The value of internal audit as a critical component of corporate governance and risk management is an undisputed fact. However, within an increasing audit universe, there is an elephant in the room that often escapes notice during the audit planning process but can have significant implications for the business if left unaddressed. Part one of this two-part series introduces this elephant: the need for oversight and monitoring of project risk. The final part of the series discusses what traps to avoid when reviewing project risk and internal audit's growing role in this area.
The Elephant in the Room – Understanding the Audit Challenges of Project Risk – Part 1
The value of internal audit as a critical component of corporate governance and risk management is an undisputed fact. Review the annual internal audit plans of any large organization and you will see an outline calling for a comprehensive review of most, if not all, of the organization's core competencies and key support functions.
However, within an increasing universe of organizations, there is an elephant in the room, so to speak, with the audit committee during the planning process, one that often escapes notice but can have significant implications for the organization if unaddressed.
That elephant is the need for oversight and monitoring of a growing inventory of initiatives and projects outside the normal framework of day-to-day business processes and activities. These can account for significant investments in staff time, hard- and soft-dollar costs and the potential for disruption of daily operations. Within many organizations, these investments are considered necessary to achieve important benefits. Unfortunately, since internal audit plans have not consistently addressed project risk, lapses have often resulted in predictable and troubling wastes of time, effort and resources.
Recent studies have demonstrated that just 9.2 percent of all major initiatives are actually completed on time and on budget. Just as disturbing was the finding that the average time overrun on projects and major initiatives was 222 percent. On average, projects scheduled to take one year actually took two, and some overruns went much longer. Other projects saw a doubling of their original budget projections. Approximately 31 percent, almost a third of all projects, were canceled prior to completion due to a loss of direction and inability to deliver projected benefits.
Statistics such as these prove that, on the whole, projects and major initiatives are not being well managed, nor are they getting the degree of internal audit review and governance that might make a difference. All of which frames the inevitable question: Why is project risk so often not identified and addressed by management and internal auditors?
Defining the Challenges
Project risk has a number of different definitions depending on the audience. The business and its customers have a relatively simple, clear-cut view of a project's success: Did it deliver the benefits? The project manager's concern is more pragmatic: Was the initiative completed on time and on budget? The internal auditor's view must encompass all of those factors besides the traditional concerns of compliance and regulatory standards.
From my experience, several distinct challenges face internal auditors attempting to identify and help manage the elephant in the room.
The first is simply trying to identify potential project risks during the audit planning process, especially when an intended project is in its earliest phases or has yet to launch. For instance, what unintended consequences and privacy compliance issues might result from a project aimed at moving customer information from paper to electronic files, or widening access to electronic files that may already exist?
Another challenge is the realization that auditors accustomed to reviewing established business processes may face a steep learning curve when reviewing major new project initiatives. It is tough enough to get a firm grasp on the objectives and direction of a project that has yet to launch or that might already be well underway, while at the same time having to get up to speed on project methodologies and the business processes likely to be affected.
Inadequate expertise in project risk assessment may be another challenge. This is analogous to the lack of expertise internal audit departments once had in the IT area before the deficiency was addressed with appropriate training. No internal audit director today would contemplate assigning an auditor to review a technology-intensive or dedicated IT unit without sufficient training. Likewise, an increasing number of internal audit departments are realizing that project risk assessment is another key area of necessary expertise and are contracting to develop these skills within their teams.
The lack of inclusion on the project team or within the business/customer team anticipating the ultimate project benefits is another challenge for the auditor, making it more difficult to find out and understand what is really going on at any given point. In such situations, a common mistake the auditor might make is to view project management as nothing more than focusing on a status chart or Gantt chart, assuming that if the project appears to be on track everything is all right, without focusing on the business case, scope and expectations of the business and various stakeholders.
Resistance to Auditing Works in Progress
One of the greatest challenges auditors must overcome is the hesitation of project leaders to involve internal audit in reviewing something that is not tied up in a bow and finished. Many project sponsors simply do not want to be told that something is wrong while a project is still in development. The irony of this view is that many projects either fail to achieve their stated goals or are abandoned simply due to the lack of the kind of oversight and governance that internal audit could have provided earlier in the game.
At a minimum, internal auditors should be involved in the project team's pre-implementation meeting to ensure that issues of controls, governance and measurement are addressed from the very beginning. Going forward, three primary audit methodologies can be useful in auditing project risk:
- Pre/Post implementation reviews – This is a simple before and after view of the project, measuring the outcome at the back end against the expectations at the beginning.
- Gateway review – This technique relies on point-in-time reviews to assess progress while the project is underway.
- Project lifecycle involvement – This is the most comprehensive internal audit engagement, representing the full involvement of the internal audit function from participation on the project steering committee to embedment within the project team for the duration.
Whatever techniques internal auditors may employ to review project risks, they must also be aware of some of the traps that may prevent them from achieving a clear view of what is going on and what progress is or is not being made.
