CSQA Practice Exam Questions with Answers CSQA Certified Software Quality Analyst Certification

Developing a cause-and-effect diagram requires this series of steps:

1. Identify a problem (effect) with a list of potential causes. This may result from a brainstorming session.

2. Write the effect at the right side of the paper.

3. Identify major causes of the problem, which become “big branches”. Six categories of causes are often used: Measurement, Methods, Materials, Machines, People, and Environment, but the categories vary with the effect selected.

4. Fill in the “small branches” with subcauses of each major cause until the lowestlevel subcause is identified.

5. Review the completed cause-and-effect diagram with the work process to verify that these causes (factors) do affect the problem being resolved.

6. Work on the most important causes first. Teams may opt to use the nominal group technique or Pareto analysis to reach consensus.

7. Verify the root causes by collecting appropriate data (sampling) to validate a relationship to the problem.

8. Continue this process to identify all validated causes, and, ultimately the root cause.

Plan (P): Devise a plan - Define the objective, expressing it numerically, if possible. Clearly describe the goals and policies needed to attain the objective at this stage. Determine the procedures and conditions for the means and methods that will be used to achieve the objective.

Do (D): Execute the plan - Create the conditions and perform the necessary teaching and training to ensure everyone understands the objectives and the plan. Teach workers the procedures and skills they need to fulfill the plan and thoroughly understand the job. Then perform the work according to these procedures.

Check (C): Check the results – As often as possible, check to determine whether work is progressing according to the plan and whether the expected results are obtained. Check for performance of the procedures, changes in conditions, or abnormalities that may appear.

Act (A): Take the necessary action - If the check reveals that the work is not being performed according to plan, or if results are not what were anticipated, devise measures for appropriate action. Look for the cause of the abnormality to prevent its recurrence. Sometimes workers may need to be retrained and procedures revised. The next plan should reflect these changes and define them in more detail.

Environmental controls are the means by which management uses to manage the organization. They include such things as organizational policies, the organizational structure in place to perform work, the method of hiring, training, supervising and evaluating personnel, and the processes provided personnel to perform their day-to-day work activities, such as a system development methodology for building software systems.

Auditors state that without strong environmental controls the transaction processing controls may not be effective. For example, if passwords needed to access computer systems are not adequately protected the password system will not work. Individuals will either protect or not protect their password based on environmental controls such as the attention management pays to password protection, the monitoring of the use of passwords that exist, and management’s actions regarding individual workers failure to protect passwords.

Environmental controls are the means by which management uses to manage the organization.

Examples of environmental controls are the review and approval of a new system, limiting access to computer resources and transaction processing controls.

Review and Approval of a New System

This control should be exercised to ensure management properly reviews and approves new IT systems and conversion plans. This review team examines requests for action, arrives at decisions, resolves conflicts, and monitors the development and implementation of system projects. It also oversees user performance to determine whether objectives and benefits agreed to at the beginning of a system development project are realized.

The team should establish guidelines for developing and implementing system projects and define appropriate documentation for management summaries. They should review procedures at important decision points in the development and implementation process.

Limiting Access to Computer Resources

Management controls involve limiting access to computer resources. It is necessary to segregate the functions of systems analysts, programmers, and computer operators. Systems analysts and programmers should not have physical access to the operating programs, and the computer files. Use of production files should be restricted to computer operating personnel. Such a restriction safeguards assets by making the manipulation of files and programs difficult. For example, assume a bank’s programmer has programmed the demand deposit application for the bank. With his knowledge of the program, access to the files in the computer room on which information about the demand depositors is contained may allow him to manipulate the account balances of the bank’s depositors (including his own balance if he is a depositor).

Transaction Processing Controls

The object of a system of internal control in a business application is to minimize business risks. Risks are the probability that some unfavorable event may occur during processing. Controls are the totality of means used to minimize those business risks.

