This article was downloaded by: [Sam Huibers]
On: 07 June 2013, At: 13:13
Publisher: Taylor & Francis
Informa Ltd Registered in England and Wales Registered Number: 1072954 Registered office: Mortimer House, 37-41 Mortimer Street, London W1T 3JH, UK

EDPACS: The EDP Audit, Control, and Security Newsletter
Publication details, including instructions for authors and subscription information: http://www.tandfonline.com/loi/uedp20

The Role(s) of the Auditor in Projects: Proactive Project Auditing
Sam C.J. Huibers
Published online: 16 May 2013.

To cite this article: Sam C.J. Huibers (2013): The Role(s) of the Auditor in Projects: Proactive Project Auditing, EDPACS: The EDP Audit, Control, and Security Newsletter, 47:5, 1-14

To link to this article: http://dx.doi.org/10.1080/07366981.2013.786940

Full terms and conditions of use: http://www.tandfonline.com/page/terms-and-conditions

This article may be used for research, teaching, and private study purposes. Any substantial or systematic reproduction, redistribution, reselling, loan, sub-licensing, systematic supply, or distribution in any form to anyone is expressly forbidden.

The publisher does not give any warranty express or implied or make any representation that the contents will be complete or accurate or up to date. The accuracy of any instructions, formulae, and drug doses should be independently verified with primary sources. The publisher shall not be liable for any loss, actions, claims, proceedings, demand, or costs or damages whatsoever or howsoever caused arising directly or indirectly in connection with or arising out of the use of this material.

EDPACS
THE EDP AUDIT, CONTROL, AND SECURITY NEWSLETTER
2013 VOL. 47, NO. 5

THE ROLE(S) OF THE AUDITOR IN PROJECTS: PROACTIVE PROJECT AUDITING
SAM C.J. HUIBERS

Abstract. In the era of dynamically changing environments, globalization, and increasing legislation, companies need to revisit their strategy on a continuous basis. Consequently, this requires the redesign of the organization, processes, and systems, all of which are often executed through (large) projects. With increasing demands from management on the internal audit profession, the question is raised of how the auditor’s role can be redefined as it shifts from the more traditional assurance role to being involved as a proactive partner in projects, without losing its independent position. Potentially the advisory and participative roles might conflict with the assurance role of the auditor. However, if for this reason the auditor’s role is restricted to the compliance aspect only, the added value of the auditor may be substantially reduced. This article is based on research aiming to provide practical relevance to the audit profession and industry. It describes the different types of roles that can be fulfilled by the auditor, taking into consideration the shift from the traditional assurance role toward more proactive roles in projects: advisory and participative roles, without jeopardizing the auditor’s position.

ROLE(S) OF THE AUDITOR IN PROJECTS

In order to gain more insight into the potential roles that the auditor can play in projects I have divided these roles into three groups:

1. assurance roles,
2. consulting roles, and
3. participative roles.

Next, I have used a position paper from the Institute of Internal Auditors (2004, 2009)[1] to categorize the different types of roles that the auditor can play in projects (see Figure 1):

• The core roles of internal audit: traditional assurance roles such as project reviews.

• Legitimate roles with safeguards: consulting and participative project roles that can be performed by the internal auditor if certain preconditions are met.

• Roles that should not be undertaken by internal audit such as the management of project-related risks.

IN THIS ISSUE
• The Role(s) of the Auditor in Projects: Proactive Project Auditing
• Leveraging IT to Perform an Efficient and Effective Construction Audit
• How Loud Can That Whistle Blow?

Editor: DAN SWANSON
Editor Emeritus: BELDEN MENKUS, CISA

CELEBRATING OVER 3 DECADES OF PUBLICATION!


An important remark to be made is that the roles I further describe in the next paragraph are generic and can be applied to the audit profession in general. In this article I have added additional examples that can be applicable to the daily practice of IT auditors who are involved in project audits.

Assurance, Consulting, and Participative Roles in Projects

I have summarized the roles that can be fulfilled by the auditor described in Figure 1 and Table 1. Note that this is not a restricted list but I have categorized the roles in groups in order to gain more insight into the potential roles that the auditor can play in projects: assurance, consulting and participative roles.

Figure 1 Summary of core roles, legitimate roles with safeguards and roles that the auditor should not undertake in projects (Huibers, 2008, 2009, 2010, 2011).

