IA’s practical approach to driving success for strategic and transformational initiatives

DRAFT

ISACA Geek Week 2014

www.pwc.com

DRAFT

PwC

Agenda

DRAFT

Module

A. Welcome and Introduction

B. Transformational Change

C. Strategic initiatives – the risks

D. Internal Audit’s role

E. Keys to successful transformation assurance

F. Recap & Questions

G. Contact details

2

Welcome and Team Introduction

A

PwC

Welcome & Team Introduction

DRAFT

Antwon Hardwick

• Director- US East Region Project Assurance Leader• Located in Atlanta, GA• Project, Program and Portfolio assurance and management for transformational projects• 13+ years consulting experience with clients in insurance, energy, software, IT services,

construction, and entertainment and media• Led on-going program management office (PMO) oversight activities for global multi-year

$140M ticketing platform transformation for Fortune 500 leading company. Performed a number of risk management and assessment activities to include focused project risk assessments, deep dives, health checks, and periodic status reporting to the client's Audit Committee and senior executives.

4

Transformational Change

B

6PwC

Transformational changeMarket trends

Accelerating investments in significant projects to enable business transformation initiatives.

IT spending has been cut over the last few years resulting in a backlog of IT projects.

Multiple and uncoordinated assurance requirements; IA, external audit, SOX, Compliance, Risk Management.

Organizations are resource-constrained – not adequately staffed to advance projects and maintain existing operations.

Regulatory requirements are expanding, adding to compliance efforts.

Complex dependencies across projects.

DRAFT

6

PwC

What are your experiences with project success rates? Our 2012 survey indicates that 200 global companies were spending over $4.5B on projects to deliver changes required to implement their strategy.

20% of ERP implementation projects are not completed.(Gartner)

71% of ERP projects do not meet the expectations of senior management(CSC Index/AMA Survey)

2%: Companies that had 100% of their projects on time, within budget, to scope and delivering the right business benefits. (PwC Global Survey on State of Project Management)

51% of ERP implementation viewed as a failure(Robbins-Gioia Survey)

84% of projects do not meet all criteria for success(Standish Group)

35%: Number of companies where system projects deliver expected business benefits(PwC Global Survey on State of Project Management)

DRAFT

7

PwC

As a result…

Boards, Audit Committees, and other senior business executives are increasingly recognizing the level of risk posed by large programs and are seeking greater transparency into strategic initiatives to understand if projects will deliver the business outcomes…..

• Are we going to have a positive return on investment?

• Are our people engaged and the business ready to change?

• Is the solution the best we can deliver for the costs we can afford?

• Have we got the skills we need looking at the really important things we need to do?

• Are we on-time, on-budget and on-scope?

• Are we getting the best out of our third parties?

• Is there appropriate governance to ensure project outcomes?

• Are we maintaining the integrity of our control environment?

…..there is increasing demand for project transparency

DRAFT

8

PwC

Reasons for program failures

Poor estimation continues to be the largest contributor to project failures.

Poor estimates, lack of sponsorship and poorly defined scope are 3 primary reasons cited for project under-performance

Source: PwC’s 3rd Global Survey on State of Project Management (2012)

DRAFT

9

10PwC

The state of the Internal Audit profession 2012

92%of CAEs

…consider project risk as either important or very important.

82%of Executives 27%

of CAEs…think large program risk is considered well managed.

37%of Executives

PwC

Transformation change: Internal Audit challenges

11

Building a portfolio risk assessment process which considers the current and emerging risks and evolves with project delivery.01Enhancing existing project audit methodology to consider current techniques and more dynamic application.02Understanding and leveraging the ‘lines of defense’ appropriately.03Acquiring the right resources and skill sets to assemble the team.04Identifying effective methods for communicating and reporting risks timely.05

Strategic initiatives – the risks

C

PwC

Key areas of project riskRisks are not isolated to classic project management artifacts, but extend to a broader ‘risk universe’.