There are two systems in every business application. The first is the system that processes business transactions, and the second is the system that controls the processing of business transactions. From the perspective of the system designer, these two are designed and implemented as one system. For example, edits that determine the validity of input are included in the part of the system in which transactions are entered. However those edits are part of the system that controls the processing of business transactions.

Because these two systems are designed as a single system, most software quality analysts do not conceptualize the two systems. Adding to the difficulty is that the system documentation is not divided into the system that processes transactions and the system that controls the processing of transactions.

Quality is a multifaceted concept driven by customer requirements. The level of quality can vary significantly from project to project and between organizations. In IT, the attributes of quality are examined in order to understand the components of quality, and as a basis for measuring quality. Some of the commonly accepted quality attributes for an information system are described in the following figure.

Rahail HDD:Users:iMac:Desktop:Screen Shot 2015-01-12 at 7.38.30 PM.png

Please check the explanation for detailed answer.

In the prioritization process, risks from the analysis process are ranked from highest to lowest. When possible, they should be ranked quantitatively; otherwise, it is done qualitatively. Items that have similar ranks may need to be ranked separately.

If the high-medium-low method was used to calculate risk, the analyst would need to determine how to rank the two scores of 5, the three scores of 4 and the two scores of 3. In other words, determine whether the value of the frequency or the value of the impact would be more important.

Risks may also be prioritized using a question-and-answer technique to filter out unimportant risks. Four filters are typically used: impact (significant or insignificant), likelihood of occurrence (very likely or not likely), time frame (short-term or long-term), and program control (within control or not within control).

The maturation of the quality management system can be divided into three phases:

Initial Phase

The initiation point of the quality management system can be considered the formalization of quality control activities. An organization in this phase is results-driven, focusing on defining and controlling product quality. It normally takes at least two years in this phase of maturity for management and staff to recognize that quality cannot be tested into a product; it must happen through process maturity.

Intermediate Phase

In this phase an organization's objectives move from control to assurance. The emphasis is on defining, stabilizing, measuring, and improving work processes. While process improvement occurs before and after this phase, it is during this phase that resources are allocated to make process maturity happen. It takes between two and four years for significant process maturity. At this level products and services achieve consistency in product quality (consistency being the prerequisite to improved quality and productivity).

Final Phase

During this phase, objectives such as consulting, motivating, and benchmarking move the organization toward optimization. The MBNQA program defines such an organization as a “world-class” organization. World-class begins when work and management processes are well defined, are being continually improved, and are producing high-quality results that yield high customer satisfaction. These processes are integrated to obtain maximum customer satisfaction at minimum cost.

Most people on a job, and even in management positions, do not understand what the job is, or what is right versus wrong. Moreover, it is not clear to them how to find out.

Many of them are afraid to ask questions or to report trouble. The economic loss from fear is appalling. It is necessary, for better quality and productivity that people feel secure.

Another related aspect of fear is the inability to serve the best interest of the company through necessity to satisfy specified rules, or to satisfy a production quota, or to cut costs by some specified amount.

One common result of fear is seen in inspection. An inspector records incorrectly the result of an inspection for fear of overdrawing the quota of allowable defectives of the work force.

Experience has shown that over 50% of the software developed by offshore organizations fails to meet the expectations of the contractor. Since many of the decisions to have software developed offshore are economic decisions, the differences associated with having the software developed offshore negate the economic advantages in many cases. These offshore differences are:

Cultural differences

There may be a significant difference in the culture and values between the contractor and the offshore organization.

Communication barriers

The language of the offshore organization may be different or difficult to comprehend which causes difficulty in communicating the needs and desires of the contractor.

Loss of employee morale and support

Employees who would like to have developed the software may resent the software being developed offshore and thus make it difficult for the offshore developed software to be successful.

Root cause of the contractor IT organization not addressed

Frequently, offshoring is chosen because there are problems in the contractor organization that executives do not want to address. For example, the problems might include a lack of training for the employees in the contractor organization or other perhaps better options for software development were not explored

While the software may be developed by an outside organization, the responsibility for quality of that software cannot be contracted. The contractor is still responsible for the quality of the organization. There must be a process to monitor the development and validate the correct functioning of the software when it is developed by an outside organization.

