than starting from scratch. A properly run Part 11 validation already produces a document describing how the system is configured, a list of who has access to what, evidence that the activity log works as intended, and documentation that electronic sign-offs are functioning correctly. That is most of what auditors want to see for the technology controls portion of a SOX review. What a Part 11 validation typically does not cover is the financial process side: approval workflows for journal entries, purchase orders, and vendor bills; period close locks; and a written map of which specific control addresses each financial reporting risk. A thorough Part 11 validation usually handles 40 to 60 percent of the total SOX preparation work, depending on how far it went into access management, activity logging, and change control for system customizations.