This article was downloaded by: [Sam Huibers]
On: 07 June 2013, At: 13:13
Publisher: Taylor & Francis
Informa Ltd Registered in England and Wales Registered Number: 1072954 Registered office: Mortimer House, 37-41 Mortimer Street, London W1T 3JH, UK

EDPACS: The EDP Audit, Control, and Security Newsletter
Publication details, including instructions for authors and subscription information: http://www.tandfonline.com/loi/uedp20

The Role(s) of the Auditor in Projects: Proactive Project Auditing
Sam C.J. Huibers
Published online: 16 May 2013.

To cite this article: Sam C.J. Huibers (2013): The Role(s) of the Auditor in Projects: Proactive Project Auditing, EDPACS: The EDP Audit, Control, and Security Newsletter, 47:5, 1-14
To link to this article: http://dx.doi.org/10.1080/07366981.2013.786940
Full terms and conditions of use: http://www.tandfonline.com/page/terms-and-conditions

This article may be used for research, teaching, and private study purposes. Any substantial or systematic reproduction, redistribution, reselling, loan, sub-licensing, systematic supply, or distribution in any form to anyone is expressly forbidden.

The publisher does not give any warranty express or implied or make any representation that the contents will be complete or accurate or up to date. The accuracy of any instructions, formulae, and drug doses should be independently verified with primary sources. The publisher shall not be liable for any loss, actions, claims, proceedings, demand, or costs or damages whatsoever or howsoever caused arising directly or indirectly in connection with or arising out of the use of this material.
EDPACS: THE EDP AUDIT, CONTROL, AND SECURITY NEWSLETTER
2013 VOL. 47, NO. 5

THE ROLE(S) OF THE AUDITOR IN PROJECTS: PROACTIVE PROJECT AUDITING
SAM C.J. HUIBERS
Abstract. In an era of dynamically changing environments, globalization, and increasing legislation, companies need to revisit their strategy on a continuous basis. Consequently this requires the redesign of the organization, processes, and systems, all of which are often executed through (large) projects. With increasing demands from management on the internal audit profession, the question is raised of how the auditor's role can be redefined as it shifts from the more traditional assurance role to being involved as a proactive partner in projects, without losing its independent position. Potentially the advisory and participative roles might conflict with the assurance role of the auditor. However, if for this reason the auditor's role is restricted to the compliance aspect only, the added value of the auditor may be substantially reduced. This article is based on research aiming to provide practical relevance to the audit profession and industry. It describes the different types of roles that can be fulfilled by the auditor, taking into consideration the shift from the traditional assurance role toward more proactive roles in projects: advisory and participative roles, without jeopardizing the auditor's position.
ROLE(S) OF THE AUDITOR IN PROJECTS

In order to gain more insight into the potential roles that the auditor can play in projects I have divided these roles into three groups:

1. assurance roles,
2. consulting roles, and
3. participative roles.

Next, I have used a position paper from the Institute of Internal Auditors (2004, 2009)1 to categorize the different types of roles that the auditor can play in projects (see Figure 1):

- The core roles of internal audit: traditional assurance roles such as project reviews.
- Legitimate roles with safeguards: consulting and participative project roles that can be performed by the internal auditor if certain preconditions are met.
- Roles that should not be undertaken by internal audit, such as the management of project-related risks.
IN THIS ISSUE
- The Role(s) of the Auditor in Projects: Proactive Project Auditing
- Leveraging IT to Perform an Efficient and Effective Construction Audit
- How Loud Can That Whistle Blow?

Editor: DAN SWANSON
Editor Emeritus: BELDEN MENKUS, CISA
CELEBRATING OVER 3 DECADES OF PUBLICATION!
An important remark to be made is that the roles I further describe in the next paragraph are generic and can be applied to the audit profession in general. In this article I have added additional examples that can be applicable to the daily practice of IT auditors who are involved in project audits.
Assurance, Consulting, and Participative Roles in Projects