The quality professional is the individual who should accept the quality responsibility for software developed by an outside organization. This may mean that the quality professional needs to visit periodically or during the entire developmental period of the software to ensure the quality. Many of the same practices used to assure quality of in-house developed software are applicable to software developed by outside organizations. For example, conducting reviews at specific checkpoints should occur on contracted software. Acceptance testing should be conducted on all software regardless of how developed.

The quality professional’s specific responsibility for software developed by outside organizations is to assure that the process for selecting COTS software and contracting with an outside organization for software are adequate.

One of the major responsibilities of the quality assurance activity is to oversee the development and deployment of work processes, and then to assure that those work processes are continuously improved.

Without a process for selecting COTS software and a process for contracting for software those processes would be subject to great variability. One contract may work well, one acquisition of COTS software may work well, while other acquisitions may result in a failure.

Target Audience

The target audience for ISO/IEC 12207 is:

Organizations acquiring a system that contains software or a stand-alone software product

Organizations that supply software products

Organizations involved in software operation or software maintenance

The standard is especially applicable for acquisitions, as it recognizes the distinct roles of acquirer and supplier. Its intended use is for the two parties of an agreement or contract that defines the development, maintenance, or operation of software. It does not apply to the purchase of commercial off-the-shelf software products. It is also intended for use with trained, experienced developers, managers, and acquirers of software.

Views of Software Development

Given the target audience, ISO/IEC 12207 includes several different points of view regarding software development:

Acquirers and suppliers see a contract view, which includes the acquisition and supply processes and begins with a contractual relationship to supply software. Depending on the contract, the supply process may use the development process to create new software, the operation process to provide software operation services, or the maintenance process to repair or improve the software.

Operators see an operating view, which includes the operations process. The operations process may use the maintenance process.

Developers and maintainers see the engineering view, which includes the maintenance and development processes. The maintenance process may also use the development process.

The employer of supporting processes sees the supporting view, which includes the eight supporting processes.

Managers see the corporate view, which includes the four organizational processes.

Industry accepted definitions of quality are “conformance to requirements” (from Philip Crosby) and “fit for use” (from Dr. Joseph Juran and Dr. W. Edwards Deming). These two definitions are not inconsistent.

Meeting requirements is a producer’s view of quality. This is the view of the organization responsible for the project and processes, and the products and services acquired, developed, and maintained by those processes. Meeting requirements means that the person building the product does so in accordance with the requirements. Requirements can be very complete or they can be simple, but they must be defined in a measurable format, so it can be determined whether they have been met. The producer’s view of quality has these four characteristics:

Doing the right thing

Doing it the right way

Doing it right the first time

Doing it on time without exceeding cost

Being fit for use is the customer’s definition. The customer is the end user of the products or services. Fit for use means that the product or service meets the customer’s needs regardless ofthe product requirements. Of the two definitions of quality, fit for use, is the more important. The customer’s view of quality has these characteristics:

Receiving the right product for their use

Being satisfied that their needs have been met

Meeting their expectations

Being treated with integrity, courtesy and respect

Level 1 – Validation

Validation is testing the software in an operational state. While there are several iterations of testing, they do not occur until the latter part of the system development life cycle. Thus, validation does not take advantage of the control theory stating that the control should be placed as close as possible to where the defect occurs. The most common types of validation are unit testing, integration testing, and system testing. Unit testing tests the smallest operating module of a system; integration testing tests the connecting logic between the modules/units; and the system testing validates that the system executes in the organization's operating environment.

Level 2 – Verification

Verification is the static testing of the system in a nonoperational status. It primarily tests the documentation produced by the project team. The documentation includes requirements, design,code, test, and operating documentation. Verification is performed through a variety of processes, including code analyzers, walkthroughs, reviews, and inspections. These verification processes also interact with the project team, end users, and other interested parties. Level 2 also incorporates acceptance testing, in which the end users define the criteria, which the system must meet in order to, be acceptable, and then test against those criteria.

