How to survive a Project Management Audit Dec 2-2014

How to Survive a Project Management Audit

Rakhi Henderson

CISA, CGEIT, CRISC

Principal Consultant

Entegrity Consulting Group

December 4, 2014


Today’s Objective

Learn the role of a project auditor and how they help the business.

Share tips on what auditors seek from project managers when conducting

project reviews.

Explore how a project audit can help a PM.

Tips to navigate the audit process so it’s a win/win situation for everyone!


Have you ever felt like this?

“Bob, do you have time for a project audit?”


Definition of Audit

The Institute of Internal Auditors (IIA) definition:

“An independent, objective assurance and consulting activity designed to

add value, and improve an organization’s operations. It helps an

organization accomplish its objectives by bringing a systematic,

disciplined approach to evaluate and improve the effectiveness of risk

management, control, and governance processes.”

“Audit” - Derives from Latin word “audire” meaning “to hear” – implies

objectivity, not inspection and judgement.

An audit under any other name (ie: review or assessment) is still an audit.

Source: www.theiia.org


Types of Project Audits and their Benefits

Process Audit – PMO practices and methods

Financial Audit – expenses, costs of a project, financial impacts to

financially material systems

Regulatory Audit – assuring adherence to regulations (i.e.: AML, FATCA)

Systems Audit – application, infrastructure, security and technology controls

SOX (Sarbanes Oxley) Audit – impacts to business critical systems

Project Management Audit – assessing the Project Life Cycle

All provide assurance to stakeholders that everything is on track.

Assurance: a positive declaration intended to give confidence in something.


So What is a Project Audit?

What is a Project Audit and why is it good for a project?

Project Health Check – like a physical

Recommendations are like vitamins to boost the immunity of the project

Should be like this…


Not like this…


So don’t sweat….

The mere thought of a project audit doesn’t have to bring sweat to

your brow.

Project audits are supposed to help a project manager deliver the

project as smoothly as possible.


Uncertainty is a Certainty

The most certain thing about Project Management is the uncertainty of the

moving pieces.

As projects struggle to keep up with the quicksilver pace of business, there

is always the risk that something won’t go as planned.

Risk Management is at the core of project management.

This is when a Project Auditor can become a Project Manager’s best friend.

Lets see how…..


How Project Audit Came to Be

1950s

1960s

1970s

Businesses and shareholders demanded assurance that their processes were efficient and in control.

1980s

1990s2000s Enron

WorldcomAOL

Lockheed SybaseXerox

= SOX


The Birth of the Project Auditor

Companies were investing millions of dollars in projects to

increase revenue and efficiencies.

A great deal of money and resources were allocated but the

progress of the projects were unclear.

Technology made it easier to commit fraud

Shareholders and stakeholders demanded more assurance.

New role emerged within the Project Management and Internal

Audit professions: the Project Auditor.


Role of the Project Auditor

The Project Auditor provides stakeholders with an impartial assessment of:

the project management function (cost, schedule, scope or quality)

the processes for dealing with project risks

the quality of the work performed by the project management teams.

The goal is to uncover the true status of a project and provide confidence

that it will implement on time while delivering what the business needs.

For the organization, this means cost savings if issues on a major project are

uncovered early.

For the project, the audit helps ensure everything is on track and is an

opportunity to put things in order if they are not.

For the project manager, this can be a learning experience.


What the Project Auditor doesn’t do

The project auditor is an independent assessor. They do not:

Tell the Project Manager how to run the project

Prepare project documentation.

Provide project approvals or sign-offs.

Penalize the project team with the number of findings.

Do anything that compromises the objectivity of the audit.

Many moving parts to a project and many people involved in the

process……


Don’t Take a Project Audit Personally

It isn’t a criticism of the Project Manager but an objective overview of how

the project is doing.

Every area that is involved in the project can come under scrutiny ( includes

project team, business, sponsor, IT, other support areas).

Auditor can escalate issues when necessary so the organization can make

prompt decisions to cancel the project, change the scope or project

manager, or to increase the funds.


The Typical Audit Lifecycle

Planning & Preparation

Report the Findings

AGREEMENT - ACTION - CLOSE OUT

At What is Going On

ASK

LOOKRECORD

CHECK

LISTEN

Open Ended

Questions

The Facts

The Documents

Project Auditors are well

versed in Project

Management best

practices.

A Project Audit duration

varies depending on

scope. Could be 1 week to

2 years. Or more.


Project Audit Steps

Planning

• Scope of Audit

• Engagement Letter

• Pull List

• Opening Meeting

Fieldwork

• Attend Meetings

• Interviews

• Review documents

• Analyze state of work

Reporting

• Closing Meeting

• Draft Report

• Final Report

• Action Items

An audit is a planned visit and is rarely a surprise.

