Sarbanes Oxley Question

  • John Keane
    Message 1 of 4, Jan 28, 2005

      Hi all,

      We have been going through a Sox audit (which I am sure most of you have) and I was wondering how people deal with it?  Specifically, I was wondering:

      1) What type of narratives do you create to answer Sox questions from auditors who aren’t familiar with agile approaches?  We have some but I was wondering if there is a Best Practices thing already existing in the community?

      2) How do you handle the out of band requests for people’s time? My issue mostly centers around audits that are very important to the company but often occur w/o warning and have very short deadlines.  The timing is sporadic and not easily anticipated.

       

      John Keane

      Development Manager

      Phone: (206) 816-8248

      Mobile: (206) 853-4605

      E-Mail: john.keane@...

      MS IM: jfkeane1025@...

       

      atlas DMT™
      "Hailed by many online ad professionals as having
      the best ad server out there." -Media Magazine

      Sign up to get the latest digital marketing research at:
      www.atlasdmt.com/contact/signUp.asp

       

    • ashinw2
      Message 2 of 4, Jan 31, 2005
        Hi John,

        The organisation that I'm working with has been preparing for a SOX
        audit. What follows is a perspective from a methods viewpoint and
        not from a risk or SOX steering group viewpoint.

        1) Auditing agile approaches
        My view is that it shouldn't matter whether you execute using agile
        or traditional; governance must still be implemented. The
        organisation's SOX team for technology has nominated to use COBIT
        for implementation. This team has identified 59 key control
        objectives to be implemented, of which 11 key control objectives are
        specific to systems development (i.e. my methods viewpoint). Controls
        are designed to implement the objectives and then woven into the
        processes. In this manner, an auditor can review the control
        objectives supported, what processes are associated with those
        objectives, what controls implement those objectives, and when and who
        executes them.

        2) Out of band requests
        The organisation is planning a testing phase by the risk groups
        pre-audit. There is a concerted effort to address both general and
        application controls prior to attestation. The theory is that there
        should be a sufficient body of evidence available and a limited need
        for the out-of-band requests that you describe.

        I elaborate on this governance piece in a paper that I will be
        delivering as a case-study in March at SDWest'05[1]. The paper[2]
        provides our blueprints of how we went about "fostering people and
        knowledge in projects". It documents our recent evolution on process
        improvement, knowledge management, methodologies and governance for
        technology. Hopefully it is of some interest to you.

        1. http://www.sdexpo.com/2005/west/conference.htm
        2. http://www.self.com.au/aid/visit/project/nab/adaptiveesp/Wimalajeewa_Ashin_AdaptiveESP_paper_CD.pdf

        rgds ash


      • John Keane
        Message 3 of 4, Feb 1, 2005

          Hi Ash,

          I don’t think I understand your response and, in retrospect, I don’t know that I was very clear in my question.  SCRUM says that a scrum master shouldn’t allow outside influences on their sprint.  It is a hard thing to arrange in some cases since there are groups/people that are shared across any organization.  In the case of a shared dev/qa/it resource it is easier to coordinate for us since they are under one umbrella.  However, SOX happens at our corporate level and has very little exposure to our team from a perspective of timing or goals.  So what I am really looking for is how other scrum masters handle these requests that affect resources.

           

        • ashinw2
          Message 4 of 4, Feb 1, 2005
            Hi John,

            It seems that your root question is more a fundamental Scrum question
            and others on this list are better qualified to answer...

            Whilst SOX may be a current high business priority for your
            organisation, your problem remains the same for any other priority. I
            think that your root question is:

            How should a scrum team, scrum of scrums or currently executing
            sprints be managed when the organisation experiences a significant
            priority change that the product owner(s) have little or no
            visibility of until impact?

            Indeed, this is a very different question from what I interpreted
            your original question to be. My response was attempting to guide you
            with how the bank is assembling its body of evidence prior to audit.
            The bank uses a variety of system development approaches including
            Serialised and Iterative-evolutionary. All approaches must
            demonstrate that sufficient governance is in place and followed.

            Good luck with your audit <g>. Any chance of publishing any lessons
            learnt post-audit?

            rgds ash

