SOX Compliant

brad_j_crep

Has anyone else dealt with SOX compliance using Alteryx Server? How did you manage it?

Thanks,

Brad

Best Practices

Accepted answers

All comments

danilang

Hi @brad_j_crep

We're just starting down this path ourselves. We're treating it like any other server and setting up governance around access and procedures.

We've set up 2 separate environments, dev and prod
All workflows are developed and tested in our dev environment
All workflows are stored in a source-control system throughout the lifecycle
All workflows, whether developed by our IT staff or by the business, are reviewed by IT to ensure adherence to corp standards
All workflows go through documented QA/UAT process before promotion.
Any workflow promotion or change to the configuration on the prod server goes through our change management procedure.
Access to prod is tightly controlled and monitored. Only admins can access the server. The Gallery, of course can be accessed in read-only by the users.
All queries from the Alteryx server are directed to stored procedures on a link server.
- These procedures track usage information such as user info, execution time, etc
- All procedures are strictly parameterized, to control data flow in both directions
- Write-procedures go through our DB acceptance procedure
All of this is documented and tracked

Then when the auditors roll up, we'll just dump the relevant info for what ever they're interested in

Hope this helps

Dan

brad_j_crep

So going through all the procedures what is the time it takes for an average workflow to go from Thought to publishing on the production server? Is it possible to break it down by area? I'm thing of general numbers not specific.

Thank you! It's great to see how other companies handle there server.

Brad

danilang

Like I mentioned in original post, we're just starting down this path with Alteryx and we haven't pushed anything to prod yet. Generalizing from our other changes, .Net, Oracle procs, etc., from the end of UAT to production release generally takes a couple of days. We've been doing this since SOX was first implemented so we have the process running rather smoothly.

Dan

TimCr

@danilang This is super helpful.

Question for you is what do you do inside of Gallery vs outside the gallery? I've struggled to find a good process to "approve" workflows . See below what I've come up with, but I feel its a bit clunky

The process would be this:

User A has “add asset” permission in an IT Approval collection.
User A publishes and shares their dev workflow in the IT Approval collection.
User B downloads and reviews the dev workflow.
User B shares dev workflow into Business Approval.
User C reviews the dev workflow in Business Approval.
Upon approval, user C goes into Prod workflow landing page on server, selects “replace workflow”, and selects dev workflow.

PhilH

If you're looking for guidance on SOX compliance, you may want to reach out to Capitalize Analytics, as they have SOX compliance experience in two primary areas:

Developing internal controls
Leveraging IT and systems

Developing Internal Controls

The work they have done in this area begins by outlining process flows related to our clients’ primary business functions. During this process, they identify key controls that must be in place to maintain SOX compliance. These controls are populated into a controls matrix that lists each control along with pertinent information such as whether it is manual or automatic, and whether the control is preventative, detective, or corrective. They also work with their clients on defining system security roles and ensuring proper separation of duties.

Leveraging IT and Systems

One of the most valuable ways that they help clients is by building SOX compliance solutions. Especially when it comes to financial data, it is critical that data can’t be manually manipulated during transmission from one system to another. Too often, clients are relying on Excel processes, which open up many security and compliance concerns. Alteryx has been an excellent tool for replacing these Excel processes. With Alteryx, they can build a workflow that can then be secured to run without manual intervention. Alteryx ensures the integrity of the data is maintained. In one recent example, they built an interface from an operational accounting system to SAP. They used Alteryx to extract invoice data from the operational accounting system, and transformed into the format required by SAP. Alteryx made building and testing the interface significantly more efficient. The workflow now runs through Alteryx Server without any user intervention.

Contact Information: Eric Soden - EricSoden@capitalizeconsulting.com

justindavis

@danilang a couple years now down the line, would you say that you all have found success in the process you described above? Has anything changed?

We are looking to implement for SOX compliance but having a bumpy start. Any additional color on this you could provide would be so helpful. Feel free to DM m.

hroderick-thr

I've been around long enough to know that SOX stands for Sarbanes-Oxley and to have earned bookoos of money contracting to make publicly traded companies compliant. The statute drove many many great companies into private ownershipped hedge funds. It sum, SOX has been a POX on American business.

You have to get past the SOX how and understand the minimum root requirements of SOX. Which is authorized signoff of any production changes and a functioning disaster plan.

Tools like Alteryx Desktop and Tableau got their start when SOX began making IT changes too costly to be affordable and too slow to be useful. Shadow IT began to be the way innovative companies got things done.

I am too working now to allow business to develop new assets using Alteryx and Tableau while re-imagining the compliance how.

Out of the gate, you need to define what is "production". For Alteryx, an asset is production if it is part of a scheduled process and only allow admins to schedule. Also our analysts (short for dispersed Shadow IT) have a sandbox they can develop in and it is periodically checked. If anything is shared outside their team and has been in use for a few months, they are required to make it 'production'.

We do a lot of training, support, help, and encouragement to our analysts so keep a good relationship so they understand the why of these boundaries and support our enforcement. SOX compliance is purest form is achieved by assigning a responsible asset owner who approves people's use of the asset which is backed up by reliable server snapshots. Anything more is busy work. We are making a cultural shift and it is working pretty well

pmaier1971

For future reference, this link may be useful:

Transforming SOX Testing Leveraging Alteryx: A Playbook

Quick Links

This months top contributors

LanisC 335

hhaigh1 280

erich_shiino 280

FláviaB 262

JORGE4900 235