05. The Nature and Evaluation of IT General Controls
05.09. IS Project Auditing
Briefly reflect on the following before we begin:
- What are the critical stages in the lifecycle of an IS project that require auditing?
- How do project management controls influence the success of IS projects?
- What are the common risks associated with IS projects?
IS project auditing examines and evaluates IS projects’ management, control, and governance. This section will set the stage for understanding the various stages of IS projects, from initiation and planning to execution and closure, and the importance of auditing each phase. We will also review the methodologies and best practices involved in auditing these projects to understand how auditors assess the alignment of projects with organizational strategies, the effectiveness of project management practices, and the adequacy of controls at each project stage.
Identifying relevant risks and evaluating corresponding project management controls is crucial to IS project auditing. We will review how auditors assess the controls to manage IS projects effectively. It includes examining risk management practices, resource allocation, budgeting, and scheduling controls. We will also discuss how auditors evaluate the risks associated with IS projects and the measures taken to ensure the quality of project deliverables. This includes analyzing risk assessment methodologies, quality control procedures, and compliance with relevant standards and regulations.
IS Project Lifecycle
IS Project Auditing, a crucial component of IT General Controls (ITGC), refers to the systematic process of evaluating and assessing the management of information system projects within an organization. It ensures that the project aligns with the organization’s strategic objectives, is managed efficiently, and adheres to set budgets and timelines. It is vital in identifying potential issues and risks and ensuring the project delivers the intended value. A practical examination of the IS project ensures that it meets its goals, stays within budget, and is completed on time. It also assesses whether the project complies with relevant standards, regulations, and best practices. Stringent auditing is paramount in an era where complex IT projects involve significant investments. Poorly executed projects can lead to wasted resources and failed systems, jeopardizing the organization’s operational stability. Effective auditing helps to mitigate these risks by identifying issues early, allowing for timely corrections and adjustments.
Project planning and approval control are fundamental to successfully executing Information Systems (IS) projects. This phase involves the identification of project objectives and stakeholders and the development of a project charter. The project charter outlines the project’s scope, goals, and constraints and is submitted for approval by relevant stakeholders and senior management. Before a project is approved, a feasibility study is conducted to evaluate its viability. This assessment includes technical feasibility, operational feasibility, economic feasibility, and legal compliance. Auditors ensure that these aspects are thoroughly reviewed and documented. Once approved, the project is planned in detail. This includes defining project scope, objectives, deliverables, and a comprehensive project plan with timelines and resource allocation. Auditors assess whether the planning is complete, realistic, and aligned with organizational goals. IS Auditors then scrutinize the workflow for project approvals, ensuring that it follows a structured process. Proper authorization and signoffs are essential to maintain control over project initiation.
Budget and cost management control is vital to prevent IS projects from exceeding allocated budgets and incurring unexpected expenses. Initially, a budget is allocated to the project, covering all anticipated costs, including personnel, hardware, software, and external services. Auditors examine the budget allocation process to ensure it is based on realistic estimates. Throughout the project lifecycle, costs are tracked against the budget. Auditors monitor this process, ensuring that expenses are controlled and any variances are addressed promptly. A formal change management process should be in place when project changes impact the budget. Auditors evaluate whether changes are adequately assessed for their impact on costs and whether they are approved through the established channels. Regular financial reports are generated to provide transparency into project spending. Auditors review these reports to ensure accuracy and compliance with financial controls.
Schedule and timeline control is equally important. Project schedules are developed to outline tasks, milestones, and dependencies. Auditors assess the scheduling process, ensuring that it is based on realistic estimates and considers potential risks. IS auditors closely monitor the project’s progress against the schedule. Delays or deviations from the original timeline are investigated to identify root causes and propose corrective actions. Proper resource allocation, including human resources and equipment, is critical for adhering to project timelines. Auditors review resource allocation to identify any discrepancies or bottlenecks. Lastly, effective risk management is integral to schedule control. Auditors evaluate how risks that could impact project timelines are identified and mitigated, ensuring that risk management strategies are in place.
