Help! Your Project has been Selected for an Audit - What Now? Joy Gumz, CPA, CISA, PMP Project Auditors LLC Session Number SIP18 Presentation given at the PMI EMEA Global Congress Madrid, Spain 2006


Project audit: Presentation about auditing project management with Case study view. Presentation given at PMI EMEA Congress 2006 by Project Auditors LLC.

Page 2: Your project selected_for_audit_sip18_project_auditors

Objectives
•  Three primary objectives
   –  Understand the processes in a project audit
   –  Know the key areas on which auditors often focus
   –  Be better prepared to respond to auditor requests
•  Eliminate the Fear Factor!

Page 3: Your project selected_for_audit_sip18_project_auditors

About Project Auditors LLC
•  Professional consulting and auditing firm
   –  Professionals certified in accounting, audit & PM
•  Experts in project controls: preventative & detective
•  Providing auditing, assessments and reviews
   –  Construction & Engineering Projects
   –  Oil & Gas Projects
   –  ICT (Information Communications Technology)

Page 4: Your project selected_for_audit_sip18_project_auditors

A few clients

See more at our website: http://www.projectauditors.com

Page 5: Your project selected_for_audit_sip18_project_auditors

Format
•  Terms
•  Process
•  Focus Areas
•  Case Study
   –  Allow participants to see what happens by participating in a mock audit scenario
•  Q & A

Page 6: Your project selected_for_audit_sip18_project_auditors

About the Session Attendees
•  Any auditors in the audience?
•  Has anyone been on a project that has been audited?
•  Is there anyone who thinks they might be audited in the future?

Page 7: Your project selected_for_audit_sip18_project_auditors

“Bare bones” of an auditor

No heart - not essential

Large cheek for keeping tongue in

Strong teeth for getting into things

No bowels to get in an uproar

Hard neck & thick spine

Chest for keeping things close to

Umbrella for self-defence

No shoes - enables walking on thin ice and faster getaways

No knickers to get in a twist

Large knees to handle weight of carrying audit work papers

Audit Department issued laptop

Hat for keeping things under (UK)

Page 8: Your project selected_for_audit_sip18_project_auditors

Learning the Language
•  COSO* – Internal Controls Framework

Monitoring

Controls Activities

Risk Assessment

Control Environment

*COSO - Committee of Sponsoring Organizations

Page 9: Your project selected_for_audit_sip18_project_auditors

Learning the Language
•  Auditors tend to be process-oriented
   –  Methodology
   –  Policies and Procedures
   –  Standards
   –  “Best practice”
•  PM implications
   –  Show that you follow well-defined processes or have an approved variance

Page 10: Your project selected_for_audit_sip18_project_auditors

Learning the Language
•  Controls activities
   –  Actions supported by policies and procedures that help assure management directives to address risk are carried out properly and on a timely basis
•  PM implications
   –  Risk management plan

Page 11: Your project selected_for_audit_sip18_project_auditors

Learning the Language
•  COBiT Framework
   –  Information Technology (IT) specific
      •  Control Objectives for Information and related Technology
      •  Developed by the IT Governance Institute
      •  Framework to evaluate IT Operations and Projects
•  PM implications
   –  IT – Is COBiT being followed?
   –  Non IT – what standards apply?
   –  Quality Management Plan

Page 12: Your project selected_for_audit_sip18_project_auditors

Learning the Language
•  Controls self-assessment
   –  Questionnaire to elicit data about controls, risks, and processes
   –  Given to selected individuals by the auditors
   –  Completed by individuals involved in the organisation’s operations, rather than by the auditor
   –  Responses compiled by the auditors
   –  Used to determine higher risk areas on which auditor will spend more time
•  PM implications
   –  Time for team/stakeholders to complete

Page 13: Your project selected_for_audit_sip18_project_auditors

Learning the Language
•  Audit Program
   –  Defines scope and objectives of an audit
   –  Defines steps and procedures auditors expect to conduct
•  PM implications
   –  If copy available to PM, transparency is increased
   –  If possible, obtain a copy

On the other hand, their audit procedures are impeccable

Page 14: Your project selected_for_audit_sip18_project_auditors

Learning the Language
•  Finding / issue / audit point
   –  A conclusion related to an auditor's examination which identifies problems and provides recommendations for corrective action
   –  Auditor will generally discuss with PM and document PM’s response
   –  Often quantified by risk: high, medium, low
•  PM implications
   –  Does the auditor have the full story, e.g. have mitigating actions been taken?
   –  Is risk representation accurate?

