June 22, 2004

Sarbanes-Oxley and Agile Methods

I've just read several articles describing how Sarbanes-Oxley affects IT. In short, this new law requires CEOs and CFOs to sign their companies' financial statements, attesting that they are accurate. What kinds of assurances they should expect from their organizations before they affix their signatures is an open question.

The law itself does not specify what kinds of controls, documentation, or processes should be in place. But there are plenty of standards in these areas, many of which are being touted as solutions to this aporia: ISO 9000, CMM, and an internal-control framework called COSO have all been suggested as frameworks for demonstrating conformance with Sarbanes-Oxley.

Of course almost all corporations now use computers to collect and compute the figures used in their financial statements. Sarbanes-Oxley focuses principally on the potential for fraud and secondarily on the potential for error. How do the executives know that the numbers are correct? The biggest impact apparently will be on the design of financial systems, which will need to provide a complete audit trail for every transaction.

But Sarbanes-Oxley's purpose is to make it harder for executives to deny knowledge of frauds committed on their watch, as happened at Enron and other companies. It makes them more accountable, and that will make many executives more fearful. The challenge for agile methods will be to address this fear directly, rather than allow it to fuel the imposition of fear-based processes and blame-avoidance rituals.

In fact, the degree to which agile methods can help build trust could be a strong point in their favor.

Ben Worthen reports: "Dupont ... recently gave 1,400 IT employees a half-day crash course in internal controls, says Linda Johnson, global financial manager for IT at the chemical company. The training emphasized key internal control concepts, for example, the need to assign different employees to code the program changes, test them and then move them into production. A different person performing each task helps prevent errors or fraud, Johnson has found."

This would seem to suggest that pair programming could be cited as a fraud-control practice: two people see every line of code as it is written. Note, though, that the control described at DuPont separates three roles (coding a change, testing it, and moving it into production), and pairing only addresses the first. It does not by itself keep the people who wrote a change from being the ones who test it and deploy it.

References

Summary of Sarbanes-Oxley Act of 2002, AICPA

Your Risks and Responsibilities, Ben Worthen

Hello Up There! The Sarbanes Effect, Linda Hayes

Sarbanes-Oxley and the Need to Audit Your IT Processes, Jeff Smith

Posted by bret at 10:16 AM | Comments (1)