AUD 1301

MODULE 5: IT PROJECT
MANAGEMENT
• Discuss what Program Management is and how it differs from Project
Management
• Understand The Auditor’s Role in the Project Management Process
• Keys to Success and Reasons IT Projects Fail
• Project Selection
• Project Metrics
• Project Software
• Identify and explain some Project
• Management Tools/Project Management Software that can help internal auditors
in performing project management
• Understand the System Development Life Cycle and identify the steps that make
the cycle
Ø Development or Maintenance
Ø Testing
Ø Documentation
Ø Risks Implicated
Ø Typical Controls
• The Importance of Project Planning and Control in the Systems Development Life
Cycle

Learning Objectives
 PROGRAM management

“Program management is the process of managing a group of ongoing, interdependent,

related projects in a coordinated way to achieve strategic objectives.

Program management is the process of managing programs mapped to business objectives that improve
organizational performance. Program managers oversee and coordinate the various projects and other strategic
initiatives throughout an organization.

Project management (PM) is defined as the framework used to guide your team to success—this
includes your team objectives, tools, and techniques both over the long-term and your day-to-day
work.
 PROGRAM management
A portfolio is a set of
projects, programs, and
operations, coordinated
to achieve
• Program management entails
managing a program with
multiple, related projects.
• Since programs are linked to
strategic initiatives, they are
often long-running and possibly
permanent.
• Programs continue through
organizational change,
contribute to multiple goals, and
contain many projects that
deliver specific components of
the larger strategic initiative.
 program MANAGER VS.
PROJECTMANAGER

Program Manager Project Manager

Plans strategies Plans projects

Provides advice to stakeholders Tracks progress of projects

Review and advise on projects Allocates Resources

Offers audits and Quality Assurance Manage risks

Mentorship to project teams Communicate

 ESSENTIAL COMPONENTS TO A
SUCCESSFUL IT PROJECT
1. Alignment With Business Objectives
2. Alignment With All Stakeholders
3. Understanding Of The Industry You’re
Serving 4. A Priority List For Features

5. The Right Project Management Platform

6. A Breakdown Of Actionable Tasks

7. Familiarity With All The Components

8. KPIs With Clear Reporting

•Red - The project has hit a serious roadblock(s), and no clear plan is in place to hit the date.
•Yellow - The project has hit a serious roadblock(s), but a plan is in place to finish on time.
•Green - The project is on track. Risks are understood and mitigation plans are in place.
 ESSENTIAL COMPONENTS TO A
SUCCESSFUL IT PROJECT

9. A Good Communication Cadence

10. An Ongoing Project Record

11. A Plan For Failure

12. Documented Requirements And

Expectations

13. A Pragmatic Outlook

14. Team Engagement And Transparency

15. Empowered Teams

16. Smart Delegation

 WHY “IT” PROJECT FAIL?
1 Alignment exists at the top, but not throughout
the organization “If you’re trying to move an organization forward, everyone
should know what it is you’re trying to achieve, why you’re
doing it and what’s the individual’s role in it,” – Greg Stam,
managing director for advisory services, Ahead

2 No clear definitions of success “Not being able to define the outcome fully because the
outcome is changing so much, that’s one of largest points for
not being successful.” - Sunil Kanchi, CIO and chief investment
officer with UST, a digital transformation solutions company.

3 Project tasks aren’t given priority

“The project becomes another series of tasks that are lumped
on top of everything else and it all becomes part of the backlog
of IT tasks to do. Then the CIO gets questions on why the
projects got stuck,” Stam says.
 WHY “IT” PROJECT FAIL?

4 The value of change management is underappreciated

“You can’t give IT a perfect spec to build; IT needs to be flexible to

make projects work and respond to changing markets,” - Thimaya
Subaiya, senior vice president of customer experience, Cisco

5 Potential risks aren’t adequately anticipated

“There’s always chaos that happens with IT projects, so we have to
expect it. You have to anticipate that risks will surface and have a
process to respond,” - Thomas Phelps, CIO, Laserfiche

6 Not really being agile

“Most organizations are still not doing agile well. They’ve
embraced it in concept, but they haven’t embraced it in
execution,” says Robert McNamara, who leads the strategy
practice at the advisory firm Guidehouse.
 WHY “IT” PROJECT FAIL?

7 Dictating too much to IT experts

“Success or failure should be determined by whether a team is
able to fulfill reasonable outcomes that they formally agree to,
rather than outcomes that get forced upon them,” adds Scott
Ambler, vice president and chief scientist of Disciplined Agile at
the Project Management Institute (PMI).

8 Making projects too complex

“They’re trying to do too much too fast, or address all the

process and business changes at once, instead of trying to solve
for the core capabilities that are needed and targeting the
minimum requirements that need to be met,” McNamara
explains.
 WHY “IT” PROJECT FAIL?

9 Inadequate resourcing

The lack of the talent and tight finances can dent an IT

department’s ability to execute, according to Kanchi, the UST
CIO.

10 Holding onto legacy technology

“The company knew [this project] was suboptimal going in,

because they knew they were going to be constrained by their
legacy systems. But in other organizations they might not know
that going in and then the suboptimal performance is counted
as a failure,” McNamara adds.
 project SELECTION
Project selection refers to the process of outlining and choosing the next venture for a
team. Projects typically compete for resources, so we must consider the demands and
goals of each potential project and prioritize them accordingly.

Project Selection Methods

• Constrained optimization methods prioritize numerical and mathematical advantages

• Benefit measurement methods focus on more accessible concepts, such as opportunity cost and payback
periods.
 CONSTRAINED OPTIMIZATION
METHOD

• Integer Programming: This method prioritizes whole

numbers over partial results. For example, a company would
• Nonlinear Programming: More complex than linear
not want to build a partial car, only a whole car, so the
programming, this method involves maximizing a
determination is framed with whole cars in mind.
given variable in a situation when other variables are
not linearly tied to it. In the above car example, you
• Linear Programming: This method focuses on maximizing may need to factor in the increased costs of expedited
a given variable by manipulating other linear variables. bulk shipping and tariffs from multiple countries when
For example, you can reduce the total cost of a project by increasing your output on the assembly line.
reducing the time you take to complete it. If you can sell
cars as fast as you can make them, you can sell more cars
• Multiple Objective Programming: This method is, in
by making them faster.
many ways, a combination of all of the above. Here,
you create a system of functions that can help
• Dynamic Programming: This method breaks down a large mathematically optimize your decisions. By creating
problem into smaller, more manageable pieces. Instead of equations that define the time and costs of each step
“building a car,” a company might focus on first building of making a car, you can adjust variables as needed at
each individual piece of a car, and then putting it all any point and see a model of expected results.
together.
 BENEFIT MEASUREMENT METHOD

• Benefit-Cost Analysis: With this method, you compare the

costs of a project against its benefits. Consider that a coffee
shop wants to open a new location. The costs of inventory,
training, hiring, and running a new location are all
considerable. Still, the benefit of a new location can bring
increased revenue and brand expansion, both of which are
positives for the business.
• Discounted Cash Flow Analysis: The value of a project’s
income in the future (based on factors such as inflation or
the declining need of a product or service) can be an
important consideration. The most beneficial projects are
those that will make money for an organization long past its
initial completion.
Net Present Value (NPV): Net present value is the relationship
between the current cost of a project and the money it brings
in, or the return on investment (ROI). A higher NPV is generally
preferable, and it should always be positive. NPV considers the
time value of money and takes discounted cash flow into effect
over the life of a project, rather than only considering the
payback period.
 BENEFIT MEASUREMENT METHOD

• Internal Rate of Return (IRR): “rate of return that makes the net
present value of all cash flows (both positive and negative) from a
particular investment equal to zero.” This can help determine how
profitable investment into a project can be by comparing the IRR of
projects with the same start-up costs. A project with a higher IRR is
a more profitable venture.
• Payback Period: This is the measure of the time it takes to
be paid back on an initial investment. A project with a
shorter payback period may be preferable to one with a
longer payback period; however, it is also important to
consider the project’s ongoing costs and income potential.
This method is fairly simplistic in its scope, as it focuses only
on cash flow and does not acknowledge any potential risks
involved in the process.

• Opportunity Cost: This figure considers the cost of a project

in its entirety, not just financially. This can include the
physical resources, time spent, and technical training time, as
well as other factors. Opportunity cost aggregates the total
cost of a project, not only the numerical costs.
 project SELECTION

Project selection refers to the process of outlining and choosing the next venture for a
team. Projects typically compete for resources, so we must consider the demands and
goals of each potential project and prioritize them accordingly.

What Is A Project Metric?

A metric is simply a measurement of something. When managing a project, you can choose to use project
metrics to track progress.

Metrics are selected based on the goals of the project and critical factors for success.

Examples of project metrics include:

• The estimated cost of the project.
• The number of issues that are late.
• The number of open tasks.
• The duration of a project
• Earned Value.
 WHAT ARE THE STEPS IN PROJECT
SELECTION

1. Identify Potential Projects: Meet with the decision makers in your organization and make a list of all the
next potential projects.

2. Compare the Projects: Compare your potential projects using your choice of project selection
method. (You can use a cost benefit template to compare the costs and benefits of the list of
projects from the first step. Assign values for each criteria to compare the total scores of each
project.
3. Analyze Your Findings: Compare the scores of each project to determine which is best for your
team. This example uses negative numbers to display a more “costly” score and positive numbers
to display one that is more “beneficial.” A score near zero describes a cost benefit ratio that is
closer to equal.
4. Select a Project: Choose the project that best fits your team. Often, this will be the highest-scoring
project. Sometimes you will also need to consider things that your model may not consider, such as
budget figures and total cost.
 project management SOFTWARE
Project management software is used to plan, organize, and allocate resources for managing projects.
It helps teams collaborate and keep track of the project’s progress while clearly defining tasks and
responsibilities. It lets project managers control costs and time and allows smooth collaboration
between stakeholders.

Zoho Projects
 SYSTEMS DEVELOPMENT LIFE CYCLE
(SDLC)
• The systems development life cycle (SDLC) is a conceptual model used in project management that
describes the stages involved in an information system development project, from an initial feasibility study
through maintenance of the completed application.

SDLC can apply to technical and non-technical systems. In most use cases, a system is an IT technology
such as hardware and software. Project and program managers typically take part in SDLC, along with
system and software engineers, development teams and end-users.

• This approach to software development is structured and risk averse, designed to manage large projects that
include multiple programmers and systems. It requires a clear, upfront understanding of what the software is
supposed to do and is not amenable to design changes.

• The system development life cycle (SDLC) is a formal way of ensuring that adequate security controls and
requirements are implemented in a new system or application.

• SDLC is a structured approach defining a series of phases or stages a software project goes through from
inception to deployment and often beyond covering hypercare and support. Change management controls
ensure that any changes to existing software systems are properly tested and controlled to minimize risks
(e.g., unauthorized or untested change, etc.).
SDLC
 SYSTEMS DEVELOPMENT LIFE CYCLE
1. Preliminary Analysis

A request for a replacement or new system is first reviewed. The review includes questions such as:
What is the problem-to-be-solved? Is creating a solution possible? What alternatives exist? What is
currently being done about it? Is this project a good fit for our organization? This process is referred
to as a needs analysis. After addressing these questions, a feasibility study is launched (this will
be discussed later). This step is important in determining if the project should be initiated.

2. System Analysis

In this phase one or more system analysts work with different stakeholder groups to determine
the specific requirements for the new system. No programming is done in this step. Instead,
procedures are documented, key players/users are interviewed, and data requirements are
developed in order to get an overall impression of exactly what the system is supposed to do.
The result of this phase is a system requirements document and may be done by someone with
a title of Systems Analyst.
 SYSTEMS DEVELOPMENT LIFE CYCLE

3. System Design

In this phase, a designer takes the system requirements document created in the previous phase
and develops the specific technical details required for the system. It is in this phase that the
business requirements are translated into specific technical requirements. The design for the user
interface, database, data inputs and outputs, and reporting are developed here. The result of this
phase is a system design document. This document will have everything a programmer needs to
actually create the system and may be done by someone with a title of Systems Analyst,
Developer, or Systems Architect, based on the scale of the project.

4. Programming

The code finally gets written in the programming phase. Using the system design document as a
guide, programmers develop the software. The result of this phase is an initial working program
that meets the requirements specified in the system analysis phase and the design developed in the
system design phase. These tasks are done by persons with titles such as Developer, Software
Engineer, Programmer, or Coder.
 SYSTEMS DEVELOPMENT LIFE CYCLE
5. Testing

In the testing phase the software program developed in the programming phase is put through a
series of structured tests. The first is a unit test, which evaluates individual parts of the code for
errors or bugs. This is followed by a system test in which the different components of the system are
tested to ensure that they work together properly. Finally, the user acceptance test allows those that
will be using the software to test the system to ensure that it meets their standards. Any bugs,
errors, or problems found during testing are resolved and then the software is tested again. These
tasks are done by persons with titles such as Tester, Testing Analyst, or Quality Assurance.

6. Implementation

Once the new system is developed and tested, it has to be implemented in the organization. This
phase includes training the users, providing documentation, and data conversion from the previous
system to the new system. Implementation can take many forms, depending on the type of system,
the number and type of users, and how urgent it is that the system becomes operational. These
different forms of implementation are covered later in the chapter.
 SYSTEMS DEVELOPMENT LIFE CYCLE

7. Maintenance

This final phase takes place once the implementation phase is complete. In the maintenance
phase the system has a structured support process in place. Reported bugs are fixed and
requests for new features are evaluated and implemented. Also, system updates and backups
of the software are made for each new version of the program. Since maintenance is
normally an Operating Expense (OPEX) while much of development is a Capital Expense
(CAPEX), funds normally come out of different budgets or cost centers.
 SUMMARY

Stage Tasks Deliverables

Preliminary Analysis Problem Definition Scope and Project Charter Feasibility Study
Objectives Data Gathering Risk
Assessment Feasibility Analysis
Systems Analysis Data Gathering Systems Modeling User Requirements Specification
User Requirements Definition
Systems Design Make or Buy Decision Physical Detailed Systems Specification
Systems Design Technical Design
Programming & Testing Programming and testing Platform Production System
Implementation
Systems Implementation User Training Data Conversion Live System
Systems Conversion Post-
Implementation Review
Systems Maintenance Fix system “bugs” System Working System
enhancement
 SDLC risks

From an internal control perspective, SDLC provides a guide for managing risks
associated with software development.

Each phase of the SDLC is designed to identify and address potential risks to the
project, such as project failure due to budget constraints, scope creep, missed
milestones, or technical issues that could result in disrupted operations.

By using SDLC, project teams can identify risks early in the project and develop
appropriate mitigation strategies to minimize the impact of these risks.
 CONTROLS IN SDLC

• Establish an oversight committee

• Create a project charter
• Document system requirements
• Secure the project budget
• Define roles and responsibilities
• Identify project risks and controls
• Establish rollback and contingency plans
• Establish development, test, and production
environments
• Connect and test system integrations
• Conduct end-user acceptance testing
• Train end-users
• Communicate Go Live dates
 PLANNING IN SDLC

• The planning stage (also called the feasibility stage) is exactly what it sounds like: the phase in which
developers will plan for the upcoming project.

• It helps to define the problem and scope of any existing systems, as well as determine the objectives for
their new systems.

• By developing an effective outline for the upcoming development cycle, they'll theoretically catch
problems before they affect development. And help to secure the funding and resources they need to
make their plan happen.

• Perhaps most importantly, the planning stage sets the project schedule, which can be of key importance if
development is for a commercial product that must be sent to market by a certain time.
 AUDIT OF PROJECT
The audit of projects has become more complex with the adoption of formal project management
methodologies, and the increased demand for auditing projects real-time as they are being undertaken.
Auditors are often expected to identify problems in projects before the problems cause significant
damage. This expectation by management has the effect of dramatically increasing the audit risk attached
to projects and highlights the importance of using a framework in the audit of projects.

Project Success

The success of a project is traditionally considered in terms of three factors:

1. Completing the project within budgeted costs

2. Not exceeding the time allocation
3. Producing all the promised deliverables to the required quality standard

Other considerations:
1. Are the key stakeholders satisfied with the project?
2. Is the objective or purpose of the project being achieved?
3. Are there shortfalls in the project?
4. Is damage being done to relationships between key parties in the project?
 AUDIT OF PROJECT
Deliverables
Audit considerations might include:
1. Will all the deliverables be produced?
2. Will the quality of the deliverables be at the level
specified?
3. Will the delivery be within the timeframes
promised?
4. Will the deliverables be presented in a manner that
supports their easy use and integration into
operations?
5. Is there adequate flexibility to ensure that
reasonable and worthwhile changes to deliverables
can be made as the project proceeds?
Achievement of the project purpose
Questions the auditor could ask might include:
1. Are the key objectives of the project clearly
stated and realistic?
2. Are there likely important consequences of
the project that have been ignored?
3. Are the objectives of the project aligned to
the organization’s mission, vision, values,
key objectives and strategies?
4. As far as practical, do the key stakeholders
support the objectives, as applied to them?
 AUDIT OF PROJECT
Stakeholder satisfaction Project purpose achievement