Page 15: Your project selected_for_audit_sip18_project_auditors

Learning the Language
•  Work papers
   –  Indexed and cross-referenced documentation of the audit procedures
   –  To be in compliance with generally accepted audit standards, must be reviewed and approved by a second auditor
   –  Part of the auditors’ internal deliverables, but not generally shared
   –  Clear, convincing, complete, accurate, objective and concise

Page 16: Your project selected_for_audit_sip18_project_auditors

Learning the Language
•  Audit Report
   –  Deliverable of the auditors
   –  Draft and Final versions
   –  Parts
      •  Background
      •  Scope and objectives
      •  Opinion
      •  Findings and recommendations
•  PM implications
   –  Does opinion express confidence?
   –  Is rating color coded – red, yellow, green?

Page 17: Your project selected_for_audit_sip18_project_auditors

Audit Process
•  Steps 1 through 4

Page 18: Your project selected_for_audit_sip18_project_auditors

Audit Process Steps 5 - 9
•  Field work
•  Draft report of findings and recommendations, and an opinion
•  Closing conference
•  Final report issued including management’s response
•  Action plan and follow-up

Page 19: Your project selected_for_audit_sip18_project_auditors

PM Implications
•  Who can I delegate to respond to documentation requests?
•  How should I communicate the audit to my team and other stakeholders?
•  How much time should my staff plan for interviews and questions?
•  Who should I have at the opening conference? The closing conference?
•  How often should I meet with the lead auditor?
•  The number/severity of findings can make for a time-consuming action plan

Page 20: Your project selected_for_audit_sip18_project_auditors

Case Study - Background
•  Organisation
   –  International Fund for Agricultural Development (IFAD)
      •  A United Nations organisation
      •  Mission

Page 21: Your project selected_for_audit_sip18_project_auditors

Case Study - Background
•  Project
   –  Strategic Change Programme
   –  Initiated in 2000
   –  Goal
      •  Achieve efficiency gains for basic processes
   –  Scope – integrate its financial and human resource systems
      •  Software: Peoplesoft Human Resources and Financials
      •  Old software
         –  Peoplesoft Financials – customised
         –  Bespoke loan system programmed by consultants
         –  Mainframe-based Millennium personnel/payroll system

Page 22: Your project selected_for_audit_sip18_project_auditors

Case Study - Background
•  Integrator
   –  Major consulting firm “ABCD”
   –  Fixed price contract
      •  Contained clause for a project audit
         –  At management discretion
         –  Full cooperation by integrator was mandatory

Page 23: Your project selected_for_audit_sip18_project_auditors

Case Study - Profile
•  Challenges
   –  Aggressive timetable
   –  Aggressive scope
   –  Integrator did not have much experience in certain Peoplesoft functional areas
   –  Critical loan system
      •  Originally planned to be in Peoplesoft
      •  Integrator was now unsure and did not have a path forward

Page 24: Your project selected_for_audit_sip18_project_auditors

Case Study - Profile
•  Independent audit contracted
   –  Objectives
      •  Comprehensive review of program – focus areas:
         –  Programme planning and monitoring
         –  Risk and issues management
         –  Testing
         –  Data migration
         –  Integration issues
         –  Communication
         –  Training and change management
         –  Contract performance
   –  Scope
      •  Entire Strategic Change Programme since inception