I have summarized the roles that can be fulfilled by the auditor in Figure 1 and Table 1. Note that this is not a restricted list, but I have categorized the roles in groups in order to gain more insight into the potential roles that the auditor can play in projects: assurance, consulting, and participative roles.
Figure 1 Summary of core roles, legitimate roles with safeguards, and roles that the auditor should not undertake in projects (Huibers, 2008, 2009, 2010, 2011).
If you have information of interest to EDPACS, contact Dan Swanson ([email protected]). EDPACS (Print ISSN 0736-6981/Online ISSN 1936-1009) is published monthly by Taylor & Francis Group, LLC., 325 Chestnut Street, Suite 800, Philadelphia, PA 19106. Periodicals postage is paid at Philadelphia, PA and additional mailing offices. Subscription rates: US$370/£224/E297. Printed in USA. Copyright 2013. EDPACS is a registered trademark owned by Taylor & Francis Group, LLC. All rights reserved. No part of this newsletter may be reproduced in any form, by microfilm, xerography, or otherwise, or incorporated into any information retrieval system without the written permission of the copyright owner. Requests to publish material or to incorporate material into computerized databases or any other electronic form, or for other than individual or internal distribution, should be addressed to Editorial Services, 325 Chestnut Street, Suite 800, Philadelphia, PA 19106. All rights, including translation into other languages, reserved by the publisher in the U.S., Great Britain, Mexico, and all countries participating in the International Copyright Convention and the Pan American Copyright Convention. Authorization to photocopy items for internal or personal use, or the personal or internal use of specific clients may be granted by Taylor & Francis, provided that $20.00 per article photocopied is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923 USA. The fee code for users of the Transactional Reporting Service is ISSN 0736-6981/06/$20.00+$0.00. The fee is subject to change without notice. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged. Product or corporate names may be trademarks or registered trademarks, and are only used for identification and explanation, without intent to infringe.
POSTMASTER: Send address change to EDPACS, Taylor & Francis Group, LLC., 325 Chestnut Street, Suite 800, Philadelphia, PA 19106.
"...THE REAL ADDED VALUE OF INTERNAL AUDIT IS ITS INVOLVEMENT IN THE PROJECT FROM AN EARLY STAGE AND ITS ABILITY TO ACT IN A PROACTIVE WAY."

EDPACS 2013, p. 2 © Copyright 2013 Sam C.J. Huibers
Table 1 The Roles of the Auditor in Projects (Huibers, 2008, 2009, 2010), with Examples of the Role of the (IT) Auditor in Projects (Huibers, 2012)

Columns: Type of role | Project role | Description | Example specific to the IT auditor

Assurance roles

- Quality Assurance (QA): program/project reviews at four levels: initial project review, milestone project reviews, business readiness or pre-implementation reviews, and post-implementation reviews.
  Description: Give an opinion on the project design: the governance, management, the project process and milestones, including the risks associated with the design and implementation of an application.

- Quality Assurance: deliverables.
  Description: Review focusing on the quality of the products (deliverables).
  IT auditor example: Review the authorization strategy and roles, or assess the system design documents.

- Post-implementation audit.
  Description: Provide an opinion about the quality of the internal control system embedded in the operational processes.
  IT auditor example: Review the effectiveness of the authorizations half a year after go-live.

Consultative roles

- Quality Assurance: advisor to program/project management.
  Description: Advise the project management on project management and risk assessment methodology.
  IT auditor example: Advise how to structure the project and include milestones such as approval of the business blueprint, translation into a technical design, development, testing, and training.

- Advisor (content).
  Description: Act in an advisory capacity in a narrow sense, answering questions and expressing particular views, but with no direct involvement in realization.
  IT auditor example: Advise on the design of a control framework to come to a good balance in application controls and procedures.

- Sounding board (objective observer).
  Description: Raise questions to reflect.
  IT auditor example: Sounding-board role: raise questions to reflect how change management aspects will be addressed. For instance, ask how relevant users will be involved early on in the project.

- Coach/trainer.
  Description: Advise in designing learning experiences, or act as coach.
  IT auditor example: Facilitate a project risk workshop, or advise in the setup of a training program.

Participative roles

- Proactive expert role.
  Description: Owns specific knowledge in the area of internal control systems and IT security and proactively participates in a project to define alternatives and provide recommendations and solutions.
  IT auditor example: Suggest alternative solutions to improve the system security and provide recommendations on how to implement these.

- Project/process coordinator.
  Description: Coordinate project activities.
  IT auditor example: Coordinate the setup of so-called business control frameworks and provide templates in a business process redesign project.

- Documentation of controls.
  Description: Support in the documentation of controls.
  IT auditor example: Support in the documentation of system and end-user controls.

