IT Audit 1
24 November 2003, Information Systems Audit and Control Association
Raymond Tang, 25 November 2003
Software Quality & Project Management
A Presentation to the ISACA HK Chapter
Objectives
• Knowledge sharing
• Recognise the challenges when developing application software
• Appreciate how quality could help achieve better returns and customer satisfaction
• Note the proficiencies of a project manager and how he could make an impact on a project
Contents
• What is software quality?
• Error vs defect
• Testing, quality control and quality assurance
• Quality program
• Achieve quality …. at what cost
• Project management
Instilling Quality Throughout SDLC
[Figure: Quality Assurance Program and Project Management across the SDLC. Stages: Definition, Planning, Development, Implementation, Post-impl. Phases: Feasibility & Analysis, User Requirements Definition, System Design, System Construction, System Testing, System Implementation, System Operation and Support. Test activities: Test Level Assessment, Test Plan, Environ. Set-up, Test Design, Data Prep, Execution Plan, Unit/String Test, Defect Management, Stability, Test Report, User Acceptance Sign-off.]
SDLC – Iterative Approach*
*Source: Barry Boehm
[Figure: spiral model. Axes: cumulative cost; progress through steps. Quadrants: determine objectives, alternatives, constraints; evaluate alternatives, identify, resolve risks; develop, verify next-level product; plan next phases. Labels along the spiral: risk analysis (each cycle); Prototype 1, Prototype 2, Prototype 3, operational prototype; simulations, models, benchmarks; concept of operation; requirements plan, life-cycle plan; software requirements; requirements validation; development plan; software product design; design validation and verification; integration and test plan; detailed design; code; unit test; integration and test; acceptance test; implementation; review; commitment.]
System Project Results
53% of projects overrun their budgets, by as much as 180%
*Source: Standish Group, May 1994
Only 9% of projects are successfully completed
[Charts: Project Overrun* (53% / 47%); Project Completed* (9% / 91%)]
Source of Rework in the SDLC
[Chart: "Rework - A Notional View". Series: Systems Dev Effort, Testing Effort, Rework Effort. X-axis: SDLC Phases (Requirement, Design, Coding, Testing, Others).]
We need to focus on the areas in the SDLC which often cause us quality problems
To A Layman…Quality Could Mean
• Defect-free
• A degree of excellence
• Guarantee return and repair
• Value for money
• No breakage
Definition of Quality - Best Practices
• Deming – ‘continuous improvement’
• Juran – ‘fit for use’
• Crosby – ‘conformance to requirements’
• ….
*Source: ‘Managing Quality’ by David A. Garvin
Why Software Quality?
• Profit
• Competitive advantage
• Stay in business
• Life and death proposition
• ….
The Result of Quality vs Non-Quality
[Figure: two charts plotting COST and REVENUE against Time (outflow and inflow in $), across the Planning & Development and Post-implementation periods.]
Reduce cost by:
- improve cycle time
- less rework
- productivity
Increase revenue by:
- product features
- operational support
- business process
- system availability
When Do We Introduce Quality?
Anytime in the development life cycle
• Executive support
• User requirement definition
• Design
• Coding
• Testing
• Operation and support
• …..
Issues Related to User Requirements
• User has only some ideas
• User does not understand what they look like
• User often changes his mind
• User often procrastinates
• User pretends he is technical and designs a solution instead of telling what he needs
• …..
Techniques to Define Requirements
• Interview
• Brainstorming
• Story board
• Prototype
• Use case
• Joint requirement definition (JRD)
• Joint application design (JAD)
• Quality function deployment (QFD)
Quality Design – some examples
• Modular vs tightly coupled system design
• Unique transaction identifier
• Master and slave relationship
• One-direction transaction flow
• System checkpoint files
• Pull and push data
• …..
