I have been to a few customers who have implemented or are implementing Sarbanes-Oxley (SarbOx or SOX) compliance in their development processes using VSTS. Andrew Delin from the VSTS Process team is creating a whitepaper on how to do that with VSTS. In the meantime, here are some reflections based on my personal work with this topic so far.
[What follows is a PPT-like intro to the topic. If you already know what SOX is, you can skip it.]
What is SOX?
- Federal legislation signed into law in July 2002
- It requires higher accounting standards, improved trustworthiness in corporate reporting, and greater financial transparency
- Two key sections of the law have drawn the most attention:
  - Section 302: Requires executives to personally certify the validity of financial statements
  - Section 404: Requires complete documentation of financial controls and auditor attestation to management's evaluation
Requires “an internal control report, which shall
1) State the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting;
2) Contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.”
[end of introduction]
Ok, given this very brief summary, I can now tell you that the best general guide I have found so far to understand how to implement SOX in an IT environment is "IT Control Objectives for Sarbanes-Oxley, 2nd Edition".
This book explains the rationale for establishing the controls needed from the IT perspective, starting with the SEC's own recommendation:
"Historically, assertions on control by an organization have been mostly voluntary and based on a wide variety of internal control frameworks. To improve consistency and quality, the SEC mandated the use of a recognized internal control framework established by a body or group that has followed due-process procedures, including the broad distribution of the framework for public comment. Specifically, the SEC referred to COSO".
"For Sarbanes-Oxley compliance efforts, it is important to demonstrate how IT controls support the COSO framework. An organization should have IT control competency in all five of the components COSO identifies as essential for effective internal control. They are:
• Control environment
• Risk assessment
• Control activities
• Information and communication
How does that relate to the normal IT framework controls that we are used to, such as ITIL/MOF, and SDLCs such as MSF for CMMI Process Improvement?
Here is a short summary plot:
- SOX recommends COSO per SEC
- COSO maps to COBIT (Control Objectives for Information and related Technology) standard
- portions of COBIT map to relevant parts of CMMI
- other parts of COBIT map to ITIL and other IT management standards
Said in this way it would seem that by implementing ITIL/MOF, and by using MSF CMMI as the standard SDLC, we would be covered in SOX compliance. This seems like a lot of overhead. However, you don't need all that, as we will see next.
SOX is about financial reporting
This was very eloquently mentioned by Dave Erickson:
“Sarbox is about assessing risk. While risk assessment is an element of ITIL, it isn’t the framework’s primary focus. Furthermore, CIOs who put ITIL or any other IT framework in place solely to comply with Sarbox will have gone overboard, says Erickson. The Sarbanes-Oxley Act requires only that companies establish controls over the systems relating directly to financial reporting. ITIL, Cobit and other frameworks for IT help companies put in place general controls for IT—a good thing to have, but much broader than the narrow scope required by law.”
So one of the first things that needs to be established from an IT perspective is a control that identifies the application being developed as impacting financial reporting. These types of applications will need to follow SOX constraints. Other types of applications do not need all the overhead, especially if you are doing Agile development.
Usually SOX compliance teams will keep their own database of such applications. In VSTS it is possible to create a work item to identify those for reporting purposes. That would be the first of several work items that might be needed for SOX compliance.
So given that part of what is needed is already in the MSF CMMI template, it is clear that a few items need improvement. Remember that this is just a sample of what might be needed, not a comprehensive list:
- Strategic planning alignment
- Risk management process
- We need to add risk reports per project and across portfolio (slice risk management by financial management applications)
- We need to implement reports that show traceability of work items that impact financial reporting. This will be easier to do with
- Adding new fields to work items (such as a task work item with a tag “SOX regulation”)
- Adding work items that have more workflow steps to deal with regulations
- SCM (as part of change management)
- Add work items that correspond to checkpoints for branching (see article by John Jacob et alii on branching guidance)
- Audit trails
- Have additional reportable fields, pivoted with the SOX attribute, and provide more reports for auditors
- Existing process guidance already handles part of this, but it is not enacted in tooling
- We need to implement Secure Development Lifecycle with work items as checkpoints, and corresponding work products and reports
As mentioned above, another big part of SOX compliance is covered by ITIL/MOF. I won't go into the infrastructure topics per se (see the book above for that), but there is one clear common implementation point with VSTS/TFS/MSF CMMI in security groups. Segregation of duties is mandated by SOX. However, the current default process template security groups are loosely defined, allowing persons without the proper authority to review/modify documents.
- Full implementation of the security model described in the MSDN documentation is a solution.
- Reporting needs enhancement to provide evidence of compliance showing that groups are separated in their duties.
Finally, part of SOX compliance is covered by IT Portfolio Management. Therefore, reporting needs enhancement to provide evidence of compliance using, for instance, a portfolio view of a dashboard showing compliance status. This view could use departments as pivots.
So as I mentioned above, these are just initial thoughts in a very complex topic. Andrew Delin and the VSTS Process team are working on getting more comprehensive guidance on how to tackle this subject.
