Test Automation Considerations with Regulatory Practices Lunch and Learn October 12, 2016 This session will be recorded

Agenda Sarbanes Oxley (SOX) FDA Requirements ISO/CMMI/Six Sigma “If these tests are executed manually by the business, they may still need to be retested by external auditor. If this is done by a third party, your company will incur the cost of testing and documentation which must be repeated each year. With automation, there is no business intervention in running the tests and documenting the findings. With automation, one person can execute both tests and results, which can then be reviewed/confirmed with business and auditors.” Sarbanes Oxley (SOX) FDA Requirements ISO/CMMI/Six Sigma HIPPA/PCI/GDPR

SOX By mapping existing manual controls to controls that are built into your application, you can take advantage of test automation. Test of Design of the control Test of Effectiveness of the control Control Automation Auditing and logging features can be automated Database Activity Monitoring turned on Automate printing of audit reports Securing privileged accounts Security related to which users could perform which features/functions Test automation allows you to spread out controls testing (samples) Frees-up key resources at key times of the year Continuous testing helps reduce fraud Management control evidence is readily available The Sarbanes-Oxley Act of 2002 (SOX) is an act passed by U.S. Congress in 2002 to protect investors from the possibility of fraudulent accounting activities by corporations. The SOX Act mandated strict reforms to improve financial disclosures from corporations and prevent accounting fraud.

How TurnKey Has Helped with SOX Created test flows for approvals, audits, management, and different views ensuring that different users have different access Login, navigate to page, check page title, frame name and link Negative testing – Add logic to make “failing tests” pass Flip keywords to make it pass when it sees a negative condition Build out hundreds of different data scenarios within the same spreadsheet to test different user logins Data for tests is isolated to only those tests – special users were created to run the tests with varying permission sets Helped establish test development/execution “workflows” to ensure that tests had proper sign-off

FDA Regulatory Requirements Focus on ALM environment – cFactory has to play by the rules! ALM/UFT Permissions must be locked down which can impact automated test creation and execution eApprove Process for all tools is required Installation Qualification (IQ) test plan and execution Verify expected results for all installation software and manual processes for ALM, UFT, cFactory, Accelerator(s), tools and utilities Operation Qualification (OQ) test plan and execution Verify that cFactory, UFT, ALM, Accelerators all worked properly in the installed environment Customized approval workflows must be established for all steps involved in test case development and execution Version control required to strictly lock down test cases and results Nothing can be deleted from ALM Test maintenance needs to be done in “Dev” environment

How TurnKey Has Helped With FDA Regulations Developed IQ and OQ test plans Executed IQ and OQ test plans and reported results Provide documented minimum permissions required for cFactory, UFT and ALM and worked with Customers’ IT to help establish these Helped structuring ALM to keep versions clear, maintenance easy and execution results readily available Helped with versioning (either using HP or cloning baseline in ALM)

ISO/CMMI/Six Sigma/etc. Standards need to be created for: Test case design Test case automation Test case execution Defect tracking standards Test environment standards Review process for test cases must be documented Once all tests are executed, determine if all requirements and standards are met Final review of results ALM versioning often used, or separate major releases by project

How TurnKey Helps with ISO/CMMI/etc. Test case design is simplified with cFactory – no coding standards and standard reviews needed Help identify what components to create and why cFactory works well with HP versioning Assist with cloning environments for archival ALM Best Practices shared at last month’s Lunch-n-Learn are very useful

HIPPA/PCI/GDPR Data regulations General Data Protection Regulation (GDPR) will be required in the EU by 2018 Cannot use customer information in a test environment DBA will take a copy of the production DB or a subset of it, then mask it, and push it to another DB for testers to consume Data sub-setting is important Huge impact for QA/Testers and Application Owners who want to use “realistic” test data while ensuring compliance with Standards Need to make sure data is always available Data is quickly consumed Long wait times for next “batch” of data for testing

How TurnKey helps with HIPPA/PCI/GDPR Test automation can generate consumable data Partnered with CA to sell Test Data Manager (TDM) – creates data pools for use across the business Acquire subsets of data from database Mask and sanitize it according to rules Or, synthesize data according to rules Ability to refresh data frequently TurnKey dataGen™ Synthetic test data can generate realistic test data, ensuring data integrity without using actual customer data