Auditing Project Management Practices
• RASCI chart — Documents project task assignments and ownership (Responsible, Accountable,
Supported, Consulted, and Informed).
Risks Associated with Project Management
The most common project risk centers around scope creep, which commonly refers to adding
requirements during the design, coding/configuration, or testing phases of the project.
Typically, internal auditors and project managers organize the project risks to align with the project
management triangle:
Budget Risk — Project costs go up when projects experience scope creep. This also occurs when the
team underestimates the original cost of activities during the planning process.
Schedule Risk — Tasks that exceed time estimates, unavailable human resources, and delayed
delivery or installation of technology typically lead to schedule risk (and may also increase project
costs).
Performance Risk — Poorly constructed business and functional requirements, lack of key
stakeholder involvement, and inadequate testing can lead to projects failing to meet user
expectations, and result in performance risk.
Project Assessment and Risk Categories
During the project assessment, the internal auditor should also consider traditional risk categories:
Governance risk — Lack of oversight by the project steering committee or project sponsor/project
champion can lead to projects being inappropriately prioritized or resources being mismanaged.
Strategic risk — The selection process could lead to solutions that are not compatible with the current
technical environment or resource skillsets.
Market risk — Poorly executed projects can lead to competitor advantage/speed to market.
Credit risk — Economic downturns, internal liquidity, and creditworthiness issues can lead to
funding delays in starting or finishing projects.
Legal risk — Projects developed without fulfilling legal and regulatory requirements, or that use
contracts that do not adequately cover probable liabilities, can lead to delays due to revisions to
project scope or noncompliance with requirements.
Environmental risk — Projects being delayed due to Mother Nature, vandalism, cyber-crime, or civil
unrest can lead to delays in the project timeline and increased strain on the project budget.
Copyright © 2021 by The Institute of Internal Auditors, Inc. All rights reserved.