I am creating a checklist for doing risk based audits for my projects, any ideas on what i should put on this list?
any feedback will be appreciated. Saving Changes...
Risks vary by project type and audits also vary by their function. You could create a risk breakdown structure to organize your risks by categories, and then characterize each category to determine which would merit audits. That will provide you a list of common attributes (safety, schedule, cost, supplier, etc.) that might fit into a checklist. Saving Changes...
There are two questions to answer when doing project audits:
1. Which projects you'd want to sample to do an audit? This assumes you are responsible for the audit of an overall portfolio and hence would want to take a risk-based approach to selecting projects.
2. What control objectives are you hoping are being met by the projects?
Once you have the answers to those questions, you can create questionnaires or similar tools to seek evidence for #2 for the projects falling into #1.
Risk audit themes may be external considerations, such as economic factors, industry competition, the current legislative and regulatory environment, and other variables including the organization’s information security environment.
For internal considerations, you can include: current internal environment, with topics such as the current financial condition of the organization, policies and procedures, the existing internal control structure, staffing levels of employees, and the results of prior audits.
Additionally, consider that risk themes for an audit may vary significantly according to the industry or type of organization. Saving Changes...
Peter RapinSubject Matter Expect; Project Delivery| Independent ConsultantOntario, Canada
Typical audits are process-based - where the appropriate processes applied in delivering the project? By creating a checklist for a risk-based audit you are making it a process-based audit - a check list is a process. The audit becomes - did you follow a preset requirement as defined by the checklist?
You may want to consider starting with a risk analysis identifying and prioritizing potential risks and how these were managed during implementation.
1st risk: cost overrun; was it identified? Were mitigation measured implemented? Were they successful? What could have been done better?
2nd risk: time overrun; etc Saving Changes...
Thomas WalentaGlobal Project Economy ExpertHackenheim, Germany
Hi Carolin,
at IBM we used a comprehensive risk list that was build from lessons learned, especially from troubled projects. Every project closure resulted in feedback to that list.
BTW, while we had audits, this risk list could easily used as a self-assessment.
For project audits, I used IBM's 7 keys to get a quick look at the most relevant aspects of (any) project. This could also be used as a starting point for a risk list.
Dear Carolina, my main recommendation is to prevent that risk becomes an issue, assure that risk mitigation actions are reflected on the procedures to be audited. Saving Changes...