Testing, QC and QA
• Testing is the process of operating a system or system component under specified conditions, observing or recording the results
• A systematic series of evaluation activities performed to validate that the software fulfils technical and performance requirements
• For example:
– A light bulb
– A customer credit limit field would not handle > HK$1 million
– FX transaction requires dual entries in order to be valid
Testing, QC and QA
• QC is the process by which product quality is compared with applicable standards and actions taken when non-conformance is detected*
• To determine the output meets specifications
– in manufacturing, QC uses statistical methods
– in software, QC uses inspections and walkthroughs
• Depending on the ‘tolerance’ level or quality target, the deliverables could be accepted or rejected
*Source: Quality Assurance Institute
Testing, QC and QA
• It deals with the processes which would help improve the product quality
• It ensures standards are followed
• It performs problem root-cause analysis
• It determines problem patterns and trends
• It assists the deployment of better tools and techniques
Testing, QC and QA
TESTING
• comply to specifications
• detect defects
QUALITY CONTROL
• manage testing
• use inspections and reviews
• prevent defects
QUALITY ASSURANCE
• manage development processes
• metrics and defect root cause analysis
• prevent defects
Types of Tests
• Development test – unit, string & sub-system
• QC functional test
• Acceptance and operability tests
• Volume test
• Stress test
• Regression test
• Performance test
• Penetration test
• Hacking test
• ……..
Risk & Test Level Assessments
• Define test scope
• Determine the amount of tests required
• Impact / Probability questionnaire
• 4 pre-defined levels of testing
• Cost effective balance between test coverage and risk
Source: Bank of Montreal
Some Pitfalls to Avoid
• QC tests the wrong version of the spec
• QC test results not reliable ……
• UAT repeats almost all the test cases and scenarios of QC tests
• Time-box testing (not the same as time-box development)
Why are these situations happening?
How could we overcome them?
Peer Reviews - types
• Inspection
• Review
• Walkthrough
• Ad hoc review
Peer Reviews – Benefits
• Improve project success through less rework, schedule slippage, cost containment and better quality
• Satisfy customers
Example: IBM reported each hour of inspection could save 20 hours of testing and 82 hours of rework effort*
*Source: ‘Peer Reviews in Software’ by Karl E. Wiegers
Reusability vs Usability
• Reusability is the building of software from pre-defined components that are designed for reuse. It aims to enhance quality, increase productivity and reduce cost
• Usability is the effectiveness and efficiency of the system product. It aims to satisfy user requirements
Quality Assurance
• Where are we in the SDLC – which parts are OK / not OK?
• How do we start to improve?
• Do we have a meaningful way to guide the use of our limited resources and effort?
• What are the organisation's strategy and commitment on quality?
• ….
Error vs Defect
• Error is a problem that is created through the normal course of operation. Error is usually introduced, caught and corrected within the same phase
• Defect is a problem that escapes the process in which it is inserted ….. and it is found in a subsequent phase
Error vs Defect (cont’)
[Figure: Quality Assurance Program and Project Management across the SDLC. Stages: Definition, Planning, Development, Implementation, Post-impl. Phases: Feasibility & Analysis, User Requirements Definition, System Design, System Construction, System Testing, System Implementation, System Operation and Support. Test activities: Test Level Assessment, Test Plan, Environ. Set-up, Test Design, Data Prep, Execution Plan, Unit/String Test, Defect Management, Stability, Test Report, User Acceptance Sign-off.]
Process Improvement
• An old saying: ‘A thousand-mile journey starts with a single step’
• Process Improvement is a journey and is continuous
Software Quality Focus
• Quality should be considered and built in during the development process
• Once quality has been built in, the operating and maintenance processes must not degrade it
• Use a structured way to influence and determine the level of quality achieved in a software product
Software Quality Focus (cont’)
• Establish software quality requirements
• Determine, implement and enforce methodologies, processes and procedures to develop, operate and maintain software
• Measure and improve
In a bigger scope, some organisations also institutionalize something called Total Quality Improvement (TQM)
QC Test vs UAT – an example
QC Test
• System readiness test
• Meet specifications
• Functional test
• Positive & negative test
• Volume & stress test
• Performed by independent third party
UAT
• Business readiness test
• System operability test
• Limited function test
• Should not duplicate QC test effort
• Performed by users
Why would some organisations continue to duplicate the UAT and QC test effort???
