Software Configuration Management (SCM) Audits Part 4 - In-Process SCM Audits

by Linda Westfall

In the first part of this article, we introduced the three different types of Software Configuration Management Audit:

  • Functional Configuration Audit (FCA) (discussed in Part 2)
  • Physical Configuration Audit (PCA) (discussed in Part 3)
  • In-Process SCM Audits (discussed in this part of the article)

In this fourth part of the article, we will discuss in-process Software Configuration Management (SCM) audits. These audits are performed throughout the software life cycle to provide management with an ongoing independent evaluation of the:

  • Adequacy of the organization’s SCM policies, plans, processes and systems to meet the organization’s objectives
  • Ongoing compliance to those documented SCM policies, plans, processes and systems
  • Ongoing conformance of the configuration items to their requirements and workmanship standards
  • Effectiveness of the SCM plans, processes and systems, and their implementation (e.g., SCM training of personnel and SCM tool capabilities)
  • Efficiency of resource utilization
  • Identification of areas for continuous improvement to SCM plans, processes, systems and products.

In-process SCM audits are typically focused on either SCM processes or SCM baselines. Table 1 illustrates an example of a checklist for a process-focused in-process SCM audit and lists possible objective evidence-gathering techniques for each item. Table 2 illustrates an example of a checklist for a product baseline-focused in-process SCM audit and lists possible objective evidence-gathering techniques for each item.
While several suggested evidence-gathering techniques are listed for each checklist item, the level of rigor chosen for the audit will dictate which of these techniques (or other techniques) will actually be used.

Table 1 – Example Checklist and Evidence-Gathering Techniques Used During a Process-Focused In-Process Audit

Table 2 – Example Checklist and Evidence-Gathering Techniques Used During a Product Baseline-Focused In-Process Audit

Conclusion

Conducting SCM audits provides management with independent verification that the SCM processes are being complied with, that the software products are being built as required, and that, at production, they are ready to be released. SCM plans for each project/program should include plans for conducting these SCM audits, including schedules and resource allocations.
Standardized checklists, like the example checklists in this article, can be created for SCM audits. The advantages of using standardized checklists include:

  • Reduction of effort in recreating checklists for each audit
  • Lessons learned from previous audits can be incorporated into the standardized checklists to help improve future audits
  • Consistency and continuity of implementation from one audit to the next as well as complete coverage

Prior to each audit, these standardized checklists should be reviewed to ensure that they reflect any changes made in the SCM standards, policies, or plans since the last audit was conducted. These generic checklists should also be supplemented and tailored to the exact circumstances of each individual audit. For example, if the corrective actions against prior audit findings are being verified with the current audit, specific checklist items for those actions may be added to the checklist. Another example might be the auditing of small projects where certain optional processes do not apply and the corresponding items should be removed from the checklist.

