Friday, March 24, 2006

SOX Compliance and automated testing

There is an interesting article on IT systems and SOX compliance. It identifies

"three key building blocks required to ensure that IT controls exist and are formalized or structured in a way required by an organization’s management or its auditors, such that their design, assessment and remediation is totally integrated into the Sarbanes-Oxley compliance initiative. A SOX404 compliance application must support all of these three building blocks."

Building Block 1: Seamless integration of the three process-level controls - IT application controls, IT general controls and manual controls.

Building Block 2: Automatic testing of process-level IT application controls and incorporation of its result into the overall results of the test suite.

"In absence of any automation, most organizations end up manually testing hundreds of process-level IT application controls within their environment. For example, let’s take a control that ensures that the orders should only be processed within a customer’s credit limit. This control is typically implemented within an organization’s ERP system, but can be overridden for exceptions with proper authorization. Typically, most companies would print a report that lists out all orders that were processed within the last quarter, their credit limit at that time and if the override was applied, who applied the override and their role/title at the time the override was applied. Then the internal audit team would manually review each and every entry in the report and ensure that the control worked for every situation to score the control test as ‘having passed’. If not, they would score the control test as ‘having failed’ and would have to manually record every instance the test failed, so that proper disclosures and remediation processes could be triggered.

Such a manual process would have to recur every specified period for testing that control, and is repeated for every control within the organization. With hundreds of controls within an organization, manual testing of process-level IT application controls provides a major opportunity for reduction of cost of compliance. In addition, the sheer complexity of manually testing such controls in a large organization with heterogeneous systems increases exponentially.

The next generation of SOX compliance solution enables companies to address this issue and significantly reduce their cost of compliance by providing a framework that performs all of the following activities:
  1. Identifies if a control within the test documentation is a manual or application control. As a result, an application control does not need to be documented separately, which eliminates the potential nightmare of correlating application control documentation with test documentation.
  2. Automates the testing of application controls via the ‘push of a button’ by reading the relevant data within the ERP system and applying the testing logic.
  3. Reports the results for the entire test, including manual and application controls, in an integrated manner. It captures the detailed scoring from the audit (for manual controls) and specific details of records read, which records passed, which records failed the test and why (for application controls) as part of integrated reporting, so the results can be easily reviewed by an internal or external auditor in future to ‘prove’ that the testing occurred and the control is working as required.

The compliance solution typically leverages the APIs to access the data within the popular ERP systems such as SAP, Oracle and PeopleSoft, as well as legacy/homegrown systems. Such a solution typically provides an out-of-the-box library containing hundreds of tests for automating the testing of application level controls within general ledger, procure-to-pay, order-to-cash, inventory / cost accounting, asset management and payroll processes."

Building Block 3: Ability to easily define and assess relevant overall IT controls, typically derived from the COBIT model, and reconcile them with the selected assessment framework such as COSO.

In the final summary it concludes:

"IT systems are inextricably linked to the overall financial reporting process and need to be assessed, along with other important processes, for compliance with the Sarbanes-Oxley Act. In this brief, we have identified three key building blocks to ensure that IT controls exist and are structured in a way required by an organization’s management or its auditors, such that their design, assessment and remediation is totally integrated into the Sarbanes-Oxley compliance initiative. A next generation SOX404 compliance application must support all of these three building blocks."

Friday, March 17, 2006

Agile testing and test driven development

I came across an interesting article on As a taster:

"Agile development methodologies are beginning to drive the idea of test driven development into the consciousness of developers and development managers. Test driven development, in a nutshell, means writing your test cases first. First you decide what the module or object that you're working on should do and then you write tests which test whether that functionality works as you envisioned it—even before creating the object itself.

The net effect on the software development project is that less of the formal construction phase is invested on truly developing the code, and more time is invested in developing testing constructs. The back end formalized testing further reduces the overall construction phase of the project.

Test driven development advocates argue, somewhat successfully, that the additional time spent on testing reduces the overall amount of time necessary to construct the software because fewer bugs or unimplemented features go on to be undiscovered until late in the process – when it is known that bugs are more costly to fix."

For the full article visit

Saturday, March 11, 2006

Software testing FAQ - No. 12

Please provide a definition of migration testing. My boyfriend is trying to write a song about migration testing but I don't really think he knows what it is and I told him so.

That question was sent in by Chantelle. Without the context of the song it is hard to know what type of Migration testing you (or your boyfriend) are interested in. To help you I have provided three different definitions. Take your pick.
  1. Where a system or systems are being completely or partially replaced with a new system, testing the process used to migrate from the old to the new. This can include staggered transfer of data, data cleanse activities, parallel running and synchronisation of old and new, and transfer of users.
  2. Testing, conducted prior to needed regulatory clearances, to determine whether a food-contact substance migrates to the food.
  3. Testing the migration of wild fowl to determine the spread of avian flu.

Friday, March 03, 2006

Software testing FAQ - No. 11

Has a software testing specialist ever been fired on "The Apprentice" ?

That question was sent in by Charles Kennedy. It is not surprising that Charles should be interested in people who are fired. My great uncle Bert claims he was fired out of a cannon to celebrate the Festival of Britain. I expect that, what with the crowds cheering and everything, this must be very similar to being fired on The Apprentice.
Now Charles, there has never been a software testing specialist fired from The Apprentice. I have checked the titles that the contestants give themselves in both the American version, with the masterfully coiffured Donald Trump, and the UK version with Alan Sugar, who is rightly not famous for any aspect of his hair. Not one made any mention of software testing or even business process testing in their job title. There was an IT consultant who was fired but he was a hopeful political candidate rather than a serious specialist in software testing. Getting used to being fired is a valuable skill for any wannabe politician. Some say he seemed a little too eager to gain this experience by putting in a deliberately poor performance.
So even though the answer is no, I am not suggesting that were a software testing specialist to appear on the show that they would win. Imagine Glenford Myers selling either overripe fruit in Hackney or a calendar of kittens at Harrods. Not only would Mr Myers probably not win, it would probably not be gripping entertainment either. Unlike The Art of Software Testing, though, which is still viewed, even today, as the Norman Wisdom of testing tomes.