How to Survive a Project Management Audit
Rakhi Henderson
CISA, CGEIT, CRISC
Principal Consultant
Entegrity Consulting Group
December 4, 2014
Today’s Objective
Learn the role of a project auditor and how they help the business.
Share tips on what auditors seek from project managers when conducting
project reviews.
Explore how a project audit can help a PM.
Tips to navigate the audit process so it’s a win/win situation for everyone!
Have you ever felt like this?
“Bob, do you have time for a project audit?”
Definition of Audit
The Institute of Internal Auditors (IIA) definition:
“An independent, objective assurance and consulting activity designed to
add value, and improve an organization’s operations. It helps an
organization accomplish its objectives by bringing a systematic,
disciplined approach to evaluate and improve the effectiveness of risk
management, control, and governance processes.”
“Audit” derives from the Latin word “audire”, meaning “to hear”, which implies
objectivity, not inspection and judgement.
An audit under any other name (i.e., review or assessment) is still an audit.
Source: www.theiia.org
Types of Project Audits and their Benefits
Process Audit – PMO practices and methods
Financial Audit – expenses, costs of a project, financial impacts to
financially material systems
Regulatory Audit – assuring adherence to regulations (i.e., AML, FATCA)
Systems Audit – application, infrastructure, security and technology controls
SOX (Sarbanes-Oxley) Audit – impacts to business critical systems
Project Management Audit – assessing the Project Life Cycle
All provide assurance to stakeholders that everything is on track.
Assurance: a positive declaration intended to give confidence in something.
So What is a Project Audit?
What is a Project Audit and why is it good for a project?
Project Health Check – like a physical
Recommendations are like vitamins to boost the immunity of the project
Should be like this…
Not like this…
So don’t sweat….
The mere thought of a project audit doesn’t have to bring sweat to
your brow.
Project audits are supposed to help a project manager deliver the
project as smoothly as possible.
Uncertainty is a Certainty
The most certain thing about Project Management is the uncertainty of the
moving pieces.
As projects struggle to keep up with the quicksilver pace of business, there
is always the risk that something won’t go as planned.
Risk Management is at the core of project management.
This is when a Project Auditor can become a Project Manager’s best friend.
Let's see how…
How Project Audit Came to Be
[Timeline figure: 1950s, 1960s, 1970s, 1980s, 1990s, 2000s]
Businesses and shareholders demanded assurance that their processes were efficient and in control.
Enron, Worldcom, AOL, Lockheed, Sybase, Xerox = SOX
The Birth of the Project Auditor
Companies were investing millions of dollars in projects to
increase revenue and efficiencies.
A great deal of money and resources were allocated but the
progress of the projects was unclear.
Technology made it easier to commit fraud.
Shareholders and stakeholders demanded more assurance.
New role emerged within the Project Management and Internal
Audit professions: the Project Auditor.
Role of the Project Auditor
The Project Auditor provides stakeholders with an impartial assessment of:
the project management function (cost, schedule, scope or quality)
the processes for dealing with project risks
the quality of the work performed by the project management teams.
The goal is to uncover the true status of a project and provide confidence
that it will implement on time while delivering what the business needs.
For the organization, this means cost savings if issues on a major project are
uncovered early.
For the project, the audit helps ensure everything is on track and is an
opportunity to put things in order if they are not.
For the project manager, this can be a learning experience.
What the Project Auditor doesn’t do
The project auditor is an independent assessor. They do not:
Tell the Project Manager how to run the project.
Prepare project documentation.
Provide project approvals or sign-offs.
Penalize the project team with the number of findings.
Do anything that compromises the objectivity of the audit.
Many moving parts to a project and many people involved in the
process……
Don’t Take a Project Audit Personally
It isn’t a criticism of the Project Manager but an objective overview of how
the project is doing.
Every area that is involved in the project can come under scrutiny (includes
the project team, business, sponsor, IT, other support areas).
The auditor can escalate issues when necessary so the organization can make
prompt decisions to cancel the project, change the scope or project
manager, or to increase the funds.
The Typical Audit Lifecycle
[Lifecycle diagram]
Planning & Preparation
ASK open-ended questions – LOOK at what is going on – LISTEN – CHECK the documents – RECORD the facts
Report the Findings
AGREEMENT - ACTION - CLOSE OUT
Project Auditors are well
versed in Project
Management best
practices.
A Project Audit duration
varies depending on
scope. Could be 1 week to
2 years. Or more.
