Beating the Compliance Clock with Documentation
Every publicly held company faces the challenge of a Sarbanes-Oxley audit. No two audits are the same, but in my experience one central thread runs through all successful audits: documentation is king. In a manufacturing company, the following steps will increase your chances of passing a SOX audit:
- Document workflows showing how each major transaction in your system interacts with all the others and how the integration points are secured. One manufacturer calls this its Best Practices Manual, because it shows, in swim-lane fashion, each of the steps required to complete a transaction for, say, both build-to-stock and configure-to-order products. Those two workflows are vastly different; showing how both are monitored and managed from the database side was exactly what the auditors wanted.
- Pricing has to be locked down. Audits also focus on the level of security around pricing tables—and for many manufacturers these tables are spread across multiple databases throughout the company. Be sure to do a pre-audit of your integration points—whether those are adapters, connectors, or even an entire EAI application—because the auditors will probe how pricing tables could be accessed, even from inside your firewall.
- Certification of homegrown integration adapters helps. In addition to ensuring that homegrown adapters stay current with a given ERP vendor's programming and integration requirements, certification helps with SOX audits. Certifying your company's custom code may alleviate the need for extensive testing to show auditors how secure your adapters are.
- Scorecard system performance for transactions versus content. Having this level of analysis is invaluable in showing auditors the security of transactions—a core focus during many SOX audits. Scalability around content is also critical, as this will show "headroom for growth" in your current system architecture.