Project audit: Presentation about auditing project management with Case study view. Presentation given at PMI EMEA Congress 2006 by Project Auditors LLC.
Help! Your Project has been Selected for an Audit - What Now?
Joy Gumz, CPA, CISA, PMP Project Auditors LLC
Session Number SIP18
Presentation given at the PMI EMEA Global Congress Madrid, Spain 2006
Objectives
• Three primary objectives
  – Understand the processes in a project audit
  – Know the key areas on which auditors often focus
  – Be better prepared to respond to auditor requests
• Eliminate the Fear Factor!
About Project Auditors LLC
• Professional consulting and auditing firm
  – Professionals certified in accounting, audit & PM
• Experts in project controls: preventative & detective
• Providing auditing, assessments and reviews
  – Construction & Engineering Projects
  – Oil & Gas Projects
  – ICT (Information Communications Technology)
A few clients
See more at our website: http://www.projectauditors.com
Format
• Terms
• Process
• Focus Areas
• Case Study
  – Allow participants to see what happens by participating in a mock audit scenario
• Q & A
About the Session Attendees
• Any auditors in the audience?
• Has anyone been on a project that has been audited?
• Is there anyone who thinks they might be audited in the future?
“Bare bones” of an auditor
No heart - not essential
Large cheek for keeping tongue in
Strong teeth for getting into things
No bowels to get in an uproar
Hard neck & thick spine
Chest for keeping things close to
Umbrella for self-defence
No shoes - enables walking on thin ice and faster getaways
No knickers to get in a twist
Large knees to handle weight of carrying audit work papers
Audit Department issued laptop
Hat for keeping things under (UK)
Learning the Language
• COSO* – Internal Controls Framework
Monitoring
Controls Activities
Risk Assessment
Control Environment
*COSO - Committee of Sponsoring Organizations
Learning the Language
• Auditors tend to be process-oriented
  – Methodology
  – Policies and Procedures
  – Standards
  – “Best practice”
• PM implications
  – Show that you follow well-defined processes or have an approved variance
Learning the Language
• Controls activities
  – Actions supported by policies and procedures that help assure management directives to address risk are carried out properly and on a timely basis
• PM implications
  – Risk management plan
Learning the Language
• COBiT Framework
  – Information Technology (IT) specific
    • Control Objectives for Information and related Technology
    • Developed by the IT Governance Institute
    • Framework to evaluate IT Operations and Projects
• PM implications
  – IT - Is COBiT being followed?
  – Non IT – what standards apply?
  – Quality Management Plan
Learning the Language
• Controls self-assessment
  – Questionnaire to elicit data about controls, risks, and processes
  – Given to selected individuals by the auditors
  – Completed by individuals involved in the organisation’s operations, rather than by the auditor
  – Responses compiled by the auditors
  – Used to determine higher risk areas on which auditor will spend more time
• PM implications
  – Time for team/stakeholders to complete
Learning the Language
• Audit Program
  – Defines scope and objectives of an audit
  – Defines steps and procedures auditors expect to conduct
• PM implications
  – If copy available to PM, transparency is increased
  – If possible, obtain a copy
On the other hand, their audit procedures are impeccable
Learning the Language
• Finding / issue / audit point
  – A conclusion related to an auditor's examination which identifies problems and provides recommendations for corrective action
  – Auditor will generally discuss with PM and document PM’s response
  – Often quantified by risk: high, medium, low
• PM implications
  – Does the auditor have the full story, e.g. have mitigating actions been taken?
  – Is risk representation accurate?
Learning the Language
• Work papers
  – Indexed and cross-referenced documentation of the audit procedures
  – To be in compliance with generally accepted audit standards, must be reviewed and approved by a second auditor
  – Part of the auditors’ internal deliverables, but not generally shared
  – Clear, convincing, complete, accurate, objective and concise
Learning the Language
• Audit Report
  – Deliverable of the auditors
  – Draft and Final versions
  – Parts
    • Background
    • Scope and objectives
    • Opinion
    • Findings and recommendations
• PM implications
  – Does opinion express confidence?
  – Is rating color coded – red, yellow, green?
Audit Process
• Steps 1 through 4
Audit Process Steps 5 - 9
• Field work
• Draft report of findings and recommendations, and an opinion
• Closing conference
• Final report issued including management’s response
• Action plan and follow-up
PM Implications
• Who can I delegate to respond to documentation requests?
• How should I communicate the audit to my team and other stakeholders?
• How much time should my staff plan for interviews and questions?
• Who should I have at the opening conference? The closing conference?
• How often should I meet with the lead auditor?
