Project Management

How have you seen Internal Audit impact, participate or be used as a tool in your Projects?

Drake Morse Manager, Programme Leadership| Deloitte Consulting B.V. Nova Scotia, Canada
Recently had many discussions in the region with PMs and Internal Auditors on how Internal Audit has been engaged or impacted projects. Looking to see if perhaps you agree with the following:

https://www.linkedin.com/pulse/internal-au...e?trk=prof-post

Honestly, it's been difficult, but I have started a culture shift in some IA shops on how they address and "Audit / Assess" projects in their organization. Wondering if you have any thoughts or perhaps can note other ways Internal Audit could support / assess projects outside the typical Audit Opinion area.
Stéphane Parent Self Employed / Semi-retired| Leader Maker Prince Edward Island, Canada
Having managed mostly software development projects, I find there is usually little to no incentive to do QA activities such as audits. There is so much involved at the QC end, especially testing, that there is a lack of appetite for audits.
Sergio Luis Conte Helping to create solutions for everyone| Worldwide based Organizations Buenos Aires, Argentina
I have been on both sides of the desk: I have been audited and I have been performing audits. What I saw in most of the cases is the auditor performing as a police woman/man instead of performing as a person who is helping people to facilitate their daily work. Most of the auditors behave like they are searching for somebody guilty of not following the process.
Scott Sale Program Manager| Kindred Louisville, Ky, United States
This is an interesting article and insight that can certainly raise debate. I too have been in both shoes as I am a former CISA (non-practicing) and PMP. Having audited (and been audited) on everything from the old SAS70, SSAE16, SOX and HIPAA, I feel that I can speak on this subject.

Internal Audits both help and create chaos as they are 99% of the time a PiT audit as described. 99% of the time the auditor is in no way a Project Management Expert. In addition, 99% of the time an audit is "reactive" to the "proactive". The auditor and audit committee is there to make sure process is followed is based off of a framework such as COSO or COBIT. As stated in the framework, there needs to be a Project methodology that is documented and those documented steps need to be followed. The auditor is looking for evidence the controls are in place and they provide "reasonable assurance".

The auditor will then fill out the audit report and provide the information back to the audit committee. This is all based off of a Point in time and did the team provide the evidence "it was doing what it said it was doing".

Having been on audit and compliance committees along with leading a PMO, it is rare in my opinion an internal audit will help the overall strategy from a PMO and Portfolio standpoint.

The audit reports will typically have the following:

Control: Tollgate to move from Planning to Execution
Evidence: Meeting held with board. Provide meeting notes.
Opinion: Met reasonable assurance.
Recommendation: Develop a meeting template or communication plan as the accounting director was not able to attend.

99% of the time these reports will raise chaos and look at the Micro vs. the Macro. This will then have the trickle-down effect and typically cause work to be done for work's sake. It will take the efficiency out of an already working process.

The other side of the argument is for companies that have a 0 or 1 on the COBIT maturity model. The audit can be a good thing as it will raise awareness of serious process issues or lack thereof of processes. This is the smaller percentage.

Overall, my thought is the PMO should perform self-audits (internal control) and look at the overall completion rate, time to implement and time to completion based off of project metrics.

Let the auditors audit the compliance and security regulation to look for gaps or serious deficiencies. Let the project professionals perform the recommendations based off of industry knowledge.
Kgobalale John Malatji Projects Portfolio Manager | Noko-imp Johannesburg, Gauteng, South Africa
Aug 03, 2016 10:07 AM
Replying to Sergio Luis Conte
The shortfall of auditing is that auditors usually work with a check-sheet and an assumption that all the project activities and processes will fit in the blocks on the check-sheet.
If company procedures do not cater for a particular process or activity and the Project Team does what is rational or very well acceptable in the PM world, an inexperienced Auditor will record it as a non-conformance finding.

However, it is still essential to conduct audits to keep the project practitioners aligned to company procedures and structures and to review the relevance of the procedures.

A Project Manager who knows the company procedures will proactively raise a Concession Request whenever he/she has to deviate from the procedures or processes. This in turn helps to mature company procedures and processes because the procedures and processes which are always bypassed or set aside with Concession Requests should be amended.
Sergio Luis Conte Helping to create solutions for everyone| Worldwide based Organizations Buenos Aires, Argentina
The auditor must not be an expert in the field. In fact, it is better when she/he is not an expert. BUT here is the problem, because to follow that basic principle the auditor has to have a checklist and for each item a space to take note about process improvement. And when you see the auditors you can see that most of the time the checklist is not there. I have been working with this, including being painfully involved when the COBiT and COSO crazy world arrived (please, I am not saying that both are not great tools and are necessary). I think the world needs to learn about audit (which is in the field of quality assurance) when it is performed in some domains like manufacturing.
Drake Morse Manager, Programme Leadership| Deloitte Consulting B.V. Nova Scotia, Canada
It seems that you are all very familiar with the assurance arm of audit where they use a simple checklist rather than the Risk Based method of auditing.
Scott Sale Program Manager| Kindred Louisville, Ky, United States
Aug 03, 2016 3:44 PM
Replying to Drake Morse
When performing SSAE16, SOX and now ISO is risk-based thinking. The checklists come from the established internal controls that are set in place. The risk assessment is based off of the "acceptable" level of risk. What types of controls are in place going from weak to strong is still based off of the auditor's opinion based on subject matter knowledge.

This is a good conversation as I am interested in how an internal audit using the risk methodology would help change the perception of the "checklist".
Sergio Luis Conte Helping to create solutions for everyone| Worldwide based Organizations Buenos Aires, Argentina
Agree with Scott. All you create to perform the risk assessment is based on risk thinking. So risk is implicitly addressed inside the audit materials and mainly, as Scott said, in control definitions. And when I am talking about risk (and I think Scott has the same line of thinking) I am referring to organizational/business risk.
