Quality Assurance

Lecture

Quality Assurance

Definition

Quality Assurance (QA) is a process-centered approach to ensuring that a company or organization is providing the best possible products or services.

Quality Control (QC) is the process of verifying whether the required quality has actually been achieved.

QC focuses on the end result, whereas QA focuses on the process used to create the end result.

Key concepts

  • Consistently do things right, the first time.
  • Continuous improvement.
  • Avoiding mistakes and defects.

QA Standards

A set of standards that a company chooses to implement to demonstrate to customers that their deliveries are of high quality.

ISO 9000

Seven quality management principles:

  • Customer focus
  • Leadership
  • Engagement of people
  • Process approach
  • Improvement
  • Evidence-based decision making
  • Relationship management

Certification

It takes anywhere from 6 to 18 months for an organization to go through its certification process.

Why pursue certification?

  • Customers require it
  • Powerful marketing tool
  • Reap improvements as a result of meeting the standards
  • An organization needs to determine if ISO is “for them”

Quality Audits

The purpose of an IS audit is to review and provide feedback, assurances and suggestions.

IS auditing is the process of collecting and evaluating evidence to determine whether a computer system (information system) safeguards assets, maintains data integrity, achieves organizational goals and consumes resources efficiently and effectively.

Efficiency: getting more output for the same or less effort.

Effectiveness: making sure that the effort achieves the desired outcome.

The process:

  1. Identify problem or issue
  2. Set criteria & standards
  3. Observe practice / data collection
  4. Compare performance with criteria & standards
  5. Implement change

Why audits - 3 areas

  • Availability - Will the systems be available for the business at all times when required?
  • Confidentiality - Will information in the system be disclosed only to those who need it?
  • Integrity - Will the information provided in the system always be accurate, reliable and timely? What ensures that no unauthorized modifications are made?

Why is an audit done?

  • Corporate governance
  • Regulatory requirements
  • Asset owner request
  • Operations review

Scope of an audit:

  • Physical and environmental review
  • System Administration review
  • Application software review
  • Network Security review
  • Business continuity review
  • Data Integrity review

Risk-based approach

Risk can affect each system differently.

  1. Conduct an inventory of the information systems and categorize them
  2. Identify which systems impact critical functions or assets
  3. Assess the risks that affect each system and assign a severity rating to them
  4. Rank systems and decide audit priority, resources and schedule
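The four steps above as a small risk register ranker, added here as an illustration and not part of the lecture notes; the system inventory, the 1 to 5 rating scale, the severity bands and the tie-break rule are constructed assumptions.

```python
"""Added example: rank an inventory of information systems for audit
priority. Inventory, rating scale and severity bands are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class InfoSystem:
    name: str
    category: str                      # step 1: inventory category
    critical_functions: list[str] = field(default_factory=list)  # step 2
    # step 3: likelihood and confidentiality/integrity/availability impact,
    # each rated on an assumed 1 (low) .. 5 (high) scale
    likelihood: int = 1
    impact_c: int = 1
    impact_i: int = 1
    impact_a: int = 1


# Assumed severity bands over a score range of 1..25 (likelihood x impact).
SEVERITY_BANDS = [(15, "critical"), (8, "high"), (4, "medium"), (0, "low")]


def severity(s: InfoSystem) -> tuple[int, str]:
    """Severity = likelihood x worst-case impact across the three audit
    areas (availability, confidentiality, integrity) listed below."""
    score = s.likelihood * max(s.impact_c, s.impact_i, s.impact_a)
    label = next(lbl for floor, lbl in SEVERITY_BANDS if score >= floor)
    return score, label


def audit_priority(inventory: list[InfoSystem]) -> list[tuple[str, int, str]]:
    """Step 4: highest severity first; a system that supports a critical
    business function wins ties over one that does not."""
    ranked = sorted(
        inventory,
        key=lambda s: (severity(s)[0], bool(s.critical_functions)),
        reverse=True,
    )
    return [(s.name, *severity(s)) for s in ranked]


# Constructed sample inventory.
SAMPLE_INVENTORY = [
    InfoSystem("payroll", "finance", ["salary payments"], 3, 5, 5, 3),
    InfoSystem("intranet-wiki", "collaboration", [], 4, 2, 2, 2),
    InfoSystem("customer-db", "sales", ["order fulfilment"], 3, 4, 4, 3),
    InfoSystem("build-server", "engineering", [], 3, 2, 4, 3),
    InfoSystem("cafeteria-menu", "facilities", [], 1, 1, 1, 1),
]

if __name__ == "__main__":
    for name, score, label in audit_priority(SAMPLE_INVENTORY):
        print(f"{name:<16} score={score:>2} severity={label}")
```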

Reading

The Difference Between Quality Assurance and Quality Control

  • Quality Assurance - QA is a strategy of prevention.
  • Quality Control - QC is a strategy of detection.

If we only apply QA, then we have a set of processes that can be applied to ensure great quality in our delivered solution, but the delivered solution itself is never actually quality-checked.

If we only focus on QC, then we are simply conducting tests without any clear vision for making our tests repeatable, for understanding and eliminating problems in testing, and for generally driving improvement into the means we use to deliver our ICT solutions.

QA focuses on the process of quality, while QC focuses on the quality of output.

The results measured by QC can be used to revise the process defined in QA.

Benefits of quality management:

  • Greater levels of customer satisfaction, which will very likely result in both repeat business, as well as referral business
  • A motivated team that not only understands the policy objectives of the quality management plan, but also actively participates in executing the plan
  • Elimination of waste by eliminating rework arising from either the need to address bugs, or to address gaps in the solution’s ability to meet customer requirements
  • Higher levels of confidence in planning, since the tasks arising from unplanned rework will fall away
  • Financial rewards for the company, which are a consequence of new projects from existing and referral clients, as well as through the reduction of monies spent on rework tasks.

WHAT IS AUDITING?

The three different types of audits

  • Process audit
  • Product audit
  • System audit - An audit conducted on a management system.

What are first-party, second-party, and third-party audits

  • First-party audit
    • Inside
  • Second-party audit
    • Customer or contracted organization
  • Third-party audit
    • An organization independent of the customer-supplier relationship

Four phases of an audit cycle

  • Audit planning and preparation
  • Audit execution
  • Audit reporting
  • Audit follow-up and closure

What is IT Risk?

Information technology (IT) risk is basically any threat to your business data, critical systems and business processes.

Categories of IT risks:

  • Security
  • Availability
  • Performance
  • Compliance

Potential Impact of IT Failure on Business

  • Security breach
    • Identity fraud and theft
    • Financial Fraud or theft
    • Damage to reputation
    • Damage to brand
    • Damage to your business’ physical assets
  • Downtime or outages
    • Lost sales and customers
    • Reduced staff or business productivity
    • Reduced customer loyalty and satisfaction
    • A damaged relationship with partners and suppliers
  • IT failure affects your ability to comply with laws and regulations
    • Breach of legal duties
    • Breach of client confidentiality
    • Penalties, fines and litigation
    • Reputational damage

Different types of IT Risk

Examples of IT risks

  • Physical threats
  • Electronic threats
  • Technical failures
  • Infrastructure failures
  • Human error

IT Risk Management Process

Steps in the IT Risk Management Process

  1. Identify risks
  2. Assess risks - Determine how serious each risk is to your business and prioritize them.
  3. Mitigate risks - Put in place preventive measures.
  4. Develop an incident response - Set out plans for managing a problem and recovering your operations.
  5. Develop contingency plans - Ensure your business can continue.
  6. Review processes and procedures

IT Risk Controls

Measures to protect your systems and data.

Mitigate IT Risks

  • Setting procedures for detecting problems
  • Getting cyber insurance against the costs of security breaches.