The review process is intended to ensure the completeness and correctness of the work products. Merely performing reviews does not serve that purpose on its own; a review must be followed by the steps below.

Proper correction

The reported defects need to be fixed, and the completion status of each reported defect needs to be logged properly. After rework, the work product needs to be labelled suitably so that the reworked version can be distinguished from the one that was reviewed.

Verification by reviewers after correction

The reviewer needs to verify the reworked work product against the reported defects, confirming that each one has actually been fixed rather than merely marked as closed.


Root cause analysis of defects

Major or repetitive defects need to be analysed further to determine their root causes.


Taking corrective actions on root causes of defects

Following root cause analysis, action plans to prevent recurrence of the defects need to be drawn up and carried out.

Review Data Analysis

Review parameters such as review speed and review effectiveness need to be analysed and compared against the goals set for those parameters, and further actions need to be taken based on that analysis. For more information, please refer to the post on Review Data Analysis.

Making Frequently Committed Defect List (FCDL)

An FCDL can be compiled from the reviewers' feedback, and it needs to be updated after each round of review. The key is to learn from faults and consciously avoid repeating them; reviewers can also use the list to decide what to look for first in the next review.

Conducting Trainings

Training can be triggered to avoid repetition of defects or to improve the depth of review.

Communicating the status to stakeholders

Finally, it is important to ensure that the status of reviews, rework, corrective actions etc. is communicated to all stakeholders.


Reviews can be analysed using a number of metrics. A few of the review metrics are given below:

  • Review coverage: Reviewed size / Total size
    • For example, if 50 pages out of 100 pages of an artefact are reviewed, then the review coverage is only 50 %. Where 100 % review is not possible, the Project Manager or concerned person can identify the critical areas of the work product which must be reviewed.
  • Review speed: Reviewed size / Total time taken for the review
    • For example, if 1000 Lines Of Code (LOC) are reviewed in 5 hours, then the review speed is 200 LOC/hr. Note that a high review speed is not good in itself: a review that runs far faster than the organisation's norm is likely to be shallow, so speed should be read together with the defect density.
  • Review effectiveness: Defects caught in review / Total number of defects caught in review and testing
    • For example, if 100 defects were caught in a project including user acceptance testing and 50 of those were caught during reviews, then the review effectiveness is 50 %. The figure is only meaningful once testing has progressed far enough to have found most of the defects the reviews missed.
  • Review defect density: Defects caught in review / Reviewed size
    • For example, if 100 defects were caught during code review of 1000 LOC, then the review defect density is 0.1 defects/LOC, or 100 defects/KLOC.
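As an added worked example (not part of the original page), the following Python computes these four metrics from per-artefact review records and compares them against goals, which is the comparison the Review Data Analysis step above calls for. The records, artefact names and goal values are constructed for illustration. The speed goal is treated as a maximum, because an unusually fast review is more likely to be shallow than efficient, and every division is guarded so that an artefact with nothing reviewed or no defects at all yields "not measurable" instead of a crash.

```python
"""Review data analysis: compute review coverage, speed, effectiveness and
defect density per artefact and compare them against goals.

Added example, not from the original page. Records, artefact names and goal
values are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ReviewRecord:
    artefact: str
    unit: str              # size unit of the artefact: "LOC" or "pages"
    total_size: int
    reviewed_size: int
    review_hours: float
    review_defects: int    # defects caught in the review of this artefact
    test_defects: int      # defects in the same artefact caught later in testing/UAT


# Goal values are assumptions for this example. Speed is a maximum: reviewing
# faster than this many units per hour is treated as a sign of a shallow review.
GOALS = {
    "coverage_pct_min": 100.0,
    "effectiveness_pct_min": 60.0,
    "speed_max": {"LOC": 300.0, "pages": 10.0},
}

# Constructed sample data: three artefacts from a hypothetical project.
REVIEWS = [
    ReviewRecord("auth_module.c", "LOC", 1000, 1000, 5.0, 100, 20),
    ReviewRecord("requirements_spec", "pages", 100, 50, 2.0, 10, 10),
    ReviewRecord("release_notes", "pages", 4, 0, 0.0, 0, 0),  # never reviewed
]


def _ratio(numerator: float, denominator: float) -> Optional[float]:
    """Every metric is a ratio; an empty denominator means 'not measurable'."""
    return None if denominator == 0 else numerator / denominator


def _pct(value: Optional[float]) -> Optional[float]:
    return None if value is None else round(100.0 * value, 2)


def review_metrics(r: ReviewRecord) -> dict:
    """Compute the four metrics described on the page for one review record."""
    density = _ratio(r.review_defects, r.reviewed_size)
    speed = _ratio(r.reviewed_size, r.review_hours)
    return {
        "coverage_pct": _pct(_ratio(r.reviewed_size, r.total_size)),
        "speed": None if speed is None else round(speed, 2),               # units per hour
        "effectiveness_pct": _pct(_ratio(r.review_defects,
                                         r.review_defects + r.test_defects)),
        "defect_density": None if density is None else round(density, 4),  # defects per unit
        # defects/KLOC is the conventional way to quote density for source code
        "defects_per_kloc": (round(1000.0 * density, 2)
                             if r.unit == "LOC" and density is not None else None),
    }


def assess(r: ReviewRecord, m: dict, goals: dict = GOALS) -> list:
    """Compare one artefact's metrics against the goals and return the findings."""
    findings = []
    cov = m["coverage_pct"]
    if cov is None or cov < goals["coverage_pct_min"]:
        findings.append(f"{r.artefact}: coverage {cov}% is below the goal of "
                        f"{goals['coverage_pct_min']}%; identify the critical "
                        f"areas that must be reviewed")
    speed_max = goals["speed_max"].get(r.unit)
    if m["speed"] is not None and speed_max is not None and m["speed"] > speed_max:
        findings.append(f"{r.artefact}: speed {m['speed']} {r.unit}/hr exceeds "
                        f"{speed_max} {r.unit}/hr; the review may have been too shallow")
    eff = m["effectiveness_pct"]
    if eff is not None and eff < goals["effectiveness_pct_min"]:
        findings.append(f"{r.artefact}: effectiveness {eff}% is below the goal of "
                        f"{goals['effectiveness_pct_min']}%; too many defects are "
                        f"escaping to testing")
    return findings


def analyse(records=REVIEWS, goals: dict = GOALS) -> list:
    """Run the review data analysis over all records and return every finding."""
    findings = []
    for r in records:
        findings.extend(assess(r, review_metrics(r), goals))
    return findings


if __name__ == "__main__":
    for r in REVIEWS:
        print(r.artefact, review_metrics(r))
    for f in analyse():
        print("FINDING:", f)
```

On the constructed data the fully reviewed code module meets every goal, the half-reviewed requirements specification produces three findings (coverage, speed and effectiveness), and the unreviewed release notes produce only a coverage finding because speed and effectiveness cannot be computed for them.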

Analysis is not limited to defining and evaluating a metric; recommendations must be put forward from the observed data. Sometimes,


Audits are the mechanism for ensuring the integrity of the product as well as of the process. During an audit a number of deviations may be revealed, and it is extremely important that these deviations are documented and reported properly. Deviations can be specific or generic in nature; if a deviation is generic, the auditor needs to report multiple instances of the issue as evidence. A well-documented deviation should be self-explanatory and should answer the following questions:

  • What is the issue?
  • What is the importance of the issue?
  • What is the impact of the issue?
  • When was the issue observed?
  • Where was the issue observed?

A non-conformance could be stated simply as

'Planned review of a work product is not done.'

This statement is not self-explanatory; instead it raises further questions, such as whether any alternative method was adopted in the absence of the review, or what the impact could be. A non-conformance therefore needs to be reported completely and correctly.

The above deviation becomes much more self-explanatory when written as below:

"In Project 'A', implementation is done by resources of average skill. Even though an independent review was planned, it did not happen. Review practices are required by organizational policy to produce high-quality work products. The project team did not take any additional measures or alternative mechanisms to compensate. In this scenario, the absence of review will lead to more bugs being found in testing, causing schedule slippage or a poor-quality product."

1. Interviewing the Project team

A quality audit can be done easily by interviewing the project manager as well as some of the project team members. Before starting the interview, try to understand the project scope, known risks, problems etc. Some quantitative analysis can even be done beforehand, on effort variance or schedule slippage for example (assuming sufficient access permission is provided to pull the data for analysis). At the time of the interview, the auditor can ask about the project, its current status etc., and can also ask some pre-planned general questions to evaluate the knowledge of the interviewee (generic questions could be based on the management system in the organization). Then observe how the interviewee responds. The response itself will almost always open the way to another question, or hint at a different set of questions. So an interview-based audit is somewhat easier than a remote audit. But the auditor has to lead the conversation; otherwise an interviewee who wants to hide non-conformances may steer the auditor away from them.

2. Check Tailoring

The project team defines its own process by suitably tailoring the Organizational Set of Standard Processes (OSSP). These tailored processes should be submitted to the process owners of the organization, such as the Engineering Process Group, and only with their approval can the tailored process be executed within the project. The auditor has to check the necessity of each tailoring, its approval details etc., and has to ensure that the tailored process does not put the organization's business needs at risk.

3. Project compliance audit

Normally project activities are executed as per a plan, which could be a management plan, test plan, integration plan, configuration management plan, QA plan or an integrated master plan. If a template is defined for these plans, it will adhere to the organizational practices; a plan template thereby details all the processes which are supposed to be executed within the project, as demanded by the organization in compliance with specific standards/models. So during a project audit it is very important to ensure that the project plan used is in line with the template defined in the organization, and in particular that sections of the template were not removed when it was taken into the project. Each section in the plan may correspond to a specific practice to be adhered to, so there is a chance of sections being removed if the project team does not want to practise it.

4. Plan based audit

After ensuring that the plans comply with the organizational template, go through the plan section by section. The plan will direct you to each artefact in the Configuration Management (CM) tool. Take the respective artefact, or Configuration Item (CI), and do a configuration audit on it. A CM audit cannot be done on all CIs, so sample them randomly. Checking a CI for process compliance may lead to another audit. For example, if a requirements document is taken, first check the contents for completeness and correctness, and check whether any legal or regulatory requirements are mentioned. If they are, trace them into the lower-level documents such as the design; if they cannot be traced, that could be a non-compliance. Then check the other CM aspects of the requirements document, such as the document history. If the reviewer column in the document history is unfilled, check whether the review was actually done or not (assuming the review has not been tailored out). Likewise the audit goes on. Then go back to the project plan and continue with the next section.

5. CM audit

Functional and physical configuration audits need to be done on work products. A functional configuration audit is a kind of work product audit: it is done to ensure that the work product actually performs the functions required of it. As part of the physical configuration audit, check that the correct versions are in place, that the document history/amendment record is properly filled in, and that the impact analysis document for changes, the change tracking sheet, the traceability document etc. are present and consistent with one another.

6. Quantitative Data Audit

The auditor can randomly verify the data collected. If there are specific measures to be collected as instructed by the organization or the customer, ensure their availability. The auditor can check the integrity of the collected data, for example that the figures reported upward can be reproduced from the raw records. In addition, check whether the corrective actions planned in the milestone analysis have been implemented inside the project or not.

7. Workproduct audit

In addition to process audits, work products are also audited to check compliance; the CMMI process area PPQA (Process and Product Quality Assurance) covers this. The auditor has to do some sample validation of the final work products. If the work product is a product, testing is probably the mechanism for the work product audit. It need not be the regular testing done by testers; instead, the auditor can take a representative sample of test cases which have already been certified as 'passed' by the testers and re-execute them to confirm that the recorded results hold.


8. CAPA based audit

As part of internal quality audits, corrective actions are planned for non-conformances. In the course of time, those actions/plans are often ignored. The auditor has to ensure compliance with those corrective or preventive actions.

9. Audit of customer driven points

Inside the project, there may be many customer-reported issues, items of customer feedback, complaints etc. Timely analysis and proper action need to be taken on all those points. The audit must check whether these issues have been addressed and report deviations where they have not.

10. Check List based audit

Finally, take the audit checklist and ensure coverage. A purely checklist-based audit is not a recommended practice, since checklists can make the audit mechanical. But a checklist can definitely be used to ensure coverage in the final stage of the audit.