Wait is over. White paper on SOX and Team System published

Stephanie just posted this in her blog. We have published a white paper to answer questions around SOX compliance and Team System. Congratulations Andrew for pulling this paper together.

From the white paper: (http://msdn2.microsoft.com/en-us/library/cc441754.aspx)


Microsoft Visual Studio Team System 2008 can be used to assist a business in collecting information that concerns its software-development practices, which may be of use towards compliance with a regulatory framework, such as Sarbanes-Oxley section 404 ("Sarbanes-Oxley 404") internal-control verification and testing.

Visual Studio Team System 2008 is not a general-purpose compliance package. The Sarbanes-Oxley Act of 2002—and, in particular, Sarbanes-Oxley 404—has a broader scope than software-application development, and Visual Studio Team System 2008 is useful in supporting only a subset of the total compliance activities that a business must undertake. Each business has its own unique combination of Sarbanes-Oxley 404 risks and controls; the scenarios in this article must be considered as examples, instead of as being required for a customer's compliance reporting.

This article provides example scenarios for using Visual Studio Team System 2008 to assist you in supporting corporate compliance with the Sarbanes-Oxley Act of 2002 when you develop software. Sarbanes-Oxley Act compliance is an example of a regulatory framework that spans the enterprise and requires a consistent management approach. The concepts that are described here might apply to the use of Visual Studio Team System 2008 with other frameworks, such as the Control Objectives for Information and related Technology (COBIT), the Committee of Sponsoring Organizations of the Treadway Commission (COSO), and the International Organization for Standardization (ISO).

Visual Studio Team System 2008 is a collection of tightly integrated software-development tools that are designed to help teams be more productive in producing software. Visual Studio Team System 2008 tracks the detailed activities of the software-development team, and can assist in supporting compliance with Sarbanes-Oxley 404 requirements as they relate to software development.

In a compliance environment, Visual Studio Team System 2008:

  1. Can act as a collector of detailed project information, including decisions that are made, artifacts that are produced and actions that are taken.
  2. Can be used to produce at any time ad-hoc reports that detail the past or present state of the project.
  3. Could be useful in the presence of a formal risk-control framework that is defined by a Sarbanes-Oxley 404 expert