The Sarbanes Effect on Software Development


Control Environment
Emphasis on and attitude towards internal controls at the top of the organization.

Risk Assessment System
Process to analyze and identify risks affecting the achievement of organizational objectives.

Control Activities
Policies and procedures established to help ensure management directives are carried out.

Information and Communication System
Process to identify, capture, and report information for decision making.

Monitoring System
Process to evaluate the effectiveness and efficiency of internal control.

When these components are applied to QA, the environment aspect speaks directly to the corporate culture. Is there such a thing as management commitment to quality? If the prevailing attitude is to let the users test the system in production, this aspect may not be met.

Risk analysis is nothing new, and it has been applied to software testing for years. Typically the risks centered on financial, operational, and customer impact. After Sarbox, there is a new type of personal risk for the big corporate kahunas. This ranges from forfeiture of bonuses up to and including civil and criminal penalties.

Testing is the ultimate control activity, of course, but the key is to assure that the means of communicating salient information about its status and findings is working. This takes us all the way back to the original problem: how do you get management's attention? It is generally agreed that companies must allow confidential submissions by employees of concerns about matters affecting financial reporting. Some are actually implementing hotlines where informants can bypass managers who are either ineffective or obstructive at raising awareness of critical issues. So, if your best QA efforts are being deliberately disregarded or emasculated by your chain of command, you can now take an anonymous shortcut to the top.

Perhaps the requirement for monitoring the internal controls will also help us break through the ceiling. Hopefully we won't have to wait for the first software-defect lawsuit to be filed before corporate executives realize some facts. Software QA is no longer an optional function primarily designed to protect developers from their mistakes, but is an essential one that protects them from SEC sanctions, civil damages, and an all-expense paid vacation to Club Fed.

About the author

Linda Hayes

Linda G. Hayes is a founder of Worksoft, Inc., developer of next-generation test automation solutions. Linda is a frequent industry speaker and award-winning author on software quality. She has been named as one of Fortune magazine's People to Watch and one of the Top 40 Under 40 by Dallas Business Journal. She is a regular columnist and contributor to and Better Software magazine, as well as a columnist for Computerworld and Datamation, author of the Automated Testing Handbook and co-editor Dare To Be Excellent with Alka Jarvis on best practices in the software industry. You can contact Linda at