- Proactive QA partner (facilitator role).
  Description: QA partner that not only identifies risks but also translates them into real business issues and makes recommendations.
  IT auditor example: Identification of risks associated with the introduction of a new system, and recommendations to improve user acceptance.
Grouping the roles in this way gives more insight into the potential roles that the auditor can play in projects: assurance, consulting, and participative roles.

In the next paragraphs I would like to highlight some points that can be of relevance when considering the auditor's role in a project: programs versus projects, the internal versus the external auditor, and the role of the auditor during different phases of the project.
Programs

An individual project can be part of a larger program. The program is the "umbrella" under which individual projects have been grouped in order to contribute to an identical objective. The OGC2 points out that the quality assurance and overall compliance of the program (focusing inwardly on the internal consistency of the program structure, and outwardly on its coherence with infrastructure, interfaces with other projects, and corporate standards) is the primary responsibility of the program manager. The program manager will define the governance structure and make sure that appropriate assurance roles are appointed. It is the responsibility of the project manager to coordinate with the staff assigned to the assurance roles to ensure the overall integrity and coherent structure of the project.

Since quality assurance is relevant at both levels, and the way projects are grouped and structured depends on the organization and situation, the roles I describe in this article are applicable to both programs and projects.
Role of internal and external auditors in projects

Various variables can be important when deciding if one or more external parties will be involved in a project, such as experience, knowledge, independent position, and available resources.

However, the starting point is that an external auditor can fulfill the same role in projects as the internal auditor. The external auditor can be the public accountant of the organization or a different third-party accounting and advisory firm.

When different roles are assigned to various parties it is important to avoid overlapping roles and inefficiencies. The following considerations, among others, might be taken into account:

- Knowledge of the business: the internal auditor is assumed to know the organization better than the external auditor does.
- Sharing best practices: on the other hand, the external auditor can share best practices and experiences gained at projects with other customers.
- Knowledge of the system/process: the external auditor can give an opinion on the design of a system/process using experiences gained at other clients as a reference.
- Sponsor: the project manager can ask the internal auditor to facilitate a risk analysis. The (supervisory) Board could ask the external auditor to advise and provide recommendations.

The aforementioned examples can influence the decision when assigning roles in a project. Please note that in some cases the combined involvement of the internal and external auditor may also very well result in synergies.
The role of the auditor during the different phases of a project

The role of the auditor might differ per phase of the project. In the project literature, project phases are described with several levels of detail that can vary depending on the nature of the project. However, on a highly generic level, three phases can be distinguished as a common denominator to all projects:

- project preparation/start,
- project execution, and
- project close.

In Appendix 1, I have provided examples of how the role can differ per phase of the project. I have used the PRINCE2 project methodology as a reference. PRINCE (an abbreviation of Projects in Controlled Environments) was developed in 1989 by the CCTA, the U.K. government agency whose functions were later taken over by the OGC, as the standard approach to IT projects. Over time the method has been enriched to become a generic, best-practice project management framework covering a wide variety of disciplines and activities for all kinds of projects outside the IT and public sectors. Today PRINCE2 has been widely adopted by both public and private organizations as the de facto standard for project management and has a demonstrable track record.
Safeguards (Preconditions) for Consulting and Participative Roles

The assurance role is the traditional role of the auditor (core role). The consulting and participative roles are typically roles that can be fulfilled by the auditor, but only when certain safeguards (i.e., preconditions) are put in place. The safeguards are preconditions necessary if the auditor is to extend his or her role beyond the traditional assurance role:3

- It should be clear that management remains responsible for project risks and for determining the risk appetite.
- The nature of internal audit's responsibilities should be documented in the audit charter and approved by the Audit Committee.4
- The auditor should not manage any of the project risks or mitigate them on behalf of management.
- The auditor should provide advice and support to management's decision making, as opposed to taking management decisions or implementing solutions on behalf of management.
- The auditor should avoid any impairment of independence and objectivity, in fact or in appearance. The auditor should not audit activities in which he or she has been involved in the previous year. Segregation of duties should be applied and/or tasks transferred to other governance departments or outsourced.
- Any work beyond assurance activities should be recognized as a consulting engagement, and the implementation standards related to such engagements should be followed.

