Configuration Audit Checklist
Below is a sample configuration audit checklist (for FCA and PCA). Project managers can use it as a reference to check readiness for the audit, or to carry out the audit itself.
- Does the release documentation clearly define the scope of release, including the CRs that should be incorporated?
- Have all dependencies / bugs been documented?
- Is there adequate documentation that identifies the environment to recreate the release?
- Is there adequate documentation that specifies the components and the versions of those components that comprise the release?
- Are all the items of the release in sync with each other?
- Has the release been created using the right versions of the right components from the right repositories?
Repository/Configuration item audit:
- Are the repositories defined as per the SCM plan?
- Have the items been put into the correct repositories?
- Are the required items present in the repositories?
- Have the items been named according to the conventions specified in the SCM plan?
- Are the version numbers of items according to the SCM plan?
- Have all items been put in the repositories according to the events defined in the SCM plan?
- Do the items have required documentation to identify the item, version and the change history?
Change Implementation Audit:
- Have all the required CRs been closed?
- Do CRs identify all items to be changed?
- Have all items identified for change in the CR been changed?
- Is it possible to isolate the changes between any two versions of the items?
- Is the documentation in the items adequate to trace the changes back to the appropriate CR?
- Is there an adequate means to go back to a previous version?
- Are there any changes between two versions of an item that are not traceable to an approved CR?
- Are the CRs documented before making changes in items?
- Are CRs analysed, evaluated and approved before the change is made in items?
Other aspects to Audit:
- Have appropriate backups of the repositories been taken?
- Has recovery from backup been tested?
- Are there any unauthorized components available in the working directories of the team members?
- Is there adequate security/authorization to ensure that only authorized team members perform the check-in and check-out?