Cabinet Maker Finds a Silver Lining in SOX
Corrected: June 20, 2006
by Alex Woodie
When the RPG programmers at MasterBrand Cabinets realized they would need to scale back their access to quality assurance and production environments to comply with the Sarbanes-Oxley Act, they weren't exactly thrilled about it. "There were some agitated developers when we went through this change," says William Storey, corporate IT compliance officer for the $2 billion cabinet maker. "They were saying, 'How am I going to do my job if I lose control?'" As it turns out, the upside of SOX, including a change management system from Aldon, outweighed the downside.
As a subsidiary of the publicly traded company Fortune Brands, MasterBrand Cabinets falls under the purview of the Sarbanes-Oxley Act of 2002, which is generally understood to require, among other things, that companies put controls into place to prevent unauthorized access to their financial systems and core business applications. In practice, this has meant implementing a configuration or change management system to automate the handling of changes to source code and provide an auditable record.
In the fourth quarter of 2004, the Jasper, Indiana, company underwent its first internal audit by Fortune Brands corporate auditors, followed closely by its first external audit by PricewaterhouseCoopers (PWC). At that time, MasterBrand didn't have a change management system in place. "We had some issues, but we had enough manual controls in place to be able to get a favorable opinion," Storey says. The auditors weren't cracking the whip yet, but nobody expected the leniency to continue.
"We were under the gun to come up with a solution for the AS/400 in pretty short order," Storey says. "Everybody knew we should have a formalized change management system to control software. We'd done it for so long with manual processes in place, including homegrown C Lists, but the first SOX audit showed that it wasn't very well controlled; that it had holes in it."
The SOX remediation program roughly coincided with the migration to Friedman's Frontier, an OS/400-based ERP system developed specifically for make-to-order manufacturers. Over the years, MasterBrand had acquired numerous other cabinet makers running a mish-mash of Baan, PRMS, and other highly customized ERP systems. When it's all said and done, subsidiaries and divisions in Indiana, Illinois, Alabama, Oregon, Virginia, and Nevada will use the Frontier system running on a new 32-way System i5 Model 595 that MasterBrand expects to take delivery of soon.
"The driver that makes Friedman attractive to us is they were the only ones who had a front-end dimensionally driven configurator," which is something that neither SAP nor Oracle could offer, Storey says. Frontier had this one key feature, but it lacked other features that were also important to MasterBrand. This situation led to a close partnership between MasterBrand and Friedman, in which Friedman has written new code for MasterBrand, including some changes that have made it into subsequent releases of Frontier.
The manual process MasterBrand had in place was designed to help programmers keep from stepping on each others' toes, and didn't offer much in the way of security, auditing, separation of duties, or SOX compliance, Storey says. "We had library lists for the '400 where you could do a little bit of automated check-in and check-out. But it was loose enough that if somebody wanted to check something else they weren't supposed to, they could," he says.
The company set out looking for a change management system and accumulated a list of eight to 10 products. The selection of Aldon Lifecycle Manager didn't take long. One of the new CIO's hires, senior analyst Vince Volk, had gone through the same selection process at his previous company and had researched the products. "He had already documented the strengths and weaknesses of each one," Storey says. "We were kind of in a position where we needed to work quickly. He's very familiar with the products, and knew all the ins and outs. It seemed like a natural choice. We maybe shortcut the processes a little, but we weren't doing it in a vacuum. Vince was an expert with the system to begin with."
With the decision to go with ALM made, the implementation began in April 2005. The primary component used by MasterBrand's 25 OS/400 developers was the Lifecycle Manager for iSeries component. The company also implemented the Lifecycle Manager product, which it uses to manage changes to a Windows-based PeopleSoft application, and, eventually, the Windows-based Community Manager product, which is used to manage workflow among development teams.
The Community Manager product is critical for breaking up employees' duties as part of the application lifecycle management process--a critical element in SOX. When a developer is finished writing or testing a piece of code, he notifies the people responsible for the next stage in the process--a two-person team of former AS/400 operators dubbed "migrators" in MasterBrand's case--using the built-in e-mail-based workflow capabilities in Community Manager.
Storey realized the entire promotion process needed to be overhauled to please the auditors. "Previously, a developer could take the project from cradle to grave, including development, testing, implementing, and supporting," he says. "With SOX, you can't do that. It's way too much access for an individual. Under SOX, programmers can develop and test until the project is ready to promote to the QA [quality assurance] environment. From that point forward, the developer can't touch it. The end users need to sign off from QA."
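The promotion rules Storey describes (a developer may work a change only until it is ready for QA, a separate party moves it from there, and end users must sign off before anything reaches production) are, in control terms, a small role-based state machine with an audit trail. The following is an added illustration of such a rule set, not code from the article or from Aldon's products; the role names, stage names, the `promote` and `sign_off` functions, and the sample users are all constructed for the example.

```python
"""Toy model of a separation-of-duties rule for promoting code changes.

Constructed example: stages, roles and user names are hypothetical and are
not taken from MasterBrand's process or any vendor product.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Promotion must walk this path in order; no stage may be skipped.
STAGES = ["DEV", "QA", "PROD"]


class SeparationOfDutiesError(Exception):
    """Raised when an actor attempts a step their role does not permit."""


@dataclass
class User:
    name: str
    role: str  # one of: "developer", "migrator", "end_user"


@dataclass
class Change:
    change_id: str
    developer: str                      # who authored the change
    stage: str = "DEV"
    qa_signed_off_by: Optional[str] = None
    audit_log: List[str] = field(default_factory=list)


def _record(change: Change, actor: User, event: str) -> None:
    """Append an auditable entry; every decision, allowed or denied, is logged."""
    change.audit_log.append(f"{change.change_id}: {actor.name} ({actor.role}) {event}")


def sign_off(change: Change, actor: User) -> Change:
    """An end user approves a change that is sitting in QA."""
    if actor.role != "end_user":
        _record(change, actor, "sign-off DENIED: not an end user")
        raise SeparationOfDutiesError("only end users may sign off from QA")
    if change.stage != "QA":
        _record(change, actor, f"sign-off DENIED: change is in {change.stage}, not QA")
        raise SeparationOfDutiesError("sign-off is only meaningful in QA")
    change.qa_signed_off_by = actor.name
    _record(change, actor, "signed off QA")
    return change


def promote(change: Change, actor: User, target: str) -> Change:
    """Move a change one stage forward, enforcing who may do so."""
    if target not in STAGES or STAGES.index(target) != STAGES.index(change.stage) + 1:
        _record(change, actor, f"promote to {target} DENIED: must go {change.stage} -> next stage")
        raise SeparationOfDutiesError("stages may not be skipped or reversed")
    # The author never moves their own change: that is the core SOX control.
    if actor.name == change.developer:
        _record(change, actor, f"promote to {target} DENIED: author cannot promote own change")
        raise SeparationOfDutiesError("developer may not promote their own change")
    # Only the migrator role operates the promotion itself.
    if actor.role != "migrator":
        _record(change, actor, f"promote to {target} DENIED: role {actor.role} cannot promote")
        raise SeparationOfDutiesError("only migrators promote changes")
    # Production additionally requires a recorded end-user sign-off from QA.
    if target == "PROD" and change.qa_signed_off_by is None:
        _record(change, actor, "promote to PROD DENIED: no end-user sign-off")
        raise SeparationOfDutiesError("end-user sign-off required before PROD")
    change.stage = target
    _record(change, actor, f"promoted to {target}")
    return change


def walk_change_to_production() -> Change:
    """Run one change through the full path with constructed sample users."""
    alice = User("alice", "developer")   # constructed sample user
    bob = User("bob", "migrator")        # constructed sample user
    carol = User("carol", "end_user")    # constructed sample user
    change = Change("CHG-0001", developer=alice.name)  # constructed sample id
    promote(change, bob, "QA")
    sign_off(change, carol)
    promote(change, bob, "PROD")
    return change


if __name__ == "__main__":
    for line in walk_change_to_production().audit_log:
        print(line)
```

The point of logging denied attempts as well as successful ones is that an auditor reviewing the trail can see not only that changes followed the path, but that the control actually fired when someone tried to step around it.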
MasterBrand's RPG programmers, who were already a little miffed they were losing so much control over the development process, initially scoffed at the thought of mere operators participating in this complicated process.
"Initially, some of the programmers kind of dragged their feet. They said 'No way someone with an operations background can understand how to use these things,'" Storey says. However, because developers can set everything up within Aldon's Lifecycle Manager and then push it out to the migrators, the fear that non-programmers would hit a complexity wall turned out to be unfounded. "It did not have near the negative impact we were afraid it would," Storey says of the process.
MasterBrand was able to squeeze even more functionality out of its migrators and the Community Manager product. The company also uses the product to manage help desk requests and security issues, and one of the migrators spends part of his time helping out with security issues.
The Aldon software was critical to resolving MasterBrand's issues and preparing it for its next SOX audit, which occurred in the fourth quarter of 2005. This second time around, it was doubtful that a manual process for controlling access to source code was going to pass muster. With ALM providing automated access control, that wasn't a problem, and PWC gave MasterBrand a passing grade on the SOX audit.
Storey says MasterBrand has definitely received its money's worth (about $150,000, which includes the next three years of maintenance) with the Aldon products. "The best part is that we came to Aldon looking for a SOX remedy and what we found was that and so much more. It's a win-win. We're extremely pleased with our decision to select Aldon," he says.
The company is also happy that its way of complying with SOX hasn't regimented its IT organization to the point where it can't get work done. Previously, its change authorization process was seldom more than a slip of paper in somebody's inbox, if it was documented at all. Now, managers and developers communicate with a unified workflow system, and managers are required to answer e-mail requests in a timely manner. Some of the managers even carry BlackBerrys so they can approve changes from half a world away.
"It's been a terrific tool to solve the workflow process for SOX," Storey says. "By definition, it can't be as fast as if you give all developers wide-open access. But it's almost as good as it was in terms of speed, and it's a whole lot better in terms of quality and output."
MasterBrand Cabinets started down the change management road as a way to comply with SOX, stay on the right side of the federal penal code, and keep its C-level employees out of the penitentiary. The path was bumpy at times, but somewhere along the way, developers realized the new system brought benefits of its own beyond the realm of compliance.
Storey came up with a unique way of determining the ALM tool's real-world effectiveness (although it's doubtful he will implement it). "Sometimes I think the best judge is, after people are using it for a while, what happens if I took this away? It would cause chaos."
This article has been corrected. The correct names of the Aldon products are Lifecycle Manager for iSeries, Lifecycle Manager, and Community Manager. IT Jungle regrets the error.