If you have information of interest to EDPACS, contact Dan Swanson ([email protected]). EDPACS (Print ISSN 0736-6981/Online ISSN 1936-1009) is published monthly by Taylor & Francis Group, LLC., 325 Chestnut Street, Suite 800, Philadelphia, PA 19106. Periodicals postage is paid at Philadelphia, PA and additional mailing offices. Subscription rates: US$370/£224/€297. Printed in USA. Copyright 2013. EDPACS is a registered trademark owned by Taylor & Francis Group, LLC. All rights reserved. No part of this newsletter may be reproduced in any form — by microfilm, xerography, or otherwise — or incorporated into any information retrieval system without the written permission of the copyright owner. Requests to publish material or to incorporate material into computerized databases or any other electronic form, or for other than individual or internal distribution, should be addressed to Editorial Services, 325 Chestnut Street, Suite 800, Philadelphia, PA 19106. All rights, including translation into other languages, reserved by the publisher in the U.S., Great Britain, Mexico, and all countries participating in the International Copyright Convention and the Pan American Copyright Convention. Authorization to photocopy items for internal or personal use, or the personal or internal use of specific clients may be granted by Taylor & Francis, provided that $20.00 per article photocopied is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923 USA. The fee code for users of the Transactional Reporting Service is ISSN 0736-6981/06/$20.00+$0.00. The fee is subject to change without notice. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged. Product or corporate names may be trademarks or registered trademarks, and are only used for identification and explanation, without intent to infringe.
POSTMASTER: Send address change to EDPACS, Taylor & Francis Group, LLC., 325 Chestnut Street, Suite 800, Philadelphia, PA 19106.

‘‘. . . THE REAL ADDED VALUE OF INTERNAL AUDIT IS ITS INVOLVEMENT IN THE PROJECT FROM AN EARLY STAGE AND ITS ABILITY TO ACT IN A PROACTIVE WAY.’’

EDPACS 2013, p. 2. © Copyright 2013 Sam C.J. Huibers

Table 1 The Roles of the Auditor in Projects (Huibers, 2008, 2009, 2010), Example Role (IT) Auditor in Projects (2012)

Columns: Type of role | Project roles | Description | Examples specific to the IT auditor

Assurance roles

- Quality Assurance (QA)—Program/project reviews
  Description: 4 levels: initial project; milestone project reviews; business readiness or pre-implementation reviews; post-implementation reviews.
  IT auditor example: Give an opinion on the project design; the governance, management, the project process and milestones, including the risks associated with the design and implementation of an application.

- Quality Assurance—deliverables
  Description: Review focusing on the quality of the products (deliverables).
  IT auditor example: Review the authorization strategy and roles or assess the system design documents.

- Post-implementation audit
  Description: Provide an opinion about the quality of the internal control system embedded in the operational processes.
  IT auditor example: Review the effectiveness of the authorizations half a year after go-live.

Consultative roles

- Quality Assurance—advisor to program/project management
  Description: Advise the project management on project management and risk assessment methodology.
  IT auditor example: Advise how to structure the project and include milestones such as approval of the business blueprint, translation into a technical design, development, testing and training.

- Advisor (content)
  Description: Act in an advisory capacity in a narrow sense, answering questions and expressing particular views but no direct involvement in realization.
  IT auditor example: Advise on the design of a control framework to come to a good balance in application controls and procedures.

- Sounding board—objective observer
  Description: Raise questions to reflect.
  IT auditor example: Sounding board role and raise questions to reflect how change management aspects will be addressed. For instance, ask how relevant users will be involved early on in the project.

- Coach/trainer
  Description: Advise in designing learning experiences or act as coach.
  IT auditor example: Facilitate a project risk workshop or advise in the setup of a training program.

Participative roles

- Proactive expert role
  Description: Own specific knowledge in the area of internal control systems and IT security and proactively participate in a project to define alternatives, provide recommendations and solutions.
  IT auditor example: Suggest alternative solutions to improve the system security and provide recommendations on how to implement these.

- Project/process coordinator
  Description: Coordinate project activities.
  IT auditor example: Coordinate the setup of so-called business control frameworks and provide templates in a business process redesign project.

- Documentation controls
  Description: Support in documentation of controls.
  IT auditor example: Support in documentation of system and end user controls.

- Proactive QA partner—facilitator role
  Description: QA partner that not only identifies risks but also translates them into real business issues and makes recommendations.
  IT auditor example: Identification of risks associated with the introduction of a new system and provide recommendations to improve the user acceptance.

In the next paragraphs I would like to highlight some points that can be of relevance when considering the auditor’s role in a project: programs versus projects, the internal versus the external auditor, and the role of the auditor during different phases of the project.

Programs

An individual project can be part of a larger program. The program is the ‘‘umbrella’’ under which individual projects have been grouped in order to contribute to an identical objective. The OGC[2] points out that the quality assurance and overall compliance of the program—focusing inwardly on the internal consistency of the program structure, and outwardly on its coherence with infrastructure, interfaces with other projects and corporate standards—is the primary responsibility of the program manager. The program manager will define the governance structure and make sure that appropriate assurance roles are appointed. It is the responsibility of the project manager to coordinate with the staff assigned to the assurance roles to ensure the overall integrity and coherent structure of the project.

Since quality assurance is relevant at both levels and the way projects are grouped and structured depends on the organization and situation, the roles I describe in this article are applicable to both programs and projects.

Role of internal and external auditors in projects

Various variables can be important when deciding if one or more external parties will be involved in a project, such as experience, knowledge, independent position, and available resources.

However, the starting point is that an external auditor can fulfill the same role in projects as the internal auditor. The external auditor can be the public accountant of the organization or a different third-party accounting and advisory firm.

When different roles are assigned to various parties it is important to avoid overlapping roles and inefficiencies. The following considerations, among others, might be taken into account:

• Knowledge of the business: the internal auditor is assumed to know the organization better than the external auditor does.

• Share best practices: on the other hand, the external auditor can share best practices and experiences gained at projects with other customers.

• Knowledge of the system/process: the external auditor can give an opinion on the design of a system/process using experiences gained at other clients as a reference.

• Sponsor: the project manager can ask the internal auditor to facilitate a risk analysis. The (supervisory) Board could ask the external auditor to advise and provide recommendations.

The aforementioned examples can influence the decision when assigning roles in a project. Please note that in some cases the combination of the involvement of the internal and external auditor may also very well result in synergies.


The role of the auditor during the different phases of a project

The role of the auditor might differ per phase of the project. In the project literature, project phases are described with several levels of detail that can vary depending on the nature of the project. However, on a highly generic level, three phases can be distinguished as a common denominator to all projects:

• project preparation/start,
• project execution, and
• project close.

In Appendix 1, I have provided examples of how the role can differ per phase of the project. I have used the PRINCE2 project methodology as a reference. PRINCE (an abbreviation of Projects in Controlled Environments) was developed by the OGC in 1989 as the standard approach to IT projects. Over time the method has been enriched to become a generic, best-practice project management framework covering a wide variety of disciplines and activities for all kinds of projects outside the IT and public sectors. Today PRINCE2 has been widely adopted by both public and private organizations as the de facto standard for project management and has a demonstrable track record.

Safeguards (Preconditions) for Consulting and Participative Roles

The assurance role is the traditional role of the auditor (core role). The consulting and participative roles are typically roles that can be fulfilled by the auditor, but only when certain safeguards (i.e., preconditions) are put in place. The safeguards are preconditions necessary if the auditor is to extend his role beyond the traditional assurance role:[3]

• It should be clear that management remains responsible for project risks and for determining the risk appetite.

• The nature of internal audit’s responsibilities should be documented in the audit charter and approved by the Audit Committee.[4]

• The auditor should not manage any of the project risks or mitigate them on behalf of management.

• The auditor should provide advice and support to management’s decision making, as opposed to taking management decisions themselves or implementing solutions on behalf of management.

• The auditor should avoid any impairment of independence and objectivity, in fact or appearance. The auditor should not audit activities in which he or she has been involved in the previous year. Segregation of duties should be applied and/or tasks be transferred to other governance departments or outsourced.

• Any work beyond assurance activities should be recognized as a consulting engagement, and the implementation standards related to such engagements should be followed.

The most important precondition, both for roles with safeguards and the roles that should not be undertaken, is that the auditor must refrain from any managerial accountability in all project areas, from initially setting the project risk appetite to the final embedding of deliverables in the standing organization.

‘‘THE AUDITOR MUST REFRAIN FROM ANY MANAGERIAL ACCOUNTABILITY IN ALL PROJECT AREAS, FROM INITIALLY SETTING THE PROJECT RISK APPETITE TO THE FINAL EMBEDDING OF DELIVERABLES IN THE STANDING ORGANIZATION’’

A final remark I would like to make here is that the exact boundaries of the extent to which the auditor can fulfill a consulting and participative role without risking any infringement of independence cannot always be carved in stone. Since the context, objectives, and tasks to be performed might differ from project to project, there will always be an individual judgment to be made. As pointed out by Mautz and Sharaf in their book The Philosophy of Auditing, first published in 1961, the responsibility of making a judgment in order to maintain independence in different situations must rest in the first place with the individual audit practitioner, and he must constantly be aware of his professional responsibility in all kinds of situations.

Role(s) Not to be Undertaken by the Auditor

It is the primary responsibility of the project manager to manage project risks. The auditor can assist in making risks transparent, but it is up to the business management to determine the risk appetite and define and implement mitigation actions. In addition, the embedding of project deliverables into the standing organization is a line management responsibility. If the auditor takes on these roles, he or she has crossed the line and therefore cannot provide sufficient safeguards to ensure independence and objectivity (see Table 2).

GUIDANCE AND CONDITIONS PROVIDED IN A FRAMEWORK

I have compiled a framework that describes the guidance and conditions that enable the internal auditor to fulfill potentially conflicting roles in projects. Each quadrant represents a different perspective: (I) guidance from the Institute of Internal Auditors (IIA), (II) the structure of the internal audit department, (III) interchangeable roles with other governance departments, and (IV) project governance and de facto project management frameworks. Every quadrant entails two levels, which are described in detail:

1. the organizational level, describing guidance that is applicable in a broad company-wide context, and

2. guidance at the individual program/project level.

Table 2 Roles Not to be Undertaken by the Auditor

Description of roles not to be undertaken by the internal auditor

• Setting the project risk appetite.
• Imposing the project management process.
• Managing risks identified in quality assurance.
• Taking managerial decisions regarding the proposed solutions.
• Implementing solutions on behalf of the management.
• Being accountable for project deliverables.
• Being accountable for project budget and/or progress against milestones.
• Being accountable for embedding project deliverables in the organization.


Below I will describe the key elements of each quadrant. For a full description of all quadrants I refer to the original thesis (Huibers, 2008).

Quadrant I—Guidance of the IIA

The first quadrant provides guidance from the Institute of Internal Auditors (IIA). At the organizational level the purpose, authority, and nature of activities should be clearly defined in the audit charter and approved by the board. At the program/project level every single assignment beyond the scope of assurance activities should follow the IIA standards, starting with a clear understanding about objectives, scope, and activities being established with the client, in line with the nature of the activities in the Audit Charter.

Quadrant II—Audit Department

Within the audit department a segregation of duties can avoid jeopardizing independence by fulfilling conflicting roles. This can be realized on several levels depending on the size of the department and the number of activities of internal audit: a division of the audit department into consulting/facilitating and assurance-related activities, dividing tasks between existing internal audit sub-departments based on specialization (IT audit, financial audit), or by applying a segregation of duties at the project level. In the latter case the auditor should not audit activities in which he has been involved in the previous year.

Figure 2 Summary framework of guidance and conditions for the role of the internal auditor in projects (Huibers, 2008, 2010). The objective of this framework is to provide practical guidance on how the internal auditor can undertake potentially conflicting roles in projects without jeopardizing the auditor’s independent position and objectivity.

Quadrant III—Other Governance Departments

In quadrant III the increasing prominence of risk management and control awareness in organizations gives new possibilities. The emergence of different governance departments such as Risk Management, Compliance, and Internal Control creates a safeguard to avoid potentially conflicting roles by dividing different roles between these separate departments. Assigning different roles across the so-called lines of defense is a way to ensure the internal auditor’s independence at both the organizational (organization-wide) and program/project level. The ‘‘lines of defense model’’ within an organization can be a starting point for dividing roles:

1. First line of defense—management: business and project management have the primary responsibility to monitor and control the operations.

2. Second line of defense—supporting functions: the management is supported by the staff departments in their monitoring responsibility, for example Internal Control, Risk Management, Compliance, and Quality Assurance.

3. Third line of defense—Internal Audit: provides additional assurance on top of the activities of the first and second lines of defense. Different types of audit might be applicable and can operate in an integrated way: for example, operational, IT, and financial audit.

