The following ten knowledge categories describe the Common Body of Knowledge that
an individual must master to obtain a certification in software quality assurance (CSQA):
• Quality concepts and practices—an overview of the more prevalent concepts,
approaches and practices used by quality professionals to implement and improve
quality. These include:
1. the PDCA Cycle (Plan-Do-Check-Act)
2. the Cost of Quality
3. Six Sigma Quality
4. Baselining and Benchmarking
5. Earned Value
• Quality control and quality assurance—understanding the difference between
quality control and quality assurance, definitions, activities, and processes.
• Quality pioneers' approach to quality—includes quality pioneers such as Dr. W.
Edwards Deming, Philip Crosby, and Dr. Joseph Juran.
2. Code of Ethics
3. Open communication
4. Implementing a mission, a vision, goals, values and a quality policy
5. Monitoring compliance to organizational policy and procedures
6. Enforcement of organizational policies and procedures
application of quality assurance practices in support of the strategic quality direction of
the organization. The quality practitioner should understand the importance of a quality
function, how to implement a quality function and how it matures over time, as well as
how to create a quality plan, the use of quality tools, process deployment, and
differentiating between internal auditing and quality assurance.
• Establishing a Function to Promote and Manage Quality
1. Why an IT Quality Function is Desirable
2. The Challenges of Implementing a Quality Function
3. How the Quality Function Matures Over Time
4. Support in Corporate Quality Management Environment
5. Implementing an IT Quality Function
• Quality Tools
1. Statistical Tools
2. Management Tools
• Process Deployment
1. Getting Buy-in for Change Through Marketing
2. The Formula for Effective Behavior Change
(behavior = individual + environment)
3. The Deployment Process (assessment, strategic, tactical phases)
4. Critical Success Factors for Deployment
10. Aligning IT Plans to Organizational and User Plans
11. Strategic Planning Process
Knowledge Category 7: Quality Control Practices
Quality control practices should occur during product development, product acquisition,
product construction at the end of development/acquisition, and throughout product
change and operation. During development, the quality control process is frequently
called verification; at the conclusion of development, it is called validation. This
category will address the various types of controls and when they are best used in the
process. The quality practitioner should also be familiar with verification and validation
techniques, the framework for developing testing tactics, change control and
configuration management.
• Testing Concepts
1. The Testers’ Workbench
2. Test Stages (Unit, Integration, System, User Acceptance)
3. Independent Testing
4. Static vs. Dynamic Testing
5. Verification vs. Validation
6. Stress vs. Volume vs. Performance
7. Test Objectives
8. Reviews and Inspections
• Verification and Validation Techniques
1. Verification Techniques (reviews, code walkthroughs, requirements
tracing)
2. Validation Techniques (white box, black box, incremental, thread,
regression)
3. Structural and Functional Testing
• Software Change Control
1. Software Configuration Management
2. Change Control Procedures
• Defect Management
1. Defect Management Process
2. Defect Reporting, including metrics
3. Severity versus Priority
4. Using Defects for Process Improvement
data is valued and reliable, and presented to management in a timely and easy-to-use
manner. Measurement can be used to gauge the status, effectiveness and efficiency of
processes, customer satisfaction, product quality, and as a tool for management to use in
their decision-making processes. This category addresses measurement concepts, the use
of measurement in a software development environment, variation, process capability,
risk management, the ways measurement can be used and how to implement an effective
measurement program.
• Measurement Concepts
1. Standard Units of Measure
2. Metrics
3. Objective and Subjective Measurement
4. Types of Measurement Data (nominal, ordinal, interval, ratio)
5. Measures of Central Tendency (mean, median, mode, etc.)
6. Attributes of Good Measurement
7. Using quantitative data to manage an IT Function
8. Key Indicators
• Measurement in Software
1. Product Measurement (size, complexity, quality and customer perception)
2. Process Measurement
• Variation and Process Capability
1. Common and Special Causes of Variation
2. Variation and Process Improvement
3. Process Capability
• Risk Management
1. Defining Risk
2. Characterizing Risk (situational, time-based, interdependent, magnitude
dependent, value-based)
3. Identifying, Analyzing, Prioritizing, Responding to, Resolving and
Monitoring Risks
4. Software Risk Management
5. Risks of Integrating New Technology
Knowledge Category 9: Internal Control and Security
Privacy laws and increased accessibility to data have necessitated increased security.
Accounting scandals and governmental regulation such as the Sarbanes-Oxley Act have
placed increased importance on building and maintaining adequate systems of internal
control. The quality assurance function can contribute to meeting those objectives by
assuring that IT has adequate processes governing internal control and security.
• Principles and Concepts of Internal Control and Security
1. Understand internal control and security models. The current model that is
most accepted by US corporations is the COSO (Committee of Sponsoring
Organizations, composed of five major accounting and audit associations)
model. (Note: there is an equivalent counterpart to COSO in Canada called
CoCo, Criteria of Control.) Many IT organizations use CobiT (Control
Objectives for Information and related Technology), which is a popular
and internationally accepted set of guidance materials for IT governance,
developed by the Institute for Security Control and Audit.
2. Build the System of Internal Controls—the process for building the system
of internal controls in software is:
a. Perform risk analysis—determine the risks faced by the
transactions/events processed by the software.
b. Determine the controls for each of the processing segments of
those transactions, including:
i. Transaction Origination
ii. Transaction Entry
iii. Transaction Processing
iv. Database Control
v. Transaction Results
c. Determine whether the identified controls are adequate to reduce
the risks to an acceptable level.
d. When all components of the control system are present and
functioning effectively, the internal control process can be deemed
“effective.”
• Risk, Internal Control and Security Models
1. COSO Enterprise Risk Management Model (ERM)
2. COSO Internal Control Model (includes security) or equivalent
• Building Controls into Software Systems
1. Controlling Transaction Error Origination
2. Controlling Transaction Entry
3. Controlling Transaction Communication
4. Controlling Transaction Processing
5. Controlling Databases
6. Controlling Transaction Output
• Assuring Adequacy of Internal Control and Security
1. Internal Control and Security Awareness Training
2. Creating an Environment that Supports Control and Security
3. Control and Security Policies
4. Identifying Points of Security Penetration
5. Control and Security Practices