Abstract: Sarbanes-Oxley is a regulatory requirement for all publicly listed companies in the United States. At its core, SOX requires that an organization maintain adequate controls over financial data and access to it across the organization. The current market has been very volatile, and the business requires applications to be delivered in less time while accommodating constantly changing requirements in order to win more business. This has brought new ideas of using Agile techniques (such as Scrum and Extreme Programming) for application development in a waterfall organization. Agile techniques act as a catalyst for development teams to deliver efficiently and effectively to the business. In this presentation we will discuss the approach for making projects that use Agile techniques SOX compliant.
What is SOX

Sarbanes-Oxley is a regulatory requirement for all publicly listed companies in the United States. At its core, SOX requires that an organization maintain adequate controls over financial data and access to it across the organization. The infamous section 404 requires that CEOs and CFOs sign off on this, with severe penalties if they are wrong.

Section 404 requires "an internal control report, which shall 1) State the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and 2) Contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting."

"For Sarbanes-Oxley compliance efforts, it is important to demonstrate how IT controls support the COSO framework. An organization should have IT control competency in all five of the components COSO identifies as essential for effective internal control. They are:
• Control environment
• Risk assessment
• Control activities
• Information and communication
• Monitoring"
Our Experience
The current market has been very volatile, and the business requires applications to be delivered in less time while accommodating constantly changing requirements in order to win more business. This has brought new ideas of using Agile techniques (such as Scrum and DSDM) for application development in a waterfall organization. Agile techniques act as a catalyst for development teams to deliver efficiently and effectively to the business.
The organization, being a publicly listed company, has to comply with the requirements of SOX, and its IT division faces the daunting task of improving time to market for the business using Agile techniques while making all application development SOX compliant.
In this presentation we will discuss the approach for making projects that use Agile techniques SOX compliant.
One area of SOX compliance is making sure the financial information that a company uses is consistent and correct. For software, this is more an issue of which systems are in place and how these systems store and access financial data. Requirements of this type would of course feed into Scrum backlogs, perhaps affecting the Product Owner's work, but they have less to do with the development process itself.
A second area is making sure the systems, once we have the proper requirements figured out, actually function correctly when working with financial data. Scrum does not specify testing practices, but the spirit of Scrum asks us to provide a measure of completeness for backlog items, which of course implies testing. If we use Agile acceptance-testing practices to build a solid, automated testing safety net around our backlog items, proving the correctness of financial systems becomes a whole lot easier, and auditing for correctness becomes pretty straightforward. But we have to raise our testing to a high level no matter what process we use.
A third area is controlling changes to the financial software systems, so that we can prove that we are not altering their functionality or correctness without some level of control over those changes. Fortunately, Scrum (and almost all Agile processes) already provides a pretty good level of scope control via the product backlog and sprint backlog. I think we'd provide more ceremony around backlog changes, like sign-offs or something, to give the auditor evidence that changes are not being made without controls. It put some extra hoops in place for developers when they want to refactor code—
A fourth area is maintaining traceability across the system. This was done by implementing the traceability matrix in a more efficient manner.
All these approaches led to the following benefits:
• Reduction of 50% in deliverable production
• Approximately 30% savings in effort spent developing deliverables
• Reduction in the project life cycle through fewer sign-offs
The paper will discuss the mapping of SOX section 404 against Agile principles. Handouts will be distributed, and a checklist mapping the two will be handed to participants.