In continuing our discussion of the IT Auditor’s Role in the Project Management Process, we will now look at the auditor’s role in risk assessment. Much of this information comes from the book “Information Technology Control and Audit,” which identifies that the auditor’s role in assessing risk focuses on two things: the risks associated with the project management processes used within the organization, and the risks associated with the project itself.
Audit Risk Assessment
Depending on the organization, auditors may not have enough time to be involved in all phases of every project. Project involvement will depend on the assessment of process risks and project risks.
Process Risks:
- Lack of strategic direction
- Lack of project management standards
- Lack of a formal project management process
- Negative organizational climate
Project Risks:
- Resource unavailability and budget
- Project complexity and magnitude
- Inexperienced staff
- Lack of end-user involvement
- Lack of management commitment
The level of risk may be a function of the size of the project, scope of organizational change, complexity of the system being developed, the number of people involved, and the importance of the project to the organization.
The scope of the audit involvement will depend on the maturity of project management in the organization. Audit involvement may be minimal if the IT group has a well-established project management lifecycle and project office that perform regular oversight and tracking activities. In this case, the auditor may focus more on project-specific risks rather than on project management risks. For less mature organizations, the auditors may take on the role of oversight and tracking for the project.
As discussed in the previous article, the level of auditor involvement will likely also depend on the types of projects being handled. For projects and programs involving a government agency as a customer and a formal status meeting presentation process, the need for or requirement of a formal auditing process is much higher. In those cases, regular auditing of the PM processes in the organization – no matter how mature the processes are – may be required, with the findings presented on a monthly or quarterly basis to the customer as well as to executive leadership within your organization.