software Auditing.docx
《software Auditing.docx》由会员分享,可在线阅读,更多相关《software Auditing.docx(15页珍藏版)》请在冰点文库上搜索。
softwareAuditing
SoftwareAuditing
Audit–Definition
Asystematic,independentanddocumentedprocessforobtainingauditevidenceandevaluatingitobjectivelytodeterminetheextenttowhichauditcriteriaarefulfilled.
-ISO9000:
2000
Definitions(contd.)
Auditcriteria:
Setofpolicies,proceduresorrequirementsusedasreference
AuditEvidence:
Records,statementoffactsorotherinformationwhicharerelevanttotheauditcriteria
Players–auditorandauditee
PurposeofAudits
ManagementTool
Positiveandconstructiveprocess
Identifiesproblemareas
Increasesprocesscompliance
Increasesprocesseffectiveness
Aqualitysystemauditassessesthedegreetowhichaqualitysystemcomplieswithspecifiedrequirementsandthedegreetowhichitiseffective.
Audits
NOTtobeusedtoassignblame
DoesNOTreplaceinspection/testingactivities
ShouldNOTbeusedasameanstoacceptorrejectproducts
CANNOTsupportanineffectivesystem
TypesofAudits
FirstParty
SecondParty
ThirdParty
TheAuditSystem
AnnualAuditCycle
AuditPlanningScheduling
Opening
Meeting
Audit
Investigations
Audit
ReportingcorrectiveActions
ObjectiveEvidence
Afactualstatementthatcanbeverified
Notbasedonopinionorpreference
Notbasedonemotion
Basedonactualobservations&statements
Evidence–QualitySystem
QualityManualreferringtoprocedures
Procedurescoveringthestandardbeingfollowed(ISO/CMM)
DepartmentalHandbooks
ProjectProposals/Plans
Instructions
Policyandobjectives
Responsibilitiesandauthorities
Evidence–ImplementationRecords
Reviewrecords
Minutesofmeeting
Auditreports
Testingrecords
Deliverynotes
Trainingrecords
EvidenceofEffectiveness
Records/results
Measurements/metrics
Milestoneachievement
Managementreview
Customerfeedback
Timelycorrectiveaction
Customercomplaints
AuditPlanning
AnnualPlanningAuditCyclePlanning
PlanningRequirement
InternalAuditstobeconductedat“planned”intervals
Planningneedstoconsider
Statusandimportanceoftheprocessesandareasresultsofthepreviousaudit
Selectionofauditorsshouldensureobjectivityandimpartiality(notfromsamearea!
!
)
PrepareLongTermAuditPlan
Typicallyforthewholeyear
Aspectstoplanfor:
.Howmanycycles(typicallyonceevery2-3months)
.Whatunits/departments/areas/projectswillbecoveredineverycycle–thiswoulddependonthestatusandimportanceoftheunit/departmentandtheextentofchangesexpected
SampleAnnualAuditPlan
Unit/SupportArea
表格不画了
ForEveryCycle
Reviewandrevisethelistofauditeeunits/departments/projects
Nominateleadauditorandauditteam
Makeinitialcontactwithauditees
Finalizeauditprogram
AuditorResponsibilities
Communicateauditrequirements
Beeffectiveandefficient
Documentobservations
Reportresults
Verifycorrectiveactioneffectiveness
Remainwithinscope
Supportotherteammembers
AuditeeResponsibilities
Informteammembers
Appointguides
Providelogisticalresources
Cooperatewithauditors
Shareinformation,records
Agreeonnon-compliances
Proposeandimplementcorrectiveactions
FinalizeScheduleforAuditCycle
.Scheduleinterviewsof1-3hoursforeachproject/department
.1-2auditorstoconducttheinterviews(newauditorsmustgoinpairs)
.Schedulingtobecompletedaroundtwoweeksbeforeauditcyclestart
.CirculateandgetconfirmationfromallAuditor’s
Atprojectlevel
Theplanningofauditsdependsonthetypeofprojects
TheauditplanhappensasapartofprojectSQAplanning
SampleAuditSchedule
表格不画了。
Checklists
Benefits,PreparationMethod,Style
ChecklistBenefits
.Ensurescoverageisbalanced
.Assistsinpreparingauditteam
.Helpsmaintaincorrectpace
.Providesarecordoftheauditforfuturereference
.Ensuresnothingisforgotten!
ChecklistPreparation
.Usechecklistofthepreviousauditasastartingpoint
.StudythedocumentedQMS,procedures,guidelines
.ReadRelevantsectionsofoftheModel(e.g.j
.Prepareseparatelistsforeachproject/supportfunction
.Considertimeallocatedandkeyareas
ChecklistStyle
Remember
.Becomefullyconversantwiththeareabeforepreparing/modifyingchecklists
.Makeseparatechecklistsfordifferentsupportfunctions
.Youmayhavetomakedifferentchecklistsfordifferentprojecttypes
.Withmoreexperienceyoucanmakesmallerchecklistsorjustbulletpoints
Remember
Checklistisatoolandshouldbeaservanttotheauditor–CHECKLISTSSHOULDNOTBEALLOWEDTOCONTROLTHEAUDITOR
Checklistsusedinoneauditcanbeusedasastartingpointinthenextaudit
StandardchecklistsmaybeincludedintheQMSafter1-2cycles
TheOpeningMeeting
AuditInvestigations
Approach,Interviewing,andAuditTrail
Approach
Theauditormustkeepcontrol
Theauditormustmanagehis/hertime
Usepreparedchecklistsasaguide
Judgement–isthereaproblemornot?
Theauditteammustkeepintouch
ObjectiveEvidence
Relevance
Records
AccuracyDocumentExistence
Statements
Observations
Significance
Remember:
onlyobjectiveevidenceispermitted
AuditTrail
Recordthefacts
Isitonyourchecklist?
Istheretimeavailable?
PasstotheappropriateAuditor
ConsulttheLeadAuditor
NOTE:
ifitisimportant,someonemustlookatit.
AuditTrailDocumentation
.Documentreferences
.Itemidentification
.Jobtitles
.Quotations
.Suspectedproblemsforfurtherinvestigationinotherareas
Don’tforget–recordthepositiveaswellasthenegative
IdentifyingProblems
Focusonthekeymatters
DecidewhetherornottheAuditeeistherightpersontoaskthequestion
Consideriftherearefurthersymptoms
Couldthisminorailmentbeasymptomofafatalcondition?
Whereintheprocesscouldtherootcauselie?
Alwaysverifyevidenceofnon-compliance
PurposeofInterview
Elaboration
Explanation
Workstatus–whatreallyhappens?
Basisforevidence
Understanding
Dialogue/rapport
Perspective
StartingtheInterview
.Findasuitablelocationneartheirworkplace
.Introduceyourself
.Explaintheprocess
.“Assessingthesystem–notindividuals”
.Befriendlybutpolite
.Lookinterested
Interviewingisyourmaintool
TheInterview
Theauditormustkeepcontrol
Theauditormustmanagehis\hertime
Splittimebetweenmanagersandstaff
Workthroughthechecklist
Ifnoproblems–goquicklytonextissue
Problems–investigatetogetobjectiveevidence&ideaofmagnitude
Nosensedigginguntilsomethingisfound
UsefulTypesofQuestions
Open(STARTING)
Followup
Probing
Focusing
Closed(ENDING)
DetrimentalTypesofQuestions
Multiple
Leading
Sarcastic
Rhetorical
ExamplesofOpenQuestions
Pleasedescribeyourresponsibilities
Tellmeabout…?
Howdoes…?
Pleaseexplainhow…?
Pleasedescribetheprocess…?
ExamplesofProbingQuestions
Wheredoes..?
Whendid…?
Whatis..?
ExamplesofClosedQuestions
Isthis…?
Doyou…?
Doesthis…?
Pleaseshowme…?
AuditorBehavior
Listen
Usesilence
Showinterest–rephrasetheanswerandgetconfirmation
Takenotes
Documentreferences,jobtitles,recordreferences,quotations,issuestotrace
IfauditorsareinpairsoneasksQsothertakesnotes
AuditorBehavior
PersonalSpace
RegionalConventions
Disabilities
Distractions
ExcessiveFamiliarityversusExcessiveFormality
BereadytohandleAuditeeReactions
Authority
Antagonism,Hostility
DiversionaryTactics
VolunteeredInformation
InternalConflicts
Deception
Stress,nervousness
Remember
Interviewingisyourmaintool
Lookattheevidence
ListentotheAuditees
Makesureyouareaskingtherightperson
WatchoutforAuditeereactions
Knowhowtohandlediversionarytactics
Remember
RecordtheAuditTrail
Verifydetailsofnon-compliance
Passoninformationtoteammembers
Focusonthekeymatters
Opinions&preferencesshouldbesuppressed(i.e.beobjective)
Takehelpfromotherauditors/leadauditor
RecordingFindings
GoodPractices
Non-compliances
TypesofFindings
Goodpractices.Theseareexamplesthatotherscanemulateorcanbebroughtintothestandardsetofpractices(QMS)
Non-compliances.Non-fulfillmentofspecifiedrequirementinoneofthefollowing:
Contract/proposal/ServiceLevelAgreement
QMS
Plans/Handbooks
CMMorISO(thestandardagainstwhichauditisdone)
Non-compliances
Alsocalled
Non–conformities
Non-conformances
Deficiencies
Discrepancies
Deviations
TypesofNon-compliances
Majornon-compliances
Aconsistent,significantbreakdownofthequalitysystemordeviationfromthecontractorISO9001requirement
Minornon-compliances
Isolatedorone-offfailures;localizedimpact
Observations
Warningsaboutpotentialnon-compliances
RecordingNon-compliances
TheNon-compliance
What
AcknowledgedbyAuditee
Atthetimetheyarefound
UsingonlyOBJECTIVEevidence
Where,when,who,(how)
Requirementbeingviolated
RecordingNon-compliances
Non-ComplianceStatementsmustbe
Accurate
Complete
Helpful
Brief
Doesitpassthe‘so-what’test?
Anticipatethecorrectiveaction
Non-complianceStatements
(Why);
However;
(What)
(Where)
(When)
(Who)-Shouldbeavoidedasfaraspossible
PhrasestoAvoidinNon-compliances
Itseemsthat…
Generallyspeaking….
Thecompanyhasfailedtoimplement…
Thereisnocommitment…
Billtheplumbersaid…
EvaluatethisNon-complianceStatement-1
TheProjectPlan(section8)statesthatalldesignchangesmustbeapprovedbytheProjectManagerbeforeimplementation.Howeverchangeforms23and25,whichtheProgrammingTeamLeaderhadalreadyimplemented,werenotappr
升级会员 