Audits for projects

A project audit provides an opportunity to reveal the issues, concerns and challenges experienced in the execution of a project. It gives the project manager, project sponsor and project team a snapshot of what has gone well and what needs to be improved to complete the project successfully. The Project Management Institute (PMI) defines a project audit in its Project Management Body of Knowledge (PMBOK®, 4th ed.) as “a structured independent review to determine whether project activities comply within organizational and project policies and procedures”. As an audit sponsor mentioned on a major capital project, “It was only until after the audit that we realised that the findings were important and actually much more useful to receive early on in the project, instead of 9 months later, when it would have been too late”.

Multiple assurance exercises may take place in a project environment; a Project Delivery framework should list them, and they are monitored in the Project Control Plan, e.g. various walkthroughs and reviews. The value and benefits of these exercises differ: typically the audit will have Senior Management (up to board level) as customer or sponsor and a longer period of time for planning and execution (4-5 weeks), and the impact of the findings and subsequent actions will also be more visible coming from an audit. Internal Audit provides the Audit Committee, the Executive Committee and ultimately the Board of Directors with objective and independent assurance on the health of the internal controls that the corporation uses to achieve its business objectives, while the reviews and walkthroughs will be more project-centric and usually confined to the project's stakeholders.

Any project is an investment and carries risk. There are advantages to using an experienced project manager to help the project team establish quality standards and processes. The audit can then verify project status at key stages. The project sponsor may have some concerns or doubts about the state of the project, or there may be one important aspect that is causing concern, such as cut-over planning. A good audit will increase business benefits by diagnosing the health of a project, identifying and prioritizing key issues, and proposing recovery actions or closure. The high daily running costs of most projects mean that a timely audit will deliver the two biggest benefits, time and money. In that case, audits can add value to the business by providing reasonable assurance over the governance, processes, risk management and controls framework in place to ensure that the project is delivered on time, on budget and within the defined specifications. If the audit takes place at the close of a project, it can be used to develop success criteria for future projects by providing a forensic review. This review will provide an opportunity to learn which elements of the project were successfully managed and which ones presented some challenges. This will help the organisation identify what it needs to do so that mistakes are not repeated on future projects, which is how added value is generated.

One Audit Manager stated the following: “We don’t get to drill wells or open valves, but we do add value. We provide insights on gaps in the controls and the management of risks, and identify inefficiencies in how the business provides assurance. Avoiding costly rework and mishaps can liberate time to focus on core business delivery, or to more quickly assess, mature, and produce hydrocarbons.” To achieve this, there are multiple approaches, depending on the audit scope (project delivery process or control framework of the solution built by the project), for enabling the business to increase the benefits that the project has to deliver.

The first one is risk-based auditing, which focuses on how an organisation responds to the risks it faces in achieving its goals and objectives; it aims to provide assurance on the management of the identified risks within the context of the organisation. This approach will not be for one specific project but more across a programme or a portfolio, as these will be more at business or group level.

The second approach is compliance audits, which ensure conformity and adherence to the organisation's policies, e.g. frameworks, plans, procedures (e.g. usage of reporting and other tools), laws and regulations. These will happen for projects, programmes or even portfolios and will specifically address all divergences from the policies in force.

A third one concerns improvements to the framework, including the tools, e.g. PCP and Toolkit review; the result will then have potential group-wide impact. Auditing the delivery process will require more of a compliance approach to ensure the team follows the methodology and uses the recommended set of tools, but it only makes sense if we keep in mind that this will not suffice to fulfil the triple constraint (Time, Scope and Budget).

Auditing the solution’s control framework will require a risk-based approach to assess design effectiveness and, if the design is effective, whether it is operating effectively.

In conclusion, audits can adapt their approach to the scope and so add value to projects by delivering not only targeted findings but also fit-for-purpose and relevant actions for effectively managing the triple constraint and achieving the right level of quality.

3 replies »

  1. Interesting post. I wonder whether ‘project auditors’ should be full-time auditors or, rather, peers operating under a structured audit framework. In my experience I would rather go for the second solution, to make sure the audit adds real hands-on value to the project team.

  2. Jeremie,
    Both options are valid but the goal could be different. If we use peer reviews internally, you run risks of potential conflicts of interest (internal politics, fellowship, etc…) but I agree that for smaller projects where the level of controls is low and which do not require specific certification or education in risk and control management, it will be fit for purpose. On the other hand, if we think of larger implementations, e.g. ERPs, where controls are mandatory, regulatory and also critical from a legal, fiscal perspective for the enterprise, e.g. SOx, then an independent audit team would be more appropriate, but this could come from an internal audit department, not specifically from a 3rd party.
    What is important, at the end of the day, is that the right level of control is implemented and risks are clearly identified and mitigated.
    Hope this clarifies my viewpoint, happy to share further 