Page 25: Your project selected_for_audit_sip18_project_auditors

Case Study – Process Overview
•  Four reviews over 12 months plus
   –  Opening conference
   –  Onsite review of documentation
   –  Interviews of IFAD staff and ABCD resources
   –  Observations of project activities, e.g. testing, training, meetings
   –  Standards – IEEE
      •  Software Quality Assurance Planning
      •  Software Project Management Plans
      •  Software Testing
•  Draft report with opinion, findings and recommendations
•  Subsequent reviews analysed degree of action taken

Page 26: Your project selected_for_audit_sip18_project_auditors

Case Study – Results
•  Recalibration of program
   –  Implementation partner relationship terminated and amicable withdrawal arranged
   –  New programme structure established
   –  Remaining work replanned in two phases
•  Goals achieved
   –  Loan system remained outstanding

Page 27: Your project selected_for_audit_sip18_project_auditors

Areas on which Auditors May Focus
•  Project governance
•  Standards and organisation policies
   –  Deviations from standards
      •  Internal standards, recognized bodies
   –  Variance process
•  Management of
   –  Risk
   –  Changes
   –  Issues

Page 28: Your project selected_for_audit_sip18_project_auditors

Areas on which Auditors May Focus
•  Signoffs
   –  Deliverables
•  Business case
   –  Is it reasonable?
   –  Has it been approved?
•  Security
   –  What steps to ensure proper design, approval, test, implementation
   –  Process to ensure right people have right access
   –  Separation of duties
•  Regulatory/compliance

Page 29: Your project selected_for_audit_sip18_project_auditors

Mock Audit Scenario 1
•  Assume you are the project manager being audited.
•  The project has been ongoing for 9 months.
•  An auditor has sent you an email with a schedule of planned dates for an audit.
•  It shows the field work will begin during the user acceptance period.
•  The go-live date is planned before the draft report is completed.
•  What do you do first?

Page 30: Your project selected_for_audit_sip18_project_auditors

Mock Audit Scenario 1
A) Tell the sponsor that the auditors are being unreasonable
B) Review the project plan and see how your team will be impacted
C) Call the auditor to determine whether the dates are “hard” or negotiable
D) Put your CV together

Page 31: Your project selected_for_audit_sip18_project_auditors

Mock Audit Scenario 2
•  The auditor has emailed you a request for a number of documents. You know that this is just the first of several requests the auditors will have.
•  What do you do?

Page 32: Your project selected_for_audit_sip18_project_auditors

Mock Audit Scenario 2
A) Stay late and send as many documents as you can
B) Email the auditor that you will send the documents when you get around to it
C) Call a team meeting to discuss the additional workload and how tasks will be assigned
D) Ask the auditor why these documents are needed

Page 33: Your project selected_for_audit_sip18_project_auditors

Mock Audit Scenario 3
•  The auditor is meeting with you daily at 4:30 pm to review any possible audit points with you.
•  You are certain one deliverable will be a “hot button”. The deliverable has already been approved. It has 6 sections.
•  The methodology states there should be 9. You discussed this with the Chief Information Officer and he agreed with your approach for this project in an email he sent to you.
•  Sure enough, in the 4:30 pm meeting, the auditor asks you why the deliverable doesn’t follow the methodology.
•  What do you say?

Page 34: Your project selected_for_audit_sip18_project_auditors

Mock Audit Scenario 3
A) Explain the methodology is optional
B) State that as long as the deliverable is approved, it doesn’t matter whether the methodology is followed
C) Ask whether the auditor expects the methodology will always be followed
D) Explain that a written variance has been signed by the CIO allowing for 6 rather than 9 sections in this deliverable

Page 35: Your project selected_for_audit_sip18_project_auditors

Summary
•  When they audit you, auditors are following a process
•  You need to
   –  Know the language
   –  Understand the process
   –  Negotiate appropriately
   –  Communicate!

Page 36: Your project selected_for_audit_sip18_project_auditors

Questions?

Page 37: Your project selected_for_audit_sip18_project_auditors

Contact Information
•  Joy Gumz / Project Auditors LLC

•  Phone: +001 949 452 0578

•  Email: [email protected]

•  Session #SIP18