The Audit of the Quality Control System within the Information Technology Field
Robert Gabriel Dragomir
Abstract. This paper deals with the audit of the quality control system in the information technology field. First we set out the general framework: the importance of the IT field given the current development of, and the challenges facing, information systems. Then we present the national and international regulations and standards that govern the audit of information systems. Thirdly, we describe the methodology of the audit of the quality control system in the IT domain, including its stages and its flow diagram. We close with the conclusions.
Keywords: information systems, information technology, company management, audit system
JEL Codes: M15, M42
The evaluation of information system performance is an important research issue. Quality has become a major concern of company management. Performance evaluation models therefore need to be defined, so that the ratio between cost and quality can be measured in a way that both increases the number of users and guarantees the return on investment.
2. The legal framework
The audit of information systems takes place within the context of the following national and international regulations and standards:
- COBIT (Control Objectives for Information and related Technology), a set of good practices for IT management created by ISACA (Information Systems Audit and Control Association) and the IT Governance Institute;
- Quality standards ISO 9126 and ISO 9000-4:2000, which regulate the national and international framework for the quality of IT products and services;
- Guides and procedures on risks and on the implementation of information system controls, produced by ISACA;
- The IT Governance Institute has published a series of standards for defining and implementing information system control objectives;
- SAC (Systems Auditability and Control), published by the IIARF (Institute of Internal Auditors Research Foundation);
- Internal Control - Integrated Framework, published by COSO (Committee of Sponsoring Organizations of the Treadway Commission);
- SAS 55 and its later amendment SAS 78 (Consideration of the Internal Control Structure in a Financial Statement Audit), published by the AICPA (American Institute of Certified Public Accountants);
- The Chamber of Financial Auditors of Romania has fully adopted the International Internal Audit Standards, including those for CIS (Computerized Information Systems) environments;
- ISO/IEC 17799, the information technology security standard (code of practice for information security management);
- INTOSAI (International Organization of Supreme Audit Institutions) requirements for internationally accepted audit;
- CAATs (Computer Assisted Audit Techniques);
- Guide to information systems, Court of Auditors;
- Manual for Information Systems Audit, Court of Auditors;
- Law no. 672/2002 on internal public audit;
- Ministry of Public Finance Order no. 38/2003;
- ISO/IEC 27001:2005, Information technology – Security techniques – Information security management systems;
- ISO 14000 series, environmental management system (EMS) audits;
- ISO 19011, Guidelines for quality and/or environmental management systems auditing;
- Information Technology Control and Audit, second edition, F. Gallegos, S. Senft, D. Manson, C. Gonzales, Auerbach Publications, 2004;
- IT Standards, Guidelines, and Tools and Techniques for Audit and Assurance and Control Professionals, ISACA, 2010.
3. Methodology of the audit of the quality control system in the IT domain
The IT audit, in all its aspects, occupies a well-defined place in the information society. It is an essential element in building complex hardware and software architectures. Numerous elements define the purpose of auditing quality control systems, such as:
- Evaluating the conformity of the quality control system with the producer's specified recommendations;
- Evaluating the efficiency of the quality control system against the established objectives;
- Improving the performance of the company's quality control system;
- Observing the rules and satisfying the company's needs;
- Certifying the company's quality control system.
The AICPA (American Institute of Certified Public Accountants)[iii] recently launched an audit quality initiative, consolidating rules that help practitioners reach excellence in the auditing process. The audit of the quality control system aims to measure the efficiency of the company's system.
Within the field of information technology, the audit can be analyzed through the following main stages: 1. audit initiation, 2. document analysis, 3. preparation for the on-site audit, 4. on-site audit activities, 5. reporting of the audit results, 6. audit closure and 7. optionally, the follow-up audit, as represented in figure no. 1.
Fig. 1: Stages of the audit process – adapted from the ISO/FDIS 19011:2002 standard
Each audit stage of the quality control system has specific features, exemplified as follows:
The audit initiation stage
The influential factors at this stage are:
- Familiarization with the company's specifications;
- Unanimous acceptance of the identified objectives, which are assumed contractually;
- Communication of the requirements concerning operational reliability, availability of use and optimization of the execution process;
- Product design methods and the factors that influence them;
- Technology used for producing IT components;
- Clear communication of the content of the audit process;
- Avoiding all situations of incompatibility;
- Notification of the start of the audit procedure.
This stage plays an important role, because the success or failure of the audit process depends on how well this activity is planned and grounded.
The document analysis stage
This stage comprises the following aspects:
- Analysis of the documentation's conformity with the company's field of activity;
- Establishing the competences of the personnel involved in the quality control activity;
- Verifying the documents, records and decisions at every hierarchical level;
- The information phase, which requires collecting specific documents on tasks and responsibilities;
- Analysis of the quality control system documentation, which reflects the effects on communication with clients, definition of the life cycle, continuous adaptation of development, product testing, and the processes related to IT product configuration;
- Presenting the centralized lists of auditable objects;
- Risk evaluation and internal control.
The audit program is drawn up on the basis of risk planning and evaluation and of the internal control, once the auditor has a clearer picture of the system to be audited. This program is a guide to the procedures to be carried out during the evidence collection stage[iv].
Data collection and processing is the stage in which information is gathered for risk analysis and for reaching the objectives of the audit mission. The activities carried out during this stage contribute substantially to knowledge of the auditable domain; they help the auditor become familiar with the company to be audited[v].
The preparation stage for the on-site audit
The on-site audit is regulated by the ISO 19011 standard. Within this stage, we can mention:
- Input data for audit planning (general information about the company, its specific activity, its web page, the identified market segment, the company's hardware and software capacity, prior audit reports, plans for developing and testing IT products);
- Audit planning, which has to give proper visibility to all activities, types of projects and methods used for producing IT components and for their quality control; the lead auditor may request a more detailed examination for better and more realistic results;
- Establishing the audit techniques, which have to be adapted to the intended aim. Auditing the conformity of the activity against its quality control system requires objectivity and sampling ability on the part of the auditors.
The on-site audit activities stage
This on-site stage is the most complex one; it requires the largest allocation of resources. It can be carried out through interviews with decision-makers and executants, examination of documents, examination of product quality, observation of the specific design and production activities, and of the conditions of the production activity.
In order to be taken into consideration, information has to fulfill the following requirements: be proven, be reliable and verifiable, be relevant to the audit activity, and lead to a measurable result.
The audit of the means of realizing IT products can be done through three techniques:
- Choosing a sample of products and following their evolution from design to delivery, in order to verify the accuracy of every stage;
- The reverse route, from delivery back to design, analyzing the outputs at every level;
- Auditing every design phase across several implemented projects.
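The three techniques above can be expressed as traceability checks over the evidence an auditor collects. The following is an added example written for this page, not code from the paper: it runs the forward trace, the reverse trace and the phase-wise audit over a constructed set of quality-control evidence. The stage names follow the usual succession the paper gives later (contracting, design, homologation, execution, delivery); the required-evidence checklist, the product names and the evidence records are assumptions made for illustration.

```python
"""Added example (not the paper's code): the three sampling techniques for
auditing how IT products are realised, run over constructed evidence.
Stage names follow the paper's usual succession; the required-evidence
checklist, product names and records are assumptions for illustration."""

STAGES = ["contracting", "design", "homologation", "execution", "delivery"]

# Assumed checklist: evidence an auditor expects to find at each stage.
REQUIRED = {
    "contracting": {"signed_contract", "requirements"},
    "design": {"design_spec", "design_review"},
    "homologation": {"test_plan", "test_report"},
    "execution": {"build_record", "code_review"},
    "delivery": {"acceptance_record", "release_note"},
}

# Constructed evidence: product -> stage -> evidence kinds found on file.
EVIDENCE = {
    "payroll-2.1": {s: set(REQUIRED[s]) for s in STAGES},       # complete
    "portal-1.0": {                                              # two gaps
        "contracting": {"signed_contract", "requirements"},
        "design": {"design_spec"},                               # no review
        "homologation": {"test_plan"},                           # no report
        "execution": {"build_record", "code_review"},
        "delivery": {"acceptance_record", "release_note"},
    },
    "ledger-3.0": {s: set(REQUIRED[s]) for s in STAGES[:-1]},   # not delivered
}


def stage_gaps(evidence, product, stage):
    """Required evidence kinds missing for one product at one stage."""
    found = evidence.get(product, {}).get(stage, set())
    return sorted(REQUIRED[stage] - found)


def trace_forward(evidence, product):
    """Technique 1: follow one product from contracting to delivery and stop
    at the first stage whose required evidence is missing."""
    for stage in STAGES:
        gaps = stage_gaps(evidence, product, stage)
        if gaps:
            return {"product": product, "stage": stage, "missing": gaps}
    return None


def trace_reverse(evidence, product):
    """Technique 2: start from the delivered output and walk back to the
    contract, recording every stage whose outputs are incomplete."""
    findings = []
    for stage in reversed(STAGES):
        gaps = stage_gaps(evidence, product, stage)
        if gaps:
            findings.append({"stage": stage, "missing": gaps})
    return findings


def audit_phase(evidence, stage):
    """Technique 3: audit a single phase across every product in the sample;
    only products with a gap are reported."""
    report = {}
    for product in sorted(evidence):
        gaps = stage_gaps(evidence, product, stage)
        if gaps:
            report[product] = gaps
    return report


def nonconformities(evidence):
    """Whole-sample view: one line per (product, stage) with missing
    evidence, in the order an auditor walks the lifecycle."""
    lines = []
    for stage in STAGES:
        for product, gaps in audit_phase(evidence, stage).items():
            lines.append(f"{product}: {stage} lacks {', '.join(gaps)}")
    return lines


if __name__ == "__main__":
    for line in nonconformities(EVIDENCE):
        print(line)
```

The forward trace stops at the first gap, which is what an auditor following a single product wants; the reverse trace and the phase audit return every gap, which suits the nonconformity list in the audit report. The stage checklist is the part a real audit would take from the company's own quality procedures.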
One way to objectively present the on-site situation is the flow diagram of the audit stages, as presented below:
Fig. 2: Flow diagram of the audit stages
The flow diagram of the audit stages directs the auditor through the process of collecting and verifying information, in order to establish the audit conclusions. This process continues until all the objectives planned in the Audit Plan and the Audit Questionnaire are fulfilled.
The audit observations are based on the gathered evidence and are reflected as conformities and nonconformities of the quality control system. The sources of pertinent evidence are[vi]:
- Prior audit reports;
- Beneficiary complaints, reception refusals, complaints during the guarantee period;
- Prior corrective actions;
- Observation of activity during the audit process;
- Interviews with the employees involved in quality activities.
The audit report stage
In this stage all conclusions are brought together and the measures needed to correct the nonconformities are established. Every physical and functional nonconformity has its own specific, targeted corrective measure; the technological flow process is to be corrected only by strictly controlled interventions. Corrections follow the ISO 10007 standard and MIL-STD-1521B. The report presents aspects such as:
- The level and relevance of the knowledge of the employees involved in production and in the quality control system;
- The way individual and collective tasks are fulfilled;
- The degree of conformity of the activity;
- The accuracy of the documents;
- The company's qualified personnel;
- Verification of the way the internal audit is carried out.
The audit closure stage
The closing audit meeting is rather short; usually it lasts no more than two hours and presents the following documents:
- the presentation material;
- the audit team's evidence;
- the partial and final conclusions of the audit process.
This meeting is chaired by the lead auditor, who has to focus on:
- presenting the audit team and the way it collaborated with the beneficiary's employees;
- the audit scope, which is to assure the quality control of IT products;
- the summary of the audit report;
- graphs of the audited products and processes;
- the limits of the audit;
- the nonconformities and the way they affect the quality control system;
- an honest admission that undiscovered nonconformities may remain;
- signing of the report and the final conclusion.
The nonconformities of IT products with respect to the quality control system are specified by the standard SR EN ISO 9001:2008. The lead auditor presents them. They can be classified as major, minor or simple observations. All of them are presented in the audit report and signed by the beneficiary. The role of the auditor is to explain them and to propose that the beneficiary schedule the follow-up audit and the certification audit.
4. Case study: analysis of the operation of software testing systems
Software testing measures the quality of the information systems and applications developed by programmers, taking into consideration the writing of the code, the completeness of the solution with respect to the system requirements, and security; it may also cover the technical characteristics described by the ISO 9126 quality standard: functionality, reliability, usability, efficiency, maintainability and portability.
- Testing levels represent the rank of the testing procedures. Testing can be carried out at the level of a component or module, as integration testing, at the level of the whole information system, as system integration testing, or as acceptance testing.
- Testing at the level of the information system's components verifies the smallest component parts of the system or of the software modules.
- Integration testing identifies the defects of the user interface and of the interactions between the integrated modules.
- System testing checks that the requirements are met by the information system.
- System integration testing assumes the verification of the implementation procedures.
- Acceptance testing can be requested by the final user, client or buyer.
- Alpha testing is simulated or operational testing done by prospective clients or users, in order to verify the system's functionality.
- Beta versions are offered to a limited number of people, in order to identify possible errors in operation.
After the software has been modified in order to remedy defects, regression tests are run by re-executing the initial tests.
The audit of the quality control system in the IT field is the responsibility of each company that has adopted the ISO 9001:2000 standard. This specific audit activity quantifies the quality control of an information system more precisely by using analysis techniques. Specialized tests are applied to a sample, which can be resized depending on their relevance, in order to reach pertinent and evident conclusions. One can observe elements of the systems produced, analyze and test components of the information system architecture, and determine quantitative and qualitative measurements.
The interviews, discussions and questionnaires aim to reflect the quality of the whole execution process; they are based on complex mechanisms for identifying nonconformities, so that their correction leads to quality certification.
The basic rule of the audit process is to follow the activities in their usual succession: contracting, design, homologation, execution, delivery.
Zone auditing requires every interview to cover four basic aspects:
- persons: responsibility and authority, education;
- procedures: availability, degree of fulfillment of the audit activity, application;
- equipment: whether it is that specified in the procedures, whether it requires user manuals, whether those are available;
- products and materials: whether they are those specified in the procedures, whether they are identified.
The relevance of the quality system audit lies in the system's competence, conformity and performance.
If the premature disclosure of particular details of the audit plan could compromise objective evidence, these are not communicated to the beneficiary in advance, but only at the proper time.
Minor nonconformities have to be properly managed so that they are treated appropriately; a major nonconformity is one that identifies the absence of a quality system or its improper functioning.
The effect of the proposed and assumed corrective measures is an efficient, high-performing company, with IT products of superior quality.
Eden, Ali, Auditul sistemelor informatice, Editura Dual Tech, București, 2001
Buligiu, I., Soava, G., Quality research by using performance evaluation metrics for software systems and components, Revista de Informatica, Editura Inforec, București, 2006
Ivan, Ion, Boja, Cătălin, Ciurea, Cristian, Metrici ale sistemelor colaborative, Editura ASE, București, 2007
Fatemeh, Z., Quality Information Systems, Thomson Publishing, USA, 1995
Russel, J.P., Auditing ISO 9001:2000, in "Quality Progress", July 2001
Titu, M., Statistica tehnica si proiectarea experimentelor – Controlul statistic al calitatii si fiabilitatii, Editura Universitatii "Lucian Blaga", Sibiu, 2005
Withrow, C., Error density and size in software, IEEE Software, McGraw Hill, 1999
[i] J.M. Juran, Planificarea calității, Editura Teora, București, 2000
[vi] http://projects.aft.hist.no/files/1/5/M5-ABT-QA.pdf, accessed 06.11.2016