Quality assurance control in IS project auditing focuses on maintaining and enhancing the quality of project deliverables and processes. Establishing clear quality standards and metrics is the first step. These standards define the expected quality levels for project deliverables, such as software code, documentation, or user interfaces. Auditors assess whether these standards are defined, documented, and adhered to throughout the project. Quality assurance often involves various testing and inspection activities. Auditors examine the testing procedures, including unit testing, integration testing, and user acceptance testing. They ensure that testing is comprehensive, well-documented, and aligned with quality objectives. IS Auditors review the tools and technologies used for quality control, such as automated testing tools, code review platforms, and bug-tracking systems. They assess whether these tools are effectively utilized to identify and address defects. Continuous process improvement is a core element of quality assurance. Auditors evaluate whether project teams engage in lessons learned sessions, root cause analysis, and process refinement to enhance quality over time. Finally, proper documentation is crucial for quality assurance. Auditors verify that quality plans, test cases, and inspection reports are maintained and accessible for review.
Risk management control within IS project auditing is critical to identify, assess, and mitigate risks that may impact project success. The first step in risk management is identifying potential risks. Auditors evaluate whether a systematic approach to risk identification is in place, including brainstorming sessions, risk registers, and lessons learned from previous projects. After identification, risks are assessed for their potential impact and likelihood. Auditors review risk assessment methodologies to ensure they are comprehensive and adequately consider project-specific factors. IS Auditors examine the effectiveness of risk mitigation strategies. This includes evaluating whether risk responses are developed, implemented, and monitored. They also assess whether contingency plans are in place to address unforeseen risks. Note that risk management is an ongoing process. Auditors review how risks are continuously monitored throughout the project’s lifecycle. They assess whether risk reporting mechanisms exist to inform stakeholders about the status of risks and mitigation efforts. Projects often encounter changes that introduce new risks or alter existing ones. Auditors evaluate how changes are managed and whether risk management strategies are adapted accordingly. As mentioned earlier, proper documentation of risk management activities is essential. Auditors verify the completeness and accuracy of risk registers, risk response plans, and associated documentation.
Compliance and regulatory control in IS project auditing ensures that projects adhere to relevant laws, regulations, and industry standards. IS Auditors begin by assessing the regulatory landscape applicable to the IS project. This includes identifying relevant laws, regulations, and industry standards, such as GDPR, HIPAA, or ISO 27001. Organizations often establish compliance frameworks that outline the requirements and controls needed to comply with regulations. Auditors review these frameworks to ensure they are comprehensive and up-to-date. IS Auditors map project activities and deliverables to specific regulatory requirements. This ensures that all relevant compliance obligations are considered throughout the project lifecycle. IS Auditors ensure that an audit trail is maintained for compliance-related activities. This includes records of regulatory assessments, compliance testing, and evidence of compliance with regulatory requirements.
Change management control within IS project auditing is vital to manage and document changes that may impact project scope, schedule, or resources. IS Auditors review the change request process to ensure it is well-defined and documented. This process typically involves submitting, reviewing, approving, and implementing change requests. When a change request is submitted, it must undergo a thorough impact assessment. Auditors assess whether impact assessments consider potential effects on project scope, schedule, budget, and risks. Change requests should be approved or rejected through a structured process involving relevant stakeholders. Auditors evaluate the approval process to ensure that it includes appropriate authorization and documentation. IS Auditors examine how approved changes are implemented, ensuring that they are adequately tested, documented, and integrated into the project’s work. Effective communication is also crucial in change management. Auditors assess how changes are communicated to project stakeholders, including the rationale for the change, its implications, and any required actions. In many organizations, a change control board oversees change management. Auditors review the composition and effectiveness of this board in managing changes. Lastly, comprehensive documentation of change requests, approvals, and implementation details is essential. Auditors verify that records are maintained to track changes throughout the project.
Relevant Risks
In IS project auditing, organizations face several primary risks that can significantly impact their operations and strategic objectives. Understanding these risks is vital for effective risk management and for ensuring that the organization’s IS projects are properly authorized and conducted in the organization’s best interest. Let’s consider some of these risks.
Risk | Description | Example |
---|---|---|
Scope Creep Risk | Scope creep occurs when project requirements continually expand beyond the initially defined scope. It can lead to delays, increased costs, and a decreased focus on critical project objectives. | During software application development, stakeholders continuously request additional features, causing the project to exceed its initial scope and timeline. |
Budget Overrun Risk | This risk involves exceeding the allocated project budget, which may result from unforeseen expenses or escalations. Budget overruns can strain financial resources, impact project viability, and reduce funds for other essential projects. | A project experiences unanticipated hardware procurement costs due to supply chain disruptions, resulting in a significant budget overrun. |
Resource Constraints Risk | Resource constraints occur when skilled personnel or necessary equipment are unavailable. It can lead to project delays, compromised quality, and increased pressure on the available workforce. | A critical team member with specialized skills resigns during a project, causing resource shortages and timeline setbacks. |
Schedule Delays Risk | Schedule delays can stem from various factors, such as unforeseen technical challenges, resource constraints, or scope changes. Delays can lead to missed opportunities, extended project costs, and stakeholder dissatisfaction. | An unexpected software bug discovery during the testing phase pushes the project’s release date back several weeks. |
Quality Assurance Failures Risk | Quality assurance failures involve the inadequate testing or inspection of project deliverables, resulting in defects or errors. Poor quality can lead to post-implementation issues, increased support costs, and damage to an organization’s reputation. | A rushed software release lacks thorough testing, leading to numerous user-reported bugs and declining user satisfaction. |
Compliance Violations Risk | Compliance violations occur when projects do not adhere to relevant laws, regulations, or industry standards. Non-compliance can lead to legal penalties, reputation damage, and operational disruptions. | A healthcare project fails to meet HIPAA compliance requirements, resulting in regulatory fines and legal actions. |
Change Management Challenges Risk | Change management challenges arise when changes to project scope, requirements, or resources are not effectively managed and documented. Poor change management can lead to project disruptions, increased costs, and a loss of stakeholder confidence. | Frequent, uncontrolled changes to project requirements lead to confusion among the project team and delays in project delivery. |
Communication Breakdown Risk | Communication breakdowns occur when project stakeholders do not receive timely and accurate project information. Poor communication can lead to misunderstandings, conflicts, and a lack of alignment with project objectives. | Key project updates are not communicated to relevant stakeholders, resulting in misinformed decisions and delays in addressing critical issues. |
Technology Risk | Technology risks encompass the potential for technical failures, such as hardware malfunctions, software bugs, or cybersecurity breaches. Technology risks can disrupt project progress, compromise data security, and result in substantial rework. | A data breach occurs due to inadequate cybersecurity measures, leading to data loss and reputational damage. |
Overall, IS Project Auditing in ITGC involves managing various risks, including project misalignment, budget overruns and schedule delays, poor project quality, non-compliance with regulations, ineffective risk management, inadequate stakeholder engagement, reliance on outdated technology, cybersecurity vulnerabilities, and insufficient documentation and knowledge transfer. Addressing these risks requires thorough auditing practices, regular monitoring, stakeholder involvement, compliance checks, and effective project management strategies. Effectively managing these risks ensures that IT projects are aligned with business goals, completed within budget and schedule, meet quality standards, and contribute positively to the organization’s strategic and operational objectives.
Relevant IT General Controls Objectives and Activities
In IS project auditing, a subset of IT General Controls (ITGC), several crucial controls ensure effective planning, execution, and delivery of critical IS implementation projects. These controls are vital in aligning existing IS with business objectives, managing risks, and ensuring successful outcomes. Let’s consider the primary ITGC objectives for this category.
Project Planning and Approval Control
The primary objective of this control is to ensure that IS projects are well-defined, aligned with organizational goals, and undergo a structured approval process. The purpose of this control here is to establish a systematic approach to project initiation and approval. This includes defining project scope, objectives, and constraints, conducting feasibility assessments, and obtaining appropriate approvals from stakeholders and senior management. The aim is to ensure that projects are strategically aligned and have undergone thorough evaluation before initiation.
Examples of ITGC activities that may facilitate the achievement of this objective include the following:
- A software development project is proposed with a clear definition of its scope, including developing a new customer relationship management system. A feasibility study is conducted to assess technical viability and resource needs.
- Before initiating a network upgrade project, a project charter is prepared detailing the objectives, expected benefits, and potential risks. This document is then reviewed and approved by senior management.
- An e-commerce platform integration project undergoes a structured approval process, including a stakeholder analysis to ensure alignment with business objectives and identify potential impacts on various business units.
Budget and Cost Management Control
This control ensures that IS projects are budgeted, tracked, and managed effectively to prevent cost overruns. The control objective for budget and cost management is establishing a comprehensive allocation process for IS projects, including estimating all relevant costs. It also involves continuously tracking and monitoring project expenses against the budget, implementing a formal change management process for budget modifications, and providing transparent financial reporting. The goal is to maintain cost control and prevent unexpected economic impacts.
Examples of ITGC activities that may facilitate the achievement of this objective include the following:
- In an IT infrastructure overhaul project, a detailed budget is prepared, including costs for new hardware, software licenses, and labour. Regular budget reviews are conducted to monitor expenses.
