Internal audit can play a significant role in helping an organisation achieve its strategic objectives in relation to project management. Our guide to auditing projects is organised into the sections identified below:
What is a project?
The difference between a portfolio, programme, and a project?
Why are projects important?
Project activities and lifecycle
Key players within portfolios, programmes and projects
Risks and responses
What can internal audit do?
Programme and project (including process) reviews
Project management reviews
Planning portfolio, programme and project reviews
Project auditing resources
A project can be the construction of a new building, the implementation of a computer system, a major staff reorganisation, an acquisition or disposal within a business, the roll-out of a new product or service and much more. This means it is difficult to provide one simple definition.
The Oxford English Dictionary definition describes a project as an 'enterprise that is carefully planned to achieve a particular aim'. The Association for Project Management adds the idea that a project has a limited lifespan by identifying a project as 'A unique, transient endeavour, undertaken to achieve planned objectives, which could be defined in terms of outputs, outcomes or benefits'. Using these and other definitions it is possible to identify the key characteristics of a project.
Distinguishing between a 'portfolio', a 'programme' and a 'project' presents a problem because the terms are often confused with one another.
A good way to avoid confusion is to think in terms of a pyramid hierarchy. At the top of the pyramid is the portfolio, followed by programmes and then projects, which are prioritised according to business objectives and needs. As you go up the pyramid from the bottom, the budget, life expectancy, complexity, interdependencies and impact on the organisation all become greater.
Definitions of these terms from the Association for Project Management Body of Knowledge 6th edition are as follows:
Failure to deliver a project on time, within budget and to specification can pose a major threat to the strategic direction and financial viability of an organisation. There are links to a number of examples within the other website references that illustrate this.
Every project is different, but the things that go wrong tend to fall into two categories: failures of completion (time, cost and delivery) and failure to achieve the intended outcomes and benefits. All too often the completion failures are the ones that grab the headlines, but the outcome failures can have the greatest impact.
Managers and internal auditors need to understand which will have the most impact in their organisation: a project that achieves all the delivery criteria but fails to deliver the expected outcomes, or one that delivers the expected outcomes but overruns on time and budget?
The success or failure of a project can have a significant impact on the organisation's ability to provide a much needed service, take advantage of a market opportunity or ensure compliance with the law and other important requirements.
Success or failure of a project will also have an impact on the organisation's reputation, the confidence of its stakeholders and financial performance. Benefits should not be an afterthought but a primary consideration when designing and delivering a project.
A project can be split into a number of activities or stages. The lifecycle refers to the overall time span and progress of the project made up of the individual activities and stages.
Not all projects will visit every stage, as projects can be terminated before they reach completion, but what happens during each of these stages needs to be firmly defined with clear boundaries.
The important thing to appreciate is that it is an orderly process that involves a series of steps and procedures to bring about a successful outcome.
The diagram developed by the internal audit team for projects at Transport for London illustrates the progression through the stages and the sort of activities that may take place within each stage.
It is possible to manage the steps, procedures and stages through a process of project management. It is worth noting that in some cases the 'project' may finish but the 'change' may continue for some time after the project team has disbanded, particularly in terms of the delivery of benefits.
Project management is the process by which projects are defined, planned, monitored, controlled and delivered to achieve agreed outcomes and benefits. The timescale associated with this process is known as the full project lifecycle.
As there are many people involved with different disciplines and expertise a key task is to ensure that everyone knows what is expected of them. This requires the definition and scheduling of activities in terms of duration, cost, other resources and interdependencies. Once documented, the activity schedule (or project plan) for the project requires review and approval from the Project Sponsor. It is important to keep in mind that the overall aim is to deliver objectives and benefits efficiently and effectively.
Knowledge, skill and experience in project management are critical to achieving successful projects. The organisation will need qualified and competent project managers, either in-house employees or appointed consultants to develop and apply its project management process. It is also important to have good project control knowledge amongst members of the Project Board or Steering Group, who will be primarily responsible for providing assurance over project control and progress.
A successful project requires a wide range of stakeholders to cooperate and work together. The nature of their roles will depend upon the scale of the organisation, the type of projects, and the size of the project portfolio or programme.