The most important precondition, both for roles with safeguards and for the roles that should not be undertaken, is that the auditor must refrain from any managerial accountability in all project
areas, from initially setting the project risk appetite to the final embedding of deliverables in the standing organization.

A final remark I would like to make here is that the exact boundaries of the extent to which the auditor can fulfill a consulting and participative role without risking any infringement of independence cannot always be carved in stone. Since the context, objectives, and tasks to be performed might differ from project to project, there will always be an individual judgment to be made. As pointed out by Mautz and Sharaf in their book The Philosophy of Auditing, first published in 1961, the responsibility for making a judgment in order to maintain independence in different situations must rest in the first place with the individual audit practitioner, who must constantly be aware of his or her professional responsibility in all kinds of situations.

Role(s) Not to be Undertaken by the Auditor

It is the primary responsibility of the project manager to manage project risks. The auditor can assist in making risks transparent, but it is up to the business management to determine the risk appetite and to define and implement mitigation actions. In addition, the embedding of project deliverables into the standing organization is a line management responsibility. If the auditor takes on these roles, he or she has crossed the line and therefore cannot provide sufficient safeguards to ensure independence and objectivity (see Table 2).
GUIDANCE AND CONDITIONS PROVIDED IN A FRAMEWORK

I have compiled a framework that describes the guidance and conditions that enable the internal auditor to fulfill potentially conflicting roles in projects. Each quadrant represents a different perspective: (I) guidance from the Institute of Internal Auditors (IIA), (II) the structure of the internal audit department, (III) interchangeable roles with other governance departments, and (IV) project governance and de facto project management frameworks. Every quadrant entails two levels, which are described in detail:

1. the organizational level, describing guidance that is applicable in a broad company-wide context, and
2. guidance at the individual program/project level.

Table 2 Roles Not to be Undertaken by the Auditor

Description of roles not to be undertaken by the internal auditor:
- Setting the project risk appetite.
- Imposing the project management process.
- Managing risks identified in quality assurance.
- Taking managerial decisions regarding the proposed solutions.
- Implementing solutions on behalf of the management.
- Being accountable for project deliverables.
- Being accountable for project budget and/or progress against milestones.
- Being accountable for embedding project deliverables in the organization.
Below I will describe the key elements of each quadrant. For a full description of all quadrants I refer to the original thesis (Huibers, 2008).

Quadrant I: Guidance of the IIA

The first quadrant provides guidance from the Institute of Internal Auditors (IIA). At the organizational level the purpose, authority, and nature of activities should be clearly defined in the audit charter and approved by the board. At the program/project level every single assignment beyond the scope of assurance activities should follow the IIA standards, starting with a clear understanding about objectives, scope, and activities being established with the client, in line with the nature of the activities in the Audit Charter.
Quadrant II: Audit Department

Within the audit department a segregation of duties can avoid jeopardizing independence by fulfilling conflicting roles. This can be realized on several levels, depending on the size of the department and the number of activities of internal audit: a division of the audit department into consulting/facilitating and assurance-related activities, dividing tasks between existing internal audit sub-departments based on specialization (IT audit, financial audit), or applying a segregation of duties at the project level. In the latter case the auditor should not audit activities in which he or she has been involved in the previous year.

Figure 2 Summary framework of guidance and conditions for the role of the internal auditor in projects (Huibers, 2008, 2010). The objective of this framework is to provide practical guidance on how the internal auditor can undertake potentially conflicting roles in projects without jeopardizing the auditor's independent position and objectivity.
Quadrant III: Other Governance Departments

In quadrant III the increasing prominence of risk management and control awareness in organizations gives new possibilities. The emergence of different governance departments such as Risk Management, Compliance, and Internal Control creates a safeguard to avoid potentially conflicting roles by dividing different roles between these separate departments. Assigning different roles across the so-called lines of defense is a way to ensure the internal auditor's independence at both the organizational (organization-wide) and program/project level. The "lines of defense model" within an organization can be a starting point for dividing roles:

1. First line of defense, management: business and project management have the primary responsibility to monitor and control the operations.
2. Second line of defense, supporting functions: management is supported by the staff departments in their monitoring responsibility, for example Internal Control, Risk Management, Compliance, and Quality Assurance.
3. Third line of defense, Internal Audit: provides additional assurance on top of the activities of the first and second lines of defense. Different types of audit might be applicable and can operate in an integrated way: for example, operational, IT, and financial audit.
4. Fourth line of defense, external audit: additional assurance to external parties (SAS 70 reports, now replaced by SSAE 16/ISAE 3402 reports, and ISO audits, for example).

