18 November, 2019

Project Management Review: A Guide to Project Audit and Assurance

Everyone wants to get their project right. Yet when it comes time for a project audit, we turn our noses up. Yet a project management review is an excellent way to demonstrate your capability and the control you have over your project. It gives assurance to your client, sponsor, and stakeholders. And, it’s a way to learn and give your project and your team a boost towards true excellence.

So, in this article, we’ll be looking at all aspects of project management review – and seeing the different ways people use related terms like project assurance and project audit.


Project Management Review: A Guide to Project Audit and Assurance

We’ll split our article into 6 sections…

  1. Project Audit, Project Assurance, Project Review
    Why we do it and the different forms of project management review.
  2. Who are the Players in Your Project Management Review?
    We’ll look at all three sides of the project assurance process: your Project Team, your Stakeholders, and the project review team.
  3. What to Review
    What are the things you can audit and assess in your project management review?
  4. Outcomes from a Project Management Review
    We’ll see the range of outcomes that will deliver aspects of project assurance, to help you determine what matters for your project review process.
  5. How to Run a Project Management Review Process
    The basics steps for how to conduct your project assurance.
  6. The Secrets of Success
    The two lists we’ll develop are:
    1. Vital criteria for audit credibility
    2. Pragmatic advice to make your project management review work effectively

Project Audit, Project Assurance, Project Review

Let’s start by understanding why we need to review our projects.

First and foremost, it’s an opportunity to find issues and challenge the mis-handling of the execution of a project. It is, therefore, a part of the oversight role of project governance.

Learn more about Project Governance in our feature article:
What has Project Governance Ever Done for Us? [Ans: A Lot]

A project audit will be able to determine the status of work performed by a project and compare it with central planning documents like the statement of work, schedule, and budget.

And finally, project reviews are an opportunity for valuable positive feedback. They also allow the project team and sponsor a chance to see what is working well, and further embed good practices as well as challenge bad ones.

Positive feedback is highly motivating to project team members and can give performace a real boost. A nit-picking approach of focus solely on small, low-significance faults will do nothing to improve performance and much to damage morale.

Three Things We aren’t Talking about…

Number 1…

The first thing we are not talking about explicitly in this article is a Post-Implementation Review.

That said, whether you conduct your project review during or after a project, the process is pretty much the same, so this article will be useful as a basis for planning a post-project review too.

Number 2…

And secondly, we are not talking about the quality processes of Quality Control (QC) or Quality Assurance (QA).

Number 3…

Finally, we are not talking about Gateway or Stage Gate reviews.

Routine and Remedial Project Reviews

The first distinction to draw among the kinds of project review we are talking about is whether it is routine in nature, or remedial.

Routine Project Reviews

These are part of your project process, or part of the organization’s oversight process. Often they will be built into the scope of services that a Project Management Office (PMO) will provide to the organization

Remedial Project Reviews

The alternative trigger for a project review is when someone within the organization has a concern about a project. They would want the project review to:

  • assess the status of the project and so, either
    • put their mind at rest, or
    • confirm their suspicions
  • identify appropriate steps to remedy any problems

This situation can arise in a number of ways. For example:

  • Where no mechanism exists for routine reviews, if the Project Board, sponsor, or project team want independent assurance that they are running the project well, they can commission a project audit
  • The project is clearly failing to meet its milestones, deliver to specification, stay on budget, or suffering other problems.
  • The project Board or Sponsor may have concerns that the reports they receive do not accurately represent the status of the project
  • Likewise, other members of the senior management team may be concerned that the Project Board or sponsor may not be overseeing the project diligently

What Would Trigger a Project Audit Review?

Where you have routine project reviews, projects could either be selected at random, as part of a sampling procedure or receive a review as a matter of course at one or more pre-determined points.

But what might trigger a remedial review if no-one noticed a problem? It can make sense to develop a list of criteria that would trigger an audit. These could identify projects that need additional scrutiny as a result of:

  • Scale
  • Complexity
  • Risk
  • Value or cost, and the past “record of results” of the performing organization.
  • Slippage of key indicators (like spending or schedule)
  • Stakeholder complaints
  • Quality Assurance or Quality Control failures

Three Terms – Multiple meanings

This brings us on to the terms Project Audit, Project Review, and Project Assurance. There is no consensus out there that I can find on definitive uses of these terms nor consistent distinctions between them.