The potential roles that may form part of the project management process are described below. There are likely to be variations between organisations, and it is useful to recognise that these are roles and may not necessarily be individual posts. In some cases a role may form part of a person's larger job; in smaller organisations one person may hold a number of roles.
The project sponsor can be an individual or group for whom the project is being undertaken. This is usually a senior manager or executive responsible for identifying the business need, holding the project budget and delivering the benefits. The named individual should be responsible for providing evidenced approval of the project and evidenced confirmation that the project has successfully completed.
The person or group that provides the expertise to do the actual work on the project (i.e. will be designing and building the outcome) is called the supplier or specialist. This may be an in-house or contracted service.
The project manager is the person responsible for managing the entire project and is ultimately accountable to the project sponsor. The project manager is also responsible for regular reporting of progress to the project board/steering group.
Users help specify operational requirements and are also the people who will ultimately use the end product from the project. User responsibilities usually include helping to identify the project requirements, stating project constraints and testing.
The Project Board or Steering Group ensures that the strategic direction of the project is monitored on an on-going basis in accordance with the project requirements. They are responsible for monitoring progress against plan, managing risk mitigation, making key decisions at defined points, and ensuring that necessary approvals are obtained as the project progresses through the lifecycle to completion. Key responsibilities of the project board or steering group should be specified in a formal terms of reference document, which is reviewed and approved by the project sponsor.
The Stage Manager is someone appointed by the project manager who has similar roles to the project manager but only for a particular section or stage of the project.
A stakeholder is a person, group or organisation that is affected by, or has an interest in, the activities of the project.
The project team is responsible to the project manager or stage manager for undertaking tasks and managing risks within the constraints of the project. Key tasks for a project team may be defined in a schedule of activities, with schedules approved in accordance with the delegated authority assigned to a project.
Some organisations or large projects have project offices, project management offices (PMOs) or corporate PMOs to provide a range of support functions. These are common for portfolios and programmes, helping to ensure appropriate project co-ordination from initiation through to completion.
Providing a view of how a project is progressing is known as project assurance and is the responsibility of the project board or steering group.
Project assurance is about checking that the project remains viable in terms of costs and benefits (business assurance), checking that the users' requirements are being met (user assurance), ensuring procedures and rules are being followed (compliance assurance) and that the project is delivering a suitable solution (specialist or technical assurance).
In some organisations specific aspects of assurance may be delegated to, or be supported by, a project assurance manager or project assurance team and may therefore feature in the list of key players. In other organisations assurance over all aspects of a project may remain with individual members of the project board or steering group.
Project assurance therefore means different things in different organisations and is likely to be influenced by the strategic importance of projects, the level of investment and the significance of risk. A key element for all organisations, however, is the need for regular monitoring of project progress against the project plan (in terms of time, cost and successful delivery) by the project assurance provider. The terms of reference for the project board or steering group, for example, should identify the need for the regular review of project progress through a programme of formal meetings. In particular, the terms of reference should stipulate: frequency of meetings; standing agenda items; a requirement for meeting minutes; the attendees required at each meeting; meeting quorum; reports required (those to be tabled and those to be produced following each meeting, so as to provide details of assurance to the key project stakeholder groups).
Project assurance can also involve the design of a framework, provision of advice for those involved in a project, start up reviews at the beginning of each stage in the lifecycle, post-implementation reviews and generally communicating lessons learnt from projects.
It is therefore important for the internal auditor to understand who provides assurance, who it is provided to, how it is provided and the scope of assurance activities as this will influence the nature of what internal audit includes within the annual internal audit plan and the terms of reference for the specific audit.
For instance, internal audit may provide project assurance in organisations where no other support exists; provide assurance upon the reliability of the project assurance provided by management; provide advice to managers who have a project assurance role; or some combination of these activities. Where internal audit provides full or partial project assurance, it is unlikely to be responsible for providing assurance upon the overall reliability of project assurance provision, so as to maintain appropriate independence and objectivity; however, in such circumstances, internal audit may identify and suggest alternative sources of assurance for consideration by the organisation.
