IT Controls and SOC Audits with Agile

By -
I had the opportunity while Director of IT at Green River Capital to get the organization in compliance with SSAE-16 (SAS 70 at the time), part of the Service Organization Control (SOC) reporting framework.  We were using Scrum on our software development team, and I was eager to do all the things required to demonstrate operational controls while not imposing burdens or requirements on the team that would be impediments to good Scrum practices and principles.

The SOC-1 audit was required in order for the company to be a vendor to large mortgage lenders and servicers including Bank of America, Chase, Fannie Mae and Freddie Mac.

I didn't know about it at the time, but Gene Kim has worked with the Institute for Internal Auditors to develop the GAIT principles and methodology.  Here are the 4 principles:
The four principles that form the basis for the methodology are consistent with the methodology described in the Public Company Accounting Oversight Board's Auditing Standard No. 5. They are:
  1. The identification of risks and related controls in IT general control processes (e.g., in change management, deployment, access security, and operations) should be a continuation of the top-down and risk-based approach used to identify significant accounts, risks to those accounts, and key controls in the business processes.
  1. The IT general control process risks that need to be identified are those that affect critical IT functionality in financially significant applications and related data.
  1. The IT general control process risks that need to be identified exist in processes and at various IT layers: application program code, databases, operating systems, and networks.
  1. Risks in IT general control processes are mitigated by the achievement of IT control objectives, not individual controls.
The problem that Gene and others address with GAIT is the frustration felt by auditors and management from the IT portions of SOX-404 compliance.  Too often, business and IT management felt that it was necessary to impose on technology groups and individuals heavy process and documentation requirements to achieve a level of compliance.  Those measures worked against efforts to be Agile as well as Scrum principles and practices.

Even though I was not aware of the GAIT principles and methodology, the auditors and I worked together on an approach that was very similar.  We identified critical business processes and systems and worked hard to identify ways that controls could be practiced and demonstrated without putting excessive burdens on the people doing the work, whose primary job was to deliver working software frequently that provided business value.

We used PivotalTracker as our ALM.  Our application stack included Windows Server OS, .Net, and SQL Server DB.  We were on a 2-week Sprint cycle, with schedule code releases every 2 weeks and bug fix releases as needed.  We also had a SQL Server DB data warehouse and SAP BusinessObjects reporting tools.  We wrote light weight descriptions of our planning, prioritization and approval processes, as well as our change management and release management processes involving those tools.

The members of the IT department, roughly 15 people total, demonstrated the controls required to satisfy the audit in the course of their normal work following Scrum practices.  The successful audit outcome was instrumental in the company doubling the size of its portfolio of properties managed on behalf of our clients.

Comments

Post a Comment

Popular posts from this blog

Severity, Priority, Impact and Likelihood - Managing Defects and Risks

By -
Defects and Risks are often dealt with in a subjective, emotional way.  That's unfortunate, because among all the things a software development team deals with, those are two that can be handled in a more constructive and empirical way. First, a couple definitions. Defect Severity: the degree of impact a defect has on system operation. A defect is something observed, so impact can be empirically quantified. Risk Severity: the degree to which a hypothetical event, should it occur, would impact system operation. A risk event is something that has not occurred, so impact must be estimated or extrapolated. The common element in both Risk Severity Assessment and Defect Severity is Impact on Revenue.  The FMEA framework that AKF recommends uses 1 = Low, 3 = Med, and 9 = High, to represent the exponential effect of a high impact risk or defect Impact on Revenue No payments being collected and/or payment data security compromised (Critical) Payment collection being de
Read more

Enterprise Agile Framework: The Entrepreneurial Operating System (EOS)

By -
Image
Brian Rabon introduced me to the Entrepreneurial Operating System (EOS) as the framework he uses to manage his company, The Braintrust Consulting Group (TBCG). EOS is the missing element in organizations that are having some success with Agile at the team level, but not succeeding with change at higher levels or outside software development. As Charlie Rudd points out in his post The Third Wave of Agile , there is broad consensus on the value of Agile practices at the team level, but all types and sizes of businesses are struggling to scale Agile and to increase agility across their organization.  I think EOS addresses those challenges. EOS is comprised of the EOS Model : Having a model like this in place allows teams to function optimally as self-organized units that share the vision and goals of the organization.  Teams are able to align themselves with the organization's objectives, and can see how their outcomes affect the organization's performance. The EO
Read more

Chatbot Code of Ethics

By -
A  NYTimes article  describes efforts by a consortium of the largest technology companies to create ethical standards for AI. A related article in MIT Technology Review is titled  AI Wants to Be Your Bro, Not Your Foe . Artificial Intelligence has reached a level of sophistication, and is on the brink of being so pervasive, that we can have these serious conversations. In my work developing AI-powered chatbots to assist with learning, I work within the bounds of these 7 precepts: Right View - our chatbots honor humanity, human dignity, and the human quest for knowledge, understanding and technological innovation Right Intention - our chatbots promote human progress in the areas of intellectual pursuits and personal ethical development Right Speech - our chatbots use encouraging, prudent, and situationally appropriate language Right Action - our chatbots perform with integrity toward the aforementioned right view and intention Right Live
Read more