Retail Audit Forum National Exhibition Centre PROJECTS AND INTERNAL AUDIT TIM FOSTER 17 OCTOBER 2013


• How should projects be audited?

• Should internal audit sit on the project team?

• How should audit report their findings?

• Does the traditional approach work?

• How to balance internal audit independence and adding value to the project.


“A unique transient endeavour undertaken to achieve a desired outcome.”

ASSOCIATION FOR PROJECT MANAGEMENT (APM)

PROJECT CHARACTERISTICS

• One-off activities

• Have a purpose with clearly-defined aims

• Create defined project deliverables

• Aims must be achievable and measurable

• Are limited in time – with a defined beginning and an end

• Require a defined amount of resources

• Need to be managed by a defined organisation with clear roles and responsibilities

• Always involve some uncertainty and risk

PROJECTS CAN BE ASSESSED AND ARE OPEN TO EVALUATION

COST

QUALITY

A PORTFOLIO, PROGRAMME OR A PROJECT?

[Diagram with labels: PORTFOLIO, PROGRAMME]

WHAT CAN GO WRONG?

• Failure to deliver a project on time and to critical deadlines

• Failure to stay within budget

• Failure to meet all of the criteria for success / quality

• Failure to achieve the stated benefits

• Balance - completion vs. benefits and benefits vs. time and cost

• Impact:

– Market opportunities

– Growth potential

– Financial performance

– Improved services

– Regulatory compliance

– Reputation

– Confidence

WHY DO PROJECTS FAIL?

• Poor estimations and planning

• Missed deadlines

• Scope creep

• Increasing complexity

• Insufficient resources and budget

• Lack of clarity as to stakeholder needs

• Poor communications

• Weak project governance

• Inferior quality of deliverables

• Collaboration across geographies, differing cultures etc

• Deteriorating motivation

UNWILLINGNESS TO PULL THE PLUG

WHY INDEPENDENT ASSURANCE?

• Provide an unbiased / outside-in view

• Eyes and ears for stakeholders

• A true picture of a project’s status - real time feedback

• Highlight potential issues

• Challenge projects risks - reduce risk exposure

• Assess governance mechanisms

• Help mitigate losses

• Benchmarking and insights – what we have seen work well (and not work well) elsewhere

• Promote transparency

• Provide comfort

WHAT IS PROJECT ASSURANCE?

• Business assurance - checking project remains viable in terms of costs and benefits

• User assurance - checking users' requirements are being met

• Quality assurance - ensuring standards and procedures

• Technical assurance - project is delivering a suitable solution

WHO IS PROVIDING ASSURANCE?

SOURCES OF ASSURANCE

Column groups: RISK, TYPES OF PROJECT ASSURANCE, TYPES OF EXTERNAL ASSURANCE

Columns: No., Description, Rating, Board, PMO, PMs, Techs, Plans, Project Assurance, Internal Audit, Regulator, Advisors, 3rd parties

1. Risk 1

2. Risk 2

4. Risk 3

5. Risk 4

6. Risk 5

7. Risk 6

• Understand who provides assurance to the project

• Scope of work

• Recipients of assurance

• Quality of the assurance

INTERNAL AUDIT’S ROLE IF PROJECT ASSURANCE EXISTS

• Assurance over reliability of project assurance activities

• Advice to those providing project assurance

– Guidance

– Approaches / testing

– Templates

– Reporting

• Consulting over process and controls design

INTERNAL AUDIT’S ROLE AS PROJECT ASSURANCE

• Project governance review (e.g. design and operation of standards applied to the project)

• Validate business case (e.g. extent, approach, outcomes)

• Assess ongoing financial viability

• Risk assessment (e.g. identification and mitigations)

• Go-live decision (e.g. assessments, testing)

• Benefit realisation (e.g. test success and achievement of requirements)

• Single point in time healthcheck of project processes

• Snapshot of project status

• Validate design of new systems, processes, controls and frameworks

• Provide advice (e.g. benchmarking, insights etc)

• Post implementation review (e.g. lessons learned)

• Continuous monitoring of project status, processes and validation (e.g. embedded project assurance)

QUESTION:

What is your internal audit team’s current role on projects?

WHAT SHOULD PROJECT ASSURANCE COVER?