Typical risks that may occur in a project are:
1. Absence of clear links between a project and the organisation's key strategic priorities.
2. Lack of clear senior management ownership, support and leadership.
3. Lack of effective engagement with users and stakeholders.
4. Lack of resources, skills and proven approach to project management.
5. Poor communication and lack of openness on the purpose and benefits of the project.
6. Lack of understanding of, and contact with, the supply industry.
There is a great deal that internal audit can do in relation to portfolio, programme and project management to help an organisation achieve its strategic objectives. However, the basic role of internal audit remains the same, which is to provide independent assurance and consulting services in relation to governance, risk management and control.
The fact that there may be many interrelated projects spanning several years does present a challenge to some internal audit activities. This necessitates additional time to plan, organise and coordinate the reviews that take place at various management levels, as illustrated in the diagram below.
Reviews at the portfolio level focus upon governance by looking at the extent to which projects are designed and prioritised. These internal audit reviews consider how projects are selected against strategic objectives, how strategic risks are identified and managed, and whether benefits and outcomes are realised from projects.
The completion of such reviews also provides an indication of the organisation's maturity in terms of managing and delivering change.
Internal audit activity at the programme level considers how well a programme is being planned and controlled, examining the management of communications, critical dependencies and risks (in particular, those associated with the relationship between the programme and the overall portfolio/specific projects).
Internal audit reviews at the project level can focus on the risks associated with specific projects, by evaluating the controls employed on the journey from problem identification/quantification through to solution delivery/post-implementation review. In addition there are a number of generic processes for managing and delivering projects that can be incorporated into an internal audit plan and be reviewed as specific audit exercises. These include the application of methods, approaches and standards, several of which are included within the Transport for London diagram presented earlier.
For example at the inception stage, an initial business case review can examine the assumptions and justification for projects looking at the accuracy and validity of the information presented to the organisation's decision makers. This might involve evaluating how the business case ties in with the portfolio objectives. By their nature these reviews can represent the more complex elements of project reviews.
The internal auditor can adopt a risk-based approach to the selection and review of individual projects. This requires some initial research to determine relative importance.
For instance, the internal auditor needs to find out what a project is about, who is running it, what are the issues and expected benefits, understand the nature of the risks and determine who, if anyone, is providing assurance. This will enable the internal auditor to consider and agree the scope and level of assurance and consultancy services with management, which might include:
A number of project management reviews within the annual internal audit plan may be combined to provide a process review of the project methodology, noting that this should be agreed at the outset (as part of generic audit planning and change control procedures).
A typical approach to project management reviews is for the internal auditor to join a project board/steering group or team with the inclusion of time in the audit plan for meetings. Anyone who has done this will know that it often involves a considerable time commitment. There are advantages and dangers with this approach:
While an invitation to take part in a project board/steering group is recognition that internal audit has a valuable role to play, it is important to be clear about what internal audit will gain from regular attendance. Involvement should have a specific assurance or advisory purpose that is discussed, documented and agreed with senior management (as part of the terms of reference) and then shared with the audit committee.
Internal audit should not be part of the management sign-off process or be part of the decision making. Measures may also need to be taken to ensure that internal audit involvement is understood and does not compromise the independence and objectivity of any future work. These measures might include involving different members of the internal audit activity in future work concerning the project.
An alternative approach would be for the internal auditor to schedule attendance at one or two selected meetings during the audit of a project to consider specific issues such as the management of risk, validation of progress and to observe that appropriate information is being received, scrutinised and challenged.
The full extent of internal audit's involvement in project management reviews will depend upon the number and relative importance of projects to the organisation and how they fit into the overall landscape of risk (as defined by both the business and internal audit themselves). In some organisations major initiatives may be something of a rarity, whilst others may be entirely project-based and have multiple projects running simultaneously. This raises a number of questions for internal audit:
Internal audit’s approach to planning portfolio, programme and project reviews should be largely based upon the generic approach of the internal audit team for identifying and prioritising areas for review within an organisation. Therefore, internal audit should engage with management and the audit committee both prior to and throughout the audit year to identify and understand the organisation's profile of portfolios, programmes and projects that are on-going and planned, so as to support the achievement of strategic objectives.
