Why do we need assurance?
...I need to know that everything is
...I need to know whether what I am
being told is correct”.
...I need to be confident that I am going to
get what I want”.
...I need to know whether the project is going to
finish on time and within budget”.
Who is it for?
Audit Committee &
Anyone who operates or
owns a control
What is project auditing?
According to the Chartered Institute of Internal Auditors it is ‘an
independent, objective assurance and consulting activity designed to add
value and improve an organisation’s operations.
It helps an organisation to evaluate and improve the effectiveness of risk
management, control, and governance processes.’
Risk – The risk of something bad happening.
Control – Any action taken to manage risk and increase the likelihood that
goals will be achieved.
A Guide to Integrated Assurance identifies the following principles for
3 lines of defence
An established accountable
risk and control framework
Risk Management specialists
Strategic risk management
Policy & procedure setting
Independent assurance –
Independent challenge and
1st line assurance 2nd line assurance 3rd line assurance
Another question round…
A couple of questions about your relationship with internal audit
Flip the script
▪ Don’t have assurance done to you
▪ Welcome it and make it work for you
▪ Why not design an assurance approach at the start of your project?
▪ Use 1st, 2nd and 3rd line of defence (if required)
▪ Maintain an effective working relationship with internal audit
Let’s demystify the audit process…
Scope & Plan
Review the position of the
Review current risks
Define the scope and plan
Produce a Terms of
Assess design adequacy of
Define test plan for
Assess the operational
effectiveness of key
Discuss control gaps and
Analyse root cause
Agree factual accuracy of
findings with management
Obtain sufficient evidence
of action completion
Close management actions
Scope & Plan
Raise risks and issues
Have input into the scope
Help define the plan
Present current controls
Highlight any known gaps
Gain insight from audit
Recognise the opportunity
What’s in it for me?
Project organisation and governance
Project definition and requirements management
Commercials and procurement
Organisational capability and culture
And many more…
When assessing the level of assurance and the scope of assurance required for a project
▪ The level of risk posed by the project – assess it against your organisation’s risk
▪ Which operational risks might be affected
– IT, Supply Chain, Financial Crime, Information Security
▪ Which change controls are in scope of the current lifecycle stage
– Business Case, Benefits Register, Design Documentation, Testing
▪ The project’s Risk Register
A few ways to maximise benefit
▪ Conduct a risk-based audit
▪ Collaborative planning
▪ Focus on key risks first, in case you run out of time
▪ Can you report or provide feedback iteratively?
▪ Discuss your approach with stakeholders; they may provide useful insight
How to deliver the best outcome
The output of any audit is a final audit report, but the level of quality can vary.
▪ Make it concise and to the point
▪ Ensure it provides valuable insight
▪ Write clear findings explaining the impact and root cause
▪ Agree management actions that will improve control and reduce risk
Please write any questions in the chat box.
If you have any more questions or would be interested in joining a Project
Management User Group, please contact us.