The document discusses key areas for internal audit to focus on when auditing IT projects. It covers the typical risks in IT projects, a project management maturity model, and control considerations at different project phases. The document suggests that internal audit can add value by focusing on governance, risk management, and controls across the entire project lifecycle.
in IT Projects
ISACA Geek Week 2013
8/21/2013

Introductions and Projects Overview

PwC

Presenters
Charlie Miller and Andrew Gerndt, The Coca-Cola Company, Principal IT Auditors, Atlanta, GA, CISA
Mike Shipham, PricewaterhouseCoopers LLP, Project Assurance Director, Chicago, IL, CISA and PRINCE2

Agenda (Topic: Timing)
1. Introductions and Projects Overview: 15 minutes
2. IT projects - the risks: 15 minutes
3. Key areas to audit: 20 minutes

Coca-Cola at a glance

Project - sharing a Coke

Getting to know you
1. Are you involved in an IT project at your company?
2. How has Internal Audit been involved in this project?
a. Mostly in planning
b. Mostly in execution
c. Doing a post implementation review
d. Not at all

Getting to know you
1. What has been the greatest challenge with this project?
a. Planning
b. Execution
c. Post implementation
d. Other

Sound familiar?

IT Projects - the risks

Are IT projects successful?
PwC's 2012 survey indicates that 200 global companies were spending over $4.5 B on projects to deliver changes required to implement their strategy.
20% of ERP implementation projects are not completed. (Gartner)
71% of ERP projects do not meet the expectations of senior management (CSC Index/AMA Survey)
2%: Companies that had 100% of their projects on time, within budget, to scope and delivering the right business benefits. (PwC Global Survey on State of Project Management)
51% of ERP implementation viewed as a failure (Robbins-Gioia Survey)
84% of projects do not meet all criteria for success (Standish Group)
35%: Number of companies where system projects deliver expected business benefits (PwC Global Survey on State of Project Management)

IT project risks
In your experience, what IT project risks have you seen?

Reasons for program failures
Source: PwC's 3rd Global Survey on State of Project Management (2012)

Key areas of project risk
Risks are not isolated to classic project management artifacts, but extend to a broader risk universe.
- Data: Data Structures, Mapping, Cleansing Effort, Conversion and validation, Data governance, Backup and recovery, BI and reporting strategy
- Organization: Business impacts, Training, Communication, Organizational alignment, Change management, Compliance and controls, Business continuity
- Governance: Strategic Alignment, Senior Management Commitment, Sponsorship / Champions, Governance and Decision making, Synergy identification and tracking
- Program Management: Time schedules, Budgets, Resources/staffing, Vendors, Knowledge transfer, Issue and Risk management, Scope management
- Technology: Infrastructure, System architecture, Networking, Security, Availability, Performance, Disaster recovery
- Process and Solution: Requirements, Business processes, System Development Life Cycle, Data Controls, Bolt-ons, Interfaces/integrations

Key areas to audit

PM Maturation Model
Maturity Levels and Characteristics

5. Enterprise Standards and Program Management Culture Exists
- Strategic resource management crosses the enterprise
- Program value management occurs through project portfolio management, prioritization and interdependency management
- Change issues address organizational design and culture change

4. Cross Business Unit Program Management Implemented
- Measures of process quality are collected and processes are managed
- Process performance target zones are established

3. Programs Managed with a Strategic Enterprise Focus
- Management processes address multiple projects
- A PMO is used for efficiency and risk management is proactive
- Projects and programs assume a strategic focus with status visibility provided to a wider stakeholder audience

2. Stable Project Management Processes
- Work projects are controlled and basic PM capability established
- Management visibility into project status at predefined checkpoints and milestones and react to problems as they occur
- Initial use of metrics at the project performance level

1. Unstable Project Performance (Ad Hoc)
- Processes poorly defined
- Managers have little visibility into status and processes employed
- Success achieved through "heroics"

Who plays a part in managing program risk?
PMO monitoring and assurance activities
Examples of Level 2 activities:
- Operational risk teams
- Compliance teams
- Organizational or independent PMO
- Targeted QA activities (from within the organization but independent of the project)
- Product vendor provided assurance

External vendor and internal audit
Examples of Level 3 activities:
- Internal Audit reviews (part of the annual plan)
- Health checks and targeted specialist Deep Dive reviews
- External Audit reviews

Work stream monitoring activities
Examples of Level 1 activities:
- Program risk function
- Program PMO
- Vendor PMO & QA

Large transformation projects typically have a number of functions supporting risk and quality management. Understanding the respective roles and levels of assurance provides a holistic view of current assurance levels and helps identify the gaps that may need to be addressed.

1. Navigate the integration risk landscape
2. Understand stakeholder perspectives and provide deeper insights
3. Cut through the clutter

Questions
- How well aligned is internal audit's plan with the critical risks facing the organization?
- Does internal audit provide a point of view to help the business improve its responses to risk?
- How effectively does internal audit communicate with stakeholders?