In case potentially conflicting roles might arise, the activities can be split among departments:

1. general roles can be defined at organization level following the three lines of defense model,
2. (conflicting) roles can be divided between different governance/staff departments, and
3. (conflicting) roles might be divided between departments within the audit function (see previous paragraph).

The first step in effective cooperation is to define and agree with the executive management the roles and responsibilities in the organizational governance structure. Accordingly, at program/project level the different roles can be assigned to individuals of different governance departments to avoid potential conflicts in project roles. To give an illustrative example, Internal Control is involved in the design of controls in a process, whereas Internal Audit reviews the completeness of the control design.

An important remark to be made is that some factors might influence the extent to which activities will be divided between governance departments; for example, the business environment
in which an organization is operating and the maturity of the organizational governance system.

Quadrant IV: Project Governance

The Office of Government Commerce (OGC) provides standards and guidance on best practices with respect to project management that have been globally adopted across industries (i.e., PRINCE2). The OGC de facto standard role description does not explicitly mention the role of internal audit, but its guidance regarding quality assurance and advisory roles is mutually supportive of the IIA view.

The internal audit function can support the implementation of a standard project and audit methodology. Often organizations adopt a generally used framework/methodology and tailor it to the needs of the organization. For instance, with respect to IT-driven projects, COBIT (Control Objectives for Information and Related Technology) is a framework created by ISACA and includes a section on program and project management.5 By supporting the definition and embedding of a standard project methodology a safeguard is created, and this enables the project management to manage projects in a controlled way. The quality criteria for project gateways and deliverables can be made explicit and transparent and can serve as a reference model for project reviews.

At the organizational level the purpose of quality assurance is to provide assurance that the project has adequate plans and measures, in line with the established project methodology, to ensure that the project processes are suitably controlled and are likely to result in products that meet explicit quality criteria. Audit can support the design of the quality assurance and standard audit project methodology in the organization, including clearly defined roles and responsibilities of line management, internal audit, and other governance functions. At project level audit can consult and facilitate the embedding of quality assurance in the project by assisting the project management with implementing the quality assurance system in an effective way. In this case advising means making the audit reference framework explicit in advance in order to ensure that an adequate review is undertaken.

Steering committee

Finally, I have argued, supported by the insights of psychological and organizational theory (group decision-making processes) (Beach & Connolly, 2005; Janis, 1972), that the internal auditor should be extremely reluctant to participate in Steering Committee meetings, even as a non-voting member.

If a decision is taken in the presence of the auditor, it might in hindsight be unclear what the role of the auditor in a particular decision had been. Even if he or she had not expressed an opinion, once the results turn out to be different from what was expected, it could always be used against the internal auditor that he or she "could or should have known" or had at least been part of the decision by being present in the meeting at which the decision was taken. Therefore it is important to document in writing what the relationship of the auditor is toward the Steering Committee. If the
internal auditor does participate in the meeting by expressing a second opinion, it should be clear in the project charter that:

- The auditor acts completely independently and has no managerial responsibility whatsoever for the managerial decisions taken by the Project Board.
- There is no formal reporting line to the Project Board or the Project Board chairman. In line with the Audit Charter and the IIA Attribute Standards (2013), the internal auditor should report independently to the senior business management.
- Following good audit practices as described in the IIA Performance Standards (in particular IIA 2300, Performing the Engagement), the auditor should document advice and opinions given and maintain an audit trail based on retention requirements.
CONCLUSION

In this article I have described the different types of roles that can be fulfilled by the auditor, taking into consideration the shift from the traditional assurance role toward more proactive roles in projects. In order to gain more insight into the potential roles that the auditor can play in projects, I have divided these roles into three groups:

1. assurance roles,
2. consulting roles, and
3. participative roles.

Subsequently, I have categorized the different types of roles following a paper of the IIA:

1. The core roles: traditional assurance roles such as project reviews.
2. Legitimate roles with safeguards: consulting and participative project roles that can be performed by the internal auditor if certain preconditions are met.
3. Roles that should not be undertaken by internal audit, such as the management of project-related risks.

