You should typically run the application audit on a dedicated machine, forcing the development team to hand over all required source code items (DLLs, certificates, ...). Even though the purpose of running an application audit is to gain insight into the quality of the application, it turns out that in most cases compilation is itself an issue, because of missing components, hardcoded values, etc. This is in itself a bigger risk when teams or ownership change.
Make sure to use an application auditing platform that provides meaningful dashboards to management: dashboards that are easy to interpret for IT-illiterate resources. When doing so, you have a sound basis for enabling discussions on the value of IT assurance, which is typically neglected as the focus is on creating a product and gaining market share.
Most developers have limited insight into the quality of their code. Quality is typically equated with the number of defects; however, application quality is much broader and needs to be looked at from different angles: transferability, changeability, robustness, performance and security.
A typical quality assurance process follows a four-step process, in which continuous improvement is key. An average exercise requires between 5 and 10 man-days of work. This cycle is typically repeated two or three times a year; however, most companies limit it to once a year due to time and budget constraints.
Quality assurance is important throughout the entire investment lifecycle. During the deal flow (investment) phase the focus lies on value assessment and risk mitigation, while during the growth / scaling phase the focus should be on continuous improvement / control and value augmentation. During divestment (exit), quality assurance is important to support the value assessment (vendor due diligence).
Several niche tools are available to assess the best practices applied in coding, depending on the technology used. However, some application quality tooling exists that covers multiple technology platforms. Most of these tools focus only on the code level, not on the database or application level.
Be aware that custom-developed code might be a risk in itself should your local IT boutique cease to exist. Mitigate this risk by assuring the future of your business-critical software applications. As a software user, you trust your supplier to provide support and maintenance for your applications. However, this dependence can represent a significant risk, particularly where business-critical applications are concerned. A trusted escrow agency can help you to eliminate these risks. Make sure to select an escrow agency that performs the necessary validations and checks. The source code for your licensed software, the expertise to implement it and the rights to your software belong to your software supplier or developer. This creates a potentially disastrous situation if the software fails and your software supplier is unable to carry on supporting and maintaining the product due to a merger, acquisition, legal dispute or insolvency.
An escrow agreement is a simple contract between a software supplier, an end user and an independent third-party escrow company, designed to mitigate this risk and protect all parties involved.
With escrow you can be sure that you can access the source code of your key software applications should you ever need to do so. This means that you will be able to use that source code to continue to maintain the software, either in-house or by engaging another supplier, whether for further bespoke software development or to fix any issues.
Setting up an escrow agreement is easy and done in three simple steps:
From a People / Process / Technology point of view, multiple maturity models can be applied (COBIT, CMMI, ...). When looking at the functional maturity of your product, a roadmap review or industry benchmarking can be executed together with a SWOT analysis and / or function point analysis. For the technical maturity of your product, an application audit can be performed.