With that agreement in hand, she and her team implemented two things: one, a report that would show what had changed over a set period of time, so they only had to test what had changed; and two, integration of the controls tests as part of the automated test arsenal, including the right set of roles and process combinations in the test suite to be sure the more than seventy controls were executed each time. The test results were reported and saved in an "audit ready" format. What had taken months to do before could now be done in seventy-two hours and by only one person. For a relatively minor incremental effort, this approach saved her company a quarter of a million dollars a year and put big smiles on the business owners' faces.
Think Outside the Traditional Box
Think about it. We all have to scramble to justify investment in testing and automation, often producing laborious ROI analyses. The problem with most of these is that, unless your test coverage is comprehensive to begin with (and whose is?), at best you are going to increase quality without increasing testing costs. Reducing testing costs is hard to argue, since enough likely isn't being spent anyway. But, with this approach, you are displacing actual hard costs and tedious effort.
SOX applies only to public companies, of course, but that doesn't mean smaller or private companies don't care about compliance or have exposure to audit requirements.
The larger lesson is that we need to learn to think outside of the traditional feature/function box and realize that the systems we test may have far-reaching financial and operational consequences for our company or for those who use the software we may sell. We can use this new perspective in the ongoing battle to justify additional investment in testing and automation and to get the right kind of attention from senior levels of management.