Plenty of lead time is given for both the PM and Auditor to prepare.


Engagement during the Project Lifecycle

Source: http://onbridge.com/project-lifecycle-management/

Governance & Control

Auditor participates throughout the

Project Lifecycle and looks for:

• Whether the right people are at the

table

• Variance from the plan/scope

• Significant “slippage”

• Discrepancies in perspectives

• Adherence to best practices or

standards

• Completion of project documents

• Level of cooperation between

stakeholders

It is easier to "survive" a project audit when the auditor comes in early!

http://onbridge.com/project-lifecycle-management/


Typical Documentation Requested

Business Case, Project Charter, Statement of Work, Schedule & Plan,

Budget

Project Risk Management and Mitigation Plan

Communication and Business Change Management Plans

Evidence of Project Controls – Minutes, Agendas, Risk Assessments,

Change Requests, Issues Tracking, Status Reports

Documents approved by the correct authorizer

Access to project collateral storage area – SharePoint, Network Drive,

project management tool.


The Audit Report

The goal is to identify areas that work well and areas where improvements can

be made – not to focus on past mistakes.

There may be several versions of the audit report before it’s finalized.

Nothing in the audit report should be a surprise to the PM or management.

Surprise Audits are rare. They could occur when:

Management thinks the project is in trouble, heading for trouble or if they

are uncertain of its status.

There is a change in project management midstream.

There is suspicion of fraudulent or inappropriate activity.


Project Audit “IF” Statement

IF the project has a good foundation (ie: Project Charter) and

IF the project manager has a grasp of the schedule and budget required

to complete the work and

IF the project manager is proactively managing the schedule,

budget, risk, scope, quality, communication, etc.

» there is a HIGH PROBABILITY the project will be

successful.


Common Project Risks

Unclear Accountability and Sponsorship

Poor / slow decision making

Poor / no scope definition, scope creep, scope changes

Lack of Communication

Failure to manage project risk - unknown interdependencies

Inadequate attention to change management

Unrealistic deadlines and expectations

Failure to engage End-User and other departments upfront

Lack of co-operation between business areas / departments

Poor vendor management and use of consultants

Team inexperience / competence

Inadequate knowledge transfer to business


How Project Audits Can Help

Help identify when a project is about to go off-course.

Provide early problem diagnostics.

Point out scope creep.

Save costs by uncovering issues upfront.

Objectively evaluate performance of the project team.

Reconfirm feasibility of and commitment to project.

Increase customer and stakeholder confidence that the project is on track.

A second set of eyes can….


Risk Management

Two areas that project auditors can assist Project Managers are Risk

Management and Information Security.

This may be less of a benefit in organizations like banks that have very

mature project processes and ensure those skill sets are already available

to the project. But for other organizations, such as government, the project

team may be missing these skills sets.

Projects tend to treat Risk Management as a one time activity... they identify

risks, make an assessment but don’t put mitigation plans in place. The risk

assessment just sits there gathering dust.


Information Security

Auditors can assist in getting Information Security involved early so there

are no surprises later.

Retrofitting information security controls is more expensive and less

effective than if the project included Information Security controls in Project

Requirements and Design documents.

Observation: the later Information Security is involved in a project, the

greater the chance the project will be late and exceed budget.


How to Make the Auditor Happy

1. Understand the purpose of the audit.

Increasing shift to focus on business outcomes.

A project can deliver what's been approved but may not meet the business

needs if the business asked for the wrong thing.

2. Keep your story straight.

Project Managers are not our only source of information.

It doesn’t look right when the Project Managers is communicating one thing but

we are hearing a different story from others (i.e., the line of business or other

executives).

3. Make time for the Auditor:

If Project Managers aren’t making the time, auditors will use other sources of

information, including escalating to the sponsor.


Tips for a Successful Project Audit

Think about how the Audit will help you.

You can leverage a project audit to bring attention to issues and risks so

management can supply the necessary resources to address them.

Review the Pull List to understand what the Auditor is looking for.

Make adjustments to your management and documentation style so you can

answer “yes” to any of the questions.

If one of the questions is “Are regular meetings held that review status,

financials and issues?” then make sure your minutes have those points listed.

Reach out and say Hi.

Meet with the Auditor beforehand to get a better understanding of what they are

looking for.

Prepare the team that the Auditor is coming. Shouldn’t be a surprise.

Be positive and explain the process to them.


Tips for a Successful Project Audit

Evidence, evidence, evidence. Ensure documentation is up to date and

readily available.

Don't be afraid of showing other evidence which meets the intent (or spirit) of the

control.

For example, a charter may not follow a standard template but if the same

information is documented somewhere else it can be an acceptable alternative.

Understand the findings and negotiate the finding level.

