Change Policies & Monitoring
The essence of compliance for Sarbanes-Oxley (SOX), ASC 606, 21 CFR Part 11 or similar standards is having a set of rules and following them. This is also the standard for sleeping at night for any Manager of Business Systems at a sizeable or rapidly growing company.
However, auditable compliance is proving that you’ve followed your policies (presuming your policies are sensible). To do that, policies need to be simple and easy to understand.
The benefits of simplicity
When you have quality documentation and automated risk management, you can have simple, easy-to-understand policies that are efficient and fact-based. But when you are relying on tribal knowledge, you need complex policies to ensure that all possible problems are thought through. This has two huge costs: (1) it requires committees, and (2) it depends on skill, time and focus, all of which are in short supply in growing, dynamic companies.
Typically you'll want a high level of change management scrutiny on scripted or automated objects. What's typically missed is that you also need to apply the same level of scrutiny to everything that touches those scripted and automated objects. For example, if you change a field that's already referenced by a script, it's a far riskier change than changing a field that isn't. Similar considerations need to be applied to roles, integrations and many other aspects of the system.
Distinguish functional areas
Policies allow us to distinguish different functional areas of the company that require different levels of scrutiny and agility. You need different approvals for changing things that are part of the finance function that perhaps aren’t needed for things that are part of the marketing function. Marketing is deliberately changing quickly, whereas the finance area is deliberately not changing quickly. This leads to different policies for certain marketing workflows, which may change frequently, compared to financially posting workflows, which need to be tightly protected.
Functional policies allow you to differentiate the pace of change, the change process and the restrictions on change in your business.
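The two ideas above, that a change inherits the risk of everything referencing the changed object and that each functional area carries its own approval rules, can be expressed as a small impact classifier. The following is an added example, not Strongpoint's own code: the object inventory, the functional areas and the approval tiers are all constructed assumptions, and dependencies are modelled as a simple "references" relation between named objects.

```python
"""Change-impact classification for objects in a business system.

Added example (not Strongpoint's product code). Every object name,
functional area and approval tier below is a constructed assumption.
"""
from dataclasses import dataclass, field

# Object kinds whose behaviour is automated, and therefore change-sensitive.
AUTOMATED_KINDS = {"script", "workflow", "integration"}


@dataclass
class SystemObject:
    name: str
    kind: str                                     # field, script, workflow, role, integration
    area: str                                     # functional area that owns the object
    depends_on: set = field(default_factory=set)  # objects this one references


def build_inventory(objects):
    return {o.name: o for o in objects}


# Constructed inventory: a finance posting script reads a date field, a
# marketing workflow reads a lead-score field, and a role grants access to both.
INVENTORY = build_inventory([
    SystemObject("rev_rec_date_field", "field", "finance"),
    SystemObject("revenue_posting_script", "script", "finance", {"rev_rec_date_field"}),
    SystemObject("lead_score_field", "field", "marketing"),
    SystemObject("lead_routing_workflow", "workflow", "marketing", {"lead_score_field"}),
    SystemObject("campaign_note_field", "field", "marketing"),
    SystemObject("sales_rep_role", "role", "marketing",
                 {"lead_score_field", "rev_rec_date_field"}),
])

# Constructed policy table: required approval by (area, touches automation?).
POLICY = {
    "finance":   {True: "controller_and_it_signoff", False: "controller_signoff"},
    "marketing": {True: "it_signoff",                False: "self_service"},
}


def dependents(inventory, name):
    """Transitive set of objects that reference `name`, directly or indirectly."""
    result, frontier = set(), {name}
    while frontier:
        current = frontier.pop()
        for obj in inventory.values():
            if current in obj.depends_on and obj.name not in result:
                result.add(obj.name)
                frontier.add(obj.name)
    return result


def classify_change(inventory, name):
    """Return the risk facts and required approval for a proposed change to `name`."""
    obj = inventory[name]
    affected = dependents(inventory, name)
    # The change "touches automation" if the object itself or anything that
    # references it is a script, workflow or integration.
    automation = sorted(d for d in affected | {name}
                        if inventory[d].kind in AUTOMATED_KINDS)
    # A change inherits the strictest area of anything it touches, in either
    # direction: objects that reference it and objects it grants access to
    # (so a marketing-owned role touching finance data is a finance change).
    areas = {obj.area}
    areas |= {inventory[d].area for d in affected}
    areas |= {inventory[d].area for d in obj.depends_on}
    area = "finance" if "finance" in areas else obj.area
    return {
        "object": name,
        "area": area,
        "touches_automation": bool(automation),
        "automation": automation,
        "approval": POLICY[area][bool(automation)],
    }


if __name__ == "__main__":
    for candidate in ("rev_rec_date_field", "lead_score_field",
                      "campaign_note_field", "sales_rep_role"):
        print(classify_change(INVENTORY, candidate))
```

Run as a script, the classifier shows the asymmetry the text describes: the two fields look identical as fields, but the one read by the revenue script is routed to the finance tier with IT sign-off, the marketing field read only by a routing workflow needs IT sign-off alone, and an unreferenced marketing field is self-service. The role lands in the finance tier because of what it grants access to, even though marketing owns it.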
Policies need change management
If your policies are to be reliable, they themselves must be subject to change control. You have to document the policies and make sure that those policies cannot be changed, ignored or subverted without proper authorization. This is not just good management. It may also be vital to protecting your data.
Strongpoint policies are automatically enforced through continuous change monitoring. We provide default policies out of the box which you can supplement with specific policies to defend critical reports and controls.
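The point that policies themselves must be under change control, and that enforcement means continuously comparing what is deployed against what was authorised, can be illustrated with a drift check. The following is an added example and not Strongpoint's product code: the baseline and observed snapshots, the policy entry and the change tickets are constructed, and the policy document is treated as just another monitored object so that weakening it without a ticket is flagged the same way as an unauthorised script change.

```python
"""Continuous change monitoring against approved change records.

Added example (not Strongpoint's product code). Snapshots, the policy
entry and the change tickets are constructed for illustration.
"""
import hashlib
import json


def fingerprint(snapshot):
    """Stable SHA-256 of a snapshot (dict of object name -> attributes)."""
    canonical = json.dumps(snapshot, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def diff_snapshots(before, after):
    """Return {name: 'added' | 'removed' | 'modified'} between two snapshots."""
    changes = {}
    for name in before.keys() | after.keys():
        if name not in after:
            changes[name] = "removed"
        elif name not in before:
            changes[name] = "added"
        elif before[name] != after[name]:
            changes[name] = "modified"
    return changes


def unapproved_changes(before, after, tickets):
    """Changes with no approved change record naming the affected object."""
    covered = {t["object"] for t in tickets if t["status"] == "approved"}
    return {name: kind for name, kind in diff_snapshots(before, after).items()
            if name not in covered}


# Constructed baseline: system objects plus the policy document itself, so a
# policy edit is monitored exactly like a script or field edit.
BASELINE = {
    "revenue_posting_script": {"kind": "script", "content_hash": "a1"},
    "rev_rec_date_field":     {"kind": "field", "type": "date"},
    "lead_score_field":       {"kind": "field", "type": "integer"},
    "policy:finance":         {"approval": "controller_and_it_signoff"},
}

# Constructed observed state: one approved script change, one field change
# with no ticket, and a policy silently relaxed to self-service.
OBSERVED = {
    "revenue_posting_script": {"kind": "script", "content_hash": "b7"},
    "rev_rec_date_field":     {"kind": "field", "type": "date"},
    "lead_score_field":       {"kind": "field", "type": "text"},
    "policy:finance":         {"approval": "self_service"},
}

# Constructed change records; only CHG-1 was approved.
TICKETS = [
    {"id": "CHG-1", "object": "revenue_posting_script", "status": "approved"},
    {"id": "CHG-2", "object": "lead_score_field", "status": "pending"},
]


if __name__ == "__main__":
    if fingerprint(BASELINE) != fingerprint(OBSERVED):
        for name, kind in sorted(unapproved_changes(BASELINE, OBSERVED, TICKETS).items()):
            print(f"UNAPPROVED {kind}: {name}")
```

The fingerprint comparison is the cheap, frequent check (nothing changed, nothing to review); the per-object diff against the ticket list is the expensive step that only runs when the fingerprint moves. A pending ticket does not cover a change, which is why `lead_score_field` is reported even though a request exists for it.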