Software audit overview: Target 1, audit the development process

06/01/2021

A software development audit examines the development process, test technology, requirement understanding, and design and implementation.

The software development audit is a mechanism Gutara’s father created to evaluate the competence of software development contractors (in other words, their development process quality and product quality) and to guide its improvement, as introduced on the top page. Because "software development audit" is a name Gutara’s father coined himself, it is hard to tell from the name what it involves. In the previous article, I explained it from the perspective of the purpose of auditing; in this article, I will try to explain it in an easy-to-understand manner by organizing and introducing software development auditing from the perspective of what is audited.

When conducting a software development audit, the audit targets are broadly divided into the development process and development technology. Development technology is further divided into three, so there are four targets in all. There are various categories of development technology other than the three listed here, but these three are the ones Gutara’s father has focused on in the software development audit.

  1. Development process (Is the development process used for software development good?)
  2. Development technology / test technology (Is the technical ability for the testing conducted before release sufficient?)
  3. Development technology / requirement understanding (Is the technical ability to make development requirements concrete and share them with the contractor sufficient?)
  4. Development technology / design and implementation (Is the technical strength of software design and implementation sufficient?)

Now let’s look at what is checked, and from what perspective, for each audit target.

1.  CMM level 2 items are extracted and used for auditing the development process

The development process in software development is the work procedure for the activities a software development organization performs to realize the software life cycle, which starts with the planning and examination of the software and continues through design, implementation, testing, release, and maintenance. The basic idea is that if the development process, that is, the work procedure, is good, good software will always be produced. Quality improvement that focuses on the development process aims to produce good-quality software by judging whether the development process is good or bad, or by finding its weak parts and improving them.

The general auditing methods for judging the quality of a process and finding improvements are ISO9001 second-party audits and CMMI certification of the maturity level of an organization. The basic idea of both methods is similar: the necessary processes are defined somewhat abstractly, and the development process is judged good or bad from three viewpoints: (1) whether there is a rule that embodies the process as the company's work procedure, (2) whether the actual development work is carried out according to the rules and work records remain, and (3) whether the work results are confirmed by a manager.

Gutara’s father’s software development audit combines the ISO9001 audit procedure with CMMI audit items, and its development process items are based on the CMMI level 2 confirmation items. CMMI Level 2 divides software development into the following six areas, so I will briefly explain these six areas first. (If you know CMMI, you can skip this section.)

  • Requirements Management
  • Project Planning
  • Tracking and Oversight
  • Quality Assurance
  • Configuration Management
  • Subcontract Management

Is the requirements management process good and reliable?

Looking at requirements management from the perspective of the software development process, the audit checks the existence, rule making, and implementation status of processes for (1) reviewing the requirements with the development contractor, (2) sharing the requirements within the in-house development team, (3) dealing with changes in the requirements, and (4) realizing the commitment of the development department.

Because this is a process audit, it cannot dig into the contents of the requirements themselves. What is confirmed is whether there is a mechanism that conveys the specific contents of the development requirements to the development team without fail.

Does the development plan have a mechanism for creation and review?

Development planning is very important for software development projects. However, this item does not go deep into the contents of the development plan; it focuses on the mechanism of the planning work, such as whether the procedure for drafting the development plan is appropriate and whether man-hours are estimated by a fixed method. That said, some items that are important to a software development plan, such as risk management methods and baseline quality confirmation methods, are checked by going into slightly more concrete content.

Does progress management have a mechanism to track actual results by volume?

Software is invisible, so progress needs careful attention. There must be a system that confirms development progress using not only reports from the engineer in charge but also the volume of design deliverables. The software development audit checks items such as whether actual results are managed by the volume of design documents and source code, which are the deliverables of software development, whether the risks and concerns of the development project are managed, and the implementation status of design reviews. In each case, the confirmation is from the viewpoint of whether there is a mechanism that tracks actual results against the plan drafted at the planning stage, whether there is a mechanism for responding when a problem arises, and whether those mechanisms are operating properly.

Does Quality Assurance have a mechanism to check the quality of the development process?

Software Quality Assurance activities in a software development process audit are the SQA activities defined by CMMI, so they mainly refer to monitoring by the SQA team, which watches the implementation status of the development process. The confirmation is from the viewpoint of whether it is monitored and reported that the development team's work proceeds according to the specified process, whether tests are performed according to the specified procedure, and whether release decisions are made according to the rules.

Does configuration management have a mechanism to manage design documents, source code, and development environment?

The term configuration management is often used in the field of software development to mean configuration management of source code, but in addition to source code, design documents, test results, and the development environment itself are also objects of configuration management. Roughly speaking, managing the versions of the various pieces of information used to generate a certain version of software is called configuration management.

For example, suppose A-design version 2.3 and B-design version 1.5 were used, together with C-source file version 3.2.43 and build environment version 4.0, to generate version 1.1 of the software. If a different version of any one of these is used, it will not be possible to generate exactly the same software as version 1.1. When multiple software engineers are collaborating on development, the work cannot proceed unless everyone can generate exactly the same software. Therefore, a mechanism is required to ensure that all software engineers are doing their development work with the correct versions of the design documents, source code, and build environment.

In this way, configuration management is the activity of maintaining the correct versions of the original information for generating software. In the software development audit, we check whether there is any excess or deficiency in the configuration management methods for design documents, source code, and the development environment.
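The version example above can be expressed as a baseline check. The following Python example is an added illustration, not code from the original article: it pins the version and a SHA-256 digest of every input used for release 1.1 and reports where an engineer's workspace shows an excess or a deficiency. All function names, file contents and workspace data are constructed assumptions.

```python
import hashlib

def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

def make_baseline(release: str, inputs: dict) -> dict:
    """Pin the version and content digest of every input used for a release."""
    return {
        "release": release,
        "inputs": {name: {"version": ver, "sha256": digest(data)}
                   for name, (ver, data) in inputs.items()},
    }

def audit_workspace(baseline: dict, workspace: dict) -> list:
    """Return one finding per deviation of a workspace from the baseline."""
    findings = []
    pinned = baseline["inputs"]
    for name, pin in sorted(pinned.items()):
        if name not in workspace:
            findings.append(f"{name}: missing (deficiency)")
            continue
        ver, data = workspace[name]
        if ver != pin["version"]:
            findings.append(f"{name}: version {ver}, baseline {pin['version']}")
        elif digest(data) != pin["sha256"]:
            # Same label, different bytes: the version label alone is not enough.
            findings.append(f"{name}: content differs under same version label")
    for name in sorted(set(workspace) - set(pinned)):
        findings.append(f"{name}: not in baseline (excess)")
    return findings

# Constructed sample: the inputs named in the article for software version 1.1.
RELEASE_INPUTS = {
    "A-design": ("2.3", b"A design text"),
    "B-design": ("1.5", b"B design text"),
    "C-source": ("3.2.43", b"int main(void){return 0;}"),
    "build-env": ("4.0", b"compiler=cc-x; flags=-O2"),
}
BASELINE = make_baseline("1.1", RELEASE_INPUTS)

# Constructed workspaces: one matches the baseline, one has drifted.
ALICE = dict(RELEASE_INPUTS)
BOB = dict(RELEASE_INPUTS)
BOB["B-design"] = ("1.4", b"older B design")
BOB["C-source"] = ("3.2.43", b"int main(void){return 1;}")
del BOB["build-env"]
BOB["D-notes"] = ("0.1", b"scratch")

if __name__ == "__main__":
    for who, ws in (("alice", ALICE), ("bob", BOB)):
        print(who, audit_workspace(BASELINE, ws) or "matches baseline 1.1")
```
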

Does outsourcing management have a mechanism for selecting and managing subcontractors?

If the company that received a development contract from our company outsources part or all of the software development to another company (subcontracting), it is necessary to pay attention to the contractor's outsourcing management mechanism. We confirm the mechanism of outsourcing management, such as how the subcontractor is selected, how progress and quality are managed during development, and under what conditions the outsourced deliverables are inspected, along with its implementation status.

What the development process perspective lacks is covered from the perspective of development technology

So far, we have introduced the six target areas of the development process audit, based on the CMMI level 2 confirmation items. Do you feel like something is missing?

Certainly, the six development process areas covered so far are important, but they are insufficient for the purpose of estimating competence in software development. Testing ability, the ability to incorporate non-functional requirements into development, technical ability in software design and implementation, and other important parts that affect the quality of the finished software are missing.

Therefore, in Gutara’s father’s software development audit, these contents were organized as development technology capabilities, and audits were conducted from a perspective different from the development process to estimate the capabilities of the development contractor. Starting with the next article, we will explain these development technologies in three parts: test technology, requirement understanding, and design and implementation.