Commercial Off-the-Shelf Software (COTS)
In addition to developing customized software, users may consider COTS solutions. Using COTS has advantages and disadvantages, and auditors need to understand the risks that come with relying on it. One advantage is that development time can be faster. The software can provide more user functionality than custom software and may be flexible enough to accommodate multiple hardware and operating environments. Also, help desk support can be purchased with the commercial license, which can reduce software operations and maintenance costs.
Among the drawbacks to COTS are the learning required to use it and the effort of integrating it into the new program’s environment. In addition, most commercial software is developed for a broad spectrum of users, so it tends to address general functions. More specific functions must be customized and added. Custom code may be required to enable the software to interact with other applications. Because the source code is usually not provided to customers of COTS, it can be challenging to support the software in-house. When upgrades occur, the software may have to be reintegrated with existing custom code. Thus, commercial software will not necessarily be an inexpensive solution.
Estimators tend to underestimate the effort in integrating and implementing off-the-shelf software. For example, requirements definition, design, and testing of the overall system must still be conducted. Poorly defined requirements can result in less than optimal software selection, necessitating the development of new code to satisfy all requirements. This unexpected effort will raise costs and cause program delays. In addition, adequate training and access to detailed documentation are important for effective use of the software.
Commercial software may be released with minimal testing, causing unpredictable problems such as defects and system incompatibilities. When this happens, additional time is needed to analyze the cause of failures and fix them. Software developers can address these issues, but doing so takes time. Therefore, the cost estimator should identify and estimate adequate planning to ensure that enough time and resources are available for correcting failures.