Project Audit Steps
Planning
• Scope of Audit
• Engagement Letter
• Pull List
• Opening Meeting
Fieldwork
• Attend Meetings
• Interviews
• Review documents
• Analyze state of work
Reporting
• Closing Meeting
• Draft Report
• Final Report
• Action Items
An audit is a planned visit and is rarely a surprise.
Plenty of lead time is given for both the PM and Auditor to prepare.
Engagement during the Project Lifecycle
Source: http://onbridge.com/project-lifecycle-management/
Governance & Control
Auditor participates throughout the
Project Lifecycle and looks for:
• Whether the right people are at the
table
• Variance from the plan/scope
• Significant “slippage”
• Discrepancies in perspectives
• Adherence to best practices or
standards
• Completion of project documents
• Level of cooperation between
stakeholders
It is easier to "survive" a project audit when the auditor comes in early!
Typical Documentation Requested
Business Case, Project Charter, Statement of Work, Schedule & Plan,
Budget
Project Risk Management and Mitigation Plan
Communication and Business Change Management Plans
Evidence of Project Controls – Minutes, Agendas, Risk Assessments,
Change Requests, Issues Tracking, Status Reports
Documents approved by the correct authorizer
Access to project collateral storage area – SharePoint, Network Drive,
project management tool.
The Audit Report
The goal is to identify areas that work well and areas where improvements can
be made – not to focus on past mistakes.
There may be several versions of the audit report before it’s finalized.
Nothing in the audit report should be a surprise to the PM or management.
Surprise Audits are rare. They could occur when:
Management thinks the project is in trouble, heading for trouble or if they
are uncertain of its status.
There is a change in project management midstream.
There is suspicion of fraudulent or inappropriate activity.
Project Audit “IF” Statement
IF the project has a good foundation (i.e., Project Charter) and
IF the project manager has a grasp of the schedule and budget required
to complete the work and
IF the project manager is proactively managing the schedule,
budget, risk, scope, quality, communication, etc.
» there is a HIGH PROBABILITY the project will be
successful.
Common Project Risks
Unclear Accountability and Sponsorship
Poor / slow decision making
Poor / no scope definition, scope creep, scope changes
Lack of Communication
Failure to manage project risk - unknown interdependencies
Inadequate attention to change management
Unrealistic deadlines and expectations
Failure to engage End-User and other departments upfront
Lack of co-operation between business areas / departments
Poor vendor management and use of consultants
Team inexperience / competence
Inadequate knowledge transfer to business
How Project Audits Can Help
Help identify when a project is about to go off-course.
Provide early problem diagnostics.
Point out scope creep.
Save costs by uncovering issues upfront.
Objectively evaluate performance of the project team.
Reconfirm feasibility of and commitment to project.
Increase customer and stakeholder confidence that the project is on track.
A second set of eyes can….
Risk Management
Two areas where project auditors can assist Project Managers are Risk
Management and Information Security.
This may be less of a benefit in organizations like banks that have very
mature project processes and ensure those skill sets are already available
to the project. But for other organizations, such as government, the project
team may be missing these skill sets.
Projects tend to treat Risk Management as a one-time activity: they identify
risks and make an assessment but don’t put mitigation plans in place. The risk
assessment just sits there gathering dust.
Information Security
Auditors can assist in getting Information Security involved early so there
are no surprises later.
Retrofitting information security controls is more expensive and less
effective than if the project included Information Security controls in Project
Requirements and Design documents.
Observation: the later Information Security is involved in a project, the
greater the chance the project will be late and exceed budget.
How to Make the Auditor Happy
1. Understand the purpose of the audit.
Increasing shift to focus on business outcomes.
A project can deliver what's been approved but may not meet the business
needs if the business asked for the wrong thing.
2. Keep your story straight.
Project Managers are not our only source of information.
It doesn’t look right when the Project Manager is communicating one thing but
we are hearing a different story from others (i.e., the line of business or other
executives).
3. Make time for the Auditor.
If Project Managers aren’t making the time, auditors will use other sources of
information, including escalating to the sponsor.
Tips for a Successful Project Audit
Think about how the Audit will help you.
You can leverage a project audit to bring attention to issues and risks so
management can supply the necessary resources to address them.
Review the Pull List to understand what the Auditor is looking for.
Make adjustments to your management and documentation style so you can
answer “yes” to any of the questions.
If one of the questions is “Are regular meetings held that review status,
financials and issues?” then make sure your minutes have those points listed.
Reach out and say Hi.
Meet with the Auditor beforehand to get a better understanding of what they are
looking for.
Prepare the team for the Auditor's arrival. It shouldn’t be a surprise.
Be positive and explain the process to them.
Tips for a Successful Project Audit
Evidence, evidence, evidence. Ensure documentation is up to date and
readily available.
