Accelerating SOX compliance with SAP automation
Ahhh - the great Sarbanes–Oxley Act of 2002.
I remember it as if it was yesterday. I was working in IT with a US investment bank around the time of the Enron and Worldcom accounting scandals in the early noughties (naughties?), and it’s fair to say there were a number of pained expressions and uncomfortable gaits amongst some of those high-flying financiers at the time.
Fast forward a couple of years, and I was just starting my first SAP role as the full impact of what the newly passed Sarbanes-Oxley Act was going to mean for US-regulated companies (and their SI partners) was starting to be understood. More process controls. More rigor. And for a while, some more pained expressions amongst my new consulting colleagues as they realised how SOX was going to affect their day-to-day working lives.
Roll on twenty years, and SOX controls and governance are just as important as ever for companies operating in the US. I hear the powers-that-be are even talking about introducing a UK version of Sarbanes-Oxley in an attempt at reducing corporate skullduggery closer to (my) home.
Here at Basis Technologies we have hundreds of customers around the globe, many of whom operate in the US market, so it’s not enough for us to simply provide great automation software. It’s also our duty to ensure those products help our clients comply with regulations like SOX, and indeed other guidelines and regulations like GxP and FDA.
Within ActiveControl, our SAP DevOps automation tool, we achieve this in three main ways: workflow, analysis and reporting.
At its core, ActiveControl provides the means to enforce a robust approvals workflow, making sure that every change follows the correct approvals and testing processes from Development all the way through to final deployment to Production.
This workflow helps to ensure that only authorised users have the ability to perform certain approvals in the system, and avoids any risk of an untested or unapproved change getting through to QA, let alone Production systems.
Sitting on top of the workflow is a suite of almost 70 ShiftLeft analysis checks that can be set up to run automatically at appropriate points in the process. These analyzers ensure that every SAP change - and indeed every individual transport - meets all relevant quality and governance standards.
Amongst the extensive range of ShiftLeft analysis checks are two that are specifically aimed at helping customers ensure segregation of duties (SOD) - an important aspect of a Sarbanes-Oxley Section 404 control strategy - within their workflow.
ShiftLeft: Approver SOD Check automatically prevents the same user from performing two specific (configurable) approvals within the overall workflow, while ShiftLeft: Check Own Changes, as its name suggests, can be used to prevent a user from approving their own transports. Both are popular at SOX-regulated customers.
To illustrate how these analyzers can be used, a couple of simple examples: they can automatically ensure that a Developer cannot also peer-review their own change, and that a Basis resource cannot import their own transports to any system.
Sure, these are quite simple principles, but enforcing them without automation can be a real headache. They show why ActiveControl’s analyzers are so popular at SAP customers who have to govern their SOD controls, and demonstrate them to internal and external auditors.
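To make the two SOD principles concrete, here is an added example (not ActiveControl code; stage names, user names and the transport number are constructed) that models a transport moving through an approval workflow, with an "approver SOD" rule over conflicting stage pairs and an "own changes" rule at the peer-review and import steps:

```python
from dataclasses import dataclass, field

# Constructed stage/user names; ActiveControl's own stage names and APIs are not on the page.
@dataclass
class Transport:
    number: str
    owner: str                                     # user who created the transport
    approvals: dict = field(default_factory=dict)  # stage -> user who approved it

@dataclass
class SodPolicy:
    conflicting_pairs: set   # frozensets of two stages one user may not both perform
    own_change_blocked: set  # stages a user may not perform on their own transport

def approver_sod_check(transport, stage, user, policy):
    """Approver SOD Check: reject if this user already did a conflicting approval."""
    for done_stage, done_user in transport.approvals.items():
        if done_user == user and frozenset({done_stage, stage}) in policy.conflicting_pairs:
            return f"SOD: {user} already performed {done_stage} on {transport.number}"
    return None

def check_own_changes(transport, stage, user, policy):
    """Check Own Changes: reject if the owner tries to act on their own transport."""
    if stage in policy.own_change_blocked and transport.owner == user:
        return f"SOD: {user} may not {stage} their own transport {transport.number}"
    return None

def approve(transport, stage, user, policy):
    """Run both analyzers; the approval is recorded only if both pass."""
    for check in (approver_sod_check, check_own_changes):
        problem = check(transport, stage, user, policy)
        if problem:
            return False, problem
    transport.approvals[stage] = user
    return True, f"{stage} by {user} recorded for {transport.number}"

def run_demo():
    """Walk one constructed transport through the workflow and return each verdict."""
    policy = SodPolicy(
        conflicting_pairs={frozenset({"qa_approve", "prod_import"})},
        own_change_blocked={"peer_review", "prod_import"},
    )
    t = Transport("DEVK900123", owner="alice")  # constructed transport number
    attempts = [("peer_review", "alice"),   # developer reviewing her own change
                ("peer_review", "bob"),
                ("qa_approve", "carol"),
                ("prod_import", "carol"),   # same user on two conflicting approvals
                ("prod_import", "dave")]
    return [approve(t, stage, user, policy) for stage, user in attempts]
```

The two blocked attempts are exactly the cases the text describes: a developer peer-reviewing their own change, and one person holding both sides of a configured conflicting pair.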
For many years, two reports within ActiveControl have also played a key part in helping our customers fulfil their SOX and audit requirements.
From a general auditing perspective, the Transport / Task Activity & Event Audit report has long been the stuff of an auditor’s dreams. Gone are the days of SAP teams being sent a list of random transports from the past 12 months by their external auditors, and having to spend hours (or days!) digging into historical tickets and email threads to provide evidence that each transport followed the agreed change & release management processes.
With a cut & paste and a click of a button in the aforementioned report, an auditor can generate their own ‘who did what/when’ version showing every important event that was performed on a set of transports, from creation through to Production go-live.
From a SOX compliance perspective, the Change Document Report is also crucial. This report helps Basis Technologies customers easily track and report on configuration level changes performed within ActiveControl. This includes Target configuration changes such as Approvers and Import Schedules, and also, in more recent versions, ShiftLeft Analyzer and User Roles configuration.
Talking of Approvers and User Roles, there’s another important segregation of duties capability coming soon that’s related to the administration of Approvers and User Role assignments.
In response to customer feedback, a new automation feature will enable ActiveControl customers to make their ActiveControl administrators (often SAP Basis resources) responsible for maintaining the core configuration of the product, while separately allowing their Security & Authorisation teams to be responsible for the assignment of Inbox/Outbox approvers.
This capability will be introduced in the next version of ActiveControl (v8.4 - watch this space for more info), via a new program that can be used to automatically add/remove a user as an Approver if they have a particular (configurable) SAP role (either standard or custom) assigned via SU01. It’s a new feature that I know is going to be well-received at many of Basis Technologies’ larger enterprise customers (and definitely their ActiveControl administrators!).
If you are interested in finding out more about how ActiveControl can help achieve SOX compliance in your delivery of SAP change, or indeed about all the new features coming in our upcoming ActiveControl 8.4 release, please get in touch with Basis Technologies.