How to perform a Technical Audit on a software project?

What is a Technical assessment or Audit?

An assessment of whether the project meets the required standards in architecture and design, code quality, code maintainability and security, which also gives visibility into the overall quality of the project and its potential risks.

What is the output of the technical assessment?

A report that summarises the findings of the assessment and presents actionable recommendations, opportunities for improvement and the identified risks.

What should the technical assessment cover?

Architecture & design review
Review the existing project architecture, database structures and the libraries the project depends on, and identify potential risks in the existing architecture.

Check whether the following are available and evaluate their quality and level of detail:

• Architecture Goals, Risks, Constraints
• System level requirements
• Data level requirements
• System architecture overview
• Components overview
• Data flow between software components
• Interfaces of software components
• Data Security objectives

Code review
Review the codebase to understand its complexity, technical debt and quality: whether it is reliable and maintainable as it stands, or whether refactoring and code cleanup are required.

Check whether the following are available and evaluate their quality and level of detail:

• Coding standards, coding style, code formatting
• Unit Testing
• Design patterns, code modularisation, clear separation of UI and business logic
• Code documentation
• Code reusability, maintainability, testability (e.g. the ability to unit test properly)
• Branching strategies

Static code analysis & Software security check
Run the code through static code analysis using industry-standard tools (e.g. SonarQube) to identify critical bugs, code smells, the amount of code duplication, code security issues and other aspects of code quality.

Run the code through a security scan using industry-standard tools to identify security risks and vulnerabilities, in particular concerns related to storing sensitive user data, data encryption, error handling, logging requirements, cryptography and session management. Treat scanner output as input to the review rather than as its result: findings need manual triage for false positives, and automated scans do not cover design-level problems such as missing authorisation checks.

Check whether the following are available and evaluate their quality and level of detail:

• Code coverage and static analysis results
• Unit test coverage percentage
• Technical debt, number of code bugs and code smells
• Code documentation percentage
• Length of classes and methods
• Code duplication percentage
• Number and criticality of code security issues and vulnerabilities
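The metrics listed under the code review and static analysis sections above are usually produced by a tool such as SonarQube, but it helps to see what such a check does. The following Python script is an added example written for this page, not code from the page or from any analysis tool: it walks the AST of a Python module, computes documentation percentage, over-long functions and duplicated function bodies, and flags a few insecure patterns (hard-coded credentials, `eval`/`exec`, weak hashes, `subprocess` with `shell=True`). The threshold, the pattern list and the sample module it runs on are all assumptions made for the illustration.

```python
"""Lightweight code-audit helper: maintainability metrics plus a small
security pattern check over Python source. Added example for this page;
thresholds, pattern lists and the sample module below are assumptions."""
import ast

# Assumed threshold for reporting an over-long function (illustrative only).
MAX_FUNCTION_LINES = 30

# Assumed list of calls a security scan should flag (illustrative, not exhaustive).
DANGEROUS_CALLS = {"eval", "exec", "hashlib.md5", "hashlib.sha1",
                   "pickle.loads", "yaml.load"}
# Variable-name fragments that suggest a hard-coded credential.
SECRET_NAMES = ("password", "secret", "token", "api_key")


def _call_name(node):
    """Dotted name of a Call node's target, e.g. 'hashlib.md5' or 'eval'."""
    func, parts = node.func, []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def audit_source(source):
    """Return quality metrics and security findings for one module (a string)."""
    tree = ast.parse(source)
    defs = [n for n in ast.walk(tree)
            if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef))]
    documented = sum(1 for n in defs if ast.get_docstring(n))

    long_functions, groups, findings = [], {}, []
    for n in defs:
        if isinstance(n, ast.ClassDef):
            continue
        length = n.end_lineno - n.lineno + 1
        if length > MAX_FUNCTION_LINES:
            long_functions.append((n.name, length))
        # Duplication: identical bodies (docstring stripped, names ignored).
        body = n.body[1:] if ast.get_docstring(n) is not None else n.body
        key = ast.dump(ast.Module(body=body, type_ignores=[]))
        groups.setdefault(key, []).append(n.name)
    duplicates = [names for names in groups.values() if len(names) > 1]

    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in DANGEROUS_CALLS:
                findings.append((node.lineno, "dangerous call: " + name))
            if name.startswith("subprocess.") and any(
                kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                and kw.value.value is True for kw in node.keywords):
                findings.append((node.lineno, "shell=True in " + name))
        elif isinstance(node, ast.Assign):
            # Hard-coded secret: a credential-looking name assigned a string literal.
            if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
                for target in node.targets:
                    if isinstance(target, ast.Name) and any(
                            s in target.id.lower() for s in SECRET_NAMES):
                        findings.append((node.lineno, "hard-coded secret in " + target.id))

    return {
        "definitions": len(defs),
        "documented_pct": round(100.0 * documented / len(defs), 1) if defs else 100.0,
        "long_functions": long_functions,
        "duplicate_groups": duplicates,
        "findings": sorted(findings),
    }


# Constructed sample module for the demonstration (not real project code).
SAMPLE = '''
import hashlib, subprocess

DB_PASSWORD = "hunter2"

def hash_pw(pw):
    """Hash a password (weakly)."""
    return hashlib.md5(pw.encode()).hexdigest()

def run(cmd):
    return subprocess.run(cmd, shell=True)

def add(a, b):
    return a + b

def add_again(a, b):
    return a + b

class Repo:
    def save(self, obj):
        pass
'''

if __name__ == "__main__":
    for k, v in audit_source(SAMPLE).items():
        print(f"{k}: {v}")
```

On the sample module the script reports six definitions of which one is documented (16.7%), one duplicate group (`add` and `add_again`), and three findings: the hard-coded `DB_PASSWORD`, the `hashlib.md5` call and the `shell=True` subprocess call. A real audit would feed numbers like these into the report alongside the tool output, and every security finding would still be triaged by hand before it is reported as a vulnerability.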