Skip to main content
CFCX Work
← Back to Insights

When Your System Doesn't Know What's True

When Your System Doesn't Know What's True

The question is why operational work becomes fragile even when no one is “doing anything wrong.” Most chaos isn’t a single outage or a single bad deploy. It’s drift: two systems describe the same thing in two different ways, and each is internally consistent enough to look correct.

What’s at stake is not just accuracy. It’s trust. When finance, ops, and customer support each have a different “truth” for the same customer, invoice, or status, the work slows down. Teams stop automating because they can’t rely on the outputs. They fall back to spreadsheets, screenshots, and meetings. The system becomes a place to record arguments, not resolve them.

From first principles, a system exists to reflect reality so decisions and actions can follow. The failure mode is designing software that is allowed to create its own reality—by copying authoritative data, holding it locally, and then treating that copy as if it remains authoritative.

Drift is a design choice, not an accident

Replication feels pragmatic. Querying a local table is fast. Storing a PDF locally seems safer than relying on a government portal. Building a nightly sync looks like “resilience.”

But the moment you duplicate external truths, you accept a permanent condition: you now have at least two masters. Even if one is “supposed” to be the master, the copy will be used as if it were authoritative because it’s closer, faster, and more convenient.

This is operational debt. Each additional copy creates future work:

  • Reconciliation reports to compare two versions of the same record
  • Exception queues for “mismatches” that require human judgment
  • Support tickets and engineering time spent proving which system is right
  • Policies that tell teams which screen to trust (a quiet sign the architecture has failed)

Fetch, don’t hold: a practical definition of external truth

The core principle is simple: a system should fetch, not hold, external truths. If the authoritative source of a fact is outside your control—government portals, tax engines, payment processors, carrier tracking, identity verification—your system should treat that source as the master for that fact.

This does not mean “never store anything.” It means being explicit about what you store and why:

  • Store references (identifiers, tokens, hashes, timestamps) that let you retrieve the truth.
  • Store inputs you generated (what you submitted, when, and under what version of your rules).
  • Store derived operational state you own (internal workflow status), but don’t confuse it with the external authority’s state.

Why this works

Fetching at the moment of use forces a clean boundary: the truth is what the authority returns now, not what you last copied. It also reduces “split-brain” behavior where teams fix issues by editing the local copy, which only widens the gap.

An example: government-stamped invoices

Consider a global company generating invoices that must be validated or stamped by a government portal. The common implementation looks like this:

  • ERP produces a preliminary invoice.
  • Integration submits data to the government portal.
  • Portal returns a stamped PDF plus a serial number/QR.
  • ERP or a document system stores the stamped PDF.

It feels complete: you have the official document “in your system.” The problem appears later:

  • The portal reissues the document due to a correction or reprocessing.
  • A retry produces a second “official” version.
  • A user downloads the PDF from the portal directly and it differs from the stored copy.
  • Support can’t prove which is correct without manual validation.

A more stable pattern: store the key, fetch the artifact

A better approach treats the government portal as perpetual master:

  • ERP submits the raw invoice data.
  • Portal returns a durable identifier (and possibly a checksum/version).
  • ERP stores the identifier and the submission details.
  • When accounting or the customer needs the official document, the system fetches it using the identifier.

The ERP doesn’t store the final PDF as “truth.” It stores the key that retrieves truth. This removes an entire class of reconciliation work: the document shown is, by definition, the official one.

How to apply this in NetSuite and adjacent systems

Most organizations run this problem into NetSuite because NetSuite becomes the hub: invoices, payments, fulfillment, revenue, and reporting. The temptation is to make NetSuite the master of everything by importing and storing external records as if they are final.

In practice, a cleaner division is:

  • NetSuite masters internal operational intent: what you attempted to do (create invoice, ship order, collect payment), and your internal statuses.
  • External systems master their own facts: tax authority stamp, payment processor settlement status, carrier delivery confirmation, identity verification result.
  • Integrations provide references and retrieval, not bulk copying of authoritative artifacts.

Design methods that reduce drift

  • Reference-first data model: store external IDs, document handles, and “as-of” timestamps instead of storing the authoritative payload.
  • Read-through retrieval: when a user views a record, fetch the external truth on demand (with clear UI cues such as “retrieved at 10:32”).
  • Controlled caching: if latency matters, cache with strict TTL and visible freshness, and treat cache as disposable.
  • Idempotent submissions: ensure repeated sends don’t create parallel truths. Use idempotency keys and store them.
  • Audit the boundary: log what was sent, what was received, and the identifier linking the two. This is more useful than storing the artifact itself.

When you do need to store a copy

There are legitimate reasons to store external artifacts: legal retention, offline access requirements, or vendor availability risk. The mistake is not storing a copy; it is treating the copy as the master.

If you must store, make the copy explicitly secondary:

  • Store it as an archive with retrieval metadata (source, time, checksum).
  • Prefer the live fetch when available; fall back to the archive when not.
  • Display provenance to users so they know whether they’re viewing “official now” or “official as-of.”

Operational signals that your system has lost truth

Drift shows up in repeatable ways:

  • Teams maintain “shadow ledgers” in spreadsheets.
  • Disputes begin with “my report says…” rather than “the authority says…”
  • Reconciliation becomes a standing meeting.
  • Engineers add validations that check one internal table against another.
  • Support asks customers for screenshots because internal screens disagree.

These are not training issues. They are architecture signals.

Ultimately, systems work when they remain anchored to what is authoritative. The moment you let internal copies become “truth,” you trade short-term convenience for long-term disagreement.

What this means in practice is designing around references, retrieval, and clear boundaries of mastery—especially in ERP environments where everything appears to want a single database. The takeaway is simple: stop building systems that try to remember what the world looks like; build systems that know how to ask.