• The number/severity of findings can make for a time-consuming action plan
Case Study - Background
• Organisation
  – International Fund for Agricultural Development (IFAD)
    • A United Nations organisation
• Mission
Case Study - Background
• Project
  – Strategic Change Programme
  – Initiated in 2000
  – Goal
    • Achieve efficiency gains for basic processes
  – Scope – integrate its financial and human resource systems
    • Software: Peoplesoft Human Resources and Financials
    • Old software
      – Peoplesoft Financials – customised
      – Bespoke loan system programmed by consultants
      – Mainframe-based Millennium personnel/payroll system
Case Study - Background
• Integrator
  – Major consulting firm “ABCD”
  – Fixed price contract
    • Contained clause for a project audit
      – At management discretion
      – Full cooperation by integrator was mandatory
Case Study - Profile
• Challenges
  – Aggressive timetable
  – Aggressive scope
  – Integrator did not have much experience in certain Peoplesoft functional areas
  – Critical loan system
    • Originally planned to be in Peoplesoft
    • Integrator was now unsure and did not have a path forward
Case Study - Profile
• Independent audit contracted
  – Objectives
    • Comprehensive review of program – focus areas:
      – Programme planning and monitoring
      – Risk and issues management
      – Testing
      – Data migration
      – Integration issues
      – Communication
      – Training and change management
      – Contract performance
  – Scope
    • Entire Strategic Change Programme since inception
Case Study – Process Overview
• Four reviews over 12 months plus
  – Opening conference
  – Onsite review of documentation
  – Interviews of IFAD staff and ABCD resources
  – Observations of project activities, e.g. testing, training, meetings
  – Standards – IEEE
    • Software Quality Assurance Planning
    • Software Project Management Plans
    • Software Testing
• Draft report with opinion, findings and recommendations
• Subsequent reviews analysed degree of action taken
Case Study – Results
• Recalibration of program
  – Implementation partner relationship terminated and amicable withdrawal arranged
  – New programme structure established
  – Remaining work replanned in two phases
• Goals achieved
  – Loan system remained outstanding
Areas on which Auditors May Focus
• Project governance
• Standards and organisation policies
  – Deviations from standards
    • Internal standards, recognized bodies
  – Variance process
• Management of
  – Risk
  – Changes
  – Issues
Areas on which Auditors May Focus
• Signoffs
  – Deliverables
• Business case
  – Is it reasonable?
  – Has it been approved?
• Security
  – What steps to ensure proper design, approval, test, implementation
  – Process to ensure right people have right access
  – Separation of duties
• Regulatory/compliance
Mock Audit Scenario 1
• Assume you are the project manager being audited.
• The project has been ongoing for 9 months.
• An auditor has sent you an email with a schedule of planned dates for an audit.
• It shows the field work will begin during the user acceptance period.
• The go-live date is planned before the draft report is completed.
• What do you do first?
Mock Audit Scenario 1
A) Tell the sponsor that the auditors are being unreasonable
B) Review the project plan and see how your team will be impacted
C) Call the auditor to determine whether the dates are “hard” or negotiable
D) Put your CV together
Mock Audit Scenario 2
• The auditor has emailed you a request for a number of documents. You know that this is just the first of several requests the auditors will have.
• What do you do?
Mock Audit Scenario 2
A) Stay late and send as many documents as you can
B) Email the auditor that you will send the documents when you get around to it
C) Call a team meeting to discuss the additional workload and how tasks will be assigned
D) Ask the auditor why these documents are needed
Mock Audit Scenario 3
• The auditor is meeting with you daily at 4:30 pm to review any possible audit points with you.
• You are certain one deliverable will be a “hot button”. The deliverable has already been approved. It has 6 sections.
• The methodology states there should be 9. You discussed this with the Chief Information Officer and he agreed with your approach for this project in an email he sent to you.
• Sure enough, in the 4:30 pm meeting, the auditor asks you why the deliverable doesn’t follow the methodology.
• What do you say?
Mock Audit Scenario 3
A) Explain the methodology is optional
B) State that as long as the deliverable is approved, it doesn’t matter whether the methodology is followed
C) Ask whether the auditor expects the methodology will always be followed
D) Explain that a written variance has been signed by the CIO allowing for 6 rather than 9 sections in this deliverable
Summary
• When they audit you, auditors are following a process
• You need to
  – Know the language
  – Understand the process
  – Negotiate appropriately
  – Communicate!
Questions?
Contact Information
• Joy Gumz / Project Auditors LLC
• Phone: +001 949 452 0578
• Email: [email protected]
• Session #SIP18