Software Configuration Management (SCM) Audits Part 1: Introduction to SCM Audits

by Linda Westfall

An audit is a planned and independent evaluation of one or more products, processes, projects, or systems to determine conformance or compliance to a set of agreed-upon requirements. Auditing is an “objective assurance and consulting activity designed to add value and improve an organization’s operations.” [Hutchins-03] Audits provide assurance by validating that the product, process, project, and/or system is implemented in accordance with its requirements and objectives. Audits are management information activities because they provide ongoing analysis of the degree to which those implementations are effective and efficient, and they identify opportunities for continuous improvement. Audits also visibly demonstrate management’s support for the quality program.

In the case of Software Configuration Management (SCM) audits, three types of audits are typically performed:

  • Functional Configuration Audit (FCA), which is an evaluation of the completed software products to determine their conformance, in terms of completeness, performance, and functional characteristics, to their requirements specification(s).
  • Physical Configuration Audit (PCA), which is an evaluation of each configuration item to determine its conformance to the technical documentation that defines it.
  • In-Process SCM Audits, which are ongoing evaluations conducted throughout the life cycle to provide management with information about compliance to SCM policies, plans, processes, and systems, and about the conformance of software products to their requirements and workmanship standards.

Parts 2 through 4 of this article will discuss the purpose of each of these three types of SCM audits. They will also provide examples of checklist items that could be used during audit evaluations and suggest evidence-gathering techniques for each item in those checklists.
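
The PCA definition above (each configuration item checked against the technical documentation that defines it) is the one of the three that lends itself directly to automation. The script below is an added illustration and is not code from this article or from the Westfall Team; it assumes a hypothetical Product Baseline record in which every configuration item is documented by an identifier, a ship path, a version, and the SHA-256 digest recorded when the item was baselined, and it compares that record against the files actually present in a release. The baseline contents and the “as shipped” release are constructed sample data; the helper load_artifacts is the hook a practitioner would point at a real staging directory.

```python
"""Automated physical configuration audit (PCA) check.

Added illustration, not code from the article.  The baseline record and
the release contents below are constructed sample data: a real run would
load the Product Baseline from the project's SCM records and the release
artifacts from the staging directory handed to the Ready to Ship review.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class Finding:
    """One PCA nonconformance: which CI, what kind of deviation, and detail."""
    ci_id: str
    kind: str      # "MISSING", "DIGEST_MISMATCH" or "UNTRACKED"
    detail: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def load_artifacts(root: str | Path) -> dict[str, bytes]:
    """Read every file under a release directory, keyed by POSIX-style relative path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in sorted(root.rglob("*")) if p.is_file()}


def audit_physical_configuration(baseline: dict, artifacts: dict[str, bytes]) -> list[Finding]:
    """Compare each documented configuration item with what was actually built.

    The baseline is the technical documentation that defines each CI: an
    identifier, the path the item ships at, its version, and the SHA-256
    digest recorded when the item was baselined.  Three deviations are
    reported: a documented item that is absent, an item whose content no
    longer matches its recorded digest, and a shipped file that no CI
    documents at all (an unapproved change that slipped into the release).
    """
    findings: list[Finding] = []
    documented: set[str] = set()
    for ci in baseline["configuration_items"]:
        path = ci["path"]
        documented.add(path)
        data = artifacts.get(path)
        if data is None:
            findings.append(Finding(ci["id"], "MISSING",
                                    f"{path} (v{ci['version']}) is not in the release"))
            continue
        actual = sha256_hex(data)
        if actual != ci["sha256"].lower():
            findings.append(Finding(ci["id"], "DIGEST_MISMATCH",
                                    f"{path}: baseline {ci['sha256'][:12]}, built {actual[:12]}"))
    for path in sorted(set(artifacts) - documented):
        findings.append(Finding("-", "UNTRACKED", f"{path} is shipped but no CI documents it"))
    return findings


# --- constructed sample data (hypothetical project, not from the article) ---
BASELINED_CONTENT = {
    "bin/app": b"pretend application binary, build 4.2.0\n",
    "lib/crypto.so": b"pretend shared library, build 4.2.0\n",
    "docs/release-notes.txt": b"Release 4.2.0\n",
}

# The Product Baseline record.  Digests are computed from the content above
# so the sample is self-consistent; in practice they come from the SCM system.
PRODUCT_BASELINE = {
    "baseline": "Product Baseline 4.2.0",
    "configuration_items": [
        {"id": "CI-001", "path": "bin/app", "version": "4.2.0",
         "sha256": sha256_hex(BASELINED_CONTENT["bin/app"])},
        {"id": "CI-002", "path": "lib/crypto.so", "version": "4.2.0",
         "sha256": sha256_hex(BASELINED_CONTENT["lib/crypto.so"])},
        {"id": "CI-003", "path": "docs/release-notes.txt", "version": "4.2.0",
         "sha256": sha256_hex(BASELINED_CONTENT["docs/release-notes.txt"])},
    ],
}

# What actually landed in the release staging area: the library was rebuilt
# after baselining, the release notes were never copied in, and a debug
# helper nobody approved is present.
RELEASE_AS_SHIPPED = {
    "bin/app": BASELINED_CONTENT["bin/app"],
    "lib/crypto.so": b"pretend shared library, build 4.2.0 + hotfix\n",
    "bin/debug-helper": b"pretend debug tool\n",
}


def run_example() -> list[Finding]:
    return audit_physical_configuration(PRODUCT_BASELINE, RELEASE_AS_SHIPPED)


def pca_passed(findings: list[Finding]) -> bool:
    return not findings


if __name__ == "__main__":
    result = run_example()
    for f in result:
        print(f"{f.kind:16} {f.ci_id:7} {f.detail}")
    print("PCA result:", "PASS" if pca_passed(result) else f"FAIL ({len(result)} nonconformance(s))")
```

Run against a real release, replace RELEASE_AS_SHIPPED with load_artifacts("path/to/staging") and PRODUCT_BASELINE with the project's own baseline record. The untracked-file check is the one most often left out of a manual PCA, and it is the one that catches an item added to the release without passing through change control.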

When Are Configuration Audits Conducted

At a minimum, FCA and PCA should be conducted just before the final Ready to Beta Test or Ready to Ship review to provide input to those reviews. In addition, these audits can also be conducted at other major milestones throughout the software development cycle as inputs into milestone reviews or other management oversight activities.

In traditional software development, as illustrated in Figure 1, the FCA and PCA activities should be conducted as part of creating the Product Baseline. Depending on the level of rigor, FCA and PCA activities could also be conducted at other major milestones (baselines), including:

  • The Functional Baseline
  • One or More Allocated Baselines
  • One or More Development Baselines

In agile software development, as illustrated in Figure 2, the FCA and PCA activities should be conducted as part of the software release milestone. Depending on the level of rigor, FCA and PCA activities could also be conducted at the end of each sprint (iteration).

In-process SCM audits can be conducted throughout development as needed. Plans for any in-process SCM audits should be specified in the Software Quality Assurance (SQA) plans.


References

Hutchins-03: Greg Hutchins, Value Added Auditing: The Standard Manual of Risk-Based, Process-Auditing, Quality Plus Engineering, Portland, OR, 2003.