Ask for clarifications to avoid miscommunications.

Honesty is the best policy - always be truthful.


When dealing with Project Auditors

Make sure auditors know the full story. For example, if company procedures

weren’t followed, written documentation showing approval for the variance

can go a long way in making your case.

Document decisions and action items from Audit meetings.

Ask for a copy the audit program that defines the scope, objectives and

steps the auditors will follow. They may provide it!

Establish the lines of communication between your team and the auditors

and how you will delegate tasks

Schedule periodic meetings to discuss their observations and present your

viewpoint.

Be ready when the auditor follows up on action plans. Depending on the

quantity and severity of the findings, corrective action plans can be time-

consuming.


Red Flags

Do not try to underestimate the project auditor or pull the wool over their eyes!

Auditors are trained to sense this and doing so will raise immediate suspicion.

Personally, I can tell if a project is challenged in my first meeting, without

looking at any documentation.

My Red flags

Refused access or given limited view to a project's document repository (e.g.

SharePoint). Assumption: the project is trying to hide something, or that the

repository does not exist or is mess.

Not invited to key project meetings. Assumption: The project is hiding

something.

The Green Dashboard. Project Managers tend to be perpetually optimistic as to

what they can accomplish and are reluctant to report anything as "yellow" let

alone "red". If I see a project reporting every category as "green", that is a "red"

flag for me.


Project Audit Observations

Poor project planning – lack of or minimal Project Charter and Plan

Poor Risk management – lack of issues tracking; issues not escalated

Lack of Accountability: Stakeholders and decision makers absent from key

meetings and don’t sign-off on decisions

Poor Project Morale - overworked, vacation, stress leaves

The Green Dashboard Syndrome

Failure to Disclose: Fudging reports

Executive status reports are different from Project status reports

Poor Vendor Selection & Management process

Poor financial management – lack of overtime tracking, no cost benefit

analysis, earned value not present


Project management methodology and tools – either too complicated to

follow or too busy to try.

Project Management Tracking System was not current – unreliable.

Poor project collateral management: poor version control, red-marked,

drafts, no final versions, collateral is on C:drives rather than shared area,

absence of supporting documentation.

Poor communication and transparency – team doesn’t know who is working

on what.

Lack of minutes and action item tracking.

Project starts before stakeholder sign-off.

Projects are in development before requirements are finalized.

Design starts before business sign-off.

Lack of Lessons Learned – continue to make the same mistakes.

Project Audit Observations


Collaboration Wins

Auditors, like Project Managers, want to complete the audit on time and

move on. Be available for them so they can move things along quicker.

The more Internal Audit and Project Management collaborate, the more

chance the project will implement on time within the established controls.

The payback of an audit is likely to exceed costs if the recommendations

are acted upon on time.

As the Project Management industry standardizes and grows, the

partnership of Audit and Project Management will enable profitable results

for employees, businesses and shareholders alike.

The result is a win/win solution for everyone!


Leverage the Benefits of Your New Relationship

RECAP:

Think about how Project Audit could help you

Communicate with the Auditor and the team

Honesty is the best policy

Learn from the experience

Keep in touch even after the audit – you may cross paths again!


PM Proverbs

The bitterness of poor quality lingers long after the sweetness of meeting

the date is forgotten.

What is not on paper has not been said.

If you fail to plan you are planning to fail.

If you don't attack the risks, the risks will attack you.

A little risk management saves a lot of fan cleaning.

The most valuable and least used word in a project manager's vocabulary is

"NO".

The most valuable and least used phrase in a project manager's vocabulary

is "I don't know".


Recommended Reading

McKinsey Report – Failure of Large Projectshttp://blogs.gartner.com/mark_mcdonald/2012/10/29/mckinsey-report-highlights-failure-of-large-

projects-why-it-is-better-to-be-small-particularly-in-it/

Gartner Group – 3 Reasons why Government Projects Failhttp://www.gartner.com/newsroom/id/2790817

Oracle White Paper: The Benefits of Risk Assessment for Projects,

Portfolios, and Businesses

http://www.oracle.com/us/products/applications/042743.pdf

http://blogs.gartner.com/mark_mcdonald/2012/10/29/mckinsey-report-highlights-failure-of-large-projects-why-it-is-better-to-be-small-particularly-in-it/

http://www.gartner.com/newsroom/id/2790817

http://www.oracle.com/us/products/applications/042743.pdf


Questions?

For more information, contact

Rakhi Henderson, CISA, CRISC, CGEIT

Principal Consultant


[email protected]

www.entegrityconsulting.org

mailto:[email protected]

http://www.entegrityconsultinggroup.org/

How to survive a Project Management Audit Dec 2-2014

Documents

Transcript of How to survive a Project Management Audit Dec 2-2014