In some projects, all specified deliverables are
produced, yet some key stakeholders are
dissatisfied with the project. Reasons for
stakeholder dissatisfaction are varied and could
include poor understanding of the project and
deliverables, unreasonable expectations, project
staff not understanding stakeholder needs
adequately and not producing what they want, and
changes to stakeholder needs being ignored during
the project through inflexible change
management.
Questions the auditor could ask might include:
1. Are the key objectives of the project clearly
stated and realistic?
2. Are there likely important consequences of the
project that have been ignored?
3. Are the objectives of the project aligned to the
organization’s mission, vision, values, key
objectives and strategies?
4. As far as practical, do the key stakeholders
support the objectives, as applied to them?

At each stage of the project, the auditor should consider

whether the project is on track to achieve the project
purpose.
 AUDIT OF PROJECT
Cost

Projects should ideally be completed at or below budget. However, it is important when auditing this
factor to take into account changes to the quantity and quality of deliverables, and events that could not
reasonably have been anticipated. In many cases, cost overruns are indicative of poor project risk
management, and a failure to learn lessons from other projects.

Time

Time management is an essential component of project management, and is therefore an important audit
concern. The comments made above about costs may also apply to time. Shortfalls Shortfalls may occur at
any time in the project lifecycle. There may be shortfalls in the quantity or quality of the deliverables, the
testing of deliverables, the ability of deliverables to work together to achieve the project purpose, in
reporting and meeting governance requirements, in communications, and in other areas of internal
control.
 AUDIT OF PROJECT
Shortfalls

Shortfalls may occur at any time in the project lifecycle. There may be shortfalls in the quantity or quality
of the deliverables, the testing of deliverables, the ability of deliverables to work together to achieve the
project purpose, in reporting and meeting governance requirements, in communications, and in other
areas of internal control.

Even though many of the potential shortfalls are implicitly addressed under other headings, it is useful to
have shortfalls as a separate category to remind the auditor to give them adequate attention.

Relationship damage

As projects progress, it is important project managers adequately address relationships, particularly those
between the project team and key stakeholders, the project governance team, project sponsors,
operational management, and others. It is important for the smooth functioning of the project for
relationships within the project team to be well- managed.

If relationships are well-managed, the consequences of relationship damage may be avoided.

 AUDIT OF PROJECT
Audit procedures

It is recommended that additional audit procedures be considered, including:

1. Interviews with people from the project team, key stakeholders, project governance, users, supply
chain and others.
2. Surveys.
3. Facilitated control self-assessment (CSA) workshops.
4. Internal control questionnaires (ICQs).
5. Directional testing for overstatement and understatement.
6. Examining the adequacy and readability of reporting

In summary, audit factors for a project should typically include:

1. Deliverables
2. Stakeholder satisfaction
3. Project purpose achieved
4. Cost
5. Time
6. Shortfalls
7. Relationship damage
 REFERENCES

Excerpt From Project Management: the Managerial Process Larson, Erik W.;
https://itunes.apple.com/WebObjects/MZStore.woa/wa/viewBook?id=0

https://www.atlassian.com/agile/project-management/program-management

https://ecampusontario.pressbooks.pub/informationsystemscdn/chapter/7-3-systems-development-life-cycle/

https://www.cio.com/article/230427/why-it-projects-still-fail.html

https://www.smartsheet.com/content/project-selection

https://www.forbes.com/sites/forbestechcouncil/2021/09/10/16-keys-to-successful-it-project-
management/?sh=25cdcbf74661

https://www.auditboard.com/blog/sdlc-vs-change-management-controls/

https://www.brightwork.com/blog/using-project-metrics-for-successful-project-
management#:~:text=Examples%20of%20project%20metrics%20include,The%20number%20of%20open%20tasks.