IT Compliance Institute, November 1, 2005:
Best Practices
Case Study: Tracking Software Changes for Compliance
"We've considered getting badges and guns, but the company frowns on the guns," explains the director of configuration management for ADP, a financial services software company. Certainly, tracking software changes can be a problem. Getting rid of the paper trail was a big first step.
By Mathew Schwartz
How can a financial services firm track changes to its software, and keep all interested parties—including senior management, regulators, and internal project teams—up to date on the status of its projects?
That was the dilemma facing ADP Securities Industry Software (ADP/SIS), which provides software and processing services for brokerage firms. In particular, the Securities Industry Software business unit runs a service bureau that provides back office, point-of-sale, and Internet capabilities for clients.
"We make changes to that software on a regular basis, primarily due to client requests and regulatory requirements," notes John Krug, director of configuration management for ADP/SIS. All told, ADP must comply with regulations from such organizations as the Depository Trust and Clearing Corp., Internal Revenue Service (IRS), National Association of Securities Dealers (NASD), National Securities Clearing Corp. (NSCC), and Securities and Exchange Commission (SEC).
The service bureau uses over 4,000 software modules written in COBOL and produces or revises another 250 modules annually, which requires collaboration between different groups inside ADP/SIS.
"To coordinate the work of those various groups, you need to have some procedures in place," notes Krug. One of those procedures included using paper-based sign-off forms to track projects from start to finish. Such forms, however, are easy to lose. And the forms must be physically passed from one approver to another, which can slow projects.
Nevertheless, the paper-based system held—at least until 2002, when the development team moved to a new building a block away from the configuration management team. That was the catalyst for shelving paper forms. "We didn't want people to have to walk a block to track down signatures," notes David Holland, who's also director of configuration management for ADP/SIS.
To help, ADP/SIS began implementing Remedy Action Request System (which it was already using in-house) from BMC Software to create an electronic paper trail. Now, nothing happens unless the Remedy ticket has been properly filled out and signed off. "All those sign-offs are electronic," says Krug. "It's our way of enforcing compliance with our procedures."
Here's how the new approach works. After a project ticket is created, a developer finishes making the relevant coding changes, using the appropriate program. Then the developer clicks the sign-off button in Remedy, which e-mails the configuration management group that the code has been checked in. That group compiles and installs the software and signs off in Remedy. The software generates an e-mail back to the developer, who's responsible for auditing the installation to ensure it was correct. After auditing, the developer signs off in Remedy, which e-mails the quality assurance tester, so he or she can start testing. The automatic notifications continue until the code goes through beta testing and into production.
ADP/SIS chose to use Remedy because its help desk had already been using the application since the 1990s. In preparation for the Y2K crisis, ADP/SIS had also used Remedy to allow customers to log in to a Web page, file a trouble ticket, and track it. The system was so popular that ADP/SIS maintained it in perpetuity, allowing clients to make requests, ask questions, or file trouble tickets.
Such tickets are often used directly to create new projects. When they are, the original ticket is linked to the project request. "If a change is being made because of a help desk ticket, then that ticket number is carried on the release management ticket. By clicking a button, you can see the original help desk ticket," says Krug. That's so someone can reconstruct why a change was made.
Improving Accountability
Anyone can open Remedy and get a project status—right down to the name of who needs to sign off next. The software also time-stamps every sign-off; it can't be backdated. "It forces people to be accountable," notes Holland, "and people can withhold sign-offs until they receive needed information."
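The sign-off chain, help-desk ticket linkage and non-backdatable time-stamps described above, as an added Python example that is not part of the original article or of Remedy itself; stage names, roles and the user ids are constructed for the example:

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Sign-off chain in the order the article describes; each stage names the role
# whose button click completes it. Stage names are constructed for this example.
STAGES = [
    ("code_checked_in", "developer"),
    ("compiled_and_installed", "config_mgmt"),
    ("install_audited", "developer"),
    ("qa_tested", "qa"),
    ("beta_tested", "qa"),
    ("in_production", "config_mgmt"),
]
PROJECT_CREATORS = {"holland", "krug"}  # only these two may open a project (hypothetical ids)

@dataclass
class Project:
    ticket_id: str
    helpdesk_ticket: str = ""  # originating help-desk ticket number, carried on the release ticket
    signoffs: list = field(default_factory=list)  # append-only: (stage, user, role, utc time)

    def next_stage(self):
        return STAGES[len(self.signoffs)] if len(self.signoffs) < len(STAGES) else None

    def status(self):  # what anyone opening the ticket sees, down to who must click next
        nxt = self.next_stage()
        return "complete" if nxt is None else f"waiting for {nxt[1]}: {nxt[0]}"

def create_project(ticket_id, creator, helpdesk_ticket=""):
    if creator not in PROJECT_CREATORS:
        raise PermissionError(f"{creator} may not create projects")
    return Project(ticket_id, helpdesk_ticket)

def sign_off(project, user, role):  # record the current stage and say who is e-mailed next
    nxt = project.next_stage()
    if nxt is None:
        raise ValueError("every stage is already signed off")
    stage, required_role = nxt
    if role != required_role:
        raise PermissionError(f"{stage} must be signed off by {required_role}, not {role}")
    # The stamp comes from the server clock at the moment of the click; the caller has
    # no way to pass a date in, so a sign-off cannot be backdated.
    stamp = datetime.now(timezone.utc).isoformat()
    project.signoffs.append((stage, user, role, stamp))
    after = project.next_stage()
    return f"e-mail {after[1]}" if after else "complete"

def audit_trail(project):
    # The flow an auditor is shown: every stage, its signer and its date, in order.
    return [f"{s} signed by {u} ({r}) at {t}" for s, u, r, t in project.signoffs]
```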
Such an approach also helps executives stay informed. "At any time, senior management can pull up the ticket and see the status, which saves a lot of phone calls," he says.
To prevent projects from getting out of control, and to maintain naming conventions, only Holland or Krug can create a new project in Remedy. "It's important for us that we know exactly what's being planned and about to come into our own process," says Krug. "In fact, we added a Remedy form so our associates could request a new ticket."
Not all requests become projects, however. First, "we require [requesters] to clearly state what they want to do," says Holland. That way, "there's no mystery down the road"—which simplifies life for everyone.
The project has been a success. "We knew we'd turned a corner when we went into a meeting and a term that hadn't been used before became prevalent: 'Did you click your button?'" says Krug. As soon as someone signs off on a part of the process by clicking the sign-off button, then Remedy automatically e-mails the next person in the sign-off chain that it's ready. Without a button click, a stage isn't officially complete.
As noted, electronic paper trails also help ADP/SIS track all changes to its software. "We undergo an SAS-70 Type II audit every six months, and our auditors love this sort of thing," says Krug. "We simply take them to the screen and show them the electronic sign-offs, the dating, the flow—all the steps."
Remedy also helps maintain the ADP/SIS group's ISO 9001 certification. "If you're familiar with ISO 9001 certification, there are detailed procedures on how things are done, and this aids in that kind of an audit as well," says Krug. "This is a living document as far as people following the proper procedures."
No Silver Bullet
Despite ADP/SIS's success using Remedy to drive project tickets, Holland says it's no silver bullet. "As I say to people all the time, it really doesn't do anything. It doesn't cause the movement of code, it doesn't compile. It simply actuates the process."
In other words, the organization as a whole has to buy in to such a product, though of course executive buy-in helps too. "Senior management realizes that if you maintain procedures properly, there's really no extra time involved, which is the criticism someone might make," says Krug. In fact, he notes some tickets move through all 14 steps—from ticket generation to project completion—in just an hour.
Effective project management often requires practicing the art of motivation, and Remedy is "sort of the traffic cop of the organization," says Krug. "We've considered getting badges and guns, but the company frowns on the guns." With electronic paper trails, however, such measures aren't necessary.
Mathew Schwartz is a former contributing editor for the IT Compliance Institute. You can contact him about this and other articles at Mat@PenandCamera.com.
This article originally appeared in IT Compliance Institute and is reprinted by permission of 1105 Media, Inc.