DRAFT www.pwc.com IA’s practical approach to driving success for strategic and transformational initiatives DRAFT ISACA Geek Week 2014.


1 IA’s practical approach to driving success for strategic and transformational initiatives
ISACA Geek Week 2014

2 Agenda
Module
A. Welcome and Introduction
B. Transformational Change
C. Strategic initiatives – the risks
D. Internal Audit’s role
E. Keys to successful transformation assurance
F. Recap & Questions
G. Contact details
Talk about CPE Compliance

3 Welcome and Team Introduction

4 Welcome & Team Introduction
Antwon Hardwick
Director - US East Region Project Assurance Leader
Located in Atlanta, GA
- Project, Program and Portfolio assurance and management for transformational projects
- 13+ years consulting experience with clients in insurance, energy, software, IT services, construction, and entertainment and media
- Led on-going program management office (PMO) oversight activities for global multi-year $140M ticketing platform transformation for Fortune 500 leading company.
- Performed a number of risk management and assessment activities to include focused project risk assessments, deep dives, health checks, and periodic status reporting to the client's Audit Committee and senior executives.

5 Transformational Change
B

6 Transformational change: Market trends
- Accelerating investments in significant projects to enable business transformation initiatives.
- IT spending has been cut over the last few years resulting in a backlog of IT projects.
- Multiple and uncoordinated assurance requirements; IA, external audit, SOX, Compliance, Risk Management.
- Organizations are resource-constrained – not adequately staffed to advance projects and maintain existing operations.
- Regulatory requirements are expanding, adding to compliance efforts.
- Complex dependencies across projects.

7 What are your experiences with project success rates?
Our 2012 survey indicates that 200 global companies were spending over $4.5B on projects to deliver changes required to implement their strategy.
- 20% of ERP implementation projects are not completed. (Gartner)
- 71% of ERP projects do not meet the expectations of senior management (CSC Index/AMA Survey)
- 2%: Companies that had 100% of their projects on time, within budget, to scope and delivering the right business benefits. (PwC Global Survey on State of Project Management)
- 51% of ERP implementation viewed as a failure (Robbins-Gioia Survey)
- 84% of projects do not meet all criteria for success (Standish Group)
- 35%: Number of companies where system projects deliver expected business benefits (PwC Global Survey on State of Project Management)

8 As a result…
Boards, Audit Committees, and other senior business executives are increasingly recognizing the level of risk posed by large programs and are seeking greater transparency into strategic initiatives to understand if projects will deliver the business outcomes…..
- Are we going to have a positive return on investment?
- Are our people engaged and the business ready to change?
- Is the solution the best we can deliver for the costs we can afford?
- Have we got the skills we need looking at the really important things we need to do?
- Are we on-time, on-budget and on-scope?
- Are we getting the best out of our third parties?
- Is there appropriate governance to ensure project outcomes?
- Are we maintaining the integrity of our control environment?
…..there is increasing demand for project transparency

9 Reasons for program failures
Poor estimation continues to be the largest contributor to project failures.
Poor estimates, lack of sponsorship and poorly defined scope are 3 primary reasons cited for project under-performance.
Source: PwC’s 3rd Global Survey on State of Project Management (2012)

10 The state of the Internal Audit profession 2012
92% of CAEs …consider project risk as either important or very important. 82% of Executives 27% …think large program risk is considered well managed. 37%

11 Transformation change: Internal Audit challenges
01 Building a portfolio risk assessment process which considers the current and emerging risks and evolves with project delivery.
02 Enhancing existing project audit methodology to consider current techniques and more dynamic application.
03 Understanding and leveraging the ‘lines of defense’ appropriately.
04 Acquiring the right resources and skill sets to assemble the team.
05 Identifying effective methods for communicating and reporting risks timely.

12 Strategic initiatives – the risks

13 Key areas of project risk
Risks are not isolated to classic project management artifacts, but extend to a broader ‘risk universe’.
- Technology: Infrastructure, System architecture, Networking, Security, Availability, Performance, Disaster recovery
- Governance: Strategic Alignment, Senior Management Commitment, Sponsorship / Champions, Governance and Decision making, Synergy identification and tracking
- Data: Data Structures, Mapping, Cleansing Effort, Conversion and validation, Data governance, Backup and recovery, BI and reporting strategy
- Program Management: Time schedules, Budgets, Resources/staffing, Vendors, Knowledge transfer, Issue and Risk management, Scope management
- Process and Solution: Requirements, Business processes, System Development Life Cycle, Data Controls, Bolt-ons, Interfaces/integrations
- Organization: Business impacts, Training, Communication, Organizational alignment, Change management, Compliance and controls, Business continuity
You can’t assess most of these risks just looking at classic project management deliverables.
Aim to spend minutes on this slide. Try to link back to audience conversation from slide 5 “what have been the key reasons for program failure?” Option: ask audience to share experiences and/or show of hands on whether their audit activity covers each segment.

