In-Depth

Fed regs and the return of the IT audit

• By Linda L. Briggs
• March 31, 2005

One trend in software configuration and change management tools is what Gartner analyst Jim Duggan calls “the rediscovery of the IT audit as something you have to worry about.”

New corporate regulations such as Sarbanes-Oxley, which mandate greater corporate accountability, have fallen heavily on IT departments. Those regulations, along with increased security requirements since Sept. 11, 2001, are affecting how companies manage software development.

The ability to trace the trail of software changes was important during the days of mainframe-only development, Duggan says, but that emphasis faded as distributed computing grew. Companies are rediscovering its importance today. That means they’re looking for tools to help monitor, store and recall facts such as when and why a software change was made, who made it, who approved it, and when it went into production.

“We’ve gone through a 15-year period where distributed computing has grown in importance, and suddenly we’re reminded, either by the government or by stockholders, that this is important,” Duggin says.

Corporations are just starting to feel the effects of Sarbox, for example. Although many large companies scrambled to meet the new law’s requirements in 2004 through manual processes, they may be looking for more automated, cost-effective ways to comply in future years. Several SCM companies are aware of that, and are pushing to convince customers that SCM products can be useful for compliance management.

One example is MKS, according to IDC research director Melissa Webster. “Generally, I think MKS has done a very good job connecting their solution…to the needs of IT organizations that are putting the IT controls in place to ensure compliance with [Sarbanes-Oxley] regulations. MKS was out of the gate early with a compliance message, and it appears to have brought them mind-share,” Webster says. Other companies addressing compliance needs in their marketing messages include Serena Software, Mercury Interactive, and Cybermation.

The importance of a tool to help audit and trace software development can vary according to industry. It may be a key SCM feature, for example, for shipping companies, which are especially concerned with security since new fed regs were enacted after Sept. 11.

At a large freight company based in the South, Ben Carr, senior production control analyst, says the need for better audit tools was one reason that the company moved to more robust change management products.

Carr’s company is using three change and configuration management products, all from Serena Software: Serena ChangeMan ZMF, ChangeMan DS, and ChangeMan ZOS for mainframe code. The company also uses Serena’s defect tracking system TeamTrack, which the company brought in to combine its change request and problem tracking system.

According to Carr, the fact the products are from the same vendor and therefore can be tied together is important, because it allows information to be dispersed among its 140 developers more efficiently.

Audit features were key to the company’s choice of SCM software, Carr says. “We need to be able to follow any one single piece of code back to its origin, including what was changed line by line,” he says. That apparently was possible, but more difficult, with a Computer Associates product called Change Control Facility the company replaced. ”We didn’t like how they handled history and accountability,” he says.

Serena’s products also handle temporary emergency changes well, Carr says, along with planned temporary and permanent changes, and unplanned temporary changes. “We can keep those temporary libraries around forever but not in the execution path,” he says. “The software also allows the company to control the changes developers can make, another important audit and control feature.”

Back to feature: Software Configuration Management: New Tools to Streamline Development