DCOM204_AUDITING_THEORY
Unit 2: Auditing Practices
4. Recalculating Notes
5. Reconciliation
6. Inquiry
7. Inspecting
2.7.2 Accumulating and Evaluating Evidence
Reviewing a function point count to ensure counting guidelines were followed would be
considered a compliance audit. The purpose of a compliance audit is to determine whether the
function point counts follow specific procedures and guidelines set down for the Counting Practices
Committee. The results of a compliance audit are generally reported to someone within the
organizational unit being audited rather than to a broad spectrum of users.
Evidence is defined as any information used by the auditor to determine whether the function point
count being audited is in compliance. Evidence can take many different forms: the function point
count, system documentation, conversations with developers and users, and interviews with
individuals who conducted the original count. The auditor gathers evidence to draw conclusions.
Of course the function point count itself can be used as evidence, but using the function point
count alone would be severely inadequate. It is impossible to determine the accuracy of a
function point count without evaluating additional evidence.
Notes: If an auditor were given the task of auditing a company with 500,000 function points,
it would be impossible to review every count. The auditor may select only 20 or 30
applications to actually audit. The actual sample size will vary from auditor to auditor and
audit to audit. The decision of how many items to test must be made by the auditor for
each audit procedure. There are several factors that determine the appropriate sample size
in audits. The two most important ones are the auditor's expectations of the number of
errors and the effectiveness of the client's internal function point counting procedures.
Additionally, the evidence must pertain or be relevant to the audit. The auditor must be
skilled at finding areas to test or review further. For example, the auditor may determine during
conversations that there was some confusion about external inputs and external interface files.
In this case, the auditor would review the actual system documentation and the function point
count to ensure that all the external inputs and external interface files were treated correctly.
Another example would be that the function point counter had never counted a GUI application.
The auditor would review a series of screens and determine if the original counter had correctly
counted such items as radio buttons, check boxes, and so on.
The evidence must be considered believable or worthy of trust. If evidence is considered highly
trustworthy, it is a great help in assisting the auditor with a function point audit. On the other
hand, if the evidence is in question, such as incomplete documentation (or old documentation),
then the auditor would have to scrutinize these areas of the count more closely. Additionally,
the auditor should make note in the final report of any evidence that they requested and that the client
was not able to provide.
All evidence should be evaluated based upon valuation, completeness, classification, rating,
mechanical accuracy, and analytical analysis.
1. Valuation: The objective deals with whether items included in the function point count
should have been included. Perhaps the original function point count included additional
transactions or files that should not have been included.
LOVELY PROFESSIONAL UNIVERSITY