14 Project risk – Inherent, Delivery, Delivered
Strategy and Governance
- Inherent: No strategic roadmap for IT spend
- Delivery: Project does not align with business strategy
- Delivered: No business owner for realizing project benefits post-implementation
Program Management
- Inherent: Organization lacks a project management methodology
- Delivery: Project reporting is inconsistent and inaccurate
- Delivered: Lessons learned are not captured
Organization
- Inherent: Organization has little experience with large projects
- Delivery: Business SMEs have limited capacity for involvement in delivery
- Delivered: Organization resists adoption of the new solution
Solution and Process
- Inherent: No process maps or metrics impairs ‘case for change’
- Delivery: Interim processes are ad-hoc and labor intensive
- Delivered: Solution does not include robust internal controls (SOX compliance)
Data
- Inherent: Data is not ‘clean’
- Delivery: Data conversion is inaccurate
- Delivered: Backup and archiving not included in solution
Technology
- Inherent: Inconsistent technology platforms, and no vision for rationalization
- Delivery: Insufficient environments to support development, test, and production
- Delivered: No support and maintenance plan for new infrastructure
Note: These are high level examples only. In most cases, there will be many specific risks corresponding to each box above.

15 Who plays a part in managing program risk?
Large transformation projects typically have a number of functions supporting risk and quality management. Understanding the respective roles and levels of assurance provides a holistic view of current assurance levels and helps identify the gaps that may need to be addressed.
Risk management; Risk ownership; Risk assurance
1st line of defense: Work stream monitoring activities
Examples of Level 1 activities:
- Program risk function
- Program PMO
- Vendor PMO & QA
2nd line of defense: PMO monitoring and assurance activities
Examples of Level 2 activities:
- Operational risk teams
- Compliance teams
- Organizational or independent PMO
- Targeted QA activities (from within the organization but independent of the project)
- Product vendor provided assurance
3rd line of defense: External vendor and internal audit
Examples of Level 3 activities:
- Internal Audit reviews (part of the annual plan)
- ‘Health checks’ and targeted specialist ‘Deep Dive’ reviews
- External Audit reviews
This applies to all elements of the risk universe. Some examples for discussion:
- Who is reviewing the quality of business requirements?
- Who is reviewing data conversion results?
- Who is reviewing organizational readiness?

16 Internal Audit’s role D

17 In 2013, were stakeholders satisfied with IA’s role?
Overall themes: A number of IA functions stepped out to focus on emerging risk areas, but struggled to contribute. This chart shows where stakeholders were least satisfied with IA. The highlight here is that 3 of the top 4 areas are actually areas where IA significantly increased focus.

Detailed talking points
As we conclude our journey of navigating the challenges IA faces to add value, we focus in on IA’s contribution of helping organizations manage critical and emerging risks.

Last year we identified a number of critical risks facing organizations that were not in the traditional financial control space. Those risks included areas such as large programs and mergers & acquisitions, and we highlighted several leading practices in these areas.

Based on this year’s survey results, it appears that MANY IA functions increased focus on these risks: 84% increased coverage of large programs, 50% in the New Product Introduction area and 58% with M&A activity. This trend is a clear demonstration that IA functions are desiring and moving in the right direction. However, the data also further highlighted an opportunity to improve our performance in these areas.

The chart on your screen now, however, shows us that these areas were also among the risk areas where stakeholders had the greatest level of dissatisfaction with IA’s performance. Perhaps this was because stakeholders were not aligned on what IA should be doing in these areas, or perhaps IA did not have the right capabilities to move into these non-traditional audit areas.

So ask yourself: if you are part of the majority of IA functions that moved into these risk areas, did you do so with the same resources, capabilities and mindset that you have to focus on the more traditional risk areas? Once again the data shows us that all three challenges (alignment, capabilities and contribution) must be addressed to maximize IA’s value.
Source: Examining the issues – 2013 IA Global survey

18 How can IA add value to a project?
Stay ahead of the curve
- Get involved early.
- Build a ‘three lines of defense model’.
- Develop an embedded assurance plan.
- Agree how, when and to whom you will report.
- Operate the integrated assurance plan, making responsive changes based on the shifting risks.
- Use Subject Matter Specialists.
- Focus on value.

19 How can IA add value to a project?
Develop forward looking view
1. Navigate the integration risk landscape
2. Understand stakeholder perspectives and provide deeper insights
3. Cut through the clutter

Questions
- How well aligned is internal audit’s plan with the critical risks facing the organization?
- Does internal audit provide a point of view to help the business improve its responses to risk?
- How effectively does internal audit communicate with stakeholders?

