Audit
WHAT IS AN AUDIT?
An IT system audit at BlueSoft consists of gathering and evaluating evidence for the security and integrity of an IT system that is in use or under design. Audits also check whether the system uses its available resources optimally, whether its physical and logical architecture is appropriate, and whether it delivers reliable information while achieving its operational and process goals.
The software design process may also be audited; in that case, evidence is gathered to evaluate the efficiency and effectiveness of the software provider's design process, as well as the quality control applied to IT system development.
EVIDENCE GATHERING
Evidence gathering consists of analysing the project and system documentation and the system source code. Surveys, interviews and workshops are held with the people involved in the project, as well as with system users and the executive and operational teams.
At this stage, BlueSoft carries out:
- conducting interviews with the development team on the side of the Provider and Customer
- conducting interviews with the operational team
- conducting interviews with the business system owner
- testing the security and efficiency of the system
- analysis of the project's documentation
- analysis of the project's correspondence
- analysis of the requirements specification
- analysis of the legal acts
- analysis of the business procedures
- analysis of source code for compliance with coding standards and use of design patterns
- static analysis of the code
- analysis of the code documentation method
- analysis of the code for potential errors
- analysis of test code coverage
EVIDENCE EVALUATION
The evidence evaluation stage should give a clear picture of the audited system. The result needs to be transparent, comprehensible and compliant with general standards and the customer's expectations. BlueSoft has adopted a methodology based on the GQM (Goal, Question, Metric) approach. This method provides a flexible approach to auditing and enables a clear definition of the goals the audit has to demonstrate. A set of questions is generated for every goal; the questions are aimed at determining whether the given goal was achieved and to what degree. Each question requires an answer and an evaluation of the gathered evidence. Metrics are used to assess the quality of individual areas of the audit.
Metrics can be subjective, designed according to the author's own expert knowledge. BlueSoft also uses assessment metrics based on best practices described in quality standards, such as:
- The ISO 9126 standard, which defines software quality characteristics (functionality, reliability, usability, maintainability, portability)
- Libraries of good practices and quality standards (ITIL, CMMI, COBIT, ISO)
- Design and architecture patterns for corporate solutions
- Standards and methodologies for IT project management (Prince2, PMBOK, agile methodologies)