IT Controls and SOC Audits with Agile

I had the opportunity while Director of IT at Green River Capital to get the organization in compliance with SSAE-16 (SAS 70 at the time), part of the Service Organization Control (SOC) reporting framework.  We were using Scrum on our software development team, and I was eager to do all the things required to demonstrate operational controls while not imposing burdens or requirements on the team that would be impediments to good Scrum practices and principles.

The SOC-1 audit was required in order for the company to be a vendor to large mortgage lenders and servicers including Bank of America, Chase, Fannie Mae and Freddie Mac.

I didn't know about it at the time, but Gene Kim has worked with the Institute for Internal Auditors to develop the GAIT principles and methodology.  Here are the 4 principles:

The four principles that form the basis for the methodology are consistent with the methodology described in the Public Company Accounting Oversight Board's Auditing Standard No. 5. They are:

  1. The identification of risks and related controls in IT general control processes (e.g., in change management, deployment, access security, and operations) should be a continuation of the top-down and risk-based approach used to identify significant accounts, risks to those accounts, and key controls in the business processes.
  2. The IT general control process risks that need to be identified are those that affect critical IT functionality in financially significant applications and related data.
  3. The IT general control process risks that need to be identified exist in processes and at various IT layers: application program code, databases, operating systems, and networks.
  4. Risks in IT general control processes are mitigated by the achievement of IT control objectives, not individual controls.

The problem that Gene and others address with GAIT is the frustration felt by auditors and management from the IT portions of SOX-404 compliance.  Too often, business and IT management felt that it was necessary to impose heavy process and documentation requirements on technology groups and individuals to achieve a level of compliance.  Those measures worked against efforts to be Agile and against Scrum principles and practices.

Even though I was not aware of the GAIT principles and methodology, the auditors and I worked together on an approach that was very similar.  We identified critical business processes and systems and worked hard to identify ways that controls could be practiced and demonstrated without putting excessive burdens on the people doing the work, whose primary job was to deliver working software frequently that provided business value.

We used PivotalTracker as our ALM.  Our application stack included Windows Server OS, .NET, and SQL Server DB.  We were on a 2-week Sprint cycle, with scheduled code releases every 2 weeks and bug fix releases as needed.  We also had a SQL Server DB data warehouse and SAP BusinessObjects reporting tools.  We wrote lightweight descriptions of our planning, prioritization and approval processes, as well as our change management and release management processes involving those tools.

The members of the IT department, roughly 15 people total, demonstrated the controls required to satisfy the audit in the course of their normal work following Scrum practices.  The successful audit outcome was instrumental in the company doubling the size of its portfolio of properties managed on behalf of our clients.