Form these different usages, I will define ours.

And then I’ll abandon the definitions and use them all interchangeably!

Standards Organizations

What matters is that you recognize the different elements that are encompassed by these terms, and also that you can be sensitive to how they are used in your organization. Note, by the way, that PMI has no coverage of these ideas in its Project Management Body of Knowledge 6th edition (the PMBOK Guide).

PRINCE2 talks about Assurance, but in far more general terms. Only the Association for Project Management addresses the topic head-on in its APM Body of Knowledge 7th Edition, the APMBoK.

Project Audit

For me, Project Audit focuses on the status of the project, looking at things like:

  • delivery performance
  • cost against budget
  • progress against schedule
  • clearance of risks and issues

As such, it is often a leading indicator of the extent to which a project can achieve its time, cost, quality, scope, and benefit objectives.

The other aspect of the word ‘audit’ that is important is that of independence. APM says:

A key principle is that the auditor is independent of the area being audited. Auditors are often deployed from a project, programme, or portfolio management office (PMO), from a wider organisational internal audit function or from a third party provider (typically, a consultancy or an accreditation body).

APM Body of Knowledge, 7th Edition, Association for Project Management, 2019.

Project Review

A Project Review typically has more of a focus on the project process, and the conduct of the project. Its emphasis is on learning and documenting lessons that can improve practices on the project and on future projects. You could therefore call it a Project Implementation Review.

At its most sophisticated, a project review can look at the maturity of the project management practices against an agreed Project management Maturity Model.

Also, from APM’s definition of project audit, we might reasonably infer that project reviews may be carried out by people close to – or even a part of – the project team.

Project Assurance

I take project assurance to be a wider term, encompassing all activities that give the sponsoring organization comfort about the conduct of a project. It would therefore take in both:

  • How the project manager and their team are carrying out the project, and
  • The status of the project in terms of measurable performance

Again, this is consistent with APM view:

Assurance is the process of providing confidence to stakeholders that projects, programmes and portfolios will achieve their objectives and realise their benefits.

Assurance focuses on ensuring that the governane, processes and controls that are planned are fit for purpose, and that they are implemented as planned.

APM Body of Knowledge, 7th Edition, Association for Project Management, 2019.

Who are the Players in Your Project Management Review?

There are three tiers of players in the Project Assurance Process.

Three Tiers of Players - Project Management Review

The Project

The players here are:

  • Project Board members (and the Project Board as a group)
  • Sponsor or Senior Responsible Officer (SRO)
  • Project Manager
  • Workstream or Team Leaders
  • Project Team Members

The Stakeholders

My goodness, there are a lot of potential stakeholders. Some of the commonly occurring important (to the project review process) stakeholders are:

  • Users, customers, clients
  • Suppliers, contractors, logistics
  • Organizational senior management and non-executives
  • Organizational governance and compliance, like Health & Safety, or equalities
  • Local community

The Reviewers

The project assurance team – whether internal or external to the project.

What to Review

Whilst a project management review could be all-encompassing, that can sometimes involve too great a resource commitment. It can be more efficient to focus your audit processes on one or more principal aspects of your project.

If the review is remedial, these would reflect the known concerns. If it is routine, you would only widen the review if findings indicated a need. Aspects include:

  • Cost, or budget
  • Time, or Schedule
  • Resources
  • Personnel, or Human Resources
  • Communication and Relationships with Stakeholders
  • Information, Learning, Document Management
  • Project Management Process
  • Software tool integrity

Outcomes from a Project Management Review

One of the first questions to answer is: ‘so what?’

There is no point in conducting any form of review unless you intend to use the knowledge and insights it generates. So, before you carry out a review – indeed, before ever commission one – ask yourself:

What will we do with the findings of the review?

