Software audit

A software audit review, or software audit, is a type of software review in which one or more auditors who are not members of the software development organization conduct "An independent examination of a software product, software process, or set of software processes to assess compliance with specifications, standards, contractual agreements, or other criteria".

"Software product" mostly, but not exclusively, refers to some kind of technical document. IEEE Std. 1028 offers a list of 32 "examples of software products subject to audit", including documentary products such as various sorts of plan, contracts, specifications, designs, procedures, standards, and reports, but also non-documentary products such as data, test data, and deliverable media.

Software audits are distinct from software peer reviews and software management reviews in that they are conducted by personnel external to, and independent of, the software development organization, and are concerned with compliance of products or processes, rather than with their technical content, technical quality, or managerial implications.
1 Objectives and participants

"The purpose of a software audit is to provide an independent evaluation of conformance of software products and processes to applicable regulations, standards, guidelines, plans, and procedures".[2] The following roles are recommended:

The Initiator (who might be a manager in the audited organization, a customer or user representative of the audited organization, or a third party) decides upon the need for an audit, establishes its purpose and scope, specifies the evaluation criteria, identifies the audit personnel, decides what follow-up actions will be required, and distributes the audit report.

The Lead Auditor (who must be someone "free from bias and influence that could reduce his ability to make independent, objective evaluations") is responsible for administrative tasks such as preparing the audit plan and assembling and managing the audit team, and for ensuring that the audit meets its objectives.

The Recorder documents anomalies, action items, decisions, and recommendations made by the audit team.

The Auditors (who must be, like the Lead Auditor, free from bias) examine products defined in the audit plan, document their observations, and recommend corrective actions. (There may be only a single auditor.)

The Audited Organization provides a liaison to the auditors, and provides all information requested by the auditors. When the audit is completed, the audited organization should implement corrective actions and recommendations.
2 Three Critical Kinds of Software Audit

There are many ways to "audit" a software application. Indeed, the most basic kinds of software audit examine how the software is functionally configured, integrated or utilized within an organization. This kind of review process can be completed either by internal IT, an outside firm or an independent solution provider, typically as a first step in a bigger development project. However, the stakes are much higher in three other classes of software audit, with the first type often instilling confidence and the other two, anxiety.
Software Quality Assurance Audit - The first kind of software audit is part of the software quality assurance (QA) process. The objective of a QA audit is simple: to improve the software. Everything is fair game in a software review, including code, processes, report output, data, test data and media, and anyone close to the software development organization may be asked to conduct the software QA audit. The goal is to assess technical quality, form and function with the aim of improving aspects such as ease of use, reliability, security and performance.
Software Compliance Audit - The second kind of software audit, the type that can produce anxiety, measures the software's level of compliance with regulatory mandates. Compliance audits are always conducted by a body outside of the company, such as an industry watchdog or government regulator. In a compliance audit, an organization is obligated to let the auditor review its software applications for compliance with set specifications, standards, codes, controls and mandated procedures. These audits are often repeated, typically on an annual basis, to recertify that the software remains compliant.
Software Licensing Audit - Finally, software can be audited as part of Software Asset Management or Risk Management practices to determine where the software is distributed and how it is used. A license audit may be required to impose greater controls or find cost savings. The audit may seek to enforce software copyright protections. It can be mandated by the courts as part of a legal dispute. It can be ordered by risk managers who seek to determine the organization's level of exposure from continued use of the software.
The Who, What and Why of Software Audits: Tools, Teams and How to Prepare

Every kind of software audit essentially seeks to understand the same things. What is the true purpose of the software and its value to the organization? How does it perform, weighed against necessary risk? Likewise, most software audits assign similar roles to participants and rely on technological tools to aid examination.
Software Audit Team - It takes a team to complete a software audit, and it requires the active participation of the organization. The internal Sponsor or Initiator establishes the need for the software audit, the proper participants, their purpose and scope, evaluation criteria and reporting mechanisms. The Lead Auditor is typically an outside examiner free from bias and influence who can make objective evaluations. This person leads the independent auditing team that actually conducts the software review according to audit objectives. Finally, the person responsible for administrative tasks such as documenting action items, decisions, recommendations and reports is called the Recorder. When the software audit is completed, the audited organization implements corrective actions and recommendations.
Software Audit Tools - The importance of selecting the right tool for the job cannot be overstated. Different software audit tools will generate different views of an organization's applications and architecture. Make sure that the audit team includes an expert at using the tool of choice, and that it will return sufficient data to determine appropriate actions. For example, an application's compliance with security standards, guidelines and best practices can be audited using a variety of static analysis and dynamic analysis tools that analyze the application and score its conformance. Lastly, the software auditing tool should report its findings in a form that serves as a benchmark for future audits by the audit team.
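The benchmarking step above is easy to get wrong in practice: if findings from one audit cycle are matched to the next by line number, every unrelated edit to a file makes old findings look "fixed" and re-appear as "new". The following script is an added example, not code from the page or from any particular audit tool. It assumes a constructed finding format (rule id, file, code snippet, severity) and a constructed severity weighting, fingerprints each finding by rule, file and normalized snippet rather than by line, and then reports what was fixed, what is new, and what persisted between two cycles together with a weighted risk score for each.

```python
"""Benchmark static-analysis findings across two audit cycles.

Added example; not from the page or any specific tool. Assumptions
(constructed for illustration): findings are dicts with a rule id, file
path, short code snippet and severity; SEVERITY_WEIGHT is an arbitrary
weighting chosen for the example.
"""
import hashlib
from collections import Counter

SEVERITY_WEIGHT = {"high": 5, "medium": 3, "low": 1}  # assumed weighting


def fingerprint(finding):
    """Stable identity for a finding: rule + file + normalized snippet.
    Line numbers are deliberately excluded because edits elsewhere in a
    file shift them between audits without changing the defect."""
    snippet = " ".join(finding["snippet"].split())
    key = f'{finding["rule"]}|{finding["file"]}|{snippet}'
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def index_findings(findings):
    return {fingerprint(f): f for f in findings}


def compare_cycles(baseline, current):
    """Return (fixed, new, persisting) finding lists between two cycles."""
    base, cur = index_findings(baseline), index_findings(current)
    fixed = [base[k] for k in base.keys() - cur.keys()]
    new = [cur[k] for k in cur.keys() - base.keys()]
    persisting = [cur[k] for k in base.keys() & cur.keys()]
    return fixed, new, persisting


def risk_score(findings):
    """Weighted sum of findings; lower is better between cycles."""
    return sum(SEVERITY_WEIGHT[f["severity"]] for f in findings)


def severity_breakdown(findings):
    return Counter(f["severity"] for f in findings)


def benchmark_report(baseline, current):
    """Summary a recorder can carry into the next audit as a baseline."""
    fixed, new, persisting = compare_cycles(baseline, current)
    return {
        "fixed": len(fixed),
        "new": len(new),
        "persisting": len(persisting),
        "baseline_score": risk_score(baseline),
        "current_score": risk_score(current),
        "persisting_high": severity_breakdown(persisting)["high"],
    }


# Constructed sample findings for two audit cycles (illustrative only).
BASELINE_FINDINGS = [
    {"rule": "SQLI-001", "file": "app/orders.py", "line": 42,
     "snippet": 'cursor.execute("SELECT * FROM orders WHERE id=" + oid)',
     "severity": "high"},
    {"rule": "HARDCODED-SECRET", "file": "app/config.py", "line": 7,
     "snippet": 'API_KEY = "placeholder-key"', "severity": "medium"},
    {"rule": "WEAK-HASH", "file": "app/auth.py", "line": 88,
     "snippet": "hashlib.md5(password.encode())", "severity": "medium"},
]
CURRENT_FINDINGS = [
    # Same SQL injection finding, now at a different line: not "new".
    {"rule": "SQLI-001", "file": "app/orders.py", "line": 57,
     "snippet": 'cursor.execute("SELECT * FROM orders WHERE id=" + oid)',
     "severity": "high"},
    # WEAK-HASH was fixed; one new low-severity finding appeared.
    {"rule": "DEBUG-ENABLED", "file": "app/main.py", "line": 3,
     "snippet": "app.run(debug=True)", "severity": "low"},
    {"rule": "HARDCODED-SECRET", "file": "app/config.py", "line": 7,
     "snippet": 'API_KEY = "placeholder-key"', "severity": "medium"},
]

if __name__ == "__main__":
    for key, value in benchmark_report(BASELINE_FINDINGS, CURRENT_FINDINGS).items():
        print(f"{key}: {value}")
```

The useful output for an audit team is not the raw count but the trend: persisting high-severity findings are the ones to escalate, and a score that drops between cycles only because findings moved is no improvement at all, which is why the fingerprint ignores line numbers.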
Prepare for a Software Audit - Chances are most IT organizations will be subject to some type of software audit. The key to surviving the process is organization. For companies that are unprepared, any software audit can become a painful, lengthy exercise requiring countless man-hours. Budgeting for potential audits in advance will avoid surprise expenses that could impact profitability. For example, annual software compliance audits are a common occurrence in highly regulated industries such as finance and healthcare. Companies undergoing mergers or acquisitions should expect software license audit requests from vendors and suppliers. Software development teams should plan on application security testing as part of their standard QA process. Organizations that are well prepared can not only survive a software audit but improve the quality, compliance and utilization of their software as a result.
Copyright © 2018-2023 BrainKart.com; All Rights Reserved. Developed by Therithal info, Chennai.