Projects and programs are vitally important to the growth and survival of organizations. They drive the development of new products and services and make it easier for companies to respond to changes in the environment, competitive landscape, and marketplace. In fact, changing business needs often can be satisfied only through the development or upgrade of technology solutions, capital additions, or other initiatives that require projects or programs to implement. Both create value by improving business processes.
Organizations invest large amounts of capital to fund projects, and project teams often are created to manage these efforts. Along with the desired improvement and change, both project and program investments also present a high degree of risk. Consequently, the result of these endeavors can be critical to organizational performance.
Many companies have recognized the need for internal audit involvement as a means of increasing the success of projects and programs. For practitioners, conducting project and program audits offers considerable opportunity to support management and add value to the organization's bottom line. Uncertainty often arises, however, regarding the distinction between a project and a program. In fact, the two terms frequently are used interchangeably, even though there are important differences that distinguish them. Before auditing begins, obtaining clarity on the basic definitions of a project and a program, and what separates the two, is essential. Then, by understanding common pitfalls, audit roles, and recommended practices, auditors can be better prepared to tackle project and program audits and help the organization achieve intended outcomes.
Defining Projects and Programs
Projects can be long or short term, but always constitute temporary undertakings aimed at creating a product, service, or result according to predefined schedule, cost, and quality constraints. Typically, the process involves assembling a temporary project team that works to create a defined output. The project begins when it receives approval and finishes when the output is completed. Examples include building new infrastructure, implementing new business processes, or establishing a new enterprise resource planning system.
Programs comprise a group of related projects coordinated and managed to obtain benefits that would not be realized if managed individually. Typically, programs focus on outcomes — usually a change or improvement — and use project outputs to deliver the benefits the program was designed to achieve. Examples of programs include new product launches, most organizational change initiatives, and most research and development efforts.
In essence, then, projects are intended primarily to deliver solutions or products that enable outcomes to be achieved, whereas programs are aimed at delivering outcomes such as benefits or new capabilities. Moreover, while projects constitute a means of achieving tactical goals, programs are a means of achieving organizational objectives, often in the context of a strategic plan (see "Key Differences Between Projects and Programs" at right for a more detailed comparison).
Nonetheless, projects and programs do share several common elements, including:
- Communication and coordination are critical to both — management needs to be kept informed of project and program status and involved in critical decisions.
- Each project and program is unique — there is no formula or template of practices that can be applied to projects or programs universally.
- The effects of failure are amplified because of the fast-paced, high-cost, high-opportunity environment that typically surrounds any project or program. Moreover, the environment is often politically charged, with high management visibility and intense motivation to control expectations and manage communications.
- Team members often are forced into unfamiliar roles, resulting in inefficiency because new competencies must be developed on the job.
- There is a potential loss of accountability resulting from efforts that often span several years; project and program managers, and even the executive sponsors and original project approvers, might not remain with the organization for the entire process.
Risks and Common Pitfalls
While every project typically has a plan, schedule, and budget, some level of uncertainty and risk always exists, regardless of the circumstances. Projects and programs, in fact, face a variety of risks from both external and internal sources, and performing a risk assessment is a prerequisite for determining how these risks should be managed.
Typical key risks facing projects and programs include underperformance of team members; cost and schedule overruns; and uncertainty regarding design and logistics, objectives and priorities, the basis of estimates, and the fundamental relationships among project parties. Additionally, projects and programs may encounter environmental issues that the organization or project team might not be able to predict or control, such as geopolitical instability, climate-related issues affecting schedule or progress, or the illness or incapacitation of a key project team member.
Creating a risk map can help aggregate and categorize risks across an organization's projects and programs. And while not a definitive or comprehensive representation of all possible risks that may be encountered, the map can serve as a useful guide by providing a broader perspective on the risks that may be applicable to projects and programs (see "Sample Project & Program Risk Map" at right).
Both projects and programs are also subject to numerous pitfalls, regardless of the organization in which they're implemented. Some of the more common pitfalls include:
- Lack or loss of executive support.
- The absence of involvement from key decision-makers.
- Inconsistent vision for attaining project goals.
- A scope that is not clearly defined and managed.
- Insufficient or eroding allocation of business resources.
- A vague sense of time lines and critical path.
- Informal communications and tracking of project risks.
- Informal metrics to measure project success.
- Absence of formal reporting and updates.
Knowledge and Skills
To help the organization address these risks, auditors do not need to possess technical expertise in the projects or programs they audit. Instead, they need to understand the processes used to manage projects and programs successfully. For example, auditors are experts in controls—the assessment of which is frequently part of the audit's objective. Experienced auditors often have worked with a variety of industries and can point out leading practices that might not otherwise be considered. For specialized proficiency, internal auditors commonly work with an external auditor or consultant with expertise in audits of projects and programs.
Another way for auditors to ensure the appropriate skill set is applied to the audit is to establish an integrated audit team, thereby ensuring the project's functional and technical risks are both included in the scope of the review. Collectively, the team should possess business as well as technical skills, and it should become involved in the process as early as possible. Because the financial impact of potential negative issues often increases dramatically as the program and project life cycle progresses, early involvement can help identify issues up front and manage costs effectively.
A Variety of Roles
Unlike their work on traditional cycle audits, internal auditors performing project and program engagements can tailor their role to better establish a value proposition. The IIA's International Standards for the Professional Practice of Internal Auditing(Standards) provides meaningful guidance for the internal audit function on performing audit roles. The internal audit charter, in turn, should include the type and nature of these roles, thus providing the audit department with the ability to perform these types of audits.