In terms of evaluating and identifying specific projects for review, there need to be straightforward criteria, questions and measurements to determine priorities. It is possible to highlight audit priorities by using a simple assessment tool such as the following:
While the tool is simple it can easily become more sophisticated by adding or amending the criteria, questions and measurements to suit the organisation's circumstances.
Weightings could also be applied to add further sophistication. Some internal audit activities may already use a similar approach for wider audit planning, and the tool may only need slight adaptation to cater for project management. Such measurement criteria can therefore produce a risk-based audit plan that makes the best use of available resources.
The outcome will be a list of priority projects for internal audit, senior management and the audit committee to discuss and agree upon.
Planning will also help to determine whether internal audit has enough resource with the right competencies to successfully initiate and complete not only project management reviews but all of the forms of review that we have mentioned.
Some difficult choices may have to be made on how to allocate available time, especially as demands for assurance around other risks such as fraud, financial management, IT and other business operations have to continue to be met.
Where the need for assurance and advice exceeds available audit time (as identified by internal audit either at the audit planning stage or during a review), senior management and the audit committee may judge that additional resources are justified. In order to obtain this, internal audit must be able to demonstrate a solid understanding of project management and its techniques to help explain the benefits/assurance that is to be obtained (and to provide justification for the additional expense).
Project management is a multi-disciplinary subject and internal auditors will require knowledge, skills and experience in a number of areas to demonstrate their competency. This includes:
Some internal audit functions turn to external support for the knowledge, skills and experience they need, in the same way that IT auditing skills may be purchased. This can be done on a project-by-project basis or on a more permanent, ongoing basis. Since a longer-term relationship with an external supplier of specialist internal audit resource is likely to generate cost benefits (in comparison to engaging external resource on an ad-hoc basis), it is advised that internal audit functions carefully consider the longer-term need for specialist resource before procuring specialist external support.
Other internal audit functions, in predominantly project-based organisations, might create their own multi-disciplinary teams that contain competencies in internal auditing, change management and project management, some of whom may be co-opted into internal audit for short periods of time from other areas within the organisation. However, as noted above, internal audit needs to be aware of the danger of compromised independence and objectivity and ensure that these risks are not realised through the project work that is completed.
Competency can also be nurtured and developed in the medium to longer-term through training and developing existing internal auditors who have an interest in/display a competency for this type of specialist work.
Portfolio, programme and project reviews enable internal audit to consider whether there is effective risk management at each level - strategic, tactical or operational. This is particularly important where internal audit provides an overall opinion upon the effectiveness of risk management arrangements within an organisation.
For some organisations project risk management may be at an early stage of development and internal audit can provide advice and support as part of its consultancy role. Aspects of project risk management to consider include:
The importance of internal audit in the management of portfolio, programme and project risk will continue to grow as the desire of organisations to use specialist, independent sources of assurance and advice to drive change and operational transformation continues to intensify.
As organisations realise the strategic importance of projects, they are looking to their internal audit activities to provide them with the necessary levels of assurance and advice over their governance and delivery.
Internal audit may not be able to provide full coverage of projects but can initiate reviews at different organisational levels according to their assessed priority, so as to provide an independent opinion on the efficiency and effectiveness of project governance, risk management and control.
However, senior and executive-level management have high expectations and need to be convinced that internal audit can approach the task with confidence and that it has the capacity to deliver assurance around these business critical and potentially risky investments.
Internal audit must be confident it has the right mix of resources and competencies to address different types of projects and different types of review and has the ability to demonstrate that it is the best-placed provider of specialist, independent assurance and advice (for example, through a history of completing successful and highly-valued portfolio, programme and project reviews).
Project management is related to change within organisations and is a complex subject. This list is a good starting point for further research:
The Association for Project Management UK
APM provides a wide range of information on project management, including the 6th edition of the APM Body of Knowledge. This website also provides details of the APM practitioner qualifications.
British Standards Institute
Standard BS 6079-1:2010 Project Management provides principles and guidelines for the management of projects.
Risk Analysis and Management for Projects (RAMP)
RAMP was developed by a partnership of the Institute and Faculty of Actuaries (IFoA) and the Institute of Civil Engineers (ICE) to provide a methodology for quantifying and managing risk over the life of a project.