IA’s practical approach to driving success for strategic and transformational initiatives
DRAFT
ISACA Geek Week 2014
www.pwc.com
PwC
Agenda
Module
A. Welcome and Introduction
B. Transformational Change
C. Strategic initiatives – the risks
D. Internal Audit’s role
E. Keys to successful transformation assurance
F. Recap & Questions
G. Contact details
A. Welcome and Team Introduction
Antwon Hardwick
• Director - US East Region Project Assurance Leader
• Located in Atlanta, GA
• Project, Program and Portfolio assurance and management for transformational projects
• 13+ years consulting experience with clients in insurance, energy, software, IT services, construction, and entertainment and media
• Led on-going program management office (PMO) oversight activities for global multi-year $140M ticketing platform transformation for Fortune 500 leading company. Performed a number of risk management and assessment activities to include focused project risk assessments, deep dives, health checks, and periodic status reporting to the client's Audit Committee and senior executives.
B. Transformational Change
Transformational change: Market trends
Accelerating investments in significant projects to enable business transformation initiatives.
IT spending has been cut over the last few years resulting in a backlog of IT projects.
Multiple and uncoordinated assurance requirements; IA, external audit, SOX, Compliance, Risk Management.
Organizations are resource-constrained – not adequately staffed to advance projects and maintain existing operations.
Regulatory requirements are expanding, adding to compliance efforts.
Complex dependencies across projects.
What are your experiences with project success rates?
Our 2012 survey indicates that 200 global companies were spending over $4.5B on projects to deliver changes required to implement their strategy.
• 20% of ERP implementation projects are not completed. (Gartner)
• 71% of ERP projects do not meet the expectations of senior management. (CSC Index/AMA Survey)
• 2%: Companies that had 100% of their projects on time, within budget, to scope and delivering the right business benefits. (PwC Global Survey on State of Project Management)
• 51% of ERP implementation viewed as a failure. (Robbins-Gioia Survey)
• 84% of projects do not meet all criteria for success. (Standish Group)
• 35%: Number of companies where system projects deliver expected business benefits. (PwC Global Survey on State of Project Management)
As a result…
Boards, Audit Committees, and other senior business executives are increasingly recognizing the level of risk posed by large programs and are seeking greater transparency into strategic initiatives to understand if projects will deliver the business outcomes…..
• Are we going to have a positive return on investment?
• Are our people engaged and the business ready to change?
• Is the solution the best we can deliver for the costs we can afford?
• Have we got the skills we need looking at the really important things we need to do?
• Are we on-time, on-budget and on-scope?
• Are we getting the best out of our third parties?
• Is there appropriate governance to ensure project outcomes?
• Are we maintaining the integrity of our control environment?
…..there is increasing demand for project transparency
Reasons for program failures
Poor estimation continues to be the largest contributor to project failures.
Poor estimates, lack of sponsorship and poorly defined scope are 3 primary reasons cited for project under-performance
Source: PwC’s 3rd Global Survey on State of Project Management (2012)
The state of the Internal Audit profession 2012
• …consider project risk as either important or very important: 92% of CAEs, 82% of Executives.
• …think large program risk is considered well managed: 27% of CAEs, 37% of Executives.
Transformation change: Internal Audit challenges
01. Building a portfolio risk assessment process which considers the current and emerging risks and evolves with project delivery.
02. Enhancing existing project audit methodology to consider current techniques and more dynamic application.
03. Understanding and leveraging the ‘lines of defense’ appropriately.
04. Acquiring the right resources and skill sets to assemble the team.
05. Identifying effective methods for communicating and reporting risks timely.
C. Strategic initiatives – the risks
Key areas of project risk
Risks are not isolated to classic project management artifacts, but extend to a broader ‘risk universe’.
