I've been preparing for the Capability Maturity Model Integration (CMMI) level 3 audit along with my team for the last year and a half.
Though we were quite comfortable that we would clear the audit, we were still apprehensive when the time finally came. You can never predict the mood of the examiner. He or she may ask some unexpected questions and you'll fail.
The project team was excited before the audit and the process kicked off with a short opening ceremony. But the next five days were eye-opening.
It was like the auditor was showing us a mirror--where we stand, where we need to improve. It forced us to look at our understanding of the fundamental concepts on the software processes and the metrics we utilize.
For instance, he discussed the interdependencies across metrics. When it comes to software defect density, the value is determined by dividing total defects by actual effort. To keep defect density low, the auditor noted that we would have to put in more time and effort. But that would increase the effort variance of the defect density formula. And it gave us something to consider.
Audits by independent people or groups help us find our weaknesses, areas of improvement and strengths. I also do audits for our internal projects and highly recommend having an audit process every month or at least every quarter.
Have you ever been audited by anybody? Please share your experience.
Audits are really helpful in determining the project health, but unfortunately most project managers backtrack the auditable documents just to satisfy the process and not to measure the health.
The delivery pressures, shortening project durations and reduced number of resources, especially in FP projects, are key obstacles for real audits. Being an auditor myself, I have my own apprehensions toward real audits. Probably project managers should be encouraged to furnish real data and not just cooked-up data for audits.
Those were interesting insights that you shared from the recent CMMI assessment. Recently, I was in the role of following up on internal audits arising from the need to meet compliance and information security requirements.
As these were rather IT and technical in nature, on several occasions, the auditors were able to share on the risks of the issues and to propose recommendations.
Through the follow-up cycle, the auditees actually learned from the experience and it gave them time to correct the actions to mitigate those risks.
In the future, for applications and infrastructure teams, these audit inputs provide a platform for them to enhance their applications development projects and infrastructure IT projects.
Balancing the costs, benefits and risks, there were several occasions where the parties involved needed to put in place some factors:
i) communicate better to bring across the issues and ideas
ii) communicate more to understand the various solutions and recommendations
iii) working with vendors to gather their best solutions and to implement
iv) justify to management on the urgency and need for funding.
In this journey, the teams have gained from the experience.
I sincerely acknowledge the role that audits play if undertaken & accepted in a healthy spirit.
I had been raising a few concerns with respect to ISMS, CRM, Resource Matrix & Quality in my organization, but they were neglected for so long on one pretext or another by the concerned authorities.
Then one fine day came the auditors, & I wholeheartedly took over the onus as a SPOC to aid them.
Their reports were refined & detailed all that I'd been updating for almost a year, but their analysis was what moved the top brass, & I've completed the upgrade over the past 4 months in tune with that report once I got the go-ahead after the tremors that their report created.
I myself undertake such audits at smaller level for both Projects & Operations encouraging people to accept it as a tool of progressive transitions.
It seems like you weren't really as prepared for the audit as you might have been, particularly in terms of your expectations of the audit and auditor. Thankfully you were very fortunate to have a very collaborative auditor with a very holistic approach.
I'm interested to know whether you had arranged for an external/peer review before the real audit. I ask because I recently completed an external "refresh report" as part of a risk/security review for an IT application project that included sensitive data, as part of the preparation for an audit. It really facilitated the audit itself and helped focus on the key areas for improvement/action for both us in the project and the auditor.
We could also benchmark the external findings/suggestions against internal guidelines leading to a more customized outcome arrived at together thus increasing the overall ownership. Essentially the focus could therefore be on customizing the available findings for our needs rather than starting at first base.
Therefore the availability of the external report/perspective (and our draft responses to it based on internal guidelines/standards), was really appreciated by the auditor and showed both welcome proactivity and ownership. This increased overall the confidence we'd act on any findings and were serious about the issues and the audit process in general.
Perhaps PMI could add to best practice here in these situations as audits become more prevalent, by publishing key CMMI "pre-audit checks, guidelines, things to consider" per level so that the "next five days" can be reduced and made more efficient for everyone.
Good luck on your follow-up actions and review!