Level 3 -- Defect Management

This level involves naming defects, counting defects, recording defects in a database, analyzing them, and then managing them throughout the entire life cycle of software. There are two types of defects, just as there are two types of quality. One defect is a variance from requirements/specifications, and the second defect is anything that dissatisfies the end user. For example, if the system was to add A plus B to get C, but in fact added A to X that would be a variance from specification defect. If the output was correct, but hard to use from an end user viewpoint, it would be an ease of use defect. Defects are generally only considered to be defects when they are uncovered in a task beyond the task in which the defect occurred. If the individual who makes the defect finds it during the same task, it is generally not considered to be a defect.

Level 4 -- Statistical Process Control

To be effective, statistical process control needs stabilized processes and defect recording. Some statistical process control techniques will be introduced at Level 3, but their use will be confined more to process improvement than for process management. Good statistical process control techniques require the type of measurement data that is only produced at Level 4. The statistical process control techniques will expand on root cause analysis, use sophisticated statistical tools and analysis, and create dashboards to be used in managing processes.

Level 5 - Preventive Management

This level is focused on preventing defects. It uses the lessons learned from the previous four levels of control/test to address the problems before they can become defects. During the previous four levels, the causes of defects are available and some addressed through process improvement. This level accelerates that trend and in addition provides the professional information staff with methods to modify the way work is performed so that the root causes of defects will not be built into software. This involves building risk models, developing defect expectation charts and/or defect profiles, and processes to customize processes so that the do component of processes can build software that is almost defect free.

Management Tools

These tools are based on logic rather than mathematics, to address idea generation and organization, decision-making and implementation. The examples are brainstorming and affinity diagram.

Statistical Tools

These tools have a mathematical focus, usually related to data collection, organization, or interpretation. They may also be separated into tools used for counting and tools used with measures. The examples are check sheet and histogram.

Presentation Tools

These tools are used during presentations to summarize or graphically illustrate data. These tools may be used in the development of written materials, such as proposals or reports, or to accompany oral presentations. The examples are table and line chart.

At a minimum, the tool selected should support the recording and communication of all significant information about a defect. For example, a defect log could include:

ƒ Defect ID number

ƒ Descriptive defect name and type

ƒ Source of defect - test case or other source that found the defect

ƒ Method – SDLC phase of creation

ƒ Phases – SDLC phase of detection

Inspection involves a step-by-step reading of the product, with each step checked against a predetermined list of criteria. These criteria include checks for historically common errors. Guidance for developing the test criteria can be found elsewhere. The developer is usually required to narrate the reading product. The developer finds many errors just by the simple act ofreading aloud. Others, of course, are determined because of the discussion with team members and by applying the test criteria.

At the problem definition stage, inspections can be used to determine if the requirements satisfy the testability and adequacy measures as applicable to this stage in the development. If formal requirements are developed, formal methods, such as correctness techniques, may be applied to ensure adherence with the quality factors.

Inspections should be performed at the preliminary and detailed design stages. Design inspections will be performed for each module and module interface. Adequacy and testability of the module interfaces are very important. Any changes that result from these analyses will cause at least a partial repetition of the verification at both stages and between the stages. A reexamination of the problem definition and requirements may also be required.

Finally, the inspection procedures should be performed on the code produced during the construction stage. Each module should be analyzed separately and as integrated parts of the finished software.

There are four main testing stages in a structured software development process. They are:

Unit Testing

These tests demonstrate that a single program, module, or unit of code function as designed. For example, observing the result when pressing a function key to complete an action. Tested units are ready for testing with other system components such as other software units, hardware, documentation, or users.

Integration Testing

These tests are conducted on tasks that involve more than one application or database, or on related programs, modules, or units of code, to validate that multiple parts of the system interact according to the system design. Each integrated portion of the system is then ready for testing with other parts of the system.

