Alteryx Server Discussions

Find answers, ask questions, and share expertise about Alteryx Server.
Don't forget to submit your entry for the Excellence Awards by October 30! | Need more information about the program? Check out the blog here

SOX Compliant

Highlighted
17 - Castor
17 - Castor

Hi @justindavis 

 

The process that I described at the start of this thread has worked well for us.   We already had a robust change management process in place, so adding Alteryx to it was relatively straightforward.  The challenges that we're facing now are around data provenance.  In traditional systems all data was controlled by IT so it was fairly easy to take a piece of financial data and trace it back through the various systems to the source.  With user designed workflows, the data could come from anywhere, so we're engaging/educating the users to document and approve data sources to make it easier to explain data when the auditors role around.

 

Dan

Highlighted
9 - Comet

I've been around long enough to know that SOX stands for Sarbanes-Oxley and to have earned bookoos of money contracting to make publicly traded companies compliant. The statute drove many many great companies into private ownershipped hedge funds. It sum, SOX has been a POX on American business. 

 

You have to get past the SOX how and understand the minimum root requirements of SOX. Which is authorized signoff of any production changes and a functioning disaster plan.

 

Tools like Alteryx Desktop and Tableau got their start when SOX began making IT changes too costly to be affordable and too slow to be useful. Shadow IT began to be the way innovative companies got things done.

 

I am too working now to allow business to develop new assets using Alteryx and Tableau while re-imagining the compliance how. 

 

Out of the gate, you need to define what is "production". For Alteryx, an asset is production if it is part of a scheduled process and only allow admins to schedule. Also our analysts (short for dispersed Shadow IT) have a sandbox they can develop in and it is periodically checked. If anything is shared outside their team and has been in use for a few months, they are required to make it 'production'.

 

We do a lot of training, support, help, and encouragement to our analysts so keep a good relationship so they understand the why of these boundaries and support our enforcement. SOX compliance is purest form is achieved by assigning a responsible asset owner who approves people's use of the asset which is backed up by reliable server snapshots. Anything more is busy work. We are making a cultural shift and it is working pretty well