Customizations and Audits

Does anyone have a process that would leave an audit trail for customizations?
See my current process below, but the auditors asked me “That’s all nice, but what’s stopping you from NOT following that procedure?” *Cue deer-in-headlights look*
Hmm… Well nothing! Lol… ( Don’t worry, I didn’t say that to an auditor :slight_smile: )
Does anyone have a method that has some checks and balances?
I’m not sure there’s an air-tight method of preventing one who is a security manager from doing whatever they want in the system…

Current Process:

  1. User fills out SmartSheet form with request and other details
  2. Based on the department selected, a workflow kicks off an approval request email to the department’s manager.
  3. I screen the request for feasibility and further approve or deny it.
  4. If approved, all changes being made get logged to that SmartSheet (BPM Groups, UI changes, UD Fields needed, etc.)
  5. All development gets done in our development app server, never in Live. [Gap. How to enforce that?]
  6. Current versions (if modifying) of items get exported to a network drive and date-stamped. [Gap. How to enforce that?]
  7. Once development is done on the request, the SmartSheet task moves from “Development” to “Pending User Approval” which sends out an email notification that their request is ready to be tested by them.
  8. Once the user approves the functionality, it gets deployed to live.

In the end… The auditors want to know what’s stopping me from ignoring all of that and doing whatever I want. They’re looking for automated logs and whatnot and documented changes within customizations. I’m not really sure how to do all of that without ME doing it.

What we did was create a BAM on each table (xxxDef, BAQReport, etc.) that logs every time the table is modified or a new record is created. We then send an email out to specific people. This allows us to know when a change was made to our production system, so that if something ever causes it to go down we can trace it. We don’t use it for auditing purposes, from what I understand, as we have other SOX policies for that, but from the sounds of it that may suffice for your auditors.

That would just notify that something has changed, right? Not necessarily what has changed?
If yes, that sounds like a good start.

That is correct, it won’t tell you what changed, but it does give you a way to show your auditors the dates things were changed in production. What you could also do is add a modification log in the customization that tracks the date, request number, and what was added/changed.

I don’t see a change log available on those tables.
How are you capturing that? Are you just sending out the email and that’s it?
Or is it actually logging somewhere like a UD table or outputting to a server log?

I might actually go the UD table log route…

In our Production no one has Security Manager and only Infrastructure knows the manager password. When we do database copies everyone who needs Sec Manager will get it in DEV, TST.

We must abide by SOX (Segregation of Duties), so the Developer never deploys; instead he writes instructions for Infrastructure to deploy. A Request is put in to get access to Production for X Y Z Activities, and after that is done the access is revoked (even for the Infrastructure individual).

Same goes for the ERP Governance Team - they “Deploy” setting changes, but a request which must be approved to get access to Production is put in.

Basically follow the ITIL Process Framework.

PS: Check out on Company Config or Company Maintenance there is a Track System Activities Checkbox.


Let me correct myself… We use UD09. We have BPMs on each of those tables (xxxDef, BAQReport, etc.) which create a record in UD09 each time something is Added or Modified. We capture the table name, date, user, etc. Then there is a BAM on UD09, which we forward to a .p file that sends the email. Unfortunately these are screens on which you can’t create a customization that would let you capture what you did, but a mod log will work for customizations.

We also have a dashboard that we split out into tabs depending on whether it’s a customization, BPM, Dashboard, etc., so the changes are available for us to track and to see whether a problem occurred with the system and what has been changed.

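The post above describes a pattern rather than showing it: a trigger on each definition table writes one row per change into a log table (UD09 in their case), and a notification goes out from that log. The added example below, which is not code from the original thread or from Epicor, reproduces that pattern with sqlite3 triggers so it can be run offline, and extends it in the direction the earlier reply asked for: the log row keeps the old and new content, so the email can say *what* changed rather than only that something changed. The table `bpm_def`, the log table `change_log`, the single-row `session` table used to carry the acting user into the trigger, and the sample request numbers are all hypothetical stand-ins, not Epicor's schema or a BPM.

```python
"""Trigger-based change log for a definition table (added example, hypothetical schema).

Every INSERT/UPDATE/DELETE on bpm_def writes a row to change_log that records who,
when, which record, and the before/after body.  The acting user is read from a
session table the application must populate; the NOT NULL constraint on changed_by
makes an unattributed write fail instead of producing an anonymous log row.
"""
import difflib
import sqlite3
from typing import Dict, List, Optional

SCHEMA = """
CREATE TABLE session (user_id TEXT NOT NULL);            -- hypothetical: app sets acting user
CREATE TABLE bpm_def (                                    -- stand-in for a xxxDef table
    def_id TEXT PRIMARY KEY,
    body   TEXT NOT NULL
);
CREATE TABLE change_log (                                 -- stand-in for the UD09 log table
    log_id     INTEGER PRIMARY KEY AUTOINCREMENT,
    table_name TEXT NOT NULL,
    record_key TEXT NOT NULL,
    action     TEXT NOT NULL,
    changed_by TEXT NOT NULL,
    changed_at TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ', 'now')),
    old_body   TEXT,
    new_body   TEXT
);
CREATE TRIGGER bpm_def_ins AFTER INSERT ON bpm_def BEGIN
    INSERT INTO change_log (table_name, record_key, action, changed_by, old_body, new_body)
    VALUES ('bpm_def', NEW.def_id, 'INSERT', (SELECT user_id FROM session), NULL, NEW.body);
END;
CREATE TRIGGER bpm_def_upd AFTER UPDATE ON bpm_def BEGIN
    INSERT INTO change_log (table_name, record_key, action, changed_by, old_body, new_body)
    VALUES ('bpm_def', NEW.def_id, 'UPDATE', (SELECT user_id FROM session), OLD.body, NEW.body);
END;
CREATE TRIGGER bpm_def_del AFTER DELETE ON bpm_def BEGIN
    INSERT INTO change_log (table_name, record_key, action, changed_by, old_body, new_body)
    VALUES ('bpm_def', OLD.def_id, 'DELETE', (SELECT user_id FROM session), OLD.body, NULL);
END;
"""

LOG_COLUMNS = ("log_id", "table_name", "record_key", "action",
               "changed_by", "changed_at", "old_body", "new_body")


def open_audited_db(user_id: str) -> sqlite3.Connection:
    """In-memory database with the schema and triggers above, acting as user_id."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.execute("INSERT INTO session (user_id) VALUES (?)", (user_id,))
    con.commit()
    return con


def change_entries(con: sqlite3.Connection) -> List[Dict[str, Optional[str]]]:
    """All log rows in the order they were written."""
    rows = con.execute(
        "SELECT " + ", ".join(LOG_COLUMNS) + " FROM change_log ORDER BY log_id"
    ).fetchall()
    return [dict(zip(LOG_COLUMNS, row)) for row in rows]


def describe_change(entry: Dict[str, Optional[str]]) -> str:
    """Unified diff of before/after, suitable for the body of the notification email."""
    label = f"{entry['table_name']}/{entry['record_key']}"
    old = (entry["old_body"] or "").splitlines()
    new = (entry["new_body"] or "").splitlines()
    return "\n".join(difflib.unified_diff(
        old, new, fromfile=label + "@before", tofile=label + "@after", lineterm=""))


def demo() -> List[Dict[str, Optional[str]]]:
    """Constructed scenario: a BPM is created under one request, then edited under another."""
    con = open_audited_db("jdoe")
    key = "SalesOrder.Update/Pre"
    con.execute("INSERT INTO bpm_def VALUES (?, ?)",
                (key, "// REQ-101\nif (qty > 100) raise('check')\n"))
    con.execute("UPDATE bpm_def SET body = ? WHERE def_id = ?",
                ("// REQ-101, REQ-117\nif (qty > 500) raise('check')\n", key))
    con.commit()
    return change_entries(con)


if __name__ == "__main__":
    for e in demo():
        print(f"{e['changed_at']} {e['changed_by']} {e['action']} {e['table_name']}/{e['record_key']}")
        print(describe_change(e))
```

Two caveats a practitioner would raise. First, the trigger runs regardless of which client made the write, so it closes the "developer edits Live directly" gap at the application layer, but anyone with direct database rights (the security manager the original poster is worried about) can still delete from the log table; that is why forwarding each log row out of the system by email, as the post describes, matters: the copy that leaves the system is the one the developer cannot retract. Second, the acting user here comes from a table the application populates, which is only as trustworthy as the application; in a BPM the equivalent is the session's user ID, which the end user does not control.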

Your problem is that you have a procedure… if you didn’t have a procedure, the Auditors would have nothing to audit (that was an attempt at humor: :rofl: )
That said… the auditor is simply trying to catch you… no matter how many controls you have, there will always be a way around it, especially for an IT Person. It takes an honest person to keep within the boundaries of a procedure. A Dishonest person can always get around it.
One (very large) company I worked with in the past would always look for the controls/procedure within the system… and when there was not an adequate control, they would say: "We need a Compensating Control"
Their definition of a compensating control was anything that would allow tracing of something happening after the fact. This could be a Query, Report, Manual tracking, anything so that they could give the “Compensating Control” to the auditor.
I worked for a publicly traded software company in the IT department as a programmer… one of our compensating controls was that a programmer was NOT allowed to deliver their own software to the production environment. Programmers were only allowed to do steps 1-7… we had a separate group (called Computer Room Operators) that deployed the change. The operator was our stopgap. Because it was a separate person, it was our firewall.
This is no different from any other separation of duties… Purchasing should not be allowed to Receive or enter invoices… AP should not be allowed to enter POs or Receive… Receiving should not be allowed to enter POs or Invoices. (and in my opinion, AP should not be allowed to create their own supplier records).
My answer to the Auditors… We have safeguards in place to make sure that changes to Production are not allowed until all the paperwork is done. The Software is not designed to do that on its own. End of story.