Data
• Data Structures
• Mapping
• Cleansing Effort
• Conversion and validation
• Data governance
• Backup and recovery
• BI and reporting strategy
Organization
• Business impacts
• Training
• Communication
• Organizational alignment
• Change management
• Compliance and controls
• Business continuity
Governance
• Strategic Alignment
• Senior Management Commitment
• Sponsorship / Champions
• Governance and Decision making
• Synergy identification and tracking
Program Management
• Time schedules
• Budgets
• Resources/staffing
• Vendors
• Knowledge transfer
• Issue and Risk management
• Scope management
Technology
• Infrastructure
• System architecture
• Networking
• Security
• Availability
• Performance
• Disaster recovery
Process and Solution
• Requirements
• Business processes
• System Development Life Cycle
• Data
• Controls
• Bolt-ons
• Interfaces/integrations
Project risk – Inherent, Delivery, Delivered
Strategy and Governance
• Inherent: No strategic roadmap for IT spend
• Delivery: Project does not align with business strategy
• Delivered: No business owner for realizing project benefits post-implementation
Program Management
• Inherent: Organization lacks a project management methodology
• Delivery: Project reporting is inconsistent and inaccurate
• Delivered: Lessons learned are not captured
Organization
• Inherent: Organization has little experience with large projects
• Delivery: Business SMEs have limited capacity for involvement in delivery
• Delivered: Organization resists adoption of the new solution
Solution and Process
• Inherent: No process maps or metrics impairs ‘case for change’
• Delivery: Interim processes are ad-hoc and labor intensive
• Delivered: Solution does not include robust internal controls (SOX compliance)
Data
• Inherent: Data is not ‘clean’
• Delivery: Data conversion is inaccurate
• Delivered: Backup and archiving not included in solution
Technology
• Inherent: Inconsistent technology platforms, and no vision for rationalization
• Delivery: Insufficient environments to support development, test, and production
• Delivered: No support and maintenance plan for new infrastructure
Note: These are high-level examples only. In most cases, there will be many specific risks corresponding to each box above.
Who plays a part in managing program risk?
Large transformation projects typically have a number of functions supporting risk and quality management. Understanding the respective roles and levels of assurance provides a holistic view of current assurance levels and helps identify the gaps that may need to be addressed.
Work stream monitoring activities
Examples of Level 1 activities:
• Program risk function
• Program PMO
• Vendor PMO & QA
PMO monitoring and assurance activities
Examples of Level 2 activities:
• Operational risk teams
• Compliance teams
• Organizational or independent PMO
• Targeted QA activities (from within the organization but independent of the project)
• Product vendor provided assurance
External vendor and internal audit
Examples of Level 3 activities:
• Internal Audit reviews (part of the annual plan)
• ‘Health checks’ and targeted specialist ‘Deep Dive’ reviews
• External Audit reviews
D. Internal Audit’s role
In 2013, were stakeholders satisfied with IA’s role?
Source: Examining the issues – 2013 IA Global survey
How can IA add value to a project? Stay ahead of the curve
• Use Subject Matter Specialists.
• Develop an embedded assurance plan.
• Get involved early.
• Build a ‘three lines of defense model’.
• Operate the integrated assurance plan, making responsive changes based on the shifting risks.
• Agree how, when and to whom you will report.
• Focus on value.
How can IA add value to a project? Develop forward looking view
1. Navigate the integration risk landscape
2. Understand stakeholder perspectives and provide deeper insights
3. Cut through the clutter
Questions
• How well aligned is internal audit’s plan with the critical risks facing the organization?
• Does internal audit provide a point of view to help the business improve its responses to risk?
• How effectively does internal audit communicate with stakeholders?
How can IA effectively engage in Transformation initiatives
• Think and act strategically to focus on key integration risks: Internal audit understands the organization’s strategy, initiatives, and related risks; project audit activities are derived from a top-down risk assessment and aligned with stakeholder expectations.
• Leverage the second line of defense: Internal audit contributes to and coordinates with organization and program risk management efforts, providing insight to the overall risk management process and focusing audit efforts appropriately.
• Understand the business: Internal audit is in a unique position to objectively assess perspectives of various integration stakeholders – leverage this to foster the desire for internal audit involvement in integration (and all significant) business initiatives.
• Leverage specialists: Internal audit uses specialists, both internal and external, to support work in areas where it does not have the breadth and depth of expertise to effectively provide a point of view.
• Deliver advice and best practices: Internal audit provides deep insights in all of its activities, as well as proactively offering advice on the design of future processes.
• Build trust through ongoing dialogue: Significant attention is given to face-to-face communication with stakeholders, including the audit committee. In these meetings, additional perspective is provided around the management of critical risks.
