Quality Assurance Reviews
Abstract
Establishes oversight and reporting procedures for major information system projects, the adoption of a systems development methodology, dedication of project funds for periodic reviews, and the inclusion of the State's Chief Information Officer in Quality Assurance reviews.
Authority - ORS 291.038
Policy
Project Risk and Oversight
Major system development projects typically promise significant benefits, but may also carry substantial economic, technical, and operational risks. The need for executive involvement, impartial scrutiny, and direction is directly proportional to a project's development time, visibility, cost, technical difficulty, and impact on system users and clients. This policy formalizes Chief Information Officer (CIO) oversight of major IT projects.
Set Aside Moneys for Periodic Reviews and Project Oversight
To be considered for authorization, major system development projects must set aside at least 4% of the project's funds for quarterly project reviews by independent commercial evaluators. In addition, 1% of the project's funds will be paid directly to the Department of Administrative Services (DAS) for Statewide Quality Assurance Oversight. DAS will hold these funds unscheduled as dedicated moneys for project evaluation. To insulate the evaluation firm from undue pressure as much as possible, the evaluation firm shall not be related to any contractor involved in the system development effort.
Representatives from the implementing agency, DAS, and a panel of data processing peers (selected by the IRM Division) will recommend a qualified independent evaluator. The requesting agency and the CIO establish an agreement to address applicable standards and the adequacy of the 4% set aside for commercial evaluators.
Governance and Control Objectives
General requirements for agency governance and control of information and related technology are identified in the Governance and Control Objectives policy. For major system development projects, agencies must satisfy additional governance and control objectives. These additional governance and control objectives are listed here.
The required objectives refer the reader to the 3rd Edition (July 2000) of Control Objectives for Information and related Technology (COBIT), published by the Information Systems Audit and Control Association (ISACA).
Planning and Organization
Acquisition & Implementation
Monitoring
- 1.0 Monitor the Processes
- 2.0 Assess Internal Control Adequacy
- 3.0 Obtain Independent Assurance
Along with the COBIT governance and control objectives for monitoring, agencies with a major IT project must satisfy some specific requirements for management review, management reporting, and contracts.
Management Review
Agencies involved in the development of major system projects shall establish an executive steering committee for the life of the project. The committee ensures that system development efforts stay on schedule, maintain acceptable resource levels, and accomplish their intended purposes. DAS suggests that membership include the agency head or deputy, the heads of departments impacted by the system, the DAS Budget and Management Division analyst, and a representative from the DAS/IRM Division.
Either the executive steering committee or the CIO may halt or materially change a project based on the reports prepared by the independent reviewer. This applies to all future projects and to projects currently underway.
The executive steering committee shall consider the following factors before authorizing the start of a major systems project:
- Has the agency contracted with an independent quality assurance contractor?
- Is the project team experienced in developing systems of comparable complexity, especially within the chosen hardware/software environment?
- Is a proven systems development methodology being used to guide the project?
- Is a proven project management methodology being used to guide the project?
- Does the hardware/software configuration to be acquired have a proven record of performance in the intended application area?
Management Reporting
Regular reports by the independent quality assurance contractor shall be prepared and presented for review to the agency's executive steering committee and the DAS Enterprise Information Strategy and Policy Division.
Minimum areas to be addressed in the independent review shall include any of the following items as relevant to the project's current stage of development:
- Comprehension and validation of data needs
- Top management commitment and sponsorship
- Validity and reliability of the feasibility and cost-benefit study
- Implications and impacts of the system on the using organization and its clients
- Quality and sufficiency of project staff
- Requirements definition
- Detail project plan including budget, schedule, resource status, accomplishments, and risks
- General or conceptual design
- Detail design
- Programming or construction
- Conversion
- Testing
- Change management
- Training
- Implementation
- Post implementation review
- Quality assurance review
Contract Requirements
The following language shall be included in each quality assurance contract: