BUSINESS RISK SERVICES

Internal Audit and Programme Assurance

By:
Gordon Uba
Programme Management RIA GT
The continued tragic failure rate of Projects requires Internal Audit to be part of the solution and not bystanders.

According to a Gartner report, CEOs want three things: Growth, digitalization and efficiency. Businesses undertake projects to achieve their strategic objectives. However, according to the Standish Group (in the Chaos failure Curve), the failure rate of large-scale projects is an astonishing 42%. This survey is based on over 50,000 recent projects. This number is astounding, even more so because this number relates to projects that are transformational and meant to significantly transform and improve business performance. Depending on the size and nature of the business these projects cost companies hundreds of millions of rands. In many instances, organisations do not derive any value from them when they fail. This is money literally wasted.

These large projects are normally complex, and complexity introduces risk to the business, and risk is Internal Audit’s WORD OF THE CENTURY. With a 42% project failure rate, Internal Audit should be an active participant in the action and not watch from the sidelines waiting for certain audit intervals or stage gates in order to be involved in these projects. Some of these transformational projects present the biggest risk to a business at a point in time. And of course, where there is material risk, Internal Audit need to be present to perform its independent assurance role. This article seeks to highlight the importance of project or programme assurance and to assist Internal Auditors to be better equipped and prepared to perform independent assurance that adds value to the business.

Key Benefits of Project Assurance

Project assurance is the provision of independent assurance over an organisation’s change environment and processes, execution of key projects and their deliverables. Some of the key benefits of project assurance are:

  • Challenging business decisions where they are not aligned with the organisation’s strategy.
  • Provides an objective independent view of the project status.
  •  Real-time feedback on project execution to identify potential delays and challenges.
  •  Early detection of delivery and execution challenges.
  • Review of the “To-be business” or IT processes prior to implementation. This assists the organisation in protecting the living environment.
  • Identification and resolution of control design weaknesses before they are implemented.
  • Assessing and improving the organisation’s execution capability and management of execution risk.
  • Increased focus and accountability to business benefits.
  • Increasing accountability of projects.
  • Improve the benefit realization of the projects.

How can Internal Audit support the achievement of project objectives through Project Assurance? 

Internal Auditors are well placed to perform independent project governance assurance on projects because of their business knowledge. As a result, they can challenge the business case with the documented benefits to be achieved. They also should have insights into the organisation's risk universe and posture which may assist in proactively identifying projects that may introduce significant risk to the organisation. We have highlighted below, some areas Internal Auditors can consider focusing on to increase their project assurance value. 

a.      Challenge Risk Universe 

Projects are undertaken at a point in time, and thus the risks associated with these projects might not have been considered and included in the risk universe normally reviewed periodically. This could render the risk universe incomplete or inaccurate. Internal Auditors must continuously challenge the risk universe not only because of the possible undertaking of new projects but also because Organisations risk posture keeps changing as the business responds to market conditions, applies agility to operations, explores innovative ideas and is challenged by internal or external factors! New risks are emerging, business strategies are evolving, and organisations are experimenting with Technology. Changes to the risk universe may influence Internal Auditors to reconsider the focus areas in the Internal Audit Plan. 

b.     Adopting Agile Audit Planning Approach

The traditional approach of developing an Internal Audit plan over a few weeks, eventually leading to a detailed locked down and extensive 12-month audit plan is no longer the most effective approach because of the potential changes to an Organisation’s risk posture during a 12-month period. Internal Audit departments that have fixed/ locked down 12-month plans should seriously reconsider it. In the current environment, Internal Audit plans should be flexible, agile and responsive to material changes to an Organisation’s risk posture. 

Once you have an agile plan in place, consider having a standard line item on the plan for project assurance reviews. This will ensure that you always stay abreast of ongoing or upcoming projects. These hours can be scaled up or down depending on the project activities on the go. 

c.      Early involvement in projects

Business receives the biggest value from Internal Audit when they are considered business partners. Thus, a business partner needs to be in the “room” when potential key projects are to be undertaken. This will enable Internal Audit to have a bigger picture view of why a project is undertaken and what are the real business objectives. 

We have seen too many times when assurance is performed way too late in the project to make a meaningful impact. For example, even though a post-implementation review is important, it has less value if Internal Audit has not been part of the project during planning and delivery stage. The timing of reviewing certain project artefacts is critical. For example, there is more value in reviewing the business case during its development than reviewing it at post-implementation. Internal Auditors can challenge and influence the business case when it is reviewed timely which can lead to significant savings for an organisation.

d.     Almost Real-Time Feedback

Internal Auditors need to have standing invites and be key participants in the governance forums of these key projects. Risks and issues identified by Internal Audit should be raised on a real-time basis here.

Traditional Internal Audit reports take time to be issued as they go through a number of iterations and stakeholders for commentary. However, for project assurance to be effective the turnaround time from drafting to issuing a report should be shorter and almost real-time. Internal Auditors should consider shorter and dashboard-like reports that can be drafted and finalised much quicker than traditional reports.

e.      Exercising Due Professional Care

Internal Audit departments need to have the right people performing project assurance reviews. Modern Internal Audit departments have a diverse set of skills and they may not need to outsource. However, where there is a skills shortage within the department, the skills will need to be imported to provide value add assurance. For example, an IT Auditor cannot assess data migration strategies, plans and activities for a project as these are specialist areas. Internal Audit should consider co-sourcing experts in respect of technology skills to provide a comprehensive solution

Due to the failure rate of projects, Project Managers continuously try different delivery methods and strategies, thus Internal Auditors need to stay abreast of the global trends and delivery methods best suited for certain projects to provide valuable assurance. Internal Auditors need to learn and speak the project management “lingo”, it goes a long way in developing credibility with the project managers. Trust us, we have done this for years and on large and complex projects. 

Conclusion

The failure rate on projects necessitates a change in the way projects are being planned and delivered by organisations. The importance of Assurance in projects is growing and Internal Auditors cannot be left behind or on the sidelines. We need to be in the thick of things to assist projects to achieve their objectives by providing value add, real-time feedback to the delivery teams and importantly business stakeholders. As assurance providers we need to be bold and call out risks and issues as we identify them without fear or favor. Remember that the end product of a successful and effective project assurance is not the amount of findings raised but the achievement of project objectives.