Hi Magesh, the Sarbanes-Oxley Act of 2002 generated quite a bit of "activity" with different people having different views on what is required to be in compliance. With respect to SOX and Agile, some people have a tendency to confuse "documentation of the process and documentation of evidence that the process was adhered to" with "project documentation". And, since Agile development places its core focus on working software rather than producing project documents, the next step in this confusion is to jump to the conclusion that an Agile approach to development can't comply with the requirements of SOX.
What emerged as a practical guideline, some say definitive guideline, was the Information Technology Governance Institute (ITGI) IT Control Objectives for Sarbanes-Oxley. In particular, Appendix C - IT Controls, figures 11 through 15, outline control processes for acquiring and implementing new systems, as well as changes and maintenance of existing systems. And, one approach to addressing and managing how well your Agile development process (or Agile approach) meets the requirements of SOX is to create a "SOX-Agile" control spreadsheet with a few columns such as:
- ITGI Control Objectives
- Agile Development Process (Approach) Components
- Evidence of Process Adherence (Note: Project documentation is just one form of evidence of process adherence)
- Management Reviews and Approvals
- etc.
If you are a public company, it would be well worth your time to bring in your public company auditor (PWC, Grant Thornton, etc.) to take you through this exercise. And if you are a software developer that works with large companies where your Agile development process may come under scrutiny, then you might want to bring in a SOX consultant to help you both with ensuring your Agile process complies with the intent and spirit of SOX and with whatever communication or presentation material you may want in order to explain this to your clients.
Great post and good luck! I hope we hear and learn from others.