software Auditing.docx
- Document number: 11718618
- Upload time: 2023-03-31
- Format: DOCX
- Pages: 15
- Size: 20.16KB
Software Auditing
Audit – Definition
A systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled.
- ISO 9000:2000
Definitions (contd.)
Audit criteria:
Set of policies, procedures or requirements used as reference
Audit Evidence:
Records, statement of facts or other information which are relevant to the audit criteria
Players – auditor and auditee
Purpose of Audits
Management Tool
Positive and constructive process
Identifies problem areas
Increases process compliance
Increases process effectiveness
A quality system audit assesses the degree to which a quality system complies with specified requirements and the degree to which it is effective.
Audits
NOT to be used to assign blame
Does NOT replace inspection/testing activities
Should NOT be used as a means to accept or reject products
CANNOT support an ineffective system
Types of Audits
First Party
Second Party
Third Party
The Audit System
Annual Audit Cycle
Audit Planning
Scheduling
Opening Meeting
Audit Investigations
Audit Reporting
Corrective Actions
Objective Evidence
A factual statement that can be verified
Not based on opinion or preference
Not based on emotion
Based on actual observations & statements
Evidence – Quality System
Quality Manual referring to procedures
Procedures covering the standard being followed (ISO/CMM)
Departmental Handbooks
Project Proposals/Plans
Instructions
Policy and objectives
Responsibilities and authorities
Evidence – Implementation Records
Review records
Minutes of meeting
Audit reports
Testing records
Delivery notes
Training records
Evidence of Effectiveness
Records/results
Measurements/metrics
Milestone achievement
Management review
Customer feedback
Timely corrective action
Customer complaints
Audit Planning
Annual Planning, Audit Cycle Planning
Planning Requirement
Internal Audits to be conducted at “planned” intervals
Planning needs to consider
Status and importance of the processes and areas
Results of the previous audit
Selection of auditors should ensure objectivity and impartiality (not from same area!!)
Prepare Long Term Audit Plan
Typically for the whole year
Aspects to plan for:
- How many cycles (typically once every 2-3 months)
- What units/departments/areas/projects will be covered in every cycle – this would depend on the status and importance of the unit/department and the extent of changes expected
Sample Annual Audit Plan
Unit/Support Area
(Table not drawn)
For Every Cycle
Review and revise the list of auditee units/departments/projects
Nominate lead auditor and audit team
Make initial contact with auditees
Finalize audit program
Auditor Responsibilities
Communicate audit requirements
Be effective and efficient
Document observations
Report results
Verify corrective action effectiveness
Remain within scope
Support other team members
Auditee Responsibilities
Inform team members
Appoint guides
Provide logistical resources
Cooperate with auditors
Share information, records
Agree on non-compliances
Propose and implement corrective actions
Finalize Schedule for Audit Cycle
- Schedule interviews of 1-3 hours for each project/department
- 1-2 auditors to conduct the interviews (new auditors must go in pairs)
- Scheduling to be completed around two weeks before audit cycle start
- Circulate and get confirmation from all Auditors
At project level
The planning of audits depends on the type of projects
The audit plan happens as a part of project SQA planning
Sample Audit Schedule
(Table not drawn.)
Checklists
Benefits, Preparation Method, Style
Checklist Benefits
- Ensures coverage is balanced
- Assists in preparing audit team
- Helps maintain correct pace
- Provides a record of the audit for future reference
- Ensures nothing is forgotten!
Checklist Preparation
- Use checklist of the previous audit as a starting point
- Study the documented QMS, procedures, guidelines
- Read relevant sections of the Model (e.g.j
- Prepare separate lists for each project/support function
- Consider time allocated and key areas
Checklist Style
Remember
- Become fully conversant with the area before preparing/modifying checklists
- Make separate checklists for different support functions
- You may have to make different checklists for different project types
- With more experience you can make smaller checklists or just bullet points
Remember
Checklist is a tool and should be a servant to the auditor – CHECKLISTS SHOULD NOT BE ALLOWED TO CONTROL THE AUDITOR
Checklists used in one audit can be used as a starting point in the next audit
Standard checklists may be included in the QMS after 1-2 cycles
The Opening Meeting
Audit Investigations
Approach, Interviewing, and Audit Trail
Approach
The auditor must keep control
The auditor must manage his/her time
Use prepared checklists as a guide
Judgement – is there a problem or not?