Typical outcomes you can expect range from:

  • the project is failing utterly to deliver value and is being grossly mismanaged, so should be closed down immediately, to
  • this project is a shining example of how a project should be, with exemplary practices leading to outstanding delivery performance

In reality, most findings will lie somewhere between these. But you must have a mechanism to handle findings anywhere in that range.

Preparing For Recommendations

In particular, you need to think through questions like:

  • Who will be sponsor for the review and ensure the organization receives and acts upon its report?
  • What resources could be made available to implement significant findings?
  • What mechanisms do you have, to recognize high performance levels from teams and individuals?
  • To what extent are you able to make significant changes to the project mid-stream – and whose authority would you need?

How to Run a Project Management Review Process

Let’s get to practicalities and look at the basic steps for running a project review. I have gone for a simple Five Step Process:

  1. Set-up
  2. Investigation
  3. Analysis
  4. reporting
  5. Follow-up


As with any project, start with generating agreement around the scope and objectives for the review. The previous section on outcomes will also be relevant here.

Before you get into the detailed planning and preparation, there are three ther things to consider:

  1. Success criteria to measure project against
  2. Format for reporting findings
  3. Review team

Review Team

I’d certainly recommended you use an external facilitator to lead your project review. Ideally the team would all be independent of the project. This has the twin benefits of:

  • objectivity
  • confidentiality

The latter means disgruntled or genuinely concerned staff and stakeholders are far more likely to speak freely to the review team.

Planning and Preparation

You will need to plan your review and research interviews with two things in mind. You will need to gather both:

  1. Data and objective evidence
  2. Opinions and perceptive evidence

Here are the main things you’ll need to cover in your planning:

  • Identify project team members and stakeholders to interview
  • Schedule interviews and arrange where to hold them
  • Create interview format and draft core interview questions
  • Create a list of documents and evidence to gather
  • Allocate roles to review team members
  • Finally, review core project documentation: Definition, Planning Documents, Business Case, Status Reports, etc. Some would consider this the first part of the…


Assuming you are familiar with the core project information, the meat of your investigation will be interviews with:

  • Project Sponsor (and other project Board members)
  • Project Manager
  • Workstream or Team Leaders
  • Team Members
    This can be done on the basis of one or a combination of:
    • one-to-one interviews (of a sample)
    • small group facilitated discussions
    • questionnaires – these can be used either in advance of face-to-face approaches, or in addition, to widen your data pool without over-stretch resources
  • Users, Clients, and other Stakeholders
    This too can be done on the basis of one or a combination of:
    • one-to-one interviews (of a sample)
    • small group facilitated discussions
    • questionnaires (as above)

Sequence of Interviews

Some people take the view that you should work down the list in the order I have presented it above (‘top-down’). This allows you to assess the perceptions of senior players and then test them with the people doing the detailed work, and finally with the stakeholders.

The alternative is to work in the opposite direction, to learn how stakeholders and team members perceive the project. Then to see how the perception of increasingly senior people matches up to that reality. This is a ‘bottom-up’ approach.

The latter approach can be more adversarial. So, my own preference is to start top-down, but reserve the right to meet again with senior people if you discover mismatches that you want to explore with them further.


Carry out a full review of the documentary evidence you have gathered. This can include:

  • Project organization chart
  • Definition documents and project mandates
  • Business requirements and functional specifications
  • Project planning documents
  • Status reports
  • Budgets and financial reports
  • Tender and procurement documentation
  • Meeting minutes and action items
  • Quality (QC and QA) documentation
  • Risk and issue logs
  • Communications logs
  • Change logs

Collate what you learned and look for patterns and exceptions. Index and store original copies of interview records.

From the information you have, you can:

  • Identify key findings of fact
  • Agree interpretational findings
  • Look for causes of issues and problems
  • Also look for opportunities for positive improvement
  • Above all, seek out success stories and cause for praise and recognition
  • Formulate recommendations


Your report will contain your findings and your conclusions.


Document and prioritize your findings and recommendations. I’d also suggest you allocate priorities to each, using a simple system like High-Medium-Low or Red-Amber-Green.


Remember to give credit and praise where it is due.

