One of the most pervasive, and often justified complaints coming from those of us toiling in QA is that senior corporate management seems unaware of our existence, let alone our value. All too often perceived as a necessary evil or discretionary expense, QA is often a target of budget and schedule cuts. When it comes to communicating up the organization, I am reminded of the joke where the testers declare the product as "crap," which the next level of management softens into "manure," which is then further interpreted as "fertilizer," which finally reaches the top levels as "rich and productive."
A large part of the problem is that if QA does a good job, no one hears about it. No one appreciates the complaints that weren't received and the problems that didn't happen. Another part is that if there are problems, QA gets the blame. But all that could change. For those of you still puzzled by the title, the Sarbanes-Oxley Act is the new legislation passed in reaction to Enron, WorldCom, and similar fiascos. As someone who is saddled with degrees in accounting as well as law, but whose career is in QA, this topic is of particular interest to me.
A cursory reading reveals that the SEC is now demanding that corporate officers and directors "certify" (read as take personal responsibility and potential liability for) the accuracy of financial reports. This includes the issuance of an "internal control report" that attests to the effectiveness of the controls and procedures for financial reporting. A more detailed reading of the fine print reveals that these provisions don't just cover areas such as corporate finance and independent auditors, they also cover systems that impact financial results such as information technology and other operational areas. Does it mean that if your ERP system has a bug that affects your financial statements, your chief executives are automatically defendants? Maybe, maybe not.
The violation must be "knowing and intentional" to give rise to liability. This means that the executives must have known that there either was a problem or, at least, a high probability that one might exist, and then intentionally disregarded it. Obviously, if the QA organization uncovers significant errors in the ERP system and management knows there is a potential impact on the financial results but proceeds with the implementation anyway, then there is probably liability.
But what if the ERP system wasn't tested at all? Arguably, in that case, management would have no notice of any issues and therefore could not intentionally disregard them. But this is where the internal control report kicks in. The company must maintain adequate controls to assure that these types of errors don't occur.
Sarbox, as it is fondly called by all the lawyers and accountants licking their chops, doesn't define internal controls directly; it is generally accepted that the definition will be the same one used by auditors and prescribed by the Codification of Statements on Auditing Standards Section 319 ("AU Section 319"). AU Section 319 describes internal controls as including five components:
Emphasis on and attitude towards internal controls at the top of the organization.
Risk Assessment System
Process to analyze and identify risks affecting the achievement of organizational objectives.
Policies and procedures established to help ensure management directives are carried out.
Information and Communication System
Process to identify, capture, and report information for decision making.
Process to evaluate the effectiveness and efficiency of internal control.
When these components are applied to QA, the environment aspect speaks directly to the corporate culture. Is there such a thing