The Business Controls Caddy

Does Your Organization Ignore Lotus Notes As a Process Management Tool?




Submitted for your approval. The auditors have finished their Sarbanes-Oxley Section 404 audit of controls. Your organization has been cited for not having an approval process for changes to your PeopleSoft HR Financial Systems. They tell you that you have to have management sign-off on all changes before they go into production (especially since the application developers are allowed direct access to the production system). Does the manager of this organization choose to leverage the organization's investment in Lotus Notes/Domino to automate the processing and storage of configuration change approval requests? No, that would make too much sense. Welcome to the Twilight Zone of a very real story from the front lines of Sarbanes-Oxley audits, and questionable management responses.

This Is A True Story


The organization is real and is the subsidiary of a multinational corporation. The number of Notes/Domino licenses for this organization is in the thousands. As experienced Notes developers, we know that we could whip out a very basic workflow/approval application that offered robust security and records retention in a few hours or so. But the truth is that the organization in question did not seek out this option.


What The Auditors Said


From my understanding of the situation, the auditors' finding was that the application developers had direct access to the production environment and that there was no 'sign-off' process for configuration/programming changes. So as a compensating control, they 'recommended' that a process be put in place that allowed the developers to submit written change management requests for management signature. The auditors said it had to be done in hard copy, and original documents had to be retained in a locked filing cabinet with limited access.


Missing the Lotus Notes/Domino Solution


Even though this enterprise has thousands of Notes/Domino seats, there is little understanding of how they could have leveraged their current investment to bring additional strategic value to the enterprise. It would have been very simple for the Notes developers to put together a simple form, secure the application with Authors and Readers fields, and build a very simple workflow to handle approvals and archiving of the approved documents. The security of Notes ID files, if adequate, ensures that a valid digital signature is present for the approvals.
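To make the design above concrete, here is an added LotusScript sketch (not code from the original post or from any existing application) of the two halves of that workflow: the submitter creates a change request restricted by Authors/Readers fields and signs it with their Notes ID, and the approver verifies the signature before signing the approval. The form name, field names and the `[Approvers]`/`[Auditors]` ACL roles are assumed.

```lotusscript
' Added example: a change-request document with Authors/Readers fields,
' signed on submission and re-signed on approval. Field and role names
' are assumptions, not taken from any real application.
Sub Initialize
    Dim session As New NotesSession
    Dim db As NotesDatabase
    Dim doc As NotesDocument
    Dim item As NotesItem

    Set db = session.CurrentDatabase
    Set doc = db.CreateDocument
    doc.Form = "ChangeRequest"            ' assumed form name
    doc.Status = "Pending Approval"
    doc.Submitter = session.UserName
    doc.Description = "Assumed sample: describe the production change here"

    ' Authors field: only the submitter and the approver role may edit.
    Set item = doc.ReplaceItemValue("DocAuthors", session.UserName)
    item.IsAuthors = True
    Call item.AppendToTextList("[Approvers]")     ' role defined in the ACL

    ' Readers field: submitter, approvers and auditors may read; nobody else.
    Set item = doc.ReplaceItemValue("DocReaders", session.UserName)
    item.IsReaders = True
    Call item.AppendToTextList("[Approvers]")
    Call item.AppendToTextList("[Auditors]")      ' read-only via ACL

    ' Sign with the submitter's Notes ID so the request is attributable.
    Call doc.Sign
    Call doc.Save(True, False)
End Sub

' Approval step: called by an approver's action button on an open request.
Sub ApproveRequest(doc As NotesDocument)
    Dim session As New NotesSession
    ' Refuse to approve a request whose signature is missing or broken.
    If doc.Signer = "" Then
        Error 1000, "Request is not signed; approval refused"
    End If
    If Not doc.Status(0) = "Pending Approval" Then
        Error 1001, "Request is not awaiting approval"
    End If
    doc.Status = "Approved"
    doc.Approver = session.UserName
    doc.ApprovedOn = Now
    Call doc.Sign           ' approver's signature replaces the submitter's
    Call doc.Save(True, False)
End Sub
```

Because `doc.Sign` stores a single signature per document, the submitter's original signature should be preserved for audit purposes (for example by copying `doc.Signer` into a separate field before the approver signs), and archived requests should go to a database whose ACL gives auditors Reader access only.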


There is also an important factor that has been missed here: the ability of the application developers to have access to the change history of applications. Read access to this information can help ensure that new requests are not already in process or have already been done. It would also provide a knowledge base to draw information from. For example, why was a particular change made the year before and what would the impact of this new change be? Could the new change possibly cause a regression error? Are there any dependencies associated with other pending changes?


If the organization had looked at the strategic value their existing Notes/Domino investment would bring to their overall compliance and governance efforts, they would be in a much better position today. But apparently another factor is that the auditors said the documentation had to be in hard copy, and the organization did not push back against the auditors (shame on them!). By only retaining "hard copies", what happens in the event of a disaster such as Hurricane Katrina, when the records are lost? If the documentation had been retained in a Notes/Domino application that had been backed up offsite, it would be far easier to recover the information.


What is the Challenge to You?


It is not hard to imagine this scenario in other organizations. If you are part of the Notes/Domino community, are you evangelizing the strategic value you can help bring in the area of enterprise-wide configuration change management? Do you or does your organization take a proactive approach in preaching how the built-in security, workflow, collaboration, and rapid application development nature of Lotus Notes/Domino can help take your organization 'beyond governance' and be even stronger?


Oh and don't ask me who the organization is, because there is no way I will tell. It is also one of the cases where I wish I had a direct connection with/link to the CIO to have a nice lunch and talk about this scenario and how he could make life easier for the organization.


