I am sure that Project Assurance and Project Audit are not favorite topics for many Project Managers. But they are important. And they do cause an amount of confusion.
Not least, people ask:
- ‘What are Project Assurance and Project Audit?’
- ‘What’s the difference?’
And…
- ‘How do we conduct either Project Assurance or Project Audit?’
So, I’ll give you the answers you need.
Structure of this Article
The structure of this article will be very simple. There are only four main sections:
- Project Assurance and Project Audit: What are they and Why do We Need Them?
- How to Carry out Project Assurance: A Basic Process
- How to Carry out Project Audit: A Basic Process
- The Way to Think of Project Assurance and Project Audit, as a Working Project Manager
Project Assurance and Project Audit: What are they and Why do We Need Them?
You’ll need to know what they are about and how we define each of: project assurance and project audit. And you’ll also want to know, pretty quickly, why they are important.
So, I will start with an outline of what they are about and why they are important, then we’ll move on to definitions.
What are Project Assurance and Project Audit about?
Project Assurance and Audit are all about giving confidence in the Project and the work the team is doing. As a result, they contribute to two vital areas of Project Management:
- Governance
And, in particular, the element of governance that is concerned with oversight. This said, it is often the role of assurance and audit to assess the effectiveness of the wider governance processes.
More on Governance: What has Project Governance Ever Done for Us? [Ans: A Lot] - Risk Management
Among the major risks on any project or program are the threats that we may, for example, be:- Doing the wrong things
- Misusing resources
- Breaching regulations or standards
More on Risk Management: Ultimate Guide to Project Risk Management
It is the role of assurance to give comfort on these, and of audit to look into them in detail.
The ‘So What?’ Why we need Project Assurance and Audit
There are many reasons to support the value of assurance and audit in Project management. And, remember, we must be able to demonstrate value, because there are costs to them, in:
- The time, materials, and work of carrying out project assurance and a project audit
- Loss of work time when project team members are collaborating with the audit and assurance process
- Procurement costs, if you commission a truly external project audit
- Management time in reviewing the outcomes of the assurance and audit process
So, here is my starter list of the principal benefits of Project Assurance and Project Audit. They:
- Ensure we work to a rigorous definition of project success from the outset
- Provide an objective assessment of success against that definition
- Create a culture of diligence and shared responsibility among the project team
- Enhance confidence among stakeholders that we are where we should be
- Provide essential governance oversight for the organization
- Give input for lessons learned and process improvement
Project Assurance vs Project Audit: what’s the Difference?
I’ll offer some formal definitions of Project Assurance and Project Audit in the next section. Here, we can use loose, easy-to-understand definitions to give you a clear understanding of:
- What each one is, and
- How they differ
Assurance is how we provide stakeholders with a basis for confidence in your project or program. It confirms that you are doing the right thing, in an appropriate way, and making effective use of the time and resources the organization has granted you.
An audit is one way to provide assurance. It is a formal review that seeks to evaluate a project based on specific criteria.
So, ‘how else could you provide assurance?’ you ask.
There are many ways, like:
- scrutinizing data
- speaking with people
- questioning at Project Bard meetings
- testing deliverables
- monitoring expenditure against budget
However, without a doubt, a formal Project Audit is the most robust and objective mechanism for providing Project Assurance. And, as a result, the two terms are often used interchangeably.
So, to conclude:
Crucially, Project Assurance is a continuous, ongoing process, throughout the life of the project or program. A Project Audit is a discrete event. It may happen once in a project life cycle. Or, there may be more than one in a long project or if findings merit a follow-up.
Another key difference is that Assurance often happens from within the project. A Project Audit, on the other hand, must be carried out by a person or team that is independent of the area they are auditing.
Definitions of Assurance and Audit from the Project and Program Management Domains
Let’s start with the wider term, assurance, and then focus in on the narrower, audit.
