Software audit review

From Wikipedia, the free encyclopedia

A software audit review ("software audit") is a type of software review in which one or more auditors who are not members of the software development organisation conduct "An independent examination of a software product, software process, or set of software processes to assess compliance with specifications, standards, contractual agreements, or other criteria" (IEEE Std. 1028-1997, IEEE Standard for Software Reviews, clause 3.2).

"Software product" mostly, but not exclusively, refers to some kind of technical document. IEEE Std. 1028 offers a list of 32 "examples of software products subject to audit", including documentary products such as various sorts of plan, contracts, specifications, designs, procedures, standards, and reports, but also non-documentary products such as data, test data, and deliverable media.

Software audits are distinct from software peer reviews and software management reviews in that they are conducted by personnel external to, and independent of, the software development organisation, and are concerned with compliance of products or processes, rather than with their technical content, technical quality, or managerial implications.

The term "software audit review" is adopted here to designate the form of software audit described in IEEE Std. 1028.

Objectives and participants

"The purpose of a software audit is to provide an independent evaluation of conformance of software products and processes to applicable regulations, standards, guidelines, plans, and procedures" (IEEE Std. 1028-1997, clause 8.1). The following roles are recommended:

The Initiator (who might be a manager in the audited organization, a customer or user representative of the audited organization, or a third party), decides upon the need for an audit, establishes its purpose and scope, specifies the evaluation criteria, identifies the audit personnel, decides what follow-up actions will be required, and distributes the audit report.

The Lead Auditor (who must be someone "free from bias and influence that could reduce his ability to make independent, objective evaluations") is responsible for administrative tasks such as preparing the audit plan and assembling and managing the audit team, and for ensuring that the audit meets its objectives.

The Recorder documents anomalies, action items, decisions, and recommendations made by the audit team.

The Auditors (who must be, like the Lead Auditor, free from bias) examine products defined in the audit plan, document their observations, and recommend corrective actions. (There may be only a single auditor.)

The Audited Organization provides a liaison to the auditors, and provides all information requested by the auditors. When the audit is completed, the audited organization should implement corrective actions and recommendations.

Process

The software audit process described in IEEE Std. 1028-1997, clauses 8.4, 8.5, and 8.6, includes the following activities:

0. [Entry Evaluation]: The Initiator authorizes commencement of the audit when specified entry criteria have been satisfied, to ensure successful and cost-effective conduct of the audit.

1. Management Preparation: Responsible management ensure that the audit will be appropriately resourced with staff, time, materials, and tools, and will be conducted according to policies, standards, professional or legislative requirements, or other relevant criteria.

2. Planning the Audit: The Initiator identifies or confirms the objectives of the audit, identifies the Auditors' responsibilities and activities, and ensures that the team is equipped with all necessary resources for conducting the review.

3. Opening Meeting: To ensure that all parties understand and agree to the audit objectives, responsibilities, and methods.

4. Preparation: Auditors prepare for the audit Examination activity by reviewing all relevant materials and recording their observations.

5. Examination: Auditors "collect evidence of conformance and non-conformance by interviewing audited organization staff, examining documents, and witnessing processes," analyse the evidence, and "document all observations of non-conformance and exemplary conformance" (IEEE Std. 1028-1997, clause 8.5.5.1). The Lead Auditor convenes a closing meeting with the audited organization's management, which reviews the conduct of the audit against the plan and arrives at an "overall audit assessment (for example, whether the audited organization successfully passed the audit criteria)" (Ibid., clause 8.5.5.2). The Lead Auditor prepares an Audit Report and delivers it to the Initiator.

6. Follow-up: Acting on the Audit Report, including implementing any rework, is the responsibility of the Initiator and the audited organization.

7. [Exit Evaluation]: The Initiator evaluates whether the Audit has been completed, including completion of all recommended or required actions.

See also: software audit.