Project audit: Presentation about auditing project management with Case study view. Presentation given at PMI EMEA Congress 2006 by Project Auditors LLC.
1. Help! Your Project has been Selected for an Audit - What Now?
Joy Gumz, CPA, CISA, PMP
Project Auditors LLC
Session Number SIP18
Presentation given at the PMI EMEA Global Congress
Madrid, Spain 2006
2. Objectives
• Three primary objectives
– Understand the processes in a project audit
– Know the key areas on which auditors often focus
– Be better prepared to respond to auditor requests
• Eliminate the Fear Factor!
3. About Project Auditors LLC
• Professional consulting and auditing firm
– Professionals certified in accounting, audit & PM
• Experts in project controls: preventative & detective
• Providing auditing, assessments and reviews
– Construction & Engineering Projects
– Oil & Gas Projects
– ICT (Information Communications Technology)
4. A few clients
See more at our website: http://www.projectauditors.com
5. Format
• Terms
• Process
• Focus Areas
• Case Study
– Allow participants to see what happens by participating in a mock audit scenario
• Q & A
6. About the Session Attendees
• Any auditors in the audience?
• Has anyone been on a project that has been audited?
• Is there anyone who thinks they might be audited in the future?
7. “Bare bones” of an auditor
• No heart - not essential
• Large cheek for keeping tongue in
• Strong teeth for getting into things
• No bowels to get in an uproar
• Hard neck & thick spine
• Chest for keeping things close to
• Umbrella for self-defence
• No shoes - enables walking on thin ice and faster getaways
• No knickers to get in a twist
• Large knees to handle weight of carrying audit work papers
• Audit Department issued laptop
• Hat for keeping things under (UK)
8. Learning the Language
• COSO* – Internal Controls Framework
– Monitoring
– Controls Activities
– Risk Assessment
– Control Environment
*COSO - Committee of Sponsoring Organizations
9. Learning the Language
• Auditors tend to be process-oriented
– Methodology
– Policies and Procedures
– Standards
– “Best practice”
• PM implications
– Show that you follow well-defined processes or have an approved variance
10. Learning the Language
• Controls activities
– Actions supported by policies and procedures that help assure management directives to address risk are carried out on a proper and timely basis
• PM implications
– Risk management plan
11. Learning the Language
• COBiT Framework
– Information Technology (IT) specific
• Control Objectives for Information and related Technology
• Developed by the IT Governance Institute
• Framework to evaluate IT Operations and Projects
• PM implications
– IT - Is COBiT being followed?
– Non IT – what standards apply?
– Quality Management Plan
12. Learning the Language
• Controls self-assessment
– Questionnaire to elicit data about controls, risks, and processes
– Given to selected individuals by the auditors
– Completed by individuals involved in the organisation’s operations, rather than by the auditor
– Responses compiled by the auditors
– Used to determine higher risk areas on which auditor will spend more time
• PM implications
– Time for team/stakeholders to complete
13. Learning the Language
• Audit Program
– Defines scope and objectives of an audit
– Defines steps and procedures auditors expect to conduct
• PM implications
– If copy available to PM, transparency is increased
– If possible, obtain a copy
On the other hand, their audit procedures are impeccable
14. Learning the Language
• Finding / issue / audit point
– A conclusion related to an auditor's examination which identifies problems and provides recommendations for corrective action
– Auditor will generally discuss with PM and document PM’s response
– Often quantified by risk: high, medium, low
• PM implications
– Does the auditor have the full story, e.g. have mitigating actions been taken?
– Is risk representation accurate?
15. Learning the Language
• Work papers
– Indexed and cross-referenced documentation of the audit procedures
– To be in compliance with generally accepted audit standards, must be reviewed and approved by a second auditor
– Part of the auditors’ internal deliverables, but not generally shared
– Clear, convincing, complete, accurate, objective and concise
16. Learning the Language
• Audit Report
– Deliverable of the auditors
– Draft and Final versions
– Parts
• Background
• Scope and objectives
• Opinion
• Findings and recommendations
• PM implications
– Does opinion express confidence?
– Is rating color coded – red, yellow, green?
18. Audit Process Steps 5 - 9
• Field work
• Draft report of findings and recommendations, and an opinion
• Closing conference
• Final report issued including management’s response
• Action plan and follow-up
19. PM Implications
• Who can I delegate to respond to documentation requests?
• How should I communicate the audit to my team and other stakeholders?
• How much time should my staff plan for interviews and questions?