Defining Project Assurance
My dictionaries tell me that, in this context, assurance means:
‘a statement that inspires confidence and certainty, and overcomes doubt’
It comes from an origin meaning to secure or make sure.
The APM Body of Knowledge 7th edition defines assurance as:
‘The process of providing confidence to stakeholders that projects, programmes and portfolios will achieve their objectives for beneficial change.’
APM Body of Knowledge 7th edition
Association for Project Management, 2019
So, this definition sees Project Assurance as a process, that needs to consider a number of things, like:
- Suitability of design, standards, and specification
- Quality and standards of project deliverables
- Project control processes and delivery practices
- Compliance
- Progress against plan
- Benefits realization processes
- Integrity of decision-making
However, we sometimes use the term ‘Project Assurance’ to refer to the team that conducts the process. It may be a central group within a project’s organization that conducts reviews of projects. Often, this team will sit within some form of PMO: Project, Program, or Portfolio Management Office.
Project Assurance in PRINCE2
In PRINCE2, Project Assurance is the responsibility of the Project Board. And they must conduct assurance against three things:
- Business requirements and projected benefits (Business assurance)
This is primarily the responsibility of the Project Executive (ie Sponsor) in PRINCE2 - Needs and expectations of stakeholders and users (User Assurance)
This is primarily the responsibility of the Senior User in PRINCE2 - Technical standards and requirements (Technical Assurance, or Supplier Assurance)
This is primarily the responsibility of the Senior Supplier in PRINCE2
More on PRINCE2: An Introduction to PRINCE2 with Frank Turley, ‘the PRINCE2 Guy’ | Video
Defining Project Audit
My dictionaries tell me that, in this context, audit means:
‘inspection, review, and verification’
It comes from an origin mean a hearing – as in conducting a hearing to enquire into something. So, it rather resembles some form of judicial process. Yeeks!
But, as with Project Assurance, Project Audit has many interpretations. Inevitably, some see Project Audit as a finance function, focused on the financial performance, cost management, and financial reporting within a project or program.
More generally, Project Audit is about conformance to a full range project or program management processes, guidelines, and standards.
How to Carry out Project Assurance: A Basic Process
The Association for Project Management has the best materials I am aware of, to help us understand Project Assurance. Not only is there a helpful section in the 7th Edition of the AMPM Body of Knowledge [LINK] (section 1.3.2), which I shall draw upon. But they also produce some excellent detailed documents:
- A Guide to Integrated Assurance
A short but deeply helpful guide - Measures for Assuring Projects
A free toolkit available for download to APM members
The Model the APM uses is a three-tier model, that sets out three ‘lines of defense’. This appears in A Guide to Integrated Assurance, by Roy Millard:
- First Line of Defense: Controls
Systems, processes, policies, and standards that reduce the opportunity for error, and so assure probity and effective delivery - Second Line of Defense: Compliance
Day-to-day monitoring and review of the project’s progress and process. These may sit within wider processes like Governance, Risk Management, or Quality Management. They may be overseen by a group outside of the project’s delivery team, like a sponsor,, review group, or PMO. - Third Line of Defense: Independent Review
This does need to be carried out by a team suitably independent from the project or program. It can be peer review by other project managers in the organization, internal audit by a Project Assurance team or PMO, or truly external review by a consulting organization, audit firm, or a government or trade oversight body. Project Audit sits at this tier.
Requirements for Effective Project Assurance
Aside form the obvious need for the right level of independence, there are a number of other criteria for effective project assurance:
- Clear ownership of the assurance processes.
- Effective planning of what to include, creation of a program of work, and communication so the team knows what to expect.
- Collaborative approach focused on learning and improvement, rather than an adversarial one, focused on finding fault and apportioning blame.
- Right level of detail. Not so superficial as to miss important details. But not so detailed as to focus on trivia with no substantive impact. In the world of financial audit, there is the term, ‘materiality’. Are the findings material to the scale of activities? Can they cause a material impact on outcomes?
