Many of us hear about problems with various systems on a regular basis. We report them in Database Weekly far too often, and I'm sure a few of you have been informed (or found) bugs, nagging issues, even vulnerabilities in your systems.
What's a reasonable time to fix a system after an audit?
It's a simple question, but it's not very simple to answer. After all, most of us don't have a lot of slack development time built in to fix issues. Unless the issue is a broken application that doesn't work, the items disclosed in an audit need to scheduled in among other work. After all, most of the time the audit finds something that no one is aware of, or no one has wanted to fix. This is work that no one really planned on completing.
I ran across an interesting piece about the Employment Department for the state of Oregon hasn't fixed a number of issues after an audit last year. While some strides have been made, there are still outstanding issues, the sum total of which it is estimated will take a decade to complete. That's a long time, but in large systems, especially ones where the entire application cannot be rewritten because of resources, it's not unusual. I've worked in a few places where we had large scale systems that we knew had issues, but we couldn't easily re-design and implement fixes in any reasonable length of time. Often this was because of downstream dependencies, but certainly culture and management hadn't made change a priority.
I sympathize with those people dependent on mainframe systems. The power and reach of those systems, the poor documentation, not to mention the complex training required to change clients' habits is huge. I would hope that the government groups using these large scale systems would work together to jointly proceed on development, with politicians also involved to help standardize the requirements across state lines (or countries' borders) and simplify the software needed.
However, no one ever makes software simpler, especially when it's being designed.
