A quality audit can be done easily by interviewing the project manager as well as some of the project team members. Before starting the interview, try to understand the project scope, known risks, problems, etc. You can even have some quantitative analysis done on effort variance or schedule slippage (assuming sufficient access permission is provided to pull the data for analysis). During the interview, the auditor can ask about the project, its current status, etc. The auditor can also ask some pre-planned general questions to evaluate the knowledge of the interviewee. (Generic questions could be based on the management system in the organization.) Then observe how the interviewee responds to the questions. The response itself will almost always open the way to another question, and it might give you hints leading to a different set of questions. So an interview-based audit is somewhat easy compared to a remote audit. But the auditor has to lead the show; otherwise the interviewee, in order to hide non-conformances, might mislead the auditor.
The project team will define its own process by suitably tailoring the Organizational Set of Standard Processes (OSSP). These tailored processes should be submitted to the process owners of the organization, such as the Engineering Process Group. Only with their approval can the tailored process be executed within the project. The auditor has to check the necessity of this tailoring, the approval details, etc. The auditor also has to ensure that the tailored process is not a risk to the organizational business needs.
Normally, project activities are executed as per a plan. The plan could be a management plan, test plan, integration plan, configuration management plan, QA plan or an integrated master plan. If there is a template defined for these plans, it will adhere to the organizational practices. A plan template thereby details all the processes that are supposed to be executed within the project, as demanded by the organization in compliance with specific standards/models. So during a project audit, it is very important to ensure that the project plan used is in line with the template defined in the organization. It has to be ensured that sections of the template were not removed when it was adopted for the project. Each section in the plan might be a specific practice to be adhered to, so there is a chance that a section has been removed if the project team does not want to practice it.
After ensuring that the plans are compliant with the organizational template, go through the plan section by section. The plan will direct you to each artefact in the Configuration Management (CM) tool. Take the respective artefact or Configurable Item (CI) and do a configuration audit on the CI. A CM audit cannot be done on all the CIs, so sample them randomly. Checking a CI for process compliance may lead to another audit. For example, if a requirement document is taken, first check the contents for completeness and correctness. Check whether any legal or regulatory requirements are mentioned. If they are, trace them into the lower-level documents such as the design. If a requirement cannot be traced, it could be a noncompliance. Then check the other CM aspects of the requirement document, such as the document history. If the reviewer column is unfilled in the document history, check whether the review was actually done or not, assuming review has not been tailored out. The audit goes on likewise. Then go back to the project plan and continue with the next section.
Functional and physical configuration management audits need to be done on work products. Functional configuration audits are a kind of work product audit; they are done to ensure the functional performance of the work products. As part of the physical configuration audit, check for the correct versions and ensure there is a properly filled-in document history/amendment record, an impact analysis document for changes, a change tracking sheet, a traceability document, etc.
The auditor can randomly verify the data collected. If there are specific measures to be collected as instructed by the organization or customer, ensure that they are available. The auditor can check the integrity of the collected data. In addition, check whether the corrective actions planned in the milestone analysis are implemented inside the project or not.
In addition to process audits, work products are also audited to check compliance. The CMMI PA PPQA talks about the same. The auditor has to do some sample validation of the final work products. If it is a product, testing might be a mechanism for the work product audit. It need not be regular testing as done by testers. Instead, the auditor can take a representative sample of Test Cases that are already certified as ‘passed’ by testers and execute those Test Cases to ensure compliance.
As part of internal quality audits, corrective actions are planned for non-conformances. Over the course of time, those actions/plans are usually ignored. The auditor has to ensure compliance with those corrective or preventive actions.
Inside the project, there may be a lot of customer-reported issues, customer feedback, complaints, etc. Timely analysis and proper action need to be taken on all those points. The audit must check for this and report deviations if the issues are not addressed.
Finally, take the audit checklist and ensure coverage. A checklist-based audit is not a recommended practice: checklists may make your audit mechanical. But checklists can definitely be used to ensure coverage in the final stage of your audit.