Post on 13-Mar-2018
Retail Audit Forum National Exhibition Centre
PROJECTS AND INTERNAL AUDIT
TIM FOSTER
17 OCTOBER 2013
• How should projects be audited?
• Should internal audit sit on the project team?
• How should audit report their findings?
• Does the traditional approach work?
• How to balance internal audit independence and adding value to the project.
“A unique transient endeavour undertaken to achieve a desired outcome.”
ASSOCIATION FOR PROJECT MANAGEMENT (APM)
PROJECT CHARACTERISTICS
• One-off activities
• Have a purpose with clearly-defined aims
• Create defined project deliverables
• Aims must be achievable and measurable
• Are limited in time – with a defined beginning and an end
• Require a defined amount of resources
• Need to be managed by a defined organisation with clear roles and responsibilities
• Always involve some uncertainty and risk
PROJECTS CAN BE ASSESSED AND ARE OPEN TO EVALUATION
COST
QUALITY
A PORTFOLIO, PROGRAMME OR A PROJECT?
[Diagram labels: PROGRAMME, PORTFOLIO]
WHAT CAN GO WRONG?
• Failure to deliver a project on time and to critical deadlines
• Fail to stay within budget
• Does not meet all of the criteria for success / quality
• Do not achieve the stated benefits
• Balance - completion vs. benefits and benefits vs. time and cost
• Impact:
– Market opportunities
– Growth potential
– Financial performance
– Improved services
– Regulatory compliance
– Reputation
– Confidence
WHY DO PROJECTS FAIL?
• Poor estimations and planning
• Missed deadlines
• Scope creep
• Increasing complexity
• Insufficient resources and budget
• Lack of clarity as to stakeholder needs
• Poor communications
• Weak project governance
• Inferior quality of deliverables
• Collaboration across geographies, differing cultures etc
• Deteriorating motivation
UNWILLINGNESS TO PULL THE PLUG
WHY INDEPENDENT ASSURANCE?
• Provide an unbiased / outside-in view
• Eyes and ears for stakeholders
• A true picture of a project’s status - real time feedback
• Highlight potential issues
• Challenge projects risks - reduce risk exposure
• Assess governance mechanisms
• Help mitigate losses
• Benchmarking and insights – what we have seen work well (and not work well) elsewhere
• Promote transparency
• Provide comfort
WHAT IS PROJECT ASSURANCE?
• Business assurance - checking project remains viable in terms of costs and benefits
• User assurance - checking users' requirements are being met
• Quality assurance - ensuring standards and procedures
• Technical assurance - project is delivering a suitable solution
WHO IS PROVIDING ASSURANCE?
SOURCES OF ASSURANCE
Table column groups: RISK | TYPES OF PROJECT ASSURANCE | TYPES OF EXTERNAL ASSURANCE
Table columns: No., Description, Rating, Board, PMO, PMs, Techs, Plans, Project Assurance, Internal Audit, Regulator, Advisors, 3rd parties
Table rows: Risk 1, Risk 2, Risk 3, Risk 4, Risk 5, Risk 6
• Understand who provides assurance to the project
• Scope of work
• Recipients of assurance
• Quality of the assurance
INTERNAL AUDIT’S ROLE IF PROJECT ASSURANCE EXISTS
• Assurance over reliability of project assurance activities
• Advice to those providing project assurance
– Guidance
– Approaches / testing
– Templates
– Reporting
• Consulting over process and controls design
INTERNAL AUDIT’S ROLE AS PROJECT ASSURANCE
• Project governance review (e.g. design and operation of standards applied to the project)
• Validate business case (e.g. extent, approach, outcomes)
• Assess ongoing financial viability
• Risk assessment (e.g. identification and mitigations)
• Go-live decision (e.g. assessments, testing)
• Benefit realisation (e.g. test success and achievement of requirements)
• Single point in time healthcheck of project processes
• Snapshot of project status
• Validate design of new systems, processes, controls and frameworks
• Provide advice (e.g. benchmarking, insights etc)
• Post implementation review (e.g. lessons learned)
• Continuous monitoring of project status, processes and validation (e.g. embedded project assurance)
QUESTION:
What is your internal audit team’s current role on projects?
WHAT SHOULD PROJECT ASSURANCE COVER?