• Who should I have at the opening conference? The closing conference?
• How often should I meet with the lead auditor?
• The number/severity of findings can make for a time-consuming action plan
20. Case Study - Background
• Organisation
– International Fund for Agricultural Development (IFAD)
• A United Nations organisation
• Mission
21. Case Study - Background
• Project
– Strategic Change Programme
– Initiated in 2000
– Goal
• Achieve efficiency gains for basic processes
– Scope – integrate its financial and human resource systems
• Software: Peoplesoft Human Resources and Financials
• Old software
– Peoplesoft Financials – customised
– Bespoke loan system programmed by consultants
– Mainframe-based Millennium personnel/payroll system
22. Case Study - Background
• Integrator
– Major consulting firm “ABCD”
– Fixed price contract
• Contained clause for a project audit
– At management discretion
– Full cooperation by integrator was mandatory
23. Case Study - Profile
• Challenges
– Aggressive timetable
– Aggressive scope
– Integrator did not have much experience in certain Peoplesoft functional areas
– Critical loan system
• Originally planned to be in Peoplesoft
• Integrator was now unsure and did not have a path forward
24. Case Study - Profile
• Independent audit contracted
– Objectives
• Comprehensive review of program – focus areas:
– Programme planning and monitoring
– Risk and issues management
– Testing
– Data migration
– Integration issues
– Communication
– Training and change management
– Contract performance
– Scope
• Entire Strategic Change Programme since inception
25. Case Study – Process Overview
• Four reviews over 12 months plus
– Opening conference
– Onsite review of documentation
– Interviews of IFAD staff and ABCD resources
– Observations of project activities, e.g. testing, training, meetings
– Standards – IEEE
• Software Quality Assurance Planning
• Software Project Management Plans
• Software Testing
• Draft report with opinion, findings and recommendations
• Subsequent reviews analysed degree of action taken
26. Case Study – Results
• Recalibration of program
– Implementation partner relationship terminated and amicable withdrawal arranged
– New programme structure established
– Remaining work replanned in two phases
• Goals achieved
– Loan system remained outstanding
27. Areas on which Auditors May Focus
• Project governance
• Standards and organisation policies
– Deviations from standards
• Internal standards, recognized bodies
– Variance process
• Management of
– Risk
– Changes
– Issues
28. Areas on which Auditors May Focus
• Signoffs
– Deliverables
• Business case
– Is it reasonable?
– Has it been approved?
• Security
– What steps to ensure proper design, approval, test, implementation
– Process to ensure right people have right access
– Separation of duties
• Regulatory/compliance
29. Mock Audit Scenario 1
• Assume you are the project manager being audited.
• The project has been ongoing for 9 months.
• An auditor has sent you an email with a schedule of planned dates for an audit.
• It shows the field work will begin during the user acceptance period.
• The go-live date is planned before the draft report is completed.
• What do you do first?
30. Mock Audit Scenario 1
A) Tell the sponsor that the auditors are being unreasonable
B) Review the project plan and see how your team will be impacted
C) Call the auditor to determine whether the dates are “hard” or negotiable
D) Put your CV together
31. Mock Audit Scenario 2
• The auditor has emailed you a request for a number of documents. You know that this is just the first of several requests the auditors will have.
• What do you do?
32. Mock Audit Scenario 2
A) Stay late and send as many documents as you can
B) Email the auditor that you will send the documents when you get around to it
C) Call a team meeting to discuss the additional workload and how tasks will be assigned
D) Ask the auditor why these documents are needed
33. Mock Audit Scenario 3
• The auditor is meeting with you daily at 4:30 pm to review any possible audit points with you.
• You are certain one deliverable will be a “hot button”. The deliverable has already been approved. It has 6 sections.
• The methodology states there should be 9. You discussed this with the Chief Information Officer and he agreed with your approach for this project in an email he sent to you.
• Sure enough, in the 4:30 pm meeting, the auditor asks you why the deliverable doesn’t follow the methodology.
• What do you say?
34. Mock Audit Scenario 3
A) Explain the methodology is optional
B) State that as long as the deliverable is approved, it doesn’t matter whether the methodology is followed
C) Ask whether the auditor expects the methodology will always be followed
D) Explain that a written variance has been signed by the CIO allowing for 6 rather than 9 sections in this deliverable
35. Summary
• When they audit you, auditors are following a process
• You need to
– Know the language
– Understand the process
– Negotiate appropriately
– Communicate!