Alteryx Server Discussions

Find answers, ask questions, and share expertise about Alteryx Server.

SOX Compliant

brad_j_crep
8 - Asteroid

Has anyone else dealt with SOX compliance using Alteryx Server?  How did you manage it?

 

Thanks,

Brad

danilang
19 - Altair

Hi @brad_j_crep

 

We're just starting down this path ourselves.  We're treating it like any other server and setting up governance around access and procedures.

 

  • We've set up 2 separate environments, dev and prod
  • All workflows are developed and tested in our dev environment
  • All workflows are stored in a source-control system throughout the lifecycle
  • All workflows, whether developed by our IT staff or by the business, are reviewed by IT to ensure adherence to corp standards  
  • All workflows go through documented QA/UAT process before promotion.
  • Any workflow promotion or change to the configuration on the prod server goes through our change management procedure.
  • Access to prod is tightly controlled and monitored.  Only admins can access the server.  The Gallery, of course, can be accessed in read-only by the users.
  • All queries from the Alteryx server are directed to stored procedures on a linked server.
    • These procedures track usage information such as user info, execution time, etc
    • All procedures are strictly parameterized, to control data flow in both directions
    • Write-procedures go through our DB acceptance procedure
  • All of this is documented and tracked

 

Then when the auditors roll up, we'll just dump the relevant info for whatever they're interested in.

 

Hope this helps

 

Dan
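As an added illustration of the "strictly parameterized stored procedures on a linked server that track usage" point above (this is not code from the thread or from Alteryx; the table, procedure, column names and the [FinanceLink] linked server are assumed placeholders), a T-SQL read procedure that types its inputs, bounds the data it can return, and records caller, parameters, duration and row count for the auditors:

```sql
-- Added example (not from the thread): a parameterized, auditing read procedure of the
-- kind described above. Table, procedure, column names and [FinanceLink] are assumed.
-- Audit table: who called what, when, with which inputs, for how long, and how many rows.
CREATE TABLE dbo.WorkflowQueryAudit (
    AuditId        BIGINT IDENTITY(1,1) PRIMARY KEY,
    ProcName       SYSNAME       NOT NULL,
    CallerLogin    SYSNAME       NOT NULL,   -- login of the Alteryx service or user
    HostName       SYSNAME       NULL,       -- client host, from HOST_NAME()
    WorkflowName   NVARCHAR(200) NULL,       -- supplied by the workflow for traceability
    Parameters     NVARCHAR(MAX) NULL,       -- the bound inputs, so a run can be reproduced
    StartedAt      DATETIME2     NOT NULL,
    DurationMs     INT           NULL,
    RowsReturned   INT           NULL
);
GO

-- Read procedure: the only path by which the Alteryx server may pull GL postings.
-- Inputs are typed parameters, so no caller-supplied SQL is ever executed,
-- and the date range bounds how much data flows out per call.
CREATE PROCEDURE dbo.usp_GetGLPostings
    @FiscalStart  DATE,
    @FiscalEnd    DATE,
    @CompanyCode  CHAR(4),
    @WorkflowName NVARCHAR(200)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @t0 DATETIME2 = SYSUTCDATETIME(), @rows INT, @id BIGINT;
    IF @FiscalEnd < @FiscalStart OR DATEDIFF(DAY, @FiscalStart, @FiscalEnd) > 400
        THROW 50001, 'Fiscal range must be ascending and at most 400 days.', 1;

    -- Record the call before running it, so even a failed run leaves a trace.
    INSERT dbo.WorkflowQueryAudit (ProcName, CallerLogin, HostName, WorkflowName, Parameters, StartedAt)
    VALUES (OBJECT_NAME(@@PROCID), SUSER_SNAME(), HOST_NAME(), @WorkflowName,
            CONCAT('start=', @FiscalStart, ';end=', @FiscalEnd, ';company=', @CompanyCode), @t0);
    SET @id = SCOPE_IDENTITY();

    -- Four-part name into the linked server; the Alteryx login has no direct rights there.
    SELECT PostingDate, Account, Amount, DocumentNo
    FROM [FinanceLink].[GL].[dbo].[Postings]
    WHERE CompanyCode = @CompanyCode
      AND PostingDate BETWEEN @FiscalStart AND @FiscalEnd;
    SET @rows = @@ROWCOUNT;

    UPDATE dbo.WorkflowQueryAudit
    SET DurationMs = DATEDIFF(MILLISECOND, @t0, SYSUTCDATETIME()), RowsReturned = @rows
    WHERE AuditId = @id;
END
GO
```

Grant the Alteryx login EXECUTE on the procedure only, not SELECT on the underlying tables, so the audit row is the only way data leaves.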

brad_j_crep
8 - Asteroid

So going through all the procedures, what is the time it takes for an average workflow to go from thought to publishing on the production server?  Is it possible to break it down by area?  I'm thinking of general numbers, not specific.

 

Thank you!  It's great to see how other companies handle their server.

 

Brad

danilang
19 - Altair

Like I mentioned in my original post, we're just starting down this path with Alteryx and we haven't pushed anything to prod yet.  Generalizing from our other changes (.Net, Oracle procs, etc.), from the end of UAT to production release generally takes a couple of days.  We've been doing this since SOX was first implemented, so we have the process running rather smoothly.

 

Dan

mkbatjnj
5 - Atom

Hi Dani, I realize this post is a month old but wanted to ask if you have made any more progress with respect to the SOX?  I work in finance and recently got an Alteryx licence.  It is a great tool but my boss has concerns about the compliance aspect.  I use it to pull sales and other P&L information that feeds into a report in Tableau.  Any information would be greatly appreciated!

danilang
19 - Altair

Hi @mkbatjnj

 

The key points about the SOX process are compliance and documentation.  The compliance part comes in from the start of the data input process.  Are your data sources certified?  Are they secure?  Next comes the actual workflow itself.  Has it gone through a formal QA/UAT process? What guarantee do you have that the transformation processes in your workflow generate the data that you say they do?  Then comes promotion to production.  Do you have a change management process? Is your prod environment secure? Are you logging access and workflow executions?  Wrapping all this is the documentation.  You need to document all the steps and be able to answer when an auditor asks "Where did this piece of data come from and how can you be sure you can trust it?"

 

If you're already doing this for your other finance applications, the main difference will be the ease with which Alteryx can be used to pull in almost any data source.  This is the area that you'll need to put extra compliance around.

 

Dan

mkbatjnj
5 - Atom

Dan,

 

Thank you for your explanation.  I am a total newbie to Alteryx and trying to learn as much as possible.  I appreciate your quick response.

 

Mary

TimCr
Alteryx Alumni (Retired)

@danilang This is super helpful.

 

Question for you is what do you do inside of Gallery vs. outside the Gallery? I've struggled to find a good process to "approve" workflows.  See below what I've come up with, but I feel it's a bit clunky.

The process would be this:

  • User A has “add asset” permission in an IT Approval collection.
  • User A publishes and shares their dev workflow in the IT Approval collection.
  • User B downloads and reviews the dev workflow.
  • User B shares dev workflow into Business Approval.
  • User C reviews the dev workflow in Business Approval.
  • Upon approval, user C goes into Prod workflow landing page on server, selects “replace workflow”, and selects dev workflow.

PhilH
Alteryx Alumni (Retired)

If you're looking for guidance on SOX compliance, you may want to reach out to Capitalize Analytics, as they have SOX compliance experience in two primary areas:

  • Developing internal controls
  • Leveraging IT and systems

Developing Internal Controls

The work they have done in this area begins by outlining process flows related to our clients’ primary business functions. During this process, they identify key controls that must be in place to maintain SOX compliance. These controls are populated into a controls matrix that lists each control along with pertinent information such as whether it is manual or automatic, and whether the control is preventative, detective, or corrective. They also work with their clients on defining system security roles and ensuring proper separation of duties.

 

Leveraging IT and Systems

One of the most valuable ways that they help clients is by building SOX compliance solutions. Especially when it comes to financial data, it is critical that data can’t be manually manipulated during transmission from one system to another. Too often, clients are relying on Excel processes, which open up many security and compliance concerns. Alteryx has been an excellent tool for replacing these Excel processes. With Alteryx, they can build a workflow that can then be secured to run without manual intervention. Alteryx ensures the integrity of the data is maintained. In one recent example, they built an interface from an operational accounting system to SAP. They used Alteryx to extract invoice data from the operational accounting system, and transformed it into the format required by SAP. Alteryx made building and testing the interface significantly more efficient. The workflow now runs through Alteryx Server without any user intervention.

 

Contact Information: Eric Soden - EricSoden@capitalizeconsulting.com

justindavis
10 - Fireball

@danilang a couple years now down the line, would you say that you all have found success in the process you described above? Has anything changed?

 

We are looking to implement for SOX compliance but having a bumpy start. Any additional color on this you could provide would be so helpful. Feel free to DM me.