Software Configuration Management Audits
An audit is a planned and independent evaluation of one or more products or processes to determine conformance or compliance to a set of agreed to requirements. Auditing is an “objective assurance and consulting activity designed to add value and improve an organization’s operations.” [Hutchins-03] Audits provide assurance by validating that the products and/or processes are implemented in accordance with their requirements and objectives. Audits are consulting activities because they provide on-going analysis of the degree to which those implementations are effective and efficient and they identify opportunities for continuous improvement. Audits also visibly demonstrate management’s support for the quality program.
In the case of Software Configuration Management (SCM) audits, three types of audits are typically performed:
Functional Configuration Audit (FCA), which is an evaluation of the completed software products to determine their conformance, in terms of completeness, performance and functional characteristics, to their requirements specification(s).
Physical Configuration Audit (PCA), which is an evaluation of each configuration item to determine its conformance to the technical documentation that defines it.
In-Process SCM Audits, which are ongoing evaluations conducted throughout the life cycle to provide management with information about compliance to SCM policies, plans, processes and systems, and about the conformance of software product to their requirements and workmanship
This paper discusses the purpose of each of these three types of SCM audits. It also provides examples of checklist items that could be used during audit evaluations and suggested evidence gathering techniques for each of the items in those checklists.