Many organizations prefer to present findings along with an overall score for one or both of:

  • Project status
    How well it matches where it should be according to an approved plan
  • Project process
    How wee the project management process conforms to the practices and procedures that the organization considers appropriate

Whilst a RAG status can work, I prefer something more acutely attuned to the impact of the findings. A framework like this can work well, if you adapt it to fit your organization’s culture:

  • Critical Concerns
    The review has found serious failings in either process or outcomes
  • Significant Concerns
    Material issues that need attention
  • Satisfactory
    The project process/outcomes meet minimum standards, but substantial recommendations remain
  • Good
    No significant concerns – processes are in line with good practice and outcomes are consistent with the plan
  • Excellent — the
    The project process represents best practice and outcomes are in line or ahead of all planning expectations


Typically, this is where the project management review process starts to become political. How, where, and to whom you present your findings will be a matter of policy and practice, culture, and political judgment.

Remember the vital importance of transparency: an audit document that is swept under the corporate carpet is nothing more than a deceit. A good project audit process must have a mechanism for raising an alert at the highest levels of the organization.


Determine a follow-up régime to ensure that the project team acts on the recommendations you make in your report.

Ensure that the final report and the record of follow-up becomes part of the formal record of your project, according to your internal procedures.

The Secrets of Success

The first element of success are less ‘secrets’ and more essential criteria.

Essential Criteria for Audit Integrity

Independence and Objectivity

True audit needs the ability to seek out findings without fear or favor.

Senior-level and Institutional Enterprise Support

Both the audit process and the implementation of any findings need full organizational commitment to provide adequate resourcing. this means people, materials, time, and budget.

But the starting point for enterprise support is a clear intent to pay attention to the project management review results… and act on them.

Alignment to the Enterprise Processes

Any form of assurance process, whether project assurance or full audit must not be just a check-box activity. And neither must it be purely about holding people to account in an adversarial manner.

Rather, it must be part of the business cycle and integrated into all organizational processes.


Finally, the methodology must be publicly available. This means either working from a standard process, or the review team publishing their process.

And, of course, the team needs a mechanism to publish its findings to an appropriate audience.

Practical Advice for Effective Project Management Reviews

Finally, I’d like to offer some practical tips from my experience of carrying out project management reviews of other project managers’ projects, as a senior project manager.

Tip 1: Anything Else?

Whatever questions you have in any structured interview, your last questions should always be:

Is there anything else you think I need to know, which we haven’t covered?

This is the question that allows for the fact that, in preparing for your meeting, you don’t know what you don’t know.

Tip 2: The Secret is in the Process

As with so many things, success will flow from a good process, executed well. Once you have worked diligently to design an appropriate project review process (or adapt an existing one to the circumstances), trust that process.

Tip 3: Start with the Data

Always start with the data and draw conclusions from it. Never start with a hypothesis and look for data to support it. If you must start with an hypothesis, then look for evidence to falsify it, and then find a new hypothesis that fits the data you have.

Tip 4: Checklists Prevent Mistakes and Templates Make your life easy

Regular readers will know how fond I am of a ‘checklist and template’ approach. I’ll be working on additional content for our Project Management Template Kit and Project Management Checklists, to support the Project review process. We also sell a super-value Productivity Bundle with both packs at a reduced price.

What Are Your Thoughts About the Project management Review Process?

I’m interested in your experience. How do you define project review, project assurance, or project audit, and what have you learned for making them effective processes. Please leave your comments below and I’ll look forward to reading them and responding.

Never miss an article or video!

Get notified of every new article or video we publish, when we publish it.

Mike Clayton

About the Author...

Dr Mike Clayton is one of the most successful and in-demand project management trainers in the UK. He is author of 14 best-selling books, including four about project management. He is also a prolific blogger and contributor to ProjectManager.com and Project, the journal of the Association for Project Management. Between 1990 and 2002, Mike was a successful project manager, leading large project teams and delivering complex projects. In 2016, Mike launched OnlinePMCourses.
{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Never miss an article or video!

 Get notified of every new article or video we publish, when we publish it.