


Malcolm Davis's Blog

Software IG for Corporate IT

Posted by malcolmdavis on July 06, 2003 at 02:35 PM | Comments (1)

I wager I can walk into any Fortune 500 Company, pull a module of code, and discover that there is no corresponding unit test. Furthermore, the module most likely will not follow the company’s coding standards. Even though many of these companies contain documented processes for unit tests and coding standards, very few have independent auditors that can walk into a group and comprehend what is going on.

To help avoid the fraud, waste, and abuse that can occur inside large organizations, the military uses the concept of an Inspector General or IG. The IG is an independent external auditor that walks behind those in command and monitors if they are doing their job.

The concept is that the people in command are responsible for the actions of the workers. Since the focus of the IG is the individuals in command, not the workers, this puts pressure on the officers to understand what is going on, and to follow up on all activities. This is why, when taking over a military platoon, the first duty of a second lieutenant is to have an assessment of all equipment and personnel. The second lieutenant is responsible for everything in the platoon. That lieutenant knows that there will be an IG inspection someday.

I recently asked a technical lead, 'Is the group following coding standards?' His reply was, 'They better, I told them to....' After the conversation with the 'technical lead', the IG would have started pulling sample code, looking for unit tests, etc.

The concept of an IG runs through all walks of life and professions. An example for the banking industry is the Treasury Department’s OCC (Office of the Comptroller of the Currency). One thing the OCC does is review loan procedures for the banks. To validate that banks are following their own loan procedures, OCC inspectors will randomly pull bank loans looking for discrepancies. When discrepancies are found, it is the bank officers who are responsible. The US Treasury’s external audits are a major contributor to the strength of the US banking system.

Nothing is perfect: auditors play the major role of attesting that the financial statements of an organization are ‘true and fair’. Yet, as we have learned through recent corporate scandals (Enron & Andersen), even independent audit mechanisms can fail.


Comments

  • But it has to be enforced
    Audits are all well and good, but typically it's up to the management teams responsible for the development to actually find some way to enforce them. And, in many situations, there is a decision somewhere along the line that the deadlines and feature sets are more important than code quality - even when it's been demonstrated time and time again that the "sub-par" code (for lack of a better term) has potentially (and not so potentially) detrimental effects.

    Auditing becomes even more critical when the project(s) are done in diverse locations, especially with "off-shore" collaboration. However, as I noted above, if there's no management involvement in enforcement (I'm loath to use "discipline"), the situation persists.

    There was an excellent article last year (I believe) in JDJ equating this situation to Mayor Giuliani's "broken window" theory.

    Posted by: crackers on July 07, 2003 at 09:14 PM