How can audit add value to a project?

How can audit add value?
Controls are often overlooked

[Figure: cost of controls (low to high) over the project life cycle (start to finish), spanning pre-implementation, during development and post-implementation. Phase labels: Design, Build, UAT, Implement, Go Live; Solution Blueprint, Test, Implement, Go Live.]
Cost of controls increases as project progresses

Managing risk over the program lifecycle
- Project governance and mgt review
- Planning and mobilization
- Business case review
- High level target operating model
- Organization change strategy
- Deployment strategy
- Business process design
- Data and reporting design
- Test and data conversion strategies
- Security & controls
- People and Org Design
- Dedicated vendor management
- Solution testing and remediation
- Training plans and execution
- Data conversion
- Security and control configuration
- Business continuity planning
- Benefits management plan
- Support model design
- Test and training results
- Go-live process
- Data conversion process
- Transition to business as usual (BAU) planning
- Stakeholder engagement
- Go-live readiness assessment
- 30-90 day support
- Business adoption
- Benefits realization
- Compliance and controls certification

Phases: Assess, Design, Construct, Implement, Operate & Review

Delivering Change
- Is the case for change robust with clear scope, business outcomes and ownership?
- Will the organization & technical design deliver the benefits?
- Is the solution being built as designed and robustly tested?
- Is the business ready to go with detailed go live and support plans in place?
- Are the benefits being delivered and what could be improved?
- Is the program being effectively governed against guiding principles and managed across all workstreams?
- Is delivery of business benefits a key focus throughout the lifecycle?
- Is the Change Management approach appropriate and delivering success?

Driving Change
- Is the organization engaging key stakeholders (including existing vendors/partners) throughout the change?

Further reading and Appendix Slides

Internal Audit's Role in Transformational Change
http://www.pwc.com/en_US/us/risk-assurance-services/publications/internal-audit-transformational-change.jhtml

Insights and Trends: Current Portfolio, Programme, and Project Management Practices (our 3rd global survey)
http://www.pwc.com/en_US/us/public-sector/assets/pwc-global-project-management-report-2012.pdf

Reaching Greater Heights: Are You Prepared for the Journey? 2013 State of the Internal Audit Profession Study (our 9 th

For more information: Contact
Mike Shipham, PricewaterhouseCoopers LLP, Director, 312-298-4188
Andrew Gerndt, The Coca-Cola Company, Principal IT Auditor, 404-676-4897
Charlie Miller, The Coca-Cola Company, Principal IT Auditor, 678-516-8149

2013 PricewaterhouseCoopers LLP. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.

Thank you

Video

Appendix Slides - Examples of control considerations by project phase

Top 10 Keys to success
Key events that may contribute to a successful Project Audit:
1. Stakeholder buy-in & tone at the top, understanding & acceptance of engagement
2. Staffing, proper technical skills, qualifications and capabilities allowing the team to quickly establish credibility
3. Understanding project needs and expectations, as well as the level of comfort desired
4. Scoping appropriately, leveraging a risk based approach and delivering upon the agreed scope
5. Up-front communication regarding scope of review, extent of review, timing of review and level of details to be provided in reporting
6. Execution and completion of work within defined budget and schedule
7. Change agility, being able to change with the project needs (adjust timeline, etc.) but avoiding scope creep
8. Communication to all parties
9. Relevance, providing actionable useful and timely deliverables (reporting); consider requirements of the audience (i.e. Audit Committee, Sponsor, Project Manager, etc.)
10. Monitoring project progress between checkpoint reviews to minimize ramp-up time required at each checkpoint

Project assurance - Control considerations
[Slide grid labels, repeated on each of the following slides: ITGCs, Business Process, Interfaces, Define, Design, Build & Test, Maintain, Data Quality, Deliver, Imp. Support]

- A clear understanding of Business Processes in Scope.
- A clear understanding of the current status of controls and the proposed change.
- A clear understanding of the control risks to be addressed:
  - Operational
  - Compliance
  - Financial Reporting
- Understanding of the efficiency improvements required
- Appropriate expertise assigned to deliver appropriate controls
- Appropriate activities included in project plan to deliver appropriate controls

- Design appropriate ITGCs based on the risks identified
- Determine what the key controls are
- Ensure specifications of ITGCs are produced for input into the next phase.

- Ensure there is a clear understanding of current interfaces and interface controls and how these may be changing
- A high level plan has been developed to show interface development activities, priorities, and contingency plans should desired interfaces be unavailable when needed by business teams.

- Ensure appropriate business process controls are developed (in line with the specifications from the previous phases)
- Make sure controls that are developed are tested appropriately

- Setup of integration test environment should include execution of data conversion procedures to validate completeness and accuracy of conversion procedures.
- Data conversion reconciliation specifies tests to prove that the converted data is sufficiently clean to be used within the new environment and data inaccuracies have not been introduced during the conversion process

- In instances where data has not been converted or migrated (i.e., only summary data is in new system), is the historical data available in a read only environment for reference purposes?