The most important precondition, both for roles with safeguards and for the roles that should not be undertaken, is that the auditor must refrain from any managerial accountability in all project areas, from initially setting the project risk appetite to the final embedding of deliverables in the standing organization. In order to guarantee unambiguous mutual understanding of the role of the auditor in projects, it is of crucial importance to define, formalize, and communicate the agreed roles and responsibilities at all organizational levels.

To conclude, I have argued in this article, supported by the insights of psychological and organizational theory (group decision-making processes), that the internal auditor should be extremely reluctant to participate in Steering Committee meetings, even as a non-voting member.

The aim of this article and my research is to provide practical relevance to the internal audit profession and industry. The results have been confirmed and enriched by interviews with the Chief Audit Executives/Managers of large multinational organizations. The shared view is that the real added value of internal audit is its
involvement in the project from an early stage and its ability to act in a proactive way. This is not perceived to be in conflict with the independent position and objectivity of the auditor. On the contrary, one of the executives stated that "one should see the opportunities for the internal audit discipline rather than focusing on the threats."
Notes

1. In 2004 the Institute of Internal Auditors (IIA) published a position paper that elaborated on the roles of the internal audit function in Enterprise-wide Risk Management.
2. The Office of Government Commerce (OGC), an independent office of the U.K. government, provides standards and guidance on best practices with respect to project management, such as PRINCE2, that have been globally adopted across industries.
3. In the IIA position paper of 2004 safeguards with respect to ERM have been described that I have adapted for project management.
4. The IIA, IPPF, Attribute Standard 1000.A1/C1.
5. COBIT 5, Chapter 5, Process reference guide contents, BAI01.01-14.
APPENDIX 1: THE ROLES OF THE AUDITOR DURING DIFFERENT PHASES OF THE PROJECT

Table A1 Relation between Generic Project Phases, OGC PRINCE2 Processes, and Components

Generic project phase | PRINCE2 process | PRINCE2 component
Project preparation/start | Project initiation | Plans, Management of Risk, Organization, Business Case
Project preparation/start | Project start-up | Plans, Quality, Management of Risk, Business Case, Controls
Project execution | Controlling a stage | Controls, Change Control, Configuration Management
Project execution | Managing project delivery | Change Control, Plans, Controls
Project execution | Managing stage boundaries | Plans, Business Case, Management of Risk, Controls, Organization
Project close | Closing a project | Controls, Configuration Management, Business Case
REFERENCES

Beach, L.R., & Connolly, T. (2005). The psychology of decision making: People in organizations, 2nd edition. Foundation for Organizational Sciences, A Sage Publications Series. Thousand Oaks, CA: Sage.

Huibers, S.C.J. (2008). The role(s) of the internal auditor in projects. Thesis, Amsterdam Business School, Executive Master of Internal Auditing, University of Amsterdam, The Netherlands.

Huibers, S.C.J. (2009). Rol van de internal auditor in veranderingsprojecten [The role of the internal auditor in change projects]. Finance en Control, issue 5, October 2009. Alphen aan den Rijn, the Netherlands: Kluwer.

Huibers, S.C.J. (2010). Proactiviteit en onafhankelijkheid van de auditor in projecten: contradictio in terminis? [Proactivity and independence of the auditor in projects: a contradiction in terms?]. Audit Magazine, March 2010, Institute for Internal Auditors in the Netherlands. Beekbergen, the Netherlands: VM Uitgevers.

Huibers, S.C.J. (2012). Rol(len) van de (IT-)auditor in projecten [Role(s) of the (IT) auditor in projects]. Handboek EDP Auditing, 5313 Informatiesystemen, issue 43, June 2012. Alphen aan den Rijn, the Netherlands: Kluwer.

Janis, I.L. (1972). Victims of groupthink. Boston: Houghton Mifflin.

Mautz, R.K., & Sharaf, H.A. (1985). The philosophy of auditing, 12th edition. Sarasota, FL: American Accounting Association.