The Elephant in the Room – Understanding the Audit Challenges of Project Risk – Part 2
Avoiding Traps
One such trap is simply taking the project team's status reports at face value and accepting that information as gospel in formulating a view of progress and direction. Typically, this happens because auditors may not have confidence in their project management prowess, a deficiency that can be addressed with proper training. Certainly, no one is implying that project managers are trying to mislead auditors; however, a healthy skepticism is always a good thing in our profession.
Another trap is the failure to talk to some of the key stakeholders who are depending on the success of the project. Their ideas can be a valuable resource in understanding project expectations and their perceptions of what success would look like.
Another common trap in the effective auditing of project risk is simply information overload. A project of any size and complexity will generate a lot of paper. Some of the documents are critical to understanding and measuring progress, while others are of lesser significance. A good audit rule of thumb is to focus on the reporting components the project team leader uses regularly to manage the project, whether it's weekly team meetings or weekly reports provided to management. These tools will at least give some assurance that the information is as correct as it can be.
The last potential trap is failing to monitor progress on a regular basis. This can happen when the auditor only shows up at project reviews and then proceeds to get caught up in ancillary issues rather than focusing on core information about where the project stands. It is not unheard of for project team members to state that they could see problems or potential failures coming all along. By that time, an unfavorable audit report may be seen as internal audit "bayoneting the wounded," when corrective actions at an earlier point in the process might have saved the day.
This is the type of situation that tends to drive a negative bias regarding the value of internal audit in the minds of some project managers and team members.
Start by Making Friends
Internal audit has a major role to play in helping organizations to identify and then address the potential pitfalls of project risk management. But to do so, auditors need to become better integrated into the project planning process, and that can only happen by building relationships founded on trust, credibility and the project team's respect for the value that internal audit can bring.
A stronger and more effective partnership between internal audit and the project team must begin by encouraging project management skills within internal audit and forming relationships that will help hone those skills. A good place to start is for the auditor simply to establish friendships with members of the team and with the various stakeholders. Never underestimate the simple value of personal relationships that help unlock and leverage a wealth of information that can be of value to the internal audit process. The flip side is the danger of the auditor getting so close to the project team that he or she comes to rely solely on the team's representations regarding progress and problems without independent, external validation.
Internal auditors also need to make contact with the project team leaders as soon as the project is conceived so that they can explain their roles and help define the expectations. This too will have the added benefit of building vital relationships and communication links so that there is a free flow of information and ideas from the earliest phases.
Establishing credibility is another key factor in forming a productive relationship with the project team. No internal audit department would think of sending an auditor into a technology area without some background or training in that discipline. Likewise, by undertaking effective project management training, auditors will have the gravitas to convince key stakeholders and project managers of their credentials and capabilities, key components in getting the team to listen to their guidance and recommendations.
Auditors must also provide reasonable governance structures for the project team and offer realistic explanations about what constitutes good controls. While most project team members will talk about risk management in general terms, many do not really understand the ins and outs of good controls. In the end, helping team members develop an acceptance and respect for effective controls is another key value internal audit can bring to the table.
Internal Audit’s Role to Grow
The importance of internal audit in the management of project risk will continue to grow as the tendency for large organizations to use initiatives to drive change and operational transformation continues to intensify.
In the past, a typical organization might undertake one major IT project every five years. Once the project was completed, it would fade comfortably into the background. Today, organizations exist in states of continuous change and improvement. As a result, they tend to develop massive lists of initiatives. These may run the gamut from teams of just two or three employees responsible for driving a simple process change while doing their everyday jobs up to major initiatives engaging scores of people.
Organizations are becoming more project-oriented, and that means more opportunities for project risk and more openings for internal audit to play key oversight and governance roles. Due to the project and task-oriented method by which internal auditors traditionally work, they have a lot of experience in actually delivering projects. As a result, when internal audit is included in the earliest planning phases of a project, it better enables auditors to understand the scope of resources required to do the job and to communicate those observations to the project team managers. More broadly, by including upcoming projects in the organization's annual audit plan, the audit committee will also have a far better grasp of the amount of work they will have to do and what resources may be required to do it.
When internal auditors look at project risk management, they can also provide valuable guidance in the area of expectation management. For example, a project manager may be told that the team will have six months to complete a project, but everyone assigned to the team may sense that it is going to take much longer. This perception may immediately manifest itself in team members feeling as though they are on a losing team and destined to be associated with a project that either will not deliver the promised value or that may even be canceled prior to completion.
The internal auditor can provide the project manager with support in requesting realistic resources and time necessary to successfully achieve the project goals. This, in turn, reduces the chances that the morale and motivation of project team members will be damaged by the perception that they are engaged in a losing proposition and will be branded by their association with a failure.
Finally, the governance recommendations of the internal auditor can help reduce the inevitable "scope creep" that can inject itself into projects during the development phase, with the potential for sending the project off course and again de-motivating the team.
Clearly, internal audit should play a crucial role in first identifying and then taming the elephant in the room: project risk management. It is an area of business risk certain to grow within many corporate and institutional cultures in the years ahead. By being a full partner in the process, internal audit can help reduce the high costs of failure and help organizations truly reap the benefits of creativity, problem solving and transformation through effective project risk management.
* Amanda Mowat recently joined ANZ Banking Group as Senior Manager, Project & Technology Risk.