I did a presentation for the VSTS Inner Circle on September 11th, and I am still getting requests for the video link and slides. Here they go:
Fundamentals of ALM
Abstract: What you should know to elevate an enterprise to an intermediate or higher level of maturity regarding SDLC and ALM. Includes discussion of the features of VSTS that enable integrated ALM, and an overview of what is coming in the next couple versions of VSTS (Orcas and Rosario).
Subject: Fundamentals of ALM
Recording URL: https://www112.livemeeting.com/cc/microsoft/view
Recording ID: K7K7ZZ
Attendee Key: PFSN5?2$m
This presentation has a five minute delay to start (recording started too soon). I have asked the organizers to edit those minutes out, and I will post the link to the edited version when it is available.
I want to thank Sam Guckenheimer who co-authored an earlier version of this deck which was co-presented at TechReady 4 (an internal Microsoft conference).
Some Agile and/or ALM adoption efforts are canceled midstream because of lack of understanding of the basics of finding a suitable candidate development project. I have seen in more than a single situation that the chosen project is cutting edge in all three aspects of technology, process and people:
- The technology is brand new, or new to the team, sometimes in even more than a single tier (for instance, new database software coupled with new UI development tools and a new programming language)
- The development process is being changed (say from waterfall to Agile)
- New people are being added to the team just after receiving their first training in the new technology
But the biggest mistake with Pilot efforts is to use a strategic, high-profile, brand new project as the proving ground for all these aspects, all at the same time. This is more common than expected. It starts as something like this:
- Business has some urgent need for strategic functionality that allows them to challenge the existing technical architecture
- However, the effort still has to abide by the usual existing waterfall processes that dictate that all must be done in a single pass
- So the project is approved, but no cycle is allowed to try out the new tools and processes in a smaller context, and multiple changes to the environment are bundled together in an insurmountable ticking bomb that will later explode as a "death march" project.
To add insult to injury, sometimes on top of all this no proof-of-concept is ever tried with the new technology and processes (Proof-of-concept differs from pilot in that it is done in a lab environment, with no impact on business). Pilot projects do have business justification, but usually one chooses a minor project instead of betting the "jewels of the crown" on risk upon risk.
The mistake in all of these usually lies in the governance management tier (PMO, office of the CIO, etc.). It is usually associated with just enforcing the status quo, and it takes some brand new business need to act as a catalyst to challenge it. This governance tier should be the one to understand how to evolve their environment through carefully taken steps, and to know how to spread the risk underlying the business need into preparatory small projects (using proofs of concept and pilots) that will pave the ground for more ambitious ones.
If a governance tier is not active in doing this, the new project decays into a rogue that just reinforces the "didn't I tell you so" attitude of those who see governance only as keeping IT madness in straitjackets.
Allowing this to happen is like building on moving sand: the construction might be impeccable but will collapse upon itself if it doesn't have firm ground to support the pressure of adding new layers.
The best practices for selection of a Pilot project are widely known, and have been for quite a long time. Here is an excerpt from a Microsoft Official Curriculum course from 1993. It is part of Course 124 - Managing the Migration to Client-Server Architectures. I modified the text to fit ALM adoption (the text in brackets replaces "client-server" and updates the context of other points):
"Start small - with a Pilot Project
We suggest you start your exploration of [new ALM processes and tools] with a pilot project.
- Maintain excitement:
- Sponsors will lose enthusiasm
- Team members will lose enthusiasm
- Reduce risk of turnover
- Need strategic answers quickly to be of value.
- Avoid management problems of large projects:
- Large projects require more layers of management
- Coordination of client developers and server developers is critical
- Coordination will be much easier in a small group that talks to each other
Selection Criteria of Pilot Projects
- Well defined data requirements
- Don't want to get bogged down in data analysis
- Could be existing application
- Could be part of a new application, where data analysis has been completed
- Benchmark available
- If don't have, need to build in-house benchmarking capability
- Performance criteria
- Quantify savings and benefits
- Define ball-park expectation
- Use to validate tool selection
- Use for quality control in future projects
- Decision support application [Business Intelligence in today's jargon] as opposed to data entry application
- More showy, if that's what's needed
- Safe place to start - it won't disrupt business operations
- Usually a simpler system
- Deliverable flexibility - keep concentration on testing the [ALM processes and tools]
- Committed and supportive users
- Might be #1 critical success factor [that includes not only end users of the application in the role of product managers, but also developers, project managers and upper management]
- Willing to work with the team
- Willing to allocate the time required for the project
- Could use internal IT system so "end users" are IT
- Low Cost
- Use equipment you already have [for instance, VPCs]
- Look for idle equipment [for instance, a PC with Windows XP can be a build server for a small project]
- Low Risk
- It's better if this might be considered a throw-away project
- Objective is to evaluate [new ALM processes and tools], not build an application. Concentrate on tools and platform rather than application development"
- If you need to choose a project that is mission critical, at least let it not be time-critical
As you can see, those best practices are nothing more than codified common sense, and I highly recommend you have those in mind when scoping your next ALM project.
It has been a busy year, and as any Agilista will tell you, it is time for a retrospective. Here is a picture of what my mind has been over the last year - all nice and fun, but very busy:
Well, that's not actually the picture - my mind is more organized than that :). So here is what I have been up to (BTW thanks Steven Borg for the photo).