- An approach of ‘Questions and Listening’ and supporting it with evidence. This is in contrast to a common ‘tick-boxing’ approach of merely checking-off findings quickly, to show you have gone through the steps.
PMO role in Project Assurance
Your Project, Program, or Portfolio Management Office may take a lead role in supporting or even carrying out Project Assurance. Their role can range from:
- Providing advice, guidance, support, and tools (usually checklists and templates) to project leaders
- Carrying out some Project Assurance activities
- Maintaining a quasi-independent Project Audit team
How to Carry out Project Audit: A Basic Process
There are three phases to a formal Project Audit: before, during , and after the main assessment and data gathering activities. There are no ‘standards’ for how to carry out a Project Audit. So, I offer a simple, generic process with 8 steps in three phases.
Audit Preparation Phase
- Agree an Audit Goal
This is a clear statement of defining the purpose of the audit, and what the audit will and will not cover - Plan the audit process and how you will carry it out
Include roles and responsibilities and the capabilities required of the people to be involved - Specify what you will examine and the definitions of performance standards (the audit criteria)
Your criteria may be simple pass/fail, or more nuanced: for example, excellent, good, adequate, poor, dangerous. You may even have a ten point scale, with Red (0-2), Amber (3-5), Green (6-9), and Blue (10 – best practice) color coding.
Audit Fieldwork and Findings Phase
- Carry out the audit fieldwork
This is where you ask questions, gather data, and review documentation. - Evaluate audit findings
Create a synthesis of what all of the evidence is telling you. - Create an action plan for the project team
Based on your findings, what does the project team need to do to conform to the highest standards. You may choose to rate this by urgency and also by impact. Some actions my address critical failings. Others may simply be recommendations to improve otherwise-effective procedures, for example.
Audit Review Phase
- Reporting process
How will you report, in what format, and who will formally receive the report, and act on its findings. Also, how the audit findings will be published more widely - Process for monitoring, follow-up, and remediation actions that the audit identifies
What a Project Audit needs to cover
This is a simple checklist of the main things that occur to me:
- Status and progress of project and critical tasks
- Quality of products/deliverables
- Effectiveness of Project Management and PM processes
- Robustness of project decision-making and governance
- Use of budget and other resources
- Compliance with regulation and standards, including: health and safety, data protection, …
- Impact of project risks on the sponsoring organization
- Opportunities to make improvements in performance, rigor, accountability
Organization-wide Project Audit
Where you have a project audit function, they will do all of the 8 steps in my three phase model above. But they will also set out procedures for:
- Identifying which projects to audit, and when
- How to trigger and start an audit
- Standardized forms, templates, checklists, and reporting
- How records are created, stored, and archived
How to Think of Project Assurance and Project Audit, as a Working Project Manager
My top tip is simple. Do not think of audit and assurance as adversarial processes. Rather, consider the assurance or audit teams as collaborators whose role is to help you do your job better. Work with them, and welcome any findings that they make. Any failings or causes for concern they find are opportunities to improve your project. And, if they had not found them, those causes for concern would still have been there – you just wouldn’t know about them.
‘What about those Officious, Self-righteous Auditors we Sometimes See?’
Good question. What about them?
Is their unhelpful self-importance your problem?
No, it’s theirs.
Managing your relationship with them (and supporting your team) will be more of a challenge. It will require a greater level of patience and diplomacy. And it may not be fun.
But, the attitude that their findings can help you is still the right one.
And, to anyone charged with conducting and assurance review or audit of any kind, I say this:
‘Blame is for God and small children’
The quote comes from the movie, Papillon, and is spoken by the character Louise Dega, played by Dustin Hoffman.
So, I say…
Blame is for God and small children – I don’t think you are either. And, if you want to act like one, then grow up and behave. Your job is to support your organization (or client) and its projects: not to apportion blame.
What are Your Thoughts on Project Asurance and project Audit?
As always, I am keen to hear your views and experiences, and ever-ready to answer your questions. Please use the comments below.