- A cloud migration project implements a tracking system for monitoring real-time expenditures against the allocated budget, allowing immediate adjustments in case of potential overruns.
- For a cybersecurity enhancement project, any changes exceeding a certain financial threshold require a formal change request and re-approval, ensuring budget adherence.
Schedule and Timeline Control
This control ensures that IS projects are executed within predefined schedules and timelines. The goal is establishing a structured project scheduling process, including task identification, milestone tracking, and dependencies. It involves continuous monitoring of project progress against the schedule, timely identification of delays, resource allocation management, and effective risk management to prevent timeline deviations.
Examples of ITGC activities that may facilitate the achievement of this objective include the following:
- A mobile app development project uses a Gantt chart to track progress against key milestones, with weekly status meetings to address delays.
- A critical path method in a data center relocation project identifies and manages essential tasks, ensuring adherence to the project timeline.
- Implementing a new ERP system project involves assigning a dedicated project manager to oversee task completion and resource allocation, ensuring the project remains on schedule.
Quality Assurance Control
The primary objective of this control is to ensure that IS project deliverables and processes meet established quality standards. The control objective of quality assurance control is to define and adhere to quality standards and metrics for project deliverables. It involves establishing comprehensive testing and inspection procedures, utilizing quality control tools effectively, promoting continuous process improvement, and maintaining proper documentation of quality-related activities.
Examples of ITGC activities that may facilitate the achievement of this objective include the following:
- During a software update project, user acceptance tests ensure that new features meet predefined quality standards and user requirements.
- A network security project includes regular code reviews and vulnerability assessments to maintain high quality and security standards.
- In developing a new IT service management process, a quality control checklist reviews each project phase, from planning to execution.
Risk Management Control
This control ensures that IS projects identify, assess, and mitigate risks that may impact project success. This control aims to establish a systematic risk management process. This includes risk identification, assessment of potential impact and likelihood, development of risk mitigation strategies, continuous monitoring and reporting of risks, and adaptation to changes that may introduce new risks.
Examples of ITGC activities that may facilitate the achievement of this objective include the following:
- In a data migration project, a risk assessment is conducted to identify potential data loss or corruption risks, with data backup and validation strategies developed.
- Risk scenarios such as integration issues and user resistance are identified for a new software implementation, and mitigation plans are developed, including training and pilot testing.
- An IT infrastructure expansion project includes a risk analysis of potential downtime, with contingency plans developed for minimal operational impact.
Compliance and Regulatory Control
This control ensures that IS projects adhere to relevant laws, regulations, and industry standards. The control objective for compliance and regulatory control is to assess and align IS projects with applicable legal and regulatory requirements. It involves regulatory assessments, compliance framework establishment, regulatory mapping, proper documentation of compliance activities, and preparation for external audits or assessments.
Examples of ITGC activities that may facilitate the achievement of this objective include the following:
- A healthcare IT project is evaluated for HIPAA compliance, ensuring patient data handling meets strict regulatory standards.
- In an international e-commerce project, GDPR compliance is a crucial consideration, with specific measures implemented for data protection and user consent.
- A financial reporting system project undergoes regular audits to ensure adherence to Sarbanes-Oxley Act requirements, focusing on data accuracy and security.
Change Management Control
The primary purpose of this control is to ensure that IS projects effectively manage and document changes that may impact project scope, schedule, or resources. This control establishes a well-defined change request process, including impact assessments, approvals, implementation, communication, and documentation. The goal is to systematically manage and communicate changes while minimizing disruptions to the project.
Examples of ITGC activities that may facilitate the achievement of this objective include the following:
- During an IT system upgrade, any request for changes in software specifications undergoes a formal review process, assessing the impact on timeline and resources.
- A cloud service implementation project has a documented procedure for handling changes in vendor services, ensuring that any modifications are communicated and reported effectively.
- In developing a new IT policy, a change control board is established to review and approve significant changes to the project scope, ensuring alignment with original objectives and stakeholder expectations.
Summarized Audit Program
As discussed in Chapter 3, an audit program is a structured and comprehensive plan that outlines the procedures and activities to assess the effectiveness of an organization’s control environment. Based on the core concepts of IS project auditing ITGCs discussed above, presented below is a summarized audit program highlighting select relevant risks, corresponding ITGCs, and potential ways (audit procedures) to assess the operating effectiveness of such ITGCs. Please note that this is not an exhaustive audit program covering all applicable risks and controls and is provided for your reference only.