The Institute of Internal Auditors. (2004, 2009). Position paper: The role of internal audit in enterprise-wide risk management. The IIA-UK and the IIA Inc. Retrieved from www.theiia.org
Table A2 Examples Role(s) of the Auditor in Different Phases of the Project
Genericprojectphases
PRINCE2process Component PRINCE2
Examples of the role of anauditor
Examples (with reference tothe safeguards)
Projectpreparation/start
Project initiation Plans, Management of Risk,Organization,Business Case
-QA assurance to program/project management
Review if project objectives areconsistent with the overall valuesand goals of the organization.
Project start up Plans, Quality, Risk Management,Business Case, Controls
-QA advise to projectmanagement
Advise in the setup andorganization of the projectmanagement and qualityassurance processes.
Projectexecution
Controlling astage
Controls, Change Control,Configuration Management
-QA independentassurance
Milestone review ofprogress and quality ofdeliverables.
Managingprojectdelivery
Change Control, Plans,Controls
-Advisor on content- Sounding board- Proactive expert role- Project/process
coordinator- Documentation controls
Advise in setup of the securitydesign of a process.
Facilitate in the definition anddocumentation of process controls.
Provide support in the coordination ofdefining controls.
Managing stageboundaries
Plans, Business Case,Management of Risk,Controls, Organization
- QAproactivesupport
Provide support inidentifying and loggingproject risks.
Project close Closing a project Controls, ConfigurationManagement,Business Case
- QA assurance to program/project management
Project evaluation to generatelessons learned for future projects.
E D P A C S 2013
12 ª Copyright 2013 Sam C.J. Huibers
Dow
nloa
ded
by [
Sam
Hui
bers
] at
13:
13 0
7 Ju
ne 2
013
The Institute of Internal Auditors. (2010). Project Auditing,Handvatten voor de internal auditor, Institute for InternalAuditors in the Nederlands, Naarden, 2010. Retrieved fromhttp://www.iia.nl/Sitefiles/project-auditing.pdf
The Institute of Internal Auditors. (2013). The professional prac-tices framework. Altamonte Springs, Florida: The IIA ResearchFoundation.
Websites Used

www.prince2.org.uk
http://www.cabinetoffice.gov.uk
Archived OGC information: http://webarchive.nationalarchives.gov.uk/20110822131357/http://www.ogc.gov.uk/index.asp
PMBOK: http://www.pmi.org/PMBOK-Guide-and-Standards.aspx
www.theiia.org
www.isaca.org
COBIT 5: http://www.isaca.org/COBIT/Pages/default.aspx
FURTHER READINGS
International Project Management Association. (2006). ICB-IPMA Competence Baseline, Version 3.0. International Project Management Association.
Kubr, M. (1996). Management consulting: A guide to the profession (3rd rev. ed.). Geneva, Switzerland: International Labour Office.
Sawyer, L.B., Dittenhofer, M.A., Scheiner, J.H., Graham, A., & Makosz, P. (1995). Internal auditing: The practice of modern internal auditing (5th ed.). Altamonte Springs, FL: The Institute of Internal Auditors.
The Institute of Internal Auditors. (2013, January). Position paper: The three lines of defense in effective risk management and control. Altamonte Springs, FL: The Institute of Internal Auditors.

Websites

www.gov.uk/government/organisations/cabinet-office
www.ipma.ch
www.pmi.org
www.theiia.org
www.icmci.org
www.iia.nl
For an extensive list of all references, please refer to the full version of the thesis: Huibers, S.C.J. (Drs., EMIA RO, CRMA), The role(s) of the internal auditor in projects, Amsterdam Business School, Executive Master of Internal Auditing, University of Amsterdam, 2008. Published by Kluwer (http://financebase.kluwerfinancieelmanagement.nl/) and available for download at the site of the IIA Netherlands (http://www.iia.nl/educatie/universiteiten/scripties). The thesis and various related articles based on ongoing research are published by the IIA Netherlands and the professional bodies for registered IT auditors and certified accountants in the Netherlands (NBA and NOREA).
Drs. Sam C.J. Huibers, EMIA RO, CRMA, has vast experience in various international managerial business, audit, and advisory functions. He has led large international projects in the areas of finance, governance, internal control, and audit. He is currently employed by Heineken International and has a managerial position in the Global Audit Function. He holds an Executive Master of Internal Auditing degree and is a certified member of the IIA. He also holds a certification in Risk Management Assurance. He is a member of the Dutch IIA Professional Practice Committee and the Dutch Sounding Board on Risk Management. He is the owner of the LinkedIn group Project Auditing; join his discussion group to exchange views on this subject. He can be reached at his private email: