
Auditing a Software Code Subcontractor (Supplier)

#1
Dear all,

We are planning to audit a sub-contractor that supplies us with software code.
Can you help me build up a list of subjects/questions that I should use/ask during my audit at their facility?

Thanks
 
D

dkusleika

#2
This isn't exhaustive, but here are three points I would hit if I were auditing a software house:

Competence - review resumes or some other evidence that the coders are competent.

Testing - Review the testing procedures and possibly some test results. Beyond just verification and validation tests, are they using regression testing? That is, are they only testing the change they just made, or do they subject every change to a battery of tests to ensure they didn't break something from a previous change?

Code Review - Review their Code Review procedure. Make sure that someone who didn't write the code is reviewing it. It doesn't have to be a higher-up - in fact, it's probably more effective if someone in the trenches is doing a peer review of the code.
 

yodon

Staff member
Super Moderator
#3
I would ask to see their configuration management procedures, including release procedures. It should be well documented, and they should be able to tell you, down to a particular code file, what revision went into a release.

Also look at their change management system. Have them walk you through a change. There should be identification of the change (the initial report), a review to assess the impact and to schedule the change, the changes implemented should be readily identifiable in the code and limited to what was authorized, and the changes themselves along with "near" areas should be regression tested (as dkusleika points out).

By the way, I don't know how well competence can be judged by a resume review. Some of the worst programmers I've known had the shiniest resumes. I'm not saying don't do that, just do so with eyes open.

Along those lines, look to how programmers are staying current.
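One way to make the configuration-management and change-scope checks above concrete, as an added example that is not part of the original thread (the release names, file contents and change request "CR-101" are invented for it): the Python below builds a per-file SHA-256 manifest for a release snapshot, diffs two snapshots, and flags any changed file that the change request did not authorise. Pointed at the supplier's tagged releases, the same logic gives the auditor an independent answer to "what revision of each file went into this release" and "was the change limited to what was authorised".

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Tuple


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every file under root (POSIX path relative to root) to its SHA-256.

    Stored next to the release tag, this answers "which revision of each
    file went into this release" without relying on anyone's memory.
    """
    manifest: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = file_digest(p)
    return manifest


def diff_manifests(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, str]:
    """Classify each path as added, modified or removed between two manifests."""
    changes: Dict[str, str] = {}
    for path in set(before) | set(after):
        if path not in before:
            changes[path] = "added"
        elif path not in after:
            changes[path] = "removed"
        elif before[path] != after[path]:
            changes[path] = "modified"
    return dict(sorted(changes.items()))


def check_change_scope(changes: Dict[str, str],
                       authorized: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split changed paths into those the change request covers and those it does not.

    Anything in the second list was altered without authorisation and is
    exactly what an auditor should ask the supplier to explain.
    """
    allowed = set(authorized)
    in_scope = [p for p in changes if p in allowed]
    out_of_scope = [p for p in changes if p not in allowed]
    return in_scope, out_of_scope


def demo() -> dict:
    """Constructed sample: two release snapshots and one change request.

    The file contents and change request CR-101 are made up for this example;
    in a real audit the snapshots come from the supplier's tagged releases.
    """
    with tempfile.TemporaryDirectory() as tmp:
        rel_10 = Path(tmp) / "release-1.0"
        rel_11 = Path(tmp) / "release-1.1"
        files_10 = {
            "src/parser.c": "int parse(const char *s) { return 0; }\n",
            "src/util.c": "int add(int a, int b) { return a + b; }\n",
            "docs/README.md": "# Widget firmware\n",
        }
        files_11 = dict(files_10)
        # CR-101 authorises a fix to parser.c only ...
        files_11["src/parser.c"] = "int parse(const char *s) { return s != 0; }\n"
        # ... but the supplier also slipped in a new file.
        files_11["src/new_feature.c"] = "int feature(void) { return 42; }\n"
        for root, files in ((rel_10, files_10), (rel_11, files_11)):
            for rel, text in files.items():
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_text(text)

        before = build_manifest(rel_10)
        after = build_manifest(rel_11)
        changes = diff_manifests(before, after)
        in_scope, out_of_scope = check_change_scope(changes, ["src/parser.c"])
        return {
            "files_in_release_1_0": len(before),
            "changes": changes,
            "in_scope": in_scope,
            "out_of_scope": out_of_scope,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In practice you would generate the manifest from the release tag in the supplier's version control and have them reconcile every out-of-scope entry against a change record; a clean reconciliation is the evidence, not the statement that a procedure exists.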
 

Gert Sorensen

Forum Moderator
Moderator
#4
I would try to make sure that their quality system complies with the requirements of EN 62304, and that the developers have received training on this standard.
 
#5
> Dear all,
>
> We are planning to audit a sub-contractor that supplies us software code
> Can you help me to build up list of subjects/questions that I should use/ask during my audit at its facility
>
> Thanks
Frankly, if you're doing this and you don't know what to ask (which is why you're here), then you should be very careful about the audit. It's not just a case of asking a few questions around a few topics! You will clearly not understand what the supplier is telling you; they will think you have no credibility, and they can tell you anything - you possibly won't know the difference! For example, do you know what a "Waterfall" or "Spiral" or "Vee" lifecycle is? If they tell you they do "Fagan Analysis", do you know what it is and how it's done?

Auditing software developers is a VERY specialized competency. Indeed, in the UK there's a whole system which was developed to ensure effective audits, called 'TickIT'. This was about CB auditors, it's true, but I learned a lot about auditing the SW development process - it's not for people who don't know the process/terminology/tools etc.

You might be better off finding a contractor who can do this, if you want it to be an effective audit!
 