While assisting an IT department through a Sarbanes-Oxley (SOX) audit, I had to document an organization's Systems Development Life Cycle (SDLC). The SDLC includes activities and functions that systems developers typically perform, regardless of how those activities and functions fit into a particular methodology. Many assume SDLC is referring to a software development process. In turn, there's a lot of debate about different development practices and approaches. For example, when I lead Scrum teams for an organization, as part of an overall SDLC, all of the Scrum activities took place during the Implementation phase. When changes were deployed to the Production environment, the Support team leveraged Kanban. From Planning to Analyzing to Designing, they leveraged a Waterfall process. It all began with a request for a change. Because a picture is worth a thousand words, Pictofigo has created a SDLC poster, with a little input from me. You can either purchase it from CafePress as a poster or you can download it from the Premium Pictofigo site.
Meeting with GAO
After finding out the Government Accountability Office (GAO) was coming to pay our program a visit, I was also told to work with a small cross-functional team to collect all of the data to meet their requests. There was a list of recommended executive actions and we had to prove how we were satisfying those recommendations. To visualize our progress of collecting the data, I used a physical task board and sticky notes. I would call it a Kanban but we really didn't have any work in progress (WIP) limitations. The board was comprised of 4 columns: Backlog, WIP, Blocked, Done.
As of last night, everything was in the done column and I even had one team member come up and shake my hand. For some reason, I think there may have been a lack of confidence that we could identify and collect the data requested. With some leadership, inspiration and clear goals, we got it done. Though I'm not at liberty to say exactly what we supplied them, the requests they made were not unreasonable.
I've been through a SOX audit before so I understood how an audit works. Provide proof that you do what you say you do. Be able to explain why you do it. Now, what you do and how it aligns with how others think you should do it is another story. But, if the auditor is not satisfied with how you do it, they will make a recommendation on how you can meet their expectations. Here is the important thing. An auditor does not care what you say you are going to do. They care what you say you've done or do.