Data• Data Structures• Mapping • Cleansing Effort • Conversion and validation • Data governance• Backup and

recovery• BI and reporting

strategy Organization• Business impacts• Training • Communication• Organizational alignment• Change management • Compliance and controls• Business continuity

Governance• Strategic Alignment• Senior Management

Commitment• Sponsorship / Champions• Governance and Decision

making• Synergy identification and

tracking

Program Management• Time schedules• Budgets• Resources/staffing• Vendors• Knowledge transfer• Issue and Risk

management• Scope management

Technology• Infrastructure• System

architecture• Networking• Security• Availability• Performance• Disaster recovery

Process and Solution• Requirements• Business processes• System Development

Life Cycle• Data• Controls• Bolt-ons• Interfaces/integrations

**

$

$

$$

DRAFT

13

14PwC

Project risk – Inherent, Delivery, Delivered

Inherent Delivery Delivered

Strategy and Governance

No strategic roadmap for IT spend

Project does not align with business strategy

No business owner for realizing project benefits post-implementation

Program Management Organization lacks a project management methodology

Project reporting is inconsistent and inaccurate

Lessons learned are not captured

Organization Organization has little experience with large projects

Business SMEs have limited capacity for involvement in delivery

Organization resists adoption of the new solution

Solution and Process No process maps or metrics impairs ‘case for change’

Interim processes are ad-hoc and labor intensive

Solution does not include robust internal controls (SOX compliance)

Data Data is not ‘clean’ Data conversion is inaccurate Backup and archiving not included in solution

Technology Inconsistent technology platforms, and no vision for rationalization

Insufficient environments to support development, test, and production

No support and maintenance plan for new infrastructure

$

$

$$

**

Note: There are high level examples only. In most cases, there will be many specific risks corresponding to each box above.

DRAFT

PwC

Who plays a part in managing program risk?

PMO monitoring and assurance activitiesExamples of Level 2 activities:• Operational risk teams• Compliance teams• Organizational or independent PMO• Targeted QA activities (from within the

organization but independent of the project)• Product vendor provided assurance

External vendor and internal auditExamples of Level 3 activities:• Internal Audit reviews (part of

the annual plan)• ‘Health checks’ and targeted

specialist ‘Deep Dive’ reviews• External Audit reviews

Work stream monitoring activitiesExamples of Level 1 activities:• Program risk function• Program PMO• Vendor PMO & QA

Large transformation projects typically have a number functions supporting risk and quality management. Understanding the respective roles and levels of assurance provides a holistic view of current assurance levels and helps identify the gaps that may need to be addressed.

15

DRAFT

Internal Audit’s role

D

PwC 17

In 2013, were stakeholders satisfied with IA’s role?

Source: Examining the issues – 2013 IA Global survey

DRAFT

PwC

Stay ahead of the curve

Use Subject Matter Specialists.

Develop an embedded assurance plan.

Get involved early.

Build a ‘three lines of defense model’.

Operate the integrated assurance plan, making responsive changes based on the shifting risks.

Agree how, when and to who you will report.

Focus on value.

How can IA add value to a project?

DRAFT

18

PwC

1. Navigate the integration risk landscape

2. Understand stakeholder perspectives and provide

deeper insights3. Cut through the clutter

Questions

How well aligned is internal audit’splan with the critical risks facing theorganization?

Does internal audit provide a point ofview to help the business improve itsresponses to risk?

How effectively does internal auditcommunicate with stakeholders?

How can IA effectively engage in Transformation initiatives

• Think and act strategically to focus on key integration risksInternal audit understands the organization’s strategy, initiatives, and related risks; project audit activities are derived from a top-down risk assessment and aligned with stakeholder expectations.

• Leverage the second line of defense Internal audit contributes to and coordinates with organization and program risk management efforts, providing insight to the overall risk management process and focusing audit efforts appropriately.

• Understand the business Internal audit is in a unique position to objectively assess perspectives of various integration stakeholders – leverage this to foster the desire for internal audit involvement in integration (and all significant) business initiatives.

• Leverage specialists Internal audit uses specialists —both internal and external—to support work in areas where it does not have the breadth and depth of expertise to effectively provide a point of view.

• Deliver advice and best practices Internal audit provides deep insights in all of its activities, as well as proactively offering advice on the design of future processes.

• Build trust through ongoing dialogue Significant attention is given to face-to-face communication with stakeholders, including the audit committee. In these meetings, additional perspective is provided around the management of critical risks.

• Simplify reporting, make it consumable Internal audit reports contain concise messages clearly linked to underlying business risks.

• Connect the dots Internal audit identifies common themes and trends across the organization, enabling the business to close gaps.

19

How can IA add value to a project?Develop forward looking view

DRAFT

PwC

How can IA add value? Controls are often overlooked

20

Desi

gn

Bu

ild

Bu

ild

UA

T

Imp

lem

en

t

Go L

ive

Project life cycleProject life cycle

During During developmentdevelopment

PostPost imp.imp.