System Testing

These tests simulate operation of the entire system and confirm that it runs correctly. Upon completion, the validated system requirements result in a tested system based on the specification developed or purchased.

User Acceptance Testing

This real-world test is the most important to the business, and it cannot be conducted in isolation. Internal staff, customers, vendor, or other users interact with the system to ensure that it will function as desired regardless of the system requirements. The result is a tested system based on user needs.

There is a high correlation between process maturity and cycle time. As shown in the figure below, as processes mature, there is a decrease in the cycle time to build software products. The maturity of processes, people, and controls has associated with it a search for the root cause of problems. It is these problems that lead to rework which, in turn, extends the cycle time. Thus, improvements also focus on facilitating transitions of deliverables from work task to work task, which also significantly reduces cycle time.

Rahail HDD:Users:iMac:Desktop:Screen Shot 2015-01-12 at 12.47.42 PM.png

Quality is a multifaceted concept driven by customer requirements. The level of quality can vary significantly from project to project and between organizations. In IT, the attributes of quality are examined in order to understand the components of quality, and as a basis for measuring quality. Some of the commonly accepted quality attributes for an information system are described in the following figure.

Management needs to develop quantitative, measurable "standards" for each of these quality criteria for their development projects. For example, management must decide the degree of maintenance effort that is acceptable, the amount of time that it should take for a user to learn how to use the system, etc.

Rahail HDD:Users:iMac:Desktop:Screen Shot 2015-01-11 at 2.39.38 PM.png

There are three COQ categories:

Prevention- Money required preventing errors and to do the job right the first time is considered prevention cost. This category includes money spent on establishing methods and procedures, training workers and planning for quality. Prevention money is all spent before the product is actually built.

Appraisal– Appraisal costs cover money spent to review completed products against requirements. Appraisal includes the cost of inspections, testing and reviews. This money is spent after the product or subcomponents are built but before it is shipped to the user.

Failure– Failure costs are all costs associated with defective products. Some failure costs involve repairing products to make them meet requirements. Others are costs generated by failures, such as the cost of operating faulty products, damage incurred by using them and the costs incurred because the product is not available. The user or customer of the organization may also experience failure costs.

The following figure shows a few examples of the three costs of quality that illustrate the types of activities in each of the categories. Experience has shown that a small group of knowledgeable people can develop estimates for the COQ categories. The estimate does not have to be highly precise because the amounts will be so large that even errors of plus or minus 50% would not affect identifying the actions that need to be taken to reduce the COQ.

Rahail HDD:Users:iMac:Desktop:Screen Shot 2015-01-12 at 3.16.26 PM.png

In business and accounting literature, the environment is referred to in many different ways. In accounting literature it is sometimes called the “control environment,” other times the “management environment,” and sometimes just the environment in which work is performed.

For the purpose of this skill category, we will refer to it as the “quality environment.” What is important to understand is that the environment significantly impacts the employee’s attitude about complying with policies and procedures. For example, if IT management conveys that they do not believe that following the system development methodology is important, project personnel most likely will not follow that system development methodology. Likewise, if IT management conveys a lack of concern over security, employees will be lax in protecting their passwords and securing confidential information.

Structural testing is considered white-box testing because knowledge of the internal logic of the system is used to develop test cases. Structural testing includes path testing, code coverage testing and analysis, logic testing, nested loop testing, and similar techniques. Unittesting, string or integration testing, load testing, stress testing, and performance testing are considered structural.

Functional testing addresses the overall behavior of the program by testing transaction flows, input validation, and functional completeness. Functional testing is considered black-box testing because no knowledge of the internal logic of the system is used to develop test cases. System testing, regression testing, and user acceptance testing are types of functional testing.

Structural Testing

Advantages

The logic of the software’s structure can be tested.

Parts of the software will be tested which might have been forgotten if only functional testing was performed.

Functional Testing

Advantages

Simulates actual system usage.

Makes no system structure assumptions.

