  2. 2

    I had never heard of the SOX Act before this, so I’m pretty curious what people here think of this strategy with regards to the “we started doing this for SOX compliance” angle. Is it possible the employees were subject to gaslighting by lawyers?

    1. 1

      Wow, you’re young ;)

      SOX was a HUGE issue about a decade ago. Any (US) publicly traded company had to do a ton of internal processes to ensure (for example) that devs weren’t introducing code paths that would skim revenue.[1]

      If you’re not publicly traded, SOX doesn’t apply to you (of course, if you plan on going public in the future, you need to have these processes in place, so it “bleeds over”).

      > Is it possible the employees were subject to gaslighting by lawyers?

      Not sure what you’re referring to. Do you think corporate lawyers are inventing rules to mess with a company’s employees for the hell of it?

      [1] amusingly enough, the act was written in reaction to the dismal failures of some of the Big 5 auditing firms in keeping fraudulent companies in check - but who was responsible for ensuring compliance with the new rules? Auditing firms!

      1. 3

        I helped with my company’s efforts to get to SOX compliance. Admittedly, I haven’t looked at our mobile app repositories, but I don’t think it was extremely painful for them. Most of the work was in ensuring the right set of teams had reviewed changes to parts of the codebase that fall into SOX criteria.

        SOC and SOX compliance is actually a pretty low bar imo. Requirements like audit logs to ensure you only push deployments that have been tested are actually fairly reasonable. They’re also always negotiable - for example, you can make an argument that in emergencies, you can’t run your 2 hour test suite to push out a small hotfix, so you will ensure that the tests pass within 24 hours at the revision that was pushed, and you will track this via a Jira ticket. Lawyers are okay with that.
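The control described in the comment above (only tested revisions get deployed, with an emergency exception that requires a tracking ticket and a passing run within 24 hours) can be reconciled mechanically from a deploy audit log and a CI test-run log. The following is an added example, not code from the thread or from any company mentioned in it; the record layouts, revision ids and timestamps are constructed for illustration.

```python
"""Reconcile a deploy audit log against CI test results (hypothetical SOX-style control check)."""
from datetime import datetime, timedelta

# Constructed sample data: one deploy audit log and one CI test-run log.
DEPLOYS = [
    {"rev": "a1b2c3", "deployed_at": "2023-05-01T10:00:00", "emergency": False, "ticket": None},
    {"rev": "d4e5f6", "deployed_at": "2023-05-02T03:15:00", "emergency": True, "ticket": "OPS-123"},
    {"rev": "0a9b8c", "deployed_at": "2023-05-03T12:00:00", "emergency": True, "ticket": None},
    {"rev": "ffee11", "deployed_at": "2023-05-04T09:00:00", "emergency": False, "ticket": None},
]
TEST_RUNS = [
    {"rev": "a1b2c3", "finished_at": "2023-05-01T08:30:00", "passed": True},
    {"rev": "d4e5f6", "finished_at": "2023-05-02T20:00:00", "passed": True},  # after deploy, inside 24h
    {"rev": "ffee11", "finished_at": "2023-05-03T22:00:00", "passed": False},  # ran before deploy but failed
]

GRACE = timedelta(hours=24)  # emergency window negotiated with the auditors


def _ts(s):
    return datetime.fromisoformat(s)


def check_deploy(deploy, test_runs, grace=GRACE):
    """Return (status, reason); status is 'ok' or 'violation'."""
    deployed = _ts(deploy["deployed_at"])
    passing = [_ts(t["finished_at"]) for t in test_runs
               if t["rev"] == deploy["rev"] and t["passed"]]
    if not deploy["emergency"]:
        # Normal path: the exact pushed revision must have a passing run before the deploy.
        if any(t <= deployed for t in passing):
            return "ok", "tested before deploy"
        return "violation", "no passing test run before deploy"
    # Emergency path: a tracking ticket is mandatory, and a passing run must land within the grace window.
    if not deploy["ticket"]:
        return "violation", "emergency deploy without tracking ticket"
    if any(t <= deployed + grace for t in passing):
        return "ok", f"emergency deploy tracked in {deploy['ticket']}, tests passed within grace"
    return "violation", "emergency deploy with no passing tests within grace window"


def audit(deploys=DEPLOYS, test_runs=TEST_RUNS):
    """Map each deployed revision to its compliance verdict."""
    return {d["rev"]: check_deploy(d, test_runs) for d in deploys}


if __name__ == "__main__":
    for rev, (status, reason) in audit().items():
        print(f"{rev}: {status} ({reason})")
```

A missing passing run for the pushed revision, or an emergency deploy with no ticket, surfaces as a violation the same way an auditor would read the logs.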

        1. 1

          > Not sure what you’re referring to. Do you think corporate lawyers are inventing rules to mess with a company’s employees for the hell of it?

          I’m not sure either, I was simply repeating this question in hopes of an answer not constrained by character length. I’m assuming what Pierre meant is that their own process at Square is much simpler so he thought that the apparent complexity of Trello’s new strategy was a result of lawyers doing lawyer things.

          1. 3

            Lawyers and auditors tend to err on the side of caution. No-one wants to be the defendant in a SOX-related lawsuit and find out that the judge’s reading of the statute requires you to have an immutable copy of your source code throughout all time.

            Square is publicly traded too, and they might have made another decision with regards to this. If it ever goes to court we’ll get clarification. Ain’t US legislation fun?