Basics
An independent examination of a work product or set of work products to assess compliance with specifications, standards, contractual agreements, or other criteria – IEEE Std 610.12-1990

The goal of a software audit is to provide an independent determination as to whether the software, its documentation, and/or the development and maintenance processes meet stated requirements.
SQAM Course, Proficience, IISc

Audit Value to the Business
• Managing risks
• Strengthening internal controls
• Measuring operational effectiveness
• Reducing costs
• Eliminating waste
• Assuring stakeholders that business requirements are satisfied
Periodic assessments also provide trend line data to determine baseline and benchmark performance improvement.
A Little Story
This is a story about four people named Everybody, Somebody, Anybody, and Nobody. There was an important job to be done and Everybody was sure that Somebody would do it. Anybody could have done it, but Nobody did it. Somebody got angry about that, because it was Everybody's job. Everybody thought Anybody could do it, but Nobody realized that Everybody wouldn't do it. It ended up that Everybody blamed Somebody when Nobody did what Anybody could have done!

Lesson: Responsibilities and authorities are to be defined and communicated well before the audit.
Roles and Responsibilities
• The client, person or organization which requests the audit
• The auditor or team who performs the audit
• The auditee whose work is being examined
• Audit can include interested observers and regulatory agencies
• Lead Auditor and audit team
  - Audit team training
  - Technical expertise of the audit
  - Team assists LA in checklist preparation and background work
  - Team conducts the audit and prepares the audit reports

Lead Auditor Responsibilities
• Overall responsible to organize and direct the audit
• Co-ordinate the preparation and issuance of the audit report
• Determine the team size
• Brief the team members on the audit scope and areas to be audited
• Provide the background about the organization being audited
• Assign the workload of who will audit what areas
• Determine the audit schedule
• Notify and brief the audited organization on the scope of the audit and materials that need to be provided
• Ensure that the audit team is prepared to conduct the audit
• Ensure that the audit plan or procedures are performed
• Issue reports in accordance with the audit plan or

Auditee Responsibilities
• Establish a professional, positive attitude about the audit among the members of the audited group
• Participate well in the audit
• Provide all relevant materials and resources to the audit team
• Understand the concerns of the auditors
• Provide a response to the audit report, and
• Correct or resolve deficiencies cited by the audit team

Arguing with an auditor is like wrestling with a pig in mud . . . Sooner or later you realize the pig enjoys it!
Audit Process
An audit should be performed in accordance with documented plans and procedures.
Four phases: planning, performance, reporting, follow-up
Planning
• What is the audit's scope?
• What should the audit achieve?
• Does it cover the total system or part of the system?
• What is the authority for the audit?
• What background information is needed?

Planning Activities
• Client requests an audit.
• Scope and purpose of the audit are agreed upon by the client and auditor.
• The auditor forms an appropriate team and contacts the auditee.
• The auditors convey to the audited organization the audit's purpose, scope, and authority.
• The auditor then requests preliminary documentation needed for the audit.
• The auditor and auditee agree on the audit schedule, audit procedures or requirements, responsible people, and content of the audit.
• An audit plan is developed and documented.
• The auditor then reviews the available information, including previous audits and corrective actions.
Planning-Preparation
• The audit coordinator makes arrangements for the audit.
• People are selected to be principal points of contact for each task to be audited.
• Escorts are assigned to accompany the auditor during the audit.
• The auditee conducts a self-evaluation to prepare the employees for the audit.

Performance
Consists of auditors interviewing, reviewing records, observing operations and collecting information.
• Opening meeting
• Performance of the audit
• Closing meeting
Opening Meeting
• Scope of the audit is reviewed
• Schedules are determined
• Auditor and auditee personnel are introduced
• Logistics and the time for the closing meeting are determined
• Communicate to the auditee the audit's objectives and areas of concentration
• LA establishes the audit's tone and sense of cooperation, and acts as a seeker of information and facts
• Describe the audit process, clarify any administrative matters and solicit the auditee's input
Performance of the Audit
Auditors check compliance with requirements by
- reviewing written instructions and procedures,
- conducting interviews, checking records, and observing work activities,
to obtain factual evidence of the auditee's compliance.
The audit records include
- auditors' notes from interviews and observations
- photocopies of examples from the record reviews.
The facts noted in the audit are reviewed by the lead auditor and conclusions are drawn.

Closing Meeting
The performance phase of an audit ends with the closing meeting or exit interview, where the lead auditor reports the audit team's conclusion. This is the last opportunity for the auditee to provide input to the audit.
Reporting
• The lead auditor is responsible for generating the audit report, which is the product of the audit.
• The lead auditor should start the report on the first day of the audit.
• The lead auditor provides a summary of the written report that allows for factual corrections and explanations.
• The report usually consists of an introduction, purpose, scope, findings, observations, exemplary practices, and response requirements.
• The report is mailed to the client, the auditee and the audit team.
Follow Up
• If any problems are identified, the auditee proposes corrective actions, which may be reviewed by the client or auditor.
• Resolution requires
  - correction of the specific deficiency found
  - resolution of the root cause of the problem
  - setting a date when corrective action will be in place to prevent a recurrence.
• The follow-up activities include: evaluation of the response, re-audit, closing and documentation.
• The auditor is responsible for requesting a timely response from the auditee.
• When all the findings have been resolved, the auditee is notified that the audit is closed.
Auditor Training
• Listen actively
• Observe body language
• Take notes and explain why
• Start with open-ended questions: why, when, how, who, what, where, to what extent
• Keep questions short and to the point
• Move to closed-ended questions, answered by yes or no, to start the clarification process
• Use follow-up questions for more information
• Use paraphrasing and repeating
Effective Auditor
• Establish a rapport with the interviewee
• Avoid nit-picking or judgmental comments about individuals
• Avoid placing blame or fault for problems
• Always operate ethically
• Rely upon objective evidence and maintain objectivity
• Use random sampling to get representative results
• Document results and retain notes
• Report known problems and avoid opinions
• Avoid surprises: keep your contacts informed
Audit Results
Best Practice – A practice, procedure, or instruction that is well above the expected norm of performance.
Deviation – An inadequacy which results in a product nonconformance to a specified requirement, lack of a system or controls to satisfy a customer or system requirement, any nonconformance to a procedural requirement, or an inadequate procedure.
Observation – An opinion regarding a condition not covered by a specific requirement; or a procedure, practice, or instruction whose effectiveness could be improved.

NC and CAR
Major – Systems failure
Minor – Impacts the product quality in a short period
Corrective Action Report – Corrective action to correct the unresolved deviations identified:
- Cause identification
- Actions to prevent recurrence
- Lessons learnt
- Actions taken for improvement

CA and PA
Corrective Action – Non-conformities encountered
Preventive Action – Potential non-conformities