Monday, March 30, 2015

CMMI - SQA Audit

An SQA audit is the audit conducted by the SQA of the project or function.
From the CMMI point of view, the four goals are:
1. SQA activities are planned.
2. Adherence of software products and activities to the applicable and defined standards, procedures, and requirements is verified objectively.
3. All affected groups and individuals are informed of software quality assurance activities and results.
4. Non-compliance issues that cannot be resolved within the software project are addressed by senior management.
Commitment needed: The project follows a written organizational policy for implementing software quality assurance (SQA). This policy typically specifies that:
1. The SQA function is in place on all software projects and functions.
2. The SQA group has a reporting channel to senior management that is independent of
- Project manager
- Software engineering group
- And other software-related groups
3. Senior management should periodically review the SQA activities and results.
Four Abilities:
1. A group that is responsible for coordinating and implementing SQA for the project (i.e., the SQA group) exists.
2. Adequate resources and funding are provided for performing the SQA activities:
- A manager is assigned specific responsibilities for the project’s SQA activities.
- A senior manager, who is knowledgeable in the SQA role and has the authority to take appropriate oversight actions, is designated to receive and act on software non-compliance items.
- Tools to support the SQA activities are made available.
3. Members of the SQA group are trained to perform their SQA activities.
4. The members of the software project receive orientation on the role, responsibilities, authority, and value of the SQA group.
Eight Activities:
1. An SQA plan is prepared for the software project according to a documented procedure. This procedure typically specifies that:
- The SQA plan is developed in the early stages of, and in parallel with, the overall project planning.
- The SQA plan is reviewed by the affected groups and individuals.
- The SQA plan is managed and controlled.
2. The SQA group’s activities are performed in accordance with the SQA plan. The plan covers:
- Responsibilities and authority of the SQA group.
- Resource requirements for the SQA group (including staff, tools, and facilities).
- Schedule and funding of the project’s SQA group activities.
- The SQA group’s participation in establishing the software development plan, standards, and procedures for the project.
- Evaluations to be performed by the SQA group.
- Audits and reviews to be conducted by the SQA group.
- Project standards and procedures to be used as the basis for the SQA group’s reviews and audits.
- Procedures for documenting and tracking non-compliance issues to closure.
- Documentation that the SQA group is required to produce.
- Method and frequency of providing feedback to the software group and other software-related groups on SQA activities.
3. The SQA group participates in the preparation and review of the project’s software development plan, standards, and procedures.
- The SQA group provides consultation and review of the plans, standards, and procedures with regard to compliance to organizational policy, compliance to externally imposed standards and requirements (e.g., standards required by the statement of work), standards that are appropriate for use by the project, topics that should be addressed in the software development plan, and other areas as assigned by the project.
- The SQA group verifies that plans, standards, and procedures are in place and can be used to review and audit the software project.
4. The SQA group reviews the software engineering activities to verify compliance:
- The activities are evaluated against the software development plan and the designated software standards and procedures.
- Deviations are identified, documented, and tracked to closure.
- Corrections are verified.
5. The SQA group audits designated software work products to verify compliance.
- The deliverable software products are evaluated before they are delivered to the customer.
- The software work products are evaluated against the designated software standards, procedures, and contractual requirements.
- Deviations are identified, documented, and tracked to closure.
- Corrections are verified.
6. The SQA group periodically reports the results of its activities to the software engineering group.
7. Deviations identified in the software activities and software work products are documented and handled according to a documented procedure. This procedure typically specifies that:
- Deviations from the software development plan and the designated project standards and procedures are documented and resolved with the appropriate software task leaders, software managers, or project manager, where possible.
- Deviations from the software development plan and the designated project standards and procedures not resolvable with the software task leaders, software managers, or project manager are documented and presented to the senior manager designated to receive non-compliance items.
- Non-compliance items presented to the senior manager are periodically reviewed until they are resolved.
- The documentation of non-compliance items is managed and controlled.
8. The SQA group conducts periodic reviews of its activities and findings with the customer’s SQA personnel, as appropriate.
Measurement: Measurements are made and used to determine the cost and schedule status of the SQA activities.
Three Verifications:
1. The SQA activities are reviewed with senior management on a periodic basis.
2. The SQA activities are reviewed with the project manager on both a periodic and event-driven basis.
3. Experts independent of the SQA group periodically review the activities and software work products of the project’s SQA group.
Sample Checklist of SQA audit:

1. Is the Work order Amended for the change in PM or extension of Project?
2. Are the latest versions of Development Plans and Estimates Approved?
3. Is the schedule updated?
4. Are the planned efforts for the current phase (from schedule), consistent with the effort distribution on SQAP and the latest approved estimate?
5. Are the actual start and end dates for the activities completed since last SQA audit?
6. Are the Internal Review meetings held and Minutes of Meeting prepared?
7. Are the minutes of meeting circulated to affected support groups?
8. Are the Efforts captured in the effort capturing tool?
9. Is there any evidence for implementing the corrective action identified on the previous metrics sheets?
10. Are the metrics tracked and the metrics sheet updated, as per the frequency of analysis in Software Quality Assurance Plan?
11. Is the Master List of Project Document updated?
12. Are Change Control Forms available for the changes in Configurable Items?
13. Are the Staffing Plan and Risk Plan updated?
14. Are weekly status reports being sent to Sr. Management?
15. Are status reports being sent to customer as per Software Project Management Plan?
16. Is project back up taken? Is any Back up restoration check conducted?
17. Has DAR (Decision Analysis and Resolution) been performed as planned?
18. Has CAR (Causal Analysis and Resolution) been performed at the end of phases?
19. Is the Requirements Traceability report updated?
20. Are the relevant audits conducted for completed activities?
21. Are peer review records available for the work products developed since last audit? Are the peer review findings tracked to closure?
22. Are updated test cases with actual results available?
23. Are the tools, standards and templates used for the current development activity, identified in the relevant plans?
24. Are the non-compliances for the audits last conducted closed?