Don't be afraid of showing other evidence which meets the intent (or spirit) of the
control.
For example, a charter may not follow a standard template but if the same
information is documented somewhere else it can be an acceptable alternative.
Understand the findings and negotiate the finding level.
Ask for clarifications to avoid miscommunications.
Honesty is the best policy - always be truthful.
When dealing with Project Auditors
Make sure auditors know the full story. For example, if company procedures
weren’t followed, written documentation showing approval for the variance
can go a long way in making your case.
Document decisions and action items from Audit meetings.
Ask for a copy of the audit program that defines the scope, objectives and
steps the auditors will follow. They may provide it!
Establish the lines of communication between your team and the auditors
and how you will delegate tasks.
Schedule periodic meetings to discuss their observations and present your
viewpoint.
Be ready when the auditor follows up on action plans. Depending on the
quantity and severity of the findings, corrective action plans can be time-
consuming.
Red Flags
Do not try to underestimate the project auditor or pull the wool over their eyes!
Auditors are trained to sense this and doing so will raise immediate suspicion.
Personally, I can tell if a project is challenged in my first meeting, without
looking at any documentation.
My Red flags
Refused access or given limited view to a project's document repository (e.g.
SharePoint). Assumption: the project is trying to hide something, or that the
repository does not exist or is a mess.
Not invited to key project meetings. Assumption: The project is hiding
something.
The Green Dashboard. Project Managers tend to be perpetually optimistic as to
what they can accomplish and are reluctant to report anything as "yellow" let
alone "red". If I see a project reporting every category as "green", that is a "red"
flag for me.
Project Audit Observations
Poor project planning – lack of or minimal Project Charter and Plan
Poor Risk management – lack of issues tracking; issues not escalated
Lack of Accountability: Stakeholders and decision makers absent from key
meetings and don’t sign-off on decisions
Poor Project Morale - overworked, vacation, stress leaves
The Green Dashboard Syndrome
Failure to Disclose: Fudging reports
Executive status reports are different from Project status reports
Poor Vendor Selection & Management process
Poor financial management – lack of overtime tracking, no cost benefit
analysis, earned value not present
Project Audit Observations
Project management methodology and tools – either too complicated to
follow or too busy to try.
Project Management Tracking System was not current – unreliable.
Poor project collateral management: poor version control, red-marked,
drafts, no final versions, collateral is on C: drives rather than shared area,
absence of supporting documentation.
Poor communication and transparency – team doesn’t know who is working
on what.
Lack of minutes and action item tracking.
Project starts before stakeholder sign-off.
Projects are in development before requirements are finalized.
Design starts before business sign-off.
Lack of Lessons Learned – continue to make the same mistakes.
Collaboration Wins
Auditors, like Project Managers, want to complete the audit on time and
move on. Be available for them so they can move things along quicker.
The more Internal Audit and Project Management collaborate, the more
chance the project will implement on time within the established controls.
The payback of an audit is likely to exceed costs if the recommendations
are acted upon on time.
As the Project Management industry standardizes and grows, the
partnership of Audit and Project Management will enable profitable results
for employees, businesses and shareholders alike.
The result is a win/win solution for everyone!
Leverage the Benefits of Your New Relationship
RECAP:
Think about how Project Audit could help you
Communicate with the Auditor and the team
Honesty is the best policy
Learn from the experience
Keep in touch even after the audit – you may cross paths again!
PM Proverbs
The bitterness of poor quality lingers long after the sweetness of meeting
the date is forgotten.
What is not on paper has not been said.
If you fail to plan you are planning to fail.
If you don't attack the risks, the risks will attack you.
A little risk management saves a lot of fan cleaning.
The most valuable and least used word in a project manager's vocabulary is
"NO".
The most valuable and least used phrase in a project manager's vocabulary
is "I don't know".
Recommended Reading
McKinsey Report – Failure of Large Projects
http://blogs.gartner.com/mark_mcdonald/2012/10/29/mckinsey-report-highlights-failure-of-large-projects-why-it-is-better-to-be-small-particularly-in-it/
Gartner Group – 3 Reasons why Government Projects Fail
http://www.gartner.com/newsroom/id/2790817
Oracle White Paper: The Benefits of Risk Assessment for Projects, Portfolios, and Businesses
http://www.oracle.com/us/products/applications/042743.pdf
Questions?
For more information, contact
Rakhi Henderson, CISA, CRISC, CGEIT
Principal Consultant
Entegrity Consulting Group
rhenderson@entegrityconsulting.org
www.entegrityconsulting.org