I have been with Basis Technologies for more than 4 years and in that time have helped some of the world’s largest companies adopt our automation software to help them run their SAP systems. One topic that frequently comes up is audit and compliance, so I thought in today’s blog I would share some of my insights and experiences.
Audit and compliance have become extremely relevant in today’s business landscape and many industries today need to adhere to stringent rules to prove they’re following established guidelines and laws. Some prevalent regulations include Sarbanes-Oxley (SOX), “good practice” quality guidelines and regulations (GxP, where ‘x’ represents the industry of the organization), Model Audit Rule (MAR, a financial audit branch of SOX), and in the USA the Food and Drug Administration (FDA).
Some might argue that MAR and FDA do not apply to IT, but in this context I’m talking about IT representation for client organizations who are compliant with these standards, and therefore expect IT inclusion in their audit reporting.
IT audits are common and they come in two forms: operational or project. Operational audits examine management practices and operations processes and procedures to determine how effectively or efficiently organizations are meeting their objectives. Project audits are an opportunity to uncover issues, concerns and challenges that are encountered during the execution of a particular project. Naturally, both kinds can provide the paper trail needed to prove that the business is following all the relevant rules and regulations.
Clearly auditing is important, but it’s no-one’s favorite topic and people often fail to take account of it in their planning. About five years ago, I was implementing a new IT application where our go-live date was pushed back four times. The client’s high-security requirements dictated that an auditor be permanently onsite and actively engaged in the project. As a result, it took a year longer to implement than was planned. The auditor needed detailed insight into roles and responsibilities, project phases, resource allocations, templates, plans, scenarios and testing, not to mention approval signoff by project and business management at every step. The manual effort was huge.
Beyond causing project delays, failure to comply with audit requirements can have dire business implications. I’ve seen one company’s industry certificates revoked, another face large financial fines, and a third prevented from selling and delivering its products and services.
Automation for Audit & Compliance
One of the many benefits of ActiveControl, Basis Technologies’ DevOps automation solution for SAP systems, is support for automated audit and compliance processes in SAP.
An audit seeks to track validation of work and data. It seems a simple enough proposition. However, the manual effort required to generate the required reports can be a major drain on resources in even the most infrequent release cycles. In a more agile process – where changes might be deployed on a weekly or daily basis, possibly even without any user intervention at all – effective auditing might seem virtually impossible. Luckily, if you’re doing agile or DevOps properly you’ll have adopted automation to help you control and manage the new, higher release cadence.
With DevOps automation driving your change control and regression testing processes, a small number of auto-generated reports can deliver full details of every change, at every stage – who made it, who tested it, who approved it, when it all happened, what the outcomes were, etc. The job of auditing goes from a huge resource drain to something much less manual and time consuming. As one of our North American customers put it, ‘With the pre-packed auditing reports, in under two hours we were able to build what was needed. I have not heard a complaint since’.
ActiveControl can do all of this and more, even across highly complex multi-track project landscapes (some of our customers are running up to N+10!). The visibility also extends outside of SAP. As you integrate ActiveControl with wider IT CI/CD pipelines, ActiveControl’s auto-generated reports provide an end to end audit repository of how changes were instigated and every step that follows.
On a couple of recent occasions, clients of mine have pre-empted the annual IT audit needs and had specific ActiveControl audit reports ready. In the past the annual audit could take a week or more, but in this case the auditors arrived, were provided the reports and left at the end of the first day. A huge win for everyone.