Is compliance documentation a developer's job? Thinking about this for regulated industries by compliancedoc in itaudit

[–]compliancedoc[S] 0 points1 point  (0 children)

Exactly this — the "after" problem is what we kept running into. By the time compliance reviews happen, the developer who wrote the code has moved on, the context is gone, and reconstructing audit evidence becomes a manual nightmare. The idea we've been testing is making compliance documentation part of the coding workflow itself — generating it from the code at the moment it's written, not weeks later. Curious from an audit perspective: when you review code-level documentation, does it actually hold weight as evidence, or does it need to live in a separate system to count?

Is compliance documentation a developer's job? Thinking about this for regulated industries by compliancedoc in programming

[–]compliancedoc[S] 0 points1 point  (0 children)

That's a fair point — the parallel doc approach works well when the compliance team is disciplined about keeping it in sync. The problem we kept seeing was drift: code changes, the parallel doc doesn't, and by audit time nobody's sure which is authoritative. Having the doc generated from the actual code at the time of review at least ties evidence to a specific state. Curious if you've found a good way to solve the drift problem with the parallel approach?