Total Quality Management
At the corporate level, it is an organized way to achieve customer satisfaction:
• Know what turns your customers on
• Organisation commitment and support
• Every employee must contribute … be part of it
• Focus on certain key areas and processes
• Measurement and root-cause analysis
• Adopt relevant best practices and models
– CMM, ISO 9000 etc
• Continuous improvement
Total Quality Management (cont’)
• Customer-driven quality
• Create satisfied customers
– Expected quality
– Actual quality
– Perceived quality
[Figure*: Customer needs & expectations (expected quality); Identified customer needs & expectations; Translate to products & services (design quality); Output (actual quality); Customer perceptions (perceived quality); Measurement & feedback]
*Source: The Management & Control of Quality, by James Evans and William Lindsay
TQM – Hewlett Packard*
*Source: Hewlett-Packard’s ‘Quest For Total Quality’
CMM Model*
Level 5: Focus is Continuous Process Improvement
Level 4: Focus is Product & Process Quality
Level 3: Focus is Engineering Process
Level 2: Focus is Project Management
Level 1: Focus is Heroes
*Source: ‘The Capability Maturity Model’ by Carnegie Mellon University, SEI
ISO 9000 Family of Standards*
• ISO 9000 - Quality management systems – Fundamentals and vocabulary
• ISO 9001 - Quality management system – Requirements
• ISO 9004 - Quality management systems – Guidelines for performance improvements
ISO 9000 is not a system. It is a group of documents which provide interrelated ideas, principles and rules. It is also a set of interrelated or interacting processes that achieve the quality policy and quality objective.
*Source: ‘ISO 9000 Quality Systems Handbook’, by David Hoyle
Bank of Montreal - IT Core Metrics
Systems Division Metrics Program (July 15, 96)
Views: Business Partner View, IT View, Organization View
A - Business Partner Metrics
• A1 - Time-to-Market Payback
• A2 - Cycle Time
• A3 - External Survey
• A4 - End-point Services
B - Development Metrics
• B1 - Cost
• B2 - Schedule
• B3 - Productivity: Development
• B4 - Productivity: Maintenance
• B5 - Quality: Defect Density
• B6 - Quality: Reduce Rework
C - Operational Metrics
• C1 - Operating Cost
• C2 - Quality: Reduce Rework
• C3 - Availability
• C4 - Responsiveness
D - Organization Metrics
• D1 - Customer Survey
• D2 - Employee Survey
• D3 - Skill Proficiency
Bank of Montreal ‘Continuous Quality Improvement’ Methodology
CQI focuses on:
• Determine the attributes* that will ensure customer satisfaction.
• Understand problem root causes.
• Conduct continuous quality improvement in project processes.
*There are 6 customer satisfaction attribute groups:
1. Usability (product related)
2. Effectiveness (product related)
3. Customer Service (service related)
4. Schedule (service related)
5. Cost (service related)
6. Additional Opportunities (user defined)
Measurement – an example*
*Source: The Hong Kong Electric Co.,Ltd
Definition of Project Management
It is the application of knowledge, skills, tools and techniques to project activities in order to meet or exceed stakeholders’ needs and expectations from a project
Fundamental to the Success of a Project
*Source: Information Technology Project Management, by Kathy Schwalbe
Relationship of Project Management to Other Management Disciplines
General Management Knowledge & Practice
• Planning
• Organizing
• Staffing
• Executing
• Controlling
General Project Management Knowledge & Practice
• Risk
• Integration
• Scope, Time
• Cost, Quality
• HR, Commun.
• Procurement
Application Area Knowledge & Practice
• Functional
• Technical
• Management specialization
• Industry group
The Making of a Good Project Manager
• How technical should he be?
• How business-oriented should he be?
• How many projects could he manage at one time?
Achieving Quality …. At What Cost
• Adhere to standards, processes, guidelines and methodologies
• Deploy more tools and advanced techniques
• Quality program
• Enhance developers, testers and project managers’ proficiencies
• ….
Cost of Quality
Cost of Prevention
• Training
• Planning
• Risk Management
• Quality Program
• Standard & Process
Cost of Appraisal
• Testing
• Peer Review
Cost of Failure
• Rework
• Delay
• Loss Business
Should We Achieve Zero Defect?
• Six-sigma is a target to meet … (may be close to zero defect)
• Achieving zero defect may not be cost justified
[Chart: Cost plotted against Zero defect]
The On-going Challenges
A Good Project Manager Could Prevent…