Last November I presented at TechEd Brazil on MSF CMMI, and wrote a chapter on MSF Agile (in Portuguese) for a VSTS book led by Brazilian MVP Fábio Câmara, plus several other authors.
Besides consulting engagements, I worked with the creator of MSF Agile, Randy Miller (now with MCS) on a MSF Agile training course, and helped my team create an "ALM Assessment", a version of which is now online at www.microsoft.com/almassessment.
Then in January I presented at TechReady (an internal Microsoft conference) with Sam Guckenheimer on "Fundamentals of ALM", and learned about the latest and greatest in upcoming Microsoft technologies in sessions ranging from VSTS Orcas and Rosario, to WCF and others.
Soon after that I embarked on an 8-month stint with the MSF Team (now called "VSTS Process" team) as one of their product planners, while we were waiting to get Andrew Delin on board.
In February I had fun at SEPG 2007 in Austin (where I live - it's nice to have a major conference in your city once in a while). I was at the Microsoft booth talking about MSF CMMI and TFS, and also had interesting conversations with other booth presenters: Osellus (on the future of process enactment and authoring), Fujitsu (on how Macroscope for VSTS uses VSTS/TFS/Project), and Personify Design (with the new products to manage work items from Outlook, and requirements from Word).
At the conference I had the opportunity to talk a lot with David Anderson, the Architect of the MSF CMMI process template (now at Corbis), as well as Mike Konrad and Paul Nielsen from SEI on the past, present and future of MSF CMMI. I also met Hillel Glazer, one of the few fully certified assessors who also works with Agile development in depth.
In March I was at the SxSW Music and Media conference. I helped at the Microsoft booth for the Happy Hour sponsored by Microsoft Expression Studio where I had the opportunity of again talking to the Usability guru Chris Bernard about creating a UX whitepaper for MSF Agile (which is the only Agile methodology AFAIK to explicitly adopt Personas and Scenarios for User Experience).
While with the MSF product team my focus was especially on getting customer feedback. I helped to coordinate a workshop on Reporting in March, monthly calls to the MSF Council members, and hundreds of discussions on how to enact process in VSTS. I have also been in the MSF Forum a lot. After all this and two SDRs (Software Design Reviews) we got great feedback on how we can create better process templates for VSTS.
Then in June I presented at TechEd 2007 on MSF CMMI, helped at the Patterns and Practices booth, and rubbed shoulders with Ivar Jacobson from IJC, Sam Guckenheimer and Ajoy Krishnamoorthy while talking on the cool ESSup implementation for VSTS, Mike Azocar (creator of a lightweight Scrum process template), Colin Bird from Conchango (one of the authors of the first and most widely used Scrum process template), and a host of other VSTS MVPs, among them Chris Menegay, Steven Borg, Will Stott, Martin Donnell, Joel Semeniuk, Richard Hundhausen, Jeff Levinson, Jean-Luc David, Juan Perez, and customers from the MSF Council such as Brian Hinton and Wayne Miller.
Then at the end of June/early July I worked from London for a week and a half on the process templates redesign with Ian Spence from IJC, and Alan Wills. We also worked on the CMMI 1.2 update and SOX for the next version of TFS (Rosario time frame). A second session on this work was done in September, this time with Andrew Delin as well. I couldn't travel for this latter one, so I worked with the London team from 2:00 AM to 11:00 AM CST every day - an interesting experience of remote work using Live Meeting.
In August I followed the "Scaling Agile" topic at Agile 2007 in Washington DC - an interesting topic which I am still working on with a few other attendees and customers. The best presentation was from Sanjiv Augustine on "Transitioning to Agile Project Management" as he showed how to avoid the friction between PMs using traditional techniques, and the new agile thinking as a company scales Agile from small teams to reach the whole enterprise.
Then I switched gears back to the ALM business - this time with a nation-wide ALM Business team. Last September I did a talk to the VSTS Inner Circle, again on "ALM Fundamentals" (recording started too early - you will have to wait 5 minutes for it to begin. I might post a trimmed version later).
October was the "bug month", not of the software kind, but of the "being sick" kind, which put me out of work for two weeks (one of them with a continuous migraine that now makes me see with even more sympathy those that have this condition).
Finally, in early November I participated in the Alt.Net conference in Austin - a great forum for users who want to use OSS tools for .NET development.
So what is the latest? I will be doing the keynote in São Paulo on the 4th of December on "Delivering Value Through Application Lifecycle Management" at the Simpros (International Symposium of Process Improvement for Software) event, meet a few customers and then if I still have time, pass by TechEd Brazil.
I am now working on a couple of workshops on MSF Agile and MSF CMMI Project Management, and a webcast on "Using KPIs to Streamline Development" with VSTS on the 13th of December, all that while engaged on a few VSTS ALM Projects. I can't complain about not having work to do :)
All in all, in retrospect it has been a very productive year, and hopefully I will repeat the dosage as I delve even more into implementing Software Engineering best practices with Visual Studio Team System.