The IT Auditor’s Role in Project Management Process

In larger organizations or on larger government projects, it may be recommended and even required to conduct audits of the project management processes being utilized in an organization. It may even be necessary to audit individual projects for process adherence.

I have personally been involved in many large government projects and programs that required detailed auditing and the presentation of audit findings to the proper government officials. With the help of the book “Information Technology Control and Audit” (by various authors) I’d like to discuss how this IT audit process might oversee and substantiate the project management process utilized for a given project and for the portfolio of projects your organization is undertaking.

Auditing the Project Management Process

The auditor’s role in project management depends on the organization’s culture, maturity of the information systems function, and philosophy of the auditing department. The objective of a project management audit is to provide an early identification of those issues that may hinder an on-time, within-budget implementation of an application that is controlled, documented, and able to be operated by an adequately trained user community. Auditing project management requires specific knowledge about the project management life cycle and development process. Understanding these allows the auditor to identify key areas that would benefit from independent verification. The scope of a project management audit can include an evaluation of the administrative controls over the project (e.g., feasibility results, staffing, budgeting, assignment of responsibilities, project plans, status reports, etc.) or an evaluation of specific deliverables to validate that the project is following established standards.

By becoming involved at strategic points, the auditor can ensure a project that is well controlled. The following list highlights some of the key tasks the auditor may perform during a project’s development:

• Gain the support and cooperation of the users and IT professionals.
• Check project management tools for proper usage.
• Perform project reviews at the end of each phase.
• Assess readiness for implementation.
• Present findings to management.
• Maintain independence in order to remain objective.

These tasks can help provide early warning of project management issues.

To determine the level of involvement, the auditor should first complete a risk assessment of the project development process and determine the amount of time to be allocated to a particular project. Next, the auditor should develop an audit plan that includes a schedule for the specific review points tied to the project schedule. Finally, the auditor needs to communicate the scope of involvement and any findings to the project manager, users, and IT management. During the early phases, auditors do not determine how controls will be implemented, but they should establish the review points. This helps IT personnel to better understand audit objectives.

In the coming articles, we will look at each of these processes that the auditor must go through when evaluating project management oversight on a project.

Related posts:

1. The IT Auditor’s Role in Risk Assessment
2. Detailing the Project Management Audit Process
3. The IT Auditor’s Role in the Software Development Process
4. Implementation Preparation
5. Knowledge Audits – Determining your Format