Quality Council

A Quality Council is composed of the organization’s top executive and his or her direct reports. It may also be referred to as an Executive Council. The Quality Council acts as the steering group to develop the organization’s mission, vision, goals, values, and quality policy. These serve as critical input to process mapping, planning, measurement, etc. Some large companies opt for more than one level of Quality Council. When multiple levels exist, each organization’s mission and vision tie into that specified by the top council.

Management Committees

Management committees (also called Process Management Committees) are composed of middle managers and/or key staff personnel, and are responsible for deploying quality management practices throughout the organization. One or more committees may be needed depending on the organization’s size and functional diversity. Committees should represent all the skills and functions needed to work on the specific processes or activities.

Teams and Work Groups

Teams are formed under any number of names depending on their purpose. Common names and functions are:

Process Development Teams develop processes, standards, etc.

Process Improvement Teams improve existing processes, standards, etc.

Work Groups perform specific tasks such as JAD, inspection, or testing.

The process teams are composed of a representative group of process owners. Members of work groups will vary depending on the purpose, but suppliers and customers are likely to participateas team members or as reviewers. It may also be desirable for a QA analyst to participate on the team.

Process teams use standard approaches (such as flowcharts, checklists, Pareto analysis) to define, study, and improve processes, standards, procedures, and quality control methods. They may pilot new or revised processes help deploy them to the rest of the organization, and provide process training. They may also serve as process consultants to process owners and others using the process. Approaches and tools used by the team depend on its purpose.

Vision:

It states what the organization intends to achieve.

Senior Management (CIO)

“To become Global Top 10”

Value:

It states how to run the business.

Senior Management

“Will satisfy customer needs”

Goal:

It states how the vision will be achieved.

Senior Management

“Establish a customer vision group”

CobiT is generally applicable and an accepted standard for IT security and control practices that provides a reference framework for management, users, and IS audit, control and security practitioners. CobiT enables an enterprise to implement effective governance over IT that is pervasive and intrinsic throughout the enterprise.

The checklist must contain the following items to determine necessary management security controls placed over online software systems:

Ensure that staff knows who does what relative to security—the security dos and do nots.

Ensure that staff has sufficient resources and skills to exercise its security responsibilities.

Ensure that security is considered in job performance appraisals and results in appropriate rewards and disciplinary measures.

Ensure awareness of the need to protect information; provide training to operate nformation systems securely and be responsive to security incidents.

Ensure that security is an integral part of the systems development life cycle process and explicitly addressed during each phase of the process.

Ensure that staff with sensitive roles has been vetted.

Ensure that the organization is not dependent on one individual for any key security task (i.e., appropriate segregation of duties).

Ensure that privacy and intellectual property rights, as well as other legal, regulatory, contractual and insurance requirements, have been identified with respect to security and processes in your area of responsibility.

Ensure that applicable security measures have been identified and implemented (e.g., effective backup, basic access control, virus detection and protection, firewalls, intrusion detection and adequate insurance coverage).

Ensure that a suitable technical environment is in place to support security measures

Independent monitoring are those monitoring activities, which are performed by individuals not employed by the organizational unit responsible for the work. Independent monitoring can be performed by:

An organizational unit established for the purpose of monitoring

For example, in health care units, an “HIPAA compliance group” might be established to monitor compliance to HIPAA requirements.

Internal auditors

An audit activity within the organization who is independent from the organization they monitor or audit, and generally independent from the management over the activity being monitored.

External auditors

Auditors engaged by the Board of Directors to evaluate the adequacy of the organization’s system of internal control and other activities governed by auditing standards.

The extensiveness of independent monitoring is normally determined by the adequacy of the organization’s system of internal controls. If those performing independent monitoring believe that the system of internal control is effective, the extent of their monitoring will decrease. On the other hand, if there’s significant weakness in the system of internal control, monitoring will be increased.

Vision:

It states what the organization intends to achieve.

