Code audits: how to turn a gut feeling into solid knowledge


Nils Göde from CQSE


» Click here for the German version of the interview.

Daniela: What happens during an audit workshop?

Nils: First, we present a wide range of reasons for requesting an audit; then we talk about challenges and strengths that we frequently find when auditing systems. Then we explain our auditing approach, and in the fourth part of our workshop we sum up how our clients can benefit from audits.

Daniela: And – how do clients benefit from audits?

Nils: Audits create transparency. Many customers approach us because they have a gut feeling that there might be some kind of problem with their code or their software. But in many cases, this is just an abstract feeling. We transform this feeling into an objective result to create a solid base for our clients’ future decisions.

Daniela: What kind of clients are we talking about?

Nils: We are talking about clients from all industries and organizations of all sizes, from a DAX-listed group to a church. Some of them are clients that want to professionalize their software development. Sometimes they struggle with problems that occur when using or evolving their software. And still others are investors that want to acquire shares in a company but do not have enough know-how when it comes to software engineering, which is why they come to us for support. We have regularly been performing audits for the insurance company LV 1871 for around ten years now to provide them with an extensive overview of their software portfolio. In the investment industry we collaborate with the BayBG investment company, among others.

Daniela: Which misconceptions surrounding audits would you like to clear up?

Nils: People often assume that when we perform audits it goes something like this: “Something’s wrong here! Whose fault is it? How could you let it get this far?” But this is not how we typically operate. Usually, there are good reasons why things went the way they did. Thus, our approach does not entail digging into your past, trying to find somebody to blame. What matters to us is looking towards the future. We look for current challenges and propose matching solutions to ensure our clients’ systems are future-proof.

Daniela: Do you offer tips on how to approach different issues?

Nils: Yes, we outline possible solutions for each challenge we detect. At the end of the day, our audit is the starting point for dealing with quality in the long term. Unlike others, we have consciously decided not to offer modernizing our clients’ software ourselves in order to avoid any impression of a conflict of interest.

Daniela: Are audits consistently full of surprises?

Nils: Not in terms of approach. In order to avoid unpleasant surprises, we explain to our client in detail beforehand how we are going to perform the audit. In terms of results: Yes, very much so. We are often surprised ourselves when we look at the programming languages or technologies being used. Or when we see how frequently code is being tested manually instead of using an automated process. Even stakeholder interviews can be full of surprises. In this context, we guarantee all interviewees that they will remain anonymous. Sometimes issues will arise that nobody had expected – neither we nor our clients.

Daniela: Do clients sometimes give you feedback after an audit regarding next steps?

Nils: We are often told that all challenges detected during our audit are being further discussed at our client’s site and that many of them are being tackled. Naturally, this makes us very happy. One of our clients put it very nicely once: He compared our CQSE audit to a visit to the dentist. He said that at first, it hurts but then you are happy because it turned out to be really helpful. (laughs)