How can IA effectively engage in Transformation initiatives
- Think and act strategically to focus on key integration risks: Internal audit understands the organization’s strategy, initiatives, and related risks; project audit activities are derived from a top-down risk assessment and aligned with stakeholder expectations.
- Leverage the second line of defense: Internal audit contributes to and coordinates with organization and program risk management efforts, providing insight to the overall risk management process and focusing audit efforts appropriately.
- Understand the business: Internal audit is in a unique position to objectively assess perspectives of various integration stakeholders – leverage this to foster the desire for internal audit involvement in integration (and all significant) business initiatives.
- Leverage specialists: Internal audit uses specialists —both internal and external— to support work in areas where it does not have the breadth and depth of expertise to effectively provide a point of view.
- Deliver advice and best practices: Internal audit provides deep insights in all of its activities, as well as proactively offering advice on the design of future processes.
- Build trust through ongoing dialogue: Significant attention is given to face-to-face communication with stakeholders, including the audit committee. In these meetings, additional perspective is provided around the management of critical risks.
- Simplify reporting, make it consumable: Internal audit reports contain concise messages clearly linked to underlying business risks.
- Connect the dots: Internal audit identifies common themes and trends across the organization, enabling the business to close gaps.

20 How can IA add value? Controls are often overlooked
The design of internal controls (configurable, manual, and access/security) during business process design, rather than identifying and correcting control weaknesses after the process and systems are installed, provides the greatest value in terms of process, system, and data integrity, at the lowest cost.

[Chart: cost of controls (low to high) across the project life cycle, from start to finish. Phases: Design, Build, UAT, Implement, Go Live; also labelled Solution, Blueprint, Test, and pre-implementation, during development, post imp. Caption: Cost of controls increases as project progresses.]

- An ERP implementation will result in significant business process, business application and IT environment changes.
- The effect of process transformation may impact nearly every internal control you have in place today; both design and operating effectiveness.
- You should minimize the risk of non-compliance generated during business process and IT system changes.
- You should have robust processes to respond to planned or unplanned changes.
- Controls are often left until the end of a project resulting in ‘open systems’ at go-live and testing and training occurring without controls in place.
- Failure to implement controls will result in exposure at go-live and a more difficult and time consuming substantive based audit.

21 Developing a Project Assurance Plan
17 April 2017
Why is a Project Assurance Plan important?
- Helps to understand the roles and sources of assurance available to a project
- Helps you to develop a risk-driven integrated assurance plan that is aligned to the three lines of defence.
When should the Project Assurance plan be developed?
- Ideally this occurs from the beginning of the integration program, and makes use of the program’s initial risk assessment activities. However, it can be implemented at any point in the lifecycle.
Who should be involved in developing the Project Assurance plan?
- Key project stakeholders (internal to the project team and business)
- Representatives from each line of defense (the PA plan is often a component of an integrated risk or quality management plan)

22 Managing risk over the program lifecycle
- Assess: Is the ‘case for change’ robust with clear scope, business outcomes and ownership?
- Design: Will the organization & technical design deliver the benefits?
- Construct: Is the solution being built as designed and robustly tested?
- Implement: Is the business ready to go with detailed go live and support plans in place?
- Operate & Review: Are the benefits being delivered and what could be improved?

Project governance and mgt review; Planning and mobilization; Business case review; High level target operating model; Organization change strategy; Deployment strategy; Business process design; Data and reporting design; Test and data conversion strategies; Security & controls; People and Org Design; Dedicated vendor management; Solution testing and remediation; Training plans and execution; Data conversion; Security and control configuration; Business continuity planning; Benefits management plan; Support model design; Test and training results; Go-live process; Data conversion process; Transition to business as usual (BAU) planning; Stakeholder engagement; Go-live readiness assessment; 30-90 day support; Business adoption; Benefits realization; Compliance and controls certification

Delivering Change
- Is the Change Management approach appropriate and delivering success?
- Is the organization engaging key stakeholders (including existing vendors/partners) throughout the change?
Driving Change
- Is the program being effectively governed against guiding principles and managed across all workstreams?
- Is delivery of business benefits a key focus throughout the lifecycle?

23 Keys to successful transformation assurance

24 Top 10 Keys to success
Key events that may contribute to a successful Project Audit:
- Stakeholder buy-in & tone at the top, understanding & acceptance of engagement
- Staffing, proper technical skills, qualifications and capabilities allowing the team to quickly establish credibility
- Understanding project needs and expectations, as well as the level of comfort desired
- Scoping appropriately, leveraging a risk based approach and delivering upon the agreed scope
- Up-front communication regarding scope of review, extent of review, timing of review and level of details to be provided in reporting
- Execution and completion of work within defined budget and schedule
- Change agility, being able to change with the project needs (adjust timeline, etc.) but avoiding scope creep
- Communication to all parties
- Relevance, providing actionable useful and timely deliverables (reporting) – consider requirements of the audience (i.e. Audit Committee, Sponsor, Project Manager, etc.)
- Monitoring project progress between checkpoint reviews to minimize ramp-up time required at each checkpoint

25 Recap and Closing F

26 Recap & Questions
- Get involved early.
- Build a ‘three lines of defense model’.
- Develop an embedded assurance plan.
- Agree how, when and to whom you will report.
- Operate the integrated assurance plan, making responsive changes based on the shifting risks.
- Use Subject Matter Specialists.
- Focus on value.

27 Contact Details G

28 Thank you
Team contact information
Antwon Hardwick (678)
Kshipra Pitre (678)
© 2014 PricewaterhouseCoopers LLP. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see for further details.

