A StickyMinds.com Original
Hello Up There! The Sarbanes Effect
Will the Sarbanes-Oxley Act Finally Catapult QA to the Boardroom?

By Linda Hayes


Summary: One of the most pervasive, and often justified complaints coming from QA professionals is that senior corporate management seems unaware of their existence, let alone their value. All too often perceived as a necessary evil or discretionary expense, QA is often a target of budget and schedule cuts. But all that could change with the Sarbanes-Oxley Act. In this week's column, Linda Hayes explains what this new legislation could mean for your QA team.


One of the most pervasive, and often justified complaints coming from those of us toiling in QA is that senior corporate management seems unaware of our existence, let alone our value. All too often perceived as a necessary evil or discretionary expense, QA is often a target of budget and schedule cuts. When it comes to communicating up the organization, I am reminded of the joke where the testers declare the product as "crap," which the next level of management softens into "manure," which is then further interpreted as "fertilizer," which finally reaches the top levels as "rich and productive." 
 
A large part of the problem is that if QA does a good job, no one hears about it. No one appreciates the complaints that weren't received and the problems that didn't happen. Another part is that if there are problems, QA gets the blame. But all that could change. For those of you still puzzled by the title, the Sarbanes-Oxley Act is the new legislation passed in reaction to Enron, WorldCom, and similar fiascos. As someone who is saddled with degrees in accounting as well as law, but whose career is in QA, this topic is of particular interest to me. 
 
A cursory reading reveals that the SEC is now demanding that corporate officers and directors "certify" (read as take personal responsibility and potential liability for) the accuracy of financial reports. This includes the issuance of an "internal control report" that attests to the effectiveness of the controls and procedures for financial reporting. A more detailed reading of the fine print reveals that these provisions don't just cover areas such as corporate finance and independent auditors, they also cover systems that impact financial results such as information technology and other operational areas. Does it mean that if your ERP system has a bug that affects your financial statements, your chief executives are automatically defendants? Maybe, maybe not.  
 
The violation must be "knowing and intentional" to give rise to liability. This means that the executives must have known that there either was a problem or, at least, a high probability that one might exist, and then intentionally disregarded it. Obviously, if the QA organization uncovers significant errors in the ERP system and management knows there is a potential impact on the financial results but proceeds with the implementation anyway, then there is probably liability. 
 
But what if the ERP system wasn't tested at all? Arguably, in that case, management would have no notice of any issues and therefore could not intentionally disregard them. But this is where the internal control report kicks in. The company must maintain adequate controls to assure that these types of errors don't occur.  
 
Sarbox, as it is fondly called by all the lawyers and accountants licking their chops, doesn't define internal controls directly; it is generally accepted that the definition will be the same one used by auditors and prescribed by the Codification of Statements on Auditing Standards Section 319 ("AU Section 319"). AU Section 319 describes internal controls as including five components: 
 
Control Environment: Emphasis on and attitude towards internal controls at the top of the organization.
Risk Assessment System: Process to analyze and identify risks affecting the achievement of organizational objectives.
Control Activities: Policies and procedures established to help ensure management directives are carried out.
Information and Communication System: Process to identify, capture, and report information for decision making.
Monitoring System: Process to evaluate the effectiveness and efficiency of internal control.
 
When these components are applied to QA, the environment aspect speaks directly to the corporate culture. Is there such a thing as management commitment to quality? If the prevailing attitude is to let the users test the system in production, this aspect may not be met.  
 
Risk analysis is nothing new, and it has been applied to software testing for years. Typically the risks centered on financial, operational, and customer impact. After Sarbox, there is a new type of personal risk for the big corporate kahunas. This stems all the way from forfeiture of bonuses, up to and including civil and criminal penalties. 
 
Testing is the ultimate control activity, of course, but the key is to assure that the means of communicating salient information about its status and findings is working. This takes us all the way back to the original problem: how do you get management's attention? It is generally agreed that companies must allow confidential submissions by employees of concerns about matters affecting financial reporting. Some are actually implementing hotlines where informants can bypass managers who are either ineffective or obstructive at raising awareness of critical issues. So, if your best QA efforts are being deliberately disregarded or emasculated by your chain of command, you can now take an anonymous shortcut to the top. 
 
Perhaps the requirement for monitoring the internal controls will also help us break through the ceiling. Hopefully we won't have to wait for the first software-defect lawsuit to be filed before corporate executives realize some facts. Software QA is no longer an optional function primarily designed to protect developers from their mistakes, but is an essential one that protects them from SEC sanctions, civil damages, and an all-expense paid vacation to Club Fed. 
 
Reference 
For a collection of related articles see CIO magazine site: 
http://www.cio.com/research/government/legal.html#1792 
 
Join the StickyMinds RoundTable discussion on this topic from March 1 - April 2, 2004. Once the discussion closes you can still see what everyone had to say. 
What Impact Has Sarbanes-Oxley Had on You?


