What are the continuous assurance auditing activities that the organization will need to implement to help achieve CMMI Level 3
The word "auditing" doesn't appear in the model, other than "configuration audits."
The CMMI’s Process Area “Process and Product Quality Assurance” in v1.3, and “Process Quality Assurance” in V2.0, provide the primary guidance in the CMMI for continuous quality evaluations.
PPQA/PQA calls for “Objective Evaluation” of Processes and Work Products
(SP1.1 and SP1.2), and then management of the remediation, data collection, and corrections (SP2.1 and SP2.2).
In addition, the CMMI calls for a clear policy, resources, training, metrics, improvement, tailoring, and evaluation of the process/performance itself.
In this context, “Process” is behavior, and “Work Products” are artifacts/systems. You can’t perform these activities by just looking at documents - you’ll need to observe, interview, or talk with people.
As to scope, frequency, and duration, it depends on the context. Complex, high-risk projects should have broad, frequent evaluations, whereas long-term static programs probably can do something lighter.
The key to success on this is to focus on “how” people are doing their work. This is the most likely thing to help you success (or fail).
Jeff Dalton is author of Great Big Agile: An OS for Agile Leaders, and is a CMMI SCAMPI Lead Appraiser, AgileCxO Assessor, and Leadership Coach.