Professional Documents
Culture Documents
Internal auditors will need to assess the effectiveness of project management internal
controls in many of their operational reviews, as well as use good project management
techniques in many of their internal audit activities. Internal audit should have a common
body of knowledge (CBOK) understanding of project management best practices.
o Initiating. There should be formal processes in place to launch any project effort,
including a description of the project’s objectives, estimated budgeting, and
appropriate approvals. From an internal audit perspective.
o Planning. Every project requires planning in terms of its time and resource
estimates as well as for the linkages between components and other projects that
require coordination.
o Executing. These are the actual project activities—what needs to be done to
accomplish project goals. From an internal audit perspective, these activities may
range from individual reviews to executing an ongoing program of internal audit
activities.
o Controlling. An ongoing set of processes should be in place to monitor the
appropriate completion of project elements, determining that budgets and
objectives are being met. This is an important component in overall internal audit
management.
o Closing. The final process requires wrapping up the project effort and both
delivering the project components as well as summarizing and reporting the
project results. For many internal audit activities.
PMBOK has defined the project management process in a consistent and well-controlled
manner. In addition to the five basic project management process groups, as discussed,
the PMBOK guidance material defines nine of what are called project management
knowledge areas:
o Project integration management
o Project scope management
o Project time management
o Project cost management
o Project quality management
o Project human resources management
o Project communications management
o Project risk management
o Project procurement management
PMBOK guidance describes each of these knowledge areas, in terms of their inputs,
tools, and outputs, with a considerable level of detail. For example, Exhibit 16.2 shows
the summarized inputs, tools, and techniques and the outputs for PMBOK’s project risk
management, and Exhibit 16.3 shows the data flow for PMI’s risk management
components.
In addition to guidance on general management, the PMBOK contains a fair degree of
detail on the project management tools and processes needed in each of these knowledge
areas. Exhibit 16.4 summarizes these PMBOK processes and knowledge areas. The
purpose of this chapter is not to provide a detailed overview of all of PMBOK’s process
and knowledge areas but to emphasize the role of this tool for planning and implementing
effective project management processes for internal auditors. PMBOK is widely
recognized today as the standard for managing a project.
The PMBOK guidance focuses on individual projects and is useful for performing single
internal audits. However, just as an internal audit function or department will be
responsible for a series of internal audits over a period of time, any function managing a
series of projects needs to think of them as a series of program projects as well as their
relationships with other similar or related projects. Programs generally consist of related
work that may be outside the scope of the individual projects.
If internal audit groups existed for two units of a corporation, perhaps one covering
internal audits in European Union countries and the other for the United States, the
internal audit activities for each could be considered an internal audit portfolio with both
of these classified under a higher-level portfolio at the corporate headquarters. This
portfolio and program approach to project management is described in Exhibit 16.6. The
idea is that reporting relationships should be established when necessary to promote
efficiency and achieve overall objectives.
The PMI Standard for Program Management is a set of best practices for the management
of multiple, related projects that are measured and evaluated as a program. PMI has a
similar standard for portfolio management. This guidance is also useful to internal audit
where multiple but similar internal audit projects can be managed as a program or
considered as a portfolio. Exhibit 16.7 shows this interaction between projects and
program.
The relationship between project, program, and portfolio management practices in terms
of such factors as their scope, change management considerations, planning, success
factors, management, and monitoring.
The idea of such an audit universe document is not to describe everything where internal
audit might launch an internal audit during a current period but to describe the scope of
internal audit’s planned activities.
Exhibit 16.9 is an example of the type of preliminary plan that might be developed for
such a review of these Muddville purchasing and receiving operations. Because the
information here is only very preliminary, the plan does not use specific dates but
assumes that two internal audit staff members will be assigned to do the work. The
preliminary plan shown only uses approximate estimated hours at this time, but care
should always be given to not seal such preliminary plans “in cement,” as more
information may force all planned estimates up or down.
We have stated that our example internal audit function has never performed a review of
purchasing and receiving operations at its Muddville facility but that it has audit
programs and experience in performing similar reviews at other Global Computer
Products facilities.
The documentation may be sparse, out of date, or non-existent. Internal audit may want
to ask some questions to gather more information about these processes.
internal audit needs to identify key internal control areas here and then to develop audit
tests to verify that those controls are working. The size and type of these tests depends
very much on the nature and criticality of the processes reviewed. However, it is usually
not sufficient to select one item to walk through the process, and then to say that
everything is okay as long as those items met this audit test.
After the on-site internal audit team has completed its audit tests and performed other
internal audit procedures, there is a need to wrap up the audit fieldwork before departing
from the audit site. Although the final audit report and even a final draft report may not
be complete prior to internal audit’s completion of their fieldwork, it is almost essential
that the on-site internal auditors provide local management with at least a summary of
their audit observations and potential finding and recommendations as discussed in
Chapter 18 on the importance of internal audit reports.
Exhibit 16.11 is an example of such a point sheet. This would essentially be a discussion-
level document. If management has some significant areas of dispute, internal audit can
document and agree to re-review draft findings or to make potential changes to clear up
any management areas of concern.
Internal audit’s objectives here are not to come home with a dazzling audit report filled
with findings and recommendations but to review an area and to make recommendations
to improve the overall internal control environment there.
Internal auditors should think of virtually every internal audit they plan and perform as a
project similar to the best management practices that we have described on a high level
here and that can be found in the PMBOK standard.
These translate to the process of planning and performing an internal audit, using
PMBOK terminology but from an internal audit perspective, as follows:
o Project integration management. Detailed plans need to be prepared for every
internal audit, including processes to implement changes and alter that audit plan
in light of new findings or other developments during the course of the audit.
o Internal audit project scope management. Every internal audit needs to establish
and document a clear statement of the audit’s scope at the beginning of the
review. This scope will become a baseline for measuring internal audit progress,
accomplishment of the scope’s objectives, and any necessary change control.
o Internal audit project time management. The time and activities of all internal
auditors involved in a review need to be budgeted, recorded, monitored, and
assessed.
o Internal audit project cost management. Internal audit costs need to be budgeted,
collected, and controlled.
o Internal audit project quality management. Every internal audit project needs to
include appropriate quality planning, assurance, and control processes. These
measures assess a particular audit as well as the overall internal audit function.
o Internal audit project human resources management. Proper attention must be
given to all members of the team performing the internal audit, including audit
team organization planning and all levels of staff development and training.
o Internal audit project communications management. Communications factors are
important elements in any internal audit, whether in documenting results in
workpapers, reporting status and results to both enterprise and audit management,
and development of the final audit report.
o Internal audit project risk management. Every internal audit faces a variety of
risks, and the internal audit team needs to have processes in place to formally
identify and quantify those risks as well as to have procedures in place to respond
to and control any risks associated with an internal audit.
o Internal audit project procurement management. Although they are perhaps the
least significant of the PMBOK knowledge areas when compared to other aspects
of an internal audit, processes should be in place during any audit contract for any
outside services and goods as necessary.
Effective project management best practices, as defi ned in PMBOK, are an important
CBOK skill requirement for all internal auditors, both in developing internal audit
projects and in assessing the maturity of project management practices in the course of
their reviews.