Auditing a Software Code Subcontractor (Supplier)

#1
Dear all,

We are planning to audit a sub-contractor that supplies us software code.
Can you help me to build up a list of subjects/questions that I should use/ask during my audit at its facility?

Thanks
 

dkusleika

#2
This isn't exhaustive, but here are three points I would hit if I were auditing a software house:

Competence - review resumes or some other evidence that the coders are competent.

Testing - Review the testing procedures and possibly some test results. Beyond just verification and validation tests, are they using regression testing? That is, are they only testing the change they just made or do they subject every change to a battery of tests to ensure they didn't break something from a previous change?

Code Review - Review their Code Review procedure. Make sure that someone who didn't write the code is reviewing it. It doesn't have to be a higher-up - in fact, it's probably more effective if someone in the trenches is doing a peer review of the code.
 

yodon

Staff member
Super Moderator
#3
I would ask to see their configuration management procedures, including release procedures. It should be well documented and they should be able to tell you, down to a particular code file, what revision went into a release.

Also look at their change management system. Have them walk you through a change. There should be identification of the change (the initial report), a review to assess the impact and to schedule the change, the changes implemented should be readily identifiable in the code and limited to what was authorized, and the changes themselves along with "near" areas should be regression tested (as dkusleika points out).

By the way, I don't know how well competence can be judged by a resume review. Some of the worst programmers I've known had the shiniest resumes. I'm not saying don't do that, just do so with eyes open.

Along those lines, look to how programmers are staying current.
 

Gert Sorensen

Forum Moderator
Moderator
#4
I would try to make sure that their quality system complies with the requirements for EN 62304, and that the developers have received training on this standard.
 
#5
Dear all,

We are planning to audit a sub-contractor that supplies us software code.
Can you help me to build up a list of subjects/questions that I should use/ask during my audit at its facility?

Thanks
Frankly, if you're doing this, and you don't know what to ask (which is why you're here) then you should be very careful about the audit. It's not just a case of asking a few questions around a few topics! You will clearly not understand what the supplier is telling you, they will think you have no credibility and they can tell you anything - you possibly won't know the difference! For example, do you know what a "Waterfall" or "Spiral" or "Vee" lifecycle is? If they tell you they do "Fagan Analysis", do you know what it is, and how it's done?

Auditing software developers is a VERY specialized competency. Indeed, in the UK, there's a whole system which was developed to ensure effective audits, called 'Tick-IT'. This was about CB auditors, it's true, but I learned a lot about auditing the SW development process - it's not for people who don't know the process/terminology/tools etc.

You might be better off to find a contractor who can do this, if you want it to be an effective audit!
 