The Internal Auditor as Project Auditor: A Winning Combination

Michael Stanleigh, CMC, CSP
Business Improvement Architects

Organizations around the world are losing billions of dollars in wasted project spending that is usually hidden from management and investors. The internal auditor as “project auditor” has a great opportunity to mitigate these losses and add value to their organization’s bottom line. Although some internal auditors may think they do not know or understand the process of managing a project, this couldn’t be further from the truth. The analytical skills displayed by today’s internal auditors can be put to great use in this arena, because audits are best managed as individual projects to be completed successfully and on time. And a key component of transitioning audit staff to become project auditors is for chief audit executives (CAEs) to position themselves and their audit staff as business partners who can provide insight on key projects and strategic initiatives.

The Definition of Internal Auditing
The IIA defines internal auditing as “an independent, objective, assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

As the definition of internal auditing clearly demonstrates, internal audit roles include both assurance and advisory-type services that help the organization succeed in accomplishing its strategic initiatives. Yet, many internal auditors spend most of their time analyzing their organization’s financials, internal controls, and compliance processes, without doing anything else. In addition to these important activities, internal auditors also must start examining business efforts and processes that have a direct bottom-line impact and add shareholder value and customer satisfaction. Providing assurance and advisory services on major business projects is one way to do this. In some organizations, for example, advisory services may be more appropriate because they allow internal auditors to provide assistance during the development or redesign of a process rather than evaluating the effectiveness of a newly designed or modified process after the fact.

No Technical Expertise Needed
Contrary to popular belief, internal auditors do not need to be technical experts on the projects they are auditing. Rather, they need to understand the project management process and learn how to use the tools and templates available for effective project oversight. In many organizations, internal auditors work in partnership with the external audit team. Because many external auditors have project management expertise, internal auditors can not only leverage the work performed, but also learn new practices for completing audit projects successfully.

Business Acumen Is All It Takes
Getting management buy-in is essential in auditing projects successfully, especially if this is a new responsibility for internal audit. Many CAEs and internal auditors ask me, “How do we get management to appreciate our role?” Organizations look to individuals and departments that can help them improve their bottom line, shareholder value, and customer experience. Unfortunately, they often don’t believe internal audit has the skill sets or resources to do this.

One way to gain management’s support is to demonstrate internal audit’s knowledge of the issues currently facing the organization, as well as foreseeing potential issues in the areas of control, risk management, and governance. In addition to demonstrating their business acumen, by identifying potential risk areas proactively, internal auditors help to add value to the organization. Once management views internal audit’s role as project auditor as an important aspect of the strategic management cycle, the internal auditor can more easily gain the support required to access and assess critical project controls and recommend actions to reduce unacceptable risk exposures in these projects.

Get a Seat at the Table
Furthermore, CAEs and their audit staff must gain a seat at the table during business discussions of a strategic nature. To be able to add value during the beginning stages of a project, internal audit must be aware that a strategic initiative is about to take place. Therefore, CAEs must build the necessary relationships with key stakeholders, including executive management, to be “in the know” at all times. This, in turn, will help CAEs position internal audit as a valuable resource that can help the organization grow and succeed.

Align the Audit Plan to the Areas That Matter
In addition to being part of strategic business discussions, CAEs need to align the audit plan to the key initiatives that matter to the organization. Doing so will help CAEs not only to ensure audit efforts meet stakeholder needs, but to gain credibility in the eyes of management. And, again, to gain this credibility, internal audit must be an active participant on the critical projects that are under way or are about to start. Once part of the project team, internal auditors must have the courage to convey tough messages and be prepared to work with management to improve project oversight activities, while at the same time maintaining their independence rather than playing an active role in the decision-making process.

Be Part of the Entire Life Cycle
With increasing demands on the internal audit profession from management, the question is raised of how the internal auditor’s role can be redefined, as it shifts from the more traditional assurance aspect of audit work to one that is involved as a proactive business partner in key projects, without losing internal audit’s independent position. Feedback from CAEs working at four Dutch multinationals — Fortis, SNS Reaal, Heineken, and DSM — is that the real added value of the internal auditor is to provide both assurance and advisory services during projects, often referred to as a “project health check,” and that the role should not be limited to a project review after the project has concluded, also called a “post-project audit.” One of the reasons mentioned is that during a project health check internal auditors are still able to challenge and give feedback that can be used to mitigate risks cost-effectively. However, during a post-project audit internal auditors are only able to add value in generating lessons learned that can be used for future projects.

Therefore, when internal auditors provide assurance and advisory services throughout the entire project’s life cycle, they help to enhance the efficiency and effectiveness of the strategic endeavor from the start. In addition, internal auditors can help to uncover process efficiencies, as well as identify control and other solutions before they become too costly to fix.

The Time Is Right
Ultimately, there is an opportunity for the role of internal audit to shift from a provider of assurance on key business projects to one that can add great value during the entire project’s life cycle by advising stakeholders on project improvement efforts. Consequently, CAEs and their audit teams must be continuously vigilant of the key issues facing the organization. In addition, CAEs need to ensure internal auditors have access to the right training opportunities that will enable them to acquire the necessary business acumen to demonstrate how they can add organizational value.

CAEs also need to ensure their rightful seat at the table, especially during key strategic discussions, to better align audit efforts to meet stakeholder and business needs. Once invited to participate in key strategic initiatives, internal audit needs to be an ongoing member of the project’s life cycle team to ensure key audit issues and concerns are addressed appropriately and cost-effectively. Following these recommendations will help CAEs position their audit team as a valuable resource that can significantly improve the organization’s bottom line.


Posted on Feb 7, 2012 by Tim

Share This Article:    

  1. An iestrnteing discussion is price comment. I feel that you need to write more on this topic, it may not be a taboo subject however typically persons are not sufficient to talk on such topics. To the next. Cheers
  1. Auditors need to be independant first and foremost.  That's why the audit committee hired us, as when we start "consulting" on projects we can put our "indendance" at risk.  I mean, when do you stop?  And do you audit the area you have consulted on?  What happens if you have findings??  Who's fault is that then? (You didn't consult too well then did you?)  And heaven forbid if the externals come in and blow it up after I/A's "consulting".  (Lost a bit of credibility with everyone then huh?)  I asking if the added risks are worth the "seat at the table" as you define it.  And are most IA teams versed in consulting? That too is a skill....

    Experience is important. You would never hire a CEO/CFO/CAE without the appropriate business experience, so why would you put newbie auditors w/o experience into a situation that they will fail in? You always put the right talent/experience into the right audits-as a CAE that is your job.  The audit committee expects that as well as management.  Don't short-shift experience and talent!

    Finally, let's remember Authur Anderson and Enron when we discuss "Consulting".  They were a "Big 4" and they got that consulting thing wrong and died, what makes you think that joe auditor will get it right for your firm?


  1. I beg to differ with the idea that Internal auditors should be involved in all stages of project implementation. For one this a threat to Auditors' independence. I agree with John Paul Lorenz on this matter and i would rather auditors stick to their professional roles. Even in providing consultancy services, the CAEs need to be very careful and to always avoid assigning the consultant to audit the consultancy job done by internal audit. To all auditors out there, this is an area that is quite controversial and auditors can easily be sucked into project design and implementation and compromising the integrity of internal audit. There is a lot in terms of corporate governance, risk and ethics on this matter and better watch out.

Leave a Reply