4. Fourth line of defense—external audit: additional assurance to external parties (SAS 70, ISO audits for example).

In case potentially conflicting roles might arise, the activities can be split among departments:

1. general roles can be defined at organization level following the three lines of defense model,

2. (conflicting) roles can be divided between different governance/staff departments, and

3. (conflicting) roles might be divided between departments within the audit function (see previous paragraph).

The first step in effective cooperation is to define and agree with the executive management the roles and responsibilities in the organizational governance structure. Accordingly, at program/project level the different roles can be assigned to individuals of different governance departments to avoid potential conflicts in project roles. To give an illustrative example, Internal Control is involved in the design of controls in a process, whereas Internal Audit reviews the completeness of the control design.

An important remark to be made is that some factors might influence the extent to which activities will be divided between governance departments; for example, the business environment in which an organization is operating and the maturity of the organizational governance system.

Quadrant IV—Project Governance

The Office of Government Commerce (OGC) provides standards and guidance on best practices with respect to project management that have been globally adopted across industries (i.e., PRINCE2). The OGC de facto standard role description does not explicitly mention the role of internal audit, but their guidance regarding quality assurance and advisory roles is mutually supportive of the IIA view.

The internal audit function can support the implementation of standard project and audit methodology. Often organizations adapt a commonly used framework/methodology and tailor this to the needs of the organization. For instance, with respect to IT-driven projects, COBIT (Control Objectives for Information and Related Technology) is a framework created by ISACA and includes a section on program and project management.[5] By supporting the definition and embedding of a standard project methodology a safeguard is created, and this enables the project management to manage projects in a controlled way. The quality criteria for project gateways and deliverables can be made explicit and transparent and can serve as a reference model for project reviews.

At the organizational level the purpose of quality assurance is to provide assurance that the project has adequate plans and measures, in line with the established project methodology, to ensure that the project processes are suitably controlled and are likely to result in products that meet explicit quality criteria. Audit can support the design of the quality assurance and standard audit project methodology in the organization, including clearly defined roles and responsibilities of line management, internal audit, and other governance functions. At project level audit can consult and facilitate the embedding of quality assurance in the project by assisting the project management with implementing the quality assurance system in an effective way. In this case advising means making the audit reference framework explicit in advance in order to ensure that an adequate review is undertaken.

Steering committee

Finally, I have argued, supported by the insights of psychological and organizational theory (group decision-making processes) (Beach & Connolly, 2005; Janis, 1972), that the internal auditor should be extremely reluctant to participate in Steering Committee meetings, even as a non-voting member.

If a decision is taken in the presence of the auditor, it might in hindsight be unclear what the role of the auditor in a particular decision had been. Even if he or she had not expressed an opinion, once the results turn out to be different from what was expected, it could always be used against the internal auditor that he or she ‘‘could or should have known’’ or had at least been part of the decision by being present in the meeting at which the decision was taken. Therefore it is important to document in writing what the relationship of the auditor is toward the Steering Committee. If the internal auditor does participate in the meeting by expressing a second opinion it should be clear in the project charter that:

• The auditor acts completely independently and has no managerial responsibility whatsoever for the managerial decisions taken by the Project Board.

• There is no formal reporting line to the Project Board and Project Board chairman. In line with the Audit Charter and IIA Attribute Standards (2013) the internal auditor should report independently to the senior business management.

• Following good audit practices as described in the IIA Performance Standards (in particular IIA 2300–Performing the Engagement), the auditor should document advice and opinions given and maintain an audit trail based on retention requirements.

CONCLUSION

In this article I have described the different types of roles that can be fulfilled by the auditor, taking into consideration the shift from the traditional assurance role toward more proactive roles in projects. In order to gain more insight into the potential roles that the auditor can play in projects, I have divided these roles into three groups:

1. assurance roles,
2. consulting roles, and
3. participative roles.

Subsequently, I have categorized the different types of roles following a paper of the IIA:

1. The core roles: traditional assurance roles such as project reviews.

2. Legitimate roles with safeguards: consulting and participative project roles that can be performed by the internal auditor if certain preconditions are met.

3. Roles that should not be undertaken by internal audit, such as the management of project-related risks.

The most important precondition, both for roles with safeguards and the roles that should not be undertaken, is that the auditor must refrain from any managerial accountability in all project areas, from initially setting the project risk appetite to the final embedding of deliverables in the standing organization. In order to guarantee unambiguous mutual understanding of the role of the auditor in projects it is of crucial importance to define, formalize, and communicate the agreed roles and responsibilities at all organizational levels.

