In my four decades of experience, I’ve encountered two full external audits of my projects, so a tiny percentage overall. Both of the projects were international in scope, with my chartered portion of the project being the only one delivered in another country from the parent.
In other words, the external audits were a way for the parent company to do a “sanity check” on all aspects of my portion of the project. Even though we had pre-negotiated spies in place and all the normal project controls, this was still deemed necessary.
It was always painful, but both passed with no material issues. Always know, though, that they will find areas for improvement, as they must justify the multiple six-figure costs associated with such activities.
In retrospect, cultural “risk tolerance” differences were the main contributor to the audit requirements, as the American project manager is a risk-slinging cowboy in disguise.
Hi George, thanks for sharing. A client of mine, where I offered PMO project management, would do internal audits on all projects that needed to be SOX compliant (projects that handled revenue, orders, payments, etc.). Our internal controls team would check that project managers followed process, documented approvals and captured all needed artifacts should an external audit occur. Those projects were not small in number: almost 75% of all projects the organization would engage on in a given year. It was a US multinational manufacturing public company.
It depends on industry, region, country, size, etc. You need to be more specific.
A lot depends on the industry the company operates in. Banks, for example, have well-established internal audit departments which will audit a risk-based sample of projects each year. Usually each line of business's audit department might take on up to a dozen projects, so across a bank you might have quite a few projects audited, but they also have hundreds of projects each year.
The concept of statistically representative sampling doesn't apply - auditing needs to be risk-based to deliver the greatest bang for the buck, so the sample size will vary based on portfolio composition.
In my experience (nowadays), compliance-based standards (e.g., SOX, PCI, HIPAA) are so integrated into day-to-day operations of organizations that internal and external audits/reviews hardly raise an eyebrow. In other words, the word “audit” loses its sting.
So, in the case of regulatory compliance, I believe you can say that there is some type of audit/review 100% of the time – at least if you want to remain a going concern.
I did regular (internal) project reviews and audits for large (starting from 0.5 Mio Euro to multi-million Euro total contract volume) IT systems integration projects and programs as part of my roles. I do not understand what statistics you are looking for here. I can only share my experience.
We reviewed everything, even during project reviews: financials, risks + their financial impact on PM, main contractual obligations of all parties (customer, our part, suppliers), any SLA, penalties, claims, ...
As Kiron pointed out, in some companies it can be a well-established process.