Software audit

   Posted On :  15.12.2016 08:05 am

A software audit review, or software audit, is a type of software review in which one or more auditors who are not members of the software development organization conduct "An independent examination of a software product, software process, or set of software processes to assess compliance with specifications, standards, contractual agreements, or other criteria".


"Software product" mostly, but not exclusively, refers to some kind of technical document. IEEE Std. 1028 offers a list of 32 "examples of software products subject to audit", including documentary products such as various sorts of plan, contracts, specifications, designs, procedures, standards, and reports, but also non-documentary products such as data, test data, and deliverable media.


Software audits are distinct from software peer reviews and software management reviews in that they are conducted by personnel external to, and independent of, the software development organization, and are concerned with compliance of products or processes, rather than with their technical content, technical quality, or managerial implications.


1 Objectives and participants


"The purpose of a software audit is to provide an independent evaluation of conformance of software products and processes to applicable regulations, standards, guidelines, plans, and procedures".[2] The following roles are recommended:


The Initiator (who might be a manager in the audited organization, a customer or user representative of the audited organization, or a third party), decides upon the need for an audit, establishes its purpose and scope, specifies the evaluation criteria, identifies the audit personnel, decides what follow-up actions will be required, and distributes the audit report.


The Lead Auditor (who must be someone "free from bias and influence that could reduce his ability to make independent, objective evaluations") is responsible for administrative tasks such as preparing the audit plan and assembling and managing the audit team, and for ensuring that the audit meets its objectives.


The Recorder documents anomalies, action items, decisions, and recommendations made by the audit team.


The Auditors (who must be, like the Lead Auditor, free from bias) examine products defined in the audit plan, document their observations, and recommend corrective actions. (There may be only a single auditor.)


The Audited Organization provides a liaison to the auditors, and provides all information requested by the auditors. When the audit is completed, the audited organization should implement corrective actions and recommendations.


2 Three Critical Kinds of Software Audit


There are many ways to "audit" a software application. Indeed, the most basic kinds of software audit examine how the software is functionally configured, integrated or utilized within an organization. This kind of review process can be completed either by internal IT, an outside firm or an independent solution provider – typically as a first step in a bigger development project. However, the stakes are much higher in three other classes of software audit – with the first type often instilling confidence and the other two, anxiety.


Software Quality Assurance Audit – The first kind of software audit is part of the software quality assurance (QA) process. The objective of a QA audit is simple – to improve the software. Everything is fair game in a software review – including code, processes, report output, data, test data and media – and anyone close to the software development organization may be asked to conduct the software QA audit. The goal is to assess technical quality, form and function with the aim of improving aspects such as ease of use, reliability, security and performance.


Software Compliance Audit – The second kind of software audit, the type that can produce anxiety, measures software's level of compliance with regulatory mandates. Compliance audits are always conducted by a body outside of the company such as an industry watchdog or government regulator. In a compliance audit, an organization is obligated to let the auditor review their software applications for compliance with set specifications, standards, codes, controls and mandated procedures. These are completed often to continually recertify that the software is compliant, typically on an annual basis.


Software Licensing Audit – Finally, software can be audited as part of Software Asset Management or Risk Management practices to determine where the software is distributed and how it is used. A license audit may be required to impose greater controls or find cost savings. The audit may seek to enforce software copyright protections. It can be mandated by the courts as part of a legal dispute. It can be ordered by risk managers who seek to determine the organization's level of exposure from continued use of the software.


3 The Who, What and Why of Software Audits: Tools, Teams and How to Prepare


Every kind of software audit essentially seeks to understand the same things. What is the true purpose of the software and its value to the organization? How does it perform, weighed against necessary risk? Likewise, most software audits assign similar roles to participants and rely on technological tools to aid examination.


Software Audit Team – It takes a team to complete a software audit, and it requires the active participation of the organization. The internal Sponsor or Initiator establishes the need for the software audit, the proper participants, their purpose and scope, evaluation criteria and reporting mechanisms. The Lead Auditor is typically an outside examiner free from bias and influence who can make objective evaluations. This person leads the independent auditing team that actually conducts the software review according to audit objectives. Finally, the person responsible for administrative tasks such as documenting action items, decisions, recommendations and reports is called the Recorder. When the software audit is completed, the audited organization implements corrective actions and recommendations.


Software Audit Tools – The importance of selecting the right tool for the job cannot be overstated. Different software audit tools will generate different views of an organization's applications and architecture. Make sure that the audit team includes an expert at using the tool of choice, and that it will return sufficient data to determine appropriate actions. For example, software's compliance with application security requirements can be audited using a variety of static analysis and dynamic analysis tools that analyze an application and score its conformance with security standards, guidelines and best practices. Lastly, the software auditing tool should report its findings as part of a benchmarking process for future audits by the audit team.


Prepare for a Software Audit – Chances are that most IT organizations will be subject to some type of software audit. The key to surviving the process is organization. For companies that are unprepared, any software audit can become a painful, lengthy exercise requiring countless man-hours. Budgeting for potential audits in advance will avoid surprise expenses that could impact profitability. As examples: annual software compliance audits are a common occurrence in highly regulated industries such as finance and healthcare. Companies undergoing mergers or acquisitions should expect software license audit requests from vendors and suppliers. Software development teams should plan on application security testing as part of their standard QA process. Organizations that are well prepared can not only survive a software audit but improve the quality, compliance and utilization of their software as a result.