The roles from which practitioners can choose include: consultant, valued team member, and traditional practitioner. Depending on the type of project or program under audit, some overlap may exist among the three. Regardless, the nature of work typically falls into two categories:
- Compliance-oriented engagements — verification of approvals, business requirements, project charter, go-live, planning and execution of testing, and U.S. Sarbanes-Oxley Act of 2002-like testing procedures.
- Value-added engagements — focus on determining whether business objectives are achieved on time, within budget, and in alignment with organizational strategy.
The consultant role usually allows for the most flexibility, but it also requires the most knowledge and skill. Clients typically expect consultants to serve as an adviser and to engage in an expert capacity. The scope of work and means of reporting are usually unlimited. Often auditors serve as consultants early in the life of a project or program to help management better focus on its priorities and assist in defining the objectives of the project or program to ensure consistency with organizational strategy. The auditors provide an independent or impartial viewpoint to the project or program. Later on in the life cycle, consultants can help set up the project management office (PMO) or provide expertise in areas where the organization is deficient.
The valued team member role combines solid internal audit skills with the need for business acumen, strong communication, and an understanding of basic project management techniques. To serve in this capacity, the internal auditor needs to obtain complete buy-in from the project management office (PMO). The embedded auditor will have to gain the PMO team's trust to help ensure that his or her input is accepted and that suggestions are implemented. One key strategy for gaining project management's buy-in is to gain familiarity with the issues currently facing the organization and to anticipate future potential issues in control, risk, and governance. The auditors must focus on priorities that matter most to the organization, and they must be prepared to work as part of the PMO team to improve the management of the project or program.
The traditional role is the most common form of audit participation in projects and programs. Examples include evaluating the PMO organization, structure, and planning; assessing the program's charter and mission in relation to organizational requirements; and determining whether appropriate approval has been granted. A traditional audit may also involve evaluating the PMO's diligence, robustness, and reporting to senior sponsors and key stakeholders to determine whether the office is discharging its responsibilities as required.
Audit Scope and Approach
Regardless of the role auditors play in projects and programs, codeveloping the audit scope with management is essential to achieving client buy-in. First, the auditors must agree with management on the organization's objectives. Too many auditors provide a scope that focuses on what the auditor wants to accomplish rather than reflecting the interests of management. After reaching agreement, internal audit must then use its professional judgment, as guided by The IIA'sInternational Standards for the Professional Practice of Internal Auditing, to plan the engagement.
When reviewing projects and programs, auditors should use a structured approach. Several steps should be considered:
- Interviews.Conduct interviews with all levels and stakeholders — executive management, steering committee members, project team members, and end users — to ensure the project and program business needs, requirements, and scope are aligned correctly from initial concept to execution.
- Governance Structure. Review the project and program organizational and governance structure, and determine whether roles and responsibilities have been identified and communicated.
- Documentation Review. Review project and program documentation to ensure the initial design, documentation, and controls are actually being executed and reviewed.
- Risk Assessment. Be sure that controls are designed into the process and systems. Focus on risks with high impact and likelihood.
- Observations. Note and record your preliminary observations; confirm observations before reporting them.
A Valuable Guide
The IIA's GTAG 12: Auditing IT Projects,
while technology focused, serves as a valuable reference even for
non-IT work and highlights five of the most common types of project- and program-related audit approaches or methodologies to consider:
- Project or program risk assessment to gauge likelihood of success.
- Readiness assessment during key phases or prelaunch.
- Post-implementation reviews.
- Audit of a key project phase during the life of the project or program (gateway reviews).
- Overall project and program management methodology assessment.
Resistance from clients is inevitable during the course of project or program work, but it can be minimized. To establish an effective partnership with the project or program team and help ensure audit work proceeds smoothly, internal audit must begin by developing solid relationships with team members and with any other relevant stakeholders.
One of the greatest project/program challenges auditors must overcome is the reluctance some project leaders may have to involve internal audit during the implementation. Managers often do not want to be told that a problem exists while a project or program is underway. Ironically, many of these managers fail to achieve their goals due in part to the lack of oversight and governance that internal audit could offer.
Internal auditors need to explain their roles early on and help define expectations. Effective communication will help generate interest and aid buy‑in among clients, enabling auditors to address potential concerns much more quickly. Finally, auditors should not overlook that most organizations are highly matrixed — for example, departments may have dual reporting relationships to both the operations and finance organizations. While one organization may provide resistance to the auditor, the other may be very supportive.
At the end of the engagement, internal audit will need to issue an audit report that summarizes the auditors' findings and presents recommendations for further project or program development. Internal auditors typically use the conventional report format, presenting the issue, risk, standard, root cause, and recommendation, as well as management's response. This model, whether presented in narrative form or as PowerPoint slides, lends itself to use in traditional audits. For consulting or valued team member engagements, auditors have an opportunity to use more creativity in their reporting and even codevelop the report with management.
Before issuing their report, auditors should carefully gauge key stakeholders' expectations. Some clients seek basic feedback or an assessment conveyed in a memo or a brief presentation; others want internal audit to present a full analysis. If a disconnect exists between the client's wishes and the auditors' approach, the gap must be explored and resolved. Auditors should determine the preferred communication method and format, and deliver feedback accordingly. Agreeing on a reporting approach will lead to a better understanding and acceptance of the results.
Contributing to Success
Project and program audits enhance organizational governance. They help prevent common performance failures and provide learning opportunities to improve management competence. Including projects and programs in the audit risk universe and annual audit plan constitutes a value-added activity, demonstrating the internal audit function's desire to partner with both project and program managers, as well as senior management. More importantly, it illustrates that the internal audit function is focusing on the bigger and broader picture of the organization and its strategy.