About the Author
Linda Hayes is the founder of three software companies including AutoTester in 1986, which delivered the first automated testing program for the IBM PC. Linda has pioneered automated test tools. Her new company, Worksoft, offers Certify, which represents the next generation of enterprise-level test automation. Worksoft also offers a free online newsletter called "Reality Check," which provides links to articles, white papers, and other compelling information on testing. A frequent industry speaker and award winning author, she publishes the monthly Quality Quest column for Datamation, wrote The Automated Testing Handbook, and co-edited Dare To Be Excellent with Alka Jarvis on best practices in the software industry. You can contact Linda at Linda@worksoft.com.

 

StickyMinds.com Weekly Column From 7/14/03 

Member Comments
 
Comment:    
by Richard Bender 7/24/2003

Linda, There is additional precedence for the SEC's interest in the quality of software. A few years ago they required all publicly traded companies to state the status of their Y2K remediation in their annual reports. It was in recognition that software is a "critical success factor" to the on-going health of the companies. In a number of cases they threatened to de-list companies that had not made sufficient progress on their Y2K efforts until the problem was corrected. Over the years I have seen more than a few major corporations fail due to poor quality software. As the software industry matures I expect that the same level of...Read On

 
 
Comment:    
by Suzanne Dwyer 7/19/2003

As a newcomer to software testing I enjoyed your article and the concept of 'real' accountability. Have tried the concept of loss with my financial institution and it's not working so far: in Australia we also seem to believe that loss has only occurred when a secondary problem arises, e.g. I use faulty banking information for interest received in a taxation submission and incur a tax bill. What's the success rate for billing a company for lost time farting around with a faulty software product?

 
 
Comment:    
by Al Heinze 7/17/2003

It seems that the lack of communications to the CIO and other corporate officers about what we see that is NOT being accomplished to protect their backsides would be of great interest to them! Maybe then we can 'educate' them on the aspects of QA that WILL protect them. Gotta get their attention first. Hopefully SOX is being addressed with some IT committee members. Seek them out!

 
 
Comment:    
by Harold LeDrew 7/15/2003

This legislation may help in providing "visibility" to testing. However, I doubt that it will change the perception that QA is "an unnecessary and expensive waste" to what it actually is -- a valued asset. Has anyone noticed that senior management do not even realize that the word "quality" has become a relative word that needs clarification instead of the absolute that it used to be? Typically corporate members are concerned only with whatever will fill their pockets with a minimum of cost. The most common comment/suggestion is that the engineer that developed the item (be it software, widgets or a new mousetrap) is best qualified to...Read On

Author's Response:
7/16/2003    
Harold, I feel your pain. But we can at least be grateful that there is an awakening, however slow...

 
 
Comment:    
by Sheryl Smith 7/15/2003

Thanks for providing these details. Indeed, this could help alert management to the fact that software doesn't always work correctly, and that they may be liable if it doesn't. The connection between that and the existence of s/w test is a bit more tenuous, but there's hope--or there may come to be hope as people sue. You want to believe that banking has tight software, and in some places I suppose it does. But if you've ever gotten off the beaten track with a credit card company, you may soon be convinced that their back-end data handling is dreadful. Nobody requires them to be otherwise--and nobody requires them to reimburse for their...Read On

Author's Response:
7/16/2003    
Good point, Sheryl. Maybe as consumers we should start notifying our service providers when their software is defective or difficult so that we can do our part to raise awareness. And you're right - as much as we all say we loathe lawyers and litigation, sometimes that is what it takes to get attention.

 
 
Comment:    
by Srinivasan Desikan 7/15/2003

In the automobile industry, when a defect is found they recall all vehicles and fix the problem at their cost. In software we issue one more patch that increases load on customers and introduces new defects :-)))...but I feel, with the recent ruling, the gap will be minimized between the matured automobile industry and the software industry, even though it may take a decade to become a reality. I feel it will definitely become a reality, as top management can't be "aware of a nasty defect but not fix it". This increases the ownership levels at top management. Some interesting questions from a different perspective! Can we really achieve anything by...Read On

Author's Response:
7/16/2003    
Thanks, Srinivasan - I like the parallel to vehicles; there are other interesting links like the fact that we almost lost our domestic auto industry over poor quality. As far as QA's own "self esteem," you may be on to something there. I think sometimes we spend too much time lamenting our invisibility instead of actively raising it.

 
 
Comment:    
by Rick Craig 7/14/2003

Linda, Thanks for another thought-provoking article........ Rick

 
 
Comment:    
by Gene Fellner 7/14/2003

Hallelujah. And as any of you who are familiar with my postings and politics already know, I am rarely inclined to cheer new regulations instituted by Big Nanny for Our Own Good.

Author's Response:
7/16/2003    
I'm with you, Gene. You can't legislate morality, fitness, or other virtues - even ethics for that matter - but you can sure legislate punishment for those that sin. Sometimes that is all that works.

 