The audit team must keep in touch
Objective Evidence
Relevance
Records
Accuracy Document Existence
Statements
Observations
Significance
Remember: only objective evidence is permitted
Audit Trail
Record the facts
Is it on your checklist?
Is there time available?
Pass to the appropriate Auditor
Consult the Lead Auditor
NOTE: if it is important, someone must look at it.
Audit Trail Documentation
- Document references
- Item identification
- Job titles
- Quotations
- Suspected problems for further investigation in other areas
Don’t forget – record the positive as well as the negative
Identifying Problems
Focus on the key matters
Decide whether or not the Auditee is the right person to ask the question
Consider if there are further symptoms
Could this minor ailment be a symptom of a fatal condition?
Where in the process could the root cause lie?
Always verify evidence of non-compliance
Purpose of Interview
Elaboration
Explanation
Work status – what really happens?
Basis for evidence
Understanding
Dialogue/rapport
Perspective
Starting the Interview
- Find a suitable location near their workplace
- Introduce yourself
- Explain the process
- “Assessing the system – not individuals”
- Be friendly but polite
- Look interested
Interviewing is your main tool
The Interview
The auditor must keep control
The auditor must manage his/her time
Split time between managers and staff
Work through the checklist
If no problems – go quickly to next issue
Problems – investigate to get objective evidence & idea of magnitude
No sense digging until something is found
Useful Types of Questions
Open (STARTING)
Follow up
Probing
Focusing
Closed (ENDING)
Detrimental Types of Questions
Multiple
Leading
Sarcastic
Rhetorical
Examples of Open Questions
Please describe your responsibilities
Tell me about…?
How does…?
Please explain how…?
Please describe the process…?
Examples of Probing Questions
Where does..?
When did…?
What is..?
Examples of Closed Questions
Is this…?
Do you…?
Does this…?
Please show me…?
Auditor Behavior
Listen
Use silence
Show interest – rephrase the answer and get confirmation
Take notes
Document references, job titles, record references, quotations, issues to trace
If auditors are in pairs, one asks Qs, other takes notes
Auditor Behavior
Personal Space
Regional Conventions
Disabilities
Distractions
Excessive Familiarity versus Excessive Formality
Be ready to handle Auditee Reactions
Authority
Antagonism, Hostility
Diversionary Tactics
Volunteered Information
Internal Conflicts
Deception
Stress, nervousness
Remember
Interviewing is your main tool
Look at the evidence
Listen to the Auditees
Make sure you are asking the right person
Watch out for Auditee reactions
Know how to handle diversionary tactics
Remember
Record the Audit Trail
Verify details of non-compliance
Pass on information to team members
Focus on the key matters
Opinions & preferences should be suppressed (i.e. be objective)
Take help from other auditors/lead auditor
Recording Findings
Good Practices
Non-compliances
Types of Findings
Good practices. These are examples that others can emulate or can be brought into the standard set of practices (QMS)
Non-compliances. Non-fulfillment of specified requirement in one of the following:
Contract/proposal/Service Level Agreement
QMS
Plans/Handbooks
CMM or ISO (the standard against which audit is done)
Non-compliances
Also called
Non-conformities
Non-conformances
Deficiencies
Discrepancies
Deviations
Types of Non-compliances
Major non-compliances
A consistent, significant breakdown of the quality system or deviation from the contract or ISO 9001 requirement
Minor non-compliances
Isolated or one-off failures; localized impact
Observations
Warnings about potential non-compliances
Recording Non-compliances
The Non-compliance
What
Acknowledged by Auditee
At the time they are found
Using only OBJECTIVE evidence
Where, when, who, (how)
Requirement being violated
Recording Non-compliances
Non-Compliance Statements must be
Accurate
Complete
Helpful
Brief
Does it pass the ‘so-what’ test?
Anticipate the corrective action
Non-compliance Statements
(Why)
However;
(What)
(Where)
(When)
(Who) - Should be avoided as far as possible
Phrases to Avoid in Non-compliances
It seems that…
Generally speaking….
The company has failed to implement…
There is no commitment…
Bill the plumber said…
Evaluate this Non-compliance Statement - 1
The Project Plan (section 8) states that all design changes must be approved by the Project Manager before implementation. However change forms 23 and 25, which the Programming Team Leader had already implemented, were not appr