
Module 6

Software Quality Audit

SQAM Course, Proficience, IISc 1


Basics
An independent examination of a work product or set of work products to assess compliance with specifications, standards, contractual agreements, or other criteria – IEEE Std 610.12-1990

The goal of a software audit is to provide an independent determination as to whether the software, its documentation, and/or the development and maintenance processes meet stated requirements.

Audit Value to the business
• Managing risks
• Strengthening internal controls
• Measuring operational effectiveness
• Reducing costs
• Eliminating waste
• Assuring stakeholders that business requirements are satisfied
• Periodic assessments also provide trend-line data to determine baseline and benchmark performance improvement.


A Little story
This is a story about four people named
Everybody, Somebody, Anybody, and Nobody.
There was an important job to be done and
Everybody was sure that Somebody would do it.
Anybody could have done it, but Nobody did it.
Somebody got angry about that, because it was
Everybody's job. Everybody thought Anybody
could do it, but Nobody realized that Everybody
wouldn't do it. It ended up that Everybody blamed
Somebody when Nobody did what Anybody could
have done!

Lesson: Responsibilities and authorities are to be defined and communicated well before the audit.


Roles and Responsibilities

• The client: the person or organization that requests the audit
• The auditor or team who performs the audit
• The auditee whose work is being examined
• Audit can include interested observers and regulatory agencies
• Lead Auditor and Audit team
  - Audit Team Training
  - Technical Expertise of the audit
  - Team assists the Lead Auditor (LA) in checklist preparation and background work
  - Team conducts the audit and prepares the audit reports

Lead Auditor Responsibilities
• Overall responsible to organize and direct the audit, and co-ordinate the preparation and issuance of the audit report
• Determine the team size
• Brief the team members on the audit scope and areas to be audited
• Provide the background about the organization being audited
• Assign the workload of who will audit what areas
• Determine the audit schedule
• Notify and brief the audited organization on the scope of the audit and materials that need to be provided
• Ensure that the audit team is prepared to conduct the audit
• Ensure that the audit plan or procedures are performed
• Issue reports in accordance with the audit plan or

Auditee Responsibilities
• Establish a professional, positive attitude about the audit among the members of the audited group
• Participate well in the audit
• Provide all relevant materials and resources to the audit team
• Understand the concerns of the auditors
• Provide a response to the audit report, and
• Correct or resolve deficiencies cited by the audit team

Arguing with an auditor is like wrestling with a pig in mud . . .
Sooner or later you realize the pig enjoys it!


Audit Process
• An audit should be performed in accordance with documented plans and procedures
• Four phases: planning, performance, reporting, follow-up


Planning
• What is the audit's scope?
• What should the audit achieve?
• Does it cover the total system or part of the system?
• What is the authority for the audit?
• What background information is needed?

Planning activities
• The client requests an audit.
• Scope and purpose of the audit are agreed upon by the client and auditor.
• The auditor forms an appropriate team and contacts the auditee.
• The auditors convey to the audited organization the audit's purpose, scope, and authority.
• The auditor then requests the preliminary documentation needed for the audit.
• The auditor and auditee agree on the audit schedule, audit procedures or requirements, responsible people, and content of the audit.
• An audit plan is developed and documented.
• The auditor then reviews the available information, including previous audits and corrective actions.


Planning-Preparation
• The Audit Coordinator will make arrangements for the audit.
• People are selected to be principal points of contact for each task to be audited.
• Escorts are assigned to accompany the auditor during the audit.
• The auditee conducts a self-evaluation to prepare the employees for the audit.

Performance
Consists of auditors interviewing, reviewing records, observing operations and collecting information
• Opening meeting
• Performance of the Audit
• Closing Meeting


Opening Meeting
• Scope of the audit is reviewed
• Schedules are determined
• Auditor and auditee personnel are introduced
• Logistics and the time for the closing meeting are determined.
• Communicate to the auditee the audit's objectives and areas of concentration
• LA will establish the audit's tone and sense of cooperation, and act as a seeker of information and facts.
• Describe the audit process, clarify any administrative matters and solicit the auditee's input


Performance of the audit
• Auditors check compliance with requirements by
  - reviewing written instructions and procedures,
  - conducting interviews, checking records, and observing work activities.
• Factual evidence of the auditee's compliance
• The audit records include
  - auditors' notes from interviews and observations
  - photocopies of examples from the record reviews.
• The facts noted in the audit are reviewed by the lead auditor and conclusions are drawn

Closing Meeting
• The performance phase of an audit ends with the closing meeting or exit interview where the lead auditor reports the audit team's conclusion.
• This is the last opportunity for the auditee to provide input to the audit.


Reporting
• The lead auditor is responsible for generating the audit report that is the product of the audit.
• The lead auditor should start the report on the first day of the audit.
• The lead auditor will provide a summary of the written report that allows for factual corrections and explanations.
• The report usually consists of an introduction, purpose, scope, findings, observations, exemplary practices, and response requirements.
• The report is mailed to the client, the auditee and the audit team.


Follow Up
• If any problems are identified, the auditee proposes corrective actions, which may be reviewed by the client or auditor.
• Resolution requires
  - correction of the specific deficiency found
  - resolution of the root cause of the problem
  - setting a date when corrective action will be in place to prevent a recurrence.
• The follow-up activities include: evaluation of the response, re-audit, closing and documentation
• The auditor is responsible for requesting a timely response from the auditee.
• When all the findings have been resolved, the auditee is notified that the audit is closed


Auditors Training
• Listen actively
• Observe body language
• Take notes and explain why
• Start with open-ended questions: why, when, how, who, what, where, to what extent.
• Keep questions short and to the point.
• Move to close-ended questions, answered by yes or no, to start the clarification process
• Use follow-up questions for more information
• Use paraphrasing and repeating


Effective Auditor
• Establish a rapport with the interviewee
• Avoid nit-picking or judgmental comments about individuals
• Avoid placing blame or fault for problems
• Always operate ethically
• Rely upon objective evidence and maintain objectivity
• Use random sampling to get representative results.
• Document results and retain notes.
• Report known problems and avoid opinions.
• Avoid surprises: keep your contacts informed.


Audit Results
• Best Practice - A practice, procedure, or instruction that is well above the expected norm of performance
• Deviation - Inadequacy which results in a product nonconformance to a specified requirement, lack of a system or controls to satisfy a customer or system requirement, any nonconformance to a procedural requirement or inadequate procedure
• Observation - An opinion regarding a condition not covered by a specific requirement; or a procedure, practice, or instruction whose effectiveness could be improved.

NC and CAR
• Major – Systems failure
• Minor – Impacts the product quality in a short period
• Corrective Action Report
  - Corrective action to correct the unresolved deviations identified
  - Cause identification
  - Actions to prevent recurrence
  - Lessons Learnt
  - Actions taken for improvement

CA and PA
• Corrective Action – Non Conformities encountered
• Preventive Action – Potential Non Conformities