• Project governance, including policies, procedures and controls

• Business case - valid, viable, worthwhile

• Project planning - critical path, completeness, suitability

• Change management – adherence of control, timeliness

• Risk and issue management – depth, coverage, resolution

• Project costs – actual vs. budget

• Sign-off and criteria for stage gates

• Approach to vendor management – contracting, dependencies

• Business readiness – pre-go-live

• Project communications - accuracy, detail, honesty

• TIME - variance against milestones

• COST - variance against planned budget

• QUALITY - degrees off the quality target

• SCOPE - variance agreed against what will be delivered

• RISK - limits on identified risks as a percentage of the overall budget

• BENEFIT – variance against level of benefit identified as part of the business justification

WHEN SHOULD INTERNAL AUDIT GET INVOLVED?

• Dependent on type of assurance

• Get involved as early as possible

• Join project board - opportunity to influence decisions as trusted advisor

• Initiation stage – business case reviews, design of governance controls

• When can add most value (e.g. prior to “go live”)

• Surprise audits – healthchecks, snapshots etc

• End of project life – post implementation reviews

WHEN SHOULD INTERNAL AUDIT GET INVOLVED?

[Diagram: project lifecycle stages with review points; labels listed below]

SETUP

• Business Case
• Define the programme
• Source the Project Managers
• Prepare the Programme Initiation Document
• Define the programme organisation
• Define the project
• Set up the project team
• Prepare the Project Initiation Document
• Define the project organisation

CONTROL

• The control cycle: Do work, Measure progress, Address deviations, Identify deviations
• Schedule, Costs, Benefits, Risks, Opportunities, Issues, Change, Reviews

CLOSURE

• Terminate project (project found to be no longer viable)
• Close completed project (project completed)
• Post-Implementation Review
• Project removed from project portfolio

Review points:

• Business Case Review
• Project Initiation Review
• Design Consulting / Review
• Healthcheck Review
• Healthcheck Review
• Post Implementation Review
• Go-live Review
• Benefit Realisation Review
• Healthcheck Review

WHAT TO WATCH OUT FOR

• Formality and documentation

• Clear links between project and key strategic priorities (lack of clear direction)

• Good understanding of project objectives/rationale

• Effective engagement with users and stakeholders

• Level of ownership, support and leadership (degree of importance)

• Depth of risk management (e.g. lack of a risk register)

• Level of properly skilled resources

• High turnover of project resources

• Rising costs

• Keeping to themselves – silence is not golden! (lack of openness)

QUESTION:

How much of your internal audit plan is dedicated to project assurance?

THE RISKS OF INTERNAL AUDIT INVOLVEMENT

• Compromise independence - audit activities that were the basis of the project

• Acting on behalf of management - be seen as part of the decision making (auditor sign-off)

• Too much onus on internal audit report and assurance - interpreted as ‘audit approval’

• Unsuitable resources and specialist skills to audit effectively and credibly

• Impact of project delays on internal audit plans

• Replicating project activities (e.g. testing, project assurance etc)

• Assessment findings delay project progress

• Focus on the wrong projects to audit

• Lack of stakeholder buy-in to audit / seen as a hindrance

RESOURCING PROJECT ASSURANCE

• Effective planning - enough resource with the right competencies

• Balance with ‘day to day’ internal audit work - fraud, IT, other business operations

• Extended resource model

– External specialists

– Operational secondees

– Peer reviewers

• Required skills:

– project management techniques (e.g. PRINCE2, BS 6079-1:2010 )

– preparation of business cases

– project planning

– project risk management

– precision, clarity, speed, empathy

MOVING AWAY FROM TRADITIONAL AUDITING

• Transaction-based vs. process-based

• Financials focus vs. goal focus

• Compliance vs. performance improvement advisor

• Procedures vs. risk management

• Policy adherence vs. strategic change

• ‘What is’, ‘what was’ vs. ‘what will be’

• Balance traditional compliance needs and areas with significant impact to shareholder value

• Link scope to strategic themes and critical processes

• Need to be more dynamic and proactive

HOW SHOULD AUDIT REPORT THEIR FINDINGS?

• Needs to be timely

– Depends on project timeline

– When adds most value

• Flash reports vs. full audit reports

• Presentations to project board

• Live upload into issue logs and risk register

• Regular monitoring and follow up

How should projects be audited?

Should internal audit sit on the project team?

How should audit report their findings?

Does the traditional approach work?

How to balance internal audit independence and adding value to the project.

QUESTIONS?

Copyright © October 13 BDO LLP. All rights reserved.

Tim Foster, DIRECTOR – RISK AND ADVISORY SERVICES, BDO LLP