Senior Management (CIO)

“To become Global Top 10”

Value:

It states how to run the business.

Senior Management

“Will satisfy customer needs”

Goal:

It states how the vision will be achieved.

Senior Management

“Establish a customer vision group”

Principle:

It states the quality attribute of the organization.

Quality council

“Need for a quality function”

Preventive controls are located throughout the entire IT system. Many of these controls are executed prior to the data entering the computer programs. Following are three of the 8 preventive controls:

Source-data authorization- Once data has been recorded properly, there should be control techniques to ensure that the source data has been authorized. Typically, authorization should be given for source data such as credit terms, prices, discounts, commission rates, overtime hours, and so forth.

Data input -Data input is the process of converting data in non-machine-readable form (such as hard-copy source documents) into a machine-readable form so that the computer can update files with the transactions. Since the data input process is typically a manual operation, control is needed to ensure that the data input has been performed accurately.

Source-data preparation -In many automated systems, conventional source documents are still used and, therefore, no new control problems are presented prior to the conversion of source documents into machine-readable form. Specially designed forms promote the accuracy of the initial recording of the data. A pre-audit of the source documents by knowledgeable personnel to detect misspellings, invalid codes, unreasonable amounts, and other improper data helps to promote the accuracy of input preparation.

In order to participate in the various aspects of contracting for software development, it is necessary to establish an acquisition life cycle for contracted software. This life cycle contains the following three activities:

Selecting an Outside Organization

Selecting a contractor is similar to systems design. It is a time of studying alternative contractors, costs, schedules, detailed implementation design specifications, and the specification of all the deliverables, such as documentation. The selection of an outside organization may involve the following individuals in addition to the quality control reviewer:

Systems analysts

User personnel

Internal auditor

Purchasing agent

Legal counsel

Contract Negotiations

In some organizations, the purchasing agent conducts all the negotiations with the contractor; the other parties are involved only in the needs specification. In other organizations, there is no purchasing agent, so the data processing department deals directly with contractors for the acquisition of application systems.

Operations and Maintenance

The maintenance and operations of purchased applications may be subject to contractual constraints. For example, some contracts limit the frequency with which an application can be run without paying extra charges, and limit an organization’s ability to duplicate the application system in order to run it in a second location. In-house personnel can maintain some purchased applications, but others do not come with source code and thus are not maintainable by in-house personnel. There may also be problems in connecting a purchased application from one contractor with purchased or rented software from another contractor. It is important that software from multi contractors be evaluated as to its capability to work in the same operating environment.

The Check process incorporates the process controls needed to be assured the “Do process” was performed correctly. Process control identifies the appropriate types of quality controls needed within a process, and designs and incorporates them as Check procedures into the process. Check procedures describe how to evaluate whether the right work was done (output meets needs) and whether the work was done right (output meets standards). Controls should be designed based on the criticality of the process and what needs to be checked.

Check procedures are defined in the same way as Do procedures. If the playscript format is used, Check procedures should be incorporated to the taskflow diagram or flowchart at the appropriate spot. For example, a quality control checklist associated with programming would have questions such as, "Was a flowchart produced that describes the processing of the program?" or “How much quality control is enough?”

The challenge is to install the appropriate amount and types of controls to minimize cost, effort, and cycle time; and to minimize the risk that defects will go undetected and "leak" into other processes.

SEI CMM Model:

It is a staging model.

All processes have to be followed in order.

Designed specifically for software organizations.

It has 5 stages:

Initial – Level 1

Repeatable – Level 2

Defined – Level 3

Managed – Level 4

Optimizing – Level 5

ISO 9000:

It is a continuous model.

Processes can be followed independently.

Not specific to software organizations.

The most important prerequisite for successful implementation of any major quality initiative is commitment from executive management. It is management’s responsibility to establish strategic objectives and build an infrastructure that is strategically aligned to those objectives. This Skill Category describes the management processes used to establish the foundation of a quality-managed environment including leadership concepts, the quality management infrastructure, and the quality environment.