Steel Producer Logs High Marks on SOX Audit
Published: January 24, 2006
by Robert Gast
Corporate leaders, once stunned by the draconian implications of the Sarbanes-Oxley Act, are beginning to come to terms with it. In fact, some suggest that SOX may even have its high points. Take MACSTEEL, for example. Pre-SOX, the Michigan steel producer would sometimes test changes to OS/400 applications after they'd been rolled into a live environment. As part of its SOX compliance effort, MACSTEEL implemented a suite of testing tools from the Original Software Group, and now every change is thoroughly documented before going live--much to the relief of its auditors.
SOX has been a thorn in the side of IT shops since it was passed into law in 2002. The legislation--which requires companies to, among other things, demonstrate that information management systems work properly and that changes to these systems do not affect their integrity--has forced IT departments to pull resources off key development projects, hire consultants, learn to ride the wave of evolving SOX regulations, and sweat seemingly impossible deadlines to appease auditors and the Securities and Exchange Commission. In the process, many have uncovered broken business practices, and have sourced new technologies to mend them.
As publicly held companies enter 2006, they seem to have a good handle on their compliance efforts, suggests a new study by AMR Research. The Boston analyst group foresees a shift in overall SOX spending for 2006, which this year is estimated at $6 billion. AMR says companies will begin allocating a bigger slice of their SOX budget for technology-based solutions to lessen the long-term costs associated with compliance, and spend less on other SOX-related necessities.
One of the companies getting a handle on SOX is MACSTEEL, which brings in revenue of about a billion dollars per year and is among the top 10 steel bar makers in the U.S. according to industry sources. The company is owned by Houston-based Quanex, and because Quanex is publicly traded on the New York Stock Exchange and boasts a market cap of roughly $1.4 billion, it must comply with SOX guidelines.
A big part of its SOX success can be attributed to the comprehensive electronic and paper audit trails generated by TestBENCH, an automated suite of testing tools developed by Original Software. But the new testing regimen goes beyond compliance, and has had a positive impact on overall software quality at the steel maker.
Culture Shock
David Burgher, group IT manager and SOX compliance officer for IT at MACSTEEL, is in charge of systems at all of the steel giant's locations. The company runs a highly modified version of PRMS on two iSeries Model 820s and on one Model 825. Twenty-two technicians staff its IT operation and six are responsible for all things iSeries, including modifications and updates made to PRMS. Burgher, who also oversees RPG development, describes the experience of coming face to face with SOX regulations as "culture shock." "We had controls but not like the ones that Sarbanes-Oxley forced onto us," Burgher says. "We were used to less stringent requirements for development and implementation."
At day's end, the objective for most IT departments is to get programs working and rolled into production. When it comes to testing their work, a cursory visual walkthrough is commonplace. Testing is sometimes delegated to the departments that use these programs, and they too find it tedious. Burgher, a seasoned coder and analyst, admits, "Nobody likes to test. Like lots of other shops, we would sometimes test software in a live environment. SOX has done away with that. You don't want to do that now because you're not going to pass your audit."
One year ago, after creating a few test plan forms to verify and document application changes, Burgher called his change management solution vendor to see if they had any suggestions on how to automate and document the software testing process. They recommended TestBENCH. "I'm sure our test plan forms would have worked, but it was not a convenient solution to use," says Burgher. "TestBENCH lets you look at data in the files that have changed. You can scrutinize screen changes and report changes--you can see so much more than the human eye is looking for. If I make a change, I'm looking for one specific thing to happen on one specific screen, and not the ripple effect of my actions. TestBENCH looks at everything."
Burgher's developers use the TestPLAN component of the TestBENCH suite to develop a test plan that itemizes the program functions they need to test. Then, test cases are created in TestBENCH. Unit tests verify that their requirements for certain functionality were met and flag any unwanted results. "All you have to do is change one line of code and before you know it, you're not doing something that you did the day before," Burgher says. "TestBENCH helps us set up tests and make people think about what they are doing. We now have detailed reports on the things we have tested for, and other documentation to prove that we got the right results and that we didn't cause any undesirable things to happen. That's the big benefit to us." TestBENCH allows MACSTEEL developers to score specific features within a program for how closely the actual functionality mirrors the intended functionality. MACSTEEL aims for scores of 100 percent.
Aside from having browser-based access to detailed development records, MACSTEEL programmers also print reports that illustrate how a specific program scored and who provided the approvals. This report gets attached to a printed test plan document so auditors can see all of the details relevant to a modification, including test scores, which, in MACSTEEL's case, are all 100 percent. "The auditors really like that," says Burgher. "Screen shots, reports, approvals, and everything else is easily accessible through a browser or on paper. They really liked the fact that they don't have to go to a paper file for one thing or a hard drive to get something else." During the audit, one Deloitte auditor commented that MACSTEEL had the best documentation that she had ever seen.
MACSTEEL's CEO and the company's auditor have now signed off on the compliance attestations per SOX guidelines. Assessments from both management and an independent auditor must appear in annual reports to shareholders. "We finished up our audits in late October. Deloitte came back for a second visit and had some small remediation issues they wanted us to address. We may be making it too easy for the auditors but it actually makes it easy for us too."
Silver Lining
Over the course of a year, developers at MACSTEEL have attended three one-week training sessions, and Burgher says it has been worth the time and expense. "Our people were much more knowledgeable after the training. They understand the product very well and can put test cases together very quickly." His developers have a better handle on the development process and the lifecycle of projects, he says.
And from a manager's perspective, Burgher knows exactly who is doing what, how long projects are taking, and who signed off on which projects. "We have more confidence in our testing and we're implementing better and more reliable solutions. We are not backing things out and redoing them. We have also improved our position with internal users and we're spending less money fixing problems. Although our initial interest in TestBENCH was sparked by the SOX audit process, it is now part of our development cycle."
Burgher says he wants to get to the point where he can run complete system tests automatically. "We want to go from Order Entry all the way through to posting of Receivables by linking together several unit tests. That way, if we make a big change we can test the whole thing automatically in an hour or two to make sure that we didn't cause a problem. We are not there yet but that's what we are working towards."
Robert Gast is the managing partner of Chicago-area based Evant Group, a marketing communications company, and can be reached at bobgast@evantgroup.com.