To conclude, I have argued in this article, supported by the insights of psychological and organizational theory (group decision-making processes), that the internal auditor should be extremely reluctant to participate in Steering Committee meetings, even as a non-voting member.

The aim of this article and my research is to provide practical relevance to the internal audit profession and industry. The results have been confirmed and enriched by interviews with the Chief Audit Executives/Managers of large multinational organizations. The shared view is that the real added value of internal audit is its involvement in the project from an early stage and its ability to act in a proactive way. This is not perceived to be in conflict with the independent position and objectivity of the auditor. On the contrary, one of the executives stated that: ‘‘one should see the opportunities for the internal audit discipline rather than focusing on the threats.’’

‘‘ONE SHOULD SEE THE OPPORTUNITIES FOR THE INTERNAL AUDIT DISCIPLINE RATHER THAN FOCUSING ON THE THREATS.’’

Notes

1. In 2004 the Institute of Internal Auditors (IIA) published a position paper that elaborated on the roles of the internal audit function in Enterprise-wide Risk Management.

2. The Office of Government Commerce (OGC), an independent office of the U.K. government, provides standards and guidance on best practices with respect to project management, such as PRINCE2, that have been globally adopted across industries.

3. In the IIA position paper of 2004 safeguards with respect to ERM have been described that I have adapted for project management.

4. The IIA, IPPF, Attribute Standard 1000.A1/C1.

5. COBIT 5, Chapter 5, Process reference guide contents, BAI01.01–14.

APPENDIX 1: THE ROLES OF THE AUDITOR DURING DIFFERENT PHASES OF THE PROJECT

Table A1 Relation of Generic Project Phases to OGC PRINCE2 Processes and Components

| Generic project phases    | PRINCE2 Process           | PRINCE2 Component                                                   |
|---------------------------|---------------------------|---------------------------------------------------------------------|
| Project preparation/start | Project initiation        | Plans, Management of Risk, Organization, Business Case              |
| Project preparation/start | Project start-up          | Plans, Quality, Management of Risk, Business Case, Controls         |
| Project execution         | Controlling a stage       | Controls, Change Control, Configuration Management                  |
| Project execution         | Managing project delivery | Change Control, Plans, Controls                                     |
| Project execution         | Managing stage boundaries | Plans, Business Case, Management of Risk, Controls, Organization    |
| Project close             | Closing a project         | Controls, Configuration Management, Business Case                   |


REFERENCES

Beach, L.R., & Connolly, T. (2005). The psychology of decision making: People in organizations, 2nd edition. Thousand Oaks, CA: Foundation for Organizational Sciences, A Sage Publications Series.

Huibers, S.C.J. (2008). The role(s) of the internal auditor in projects, thesis, Amsterdam Business School, Executive Master of Internal Auditing, University of Amsterdam, The Netherlands.

Huibers, S.C.J. (2009). Rol van de internal auditor in veranderingsprojecten, Finance en Control, issue 5, October 2009, Alphen aan den Rijn, the Netherlands: Kluwer.

Huibers, S.C.J. (2010). Proactiviteit en onafhankelijkheid van de auditor in projecten: contradictio in terminis? Audit Magazine, March 2010, Institute for Internal Auditors in the Netherlands, Beekbergen, the Netherlands: VM Uitgevers.

Huibers, S.C.J. (2012). Rol(len) van de (IT-)auditor in projecten, Handboek EDP Auditing, 5313 – Informatiesystemen, issue 43, June 2012, Alphen aan den Rijn, the Netherlands: Kluwer.

Janis, I.L. (1972). Victims of groupthink. Boston: Houghton Mifflin.

Mautz, R.K., & Sharaf, H.A. (1985). The philosophy of auditing, 12th edition. Sarasota, FL: American Accounting Association.

