“You’ve been selected for an audit” are not the words most project managers want to hear. Their fears are understandable. An audit means scrutiny. Coordination and time are required when the project manager’s plate is often already full. There are concerns about the outcome and its effect on the team and current work as well as careers and advancement. As with many topics related to project management, the way to overcome this apprehension is proper planning and preparation. A project manager who knows what the audit process entails is more likely to have a positive audit report. This paper will present an overview of what a project audit is and describe a case study to illustrate key points.
Why the Interest in Project Audits?
Two events have contributed to more organisations conducting project audits than in the past: regulatory compliance and pressure on corporate profits. Laws such as Basel II, the EU 8th Company Law Directive (84/253/EEC), and Sarbanes-Oxley require organisations to put effective risk management processes and internal controls in place. Both Sarbanes-Oxley and the 8th Directive require publicly listed companies to have an independent Audit Committee and monitor the effectiveness of internal controls. Sarbanes-Oxley goes further than the 8th Directive in that it requires that internal control deficiencies be reported to the Audit Committee and that an internal control report to the company’s shareholders be issued. Although Sarbanes-Oxley is a U.S. law, it affects international companies that are listed on U.S. stock exchanges. In 2004, the New York Stock Exchange required all listed companies to “maintain an internal audit function to provide management and the audit committee with ongoing assessments of the company’s risk management processes and system of internal control.” (NYSE, 2003, p.1) Management is increasingly using a project audit as verification that they have such a system in place. An audit examines areas where management has the most concern: risk management procedures and the business benefits case.
Scrutiny of project benefits is another reason why project audits may be occurring more regularly. For-profit companies are under pressure to provide earnings growth of 15% and higher. Projects are required to contribute to that growth and show a return on investment. At the same time, executives are keeping a closer watch on spending, especially for information technology projects. There is also an increasing emphasis on good governance, in both for-profit and non-governmental entities, and project audits are viewed as a useful tool in these efforts.
Three W’s: What, Who, When
What is a project audit? A Guide to the Project Management Body of Knowledge (PMBOK® Guide) defines it as, “a structured independent review to determine whether project activities comply with organisational and project policies, and procedures.” (Project Management Institute, 2004, p. 189) In short, it is a quality management tool. There are several variations of a project audit: in-process quality assurance review, gateway review, project management audit and post-implementation audit. The project manager should realise that each can have a different set of objectives. By ascertaining what these objectives are, the project manager will better understand the direction in which the auditors are headed – and better anticipate the types of questions the auditors will ask. We’ll discuss two methods of determining the audit focus, the announcement letter and the audit programme, later in this paper.
Who will conduct the audit? This depends on the organisation and project. To ensure the audit is unbiased, the reviewers should have no conflict of interest and be independent, i.e. not related to or controlled by the party being audited. Organisations may use a combination of project management office staff, internal audit staff, external auditors and/or external third-party experts. The audit team should include functional as well as subject matter experts, e.g. if the project is information systems related, the business viewpoint must be represented as well as information technology. For post-implementation reviews, some businesses include team members from the project implementation team, but then ensure the audit team lead is independent.
A third-party firm may be used when the internal audit function lacks bandwidth or expertise in a particular subject matter area. Some prescient organisations even plan for such possibilities as part of their procurement – see the case study for details.
When the audit is conducted often depends on the type of audit. Gateway reviews are conducted at the end of a project phase and prior to progressing on to the next phase. A project audit may be conducted at any time, but is often timed so that sufficient deliverables are available for review, or when a project sponsor seeks an independent assessment of project progress. Post-implementation reviews occur after the end of a project, but the exact timing could be from a few weeks to a year, depending on what is to be examined. It can be difficult to assess benefits unless sufficient time has elapsed and the proper benefits realisation processes have been built. Ideally, the auditors should be able to examine the already implemented benefits measurement procedures and compare initial benchmarks with ongoing results.