My last post reminded me of another thing that came up during the last audit. The code review process was just beginning, but I already had forms as proof of the process taking place.
The auditor looked at them and asked, “Why aren’t there names on the forms?” I said proudly (as it was my idea), “I want people to buy into the process, and if we want them to report bugs and other findings in their code, I’d rather let them stay anonymous and report than not report at all.”
“Well, if you told them to do it – they would,” he said. Yeah, right. I know my method actually worked, and it was based on showing the developers the value they get from the process, rather than just telling them.
Although you should ask people from different fields to get different views, remember to set your expectations accordingly.