13. Regulations & Auditing

Governance, Risk management, and Compliance (GRC) is a familiar term to many organizations that are regulated by government agencies or industry coalitions. Some of these regulations apply directly to the software that is developed and deployed, but most apply to the processes used to develop software, along with many non-software processes performed by businesses. Some software development processes may be directly affected and constrained in companies that must follow the regulations, but most of the impact falls on tracking the activities performed and on the secure and correct implementation of technologies. The internal auditing department of some companies may also require specific activities that affect the software development process. In many cases these activities provide value and assurance of accuracy, but in some cases the regulations or auditing requirements may appear to create waste, often in the form of delay, in software delivery. Teams that perceive waste should work with their auditors and regulators to see whether the guidance could be revised to maintain compliance while eliminating the waste. Regulations and auditing rules tend to evolve slowly, whereas the practices and tools available to developers evolve more quickly and may enable adherence to the rules in ways that were not available with older practices. Of course many, if not most, software development teams operate without the need to adhere to any regulation or auditing rules. The rules that probably have the broadest impact are those regarding the protection of personally identifiable information (PII), Europe's GDPR for consumer protection, and ADA and WCAG compliance for the development of many web sites.

Some industry regulations require that you demonstrate you are sufficiently securing application data and tracking access to that data. In order to comply with these regulations, you may find great value in practices such as code reviews and in automated DevOps and SCA tools that report the state of your compliance on demand. The requirements often have value and merit on their own, and the need to report on them encourages you to adopt practices that make reporting easy.