Detailed Description of the Risk and Its Impact | Relevant IT General Control Activity | Detailed Test of Controls Audit Procedure |
---|---|---|
Inadequate project planning can lead to delays, cost overruns, and failure to meet objectives. | Comprehensive project planning is conducted for each IT project, including scope definition, resource allocation, and timeline establishment. This includes defining project objectives, determining necessary resources, setting realistic timelines, and identifying potential risks. The project plan is reviewed and updated monthly. | Review 2 recent project plans. Use inspection techniques to verify that the plans include detailed scope, resource requirements, timelines, and risk assessments. Assess whether the project plans are comprehensive and realistic, and check for regular updates and adjustments. |
Overlooking project risks can result in unaddressed issues and project failures. | Conduct regular project risk assessments and implement risk mitigation strategies. This involves identifying potential risks, evaluating their impact, and developing mitigation strategies. Risk assessments are performed at the initiation of the project and reviewed quarterly. | Examine two quarterly project risk assessment reports. Use analysis techniques to evaluate the effectiveness of the risk identification and mitigation strategies. Confirm that risks are appropriately identified, their impacts are assessed, and effective mitigation strategies are implemented. |
Non-compliance with legal and regulatory requirements in project execution risks legal penalties and project invalidation. | Ensure compliance with relevant laws and regulations throughout the project lifecycle. This includes regular compliance checks and semi-annual audits. Responsibilities involve reviewing compliance with legal requirements and industry standards. | Inspect documentation from 1 recent compliance audit. Use confirmation techniques to verify that the project adheres to applicable legal and regulatory requirements. Check for evidence of regular compliance reviews and confirm adherence to relevant laws and regulations. |
Poor budget management in IT projects leads to financial inefficiencies and potential project cancellations. | Rigorous budget management and monitoring are conducted for each IT project, including tracking and comparing expenditures against the budget. This process is carried out monthly. | Review 2 recent monthly financial reports for IT projects. Use analysis techniques to assess adherence to the budget and investigate any significant variances. Determine that expenditures are within budget limits and understand the reasons for any deviations. |
Ineffective communication and stakeholder engagement can result in misaligned project objectives and stakeholder dissatisfaction. | Maintain regular communication with stakeholders and ensure their engagement throughout the project. This includes periodic status updates and feedback sessions conducted monthly. Responsibilities involve disseminating project progress and addressing stakeholder concerns. | Examine records from 2 recent stakeholder communication sessions. Use observation and inquiry techniques to assess the effectiveness of communication and stakeholder engagement. Verify that stakeholders are regularly informed and that their feedback is considered in project decisions. |
Inadequate quality assurance processes can compromise the quality of the project deliverables. | Implement thorough quality assurance processes, including regular quality checks and testing of project deliverables. Quality reviews are conducted at key project milestones. | Review documentation from 2 recent quality reviews. Use inspection techniques to verify that quality assurance processes are in place and effectively implemented. Assess whether the quality reviews are comprehensive and whether their findings are addressed promptly. |
Failure to document project changes and decisions leads to confusion and a lack of accountability. | Maintain detailed documentation of all project changes and critical decisions, including the rationale and approvals for each change. This documentation is updated with every significant change. | Inspect documentation for five recent significant project changes. Use inspection techniques to confirm that all changes and decisions are appropriately documented, including reasons and authorizations. Check for comprehensive documentation that traces changes and decisions made during the project. |
In the Spotlight
For additional context on IS project audit leading practices, please read the article titled “Agile Audit”.
Spiros, A. (2017). Agile audit. ISACA Journal, 2. https://www.isaca.org/resources/isaca-journal/issues/2017/volume-2/agile-audit
Knowledge Check
Review Questions
- What is the primary purpose of a project charter in IS project management?
- Why is tracking project expenses against the approved budget throughout an IS project’s lifecycle essential?
- What role does the change management process play in IS project management, and why is it important?
- Regarding IS project audits, what are the critical risks associated with scope creep?
- How can quality assurance controls contribute to the success of IS projects, and what are some examples of quality control tools?
Essay Questions
- Describe the critical components of a project charter in IS project management. Why is it essential to have a well-defined project charter, and how does it contribute to project success? Provide examples to illustrate your points.
- Explain the importance of continuous budget monitoring in IS project management. What are the potential consequences of not monitoring project expenses against the approved budget? Provide real-world examples to illustrate your points.
- Discuss the role of the change management process in IS project management. How does effective change management contribute to project success, and what are the standard components of a change management process? Provide examples to illustrate your points.