Emphasis on and attitude towards internal controls at the top of the organization.
Risk Assessment System
Process to analyze and identify risks affecting the achievement of organizational objectives.
Policies and procedures established to help ensure management directives are carried out.
Information and Communication System
Process to identify, capture, and report information for decision making.
Process to evaluate the effectiveness and efficiency of internal control.
When these components are applied to QA, the environment aspect speaks directly to the corporate culture. Is there such a thing as management commitment to quality? If the prevailing attitude is to let the users test the system in production, this aspect may not be met.
Risk analysis is nothing new, and it has been applied to software testing for years. Typically the risks centered on financial, operational, and customer impact. After Sarbox, there is a new type of personal risk for the big corporate kahunas. This stems all the way from forfeiture of bonuses, up to and including civil and criminal penalties.
Testing is the ultimate control activity, of course, but the key is to assure that the means of communicating salient information about its status and findings is working. This takes us all the way back to the original problem: how do you get management's attention? It is generally agreed that companies must allow confidential submissions by employees of concerns about matters affecting financial reporting. Some are actually implementing hotlines where informants can bypass managers who are either ineffective or obstructive at raising awareness of critical issues. So, if your best QA efforts are being deliberately disregarded or emasculated by your chain of command, you can now take an anonymous shortcut to the top.
Perhaps the requirement for monitoring the internal controls will also help us break through the ceiling. Hopefully we won't have to wait for the first software-defect lawsuit to be filed before corporate executives realize some facts. Software QA is no longer an optional function primarily designed to protect developers from their mistakes, but is an essential one that protects them from SEC sanctions, civil damages, and an all-expense paid vacation to Club Fed.