The Institute of Internal Auditors. (2004, 2009). Position paper: The role of internal audit in enterprise-wide risk management. The IIA-UK and the IIA Inc. Retrieved from www.theiia.org

Table A2 Examples of the Role(s) of the Auditor in Different Phases of the Project

| Generic project phases    | PRINCE2 process           | PRINCE2 Component                                                | Examples of the role of an auditor                                                                                          | Examples (with reference to the safeguards)                                                                                                                                                        |
|---------------------------|---------------------------|------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Project preparation/start | Project initiation        | Plans, Management of Risk, Organization, Business Case           | QA assurance to program/project management                                                                                  | Review if project objectives are consistent with the overall values and goals of the organization.                                                                                                 |
| Project preparation/start | Project start-up          | Plans, Quality, Risk Management, Business Case, Controls         | QA advice to project management                                                                                             | Advise in the setup and organization of the project management and quality assurance processes.                                                                                                    |
| Project execution         | Controlling a stage       | Controls, Change Control, Configuration Management               | QA independent assurance                                                                                                    | Milestone review of progress and quality of deliverables.                                                                                                                                          |
| Project execution         | Managing project delivery | Change Control, Plans, Controls                                  | Advisor on content; sounding board; proactive expert role; project/process coordinator; documentation controls              | Advise in the setup of the security design of a process. Facilitate the definition and documentation of process controls. Provide support in the coordination of defining controls.                 |
| Project execution         | Managing stage boundaries | Plans, Business Case, Management of Risk, Controls, Organization | QA proactive support                                                                                                        | Provide support in identifying and logging project risks.                                                                                                                                          |
| Project close             | Closing a project         | Controls, Configuration Management, Business Case                | QA assurance to program/project management                                                                                  | Project evaluation to generate lessons learned for future projects.                                                                                                                                |


The Institute of Internal Auditors. (2010). Project Auditing, Handvatten voor de internal auditor, Institute for Internal Auditors in the Netherlands, Naarden, 2010. Retrieved from http://www.iia.nl/Sitefiles/project-auditing.pdf

The Institute of Internal Auditors. (2013). The professional practices framework. Altamonte Springs, Florida: The IIA Research Foundation.

Websites Used

www.prince2.org.uk
http://www.cabinetoffice.gov.uk
Archived OGC information: http://webarchive.nationalarchives.gov.uk/20110822131357/http://www.ogc.gov.uk/index.asp
PMBOK: http://www.pmi.org/PMBOK-Guide-and-Standards.aspx
www.theiia.org
www.isaca.org
COBIT 5: http://www.isaca.org/COBIT/Pages/default.aspx

FURTHER READINGS

International Project Management Association (2006). ICB-IPMA Competence Baseline Version 3.0, International Project Management Association.

Kubr, M. (1996). Management consulting, A guide to the profession, 3rd (revised) edition. Geneva, Switzerland: International Labour Office.

Sawyer, L.B., Dittenhofer, M.A., Scheiner, J.H., Graham, A., & Makosz, P. (1995). Internal auditing, the practice of modern internal auditing, 5th edition. Altamonte Springs, FL: The Institute of Internal Auditors.

The Institute of Internal Auditors. (2013, January). Position paper: The three lines of defense in effective risk management and control. Altamonte Springs, FL: The Institute of Internal Auditors.

Websites

www.gov.uk/government/organisations/cabinet-office
www.ipma.ch
www.pmi.org
www.theiia.org
www.icmci.org
www.iia.nl

For an extensive list of all references, please refer to the full version of the thesis: Huibers, Drs. EMIA RO, S.C.J., CRMA, The role(s) of the internal auditor in projects, Amsterdam Business School, Executive Master of Internal Auditing, University of Amsterdam, 2008. Published by Kluwer, http://financebase.kluwerfinancieelmanagement.nl/, and available for download at the site of the IIA Netherlands, http://www.iia.nl/educatie/universiteiten/scripties. The thesis and various related articles based on ongoing research are published by the IIA Netherlands and the professional bodies for registered IT auditors and certified accountants in the Netherlands (NBA and NOREA).


Drs. Sam C.J. Huibers, EMIA RO, CRMA, has vast experience in various international managerial business, audit, and advisory functions. He has led large international projects in the areas of finance, governance, internal control, and audit. He is currently employed by Heineken International and has a managerial position in the Global Audit Function. He holds an Executive Master of Internal Auditing degree and is a certified member of the IIA. He also holds a certification in Risk Management Assurance. He is a member of the Dutch IIA Professional Practice Committee and the Dutch Sounding Board on Risk Management. He is the owner of the LinkedIn Group: Project Auditing; join his discussion group to exchange views on this subject. He can be reached at his private email: [email protected]