PrePre-- implementationimplementation

highhigh

finishfinishstartstart

lowlow

Solu

tion

Blu

ep

rin

t

Test

Imp

lem

en

t

Go L

ive

Cost

of

con

trols

Project life cycleProject life cycle

During During developmentdevelopment

PostPost imp.imp.

PrePre-- implementationimplementation

highhigh

finishfinishstartstart

lowlow

The design of internal controls (configurable, manual, and access/security) during business process design, rather than identifying and correcting control weaknesses after the process and systems are installed, provides the greatest value in terms of process, system, and data integrity, at the lowest cost.

Cost of controls increases as

project progresses

DRAFT

PwC

Developing a Project Assurance Plan

21

Why is a Project Assurance Plan important?

• Helps to understand the roles and sources of assurance available to a project

• Help you to develop a risk-driven integrated assurance plan that is aligned to the three lines of defence.

When should the Project Assurance plan be developed?

• Ideally this occurs from the beginning of the integration program, and makes use of the program’s initial risk assessment activities. However, it can be implemented at any point in the lifecycle.

Who should be involved in developing the Project Assurance plan?

• Key project stakeholders (internal to the project team and business)

• Representatives from each line of defense (the PA plan is often a component of an integrated risk or quality management plan)

DRAFT

PwC

Managing risk over the program lifecycle

• Project governance and mgt review

• Planning and mobilization

• Business case review

• High level target operating model

• Organization change strategy

• Deployment strategy

• Business process design

• Data and reporting design

• Test and data conversion strategies

• Security & controls

• People and Org Design

• Dedicated vendor management

• Solution testing and remediation

• Training plans and execution

• Data conversion• Security and

control configuration

• Business continuity planning

• Benefits management plan

• Support model design

• Test and training results

• Go-live process• Data conversion

process• Transition to

business as usual (BAU) planning

• Stakeholder engagement

• Go-live readiness assessment

• 30-90 day support• Business adoption• Benefits

realization• Compliance and

controls certification

Assess Design Construct Implement Operate & Review

Del

ive

rin

g C

ha

ng

e

Is the ‘case for change’ robust with clear scope, business outcomes and ownership?

Will the organization & technical design deliver the benefits?

Is the solution being built as designed and robustly tested?

Is the business ready to go with detailed go live and support plans in place?

Are the benefits being delivered and what could be improved?

Is the program being effectively governed against guiding principles and managed across all workstreams?

Is delivery of business benefits a key focus throughout the lifecycle?

Is the Change Management approach appropriate and delivering success?

Dri

vin

g C

han

ge

Is the organization engaging key stakeholders (including existing vendors/partners) throughout the change?

$

$

$$

**

22

DRAFT

Keys to successful transformation assurance

E

PwC

Top 10 Keys to success

Key events that may contribute to a successful Project Audit:1. Stakeholder buy-in & tone at the top, understanding & acceptance of engagement

2. Staffing, proper technical skills, qualifications and capabilities allowing the team to quickly establish credibility

3. Understanding project needs and expectations, as well as the level of comfort desired

4. Scoping appropriately, leveraging a risk based approach and delivering upon the agreed scope

5. Up-front communication regarding scope of review, extent of review, timing of review and level of details to be provided in reporting

6. Execution and completion of work within defined budget and schedule

7. Change agility, being able to change with the project needs (adjust timeline, etc.) but avoiding scope creep

8. Communication to all parties

9. Relevance, providing actionable useful and timely deliverables (reporting) – consider requirements of the audience (i.e. Audit Committee, Sponsor, Project Manager, etc.)

10.Monitoring project progress between checkpoint reviews to minimize ramp-up time required at each checkpoint

24

DRAFT

Recap and Closing

F

PwC

Use Subject Matter Specialists.

Develop an embedded assurance plan.

Get involved early.

Build a ‘three lines of defense model’.

Operate the integrated assurance plan, making responsive changes based on the shifting risks.

Agree how, when and to who you will report.

Focus on value.

Recap & Questions

DRAFT

26

Contact Details

G

© 2014 PricewaterhouseCoopers LLP. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.

Thank you

DRAFT

Team contact information

Antwon Hardwick

(678) 419-8618

Team contact information

Kshipra Pitre

(678) 296-6066