Has anyone else dealt with SOX compliance using Alteryx Server? How did you manage it?
Thanks,
Brad
Hi @brad_j_crep
We're just starting down this path ourselves. We're treating it like any other server and setting up governance around access and procedures.
Then when the auditors roll up, we'll just dump the relevant info for whatever they're interested in.
Hope this helps
Dan
So going through all the procedures, what is the time it takes for an average workflow to go from thought to publishing on the production server? Is it possible to break it down by area? I'm thinking of general numbers, not specific.
Thank you! It's great to see how other companies handle their server.
Brad
Like I mentioned in the original post, we're just starting down this path with Alteryx and we haven't pushed anything to prod yet. Generalizing from our other changes, .Net, Oracle procs, etc., from the end of UAT to production release generally takes a couple of days. We've been doing this since SOX was first implemented so we have the process running rather smoothly.
Dan
Hi Dani, I realize this post is a month old but wanted to ask if you have made any more progress with respect to the SOX? I work in finance and recently got an Alteryx licence. It is a great tool but my boss has concerns about the compliance aspect. I use it to pull sales and other P&L information that feeds into a report in Tableau. Any information would be greatly appreciated!
Hi @mkbatjnj
The key points about the SOX process are compliance and documentation. The compliance part comes in from the start of the data input process. Are your data sources certified? Are they secure? Next comes the actual workflow itself. Has it gone through a formal QA/UAT process? What guarantee do you have the transformation processes in your workflow generate the data that you say it does? Then comes promotion to production. Do you have a change management process? Is your prod environment secure? Are you logging access and workflow executions? Wrapping all this is the documentation. You need to document all the steps and be able to answer when an auditor asks "Where did this piece of data come from and how can you be sure you can trust it?"
If you're already doing this for your other finance applications, the main difference will be the ease that Alteryx can be used to pull in almost any data source. This is the area that you'll need to put extra compliance around.
Dan
Dan,
Thank you for your explanation. I am a total newbie to Alteryx and trying to learn as much as possible. I appreciate your quick response.
Mary
@danilang This is super helpful.
Question for you is what do you do inside of Gallery vs outside the gallery? I've struggled to find a good process to "approve" workflows. See below what I've come up with, but I feel it's a bit clunky.
The process would be this:
If you're looking for guidance on SOX compliance, you may want to reach out to Capitalize Analytics, as they have SOX compliance experience in two primary areas:
Developing Internal Controls
The work they have done in this area begins by outlining process flows related to our clients’ primary business functions. During this process, they identify key controls that must be in place to maintain SOX compliance. These controls are populated into a controls matrix that lists each control along with pertinent information such as whether it is manual or automatic, and whether the control is preventative, detective, or corrective. They also work with their clients on defining system security roles and ensuring proper separation of duties.
Leveraging IT and Systems
One of the most valuable ways that they help clients is by building SOX compliance solutions. Especially when it comes to financial data, it is critical that data can’t be manually manipulated during transmission from one system to another. Too often, clients are relying on Excel processes, which open up many security and compliance concerns. Alteryx has been an excellent tool for replacing these Excel processes. With Alteryx, they can build a workflow that can then be secured to run without manual intervention. Alteryx ensures the integrity of the data is maintained. In one recent example, they built an interface from an operational accounting system to SAP. They used Alteryx to extract invoice data from the operational accounting system, and transformed it into the format required by SAP. Alteryx made building and testing the interface significantly more efficient. The workflow now runs through Alteryx Server without any user intervention.
Contact Information: Eric Soden - EricSoden@capitalizeconsulting.com
@danilang a couple years now down the line, would you say that you all have found success in the process you described above? Has anything changed?
We are looking to implement for SOX compliance but having a bumpy start. Any additional color on this you could provide would be so helpful. Feel free to DM me.