As the number and complexity of regulatory rules and guidelines grow across the world, companies are under increasing pressure to find effective ways to comply. You don’t have to look far to find stories of businesses and company leaders falling foul of regulations, resulting in significant fines, bad press and even jail time.
The story of Enron, the most widely known accounting scandal of the past few decades, led to the introduction of Sarbanes-Oxley (SoX) – but there are also industry-specific regulations out there, such as GxP, FDA rules and others. Adhering to these requires more rigorous risk management processes, documentation, and visibility across the organization. In this blog, I’m going to look at what some of these regulations and guidelines entail for SAP customers, and how automation can help streamline and simplify the associated audit and compliance processes.
SAP change audits
Before I joined Basis Technologies, I spent nearly 10 years as an SAP change and release manager, and I always dreaded that knock on my door from the auditor asking me to prove that a list of transports followed the documented process from development to production. It wasn’t that I was worried we hadn’t followed the correct procedures, more so that I was going to have to spend the next few days digging through spreadsheets and combing through hundreds of emails to try to find every piece of evidence needed for each of those transports. So, this topic is close to my heart, and I am happy that at Basis Technologies we can help take this pain away for our customers.
If your change management processes are anything like the majority of SAP customers out there, there are quite a lot of touch points involving numerous people throughout the change delivery process. Even in a simple change management environment like the one shown above, with a four-system landscape of Dev, QA, Pre-Prod and Production, there are 11 steps from development to deployment involving eight different people. Trying to manually track down the entire history for multiple transports through this entire workflow 6, 9, or even 12 months after they were deployed takes a significant amount of time and effort – time and effort that could clearly be better spent on other tasks of more strategic value.
The good news is that because so much of this process is manual, it’s a perfect candidate for automation. Now, typically “automation” and “SAP” aren’t two things you hear in the same sentence, but that’s mainly because there haven’t been many tools designed to handle the unique technical environment of SAP. Our ActiveControl DevOps automation solution, however, was built specifically to handle the challenges of SAP, including audit and compliance reporting.
As the Product Manager for ActiveControl, it’s my job to make sure it supports things like:
- Codified workflows to ensure all necessary steps happen – and happen in the correct order.
- Logging each step of the process as it’s executed.
- Tracking every detail such as who did what and when it happened in a central location.
And I must say I’m proud of what ActiveControl offers. Not only does the product do all these things and a lot more, it makes it almost effortless to generate the necessary reports come audit time.
I’ve seen the benefits of this automation first-hand with our customers. One of them, a large North American bank, had over 200 SAP systems in a multi-track configuration, and operating in such a highly regulated industry meant their manual audit reporting process was extremely slow and difficult. ActiveControl has significantly improved audit reporting for them, at one point enabling them to build and deliver an audit within two hours of when it was requested.
It’s important to note as well that having an automation tool like this in place introduces its own additional audit requirements, particularly for those who fall under SoX regulations: the tool’s own configuration is now part of the control environment and must be auditable too. Again, ActiveControl makes this easy: with a few clicks you can see what configuration-level changes the Administrators of the product have made.
What is Sarbanes-Oxley (SoX) compliance?
Born out of the massive U.S. financial scandals of the early 2000s (Enron, WorldCom, and others), SoX began as a set of financial audit regulations meant to protect investors and public companies from fraudulent activity by regularly assessing how well the company manages and adheres to internal processes and controls. And these rules don’t just apply to American businesses: any company that operates in the U.S. must adhere to SoX compliance. Many other countries are considering or already have similar regulations in place.
When it comes to SoX compliance for SAP, there are essentially four categories:
- Change management – this involves things like segregation of duties (SOD) and system change reporting
- Data access – password control for users and regular reviews of access rights (at least once a year)
- Data security – ensuring databases are secured from unauthorized access, with effective monitoring to discover anomalies that might indicate unauthorized or inappropriate use
- Data backup – data retention and storing historical versions of documents that could potentially be the target of malicious destruction
Let’s focus in on the change management side of things, starting with segregation of duties.
If we go back to the four-system example above, SOD would ultimately be about making sure the same person isn’t performing multiple steps in the process. For instance, you wouldn’t want the business user who requested the change to be the one to make the change, nor would you want a developer to peer review their own work. Ensuring things like that don’t happen is what SOD is all about. The goal is to have certain steps performed by a different person who is qualified to perform the action, so as to reduce the risk of errors or even intentional bad behavior.
Anyone who’s been around SAP for a while knows it has a quite mature and well-established user access security and authorizations model designed to ensure that users only perform the tasks they need to be able to do as part of their role. Any automation tooling you use, like ActiveControl, should apply the same rigor, with access granted per persona. For example, most SAP customers would probably only want their Basis Team to be able to import transports (when something has to be deployed manually). And they would almost certainly only want trained Administrators to be able to maintain the configuration of the automation tool, same as with SAP itself.
Just as importantly from an audit perspective, you need to ensure each user’s access is documented and every change is logged so you can demonstrate that proper procedures were followed. ActiveControl makes this all a walk in the park.
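To make the segregation-of-duties idea concrete, here is an added example (not ActiveControl code, and not part of the original post) that runs the two SOD rules named above, plus the “only Basis imports to Production” rule, over a small constructed audit trail for the four-system landscape. The transport numbers, user IDs, step names and timestamps are all invented for the illustration.

```python
from collections import defaultdict

# Constructed sample audit trail: one line per workflow step performed on a
# transport, as "transport,step,user,timestamp". Transport DEVK900101 follows
# the documented process; DEVK900102 does not (names and values are invented).
AUDIT_LOG = """\
DEVK900101,requested,bsmith,2024-03-01T09:00
DEVK900101,developed,jdoe,2024-03-01T14:20
DEVK900101,peer_reviewed,alee,2024-03-02T10:05
DEVK900101,approved_qa,pkumar,2024-03-02T11:30
DEVK900101,imported_prod,basis1,2024-03-05T18:00
DEVK900102,requested,bsmith,2024-03-03T08:15
DEVK900102,developed,jdoe,2024-03-03T16:40
DEVK900102,peer_reviewed,jdoe,2024-03-03T16:45
DEVK900102,imported_prod,jdoe,2024-03-04T09:00
"""

# Segregation-of-duties rules: pairs of steps that must not be performed by
# the same person. The first two are the cases named in the text; the third
# reflects the "only the Basis Team imports to Production" expectation.
SOD_RULES = [
    ("requested", "developed"),
    ("developed", "peer_reviewed"),
    ("developed", "imported_prod"),
]
# Every transport must pass through all of these steps to reach Production.
REQUIRED_STEPS = ["requested", "developed", "peer_reviewed", "approved_qa", "imported_prod"]


def parse_log(text):
    """Group the log per transport as {step: (user, timestamp)}."""
    history = defaultdict(dict)
    for line in text.strip().splitlines():
        transport, step, user, ts = line.split(",")
        history[transport][step] = (user, ts)
    return history


def audit(history):
    """Return {transport: [findings]} for SoD breaches and skipped steps."""
    findings = defaultdict(list)
    for transport, steps in history.items():
        for a, b in SOD_RULES:
            if a in steps and b in steps and steps[a][0] == steps[b][0]:
                findings[transport].append(f"SoD: {steps[a][0]} performed both {a} and {b}")
        missing = [s for s in REQUIRED_STEPS if s not in steps]
        if missing:
            findings[transport].append(f"missing steps: {', '.join(missing)}")
    return dict(findings)  # compliant transports are simply absent


if __name__ == "__main__":
    for transport, issues in audit(parse_log(AUDIT_LOG)).items():
        print(transport, *issues, sep="\n  ")
```

Run stand-alone it reports only DEVK900102: the developer reviewed and imported their own transport, and the QA approval step never happened.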
What is GxP compliance?
GxP compliance is in some ways quite similar to SoX, but deals more specifically with life sciences organizations, pharmaceutical companies, medical device manufacturers, medical software application developers, and other similar industries. For SAP change management in particular, GxP compliance can be broken down into three key pillars:
- Data integrity – all data, including metadata, is visible, consistent, and accurate as well as regularly backed up and readily available
- Good documentation practices – documentation must be legible, created in a reproducible manner, and stored securely
- Traceability & accountability – demonstrate what each person has contributed to the work and be able to reconstruct the entire history of the work performed
Ultimately, compliance auditing is about knowing who did what, and when, by making sure that end-to-end processes can’t be bypassed and that test evidence and approvals are documented, recorded, accessible and auditable. This is again where DevOps automation like ActiveControl can help, by codifying workflows and automatically documenting and logging each change in one centralized ‘source of truth’.
Another customer, a leading global retailer with over $20 billion in annual revenue, shared with us how impactful ActiveControl has been on their auditing process: “The transparency in ActiveControl is so much better. If a person is responsible for an IT audit but is not very technical, it’s so easy to see who did everything and who approved what. In our previous tool the backtracking was horrible. Now we can find whatever we need to have for an IT audit in one place. Before, we had to look it up and find different changes, change documents, etc., so that definitely saves a lot of time.”
Auditors often get a bad rap in the SAP world, but the truth is that everyone involved in the change management process should be an auditor. Every user has a role to play in ensuring processes are followed correctly to protect both the company and everyone who works there. Modern tooling and automation can make it significantly easier to self-govern workflows and identify potential issues.
In our four-system SAP landscape example, ActiveControl’s more than 70 analyzers offer automated checks that can be applied throughout the process, every time a transport is created, approved or deployed. These can be development checks that happen before transports get to QA, sequencing checks to ensure the correct versions of objects are moving in the appropriate sequence, and much more. In QA and Production, this might include critical object checks to ensure the correct changes are deployed at the right time to avoid disruption to the business.
These checks are run automatically within ActiveControl, for every transport, at every step in the process, removing the need for manual effort and the risk associated with it. Best of all, everything is documented, and reports can be generated with just a few clicks, saving lots of time, cost and effort.
Audit and compliance are increasingly important in the modern business world, but for SAP organizations still relying on manual change management processes, they can be tedious, frustrating and time consuming. DevOps automation not only helps to enforce the necessary processes and procedures but also makes documenting and reporting significantly faster, more efficient, and less risky.