This is a question that I asked myself when i moved to Internal Audit years ago! Subsequently I also wondered whether my work there could be taken into account as Project Management practitioner and subsequently get 5 PDUs per year spent in audit. It may sound trivial as a question but it becomes more interesting when you think from a skills transfer viewpoint… Could, in essence, a project manager become auditor and the other way around? This is another way of seeing this question.
In order to analyse this opportunity, we need to go back to the basics and compare definitions. As I mentioned in a previous post:
• The Project Management Institute (PMI) defines a project audit in its Project Management Body of Knowledge (PMBOK®, 4th ed.) as “a structured independent review to determine whether project activities comply within organizational and project policies and procedures”.
• More generically in its 5th edition the PMBOK® defines a project as “a temporary endeavour undertaken to create a unique product, service or result.”.
• ISACA defines an audit as “Formal inspection and verification to check whether a standard or set of guidelines is being followed, records are accurate, or efficiency and effectiveness targets are being met.”
Clearly we can find in the literature plenty of other definitions but at the end of the day they all refer back to same attributes and objectives for these 3 items. It is even remarkable that we have similar vocabulary in both disciplines:
• Audit or project charter
• Audit programme
• Audit or project plan
Both have a defined life cycle PMBOK® 5th edition page 39 fig. 2.8 describes:
1. Starting the project
2. Organizing and preparing
3. Carrying out the work
4. Closing the project
As an example KPMG shows the following steps for an audit:
2. Control evaluation
3. Substantive testing
To go deeper in details per step:
1. The first point is all about getting ready in terms of Charter or Terms of Reference i.e. define the scope of the endeavour and get it approved. This step is key in order to get initial funding and also usually get a project manager or lead auditor appointed to the exercise and move to the next steps with necessary mandate to deliver the objectives.
Having this first step approved will mean that firm sponsorship is secured and main stakeholders have been engaged and are supportive. The main deliverable of this phase will be a Charter or Terms of Reference and to increase your success rate, I would recommend to make sure you do involve all parties as soon as possible in the process. Having a multi-disciplinary approach to build that deliverable will ensure that you bring the brainpower early and also work alignment from day 1.
The audit/project will hugely benefit from this as you mitigate the risk of misunderstanding and bad surprises with stakeholders (sponsors, auditees, …).
2. The second step will be securing all resources including logistics, schedule, audit programme, etc… For instance from an audit perspective, you would typically:
• Prepare the Audit Program (i.e. identify risk and actual controls, confirm existence of actual controls and draft test scripts)
• Review and approve the Audit Program
• Brief Audit Team members not involved in planning process
• Arrange for any additional training that may be required
• Schedule interviews on a timely basis
• Prepare and discuss the document list
• Plan and arrange other logistics
• Schedule regular meetings with Audit Manager
• Schedule regular ‘no surprise’ meetings with Auditee
In other words as for a project, you would go in more details in terms of scope, risks, resources, communication, cost, quality and stakeholders management…
3. Now we are in the “meat”, it is the objectives delivery and meet agreed scope. It does not matter whether your deliverable is a bridge, a piece of software or an audit report. The whole point is keeping the triple constraint under control i.e. “any project has a minimum of three absolute constraints that must be considered: scope, funding and timeline. Any two of these constraints can be held firm as long as one of them remains flexible; if a PM tries to keep all three firm then either the project will fail or a constraint will slip without adequate planning, so the theory goes” (Jumboframe consulted June 7th 2015).
The point here is not to go into the different delivery models or methodologies as I previously already described.
4. Again the 4th and last point is exactly similar for both exercises and PMBOK® 5th edition is descriptive enough for both:
• Obtain acceptance by the sponsor or auditee
• Submit final audit report
• Document lessons learned
• Update all necessary systems to record changes delivered by the endeavour
• Archive all exercise related documents
• Perform all relevant performance assessments and report accordingly
I will not disclose internal processes used in my company in terms of internal audit processes or project delivery framework but the origin of this post is also obviously coming from my personal experience as I did work in both disciplines at senior level for multiple assignments. So in other words it is obvious that the parallel makes sense and as demonstrated above audits can be considered as projects meaning that auditors are also delivering projects and so can claim their yearly 5 PDUs if they are PMP®.