• Simplify reporting, make it consumable: Internal audit reports contain concise messages clearly linked to underlying business risks.
• Connect the dots: Internal audit identifies common themes and trends across the organization, enabling the business to close gaps.
How can IA add value? Controls are often overlooked
[Figure: cost of controls (low to high) against the project life cycle (start to finish), across the pre-implementation, during development and post-implementation periods; stage labels: Solution Blueprint, Design, Build, Test, UAT, Implement, Go Live.]
The design of internal controls (configurable, manual, and access/security) during business process design, rather than identifying and correcting control weaknesses after the process and systems are installed, provides the greatest value in terms of process, system, and data integrity, at the lowest cost.
Cost of controls increases as project progresses
Developing a Project Assurance Plan
Why is a Project Assurance Plan important?
• Helps to understand the roles and sources of assurance available to a project
• Helps you to develop a risk-driven integrated assurance plan that is aligned to the three lines of defense.
When should the Project Assurance plan be developed?
• Ideally this occurs from the beginning of the integration program, and makes use of the program’s initial risk assessment activities. However, it can be implemented at any point in the lifecycle.
Who should be involved in developing the Project Assurance plan?
• Key project stakeholders (internal to the project team and business)
• Representatives from each line of defense (the PA plan is often a component of an integrated risk or quality management plan)
Managing risk over the program lifecycle
Assess, Design, Construct, Implement, Operate & Review
• Project governance and mgt review
• Planning and mobilization
• Business case review
• High level target operating model
• Organization change strategy
• Deployment strategy
• Business process design
• Data and reporting design
• Test and data conversion strategies
• Security & controls
• People and Org Design
• Dedicated vendor management
• Solution testing and remediation
• Training plans and execution
• Data conversion
• Security and control configuration
• Business continuity planning
• Benefits management plan
• Support model design
• Test and training results
• Go-live process
• Data conversion process
• Transition to business as usual (BAU) planning
• Stakeholder engagement
• Go-live readiness assessment
• 30-90 day support
• Business adoption
• Benefits realization
• Compliance and controls certification
Delivering Change
• Is the ‘case for change’ robust with clear scope, business outcomes and ownership?
• Will the organization & technical design deliver the benefits?
• Is the solution being built as designed and robustly tested?
• Is the business ready to go with detailed go live and support plans in place?
• Are the benefits being delivered and what could be improved?
Driving Change
• Is the program being effectively governed against guiding principles and managed across all workstreams?
• Is delivery of business benefits a key focus throughout the lifecycle?
• Is the Change Management approach appropriate and delivering success?
• Is the organization engaging key stakeholders (including existing vendors/partners) throughout the change?
E. Keys to successful transformation assurance
Top 10 Keys to success
Key events that may contribute to a successful Project Audit:
1. Stakeholder buy-in & tone at the top, understanding & acceptance of engagement
2. Staffing, proper technical skills, qualifications and capabilities allowing the team to quickly establish credibility
3. Understanding project needs and expectations, as well as the level of comfort desired
4. Scoping appropriately, leveraging a risk based approach and delivering upon the agreed scope
5. Up-front communication regarding scope of review, extent of review, timing of review and level of details to be provided in reporting
6. Execution and completion of work within defined budget and schedule
7. Change agility, being able to change with the project needs (adjust timeline, etc.) but avoiding scope creep
8. Communication to all parties
9. Relevance, providing actionable, useful and timely deliverables (reporting) – consider requirements of the audience (i.e. Audit Committee, Sponsor, Project Manager, etc.)
10. Monitoring project progress between checkpoint reviews to minimize ramp-up time required at each checkpoint
F. Recap and Closing
Recap & Questions
• Use Subject Matter Specialists.
• Develop an embedded assurance plan.
• Get involved early.
• Build a ‘three lines of defense model’.
• Operate the integrated assurance plan, making responsive changes based on the shifting risks.
• Agree how, when and to whom you will report.
• Focus on value.
G. Contact Details
© 2014 PricewaterhouseCoopers LLP. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.
Thank you
Team contact information
Antwon Hardwick
(678) 419-8618
Kshipra Pitre
(678) 296-6066