Be prepared for a postproject audit

Perhaps every project you work on won't be the subject of an audit, but it doesn't hurt to plan for one. Save your documentation and keep in mind these areas of an IT project that an auditor will most likely examine.

Each week, project management veteran Tom Mochal provides valuable advice about how to plan and manage projects. Tom first describes a common problem scenario, based on a real-life situation. He then offers a solution, using practical project management practices and techniques.

The dilemma
I was pleasantly surprised to receive a call from Mary. She had completed a project almost six months ago for the finance division to help it allocate IT costs back to the business department. My first assumption was that she had been assigned to a new project, but Mary had something else on her mind. It turned out that old project wasn’t quite buried yet. She and I met that afternoon.

Mary started off a little nervously. “I received a call from the finance director yesterday. She said that our outside auditing firm wanted to perform an audit of my cost allocation project. She assured me that this was just standard procedure, but I must say I’m a little uncomfortable.”

“You probably shouldn’t be too nervous,” I assured her. “It’s not uncommon for the auditing firm to look at changes made to the finance environment. In fact, every quarter, they make it a point to look at finance-related initiatives. Sometimes that involves IT projects like yours.”

“Have you been to one of them before?” Mary asked.

“Yes,” I said. “A few years ago, I ran a finance project and had the pleasure of discussing it with the auditors.”

We talked for a few minutes about why the finance department always insists on saving all its project documentation for one year. Its reasoning is that “you never know when a project might get pulled out for an audit.”

“We like to think of our projects as IT-related,” I continued. “But there are usually business components to the entire initiative. The auditors will look at the IT work as one component. My guess is that you’ll be just one of a number of people that they will talk to.”

Mary then asked me the questions most on her mind. “What will they be looking for?” she asked. “How will I know if I passed or not?”

“The object of the audit isn’t really to pass or fail,” I noted. “The purpose is just to explain what you did and why.”

Mentor advice
Almost all companies have independent auditors that provide an outside, “unbiased” opinion of how the company operates. Although the auditors can look at many aspects of your company, they will focus on your financial processes and accounting practices in particular. Part of the audit may involve a review of certain projects that were completed or are in progress.

Usually the people who get audited have advance warning, or they know that there is a probability that they will be audited. This allows them to save documentation that might otherwise be thrown out as a normal part of project closeout.

The external auditors are performing a quality assurance role. They want to make sure that the processes you use on the project are sound and verifiable. For example, if you don’t have a good testing process to validate your results, you’re at risk of quality problems on any project. If the project also affects your company’s financial records, you’re really asking for trouble.

Generally, the major areas of focus on a project audit should be:
  • The planning process. This is a review of the project definition and project workplan documents.
  • Requirements and analysis. The auditors will review your analysis and ask who participated, who provided requirements, and who approved them.
  • Testing and validation. This is especially scrutinized on financial projects. Auditors will want to examine your test plan to determine how you tested. Then they’ll probably want to spot-check your testing results, including any listings, queries, and before-and-after file images.
  • Overall quality management. Testing is a piece of this, but the auditors might ask about any quality plan you prepared. If you don’t have a formal quality plan, they’ll ask how you validated that the interim deliverables and final solution were of acceptable quality.
  • Client involvement. The auditors may ask about the business client’s involvement in the project life cycle, including the role of the sponsor. They’ll be interested in how interim deliverables and the final solution were approved.
  • Overall project management procedures. This includes how you managed scope, issues, and risk. If you followed organizational standards, you’re in good shape. Otherwise, they’ll ask you to describe the processes you followed.

Final thought
While Mary’s project was viewed as a success, it doesn’t necessarily mean that she used good processes to get the work done. She should be able to show the auditors that the project management processes were rigorous enough based on the size of her project. In her case, she will be able to show them the detailed listings that show how the work was tested and approved by the client.

I believe her discussion with the auditors will go well. This is just one step in their auditing process. If Mary appears to have followed sound processes, it will help reassure the auditors.

Tom Mochal is president of TenStep, Inc., a project management consulting and training firm. Recently, he was Director of Internal Development at Geac, Inc., a major ERP software company. He’s worked for Coca-Cola, Eastman Kodak, and Cap Gemini Ernst & Young. Tom has developed a project management methodology called TenStep and an application support methodology called SupportStep.
