Measuring Capability Maturity Before Outsourcing Projects to Software Companies

Moving information technology (IT) work to offshore companies is popular and controversial. With 74 percent of purchasers satisfied with their outsourcing efforts and 64 percent expected to increase their use of service providers in the future, according to a 2004 DiamondCluster International survey, IT outsourcing is here to stay. As a result, organizations have to invest in managing sourcing risk throughout the life cycle of their relationships with their external service providers (ESPs).

Organizations manage sourcing risk by developing a clear understanding of their requirements, designing measures to standardize and monitor vendors' performance, and integrating these controls with their IT governance and management practices. Being proactive at the vendor selection stage is an important success factor that determines the effectiveness of the sourcing risk management program, the value of outsourcing deals and the likelihood of unforeseen problems arising. Trends in ESPs' adoption of capability maturity models, a popular classification of best practices, provide a helpful illustration, showcasing contributions that IT auditors can make and highlighting practical steps that companies can take to be successful.


Best practices for outsourcing software development

An immediate benefit of moving application development to an offshore ESP is lower labor costs. Outsourcing can also improve flexibility by reducing headcount and linking service provider payment to projects with deliverables. Over the next 5 years, relatively high wage inflation for IT specialists will reduce the labor cost advantage that popular offshore locations enjoy today. Moreover, language barriers, travel costs, higher-than-planned overhead to manage outsourcing relationships and other factors can unexpectedly increase outsourcing costs.

While many ESPs use their labor cost advantage as a door opener, they tend to promote sustainable advantages related to provisioning application development from a software factory serving a large client base. Demonstrating superior capabilities helps ESPs overcome skepticism that moving offshore is a long-term risk. Very often their marketing strategies stress quality, and an increasing number of ESPs are establishing internal quality management programs, basing them on best practices and evaluating their internal controls with the goal of passing a key benchmark that the market will recognize and trust.

For any organization, a commitment to quality can have a positive impact beyond adding to brand equity. GE's adoption of Six Sigma and its contribution to top- and bottom-line performance are legendary. The Software Engineering Institute at Carnegie Mellon University (Pennsylvania, USA) reports that investment in adopting software development best practices can pay dividends. It reports that many companies experience performance gains of 35 percent, defect rate reductions as high as 90 percent and a positive return on investment. Realizing these benefits depends on how the adoption of best practices is carried out.


An Overview of Capability Maturity Models

Capability maturity models go back to the 1980s, when the US Department of Defense contracted with Carnegie Mellon University to establish the Software Engineering Institute (SEI) as a means of improving applications developed for defense work. The Software Engineering Institute published the Capability Maturity Model for Software (CMM-SW) in 1991 and various models since then, culminating in the release of the first version of the Capability Maturity Model Integration (CMMI) framework in 2002. CMM-SW is the most popular capability maturity model today; however, many organizations will switch to CMMI over the next couple of years since it is the standard that the Software Engineering Institute will support in the future.

Capability maturity models support process benchmarking and continuous improvement by defining 5 levels of process maturity:

Level 1: Initial: Application development is ad hoc or chaotic. Processes are poorly defined and undocumented. Project success is a result of individual efforts.
Level 2: Managed: Projects employ basic processes to track costs, schedules and performance, with processes institutionalized throughout software groups. Formal adoption of techniques to measure performance has occurred and is an input to managerial activities.
Level 3: Defined: Application development and other IT processes are documented, standardized and integrated organization-wide, with projects always using a version of these standard processes.
Level 4: Quantitatively managed: Application development projects and processes are measured quantitatively, and managers use statistical process control methods to achieve and maintain high levels of quality.
Level 5: Optimizing: Quantitative management tools and techniques allow continuous improvement of processes and progress in the delivery of application development services to the business.

Each maturity level has a set of performance requirements. At the highest level, there are key process areas. A key process area contains a broad set of internal control criteria that are critical to quality. For example, the second maturity level in CMMI and CMM-SW has key process areas for requirements management, project planning and configuration management. Each key process area has a set of goals that is specific to a type of internal control or a general characteristic of having mature processes. For example, the CMMI requirements management key process area has a specific goal for managing requirements and identifying inconsistencies with project plans and work products. A generic goal for the second maturity level, to ensure processes are institutionalized as a managed process, applies to requirements management and all other key process areas.


Lessons Learned for IT Auditors

IT auditors can play a unique and important role in educating application development stakeholders about best practices and promoting the benefits of sourcing risk management when outsourcing is on the management agenda. In particular, IT auditors can add value by:

  • Serving as an objective, independent risk advisor to audit stakeholders and senior management (e.g., members of the IT steering committee).
  • Working through internal audit processes and with IT managers to help ensure that outsourcing plans are sensitive to the risks inherent in outsourcing and that those risks are mitigated through a sound vendor selection strategy, due diligence and continuous performance monitoring.
  • Carrying out independent verification and validation of the vendor selection strategy that will guide the process of choosing an ESP and the criteria for relying on maturity level ratings disclosed by prospective providers in their proposals.
  • Taking part in the vendor evaluation process in a manner that provides assurance to key stakeholders that due diligence is well executed, controlled and thorough, and that the overall vendor selection process is disciplined.
  • Factoring outsourced application development functions and projects into the annual risk assessment and audit plan that guides IT audit activities.
  • Reviewing and offering feedback on performance measures and processes used to monitor ESP performance, so that sourcing risk management continues to be effective.
  • Incorporating capability maturity models into the IT audit methods used to review projects and processes.


More than any other group of IT professionals, IT auditors have a unique perspective on the value of process discipline, the value of best practices and the need for professional skepticism when ESPs market compliance with best practices as evidence of their ability to deliver high-quality services. Generally speaking, the role of the IT audit function is critical to quality, and its value will grow in the future as enterprises come to depend more on technology while being subject to stricter requirements for internal control, quality and cost-effectiveness.


Source: ISACA