• Project governance, including policies, procedures and controls
• Business case - valid, viable, worthwhile
• Project planning - critical path, completeness, suitability
• Change management – adherence of control, timeliness
• Risk and issue management – depth, coverage, resolution
• Project costs – actual vs. budget
• Sign-off and criteria for stage gates
• Approach to vendor management – contracting, dependencies
• Business readiness – pre-go-live
• Project communications - accuracy, detail, honesty
• TIME - variance against milestones
• COST - variance against planned budget
• QUALITY - degrees off the quality target
• SCOPE - variance agreed against what will be delivered
• RISK - limits on identified risks as a percentage of the overall budget
• BENEFIT – variance against level of benefit identified as part of the business justification
WHEN SHOULD INTERNAL AUDIT GET INVOLVED?
• Dependent on type of assurance
• Get involved as early as possible
• Join project board - opportunity to influence decisions as trusted advisor
• Initiation stage – business case reviews, design of governance controls
• When can add most value (e.g. prior to “go live”)
• Surprise audits – healthchecks, snapshots etc
• End of project life – post implementation reviews
WHEN SHOULD INTERNAL AUDIT GET INVOLVED?
[Diagram: project lifecycle stages and audit review points]
• Stages: SETUP, CONTROL, CLOSURE
• Setup labels: Business Case; Define the programme; Source the Project Managers; Prepare the Programme Initiation Document; Define the programme organisation; Define the project; Set up the project team; Prepare the Project Initiation Document; Define the project organisation
• THE CONTROL CYCLE: Do work; Measure progress; Identify deviations; Address deviations
• Cycle labels: Schedule; Costs; Benefits; Risks; Opportunities; Issues; Change; Reviews
• Closure labels: Terminate project; Close completed project; Post-Implementation Review; Project removed from project portfolio; Project completed; Project found to be no longer viable
• Audit review points: Business Case Review; Project Initiation Review; Design Consulting / Review; Healthcheck Review (shown three times); Go-live Review; Benefit Realisation Review; Post Implementation Review
WHAT TO WATCH OUT FOR
• Formality and documentation
• Clear links between project and key strategic priorities (lack of clear direction)
• Good understanding of project objectives/rationale
• Effective engagement with users and stakeholders
• Level of ownership, support and leadership (degree of importance)
• Depth of risk management (e.g. lack of a risk register)
• Level of properly skilled resources
• High turnover of project resources
• Rising costs
• Keeping to themselves – silence is not golden! (lack of openness)
QUESTION:
How much of your internal audit plan is dedicated to project assurance?
THE RISKS OF INTERNAL AUDIT INVOLVEMENT
• Compromise independence - audit activities that were the basis of the project
• Acting on behalf of management - be seen as part of the decision making (auditor sign-off)
• Too much onus on internal audit report and assurance - interpreted as ‘audit approval’
• Unsuitable resources and specialist skills to audit effectively and credibly
• Impact of project delays on internal audit plans
• Replicating project activities (e.g. testing, project assurance etc)
• Assessment findings delay project progress
• Focus on the wrong projects to audit
• Lack of stakeholder buy-in to audit / seen as a hindrance
RESOURCING PROJECT ASSURANCE
• Effective planning - enough resource with the right competencies
• Balance with ‘day to day’ internal audit work - fraud, IT, other business operations
• Extended resource model
– External specialists
– Operational secondees
– Peer reviewers
• Required skills:
– project management techniques (e.g. PRINCE2, BS 6079-1:2010)
– preparation of business cases
– project planning
– project risk management
– precision, clarity, speed, empathy
MOVING AWAY FROM TRADITIONAL AUDITING
• Transaction-based vs. process-based
• Financials focus vs. goal focus
• Compliance vs. performance improvement advisor
• Procedures vs. risk management
• Policy adherence vs. strategic change
• ‘What is’, ‘what was’ vs. ‘what will be’
• Balance traditional compliance needs and areas with significant impact to shareholder value
• Link scope to strategic themes and critical processes
• Need to be more dynamic and proactive
HOW SHOULD AUDIT REPORT THEIR FINDINGS?
• Needs to be timely
– Depends on project timeline
– When adds most value
• Flash reports vs. full audit reports
• Presentations to project board
• Live upload into issue logs and risk register
• Regular monitoring and follow up
How should projects be audited?
Should internal audit sit on the project team?
How should audit report their findings?
Does the traditional approach work?
How to balance internal audit independence and adding value to the project.
QUESTIONS?
Copyright © October 13 BDO LLP. All rights reserved.
Tim Foster DIRECTOR – RISK AND ADVISORY SERVICES BDO LLP e. tim.foster@bdo.co.uk