The Sarbanes Effect on Software Development

[article]

One of the most pervasive, and often justified, complaints coming from those of us toiling in QA is that senior corporate management seems unaware of our existence, let alone our value. All too often perceived as a necessary evil or discretionary expense, QA is often a target of budget and schedule cuts. When it comes to communicating up the organization, I am reminded of the joke where the testers declare the product as "crap," which the next level of management softens into "manure," which is then further interpreted as "fertilizer," which finally reaches the top levels as "rich and productive."

A large part of the problem is that if QA does a good job, no one hears about it. No one appreciates the complaints that weren't received and the problems that didn't happen. Another part is that if there are problems, QA gets the blame. But all that could change. For those of you still puzzled by the title, the Sarbanes-Oxley Act is the new legislation passed in reaction to Enron, WorldCom, and similar fiascos. As someone who is saddled with degrees in accounting as well as law, but whose career is in QA, this topic is of particular interest to me.

A cursory reading reveals that the SEC is now demanding that corporate officers and directors "certify" (read as take personal responsibility and potential liability for) the accuracy of financial reports. This includes the issuance of an "internal control report" that attests to the effectiveness of the controls and procedures for financial reporting. A more detailed reading of the fine print reveals that these provisions don't just cover areas such as corporate finance and independent auditors, they also cover systems that impact financial results such as information technology and other operational areas. Does it mean that if your ERP system has a bug that affects your financial statements, your chief executives are automatically defendants? Maybe, maybe not.

The violation must be "knowing and intentional" to give rise to liability. This means that the executives must have known that there either was a problem or, at least, a high probability that one might exist, and then intentionally disregarded it. Obviously, if the QA organization uncovers significant errors in the ERP system and management knows there is a potential impact on the financial results but proceeds with the implementation anyway, then there is probably liability.

But what if the ERP system wasn't tested at all? Arguably, in that case, management would have no notice of any issues and therefore could not intentionally disregard them. But this is where the internal control report kicks in. The company must maintain adequate controls to assure that these types of errors don't occur.

Sarbox, as it is fondly called by all the lawyers and accountants licking their chops, doesn't define internal controls directly; it is generally accepted that the definition will be the same one used by auditors and prescribed by the Codification of Statements on Auditing Standards Section 319 ("AU Section 319"). AU Section 319 describes internal controls as including five components:

Control Environment: Emphasis on and attitude towards internal controls at the top of the organization.

Risk Assessment System: Process to analyze and identify risks affecting the achievement of organizational objectives.

Control Activities: Policies and procedures established to help ensure management directives are carried out.

Information and Communication System: Process to identify, capture, and report information for decision making.

Monitoring System: Process to evaluate the effectiveness and efficiency of internal control.

When these components are applied to QA, the environment aspect speaks directly to the corporate culture. Is there such a thing as management commitment to quality? If the prevailing attitude is to let the users test the system in production, this aspect may not be met.

Risk analysis is nothing new, and it has been applied to software testing for years. Typically the risks centered on financial, operational, and customer impact. After Sarbox, there is a new type of personal risk for the big corporate kahunas. This ranges all the way from forfeiture of bonuses, up to and including civil and criminal penalties.

Testing is the ultimate control activity, of course, but the key is to assure that the means of communicating salient information about its status and findings is working. This takes us all the way back to the original problem: how do you get management's attention? It is generally agreed that companies must allow confidential submissions by employees of concerns about matters affecting financial reporting. Some are actually implementing hotlines where informants can bypass managers who are either ineffective or obstructive at raising awareness of critical issues. So, if your best QA efforts are being deliberately disregarded or emasculated by your chain of command, you can now take an anonymous shortcut to the top.

Perhaps the requirement for monitoring the internal controls will also help us break through the ceiling. Hopefully we won't have to wait for the first software-defect lawsuit to be filed before corporate executives realize some facts. Software QA is no longer an optional function primarily designed to protect developers from their mistakes, but is an essential one that protects them from SEC sanctions, civil damages, and an all-expenses-paid vacation to Club Fed.
