Enhancing ITGC with Automation
Designing solutions for compliance reviewers
Overview
This internal ITGC (IT general controls) SOD compliance platform for enterprises manages personnel permissions, enforces segregation of duties, and supports compliance control of IT operations. It significantly improves the efficiency and accuracy of audits and reporting.
Problem
Every month, compliance auditors have to contact the various product teams and ask members to manually export compliance-related data for auditing. This process is not only time-consuming but also raises issues with data accuracy and security. Because of the large volume of data, auditors are prone to omissions and errors during long review sessions. Differing compliance conditions and data standards across products also cause significant inconvenience for auditors.
Solution
Through user interviews and observation of audit work, we gained a deep understanding of user pain points and needs. Our goal is to build a compliance audit platform that can automatically retrieve data from various product systems on a regular basis. According to the standards set by auditors, the platform will implement automated audits, significantly improving the efficiency of auditors' work. Moreover, this approach can ensure data accuracy and security.
Understanding the User
This is a typical B2B project: the target users are not a large population but a specific business role, compliance auditors. Through interviews and by observing auditors at work, we learned that sifting through the vast volume of audit data is inherently tedious and error-prone. Auditors spend 6-8 hours daily immersed in data sheets exported by various teams, and long stretches of fatiguing work easily lead to mistakes. From the auditors' perspective, they strongly want the data standards across teams to be unified, so that audit standards can be unified as well, making it easier to identify patterns and improve audit efficiency.
Industry Research Findings
From industry research, we learned that IT permission segregation of duties can be divided into several categories. Combining this with our business, we should establish SOD monitoring and reporting in the following four dimensions: production migration SOD, batch job management SOD, database management SOD, and access management SOD. This lays a solid foundation for our business logic.
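To make the four dimensions concrete, here is an added example (not the platform's own code) of how an automated SOD check over team permission exports can work. It first maps each team's own permission vocabulary onto one canonical set, which is the "unified data standard" auditors asked for, then evaluates one conflicting permission pair per dimension and produces the per-category counts the dashboard shows. The alias table, the permission names, the conflicting pairs and the sample export rows are all constructed for illustration.

```python
"""Added example: automated SOD checks over team permission exports.

Not the platform's own code. The permission names, the alias table and the
conflicting pairs are assumptions chosen to illustrate the four SOD dimensions
named in the case study.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Teams export permission names in their own vocabulary; the platform maps them
# onto one canonical vocabulary so a single rule set applies everywhere.
# (Alias table is constructed for this example.)
PERMISSION_ALIASES: Dict[str, str] = {
    "PROD_DEPLOY": "deploy_to_prod",
    "release:prod": "deploy_to_prod",
    "CAB_APPROVER": "approve_change",
    "batch.submit": "schedule_batch_job",
    "batch.approve": "approve_batch_job",
    "DBA_RW": "dba_write_prod",
    "schema_review": "review_db_change",
    "iam:grant": "grant_access",
    "iam:approve": "approve_access_request",
}

# One conflicting pair per dimension (assumed for illustration): holding both
# halves lets one person both perform and approve the same sensitive action.
SOD_RULES: Dict[str, List[Tuple[str, str]]] = {
    "production_migration": [("deploy_to_prod", "approve_change")],
    "batch_job_management": [("schedule_batch_job", "approve_batch_job")],
    "database_management": [("dba_write_prod", "review_db_change")],
    "access_management": [("grant_access", "approve_access_request")],
}


@dataclass(frozen=True)
class Finding:
    product: str
    user: str
    category: str
    permissions: FrozenSet[str]


def normalize(raw_permissions):
    """Map a team's raw permission names onto the canonical vocabulary.
    Unknown names are kept (lower-cased) so they stay visible to auditors."""
    return {PERMISSION_ALIASES.get(p, p.lower()) for p in raw_permissions}


def detect_sod(exports):
    """exports: iterable of {"product", "user", "permissions"} rows, one per user
    per team export. Returns one Finding per (user, product, conflicting pair)."""
    findings = []
    for row in exports:
        perms = normalize(row["permissions"])
        for category, pairs in SOD_RULES.items():
            for perform, approve in pairs:
                if perform in perms and approve in perms:
                    findings.append(
                        Finding(row["product"], row["user"], category, frozenset((perform, approve)))
                    )
    return findings


def dashboard_counts(findings):
    """Number of generated SODs per category, as shown on the dashboard."""
    counts = {category: 0 for category in SOD_RULES}
    for finding in findings:
        counts[finding.category] += 1
    return counts


# Constructed sample: two teams, each exporting in its own naming convention.
SAMPLE_EXPORTS = [
    {"product": "payments", "user": "alice", "permissions": ["PROD_DEPLOY", "CAB_APPROVER", "read_logs"]},
    {"product": "payments", "user": "bob", "permissions": ["PROD_DEPLOY"]},
    {"product": "ledger", "user": "carol", "permissions": ["iam:grant", "iam:approve", "DBA_RW"]},
    {"product": "ledger", "user": "dave", "permissions": ["DBA_RW", "schema_review", "batch.submit"]},
]

if __name__ == "__main__":
    found = detect_sod(SAMPLE_EXPORTS)
    for finding in found:
        print(finding)
    print(dashboard_counts(found))
```

On the sample data this flags alice (production migration), carol (access management) and dave (database management), while bob, who can deploy but not approve, is clean. Keeping the alias table separate from the rules is the design point: when a new product team is onboarded, only its aliases are added, and the audit standard itself stays unified.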
Personas
To facilitate a common understanding among the team and stakeholders, I created a user persona to visualize the target user. This persona is crucial throughout the entire compliance process, with her thoughts and decisions reflecting the importance and priorities of the business.
Design
First, we will provide a dashboard page. This page allows auditors to see at a glance the automated audit results for all products within a specific time period, including the number of SODs generated in each category.
The SOD report page provides users with a convenient way to view the current SOD review data list, which includes both generated and non-generated SOD content. This allows users to comprehensively understand the status of SOD reviews.
The generated SOD content report will be sent to the corresponding team. After receiving the information, team members can leave comments or provide evidence on the platform to eliminate the SOD. Once evidence is submitted, auditors will receive corresponding notifications, and the process will gradually progress.
We created a unified process for different user roles to collaboratively handle SOD, consisting of 5 stages: Under investigation, Waiting for review, In review, Waiting for approval, and Closed. The diagram below shows the collaborative process interface from the perspectives of the Reviewer, product team members, and Compliance lead.
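The five stages and three roles above form a small state machine. The following added example (not the platform's own code) encodes them so that each transition is only available to the role that owns that step and every move is recorded for the audit trail. The stage names and the three roles come from the case study; the assignment of roles to transitions, the actor names and the case id are assumptions for illustration.

```python
"""Added example: the five-stage SOD handling workflow as a role-checked state machine.

Not the platform's own code. Which role may trigger which transition is an
assumption for illustration; the stage names and the three roles come from the
case study.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, List, Tuple


class Stage(Enum):
    UNDER_INVESTIGATION = "Under investigation"
    WAITING_FOR_REVIEW = "Waiting for review"
    IN_REVIEW = "In review"
    WAITING_FOR_APPROVAL = "Waiting for approval"
    CLOSED = "Closed"


# (from, to) -> roles allowed to trigger the move (assumed for this example).
TRANSITIONS: Dict[Tuple[Stage, Stage], FrozenSet[str]] = {
    # product team submits evidence or a comment to eliminate the SOD
    (Stage.UNDER_INVESTIGATION, Stage.WAITING_FOR_REVIEW): frozenset({"product_team"}),
    # reviewer picks the case up
    (Stage.WAITING_FOR_REVIEW, Stage.IN_REVIEW): frozenset({"reviewer"}),
    # reviewer rejects the evidence and sends the case back
    (Stage.IN_REVIEW, Stage.UNDER_INVESTIGATION): frozenset({"reviewer"}),
    # reviewer accepts the evidence and escalates for sign-off
    (Stage.IN_REVIEW, Stage.WAITING_FOR_APPROVAL): frozenset({"reviewer"}),
    # compliance lead signs off, or asks the reviewer for another look
    (Stage.WAITING_FOR_APPROVAL, Stage.CLOSED): frozenset({"compliance_lead"}),
    (Stage.WAITING_FOR_APPROVAL, Stage.IN_REVIEW): frozenset({"compliance_lead"}),
}


@dataclass
class SodCase:
    case_id: str
    stage: Stage = Stage.UNDER_INVESTIGATION
    # audit trail: (from, to, actor, role) for every move
    history: List[Tuple[Stage, Stage, str, str]] = field(default_factory=list)

    def allowed_next(self, role):
        """Stages this role may move the case to from its current stage
        (what the UI would offer as buttons)."""
        return [to for (frm, to), roles in TRANSITIONS.items()
                if frm == self.stage and role in roles]

    def advance(self, to, actor, role):
        """Move the case, enforcing the role rule and recording who did it."""
        roles = TRANSITIONS.get((self.stage, to))
        if roles is None:
            raise ValueError(f"{self.stage.value} -> {to.value} is not a valid transition")
        if role not in roles:
            raise PermissionError(
                f"role {role!r} may not move a case from {self.stage.value} to {to.value}"
            )
        self.history.append((self.stage, to, actor, role))
        self.stage = to
        return self.stage


def run_happy_path(case_id="SOD-EXAMPLE-1"):
    """Constructed walk-through: evidence submitted, reviewed, approved, closed."""
    case = SodCase(case_id)
    case.advance(Stage.WAITING_FOR_REVIEW, "dave", "product_team")
    case.advance(Stage.IN_REVIEW, "rita", "reviewer")
    case.advance(Stage.WAITING_FOR_APPROVAL, "rita", "reviewer")
    case.advance(Stage.CLOSED, "lee", "compliance_lead")
    return case


if __name__ == "__main__":
    closed = run_happy_path()
    for frm, to, actor, role in closed.history:
        print(f"{frm.value} -> {to.value} by {actor} ({role})")
```

The transition table doubles as documentation of the collaboration process: a product team member can only move a case forward by submitting evidence, a reviewer can either escalate or send it back, and only the compliance lead can close it, so no single role can both raise and resolve an SOD.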