The Idea: I try to feature one idea in each blog post, but this time I'm going to go for two:
- First idea: Internal auditors can improve the likelihood of large program success.
- Second idea: Never miss an opportunity to capitalize on a failure.
The Execution: "IT systems development project failures are expensive, with an estimated cost to the world economy of US $6.2 trillion annually. This is not surprising given the dismal success rates — only 32 percent of major systems development projects are reported as completed successfully. It doesn't have to be this way!" No, this quote was not ripped from the headlines — it's from The IIA Research Foundation's (IIARF's) Systems Development Projects: How Internal Auditors Can Improve Success Rates.
Internal audit departments are increasingly getting involved in "large programs" (I define these as strategically vital programs designed to unleash new capabilities within a company, typically enabled by large-scale IT implementations). Because large programs are both strategically important and involve a significant outlay of resources (dollars, people, time/focus), they carry with them significant risks. Risks can occur anywhere in the process, from project inception (soundness of the business case) to project implementation (rigor of the governance process; excellent execution of project management techniques; attention to financial stewardship), to handover to the business (moving from incubation to steady state, at scale).
Internal auditors play a role in large program governance by providing their perspective to project steering committees and executive management on how project risks are being mitigated as the work unfolds — in flight — rather than solely through postmortems after the project has been implemented. Some departments call this a project health check, others do pre-implementation reviews, and many are partially involved through testing around system development life cycle controls for Sarbanes-Oxley. If your department is new to this, the IIARF's book referred to above is a great place to start. It identifies the factors really critical to ultimate project success that internal auditors can assess.
So, once you've decided to engage in these projects, how do you convince the project team and its stakeholders that this is a role internal audit can play? This is where "never fail to capitalize on a failure" comes in. Now that the United States is being educated daily on the catastrophic risks of large program failure, you've got the perfect example to showcase how internal audit can help. I bet there are a lot of folks who would've liked to have heard an objective point of view on how the healthcare.gov website project was going before go-live!