As a publicly traded company, it is imperative that Ball Corporation achieve Sarbanes-Oxley compliance. Upon implementing Roundtable TSMS, this worldwide metal packaging company passed its first Sarbanes-Oxley audit since the act became law.
The Sarbanes-Oxley Act of 2002 (SOX) has been called the most comprehensive reform of business practices since President Franklin D. Roosevelt passed the New Deal. In the wake of high-profile financial scandals, such as the Enron Corp. collapse of 2001 and WorldCom’s accounting fraud and subsequent bankruptcy in 2002, the SOX legislation was signed into law to restore investor confidence in the securities market by introducing new policies and procedures on the financial side of publicly held corporations.
SOX also initiated much stricter guidelines for IT departments, whose responsibilities include storing their company’s electronic records. IT departments are now increasingly faced with the challenge of creating and maintaining a corporate records archive in a cost-effective fashion that satisfies auditors working to reinforce requirements put forth by SOX.
For Bill Gee, functional consultant for the IT department at Broomfield, Colorado-based Ball Corporation, SOX has largely resulted in a frustrating, endless series of time- and money-consuming audits that have been practically impossible to pass—until recently.
“We’ve wasted a lot of time going through audit after audit,” says Gee, who’s served eight years in Ball’s division that produces innovative, high-quality packaging for beverage, food and household products. “Then we have to deal with external auditors, who come in to audit what the auditors have done. It seems like it never stops.”
Auditors typically start the process by asking to view documentation of everything the IT department touched in the previous year. Despite efforts to develop an in-house documentation system using tools such as UNIX scripts, Ball Corp. continually failed compliance, as auditors wanted a clearer, more thorough description of what code was worked on. The company's external auditors also ruled that its homegrown system was open to corruption.
“We were working on all our source code in the source directory, and if we did an upgrade, we would compile the entire directory, which would bring in changes that hadn’t been approved and things like that,” Gee explains. “So there was not a lot of control because anytime you move a piece of code, or if we do a mass compile, it changes the date-and-time stamp. So it was always messed up.
“No matter what we tried, we were never in compliance.”
Frustrated in his ongoing dealings with auditors, Gee contacted Tugboat Software in March 2012 about using Roundtable® Total Software Management System® (TSMS) to help Ball Corp. meet compliance with Sarbanes-Oxley. In particular, Gee was interested in Roundtable TSMS’s capabilities in automating the documentation of changes throughout the development lifecycle.
Using integrated impact analysis tools, Roundtable TSMS users can instantly see what has changed, who changed it, why it has changed, and what is impacted by the change. Not only that, but Roundtable TSMS also provides increased security, such as access permissions, approvals/gatekeeping tracking and protection of source code.
In late summer 2012, Gee set up a demo of Roundtable TSMS for both members of his team and his company’s auditors, as he wanted the auditors to test the Roundtable software up front to ensure it would meet their needs.
“What’s great about Roundtable is the way it pulls everything into its database and tracks it. It pretty much locks everything down for the auditors, so they trust that they can see that every piece of code has been checked out and checked in. Needless to say, I was pleased when our auditors approved using the Roundtable reports to document everything we do. We have to show auditors our security and how it’s set up. Auditors want that segregation of duties very distinct. Roundtable helps ensure that process is followed.”
After implementing Roundtable TSMS following the successful demo, Ball Corp. passed its Q4 audit in 2012—the first time the company has been in compliance with Sarbanes-Oxley since it became law.
Still, the transition wasn’t exactly seamless. Ball’s IT department has programmers and developers who have been on staff for more than 30 years—employees who worked for decades within their own system of internal documentation and control.
“They can’t come in at 2 in the morning anymore and move code without documenting it,” Gee says. “There’s only one way they can do it now. With Roundtable TSMS, you’ve got to check it out and check it in; there’s no way to circumvent the system. But they’ve learned to adapt. The bottom line is, it’s facilitated the auditing process, and beyond Sarbanes-Oxley compliance, it’s going to make us more efficient in the long run.”
For example, prior to Roundtable TSMS, Ball didn’t properly track revision control, which Roundtable TSMS does automatically.
“In the past, we had to grab the code, go through the notes that we’d made manually, pull out the revisions, recompile it and submit it for production. With Roundtable, we don’t need to create these documents and mark all of the code manually. We’ve already got the revision history. So Roundtable saves a lot of work there, and it also gives us the capability of knowing who’s working on what code, which we couldn’t do before, so we had people stepping on people. We would end up compiling code that wasn’t ready for production because we couldn’t tell what was in there because it was being worked on. Roundtable provides us with much more control over code changes.”
Perhaps most important, the implementation of Roundtable TSMS enables Gee and his staff to focus on their jobs—not audits.
“Roundtable saves us all so much time and hassle. I no longer have to constantly go back and forth, providing explanations to the auditors. Now the auditing process starts, and we’re done with it pretty easily. And we pass.”