
Auditing Projects

January 3, 2011

Posted by Audit Monkey in The Joy & Pain of Internal Audit.

Rather than confirm the accuracy of my tax demand for HMRC before writing a cheque to help to correct government’s budget deficit, I’ve been reading other auditing blogs and websites. And yes, they do exist.

I stumbled upon ‘IT Audit FAQ’ on www.isect.com courtesy of blogger ‘ITauditsecurity’. A number of items are very funny and I’m sure all internal auditors will recognise the following event.

With reference to projects and to my mind, applicable to auditing in general:

“It is an unfortunate truth that in IT, professional, disciplined and effective project management is a welcome relief rather than the rule. (sic) An experienced IT auditor has generally witnessed all sorts of disasters at close range through bayonetting a number of development projects. (sic) For some obscure reason buried deep in human psyche, the symptoms of imminent disaster that loom large as an obese blue whale to an experienced IT auditor are mysteriously invisible to the average project manager and indeed to their managers and senior management. A kind of corporate blind-spot often develops, way beyond mere blinkers and myopia, we’re talking opaque cataracts in both eyes.

But that’s only the start of it. Persuading managers who eventually, under sufferance and using Braille, acknowledge the undeniable presence of the whale to actually stop a runaway project is very much like trying to stop a runaway Welsh coal train flying down a steep incline at full steam. Ordinary brakes are simply not up to the task. The reason is known as ‘corporate politics’ (sic): big projects are almost invariably led by larger-than-life characters, specifically appointed by management because they are “good blokes” and because they have the big cajones necessary to manage big projects. The IT auditor’s role is truly to proclaim that the king hath no clothes. And make like a rack-and-pinion centre rail or impersonate an enormous block of concrete and steel welded to the tracks”.

True. When you start in auditing, it is easy to think you’re a top guy when you find an error or possible flaw in a process. Then you realise that the error isn’t that big in the grander scheme of things and no-one really gives a hoot. Unfortunately, when you do find items that are reportable, often an inaudible sigh or groan can be heard as you have to go through the rigmarole of including the finding in the draft report and arguing the toss with management. Admittedly it can be interesting auditing ‘a car crash’ but it can get tiresome and soul-destroying.

As for big projects, I haven’t seen an audit report suggesting that the plug is pulled on a project. I’ve seen reports with ‘sticky plaster’ recommendations all over it but none specifically saying ‘fuggeddaboutit’.

With reference to the ‘runaway project’, just one small but crucial point. It isn’t the Internal Auditor’s decision to pull a project; the decision ultimately rests with management. If they want to carry on in the face of overwhelming evidence to the contrary, it is their choice.


1. ITmonkey101 - January 7, 2011

I had to comment on this. Not that I have anything constructive to add mind you.

As an IT monkey on the technical side of things on projects I do not envy you guys having to audit these car crashes and report back the inevitable failings.

Most (all?) of the projects I have seen are always compromised in terms of either adhering to corporate standards (call a solution “tactical” though and you can get away with murder) and/or the system is bodged in order to get it out on the deadline.

It’s not unheard of for /dev/test/qa systems to be built after prod has gone live. This is fine though as managers go through the deliverables small print with a magnifying glass in order to find some clause that justifies why the project hit the deadline and they deserve their pat on the back (and bonus most likely). To hell with standards/supportability/long term stability. These are all out of scope.

Not to worry though, the project is signed off so job’s a good ‘un and the PM and managers can waltz off into the sunset congratulating themselves on another job well done. Happy days…

2. ITauditSecurity - January 16, 2011

@ITmonkey101 – a suggestion: you could always pass your concerns onto your friendly neighborhood IT auditor during the project and he might be able to help. I know, that may delay the project…

3. Audit Monkey - January 17, 2011

ITauditSecurity – pray tell, what will the friendly neighbourhood IT auditor do to rake the coals out of the fire?

4. ITauditSecurity - January 20, 2011

What I meant was the auditor can help get some focus on the issues to determine whether they need to be addressed, and if so, help address them.

Sometimes when IT can’t get traction, audit can. And vice versa, as I’ve also experienced.

I’ve been on both sides of the fence and played both sides. It CAN work.

p.s. Not to be cranky, but would you please link to me in your post when you mention my site? I appreciate all your links. Thanks.

5. Audit Monkey - February 17, 2011

A lot depends on the Project Managers and the calibre of the Internal Auditors. Are the Project Managers and Internal Auditors strong enough to escalate issues or are they a load of pussy cats?
