Audit results should be reported in a high-level summary and conveyed as part of weekly or monthly SA Status Reports. The high-level summary should provide an overall evaluation of the audit, any associated risks, and thoughts on the health and status of the project or organization audited.

When an audit is conducted, it may be necessary to provide a detailed report of the results to the management team outside of the normal status reporting cycle. This will allow the management team to prioritize and delegate the necessary corrections. If a time-critical issue is uncovered, it should be reported to management immediately so that the affected organization may begin addressing it at once.

When a project has safety-critical software, audit results should be shared with the Software Safety personnel. The results of audits conducted by Software Assurance personnel and those done by Software Safety personnel may be combined into one report, if desired.

Per SWE-201 – SASS Task 1 and SWE-039 – SASS Task 8, all audit findings and observations are documented in a problem/issue tracking system and tracked to closure. These items are communicated to the affected organization’s personnel, and possible solutions are discussed.

4.1 Minimum Recommended Content for Audit Summary

When reporting the results of an audit for a SA Status Report, the following defines the minimum recommended content:

  1. Identification of what was audited: Mission/Project/Application
  2. Audit Type/Subject (e.g., Peer Review, Process, CM baseline)
  3. Group or department (Branch, Division, Project or subset, etc.) being audited
  4. Overall evaluation of audit subject, based on audit observations/results. Include thoughts on the health and status of the project or organization audited.
  5. Major findings and associated risk – The detailed reporting should include where the finding was discovered and an estimate of the amount of risk involved with the finding.
  6. Observations – This should include important observations such as any systemic issues.
  7. Current status of findings: open/closed; projection for closure timeframe
  8. Optional: include metrics charts showing other details of audit findings

4.2 Minimum Recommended Content for Detailed Audit Report

When reporting the detailed results of an audit, the following defines the minimum recommended content:

  1. Identification of what was audited: Mission/Project/Application

  2. Audit Type/Subject (e.g., Peer Review, Process, CM baseline)

  3. Person or group doing audit(s)

  4. Period/Timeframe/Phase audit performed during

  5. Documents used in audit (e.g., requirements version, etc.)

  6. Group or department (Branch, Division, Project or subset, etc.) being audited

  7. Description of techniques used (Checklists, interviews, comparisons, etc.)

  8. Overall evaluation of audit subject, based on audit observations/results

  9. Major findings and associated risk – The detailed reporting should include where the finding was discovered and an estimate of the amount of risk involved with the finding.

  10. Minor findings

  11. Observations – This should include any systemic issues

  12. Current status of findings: open/closed; projection for closure timeframe

  13. Optional: include metrics charts showing other details of audit findings