Comment by jimnotgym
3 days ago
A lot of responses below talking about what a 'certified' or 'chartered' engineer should be able to do.
I thought it would be noteworthy to talk about another industry, accountancy. This is how it works in the UK, but it is similar in other countries. They are called 'Chartered Accountants' here, because their institute has a Royal Charter saying they are the good guys.
To become a Chartered Accountant has no prerequisites. You 'just' have to complete the qualification of the institute you want to join. There are stages to the exams that prior qualifications may gain you exemptions from. You also have to log practical experience proving you are working as an accountant with adequate supervision. It takes about 2-3 years to get the qualification for someone well supported by their employer and with sufficient free time. Interestingly many Accountants are not graduates, and instead took technician level qualifications first, often the Association of Accounting Technicians (AAT). The accounting graduates I have interviewed wasted 3 years of their lives...
There are several institutes that specialise in different areas. Some specialise in audit. One specialises in Management Accounting (being an accountant at a company really). The Management accountants one specifically prohibits you from doing audit without taking another conversion course. All the institutes have CPD requirements (and check) and all prohibit you from working in areas that you are not competent, but provide routes to competency.
There are standards to follow, Generally Accepted Accounting Practice GAAP, UK Financial Reporting Standards FRS and the International equivalent IFRS. These cover how Financial Statements are prepared. There are superate standards setting bodies for these. There are also a set of standards that cover how an audit must be done. Then there is tax law. You are expected to know them for any area you are working in. All of these are legally binding on various types of corporation. See how that switches things around? Accountants are now there to help the company navigate the legal codes. The directors sign the accounts and are liable for misstatements, that encourages them to have a director who is an accountant...an audit committee etc.
How does that translate to software?
There are lots of standards, NIST, GDPR, PCI, some of which are legally or contractually binding. But how do I as a business owner know that a software engineer is competent to follow them. Maybe I am a diving company that wants a website. How do I know this person or company is competent to build it? It requires software engineers with specific qualifications that say they can do it, and software engineers willing to say, 'I'm sorry I am not able to work in this field, unless I first study it'.
I’m big on increasing accountability and responsibility for software engineering, but I’ve learned about SEI CMMI, and worked in an ISO 9001 shop.
In some cases, these types of structures make sense, but in most others, they are way overkill.
It’s a conundrum. One of the reasons for the crazy growth of software, is the extreme flexibility and velocity of development, so slamming the brakes on that, would have enormous financial consequences in the industry (so … good luck with that …).
But that flexibility and velocity is also a big reason for the jurassic-scale disasters that are a regular feature of our profession. It’s entirely possible for people that are completely unqualified, to develop software full of holes. If they can put enough lipstick on it, it can become quite popular, with undesirable consequences.
I don’t think that the answer is some structured standard and testing regime, but I would love to see improvement.
Just not sure what that looks like.
> but in most others, they are way overkill.
As an accountant I am able to enforce an accounts regime appropriate to my entity, with concepts like 'materiality' to help. I'm not sure about ISO9001, I'm more familiar with PCIDSS, and I found it to be very proscriptive, and 'all or nothing', compared with accounting standards. For instance in a small company, it is perfectly reasonable to state verbally to your auditor that your control over something is that you are close enough to the transactions to see misstatements by other people sat in the same room. Or even that you have too few people to exercise segregation of duties controls. In a larger company it is not ok. I don't see that same flexibility in other kinds of standards
> PCIDSS
Just got a PTSD flashback...